On the viability of data collection using Google Rapid Response for enterprise-level malware research

Abstract

With the increasing number of attacks on enterprises, which often involves the deployment of some form of malware, an automated method for performing large-scale triage has become essential to the timely resolution of an incident. The purpose of this project is to combine the data collection capabilities of Google Rapid Response (GRR) with the flexible automation of Cuckoo Sandbox, to collect data for training machine learning models that perform triage on enterprise machines. To evaluate the viability of this approach, we investigate the artifacts that can be collected using GRR and whether they provide salient features for triage automation. Furthermore, we consider the speed of data collection and the consistency of the collected data when scaling the analysis environment to include more machines. Moreover, we develop multiple simulations of benign computer usage for both generating the benign dataset and as real-world background activities when injecting malware samples. Examples of the simulations include surfing the web, using a word editor, and python coding using an IDE. We investigated a total of 39 Windows artifacts that can be remotely collected using GRR's StartFlowAndWait API. StartFlowAndWait blocks execution until the artifacts are collected or until an error message is received. Collecting all 39 artifacts required over 1 h on a dedicated network connection between the analysis VM and the GRR server. However, handpicking only 11 artifacts reduces the average data collection time to 4 min. We also found that increasing the number of analysis machines caused less artifacts to be successfully collected. This drop in reliability is due to network congestion and the waste of other computing resources from the blocking mechanism of StartFlowAndWait. Although GRR is designed for large-scale deployment, we found that the default configuration of GRR is not sufficient for malware research data collection when using StartFlowAndWait instead of StartFlow.