AMIRA - Automated Malware Incident Response & Analysis


AMIRA is a service for automatically running the analysis on the OSXCollector output files. The automated analysis is performed via OSXCollector Output Filters, in particular The One Filter to Rule Them All: the Analyze Filter. AMIRA takes care of retrieving the output files from an S3 bucket, running the Analyze Filter and then uploading the results of the analysis back to S3 (although one could envision attaching them to the related JIRA ticket as well).

Prerequisites

tox
The following steps assume you have tox installed on your machine.
If this is not the case, please run:
$ sudo pip install tox

OSXCollector Output Filters configuration file
AMIRA uses OSXCollector Output Filters to do the actual analysis, so you will need to have a valid osxcollector.yaml configuration file in the working directory. The example configuration file can be found in OSXCollector Output Filters.
The configuration file mentions the location of the file hash and the domain blacklists. Make sure that the blacklist locations mentioned in the configuration file are also available when running AMIRA.

AWS credentials
AMIRA uses boto to interface with AWS. You can provide the credentials using either of the possible boto config files.
The credentials should allow reading and deleting SQS messages from the SQS queue specified in the AMIRA config, as well as read access to the objects in the S3 bucket where the OSXCollector output files are stored. To be able to upload the analysis results back to the S3 bucket specified in the AMIRA configuration file, the credentials should also allow write access to this bucket.

AMIRA Architecture
The service uses S3 bucket event notifications to trigger the analysis. You will need to configure an S3 bucket for the OSXCollector output files, so that when a file is added there a notification will be sent to an SQS queue (AmiraS3EventNotifications in the picture below). AMIRA periodically checks the queue for any new messages and, upon receiving one, fetches the OSXCollector output file from the S3 bucket. It will then run the Analyze Filter on the retrieved file.
The Analyze Filter runs all the filters contained in the OSXCollector Output Filters package sequentially. Some of them communicate with external resources, like domain and hash blacklists (or whitelists) and threat intel APIs, e.g. VirusTotal, OpenDNS Investigate or ShadowServer. The original OSXCollector output is extended with all of this information, and the very last filter run by the Analyze Filter summarizes all of the findings into a human-readable form. After the filter finishes running, the results of the analysis will be uploaded to the Analysis Results S3 bucket.
The overview of the whole process and the system components involved in it are depicted below:
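The queue-polling step described above, as an added example that is not AMIRA's own code: it parses the body of one SQS message carrying an S3 event notification, keeps only object-creation records that belong to the expected output bucket (so a removal event or a message about some other bucket never causes a fetch), and decodes the URL-encoded object key. The sample message, bucket and key names are constructed for this example.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample: the body of one SQS message carrying an S3 event
# notification with two records. Bucket and key names are made up.
SAMPLE_MESSAGE_BODY = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "osxcollector-output-bucket"},
            "object": {"key": "laptop-42/osxcollector+output.json.tar.gz"}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "osxcollector-output-bucket"},
            "object": {"key": "old/file.tar.gz"}}},
]})


def extract_created_objects(message_body, expected_bucket):
    """Return (bucket, key) pairs for objects created in expected_bucket.

    Only ObjectCreated:* records from the expected bucket are kept, so a
    removal event or a stray message for another bucket never makes the
    service fetch an unexpected object. S3 URL-encodes object keys in
    notifications (a space arrives as '+'), so the key is decoded before
    it is used to fetch the file.
    """
    try:
        records = json.loads(message_body).get("Records", [])
    except (ValueError, AttributeError):
        return []  # not an S3 event notification; leave it alone
    created = []
    for record in records:
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        key = s3.get("object", {}).get("key")
        if bucket != expected_bucket or not key:
            continue
        created.append((bucket, unquote_plus(key)))
    return created


if __name__ == "__main__":
    for bucket, key in extract_created_objects(
            SAMPLE_MESSAGE_BODY, "osxcollector-output-bucket"):
        print("fetch s3://%s/%s" % (bucket, key))
```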


Using AMIRA
The main entry point to AMIRA is in the amira/amira.py module. You will first need to create an instance of the AMIRA class by providing the AWS region name, where the SQS queue with the event notifications for the OSXCollector output bucket is, and the SQS queue name:
from amira.amira import AMIRA

amira = AMIRA('us-west-1', 'AmiraS3EventNotifications')
Then you can register the analysis results uploader, e.g. the S3 results uploader:
from amira.s3 import S3ResultsUploader

s3_results_uploader = S3ResultsUploader('amira-results-bucket')
amira.register_results_uploader(s3_results_uploader)
Finally, run AMIRA:
amira.run()
Go get some coffee, sit back, relax and wait till the analysis results pop up in the S3 bucket!