An important and rapidly growing role within the cybersecurity hierarchy is that of the malware analyst. Part security engineer, part digital forensics expert, and part programmer, this crucial function provides in-depth intelligence after a cybersecurity event. Once the initial cyberattack has been identified and contained, it is critical that a thorough analysis and examination of the incident take place. This will necessarily include a close look at the tools and methods used by the adversary.
By analyzing the malicious software used in an attack, new defenses can be deployed or existing ones refined as needed. The ability to reverse engineer malicious code is paramount in a defensive strategy, and this is where the malware analyst brings value to the cybersecurity team.
The cross between a highly skilled programmer and a cyber detective makes this an attractive option for many curious, technically minded people.
Five steps to becoming a malware analyst
- Education: A fundamental building block for any cybersecurity career is a bachelor’s degree in either cybersecurity or computer science. Since the very heart of being a successful malware analyst is the ability to stay one step ahead of highly skilled cyber bad actors, a bachelor’s degree in one of these disciplines should be viewed as an essential entry point into the field. This foundation supports the additional programming and reverse engineering skills the role requires.
- Career path: A common career path for this cybersecurity specialty passes through several years as a programmer or developer. These skills arm the applicant with the basis for understanding how malicious software is created. A path coming up through the security department is common only for those possessing advanced programming skills as well as an understanding of security principles.
- Professional certifications: While there is no industry-wide prescribed professional certification required for a career as a malware analyst, two certifications stand out as desirable qualifiers. The Certified Information Systems Security Professional (CISSP) demonstrates that an applicant has a sound understanding of security architecture, engineering, and management. The Certified Ethical Hacker (CEH) further demonstrates an in-depth knowledge of cyberattacks and mitigation methods.
For work in the government or government contractor sectors, plan on acquiring a Top Secret/Sensitive Compartmented Information (TS/SCI) clearance, as it will likely be required.
- Experience: Because the knowledge base required to be a successful malware analyst is, in many aspects, cross-functional, it is a position best suited to an experienced computer scientist or security professional. Even coming out of college with either of the above-mentioned bachelor’s degrees, it is unlikely that a candidate would possess the experience needed in both security and programming. Experience in the field allows a candidate to add a solid knowledge of security principles and practices on top of programming skills, or vice versa.
- Continued learning: A critical qualifying step toward becoming a malware analyst is to demonstrate a drive and ability to stay abreast of cutting-edge attack techniques and methods. The ability to identify, contain, disassemble, and mitigate zero-day malware is the pinnacle of desirable skills.
Largely, cyberattacks are successful because they contain some unexpected or unforeseen element in the cyber kill chain. The job of a malware analyst includes being able to look at past events and accurately predict what the next attack may look like.
What is a malware analyst?
More than anything else a malware analyst is a cyber-sleuth, but one with carefully honed programming skills. They use their programming ability to gain an understanding of how an attack was deployed, why it was or wasn’t successful, and most importantly how it can be defended against. They possess the knowledge needed to dissect the exploit and identify the target vulnerability. Working with other cybersecurity experts they make an invaluable contribution toward protecting against and mitigating cyber threats.
This role is unique within a security enterprise because it requires an understanding of offensive as well as defensive techniques and security principles. It requires assembly language programming skills alongside a Columbo temperament.
Malware analyst skills and experience
The ability to analyze and reverse engineer suspicious code enables the malware analyst to protect digital assets by predicting the intended results of the code and by establishing a signature to help identify its presence.
While most malware is written in mid-level languages such as C or C++, the analyst usually has only the compiled binary, not the source, so the code will need to be disassembled to be readable. This requires that a malware analyst be able to read, understand, and program in the much more arduous low-level assembly language.
The ability to work with various high-level programming languages is also important, as is proficiency with the specialized and sophisticated analysis tools the work requires.
What do malware analysts do?
The primary function of a malware analyst is to identify, examine, and understand various forms of malware and their delivery methods. This malicious software includes all the diverse forms of adware, bots, bugs, rootkits, spyware, ransomware, Trojan horses, viruses, and worms.
After the organization’s incident response team has identified and contained an attack, the malware analyst will be called upon to disassemble, deconstruct, and reverse engineer the malicious code so that the security team can better protect against a future attack of the same or similar origin and capabilities. It is largely a function of solving puzzles and connecting seemingly disparate dots.
While not generally considered part of the incident response team or the first line of defense, malware analysts can sometimes be called in during the early stages of an attack to bring clarity to the type of attack and the methods being used by the attackers. It is also common for the malware analyst to play a significant role in mitigation and recovery efforts once the attack vector has been identified and the payload contained.
On a routine basis, the analyst will be called upon to examine suspect code and determine whether it is, in fact, an element of a malware attack. Especially when dealing with advanced persistent threats (APTs), the malicious code may be placed little by little before being detonated. While this makes the task of detecting and identifying malicious code more difficult, it also affords the malware analyst an opportunity to examine and protect against the attack before harm is done.
Malware analyst job description
It should be expected that each organization will seek a unique set of skills when considering the addition of a malware analyst. The size and composition of their security team along with the strengths and weaknesses of existing staff will shape their specific needs. Generally speaking, however, an ideal candidate will have one or more of the following skills:
- Experience with IDA Pro, WinDbg, OllyDbg, and Immunity Debugger
- Strong knowledge of C/C++, the Windows API, and Windows OS internals
- Ability to reconstruct unknown file formats and data structures
- Ability to reconstruct unknown TCP/IP protocols
- Understanding of unpacking, deobfuscation, and anti-debugging techniques
- Scripting in Python, Perl, or Ruby
- Ability to write technical reports
Common job responsibilities will include:
- Record malware threats and identify systems to avoid them
- Examine programs and software using analysis programs to identify threats
- Classify malware based on threats and characteristics
- Stay up to date on the latest malware and keep software updated to defend against them
- Write alerts to keep the security team informed
- Help create documentation for security policies
- Understand tools that identify zero-day cyber threats
Outlook for malware analysts
As the much-heralded worldwide cybersecurity staffing shortage grows, so does the demand for qualified malware analysts. As new entrants fill entry-level positions in the field, opportunities for security professionals wishing to advance, and even to cross over from programming roles, are expected to increase.
There are no credible indications that the rate at which malicious code is deployed across the globe will decrease in the foreseeable future. On the contrary, new and ever more pernicious forms of malware are found every month. As long as this holds true, the need for malware analysts will continue to increase.
How much do malware analysts make?
Malware analysts have a competitive advantage over many other cybersecurity jobs because the role demands special programming and language skills as well as a strong understanding of complex tools. It is considered by most to be an experienced-level, rather than an entry-level, role and commands a commensurate level of compensation.
While some researchers indicate an average annual salary of around $100,000, according to a recent finding by Neuvoo.com, the average malware analyst salary in the USA is $165,000 per year. Entry-level positions start at $78,000 per year while experienced workers can make up to $234,000 per year.