Building a Malware Analysis Lab on a Budget

Chris Sanders, Charleston ISSA

January 2015

Chris Sanders

• Christian & Husband
• Mandiant
• Kentuckian and South Carolinian
• MS, GSE, et al.
• Non-Profit Director
• BBQ Pit Master

Chris Sanders

“[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.”

“[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.”

– Amazon Reviewers

Outline

Objectives:
• Intro to Malware Analysis
• Lab Networking
• Lab Hardware
• Lab Software
• Other Resources

“How can I build a malware analysis lab without spending much money? What are some best practices?”

***Disclaimer***

• You cannot be reckless while performing malware analysis.

• Malware can
  – Erase your hard drive
  – Permanently encrypt your data
  – Hijack your social networking identity
  – Hijack your real identity

Why Analyze Malware?

• It’s critical as a function of intelligence.
• It’s useful for understanding how systems work.
• It’s a desirable skill. If you can analyze malware well and enjoy it, we’ll hire you.

Malware Analysis Processes

• Behavioral Analysis
  – Executing malware to observe behaviors
  – Requires network knowledge and communication manipulation

• Code Analysis
  – Reverse engineering malware by examining code
  – Much harder, requires assembly and system level knowledge

Malware Analysis Network

Virtualization is a Must

• Free / Cheap
  – VirtualBox, VMware ESXi, VMware Workstation

• Configurable Networking
  – Instant setup of virtual networks

• Snapshots
  – Create and restore points in time

Virtualization is a Must

Source: http://www.cybersquared.com.php53-7.dfw1-1.websitetestlink.com/wp-content/uploads/2012/06/snapshots_jpeg.jpg

Networking

• Isolated virtual networks
• Multiple guests can exist in these networks and communicate with each other
• Guests should not be able to communicate with the host
• Be EXTREMELY careful not to connect infected devices to the Internet
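As an added example (not part of the talk), a small Python check for the isolation rules above: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and flags any guest adapter attached to NAT, bridged, host-only or a NAT network, accepting only internal networks (guest-to-guest) or no attachment. The sample output is constructed, and the `nicN=`/`intnetN=` key names are assumed from VirtualBox's machine-readable format.

```python
"""Audit VirtualBox guest NIC attachments for an isolated malware lab.

Added example, not from the talk. Only 'intnet' (guest-to-guest) and
'none' keep a guest off the host and off the Internet.
"""
import re
import subprocess

# Attachment types that break isolation: NAT and bridged reach the
# Internet, host-only reaches the analysis host, NAT networks reach both.
UNSAFE = {"nat", "bridged", "hostonly", "natnetwork"}
SAFE = {"none", "intnet"}

# Assumed key format: nic1="intnet", intnet1="malnet", nic2="none", ...
NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$', re.M)
INTNET_RE = re.compile(r'^intnet(\d+)="([^"]*)"$', re.M)


def audit_nics(machinereadable: str) -> list:
    """Return (adapter_index, attachment, intnet_name, ok) per adapter."""
    intnets = dict(INTNET_RE.findall(machinereadable))
    results = []
    for idx, kind in NIC_RE.findall(machinereadable):
        detail = intnets.get(idx, "") if kind == "intnet" else ""
        results.append((int(idx), kind, detail, kind in SAFE))
    return results


def is_isolated(machinereadable: str) -> bool:
    """True only if the guest has adapters and all are 'none' or 'intnet'."""
    results = audit_nics(machinereadable)
    return bool(results) and all(r[3] for r in results)


def vm_info(name: str) -> str:
    """Fetch live data for a guest (requires VirtualBox on the host)."""
    return subprocess.check_output(
        ["VBoxManage", "showvminfo", name, "--machinereadable"], text=True)


# Constructed sample for a guest that is NOT isolated: nic1 sits on the
# internal lab network, but nic2 was left attached to NAT (Internet!).
SAMPLE_LEAKY = '''name="win7-victim"
nic1="intnet"
intnet1="malnet"
nic2="nat"
nic3="none"
'''

if __name__ == "__main__":
    for idx, kind, detail, ok in audit_nics(SAMPLE_LEAKY):
        print(f"nic{idx}: {kind} {detail} -> {'OK' if ok else 'UNSAFE'}")
    print("isolated:", is_isolated(SAMPLE_LEAKY))
```

Run it against `vm_info("<guest name>")` before powering on a guest to catch an adapter left on NAT or host-only after a snapshot restore.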

Hardware

• System Specs (2 Running Infected Machines)
  – 4 GB RAM
  – 50 GB Storage

• Scale from here!

Software

• Windows Operating Systems
  – MSDN Accounts
  – Leverage 30 Day Trials
  – Windows 7

• REMnux
  – Free malware analysis distro from Lenny Zeltser (SANS)
  – Pre-built tools

Pro Tips™

• Color code your Virtual Machines
• Leave a terminal window with your IP open
• Snapshot early, snapshot often
• Don’t leave an infected machine unwatched
• Always encrypt + password protect malware during transmission
  – Password: “infected”

Learning Resources

• Practical Malware Analysis
  – By Mike Sikorski

• SANS FOR610 (GREM) w/ Lenny Zeltser

Conclusion

• Malware analysis is an important security skill even if it isn’t your primary focus
• If you can do it well, you can find a job
• You can practice analyzing malware right now!
• The best way to learn is to do the real thing.

Thank You!

E-Mail: [email protected]
Twitter: @chrissanders88

Blog: http://www.chrissanders.org
Book Blog: http://www.appliednsm.com