Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
Similar to CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget (20)
Recently uploaded
Recently uploaded (20)
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
- 1. Building a Malware Analysis Lab on a Budget Chris Sanders Charleston ISSA January 2015
- 2. Chris Sanders • Christian & Husband • Mandiant • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
- 3. Chris Sanders “[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.” “[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” – Amazon Reviewers
- 4. Outline Objectives: Intro to Malware Analysis Lab Networking Lab Hardware Lab Software Other Resources “How can I build a malware analysis lab without spending much money? What are some best practices?”
- 5. ***Disclaimer*** • You cannot be reckless while performing malware analysis. • Malware can – Erase your hard drive – Permanently encrypt your data – Highjack your social networking identity – Highjack your real identity
- 6. Why Analyze Malware? • It’s critical as a function of intelligence. • It’s useful for understanding how systems work. • It’s a desirable skill. If you can analyze malware well and enjoy it, we’ll hire you.
- 7. Malware Analysis Processes • Behavioral Analysis – Executing malware to observe behaviors – Requires network knowledge and communication manipulation • Code Analysis – Reverse engineering malware by examining code – Much harder, requires assembly and system level knowledge
- 9. Virtualization is a Must • Free / Cheap – VirtualBox, VMWare ESXi, VMWare Workstation • Configurable Networking – Instant setup of virtual networks • Snapshots – Create and restore points in time
- 10. Virtualization is a Must Source: http://www.cybersquared.com.php53-7.dfw1-1.websitetestlink.com/wp- content/uploads/2012/06/snapshots_jpeg.jpg
- 11. Networking • Isolated virtual networks • Multiple guests can exists in these networks and communicate with each other • Guests should not be able to communicate with the host • Be EXTREMELY careful not to connect infected devices to the Internet
- 12. Hardware • System Specs (2 Running Infected Machines) – 4 GB RAM – 50 GB Storage • Scale from here!
- 13. Software • Windows Operating Systems – MSDN Accounts – Leverage 30 Day Trials – Windows 7 • Remnux – Free malware analysis distro from Lenny Zeltser (SANS) – Pre-built tools
- 14. Pro Tips™ • Color code your Virtual Machines • Leave a terminal window with your IP open • Snapshot early, snapshot often • Don’t leave an infected machine unwatched • Always encrypt + password protect malware during transmission – Password: “infected”
- 15. Learning Resources • Practical Malware Analysis - By Mike Sikorski • SANS FOR610 (GREM) w/ Lenny Zeltser
- 16. Conclusion • Malware analysis is an important security skill even if it isn’t your primary focus • If you can do it well, you can find a job • You can practice analyzing malware right now! • The best way to learn is to do the real thing.
- 17. Thank You! E-Mail: chris@chrissanders.org Twitter: @chrissanders88 Blog: http://www.chrissanders.org Book Blog: http://www.appliednsm.com
Editor's Notes
- Military distinction story