What does the job of a malware analyst entail? If you’re looking to get into this field, or if you’re looking for ideas that can help you succeed there, read on. You might also find this page useful if you are creating a job description for hiring such a person.
A malware analyst examines malicious software, such as bots, worms, and trojans to understand the nature of their threat. This task usually involves reverse-engineering the compiled executable and examining how the program interacts with its environment. The analyst may be asked to document the specimen’s attack capabilities, understand its propagation characteristics, and define signatures for detecting its presence. A malware analyst is sometimes called a reverse engineer.
Security product companies, in industries such as anti-virus or network intrusion prevention, may hire malware analysts to develop ways of blocking malicious code. Large organizations in non-security industries may also hire full-time malware analysts to help protect their environment from attacks, or to respond to incidents that involve malicious software. Malware analysis skills are also valued by companies that cannot justify hiring full-time people to perform this work, but who wish their security or IT administrators to be able to examine malicious software when the need arises.
How to be Successful?
A successful malware analyst is keenly aware of his or her strengths and weaknesses, invests time into keeping up with the evolving threat landscape, and contributes to the malware research community.
- Recognize your strengths and weaknesses. A skilled malware analyst possesses expertise from two often-distinct knowledge spheres: programming, as well as system and network administration. Individuals are often stronger in one of these areas than the other. When analyzing malware, start with the tasks that build upon your strengths, be it a solid understanding of assembly, or an intimate knowledge of Windows internals. Of course, don’t let your weaknesses drag you down. Understand what they are and develop a plan for expanding your expertise to ensure a well-balanced skill-set.
- Stay abreast of the threat landscape. The ever-changing nature of malicious software keeps the analysts on their toes. To excel in this field, research and understand new threats. Malware authors and analysts are at an arms race: as the analysts develop new tools and approaches, the attackers find new mechanisms for protecting their creations from detection or reverse-engineering. Read blogs, books, and papers that discuss malware characteristics and analysis techniques. Attend conferences, large and small, where you can brainstorm with and learn from other malware analysts.
- Contribute to the malware research community. Don’t be a passive observer. Reverse-engineered a particularly challenging specimen? Found a way to bypass protection of a new packer? Figured out how to deobfuscate an insidious collection of malicious browser scripts? Share your insights, findings and suggestions with other analysts via mailing lists, blogs, web forums, conferences, and other venues accessible to you. You will not only contribute to the community’s joint skill set, but also interact with peers who can share their perspectives and help you become the analyst you want to be.
Training and Certification
I teach a class at SANS Institute called FOR610: Reverse-Engineering Malware. It is designed to help malware analysts improve their skills, and may act as a spring-board into this field. The course is attended not only by individuals performing malware analysis as their primary job, but also by security and system administrators who need to analyze malicious software once in a while.
A respected professional certification that covers the field of malware analysis is tied to my course, and is called GIAC Reverse-Engineering Malware (GREM).