The Fraunhofer SIT malware analysis laboratory - establishing a secured, honeynet-based cyber threat analysis and research environment
This report presents the design of a malware collection and analysis environment for operation in an enterprise context, to facilitate empirical improvements to malware detection and Internet early warning research. In addition to reviewing the overall system design, we describe the operational security measures employed to ensure the secure and isolated handling of malware and other malicious content. The environment uses honeypot, honeynet, and virtualisation technologies to collect and discreetly analyse the behaviour of malware samples circulating on the Internet. To avoid potential liability and damage to the enterprise, our design must minimise the inherent risks of cross-infection to local IT systems and third parties imposed by the collection and handling of malware. Our malware collection and analysis pipeline is based on a novel combination of existing open-source technologies that together offer a highly flexible experimental platform, while fulfilling our operational security obligations. Through careful technical and administrative measures, we are able to sufficiently minimise, if not undermine, the risk of undesired impact to both enterprise and third party systems. Experiences with our environment as a research tool will be presented in a future paper.