You know what would be really helpful? I mean, actually helpful to people in the security industry as a whole? We need some kind of collaboration tool that allows many different users to view, download, analyze, tag, describe and ask questions about any and all kinds of malware, network captures and security logs. I’ve been talking to some of the #rawpacket guys/gals about how it would work, so now I’m stealing their ideas for a blog post
For example, let’s say you discover a new binary malware that one of your honeypots caught, here’s how I envision this would work out:
- You register an account at the collaboration website, you can additionally assign your pgp key to your name, security people like to know who they’re actually talking with.
- You upload the file, in this case it’s a .exe file, tagging it with a basic description (“nepenthes honeypot caught this transferred over ftp, I think it’s a trojan, etc, etc”) and tags so it becomes searchable (exe, malware, binary, ftp).
- The file/pcap is anonymized (optional, but would be extremely nice)
- After the initial upload, the collaboration server performs super-basic, but good baseline analysis on the file, saving the results for later. For a .exe file, it could be things like md5sum, clamscan and strings. For other types of files, different tools could be used (*cough* an automated NSM-Console session *cough*), etc
- The malware is displayed on the page, security gurus log into their account, have the ability to download the binary to play with it themselves, and are encouraged to share what they found when doing their analysis (and how). They have the ability to upload screenshots, short video clips, textfiles, whatever would help with the analysis. This of it like a traditional website ‘shoutbox’, but with comments on a particular piece of malware or network capture.
- Users can also create correlations between different submissions, Example: “This is the link to the network capture for the worm exploiting this particular binary malware”, now we can draw pretty graphs!
- Discussion continues until the file has been “figure out”. Give people ‘karma’ or whatever to encourage posting.
In all seriousness, you know what I think would be great about this? The community as a whole benefits from the knowledge and talent of people who are good at an individual skill. For instance, I might suck at binary malware analysis, but I can help decode what’s going on with a network trace picked up by an IDS. Community is created, knowledge is shared, security can be improved, people become familiar with the parts of security in which they lack knowledge, everyone is happy.
Make the framework distributable, small groups of people can set up their own collaboration for working with extremely confidential files, think Trac, but instead of bug reports and svn tracking, malware/pcap collaboration and research.
There are projects already like this, I’m excited for the direction that OpenPacket is going with packet captures, upload a file and it’s automatically run through tshark, giving you a baseline to start working with. I think that if the idea is expanded, we can get a lot of different people involved. I know I’d certainly like to get better at doing binary analysis.
Does this sound interesting? It certainly does to me. I’m curious if anyone else is interested, leave me a comment and let me know if you’d be interested in something like this! (Maybe if 40 hours suddenly appear out of nowhere I’m start working on it…)
P.S. I didn’t think of all of this myself, thanks to all the people in #rawpacket for their ideas Just want to give credit where it’s due…