Open Source Sandbox in a corporate infrastructure

#Cuckoo #CuckooSandbox #Moloch #ElasticSearch #LokiIOCScanner #ThreatIntelligence #ZeroNights #ZeroNights2017

Yury Doroshenko

November 16, 2017
Transcript

  1. #Whoami (slide 2)
     • Chief expert at Sberbank Cyber Security / Redteamer
     • Pentest / Malware Analysis / Memory forensics
     • Music and cinema lover
     • I'm into extreme sports
  2. #Threats (slide 3)
     Social Engineering, Mass mail, Banker Trojan, APT, Ransomware
     • 24/7 we are fighting emerging cyberattacks that are targeting:
       • Bank infrastructure
       • Sensitive data
       • Client data
  3. #Who is your enemy (slide 4)
     • Source?
     • Risk level?
     • Targeted attack?
     • Fast and efficient analysis?
  4. #Our Threat Intelligence Platform (slide 5)
     Data Engine: Request For Intelligence, Threat Hunting, Intelligence Driven Response, Use Case Management
     Diagram labels: Request for intelligence, Infrastructure data, Intelligence analysis, Feed subscribes, Reports, Incident management, IOC, Threat Intelligence process, Request for intelligence, Intelligence analysis, Use case management, Threat hunting, Intelligence driven response
  5. #Threat Intelligence product map (slide 6)
     Categories: Vulnerability Management, Intel Data Management, Request For Intelligence, Intelligence Analysis, Threat Hunting, Use Case Management
     Products: MaxPatrol, Bi.Zone, FinCERT, Kaspersky, Group-IB, IBM X-Force, Cisco ThreatGrid, Cisco IntelliShield, Cisco Senderbase, Microsoft, VirusTotal, RecordedFuture, BrandAnalytics, IBM i2 / Watson, ThreatQ (on premise), EclecticIQ, Anomali, BlueLiv, LookingGlass, ThreatConnect, DECOYNET, Cynet 360, ERAM, Netskope TP, RiskIQ, StatusToday, Variato Recon, Verint TP, illusive, Sqrrl, Fussion Behavioral, Exabeam, Endgame, MaxPatrol SOC Prime, UCL ThreatModeler, SkyBox, Cronus Cybot
  6. #Personal handy malware analysis lab (slide 8)
     • Cuckoo Sandbox 2.0.4.4 / Cuckoo Sandbox 1.3-NG
     • ElasticSearch 5.3.0
     • Moloch 0.19.2
     • Volatility 2.6
     • Loki IOC Scanner 0.24.2
     • Malheur 0.6.0
     • Yara 3.6.3
     * The lab was deployed and is running smoothly on macOS High Sierra
  7. #Anti Anti-VM and Anti-Sandbox (slide 10)
     • VM cloaking
     • Automatic VM generation
     • Replaces "synthetic" VM params with "real"
     • Antivmdetection 0.1.8 https://github.com/nsmfoo/antivmdetection/
     • VMCloak 0.4.4 https://github.com/jbremer/vmcloak/
  8. #Out of the box + extra features (slide 12)
     • Dynamic analysis
     • Static analysis
     • Process activity analysis
     • Network activity analysis
     • Registry analysis
     • Memory-dump post-analysis
     • File activity analysis
     • Network sniffing
     • Post-analysis with LOKI IOC Scanner
     • Custom Yara rules based analysis
     • Behavioral analysis with Malheur
     • Automatic Analysis Tool
     • Moloch + Elasticsearch integration
  9. #File formats (slide 13)
     msi, dll, bin, xls, doc, exe, pdf, ppt, zip, ps1, html, jar, js, hta, ie, swf, vbs, rar, cpl, apk
     * Supports automatic format detection
  10. #Using different branches? (slide 22)
     • Supporting different built-in modules:
       • Mitm (Cuckoo Sandbox 2.0.4.4)
       • Snort (Cuckoo Sandbox 2.0.4.4)
       • Malheur (Cuckoo Sandbox 1.3-NG)
     • Different signature mechanics
     • Different analysis approaches
     • Results complement each other
  11. #Profit? (slide 24)
     • Targeted attacks detection
     • Extendable with modules written in python
     • Now we have a personal powerful malware analysis lab
     • Just-in-time prevention and remediation steps based on analysis report
  12. #To Do List (slide 25)
     • Hardening Anti Anti-Sandbox & Anti-VM techniques
     • Integrating it in Threat Intelligence Platform
     • Extending the number of Virtual Machines
     • Machine learning?
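As an added example (not from the talk and not Cuckoo's own code), here is the kind of Python post-analysis step the "extendable with modules written in python", "Moloch + Elasticsearch integration" and "remediation steps based on analysis report" bullets point at: it reads a Cuckoo-style report.json, derives a verdict from the triggered signatures' severities, pulls out file hashes, contacted hosts, domains and URLs, emits one flat document that can be indexed into Elasticsearch beside Moloch session data, and writes the hashes as Loki-style hash IOC lines. The sample report is constructed; the key names follow the Cuckoo 2.x report layout as I know it (check them against your build), and the severity thresholds and the IOC comment text are assumptions.

```python
"""Triage a Cuckoo-style JSON report and extract IOCs for downstream tools.

Added example, not code from the talk or from the Cuckoo project. The report
below is a constructed sample shaped like Cuckoo 2.x report.json
(info / target / network / dropped / signatures); verify key names locally.
"""
import json
from typing import Dict, List

# Constructed sample report: every value here is made up for this example.
SAMPLE_REPORT = json.loads(r'''
{
  "info": {"id": 42, "score": 7.2, "package": "doc"},
  "target": {"category": "file",
             "file": {"name": "invoice.doc",
                      "sha256": "0000000000000000000000000000000000000000000000000000000000000001"}},
  "network": {
    "hosts": ["192.0.2.10", "198.51.100.7"],
    "domains": [{"domain": "update.example.test", "ip": "192.0.2.10"}],
    "http": [{"uri": "http://update.example.test/dl/stage2.exe", "method": "GET"}]
  },
  "dropped": [
    {"name": "stage2.exe", "type": "PE32 executable",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000002"}
  ],
  "signatures": [
    {"name": "office_macro", "severity": 2, "description": "Document contains a VBA macro"},
    {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun"},
    {"name": "allocates_rwx", "severity": 1, "description": "Allocates RWX memory"}
  ]
}
''')


def max_severity(report: Dict) -> int:
    """Highest integer severity among triggered signatures (0 if none fired)."""
    return max((s.get("severity", 0) for s in report.get("signatures", [])), default=0)


def verdict(sev: int) -> str:
    """Assumed thresholds: severity 3+ malicious, 1-2 suspicious, none clean."""
    if sev >= 3:
        return "malicious"
    if sev >= 1:
        return "suspicious"
    return "clean"


def extract_iocs(report: Dict) -> Dict[str, List[str]]:
    """Collect hashes, IPs, domains and URLs; de-duplicated and sorted."""
    net = report.get("network", {})
    hashes = []
    target_file = report.get("target", {}).get("file", {})
    if target_file.get("sha256"):
        hashes.append(target_file["sha256"])
    hashes += [d["sha256"] for d in report.get("dropped", []) if d.get("sha256")]
    domain_ips = [d["ip"] for d in net.get("domains", []) if d.get("ip")]
    return {
        "sha256": sorted(set(hashes)),
        "ips": sorted(set(net.get("hosts", []) + domain_ips)),
        "domains": sorted({d["domain"] for d in net.get("domains", []) if d.get("domain")}),
        "urls": sorted({h["uri"] for h in net.get("http", []) if h.get("uri")}),
    }


def triage(report: Dict) -> Dict:
    """One flat document (verdict + IOCs + signature names), flat so it can be
    indexed as-is into Elasticsearch next to Moloch sessions."""
    sev = max_severity(report)
    info = report.get("info", {})
    return {
        "task_id": info.get("id"),
        "cuckoo_score": info.get("score"),
        "max_severity": sev,
        "verdict": verdict(sev),
        "signatures": sorted(s["name"] for s in report.get("signatures", []) if s.get("name")),
        **extract_iocs(report),
    }


def loki_hash_lines(report: Dict) -> List[str]:
    """One 'hash;comment' line per hash, the layout Loki's hash IOC files use.
    The comment text is a hypothetical convention for this example."""
    doc = triage(report)
    comment = "cuckoo task %s (%s)" % (doc["task_id"], doc["verdict"])
    return ["%s;%s" % (h, comment) for h in doc["sha256"]]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
    print("\n".join(loki_hash_lines(SAMPLE_REPORT)))
```

The script treats every key as optional, so a report from a task that produced no network traffic or dropped files still yields a clean document rather than a crash; the severity-to-verdict mapping is the piece to tune against your own signature set before wiring the output into a blocking or remediation step.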