Professional Documents
Culture Documents
Requests SOP
Contents
1. Background ......................................................................................................................................... 2
1.1. Types of request .................................................................................................................................. 2
1.2. Hazmat Safe Transfer Procedures ...................................................................................................... 3
1.3. Baseline Analysis ................................................................................................................................ 4
1.4. SCOE Malware Analysis Support Escalations .................................................................................... 5
1.5. Process refinement ............................................................................................................................. 6
Appendix A. Malware Analysis Techniques ..................................................................................................... 7
Appendix A.1. Surface Analysis (SCOE) ...................................................................................................... 7
Appendix A.2. Automated Dynamic Analysis (SCOE) .................................................................................. 7
Appendix A.3. Deep Static Analysis / Reverse Engineering (CTU) .............................................................. 8
Appendix A.4. Interactive Dynamic Analysis / Debugging (CTU) ................................................................. 8
1. Background
There is a requirement within SCOE to understand aspects of identified malicious code and proper handling
procedures in order to protect clients. There has been agreement between SCOE and the CTU that where
understanding cannot be derived from static analysis (e.g. analysis of file properties and strings) and basic
dynamic analysis (e.g. automated sandbox examination), analysis requests will be escalated to the CTU.
• Indicator extraction:
• Behavioral context:
o What malware is this/does this thing drop (family classification, any association to a known
threat groups)
• Capability statement:
o How does this functionality relate to previously known samples of the same family (if
known)
It is not expected that more prolonged analysis would be requested from SCOE; however, CTU have other
categories of “malware analysis” which are included below for completeness. Requests requiring the
following categories of analysis should be escalated to the CTU using the process described in Section 1.4:
• Threat Analysis
o Temporal or campaign analysis considering how the malware has evolved over time
Analysts should apply the principle of deriving information that is relevant and actionable for their client and
avoid the temptation to submit a request for information that is not necessary or relevant. Doing so will
unnecessarily use up resources and will ultimately delay the final response to the client.
This process has been designed to remove the possibility of “live” malware being passed through jump
servers which can contact client infrastructure. The risks posed through inadvertent execution of malware in
such an environment are significant.
Today, the proposed HAZMAT handling infrastructure consists of CASE, which serves as a frontend for the
sandboxing, sample archival and sharing / transfer functions pertaining to this SOP and SDDC REMNUX,
the SDDC-hosted, standardized configuration REMNUX VM.
Using the CASE web interface, the analyst will upload and submit the sample, considering the specific
parameters and options required in the submission form.
Following submission to CASE, if further assessment of the suspicious sample is required, the analyst has
the option to use the SDDC-hosted REMnux VM. This allow SCOE analysts to leverage specialized
tools/scripts against the sample in a non-executable way (for example, running pdf-parser.py against a PDF
file, or oletools against OLE objects),
• The SDDC REMnux VM needs to have connectivity to CASE for accessing / downloading the
respective sample on the VM, for further assessment.
• As most analysts use WS1 M3 profile machines, a pathway from these assets into the SDDC
REMnux VM needs to be provisioned. The currently agreed approach is to use a FLEX CORP VM
that sits on the WS1 M3 machine.
For client-facing communication, should this need arise, we can provide a high-level overview of the CASE
< - > SDDC REMnux ecosystem, emphasizing both the various access control mechanisms in place, and
the strictly private nature of this malware analysis platform that we make available to our analysts, in
support of malware analysts request types.
It should be noted that the CASE replacement project is underway, codenamed Atlas, and this will provide
an improved “hands free” environment for malware inspection and analysis which will include:
• Improved surface analysis of documents, URLs to minimize the occasions when malware is
handled directly in SDDC REMNUX
1. Before beginning any analysis process, SCOE analysts should ensure they are clear on what
question(s) from Section 1.1 need answering on behalf of their client. The expectation is that most of
the time, requests will be limited to extracting any indicators for further pivoting and analysis in client
telemetry, but in certain cases additional information may be required.
2.1. Gathering information about the file (for example the hash values) and searching for the file or file
attributes in OSINT data sources (but not uploading any content to those external sources).
2.2. Checking existing internal data repositories (e.g. TIMS, CASE) to see whether a file and any
associated threat indicators are already known.
2.5. Running tools/scripts against it in a non-executable way (for example, running pdf-parser.py
against a PDF file, or oletools against OLE objects).
2.6. Submit the file or URL to CASE to check whether any Yara rules or IDS signatures match on the
sample or its network activity, or the file matches on a CASE malware classifier to identify the
family it belongs to. CASE detonations can also identify threat indicators, such as any network C2,
created files, and information on any subsequent files that were downloaded.
3. The expectation is that in the majority of cases these steps will provide sufficient information to answer
the analysis question(s).
Where insufficient information is returned from SCOE analysis, a request should be escalated to CTU for
more in depth analysis via the TI-Support ticketing mechanism. SCOE analysts can open a ticket by:
The request should clearly identify which of the above questions need to be answered and the urgency,
taking into account that basic requests to derive threat indicators will be answered significantly quicker
(normally within a day) than requests for detailed capability statements (days or weeks).
The relevant CTU malware analyst will decide on what depth of analysis (see below) is required to answer
the question(s). The level of required analysis, coupled with the complexity of the sample, will determine
how long the work is likely to take.
A CTU malware analyst will conduct an initial review of the ticket and submitted file(s) and estimate the
likely level of effort required to service the ticket. If the request is straightforward, they will proceed to
answer the question(s) posed. If the request appears on initial glance to be more complex, or the request is
for a deep level of analysis (e.g. a detailed capability statement) the CTU malware analyst will contact the
submitter to discuss expectations and priorities, and/or seek any additional clarification.
If at any point during the analysis it becomes clear that the work involved is more complex than initially
thought, the CTU malware analyst can contact the ticket submitter to discuss. Active dialogue is
encouraged between SCOE and CTU analysts to ensure sufficient levels of information are available on
both sides, and the effort spent answering escalation requests is proportionate.
The CTU may decide, at its own discretion, to conduct additional work above and beyond that requested in
the ticket, for the purposes of understanding and tracking current threats. Examples might include:
Carefully consider the OPSEC sensitivities when deciding what network profile to use for the CASE detonation. Allowing the sample
to communicate with the internet may generate better detonation results, but if the sample is derived from IR or is sensitive in some
other way, this might also tip off the adversary. If in doubt, use a limited/fakenet network profile.
• Decoders or emulators
• Producing written threat intelligence products off the back of the analysis.
The expectation is that where this occurs, all clients, and in turn SCOE analysts, will benefit from new or
improved scaled protections and intelligence products. CTU researchers will endeavor to notify SCOE
where client facing content is derived from analysis initially done by SCOE.
Much information about a particular file or sample for analysis can be gathered this way. Often times this is
enough to determine whether the sample is malicious or not and, if so, what malware family it is and any
applicable IOCs.
The specifics of this activity type are included in the accompanying document: Surface Analysis
and SDDC REMnux Technical Documentation.
• Go to Swim (in the SCWX environment) -> SRSMAN and request a CASE- account.
• Search for CASE-Submitter and submit your request in order to be able to read reports and Submit
Malware.
To submit a sample into CASE, analysts will use the CASE web interface,
https://case.counterthreatunit.net/submit_sample, browse locally in their client's corporate / work environment
for the sample in question in the “Select File” section, and submit it using the “Submit” button located at the
bottom of the web page.
When submitting a sample, the analyst will have to consider the following parameters for configuration: TLP (Traffic
Light Protocol), Priority, Profile, Firewall Policy, Skip if Detonation Exists, Disable collecting dropped files, Execution
Timeout, Execution Arguments, and Override file extension.
TLP Explanation:
TLP Rule
Choose Priority
Priority Reason
Choose Profile
These are profiles on the Norman Sandbox. Each profile has different configurations.
Firewall Policy
Policy Definition
Execution Timeout
Execution Arguments