open source sandbox in a corporate infrastructure · in a corporate infrastructure sberbank cyber...
TRANSCRIPT
OpenSourceSandboxinacorporateinfrastructure
SberbankCyberSecurity
YuryDoroshenko
• ChiefexpertatSberbankCyberSecurity/Redteamer• Pentest/MalwareAnalysis/Memoryforensics• Musicandcinemalover• I’mintoextremesports
#Whoami
2
SocialEngineering
Massmail
BankerTrojan
APT
Ransomware
#Threats
• 24/7wearefightingemergingcyberattacksthataretargeting• Bankinfrastructure• Sensitivedata• Clientdata
3
• Source?• Risklevel?• Targetedattack?• Fastandefficientanalysis?
#Whoisyourenemy
4
#OurThreatIntelligencePlatform
DataEngine
RequestFor
Intelligence
ThreatHunting
IntelligenceDriven
Response
UseCaseManagement
RequestForintelligence
Infrastructuredata
IntelligenceAnalysis
Feed
SubscribesReports
IncidentManagement
IOC
ThreatIntelligence proccess
Requestforintelligence
Intelligenceanalysis
UseCaseManagement
ThreatHunting
IntelligenceDriveResponce
5
#ThreatIntelligenceproductmap
VulnerabilityManagement
IntelDataManagement
RequestFor
Intelligence
IntelligenceAnalysis
ThreatHunting
UseCaseManagementMaxPatrol
Bi.ZoneFinCERTKasperskyGroup-IB
IBMX-ForceCiscoThreatGridCiscoIntelliShieldCiscoSenderbase
MicrosoftVirusTotal
RecordedFutureBrandAnalytics
IBMi2/WatsonThreatQ(onpremis)
EclecticIQAnomaliBlueLiv
LookingGlassThreatConnectDECOYNETCynet360ERAM
NetskopeTPRiskIQ
StatusTodayVariatoReconVerintTP
illusiveSqrrl
FussionBehavioralExabeamEndgame
MaxPatrolSOCPrimeUCLThreatModeler
SkyBoxCronusCybot
6
#Oh,really?
7
#Personalhandymalwareanalysislab
Cuckoo Sandbox2.0.4.4/Cuckoo Sandbox1.3-NG ElasticSearch5.3.0 Moloch0.19.2 Volatility2.6
LokiIOCScanner0.24.2Malheur0.6.0Yara3.6.3
*ThelabwasdeployedandisrunningsmoothlyonmacOSHighSierra8
#Sandboxing?!
Whenyoustillthinkthatmalwaresarenotawareofsandboxing
9
• VMcloacking• AutomaticVMgeneration• Replaces“synthetic”VMparams with“real”
• Antivmdetection0.1.8https://github.com/nsmfoo/antivmdetection/• VMCloak0.4.4https://github.com/jbremer/vmcloak/
#AntiAnti-VMandAnti-Sandbox
10
#It’salive!
11
#Outofthebox+extrafeatures
Dynamicanalysis
Staticanalysis
Processactivityanalysis
Networkactivityanalysis
Registeranalysis
Memory-dumppost-analysis
Fileactivityanalysis
Networksniffering
Post-analysiswithLOKIIOCScanner
CustomYararulesbasedanalysis
BehavioralanalysiswithMalheurAutomaticAnalysisTool
Moloch+Elasticsearch integration
12
#Fileformats
msidll
bin
xls
doc
exe
bin
ppt
zip
ps1html
jar
js
hta
ie
swf
vbs
rar
cpl
apk
*Supportsautomaticformatdetection13
#Demo
14
#Demo
15
#BadRabbit
16
#BadRabbit
17
#Emotet
18
#Emotet
19
#Workingwithnetworkdata
20
#Post-analysis(IOCs)
21
• Supportingdifferentbuilt-inmodules:• Mitm (CuckooSanbox 2.0.4.4)• Snort(CuckooSanbox 2.0.4.4)• Malheur(CuckooSanbox 1.3-NG)
• Differentsignaturemechanics• Differentanalysisapproaches• Resultscomplementeachother
#Usingdifferentbranches?
22
#Whatfor?
Whenyoubegintounderstand
23
• Targetedattacksdetection• Extendablewithmoduleswritteninpython• Nowwehaveapersonalpowerfulmalwareanalysislab• Just-in-timepreventionandremediationstepsbasedonanalysisreport
#Profit?
24
• HardeningAntiAnti-Sandbox&Anti-VMtechniques• IntegratingitinThreatIntelligencePlatform• ExtendingthenumberofVirtualMachines• Machinelearning?
#ToDoList
25
Thankyouforyourattention!
#Q&A
• Links:https://github.com/YuryDo/MalwareLab
26