Best Books to Learn Malware Analysis & Intrusion Detection


Feb 15th, 2015

I currently work for Trend Micro, one of the top three anti-virus vendors in the market. In fact, in Japan we have something like 70% market share and are also by far the favourite AV product in Germany and Iceland. We fight with McAfee and Symantec for the top positions around the rest of the globe.

My background has always been security, but previously it was Security Information and Event Management, known as SIEM, and Security Configuration Management, not so much malware and Trojans. So, I had to get up to speed. I did do an internal course for all the new guys, which was fantastic, but I have always been a reader and was looking for a good book or two to help me with the learning curve.

I asked the instructor for any good reference guides and he swore by Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig. This was also the book that practically everyone I asked at Black Hat recommended.

The book is BIG and very in-depth, assuming no prior knowledge and starting with the basics: static and dynamic analysis and standard malware taxonomy. There are discussions of free tools, although some of them are no longer updated, like PEiD, alongside the more common tools like Process Monitor (Procmon) and Process Explorer from the Sysinternals suite.

Each chapter finishes with a lab to ensure that your knowledge is cemented with practical hands-on exercises. This is by far the best book on how to reverse engineer malware and, to most in the industry, the bible.

The second book out of the stack I had available to me from work was The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich. It comes from a different perspective than the Practical Malware Analysis book, but is just as interesting. This book is more about the analysis of network traffic and statistics to identify a breach or intrusion by a piece of malware or an individual. He covers a bunch of open source tools such as Snort, tcpdump and Ethereal (the packet analyser since renamed Wireshark) in great detail, and gets deep enough into each tool to ensure you walk away with enough understanding to start using them in anger. He could have covered Snort in more detail, but obviously it is covered in more depth elsewhere, such as in the Snort Intrusion Detection and Prevention Toolkit.

The detail is great, but do not get into this book unless you want to look through logs and understand exactly what you are looking at; in other words, unless you are a right geek! If your job is to track down the bad guys in your network you can't go wrong with this book.

The final book I picked up because the name was so cool: Network Forensics: Tracking Hackers through Cyberspace. I was not disappointed; yes, the title is cheesy, but this is 500 pages of gold. The authors are Jonathan Ham and Sherri Davidoff, both of whom have taught me on SANS Institute courses, and both of whom obviously have in-depth knowledge. I particularly liked the statistical flow analysis section and the second chapter, which covered malware forensics and network tunnelling.

With the three books above you are on your way to learning the art of malware detection and analysis, which as a long-term geek I find fascinating.


© 2006-2017 Security Magazine.