Most commercial malware sandboxes are expensive, such as McAfee’s enterprise version called Artemis. These are great for security teams and malware analysts as they can be used to quickly gather IOC’s which may be required for a security incident or a starting point for a piece of intel, it gives you quick and detailed information on how the malware is likely to behave. The sandbox will then record the activity of the malware and then generate a report on what the malware has attempted to do while in this secure environment.
This article will cover the following topics: This article will cover what a Cuckoo Sandbox is, how it works, and explain the value of the output that is generated from the automated analysis.
This is where a Cuckoo Sandbox can help, by submitting the file to the sandbox it will run the malware and pull out any relevant Indicators of Compromise (IOC’s) such as network connections, use of a suspicious Application Programming Interface (API), created files on disk which can then be used by the SOC to determine if the file warrants raising a security incident or can be confidently closed as a false positive. Due to this alert firing in the early hours of the morning, the analyst may also be reluctant to call out the C Computer Emergency Response Team (CERT) to perform malware analysis with the limited information available to them at this point. SOC analysts have a broad knowledge of cybersecurity matters and may not have the skills to perform some ad-hoc malware analysis on the file.
The hash of the file isn’t on VirusTotal and the SOC analyst cannot find any information on the Internet to determine if the file is malicious or not. Imagine, it’s 2 am in the Security Operations Center (SOC) and an alert has triggered on a key server within the organization, the alert is rather vague but is reporting that the file is potentially malware. A Cuckoo Sandbox is an open-source tool that can be used to automatically analyze malware.
0 kommentar(er)
