“Why Study Malware????”

Malware Forensics, Sandbox and Investigation Techniques for Network Engineers
Joseph Muniz – Architect / Researcher
@SecureBlogger
www.thesecurityblogger.com
BRKSEC-2498 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

Topics (Network Engineer Focused)
• Assembly + Programming
• System Operations
• Malware Behavior
• Debugging
• Files
• Security Tools
• Incident Response

Download The CTR Comic
https://tinyurl.com/ycwt2moz
https://tinyurl.com/y6uurzuu
[email protected]

Joseph Muniz
• Security Architect – Americas Sales Organization
• Security Researcher – www.thesecurityblogger.com
• Speaker: Cisco Live / DEFCON / RSA / (ISC)2
• Avid Futbal (Soccer for USA people) Player and Musician
• Twitter @SecureBlogger

Agenda
• Industry Concepts
• Malware – Know Thy Enemy
• Investigating Malware
• Gearing Up
• Understanding Malware Behavior
• Basic Analysis
• Static Analysis
• Dynamic Analysis
• Continue Your Journey

Industry Concepts
“Why Study Malware????”

Why Understand The Attacker and Malware?
• Tune your tools
• Adjust your security strategies
• Improve your incident response
• Find the binary = How to detect malware and contain damage
Common weakest link is breach detection!

SOC Common Services
• Risk Management
• Vulnerability Management
• Compliance
• Incident Response
• Analysis
• Situational and Security Awareness
• Research and Development
• Digital Forensics
Great Reference for PSIRT / CSIRT = https://www.first.org/

Common Vulnerabilities and Exposures (CVE)
• Vulnerability Type: Apache vulnerability
• Threat Description: Three vulnerabilities in the Apache Struts 2 package
• Existing Controls: Firewalled and monitored by IPS
• Probability: Unlikely (not web facing)
• Impact: Critical
http://cve.mitre.org/about/faqs.html

Malware
Joey’s Shoes 2.0

Malware – Know Thy Enemy
Malware: Software programs designed to damage or do other unwanted actions on a computer system

Downloaders and Launchers
• Downloads other malicious software
• Typically used for initial compromise of target

Adware
• Malware that presents unwanted advertising to user
• Often included with free software and browser toolbars

Backdoors
• Allows attacker to connect to compromised system and take control
• RATs, Reverse Shell, Meterpreter, Trojan, etc.

Rootkits
• Designed to conceal the existence of other malware
• Often rootkits hide backdoors

Botnet
• Network of remote controlled private computers with backdoors controlled by a command and control server
• Often send SPAM and perform distributed denial-of-service attacks

Ransomware / Scareware
• Scares victim into purchasing something or paying ransomware
• Scareware = blackmail | Ransomware = encrypted data

Worm
• Malware that replicates itself to spread to other systems
• Uses network, P2P networks, email or direct exploitation of target

Virus
• Malware that replicates itself into other applications, files or even the boot sector
• Can harm computers, steal data or perform other nefarious actions

Spam Sending Malware
• Sends spam from compromised system
• Common part of a botnet, which could also perform DDoS

Keyloggers / Data Stealing Malware
• Malware designed to capture specific data
• Keystrokes, credit card numbers, bank accounts, other personal data

Results From Various Samples
• New files may be created and/or existing files may be modified
• May move or copy to known location such as Windows system folder
• Malware here can run with user permissions
• May not produce an executable, but rather a DLL or batch script
• May delete temporary files that it had created
• Likely to create registry entries (may control network adaptors)
• May create unique identifiers that are benign but useful for detecting malware families
• May disable security such as the Windows Firewall
• May call out to malicious source

Investigating Malware

Tips for Malware Research
• Don’t get caught up in details
• Different tools are good for different jobs
• If one tool or approach fails, try another
• There is no “one approach”
• Don’t dwell too long on one issue

Know Your End Goal
• Determine something is bad = Stop and remove
  • Tip: Do quick static analysis first!!!
• Understand who is impacted = hash and scan
• Prevent future attack = Identify exploited vulnerability
• Stop the attack = Develop legal case (if possible, likely a pipedream)
Forensics must be done right from the start!!!!!

Malware Analysis Approach
1. Review existing data from security tools (i.e. indicators)
2. Static analysis using quick tools (AV, Cloud Sandbox, Malware Lists)
3. Static analysis of the Portable Executable
4. Dynamic analysis – Run in a sandbox and monitor changes it makes
5. Deep analysis – Disassemble and debug

Gearing Up

Shopping List
• Virtualization – Clonezilla, dd, FOG, PXE Booting
• Disassembler / Debugger – Ghidra, Radare2, IDA Pro, x64dbg / x32dbg, perframe
• Packet Capture – Wireshark, TCP Dump, Netcat
• Scanning Tools – Antivirus, Database of malware
• Honeypot – Learn malware behavior
• Sandbox – Cuckoo
• Memory Forensics – Scylla (dump), Volatility (exam)
• Runtime Tools – Process Explorer, RegShot, fakends
• File Detectors – Detect It Easy, PEiD, TrIDNet

Clonezilla
Real malware analysis means bare metal testing

Virtualization
VMware and Docker

Kali Linux – Create Samples
• Open Source Penetration Testing Arsenal
• Many Great Forensics Tools
• Download www.kali.org
• Metasploit can create samples for testing too (ex malicious PDF)

Sample Sources
• ANY.RUN: Registration required
• Malware DB
• Contagio Malware Dump: Password required
• Objective-See Collection: Mac malware
• CAPE Sandbox
• PacketTotal: Malware inside downloadable PCAP files
• Das Malwerk
• SNDBOX: Registration required
• theZoo aka Malware DB
• Eicar https://www.eicar.org/?page_id=3950
• URLhaus: Links to live sites hosting malware
• FreeTrojanBotnet: Registration required
• VirusBay: Registration required
• Hybrid Analysis: Registration required
• VirusShare
• KernelMode.info: Registration required
• Virusign
• MalShare: Registration required
• VirusSign: Registration required
• Malware.lu’s AVCaesar: Registration required

T-POT – Honeypot
• Honeypot platform based on established honeypots and IDS/IPS technology
• Learn malware and attack behavior
• Collect Samples
• Detect internal attacks (inside network deployment)

Honeypot Deployments
• Cloud – External Samples
• Inside Network – Internal Attacks

Honeypots Collect Samples – T-POT
• Must use Debian now
• AWS free tier wasn’t enough power
• Google Cloud offers $300 US, giving you a few months for free
• Best practice is locking down access to GUIs to your own IP, but you don’t have to
• Malware samples downloaded at /data/dionaea/binaries
How to install T-POT on AWS or Google Cloud: http://www.thesecurityblogger.com/installing-t-pot-honeypot-on-aws-and-google-cloud-in-2019/
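As an added example, not taken from the slide deck, the following Python script performs the quick static triage of steps 2 and 3 of the Malware Analysis Approach and flags the behaviours listed under Results From Various Samples: it hashes a file for lookup and scanning, checks the file type by magic bytes the way Detect It Easy or TrIDNet would, pulls printable strings, and marks hints of registry persistence, system-folder copies, firewall tampering and network callouts. All inputs are constructed (the EICAR test string referenced in the Sample Sources slide and a fake MZ/PE header skeleton); the hint names and the example.invalid URL are assumptions.

```python
import hashlib
import re
import struct

# Constructed inputs only (no real malware). EICAR is the standard AV test string from the slides.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Behaviour hints (names assumed) taken from the "Results From Various Samples" slide.
HINTS = {
    "registry_run_key": rb"CurrentVersion\\Run",   # persistence via a Run key
    "system_folder": rb"\\System32\\",            # copy into the Windows system folder
    "firewall_tamper": rb"advfirewall",           # touching the Windows Firewall
    "network_callout": rb"https?://[\w.-]+",      # call out to a remote host
}

def file_type(data: bytes) -> str:
    """Magic-number check standing in for Detect It Easy / TrIDNet style file detectors."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
        return "pe" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz-stub-only"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "eicar-test-file" if data == EICAR else "unknown"

def strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, like the classic `strings` utility."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Steps 2-3 of the slide's approach: hashes for scanning/lookup, type, strings, hints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "strings": strings(data),
        "hints": sorted(n for n, pat in HINTS.items() if re.search(pat, data)),
    }

def build_fake_pe(payload: bytes) -> bytes:
    """Constructed MZ/PE header skeleton (not executable) with NUL-separated strings appended."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right past the DOS stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + payload

# Constructed sample showing three of the behaviours the slide lists (no firewall tampering).
SAMPLE = build_fake_pe(b"\0".join([
    rb"Software\Microsoft\Windows\CurrentVersion\Run",
    rb"C:\Windows\System32\svc.exe",
    b"http://example.invalid/beacon",
]))
print(triage(SAMPLE))
```

The hashes are what you would paste into the quick-lookup tools of step 2 (AV, cloud sandbox, malware lists); the hint list is only a prompt for which behaviours to watch for when the sample moves on to dynamic analysis in the sandbox.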