Guide

Malware analysis & breach assessment: triage to decision

A safe, high-level workflow for time-critical investigations.

10 min read

In a live incident, aim for fast, defensible decisions. Use staged triage, preserve evidence, and escalate to vetted specialists when deep reversing is required.

This guide focuses on what teams can do safely in the first hours: confirm scope, reduce harm, and decide whether to contain, monitor, or hand off.

Safety, legality, and scope (start here)

  • Do not execute suspicious files on production endpoints. Use an isolated analysis environment with no outbound trust to production or sensitive SaaS.
  • Collect only what you need; tag and hash artifacts; keep chain-of-custody notes. Coordinate with legal/HR for any personal data.
  • Follow platform and tool licenses; never acquire or deploy offensive tools without approval and documented authority.

Stage 1: rapid triage (≤60 minutes)

  • Identify artifacts: suspicious binaries, scripts, documents, URLs, email headers, and process trees from alerts.
  • Hash first: compute SHA-256; record file size and timestamps. Compare against internal intel and reputable threat feeds.
  • Static peek only: safe metadata and strings review to classify family/intent; avoid interactive execution at this stage.
  • Scope check: list potentially affected hosts, accounts, and data stores based on logs and EDR findings.

Decision point A: contain now or watch briefly?

Contain immediately if destructive behavior, credential theft, or data access is suspected. A short monitor window is acceptable only to confirm scope and should be time-boxed with explicit approval.

Evidence handling and minimal live response

  • Acquire memory and key logs from priority hosts when feasible; avoid altering disks beyond what collection requires.
  • Preserve relevant email items (message/routing headers) and proxy/DNS logs for the time window in question.
  • Store artifacts in a restricted workspace; record who accessed what and when.
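The "hash first" step of Stage 1 and the evidence-handling notes above, as an added Python example that is not part of this guide: it streams SHA-256 over each artifact without executing it, records size and timestamps, flags matches against an intel set, and appends one chain-of-custody line per artifact. The intel set (the hash of a made-up byte string), the two sample files, the collector name and the CASE-PLACEHOLDER case ID are all constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for internal intel: the SHA-256 of a made-up byte string.
SAMPLE_BAD_BYTES = b"constructed-sample-payload"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}

def sha256_file(path, chunk_size=1 << 20):
    # Stream the file so large artifacts never have to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_artifact(path, case_id, collector, intel=KNOWN_BAD_SHA256):
    # Read-only: hash, size, timestamps, intel match, plus who collected it and when.
    stat = os.stat(path)
    digest = sha256_file(path)
    return {
        "case_id": case_id,
        "path": os.path.abspath(path),
        "sha256": digest,
        "size_bytes": stat.st_size,
        "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "intel_match": digest in intel,
    }

def append_custody_record(record, log_path):
    # One JSON line per artifact; the log is itself evidence, so append only.
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")

def run_demo():
    # Two constructed artifacts in a scratch directory; CASE-PLACEHOLDER stands in for a real case ID.
    workdir = tempfile.mkdtemp(prefix="triage-")
    files = {"dropper.bin": SAMPLE_BAD_BYTES, "notes.txt": b"benign constructed text"}
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    log_path = os.path.join(workdir, "custody.jsonl")
    records = [triage_artifact(os.path.join(workdir, n), "CASE-PLACEHOLDER", "analyst1") for n in files]
    for record in records:
        append_custody_record(record, log_path)
    return records, log_path
```

Call run_demo() to produce the two records and the custody.jsonl log in a scratch directory; in a real case, point triage_artifact at the collected files and the intel set at your own feed.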

Stage 2: safe analysis for classification

Goal: decide family/behavior and likely objectives without deep reversing. Keep it reproducible and low-risk.

  • Detonation only in a sandbox with strict egress controls; capture process, file, network, and registry behavior.
  • Extract indicators: domains, IPs, mutexes, scheduled tasks, service names, persistence keys, and dropped paths.
  • Map to intent: loader vs. stealer vs. wiper vs. ransomware staging; note evidence supporting the call.

Decision point B: scope confirmed → action plan

  • If credentials touched: revoke sessions, rotate credentials, and invalidate tokens for affected identities.
  • If lateral movement suspected: isolate hosts, disable risky protocols, and block IOCs at email, web, DNS, and EDR.
  • If data access likely: begin impact assessment with data owners; prepare regulatory notification pathways as required.

Communications and documentation

  • Maintain a timeline of observations, actions, and decisions with timestamps and owners.
  • Brief stakeholders in plain language: what happened, what we did, what remains, and when the next update arrives.
  • Track external dependencies (vendors, cloud providers) and ticket them with clear IOCs and containment asks.

When to call specialists

  • You need deep reversing, firmware analysis, or kernel-level forensics beyond in-house skills.
  • Suspected destructive malware, data exfiltration at scale, or ransomware negotiations.
  • Cross-border implications or criminal activity requiring law-enforcement coordination via counsel.

Metrics leaders can track

  • Time-to-classify: Hours from alert to preliminary family/intent determination.
  • Time-to-contain: Hours from first decision to host isolation, token revocation, and IOC blocking.
  • Reinfection rate: Hosts that re-trigger after containment due to missed persistence or credentials.
  • Evidence completeness: Percentage of priority artifacts collected (hashes, logs, memory).

Common anti-patterns to avoid

  • Running malware on corporate laptops or inside the production network.
  • Jumping to eradication without scoping; missing persistence or secondary access paths.
  • Collecting excessive personal data with no retention limits or legal review.
  • Untracked changes—no hashes, no case IDs, weak notes—making lessons and audit impossible.

Speed and discipline win. Classify safely, contain precisely, and document clearly. When complexity spikes, hand off to specialists and keep ownership of decisions and outcomes.