I am a believer in the ‘just because you can do something, doesn’t necessarily mean that you should’ mentality, and I was reminded of this again this morning when I read ‘Malware Analysis as a function of intelligence and counterintelligence operations’.
As I start my first blog, I am grappling with the matter of what to blog about, what not to blog about, what to do, and what not to do; lest my actions potentially say more than I wanted to say. The idea that your actions (or sometimes inaction) can say more than you wish to say, isn’t new to me and is, in fact, something which I would like to blog about later — software/devices (and people for that matter) often leak information which, while not explicitly disclosing information, can sometimes allow for (potentially undesirable) inferences. Passive operating system fingerprinting is an example of this.
As a blogging newbie keen to share some of the malware analysis knowledge (which enables me to do certain things) that I have built up, but without, as yet, having had the chance to gain any professional malware analysis experience (which would help enable me to tell whether I should), the ‘just because you can do something, doesn’t necessarily mean that you should’ thought popped back into my head. Just because I can blog about a particular topic, process, script, or piece of malware that drifted in from the Internet, doesn’t necessarily mean that I should.
I have spent a reasonable amount of time (especially as I prepared to start this blog) reading other malware analysis related blogs to try to find the professional ‘norm’. As one of the reasons for starting this blog is to share ideas (including methods and scripts) with other analysts, I am keen to find out what other malware analysts think is a good compromise between sharing useful information, and disclosing too much — after all, malware analysts posting blog entries about their methods strikes me as being a bit like a military organisation posting some of their military strategy on the Internet for their enemies to read. Having said that, I wouldn’t have been able to gain most of my recent knowledge, had it not been for the available (whether via the Internet or through books) information regarding malware analysis techniques.