InfoSec Notes
Complete guide to malware categories including viruses, worms, trojans, ransomware, and techniques for malware analysis and prevention.
Overview
Understanding malware is essential for building effective defenses. This topic covers the mechanics, real-world examples, detection methods, and prevention strategies that security professionals need to protect their organizations.
How It Works
Types and Classification
| Type | Characteristics | Risk Level | Common Vector |
|---|---|---|---|
| Targeted | Specific victim, sophisticated | Critical | Spear phishing, zero-days |
| Opportunistic | Mass targeting, automated | High | Phishing campaigns, exploits |
| Insider | Employee/contractor initiated | High | Physical/logical access abuse |
| Supply chain | Via trusted third party | Critical | Software updates, dependencies |
Detection Methods
Prevention Strategies
| Layer | Control | Implementation |
|---|---|---|
| People | Security awareness training | Monthly phishing simulations |
| Process | Incident response plans | Documented playbooks, tabletop exercises |
| Technology | EDR/XDR deployment | CrowdStrike, SentinelOne, Defender |
| Data | Backup and encryption | 3-2-1-1-0 backup rule, AES-256 |
| Network | Segmentation and monitoring | Zero trust, SIEM correlation |
Real-World Case Studies
Case 1: Large-Scale Attack
Timeline:
- Day 0: Initial compromise via phishing email
- Day 1-30: Reconnaissance and lateral movement
- Day 31-60: Data staging and exfiltration
- Day 61: Detection by security team
- Day 62+: Containment and remediation
Impact: Millions of records exposed, regulatory fines, reputation damage.
Lessons Learned:
- Faster detection reduces impact exponentially
- Network segmentation limits lateral movement
- Regular access reviews prevent privilege accumulation
- Endpoint detection catches what perimeter misses
Response Procedure
Interview Questions
- How would you detect this type of threat in an enterprise environment?
- Combine multiple detection layers: network monitoring for unusual traffic patterns, endpoint detection for suspicious process behavior, SIEM correlation for related events across systems, user behavior analytics for anomalous actions, and threat intelligence feeds for known indicators.
- What is the most effective prevention strategy?
- Defense in depth combining: security awareness training (human layer), email security and web filtering (delivery prevention), endpoint protection (execution prevention), network segmentation (movement limitation), and robust backup strategy (impact reduction).
- Describe the attack kill chain for this threat type.
- Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Breaking any link in the chain stops the attack. Defense should target multiple links simultaneously.
- How do you prioritize response when multiple systems are affected?
- Prioritize by: business criticality of affected systems, data sensitivity, spread potential, and regulatory requirements. Contain high-value targets first, then work outward. Use pre-defined asset classifications from business impact analysis.
- What metrics would you track to measure the effectiveness of your defenses?
- Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), percentage of attacks blocked at perimeter, false positive rate, number of successful phishing attempts, patch compliance rate, and time from vulnerability disclosure to remediation.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Malware Types and Analysis.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, threats, and, attacks, malware
Related Information Security Topics