Security+: How to Identify Indicators of Compromise and Differentiate Different Types of Malware

Introduction

Indicators of compromise reveal malicious activity on a network or system, as well as artifacts that indicate an intrusion with high confidence. The artifacts could involve the use of multiple sophisticated malware families. Identifying indicators of compromise and differentiating different types of malware is an integral aspect of the Security+ SY0-501 exam's first chapter: Threats, Attacks, and Vulnerabilities.

Security+ exam candidates are expected to understand these concepts in a well-structured, organized manner, both to clear the first section of the exam and to help their current or future employers streamline the processes used for determining, preventing, and reporting security-related events.

With that in mind, here’s how to analyze indicators of compromise and determine the type of malware.

Crypto-malware

Today's organizations are on the lookout for any indicators of sensitive data being stolen or encrypted in a crypto-malware attack. Crypto-malware is stealthier than most other forms of malware, and most CPUs are not explicitly made to detect it, which could be detrimental to your system. If someone in your enterprise can't launch a Microsoft Office document they saved on the company's local system, and sees nothing but random characters when they force it open to analyze it, there is a high probability that the machine they are using is infected with crypto-malware.
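The "random characters where an Office document should be" indicator can be checked mechanically: a genuine .docx or .doc starts with a known header, while a file that crypto-malware has encrypted loses that header and has near-maximal byte entropy. The following is an added example, not code from the original article; the magic-number table and the 7.5 bits/byte threshold are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import math
from collections import Counter

# Leading bytes ("magic numbers") of common Office container formats.
OFFICE_MAGIC = {
    b"PK\x03\x04": "OOXML (.docx/.xlsx/.pptx)",          # ZIP container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (.doc/.xls/.ppt)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def office_format(data: bytes):
    """Return the matching Office format name, or None if no header matches."""
    for magic, name in OFFICE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_document(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag a file that claims to be an Office document but has no known
    header and looks like ciphertext. Both conditions are required: a real
    .docx is a ZIP whose compressed payload is also high-entropy, but it
    still carries the PK header."""
    fmt = office_format(data)
    ent = shannon_entropy(data)
    return {
        "format": fmt,
        "entropy": round(ent, 2),
        "suspicious": fmt is None and ent >= entropy_threshold,
    }


# Constructed samples: a minimal OOXML-like file and an "encrypted" blob
# (every byte value equally often, so entropy is exactly 8.0).
SAMPLE_DOCX = b"PK\x03\x04" + b"[Content_Types].xml word/document.xml " * 10
SAMPLE_ENCRYPTED = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, assess_document(blob))
```

A real triage script would walk user document directories and raise an alert when many files flip to "suspicious" in a short window, which is the pattern a crypto-malware run leaves behind.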

Logic Bomb

Also referred to as a slag code, a logic bomb is designed to explode (or execute) under conditions such as a failure of a user to react to a command prompt or a lapse of a specific amount of time. After execution, it may be designed to erase critical files, display spurious text, or have other devastating effects. If an organization had someone in to do any custom programming and things went awry after a few weeks, it could be an indicator of logic bomb compromise. Custom (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dan Virgillito. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/LQRervKeqSA/