Automated Malware Analysis and Cyber Security Intelligence
Department of Forensic Science, Digital Forensics major
최우석
AMA and Cyber Security Intelligence

Introduce myself
- Name: 최우석
- Affiliation
• Team leader, f-NGS Lab, 한국정보보호교육센터 (Korea Information Security Education Center)
• Sungkyunkwan University Graduate School, Department of Forensic Science, 3rd cohort
- Main job: cyber security research
- Writing: coming soon with 에이콘 (Acorn Publishing)
- Other
• Consulting (security assessment)
▪ Web site assessment
▪ Attack-scenario-based consulting
• Lecturing
▪ Malware
▪ NISA, 금보원 (Financial Security Institute), SKT, Nexon, Money Today, 쿠시스, Ministry of Trade, Industry and Energy, 융합보안지원센터 (Convergence Security Support Center), etc.
• Presentations
▪ CodeEngn, 신한시큐어, KIISC (한국정보보호학회), KISA, FIOS, etc.
• Community activities
▪ Forensic Insight, S2M
Goals of my life
- History & overview
- Development & creation
- Distribution & infection
- Investigation & analysis
- Recovery & response
- Prevention & management
(figure: Playing)
Contents
- Cuckoo Sandbox Environment
- Introduction to Cuckoo Sandbox
- Cyber Security Intelligence
- Conclusion
Sub-contents: Cuckoo Sandbox Environment
- Malware trend
- Types of malware analysis methods
- Open source licenses
- Open source license comparison
- Sandbox
- Hypervisor
- Hypervisor in Cuckoo Sandbox
- Honeypot project
- Types of honeypot project
Malware Trend
(chart: total malware and new malware per year; source: https://www.av-test.org/en/statistics/malware/)
Types of Malware Analysis Methods
Initial analysis
- Basic static analysis: AV test, calculating hashes, detecting packers/obfuscation, extracting strings
- Basic dynamic analysis: process monitoring, network monitoring, analyzing the file system, analyzing the registry
Detailed analysis
- Advanced static analysis: analyzing the file format, analyzing implicitly linked DLLs, disassembling, decompiling
- Advanced dynamic analysis: debugging, analyzing explicitly linked DLLs, analyzing memory, analyzing hidden functions
Types of Malware Analysis Methods in Cuckoo Sandbox
(the same matrix as the previous slide, with each item marked on the slide as Implementation or Unimplemented in Cuckoo Sandbox)
Open Source License
2016 open source license top 5 (source: https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends)
- GNU GPL 2.0 & 3.0: 34%
- MIT: 25%
- Apache 2.0: 15%
- BSD 3: 6%
- GNU LGPL 2.1: 6%
- Other: 14%
Open Source License Comparison (source: http://www.bloter.net/archives/209318)
License  | Link  | Distribute     | Modify         | Patent | Private use | Re-license     | Brand
GNU GPL  | Self  | Non-commercial | Non-commercial | O      | O           | Non-commercial | O
MIT      | O     | O              | O              | X      | O           | O              | X
Apache   | O     | O              | O              | O      | O           | O              | X
BSD      | O     | O              | O              | X      | O           | O              | X
GNU LGPL | Limit | Non-commercial | Non-commercial | O      | O           | Non-commercial | O
Sandbox
- A sandbox is a mechanism for separating execution regions in cyber security
- Controlled by hardware or software resources
- Sandboxes mainly use virtualization
- Virtualization
• CPU-dependent
• Hypervisor
• Virtual machines
Hypervisor
- Types of hypervisor
- Type 1 - VT-d support in CPU
- Type 2 - VT-x support in CPU
(diagram) Type 1: Hardware -> Type 1 Hypervisor -> OS
(diagram) Type 2: Hardware -> Host OS -> Type 2 Hypervisor -> Guest OS
Hypervisor in Cuckoo Sandbox
- Purchasing a computer for each operating system is a waste
- Hardware cost, OS cost, electricity cost, wasted computer resources
- Malware analysis
- An isolated environment is required
- In Cuckoo Sandbox
- If the host OS is Ubuntu, it will be uncomfortable to use
• For this reason, use nested virtualization
• Nested virtualization is supported in VMware Workstation (Type 2)
(diagram) Hardware -> Host OS (Windows 10) -> Type 2 Hypervisor (VMware Workstation) -> Guest OS (Ubuntu Server) and Guest OS (Ubuntu Desktop) -> Type 2 Hypervisor (VirtualBox) -> Sandboxes
Honeypot Project
- Requirements
- Easily exposed to attackers
• Intentionally configured to be vulnerable
• Configured for a variety of situations
- Monitoring everything that accesses the system
- Types of honeypot project
• Honeynet
▪ Built at the infrastructure level
▪ Early honeypot project
• Client honeypot
▪ Also called HoneyClient
▪ Runs at the client level
▪ Mainly Internet security
Types of Client Honeypot
- High-interaction client honeypot
- Similar to the real environment
• Pros
▪ Ability to detect new attacks
• Cons
▪ High performance deviation, high cost, a lot of time wasted
- Low-interaction client honeypot
- Simulation
• Pros
▪ Low performance deviation, low cost, fast detection
• Cons
▪ No new attack detection
- Hybrid client honeypot
- First detection uses a low-interaction honeypot, second detection uses a high-interaction honeypot
Sub-contents: Introduction to Cuckoo Sandbox
- History of Cuckoo Sandbox
- Analyzable file types
- Operating principle
- Pros and cons
- Technology
- Functionalities
- Demonstration
History of Cuckoo Sandbox
(timeline figure, 2010 to 2017; the recoverable items are listed below)
- Milestones: Google SoC with the Honeynet Project, Rapid7's Magnificent7, Malwr, Blackhat 2013, Brucon 2013, Consultancy Service, Open Cuckoo Foundation, Malwr Reload, New Website
- Releases (month as shown on the slide): v0.1 (Feb), v0.2 (Nov), v0.3 (Dec), v0.32 (Feb), v0.4 (Jul), v0.41 (Aug), v0.42 (Sep), v0.5 (Dec), v0.6 (Apr), v1.0 (Jan), v1.1 (Apr), v1.1.1 (Oct), v1.2 (Mar), v2.0 RC1 (Jan), v2.0 RC2 (Jan), v2.0 (Jan)
Analyzable File Types
- Basic Windows files
- Scriptable files
- Office files
- 3rd-party applications
Operating Principle
(diagram) Submitted malware enters through the web service, the core hands it to a sandbox, the analyzed data returns to the core, and a report is produced:
Submit malware -> Web service -> Core -> Sandbox -> Analyzed data -> Report
Pros and Cons (1/2)
- Pros
- Open source code
- Written in Python
- Provides both CLI and GUI modes
- Provides a REST API
• Controlled over HTTP
• System connectivity
- Continuous bug patches and version upgrades
• User community and feedback from researchers
- Multiple sandboxes can be configured
• If system resources remain...
- Feedback on the latest malware issues
• e.g. added a DDE analysis function
Pros and Cons (2/2)
- Cons
- Core functionality is documented well, but documentation of additional functionality is insufficient
- If you encounter problems, report an issue or fix the source code yourself
• Issue resolution is optional
- Functionality may be removed without prior notice
- Releases proceed even if unfinished
• Improved by participants
• May affect business operations
- Not all malware is analyzed well
• Environment configuration is very important
• Weak against anti-analysis techniques (anti-debugging, anti-virtualization, ...)
- Limited detailed analysis
• Cannot analyze functions that run only under specific commands
Environment
- Cuckoo core server
- Ubuntu 16.04 LTS Desktop 64-bit
- CPU 4 cores, memory 16 GB
- Sandbox x 5
- Win7 SP1 64-bit
- CPU 1 core, memory 1024 MB
- Cuckoo Sandbox application
- 2.0.5.3
Infrastructure
(diagram) Host OS -> Type 2 Hypervisor -> Cuckoo Core Service (Ubuntu 16.04 Desktop), which runs a nested Type 2 Hypervisor for the sandboxes, and Other Service (Ubuntu 16.04 Server)
Technology (1/3)
- Database
- Scheduling: RDBMS (SQLite, PostgreSQL, MariaDB)
- Web: NoSQL (MongoDB)
- Search: NoSQL (Elasticsearch)
- Supported hypervisor types
- Type 1: XenServer, VMware (ESX, vSphere), KVM, QEMU
- Type 2: VMware (Workstation), VirtualBox
- Physical sandbox: FOG Project
- Android emulation: AVD
- Memory
- Volatility (with baseline analysis)
Technology (2/3)
- Patterns and signatures
- Network pattern: Snort, Suricata
- Static binary pattern: YARA
- Behavior log pattern: only usable in Cuckoo Sandbox, written in Python
- Network
- Types of network line: proxy, VPN, Tor network
- Analysis: Moloch, mitmproxy
- Server
- Main web service: Django
- Distributed and API service: Werkzeug
- Changing the server type: Nginx + uWSGI
• Increases stability
Technology (3/3)
- Behavior analysis
- The agent communicates with the Cuckoo core using the XML-RPC protocol
- Report types
- HTML, PDF, JSON, web service
- Intelligence
- MISP
- System management
- Icinga, Supervisord
- Android analysis support
- Google Play, Droidmon, ApkInfo
- Etc.
- VirusTotal, certificate pinning for PE files
Functionalities (1/5)
- Hashes for malware
- ssdeep, imphash
- Support for archive-type malware
- E-mail, OLE, ZIP
- Analyzing lateral movement
- Announced in 2.0-RC1, but not implemented
- Network routing
- No routing, drop routing, dirty line, INetSim, Tor, VPN
- TLS/HTTPS capturing and decrypting
- mitmproxy, HTTPReplay
• But it has some problems
• HTTPReplay does not implement certificate pinning
Functionalities (2/5)
- Baseline analysis in memory analysis
- It is not documented!!
- Only in the JSON report (not shown in the web report)
- Extracting URLs from process memory
- When I tested with a memory DNS malware, this function did not extract the URL.
- Static binary pattern and behavior log pattern
- Static binary pattern uses YARA
- Behavior log pattern must use Cuckoo's own functions
• Requires Python programming
- YARA 3.7.1 can use the Cuckoo Sandbox dependency function.
• But Cuckoo Sandbox 2.0.5.3 does not support YARA 3.7.1
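A behavior log pattern of the kind described above, written as an added example in plain Python rather than against Cuckoo's own Signature class: two order-sensitive signatures are replayed over the API calls of a constructed report and their severities are summed into a score. The report layout (behavior.processes[].calls[] with api and arguments) imitates the Cuckoo 2.0 JSON report and the summing rule is an assumption of mine, not Cuckoo's scoring formula.

```python
"""Behavior-log pattern matching over a Cuckoo-style JSON report (added example).

The report below is constructed and only imitates the layout of a Cuckoo 2.0
report.json (behavior.processes[].calls[] with "api" and "arguments"); the
field names are an assumption. The signatures are plain Python classes, not
subclasses of Cuckoo's lib.cuckoo.common.abstracts.Signature.
"""
import json
import re

# Constructed sample report: a dropper writing a second .exe, installing a Run
# key for it and then launching it. Not real monitor output.
SAMPLE_REPORT = json.loads(r'''
{
  "info": {"id": 42, "category": "file"},
  "target": {"file": {"name": "invoice.exe", "md5": "<constructed, not a real hash>"}},
  "behavior": {
    "processes": [
      {
        "pid": 1337,
        "process_name": "invoice.exe",
        "calls": [
          {"api": "CreateFileW", "category": "file", "status": 1,
           "arguments": {"filepath": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe"}},
          {"api": "NtWriteFile", "category": "file", "status": 1,
           "arguments": {"filepath": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",
                         "length": 204800}},
          {"api": "RegSetValueExA", "category": "registry", "status": 1,
           "arguments": {"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                         "value": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe"}},
          {"api": "CreateProcessInternalW", "category": "process", "status": 1,
           "arguments": {"filepath": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",
                         "command_line": "\"C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe\" /silent"}}
        ]
      }
    ]
  },
  "network": {"domains": [{"domain": "update-check.example", "ip": "203.0.113.7"}]}
}
''')


class Signature:
    """Minimal stand-in for a behavior log pattern: sees every call in logged order."""
    name = ""
    description = ""
    severity = 1

    def __init__(self):
        self.marks = []

    def on_call(self, call, process):
        """Called once per API call, in the order the monitor recorded them."""

    def on_complete(self):
        """Called after the whole log; a signature matched if it marked anything."""
        return bool(self.marks)

    def mark_call(self, call, process, **extra):
        self.marks.append({"pid": process["pid"], "api": call["api"], **extra})


class DropsAndExecutes(Signature):
    """An .exe is written to disk and later started: only matches in that order."""
    name = "drops_and_executes"
    description = "Writes an executable to disk and then launches it"
    severity = 3

    def __init__(self):
        super().__init__()
        self.written = set()

    def on_call(self, call, process):
        args = call.get("arguments", {})
        path = (args.get("filepath") or "").lower()
        if call["api"] in ("NtWriteFile", "WriteFile") and path.endswith(".exe"):
            self.written.add(path)
        elif call["api"].startswith("CreateProcess") and path in self.written:
            self.mark_call(call, process, dropped=path)


class RunKeyPersistence(Signature):
    """A value is set under a CurrentVersion\\Run or RunOnce key."""
    name = "persistence_run_key"
    description = "Installs a Run-key autostart entry"
    severity = 2
    RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

    def on_call(self, call, process):
        if call["api"].startswith("RegSetValueEx"):
            key = call.get("arguments", {}).get("regkey", "")
            if self.RUN_KEY.search(key):
                self.mark_call(call, process, regkey=key)


def run_signatures(report, signature_classes):
    """Replay the behavior log through each signature; return (matches, score)."""
    sigs = [cls() for cls in signature_classes]
    for proc in report["behavior"]["processes"]:
        for call in proc["calls"]:
            for sig in sigs:
                sig.on_call(call, proc)
    matched = [{"name": s.name, "severity": s.severity,
                "description": s.description, "marks": s.marks}
               for s in sigs if s.on_complete()]
    # Assumed scoring: a plain sum of severities, so it is not capped at 10.
    score = sum(m["severity"] for m in matched)
    return matched, score


if __name__ == "__main__":
    found, total = run_signatures(SAMPLE_REPORT, [DropsAndExecutes, RunKeyPersistence])
    for m in found:
        print("[%d] %s: %s" % (m["severity"], m["name"], m["marks"]))
    print("score:", total)
```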
Functionalities (3/5)
- Maliciousness quantification
- Uses the behavior log pattern
- Maximum is 10, but values over 10 are possible
- Comparing malware
- Uses the API call order
- It is well implemented in version 1.x, but in version 2.x
- Implementing a distributed system
- It is not documented!!
- Implemented using the REST API service
- Provides dedicated web services
- Gevent for asynchronous systems, Greenlet for coroutines
- Not enough
• Does not support an integrated database, only analyzing by file type
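Comparing samples by API call order, as an added example (not Cuckoo's own implementation): each call sequence is turned into the set of its consecutive 3-grams and compared with Jaccard similarity, so two samples that use the same APIs in a different order score low while a near variant scores high. The sequences are constructed, and the extraction helper assumes the Cuckoo 2.0 layout behavior.processes[].calls[].api.

```python
"""Order-sensitive comparison of API call sequences (added example).

The sequences below are constructed for illustration, not real monitor output.
api_sequence() assumes the Cuckoo 2.0 report layout behavior.processes[].calls[].api.
"""


def api_sequence(report):
    """Flatten a report's behavior log into one ordered list of API names."""
    return [call["api"]
            for proc in report["behavior"]["processes"]
            for call in proc["calls"]]


def ngrams(seq, n=3):
    """Set of consecutive n-grams; this is what carries the ordering information."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def order_similarity(seq_a, seq_b, n=3):
    """Similarity that only credits APIs appearing in the same order."""
    return jaccard(ngrams(seq_a, n), ngrams(seq_b, n))


def bag_similarity(seq_a, seq_b):
    """Order-insensitive baseline: Jaccard over the set of APIs used."""
    return jaccard(set(seq_a), set(seq_b))


def rank_by_order(query, corpus, n=3):
    """Rank (label, sequence) pairs by order similarity to the query, best first."""
    scored = [(label, order_similarity(query, seq, n)) for label, seq in corpus]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sequences. A and B are near variants (B lacks the sleep call);
# C uses exactly the same APIs as A but in a different order.
SAMPLE_A = ["CreateFileW", "NtWriteFile", "NtClose", "RegSetValueExA",
            "CreateProcessInternalW", "NtDelayExecution", "InternetOpenA",
            "HttpSendRequestA"]
SAMPLE_B = ["CreateFileW", "NtWriteFile", "NtClose", "RegSetValueExA",
            "CreateProcessInternalW", "InternetOpenA", "HttpSendRequestA"]
SAMPLE_C = ["InternetOpenA", "HttpSendRequestA", "CreateFileW", "NtWriteFile",
            "NtClose", "CreateProcessInternalW", "RegSetValueExA",
            "NtDelayExecution"]


if __name__ == "__main__":
    for label, seq in (("B (variant)", SAMPLE_B), ("C (reordered)", SAMPLE_C)):
        print("%-14s order=%.3f bag=%.3f" % (
            label, order_similarity(SAMPLE_A, seq), bag_similarity(SAMPLE_A, seq)))
```

The bag-of-APIs baseline rates C as identical to A (1.0), while the order-aware score drops to 1/11, which is the difference the page's "API call order" comparison relies on.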
Functionalities (4/5)
(screenshot slide)

Functionalities (5/5)
- Mass analysis
- Ability to separate functions
Demonstration
(flowchart 1, the core does both analyzing and reporting) Start -> Submit -> Start analyzing -> End analyzing -> Generate report -> Other malware? Yes: back to Submit; No: End
(flowchart 2, the core does analyzing and a sub core does reporting) Start -> Submit -> Start analyzing -> End analyzing -> Other malware? Yes: back to Submit; No: End; in parallel the sub core runs Generate report -> Other report? Yes: next report; No: End
- http://192.168.0.100:8000
Other Automated Malware Analysis Tools (1/3)
- JoeSandbox Cloud - https://joesecurity.org/joe-security-products
- BASIC version - (online only) Windows + Android
- PRO version - (standalone) + macOS + iOS + API + Cookbook (virtual and physical support) + ...
- Report sample
Other Automated Malware Analysis Tools (2/3)
- Hybrid Analysis - https://www.hybrid-analysis.com/
- Free service - Win7 only, files only, submission limit of 30 analyses, sample download
- Private cloud - Win 10, IoCs, YARA, URLs, various reports
- Full standalone - SIEM integration (CEF syslog), custom signature testing, memory dump
- Report sample
Other Automated Malware Analysis Tools (3/3)
- ANY.RUN - https://any.run/
- Semi-automated cloud malware analysis tool
• Free
• Live access to the virtual machines
- Report sample
Sub-contents: Cyber Security Intelligence
- Other automated malware analysis tools
- Cyber Security Intelligence
- Used by many intelligence analysts
- Binary intelligence & limitations
Cyber Security Intelligence
- Purpose
- Identify the attacker
- Predict the future through the past
• Incident response (establish a preventive policy)
- Tactics, Techniques and Procedures
https://en.wikipedia.org/wiki/PLA_Unit_61398
http://detect-respond.blogspot.kr/2013/03/the-pyramid-of-pain.html
Cyber Security Intelligence
- Automated malware analysis and Cyber Security Intelligence
- Purpose
• Automatically analyze numerous malware samples and accumulate analytical data
- Used by many intelligence analysts
- VirusTotal used Cuckoo Sandbox
Cyber Security Intelligence
- Used by many intelligence analysts in cyber security
(screenshots of the following presentations)
https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
https://www.rsaconference.com/writable/presentations/file_upload/anf-t10_implementing-an-automated-incident-response-architecture.pdf
https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf

Cyber Security Intelligence
- Papers related to Cuckoo Sandbox
- www.cs.ucsb.edu/~vigna/publications/2014_USENIX_BareCloud.pdf (2014, USENIX)
- adamdoupe.com/publications/towards-automated-threat-intelligence-fusion-cic2016.pdf (2016, IEEE)
- nsl.cs.waseda.ac.jp/~mori/papers/ccnc15-fujino-sumitted.pdf (2015, IEEE)
- arxiv.org/pdf/1709.08753.pdf (2017, IEEE)
Binary Intelligence & Limitations
- Binary intelligence
- Roughly the same as client-side intelligence, but not strictly
- Statistics of the various attack types used by binaries
- If you collect a lot of malware, you can analyze the associations
- Limitations of binary intelligence
- Counter-intelligence
• Vulnerability of evidence
- More data to overcome
• Need server-side intelligence
▪ But no ownership and no investigation
Sub-contents: Conclusion
- Matthew Effect
- [OR] Next project
- With digital forensics
Matthew Effect
The Matthew Effect = much data is good-quality information
With Digital Forensics
- Include the digital forensics process in incident response
- Importance of DFIR
• But, availability vs. integrity
- So many questions (Can ~ be evidence?)
- Can information gathered from the Internet be evidence?
- Can malware analysis information be evidence?
- Can data without a chain of custody be evidence?
- Can data collected from untrusted tools be evidence?
- ...
- No!
- Digital evidence is in a very regrettable state in Korea
• And it is too difficult to keep up with the speed of rapid development
• Rapid singularity!!
- Information collected by intelligence activities cannot be evidence
Q & A
The End

Contenu connexe

Tendances

Tendances (20)

A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Malware Detection using Machine Learning
Malware Detection using Machine Learning	Malware Detection using Machine Learning
Malware Detection using Machine Learning
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!Recon and Bug Bounties - What a great love story!
Recon and Bug Bounties - What a great love story!
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101
 
Dos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle AttackDos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle Attack
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 

Similaire à Automated Malware Analysis and Cyber Security Intelligence

EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 

Similaire à Automated Malware Analysis and Cyber Security Intelligence (20)

The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Automate Your Container Deployments Securely
Automate Your Container Deployments SecurelyAutomate Your Container Deployments Securely
Automate Your Container Deployments Securely
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Zerovm backgroud
Zerovm backgroudZerovm backgroud
Zerovm backgroud
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 

Dernier

Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
BalamuruganV28
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
Madan Karki
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Lovely Professional University
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..
MaherOthman7
 
Microkernel in Operating System | Operating System
Microkernel in Operating System | Operating SystemMicrokernel in Operating System | Operating System
Microkernel in Operating System | Operating System
Sampad Kar
 
Online crime reporting system project.pdf
Online crime reporting system project.pdfOnline crime reporting system project.pdf
Online crime reporting system project.pdf
Kamal Acharya
 

Dernier (20)

5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
 
Low rpm Generator for efficient energy harnessing from a two stage wind turbine
Low rpm Generator for efficient energy harnessing from a two stage wind turbineLow rpm Generator for efficient energy harnessing from a two stage wind turbine
Low rpm Generator for efficient energy harnessing from a two stage wind turbine
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..
 
Microkernel in Operating System | Operating System
Microkernel in Operating System | Operating SystemMicrokernel in Operating System | Operating System
Microkernel in Operating System | Operating System
 
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdfInvolute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
Involute of a circle,Square, pentagon,HexagonInvolute_Engineering Drawing.pdf
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility Applications
 
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
Module-III Varried Flow.pptx GVF Definition, Water Surface Profile Dynamic Eq...
 
Diploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdfDiploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdf
 
Online crime reporting system project.pdf
Online crime reporting system project.pdfOnline crime reporting system project.pdf
Online crime reporting system project.pdf
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
 
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas SachpazisSeismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
Seismic Hazard Assessment Software in Python by Prof. Dr. Costas Sachpazis
 
Intelligent Agents, A discovery on How A Rational Agent Acts
Intelligent Agents, A discovery on How A Rational Agent ActsIntelligent Agents, A discovery on How A Rational Agent Acts
Intelligent Agents, A discovery on How A Rational Agent Acts
 
Supermarket billing system project report..pdf
Supermarket billing system project report..pdfSupermarket billing system project report..pdf
Supermarket billing system project report..pdf
 
How to Design and spec harmonic filter.pdf
How to Design and spec harmonic filter.pdfHow to Design and spec harmonic filter.pdf
How to Design and spec harmonic filter.pdf
 
Introduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and ApplicationsIntroduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and Applications
 
Introduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AIIntroduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AI
 

Automated Malware Analysis and Cyber Security Intelligence

  • 1. Cyber Security Intelligence Automated Malware Analysis and 과학수사학과 디지털 포렌식 전공 최우석
  • 2. AMA and Cyber Security Intelligence 2  이름: 최우석  소속 • 한국정보보호교육센터 f-NGS 연구소 팀장 • 성균관대학원 과학수사학과 3기  본업  사이버 시큐리티 연구  집필  Introduce myself Coming Soon with 에이콘  기타 • 컨설팅 (안전성 진단) ▪ 웹 사이트 진단 ▪ 공격 시나리오 기반 컨설팅 • 강의 ▪ 악성코드 분야 ▪ NISA, 금보원, SKT, 넥슨, 머니투데이, 쿠 시스, 산업통상자원부, 융합보안지원센터 등 • 발표 ▪ 코드엔진, 신한시큐어, 한국정보보호학회, KISA, FIOS 등 • 커뮤니티 활동 ▪ 포렌식 인사이트, S2M
  • 3. 역사 & 개론 개발 & 제작 유포 & 감염 조사 & 분석 복구 & 대응 예방 & 관리 AMA and Cyber Security Intelligence 3  Goals of my life Playing
  • 4. Contents  Cuckoo Sandbox Environment  Introduction Cuckoo Sandbox  Cyber Security Intelligence  Conclusion
  • 5. 소목차 Cuckoo Sandbox Environment  Malware Trend  Type of Malware Analysis's Method  Open Source License  Open Source License Comparison  Sandbox  Hypervisor  Hypervisor in Cuckoo Sandbox  Honeypot Project  Type of Honeypot Project
  • 6. Cuckoo Sandbox Environment 6  Malware Trend Total Malware New Malware https://www.av-test.org/en/statistics/malware/
  • 7. Cuckoo Sandbox Environment 7  Type of Malware Analysis's Method Basic Static Analysis AV Test Calculating Hash Detecting of Packer/Obfuscation Extracting of String Basic Dynamic Analysis Process Monitoring Network Monitoring Analyzing File System Analyzing Registry Advanced Static Analysis Analyzing File Format Analyzing implicit linking DLL Disassembling Decompiling Advanced Dynamic Analysis Debugging Analyzing explicit linking DLL Analyzing Memory Analyzing hidden function Initial Analysis Detail Analysis
  • 8. Cuckoo Sandbox Environment 8  Type of Malware Analysis's Method  in Cuckoo Sandbox Implementation Unimplemented Basic Static Analysis AV Test Calculating Hash Detecting of Packer/Obfuscation Extracting of String Basic Dynamic Analysis Process Monitoring Network Monitoring Analyzing File System Analyzing Registry Advanced Static Analysis Analyzing File Format Analyzing implicit linking DLL Disassembling Decompiling Advanced Dynamic Analysis Debugging Analyzing explicit linking DLL Analyzing Memory Analyzing hidden function Initial Analysis Detail Analysis
  • 9. Cuckoo Sandbox Environment 9  Open Source License 34% 25% 15% 6% 6% 14% 0% 5% 10% 15% 20% 25% 30% 35% 40% GNU GPL 2.0 & 3.0 MIT Apache 2.0 BSD 3 GNU LGPL 2.1 Other 2016 Open Source License Top 5 https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends
  • 10. Cuckoo Sandbox Environment 10  Open Source License Comparison Licenses Link Distribute Modify Patent Using Private Re-License Brand GNU GPL Self Non-commercial Non-commercial O O Non-commercial O MIT O O O X O O X Apache O O O O O O X BSD O O O X O O X GNU LGPL Limit Non-commercial Non-commercial O O Non-commercial O http://www.bloter.net/archives/209318
• 11. Cuckoo Sandbox Environment 11
 Sandbox
 A sandbox is a mechanism for separating execution regions in cyber security
 Controlled by hardware or software resources
 Sandboxes mainly use virtualization
 Virtualization
• CPU-dependent
• Hypervisor
• Virtual Machines
• 12. Cuckoo Sandbox Environment 12
 Hypervisor
 Type of Hypervisor
 Type 1 - VT-d support in CPU
 Type 2 - VT-x support in CPU
 (Diagram: the Type 1 stack is Hardware > Type 1 Hypervisor > OS; the Type 2 stack is Hardware > Host OS > Type 2 Hypervisor > Guest OS)
• 13. Cuckoo Sandbox Environment 13
 Hypervisor in Cuckoo Sandbox
 Purchasing a computer for each operating system is a waste
 Hardware cost, OS cost, electricity cost, wasted computer resources
 Malware analysis
 An isolated environment is required
 in Cuckoo Sandbox
 If the host OS is Ubuntu, it is uncomfortable to use
• For this reason, use nested virtualization
• Nested virtualization is supported in VMware Workstation (Type 2)
 (Diagram: Hardware > Host OS (Windows 10) > Type 2 Hypervisor (VMware Workstation) > Guest OS (Ubuntu Server) and Guest OS (Ubuntu Desktop) > Type 2 Hypervisor (VirtualBox) > Sandboxes)
• 14. Cuckoo Sandbox Environment 14
 Honeypot Project
 Requirements
 Easily exposed to hackers
• Intentionally set up to be vulnerable
• Configured for a variety of situations
 Monitors everything that accesses the system
 Type of Honeypot Project
• Honeynet
▪ Built at the infrastructure level
▪ Early Honeypot Project
• Client Honeypot
▪ Also called HoneyClient
▪ Runs at the client level
▪ Mainly Internet security
• 15. Cuckoo Sandbox Environment 15
 Type of Client Honeypot
 High-interaction client honeypot
 Similar to the real environment
• Pros
▪ Ability to detect new attacks
• Cons
▪ High performance deviation, high cost, a lot of time wasted
 Low-interaction client honeypot
 Simulation
• Pros
▪ Low performance deviation, low cost, fast detection
• Cons
▪ No detection of new attacks
 Hybrid client honeypot
 First detection uses the low-interaction honeypot, second detection uses the high-interaction honeypot
• 16. Sub-contents: Introduction Cuckoo Sandbox
 History of Cuckoo Sandbox
 Analyzable file types
 Operating principle
 Pros and Cons
 Technology
 Functionalities
 Demonstration
• 17. Introduction Cuckoo Sandbox 17
 History of Cuckoo Sandbox
 (Timeline 2010 to 2017, as read from the slide)
 Releases: Feb v0.1, Nov v0.2, Dec v0.3, Feb v0.32, Jul v0.4, Aug v0.41, Sep v0.42, Dec v0.5, Apr v0.6, Jan v1.0, Apr v1.1, Oct v1.1.1, Mar v1.2, Jan v2.0 RC1, Jan v2.0 RC2, Jan v2.0
 Milestones: Google SoC, Honeynet Project, Rapid7's Magnificent7, Malwr, Blackhat 2013, Brucon 2013, Consultancy Service, Open Cuckoo Foundation, Malwr Reload, New Website
• 18. Introduction Cuckoo Sandbox 18
 Analyzable file types
 Basic Windows File
 Scriptable File
 Office File
 3rd Party Application
• 19. Introduction Cuckoo Sandbox 19
 Operating principle
 (Diagram: Submit Malware > Web Service > Core > Sandbox; the Sandbox returns Analyzed Data to the Core, which produces the Report; Web Service, Core and Sandbox together make up Cuckoo Sandbox)
• 20. Introduction Cuckoo Sandbox 20
 Pros and Cons (1/2)
 Pros
 Open source code
 Written in Python
 Provides both CLI and GUI modes
 Provides a REST API
• Controlled over the HTTP protocol
• System connectivity
 Permanent bug patches and version upgrades
• User community & feedback from researchers
 Multiple sandboxes can be configured
• If system resources allow...
 Keeps up with the latest malware issues
• e.g. added DDE analysis function
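As an added example (not from the slides or the Cuckoo project): a minimal Python client for the REST API listed above, using the `/tasks/create/file`, `/tasks/view/<id>` and `/tasks/report/<id>` endpoints of the Cuckoo 2.x API; the address 127.0.0.1:8090 is the default bind address of `cuckoo api` and is assumed here.

```python
import json
import os
import time
import uuid
from urllib import request

API = "http://127.0.0.1:8090"  # default bind address of `cuckoo api` (assumed reachable)

def build_multipart(filename, data, fields=None):
    """Encode a file plus form fields as multipart/form-data; returns (content_type, body)."""
    boundary = uuid.uuid4().hex
    parts = []
    for key, value in (fields or {}).items():
        parts.append(('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                      % (boundary, key, value)).encode())
    parts.append(('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n'
                  'Content-Type: application/octet-stream\r\n\r\n' % (boundary, filename)).encode())
    parts.append(data + b"\r\n")
    parts.append(("--%s--\r\n" % boundary).encode())
    return "multipart/form-data; boundary=" + boundary, b"".join(parts)

def submit_file(path, timeout=120, opener=request.urlopen):
    """POST the sample to /tasks/create/file and return the new task id."""
    with open(path, "rb") as fh:
        data = fh.read()
    ctype, body = build_multipart(os.path.basename(path), data, {"timeout": str(timeout)})
    req = request.Request(API + "/tasks/create/file", data=body, headers={"Content-Type": ctype})
    with opener(req) as resp:
        return json.load(resp)["task_id"]

def http_get_json(url):
    """Default fetch callable: GET url and decode the JSON body."""
    with request.urlopen(url) as resp:
        return json.load(resp)

def wait_for_report(task_id, fetch=http_get_json, poll=5, max_polls=120):
    """Poll /tasks/view/<id> until status is 'reported', then return the JSON
    report from /tasks/report/<id>. `fetch(url) -> dict` is injectable so the
    loop can be exercised offline; a failed_* status raises instead of polling on."""
    for _ in range(max_polls):
        status = fetch("%s/tasks/view/%d" % (API, task_id))["task"]["status"]
        if status == "reported":
            return fetch("%s/tasks/report/%d" % (API, task_id))
        if status.startswith("failed"):
            raise RuntimeError("task %d ended with status %s" % (task_id, status))
        time.sleep(poll)
    raise TimeoutError("task %d not reported after %d polls" % (task_id, max_polls))

if __name__ == "__main__":
    import sys
    tid = submit_file(sys.argv[1])
    print(json.dumps(wait_for_report(tid)["info"], indent=2))
```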
• 21. Introduction Cuckoo Sandbox 21
 Pros and Cons (2/2)
 Cons
 Core functionality is documented well, but documentation of additional functionality is insufficient
 If you encounter problems, report an issue or fix the source code yourself
• Issue solving is optional
 Functionalities may be removed without prior consent
 Releases proceed even if unfinished
• Improvement depends on participants
• May affect business operations
 Not all malware is analyzed well
• Environment configuration is very important
• Weak against anti-analysis techniques (anti-debugging, anti-virtualization ...)
 Limitation of detailed analysis
• Cannot analyze functions that depend on specific commands
• 22. Introduction Cuckoo Sandbox 22
 Environment
 Cuckoo Core Server
 Ubuntu 16.04 LTS Desktop 64 bit
 CPU 4 Core, Memory 16 GB
 Sandbox x 5
 Win7 SP1 64 bit
 CPU 1 Core, Memory 1024 MB
 Cuckoo Sandbox Application
 2.0.5.3
• 23. Introduction Cuckoo Sandbox 23
 Infrastructure
 (Diagram: Host OS > Type 2 Hypervisor > Cuckoo Core Service (Ubuntu 16.04 Desktop) with its own Type 2 Hypervisor for the sandboxes, and Other Service (Ubuntu 16.04 Server))
• 24. Introduction Cuckoo Sandbox 24
 Technology (1/3)
 Database
 Scheduling - RDBMS (SQLite, PostgreSQL, MariaDB)
 Web - NoSQL (MongoDB)
 Search - NoSQL (ElasticSearch)
 Supported types of hypervisor
 Type 1 - XenServer, VMware (ESX, vSphere), KVM, Qemu
 Type 2 - VMware (Workstation), VirtualBox
 Physical Sandbox - FOG Project
 Android Emulation - AVD
 Memory
 Volatility (with baseline analysis)
• 25. Introduction Cuckoo Sandbox 25
 Technology (2/3)
 Pattern and Signature
 Network Pattern - Snort, Suricata
 Static Binary Pattern - YARA
 Behavior Log Pattern - only usable inside Cuckoo Sandbox, with Python coding
 Network
 Type of Network Line - Proxy, VPN, Tor Network
 Analyzing - Moloch, mitmproxy
 Server
 Main Web Service - Django
 Distributed and API Service - Werkzeug
 Change server type - Nginx + uWSGI
• Increases stability
• 26. Introduction Cuckoo Sandbox 26
 Technology (3/3)
 Behavior Analysis
 The agent communicates with Cuckoo Core using the XML-RPC protocol
 Type of Reports
 HTML, PDF, JSON, Web Service
 Intelligence
 MISP
 System Management
 Icinga, Supervisord
 Supporting Android Analysis
 GooglePlay, Droidmon, ApkInfo
 ETC
 VirusTotal, Certificate Pinning at PE
• 27. Introduction Cuckoo Sandbox 27
 Functionalities (1/5)
 Hash for malware
 ssdeep, imphash
 Support for archive-type malware
 E-Mail, OLE, ZIP
 Analyzing Lateral Movement
 Announced in 2.0-RC1, but not implemented
 Network routing
 no routing, drop routing, dirty line, InetSim, Tor, VPN
 TLS/HTTPS capturing and decrypting
 mitmproxy, HTTPReplay
• But it has some problems
• HTTPReplay has no implementation for certificate pinning
• 28. Introduction Cuckoo Sandbox 28
 Functionalities (2/5)
 Baseline analysis in memory analysis
 It is not documented!!
 Only in the JSON report (not shown in the Web report)
 Extracting URLs from process memory
 When I tested with a memory DNS malware, this function did not extract the URL.
 Static Binary Pattern and Behavior Log Pattern
 Static Binary Pattern uses YARA
 Behavior Log Pattern has to use Cuckoo's dependent functions
• Python programming is needed
 YARA 3.7.1 can use the Cuckoo Sandbox dependent function.
• But Cuckoo Sandbox 2.0.5.3 does not support YARA 3.7.1
• 29. Introduction Cuckoo Sandbox 29
 Functionalities (3/5)
 Malicious score (quantification)
 Uses the Behavior Log Pattern
 Max is 10, but it can exceed 10
 Comparing malware
 Uses the API call order
 It was well implemented in the 1.x version, but in the 2.x version
 Implementing a distributed system
 It is not documented!!
 Implemented using the REST API service
 Provides dedicated web services
 Gevent for asynchronous systems, Greenlet for coroutines
 Not enough
• No integrated database support; only analyzes one file type
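As an added example (not from the slides or Cuckoo's own code) of the behavior-log-pattern and malicious-score points above: a simplified stand-in for Cuckoo's Python Signature class run over a constructed behavior summary in the shape of report.json, with the severities summed and capped at 10 (the summation is an assumption, not Cuckoo's actual weighting).

```python
# Constructed behavior summary in the shape of the "behavior" -> "summary"
# section of a Cuckoo 2.x report.json (made-up paths, not a real sample).
SAMPLE_REPORT = {"behavior": {"summary": {
    "file_written": [
        "C:\\Users\\user\\AppData\\Roaming\\updater.exe",
        "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk",
    ],
    "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "dll_loaded": ["KERNEL32.dll", "WS2_32.dll"],
}}}

class Signature:
    """Simplified stand-in for cuckoo's Signature base: sees the summary, says if it matches."""
    name = ""
    severity = 1  # cuckoo convention: 1 = informational, higher = more malicious
    def __init__(self, summary):
        self.summary = summary

    def entries(self, key):
        # Lower-cased copy of one summary list so matching is case-insensitive.
        return [s.lower() for s in self.summary.get(key, [])]

class StartupFolderDrop(Signature):
    name, severity = "persistence_startup_folder", 4
    def matches(self):
        return any("\\startup\\" in p for p in self.entries("file_written"))

class RunKeyPersistence(Signature):
    name, severity = "persistence_run_key", 4
    def matches(self):
        return any("\\currentversion\\run\\" in k for k in self.entries("regkey_written"))

class LoadsWinsock(Signature):
    name, severity = "network_winsock_dll", 3
    def matches(self):
        return "ws2_32.dll" in self.entries("dll_loaded")

SIGNATURES = [StartupFolderDrop, RunKeyPersistence, LoadsWinsock]

def run_signatures(report, signatures=SIGNATURES):
    """Run every signature; return matches as {name, severity} like report.json's "signatures"."""
    summary = report.get("behavior", {}).get("summary", {})
    return [{"name": s.name, "severity": s.severity}
            for s in (cls(summary) for cls in signatures) if s.matches()]

def malscore(matched, cap=10):
    """Assumed aggregation (not Cuckoo's weighting): raw sum (can exceed 10) and the capped 0..10 value."""
    raw = sum(m["severity"] for m in matched)
    return min(raw, cap), raw
```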
• 30. Introduction Cuckoo Sandbox 30
 Functionalities (4/5)
• 31. Introduction Cuckoo Sandbox 31
 Functionalities (5/5)
 Mass analysis
 Ability to separate functions
 (Flowchart, two flows read from the slide)
 Flow 1, Core (analyzing and reporting): Start > Submit > Start analyzing > End analyzing > Generate report > Other malware? Yes: back to Submit, No: End
 Flow 2, Core (analyzing) and Sub Core (reporting): Core: Start > Submit > Start analyzing > End analyzing > Other malware? Yes: back to Submit, No: End; Sub Core: Generate report > Other report? Yes: next report, No: End
• 33. Introduction Cuckoo Sandbox 33
 Other automated malware analysis tools (1/3)
 JOESandbox Cloud - https://joesecurity.org/joe-security-products
 BASIC version - (online only) Windows + Android
 PRO version - (standalone) + macOS + iOS + API + Cookbook (virtual and physical support) + ...
 Report Sample
• 34. Introduction Cuckoo Sandbox 34
 Other automated malware analysis tools (2/3)
 Hybrid-analysis - https://www.hybrid-analysis.com/
 Free Service - only Win7, only files, submission limit of 30 analyses, sample download
 Private Cloud - Win 10, IoC, YARA, URL, various reports
 Full Standalone - SIEM system integration (CEF syslog), custom signature test, memory dump
 Report Sample
• 35. Introduction Cuckoo Sandbox 35
 Other automated malware analysis tools (3/3)
 any.run - https://any.run/
 Semi-automated cloud malware analysis tool
• Free
• Live access to the virtual machines
 Report Sample
• 36. Sub-contents: Cyber Security Intelligence
 Other automated malware analysis tools
 Cyber Security Intelligence
 Used by many intelligence analysts
 Binary intelligence & limitation
• 37. Cyber Security Intelligence 37
 Cyber Security Intelligence
 Purpose
 Identify the attacker
 Predict the future through the past
• Incident Response (establish a preventive policy)
 Tactics, Techniques and Procedures
 https://en.wikipedia.org/wiki/PLA_Unit_61398
 http://detect-respond.blogspot.kr/2013/03/the-pyramid-of-pain.html
• 38. Cyber Security Intelligence 38
 Cyber Security Intelligence
 Automated malware analysis and Cyber Security Intelligence
 Purpose
• Automatically analyze numerous malware samples and accumulate analytical data
 Used by many intelligence analysts
 VirusTotal used Cuckoo Sandbox
• 39. Cyber Security Intelligence 39
 Cyber Security Intelligence
 Used by many intelligence analysts in cyber security
 https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
• 40. Cyber Security Intelligence 40
 Cyber Security Intelligence
 Used by many intelligence analysts in cyber security
 https://www.rsaconference.com/writable/presentations/file_upload/anf-t10_implementing-an-automated-incident-response-architecture.pdf
• 41. Cyber Security Intelligence 41
 Cyber Security Intelligence
 Used by many intelligence analysts in cyber security
 https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf
• 42. Cyber Security Intelligence 42
 Cyber Security Intelligence
 Papers related to Cuckoo Sandbox
 2014, USENIX - www.cs.ucsb.edu/~vigna/publications/2014_USENIX_BareCloud.pdf
 2016, IEEE - adamdoupe.com/publications/towards-automated-threat-intelligence-fusion-cic2016.pdf
 2015, IEEE - nsl.cs.waseda.ac.jp/~mori/papers/ccnc15-fujino-sumitted.pdf
 2017, IEEE - arxiv.org/pdf/1709.08753.pdf
• 43. Cyber Security Intelligence 43
 Binary intelligence & limitation
 Binary intelligence
 Roughly the same meaning as client-side intelligence, but not strictly
 Statistics of the various attack types used by binaries
 If a lot of malware is collected, associations can be analyzed
 Limitation of binary intelligence
 Counter intelligence
• Vulnerability of evidence
 More data is needed to overcome this
• Server-side intelligence is needed
▪ But there is no ownership and no investigation
• 44. Sub-contents: Conclusion
 Matthew Effect
 [OR] Next Project
 with Digital Forensics
• 45. Conclusion 45
 Matthew Effect
 The Matthew Effect = a lot of data means good-quality information
• 46. Conclusion 46
 with Digital Forensics
 Include the Digital Forensics process in Incident Response
 Importance of DFIR
• But, availability vs. integrity
 So many questions (Can ~ be evidence?)
 Can information gathered from the Internet be evidence?
 Can malware analysis information be evidence?
 Can data without a chain of custody be evidence?
 Can data collected from untrusted tools be evidence?
 ...
 No!
 The state of digital evidence in Korea is very regrettable
• And it is too difficult to keep up with the speed of rapid development
• The singularity is approaching rapidly!!
 Information collected through intelligence activities cannot be evidence
• 47. Q & A