
Malware examination
To establish the behavioural characteristics of a piece of malware, especially a previously unseen or bespoke strain, the malware must be executed in an isolated sandbox environment where its behaviour can be observed. Local actions, such as the creation of registry keys, local files, services and other artefacts, can be recorded and monitored. Network actions, such as the downloading of additional files, access to command and control servers and local traffic used to spread the malware, can all be observed and intercepted.
In addition to the actions above, the malware can also be reverse engineered so that its underlying code instructions can be viewed, to ascertain whether there are any built-in detection-avoidance capabilities such as time-delayed actions, software detection or virtualisation prevention.
NGTS have access to a custom-built lab that provides a secure environment in which to study malware, and have the necessary expertise to conduct a detailed examination of the malware.