Lab Setup For Malware Analysis
Threats are one of the most challenging areas in the field of Information security and the lack of qualified personnel makes it even harder for companies to keep their information and assets secure and cater to such a situation without incurring much loss. Malware analysis is the process of determining the origin, potential impact, and functionality of the given malware sample such as virus, trojan horse, etc.
In this article, we are not going to discuss the whereabouts of Malware or Malware Analysis. Rather we will see How can you effectively set up a lab for Malware Analysis. As one plan can not fit for the need of all the organizations, so we need to take in mind a few alternatives and decide the best according to your organization’s needs.
We will be covering the following topics in this article:
- Why do we need Malware Analysis Lab?
- Brainstorming to build a Malware Analysis Lab.
- Steps for setting up a Malware Analysis Lab.
Let’s get started and discuss each of these topics in detail.
Why do we need Malware Analysis Lab?
Malware Analysis Lab can help you in any of the following ways:
- It will increase your analysis speed.
- A suitable environment will build a framework and identify TTP and IOC.
- A malware analysis lab will help you to get control of what gets in and out of the network.
- It will decrease the risk of infection.
Brainstorming to Build a Malware Analysis Lab
The first and the most important thing to do before setting up a lab is to figure out the needs and the requirements for setting up a lab. It is very important to have some dedicated systems with tools to control, analyze, and safeguard your environment.
Some of the questions that you need to be clear about, to have a clear understanding of what you need in your lab.
What tools you need?:
There are a lot of tools available in the market for each task associated with Malware Analysis. But you need to try a bunch of these tools and determine which tools are best suited for your need.
What type of Operating Systems do you need?:
There are a variety of systems available out there like Windows, Linux, OS X, or even mobile OS like Android, iOS, etc. It is advisable to get started with Windows and Linux first and then you can get your hands on other operating systems.
What do you want to achieve?:
You should have a clear understanding of your motive of setting up the lab and be clear which what you want to achieve through the lab.
Steps for setting up Malware Analysis Lab
To set up the Malware Analysis Lab, follow the points mentioned below.
1. Network: One of the most important and the first step in setting up a lab is to define its network. Here are a few reasons why this step is important:
- You need to have information about your network to identify uncommon patterns and uncommon connection attempts.
- You need to know about what is going in and what is going out of the network.
- You need to intercept traffic between your Analysis system and the Network.
- You need to isolate the analysis system from other computers.
Choose your favorite private network address spaces so you assign static IP addresses to each one of your systems. The reason for this allotment is that when you start collecting Network information and you will spend most of your time trying to figure out which systems did that belong to if you don’t make a list.
You’re also going to need a dedicated machine to control your network traffic and to act as a gateway for your lab. REMnux and Kali are two options that you can consider for your gateway.
2. Virtualization: Virtualization software is required in either of the following scenarios:
- When you don’t have a few spare machines, a switch, and a dedicated physical space for this.
- You simply want to carry your Lab with you whenever you go.
There are few options for Virtualisation software like VMWare, Qemu, Virtual Box (free), and if you don’t mind spending a few bucks then you can go for VMWare Workstation. Virtualization software will allow you to host your entire lab in a single machine and they provide another interesting feature i.e. snapshots. Snapshots allow you to revert the state of your machines to a clean state, so you can start an analysis over and over again. These are quite useful for keeping track of your work on long analysis. If you are using Virtualization Software, how you set up your virtual network is very important. You have three options for this:
- Bridged: Do not use Bridged mode, this can expose your network to threats, and you don’t want to infect anybody else systems.
- NAT: This is the ideal choice. Disable DHCP so you can stick to your design.
- Host-Only: Host-Only will only communicate your virtual system with your host machine, you don’t want this either.
3. Analysis Machines: If you are going to do Malware Analysis, then you will need a variety of systems to run your samples, Execute your tools, and do Static and Dynamic Analysis. You will have to follow the following simple steps to set up each one of the systems that you choose.
- Install the Operating System and install the Security Updates.
- Install Virtual Machine Tools(optional).
- Install Analysis Tools and for Windows, you can check Flare VM tools to automate some of this task.
- Set up Network Configuration.
- Save a Snapshot in a clear state.
These simple five steps will help you to get a checklist and set up the machines you’ll need to move forward on your analysis.
Operating systems can be selected from the following list:
- Windows 10
- Windows 7
- Linux (Ubuntu Server 16.04)
- Kali Linux
- Metasploitable 2
- Metasploitable 3
- Virtual Machine with OS X
REMnux or Kali needs to be your Gateway as REMnux is a dedicated system for Malware Reverse Engineering and comes with tons of handy tools for this purpose and Kali is a Linux Distro which is specifically designed for Penetration Testing and Ethical Hacking. For beginners, REMnux should be first and the last choice for the Gateway as REMnux allow you to sniff network traffic outside from your analysis machines and also control it.
In case, you are ready to go with both the options, REMnux and Kali, then these should be your only machines with Internet access. You can achieve this by adding more than one network card to these virtual machines. As the second Network card will allow you to provide Internet access to your analysis machine when needed and you’ll be less prone to expose yourself to the malware samples that you are analyzing.
4. Testing your Environment: Before starting with the analysis, you need to make sure that everything is perfect and working fine. For this you need to check the following things:
- Make sure no analysis machine has access to the Internet or your home/ work network. You can control this with a Gateway. Try turning it ON and OFF so that you can get familiar with the process.
- Turn all your machines ON and try running a network scan to see that everything is working properly.
- It is very important to make sure that all your machines have a Snapshot in a clear state. You should have clear rules and definitions stating how often you will update them to install security patches, new software versions, and other caveats.
5. Start your Malware Analysis: Now at this stage, you are all set to get started with your first Malware Analysis. Just pick up a sample, turn on your machines and begin to internalize yourself with the tools, systems, and brand new environment. You can also take a look at theZoo, a Github repo with over 170+ samples of different families for you to look at, in case you don’t have any sample to start with.
Malware Analysis might be hard, but it would be fun as it is not only running samples and disassembling code but also you’ll explore a lot of different technologies and architectures over time. The best way to keep up is to continuously try new things and look at new samples, and the best way to be effective is to have a proper functional environment where you can do all the activities.