WEAPONIZATION: Prepare the Operation

ADVERSARY

The adversaries are in the preparation and staging phase of their operation. Malware generation is likely not done by hand – they use automated tools. A “weaponizer” couples malware and exploit into a deliverable payload.
• Obtain a weaponizer, either built in-house or obtained through public or private channels.
• For file-based exploits, select a “decoy” document to present to the victim.
• Select a backdoor implant and appropriate command and control infrastructure for the operation.
• Designate a specific “mission id” and embed it in the malware.
• Compile the backdoor and weaponize the payload.
DEFENDER

This is an essential phase for defenders to understand. Though they cannot detect weaponization as it happens, they can infer it by analyzing malware artifacts. Detections against weaponizer artifacts are often the most durable & resilient defenses.
• Conduct full malware analysis – not just what payload it drops, but how it was made.
• Build detections for weaponizers – find new campaigns and new payloads only because they re-used a weaponizer toolkit.
• Analyze the timeline of when malware was created relative to when it was used. Old malware is “malware off the shelf,” but new malware might mean active, tailored operations.
• Collect files and metadata for future analysis.
• Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held?
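The two defender bullets on build timelines and on weaponizer artifacts shared across campaigns can be tried on constructed data. The script below is an added example; it is not part of the kill chain document and is not a tool from its author. It reads the COFF compile timestamp and section layout out of minimal, self-built PE headers (the fixtures are constructed, not real malware), classifies each sample as fresh or off the shelf against an assumed first-seen date and a 7-day threshold, and groups samples from two made-up campaigns by a structural “how it was built” fingerprint. Campaign names, the threshold, and the fingerprint fields are all assumptions chosen for illustration.

```python
"""Weaponization-phase triage on constructed PE headers (added example, not
from the Lockheed Martin kill chain document). Standard library only."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, OptHdrSize, Characteristics
SECTION_HEADER_SIZE = 40
FRESH_DAYS = 7             # assumed threshold; tune per environment


def build_fake_pe(timestamp, section_names, machine=0x8664, characteristics=0x22):
    """Construct a minimal PE image (DOS stub, COFF header, no optional header,
    one 40-byte section header per name). Test fixture only, not real malware."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: COFF header starts at 0x40
    coff = struct.pack(COFF_HEADER, machine, len(section_names), timestamp, 0, 0, 0, characteristics)
    sections = b"".join(name.ljust(8, b"\0")[:8] + b"\0" * 32 for name in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + sections


def parse_pe_metadata(data):
    """Return the build-related metadata worth keeping for later analysis."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image (missing PE signature)")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    first = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_size
    names = []
    for i in range(nsections):
        off = first + i * SECTION_HEADER_SIZE
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "characteristics": characteristics,
            "timestamp": timestamp, "sections": tuple(names)}


def classify_age(compile_ts, first_seen, fresh_days=FRESH_DAYS):
    """Compare compile time with first-seen time: 'fresh', 'off-the-shelf' or
    'unreliable'. The header timestamp is attacker-controlled, so a zero or
    future value is flagged rather than trusted."""
    if compile_ts == 0:
        return "unreliable"
    compiled = datetime.fromtimestamp(compile_ts, tz=timezone.utc)
    if compiled > first_seen + timedelta(days=1):   # one day of clock-skew tolerance
        return "unreliable"
    return "fresh" if first_seen - compiled <= timedelta(days=fresh_days) else "off-the-shelf"


def weaponizer_fingerprint(meta):
    """Structural traits of how the builder laid the file out; these survive
    a payload swap, which is what makes them durable detection material."""
    return (meta["machine"], meta["characteristics"], meta["sections"])


def group_by_fingerprint(samples):
    """samples: list of (campaign, pe_bytes) -> {fingerprint: sorted campaign names}."""
    groups = defaultdict(set)
    for campaign, data in samples:
        groups[weaponizer_fingerprint(parse_pe_metadata(data))].add(campaign)
    return {fp: sorted(c) for fp, c in groups.items()}


# Constructed corpus: three samples from two made-up campaigns, one first-seen date.
SEEN = datetime(2024, 3, 10, tzinfo=timezone.utc)
CORPUS = [
    ("CAMPAIGN-A", build_fake_pe(int((SEEN - timedelta(days=2)).timestamp()), [b".text", b".rdata", b".xyz"])),
    ("CAMPAIGN-B", build_fake_pe(int((SEEN - timedelta(days=400)).timestamp()), [b".text", b".rdata", b".xyz"])),
    ("CAMPAIGN-B", build_fake_pe(0, [b".text", b".data"])),
]

if __name__ == "__main__":
    for campaign, data in CORPUS:
        meta = parse_pe_metadata(data)
        print(campaign, meta["sections"], classify_age(meta["timestamp"], SEEN))
    for fp, campaigns in group_by_fingerprint(CORPUS).items():
        print("shared weaponizer traits", fp, "->", campaigns)
```

Run as-is, the first sample is reported fresh, the second off the shelf, and the third unreliable (zeroed timestamp); the first two share a fingerprint across both campaigns, which is the kind of cross-campaign link the last bullet asks about. On real samples the same fields come from the actual file headers, and the fingerprint would be extended with whatever builder traits analysis shows to be stable.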