Course overview

How to Design and Defend Against Malware

47 modules
190 lessons
—
Part 1

Appendices

  1. Appendix A - Diagram Templates by StepSign in

  2. Appendix B - Mapping Concepts to Real-World Tools and PlatformsSign in

  3. Appendix C - Readiness Checklists (Step N to Step N+1)Sign in

  4. Appendix D - GlossarySign in

Part 2

Course Setup and the Incremental Ladder

  1. Course Setup and the Incremental LadderSign in

  2. Why Viruses to VaccinesSign in

  3. How to Use This CourseSign in

  4. The Incremental Ladder (Step 0 to Step 7)Sign in

  5. The Course LensesSign in

  6. Diagram Legend and Notation TypesSign in

Part 3

Malware in Context

  1. Malware in ContextSign in

  2. Malware as One Threat ClassSign in

  3. Motivations and ConstraintsSign in

  4. Understanding Without ReplicatingSign in

Part 4

Malware as Programs and Processes

  1. Malware as Programs and ProcessesSign in

  2. Malware as Hostile SoftwareSign in

  3. Execution FormsSign in

  4. Goals of Persistence and EvasionSign in

Part 5

The Defender’s Mental Model

  1. The Defender’s Mental ModelSign in

  2. Attack Surface and Attack PathsSign in

  3. Assume Breach and Layered ControlsSign in

  4. Cost Asymmetry and the Control PortfolioSign in

Part 6

Diagramming Malware Lifecycles and Defenses

  1. Diagramming Malware Lifecycles and DefensesSign in

  2. Infection and Propagation DiagramsSign in

  3. System Context DiagramsSign in

  4. Defense Stack DiagramsSign in

Part 7

Classes of Malware (High-Level Taxonomy)

  1. Classes of Malware (High-Level Taxonomy)Sign in

  2. Labels vs BehaviorsSign in

  3. Payload ConceptsSign in

  4. Examples as Defender AnchorsSign in

Part 8

Malware Lifecycle and Kill Chain (Defender View)

  1. Malware Lifecycle and Kill Chain (Defender View)Sign in

  2. Lifecycle Stages From Initial Access to ObjectivesSign in

  3. Mapping Stages to ControlsSign in

  4. Prioritization Under ConstraintsSign in

Part 9

Persistence, Stealth, and Evasion (Conceptual)

  1. Persistence, Stealth, and Evasion (Conceptual)Sign in

  2. Persistence Categories - Services, Autoruns, Scheduled Tasks, and Staying PowerSign in

  3. Evasion Goals - Avoid Detection, Blend In, and Survive RebootsSign in

  4. Counter-Strategies - Baselining, Integrity Checks, and Continuous MonitoringSign in

Part 10

Initial Infection Vectors (High Level)

  1. Initial Infection Vectors (High Level)Sign in

  2. Social Engineering and Documents - Why User Workflows Are Part of the Attack SurfaceSign in

  3. Exploited Services and Weak Configurations - Exposure as a Design DecisionSign in

  4. Supply-Chain and Dependency Risk (Conceptual) - When Trust Becomes a Propagation ChannelSign in

Part 11

Propagation and Lateral Movement (High Level)

  1. Propagation and Lateral Movement (High Level)Sign in

  2. Propagation vs Non-Propagation - Why Some Incidents Explode and Others Stay LocalSign in

  3. Lateral Activity Concepts - Credential Misuse, Protocol Abuse, Shared Resources as Pathways Through Implicit TrustSign in

  4. Defensive Containment Strategy - Segmentation, Least Privilege, and Monitoring as the Primary Brakes on SpreadSign in

Part 12

Human Factors in Malware Spread

  1. Human Factors in Malware SpreadSign in

  2. Deception Patterns (Conceptual) - Why Training Alone Fails as a ControlSign in

  3. Human Firewall Limitations - Where Users Cannot Be the Only Boundary and How to Measure That RealitySign in

  4. UX and Process as Controls - Designing Defaults, Friction, and Approvals to Make Malicious Actions Harder to CompleteSign in

Part 13

Endpoint Surfaces: OS, Apps, Browsers

  1. Endpoint Surfaces: OS, Apps, BrowsersSign in

  2. OS Components as Exposure - Userland vs Privileged Surfaces and What Can Fail TogetherSign in

  3. Browsers and Script Runtimes - Why "Content" Becomes Execution and How That Expands RiskSign in

  4. Application Exposure at the Architectural Level - How Deployment Choices Affect Exploitability and ContainmentSign in

Part 14

Server, Cloud, and API Surfaces

  1. Server, Cloud, and API SurfacesSign in

  2. Exposed Services and Management Planes - Why Administration Paths Must Be Treated as High-Value TargetsSign in

  3. Cloud Control Planes and Configuration - Misconfiguration as a Dominant Failure Mode in Modern EnvironmentsSign in

  4. Shared Responsibility Realities - What You Can Delegate to Providers and What Remains a Customer Control ProblemSign in

Part 15

Deeper Surfaces: Firmware, Hardware, and Devices

  1. Deeper Surfaces: Firmware, Hardware, and DevicesSign in

  2. Firmware and Device Code (Conceptual) - Why Deeper Layers Change Recovery and VerificationSign in

  3. IoT and Embedded Fleet Risk - Scale, Heterogeneity, and Long Lifetimes as Exposure MultipliersSign in

  4. Defensive Constraints at Lower Layers - What Is Realistically Monitorable and What Must Be Prevented Through Procurement and Lifecycle ControlsSign in

Part 16

Mapping and Reducing Attack Surface

  1. Mapping and Reducing Attack SurfaceSign in

  2. Inventory as the Root Control - You Cannot Defend What You Cannot NameSign in

  3. Minimization Principles - Reduce Services, Privileges, and Software Footprint as Structural Risk ReductionSign in

  4. Architectural Trade-offs - How Convenience Decisions Become Propagation AcceleratorsSign in

Part 17

Malware Classification and Families

  1. Malware Classification and FamiliesSign in

  2. Families and Similarity - Code Similarity and Behavior Similarity as Different Defensive SignalsSign in

  3. Why Classification Matters - Prioritization, Response Routing, and Threat Intelligence AlignmentSign in

  4. Intelligence Pipelines (High Level) - Turning Observations into Usable Detections and Architectural GuidanceSign in

Part 18

Static Analysis (Defender View)

  1. Static Analysis (Defender View)Sign in

  2. "Code at Rest" Pipeline - Signatures, Metadata, Structure, and What Each Can Reliably Tell YouSign in

  3. Disassembly and Decompilation Concepts - What Defenders Extract and Why It Helps Classification and ContainmentSign in

  4. Limits and Evasion - Obfuscation, Packing, Polymorphism, and Why Static Signals Are PartialSign in

Part 19

Dynamic Analysis and Behavioral Observation

  1. Dynamic Analysis and Behavioral ObservationSign in

  2. Controlled Execution Environments - Why Containment Is a Prerequisite for Safe ObservationSign in

  3. Behavioral Surfaces to Observe - File, Process, State, and Network Activity as the Defender's Ground TruthSign in

  4. Interpreting Telemetry - Distinguishing Noisy System Behavior from Meaningful Malicious SequencesSign in

Part 20

Sandboxes, EDR, and Telemetry Sources

  1. Sandboxes, EDR, and Telemetry SourcesSign in

  2. Sandbox vs EDR Scope - Sample-Centric Observation Versus Fleet-Wide Behavioral VisibilitySign in

  3. Correlating Endpoint, Network, and Logs - Building a Coherent Picture from Partial PerspectivesSign in

  4. Privacy and Minimization - Collecting Enough to Defend While Respecting Data Boundaries and GovernanceSign in

Part 21

Using Analysis to Drive Detection and Controls

  1. Using Analysis to Drive Detection and ControlsSign in

  2. From Behavior to Detection Logic (Conceptual) - Patterns, Indicators, and Durable SignalsSign in

  3. Feeding Back into Rules and Policies - Updating Baselines, Controls, and Hardening From Concrete ObservationsSign in

  4. Detection Limits and Layering - Why Detections Must Be Complemented by Minimization, Isolation, and Recovery ReadinessSign in

Part 22

OS Isolation and Privilege Boundaries

  1. OS Isolation and Privilege BoundariesSign in

  2. Accounts and Privilege - Why Privilege Boundaries Are the Primary Containment Structure on EndpointsSign in

  3. Process and Memory Isolation - What Modern OSes Can Guarantee and Where Those Guarantees StopSign in

  4. Administrative Privilege as a Failure Domain - How "Everyone Is Admin" Collapses Your Defensive ArchitectureSign in

Part 23

Application Sandboxing and Confinement

  1. Application Sandboxing and ConfinementSign in

  2. Sandboxed Apps and Browsers - Narrowing What Untrusted Content Can Do by DefaultSign in

  3. Containers and Defensive Isolation (Conceptual) - Using Packaging Boundaries as Security Boundaries When Correctly ScopedSign in

  4. Policy-Driven Confinement - Translating Risk Into Explicit Permissions and Denied CapabilitiesSign in

Part 24

Memory and Execution Defenses (Conceptual)

  1. Memory and Execution Defenses (Conceptual)Sign in

  2. Execution-Barrier Concepts - Why Certain Exploit Classes Become Harder Under Modern DefensesSign in

  3. Compiler and Runtime Safety Features - What "Safer by Default" Means Operationally Over TimeSign in

  4. Memory Safety as a Long-Term Strategy - How Language and Platform Choices Change the Threat LandscapeSign in

Part 25

Application Control and Whitelisting

  1. Application Control and WhitelistingSign in

  2. Allow-Lists vs Block-Lists - Designing a Control That Stays Correct as Threats EvolveSign in

  3. Script and Macro Restrictions - Controlling Powerful Runtimes That Blur Data and CodeSign in

  4. Lockdown vs Operability - Avoiding Security Controls That Force Bypasses in Day-to-Day WorkSign in

Part 26

Endpoint Protection and EDR Patterns

  1. Endpoint Protection and EDR PatternsSign in

  2. Protection Categories - Signatures, Heuristics, and Behavior as Different BoundariesSign in

  3. Deployment and Policy Models - Keeping Endpoint Controls Consistent Across Heterogeneous FleetsSign in

  4. Tuning and Noise Management - Building Confidence in Alerts So Teams Respond DecisivelySign in

Part 27

Malware in the Network: C2 and Exfiltration

  1. Malware in the Network: C2 and ExfiltrationSign in

  2. Command-and-Control Concepts - Why Outbound Control Channels Are a Primary Defender FocusSign in

  3. Exfiltration Patterns - Trickle Versus Burst and the Operational Signals Each Tends to CreateSign in

  4. Outbound Monitoring as Baseline Security - Making "Unknown Outbound" a Design SmellSign in

Part 28

Network Segmentation and Containment

  1. Network Segmentation and ContainmentSign in

  2. Segmenting Endpoints, Servers, Sensitive Systems - Designing Blast-Radius Boundaries for Likely Malware PathsSign in

  3. Limiting Lateral Movement - Constraining Identity and Network Pathways, Not Just PortsSign in

  4. Chokepoints for Monitoring and Blocking - Where to Force Traffic Through Enforceable PolicySign in

Part 29

Email, Web, and Content Gateways

  1. Email, Web, and Content GatewaysSign in

  2. Attachment and Link Risk Controls - Filtering and Detonation Concepts Without Relying on "Perfect Detection"Sign in

  3. Gateway Sandboxing - Using Centralized Controls to Reduce Endpoint ExposureSign in

  4. Policy and UX Alignment - Making Safe Behavior the Easiest Behavior for UsersSign in

Part 30

Network Detection and Response Concepts

  1. Network Detection and Response ConceptsSign in

  2. IDS/IPS-Like Detection (Conceptual) - Signatures, Heuristics, and Anomaly Patterns for Malware BehaviorsSign in

  3. Flows vs Packets - Choosing Scalable Visibility Without Losing Investigative DepthSign in

  4. Coordinating Endpoint and Network Telemetry - Avoiding the "Two Truths" Problem During IncidentsSign in

Part 31

Deception and Honeypots (High Level)

  1. Deception and Honeypots (High Level)Sign in

  2. Deception as Early Warning - Catching Activity by Offering Safer TargetsSign in

  3. Honeypots and Honeynets as Concepts - Benefits, Risks, and Why They Require Disciplined OperationsSign in

  4. Responsible Use - Ensuring Deception Augments Detection Without Creating New LiabilitiesSign in

Part 32

Detecting and Confirming Malware Events

  1. Detecting and Confirming Malware EventsSign in

  2. Signals vs Noise - What Makes an Alert Credible Enough to Act OnSign in

  3. Triage and Scope - Defining Affected Systems and Likely Progression StageSign in

  4. Cross-Team Coordination - Aligning Security, IT, Engineering, and Business Leadership Under Time PressureSign in

Part 33

Containment Strategies

  1. Containment StrategiesSign in

  2. Isolating Hosts, Segments, Accounts - Containment as Boundary ManipulationSign in

  3. Short-Term Restrictions vs Long-Term Remediation - Avoiding Permanent FragilitySign in

  4. Continuity Trade-offs - Keeping the Business Alive While Stopping SpreadSign in

Part 34

Eradication and Recovery

  1. Eradication and RecoverySign in

  2. Clean vs Reimage Decisions - Choosing Strategies That Restore Trust, Not Just FunctionalitySign in

  3. Validation of Cleanliness - Rebuilding Confidence Through Evidence, Not HopeSign in

  4. Backup Integrity - Ensuring Recovery Sources Are Not Part of the CompromiseSign in

Part 35

Forensics and Root Cause (Conceptual)

  1. Forensics and Root Cause (Conceptual)Sign in

  2. Evidence Collection and Preservation - Maintaining Chain-of-Custody Thinking at a Practical LevelSign in

  3. Reconstructing Infection Paths - Using Timelines to Connect Initial Access, Movement, and ObjectivesSign in

  4. From Root Cause to Systemic Fixes - Translating Findings into Architecture and Process ChangesSign in

Part 36

Communication, Reporting, and Legal Considerations

  1. Communication, Reporting, and Legal ConsiderationsSign in

  2. Internal Communication - Keeping Stakeholders Informed Without SpeculationSign in

  3. External Communication (Conceptual) - Customers, Regulators, and Partners as Part of the Incident SystemSign in

  4. Documentation as Control - Audits, Post-Mortems, and Institutional MemorySign in

Part 37

Lessons Learned into Architecture and Process

  1. Lessons Learned into Architecture and ProcessSign in

  2. Updating Policies and Controls - Making Change Concrete and MeasurableSign in

  3. Architecture Changes for Future Containment - Reducing Attack Paths Rather Than Only Improving DetectionSign in

  4. Culture and Continuous Learning - Treating Incidents as Feedback Loops That Improve ResilienceSign in

Part 38

Defense-in-Depth for Malware

  1. Defense-in-Depth for MalwareSign in

  2. Layering Controls Across Stack - Endpoint, Network, Identity, and Cloud as Distinct but Coordinated Failure DomainsSign in

  3. Avoiding Single Points of Failure - Why Tool Monocultures and Centralized Trust Can Collapse DefenseSign in

  4. Lifecycle-to-Control Mapping - Ensuring Every Malware Stage Has at Least One Strong Control and One Detection SignalSign in

Part 39

Threat Modeling for Malware Resilience

  1. Threat Modeling for Malware ResilienceSign in

  2. Environment-Specific Threats - Why Your Likely Malware Problems Are Shaped by Your Business and ArchitectureSign in

  3. Control Prioritization - Impact x Likelihood as a Disciplined Planning ToolSign in

  4. Revisiting Models Over Time - Adapting to Changing Platforms, Users, and Attacker IncentivesSign in

Part 40

Security Architecture for Malware Defense

  1. Security Architecture for Malware DefenseSign in

  2. Reference Architectures by Environment - Endpoint-Heavy, Server-Heavy, Cloud-Heavy as Different Boundary DesignsSign in

  3. Integrating EDR, NDR, Logging, and Identity - Producing One Coherent Operational PictureSign in

  4. Designing for Adaptation - How Detection, Response, and Hardening Form a Living SystemSign in

Part 41

Governance, Policy, and Training

  1. Governance, Policy, and TrainingSign in

  2. Policies that Change Behavior - Least Privilege, Patching, Acceptable Use as Enforceable ArchitectureSign in

  3. Role-Specific Training - Aligning User, Admin, Developer, and Executive Behaviors to Their Real Risk SurfaceSign in

  4. Measuring Effectiveness - Evaluating Training and Policy by Outcomes Rather Than CompletionSign in

Part 42

Metrics, Maturity, and Continuous Improvement

  1. Metrics, Maturity, and Continuous ImprovementSign in

  2. Core Metrics - Time-to-Detect, Time-to-Contain, Coverage, and Hygiene as Operational FeedbackSign in

  3. Maturity Models - Using Staged Progress to Avoid Overbuilding and UnderoperatingSign in

  4. Roadmapping Improvements - Planning Investments That Shift Structure, Not Just Add ToolsSign in

Part 43

Case Studies of Defense Evolution (High Level)

  1. Case Studies of Defense Evolution (High Level)Sign in

  2. Improvement Narratives - How Organizations Evolve Defenses as They Learn From FailuresSign in

  3. Failures That Forced Architectural Change - What Tends to Break First and WhySign in

  4. Patterns of Effective Defense - Recurring Structural Moves That Consistently Reduce Malware ImpactSign in

Part 44

Malware Defense Patterns

  1. Malware Defense PatternsSign in

  2. Endpoint Patterns - Hardening Baselines, Application Control, Least Privilege as Structural ContainmentSign in

  3. Network Patterns - Segmentation, Chokepoints, and Egress Filtering as Propagation BrakesSign in

  4. Identity Patterns - Strong Authentication and Just-in-Time Privilege to Reduce Credential Reuse and Lateral MovementSign in

Part 45

Operational Patterns for Malware Defense

  1. Operational Patterns for Malware DefenseSign in

  2. Patch and Hygiene Programs - Making Routine Maintenance a Primary Security CapabilitySign in

  3. Change Control with Security Review - Preventing Drift from Becoming VulnerabilitySign in

  4. Automation and Orchestration - Scaling Response and Reducing Human Latency in ContainmentSign in

Part 46

Anti-Patterns and Common Pitfalls

  1. Anti-Patterns and Common PitfallsSign in

  2. Structural Anti-Patterns - Flat Networks, Local Admin Everywhere, Missing Inventories as Systemic AmplifiersSign in

  3. Tool-as-Savior Thinking - Why Single-Product Dependency Creates Blind Spots and Operational FragilitySign in

  4. Alert Fatigue - Designing Signal Quality as an Architectural ConcernSign in

Part 47

Design Checklists for Malware-Resistant Systems

  1. Design Checklists for Malware-Resistant SystemsSign in

  2. Endpoint Hardening Checklist - Baseline, Privilege, Application Control, and Recovery PostureSign in

  3. Network and Gateway Checklist - Segmentation, Egress Control, and Content Choke PointsSign in

  4. Monitoring, Response, and Governance Checklist - Ensuring Detection Leads to Action and Lessons Lead to RedesignSign in