1

I am planning to set up a malware analysis lab in the Incident Response team of the company I work for.

As I am basically a malware analyst, I somehow managed to get the malware analysis lab set up.

Now I want your help in setting up the network for the lab.

Here are the scenarios:

  1. I don't have my lab set up on a physical machine next to me. It was set up on a remote machine and it has an open network connection.

Please tell me how to connect to my lab as I am in my corporate production network, as it is not advisable to connect to a malware system from a production environment.

  2. I also have a lab going to be set up at my client's location, so please tell me how to connect to the malware lab, since I have to cross two production environments, i.e. my own corporate production environment to our client's production environment and from there to the malware analysis environment.
RoraΖ
saravanan
    Only the people in your security team can tell you under what condition they will allow you to connect to an external system. Also, you see nothing wrong with setting up a system known to have malware installed on an open network connection? – Stephane Aug 28 '15 at 09:04
  • 1
    I agree with Stephane, you need to isolate these networks, set up VLANs and don't use production hosts, this is a lab set up, you don't need production equipment exposed to the threats you will analyse here – Purefan Aug 28 '15 at 11:02
  • 2
    VLANs, NATs, ACLs. just talk to your Network Engineer. Period. – JOW Aug 28 '15 at 14:07

1 Answer

1

Virtualized Environment.

Set up a series of virtual machines on virtual networks in a host that is in its own segmented network (VLAN, firewalls, no outward connections allowed, etc.). Run all your analysis in this environment. You connect by first connecting to the host, then from there to the virtual machines. Even if malware runs rampant, you only risk the other VMs.

In the off-chance that malware from the VM escapes to the host machine (still uncommon at this point), it is segmented off from the rest of your network.

Being in a closed virtual network, you are freer to set up network traffic analysis to analyse the network connections generated by the malware, without affecting your corporate networks.

The other benefit to VMs for malware analysis is that you can blow away the VMs and restore them to an original image. This should be scheduled on a daily basis (or more often) in case there is an infection that you do not catch or fully understand. This prevents a persistent infection in your environment.

This setup also solves your problem of connecting across multiple networks. A simple VPN will allow you to connect to the host machine without fear of malware traversing the VPN.

schroeder
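What the answer above describes, written out as one script for a Linux/KVM host. This is an added example and not part of the answer or of any project: it assumes libvirt with a bridge called virbr-lab on 10.200.0.0/24, nftables as the host firewall, WireGuard on UDP 51820 with a 10.99.0.0/24 tunnel subnet, lab VMs named lab-* that each carry a snapshot named "clean", and a hypothetical hostname lab-host.example.net; the script name lab-net.sh is also an assumption. The isolated libvirt network (no `<forward>` element) gives the VMs a closed virtual network, the nftables policy stops the host from ever forwarding lab traffic and limits management to SSH over the tunnel, the WireGuard client config routes only the host's tunnel address so a compromised VM has no path back to the analyst's corporate or client network, and the revert function is what you put in cron for the daily restore.

```shell
#!/bin/sh
# lab-net.sh (hypothetical name): isolated libvirt network, host nftables policy,
# WireGuard client config and scheduled snapshot revert for a malware-analysis host.
# All names, addresses and ports below are assumptions for this example.
set -eu

LAB_BRIDGE="virbr-lab"      # bridge libvirt creates for the lab network
LAB_HOST_IP="10.200.0.1"    # host's address on that bridge
VPN_NET="10.99.0.0/24"      # WireGuard tunnel subnet (host = .1, analysts = .2+)
WG_PORT="51820"
SNAP="clean"                # snapshot every lab VM is reverted to

# libvirt network definition. Without a <forward> element libvirt builds an
# isolated network: no NAT, no routing, VMs see each other and the bridge only.
# DNS is disabled on the host so nothing leaks upstream through dnsmasq; run a
# sinkhole (INetSim, FakeDNS, ...) inside the lab instead.
lab_network_xml() {
  cat <<EOF
<network>
  <name>lab-isolated</name>
  <bridge name="${LAB_BRIDGE}" stp="on" delay="0"/>
  <dns enable="no"/>
  <ip address="${LAB_HOST_IP}" netmask="255.255.255.0">
    <dhcp><range start="10.200.0.10" end="10.200.0.200"/></dhcp>
  </ip>
</network>
EOF
}

# Host nftables policy: default drop on every hook, nothing is ever forwarded,
# the only listeners are WireGuard and SSH-from-the-tunnel, and VMs may only
# talk DHCP to the host. Replies (SSH, WireGuard, DHCP) ride on conntrack.
lab_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet lab {
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    udp dport ${WG_PORT} accept
    ip saddr ${VPN_NET} tcp dport 22 accept
    iifname "${LAB_BRIDGE}" udp dport 67 accept
    iifname "${LAB_BRIDGE}" drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oifname "${LAB_BRIDGE}" udp sport 67 accept
  }
}
EOF
}

# WireGuard config for the analyst's workstation (corporate or client network).
# AllowedIPs is only the host's tunnel address, so the workstation gets a route
# to the host and nothing else; VMs are reached by tunnelling VNC/SPICE over SSH.
lab_wg_client_conf() {
  cat <<EOF
[Interface]
PrivateKey = <analyst private key>
Address = 10.99.0.2/32

[Peer]
PublicKey = <lab host public key>
Endpoint = lab-host.example.net:${WG_PORT}
AllowedIPs = 10.99.0.1/32
PersistentKeepalive = 25
EOF
}

# Self-check run before applying: a <forward> element or a forward chain that
# is not default-drop would give the lab a path out.
lab_config_is_isolated() {
  ! lab_network_xml | grep -q '<forward' &&
    lab_nft_ruleset | grep -q 'hook forward priority 0; policy drop'
}

# Revert every lab-* VM to its clean snapshot. Schedule this from cron
# (e.g. "0 3 * * * /usr/local/sbin/lab-net.sh revert") so a missed infection
# never outlives the day.
lab_revert_all() {
  virsh list --all --name | grep '^lab-' | while read -r dom; do
    virsh snapshot-revert "$dom" "$SNAP" --force
  done
}

lab_apply() {
  lab_config_is_isolated
  lab_network_xml > /tmp/lab-isolated.xml
  virsh net-define /tmp/lab-isolated.xml
  virsh net-autostart lab-isolated
  virsh net-start lab-isolated
  lab_nft_ruleset | nft -f -
}

case "${1:-}" in
  apply)  lab_apply ;;
  revert) lab_revert_all ;;
  wg)     lab_wg_client_conf ;;
  check)  lab_config_is_isolated && echo "lab config is isolated" ;;
esac
```

Run `lab-net.sh check` before `apply`; `lab-net.sh wg` prints the client config to hand to an analyst. Because AllowedIPs never includes 10.200.0.0/24, the analyst's workstation has no route into the lab subnet even if a VM somehow learns the tunnel addresses, and the host's forward chain drops anything that tries to cross the bridge in either direction.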