An investigator finds that a suspicious binary reuses multiple coding structures and variable naming styles seen in a previous high-impact threat. Which tactic best supports drawing a reliable link between the new binary and the previously observed malicious code base?
Scheduling a sandbox run to observe the binary’s malicious actions
Matching binary hashes against antivirus signatures
Reviewing code stylometry to identify repeated programming conventions
Comparing event logs to see if both binaries triggered the same alert
Code stylometry examines programming patterns that persist across different binaries, allowing analysts to attribute samples to specific threat actor toolsets. Unlike behavior analysis or log comparison, which confirm malicious activity or operational context, stylometry links binaries based on development style, aiding in attribution. This makes it an effective method for associating unknown binaries with previously observed malicious code bases.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is code stylometry?
Open an interactive chat with Bash
Why is code stylometry better for attribution than using binary hashes?
Open an interactive chat with Bash
How does code stylometry differ from behavior analysis?