Incident Handling with Docker Containers

Honestly, I never really played with Docker but, for a few weeks, I have succumbed to the temptation of playing with it thanks to a friend who puts everything in Docker containers. If you still don’t know Docker, here is a very brief introduction: Docker lets you run applications in a “container”. In this container, the application finds all the components it needs to run smoothly: code, scripts, libraries, packages, … Every container is started from the image’s pristine filesystem, so an application always starts in a fresh environment. What’s the difference with a virtual machine, you may ask? NIST (the “National Institute of Standards and Technology”) has released a draft document which explains the difference between application containers and virtualized systems. Basically, containers don’t need a complete copy of the operating system and require fewer resources, but they are designed to be ephemeral.

Incident handlers build their personal toolbox investigation after investigation. While there are Linux distributions focusing on these specific tasks (REMnux and SIFT are common ones), there are plenty of tools developed and shared by the community to address specific cases. Most of those tools can be executed stand-alone but sometimes depend on libraries or other software frameworks. These are perfect candidates to be executed in a container. So the question arises: what about building a list of Docker images ready to perform incident handling tasks?

Before diving deeper, a few words about the security of containers. They are not bullet-proof: container escapes are always possible and all containers share the host kernel (a kernel exploit affects the complete system). Note that Docker 1.10 added support for user namespaces (root inside the container is mapped to an unprivileged user on the host), which limits the impact of an escape but does not prevent it. Keep this in mind when you are manipulating suspicious files! Personally, I’m running containers in a real virtual machine.

So, I searched and compiled a list of interesting containers for your daily incident handling tasks.

Note: the following list contains classic tools that all incident handlers should already know; I just focused on their “Docker” version. For performance reasons, I recommend you download all images (“docker pull <image>”) to your local storage beforehand. This speeds up container startup and allows you to work offline. I also presume that files to be analyzed are stored in /evidences.
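As an added example (not part of the original post), here is a small shell wrapper that applies the least-privilege settings a handler wants when feeding suspicious files to the one-shot scanners listed below: the evidence directory is mounted read-only at whatever path the image expects, and the container gets no network, no capabilities, no privilege escalation, a read-only root filesystem with a small scratch tmpfs, and a process limit. The sample name is checked to be a bare file name that exists under /evidences, so nothing outside the evidence directory can be referenced. The mount points and image names are the ones quoted in the tool entries below; the wrapper itself, the `%f` placeholder and the `DOCKER`/`EVIDENCES` variables are this example’s own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: a least-privilege wrapper for the
# one-shot scanners listed on this page. Assumes samples live under /evidences
# (the page's convention); DOCKER, EVIDENCES and the %f placeholder are this
# example's own conventions.

EVIDENCES=${EVIDENCES:-/evidences}
DOCKER=${DOCKER:-docker}   # set DOCKER=echo to print the command instead of running it

# sample_ok NAME: accept only a bare file name that exists under $EVIDENCES.
# Rejects empty names, path separators and "." / "..", so a caller cannot point
# the scanner at anything outside the evidence directory.
sample_ok() {
    case "$1" in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -f "$EVIDENCES/$1" ]
}

# analyze IMAGE MOUNTPOINT SAMPLE [ARG...]
# Runs IMAGE with $EVIDENCES mounted read-only at MOUNTPOINT (the path each
# image expects, e.g. /home/nonroot/workdir for remnux/pescanner). In ARG...,
# the token %f is replaced by the sample's path inside the container.
analyze() {
    [ $# -ge 3 ] || { echo "usage: analyze IMAGE MOUNTPOINT SAMPLE [ARG...]" >&2; return 2; }
    image=$1
    mountpoint=$2
    sample=$3
    shift 3
    sample_ok "$sample" || { echo "analyze: refusing sample '$sample'" >&2; return 2; }
    infile=$mountpoint/$sample

    # Rebuild the remaining positional parameters with %f expanded.
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        [ "$arg" = '%f' ] && arg=$infile
        set -- "$@" "$arg"
        n=$((n - 1))
    done

    # No network (the sample or a buggy parser cannot phone home), no
    # capabilities, no setuid escalation, read-only root with a noexec scratch
    # area, and a pid limit against fork bombs.
    "$DOCKER" run --rm -it \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --pids-limit 256 \
        -v "$EVIDENCES:$mountpoint:ro" \
        "$image" "$@"
}

# Usage, mirroring the PEScanner and SpiderMonkey entries below:
#   analyze remnux/pescanner /home/nonroot/workdir malicious.exe pescanner %f
#   analyze nacyot/javascript-spidermonkey:latest /source malicious.js js %f
```

The wrapper suits the command-line scanners (PEScanner, SpiderMonkey, YARA, ClamAV scans). The web applications (JSDetox, Malcom, FIR, Dradis) write to their own filesystem and need a published port, and the VirusTotal client needs network access, so keep their own run lines for those.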

PEScanner

PEScanner is a tool to perform static analysis of Microsoft Portable Executable (PE) files.

Usage:

# docker run --rm -it -v /evidences:/home/nonroot/workdir remnux/pescanner pescanner <malicious.exe>

JSDetox

JSDetox is a JavaScript malware analysis tool. With the growing number of malicious .js files spread by phishing campaigns, this one is a must at the moment.

Usage:

# docker run --rm -p 3000:3000 remnux/jsdetox

Then point your browser to http://<docker-server>:3000

SpiderMonkey

Another JavaScript analyzer: SpiderMonkey, Mozilla’s JavaScript engine, can run malicious scripts from the command line, outside any browser, which helps to analyze and deobfuscate them.

Usage:

# docker run --rm -it -v /evidences:/source nacyot/javascript-spidermonkey:latest js <malicious.js>

VirusTotal

Nothing fancy, just a command line VirusTotal API client.

Usage:

# docker run --rm -it malice/virustotal --api <api_key> lookup <hash>
# docker run --rm -it malice/virustotal --api <api_key> scan <malicious_file>

Malcom

Malcom is a tool which analyzes network communications using graphical representations of network traffic and cross-references them with public IOC sources.

Usage:

# docker run -p 8080:8080 -d --name malcom tomchop/malcom-automatic

FIR

FIR stands for “Fast Incident Response” and is developed by the Société Générale CERT. There is no public build, but a Dockerfile is available in the FIR GitHub repository (fetch the raw file, not the GitHub HTML page, or the build will fail).

Usage:

# wget https://raw.githubusercontent.com/certsocietegenerale/FIR/master/docker/Dockerfile
# docker build -t fir .
# docker run -it -p 8000:8000 fir

Then point your browser to http://<docker-server>:8000

ClamAV

Not the best antivirus, but always handy to quickly scan a suspicious file or system. Note that docker exec bypasses the image entrypoint and runs exactly the command you give it, so the scanner (clamscan) must be named explicitly: passing only the path of the sample would execute the sample inside the container.

Usage:

# docker run --name=clamav -v /evidences:/malware:ro malice/clamav update
# docker restart clamav
# docker exec -it clamav clamscan /malware/<suspicious_file>

YARA

YARA is another must-have tool. It helps to classify files based on textual and binary patterns described in rules. Mount your rules next to the evidences; the container runs the yara binary, so the arguments are the rules file followed by the file (or directory) to scan.

Usage:

# docker run --rm -it -v /evidences:/malware:ro -v /rules:/rules:ro blacktop/yara /rules/<rules.yar> /malware/<suspicious_file>

Dradis

Dradis is a tool focusing more on pentesters, but it can be useful to collect and exchange information between incident handlers working on the same case.

Usage:

# docker run -d -p 3000:3000 raesene/auto_docker_dradis bundle exec rails server

Finally, it is also possible to run all the tools available in the SIFT distribution in a single (huge!) container:

# docker run -it -v /evidences:/data:rw k0st/sift /bin/bash

Here is a recap of the Docker images:
Application    Image Name                        Stars
PEScanner      remnux/pescanner                  ******* (7)
JSDetox        remnux/jsdetox                    ***** (5)
YARA           blacktop/yara                     ***** (5)
Volatility     remnux/volatility                 *** (3)
SIFT           k0st/sift                         *** (3)
SpiderMonkey   nacyot/javascript-spidermonkey    ** (2)
Dradis         raesene/auto_docker_dradis        ** (2)
VirusTotal     malice/virustotal                 * (1)
Malcom         tomchop/malcom-automatic          * (1)
ClamAV         malice/clamav                     * (1)
FIR            (no public build)
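The images in this table are published by individual community accounts on Docker Hub, so a tag such as latest can be repointed at any time. As an added example (not from the original post), the script below records the content digest of each image once, after a first pull, and afterwards pulls only by that digest, so the toolbox you validated is the one you keep running. The lockfile name, the helper names and the all-zero placeholder digests used for illustration are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pin the community images from the
# recap table by digest. LOCKFILE and DOCKER are this example's conventions.

LOCKFILE=${LOCKFILE:-images.lock}
DOCKER=${DOCKER:-docker}   # set DOCKER=echo for a dry run

# lock_entry_ok LINE: true if LINE has the form <repo>[:<tag>]@sha256:<64 hex>.
# Anything else (a bare tag, a truncated or non-hex digest, an empty repo) is
# rejected so a corrupted lockfile can never degrade into a pull by mutable tag.
lock_entry_ok() {
    case "$1" in *@sha256:*) ;; *) return 1 ;; esac
    repo=${1%%@sha256:*}
    digest=${1#*@sha256:}
    [ -n "$repo" ] || return 1
    case "$repo" in *[!A-Za-z0-9._/:-]*) return 1 ;; esac
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# record_digests IMAGE...: pull each image by tag once and append its repo
# digest (as reported by docker inspect) to the lockfile. Run this after you
# have looked at the image you pulled, not before.
record_digests() {
    : > "$LOCKFILE"
    for img in "$@"; do
        "$DOCKER" pull "$img" >/dev/null || return 1
        "$DOCKER" inspect --format '{{index .RepoDigests 0}}' "$img" >> "$LOCKFILE" || return 1
    done
}

# pull_locked: pull every lockfile entry by digest. Blank lines and comments
# are skipped; a malformed entry is reported and makes the function fail
# instead of being silently ignored.
pull_locked() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if lock_entry_ok "$line"; then
            "$DOCKER" pull "$line" || rc=1
        else
            echo "pull_locked: malformed entry: $line" >&2
            rc=1
        fi
    done < "$LOCKFILE"
    return "$rc"
}

# Usage:
#   record_digests remnux/pescanner remnux/jsdetox blacktop/yara k0st/sift
#   pull_locked
```

A pull by digest is content-addressed, so Docker itself verifies that what arrives matches the recorded hash; the lockfile only has to be kept with the rest of your toolbox and re-recorded deliberately when you decide to upgrade an image.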

This list is far from complete. Feel free to submit your suggestion and I’ll update it regularly. You created a nice image? Let me know!
