Dynamic Analysis Part 2.1

Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

In this module, we will take a closer look at basic network dynamic analysis. In the real world, most malware has some kind of network presence. We'll begin with Indicators of Compromise (IOCs) such as file hashes, domain names, network traffic, strings, registry keys, file names, file paths, process names, URLs and IP addresses. We'll also cover how to use OpenIOC and segregate some indicators. Note that any single indicator may not be useful on its own, but combined with other indicators it is critical in dynamic analysis. You'll also learn about Yara, which is used for identifying indicators. We'll also walk through three websites that'll help you understand these concepts better. These include: www.github.com, www.malware-analyzer.com and www.opensecuritytraining.info.

Video Transcription
Hi, welcome to the Cybrary. My name is Sean Pierce. I'm a subject matter expert in malware analysis. Today we will be covering Part 2 of basic dynamic analysis, where we'll be looking at networking.

Just a quick recap of what we covered last time. We talked about what dynamic analysis is, which is just basically dropping a piece of malware into a VM and just executing it and seeing what it does. Like I said, this is very fast, it's easy. But there is a drawback where code may not execute for a great many number of reasons. Like it's VM-aware, or it's past a certain date, or you just don't trigger that functionality because the environment is not right, like you don't have a certain piece of software or something like that.

It's easy to generate indicators of compromise, like path names or file hashes from files that are dropped by the malware. But it's a little more difficult for other kinds of indicators like attribution. That's where the human element comes into play, because there are plenty of sandboxes out there, plenty of malware analysis platforms, but they can't really tell you attribution, they can't really tell you risk or impact to your business or organization. That's really why you need a human malware analyst to do this stuff.

Today we're going to be looking at indicators of compromise on the network level, which I think is very important because most malware, every piece of malware I've ever seen in the real world, has always had some network presence, where it either spreads via network or communicates with its command and control server over the network. There are some tricky things out there that use like peer-to-peer, or that use Tor, or an IRC chat room or something like that. But most of the time it's going to use a simple website, a domain name, most likely something like update hairdresser.com or something like that. The command and control server will be up for a little while over here, then they'll change the domain endpoint to somewhere else. It's really easy to pick that stuff out, pretty fast, and we're going to see an example of how we would do that with our current environment that we have set up before.

As I said, indicators of compromise are what you're really after. There's plenty of those: file hashes, strings, path names, process names, registry keys. Since we are going to be talking about networking, mainly we are going to be after domain names, IP addresses. Network traffic is pretty important if it's encrypted, if it's easy to decrypt, because some malware has very lousy encryption that we can break pretty trivially. There is other malware we cannot break trivially, or they use HTTPS or something like that, in which case it would be a pain to get at. Really, if all we want is an indicator that someone is infected, we don't necessarily need to break the crypto or get at the information inside, because usually it's some beacon to the command and control server with basic information of the compromised host. Like username, IP address, both internal address and external address, or time or date of the infection, usually a campaign code. The botnet herders know what campaigns are most effective at infecting people, like via exploit kit, a spam, or some other method.

We saw some network traffic and we're able to make some indicators of compromise, some IoCs. There are a few ways in which we can standardize this format. OpenIoC, made by Mandiant, is an interesting project where they have gone through the trouble of categorizing tons and tons of indicators. Here are some basic ones I just threw up on the screen, like process name, file strings, file owner, file path, event log ID, file name, file hash, file MD5. These things aren't always fantastic indicators, but when combined, they can be quite effective. Like filename doesn't really mean a whole lot, because any file can change its name, or any file can have any name pretty much. Except if we know this particular filename is only used by this one piece of malware or this one version of a piece of malware, that can help us identify stuff pretty quickly. They keep some public information about indicators that they have for all the common malware families. They use these indicators to scan files on a computer or scan their holdings, their malware repos or whatever else. It is quite helpful, they're easy to make.

I would like to point out that this is not an antivirus solution. You shouldn't just go grab a whole bunch of indicators or some OpenIoC files, and scan your computer and say, "Oh, look, this file right here has an OpenIoC alert of new Zeus." It's like, wow. There's a string in the file that triggered this, but that's benign. It's not an antivirus signature. It's really just to help defenders of networks communicate threat data to each other in a standardized format. I've seen some products on the market start to support OpenIoC. But it's not very common, and it's a great idea, but it's not currently implemented.

What's far more implemented is Yara. Yara is very simple. It is basically what it looks like, where you can describe a few things. With OpenIoC, you can do lots of things, tons of things. With Yara, it's more of: here's this, whose hashes are these? Metadata, file name could be this. Strings might be A or B or C. Down at the bottom you see there's a little condition part, where it's A or B or C, and you can actually make some complicated logic, or it's A and B or C. It's like A and/or B or C. This is far more implemented, but it is not an antivirus solution either. It's important to note that this is useful and it is supported by lots of things, but not very well. Some platforms search your signatures and memory 1,000 times faster than other platforms. But their detections aren't very good because they have sloppy programming. It's just important to know that this is how one would communicate threat data in the real world between groups, like intelligence groups or network defense groups or hunt teams or malware analyst teams or network defender teams. But it may not suit you in your enterprise. You should test this stuff.

Just to recap what we covered today. We covered indicators of compromise. We covered some of their standards in the industry. I mentioned two major ones, which are OpenIoC and Yara. We demonstrated basic dynamic analysis looking for network indicators.

I want to show you three web pages I think will be very useful to you, and here they are. The first one is a GitHub page with a lot of excellent malware analysis tools. In particular, the network segment has some pretty good tools. I recognized them all and I would suggest that you familiarize yourself with them. Maybe not taking a whole day per tool, but you should at least click through some demo videos. Another good website is malware-analyzer.com, and they list a good number of tools. Same, this is what we use today. Ncat is different than Netcat. Netcat is nc and is a traditional Linux tool; Ncat is the upgrade. The third site is opensecuritytraining.info, that's put on by [inaudible] and it is fantastic. They have hands-on online learning labs and they have lots of samples and they have really smart people working for them. It's really something you should invest a whole week or two in because they go pretty in-depth. It's good, but I've never made it more than a few days through all of this stuff. They use the same book that I've suggested before.

Thank you for watching this Cybrary video. Hope to see you again.
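The rule shape the speaker sketches (a metadata block with a hash and file name, strings A, B and C, and a condition that combines them with and/or) looks like this in Yara syntax. This is an added example, not code from the video or the page; every string, hash, rule name and URL path in it is a constructed placeholder, not a real indicator of any malware family.

```yara
// Added example: the layout of a Yara rule as described in the transcript.
// All values below are constructed placeholders, not indicators of any real family.
rule Example_Beacon_Structure
{
    meta:
        description = "Illustrates the meta / strings / condition layout"
        author      = "example placeholder"
        sample_md5  = "PLACEHOLDER_MD5_OF_REFERENCE_SAMPLE"   // constructed, not a real hash
        filename    = "example_dropper.exe"                    // constructed placeholder

    strings:
        // "A": a plain text string; ascii and wide cover both narrow and UTF-16 copies,
        // nocase means mixed-case variants still match
        $a = "EXAMPLE_CAMPAIGN_CODE" ascii wide nocase
        // "B": a hex pattern ("EXAMPLE??BEACON") with ?? wildcards for bytes that vary
        $b = { 45 58 41 4D 50 4C 45 ?? ?? 42 45 41 43 4F 4E }
        // "C": a regular expression for a beacon-style URL path (constructed placeholder)
        $c = /\/example-beacon\.php\?id=[0-9A-F]{8}/ nocase

    condition:
        // "A and B or C", grouped explicitly so the precedence is what you intend:
        // the file must start with the MZ header of a PE, and then either both A and B
        // match or C matches
        uint16(0) == 0x5A4D and (($a and $b) or $c)
}
```

Save this as a .yar file and run `yara -r rules.yar <directory>` to scan recursively. As the speaker notes, a hit only says the strings were present, so check a new rule against known-clean files before trusting it.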