When we discuss malware analysis as it concerns building your own lab, we tend to think that we can just throw a few VMs together, install some software, grab some devices, and we're off to the races. And while, of course, this is true in the very short term, it's not very scalable. If you plan on doing malware analysis every single day,
trust me, I speak from experience: if you plan to analyze malware long term,
or make it something that's repeatable and relatively hassle free, you should take some time to think about how to build a malware lab that's efficient, effective and scalable. If you do the legwork to scope out your lab before you start analyzing malware, you can save a lot of time in the long run.
Okay, then you may be asking yourself, well, what the heck is this module for, then? It's a good question. The answer is that, in this instance, our lab serves our purpose: we want to get you up and analyzing malware fairly quickly. But now that you have a taste for the tools and what the process is, you can pick out what you like and what you don't like and design a lab on your own.
To begin your lab planning, you should think about the purpose of your lab. Is it going to be just for mobile malware? Are you going to analyze Windows malware, Linux, BlackBerry, etc.? Will this be an open lab, or will it be air gapped?
Do you need to share data with other parties?
Are you creating this lab for work or just for your personal research? These are just some basic questions to get you thinking.
To get them answered and to generate your own questions, I'd recommend sitting down and having your own little brainstorming session.
Think about how you might handle the entire malware analysis process and write down any issues that you think you might encounter. Also, make sure you get input from others who have done this before, who have built their own labs,
and you can get help with overcoming any lab challenges that you might encounter. Once you're finished and you have a clear set of requirements, you can then continue with the other steps in the process, or modify them if you need to.
When you think about the network as it relates to mobile malware, there's often a set of new challenges that present themselves when designing access to mobile networks.
Take a minute and think about the dynamic analysis process. Typically we want to see how these devices act when we install malware on them. Well, malware authors think about this too,
and they can design malware that reacts differently when a device is connected to Wi-Fi versus a 4G network. This might mean making SIM cards or hotspots available to these devices. If hotspots or SIM cards are out of the question for you,
maybe faking Internet service is the answer. Really, it's going to depend on your needs. During this process, you'll also want to think about your physical or virtual network layout. How will your analysis workstations connect to your devices?
How will your malware lab connect to other company resources, if that's required? In my experience, the best way this works is if you create an entire network with no access to your company network: basically, create the entire analysis network from the ground up and call it the dirty network, or something equivalent.
Then what you can do is segment that network so that devices infected with malware can't communicate with hosts on the segments you work with regularly. In essence, you'll create trusted and untrusted zones in your dirty network. Although this limits the problem of malware escape, it also might create a few new challenges. How do you handle sample tracking, for instance?
How do you handle malware properly, for example the collection and storage of samples?
These are all things you should try to get in front of when you're developing your malware network topology.
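One way to get in front of the sample-tracking question is a small intake script like the one below. This is an added example, not part of the lecture or of any tool it mentions; it assumes a hash-addressed quarantine directory with a JSON record next to each sample, and the sample bytes used in the usage are constructed, not real malware.

```python
"""Sample intake for a malware lab quarantine store (added example).

Assumptions (not from the lecture): samples live under a hash-addressed
directory, metadata is kept as JSON beside each sample, and stored files are
marked read-only with no execute bit so they cannot be launched by accident
on the analysis workstation.
"""
import hashlib
import json
import os
import stat
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def hash_sample(data: bytes) -> dict:
    """Return the hash set most sample-tracking systems key on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def intake_sample(store: Path, data: bytes, *, platform: str, source: str,
                  analyst: str, tags=()) -> dict:
    """Store one sample under store/<sha256[:2]>/<sha256> with a metadata record.

    Returns the record. A second intake of identical bytes is deduplicated by
    hash: the file is not written again, only the new source is appended.
    """
    hashes = hash_sample(data)
    sha256 = hashes["sha256"]
    sample_dir = store / sha256[:2]
    sample_dir.mkdir(parents=True, exist_ok=True)
    sample_path = sample_dir / sha256
    meta_path = sample_dir / f"{sha256}.json"

    if meta_path.exists():
        record = json.loads(meta_path.read_text())
        if source not in record["sources"]:
            record["sources"].append(source)
    else:
        sample_path.write_bytes(data)
        # Read-only, no execute bit: the file is evidence, not a program to run here.
        os.chmod(sample_path, stat.S_IRUSR)
        record = {
            **hashes,
            "size": len(data),
            "platform": platform,
            "analyst": analyst,
            "tags": sorted(set(tags)),
            "sources": [source],
            "received": datetime.now(timezone.utc).isoformat(),
            "path": str(sample_path),
        }
    meta_path.write_text(json.dumps(record, indent=2))
    return record


def find_sample(store: Path, digest: str) -> Optional[dict]:
    """Look a sample up by any of its hashes (case-insensitive)."""
    digest = digest.lower()
    for meta_path in store.glob("*/*.json"):
        record = json.loads(meta_path.read_text())
        if digest in (record["md5"], record["sha1"], record["sha256"]):
            return record
    return None


if __name__ == "__main__":
    # Constructed sample bytes, not real malware.
    demo_store = Path("quarantine-demo")
    rec = intake_sample(demo_store, b"CONSTRUCTED SAMPLE: not real malware\n",
                        platform="android", source="ticket-1", analyst="me")
    print(json.dumps(rec, indent=2))
```

The record is keyed by SHA-256, so the same file received twice from two sources is stored once with both sources noted, and the read-only, non-executable mode is a small guard against launching the wrong file on the analysis box.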
When you have a layout determined, then you'll want to decide whether you'll implement your plan with virtual or physical networking technologies. If real hardware is in your plan, then don't forget about the costs associated with it. All right, so you've settled on your requirements and you understand the network. What's next? Now it's time to understand the hardware requirements.
Because we're talking about mobile malware, at the very least you'll need some access to physical devices such as iPhones
or Android tablets. Then, along with the hardware needed to create your network, such as virtual or physical servers, you also want to be thinking about the analysis machines. What type of hardware will you need to support the various platforms you'll analyze? When I try to answer these questions, a good rule of thumb for me is to try and reduce the attack surface
by analyzing on a system that is the opposite of the one you're analyzing.
For instance, if you're analyzing Mac malware, maybe use a Windows OS. If you're analyzing Android, maybe use Linux. Either way, you'll want to make sure you have enough resources available on your hardware, such as CPU cores, memory, etc., to support your analysis efforts without taking a performance hit.
Depending on the platform you're trying to analyze, this might change. For instance, I know that running macOS on a host with a Mac VM inside takes a lot of resources;
you typically need to devote at least two CPU cores with several gigabytes of memory to operate it in an efficient manner. So these are definitely things you want to consider
when thinking about your hardware requirements. Okay, so you have everything set up. Next you want to pick out a tool set, so you might ask me, well, how do I do that?
Well, I would start with tools that come pre-bundled with distributions like Kali and REMnux, etc.,
and pick some tools that do a lot of the work for you. Then you can see the results and research how that tool got to those specific results. This is helpful when you may not know about a particular language like Objective-C or Swift, for example. Another advantage is that these distros are already set up and they work very well. This can cut your setup time in half.
Also, I would pick tools that have good documentation
and are verbose with their error messages and help features. The last thing you want is to be frustrated by a tool while you're trying to learn malware analysis; it's not helpful at all. Another thing I would try is to stick to some GUI tools in the beginning and then move to the command line as you become more familiar with the platform you're analyzing. Also, if it's possible, try to select several tools that do the same job,
see which one you like, and evaluate them to see which one does a better job at a particular task.
Whatever tools you select, try to have a good mix of static and dynamic analysis tools. It's also pretty important to keep your build chains independent. A lot of the time these tools require different dependencies, so many that you can get lost in the weeds installing and uninstalling software.
This is especially true with Python packages. If possible, learn about running virtual Python environments so you can control your dependencies when running multiple projects. Lastly, before going through the painful process of installing all the tools in your lab,
make sure you carefully research the requirements needed to make them run and that they meet your analytical goals. You can even go so far as to write up a requirements list for a specific tool
and decide whether it'll be effective or not, saving you time and money. In one instance, I built a lab for a customer who didn't really know about malware analysis, and they hired me as their expert. I advised them against buying several different tools because they weren't designed for malware analysis, but they had "code analysis" in the name, so I guess they were enamored with this piece of software or something.
In the end, they decided to buy it and others like it, which cost them hundreds of thousands of dollars more than they needed to spend,
and they never ended up using the software. So the moral of the story is: just make sure you have a good idea of your requirements for the analysis tools that you want.
So, once you come to the end of your lab design phase and you've selected your tools, before installing them on your analysis machines you should set up your tools first in a test environment. Run the tools and look at the results against a few different analysis scenarios to see how each tool performs. What you want to do here is make sure that they run correctly
and that they give results that are repeatable for other analysts.
You want to do this before you install them in your lab production environment. Also, I would say to try to automate everything if possible; be creative here. As analysts, we spend a lot of time updating software and removing software. You can use tools like brew for Mac or Chocolatey for Windows to automate the tool installation process.
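The repeatability check described here can be mechanised: run every tool over a small corpus of test scenarios several times, fingerprint the results, and keep the fingerprints as a baseline another analyst can reproduce after an upgrade. The harness below is an added example, not from the lecture; the "tools" are stand-in Python functions (a real tool would be wrapped in a subprocess call that returns its parsed output) and the scenarios are constructed byte strings, not malware.

```python
"""Tool-repeatability harness for lab acceptance testing (added example).

Assumptions (not from the lecture): each analysis tool is wrapped as a Python
callable that takes sample bytes and returns a JSON-serialisable result. The
scenarios below are constructed byte strings standing in for a test corpus.
"""
import hashlib
import json
import math
import os
import re
from collections import Counter

# Constructed scenarios: a script-like text file, a high-entropy blob, an empty file.
SCENARIOS = {
    "script_like": b"#!/bin/sh\nexport PATH=/tmp\ncurl http://example.invalid/update\n",
    "blob_like": bytes(range(256)) * 4,
    "empty": b"",
}


def strings_tool(data: bytes) -> dict:
    """Printable ASCII runs of four or more characters, like `strings`."""
    found = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", data)]
    return {"count": len(found), "strings": found}


def entropy_tool(data: bytes) -> dict:
    """Shannon entropy in bits per byte, rounded so float noise cannot cause drift."""
    if not data:
        return {"entropy": 0.0}
    counts = Counter(data)
    ent = -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
    return {"entropy": round(ent, 4)}


def flaky_tool(data: bytes) -> dict:
    """A tool that embeds a run id in its output: the same input never gives the same result."""
    return {"size": len(data), "run_id": os.urandom(8).hex()}


def result_fingerprint(result: dict) -> str:
    """Canonical JSON then SHA-256: two analysts with the same input get the same fingerprint."""
    canon = json.dumps(result, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def build_baseline(tools: dict, scenarios: dict) -> dict:
    """Fingerprint per (tool, scenario); store this JSON with the lab documentation."""
    return {name: {sc: result_fingerprint(tool(data)) for sc, data in scenarios.items()}
            for name, tool in tools.items()}


def check_repeatability(tools: dict, scenarios: dict, runs: int = 3) -> list:
    """Run each tool several times per scenario; return (tool, scenario) pairs whose output drifts."""
    drift = []
    for name, tool in tools.items():
        for sc, data in scenarios.items():
            fingerprints = {result_fingerprint(tool(data)) for _ in range(runs)}
            if len(fingerprints) != 1:
                drift.append((name, sc))
    return drift


def compare_to_baseline(baseline: dict, tools: dict, scenarios: dict) -> list:
    """Re-run the tools (e.g. after an upgrade) and list entries whose fingerprint changed."""
    current = build_baseline(tools, scenarios)
    return [(t, sc) for t in baseline for sc in baseline[t]
            if current.get(t, {}).get(sc) != baseline[t][sc]]


if __name__ == "__main__":
    tools = {"strings": strings_tool, "entropy": entropy_tool, "flaky": flaky_tool}
    print("not repeatable:", check_repeatability(tools, SCENARIOS))
    base = build_baseline({"strings": strings_tool, "entropy": entropy_tool}, SCENARIOS)
    print("drift since baseline:", compare_to_baseline(base, tools, SCENARIOS))
```

Anything that lands in the "not repeatable" list (the flaky stand-in here, or a real tool that prints timestamps or temp paths into its report) needs its output normalised before it goes into the production lab, otherwise two analysts will never get matching results.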
Lastly, you should follow the three D's: document, document, document.
Yes, document everything, and make sure you have an accurate record of networking diagrams, software assets and all the hardware used, as well as any configurations you made.
This is going to help others, and of course you, remember how the lab is designed.
This documentation can also be used to analyze areas that need to be improved or upgraded later.
So let me give you some recommendations when it comes to setting up your lab. First, I would recommend that you do a lot of testing. Go grab yourself a copy of VirtualBox, run REMnux and Kali and all these other distributions, and just see how they perform. Just keep in mind that you don't want to test real malware in this situation.
My suggestion is to maybe write an Android or iOS application.
It probably will only take about 10 minutes, and then do your testing in a virtual lab before you go buy actual hardware or software. The only thing I would advise is that you can't run real malware scenarios for iOS without a device, but you can still do a lot of testing with the application you developed by running it in the simulator. Now, as regards tools, once you've decided on a set that you like,
I would recommend you install them and create a baseline.
Then you have all your tools installed in one place, the way you like them, and you'll be more than prepared to perform effective malware analysis. Now, in real or testing scenarios where virtual platforms are implemented, be sure that you create snapshots. Then you can always revert your design changes just in case you make a mistake in a configuration,
a tool doesn't work, or, worse, malware runs in your guest.
This also saves you the hassle of having to install software 1,000 times and affords you a quick way to get back to your gold image. As for the network, I would make sure that you're capturing traffic going in and out of your lab. You want to make sure that you own the network and not the malware. Also, make sure you implement host-only networking wherever possible,
as this can limit the malware's escape capability through the network.
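As an added example of checking that you, and not the malware, own the network (not part of the lecture): a small audit over a pcap taken on the dirty network that flags any traffic leaving the infected-device segment for anywhere other than the fake-Internet sink. The segments, the sink address and the capture itself are constructed assumptions; the parser handles plain Ethernet/IPv4/TCP/UDP pcap records, which is what a capture box with tcpdump would give you.

```python
"""Egress audit over a lab packet capture (added example).

Assumptions (not from the lecture): the dirty network is 10.66.0.0/16, infected
devices sit in 10.66.20.0/24, analyst workstations in the trusted 10.66.10.0/24
segment, and 10.66.0.1 is a fake-Internet sink that answers DNS/HTTP for the
devices. All addresses and the capture itself are constructed for the example.
"""
import struct
from ipaddress import ip_address, ip_network

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {6: "tcp", 17: "udp"}

DEFAULT_POLICY = {
    "lab_network": ip_network("10.66.0.0/16"),
    "dirty_zone": ip_network("10.66.20.0/24"),
    "trusted_zones": [ip_network("10.66.10.0/24")],
    "allowed_sinks": {ip_address("10.66.0.1")},
}


def build_frame(src, dst, proto, sport, dport, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP/UDP frame with zeroed checksums (enough for offline parsing)."""
    if proto == 6:
        transport = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(transport) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    return eth + ip + transport + payload


def build_capture(frames) -> bytes:
    """Wrap frames in a little-endian pcap file, the layout tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap: bytes):
    """Yield (src, dst, proto, sport, dport) for every IPv4 TCP/UDP packet in the capture."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # ARP, IPv6 and friends are skipped by this example
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        src = ip_address(frame[14 + 12: 14 + 16])
        dst = ip_address(frame[14 + 16: 14 + 20])
        if proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, proto, sport, dport


def audit_capture(pcap: bytes, policy=DEFAULT_POLICY) -> list:
    """Flag traffic from infected devices that should not exist if segmentation works."""
    findings = []
    for src, dst, proto, sport, dport in iter_packets(pcap):
        if src not in policy["dirty_zone"] or dst in policy["allowed_sinks"]:
            continue
        if any(dst in zone for zone in policy["trusted_zones"]):
            reason = "dirty-to-trusted"        # segmentation failure: reached the analyst segment
        elif dst in policy["dirty_zone"]:
            reason = "lateral-in-dirty-zone"   # a device probing its neighbours
        elif dst not in policy["lab_network"]:
            reason = "left-the-lab"            # real Internet or corporate network: not yours any more
        else:
            reason = "unexpected-lab-destination"
        findings.append({"src": str(src), "dst": str(dst), "proto": PROTO_NAMES[proto],
                         "dport": dport, "reason": reason})
    return findings


# Constructed capture: one benign DNS query to the sink, one analyst push, three things to flag.
SAMPLE_CAPTURE = build_capture([
    build_frame("10.66.20.5", "10.66.0.1", 17, 40001, 53, b"\x00" * 12),
    build_frame("10.66.20.5", "203.0.113.10", 6, 40002, 443),
    build_frame("10.66.20.5", "10.66.10.3", 6, 40003, 22),
    build_frame("10.66.10.3", "10.66.20.5", 6, 50000, 5555),
    build_frame("10.66.20.5", "10.66.20.9", 6, 40004, 445),
])

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Run against a real capture, any "left-the-lab" or "dirty-to-trusted" finding means the host-only networking or the zone firewall is not doing what the diagram says, which is exactly the kind of thing to catch in the test phase rather than after a sample has phoned home.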