Malware Analysis SIG


Computer Security Incident Response Teams (CSIRT) are typically engaged in mitigating malware incidents. The identification and mitigation of these incidents is often complex, and requires a variety of skills, including anomaly detection, dynamic analysis, static analysis, prioritization and clustering. In addition, mitigations and responses can be very diverse, from the simple removal of a file, over the wiping of an individual machine, through the rebuild and migration of a network area or enterprise network.

Accurate prioritization, while always a goal, is often very difficult. Some organizations invest large resources in distinguishing between day-to-day attacks that can be addressed through anti-malware solutions, and more targeted or significant infections that may require significant forensics and investigation. However, a large part of the CSIRT community is simply not able to invest these resources, or does not have a good place to start.

This SIG will have as goal to develop best practices for the CSIRT community around malware detection, mitigation and remediation. It will aim to build a framework which organizations can readily adopt for malware response, including both baseline and state of the art elements at varying levels of organizational maturity, and develop an index of tools available to fill specific needs.


We have the following goals:

  • Develop a framework that contains best practices on malware analysis and response. This framework document will agree on the high level steps in detecting, categorizing, analyzing, prioritizing and responding to malware threats.
  • Develop a list of tools which support each of the functions above, and a listing of skills required to successfully use each of the tools;
  • Develop a list of Indicators of Compromise types that are typically the goal of extraction from a malware sample;
  • Develop a channel within the FIRST community for the ongoing discussion of new techniques and methodologies used by malware developers, and ensure there is a process for these discussions to inform updating the documents created as part of the SIG.


Maarten Van Horenbeeck and Matt Jezorek

Mailing list

(please send requests to join to )