Are you a security professional who is struggling to obtain a reasonable budget for IT security or are you a business owner who cannot afford expensive security solutions for your business at the moment? Well, you are in luck and whatever the reason may be for lacking funds for security systems there are free solutions out there that can help you greatly increase your security level. Even though these systems do not cost anything as they are open source, they usually come with a bit of required effort to set them up properly and maintain them. In this section of the Forum I will be sharing security solutions that we tested and all the pros and cons that go with them.
This series will focus on evaluating free and open source security systems with a goal of making it as clear as possible of what this system can do so you can have an easier time in making a call if it meets your needs or is it worth the effort.
We will be updating these evaluations from time to time if the systems gets major updates so be sure to follow us on Linkedin and/or subscribe to our news letter!
So let's get started with:
Cuckoo sandbox framework
What it is:
Cuckoo Sandbox is the open source automated malware analysis system. You can throw any suspicious file at it and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
Cuckoo Sandbox is free software that automated the task of analyzing any malicious file under Windows, macOS, Linux, and Android.
What it can do:
What you can do with Cuckoo sandbox is Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments. You can trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
You can even dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
Also, you can perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.
What we think about it:
We tested Cuckoo sandbox in different environments using many samples of infected files over a period of 6 months. Yes, that is a long time but we were using it in work environment for the exact same purpose that the tool states. The verdict is as follows:
1. Detection rate
The detection rate was naturally very high since the tool uses many plugins including the infamous VirusTotal. The most shocking revelation was that this tool detected zero-days that entire VirusTotal arsenal didn't detect including two of our enterprise enpoint security solutions. Thanks to it's behavioral analysis you can track what the file does when certain action is performed on it, such as a basic opening of the file. Deep inside certain files were malicious links or scripts that are the real threat and Cuckoo sandbox was able to find it before any AV, and we are talking about AVs with up to 98.6% detection rates. That is something.
2. Implementation and Ease of Use
Setting up the tool is fairly straight forward (assuming you have some basic IT experience) thanks to the very details documentation provided on the website so you will not have to worry about that, you can set up the Host and Guest machines in the environments you prefer or require and go from there. I see it as an overkill to post implementation instructions as the ones available on the official Cuckoo documentation page are necessary in it's entirety and should be followed step by step. However, I invite everyone who has any issues or different experience with implementation to start a discussion below!
Cuckoo might not be the easiest system to use but it sure gets easier by the minute. The Web based dashboard is very well designed and has an abundance of helpful features you can use.
Obviously, the first feature that will catch your eye is the most used one and that is a file drop-off field and a URL submit box so you can immediately start with the analysis of whatever raises your suspicion. Other than that you have a clear monitoring info and version of the software around the analysis area so you can keep an eye on your platforms health.
1. Cuckoo Dashboard
Besides the dashboard (Web GUI or API), you can submit a file to Cuckoo from the console as well. Cuckoo will attempt to determine the best analysis method and VM image to execute the submitted file or you can explicitly declare what analyzers and VM image to use. Cuckoo schedules the submission into a task, then loads the appropriate VM image (or multiple VMs) to execute it.
To be continued...