Chapter 8: Interpreting Endpoint Security

Understanding filesystems used within various operating systems can help you, as a cybersecurity professional, better understand limitations on file and partition sizes. Imagine, during an investigation on a compromised Windows system, that you as the forensic investigator are required to understand the filesystem of a computer and how it functions. Furthermore, as a security professional, it's important to understand how various metrics are used to determine the severity and priority of vulnerabilities found on a system.

Throughout the course of this chapter, you will discover the fundamentals of filesystems that are used by the Microsoft Windows and Linux operating systems. You will learn how to use the Common Vulnerability Scoring System (CVSS) calculator to determine the severity of a vulnerability, and why CVSS is an industry-recognized tool. Furthermore, you will learn how malware analysis tools work and gain hands-on experience in building your very own malware analysis sandbox.

In this chapter, we will cover the following topics:

  • Exploring the Microsoft Windows filesystem
  • Delving into the Linux filesystem
  • Understanding the CVSS
  • Working with malware analysis tools

Technical requirements

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

Link for Code in Action video https://bit.ly/3ey0NEC

Exploring the Microsoft Windows filesystem

When you purchase a new storage device such as a hard disk drive (HDD) or solid state drive (SSD), the storage component is literally blank without anything on it. Imagine connecting a new HDD or SSD to your computer for the first time. Your computer will not recognize the storage drive and won't be able to write any data on it. Storage devices require a filesystem, which the operating system will use to organize how data is stored on the drive itself.

Imagine years ago, if you wanted to call your friend's landline telephone but did not know their number, you would have needed to use a traditional telephone directory. This was a large printed book containing publicly listed telephone numbers with the person's name and address. Think of a filesystem organizing files as a type of directory formatting. Hence, when a user or an operating system wants to locate a file, this task will be easier when using a filesystem on the storage drive. Without a filesystem, locating a particular piece of data on a storage drive such as a traditional HDD will be difficult as there is no kind of order or procedure on how to store files.

Furthermore, a filesystem allows a user and an operating system to better manage any free spaces on the storage drive. The following screenshot shows the properties of the C: drive on a Windows 10 computer:

Figure 8.1 – Filesystem

As shown in the preceding screenshot, the filesystem for the device is using the New Technology File System (NTFS) and we are able to determine the amount of used and free space on the drive.

You're probably wondering: What does a filesystem have to do with cybersecurity? As a security analyst, or even a computer forensic investigator, you may be asked to retrieve data from a drive that contains potential evidence of a cybercrime. Therefore, understanding the characteristics of various filesystems will help you determine where there are any file size limitations, the total capacity for a single partition or storage volume, and whether it supports data encryption and compression.

Filesystems

There are many filesystems that are commonly used by the Microsoft Windows operating system. The following are filesystems that are available for Microsoft Windows:

  • File Allocation Table (FAT): This is an older filesystem that was used with older versions of Windows. FAT is also supported by other operating systems. However, one of the major drawbacks of using FAT as the preferred filesystem is its limitation in terms of file size, the number of partitions on a single drive, and the size of a partition. Due to these disadvantages, FAT is no longer being used on mass storage devices such as HDDs and SSDs.
  • FAT32: This version of FAT supports a maximum file size of 4 gigabytes (GB). This means that the largest file can be up to 4 GB in size on a storage drive that uses the FAT32 filesystem. With FAT32, each volume, such as an HDD or a partition, can only be up to 2 terabytes (TB) in size. Furthermore, this version of FAT does not support any data encryption or compression on the filesystem.
  • Extended File Allocation Table (exFAT): This filesystem has fewer limitations than FAT32; however, it is not widely supported outside of the Microsoft Windows environment by other vendors.
  • Hierarchical File System Plus (HFS+): This is a filesystem used with macOS systems. The HFS+ filesystem allows larger file sizes, filenames, and partitions.
  • Extended File System (EXT): The EXT filesystem is supported on Linux-based operating systems.
  • NTFS: This filesystem is currently being used on all modern versions of Microsoft Windows. With NTFS, there is support for encryption, compression, file permissions, disk quotas, recovery, and improved performance and reliability. NTFS has become the preferred filesystem for Microsoft Windows. Additionally, NTFS supports both large file sizes and partitions.

Next, we will take a dive into understanding a feature found within the NTFS filesystem that allows you to hide a file within another file.

Alternate data streams

Alternate Data Streams (ADS) allow a user with administrative privileges to hide a file within another file. The functionality of ADS was not intended to be malicious in nature, but threat actors such as hackers saw this feature as an opportunity within the NTFS filesystem to hide data within another file so as to evade detection.

To get a better understanding of ADS and how it works, we will perform a simple hands-on exercise in the next section.

Lab exercise – Using ADS to hide a file

During this lab exercise, you will learn how to use ADS on the NTFS filesystem to hide a text file within another file using the Microsoft Windows 10 operating system.

To get started with this lab exercise, observe the following instructions:

  1. On the search bar, type cmd and right-click, then choose Run as administrator to provide administrative privileges.
  2. Once Command Prompt is open, type cd \ and hit Enter to change your working directory to the root of the C: drive, shown as follows:
    Figure 8.2 – Changing the working directory

  3. Next, use the following command to write a string of text into a file, and name the file safefile.txt:

    C:\>echo "This is the data found within the safe file" > safefile.txt

  4. Then, use the dir command to verify that the file exists within the present working directory, shown as follows:
    Figure 8.3 – Verifying the file size

    As shown in the preceding screenshot, the file size of safefile.txt is 48 bytes.

  5. Next, let's create our hidden file with some text. We'll name the file oursecretfile.txt and hide it within the safefile.txt file by using the following command:

    C:\>echo "This data located within our secret file" > safefile.txt:oursecretfile.txt

  6. Let's now use the dir command to check whether oursecretfile.txt is visible within our working directory, as follows:
    Figure 8.4 – Verifying files

    As shown in the preceding screenshot, the oursecretfile.txt file is not present. The reason is that the file is hidden within safefile.txt. However, the file size of safefile.txt did not increase, even though oursecretfile.txt contains data of its own.

  7. We can use the dir /r command to view additional content within our working directory, as follows:
    Figure 8.5 – Viewing additional content

    As shown in the preceding screenshot, we are now able to see oursecretfile.txt and its file size of 45 bytes. Furthermore, the ADS hidden file does not show any date and timestamps, unlike the other files.

  8. To view the contents of the hidden file, use the following command:

    C:\>notepad safefile.txt:oursecretfile.txt

    The following screenshot shows the expected results after executing the command:

Figure 8.6 – Viewing hidden content

As shown in the preceding screenshot, we are now able to view the contents of the hidden file using ADS.

Having completed this lab exercise, you have learned how a threat actor can take advantage of ADS within the NTFS filesystem to hide a file within another file. Having this knowledge will help you further understand how hackers can use native features within a filesystem to perform malicious actions during a cyber-attack. As a cybersecurity professional, understanding how ADS works will better prepare you in discovering whether a user has used ADS to hide a file within another file on the NTFS filesystem. Next, we will take a dive into exploring the characteristics of the Linux filesystem.
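The dir /r listing from the lab is the record a defender has to read, so the following added example (written for this edition, not part of the original book or of any Microsoft tool) parses such a listing and reports files that carry streams beyond the default $DATA stream. The listing embedded below is a constructed sample that reproduces the lab's 48-byte safefile.txt and its 45-byte hidden stream; the Zone.Identifier stream on a downloaded setup.exe is assumed as an example of a benign stream that Windows itself attaches to downloads and that should be allowlisted rather than flagged.

```python
# Added example (not from the book): parse "dir /r" output to list NTFS
# alternate data streams and separate benign ones from the rest.
import re

# Constructed "dir /r" output. Stream entries carry no date/time columns,
# only a size and "<file>:<stream>:$DATA", exactly as the lab observed.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\

10/02/2020  09:15 AM    <DIR>          Users
10/02/2020  09:20 AM                48 safefile.txt
                                    45 safefile.txt:oursecretfile.txt:$DATA
10/01/2020  04:11 PM           812,544 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)        812,592 bytes
               1 Dir(s)  104,857,600 bytes free
"""

# Matches only the stream lines: leading whitespace, a size, then
# "<file>:<stream>:$DATA". Normal entries begin with a date, not whitespace.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams that Windows creates on its own (mark-of-the-web on downloads).
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_streams(dir_output):
    """Return (file, stream, size_in_bytes) for every ADS entry in the listing."""
    found = []
    for line in dir_output.splitlines():
        match = STREAM_LINE.match(line)
        if match:
            size = int(match.group(1).replace(",", ""))
            found.append((match.group(2), match.group(3), size))
    return found


def suspicious_streams(dir_output, allowlist=BENIGN_STREAMS):
    """Drop allowlisted stream names; whatever remains deserves a closer look."""
    return [entry for entry in parse_streams(dir_output) if entry[1] not in allowlist]


if __name__ == "__main__":
    for file_name, stream, size in suspicious_streams(SAMPLE_DIR_R):
        print("ADS found: %s:%s (%d bytes)" % (file_name, stream, size))
```

To use this on a real host, capture the listing with dir /r > listing.txt from an administrative Command Prompt and pass the file contents to suspicious_streams(); extend BENIGN_STREAMS with any stream names your own software legitimately creates so that only unexpected streams are reported.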

Delving into the Linux filesystem

The Linux operating system uses the Extended File System (EXT), which has many features and provides speed and performance for the operating system. There are a few versions of EXT and, as a cybersecurity professional, it's beneficial to understand the characteristics of each one. Let's have a look at the different versions here:

  • EXT2: This version was originally the default filesystem for any distribution of the Linux operating system. Today, it still is the preferred choice for some flash-based storage devices, even though it does not support journaling.

    Important note

    Journaling is a feature that improves performance and reduces the number of times data is written to an HDD or an SSD. By reducing the number of times data is written to a drive, it increases the lifespan of the drive itself.

  • EXT3: EXT3 supports journaling, which is designed to provide improved performance. With journaling added to EXT3, this reduces the risk of a filesystem being corrupted in the event of a sudden power loss. Furthermore, a journal is used as a log of all the changes made to files by an operating system. Imagine that a sudden power loss occurs before the files are saved properly on the operating system. The journal can be used to restore or even fix any issues that may happen during the system crash or sudden power loss.
  • EXT4: EXT4 is the current version of EXT and supports larger file sizes than previous versions. This version also contains journaling for improved performance and the simple restoration of files during system crashes.
  • Network File System (NFS): This filesystem is a network-based filesystem that allows a user to access files over a network. NFS is an open standard and can be implemented by anyone.
  • Compact Disc File System (CDFS): This filesystem is used specifically on compact disks (CDs).
  • HFS+: This is a filesystem used with macOS systems. The HFS+ filesystem allows larger file sizes, filenames, and partitions. The kernel of the Linux operating system is able to perform read and write actions to the filesystem.
  • Apple File System (APFS): This is an updated filesystem that Apple uses on its devices. Benefits include the provision of strong data encryption and optimization for both SSDs and flash storage.
  • Master Boot Record (MBR): The MBR is found within the first sector on an HDD. The MBR contains information pertaining to all files stored on a filesystem. It supports partitions up to 2 TB.
  • Swap file: The Linux operating system uses a small portion of the HDD as the swap file. The swap file has similar functionality to the paging file used in Microsoft Windows operating systems. Linux uses the swap file to temporarily hold data and applications in the event that there isn't enough storage available in the Random Access Memory (RAM) modules.

On a Linux system, you can use the parted -l command to view all partitions on a host device. The following screenshot shows an example of using the parted -l command:

Figure 8.7 – Linux filesystem

As shown in the preceding screenshot, the name of the local drive is sda, the boot partition on the HDD is formatted using fat32, and partition 5 is using the ext4 filesystem for data storage. Additionally, you are able to see the sizes of each partition.

Important note

Additional tools, including gparted and fdisk, allow a user to perform disk management functions within the Linux operating system. These tools have a similar functionality to the parted tool.

Having completed this section, you have acquired some knowledge regarding the various filesystems used with the Linux operating system. In the next section, we'll take a dive into learning how to calculate the severity score of a vulnerability, using a popular scoring system.

Understanding the CVSS

CVSS 3.1 is a non-vendor-specific system widely accepted by the cybersecurity community that helps professionals and researchers to determine the severity of a vulnerability. Imagine that a security engineer performs a vulnerability assessment on an organization's IT infrastructure and the result provides a number of security flaws found within many systems. What if the security engineer chooses to remediate and fix random vulnerabilities? This means that vulnerabilities that may impact critical services and devices may not gain the attention of security professionals while they are resolving less important security flaws.

Important note

The Forum of Incident Response and Security Teams (FIRST) maintains the CVSS 3.1 calculator on their website at https://www.first.org/cvss/calculator/3.1.

A security professional can input various factors into the CVSS 3.1 calculator to get a score ranging from 0 to 10, where 10 is critical and should be given the highest priority. Using this type of scoring system allows a security professional and vendors to determine how to prioritize vulnerabilities and which one should be addressed first on a system.

CVSS metrics

An important question is: how can a number such as a score be assigned to a vulnerability and what are the components needed to determine the score? The CVSS 3.1 calculator allows a user to input various components and factors that describe how a system can be exploited by a threat actor. These components are referred to as metrics.

Base score

The base score is simply the core metrics, which do not change over time. The following is a complete breakdown for each metric within the base score category:

  • Attack Vector (AV): The AV metric defines how an attack can happen on the target system, and is broken down as follows:

    a) Network (N): Indicates that an attack can occur across a network.

    b) Adjacent (A): Indicates that an attack can be launched from the same local network as the target system.

    c) Local (L): This selection indicates that an attack can be launched on a local system.

    d) Physical (P): Indicates that an attacker requires physical access to the target system.

  • Attack Complexity (AC): The AC metric simply defines the conditions that are beyond the threat actor's control in order to exploit the target system, and is broken down as follows:

    a) Low (L): Indicates that an attacker does not require any specialist conditions to launch an attack.

    b) High (H): Indicates that an attacker needs to perform additional actions to ensure that an attack is successful.

  • Privileges Required (PR): This metric indicates the level of privileges that is required by the threat actor to perform an attack on a target system, and is broken down as follows:

    a) None (N): Choosing none indicates that no privileges are required to perform an attack by the threat actor.

    b) Low (L): Using low indicates that an attacker requires basic-level privileges in order for an attack to be successful.

    c) High (H): Indicates that an attacker requires administrative privileges.

  • User Interaction (UI): This metric indicates whether human interaction outside of an attacker is required in order to compromise a target system, and is broken down as follows:

    a) None (N): Indicates that a target system can be exploited without the need for human interaction.

    b) Required (R): Indicates that user interaction is required for a successful exploitation.

  • Scope (S): This metric defines whether a vulnerability can affect other components on a vulnerable system, and is broken down as follows:

    a) Unchanged (U): Indicates that the impact of the exploit is confined to the vulnerable component that the attacker is targeting.

    b) Changed (C): Indicates that a vulnerability can affect other resources on a system.

  • Confidentiality (C): This metric defines whether a vulnerability affects confidentiality, and is broken down as follows:

    a) None (N): Indicates that confidentiality is not impacted.

    b) Low (L): Indicates that a vulnerability can create some loss of confidentiality.

    c) High (H): Indicates a total loss of confidentiality.

  • Integrity (I): This metric defines whether a vulnerability affects the integrity of a system and data, and is broken down as follows:

    a) None (N): Indicates that there is zero impact on integrity.

    b) Low (L): Indicates that there is a possibility that integrity may be affected.

    c) High (H): Indicates that there is a total impact or loss of integrity on a system.

  • Availability (A): This metric defines whether the availability of a system or services will be affected by a vulnerability, and is broken down as follows:

    a) None (N): Indicates that there is no impact on availability on a system.

    b) Low (L): Indicates that there is little impact on availability.

    c) High (H): Indicates that there is a total loss of availability on a system.

To get a better understanding of how to use the CVSS 3.1 calculator, let's assume the following: there is a vulnerability on a system that can be exploited across networks; the threat actor does not require any special conditions to launch an attack; no privileges are required; user interaction by the victim is not required; the vulnerability does not affect any other components. Confidentiality, integrity, and availability will be lost if the vulnerability is exploited.

We can use the CVSS 3.1 calculator at https://www.first.org/cvss/calculator/3.1 to determine our vulnerability score, shown as follows:

Figure 8.8 – Base score metrics

As shown in the preceding screenshot, the CVSS 3.1 calculator evaluates the vulnerability score using all the information provided to be 9.8 (Critical). Additionally, the following vector string is obtained:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The vector string is used to quickly identify the calculator version and the metric values that were used to obtain the vulnerability score using the base score category.

Temporal score

The temporal score denotes the metrics that can change over time on a vulnerability—in other words, a vulnerability can change over time. A simple example is a vulnerability found within an application and, after some time has passed, the vendor releases a security patch to fix the flaw within the application.

The following is a detailed breakdown of each metric found within the temporal score category:

  • Exploit Code Maturity (E): This metric is used to measure the possibility that a vulnerability will be taken advantage of by a threat actor based on the current state of an exploit or malicious code, and is broken down as follows:

    a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.

    b) Unproven (U): This means that the exploit code does not exist and is only theoretical.

    c) Proof-of-Concept (PoC): This means that the PoC exploit code is available, but the attack is only demonstrated on some systems and not all.

    d) Functional (F): The exploit code takes advantage of the vulnerability on most systems.

    e) High (H): The exploit code works on every vulnerable system.

  • Remediation Level (RL): This metric is simply used to define whether a solution is available to fix a vulnerability and the type of solution required to do so, and is broken down as follows:

    a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.

    b) Official Fix (O): This option indicates that an official solution is available to fix the vulnerability.

    c) Temporary Fix (T): This option indicates that a temporary fix is available for the vulnerability.

    d) Workaround (W): This option indicates that an unofficial workaround solution is available.

    e) Unavailable (U): This option indicates that a solution is not available to fix the vulnerability.

  • Report Confidence (RC): This metric is used to measure the level of confidence and the technical details that are known regarding the vulnerability, and is broken down as follows:

    a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.

    b) Unknown (U): This option indicates that the vulnerability exists but no details are known.

    c) Reasonable (R): This option indicates that there are sufficient details about the vulnerability, but these are unconfirmed.

    d) Confirmed (C): This option indicates that there are official details from the vendor regarding the vulnerability.

To get an idea of how temporal metrics can be used, the following screenshot shows the Temporal Score metrics on the CVSS 3.1 calculator:

Figure 8.9 – Temporal Score metrics

As shown in the preceding screenshot, the temporal score is lower than the base score. Additionally, the vector string has been updated to the following to include both the base and temporal scores:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

Keep in mind that the temporal score is always lower than the base score on the CVSS calculator. Next, let's take a look at the metrics found within the environmental score.

Environmental score

The environmental score contains the metrics that are bound to the user operating environment. The following metrics are applicable to just your operating environment:

  • Confidentiality Requirement (CR)
  • Integrity Requirement (IR)
  • Availability Requirement (AR)
  • Modified Attack Vector (MAV)
  • Modified Attack Complexity (MAC)
  • Modified Privileges Required (MPR)
  • Modified User Interaction (MUI)
  • Modified Scope (MS)
  • Modified Confidentiality (MC)
  • Modified Integrity (MI)
  • Modified Availability (MA)

Adjusting the environmental score will usually lower the base score on the CVSS 3.1 calculator. The following screenshot shows the Environmental Score metrics on the CVSS 3.1 calculator:

Figure 8.10 – Environmental Score metrics

As shown in the preceding screenshot, the user can choose various options within the Environmental Score category. As you have seen thus far, the CVSS calculator provides a score that allows us to determine the severity level of a vulnerability and how it should be prioritized over others. This helps us to understand the severity level of each score. FIRST has created its qualitative severity rating scale, which maps a given score to a rating level.

The following table shows FIRST's qualitative severity rating scale:

Figure 8.11 – Qualitative severity rating scale

Imagine obtaining a score of 5.6 on a vulnerability on a system, which means the severity rating is medium, while another vulnerability provides a score of 3.1, which is low. As a security professional, you should always take action in relation to tasks that are more critical and have a higher priority.

Having completed this section, you have learned about the role CVSS plays within the cybersecurity industry, which helps professionals—and even vendors—to better understand the severity rating of vulnerabilities on a system. In the next section, we will take a dive into understanding and working with malware analysis tools.

Working with malware analysis tools

As a cybersecurity professional, you may be required to perform analysis on suspicious files, Uniform Resource Locators (URLs), or even file hash values. Many times, a user may scan a file using an anti-malware application and the results will show that the file is benign and not harmful. However, keep in mind that an anti-malware protection application may not always detect a malicious file or URL as harmful, and this can be a huge concern. Therefore, it's really important to get a second opinion from another malware analysis scanning tool.

Important note

The Cisco Threat Grid is a product from Cisco that is an on-premises malware analysis sandbox.

To gain a better understanding of malware analysis tools, let's take a look at Cisco's Firepower Management Center (FMC). Cisco FMC is integrated in many of Cisco's security appliances and solutions, and this allows a security engineer to gain an overview of the entire threat landscape on their network.

The following screenshot shows the user dashboard of Cisco FMC:

Figure 8.12 – Cisco FMC interface

As shown in the preceding screenshot, Cisco FMC provides the top Indicators of Compromise (IoCs) by host devices, users, malware threats, and even the number of intrusions over a given period of time. Cisco FMC allows a security engineer to gather in-depth details regarding a threat on a network.

The following screenshot shows the top malware threats using Cisco FMC:

Figure 8.13 – Observing the top malware threats on Cisco FMC

As shown in the preceding screenshot, various malware threats were detected on the network. For each malware threat, Cisco FMC provides a count of the number of occasions when the threat was detected on the network. Let's imagine you want to get further details regarding the SWF.Exploit.Rigek threat. Within Cisco FMC, you can simply click on it to get further details.

The following screenshot shows a summary of details gathered by Cisco FMC regarding the SWF.Exploit.Rigek threat while it was on the network:

Figure 8.14 – Gathering a malware summary on Cisco FMC

As shown in the preceding screenshot, Cisco FMC determined that the file was malware and recorded a SHA256 hash of the malicious file. By clicking on the hash value of the malware, Cisco FMC provides even more details regarding the threat, as shown in the following screenshot:

Figure 8.15 – Gathering more details regarding threats on Cisco FMC

As shown in the preceding screenshot, Cisco FMC provides data on all four counts of the SWF.Exploit.Rigek threat. Cisco FMC provides the time and date the threat was detected; the actions taken by Cisco FMC to mitigate the malware; the source and destination Internet Protocol (IP) addresses; the source and destination port numbers; and the countries of origin and destination.

Additionally, you are able to ascertain the threat score, the file type, the file URL, the application protocol, the client used to access the malware, and even the web application, as shown here:

Figure 8.16 – Additional details regarding the malware

Furthermore, the Cisco FMC malware analysis tool allows us to obtain advanced details, such as trajectory data about the threat. The following screenshot shows advanced details of the SWF.Exploit.Rigek malware on Cisco FMC:

Figure 8.17 – Gathering advanced details of the malware

As shown in the preceding screenshot, a security engineer is able to gather full details regarding a threat that has been detected using Cisco security solutions with Cisco FMC as the management dashboard.

Important note

Another online malware analysis sandbox is ANY.RUN. To learn more about ANY.RUN, please see the following link: https://app.any.run/.

Sometimes, a malware analysis tool may not always detect a malware as a threat on a network or system. Therefore, it is best practice to get a second opinion from a reputable source. We can use data from Cisco FMC, such as the hash value of the SWF.Exploit.Rigek malware, and insert it into VirusTotal (www.virustotal.com) for a second opinion on this potential threat.

The following screenshot shows how to use a hash of a file on VirusTotal:

Figure 8.18 – Using a hash on VirusTotal

As shown in the preceding screenshot, a security professional can simply visit the VirusTotal website, select the SEARCH option, and enter the hash value of any file. This allows VirusTotal to query its database and past records for any previous reports of a file that has the same hash value. If a match is found, VirusTotal will provide details to the user.

The following screenshot shows the results from VirusTotal, using the hash of the SWF.Exploit.Rigek malware:

Figure 8.19 – VirusTotal results

As shown in the preceding screenshot, VirusTotal provided a second opinion to Cisco FMC regarding the malware: 35 virus engines detected SWF.Exploit.Rigek as malware, while the other engines determined it to be benign—hence the need for a second opinion, especially in the case of threat analysis.
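Searching by hash, as done above, means the suspicious file never has to leave the analyst's machine. The following added example (written for this edition, not part of the book, of Cisco FMC or of VirusTotal) computes a file's SHA256 locally and turns a VirusTotal API v3 file report into the "N engines detected it" verdict the section describes. The HTTP request itself is deliberately left out; the two responses embedded below are constructed stand-ins shaped like the real last_analysis_stats object VirusTotal returns for a known file and the NotFoundError object it returns when a hash has never been seen. The detection counts in the sample are constructed to match the 35 detections of Figure 8.19 and are not the real report; the alert_threshold parameter is this example's own assumption.

```python
# Added example (not from the book): local SHA256 plus a summary of a
# VirusTotal v3 file report, including the "hash never seen" failure mode.
import hashlib
import json


def sha256_of_bytes(data):
    """Digest to search for; VirusTotal is queried by hash, so the sample
    itself stays on the analyst's machine."""
    return hashlib.sha256(data).hexdigest()


# Constructed response for a known file: 35 detections as in Figure 8.19;
# the remaining counts are made up for the example.
SAMPLE_VT_KNOWN = json.dumps({
    "data": {
        "id": "<sha256-placeholder>",
        "type": "file",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0,
                "malicious": 35,
                "suspicious": 0,
                "undetected": 36,
                "timeout": 1,
            }
        },
    }
})

# Constructed response for a hash VirusTotal has never seen (HTTP 404 body).
SAMPLE_VT_UNKNOWN = json.dumps({
    "error": {"code": "NotFoundError", "message": "File not found"}
})


def summarize_report(raw_json, alert_threshold=5):
    """Reduce a VirusTotal file report to detections, engines and a verdict.

    alert_threshold (an assumption of this example) is the number of
    malicious/suspicious verdicts at which the file is treated as malware.
    """
    report = json.loads(raw_json)
    if "error" in report:
        # No second opinion exists yet; do not mistake "unknown" for "clean".
        return {"detections": 0, "engines": 0, "verdict": "unknown to VirusTotal"}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    # Engines that timed out gave no verdict, so they are not counted.
    engines = stats["harmless"] + stats["malicious"] + stats["suspicious"] + stats["undetected"]
    hits = stats["malicious"] + stats["suspicious"]
    verdict = "malicious" if hits >= alert_threshold else "no consensus"
    return {"detections": hits, "engines": engines, "verdict": verdict}


if __name__ == "__main__":
    print("sha256 of an empty file:", sha256_of_bytes(b""))
    print(summarize_report(SAMPLE_VT_KNOWN))
    print(summarize_report(SAMPLE_VT_UNKNOWN))
```

In practice, sha256_of_bytes() is run over the sample captured by FMC, the digest is submitted to VirusTotal's file lookup, and the JSON body that comes back is handed to summarize_report(). The unknown case matters: a hash that VirusTotal has never seen yields no detections at all, which is a reason to submit the file to a sandbox such as the one built in the next lab, not evidence that it is benign.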

Additionally, VirusTotal can be used to scan websites for any potential threats. The following screenshot shows how a security professional can use the URL option on VirusTotal to insert a URL:

Figure 8.20 – URL scanning using VirusTotal

Once VirusTotal has completed its scan on the URL it will provide its detailed results, as follows:

Figure 8.21 – URL scan results

As shown in the preceding screenshot, only eight virus engines detected the target URL as a potential threat, while the others did not. Once again, it's always good to get a second opinion on threats within the cybersecurity industry. Up next, you will learn how to build your very own malware analysis sandbox using Cuckoo.

Lab exercise – Building a malware analysis sandbox

While there are many malware analysis sandboxes available online, these sandbox environments may be flooded from time to time with a lot of submissions from users around the world and become overwhelmed. If you are working in a large security team such as a Security Operations Center (SOC), you will commonly find a local sandbox that malware reverse engineers use frequently to understand the behavior and characteristics of malware and any potentially harmful files.

This lab exercise will teach you how to build your very own malware analysis sandbox using Cuckoo on your local machine. To get started with the lab exercise, ensure that you have the following requirements:

  • Oracle VirtualBox 6.1
  • VMware Workstation 15.5
  • Ubuntu 18.04 Desktop

Before getting started, the following are a number of important factors:

  • Ensure virtualization is enabled on your processor via the Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI).
  • Ensure that Oracle VirtualBox or VMware Workstation has access to the Intel VT-x or AMD-V feature.
  • Ensure the Ubuntu virtual machine (VM) is assigned two central processing units (CPUs), 8-10 GB RAM and 60 GB HDD storage.
  • On Ubuntu, create a user account named cuckoo; this will make the setup process easier for the sandbox environment.
  • Ensure Ubuntu 18.04 does not have internet access during the installation process. Only assign internet access after the installation has completed.
  • After installing Ubuntu on either VirtualBox or VMware Workstation, update the system repositories using the sudo apt-get update command.
  • Do not run the apt-get upgrade command, as this can cause the Ubuntu operating system to freeze at the logon screen.
  • If you are planning on using Oracle VirtualBox, ensure that you install the VirtualBox Guest Additions as this will benefit you in scaling the display and copying clipboard content between the host and guest operating systems.
  • If you are planning on using VMware Workstation, use the sudo apt install open-vm-tools-desktop command to install the VMware tools on Ubuntu.
  • If you feel uncertain about performing various tasks on the Ubuntu VM, create a snapshot. This will enable you to revert a VM to a point in time within a few seconds.

The following screenshot is a visual representation showing how the user (you) will be interacting with Cuckoo, an open source malware analysis sandbox environment:

Figure 8.22 – Sandbox environment

To get started building a malware analysis sandbox using Cuckoo, observe the following instructions:

Part 1 – Installing all the required software packages and dependencies

  1. Download and install either Oracle VirtualBox or VMware Workstation on your computer.
  2. Install Ubuntu 18.04 on either VirtualBox or VMware Workstation. During the installation process, do not update or upgrade anything on Ubuntu.
  3. Once installation is complete for the Ubuntu VM, install the VirtualBox Guest Additions if you are using Oracle VirtualBox. If you are using VMware Workstation, use the sudo apt install open-vm-tools-desktop command within the Linux terminal to install VMware Tools on Ubuntu. Restart the VM to ensure it takes effect.
  4. On the Linux terminal, run the following commands to install the necessary dependencies for the Cuckoo sandbox:

    cuckoo@ubuntu:~$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev

    cuckoo@ubuntu:~$ sudo apt-get install python-virtualenv python-setuptools

    cuckoo@ubuntu:~$ sudo apt-get install libjpeg-dev zlib1g-dev swig

  5. Next, install MongoDB, which stores the analysis results that the Cuckoo web interface reads, and PostgreSQL, which Cuckoo can use as its task database, as follows:

    cuckoo@ubuntu:~$ sudo apt-get install mongodb

    cuckoo@ubuntu:~$ sudo apt-get install postgresql libpq-dev

    Once the entire setup and configuration process is complete, the web interface will allow us to interact with the Cuckoo malware analysis sandbox. We'll be able to submit potentially harmful files to the sandbox, which Cuckoo will execute and then gather data regarding its behavior.

  6. Within our Ubuntu VM, we'll need to install Oracle VirtualBox in order for Cuckoo to create additional VMs to analyze malware. To install VirtualBox within Ubuntu, use the following command:

    cuckoo@ubuntu:~$ sudo apt-get install virtualbox

    This command will allow Ubuntu to download and install the latest version of VirtualBox from the online repository. VirtualBox is required for the execution of the Cuckoo sandbox. By default, there won't be any virtual networks (adapters) configured on VirtualBox. We will use VMCloak to create the virtual networks later on.

  7. To allow Cuckoo to perform network traffic analysis, let's install TCPdump on Ubuntu using the following commands:

    cuckoo@ubuntu:~$ sudo apt-get install tcpdump apparmor-utils

    cuckoo@ubuntu:~$ sudo aa-disable /usr/sbin/tcpdump

    The AppArmor profile shipped for tcpdump on Ubuntu restricts the paths that tcpdump may write to, which prevents it from saving captures into Cuckoo's analysis directories; disabling the profile removes that restriction. Cuckoo then uses tcpdump to create a Packet Capture (PCAP) file for each analysis, which can later be examined with protocol analyzers or replayed through an Intrusion Detection System (IDS) to detect further threats.

  8. Since we have already created a user account named cuckoo, we need to assign it to the vboxusers group by using the following command:

    cuckoo@ubuntu:~$ sudo usermod -a -G vboxusers cuckoo

    This will allow the cuckoo user to use our virtualization application—that is, VirtualBox—on the Ubuntu machine.

  9. Cuckoo should not be run as the root user, but tcpdump needs elevated privileges to capture packets. Rather than running everything as root, grant tcpdump only the two capabilities it needs and restrict who may execute it, using the following commands:

    cuckoo@ubuntu:~$ sudo groupadd pcap

    cuckoo@ubuntu:~$ sudo usermod -a -G pcap cuckoo

    cuckoo@ubuntu:~$ sudo chgrp pcap /usr/sbin/tcpdump

    cuckoo@ubuntu:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

  10. Next, we will install Volatility, which is a tool that performs forensic analysis on memory dumps to detect potential threats on an operating system. The following command will allow you to install Volatility:

    cuckoo@ubuntu:~$ sudo apt-get install volatility

  11. Next, we will need to install M2Crypto, which is a Python-based wrapper for OpenSSL. This is a requirement for the Cuckoo sandbox. Use the following command to install M2Crypto:

    cuckoo@ubuntu:~$ sudo pip install m2crypto

    Tip

    If you want to increase file limits on the Cuckoo sandbox, information is available at https://cuckoo.readthedocs.io/en/latest/faq/#openfiles24.
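As an added example that is not part of this book or of the Cuckoo project, the following shell script verifies the non-root tcpdump setup from steps 7 to 9 before you move on. It assumes that tcpdump lives at /usr/sbin/tcpdump, that aa-disable records its work as a symlink under /etc/apparmor.d/disable, and that the sandbox user is named cuckoo; the check_* functions take command output as text, so the logic can be tried out with constructed strings and without root.

```shell
#!/bin/sh
# Added example, not from the book: a preflight check for the non-root tcpdump
# setup in steps 7-9 of Part 1. Each check_* function takes command output as
# text so it can be exercised with constructed strings; preflight() feeds it
# the real output from this host.
set -eu

TCPDUMP=/usr/sbin/tcpdump                 # assumed path (see `which tcpdump`)
APPARMOR_DISABLED=/etc/apparmor.d/disable # where aa-disable places its symlink

# check_caps GETCAP_OUTPUT
# Accepts both getcap output styles: "... = cap_net_admin,cap_net_raw+eip"
# (older libcap) and "... cap_net_admin,cap_net_raw=eip" (newer libcap).
# Both capabilities must be in the effective, inheritable and permitted sets.
check_caps() {
  caps="${1##* }"                          # last whitespace-separated field
  case "$caps" in *cap_net_raw*) ;; *) return 1 ;; esac
  case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
  case "$caps" in *+eip|*=eip) return 0 ;; *) return 1 ;; esac
}

# check_groups ID_OUTPUT
# ID_OUTPUT is the space-separated list from `id -nG cuckoo`; the user must be
# in vboxusers (step 8) and pcap (step 9).
check_groups() {
  glist=" $1 "
  case "$glist" in *" vboxusers "*) ;; *) return 1 ;; esac
  case "$glist" in *" pcap "*) ;; *) return 1 ;; esac
}

# check_group_owner STAT_OUTPUT: group owner of tcpdump (stat -c %G) must be pcap.
check_group_owner() { [ "$1" = pcap ]; }

# check_apparmor DISABLE_DIR: aa-disable creates DISABLE_DIR/usr.sbin.tcpdump.
check_apparmor() { [ -e "$1/usr.sbin.tcpdump" ]; }

# run_check LABEL FUNCTION ARG...: print one PASS/FAIL line, return 1 on FAIL.
run_check() {
  label="$1"; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# preflight: run every check against this host; returns the number of failures.
preflight() {
  failed=0
  run_check "tcpdump capabilities (setcap)" check_caps \
    "$(getcap "$TCPDUMP" 2>/dev/null || true)" || failed=$((failed + 1))
  run_check "cuckoo user in vboxusers and pcap" check_groups \
    "$(id -nG cuckoo 2>/dev/null || true)" || failed=$((failed + 1))
  run_check "tcpdump group owner is pcap" check_group_owner \
    "$(stat -c %G "$TCPDUMP" 2>/dev/null || true)" || failed=$((failed + 1))
  run_check "AppArmor profile for tcpdump disabled" check_apparmor \
    "$APPARMOR_DISABLED" || failed=$((failed + 1))
  return "$failed"
}

# Run as:  sh check-cuckoo-host.sh run   (the exit status is the failure count)
case "${1:-}" in run) preflight ;; esac
```

Run it as the cuckoo user after logging out and back in, because group membership added with usermod only takes effect on a new login; a FAIL on the group check after a fresh login usually means that step.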

Part 2 – Creating the Python virtual environment

  1. It is recommended to install the Cuckoo sandbox in a virtualenv on Linux. I've found a cool script online that makes it super simple to set up a virtual environment on Ubuntu. Therefore, use the following commands to download and execute the script on Ubuntu:

    cuckoo@ubuntu:~$ wget https://bit.ly/3h1vgvO

    cuckoo@ubuntu:~$ cp 3h1vgvO setup-virtualenv.sh

    Important note

    To view the original virtualenv setup script for Ubuntu, see the following URL: https://gist.github.com/jstrosch/de20131dda2aac5cd1116dd44b8f2474. Read it before running it; executing a script fetched from a shortened URL without inspection is a habit to avoid.

  2. Next, make the script executable and run it as the cuckoo user, as follows:

    cuckoo@ubuntu:~$ chmod +x setup-virtualenv.sh

    cuckoo@ubuntu:~$ sudo -u cuckoo ./setup-virtualenv.sh

    cuckoo@ubuntu:~$ source ~/.bashrc

    This step may be time-consuming based on the computing resources assigned to your Ubuntu VM.

  3. Next, create a virtual environment for the Cuckoo sandbox, as follows:

    cuckoo@ubuntu:~$ mkvirtualenv cuckoo-sandbox

    This command creates a virtual environment named cuckoo-sandbox. Once it has been created, the shell prompt changes to include the name of the virtual environment, which indicates that we are now working within the cuckoo-sandbox virtual environment on our Ubuntu machine.

    Tip

    If you happen to exit the virtual environment, you can use the workon cuckoo-sandbox command to re-enter.

Part 3 – Installing Cuckoo and creating VMs

  1. Next, upgrade pip and setuptools inside the virtual environment, and then install Cuckoo, using the following commands:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ pip install -U pip setuptools

    (cuckoo-sandbox) cuckoo@ubuntu:~$ pip install -U cuckoo

  2. Next, let's create a VM running Microsoft Windows 7 Ultimate. The following commands will download a copy of Microsoft Windows 7 Ultimate from the Cuckoo website and mount it within Ubuntu:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ wget https://cuckoo.sh/win7ultimate.iso

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo mkdir /mnt/win7

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo chown cuckoo:cuckoo /mnt/win7

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo mount -o ro,loop win7ultimate.iso /mnt/win7

  3. Use the following commands to install the necessary packages for VMCloak and Cuckoo:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install build-essential libssl-dev libffi-dev python-dev genisoimage

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install zlib1g-dev libjpeg-dev

    (cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install python-pip python-virtualenv python-setuptools swig

  4. Then, you need to install the VMCloak tool on Ubuntu. This can be done using the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ pip install vmcloak

    VMCloak handles the automation of creating VMs.

  5. Currently, VirtualBox on Ubuntu does not have any network adapters. We can use VMCloak to create a network adapter on VirtualBox by using the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak-vboxnet0

    Once the adapter has been created successfully, you will see the new vboxnet0 interface on both VirtualBox and the Ubuntu machine.

  6. In order for Cuckoo to perform its malware analysis, it needs a Microsoft Windows 7 VM to run samples in. The following command builds the base Windows 7 VM inside Ubuntu, assigning it two CPUs and 2 GB of RAM:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak init --verbose --win7x64 win7x64base --cpus 2 --ramsize 2048

    This process is also very time-consuming.

  7. After the VM has been created, we need to create a clone of it. To create a clone of the VM with VMCloak, use the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak clone win7x64base win7x64cuckoo

    Cuckoo runs each analysis in the clone and reverts it to a clean snapshot afterwards, so every sample starts from the same known-good state and nothing left behind by one sample can influence the next.

    Tip

    To view the entire list of software packages that can be installed within the VM, use the vmcloak list deps command. To install a specific software package on the VM, use the vmcloak install <image name> <package> syntax.

  8. Let's now install a package on our Windows 7 VM using VMCloak. By way of a simple example, we can install Internet Explorer 11 on the VM by using the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak install win7x64cuckoo ie11

  9. Whether you have installed packages or not, you need to create a snapshot of the VM, as follows:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak snapshot --count 4 win7x64cuckoo 192.168.56.101

    This command creates four snapshot VMs with consecutive IP addresses, from 192.168.56.101 to 192.168.56.104. Once this is done, use the vmcloak list vms command to view a list of the VMs created, shown as follows:

Figure 8.23 – Verifying VMs using VMCloak

Part 4 – Configuring Cuckoo

  1. Next, we need to configure Cuckoo by using the cuckoo init command. This command will initialize and configure the Cuckoo sandbox environment automatically. Once it's complete, you will get the following output:
    Figure 8.24 – Verifying that Cuckoo has been initialized

  2. Download the community-maintained behavioral signatures and reporting modules onto the Cuckoo sandbox by using the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo community

  3. Since we've installed VMCloak, let's use it to add VMs for Cuckoo to use to perform malware analysis. To complete this task, use the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ while read -r vm ip; do cuckoo machine --add $vm $ip; done < <(vmcloak list vms)

    Now, we have our four VMs available.

  4. Next, access the virtualbox.conf file within the Cuckoo directory using the following commands:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cd ~/.cuckoo/conf

    (cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano virtualbox.conf

  5. Delete cuckoo1 from the line that reads machines = cuckoo1, 192.168.56.1011, 192.168.56.1012, 192.168.56.1013, 192.168.56.1014. The cuckoo1 entry is the placeholder that cuckoo init writes; no VM by that name exists in VirtualBox.
  6. Then, delete everything from the line that begins with [cuckoo1] to the line just before [192.168.56.1011]. Press Ctrl + X to exit, and then hit Y for yes, followed by Enter to save the file.

    We can configure internet access for all the VMs. It is not mandatory, but without it the malware cannot reach its Command and Control (C2) servers to retrieve instructions and payloads, so that part of its behavior is never observed. The network traffic the malware generates when it is allowed out gives Cuckoo much better insight into its behavior.

    Important note

    If the malware is able to connect to the internet, it can also attempt to replicate itself and spread to other devices on your network and even devices on the internet. Please be careful.

  7. Use the ip addr command on Ubuntu to determine the name of the interface on your Ubuntu machine that has the internet connection; for example, on my Ubuntu machine this adapter is named ens33. This name is needed to forward traffic from the VMs to the internet.
  8. We will need to modify the routing.conf file to specify the network adapter that has the internet connection. Use the following commands to perform this task:

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cd ~/.cuckoo/conf

    (cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano routing.conf

    Change internet = none to internet = ens33 (replace ens33 with the name of your network adapter). To exit, press Ctrl + X, hit Y, and then press Enter to save the file.

  9. Next, we need to modify the reporting.conf file so that analysis results are written to MongoDB, which is where the web interface reads them from. To perform this action, use the following command:

    (cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano reporting.conf

    Scroll down until you reach the [mongodb] section, and then change enabled = no to enabled = yes, shown as follows:

    Figure 8.25 – Changing the mongodb configurations

    Once this change is complete, to exit, press Ctrl + X, hit Y, and then press Enter to save the file.

    Tip

    You can also configure Per-Analysis Network Routing for Cuckoo, which allows you to configure how to route traffic through various services such as Tor and a virtual private network (VPN). Personally, I recommend using a VPN connection on your sandbox VM. To learn more on how to configure this type of advanced routing, please refer to the official documentation at https://cuckoo.sh/docs/installation/host/routing.html#per-analysis-network-routing-options.

  10. Next, we can enable per-analysis network routing, so that a route can be chosen when a sample is submitted. This requires the Cuckoo Rooter, a separate privileged helper that applies the routing and firewall changes on Cuckoo's behalf, allowing Cuckoo itself to keep running as the unprivileged cuckoo user.

    Open a new terminal and use the following commands to run the Cuckoo Rooter:

    cuckoo@ubuntu:~$ workon cuckoo-sandbox

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo rooter --sudo --group cuckoo
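    The edits in steps 4 to 9 can also be made without opening nano, which is convenient when the sandbox is rebuilt often. The following shell script is an added example, not from the book or from the Cuckoo project, that assumes only the INI-style layout that cuckoo init writes under ~/.cuckoo/conf (a [section] header followed by key = value lines). It runs on a constructed copy of the three files and prints the edited text to standard output so that it can be reviewed before replacing the originals.

```shell
#!/bin/sh
# Added example, not from the book: edit the Cuckoo configuration files from
# Part 4 without an interactive editor. Assumes the INI-style layout that
# `cuckoo init` writes under ~/.cuckoo/conf. Each function prints the edited
# file to stdout so the result can be reviewed before it replaces the original.
set -eu

# remove_machine CONF NAME
# Drops NAME from the "machines = ..." list and deletes the whole [NAME]
# section (up to, but not including, the next section header).
remove_machine() {
  conf="$1"; name="$2"
  awk -v name="$name" '
    /^\[/ { skip = ($0 == ("[" name "]")); if (skip) next }
    skip { next }
    /^machines[ \t]*=/ {
      sub(/^machines[ \t]*=[ \t]*/, "")
      n = split($0, items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", items[i])
        if (items[i] != "" && items[i] != name)
          out = out (out == "" ? "" : ", ") items[i]
      }
      print "machines = " out
      next
    }
    { print }
  ' "$conf"
}

# set_option CONF SECTION KEY VALUE
# Rewrites "KEY = ..." inside [SECTION] only; the same key in other sections
# (for example "enabled" under [jsondump]) is left untouched.
set_option() {
  conf="$1"; section="$2"; key="$3"; value="$4"
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    /^\[/ { in_sec = ($0 == sec) }
    in_sec && $0 ~ ("^" key "[ \t]*=") { print key " = " val; next }
    { print }
  ' "$conf"
}

# Demo on constructed, abridged copies of the three files (the real ones live
# in ~/.cuckoo/conf). Replace a real file only after reviewing the output:
#   remove_machine ~/.cuckoo/conf/virtualbox.conf cuckoo1 > /tmp/vb.conf \
#     && mv /tmp/vb.conf ~/.cuckoo/conf/virtualbox.conf
demo() {
  tmp="$(mktemp -d)"
  cat > "$tmp/virtualbox.conf" <<'EOF'
[virtualbox]
mode = headless
interface = vboxnet0
machines = cuckoo1, 192.168.56.1011, 192.168.56.1012

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101

[192.168.56.1011]
label = 192.168.56.1011
platform = windows
ip = 192.168.56.101
EOF
  printf '%s\n' '[routing]' 'route = none' 'internet = none' > "$tmp/routing.conf"
  printf '%s\n' '[jsondump]' 'enabled = yes' '' '[mongodb]' 'enabled = no' \
    'host = 127.0.0.1' > "$tmp/reporting.conf"

  remove_machine "$tmp/virtualbox.conf" cuckoo1        # steps 5 and 6
  set_option "$tmp/routing.conf" routing internet ens33 # step 8 (your adapter name)
  set_option "$tmp/reporting.conf" mongodb enabled yes  # step 9
  rm -r "$tmp"
}

demo
```

    Because the functions write to standard output rather than editing in place, a mistake in an argument cannot damage the real configuration; diff the output against the original before moving it into ~/.cuckoo/conf.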

Part 5 – Starting and working with the Cuckoo sandbox

  1. Open another terminal on your Ubuntu machine. This new terminal will be used to start the Cuckoo sandbox environment. Use the following commands to perform this action:

    cuckoo@ubuntu:~$ workon cuckoo-sandbox

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo

    This terminal is used to monitor the Cuckoo sandbox environment. Among the log messages that appear in it, you should see confirmation that the four VMs have been loaded.

  2. Next, we need to enable the web server within the virtual environment. Open a new terminal and run the following commands:

    cuckoo@ubuntu:~$ workon cuckoo-sandbox

    (cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo web --host 127.0.0.1 --port 8080

  3. Once the web server is running, open the web browser on the Ubuntu machine and go to the following URL to access the web interface for the Cuckoo sandbox:

    http://127.0.0.1:8080/

    The following screenshot shows the Cuckoo sandbox web interface:

Figure 8.26 – Cuckoo web interface

Now, you can submit malware, hashes, and URLs to your Cuckoo sandbox environment in order to perform malware analysis. After Cuckoo has completed the analysis, click anywhere within the row to access the report, as shown in the following screenshot:

Figure 8.27 – Accessing the analysis report

The following screenshot shows an example of a report provided by Cuckoo:

Figure 8.28 – Cuckoo-generated report

In the event that you want to reset the Cuckoo sandbox environment, use the cuckoo clean command within the Cuckoo sandbox virtual environment. Be aware that this deletes all submitted tasks and their stored results, so export any reports you still need first. After a clean, Cuckoo may be unresponsive; simply restart the Rooter, Cuckoo, and the web server again, as shown from Part 4, Step 10 to Part 5, Step 3.

Having completed this lab exercise, you have learned how to build your very own malware analysis sandbox environment on your local computer. Please be mindful that if you allow the sandbox internet access during the malware analysis process, the malware can spread and infect systems on your local network as well.

Summary

Having completed this chapter, you have learned about various characteristics and key elements of various filesystems for both the Microsoft Windows and Linux operating systems. Additionally, you have acquired knowledge in terms of how cybersecurity professionals use a scoring system such as the CVSS to obtain a severity score on a vulnerability and determine the priority. Furthermore, we took a dive into learning about and exploring various malware analysis tools; and lastly, you gained the skills required to build your very own malware analysis sandbox.

I hope that this chapter has been informative for you and will be helpful in your journey to learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification. In the next chapter, you will learn about the need for computer forensics, the types of evidence that can be acquired during an investigation, and how to get started with forensics as a security analyst.

Questions

The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement. The answers to the questions can be found in the Assessments section at the end of this book:

  1. Which filesystem allows a threat actor to hide a file within another file so as to avoid detection?

    A. EXT4

    B. NTFS

    C. EXT3

    D. FAT32

  2. Which filesystem is currently being used on Linux systems?

    A. HFS+

    B. FAT32

    C. EXT4

    D. APFS

  3. Which command can be used to view a list of partitions on a Linux system?

    A. parted

    B. dparted

    C. view partition

    D. ls -l

  4. Which metric within CVSS defines how an attack can happen on a target system?

    A. Attack complexity

    B. Network

    C. Attack vector

    D. Adjacent

  5. Which of the following can be submitted to VirusTotal to perform malware analysis?

    A. File

    B. URL

    C. Hash

    D. All of the above
