00:03
>> Hi, welcome to the Cybrary. My name is Sean Pierce. I'm a subject matter expert in malware analysis. Today we will be covering Part 2 of basic dynamic analysis, where we'll be looking at networking.

Just a quick recap of what we covered last time. We talked about what dynamic analysis is, which is just basically dropping a piece of malware into a VM, executing it, and seeing what it does. Like I said, this is very fast, it's easy. But there is a drawback where code may not execute for a great many reasons, like it's VM-aware, or it's past a certain date, or it doesn't trigger that functionality because the environment is not right, like you don't have a certain piece of software or something like that. It's easy to generate indicators of compromise, file hashes from files that are dropped by the malware. But it's a little more difficult for other kinds of indicators like attribution. That's where the human element comes into play, because there are plenty of sandboxes out there, plenty of malware analysis platforms, but they can't really tell you attribution, they can't really tell you risk or impact to your business or organization. That's really why you need a human malware analyst.
Today we're going to be looking at indicators of compromise on the network level, which I think is very important because most malware, every piece of malware I've ever seen in the real world, has always had some network presence, where it either spreads via the network or communicates with its command and control server over the network. There are some tricky things out there that use peer-to-peer or an IRC chat room or something like that. But most of the time it's going to use a simple website, a domain name, most likely like update hairdresser.com or something like that. The command and control server will be up for a little while over here, then the domain will point to somewhere else. It's really easy to pick that stuff out, pretty fast, and we're going to see an example of how we would do that with our current environment that we have set up before.
As I said, indicators of compromise are what you're really after. There are plenty of those: file hashes, strings, path names, process names, registry keys. Since we are going to be talking about networking, mainly we are going to be after domain names and IP addresses. Network traffic is pretty important. If it's encrypted, decrypt it, because some malware has very lousy encryption that we can break pretty trivially. There is other malware we cannot break trivially, or it uses HTTPS or something like that, in which case it would be a pain to get at. If what we want is an indicator that someone is infected, we don't necessarily need to break the crypto or get at the information inside, because usually it's some beacon to the command and control server with basic information about the compromised host, like username, IP address (both internal address and external address), time or date of the infection, and usually a campaign code. The botnet herders know which campaigns are most effective at infecting people, like via exploit kit, spam, or some other method.
We saw some network traffic and we were able to make some indicators of compromise, some IoCs. There are a few ways in which we can standardize this format. Mandiant is an interesting project where they have gone through the trouble of categorizing tons and tons of indicators. Here are some basic ones I just threw up on the screen, like process name, file strings, file owner, file path, event log ID, file name, file hash, file MD5. These things aren't always fantastic indicators, but when combined, they can be quite effective. Like, filename doesn't really mean a whole lot, because any file can have any name, pretty much. But if this particular filename is only used by this one piece of malware or this one version of a piece of malware, that can help us identify stuff pretty quickly. They keep some public information about indicators that they have for all the common malware families. They use these indicators to scan files on a computer or scan their holdings, their malware repos or whatever else. It is quite helpful, they're easy to make.

I would like to point out that this is not an antivirus solution. You shouldn't just go grab a whole bunch of indicators or some openIoC files, scan your computer and say, "Oh, look, this file right here has an openIoC alert of new Zeus." It's like, wow, there's a string in the file that triggered this, but that's benign. It's not an antivirus signature. It's really just to help defenders of networks communicate threat data to each other in a standardized format. I've seen some products on the market start to support openIoC. But it's not very common; it's a great idea, but it's not currently implemented.
What's far more implemented is Yara. Yara is very simple. It is basically what it looks like, where you can describe a few things. With openIoC, you can do lots of things, tons of things. With Yara, it's more of: here's this, whose hash is this? Metadata: file name could be this. Strings might be A or B or C. Down at the bottom you see there's a little condition part, where it's A or B or C, and you can actually make some complicated logic. It's like A and/or B or C. This is far more implemented, but it is not an antivirus solution either. It's important to note that this is useful and it is supported by lots of things. Some platforms search your signatures and memory 1,000 times faster than other platforms, but their detections aren't very good because they have sloppy programming. It's just important to know that this is how one would communicate threat data in the real world between groups, like intelligence groups or network defense groups or hunt teams or malware analyst teams or network defender teams. But it may not suit you in your enterprise. You should test this stuff.
Just to recap what we covered today. We covered indicators of compromise. We covered some of the standards in the industry; I mentioned two major ones, which are openIoC and Yara. We demonstrated basic dynamic analysis looking for network indicators.

I want to show you three web pages I think will be very useful to you, and here they are. The first one is a GitHub page with a lot of excellent malware analysis tools. In particular, the network segment has some pretty good tools. I recognized them all and I would suggest that you familiarize yourself with them. Maybe not taking a whole day per tool, but you should at least click through some demo videos. Another good website is malware-analyzer.com, and they list a good number of tools. Same, this is what we used today. Ncat is different than Netcat. Netcat is nc and is a traditional Linux tool; Ncat is the upgrade. The third site is opensecuritytraining.info, that's put on by [inaudible] and it is fantastic. They have hands-on online learning labs and they have lots of samples and they have really smart people working for them. It's really something you should invest a whole week or two in, because they go pretty in-depth. It's good, but I've never made it more than a few days through all of this stuff. They use the same book that I've suggested before.

Thank you for watching this Cybrary video. Hope to see you again.