All right, next up we have My Little AWS IR Sandbox by Michael Wiley. Please welcome Michael. Thank you very much. I'm not getting the slides. Awesome. Okay, a couple of familiar faces from 10 minutes ago. That's good, thank you. So, about me, for those who weren't in here: I'm the director of cybersecurity services at Richie Mae Technology Solutions. I recently joined their team to help them build up their information security best practices. I do a whole plethora of cloud security, cybersecurity, GRC, et cetera. And so I built this talk because we've internally built our own little IR sandboxes and there's a lot involved with that. And so I'll kind of explain how we did it and what we do here. But a couple of statistics first; I always like to start my slides with what's the point of the talk. And so I think 92.4% of malware being delivered via email is one of the key pieces of why we started building our sandboxes out. We get a lot of cases where there's different malware or phishing attempts that come in and we needed something to quickly test these things out. 75% of businesses hit by ransomware were running endpoint protection. So even with your EDR solution, Cylance, Carbon Black, Macv, whatever you have in your environment, we still saw the need to be able to test things that got past that. And the average cost of a ransomware instance was $133K in 2017. Obviously there were some with a lot more. Atlanta ended up spending $2.6 million or more in their incident response situation. There were the giant shipping companies that spent billions of dollars in their ransomware incidents. And then there's the small businesses that probably spend a couple thousand dollars in those cases. But we're seeing a lot of money around these malicious files and things that get past the endpoint protection. And so it's always great to just double check before you go ahead and open a Word document or PDF.
So in these situations where there's something suspicious going on, we wanted an area where we could quickly and inexpensively test this out. And so if we look at what's being delivered into mailboxes, we can see that Microsoft Office documents and archives like zip files make up a big portion of that, and then a lot of PDF files as well. And there's a couple of different techniques that we're seeing that I don't have time to go into detail on right now, but I talked some about this on Friday, more about how phishing attempts are getting past different email gateways. So when we get some of these files, whether it's phishing or whatever it is that's a little malicious, we wanted to be able to solve some of these problems. So we wanted a safe place to detonate malware and avoid spreading the worm to other systems. So if something got infected, we didn't want it to go and spread out. We wanted to possibly examine email links and their attachments. So if we saw some type of link and it looked legitimate, but we really wanted to investigate it without detonating it on the endpoint. To validate documents for phishing attempts: there's a lot of scenarios where emails look legitimate and they bypass security gateways. They bypass the end user, or maybe there was something that was a little fishy and that's why they wanted to take a look at it. You wanna learn about your enemy and their tactics. So even if you do see something and it had grammatical errors and there were pixelated graphics and it's pretty obvious that it's not legitimate, you still may wanna learn about your enemy or who's targeting you. Or maybe it's just a mass distribution of this malware or a phishing attempt. You wanna look at that and say, well, why did it get past my email gateway? Why did it get past my DNS protection? Why did it get past my inbox or my endpoint protection? All these tools and this layered defense that I have, and it still got to the end user and it's in their inbox.
So how can we adjust our security strategy and our controls to better protect against this next time? Because if Sally in HR got this email, it's gonna come in next time and someone else is gonna get it, and someone else is gonna get it, and someone else is gonna get it unless we do something. And I think that was an old approach of let's go look at the IP address or the email address and we'll block it and be done with it. And so I have to coach a lot of junior people on this now and say that's an old strategy and there's a lot of flaws with that. It might block them from sending another email, but they probably didn't send it to Sally in HR, wait 24 hours, and then send it to Bob in accounts receivable and so on. More likely they sent it to everyone at the same time, and they're gonna try that technique again and someone else is gonna reuse their techniques and it's gonna be an ongoing thing. So you can't just block an IP address or an email address. We have to go a little further than that and look at the actual techniques, tactics and procedures, the TTPs. You might wanna improve your security controls, as I said, after you find out why they're bypassing all your other controls, and you may build security awareness programs around it. So when we get new malware and we're seeing new techniques each month, we may say here's a new technique they're using. So one common one we're seeing in the mortgage industry, the mortgage lenders, is that people are spoofing escrow officers. And if you've ever bought a house or been involved with that, you can see the escrow officers are very involved in the transaction. And so they're trying to spoof the escrow officer with a DocuSign e-signature, and that's the most popular tool out there for these mortgage lenders. So they say, click on this link, or here's the secure document, you have to click on this, and it ends up being a PDF and they say for security reasons we've encrypted it and put a password on it.
And so that also bypasses endpoint protection and email gateways and other stuff, because it's not only an encrypted or compressed file, it needs a password. And so then they'll put the password either in plain text or they'll put it in an image so the email gateway can't even see that. So they're bypassing a lot of stuff in those cases. So we may wanna build a security awareness program around this, or our own phishing campaign around this, maybe using GoPhish or PhishMe or some other tool, and you can test your users to make sure that they're actually doing what you recommend. And then you could demonstrate malicious activity. So when you're trying to get executive buy-in and you're trying to sell something, you go to the executives and get them to pay for it, you can show them some of these different techniques or how ransomware works in an isolated environment that's not gonna impact the rest of your users. And then, so, traditional sandboxes: you can go out there, and I'm not inventing a new sandbox at all by any means. I'm actually taking a lot of pieces from many other security professionals out there and kind of blending it. So there's Hybrid Analysis, there's Malwr, which has been down for I don't know how long but it's still up there. It was a good one when it was up. Cuckoo, it's a little bit difficult to set up. You could use VMware or VirtualBox, that's generally a recommendation, but what we're seeing a lot of is that good malware, especially targeted stuff with APTs, is bypassing a lot of these sandboxes, or doing some security checks to see, are you running a virtual environment? And if you are, they're not gonna detonate the malware, so it looks like it's legitimate. Then you go run it on an actual bare-bones system and it detonates, because it's looking at whether it's the VMware MAC address or the NIC cards or VMware Tools. It's doing a lot of different checks to see if you're trying to reverse engineer the malware.
REMnux from SANS, and there's a bunch of other traditional ones out there, but some of the concerns that I had with these sandboxes when some of my team pitched the different solutions was they're complex to set up and configure. Cuckoo, I spent hours on and couldn't get it to work properly the way I wanted it to. Some of the analysis tools publish to the community, so VirusTotal, Hybrid Analysis: if you upload a document there, it is available for the community. There's a premium version you can pay for and I think there's an opt-out there, but with other tools that you may use, as well as directly going to some of these sites, you upload a document and it's there for the community to look at and to analyze. And in those situations, could you imagine a proprietary document that looks fishy, and so you upload it and all of a sudden you're leaking that out to the whole world? Also, with some of these tools, if you're publishing a binary of the document, now the bad guys, the malware creators, know that the signatures are in VirusTotal and they need to now morph and adjust it so it can continue to work. So you're basically telling them, I found your stuff, I think it's suspicious, and I'm posting it out there to get analysis on it, and now they say, got it, now I'm gonna rewrite my techniques here. And then, so, I needed something that had dynamic analysis as well as some static analysis, because I don't fully trust automated tools. I think AI and machine learning is an awesome field of study. I just don't think it's doing what a lot of people are advertising it has, and we still need that human eye to say this is legitimate or it's bad, and there's a lot of variables that a machine can't quite do yet. And so I also needed to handle advanced malware, or I was trying to get around some of the anti-reverse-engineering techniques. So sometimes these pieces of malware that I'm collecting, they look for internet access.
So if I have an isolated virtual machine that's disconnected from the network, it goes out to do a DNS check, and if it fails it's gonna say, I'm not gonna do anything, I'm not letting you look at this, I know I'm not connected to the internet. Other times they'll look, as I mentioned, for VMware and Nix, the MAC address, they'll look for the tools that you install. They check if there's a number of files missing from the desktop. So if you just create a vanilla virtual machine, Windows XP or Windows 7 or Windows 10 or whatever you're using, and you have no files on the desktop or in documents and no favorites, nothing there, they're checking those, and if it's less than a certain threshold the malware will not detonate. It says, I know I'm in a virtual machine, it's not reasonable for someone to have a machine that has no files on it. If it's an actual user there's gonna be a desktop with a thousand things on it. So they look for that as well. Sometimes they'll also look for tools like Wireshark; it'll look in C:\Program Files\Wireshark and it'll look for the Wireshark.exe file. So I needed a lot of different techniques so that I could kind of bypass this, or make sure that the pieces of malware weren't going to detect that I was trying to detect them. So our sandbox requirements in this case: I wanted it to be easy to set up and tear down for the rest of my team, so I didn't have to have this complex Cuckoo setup. I needed it to be low cost, so I could spin it up quickly, and if I wanted to make changes it wasn't going to cost a lot of money, and I could get even internal teams from some of our clients to use it. I needed it to be isolated, obviously; I didn't want to go out and detonate malware and have it spread if I didn't know what it did. And it needed to be accessible from anywhere.
A lot of times I'm in San Diego or Los Angeles or Canada, and I'm traveling and visiting different clients, and if I get a case where I have to look at some malware, I don't want to have to say, sorry, I have to wait till I get back to my office in Los Angeles in 40 days and then I'll take a look at your malware; by then it's going to be all over the place. I needed those static and dynamic tools, and the ability to share it with junior members of my team. So some of the newer guys that didn't have quite the skill set that I do, I wanted it to be easy enough for them to launch it quickly and analyze malware, and they could always send me reports to look at a little bit further, but they could detonate the malware or the phishing attempts in this isolated box and then we'd be able to respond quickly. So I couldn't have two, three, four hours or 40 days before I was able to get my reports; I needed to make my decisions very quickly. So here's some of the tools. I'll leave this up for a little bit if anyone wants a picture, and I can publish the slides later, but here's some of the tools I picked. There's a lot out there, but this is a collection that I find really good, and I'm using a Windows box because I'm assuming that my targets are mostly going to be Windows and I want to have these tools on there, so I couldn't use certain things that are Linux or Unix based only.
So Wireshark, obviously, for the full packet capture, and this is one that's going to change in the near future. It's there, but I'm also concerned that it will be caught by some malware and they won't detonate, and I am experimenting currently. In one of the future versions for this talk I want to have this in AWS, which it is right now, but I want to do inline packet capture, and it's a little bit difficult in AWS because I can't go put a wire tap or a Packet Squirrel in there, because it's in Amazon's data center. So I'm experimenting with some different ways of using iptables to funnel data through a Linux box and then go to my Windows box, so I can still do full packet capture inline without impacting the device that I'm actually working on. I use Process Explorer because Windows Explorer isn't good enough for looking at the processes there; I get a little more detail with Process Explorer. Process Monitor sometimes I'll pull up; it gives me file system monitoring as well as registry monitoring, but for registries I really like Regshot, and what that will do is it'll take a snapshot of the registry. I launch my malware, I take another shot of the registry, and it compares and contrasts the two versions and it'll show me registry keys added, deleted, modified. It's a huge list in a file, but at least you have any change that's been done to the registry. I also really like, and this is a recent addition to my sandbox, LOG-MD, and so LOG-MD, they call it the malicious discovery tool, and really what it does is, Windows does not log enough by default, and so what it will do is it gives you recommendations based off of CIS best practices, the Windows logging cheat sheet, the US government baselines, as well as the Australian Cyber Security Defense Force best practices, and then what your computer is set for.
So my first launch of that, it'll give me just what I should be logging compared to what I am logging, because Windows won't even tell me if I failed to log in correctly, right, by default. So I have to turn all these logs on: the advanced logging, retention, PowerShell logging, all the things to turn on, so that's my checklist. Once I get that set up, then it'll also query different information for me, so it'll give me a lot more data on login attempts or PowerShell scripts run, and it's a great logging tool. I need a disassembler so I can look at some binaries and find out what they're doing. TrID is a file identifier. I normally just use file inside of Linux, the command, but since we're running Windows I need something that's going to try and identify the type of file. UPX, it's a common packer for malware, and so it'll help me unpack it if it's packed with UPX. I can use different memory dump tools; I'm experimenting with this at the moment over the next couple of months to figure out better options for this. Strings, one of my favorite tools on there; you can get Strings for Windows as part of Sysinternals. It'll scan a file and tell you any strings that are inside it, and I've found at least four zero-day vulnerabilities in tax software just using Strings. It's one of my favorite tools out there. PEview, it looks at executable files and analyzes them for you. There's quite a few of those. Resource Hacker, it'll try and look for DLLs or other libraries that the malware, the file in question, might be calling. We've got pdfid. So in certain cases where you have a PDF file, it's going to parse through that, because the Strings tool doesn't do a great job; there's a lot of things that are compressed and inflated, et cetera. And so that's a better tool than Strings if it's a PDF file. FileAlyzer, it'll look at the executable information. PCU is another executable tool. Dependency Walker, that's a great one that's going to look for DLL calls.
And if it's a piece of software that says it's like a game, but yet it's all of a sudden requesting registry changes and other libraries that are unusual, that's going to give you an idea and say this DLL shouldn't be being called by a game. It makes no sense. A couple other PE tools at the bottom there. Some additional tools that a lot of people who write these blogs for malware analysis don't call out, but I'd say I install Chrome and Firefox. A lot of times I don't want to have just IE. This is one check that a lot of malware will do and say, do they have other browsers installed? They're making an assumption that most people aren't just going to have Internet Explorer, and so if you just have Internet Explorer they might say this isn't a real computer. CylancePROTECT and OPTICS; Carbon Black has one out there, but the thing I like about CylancePROTECT and OPTICS is that they're Cylance, they're a company in Irvine I think, and they will sell you one or five user licenses. So I put this in my sandbox. I don't have 100 endpoints; I just want one license, I throw it up in Amazon on my EC2 instance, and I could do my analysis without buying 100 endpoints from Carbon Black. And I put it in learning mode, so it's not blocking anything, it's just analyzing stuff and it gives me a little more input on something maybe I missed. Adobe Reader, another check that malware will do to see if you are a legitimate box. Microsoft Office, this is the one I forgot in version one of my sandbox, and then I opened up an email someone sent and I tried to open the Office document and I thought, oh, that makes sense, I need Word, right? So you have to have the Office suite on there. Multiple files and folders in the user profiles, I mentioned documents, all kinds of stuff; you could put fake files in there, they just have to have content, in your profile. And then you can rename your analysis tools. So don't leave them default; you can change the executable name so it doesn't look like that.
If you've ever seen talks where they say change Mimikatz to Mimidogz, it's the same type of concept: you're just modifying the hash and/or the name of the file so it doesn't get picked up by some of these pieces of malware. A bunch of online tools for shortcuts; I don't just have all the tools on my system. I will use Get-FileHash to grab the hash of this file in question, and I then put it into VirusTotal. In this case, I'm not giving them the binary or the actual file; instead I'm giving them the hash, the fingerprint of the file, and seeing if it's been found before. And in this case, I'm not sharing more information with the malware creator or the community than I need to. I'm all for sharing with the community, but I don't want more information to get out there that doesn't need to, especially in my analysis phase. A bunch of other tools out there; you could do WHOIS history, you can look for blacklists. The other one at the bottom which I really enjoy is CloudShark, oops, CloudShark and PacketTotal. You could take your PCAPs, upload them, and it'll do a quick analysis for you to look for malicious traffic or URLs. And as I mentioned, logging: you absolutely have to have logging on there. There's not enough logging done by default inside of Windows, so you've got to turn that on. LOG-MD as I mentioned, or the Windows logging cheat sheet, those are great places to go, and you could take a look at that. Even the CIS benchmarks, you could start there, it's just not enough. I would absolutely say LOG-MD will give you a lot more information to log. So you log, use Windows or LOG-MD, you run it the first time with a -1 and it'll go ahead and tell you whether you're in compliance and which different standards you're in compliance with or out of compliance with. And so I love this part. It'll tell me about my computer, if I'm logging successful or failed logins or if I'm not logging at all.
And it'll compare me to the different baselines of CIS, the US government's, it's a compliance baseline or something like that, the Australian cyber defense security or whatever they are, it'll give me all of those. And then the Windows logging cheat sheet, it'll just show me all of them, the different logs, whether I'm doing it or not. But you want all this logging turned on if you're looking at malware or suspicious activity. So what I do is I've created this, and you can absolutely take this home or to your office and you can start doing this. Set up an AWS account. You set up an isolated VPC. You don't want to be doing this in your production network. You then create an EC2 instance with at least four gigs of RAM. You're paying by the hour, so you could even do more than that, but I found four gigs is pretty adequate and it's legitimate. A lot of systems still have four gigs or eight gigs of RAM, so it's enough to pass the malware checks. Install tools and logging, fake files, create shortcuts, make it look like a legitimate user profile. I set the background to red because when I'm doing remote desktop into the system, and it might be a production system or a client system, I want an absolute indication I'm on the right box. And if it's got the default blue background, I might be installing malware on a production server, not paying attention. So I put that red background, make it very clear which system I'm on. And then I create an image for it so I can use it again, as an AMI. Deploy the instance. And one thing you do when you use Wireshark or whatever analysis tools, you have to exclude port 3389. Otherwise Wireshark just captures tons of stuff from your own login session to it. So this is essentially what it comes down to, what my box looks like with all my tools.
I started adding a whole lot more documents on the desktop and the profile since then, but I have other tax software, maybe QuickBooks, whatever you can think of, to make it look more legitimate, and a bunch of stuff on there so that it's not just a vanilla box. So these are the future things that I'm gonna work on for the next iteration and future talks. And you could check out the Richie Mae tech blog, and I'll definitely have something on this within the next probably 30 days or so, maybe 60. And I wanna add additional tools to it. I really want inline packet capture so I don't have that running on my system. I don't want the malware or the phishing to look and see that the device is in promiscuous mode. So I wanna remove Wireshark. And then I also wanna have these PCAPs fed into Suricata or Bro with an ELK stack, so I'm doing off-system logging, because the malware could be corrupting my logs, deleting my logs, messing with those. So I wanna get those logs off and run them through some type of tool that's looking for signatures. It's maybe taking stuff from MITRE or TTPs or whatever they are. And that way I have a second thing that's looking at my logs, my PCAPs, to see if there's any malicious activity. So that's all I have for this. Are we on questions or outside? Couple questions? Probably got three minutes for questions if anyone has any. In the back. Yeah, I have a question. A lot of things you can solve the back end phishing is just basically could create a PPC where you send all of your all-year-old instance data over to log and then you can collect a capture that way. I have it. So it would be on a system that's inline so that the traffic's going through there and then passing through, or how is it gonna work in AWS? A quick picture. Yeah. So would it be something similar like that? Okay. There's something like that. Do you know how to use someone who tells them it is? Absolutely. I'd love to get it off the EC2 instance.
I just feel like it's way too obvious that Wireshark's on there and that it's putting the NIC in promiscuous mode, and I just, I feel like that's a red flag to anyone writing malware. Absolutely. Thank you. Any other questions? All right. We'll be around in the hall if you have any questions. Enjoy to work on. Thank you for your time.
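The hash-only VirusTotal lookup the speaker describes (hash the file with Get-FileHash, then query by fingerprint instead of uploading the document) as an added example; this is not code from the talk or from Richie Mae. It assumes the VirusTotal API v3 `GET /api/v3/files/{sha256}` endpoint with an `x-apikey` header, and the HTTP fetcher is injectable so the triage logic can be exercised offline with a constructed response.

```python
"""Hash-only VirusTotal triage: only the SHA-256 digest leaves the sandbox.

Added example, not from the talk.  Assumes VT API v3 file lookups
(GET https://www.virustotal.com/api/v3/files/<sha256>, header x-apikey).
"""
import hashlib
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
Fetcher = Callable[[str, str], Optional[dict]]


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large droppers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def default_fetcher(url: str, api_key: str) -> Optional[dict]:
    """Real HTTP GET against VirusTotal. 404 means the hash has never been seen."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarise_report(report: Optional[dict]) -> dict:
    """Reduce a VT file object to the fields an analyst triages on."""
    if report is None:
        # Unknown to VT: not proof of safety, it just means nobody has shared it yet.
        return {"known": False, "malicious": 0, "suspicious": 0, "undetected": 0, "names": []}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "known": True,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "names": attrs.get("names", [])[:5],  # filenames VT has seen for this hash
    }


def lookup_by_hash(digest: str, api_key: str, fetcher: Fetcher = default_fetcher) -> dict:
    """Ask VT about an existing report for this digest; nothing but 64 hex chars is sent."""
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a hex SHA-256 digest")
    return summarise_report(fetcher(VT_FILES_URL + digest, api_key))


def triage_file(path: str, api_key: str, fetcher: Fetcher = default_fetcher) -> dict:
    """Hash the suspicious file locally, then look the hash up. The bytes stay on the box."""
    digest = sha256_of_file(path)
    result = lookup_by_hash(digest, api_key, fetcher)
    result["sha256"] = digest
    return result


if __name__ == "__main__":
    import sys  # usage: python vt_hash_triage.py <file> <api-key>
    print(json.dumps(triage_file(sys.argv[1], sys.argv[2]), indent=2))
```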