
Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform

  • Conference paper
  • Service-Oriented Computing – ICSOC 2020 Workshops (ICSOC 2020)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 12632)

Abstract

The rising cyber threat puts organizations and ordinary users at risk of data breaches. In many cases, early detection can hinder the occurrence of these incidents or even prevent a full compromise of all internal systems. Existing security controls such as firewalls and intrusion prevention systems are constantly blocking the numerous intrusion attempts that happen on a daily basis. However, new situations may arise where these security controls are not sufficient to provide full protection. There is a necessity to establish a threat hunting methodology that can assist investigators and members of the incident response team to analyse malicious binaries quickly and efficiently. The methodology proposed in this research is able to distinguish malicious binaries from benign binaries quickly and efficiently. The proposed methodology consists of static and dynamic hunting techniques. Using these hunting techniques, the proposed methodology is capable not only of identifying a range of signature-based anomalies but also of pinpointing behavioural anomalies that arise in the operating system when malicious binaries are triggered. Static hunting can label any extracted artifact as malicious according to a set of pre-defined patterns of malicious software. Dynamic hunting can assist investigators in finding behavioural anomalies. This work focuses on applying the proposed threat hunting methodology to samples of malicious binaries, which can be found in common malware repositories, and on presenting the results.



Author information

Corresponding author: Mamoun Qasem

Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Elmisery, A.M., Sertovic, M., Qasem, M. (2021). Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. In: Hacid, H., et al. (eds.) Service-Oriented Computing – ICSOC 2020 Workshops. ICSOC 2020. Lecture Notes in Computer Science, vol. 12632. Springer, Cham. https://doi.org/10.1007/978-3-030-76352-7_54


  • DOI: https://doi.org/10.1007/978-3-030-76352-7_54

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76351-0

  • Online ISBN: 978-3-030-76352-7

  • eBook Packages: Computer Science (R0)
