Collaborative analysis efforts with simple to use interfaces

February 12, 2008

You know what would be really helpful? I mean, actually helpful to people in the security industry as a whole? We need some kind of collaboration tool that allows many different users to view, download, analyze, tag, describe and ask questions about any and all kinds of malware, network captures and security logs. I’ve been talking to some of the #rawpacket guys/gals about how it would work, so now I’m stealing their ideas for a blog post ;)

For example, let's say you discover a new binary malware that one of your honeypots caught. Here's how I envision this working out:

  1. You register an account at the collaboration website; you can additionally attach your PGP key to your name, since security people like to know who they're actually talking with.
  2. You upload the file, in this case it’s a .exe file, tagging it with a basic description (“nepenthes honeypot caught this transferred over ftp, I think it’s a trojan, etc, etc”) and tags so it becomes searchable (exe, malware, binary, ftp).
  3. The file/pcap is anonymized (optional, but would be extremely nice).
  4. After the initial upload, the collaboration server performs super-basic, but good, baseline analysis on the file, saving the results for later. For a .exe file, it could be things like md5sum, clamscan and strings. For other types of files, different tools could be used (*cough* an automated NSM-Console session *cough*), etc.
  5. The malware is displayed on the page, security gurus log into their account, have the ability to download the binary to play with it themselves, and are encouraged to share what they found when doing their analysis (and how). They have the ability to upload screenshots, short video clips, textfiles, whatever would help with the analysis. Think of it like a traditional website 'shoutbox', but with comments on a particular piece of malware or network capture.
  6. Users can also create correlations between different submissions, Example: “This is the link to the network capture for the worm exploiting this particular binary malware”, now we can draw pretty graphs!
  7. Discussion continues until the file has been "figured out". Give people 'karma' or whatever to encourage posting.
  8. ????
  9. Profit!
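As an added example (not from the post or the #rawpacket discussion), here is what the baseline-analysis step in item 4 could look like for an .exe or pcap upload: hash the sample, classify it by magic bytes rather than by extension, pull out printable strings the way `strings` does, and merge the uploader's tags with the detected type. The sample blobs and helper names are constructed for illustration; clamscan is left out because it needs the external scanner.

```python
import hashlib
import re

# Magic-byte signatures (at offset 0) for the file kinds the post talks about.
SIGNATURES = {
    b"MZ": "exe",                 # DOS/PE executable header
    b"\xd4\xc3\xb2\xa1": "pcap",  # libpcap, little-endian
    b"\xa1\xb2\xc3\xd4": "pcap",  # libpcap, big-endian
    b"\x0a\x0d\x0d\x0a": "pcapng",
}

def detect_type(data: bytes) -> str:
    """Classify a submission by its leading bytes, never by the name the uploader gave it."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len chars, the same idea as the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def baseline_analysis(filename: str, data: bytes, user_tags: list[str]) -> dict:
    """Baseline record saved at upload time: hashes, detected type, strings and searchable tags."""
    kind = detect_type(data)
    return {
        "filename": filename,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        # sha256 is the dedup/lookup key; md5 is kept only to cross-reference older reports.
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": kind,
        "strings": extract_strings(data),
        "tags": sorted({t.lower() for t in user_tags} | {kind}),
    }

# Constructed stand-ins for real uploads; no actual malware or capture involved.
FAKE_EXE = (b"MZ" + b"\x00" * 6 + b"This program cannot be run in DOS mode."
            + b"\x00\x01" + b"USER anonymous" + b"\xff")
FAKE_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("dropper.exe", FAKE_EXE), ("session.pcap", FAKE_PCAP)):
        report = baseline_analysis(name, blob, ["honeypot", "FTP"])
        print(report["filename"], report["type"], report["tags"], report["strings"])
```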

In all seriousness, you know what I think would be great about this? The community as a whole benefits from the knowledge and talent of people who are good at an individual skill. For instance, I might suck at binary malware analysis, but I can help decode what’s going on with a network trace picked up by an IDS. Community is created, knowledge is shared, security can be improved, people become familiar with the parts of security in which they lack knowledge, everyone is happy.

Make the framework distributable, so small groups of people can set up their own collaboration for working with extremely confidential files; think Trac, but with malware/pcap collaboration and research instead of bug reports and svn tracking.

There are already projects like this. I'm excited about the direction OpenPacket is going with packet captures: upload a file and it's automatically run through tshark, giving you a baseline to start working with. I think that if the idea is expanded, we can get a lot of different people involved. I know I'd certainly like to get better at doing binary analysis.

Does this sound interesting? It certainly does to me. I'm curious if anyone else is interested; leave me a comment and let me know if you'd be interested in something like this! (Maybe if 40 hours suddenly appear out of nowhere I'll start working on it…)

P.S. I didn’t think of all of this myself, thanks to all the people in #rawpacket for their ideas :) Just want to give credit where it’s due… ;)

3 Comments to "Collaborative analysis efforts with simple to use interfaces"

  1. scholar01 wrote:

    Sounds like a great idea. We should look into the reasons this hasn’t been done before….
    Instead of getting into that discussion, I’d rather contribute these ideas:
    1. It seems that it can quickly break down into two camps of core skills: network analysis and malware analysis
    2. Instead of trying to be exhaustive with malware or network attacks, we should pick just a few and pour a lot of energy into them. I think a lot of projects quickly become overwhelmed when they try to be a clearinghouse of malware, none of which is analyzed further than a sandbox.
    3. While tagging and such does help with collaboration, the community is probably best benefited by thoughtful analysis and write-up, specifically when it comes to how to use the tools. (teach a man/woman to fish…)
    4. We need to find a way to integrate new people into teams and force them to work together long enough to build up basic skills. This is the only way to scale beyond our small club of friends. <- a lot more thought needs to go into this point, but I'd rather be wrong and say something than wait at this point.

  2. Delilah Hinman wrote:

    This type of community sounds really beneficial for everyone involved. And I think scholar brings up some really good points, particularly points 3 and 4.

  3. Lee Hinman wrote:

    So here’s the real 44-million dollar question, where do we go from here? Prototyping? Design?
