Stretching the Sandbox with Malware Feature Vectors
Mike Schladt
Derbycon 2015
(Hacking Illustrated Series InfoSec Tutorial Videos)

Love 'em or hate 'em, the malware sandbox has evolved to become a staple for incident responders and researchers alike. In true hacker fashion, many of us have stockpiled thousands of HTML and JSON reports, squirreled away for that rainy day when something sparks a memory of that "one incident" with that "one sample" where that "one thing" occurred. Tragically, that day simply never comes for most malware reports. This presentation discusses one technique for giving new life to dynamically generated malware observables. Specifically, it focuses on putting sandbox reports to work with feature vector clustering. Feature vectors have long been utilized in the mathematical community to facilitate machine learning and pattern recognition. By applying similar concepts to dynamically generated observables, it is possible to visualize the relational proximity of malware samples. The key to this process lies in constructing statistically significant feature sets. This presentation details the methodology for turning predominantly text-based reports into a series of meaningful quantitative data points. Lastly, a process for evaluating individual feature effectiveness is explored through the application of real-world data. In a concerted effort to achieve tangible operational benefits from this exercise, an open source reporting module for Cuckoo Sandbox will be released for generating the presented feature vectors as well as code for visualizing sample proximity.
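The two steps the abstract describes, reducing text-heavy sandbox reports to numeric feature vectors and then measuring sample proximity and per-feature usefulness, as an added example that is not the talk's released Cuckoo module. The report fragments, their keys and the chosen feature buckets are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed, Cuckoo-style report fragments (illustrative keys, not real samples).
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
REPORTS = {
    "a": {"behavior": {"summary": {"files": ["C:\\ProgramData\\svc.exe"], "keys": [RUN],
                                   "mutexes": ["Global\\m1"]}},
          "network": {"hosts": ["198.51.100.7"], "dns": ["a.example.invalid"]},
          "signatures": [{"name": "persistence_autorun"}, {"name": "injection_runpe"}]},
    "b": {"behavior": {"summary": {"files": ["C:\\ProgramData\\svc.exe", "C:\\ProgramData\\c.dat"],
                                   "keys": [RUN], "mutexes": ["Global\\m2"]}},
          "network": {"hosts": ["198.51.100.7", "203.0.113.9"], "dns": ["b.example.invalid"]},
          "signatures": [{"name": "persistence_autorun"}, {"name": "injection_runpe"}]},
    "c": {"behavior": {"summary": {"files": ["C:\\Temp\\1.tmp", "C:\\Temp\\2.tmp", "C:\\Temp\\3.tmp"]}},
          "network": {"dns": ["c.example.invalid"]},
          "signatures": [{"name": "dropper_writes_temp"}]},
}

def extract_features(report):
    """Turn one report into sparse numeric features: artifact counts per
    category, one indicator per triggered signature, and a high-signal flag."""
    feats = Counter()
    summary = report.get("behavior", {}).get("summary", {})
    for cat in ("files", "keys", "mutexes"):
        feats[f"count:{cat}"] = len(summary.get(cat, []))
    net = report.get("network", {})
    feats["count:hosts"] = len(net.get("hosts", []))
    feats["count:dns"] = len(net.get("dns", []))
    for sig in report.get("signatures", []):
        feats[f"sig:{sig['name']}"] = 1
    feats["flag:run_key"] = int(any("CurrentVersion\\Run" in k for k in summary.get("keys", [])))
    return feats

def cosine(a, b):
    """Cosine similarity of two sparse vectors (1.0 = same direction)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(x * x for x in a.values()))
    nb = math.sqrt(sum(x * x for x in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def feature_variance(reports):
    """Variance of each feature across the corpus: a feature that never
    varies (variance 0) cannot separate samples and is a candidate to drop."""
    vecs = [extract_features(r) for r in reports.values()]
    out = {}
    for f in set().union(*vecs):
        vals = [v[f] for v in vecs]  # Counter yields 0 for absent features
        mean = sum(vals) / len(vals)
        out[f] = sum((x - mean) ** 2 for x in vals) / len(vals)
    return out
```

Samples a and b share persistence and injection behaviour and score far closer to each other than either does to the temp-file dropper c; the constant `count:dns` feature scores zero variance and would be the first to prune.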

Mike Schladt is an InfoSec Analyst for the GE Power & Water IT Security Operations Team. In this role, Mike leads tools development and analysis responsible for enabling rapid incident response in one of the world's largest, most geographically separated and dynamic networked environments. Recent efforts include developing artifact correlation engines, analyzing attacks and reverse engineering malware in a daily operational rhythm. In a previous life, Mike was active duty US Air Force serving as an analyst and manager of the Malware Lab at the National Air & Space Intelligence Center responsible for integrating technical analysis into strategic intelligence.

@mikeschladt


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast