**2.3 Advanced malware techniques**

These types of malware are built to evade ordinary anti-malware defenses. Three representative examples are rootkits, polymorphic viruses and armored viruses. A rootkit takes its name from the root account, the superuser account that has unrestricted access to the system's resources and whose privileges are normally reserved for the system administrator [11]. Once an attacker has obtained that level of access, typically by compromising an ordinary user account first and then escalating privileges, a rootkit is installed to keep the access and to hide it: a rootkit is software whose purpose is to conceal other software (processes, files, network connections and the rootkit itself) from the operating system's own reporting mechanisms and from security tools. Rootkits can deliver a variety of malicious payloads, such as backdoors, botnet agents, adware and spyware. They can operate in user mode or in kernel mode, and each mode involves a trade-off. A user-mode rootkit runs with ordinary process privileges, usually by hooking or replacing user-space libraries and utilities; it is comparatively easy to write but also comparatively easy to detect, because the kernel's view of the system remains trustworthy and can be compared against the rootkit's falsified view. A kernel-mode rootkit runs with the kernel's own privileges and can alter the system's view of itself at the source; it is harder to write and riskier to deploy (a bug can crash the machine), but it is correspondingly harder to detect from within the compromised system.

#### *Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems DOI: http://dx.doi.org/10.5772/intechopen.105478*

Polymorphic viruses are designed to defeat signature detection. Signature detection isolates malware by extracting a characteristic byte pattern from a known sample and matching it against a database of such patterns. A polymorphic virus evades this by changing its appearance rather than its behavior: every new infection produces a file whose bytes differ from those of every other copy, so a pattern taken from one copy does not match the next and signature matching fails. The usual mechanism is encryption: the virus body is stored encrypted with a different key in each infected system, so the encrypted body looks entirely different from one copy to the next, and a small loader (the decryptor) at the start of the virus carries the key and restores the original code in memory before running it. The decryptor must itself vary between copies (by reordering instructions, inserting junk code or substituting equivalent instruction sequences); if it stayed constant it would be a usable signature on its own, and it is exactly there that signature scanners, and emulating scanners that let the decryptor run and then scan the decrypted body, look for the virus.
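To make the mechanism concrete, the following Python script is an added illustration and not code from the chapter. It uses a harmless marker string as the "virus body" and a constant byte string standing in for the decryptor stub (both constructed here, and the cipher is a toy repeating-key XOR chosen for this example). It builds copies of the same body encrypted under different keys, and shows that a signature taken from the body matches no copy statically, matches every copy after the loader's decryption step (what an emulating scanner does), and that the unchanged stub still matches, which is why real polymorphic engines must mutate the decryptor as well.

```python
import os
from typing import Optional

# Constructed, harmless stand-in for the virus body. In a real polymorphic
# virus this would be the malicious code; here it is only a marker string.
BODY = b"HELLO-FROM-THE-PAYLOAD-BODY-MARKER"

# Constructed stand-in for the decryptor (loader). In a real sample this is
# executable code that runs first and decrypts the body in memory; for this
# illustration it is a fixed byte string so that we can scan for it.
STUB = b"\x90\x90DECRYPTOR-STUB\x90\x90"

KEY_LEN = 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the toy cipher used by this illustration."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def random_key() -> bytes:
    """Fresh per-copy key. A zero key byte would leave the corresponding
    body bytes unchanged, so such keys are rejected."""
    while True:
        key = os.urandom(KEY_LEN)
        if b"\x00" not in key:
            return key


def make_variant(key: Optional[bytes] = None) -> bytes:
    """Produce one polymorphic copy laid out as STUB || key || E_key(BODY).
    A fresh random key is drawn unless one is supplied (fixed keys make
    the result reproducible)."""
    key = key if key is not None else random_key()
    if len(key) != KEY_LEN or b"\x00" in key:
        raise ValueError("key must be %d non-zero bytes" % KEY_LEN)
    return STUB + key + xor_bytes(BODY, key)


def unpack(variant: bytes) -> bytes:
    """What the loader does at run time: read the key and restore the body."""
    key = variant[len(STUB):len(STUB) + KEY_LEN]
    return xor_bytes(variant[len(STUB) + KEY_LEN:], key)


def scan(sample: bytes, signature: bytes) -> dict:
    """Three views of one sample:
    - static:       plain signature match against the bytes on disk
    - stub:         match against the unchanged decryptor, the weak spot
    - after_unpack: match after letting the loader run, i.e. emulation"""
    return {
        "static": signature in sample,
        "stub": STUB in sample,
        "after_unpack": signature in unpack(sample),
    }


if __name__ == "__main__":
    sig = BODY[6:22]            # a 16-byte pattern extracted from the body
    a, b = make_variant(), make_variant()
    print("copies identical:", a == b)
    for name, copy in (("copy A", a), ("copy B", b)):
        print(name, scan(copy, sig))
```

The per-copy key is the only thing that changes between copies here; a real engine also rewrites the stub, and a scanner that cannot run or emulate the stub is left with whatever constant bytes the engine failed to vary.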

The third advanced type, armored viruses, is built to resist reverse engineering, the process by which analysts take a sample apart at the machine-language or assembly level, which can be regarded as the DNA of the attacking code. The techniques used include writing the code in obfuscated assembly that hides the true intent of the program, detecting and blocking the debugger an analyst attaches to it, and detecting the sandboxes used to isolate and observe samples so that the virus behaves harmlessly for as long as it believes it is being watched.

#### **2.4 Botnet**

A botnet is built by taking control of a network of computers, for example by a worm that propagates through the network from a single infected machine. The attacker's aim is to harvest the victims' processing power, storage and network connectivity by enrolling the infected systems in the botnet, which can be regarded as a collection of zombie computers connected together for malicious purposes [12]. Once the attacker has compromised a system by any of the techniques discussed earlier, the system is joined to the botnet; it is now a victim that waits for further instructions. Botnets are commonly sold or rented to others for spam delivery, distributed denial-of-service attacks, brute-force password cracking or cryptocurrency mining, so the key resources of the infected systems (storage, computing power and network connectivity) are effectively stolen. The attacker usually does not communicate with the infected systems directly, since a direct connection could be discovered by the security analysis team and cut off. Instead, the bots are steered through indirect command-and-control (C2) mechanisms that hide the attacker's true location, and several such techniques are typically combined so that control over the botnet is retained for as long as possible.

## **3. Threat intelligence**

Threat intelligence can be described as the adoption of best practices for identifying the latest security threats, and the risks associated with them, that can affect the functions and operations of an organization [13]. It is an important part of any organization's cybersecurity analysis program. Applied effectively, threat intelligence significantly improves security by keeping the organization current with the latest threats and enabling it to respond to the associated risks quickly and accurately. A threat intelligence analyst, a role in high demand in recent years, should consider the following points. First, gather information effectively from trusted, commonly used open sources: security web sites, news media, social media, government-sponsored security analysis centers and security research centers. Second, use that information to run simulated attacks (penetration tests) against the organization's own systems to measure the readiness and effectiveness of its defensive lines [14].

Threat intelligence centers can do much to raise readiness and maturity against the latest threat trends by engaging their audience with security briefings that summarize the latest critical issues. One example is educating the audience about IP reputation services, which provide real-time information on IP addresses involved in suspected attacks; this information can be fed directly into firewalls, intrusion prevention systems and other security tools. Threat intelligence sources can be evaluated against three main criteria: timeliness (how quickly a threat is reported after it appears, so that a reaction is possible), accuracy (how reliably the reported indicators correspond to real threats rather than false positives), and reliability (how consistently the source delivers, and how well the defensive actions taken on its information perform).
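As an added illustration of how reputation data reaches the tools and how the three criteria can be measured, the following Python script (not from the chapter; the feed names, indicators, log lines and incident outcomes are all constructed here) matches two hypothetical indicator feeds against firewall log lines, computes for each feed how far ahead of the observed event its indicator was published (timeliness) and what fraction of its matched indicators were later confirmed malicious by incident response (accuracy), and derives a confidence-thresholded block list of the kind a firewall or IPS would load.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address
from statistics import median


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed indicator feeds from two hypothetical sources. first_seen is
# when the source published the indicator; confidence is the source's score.
FEEDS = {
    "feed_a": [
        {"ip": "203.0.113.7",   "first_seen": "2024-05-01T08:00:00Z", "confidence": 90},
        {"ip": "198.51.100.20", "first_seen": "2024-05-01T09:30:00Z", "confidence": 40},
        {"ip": "192.0.2.50",    "first_seen": "2024-05-01T09:00:00Z", "confidence": 80},
    ],
    "feed_b": [
        {"ip": "203.0.113.7",   "first_seen": "2024-05-01T11:00:00Z", "confidence": 70},
        {"ip": "192.0.2.50",    "first_seen": "2024-04-30T12:00:00Z", "confidence": 95},
    ],
}

# Constructed firewall log lines (the format is invented for this example).
FIREWALL_LOG = """\
2024-05-01T10:05:00Z action=ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:06:00Z action=ACCEPT src=10.0.0.9 dst=198.51.100.20 dport=443
2024-05-01T10:07:00Z action=ACCEPT src=10.0.0.9 dst=192.0.2.50 dport=80
2024-05-01T10:08:00Z action=ACCEPT src=10.0.0.7 dst=93.184.216.34 dport=443
"""

# Constructed ground truth established later by incident response.
CONFIRMED_MALICIOUS = {"203.0.113.7", "192.0.2.50"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def match_events(log: str, feeds: dict) -> list:
    """One hit per (event, feed, indicator) whose destination IP is in that feed.
    lead_s > 0 means the feed published the indicator before the event happened;
    a negative value means the feed was late for this event."""
    index = {}
    for source, indicators in feeds.items():
        for ind in indicators:
            index.setdefault(ind["ip"], []).append((source, ind))
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event_ts = parse_ts(m["ts"])
        for source, ind in index.get(m["dst"], []):
            hits.append({
                "event_ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "source": source, "confidence": ind["confidence"],
                "lead_s": (event_ts - parse_ts(ind["first_seen"])).total_seconds(),
            })
    return hits


def evaluate_sources(hits: list, confirmed: set) -> dict:
    """Per feed: matched events, median lead time (timeliness) and the fraction
    of its matched indicator IPs later confirmed malicious (accuracy)."""
    report = {}
    for source in sorted({h["source"] for h in hits}):
        mine = [h for h in hits if h["source"] == source]
        ips = {h["dst"] for h in mine}
        report[source] = {
            "matches": len(mine),
            "median_lead_s": median([h["lead_s"] for h in mine]),
            "precision": round(len(ips & confirmed) / len(ips), 3),
        }
    return report


def blocklist(feeds: dict, min_confidence: int) -> list:
    """IPs whose best confidence across all feeds meets the threshold, sorted
    numerically: the list a firewall or IPS would consume."""
    best = {}
    for indicators in feeds.values():
        for ind in indicators:
            best[ind["ip"]] = max(best.get(ind["ip"], 0), ind["confidence"])
    return sorted((ip for ip, c in best.items() if c >= min_confidence), key=ip_address)


if __name__ == "__main__":
    hits = match_events(FIREWALL_LOG, FEEDS)
    for h in hits:
        print(h)
    print(evaluate_sources(hits, CONFIRMED_MALICIOUS))
    print("block:", blocklist(FEEDS, 75))
```

In the constructed data feed_a is timelier but less accurate (one of its three matched indicators was never confirmed), while feed_b is accurate but published one indicator after the connection had already happened; the per-feed lead time and precision are what an analyst would track over months to decide how much weight, and what confidence threshold, each source deserves before its indicators are pushed to blocking devices.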
