Over the years I have been asked many questions by clients regarding computer viruses and malware in general. The challenging thing about the topic is that while what a virus may do is complex, its anatomy is fairly simple. Many CIOs and CISOs have asked me to help them translate the language of technical experts into simple business terms. This short blog post is intended to help those struggling with the same issue. It is not intended to be a detailed technical conversation on the topic.
The anatomy of a computer virus is broken down into three basic parts:
Propagation is the means or manner by which the virus will spread or move around from one system to the next, or on a network.
Trigger is the action or event that will activate the virus to release the payload.
Payload is the code, instruction, programming, or whatever you want to call it, that is executed on the target system, typically resulting in the exploitation of a system or application vulnerability that has not been patched. The end result may be unauthorized access to the target system, unauthorized access to sensitive information, loss of control of the target system to a hacker remotely controlling it over the Internet, etc.
It is on the understanding of this basic anatomy model of a computer virus that a defensive strategy can be built. Over the years, I have been involved in many incident management efforts in which we leveraged the specialty skills of the incident management team to understand the challenge at hand. During these efforts it was apparent that the malware was moving faster than anti-virus vendors could get an updated signature file out, so we recognized that the job of protecting the organization during this vulnerable period was up to the team. We did this simply by capturing a copy of the malware, decompiling it in a sanitized and non-connected test environment, and creating tactical and strategic plans to combat the threat of the malware.