End-to-end processing of malware samples using open source technologies
The Datadog Threat Research team routinely collects and analyzes potential malware samples from multiple sources, such as honeypots, intelligence shared by partners and intel contacts, internal security incidents, and malicious packages surfaced by GuardDog.
From these malware analyses, we extract Indicators of Compromise (IoCs), such as malicious IP addresses, domains, file hashes and other atomic indicators. For example, a cloud cryptojacking campaign could involve malicious container images associated with an attacker-controlled Docker Hub user. Malware in the Docker images could communicate with a Command and Control (C2) server at a specific IP address. In this case, the image names, the Docker Hub username and the C2 IP address would all be considered atomic indicators.
As the number of daily analyses grew, our team had to handle the detonation of many types of samples, and built an automated pipeline covering data ingestion, detonation, and the collection of contextualised IoCs in our Threat Intelligence Platform (TIP). We built the pipeline on several open source projects, including eBPF tracers, a Threat Intelligence Platform and a malware analysis orchestrator.
In this talk we share how we implemented and deployed this pipeline, along with feedback and lessons learned while building it.