How to Build Your Own Lab for Automated Malware Analysis


Understanding the mechanics of malware attacks is critical for remediation and for preventing similar attempts in the future. Malware analysis can provide valuable insights into the adversaries’ goals, especially when they are targeted. While cloud-based malware analysis tools exist, they are largely inflexible. An in-house lab environment can offer more customization, automation and enhanced capabilities without the potential risk of metadata leakage. This lab can then also be used to review potential solutions to prevent and mitigate these threat vectors.

Organizations need the ability to harvest data from the threats they face on an ongoing basis. Threats against a specific industry or company make it possible to profile the skillsets, resources and preferred vectors of compromise that a criminal or criminal organization may try to use. For smaller companies it doesn’t always make sense to run a large, in-house malware analysis environment; however, the insight gained from one remains valuable. Because of the skillsets required to run these environments and the malicious nature of the samples they handle, they must be monitored closely and remain adequately segmented from the wider environment. To achieve this, organizations often engage a trusted partner or vendor capable of running these types of tests. After specific samples have been analyzed, the resulting threat intelligence can be fed into their security technology stacks.

Why you need automated malware analysis

Threat intelligence, as it relates to computer security, is organized, analyzed and vetted information about potential or current attacks that pose a tangible risk to an organization. The primary purpose of this information is to help staff understand the risks of the most common types of attacks, threat actors, exploits and malware used in the current landscape. Leveraging trusted and vetted data can help in preventing the compromise of an organization by better understanding the who/what/when/where/why of a specific attack. Threat intel can be pumped into multiple levels of the security stack including upstream providers, networking gear, host-based security technologies and configuration hardening.

One of the easiest and fastest ways to deploy an automated malware analysis environment is to use an open source analysis system such as Cuckoo. Cuckoo Sandbox is an advanced, extremely modular, 100 percent open source automated malware analysis system with practically unlimited applications. Out of the box, such a system should be able to:

  • Analyze many different malicious files (executables, Office documents, PDF files, emails, etc.) as well as malicious websites under Windows, Linux, Mac OS X and Android virtualized environments
  • Trace API calls and the general behaviour of the file and distill this into high-level information and signatures comprehensible by anyone
  • Dump and analyze network traffic, even when encrypted with SSL/TLS, with native network routing support to drop all traffic or route it through INetSim, a network interface or a VPN
  • Perform advanced memory analysis of the infected virtualized system through Volatility, as well as at process-memory granularity using YARA
  • Perform analysis on virtual and physical machines

Due to the open source nature and modular design of tools like Cuckoo, one may customize any aspect of the analysis environment, analysis results processing and reporting stage.

How to test your security tech stack with malware analysis

You can also use a malware analysis system to test security technologies and their performance against specific attacks and variants of malware. One of the cool things about Cuckoo is that it is customizable and can scale to test multiple security stacks at the same time (provided you have the hardware capabilities). For example, if your organization’s spam filter caught a malicious file, you could retrieve that sample and detonate it on a segregated, unprotected virtual machine and on a protected virtual machine at the same time to see how your host hardening performs.
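The side-by-side test described above, and the signature, network and memory observables listed earlier, come back from Cuckoo as one JSON report per task. The following script is an added example, not code from the original article or from the Cuckoo project: it reduces two reports for the same sample (one from an unprotected guest, one from the hardened guest) to the observables a defender cares about and shows what the hardening blocked and what still got through. It assumes the Cuckoo 2.x report layout (`info.score`, `info.machine.name`, `signatures[].name`, `network.hosts`, `dropped[].sha256`, `behavior.summary.mutex`); in practice the reports would be fetched from the Cuckoo REST API (`GET /tasks/report/<task id>`), but here two minimal reports are constructed inline so the script runs offline. The IPs, hashes and mutex names are constructed placeholders.

```python
"""Compare two Cuckoo runs of the same sample: unprotected guest vs hardened guest.

Added example (not from the article or the Cuckoo project). Report field names
follow the Cuckoo 2.x JSON report as assumed in the lead-in.
"""
import json


def _host_ip(entry):
    # network.hosts holds plain IP strings in older reports and dicts with an
    # "ip" key in newer ones (assumption); accept both shapes.
    return entry["ip"] if isinstance(entry, dict) else entry


def summarize(report):
    """Reduce a Cuckoo report to the observables a defender compares on."""
    info = report.get("info", {})
    behavior = report.get("behavior", {}).get("summary", {})
    return {
        "machine": info.get("machine", {}).get("name", "?"),
        "score": float(info.get("score", 0.0)),
        "signatures": {s["name"] for s in report.get("signatures", [])},
        "hosts": {_host_ip(h) for h in report.get("network", {}).get("hosts", [])},
        "dropped": {d["sha256"] for d in report.get("dropped", [])},
        "mutexes": set(behavior.get("mutex", [])),
    }


def compare_runs(unprotected, protected):
    """Return what the hardened guest stopped ("blocked") and what still
    happened on it ("survived"), plus the change in Cuckoo's malscore."""
    base, hard = summarize(unprotected), summarize(protected)
    result = {
        "baseline": base["machine"],
        "hardened": hard["machine"],
        "score_delta": hard["score"] - base["score"],
        "blocked": {},
        "survived": {},
    }
    for key in ("signatures", "hosts", "dropped", "mutexes"):
        result["blocked"][key] = sorted(base[key] - hard[key])
        result["survived"][key] = sorted(base[key] & hard[key])
    return result


# Constructed sample reports (documentation-range IPs, placeholder hashes).
UNPROTECTED_REPORT = {
    "info": {"id": 101, "score": 8.4, "machine": {"name": "win7-unprotected"}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun"},
        {"name": "injection_runpe", "severity": 3, "description": "Process hollowing"},
        {"name": "network_http", "severity": 2, "description": "Performs HTTP requests"},
    ],
    "network": {"hosts": [{"ip": "203.0.113.10"}, "198.51.100.7"]},
    "dropped": [{"name": "svchost32.exe", "sha256": "11" * 32, "size": 4096}],
    "behavior": {"summary": {"mutex": ["Global\\constructed_mutex_1"]}},
}

PROTECTED_REPORT = {
    "info": {"id": 102, "score": 2.1, "machine": {"name": "win7-hardened"}},
    "signatures": [
        {"name": "network_http", "severity": 2, "description": "Performs HTTP requests"},
    ],
    "network": {"hosts": ["198.51.100.7"]},
    "dropped": [],
    "behavior": {"summary": {"mutex": []}},
}


if __name__ == "__main__":
    print(json.dumps(compare_runs(UNPROTECTED_REPORT, PROTECTED_REPORT), indent=2))
```

Anything listed under `survived` is behaviour the hardening did not stop and is the first place to look when deciding whether the control did what you expected; the `blocked` lists and the score drop are the evidence that it worked at all.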

In conclusion, it is recommended that all organizations harvest and/or utilize some form of threat intelligence to help combat the ever-changing threat landscape. This can be accomplished by leveraging trusted third-party sources or by testing and triaging malicious content received within your organization. Malware analysis systems expose the inner workings of malicious code and give defenders and blue team staff the ability to pivot and protect.