Open Source Sandbox in a corporate infrastructure · Sberbank Cyber Security

Posted on 01-May-2018


Open Source Sandbox in a corporate infrastructure

Sberbank Cyber Security

Yury Doroshenko

# Whoami

• Chief expert at Sberbank Cyber Security / Red teamer
• Pentest / Malware Analysis / Memory forensics
• Music and cinema lover
• I'm into extreme sports

# Threats

Social Engineering, Mass mail, Banker Trojan, APT, Ransomware

• 24/7 we are fighting emerging cyber attacks that are targeting:
  • Bank infrastructure
  • Sensitive data
  • Client data

# Who is your enemy

• Source?
• Risk level?
• Targeted attack?
• Fast and efficient analysis?

# Our Threat Intelligence Platform

[Platform diagram; elements: Data Engine, Request For Intelligence, Infrastructure data, Feed, Subscribes Reports, IOC, Intelligence Analysis, Threat Hunting, Intelligence Driven Response, Use Case Management, Incident Management]

Threat Intelligence process:
• Request for intelligence
• Intelligence analysis
• Use Case Management
• Threat Hunting
• Intelligence Driven Response

# Threat Intelligence product map

[Product map slide; categories: Vulnerability Management, Intel Data Management, Request For Intelligence, Intelligence Analysis, Threat Hunting, Use Case Management. Products on the map: MaxPatrol, Bi.Zone, FinCERT, Kaspersky, Group-IB, IBM X-Force, Cisco ThreatGrid, Cisco IntelliShield, Cisco Senderbase, Microsoft, VirusTotal, Recorded Future, Brand Analytics, IBM i2/Watson, ThreatQ (on premise), EclecticIQ, Anomali, BlueLiv, LookingGlass, ThreatConnect, DECOYNET, Cynet 360, ERAM, Netskope TP, RiskIQ, StatusToday, Variato, Recon, Verint TP, illusive, Sqrrl, Fussion Behavioral, Exabeam, Endgame, SOC Prime, UCL, ThreatModeler, SkyBox, Cronus Cybot]

# Oh, really?

# Personal handy malware analysis lab

Cuckoo Sandbox 2.0.4.4 / Cuckoo Sandbox 1.3-NG
ElasticSearch 5.3.0
Moloch 0.19.2
Volatility 2.6
Loki IOC Scanner 0.24.2
Malheur 0.6.0
Yara 3.6.3

* The lab was deployed and is running smoothly on macOS High Sierra

# Sandboxing?!

When you still think that malware is not aware of sandboxing

# Anti Anti-VM and Anti-Sandbox

• VM cloaking
• Automatic VM generation
• Replaces "synthetic" VM params with "real" ones

• Antivmdetection 0.1.8 https://github.com/nsmfoo/antivmdetection/
• VMCloak 0.4.4 https://github.com/jbremer/vmcloak/

# It's alive!

# Out of the box + extra features

• Dynamic analysis
• Static analysis
• Process activity analysis
• Network activity analysis
• Registry analysis
• Memory-dump post-analysis
• File activity analysis
• Network sniffing
• Post-analysis with LOKI IOC Scanner
• Custom Yara rules based analysis
• Behavioral analysis with Malheur Automatic Analysis Tool
• Moloch + Elasticsearch integration

# File formats

msi, dll, bin, xls, doc, exe, pdf, ppt, zip, ps1, html, jar, js, hta, ie, swf, vbs, rar, cpl, apk

* Supports automatic format detection
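The slide lists the formats the lab accepts and notes that the format is detected automatically. The Python below is an added example, not code from the slides or from the YuryDo/MalwareLab repository: it classifies a submitted blob by its content first and consults the submitted extension only where the container is genuinely ambiguous, so a sample renamed to `.txt` still reaches the right analysis package. It goes a little beyond the slide by telling DLL from EXE via the COFF Characteristics flag and jar/apk from a plain zip via member names. All sample blobs are constructed inline; `detect_format`, `build_pe`, `build_zip`, `SAMPLES` and `classify_all` are this example's own names.

```python
import io
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a PE image as a DLL

def _pe_kind(data: bytes, ext_hint: str) -> str:
    if len(data) < 0x40:
        return "exe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    char_off = e_lfanew + 4 + 18  # "PE\0\0" signature, then 18 bytes into the COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < char_off + 2:
        return "exe"  # DOS stub only or truncated: treat as a generic executable
    (characteristics,) = struct.unpack_from("<H", data, char_off)
    if characteristics & IMAGE_FILE_DLL:
        # Control Panel applets are DLLs by structure; only the name tells them apart.
        return "cpl" if ext_hint == "cpl" else "dll"
    return "exe"

def _zip_kind(data: bytes) -> str:
    # jar and apk are zip containers; the member names tell them apart.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "AndroidManifest.xml" in names or "classes.dex" in names:
        return "apk"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"

def _looks_textual(data: bytes) -> bool:
    sample = data[:4096]
    if not sample or b"\0" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.9

def _text_kind(data: bytes, ext_hint: str) -> str:
    """Script and markup formats: content markers first, extension hint second."""
    head = data[:4096].lower()
    if b"<hta:application" in head:
        return "hta"
    if b"<html" in head or b"<!doctype html" in head or b"<script" in head:
        return "html"
    return ext_hint if ext_hint in {"ps1", "vbs", "js"} else "bin"

def detect_format(data: bytes, filename: str = "") -> str:
    """Return the analysis-package label for a submitted blob, content first."""
    ext_hint = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data[:2] == b"MZ":
        return _pe_kind(data, ext_hint)
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        # OLE2 compound document: legacy doc/xls/ppt and MSI share this header.
        return ext_hint if ext_hint in {"doc", "xls", "ppt", "msi"} else "ole2"
    if data[:4] == b"PK\x03\x04":
        return _zip_kind(data)
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:6] == b"Rar!\x1a\x07":
        return "rar"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    if _looks_textual(data):
        return _text_kind(data, ext_hint)
    return "bin"

def build_pe(dll: bool) -> bytes:
    """Constructed minimal MZ/PE header (not a loadable binary) for the samples below."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x2102 if dll else 0x0102  # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed intake; two names are deliberately misleading to show content wins over extension.
SAMPLES = {
    "dropper.exe": build_pe(dll=False),
    "hook.dll": build_pe(dll=True),
    "applet.cpl": build_pe(dll=True),
    "lib.jar": build_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    "app.apk": build_zip({"AndroidManifest.xml": "<manifest/>", "classes.dex": "dex\n"}),
    "notes.txt": build_zip({"readme.txt": "constructed"}),                 # really a zip
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "page.html": b"<!DOCTYPE html><html><body>x</body></html>",
    "update.txt": b"<html><head><hta:application id=x></head></html>",   # really an HTA
    "run.ps1": b"Write-Host 'constructed sample'\n",
    "payload.bin": bytes(range(256)),
}

def classify_all(samples=SAMPLES) -> dict:
    return {name: detect_format(blob, name) for name, blob in samples.items()}
```

Running `classify_all()` routes `notes.txt` to the zip package and `update.txt` to the HTA package regardless of their names; `ie` is left out because it is a URL package rather than a file format, and `vbs`/`js`/`ps1` still fall back to the extension because plain scripts carry no reliable magic.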

# Demo

# BadRabbit

# Emotet

# Working with network data

# Post-analysis (IOCs)

# Using different branches?

• Supporting different built-in modules:
  • Mitm (Cuckoo Sandbox 2.0.4.4)
  • Snort (Cuckoo Sandbox 2.0.4.4)
  • Malheur (Cuckoo Sandbox 1.3-NG)

• Different signature mechanics
• Different analysis approaches
• Results complement each other
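The post-analysis slide turns a report into IOCs, and the branches slide says results from the two Cuckoo versions complement each other. The Python below is an added example, not the speaker's or the project's code: it extracts IOCs from two constructed reports, merges them, drops the sandbox's own non-routable addresses (gateway, DNS, host-only adapter), and renders the result as `value;comment` lines. The report layout (`target.file` hashes, `network.hosts/domains/http`, `behavior.summary`) is an assumption modelled on Cuckoo's report.json, including the detail that 2.x lists hosts as dicts and 1.x as strings; the `value;comment` line form is assumed from the sample files shipped with LOKI. Every hash, domain and address is a placeholder, and `REPORT_CUCKOO_2`, `REPORT_CUCKOO_13NG`, `extract_iocs`, `merge_iocs` and `to_loki_lines` are this example's own names.

```python
import ipaddress

# Constructed reports (layout assumed from Cuckoo's report.json; real ones carry far more).
REPORT_CUCKOO_2 = {
    "target": {"file": {"name": "sample.exe", "md5": "PLACEHOLDER_MD5",
                        "sha256": "PLACEHOLDER_SHA256"}},
    "network": {
        "hosts": [{"ip": "192.168.56.1"}, {"ip": "198.51.100.23"}],   # 2.x: list of dicts
        "domains": [{"domain": "update.example.invalid", "ip": "198.51.100.23"}],
        "http": [{"uri": "http://update.example.invalid/gate.php", "method": "POST"}],
    },
    "signatures": [{"name": "network_http", "severity": 2}],
}
REPORT_CUCKOO_13NG = {
    "target": {"file": {"name": "sample.exe", "md5": "PLACEHOLDER_MD5",
                        "sha256": "PLACEHOLDER_SHA256"}},
    "network": {
        "hosts": ["10.0.2.2", "203.0.113.9"],                          # 1.x: list of strings
        "domains": [{"domain": "cdn.example.invalid", "ip": "203.0.113.9"}],
    },
    "behavior": {"summary": {
        "mutexes": ["Global\\ConstructedMutex"],
        "files": ["C:\\Users\\user\\AppData\\Local\\Temp\\dropped.exe"],
    }},
}

# Explicit local ranges rather than ip_address().is_global, because the placeholder
# addresses above come from the documentation ranges, which is_global also rejects.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def is_routable(ip: str) -> bool:
    """False for the sandbox's own gateway/DNS/host-only addresses and other local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _LOCAL_NETS)

def extract_iocs(report: dict) -> dict:
    """Pull hashes, hosts, domains, URLs, mutexes and dropped files from one report."""
    iocs = {k: set() for k in ("hashes", "ips", "domains", "urls", "mutexes", "files")}
    target = report.get("target", {}).get("file", {})
    iocs["hashes"].update(target[h] for h in ("md5", "sha1", "sha256") if target.get(h))
    net = report.get("network", {})
    for host in net.get("hosts", []):
        ip = host.get("ip") if isinstance(host, dict) else host   # accept both branch layouts
        if ip and is_routable(ip):
            iocs["ips"].add(ip)
    for entry in net.get("domains", []):
        iocs["domains"].add(entry["domain"])
        if entry.get("ip") and is_routable(entry["ip"]):
            iocs["ips"].add(entry["ip"])
    iocs["urls"].update(req["uri"] for req in net.get("http", []) if req.get("uri"))
    summary = report.get("behavior", {}).get("summary", {})
    iocs["mutexes"].update(summary.get("mutexes", []))
    iocs["files"].update(summary.get("files", []))
    return iocs

def merge_iocs(*reports: dict) -> dict:
    """Union the IOC sets of several reports, e.g. one from each Cuckoo branch."""
    merged = {}
    for report in reports:
        for kind, values in extract_iocs(report).items():
            merged.setdefault(kind, set()).update(values)
    return merged

def to_loki_lines(iocs: dict, comment: str) -> dict:
    """Render as `value;comment` lines (assumed layout of LOKI's hash-iocs.txt / c2-iocs.txt)."""
    return {
        "hash-iocs.txt": sorted(f"{h};{comment}" for h in iocs["hashes"]),
        "c2-iocs.txt": sorted(f"{c2};{comment}" for c2 in iocs["ips"] | iocs["domains"]),
    }

if __name__ == "__main__":
    merged = merge_iocs(REPORT_CUCKOO_2, REPORT_CUCKOO_13NG)
    for fname, lines in to_loki_lines(merged, "constructed sample").items():
        print(f"--- {fname}")
        print("\n".join(lines))
```

The merge is a plain union, which is exactly why the branches complement each other here: the 2.0.4.4 report contributes the HTTP request that its Mitm module saw, the 1.3-NG report contributes the mutex and dropped file from its behaviour summary, and neither alone yields the full C2 list. Filtering non-routable addresses matters because a sandbox report always contains the analysis network's own gateway and resolver, and shipping those into a LOKI scan would flag every host in the estate.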

# What for?

When you begin to understand

# Profit?

• Targeted attacks detection
• Extendable with modules written in Python
• Now we have a personal powerful malware analysis lab
• Just-in-time prevention and remediation steps based on the analysis report

# ToDo List

• Hardening Anti Anti-Sandbox & Anti-VM techniques
• Integrating it in the Threat Intelligence Platform
• Extending the number of Virtual Machines
• Machine learning?

Thank you for your attention!

# Q&A

• Links: https://github.com/YuryDo/MalwareLab
