At Countercept, our employees are encouraged to devise their own solutions to problems they encounter. After deciding that current open source tooling and storage for analyzing and investigating malware didn’t meet the needs of the threat hunting team, threat hunter Alex Kornitzer endeavored to create his own.
The result is Snake, a malware storage zoo that provides centralized and unified storage for malicious samples, designed to seamlessly integrate into a threat hunter’s investigation pipeline.
We spent some time quizzing Alex on the inspiration for Snake, the development process, and his hopes for its evolution.
Alex, before we go on to Snake, can you tell us a little bit about your story pre-Countercept?
I have a degree in Computer Science from the University of York and a Masters in Information Security from University College, London. As an undergraduate, I did a year’s placement with BAE Systems, where I worked on a variety of projects that helped me realize where my interests lay. I also co-founded Ingenious Bytes, a company that created iOS and Mac applications.
You came to Countercept straight from your Master’s course. What about Countercept appealed to you?
I think what appealed to me the most was the potential investigations that stem from identifying a malicious attacker on an estate. The ability to reverse payloads and binaries was and still is an area that I wanted to improve, which was something that this role definitely catered to. In addition, the flexibility of the role (a 50/50 split between core operations and threat hunting research) is an incredible opportunity to skill up, especially with the ability to interact with the talented red teamers at MWR.
As part of our threat hunting team, you probably have some unique insights into the threat landscape and those that operate in it. What threat hunting experiences stand out most for you?
I think that the most interesting scenarios are the ones that require input from the whole threat hunting team and, while these are not that common, those that involve interacting with a live malicious attacker. The need to liaise with the client and sometimes Incident Response while triaging and analyzing the attacker definitely makes for the most interesting experiences. From a more specific standpoint, the analysis of techniques such as DoublePulsar and the extraction of their tactics, techniques, and procedures for use in future hunts is the part of hunting that appeals to me the most.
You developed Snake to aid your workflow while hunting across client estates. Can you tell us a bit about how that came about and what the development process was like?
Before Snake, the best option for storage of malware and high level analysis for quick pivoting was an open source tool called Viper. While a powerful and adequate tool for the job, it didn’t quite align with what I felt we needed as a hunt team, so I decided to create a solution from the ground up using current technologies. I wanted a solution that would enable us to seamlessly store and analyze potentially malicious samples without interrupting the hunting workflow.
Tell us a bit about Snake and what it can do.
To me, Snake is an open source malware storage platform that allows analysts to quickly and efficiently pivot to the most suitable tools for the task at hand by allowing ‘work’ to be performed on samples. Due to its reliance on third-party tools, it is a Python-based application built on top of Tornado Web and MongoDB. The plugin system is where the true power of Snake resides, and to buy into the naming convention these are called ‘Scales’. Their functionality ranges from static analysis through to interaction with external services.
Another key aspect of Snake is that it can also handle memory images and process dumps in addition to more traditional malware samples. This removes the need to host additional solutions and caters to another important aspect of analysis for a threat hunter.
It was important to you that Snake could integrate with Countercept’s threat investigation agent, Omni. How seamless is it?
Very. For that reason Snake is just a RESTful API, which requires no front end by default. A file that our agent, Omni, detects can go straight to Snake and execute useful commands in the background and store their output for later analysis. All you need for the initial stages of analysis is right there. It will hopefully make our team even more efficient at identifying and analyzing malware, which can then be shared with the wider community.
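The two answers above describe Snake's shape: a Python service backed by MongoDB, a registry of ‘Scales’ that do work on a sample, and an ingestion path where a file detected by an agent is stored and analyzed in the background so results are waiting for the analyst. The following is an added illustration of that pattern, written for this article and not code from Snake or Countercept. Every name in it (the `scale` decorator, `SCALES`, `SampleStore`, `ingest`, the three toy plugins) is an assumption for the example; Snake's actual plugin interface, HTTP routes and storage schema are not shown here. An in-memory dictionary stands in for MongoDB so the block runs offline, and the sample bytes are a constructed PE-like blob, not a real binary.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# A "scale" here is any callable taking raw sample bytes and returning a dict of
# results. The registry, decorator and plugin names below are assumptions for
# this example, not Snake's real plugin interface.
Scale = Callable[[bytes], Dict[str, object]]
SCALES: Dict[str, Scale] = {}


def scale(name: str):
    """Register an analysis plugin under a name so it can be run by name."""
    def register(fn: Scale) -> Scale:
        SCALES[name] = fn
        return fn
    return register


@scale("hashes")
def hashes(data: bytes) -> Dict[str, object]:
    # Standard digests used for pivoting between tools and intel sources.
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


@scale("filetype")
def filetype(data: bytes) -> Dict[str, object]:
    # Minimal magic-byte check; a real scale would defer to libmagic or similar.
    if data.startswith(b"MZ"):
        return {"type": "PE"}
    if data.startswith(b"\x7fELF"):
        return {"type": "ELF"}
    if data.startswith(b"%PDF"):
        return {"type": "PDF"}
    return {"type": "unknown"}


@scale("strings")
def strings(data: bytes, min_len: int = 4) -> Dict[str, object]:
    # Printable-ASCII runs of at least min_len bytes, like the Unix strings(1) tool.
    found, run = [], bytearray()
    for byte in data + b"\x00":  # sentinel flushes the final run
        if 32 <= byte < 127:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return {"strings": found}


@dataclass
class Sample:
    sha256: str
    size: int
    results: Dict[str, Dict[str, object]] = field(default_factory=dict)


class SampleStore:
    """In-memory stand-in for the MongoDB collection, keyed by SHA-256 so that
    resubmitting the same bytes updates one document instead of creating two."""

    def __init__(self) -> None:
        self._docs: Dict[str, Sample] = {}

    def get(self, sha256: str) -> Optional[Sample]:
        return self._docs.get(sha256)

    def upsert(self, sample: Sample) -> None:
        self._docs[sample.sha256] = sample

    def __len__(self) -> int:
        return len(self._docs)


def ingest(store: SampleStore, data: bytes, scales: Optional[Iterable[str]] = None) -> Sample:
    """Store a sample and run the named scales (default: all registered ones),
    keeping their output alongside the sample so it is ready before an analyst looks."""
    sha256 = hashlib.sha256(data).hexdigest()
    sample = store.get(sha256) or Sample(sha256=sha256, size=len(data))
    for name in (list(scales) if scales is not None else list(SCALES)):
        if name not in SCALES:
            raise KeyError(f"unknown scale: {name}")
        sample.results[name] = SCALES[name](data)
    store.upsert(sample)
    return sample


# Constructed stand-in for a detected file: a PE-like header followed by a couple
# of printable strings. Not a real binary.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"This program cannot be run in DOS mode.\r\n$"
          + b"\x00" * 4 + b"http://update.example.invalid/check")

if __name__ == "__main__":
    store = SampleStore()
    result = ingest(store, SAMPLE)
    for name, output in result.results.items():
        print(name, output)
```

Keying the store on the SHA-256 is what makes the background path safe to call repeatedly: an agent that resubmits the same file simply refreshes the existing document's results rather than growing the collection, and an analyst can pivot from any of the stored hashes straight to the scale output.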
As with any open source project, the most exciting aspect would be an uptake in users and seeing new Scales (plugins) added, as well as other contributions by users. There are still a few features on my roadmap that I would like to add when I get time, such as finishing off self-describing arguments for commands and adding user-based authentication. Other than that we will probably add features as and when we need them.
Countercept is known for sharing its research with the wider security community, especially its use of open source tools to threat hunt. Why do we do this?
At Countercept, our goal is to continuously drive the attack detection and response industry forward. By sharing our research and findings – especially with open source tools that can be used by the whole detection and response community – we are hopefully doing just that.
Snake is now available on GitHub.