Workshop IRMA : Incident Response and Malware Analysis

Speaker(s) : Alexandre Quint, Fernand Lone-Sang, Guillaume Dedrie (IRMA)

  • Language : English
  • Level : Confirmed
  • Nature : Workshop
  • Date : Wednesday 8 July 2015
  • Schedule : 14h00
  • Duration : 120 minutes
  • Place : 202

Effectively combating new threats has been a very hot issue for the last several years. Nowadays, many sophisticated attacks still manage to compromise computers despite the antivirus programs installed on them. A single product has become insufficient to keep a computer safe against increasingly savvy attackers.

To counter these threats, some security software companies are providing a central platform where suspicious files can be analyzed on multiple file analysis engines such as antivirus programs, sandboxes, etc.

IRMA (Incident Response & Malware analysis) is such a platform, with the difference that, compared to online solutions, one can keep control over where one’s files go and who gets the associated data.

In this workshop, we will first introduce you to IRMA's concepts and goals; then you will install and customize it to build your own malware analysis platform.

Planning. We will:
- Recall our major motivations for building such a system,
- Present the overall architecture of IRMA, which has been designed as a 3-part system,
- Guide you through setting up your own system, running in virtual machines, in less than 30 minutes,
- Develop a new analyser together and include it in your own IRMA setup,
- Discuss the mechanics under the hood for people willing to contribute to or reuse this project.
Requirements:
- git
- Vagrant, version 1.5 or higher
- VirtualBox, the virtual machine manager used by default by Vagrant (see https://www.vagrantup.com/downloads.html)
- Ansible, version 1.6 or higher (see http://docs.ansible.com/intro_installation.html)
- The laptop should preferably have at least 4 GB of RAM, a capable processor (i5 or i7), and more than 20 GB of free disk space.

Alexandre Quint, Fernand Lone-Sang, Guillaume Dedrie
Alexandre Quint is a software developer. He was previously involved in IPS module development at Stormshield, worked for the French government as both a security and a software engineer, and started his career as a card security engineer at Gemalto.

Fernand Lone-Sang is a junior security researcher. He currently works on IRMA, an asynchronous and customizable analysis system for suspicious files. During his Ph.D., he worked on low-level attacks based on hardware components. He often plays with electronics, micro-controllers and FPGAs.

Guillaume Dedrie is a software developer specialized in frontend development. He likes to automate everything and tries to evangelize firms around the world with the emerging DevOps culture. If you're looking for him, you'll probably find him at a Paris Meetup.