Olivier Bilodeau & Hugo Genesse - Applying DevOps Principles for Better Malware Analysis



The malware battle online is far from being over. Several thousands of new malware binaries are collected by antivirus companies every day. Most organizations don't have the expertise on staff to know if they are being targeted or if they are hit with mass-spreading malware, although knowing the difference is vital for a proper defensive strategy.
Additionally, attackers are sharing data, expertise and they specialize; while on the defense side the competition between security companies is an obstacle to sharing. Malware analysis is a hard task and that the tools are not designed with teamwork in mind. This situation give the bad guys the upper hand.

This talk aims at changing the status quo by leveraging what we can learn and use from the DevOps community and tools. Building analysis machines is a tedious task: one must have all the proper tools installed on VM; specific version of the vulnerable software (ie: Flash), Sysinternal tools, debuggers (Windbg), network traffic analyzers (Wireshark), man-in-the-middle tools (Fiddler), and must avoid leaking their precious proprietary software licenses (IDA). At the moment, this tedious process is not automated and is repeated by every analysts. Adding insult to injury, it is common practice that the machine is archived and recreated when a new malware investigation is started.
We will demonstrate how to leverage the DevOps principle of infrastructure as code to enable researchers to build recipes that automatically creates fully operational and re-usable analysis machines with Vagrant and Packer. Recipes used at GoSecure will be made available on GitHub so that everyone can fork and customize their own whilst building on the work of others.
DevOps practices also teach about service deployment. In the context of malware analysis, service deployment applies to honeypots, sandboxes and sinkholes. We will demonstrate how you can save time by deploying these services quickly and efficiently using Docker. Dockerfiles tailored for malware analysis will be released. Attendees will learn simple tools and safe malware analysis practices that are easy to grasp, enabling them to start doing analysis faster. Seasoned malware researchers will also gain from this talk by seeing how DevOps principles can be applied to simplify and accelerate their labs' malware reverse-engineering capacity.

The presentation includes a live demo and all the code produced will be made available at the conference under an open source licence.

Olivier Bilodeau & Hugo Genesse - Applying DevOps Principles for Better Malware Analysis Olivier Bilodeau & Hugo Genesse - Applying DevOps Principles for Better Malware Analysis Reviewed by Anonymous on January 15, 2019 Rating: 5