Friday, April 19, 2013

REMnux by Lenny Zeltser

Lenny Zeltser, a SANS instructor who, among other courses, teaches the FOR610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques track, maintains a Linux distribution called REMnux for assisting malware analysts. The tool could be helpful for intrusion analysts as well, as it includes programs to decode JavaScript, examine executables and analyze malicious documents, including the PDF tools by Didier Stevens. The distro comes in .ova format for use in either VMware or VirtualBox, or as a virtual appliance for VMware Workstation only. You can download the tool and read about it at Lenny's site here. Lenny's blog is here for even more information on malware analysis.

Tuesday, April 16, 2013


Practicing intrusion analysis can be a worthy investment of your time when an alert you begin investigating turns out to be a critical event, such as a compromised server or leakage of your company's information.

As you add to your arsenal, whether a new tool or a new methodology you've discovered for analyzing packets and data, it's a good thing to practice on non-critical events. An important investigation, where your superiors want information immediately or a decision on whether to shut down some piece of critical infrastructure, is not the time to hone your skills.

If you discover a new tool, practice with it. Read the documentation on it, know all the parameters for the command, and use it to investigate some routine alerts. Determine what information you would need and make sure you can use the tool to extract it. Make sure that tool, or a combination of tools, would allow you to determine what happened, what the source of the attack was and what its target(s) were, whether or not the target was compromised, and how to keep the attack from recurring.

In most cases one tool won't accomplish everything. You may be alerted by your IDS/IPS, verify the alert using a SIEM or by pulling the packets involved from your packet auditing system, and use other tools to analyze those packets and logs or recreate the session.

The important thing to determine as you practice is that you are competent and confident in how to use each tool to accomplish the goal. The more you work with it, obviously, the better you'll become, and you might discover better ways to use the tool, shortcomings in it that need a workaround, or even another tool for the task. An intrusion analyst's toolkit should never be static. Knowledge is increasing and new and better tools are being released all the time; staying on the curve as attackers adjust their methods requires us to do the same.

Practice examples from web sites like the Ethical Hacker Network are great, but if you use them, make sure you follow the same process and use the same tools you would if you were investigating traffic on your own network. Depending on your situation, you may not be able to dedicate time at work to hone your skills. It may require using some of your own personal time to practice. If so, try to replicate your toolkit as closely as possible to what you have at work. If you have a spare machine at home, load your favorite Linux distro on it and build your tool set there. If you have a way to capture packets or are running your own Snort box or some other IDS, investigate alerts from it. You'll not only be sharpening your skills, but you may find out your own network is being probed and needs to be locked down a little tighter, a great extra benefit to your investment of time.