Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders. Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation. Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.

1. Jakub (Kuba) Sendor
@jsendor
Don't Repeat Yourself
Automating Malware Incident Response for Fun and Profit

2. @jsendor
whoami
● Joined Yelp security team in July 2014.
● Mostly involved in malware incident response.
● Also working on automating our security processes.
● Previously worked at SAP in the Security & Trust research group.
● Before that:
MSc from AGH University of Science and Technology
in Kraków (Poland) and Telecom ParisTech/Institut Eurecom
in Sophia‑Antipolis (France).

3. Yelp’s Mission
Connecting people with great
local businesses.

4. Yelp Stats
As of Q1 2016
90M 3270%102M

5. > 4000

7. Dramatis personæ
Yelp
Employee
HelpDesk
IT Engineer
Security Team
Malware Analyst

8. ● Is this machine infected?
● How'd that malware get there?
● How can I prevent and detect further infection?

9. Initial triage
Forensics collection
Forensics analysis
Final remediation
Malware incident response process

10. Initial triage // Malware Analyst
Forensics collection // IT Engineer
Forensics analysis // Malware Analyst
Final remediation // IT Engineer
Malware incident response process

11. ● OSXAuditor
● osquery
● KnockKnock
● Grr (Google Rapid Response)
● OS X Incident Response: Scripting and Analysis
by Jaron Bradley
Digital Forensics on macOS

13. Forensics Collected by OSXCollector
OS System Info Applications Browser History
Kernel Extensions Quarantines Email Info
Downloads Startup Items
Groups &
Accounts

14. OSXCollector output
path, hashes, timestamps, signature chain, ...
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2016-03-31 16:50:39",
"mtime": "2016-03-30 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "DelayedHedgehog-2016_08_01-12_35_11",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}

15. Manual analysis with grep and jq works pretty well
grep a time window
only urls in a time window
grep a single user
$ cat bsideslv.json | grep '2016-08-03 10:1[2-8]'
$ cat bsideslv.json | grep '2016-08-03 10:1[2-8]' | jq 'select(has("url")).url'
$ cat bsideslv.json | jq 'select(.osxcollector_username=="kuba")|.'

16. $ sudo osxcollector.py
Wrote 35394 lines.
Output in osxcollect-2016_08_03-10_12_39.tar.gz

17. OSXCollector Output Filters
Internal blacklists
Related files
Domain extraction
Threat intel APIs
Browser history filter
JSON
in
JSON
out

18. Automated
Malware
Incident
Response and
Analysis
AMIRA

19. Uploading OSXCollector output
SlickApocalypse_2016-08-03_10:23:13.tar.gz

20. S3 Event Notifications
SlickApocalypse_2016-08-03_10:23:13.tar.gz
ObjectCreated
AmiraS3EventNotifications

21. S3 Event Notifications
SlickApocalypse_2016-08-03_10:23:13.tar.gz
ObjectCreated
AMIRA
AmiraS3EventNotifications

22. S3 Event Notifications
SlickApocalypse_2016-08-03_10:23:13.tar.gz
AMIRA
SlickApocalypse_2016-08-03_10:23:13.tar.gz

23. Automated analysis
AMIRA
Internal blacklists
Related files
Domain extraction Threat intel APIs
Browser history filter

24. Uploading the results
AMIRA
SlickApocalypse_2016-08-03_10:23:13.json
SlickApocalypse_2016-08-03_10:23:13.html

25. ● Domains and hashes found on the blacklist.
● Threat intel APIs hits for domains and file hashes.
● Blacklist suggestions.
Analysis results

26. Prerequisites:
● SQS queue for the S3 event notifications.
● S3 bucket configured to send S3 event notifications.
● (optional) Another S3 bucket for the analysis results.
Running AMIRA

27. from amira.amira import AMIRA
amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')
# register results uploader
from amira.s3 import S3ResultsUploader
s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)
# Ready, set, GO!
amira.run()

28. 1. Trigger OSXCollector via inventory management system.
2. Upload the results to an S3 bucket*.
3. Profit!
Automated forensics collection
*hint: use create-only rights in the S3 bucket policy

29. #!/bin/bash
file="$1"
bucket="$2"
echo "Uploading file $file to bucket $bucket"
resource="/${bucket}/${file}"
contentType="application/x-compressed-tar"
dateValue=`date -u +"%a, %d %b %Y %T GMT" `
stringToSign="PUTnn${contentType}n${dateValue}n${resource}"
s3Key="$3"
s3Secret="$4"
signature=`echo -en ${stringToSign} | openssl sha1 -hmac ${s3Secret} -binary |
base64`
curl -X PUT -T "${file}"
-H "Host: ${bucket}.s3.amazonaws.com"
-H "Date: ${dateValue}"
-H "Content-Type: ${contentType}"
-H "Authorization: AWS ${s3Key}:${signature}"
"https://${bucket}.s3.amazonaws.com/${file}" | cat

30. Automation FTW
Before
1-2 days
Now
Several minutes,
up to a couple of
hours in the worst
case

31. Initial triage // Malware Analyst
Forensics collection // AMIRA
Forensics analysis // AMIRA/Malware Analyst
Final remediation // IT Engineer
Malware incident response process

32. ● Automated process equal less human errors
● No need for physical collection.
● More proactive forensics collection.
Takeaways

33. https://github.com/Yelp/amira
Try it out!
@jsendor
kuba@yelp.com

34. @YelpEngineering
fb.com/YelpEngineers
engineeringblog.yelp.com
github.com/yelp