Leveraging DevOps Tools for Malware Research and Red Team

This workshop will get you started with containers and cloud orchestration as a cybersecurity person. You will get hands-on experience with vagrant, docker, docker-compose, ansible and terraform.

Everyone working with computers lately has heard of VMs, cloud orchestration and containers. That said, so many of us still do many things manually or use these technologies inefficiently. Let’s not allow the devs to have all the fun with DevOps (and its tools).

Virtual Machines can be effectively used to test exploits or contain development environments. Vagrant makes it easy to share these pre-built VMs, avoiding tedious "next, next, next" install procedures while supporting both Linux and Windows.

Containers changed the way we distribute applications and combine services together. Built on top of Linux namespaces, they enable us to deploy complex software in a reproducible manner, regardless of which Linux distribution we deploy it on. Additionally, using network namespaces manually is useful to isolate, bridge, route or firewall a single process or a process hierarchy.
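As an added illustration of the network-namespace point (this script is not part of the original workshop material), the functions below confine one process to its own network stack. They assume Linux with iproute2 (`ip`) and root or CAP_NET_ADMIN; the namespace, interface and address names are constructed for this example.

```shell
#!/bin/sh
# Added example: run a single untrusted process in its own network namespace.
# Assumes Linux, iproute2 and root (or CAP_NET_ADMIN). The names lab0,
# veth-host, veth-lab and 10.200.0.0/30 are constructed for this example.
set -eu

NS=lab0
HOST_IF=veth-host
NS_IF=veth-lab
HOST_IP=10.200.0.1
NS_IP=10.200.0.2

# run: execute a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before touching the host network stack.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# netns_up: create the namespace and a veth pair, move one end inside, and
# address both ends. No default route is added inside the namespace on
# purpose: the confined process can only reach the host-side address until
# you deliberately add routing (or a VPN interface) for it.
netns_up() {
  run ip netns add "$NS"
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  run ip link set "$NS_IF" netns "$NS"
  run ip addr add "$HOST_IP/30" dev "$HOST_IF"
  run ip link set "$HOST_IF" up
  run ip netns exec "$NS" ip addr add "$NS_IP/30" dev "$NS_IF"
  run ip netns exec "$NS" ip link set "$NS_IF" up
  run ip netns exec "$NS" ip link set lo up
}

# netns_run: execute one command with only the namespace's network stack.
netns_run() {
  run ip netns exec "$NS" "$@"
}

# netns_down: delete the namespace; the veth pair is removed with it.
netns_down() {
  run ip netns del "$NS"
}

# netns_plan: print the full bring-up sequence without executing anything.
netns_plan() { ( DRY_RUN=1; netns_up ); }

# Typical session (as root):  netns_up; netns_run ip route; netns_down
```

Running `netns_plan` first is a cheap way to check what will be changed on the host before bringing the namespace up for real.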

Orchestration is the natural next step of automation. We describe entire fleets of systems in code and use tools to make sure that the current state of the infrastructure matches what the code says. Terraform leverages cloud APIs to deploy computing instances and other cloud resources. Ansible reads from Terraform’s inventory, connects to the instances, installs software, copies files and performs the various tasks known as provisioning. Together they are a powerful combination, allowing the deployment of complex systems temporarily in a matter of a few minutes and then tearing everything down when it is no longer required.

This workshop will be use case driven, and each use case will explore more advanced feature sets of the tools demonstrated.

Outline

Virtual Machines (VMs)

  • A very very brief intro to VMs
  • Tool: Vagrant
    • Use case: I need to try a Linux kernel exploit quickly
  • Tool: Malboxes
    • Use case: I need to do a quick investigation on this suspicious Word document
    • Use case: I need to run this Windows binary I don’t trust

Containers

  • A brief intro to Linux containers and network namespaces
  • Tool: lxd / lxc*
    • Use case: I need to try a userspace Linux exploit quickly
  • Tool: netns*
    • Use case: I want a single process on my host to use a VPN
  • Tool: docker + docker-compose
    • Use case: I need to run this Linux binary I don’t trust
    • Use case: I want to deploy a customized Cowrie Honeypot

Orchestration†

  • A brief intro to Cloud Orchestration
  • Tool: Vagrant
    • Use case: I want to deploy a CTF environment (CTF scoring system + challenges)
  • Tool: Ansible*
    • Use case: I want to scan the Internet for USD $2.50
  • Tool: Terraform* + Ansible*
    • Use case: I want to deploy temporary infrastructure for a Red Team (C&C and redirectors)

Prerequisite

Due to the fast-paced nature of this workshop, no technical support will be provided. So make sure to install and test the following tools before we start:

Alternatively a Vagrant box (based on VirtualBox, which you will need) will be provided on site with all the tools pre-installed. Using this will require only Vagrant and VirtualBox installed and should work cross-platform.

*: These tools require Linux to run. Have a Linux host or VM ready with the tools preinstalled.

†: Achieving these use cases will require a Digital Ocean account and will incur costs (should be less than USD $5 unless you forget to destroy your instances after the class). The code provided by the instructor should work with other cloud providers with minor adaptations.

Participants should bring:

See the prerequisite section of the workshop description.

Participants must know or have:

Familiarity with the Linux command line.

Olivier Bilodeau, Cybersecurity Research Lead, GoSecure

Olivier Bilodeau is leading the Cybersecurity Research team at GoSecure. With more than 10 years of infosec experience, he enjoys attracting embedded Linux malware, writing tools for malware research, reverse-engineering all-the-things and vulnerability research. Passionate communicator, Olivier has spoken at several conferences like BlackHat USA/Europe, Defcon, Botconf, SecTor, Derbycon, HackFest and many more. Invested in his community, he co-organizes MontréHack, a monthly workshop focused on applied information security, and NorthSec, Montreal's community conference and Capture-The-Flag.