Exam CS0-003
Question 46

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

    Correct Answer: A

    To gather intelligence about the behavior of malware binaries without disclosing any information to attackers, the best approach would be to analyze them in a secure and isolated environment. Uploading the binary to an air-gapped sandbox ensures that the malware cannot communicate with external servers or networks, thus preventing any information from being leaked or attackers from being alerted. This isolated sandbox allows the security analyst to observe and study the malware's behavior in a controlled environment.

Discussion
crackman123 (Option: A)

Uploading to VirusTotal means disclosing to a third party!

frankokabbb (Option: A)

A. Upload the binary to an air-gapped sandbox for analysis An air-gapped sandbox is isolated from the Internet and other networks, which means that no information about the investigation can be inadvertently leaked to the attackers. By analyzing the malware in a controlled and isolated environment, the analyst can observe the behavior of the binaries without the risk of the malware "phoning home" to the attacker's command and control servers or otherwise disclosing the investigation. This approach also prevents the malware from potentially spreading or causing harm to the organization's operational network.

kentasmith (Option: A)

A - the attackers will not know what you're doing and you can gather intelligence info from the data - isn't gathering intelligence the same as performing an analysis? D - attackers are going to know what you're doing here - Please, if you chose D, then explain how they will not know?

[Removed] (Option: A)

The answer is A. Upload the binary to an air-gapped sandbox for analysis, only because the question states you don't want to alert the attackers. The attackers are definitely going to know once VirusTotal processes it and all of a sudden their stealthy malware is identified by most major scanning definitions.

RobV

The objective isn't to analyze the malware. It is to gather intelligence. Correct answer is D.

muvisan (Option: D)

I'm leaning towards answer D. Because the question is "analyst wants to gather intelligence". With VirusTotal exactly this is achieved. Uploading to a sandbox would be a possibility, but the answer already shows that an analysis is to be done...

WaaHassan (Option: A)

Not D because Querying the file hashes using VirusTotal could disclose the analyst’s queries to the attackers, as VirusTotal shares its data with the antivirus industry and the public. The attackers could use this information to track the analyst’s investigation or evade detection by changing their file hashes.

deeden (Option: A)

I think A makes more sense, unless the malware is programmed to destroy itself when detected in a sandbox environment then C is the next best thing.

DBUTILDrv2 (Option: A)

A is correct. D is incorrect because the binaries are "targeted", meaning they will likely have a unique hash not found in VirusTotal's database. In the real world, of course, VirusTotal can provide other useful information like some static and dynamic analysis, but this is outside the scope of answer D, which specifically identifies the hash.

kmordalv (Option: A)

Correct. This is a good option because an air-gapped sandbox is isolated from the internet and can be used to analyze the malware without communicating with external servers. This minimizes the risk of disclosing information to the attackers.

RobV

The objective isn't to analyze the malware. It is to gather intelligence. Correct answer is D.

a3432e2 (Option: D)

Isolated Network Hunting - Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access. Source: CompTIA

a3432e2

Sandbox: A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited so that malware or faulty software can be analyzed in isolation and without risk to the host. Also from CompTIA. I give up.

danwong (Option: D)

There really needs to be more context but if the investigation was performed on an enterprise network then doing a query of the file hash using VirusTotal would be my first step. If I'm performing an investigation using any modern EDR I can remotely get the file hash of the binaries without the adversary knowing assuming they are still on the device being investigated. Doing a query of a file hash doesn't disclose any of your information because you're not uploading anything, you're inputting text into a box. If the malware is polymorphic then you could trigger follow-on actions by attempting to copy or move the binaries when moving it to an air-gapped system. In reality, I would do D first and then do A.
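An added example (not from the exam page or any of the commenters) illustrating the distinction danwong draws above between querying a hash and uploading a file, and DBUTILDrv2's point that a targeted binary will usually have a hash nobody has seen: the digests are computed locally and checked against a hash list held offline, so no file content leaves the analyst's host, and a sample that differs by a single byte from a known one produces an unrelated digest. The sample bytes and the "known-bad" list are constructed for the demonstration.

```python
import hashlib

# Constructed stand-ins for two captured binaries (not real malware):
# a base sample and a "targeted" variant that differs in exactly one byte.
SAMPLE_BASE = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-sample-A"
SAMPLE_VARIANT = SAMPLE_BASE[:-1] + b"B"


def sha256_hex(data: bytes) -> str:
    """Hash the bytes locally; only this 64-char digest is ever shared."""
    return hashlib.sha256(data).hexdigest()


def local_hash_lookup(digest: str, known_bad) -> bool:
    """Reputation check against a locally held hash list (no network I/O)."""
    return digest.lower() in known_bad


def hex_char_differences(a: str, b: str) -> int:
    """Count hex positions where two digests differ (shows avalanche effect)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def triage(samples: dict, known_bad) -> dict:
    """Hash each sample offline and record whether its digest is already known.

    An unknown digest is expected for targeted malware: the hash list only
    helps when the exact same file has been seen before.
    """
    result = {}
    for name, data in samples.items():
        digest = sha256_hex(data)
        result[name] = {"sha256": digest, "known": local_hash_lookup(digest, known_bad)}
    return result


if __name__ == "__main__":
    # Constructed hash list: pretend only the base sample was previously catalogued.
    known = {sha256_hex(SAMPLE_BASE)}
    report = triage({"base": SAMPLE_BASE, "variant": SAMPLE_VARIANT}, known)
    for name, row in report.items():
        print(f"{name}: {row['sha256']} known={row['known']}")
    d = hex_char_differences(report["base"]["sha256"], report["variant"]["sha256"])
    print(f"hex positions differing between base and one-byte variant: {d}/64")
```

Running it shows the base sample matching the local list while the one-byte variant does not, which is the situation a hash query faces with targeted binaries; the file bytes themselves never leave the machine.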

Wanga91 (Option: A)

Answer is A. An air-gapped sandbox is a virtual machine or a physical device that is isolated from any network connection. This allows the analyst to safely execute the malware binaries and observe their behavior without risking any communication with the attackers or any damage to other systems. Uploading the binary to an air-gapped sandbox is the best option to gather intelligence without disclosing information to the attackers [1][2].

References: 1: Dynamic Analysis of a Windows Malicious Self-Propagating Binary; 2: GitHub - mikesiko/PracticalMalwareAnalysis-Labs: Binaries for the book Practical Malware Analysis

Varnasse (Option: A)

A - "gather intelligence": this can be done via dynamic analysis and observing the behaviour of the binary.

RobV (Option: D)

Correct Answer: **D. Query the file hashes using VirusTotal** Summary: This option allows the security analyst to gather intelligence on the targeted Windows malware binaries without disclosing information to the attackers. By querying the file hashes using VirusTotal, the analyst can obtain insights from a service that aggregates antivirus scanners and website scanners, providing information about potential threats while maintaining confidentiality in the investigation. Why A is wrong: While uploading the binary to an air-gapped sandbox for analysis (Option A) can help understand the malware's behavior, it doesn't address the goal of gathering intelligence without disclosing information to the attackers. Furthermore, an air-gapped environment lacks internet connectivity, preventing the analyst from using online services like VirusTotal to query file hashes without compromising the air gap.

Sebatian20

"Furthermore, an air-gapped environment lacks internet connectivity" - then C is a possible answer as well, which is why I think D isn't correct and A is the right answer.

Frog_Man (Option: A)

A hash is a one-way encryption not meant to be unencrypted. You cannot analyze that which cannot be unencrypted. My answer is "A".

RobV

The use of file hashes in cybersecurity involves matching these hashes against known databases of malicious files. In this context, the goal is not to decrypt the hash but to check if the file's hash matches any known malicious hashes.