Posted 07 September 2016 - 11:30 AM
My understanding is that Splunk is one of the tools that's most widely-used in a commercial context.
IMO virtualisation/sandboxing is the way to go. Essentially, you set up a honeypot VM - a VM with all the vulnerabilities that worms/viruses/trojans love to exploit. Many of the more advanced forms of malware are actually selective about their targets and are designed to go for the lowest-hanging fruit - i.e. the machine that is going to be most likely to let the virus do its thing. So you set up a VM that has all these vulnerabilities built into it. You also set up very comprehensive, debugging-level logging and monitoring on that VM, so that you can see exactly what the virus is doing. The better honeypot VMs that are available are also designed to emulate a real machine - this is because lots of malware starts by detecting whether it's running inside a VM - if the answer is yes, then the malware simply self-destructs, for obvious reasons. It's important not to interconnect the VM to any trusted/secure network to avoid the risk of the malware infecting the said network - in my view, the only 100% secure way of doing this is to use an air-gapped network in addition to the VM - i.e. have a testing network that's physically separated from the machines that you actually use for important things.
After the malware has done its thing, you look at the logs and the output of the monitoring tools to reverse engineer the cunt. With the more advanced forms of malware, this can sometimes be like finding a needle in a haystack, but I still reckon it's good fun. I used to hate viruses but now I actually enjoy letting them run wild and free on my testing platform so that I can find out how they work.
If you'd like some linkage to some of the honeypot software that's available, let me know which platform you're using and I'll send you through some links to downloads and tutorials on how to set them up. Obviously there are different ones available for Windows and Linux.
"Be not forgetful to entertain strangers: for thereby some have entertained angels unawares." Hebrews 13:2
"These sayings are faithful and true: and the Lord God of the holy prophets sent his angel to shew unto his servants the things which must shortly be done." Revelation 22:6
"And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be. I am Alpha and Omega, the beginning and the end, the first and the last. Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city." Revelation 22:12-14
"I Jesus have sent mine angel to testify unto you these things in the churches. I am the root and the offspring of David, and the bright and morning star." Revelation 22:16
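As an added example (not the poster's code or any real sandbox's output), here is a small Python summariser for the kind of debug-level logging the post recommends on the honeypot VM: it reads a constructed JSON-lines event log, pulls out the behaviours an analyst cares about, and flags reads of hypervisor artifacts, which is the VM-detection the post says causes some samples to bail out. The event format and the sample lines are invented for this illustration.

```python
import json

# Constructed sample: a honeypot VM event log in a made-up JSON-lines format
# (not the output of any real tool). Each line is one monitored action.
SAMPLE_LOG = r"""
{"ts": 1, "event": "process", "pid": 100, "image": "C:\\lab\\sample.exe"}
{"ts": 2, "event": "registry_read", "pid": 100, "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest"}
{"ts": 3, "event": "file_read", "pid": 100, "path": "C:\\Windows\\System32\\drivers\\vmmouse.sys"}
{"ts": 4, "event": "file_write", "pid": 100, "path": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"ts": 5, "event": "registry_write", "pid": 100, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"ts": 6, "event": "net_connect", "pid": 100, "dst": "203.0.113.10", "port": 443}
{"ts": 7, "event": "process", "pid": 200, "parent": 100, "image": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
"""

# Artifact names malware commonly checks to decide whether it is inside a VM.
ANTI_VM_MARKERS = ("vbox", "virtualbox", "vmware", "vmmouse", "qemu", "xen")
# Registry locations that make a dropped file run again after reboot.
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_log(text):
    """Parse JSON-lines sandbox events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise(events):
    """Reduce raw events to the behaviours an analyst wants from a detonation."""
    report = {"anti_vm_probes": [], "files_written": [], "persistence": [],
              "network": [], "child_processes": []}
    for ev in events:
        kind = ev["event"]
        target = ev.get("key") or ev.get("path") or ""
        low = target.lower()
        if kind in ("registry_read", "file_read") and any(m in low for m in ANTI_VM_MARKERS):
            report["anti_vm_probes"].append(target)
        elif kind == "file_write":
            report["files_written"].append(target)
        elif kind == "registry_write" and any(k in low for k in PERSISTENCE_KEYS):
            report["persistence"].append(target)
        elif kind == "net_connect":
            report["network"].append(f"{ev['dst']}:{ev['port']}")
        elif kind == "process" and "parent" in ev:
            report["child_processes"].append(ev["image"])
    return report


def likely_vm_aware(report):
    """True when the sample probed for hypervisor artifacts; if it then goes
    quiet, the honeypot VM probably needs better real-hardware emulation."""
    return len(report["anti_vm_probes"]) > 0


if __name__ == "__main__":
    for key, items in summarise(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```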