WEBVTT

00:07.100 --> 00:13.220
Sometimes as an analyst, you really need to move your items or potential malware into an environment

00:13.220 --> 00:19.490
that really encapsulates it in such a fashion that it can't impose itself on other systems, whether

00:19.490 --> 00:24.290
it be operations or different applications, or in general, to be able to touch other systems as a

00:24.290 --> 00:24.860
whole.

00:24.890 --> 00:27.890
That process we're really referring to is sandboxing.

00:27.890 --> 00:33.530
Sandboxing is the art of moving something, or putting a piece of software application, or even potential

00:33.530 --> 00:40.310
malware into a position where it truly cannot communicate with the other systems or networking or utilities

00:40.310 --> 00:41.510
on your network.

00:41.540 --> 00:46.160
In this episode, we're going to talk and discuss about how malware can be tested and identified in

00:46.160 --> 00:51.440
an environment where it really can't cause harm to other applications or systems as part of your network.

00:51.440 --> 00:58.040
Sandboxing is truly the isolation of one network from another, meaning that I'm taking an environment

00:58.040 --> 01:00.110
where I don't have internet access.

01:00.110 --> 01:06.440
It's not connected to other, uh, other systems or network devices, it's truly isolated from the network

01:06.440 --> 01:07.190
as a whole.

01:07.220 --> 01:13.730
Sandboxing allows for an isolated network in order to test or to go forward, and the process of identifying

01:13.730 --> 01:19.130
the functions or the functionality of a specific application, or even an operating system that may

01:19.130 --> 01:21.890
have had malware introduced upon it.

01:21.890 --> 01:27.980
In this controlled environment, we can actually test our systems or that application to figure out

01:27.980 --> 01:32.750
how it's interacting with the other environments in which we would normally see it on.

01:32.750 --> 01:38.270
That means that we could take a malware or a piece of application that may be infected by a malware.

01:38.270 --> 01:42.920
We can run it through dynamic analysis and see what's going on across the board.

01:42.920 --> 01:49.040
We can go through the processes, we can go through the environment, in which case we can identify

01:49.040 --> 01:50.360
everything that it touches.

01:50.360 --> 01:56.150
Along the way, we can monitor the different aspects of which that malware or that application is actually

01:56.150 --> 01:59.960
moving forward, meaning that we can analyze everything that comes into play with.

01:59.990 --> 02:04.040
We can identify, hey, is this piece of software interacting with something

02:04.040 --> 02:04.730
it shouldn't be?

02:04.760 --> 02:10.370
Is it going through in the Word document when it has no process or understanding, or need to access

02:10.370 --> 02:11.930
that specific application?

02:11.930 --> 02:17.450
In this way, we can identify what is the malware doing on our system and how it's imposing its will

02:17.480 --> 02:18.770
on other applications.

02:18.770 --> 02:22.910
If it's a negative consequence, we can also look in a different environment at

02:22.910 --> 02:27.950
how that piece of application or that piece of software is interacting on a legitimate basis.

02:27.950 --> 02:33.440
Sometimes we want to sandbox a new patch or a new structure in such a way that we can see, hey, we

02:33.440 --> 02:35.780
have proprietary software yet.

02:35.810 --> 02:37.760
Microsoft just came out with a new patch.

02:37.760 --> 02:43.850
Before we roll out that patch to all our other systems, let's see how it reacts to our system in a

02:43.850 --> 02:49.250
sandbox environment so we can understand are we going to have repercussions by applying that patch?

02:49.250 --> 02:56.480
This provides us a way to identify and analyze how that software is actually encoded, or how it's moving

02:56.480 --> 02:57.710
across our entire system.

02:57.710 --> 03:02.600
The first one I want to talk about in terms of malware analysis is actually a program or an application

03:02.600 --> 03:08.580
called Joe Sandbox. Now, Joe Sandbox is a virtual environment on the cloud, meaning that we don't have

03:08.580 --> 03:10.680
to actually have it on our software systems.

03:10.680 --> 03:17.850
We can go online and we can provide, uh, a piece of malware or an infected item onto their virtual

03:17.850 --> 03:22.230
environment, and then it will go through and actually test that software for different problems.

03:22.230 --> 03:26.610
We're going to go more in depth in this in the future episode, and really kind of show you how this

03:26.640 --> 03:27.720
actually works.

03:27.720 --> 03:30.630
The other one I want to talk about is Cuckoo Sandbox.

03:30.630 --> 03:35.370
Cuckoo Sandbox is a standalone environment that sandboxes itself.

03:35.370 --> 03:39.510
This means that you have to provide that virtual environment, but you can download the software and

03:39.510 --> 03:45.570
turn, say, an Ubuntu machine into a sandbox environment where it's not touching other things, and

03:45.570 --> 03:50.730
the software actually goes through and analyzes what it can for you so that you can identify whether

03:50.730 --> 03:56.430
or not that PowerPoint, the Excel document, maybe that software application may have malware embedded

03:56.430 --> 03:56.820
in it.

03:56.820 --> 04:01.440
Now, it's not 100% guaranteed that it's going to find everything, but it does provide an environment,

04:01.440 --> 04:07.260
in which case we can go through and we can properly analyze it without the need for inducing our other

04:07.260 --> 04:14.250
systems or applications to a potential piece of malware. We can utilize it within our SOAR or our

04:14.250 --> 04:20.100
SIEM platforms to provide a detailed and customized report to identify exactly what's going on in that

04:20.100 --> 04:23.070
environment and our holistic and security environment.

04:23.100 --> 04:27.390
Throughout this episode, we talked about how a sandbox environment can be used not only for legitimate

04:27.390 --> 04:31.050
processes, but also potential malware or applications.

04:31.080 --> 04:37.050
We also identified how it could be introduced in an aspect of analysis and identification, both in

04:37.050 --> 04:38.760
Joe Sandbox and Cuckoo.

04:38.790 --> 04:44.400
Throughout your CySA testing environment, I would expect to see a high level overview of both

04:44.400 --> 04:47.490
sandboxes in relation to different aspects.

04:47.490 --> 04:53.550
At a high level, they're not going to go through and ask you to go through and specifically go through

04:53.550 --> 04:54.240
the process.

04:54.240 --> 04:58.920
They're not going to ask you to go through and identify specific malware, but they would expect you

04:58.920 --> 05:02.880
to understand I can use Cuckoo Sandbox, or I could use Joe Sandbox.

05:02.880 --> 05:07.650
And these are the properties, in which case I might use both, where Cuckoo is a standalone environment

05:07.650 --> 05:11.420
that we're controlling, and Joe Sandbox is a virtual environment on the cloud.

05:11.420 --> 05:16.520
It really depends on the aspects of what direction you want to go in and the process that we might want

05:16.550 --> 05:17.240
to utilize.

05:17.240 --> 05:22.580
For instance, Joe Sandbox is more in relation to the theoretical concepts of different operating systems.

05:22.580 --> 05:27.980
And I can download a file or a folder that may be properly infected, a text document, and then just

05:27.980 --> 05:31.370
upload it to the virtual environment and then ask questions about that.

05:31.550 --> 05:38.420
It also comes into play where we're looking at specific URLs or files, where Cuckoo Sandbox is more

05:38.420 --> 05:40.340
of a Linux only environment.

05:40.340 --> 05:45.110
Yes, we can do Windows environment stuff on there, but it's not going to provide us the holistic view

05:45.140 --> 05:46.070
that we're looking for.

05:46.070 --> 05:50.780
However, where Cuckoo's real strength is, is within the SIEM or within the SOAR environment, because

05:50.780 --> 05:55.610
it's actually part of our environment as a whole, and it can grab those logs, it can grab that information

05:55.610 --> 05:57.500
and analysis directly from our systems.

05:57.500 --> 06:03.680
One definitely has a better property and a holistic viewpoint, i.e. where one is more of a standalone

06:03.680 --> 06:05.630
environment, i.e. Joe Sandbox.

06:05.660 --> 06:11.150
Expect to see questions specifically related to those two environments in which you might use in a scenario

06:11.150 --> 06:13.760
based context, one over another.
