Royal Holloway 2012: An incident response process for armoured malware

An incident response process may be futile when dealing with today’s armoured malware, as explained in this Royal Holloway article.

2012 Royal Holloway thesis series

Makers of today’s malware go to great lengths to disguise their code and cover its tracks, often making it virtually impossible for even the most determined investigator to trace the true course of events.

For his MSc thesis at Royal Holloway University of London (RHUL), Steve Hendrikse, under the supervision of course director John Austen, set out to explore how formal incident response processes need to change in the light of this increasingly complex or 'armoured' malware.

In an article (.pdf) published here, Hendrikse outlines the elements of a good incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed.

Read the article

Download the article on malware armouring (.pdf) by Steve Hendrikse.

Read the full thesis (.pdf).

Hendrikse concludes that the time and effort involved in conducting this analysis may not be worthwhile, especially since there is growing pressure on companies to have their systems up and running as soon as possible.

This article is essential reading for anyone involved in either designing an incident response process or in forensic investigations of malware infections.

This feature is one of six being published this year in collaboration with RHUL.
