How can you use pcaps to analyze malware?
Using packet captures to find, catalog, and report on a malware incident makes threat hunting easier for your entire team and is an integral part of your SIEM process. Malware-traffic-analysis.net regularly publishes great exercises for catching malware, and includes pcaps of the incident to flex your analysis skills. In this video, we explore one of these exercises to learn how to investigate security monitoring alerts using packet captures, from identification to remediation, and the steps you can take to organize and save your analysis for better reporting and retro-hunting in the future.
Join our tech specialist Tom as he takes you through this malware traffic analysis exercise that explores identifying a malware-infected Windows machine. You can even try it on your own using this packet capture on CS Personal SaaS!
In the video above, Tom will show you how to:
- Investigate alerts from a security monitor using full packet capture
- Determine if a machine was infected with malware
- Identify the infected host
- Create an incident report containing indicators of compromise
- Organize, save, and share your analysis
This video features the use of CloudShark's Threat Assessment tool, which incorporates Suricata IDS to work directly with your packet captures in a single interface. Contact us to learn more!