Understanding filesystems used within various operating systems can help you, as a cybersecurity professional, better understand limitations on file and partition sizes. Imagine, during an investigation on a compromised Windows system, that you as the forensic investigator are required to understand the filesystem of a computer and how it functions. Furthermore, as a security professional, it's important to understand how various metrics are used to determine the severity and priority of vulnerabilities found on a system.
Throughout the course of this chapter, you will discover the fundamentals of filesystems that are used by the Microsoft Windows and Linux operating systems. You will learn how to use the Common Vulnerability Scoring System (CVSS) calculator to determine the severity of a vulnerability, and why CVSS is an industry-recognized tool. Furthermore, you will learn how malware analysis tools work and gain hands-on experience in building your very own malware analysis sandbox.
In this chapter, we will cover the following topics:
To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:
Link for Code in Action video https://bit.ly/3ey0NEC
When you purchase a new storage device such as a hard disk drive (HDD) or solid state drive (SSD), the storage component is literally blank without anything on it. Imagine connecting a new HDD or SSD to your computer for the first time. Your computer will not recognize the storage drive and won't be able to write any data on it. Storage devices require a filesystem, which the operating system will use to organize how data is stored on the drive itself.
Imagine years ago, if you wanted to call your friend's landline telephone but did not know their number, you would have needed to use a traditional telephone directory. This was a large printed book containing publicly listed telephone numbers with the person's name and address. Think of a filesystem as the storage drive's equivalent of that directory: it records where each file lives on the drive. Hence, when a user or an operating system wants to locate a file, the task is much easier when the storage drive has a filesystem. Without a filesystem, locating a particular piece of data on a storage drive such as a traditional HDD is difficult, as there is no order or procedure governing how files are stored.
Furthermore, a filesystem allows a user and an operating system to better manage any free spaces on the storage drive. The following screenshot shows the properties of the C: drive on a Windows 10 computer:
As shown in the preceding screenshot, the filesystem for the device is using the New Technology File System (NTFS) and we are able to determine the amount of used and free space on the drive.
You're probably wondering: What does a filesystem have to do with cybersecurity? As a security analyst, or even a computer forensic investigator, you may be asked to retrieve data from a drive that contains potential evidence of a cybercrime. Therefore, understanding the characteristics of various filesystems will help you determine whether there are any file size limitations, the total capacity for a single partition or storage volume, and whether the filesystem supports data encryption and compression.
There are many filesystems that are commonly used by the Microsoft Windows operating system. The following are filesystems that are available for Microsoft Windows:
Next, we will take a dive into understanding a feature found within the NTFS filesystem that allows you to hide a file within another file.
Alternate Data Streams (ADS) allow a user with administrative privileges to hide a file within another file. The functionality of ADS was not intended to be malicious in nature, but threat actors such as hackers saw this feature as an opportunity within the NTFS filesystem to hide data within another file so as to evade detection.
To get a better understanding of ADS and how it works, we will perform a simple hands-on exercise in the next section.
During this lab exercise, you will learn how to use ADS on the NTFS filesystem to hide a text file within another file using the Microsoft Windows 10 operating system.
To get started with this lab exercise, observe the following instructions:
C:>echo "This is the data found within the safe file" > safefile.txt
As shown in the preceding screenshot, the file size of safefile.txt is 48 bytes.
C:>echo "This data located within our secret file" > safefile.txt:oursecretfile.txt
As shown in the preceding screenshot, the oursecretfile.txt file is not present. The reason is that the file is hidden within safefile.txt. However, the file size of safefile.txt did not increase, even though oursecretfile.txt contains data of its own.
As shown in the preceding screenshot, we are now able to see oursecretfile.txt and its file size of 45 bytes. Furthermore, the entry for the ADS hidden file does not show a date or timestamp, unlike the other files.
C:>notepad safefile.txt:oursecretfile.txt
The following screenshot shows the expected results after executing the command:
As shown in the preceding screenshot, we are now able to view the contents of the hidden file using ADS.
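Listing a directory with the Windows dir /r switch is what exposes stream entries such as safefile.txt:oursecretfile.txt:$DATA, which is the kind of evidence an investigator looks for when checking whether ADS has been used on a system. As an added example that is not part of this chapter, the following Python script parses such a listing and reports every alternate data stream it finds. It goes slightly beyond the lab by filtering out the Zone.Identifier stream that Windows attaches to files downloaded from the internet, so that only unexpected streams are flagged. The listing text, the C:\ads-lab directory and the setup.exe entry are constructed sample data; the layout follows the real dir /r output, where a stream entry carries a size but no date or time columns.

```python
import re
from typing import List, NamedTuple

# Constructed sample output of `dir /r` (assumption: same layout as the real
# Windows 10 listing, in which a stream entry has no date/time columns).
SAMPLE_DIR_R_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\ads-lab

06/01/2020  10:00 AM    <DIR>          .
06/01/2020  10:00 AM    <DIR>          ..
06/01/2020  10:01 AM                48 safefile.txt
                                    45 safefile.txt:oursecretfile.txt:$DATA
06/01/2020  10:05 AM           102400 setup.exe
                                   26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         102448 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line is: leading spaces, a size, then host:stream:$DATA.
# Regular file lines start with a date, so they never match.
STREAM_LINE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<host>[^:\r\n]+):(?P<stream>[^:\r\n]+):\$DATA\s*$"
)

# Streams that are expected on a normal system and should not raise an alert.
# Zone.Identifier is written by Windows for files downloaded from the internet.
BENIGN_STREAMS = {"Zone.Identifier"}


class StreamEntry(NamedTuple):
    host_file: str   # the visible file that carries the stream
    stream: str      # the name of the alternate data stream
    size: int        # size of the stream in bytes


def parse_dir_r(listing: str) -> List[StreamEntry]:
    """Return every alternate data stream reported in a `dir /r` listing."""
    entries: List[StreamEntry] = []
    for line in listing.splitlines():
        match = STREAM_LINE.match(line)
        if match:
            size = int(match["size"].replace(",", ""))
            entries.append(StreamEntry(match["host"], match["stream"], size))
    return entries


def suspicious_streams(listing: str) -> List[StreamEntry]:
    """Return only the streams that are not on the known-benign list."""
    return [e for e in parse_dir_r(listing) if e.stream not in BENIGN_STREAMS]


if __name__ == "__main__":
    for entry in suspicious_streams(SAMPLE_DIR_R_OUTPUT):
        print(f"{entry.host_file} hides stream '{entry.stream}' ({entry.size} bytes)")
```

On the sample listing, the script reports only oursecretfile.txt hidden inside safefile.txt; the Zone.Identifier stream on setup.exe is recognized as routine and skipped. On a live Windows host, the same check can be performed without parsing text by using PowerShell's Get-Item cmdlet with the -Stream * parameter, which lists a file's streams directly.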
Having completed this lab exercise, you have learned how a threat actor can take advantage of ADS within the NTFS filesystem to hide a file within another file. Having this knowledge will help you further understand how hackers can use native features within a filesystem to perform malicious actions during a cyber-attack. As a cybersecurity professional, understanding how ADS works will better prepare you for discovering whether a user has used ADS to hide a file within another file on the NTFS filesystem. Next, we will take a dive into exploring the characteristics of the Linux filesystem.
The Linux operating system uses the Extended File System (EXT), which has many features, as well as providing speed and performance for the operating system. There are a few versions of EXT and, as a cybersecurity professional, it's beneficial to understand the characteristics of each one. Let's have a look at the different versions here:
Important note
Journaling is a feature that improves performance and reduces the number of times data is written to an HDD or an SSD. By reducing the number of times data is written to a drive, it increases the lifespan of the drive itself.
On a Linux system, you can use the parted -l command to view all partitions on a host device. The following screenshot shows an example of using the parted -l command:
As shown in the preceding screenshot, the name of the local drive is sda, the boot partition on the HDD is formatted using fat32, and partition 5 is using the ext4 filesystem for data storage. Additionally, you are able to see the sizes of each partition.
Important note
Additional tools, including gparted and fdisk, allow a user to perform disk management functions within the Linux operating system. These tools have a similar functionality to the parted tool.
Having completed this section, you have acquired some knowledge regarding the various filesystems used with the Linux operating system. In the next section, we'll take a dive into learning how to calculate the severity score of a vulnerability, using a popular scoring system.
CVSS 3.1 is a non-vendor-specific system widely accepted by the cybersecurity community that helps professionals and researchers to determine the severity of a vulnerability. Imagine that a security engineer performs a vulnerability assessment on an organization's IT infrastructure and the result provides a number of security flaws found within many systems. What if the security engineer chooses to remediate and fix random vulnerabilities? This means that vulnerabilities that may impact critical services and devices may not gain the attention of security professionals while they are resolving less important security flaws.
Important note
The Forum of Incident Response and Security Teams (FIRST) maintains the CVSS 3.1 calculator on their website at https://www.first.org/cvss/calculator/3.1.
A security professional can input various factors into the CVSS 3.1 calculator to get a score ranging from 0 to 10, where 10 is critical and should be given the highest priority. Using this type of scoring system allows a security professional and vendors to determine how to prioritize vulnerabilities and which one should be addressed first on a system.
An important question is: how can a number such as a score be assigned to a vulnerability and what are the components needed to determine the score? The CVSS 3.1 calculator allows a user to input various components and factors that describe how a system can be exploited by a threat actor. These components are referred to as metrics.
The base score is simply the core metrics, which do not change over time. The following is a complete breakdown for each metric within the base score category:
a) Network (N): Indicates that an attack can occur across a network.
b) Adjacent (A): Indicates that an attack can be launched from the same local network as the target system.
c) Local (L): This selection indicates that an attack can be launched on a local system.
d) Physical (P): Indicates that an attacker requires physical access to the target system.
a) Low (L): Indicates that an attacker does not require any specialist conditions to launch an attack.
b) High (H): Indicates that an attacker needs to perform additional actions to ensure that an attack is successful.
a) None (N): Choosing none indicates that no privileges are required to perform an attack by the threat actor.
b) Low (L): Using low indicates that an attacker requires basic-level privileges in order for an attack to be successful.
c) High (H): Indicates that an attacker requires administrative privileges.
a) None (N): Indicates that a target system can be exploited without the need for human interaction.
b) Required (R): Indicates that user interaction is required for a successful exploitation.
a) Unchanged (U): Indicates that the exploit can only affect a specific vulnerability that an attacker is targeting.
b) Changed (C): Indicates that a vulnerability can affect other resources on a system.
a) None (N): Indicates that confidentiality is not impacted.
b) Low (L): Indicates that a vulnerability can create some loss of confidentiality.
c) High (H): Indicates a total loss of confidentiality.
a) None (N): Indicates that there is zero impact on integrity.
b) Low (L): Indicates that there is a possibility that integrity may be affected.
c) High (H): Indicates that there is a total impact or loss of integrity on a system.
a) None (N): Indicates that there is no impact on availability on a system.
b) Low (L): Indicates that there is little impact on availability.
c) High (H): Indicates that there is a total loss of availability on a system.
To get a better understanding of how to use the CVSS 3.1 calculator, let's assume the following: there is a vulnerability on a system that can be exploited across networks; the threat actor does not require any special conditions to launch an attack; no privileges are required; user interaction by the victim is not required; the vulnerability does not affect any other components. Confidentiality, integrity, and availability will be lost if the vulnerability is exploited.
We can use the CVSS 3.1 calculator at https://www.first.org/cvss/calculator/3.1 to determine our vulnerability score, shown as follows:
As shown in the preceding screenshot, the CVSS 3.1 calculator evaluates the vulnerability score using all the information provided to be 9.8 (Critical). Additionally, the following vector string is obtained:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vector string is used to quickly identify the calculator version and the metric values that were used to obtain the vulnerability score using the base score category.
The temporal score denotes the metrics that can change over time on a vulnerability—in other words, a vulnerability can change over time. A simple example is a vulnerability found within an application and, after some time has passed, the vendor releases a security patch to fix the flaw within the application.
The following is a detailed breakdown of each metric found within the temporal score category:
a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.
b) Unproven (U): This means that the exploit code does not exist and is only theoretical.
c) Proof-of-Concept (P): This means that proof-of-concept (PoC) exploit code is available, but the attack has only been demonstrated on some systems and not all.
d) Functional (F): The exploit code takes advantage of the vulnerability on most systems.
e) High (H): The exploit code works on every vulnerable system.
a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.
b) Official Fix (O): This option indicates that an official solution is available to fix the vulnerability.
c) Temporary Fix (T): This option indicates that a temporary fix is available for the vulnerability.
d) Workaround (W): This option indicates that an unofficial workaround solution is available.
e) Unavailable (U): This option indicates that a solution is not available to fix the vulnerability.
a) Not Defined (X): This selection can be chosen if there is not enough information to choose another value for this metric.
b) Unknown (U): This option indicates that the vulnerability exists but no details are known.
c) Reasonable (R): This option indicates that there are sufficient details about the vulnerability, but these are unconfirmed.
d) Confirmed (C): This option indicates that there are official details from the vendor regarding the vulnerability.
To get an idea of how temporal metrics can be used, the following screenshot shows the Temporal Score metrics on the CVSS 3.1 calculator:
As shown in the preceding screenshot, the temporal score is lower than the base score. Additionally, the vector string has been updated to the following to include both the base and temporal scores:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C
Keep in mind that the temporal score is always lower than the base score on the CVSS calculator. Next, let's take a look at the metrics found within the environmental score.
The environmental score contains the metrics that are bound to the user operating environment. The following metrics are applicable to just your operating environment:
Adjusting the environmental score will usually lower the base score on the CVSS 3.1 calculator. The following screenshot shows the Environmental Score metrics on the CVSS 3.1 calculator:
As shown in the preceding screenshot, the user can choose various options within the Environmental Score category. As you have seen thus far, the CVSS calculator provides a score that allows us to determine the severity level of a vulnerability and how it should be prioritized over others. To make each score easier to interpret, FIRST has created a qualitative severity rating scale, which maps a given score to a rating level.
The following table shows FIRST's qualitative severity rating scale:
Imagine obtaining a score of 5.6 on a vulnerability on a system, which means the severity rating is medium, while another vulnerability provides a score of 3.1, which is low. As a security professional, you should always take action in relation to tasks that are more critical and have a higher priority.
Having completed this section, you have learned about the role CVSS plays within the cybersecurity industry, which helps professionals—and even vendors—to better understand the severity rating of vulnerabilities on a system. In the next section, we will take a dive into understanding and working with malware analysis tools.
As a cybersecurity professional, you may be required to perform analysis on suspicious files, Uniform Resource Locators (URLs), or even hash values. Many times, a user may scan a file using an anti-malware application and the results will show that the file is benign and not harmful. However, keep in mind that an anti-malware protection application may not always detect a malicious file or URL as harmful, and this can be a huge concern. Therefore, it's really important to get a second opinion from another malware analysis scanning tool.
Important note
The Cisco Threat Grid is a product from Cisco that is an on-premises malware analysis sandbox.
To gain a better understanding of malware analysis tools, let's take a look at Cisco's Firepower Management Center (FMC). Cisco FMC is integrated in many of Cisco's security appliances and solutions, and this allows a security engineer to gain an overview of the entire threat landscape on their network.
The following screenshot shows the user dashboard of Cisco FMC:
As shown in the preceding screenshot, Cisco FMC provides the top Indicators of Compromise (IoCs) by host devices, users, malware threats, and even the number of intrusions over a given period of time. Cisco FMC allows a security engineer to gather in-depth details regarding a threat on a network.
The following screenshot shows the top malware threats using Cisco FMC:
As shown in the preceding screenshot, various malware threats were detected on the network. For each malware threat, Cisco FMC provides a count of the number of occasions when the threat was detected on the network. Let's imagine you want to get further details regarding the SWF.Exploit.Rigek threat. Within Cisco FMC, you can simply click on it to get further details.
The following screenshot shows a summary of details gathered by Cisco FMC regarding the SWF.Exploit.Rigek threat while it was on the network:
As shown in the preceding screenshot, Cisco FMC determined that the file was malware and computed a SHA256 hash of the malicious file. By clicking on the hash value of the malware, Cisco FMC provides even more details regarding the threat, as shown in the following screenshot:
As shown in the preceding screenshot, Cisco FMC provides data on all four counts of the SWF.Exploit.Rigek threat. Cisco FMC provides the time and date the threat was detected; the actions taken by Cisco FMC to mitigate the malware; the source and destination Internet Protocol (IP) addresses; the source and destination port numbers; and the countries of origin and destination.
Additionally, you are able to ascertain the threat score, the file type, the file URL, the application protocol, the client used to access the malware, and even the web application, as shown here:
Furthermore, the Cisco FMC malware analysis tool allows us to obtain advanced details, such as trajectory data about the threat. The following screenshot shows advanced details of the SWF.Exploit.Rigek malware on Cisco FMC:
As shown in the preceding screenshot, a security engineer is able to gather full details regarding a threat that has been detected using Cisco security solutions with Cisco FMC as the management dashboard.
Important note
Another online malware analysis sandbox is ANY.RUN. To learn more about ANY.RUN, please see the following link: https://app.any.run/.
Sometimes, a malware analysis tool may not detect malware as a threat on a network or system. Therefore, it is best practice to get a second opinion from a reputable source. We can take data from Cisco FMC, such as the hash value of the SWF.Exploit.Rigek malware, and submit it to VirusTotal (www.virustotal.com) for a second opinion on this potential threat.
The following screenshot shows how to use a hash of a file on VirusTotal:
As shown in the preceding screenshot, a security professional can simply visit the VirusTotal website, select the SEARCH option, and enter the hash value of any file. This allows VirusTotal to query its database and past records for any previous reports of a file that has the same hash value. If a match is found, VirusTotal will provide details to the user.
The following screenshot shows the results from VirusTotal, using the hash of the SWF.Exploit.Rigek malware:
As shown in the preceding screenshot, VirusTotal provided a second opinion to Cisco FMC regarding the malware: 35 virus engines detected SWF.Exploit.Rigek as malware, while the other engines determined it to be benign—hence the need for a second opinion, especially in the case of threat analysis.
Additionally, VirusTotal can be used to scan websites for any potential threats. The following screenshot shows how a security professional can use the URL option on VirusTotal to insert a URL:
Once VirusTotal has completed its scan on the URL it will provide its detailed results, as follows:
As shown in the preceding screenshot, only eight virus engines detected the target URL as a potential threat, while the others did not. Once again, it's always good to get a second opinion on threats within the cybersecurity industry. Up next, you will learn how to build your very own malware analysis sandbox using Cuckoo.
While there are many malware analysis sandboxes available online, these sandbox environments may be flooded from time to time with a lot of submissions from users around the world and become overwhelmed. If you are working in a large security team such as a Security Operations Center (SOC), you will commonly find a local sandbox that malware reverse engineers use frequently to understand the behavior and characteristics of malware and any potentially harmful files.
This lab exercise will teach you how to build your very own malware analysis sandbox using Cuckoo on your local machine. To get started with the lab exercise, ensure that you have the following requirements:
Before getting started, the following are a number of important factors:
The following screenshot is a visual representation showing how the user (you) will be interacting with Cuckoo, an open source malware analysis sandbox environment:
To get started building a malware analysis sandbox using Cuckoo, observe the following instructions:
cuckoo@ubuntu:~$ sudo apt-get install python python-pip python-dev libffi-dev libssl-dev
cuckoo@ubuntu:~$ sudo apt-get install python-virtualenv python-setuptools
cuckoo@ubuntu:~$ sudo apt-get install libjpeg-dev zlib1g-dev swig
cuckoo@ubuntu:~$ sudo apt-get install mongodb
cuckoo@ubuntu:~$ sudo apt-get install postgresql libpq-dev
Once the entire setup and configuration process is complete, the web interface will allow us to interact with the Cuckoo malware analysis sandbox. We'll be able to submit potentially harmful files to the sandbox, which Cuckoo will execute and then gather data regarding its behavior.
cuckoo@ubuntu:~$ sudo apt-get install virtualbox
This command will allow Ubuntu to download and install the latest version of VirtualBox from the online repository. VirtualBox is required for the execution of the Cuckoo sandbox. By default, there won't be any virtual networks (adapters) configured on VirtualBox. We will use VMCloak to create the virtual networks later on.
cuckoo@ubuntu:~$ sudo apt-get install tcpdump apparmor-utils
cuckoo@ubuntu:~$ sudo aa-disable /usr/sbin/tcpdump
This allows TCPdump to create a Packet Capture (PCAP) file that can be used later on with protocol analyzers and even an Intrusion Detection System (IDS) to detect further threats.
cuckoo@ubuntu:~$ sudo usermod -a -G vboxusers cuckoo
This will allow the cuckoo user to use our virtualization application—that is, VirtualBox—on the Ubuntu machine.
cuckoo@ubuntu:~$ sudo groupadd pcap
cuckoo@ubuntu:~$ sudo usermod -a -G pcap cuckoo
cuckoo@ubuntu:~$ sudo chgrp pcap /usr/sbin/tcpdump
cuckoo@ubuntu:~$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
cuckoo@ubuntu:~$ sudo apt-get install volatility
cuckoo@ubuntu:~$ sudo pip install m2crypto
Tip
If you want to increase file limits on the Cuckoo sandbox, information is available at https://cuckoo.readthedocs.io/en/latest/faq/#openfiles24.
cuckoo@ubuntu:~$ wget https://bit.ly/3h1vgvO
cuckoo@ubuntu:~$ cp 3h1vgvO setup-virtualenv.sh
Important note
To view the original virtualenv setup script for Ubuntu, see the following URL: https://gist.github.com/jstrosch/de20131dda2aac5cd1116dd44b8f2474.
cuckoo@ubuntu:~$ chmod +x setup-virtualenv.sh
cuckoo@ubuntu:~$ sudo -u cuckoo ./setup-virtualenv.sh
cuckoo@ubuntu:~$ source ~/.bashrc
This step may be time-consuming based on the computing resources assigned to your Ubuntu VM.
cuckoo@ubuntu:~$ mkvirtualenv cuckoo-sandbox
This command creates the name of the virtual environment as cuckoo-sandbox. Once the virtual environment has been created, you'll see that the terminal interface has been adjusted to include the name of the virtual environment. This indicates that we are now working within the cuckoo-sandbox virtual environment on our Ubuntu machine.
Tip
If you happen to exit the virtual environment, you can use the workon cuckoo-sandbox command to re-enter.
(cuckoo-sandbox) cuckoo@ubuntu:~$ pip install -U pip setuptools
(cuckoo-sandbox) cuckoo@ubuntu:~$ pip install -U cuckoo
(cuckoo-sandbox) cuckoo@ubuntu:~$ wget https://cuckoo.sh/win7ultimate.iso
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo mkdir /mnt/win7
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo chown cuckoo:cuckoo /mnt/win7
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo mount -o ro,loop win7ultimate.iso /mnt/win7
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install build-essential libssl-dev libffi-dev python-dev genisoimage
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install zlib1g-dev libjpeg-dev
(cuckoo-sandbox) cuckoo@ubuntu:~$ sudo apt-get -y install python-pip python-virtualenv python-setuptools swig
(cuckoo-sandbox) cuckoo@ubuntu:~$ pip install vmcloak
VMCloak handles the automation of creating VMs.
(cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak-vboxnet0
Once the adapter has been created successfully, you will see the new vboxnet0 interface on both VirtualBox and the Ubuntu machine.
(cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak init --verbose --win7x64 win7x64base --cpus 2 --ramsize 2048
This process is also very time-consuming.
(cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak clone win7x64base win7x64cuckoo
Creating a clone allows Cuckoo to always revert to a clean snapshot of the VM before performing a malware analysis. Therefore, each time Cuckoo has to perform a new malware analysis, it starts from the same known-good snapshot of the Windows 7 VM.
Tip
To view the entire list of available software packages that can be installed within the VM, use the vmcloak list deps command. To install a specific software package on the VM, the vmcloak install <image name> <package> syntax can be used.
(cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak install win7x64cuckoo ie11
(cuckoo-sandbox) cuckoo@ubuntu:~$ vmcloak snapshot --count 4 win7x64cuckoo 192.168.56.101
This command will create four VMs with a range of IP addresses, from 192.168.56.101 to 192.168.56.104. Once this is done, use the vmcloak list vms command to view a list of the VMs created, shown as follows:
(cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo community
(cuckoo-sandbox) cuckoo@ubuntu:~$ while read -r vm ip; do cuckoo machine --add $vm $ip; done < <(vmcloak list vms)
Now, we have our four VMs available.
(cuckoo-sandbox) cuckoo@ubuntu:~$ cd ~/.cuckoo/conf
(cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano virtualbox.conf
We can configure internet access on all the VMs. Internet access on the VMs is not mandatory; however, without it, the malware is prevented from connecting to its Command and Control (C2) servers to retrieve any instructions and payloads, and it is precisely the network traffic generated by the malware that allows Cuckoo to obtain better results regarding its behavior.
Important note
If the malware is able to connect to the internet, it can also attempt to replicate itself and spread to other devices on your network and even devices on the internet. Please be careful.
(cuckoo-sandbox) cuckoo@ubuntu:~$ cd ~/.cuckoo/conf
(cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano routing.conf
Change internet = none to internet = ens33 (replace ens33 with the name of your network adapter). To exit, press Ctrl + X, hit Y, and then press Enter to save the file.
(cuckoo-sandbox) cuckoo@ubuntu:~/.cuckoo/conf$ nano reporting.conf
Scroll down until you reach the [mongodb] section, and then change enabled = no to enabled = yes, shown as follows:
Once this change is complete, to exit, press Ctrl + X, hit Y, and then press Enter to save the file.
Tip
You can also configure Per-Analysis Network Routing for Cuckoo, which allows you to configure how to route traffic through various services such as Tor and a virtual private network (VPN). Personally, I recommend using a VPN connection on your sandbox VM. To learn more on how to configure this type of advanced routing, please refer to the official documentation at https://cuckoo.sh/docs/installation/host/routing.html#per-analysis-network-routing-options.
Open a new terminal and use the following commands to run the Cuckoo Rooter:
cuckoo@ubuntu:~$ workon cuckoo-sandbox
(cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo rooter --sudo --group cuckoo
cuckoo@ubuntu:~$ workon cuckoo-sandbox
(cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo
This terminal interface will be used to monitor the Cuckoo sandbox environment. Additionally, you will see log messages on this terminal indicating that the four VMs have been loaded.
cuckoo@ubuntu:~$ workon cuckoo-sandbox
(cuckoo-sandbox) cuckoo@ubuntu:~$ cuckoo web --host 127.0.0.1 --port 8080
http://127.0.0.1:8080/
The following screenshot shows the Cuckoo sandbox web interface:
Now, you can submit malware, hashes, and URLs to your Cuckoo sandbox environment in order to perform malware analysis. After Cuckoo has completed the analysis, click anywhere within the row to access the report, as shown in the following screenshot:
The following screenshot shows an example of a report provided by Cuckoo:
In the event that you want to clear the Cuckoo sandbox environment, use the cuckoo clean command within the Cuckoo sandbox virtual environment. After performing a clean, Cuckoo may be unresponsive, so simply restart Cuckoo and the web server again, as shown from Part 4, Step 10 to Part 5, Step 3.
Having completed this lab exercise, you have learned how to build your very own malware analysis sandbox environment on your local computer. Please be mindful that if you allow the sandbox internet access during the malware analysis process, the malware can spread and infect systems on your local network as well.
Having completed this chapter, you have learned about various characteristics and key elements of various filesystems for both the Microsoft Windows and Linux operating systems. Additionally, you have acquired knowledge in terms of how cybersecurity professionals use a scoring system such as the CVSS to obtain a severity score on a vulnerability and determine the priority. Furthermore, we took a dive into learning about and exploring various malware analysis tools; and lastly, you gained the skills required to build your very own malware analysis sandbox.
I hope that this chapter has been informative for you and will be helpful in your journey to learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification. In the next chapter, you will learn about the need for computer forensics, the types of evidence that can be acquired during an investigation, and how to get started with forensics as a security analyst.
The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement. The answers to the questions can be found in the Assessments section at the end of this book:
A. EXT4
B. NTFS
C. EXT3
D. FAT32
A. HFS+
B. FAT32
C. EXT4
D. APFS
A. parted
B. dparted
C. view partition
D. ls -l
A. Attack complexity
B. Network
C. Attack vector
D. Adjacent
A. File
B. URL
C. Hash
D. All of the above