Open Source Sandbox in a corporate infrastructure · Sberbank Cyber Security · Yury Doroshenko
TRANSCRIPT

Open Source Sandbox in a corporate infrastructure
Sberbank Cyber Security
Yury Doroshenko
# Whoami
• Chief expert at Sberbank Cyber Security / Red teamer
• Pentest / Malware Analysis / Memory forensics
• Music and cinema lover
• I'm into extreme sports
# Threats
Social Engineering
Mass mail
Banker Trojan
APT
Ransomware
• 24/7 we are fighting emerging cyber attacks that are targeting
  • Bank infrastructure
  • Sensitive data
  • Client data
# Who is your enemy
• Source?
• Risk level?
• Targeted attack?
• Fast and efficient analysis?
# Our Threat Intelligence Platform
[Diagram: Data Engine connected to Request For Intelligence, Threat Hunting, Intelligence Driven Response, Use Case Management, Infrastructure data, Intelligence Analysis, Feed, Subscribes / Reports, Incident Management, IOC]
Threat Intelligence process: Request for intelligence → Intelligence analysis → Use Case Management → Threat Hunting → Intelligence Driven Response
# Threat Intelligence product map
[Product map: Vulnerability Management, Intel Data Management, Request For Intelligence, Intelligence Analysis, Threat Hunting, Use Case Management]
Vendors shown: MaxPatrol, Bi.Zone, FinCERT, Kaspersky, Group-IB, IBM X-Force, Cisco ThreatGrid, Cisco IntelliShield, Cisco Senderbase, Microsoft, VirusTotal, Recorded Future, Brand Analytics, IBM i2 / Watson, ThreatQ (on premise), EclecticIQ, Anomali, BlueLiv, LookingGlass, ThreatConnect, DECOYNET, Cynet360, ERAM, Netskope, TP, RiskIQ, StatusToday, Variato, Recon, Verint TP, illusive, Sqrrl, Fussion Behavioral, Exabeam, Endgame, MaxPatrol, SOC Prime, UCL, ThreatModeler, SkyBox, Cronus Cybot
# Oh, really?
# Personal handy malware analysis lab
Cuckoo Sandbox 2.0.4.4 / Cuckoo Sandbox 1.3-NG, ElasticSearch 5.3.0, Moloch 0.19.2, Volatility 2.6, Loki IOC Scanner 0.24.2, Malheur 0.6.0, Yara 3.6.3
* The lab was deployed and is running smoothly on macOS High Sierra
# Sandboxing?!
When you still think that malware is not aware of sandboxing
# Anti Anti-VM and Anti-Sandbox
• VM cloaking
• Automatic VM generation
• Replaces "synthetic" VM params with "real"
• Antivmdetection 0.1.8 https://github.com/nsmfoo/antivmdetection/
• VMCloak 0.4.4 https://github.com/jbremer/vmcloak/
# It's alive!
# Out of the box + extra features
Dynamic analysis
Static analysis
Process activity analysis
Network activity analysis
Registry analysis
Memory-dump post-analysis
File activity analysis
Network sniffing
Post-analysis with LOKI IOC Scanner
Custom Yara rules based analysis
Behavioral analysis with Malheur Automatic Analysis Tool
Moloch + Elasticsearch integration
# File formats
msi, dll, bin, xls, doc, exe, ppt, zip, ps1, html, jar, js, hta, ie, swf, vbs, rar, cpl, apk
* Supports automatic format detection
# Demo
# Bad Rabbit
# Emotet
# Working with network data
# Post-analysis (IOCs)
# Using different branches?
• Supporting different built-in modules:
  • Mitm (Cuckoo Sandbox 2.0.4.4)
  • Snort (Cuckoo Sandbox 2.0.4.4)
  • Malheur (Cuckoo Sandbox 1.3-NG)
• Different signature mechanics
• Different analysis approaches
• Results complement each other
# What for?
When you begin to understand
# Profit?
• Targeted attacks detection
• Extendable with modules written in Python
• Now we have a personal powerful malware analysis lab
• Just-in-time prevention and remediation steps based on analysis report
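Added example (not from the talk or the MalwareLab repository) of the post-analysis step the deck refers to: turning a sandbox analysis report into IOCs, a risk level and remediation steps. The report below is a constructed sample whose layout is modelled on a Cuckoo 2.x report.json (an assumption), and the lab NAT network 10.0.2.0/24 is likewise an assumption.

```python
import ipaddress

# Constructed sample, not a real analysis: modelled on the Cuckoo 2.x report.json
# layout (assumption: 'network', 'dropped' and 'signatures' have the shapes shown).
SAMPLE_REPORT = {
    "target": {"file": {"name": "invoice.doc", "sha256": "a" * 64}},
    "network": {
        "hosts": ["192.0.2.10", "10.0.2.2", "203.0.113.7"],
        "domains": [{"domain": "update.example.test", "ip": "203.0.113.7"}],
        "http": [{"uri": "http://update.example.test/x.php", "method": "GET"}],
    },
    "dropped": [{"name": "svc.exe", "sha256": "b" * 64}],
    "signatures": [
        {"name": "office_macro", "severity": 2},
        {"name": "injection_runpe", "severity": 3},
        {"name": "network_http", "severity": 1},
    ],
}

# Addresses belonging to the lab itself (assumption: 10.0.2.0/24 is the VirtualBox
# NAT network of the analysis VMs) must never be published as IOCs.
LAB_NETS = [ipaddress.ip_network("10.0.2.0/24")]

def is_lab_address(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in LAB_NETS)

def extract_iocs(report):
    """Collect block-list candidates: external hosts, contacted domains, URLs, hashes."""
    net = report.get("network", {})
    hashes = {report["target"]["file"]["sha256"]}
    hashes |= {d["sha256"] for d in report.get("dropped", [])}
    return {
        "ips": sorted(h for h in net.get("hosts", []) if not is_lab_address(h)),
        "domains": sorted({d["domain"] for d in net.get("domains", [])}),
        "urls": sorted({h["uri"] for h in net.get("http", [])}),
        "sha256": sorted(hashes),
    }

def risk_level(report):
    """Map the highest signature severity to a triage level (Cuckoo signatures use 1..3)."""
    top = max((s.get("severity", 0) for s in report.get("signatures", [])), default=0)
    return {0: "info", 1: "low", 2: "medium"}.get(top, "high")

def remediation_steps(report):
    """Turn IOCs into concrete prevention steps for the perimeter and the endpoints."""
    iocs = extract_iocs(report)
    steps = [f"block at proxy/firewall: {x}" for x in iocs["domains"] + iocs["ips"]]
    steps += [f"scan endpoints for hash (e.g. with LOKI): {h}" for h in iocs["sha256"]]
    return steps
```

The same functions can be run over a real report.json by loading it with `json.load` in place of SAMPLE_REPORT.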
# To Do List
• Hardening Anti Anti-Sandbox & Anti-VM techniques
• Integrating it in Threat Intelligence Platform
• Extending the number of Virtual Machines
• Machine learning?
# Q&A
Thank you for your attention!
• Links: https://github.com/YuryDo/MalwareLab