Malware Analysis

Overview

As a network defender, you are tasked with finding a needle in a needlestack, where the needle you’re looking for may or may not exist, and you don’t know exactly what the needle looks like in the first place. On top of that, the needle maker tries very hard to make their needle look like all the other needles.

That is a really hard job, and it can be very daunting for someone who is new to it to differentiate good from bad. The number one question I hear from new intrusion detection analysts is, “What should I be looking for?” We’re going to try to answer that question today.

In this series, we will take a look at portable executable (PE) files and highlight key differentiators to look for that can help you say, with confidence, whether an executable is legitimate or malicious.
