Erika Noerenberg: Binary Emulation for Threat Analysis and Hunting with Binee
December 9, 2019.
Erika Noerenberg speaking at the Jailbreak Brewing Company Security Summit on Friday, October 11, 2019.
In August 2019, Carbon Black researchers Kyle Gwinnup and John Holowczak introduced and open-sourced a novel tool called Binee (Binary Emulation Environment) at DEF CON 27. Binee is a complete x86 binary emulation environment that focuses on introspection of every I/O operation the emulated program performs. Because Binee itself runs on Windows, OS X, and Linux, it can be integrated into existing analysis and processing frameworks regardless of the host platform.
Methods for extracting data from binaries at scale typically rely on static analysis. Binee additionally captures the runtime information usually obtained only from dynamic analysis (API calls, their arguments and return values, file and registry activity), but at the cost and scale at which static analysis can run. Furthermore, Binee can run in the cloud at scale and emit structured output for downstream analysis, which facilitates automating malware analysis, data extraction, and hunting across large datasets.
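As an added illustration of the hunting workflow described above (example code written for this page, not part of Binee or the talk), the script below reads per-sample API-call records in a newline-delimited JSON layout and applies two kinds of hunting rule across samples: an ordered API sequence and a per-call argument predicate. The record layout (`sample`, `seq`, `api`, `args`, `ret`) is a hypothetical format assumed for the example, not Binee's actual output schema, and the trace it processes is constructed.

```python
import json
from collections import defaultdict

# Constructed sample trace: one JSON object per emulated API call. The field
# layout is an assumption made for this example, not Binee's real schema.
SAMPLE_TRACE = """\
{"sample": "a.exe", "seq": 1, "api": "GetProcAddress", "args": {"name": "VirtualAlloc"}, "ret": "0x7ff1"}
{"sample": "a.exe", "seq": 2, "api": "VirtualAlloc", "args": {"size": 4096, "protect": "0x40"}, "ret": "0x200000"}
{"sample": "a.exe", "seq": 3, "api": "WriteProcessMemory", "args": {"addr": "0x200000", "size": 4096}, "ret": 1}
{"sample": "a.exe", "seq": 4, "api": "CreateRemoteThread", "args": {"start": "0x200000"}, "ret": "0x1c"}
{"sample": "b.exe", "seq": 1, "api": "CreateFileA", "args": {"path": "notes.txt"}, "ret": "0x4c"}
{"sample": "b.exe", "seq": 2, "api": "WriteFile", "args": {"handle": "0x4c", "size": 12}, "ret": 1}
{"sample": "c.exe", "seq": 1, "api": "VirtualAlloc", "args": {"size": 65536, "protect": "0x04"}, "ret": "0x300000"}
{"sample": "c.exe", "seq": 2, "api": "CreateRemoteThread", "args": {"start": "0x300000"}, "ret": "0x20"}
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


def parse_trace(text):
    """Group newline-delimited JSON call records by sample, in call order."""
    per_sample = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            per_sample[rec["sample"]].append(rec)
    for calls in per_sample.values():
        calls.sort(key=lambda r: r["seq"])
    return dict(per_sample)


def matches_sequence(calls, wanted):
    """True if the API names in `wanted` occur in order within `calls`
    (other calls may appear between them)."""
    it = iter(calls)  # shared iterator: each name must be found after the previous hit
    return all(any(c["api"] == name for c in it) for name in wanted)


def is_rwx_alloc(rec):
    """Per-call predicate: VirtualAlloc requesting an RWX region."""
    if rec["api"] != "VirtualAlloc":
        return False
    return int(rec["args"].get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE


# Hypothetical hunting rules; names and contents are chosen for this example.
SEQUENCE_RULES = {
    "remote_thread_injection": ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"],
}
PREDICATE_RULES = {
    "rwx_allocation": is_rwx_alloc,
}


def hunt(text):
    """Return {sample: [matched rule names]} for samples that hit any rule."""
    hits = {}
    for sample, calls in parse_trace(text).items():
        found = [n for n, seq in SEQUENCE_RULES.items() if matches_sequence(calls, seq)]
        found += [n for n, pred in PREDICATE_RULES.items() if any(pred(c) for c in calls)]
        if found:
            hits[sample] = sorted(found)
    return hits


def extract_paths(text):
    """Data extraction: file paths each sample opened via CreateFileA."""
    paths = {}
    for sample, calls in parse_trace(text).items():
        found = [c["args"]["path"] for c in calls if c["api"] == "CreateFileA"]
        if found:
            paths[sample] = found
    return paths


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_TRACE), indent=2))
    print(json.dumps(extract_paths(SAMPLE_TRACE), indent=2))
```

The sequence rule is a subsequence match rather than an exact adjacency match, so unrelated calls interleaved by a packer or loader do not defeat it; tightening it (for instance, requiring the `WriteProcessMemory` target to equal the `VirtualAlloc` return value) is the natural next step once the argument fields are trusted.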
In this talk, I will briefly introduce Binee and demonstrate how static process emulation can assist with both malware analysis and hunting for Windows threats. I will also discuss how this capability can facilitate automation of analysis tasks, as well as preview future work currently in planning.