How to integrate the RSA Malware Analysis with the Cuckoo Sandbox

Discussion created by Luiz Borges on May 22, 2015
Latest reply on Oct 23, 2017 by Luiz Borges

Like • Show 5 Likes5
Comment • 13

Hi everyone!

I updated the post attaching the PPT used during my presentation at the RSA TechFest 2016. Everything that you need to know about the integration process that I developed is avaiable in the file attached.

This is a simple post to show how to integrate the RSA Malware Analysis with the Cuckoo Sandbox solution.

You will need:

RSA Security Analytics for Packet with Malware Analysis
Cuckoo Sandbox (local)

Firstly, you need to enable the File Sharing Protocol on the Service - > Malware Analysis -> Config and then apply the change.

After that, connect through the SSH to your RSA Malware Analysis and change the share name from File Store to repository. Only to remove the space on share name.

Apply the change and restart the smb service.

Now, connect through SSH to your Cuckoo Sandbox (local). Run the steps below:

Install the mount.cifs package
Make a directory /mnt/rsamalware
Make a script file rsamalware.sh (image below) on Cuckoo’s utils directory and set as an executable file. Note: Change your_rsa_malware by the correct IP address

Finally, add a cron job to run the script every 5 minutes (in this case). However, you can parameterize the option that better to attendant your specific demand.

Attachments

160615_TF16_PPT_How to integrate the RSA Malware Analysis with other sandbox solutions.pptx17.1 MB

Outcomes

Ian Cuthbertson

May 26, 2015 9:47 AM

Thanks, this looks really interesting. I'm assuming the results from Cuckoo don't come back into Malware Analysis as scores? I.e. this just pushes one way, right?

Actions

Luiz Borges @ Ian Cuthbertson on May 26, 2015 12:28 PM

Hi @Menwith_hill! Thanks for your question!

Yes, for sure! This is only the Part I.

I'm trying to make a two-way connection to show the results into Malware Anslysis as score. But is very difficult without any documentation to support.

Actions

Luiz Borges @ Ian Cuthbertson on Oct 17, 2017 2:09 PM

Hi Ian!

I did it. Now I can see the results from the 4 analysis process into the same screen. Please, see the image below:

Actions

RSA Admin

May 26, 2015 1:00 PM

I am watching this...

Is this dependent upon licensing for the malware engine? Can you have the limited usage license and still pump out everything to cuckoo?

Actions

Ian Cuthbertson

@ RSA Admin on May 26, 2015 1:09 PM

When you say limited usage license, do you mean the free Malware Analysis in the SA server rather than the dedicated appliance?

Actions

Luiz Borges @ RSA Admin on May 26, 2015 1:15 PM

Hi @Eric_the_Viking! Thanks for your question!

Yes, for sure! You can use the limited license.

Actions

Ian Cuthbertson

@ Luiz Borges on May 26, 2015 1:48 PM

I think that license only allows for items to be manually selected for scanning, I don't think you can send everything that way (at least that is what it is supposed to do).

Actions

Luiz Borges @ Ian Cuthbertson on May 26, 2015 1:57 PM

He can setup the Malware Analysis (limited license) to work in Continuous Scan as well. However, this is limited only 100 analysis per day.

great post!

Joe Gumke Oct 5, 2017 8:32 AM

Is there an ability to integrate cuckoo windows host log data into the log portion of the SIEM? Specifically analyzing windows logs, and consuming them into via a log collection method? Interested to see if we could identify some potential alerting through log consumption mechanisms.

Actions

Luiz Borges @ Joe Gumke on Oct 17, 2017 2:12 PM

Hi Joseph Gumke!

Isn't easier to get the results from the Cuckoo Server? The Cuckoo Server create a JSON file with every info about the analysis process. You can get the file and process them with your SIEM solution. Sometime I did it using the HP ArcSight. Please, see the images below:

1 - JSON file report

2 - Cuckoo report

3 - HP ArcSight

Actions

Joe Gumke @ Luiz Borges on Oct 19, 2017 8:33 AM

hard part is that RSA doesnt natively support JSON ingestion, and nobody really knows how to leverage the plugin framework to support this format

Actions

Luiz Borges @ Joe Gumke on Oct 23, 2017 11:45 AM

Well, in this case I normally use the Smart Connector from HPE (that is free) to get the events that aren't supported by RSA. After that, I send to the NetWitness through the syslog in CEF format.

Actions

13 Replies

Ian Cuthbertson May 26, 2015 9:47 AM
Thanks, this looks really interesting. I'm assuming the results from Cuckoo don't come back into Malware Analysis as scores? I.e. this just pushes one way, right?
Like • Show 1 Like1
Actions
- Luiz Borges @ Ian Cuthbertson on May 26, 2015 12:28 PM
  Hi @Menwith_hill! Thanks for your question!
  
  Yes, for sure! This is only the Part I.
  
  I'm trying to make a two-way connection to show the results into Malware Anslysis as score. But is very difficult without any documentation to support.
  Like • Show 0 Likes0
  Actions
- Luiz Borges @ Ian Cuthbertson on Oct 17, 2017 2:09 PM
  Hi Ian!
  
  I did it. Now I can see the results from the 4 analysis process into the same screen. Please, see the image below:
  Like • Show 0 Likes0
  Actions
RSA Admin May 26, 2015 1:00 PM
I am watching this...

Is this dependent upon licensing for the malware engine? Can you have the limited usage license and still pump out everything to cuckoo?
Like • Show 1 Like1
Actions
- Ian Cuthbertson @ RSA Admin on May 26, 2015 1:09 PM
  When you say limited usage license, do you mean the free Malware Analysis in the SA server rather than the dedicated appliance?
  Like • Show 1 Like1
  Actions
- Luiz Borges @ RSA Admin on May 26, 2015 1:15 PM
  Hi @Eric_the_Viking! Thanks for your question!
  
  Yes, for sure! You can use the limited license.
  Like • Show 0 Likes0
  Actions
  - Ian Cuthbertson @ Luiz Borges on May 26, 2015 1:48 PM
    I think that license only allows for items to be manually selected for scanning, I don't think you can send everything that way (at least that is what it is supposed to do).
    Like • Show 1 Like1
    Actions
    - Luiz Borges @ Ian Cuthbertson on May 26, 2015 1:57 PM
      He can setup the Malware Analysis (limited license) to work in Continuous Scan as well. However, this is limited only 100 analysis per day.
      Like • Show 0 Likes0
      Actions
SeffyGHops May 26, 2015 2:40 PM
great post!
Like • Show 1 Like1
Actions
Joe Gumke Oct 5, 2017 8:32 AM
Is there an ability to integrate cuckoo windows host log data into the log portion of the SIEM? Specifically analyzing windows logs, and consuming them into via a log collection method? Interested to see if we could identify some potential alerting through log consumption mechanisms.
Like • Show 1 Like1
Actions
- Luiz Borges @ Joe Gumke on Oct 17, 2017 2:12 PM
  Hi Joseph Gumke!
  
  Isn't easier to get the results from the Cuckoo Server? The Cuckoo Server create a JSON file with every info about the analysis process. You can get the file and process them with your SIEM solution. Sometime I did it using the HP ArcSight. Please, see the images below:
  
  1 - JSON file report
  
  2 - Cuckoo report
  
  3 - HP ArcSight
  Like • Show 0 Likes0
  Actions
  - Joe Gumke @ Luiz Borges on Oct 19, 2017 8:33 AM
    hard part is that RSA doesnt natively support JSON ingestion, and nobody really knows how to leverage the plugin framework to support this format
    Like • Show 1 Like1
    Actions
    - Luiz Borges @ Joe Gumke on Oct 23, 2017 11:45 AM
      Well, in this case I normally use the Smart Connector from HPE (that is free) to get the events that aren't supported by RSA. After that, I send to the NetWitness through the syslog in CEF format.
      Like • Show 0 Likes0
      Actions

How to integrate the RSA Malware Analysis with the Cuckoo Sandbox

Attachments

Outcomes

Related Content

Recommended Content

Incoming Links