
Using OSINT Sandboxes To Fill The Gaps



Authors: Anaïs Sidhu and Samuel Cameron

In this article we will discuss what an OSINT Sandbox is, how it is used practically, and how it can help to accelerate your learning and fill the gaps in your security expertise. 

*The authors do not encourage the download of malware on any devices that hold any valuable data assets.*

*The views and opinions of this blog are the authors’ alone*

Background


We recently surveyed our network on LinkedIn to determine what they thought to be the most valuable skill when working in a Security Operations Center (SOC). Given the options of Malware Analysis Experience, Threat Intelligence Experience, Scripting Experience, and Red Team Experience, 45 percent of respondents felt that Threat Intelligence Experience is the most valuable. Malware Analysis followed with 32 percent of respondents, while Scripting Experience and Red Team Experience received 13 percent and 11 percent of the poll votes, respectively. With responses dispersed across all four options, no single option stands out significantly. So, where should someone aspiring to work in cybersecurity start?

With everything that modern security analysts and researchers are expected to know, it can be confusing and a bit overwhelming to decide what to really dig into. Here are just a few things you should know when doing security work: Indicators of Compromise (IOCs), Indicators of Attack (IOAs), net.exe, the Sysinternals suite of tools, event log analysis, the encoding schemes employed by malware, and anti-sandboxing mechanisms. Needless to say, that list could extend over several more pages. A lack of knowledge in any of these areas can be seen as a ‘barrier to entry’ and can really stop people from being confident in their abilities and from applying to security jobs.

What if we could integrate years of security research and expertise at the click of a button? What if we didn't have to know the ins and outs of the above topics to be effective and efficient in the realm of security operations? What if we had tools which, given a sample to study, could apply the aforementioned skills for us, so that all we had to focus on was interpreting the results?

It turns out that there is a mechanism to help us achieve just that. A sandbox, as it relates to cybersecurity, is a safe, isolated environment where files and URLs (referred to henceforward as ‘samples’) are detonated, that is, executed, in order to observe what they do. It’s like playing with a live sample of the malware or malicious file, poking it, and seeing everything that it would try to do on a real system. The crucial property is isolation: you can detonate the malicious sample without risking it affecting other systems.

Now that you have an idea of the benefits and fun possible within the scope of a sandbox, where do you get one? The good news is that they are not expensive. You can get some pretty decent sandbox software, such as Cuckoo, which is free to download and use. If you have a dedicated system and a lot of free time, this is a pretty good option. However, setting up a lab can be not only tedious but also downright difficult, especially if you are just starting out and trying to break into the industry.

Fortunately, Open-Source Intelligence (OSINT) sandboxes provide a solution. OSINT is used very loosely here to refer to the practical application of open-source intelligence to automated malware analysis using sandboxes. These sandboxes have both free and premium paid features. Let’s discuss some of the free options.

There are more than a few publicly available sandboxes that security analysts can leverage free of charge, of note: