Automating Dynamic Malware Analysis - Krešimir Kuhar (ReversingLabs)

Published: 19 May 2026
on channel: Shift Conference

Get your tickets for Infobip Shift 2023 at https://shift.infobip.com/

Using a DevOps toolchain for deploying, maintaining and monitoring dynamic malware analysis sandbox solutions.

When it comes to determining whether a file is malicious, there is a lot to take into consideration before you can give a final answer. Sometimes a benign-looking Word document will encrypt your files, and sometimes an important piece of software gets classified as malware. To tell which is which you need a plethora of tools working together to give you the data such a decision requires.

Some of these tools are malware analysis sandboxes: they execute files in isolated environments and record the behavior of those files. Setting up such an environment is no trivial task, and things get much more complicated when you need to analyze tens of thousands of files per day using more than one sandbox solution.

My day-to-day job includes using different tools and technologies for deploying and automating such systems, so that end users, whether threat analysts or client companies, can get their data just by uploading a file via a REST API. The tools and technologies I use include Python, Ceph, Jenkins, Ansible, KVM, VirtualBox, InfluxDB, Grafana, RMQ and some more.
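The pipeline sketched above (a sample comes in, several sandboxes run it, the caller gets one result back) has a core that is worth seeing in code: deduplicate by hash so a file seen before does not burn VM time again, fan the sample out to every backend, survive a backend that hangs or errors, and merge the per-sandbox behavior reports into one record that also says which sandbox saw what. The following Python is an added example written for this page; it is not code from the talk or from ReversingLabs. The backend classes, their names, the report format and the behavior tags are all constructed for the illustration, and the sample document is a made-up byte string.

```python
"""Sandbox fan-out orchestrator (added example, not the talk's own code).

Models: upload -> SHA-256 dedup -> parallel analysis on N sandbox backends
(with a per-job deadline) -> merged behaviour report.  Backends below are
constructed stand-ins for real KVM/VirtualBox-driven guests."""
import hashlib
import time
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass, field


@dataclass
class SandboxReport:
    backend: str
    status: str                                  # "ok", "error" or "timeout"
    behaviors: set = field(default_factory=set)  # normalised behaviour tags
    error: str = ""


class SandboxBackend:
    """Adapter interface; a real one would restore a snapshot, run the sample
    in the guest and parse the trace into behaviour tags."""
    name = "base"

    def analyze(self, sample: bytes) -> SandboxReport:
        raise NotImplementedError


class FakeWindowsSandbox(SandboxBackend):
    """Constructed backend: reports macro-like behaviour when the sample
    bytes contain an AutoOpen marker, nothing otherwise."""
    name = "kvm-win10"

    def analyze(self, sample):
        tags = set()
        if b"AutoOpen" in sample:
            tags |= {"process:winword.exe->powershell.exe",
                     "file-write:%TEMP%\\dropper.exe",
                     "net:http-get"}
        return SandboxReport(self.name, "ok", tags)


class FakeSlowSandbox(FakeWindowsSandbox):
    """Constructed backend whose guest never comes back in time (hung VM)."""
    name = "vbox-win7"

    def analyze(self, sample):
        time.sleep(1.0)
        return super().analyze(sample)


class FakeBrokenSandbox(SandboxBackend):
    """Constructed backend that fails outright (e.g. snapshot restore error)."""
    name = "kvm-win11"

    def analyze(self, sample):
        raise RuntimeError("snapshot restore failed")


def merge_reports(sha256: str, reports) -> dict:
    """Union the behaviour tags and record which backends saw each one, so a
    tag reported by a single sandbox can be treated with more suspicion
    (environment-specific behaviour or sandbox evasion)."""
    seen_by = {}
    for r in reports:
        if r.status != "ok":
            continue
        for tag in r.behaviors:
            seen_by.setdefault(tag, []).append(r.backend)
    return {
        "sha256": sha256,
        "backends": {r.backend: r.status for r in reports},
        "behaviors": {tag: sorted(names) for tag, names in sorted(seen_by.items())},
        "usable_reports": sum(1 for r in reports if r.status == "ok"),
        "cached": False,
    }


class Orchestrator:
    def __init__(self, backends, timeout_s=0.2):
        self.backends = backends
        self.timeout_s = timeout_s
        self.results = {}   # sha256 -> merged report; stands in for the result store

    def submit(self, sample: bytes) -> dict:
        sha256 = hashlib.sha256(sample).hexdigest()
        if sha256 in self.results:           # seen before: serve the stored report
            return dict(self.results[sha256], cached=True)
        pool = ThreadPoolExecutor(max_workers=len(self.backends))
        futures = {pool.submit(b.analyze, sample): b for b in self.backends}
        done, _ = wait(futures, timeout=self.timeout_s)
        reports = []
        for fut, backend in futures.items():
            if fut not in done:
                reports.append(SandboxReport(backend.name, "timeout"))
                continue
            try:
                reports.append(fut.result())
            except Exception as exc:          # one bad sandbox must not sink the job
                reports.append(SandboxReport(backend.name, "error", error=str(exc)))
        pool.shutdown(wait=False)             # stuck guests are reaped out of band
        merged = merge_reports(sha256, reports)
        self.results[sha256] = merged
        return merged


# Constructed sample: stands in for a .docm with an AutoOpen macro.
SAMPLE_DOC = b"PK\x03\x04 word/vbaProject.bin Sub AutoOpen() ... End Sub"


def build_demo_orchestrator() -> Orchestrator:
    return Orchestrator([FakeWindowsSandbox(), FakeSlowSandbox(), FakeBrokenSandbox()],
                        timeout_s=0.2)


if __name__ == "__main__":
    orch = build_demo_orchestrator()
    print(orch.submit(SAMPLE_DOC))
    print(orch.submit(SAMPLE_DOC)["cached"])
```

The merged record deliberately keeps per-backend status and per-tag attribution instead of collapsing everything into a single verdict: at tens of thousands of files a day some guests will hang or fail, and an analyst needs to know whether "no network activity" means the sample was quiet or the sandbox never ran it.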

The end result is a system that provides some of the data used to identify whether a file is malicious and what the impact of running that file on your system would be. It has its own flaws and benefits, limitations and advantages, and it is most useful when it is seen as just one part of your defense and threat intelligence tool belt.