HITB LAB: IRMA – A Framework for Incident Response & Malware Analysis

Today, many sophisticated attacks still manage to penetrate computers that have antivirus programs installed. This single product has become insufficient to keep your computer safe against increasingly savvy attackers. To counter new threats, security software companies are providing central platforms where suspicious files can be analyzed by multiple file analysis engines such as antivirus programs, sandboxes, etc.

IRMA (Incident Response & Malware Analysis) is a platform where you keep control over where your files go and who gets your data. As a company with valuable data, you may not want your documents submitted to external analysis platforms, for obvious confidentiality reasons. IRMA is an open-source piece of software: anyone can modify it, and you choose who has access to it once it is installed on your network – in short, your data stays on your network.

Beyond being an open-source platform, IRMA is more importantly a framework. One can customize it at different levels or extend its functionality quickly:

– write new probes, i.e. the modules that give IRMA its analytical capabilities, in a few lines of Python, or modify existing ones.
– post-process probe results stored in the database to extract only the relevant information.
– modify the web user interface to display analysis results the way you want.
– benefit from IRMA’s frontend API by plugging it into a milter or by using it in a USB malware cleaner tool.

In this lab, we want to stimulate code sharing between malware analysts and will cover:

  1. How to write a custom analysis engine with little effort.
  2. IRMA’s frontend API.
  3. Two side projects we started: a USB malware cleaner and a mail filtering solution.

CONFERENCE
Location: Track 3 / HITB Labs
Date: May 29, 2015
Time: 2:00 pm - 4:00 pm
Speakers: Alexandre Quint, Fernand Lone-Sang, Guillaume Dedrie