Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders.
Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation. Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.
7. Initial triage // Malware Analyst
Forensics collection // IT Engineer
Forensics analysis // Malware Analyst
Final remediation // IT Engineer
Malware incident response process
8. ● OSXAuditor
● osquery
● KnockKnock
● Grr (Google Rapid Response)
● OS X Incident Response: Scripting and Analysis
by Jaron Bradley
Digital Forensics on macOS
9.
10. Forensics Collected by OSXCollector
OS System Info Applications Browser History
Kernel Extensions Quarantines Email Info
Downloads Startup Items
Groups &
Accounts
12. Manual analysis with grep and jq works pretty well
grep a time window
only urls in a time window
grep a single user
$ cat bsideslv.json | grep '2016-08-03 10:1[2-8]'
$ cat bsideslv.json | grep '2016-08-03 10:1[2-8]' | jq 'select(has("url")).url'
$ cat bsideslv.json | jq 'select(.osxcollector_username=="kuba")|.'
22. ● Domains and hashes found on the blacklist.
● Threat intel APIs hits for domains and file hashes.
● Blacklist suggestions.
Analysis results
23. Prerequisites:
● SQS queue for the S3 event notifications.
● S3 bucket configured to send S3 event notifications.
● (optional) Another S3 bucket for the analysis results.
Running AMIRA
25. 1. Trigger OSXCollector via inventory management system.
2. Upload the results to an S3 bucket*.
3. Profit!
Automated forensics collection
*hint: use create-only rights in the S3 bucket policy