Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget


Published on

This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.

Published in: Technology
  • Good info!.... STARTUPS...Send your pitchdeck to thousands of VC's and Angel's with just 1 click. Visit:
    Are you sure you want to  Yes  No
    Your message goes here

CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget

  1. 1. Building a Malware Analysis Lab on a Budget Chris Sanders Charleston ISSA January 2015
  2. 2. Chris Sanders • Christian & Husband • Mandiant • Kentuckian and South Carolinian • MS, GSE, et al. • Non-Profit Director • BBQ Pit Master
  3. 3. Chris Sanders “[Practical Packet Analysis] gives you everything you need, step by step, to become proficient in packet analysis. I could not find a better book.” “[Applied NSM] should be required reading for all intrusion analysts and those looking to develop a security monitoring program.” – Amazon Reviewers
  4. 4. Outline Objectives:  Intro to Malware Analysis  Lab Networking  Lab Hardware  Lab Software  Other Resources “How can I build a malware analysis lab without spending much money? What are some best practices?”
  5. 5. ***Disclaimer*** • You cannot be reckless while performing malware analysis. • Malware can – Erase your hard drive – Permanently encrypt your data – Highjack your social networking identity – Highjack your real identity
  6. 6. Why Analyze Malware? • It’s critical as a function of intelligence. • It’s useful for understanding how systems work. • It’s a desirable skill. If you can analyze malware well and enjoy it, we’ll hire you.
  7. 7. Malware Analysis Processes • Behavioral Analysis – Executing malware to observe behaviors – Requires network knowledge and communication manipulation • Code Analysis – Reverse engineering malware by examining code – Much harder, requires assembly and system level knowledge
  8. 8. Malware Analysis Network
  9. 9. Virtualization is a Must • Free / Cheap – VirtualBox, VMWare ESXi, VMWare Workstation • Configurable Networking – Instant setup of virtual networks • Snapshots – Create and restore points in time
  10. 10. Virtualization is a Must Source: content/uploads/2012/06/snapshots_jpeg.jpg
  11. 11. Networking • Isolated virtual networks • Multiple guests can exists in these networks and communicate with each other • Guests should not be able to communicate with the host • Be EXTREMELY careful not to connect infected devices to the Internet
  12. 12. Hardware • System Specs (2 Running Infected Machines) – 4 GB RAM – 50 GB Storage • Scale from here!
  13. 13. Software • Windows Operating Systems – MSDN Accounts – Leverage 30 Day Trials – Windows 7 • Remnux – Free malware analysis distro from Lenny Zeltser (SANS) – Pre-built tools
  14. 14. Pro Tips™ • Color code your Virtual Machines • Leave a terminal window with your IP open • Snapshot early, snapshot often • Don’t leave an infected machine unwatched • Always encrypt + password protect malware during transmission – Password: “infected”
  15. 15. Learning Resources • Practical Malware Analysis - By Mike Sikorski • SANS FOR610 (GREM) w/ Lenny Zeltser
  16. 16. Conclusion • Malware analysis is an important security skill even if it isn’t your primary focus • If you can do it well, you can find a job • You can practice analyzing malware right now! • The best way to learn is to do the real thing.
  17. 17. Thank You! E-Mail: Twitter: @chrissanders88 Blog: Book Blog: