In turn, you should actually understand what you're reading in a sandbox report at least, since that's your most efficient source of info. They come back to you with more, rinse, repeat. Pull IOCs, provide additional items for the IR analysts to pivot on and find more. If you're supporting IR you generally take the sample straight to sandbox (get context on the execution to make sure you're running it correctly with the right arguments). I've done both malware analysis from the IR side and the threat intel side. Feel free to ask any follow-up questions and I’ll do my best to answer. These are the two of types of analyst roles in my experience, with some in-between, obviously. This is a research heavy, non operational role. You may work analysis requests for other stakeholders and inform them of your findings. You’ll understand what and why a piece of malware, binary, script or otherwise, does what it does. ![]() This will involve heavy reversing in tools like IDA, X96DBG, leveraging tools like Maltego to build intelligence relationships between threat actors. Other roles will be more research and tracking oriented. This is a fast-paced, heavily operational role. You might also do some debugging, pull out some shellcode, use things like SCDBG, etc to define your actions. This could involve basic binary triage tools like PEStudio, Cuckoo, CyberChef, etc. You’ll do things like respond to alerts pushed to your UI of choice, take the context of the detection into account and triage and do moderate study and reversing of the binaries to inform your remediation or actions to prevent further action on objective. ![]() Hey there, so there are a couple of answers here.įirst and what I do (so can speak the most to) is an analyst that also operates in somewhat of a SOC sort of role.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |