HITB LAB: IRMA – An Open Source Incident Response & Malware Analysis Platform

PRESENTATION SLIDES (PDF)

WHITE PAPER (PDF)

IRMA (http://irma.quarkslab.com) is an open-source asynchronous system aiming at helping analyze suspicious files.

We all know that anti-virus (AV) are a failure: if someone is basing his security on this one product, failure is sure. Despite that, everyone also considers AV are also needed to detect the generic attack vectors. A not new idea is to use several AV engines. Due to costs and performance constraints, one host cannot run tons of AV. So, several solutions have appeared lately to provide a central place where suspicious files can be tested towards major AV engines.

However, testing suspicious files is only a first step. When one will detect such a file, he might want to apply different analysis, like running it in a sandbox for instance, or statically analyzing the file which requires first to unpack it most of the time. In this lab, we will:

– Recall our major motivations to build such a system,
– Present the overall architecture of IRMA which has been designed as a 3 part system,
– Guide you to setup our own system, running in virtual machines, in less than 30 minutes,
– Develop together a new analyser and include it to your own IRMA setup,
– Discuss the mechanics under the hood for people willing to contribute to or to reuse this project.

CONFERENCE
Location: Track 3 / HITB Labs Date: October 15, 2014 Time: 10:30 am - 12:30 pm Alexandre Quint Fernand Lone-Sang