From SOC to Analyst: bridging automated and manual analyses (PowerPoint presentation)

Slide 1

From SOC to Analyst: bridging automated and manual analyses

Practical Considerations and Issues

July, 10th 2017

Raphaël Rigo

Slide 2

Typical (ideal) workflow of a malware sample

(diagram) malware → SOC → “special” malware → CERT → binary → reverser

SOC: Security Operations Center
CERT: Computer Emergency Response Team

“Special” malware

  • Unknown, targeted, complex
  • Anything not handled automatically?

Our tools

  • Tools for automated malware analysis and triage, for SOC & CERT (bnew)
  • Tools for manual analysis by reverser – including our own, BinCAT
R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

Slide 3

Links to the seminar issues

The end of the chain

“When automated processing ends/fails/is not sufficient”

Overall issue

  • Sometimes a human is needed
  • ⇒ what can be done to help the human be more efficient?

End goals for the analyst

  • IOCs
  • automated tools for families to integrate in the SOC chain:
      • static unpackers
      • config extractors
Slide 4

Analyst view

Which information from the automated process (SOC) can be presented to the analyst?

  • generically unpacked sample
  • interesting code parts (in IDA)?:
      • potential crypto loops (cf. IDAScope, crypton)
      • deobfuscated/decrypted strings
      • annotated trace (cf. pTra, MazeWalker)
      • visualization methods: bitmaps, dynamic graphs, etc.

Helpful properties:

  • resolve indirect calls (C++!)
  • dead code (no need to reverse)
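Two of the hints listed above, potential crypto code and decrypted strings, are cheap for the automated chain to pre-compute so the analyst opens IDA with them already in hand. The script below is an added example written for this page; it is not code from the talk, nor from IDAScope or crypton. It flags well-known public cryptographic constants (SHA-256 and MD5/SHA-1 initial state, the first AES S-box bytes, the first CRC-32 table entries) in a raw byte blob, and brute-forces single-byte XOR-encoded, null-terminated strings. The sample buffer, the `.invalid` URL inside it and the key 0x5A are constructed for the demonstration; real tooling would walk sections or function bodies instead of one blob.

```python
import struct
from typing import Dict, List, Tuple

# Public constants; the first few entries are enough to flag a table.
SHA256_IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A]
MD5_SHA1_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
AES_SBOX_HEAD = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])
CRC32_TABLE_HEAD = [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA]


def _words(values: List[int], endian: str) -> bytes:
    """Serialize 32-bit words as little ('<') or big ('>') endian bytes."""
    return b"".join(struct.pack(endian + "I", v) for v in values)


# Each name maps to the byte patterns that betray it (both endiannesses
# for word tables, since compilers emit them in the target's byte order).
SIGNATURES: Dict[str, List[bytes]] = {
    "SHA-256 initial state": [_words(SHA256_IV, "<"), _words(SHA256_IV, ">")],
    "MD5/SHA-1 initial state": [_words(MD5_SHA1_IV, "<"), _words(MD5_SHA1_IV, ">")],
    "AES S-box": [AES_SBOX_HEAD],
    "CRC-32 table": [_words(CRC32_TABLE_HEAD, "<"), _words(CRC32_TABLE_HEAD, ">")],
}


def scan_crypto_constants(blob: bytes) -> List[Tuple[str, int]]:
    """Return (name, offset) for every known-constant occurrence, sorted by offset."""
    hits: List[Tuple[str, int]] = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            start = 0
            idx = blob.find(pat, start)
            while idx != -1:
                hits.append((name, idx))
                start = idx + 1
                idx = blob.find(pat, start)
    return sorted(hits, key=lambda h: h[1])


def find_xor_strings(blob: bytes, min_len: int = 8) -> List[Tuple[int, int, str]]:
    """Brute-force single-byte XOR: return (key, offset, text) for every run of
    at least min_len printable ASCII bytes that decodes to a null-terminated
    string. Requiring the terminator cuts most of the printable-garbage keys."""
    found: List[Tuple[int, int, str]] = []
    for key in range(256):
        run = bytearray()
        start = None
        for i, b in enumerate(blob):
            c = b ^ key
            if 0x20 <= c < 0x7F:
                if start is None:
                    start = i
                run.append(c)
            else:
                if c == 0 and len(run) >= min_len:
                    found.append((key, start, run.decode("ascii")))
                run = bytearray()
                start = None
    return found


def build_sample_blob() -> bytes:
    """Constructed stand-in for an unpacked sample: NOP padding, a SHA-256
    initial state, an XOR(0x5A)-encoded C string, and the start of an AES S-box."""
    secret = b"http://example.invalid/beacon\x00"  # constructed, RFC 2606 TLD
    encoded = bytes(c ^ 0x5A for c in secret)
    return (
        b"\x90" * 8                 # offset 0: padding
        + _words(SHA256_IV, "<")    # offset 8: SHA-256 IV, little endian
        + b"\xCC" * 4               # offset 24: padding
        + encoded                   # offset 28: XOR-encoded string (30 bytes)
        + AES_SBOX_HEAD             # offset 58: AES S-box head
        + b"\xFF" * 4
    )


if __name__ == "__main__":
    sample = build_sample_blob()
    for name, off in scan_crypto_constants(sample):
        print(f"crypto constant: {name} at 0x{off:x}")
    for key, off, text in find_xor_strings(sample):
        print(f"xor key 0x{key:02x} at 0x{off:x}: {text!r}")
```

Both passes are heuristics meant to produce leads, not verdicts: a CRC-32 table is not cryptography, and XOR brute-forcing still yields some printable junk for keys close to the real one, so the output belongs in an IDA comment or a triage report for the analyst to confirm, which is exactly the hand-off the slide describes.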
Slide 5

Challenges (helping the analyst)

Special cases for “usual” malwares:

  • complex packers: VMProtect-ed packed samples
  • obfuscation

Other complex (“unusual”) cases:

  • implants/rootkits (harder to analyse dynamically):
      • Secure Boot bypass (SMM code?)
      • jailbreaks
      • rootkits (drivers)
      • embedded/network device exploits/implants
  • vulnerability and exploit analysis:
      • need to analyse complex software behaviour
      • understand the vulnerability to create efficient signatures
  • all-in-memory code (no imports, everything dynamic)
Slide 6

Room for improvements: tooling

Manual reversing

  • interactive
  • integrated into IDA (for low level properties)
  • easy to install / use

Ex: Ponce, IDAscope, BinCAT ;)

For automated (static) handling

  • scriptable (of course)
  • versatile/expressive
  • OS agnostic

Ex: Miasm

Slide 7

BinCAT

  • demo
  • slides