Automated Malware Analysis and Cyber Security Intelligence
Department of Forensic Science, Digital Forensics major
최우석
AMA and Cyber Security Intelligence
 Name: 최우석
 Affiliation
• Team lead, f-NGS Lab, Korea Information Security Education Center
• Sungkyunkwan University Graduate School, Department of Forensic Science, 3rd cohort
 Main job
 Cyber security research
 Writing
 Introduce myself
Coming Soon with Acorn Publishing (에이콘)
 Other
• Consulting (security assessment)
▪ Website assessment
▪ Attack scenario based consulting
• Lectures
▪ Malware field
▪ NISA, Financial Security Institute, SKT, Nexon, Money Today, 쿠시스, Ministry of Trade, Industry and Energy, Convergence Security Support Center, etc.
• Talks
▪ CodeEngn, 신한시큐어, KIISC, KISA, FIOS, etc.
• Community activities
▪ Forensic Insight, S2M
History & Overview
Development & Production
Distribution & Infection
Investigation & Analysis
Recovery & Response
Prevention & Management
 Goals of my life
Playing
Contents
 Cuckoo Sandbox Environment
 Introduction Cuckoo Sandbox
 Cyber Security Intelligence
 Conclusion
Section contents
Cuckoo Sandbox Environment
 Malware Trend
 Types of Malware Analysis Methods
 Open Source License
 Open Source License Comparison
 Sandbox
 Hypervisor
 Hypervisor in Cuckoo Sandbox
 Honeypot Project
 Type of Honeypot Project
Cuckoo Sandbox Environment
 Malware Trend
Chart: Total Malware vs. New Malware (source: https://www.av-test.org/en/statistics/malware/)
 Types of Malware Analysis Methods
Initial Analysis
 Basic Static Analysis: AV Test, Calculating Hash, Detecting of Packer/Obfuscation, Extracting of String
 Basic Dynamic Analysis: Process Monitoring, Network Monitoring, Analyzing File System, Analyzing Registry
Detail Analysis
 Advanced Static Analysis: Analyzing File Format, Analyzing implicit linking DLL, Disassembling, Decompiling
 Advanced Dynamic Analysis: Debugging, Analyzing explicit linking DLL, Analyzing Memory, Analyzing hidden function
 Types of Malware Analysis Methods in Cuckoo Sandbox
Legend: Implementation / Unimplemented
Initial Analysis
 Basic Static Analysis: AV Test, Calculating Hash, Detecting of Packer/Obfuscation, Extracting of String
 Basic Dynamic Analysis: Process Monitoring, Network Monitoring, Analyzing File System, Analyzing Registry
Detail Analysis
 Advanced Static Analysis: Analyzing File Format, Analyzing implicit linking DLL, Disassembling, Decompiling
 Advanced Dynamic Analysis: Debugging, Analyzing explicit linking DLL, Analyzing Memory, Analyzing hidden function
 Open Source License
2016 Open Source License Top 5 (source: https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends)
GNU GPL 2.0 & 3.0: 34%
MIT: 25%
Apache 2.0: 15%
BSD 3: 6%
GNU LGPL 2.1: 6%
Other: 14%
 Open Source License Comparison
Licenses   Link   Distribute      Modify          Patent  Using Private  Re-License      Brand
GNU GPL    Self   Non-commercial  Non-commercial  O       O              Non-commercial  O
MIT        O      O               O               X       O              O               X
Apache     O      O               O               O       O              O               X
BSD        O      O               O               X       O              O               X
GNU LGPL   Limit  Non-commercial  Non-commercial  O       O              Non-commercial  O
(O = yes, X = no; source: http://www.bloter.net/archives/209318)
 A sandbox is a mechanism for separating execution regions in cyber security
 Controlled by hardware or software resources
 Sandboxes mainly use virtualization
 Virtualization
• CPU-dependent
• Hypervisor
• Virtual Machines
 Sandbox
 Type of Hypervisor
 Type 1 - VT-d support in CPU
 Type 2 - VT-x support in CPU
 Hypervisor
Type 1: Hardware -> Type 1 Hypervisor -> OS
Type 2: Hardware -> Host OS -> Type 2 Hypervisor -> Guest OS
 Purchasing a computer for each operating system is a waste
 Hardware cost, OS cost, electricity cost, wasted computer resources
 Malware analysis
 An isolated environment is required
 In Cuckoo Sandbox
 If the host OS is Ubuntu, it is inconvenient to use
• For this reason, use nested virtualization
• Nested virtualization is supported in VMware Workstation (Type 2)
 Hypervisor in Cuckoo Sandbox
Hardware
 -> Host OS (Windows 10)
   -> Type 2 Hypervisor (VMware Workstation)
     -> Guest OS (Ubuntu Server) / Guest OS (Ubuntu Desktop)
       -> Type 2 Hypervisor (Virtualbox)
         -> Sandboxes
 Requirements
 Easily exposed to hackers
• Intentionally set to vulnerable
• Configure for a variety of situations
 Monitoring everything accessing the system
 Type of Honeypot Project
• Honeynet
▪ Build at the infrastructure level
▪ Early Honeypot Project
• Client Honeypot
▪ Also called HoneyClient
▪ Run at the client level
▪ Mainly Internet Security
 Honeypot Project
 High interactivity client honeypot
 Similar to the real environment
• Pros
▪ Ability to detect new attacks
• Cons
▪ High performance variance, high cost, a lot of time consumed
 Low interactivity client honeypot
 Simulation
• Pros
▪ Low performance variance, low cost, fast detection
• Cons
▪ Cannot detect new attacks
 Hybrid client honeypot
 First-stage detection uses a low interactivity honeypot, second-stage detection uses a high interactivity honeypot
 Type of Client Honeypot
Section contents
Introduction Cuckoo Sandbox
 History of Cuckoo Sandbox
 Analyzable file type
 Operating principle
 Pros and Cons
 Technology
 Functionalities
 Demonstration
Introduction Cuckoo Sandbox
 History of Cuckoo Sandbox
Timeline (2010-2017):
2010: Google SoC, Honeynet Project
2011: Feb v0.1, Nov v0.2, Dec v0.3
2012: Feb v0.32, Jul v0.4, Aug v0.41, Sep v0.42, Dec v0.5
2013: Apr v0.6; Brucon 2013, Blackhat 2013
2014: Jan v1.0, Apr v1.1, Oct v1.1.1
2015: Mar v1.2
2016: Jan v2.0 RC1
2017: Jan v2.0 RC2
Other milestones on the chart: Rapid7's Magnificent7, Malwr, Open Cuckoo Foundation, Malwr Reload, New Website, Consultancy Service
 Basic Windows File
 Scriptable File
 Office File
 3rd Party Application
 Analyzable file types
 Operating principle
Flow (Cuckoo Sandbox): Submit Malware -> Web Service -> Core -> Sandbox; Analyzed Data flows back from the Sandbox to the Core, and the Report is returned through the Web Service
 Pros
 Open source code
 Written in Python
 Provides both CLI and GUI modes
 Provides a REST API
• Controlled over HTTP
• System connectivity
 Continuous bug patches and version upgrades
• User community and feedback from researchers
 Multiple sandboxes can be configured
• If system resources allow
 Responds to the latest malware issues
• e.g. DDE analysis function added
 Pros and Cons (1/2)
 Cons
 Core functionality is documented well, but documentation of additional functionality is insufficient
 If you encounter problems, report an issue or fix the source code yourself
• Resolving issues is optional
 Functionalities may be removed without prior notice
 Releases proceed even if unfinished
• Improved by participants
• May affect business operations
 Not all malware is analyzed well
• Environment configuration is very important
• Weak against anti-analysis techniques (anti-debugging, anti-virtualization, ...)
 Limitations in detailed analysis
• Cannot analyze functions that depend on specific commands
 Pros and Cons (2/2)
 Cuckoo Core Server
 Ubuntu 16.04 LTS Desktop 64 bit
 CPU 4 Core, Memory 16 GB
 Sandbox x 5
 Win7 SP1 64 bit
 CPU 1 Core, Memory 1024 MB
 Cuckoo Sandbox Application
 2.0.5.3
 Environment
 Infrastructure
Host OS
 -> Type 2 Hypervisor -> Cuckoo Core Service (Ubuntu 16.04 Desktop)
 -> Type 2 Hypervisor -> Other Service (Ubuntu 16.04 Server)
 Database
 Scheduling - RDBMS(SQLite, PostgreSQL, MariaDB)
 Web - NoSQL(MongoDB)
 Search - NoSQL(ElasticSearch)
 Supported hypervisor types
 Type 1 - XenServer, VMware (ESX, vSphere), KVM, Qemu
 Type 2 - VMware (Workstation), Virtualbox
 Physical Sandbox - Fog Project
 Android emulation - AVD
 Memory
 Volatility (with baseline Analysis)
 Technology (1/3)
 Pattern and Signature
 Network Pattern - Snort, Suricata
 Static Binary Pattern - Yara
 Behavior Log Pattern - Only usable in Cuckoo Sandbox, written in Python
 Network
 Network line types - Proxy, VPN, Tor Network
 Analyzing - Moloch, MiTMProxy
 Server
 Main Web Service - Django
 Distributed and API Service - Werkzeug
 Change server type - Nginx + uWSGI
• Increases stability
 Technology (2/3)
 Behavior Analysis
 The agent communicates with the Cuckoo Core using the XML-RPC protocol
 Report types
 HTML, PDF, JSON, Web Service
 Intelligence
 MISP
 System Management
 ICINGA, Supervisord
 Supporting Android Analysis
 GooglePlay, Droidmon, ApkInfo
 ETC
 VirusTotal, Certificate Pinning for PE
 Technology (3/3)
 Hash for malware
 ssdeep, imphash
 Support of archive type malware
 E-Mail, OLE, ZIP
 Analyzing Lateral Movement
 Announced in 2.0-RC1, but not implemented
 Network routing
 no routing, drop routing, dirty line, InetSim, Tor, VPN
 TLS/HTTPS capturing and decrypting
 MiTMProxy, HTTPReplay
• But it has some problems
• HTTPReplay does not implement Certificate Pinning
 Functionalities (1/5)
 Baseline analysis in analyzing memory
 Not documented!
 Only in the JSON report (not shown in the Web report)
 Extracting URLs from process memory
 When I tested with a memory DNS malware, this function did not extract the URL.
 Static Binary Pattern and Behavior Log Pattern
 Static Binary Pattern uses YARA
 Behavior Log Pattern must use Cuckoo's dependent functions
• Requires Python programming
 YARA 3.7.1 can use the Cuckoo Sandbox dependency function.
• But Cuckoo Sandbox 2.0.5.3 does not support YARA 3.7.1
 Functionalities (2/5)
 Maliciousness quantification
 Using Behavior Log Pattern
 Maximum is 10, but values over 10 are possible
 Comparing malware
 Using API call order
 It was well implemented in version 1.x, but in version 2.x
 Implementing a distributed system
 Not documented!
 Implemented using the REST API service
 Provides dedicated web services
 Gevent for asynchronous systems, Greenlet for coroutines
 Not enough
• No integrated database support, only analyzing a file type
 Functionalities (3/5)
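The maliciousness score from behavior log patterns and the API-call-order comparison described above, as an added example that is not Cuckoo's own code: a small behavior-log pattern matcher run over constructed Cuckoo-style report fragments (the `behavior.processes[].calls[]` layout of a Cuckoo 2.x report.json is assumed), whose signature names, severities and uncapped severity sum are simplified stand-ins for Cuckoo's signature classes and malscore, followed by an order-sensitive comparison of two samples' API call sequences.

```python
"""Behavior-log pattern matching, severity scoring and API-call-order comparison
over Cuckoo-style JSON report fragments (added example; the signature API and
scoring formula are simplified stand-ins, not Cuckoo's own code)."""
import copy
import re
from difflib import SequenceMatcher
from typing import Callable, Dict, Iterator, List, Tuple

Call = Dict[str, object]

# Constructed report fragments mirroring the shape of a Cuckoo 2.x report.json
# ("behavior" -> "processes" -> "calls", each call with "api", "category",
# "arguments"). Process names, paths and hostnames are made up.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROP = r"C:\Users\x\AppData\Roaming\svc.exe"

REPORT_A = {"behavior": {"processes": [{"process_name": "sample_a.exe", "pid": 1234, "calls": [
    {"api": "NtCreateFile", "category": "file", "arguments": {"filepath": DROP}},
    {"api": "NtWriteFile", "category": "file", "arguments": {"filepath": DROP}},
    {"api": "RegSetValueExA", "category": "registry",
     "arguments": {"regkey": RUN_KEY + r"\svc", "value": DROP}},
    {"api": "InternetOpenA", "category": "network", "arguments": {}},
    {"api": "InternetConnectA", "category": "network", "arguments": {"hostname": "c2.example.invalid"}},
    {"api": "CreateProcessInternalW", "category": "process", "arguments": {"filepath": DROP}},
]}]}}

# Same family, repacked: identical call order plus one inserted delay call.
REPORT_B = copy.deepcopy(REPORT_A)
REPORT_B["behavior"]["processes"][0]["calls"].insert(
    3, {"api": "NtDelayExecution", "category": "system", "arguments": {"milliseconds": "5000"}})

# A benign document reader, for contrast.
REPORT_C = {"behavior": {"processes": [{"process_name": "reader.exe", "pid": 2222, "calls": [
    {"api": "NtCreateFile", "category": "file", "arguments": {"filepath": r"C:\Users\x\Documents\a.txt"}},
    {"api": "NtReadFile", "category": "file", "arguments": {"filepath": r"C:\Users\x\Documents\a.txt"}},
    {"api": "NtClose", "category": "file", "arguments": {}},
]}]}}


class Signature:
    """A behavior-log pattern: a name, a Cuckoo-style severity (1-5) and a
    predicate evaluated against every recorded API call."""
    def __init__(self, name: str, severity: int, predicate: Callable[[Call], bool]):
        self.name, self.severity, self.predicate = name, severity, predicate


def iter_calls(report: dict) -> Iterator[Tuple[str, Call]]:
    """Yield (process_name, call) for every call of every process, in log order."""
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            yield str(proc.get("process_name", "?")), call


def _arg(call: Call, key: str) -> str:
    return str(call.get("arguments", {}).get(key, ""))


SIGNATURES = [
    Signature("persistence_autorun", 3,
              lambda c: str(c["api"]).startswith("RegSetValue")
              and RUN_KEY.lower() in _arg(c, "regkey").lower()),
    Signature("drops_executable_appdata", 2,
              lambda c: c["api"] == "NtWriteFile"
              and re.search(r"\\appdata\\.*\.exe$", _arg(c, "filepath"), re.I) is not None),
    Signature("network_connect", 1,
              lambda c: str(c["api"]).startswith("InternetConnect") and _arg(c, "hostname") != ""),
]


def run_signatures(report: dict, signatures: List[Signature] = SIGNATURES) -> List[dict]:
    """Match every signature against the behavior log; each hit keeps the
    calls ("marks") that triggered it. Result is sorted by descending severity."""
    matched = []
    for sig in signatures:
        marks = [{"process": p, "api": c["api"], "arguments": c.get("arguments", {})}
                 for p, c in iter_calls(report) if sig.predicate(c)]
        if marks:
            matched.append({"name": sig.name, "severity": sig.severity, "marks": marks})
    return sorted(matched, key=lambda m: -m["severity"])


def malscore(matched: List[dict]) -> float:
    """Sum of matched severities; deliberately uncapped, which is why a score
    can exceed the nominal maximum of 10 when many patterns fire."""
    return float(sum(m["severity"] for m in matched))


def api_sequence(report: dict) -> List[str]:
    return [str(c["api"]) for _, c in iter_calls(report)]


def order_similarity(report_x: dict, report_y: dict) -> float:
    """Order-sensitive similarity (0..1) of the two API call sequences."""
    return SequenceMatcher(None, api_sequence(report_x), api_sequence(report_y)).ratio()


def set_similarity(report_x: dict, report_y: dict) -> float:
    """Order-insensitive Jaccard similarity of the API name sets, for contrast."""
    x, y = set(api_sequence(report_x)), set(api_sequence(report_y))
    return len(x & y) / len(x | y) if x | y else 0.0


if __name__ == "__main__":
    hits = run_signatures(REPORT_A)
    print([(h["name"], h["severity"]) for h in hits], "score:", malscore(hits))
    print("A~B order: %.3f  A~C order: %.3f" % (order_similarity(REPORT_A, REPORT_B),
                                                order_similarity(REPORT_A, REPORT_C)))
```

The repacked variant keeps a high order similarity while the benign reader scores low, which is what makes call-order comparison useful for grouping samples that hash-based comparison misses.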
 Functionalities (4/5)
 Mass analysis
 Ability to separate functions
 Functionalities (5/5)
Flow 1 - Core (analyzing and reporting):
Start -> Submit -> Start analyzing -> End analyzing -> Generate report -> Other malware? (Yes: back to Submit / No: End)
Flow 2 - Core (analyzing) with Sub Core (reporting):
Core: Start -> Submit -> Start analyzing -> End analyzing -> Other malware? (Yes: back to Submit / No: End)
Sub Core: Generate report -> Other report? (Yes: next report / No: End)
 http://192.168.0.100:8000
 Demonstration
 JOESandbox Cloud- https://joesecurity.org/joe-security-products
 BASIC version - (Only Online) Windows + Android
 PRO version - (Standalone) + macOS + iOS + API + Cookbook (Virtual and physical support) + ...
 Report Sample
 Other automated malware analysis tools (1/3)
 Hybrid-analysis - https://www.hybrid-analysis.com/
 Free Service - Only Win7, Only File, Analysis submit limit 30, Sample download
 Private Cloud - Win 10, IoC, YARA, URL, Various reports
 Full Standalone - SIEM system integration(CEF syslog), Custom signature test, Memory dump
 Report Sample
 Other automated malware analysis tools (2/3)
 any.run - https://any.run/
 Semi-automated cloud malware analysis tool
• Free
• Live access to the virtual machines
 Report Sample
 Other automated malware analysis tools (3/3)
Section contents
Cyber Security Intelligence
 Other automated malware analysis tools
 Cyber Security Intelligence
 Used by many intelligence analysts
 Binary intelligence & limitation
 Purpose
 Identify attacker
 Predict the future through the past
• Incident Response (establish preventive policy)
Cyber Security Intelligence
 Cyber Security Intelligence
Tactics, Techniques and Procedures
https://en.wikipedia.org/wiki/PLA_Unit_61398
http://detect-respond.blogspot.kr/2013/03/the-pyramid-of-pain.html
 Automated malware analysis and Cyber Security Intelligence
 Purpose
• Automatically analyze numerous malware and accumulate analytical data
 Used by many intelligence analysts
 VirusTotal used Cuckoo Sandbox
 Cyber Security Intelligence
 Used by many intelligence practitioners in cyber security
 Cyber Security Intelligence
https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
 Used by many intelligence practitioners in cyber security
 Cyber Security Intelligence
https://www.rsaconference.com/writable/presentations/file_upload/anf-t10_implementing-an-automated-incident-response-architecture.pdf
 Used by many intelligence practitioners in cyber security
 Cyber Security Intelligence
https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf
 Papers related to Cuckoo Sandbox
 Cyber Security Intelligence
• www.cs.ucsb.edu/~vigna/publications/2014_USENIX_BareCloud.pdf (2014, USENIX)
• adamdoupe.com/publications/towards-automated-threat-intelligence-fusion-cic2016.pdf (2016, IEEE)
• nsl.cs.waseda.ac.jp/~mori/papers/ccnc15-fujino-sumitted.pdf (2015, IEEE)
• arxiv.org/pdf/1709.08753.pdf (2017, IEEE)
 Binary intelligence
 Roughly the same as client-side intelligence, but not strictly
 Statistics of the various attack types used by binaries
 If a lot of malware is collected, associations can be analyzed
 Limitation of binary intelligence
 Counter intelligence
• Vulnerability of evidence
 More data is needed to overcome this
• Server-side intelligence is needed
▪ But there is no ownership and no investigation
 Binary intelligence & limitation
Section contents
Conclusion
 Matthew Effect
 [OR] Next Project
 with Digital Forensics
Conclusion
 Matthew Effect
The Matthew Effect: more data leads to better quality information
 with Digital Forensics
 Include the Digital Forensics process in Incident Response
 Importance of DFIR
• But, availability vs. integrity
 So many questions (Can ~ be evidence?)
 Can information gathered from the Internet be evidence?
 Can malware analysis information be evidence?
 Can data without a chain of custody be evidence?
 Can data collected from untrusted tools be evidence?
 ...
 No!
 The state of digital evidence in Korea is very regrettable
• And it is too difficult to keep up with the speed of rapid development
• Rapid singularity!!
 Information collected by intelligence activities cannot be evidence
Q & A
The End

 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 

Automated Malware Analysis and Cyber Security Intelligence

  • 1. Automated Malware Analysis and Cyber Security Intelligence. Department of Forensic Science, Digital Forensics major, 최우석
  • 2. AMA and Cyber Security Intelligence (2): Introduce myself
    ▪ Name: 최우석
    ▪ Affiliation: team lead, f-NGS Lab, Korea Information Security Education Center (한국정보보호교육센터); Sungkyunkwan University Graduate School, Department of Forensic Science, 3rd cohort
    ▪ Main work: cyber security research
    ▪ Writing: coming soon with 에이콘
    ▪ Other: consulting (security assessment: web site assessment, attack-scenario-based consulting); lectures (malware; NISA, Financial Security Institute (금보원), SKT, Nexon, Money Today, 쿠시스, Ministry of Trade, Industry and Energy, Convergence Security Support Center, etc.); talks (CodeEngn, 신한시큐어, KIISC (한국정보보호학회), KISA, FIOS, etc.); community activity (Forensic Insight, S2M)
  • 3. AMA and Cyber Security Intelligence (3): Goals of my life: history & overview; development & creation; distribution & infection; investigation & analysis; recovery & response; prevention & management. Playing.
  • 4. Contents: Cuckoo Sandbox Environment; Introduction to Cuckoo Sandbox; Cyber Security Intelligence; Conclusion
  • 5. Section contents, Cuckoo Sandbox Environment: Malware Trend; Types of Malware Analysis Method; Open Source License; Open Source License Comparison; Sandbox; Hypervisor; Hypervisor in Cuckoo Sandbox; Honeypot Project; Types of Honeypot Project
  • 6. Cuckoo Sandbox Environment (6): Malware Trend. Charts: Total Malware, New Malware. Source: https://www.av-test.org/en/statistics/malware/
  • 7. Cuckoo Sandbox Environment (7): Types of Malware Analysis Method
    ▪ Initial analysis: Basic static analysis (AV test; calculating hashes; detecting packers/obfuscation; extracting strings) and Basic dynamic analysis (process monitoring; network monitoring; analyzing the file system; analyzing the registry)
    ▪ Detail analysis: Advanced static analysis (analyzing the file format; analyzing implicitly linked DLLs; disassembling; decompiling) and Advanced dynamic analysis (debugging; analyzing explicitly linked DLLs; analyzing memory; analyzing hidden functions)
  • 8. Cuckoo Sandbox Environment (8): Types of Malware Analysis Method in Cuckoo Sandbox. The same matrix as slide 7 (Basic static, Basic dynamic, Advanced static, Advanced dynamic; Initial analysis vs. Detail analysis), with each item marked Implemented or Unimplemented in the slide graphic.
  • 9. Cuckoo Sandbox Environment (9): Open Source License, 2016 top 5 (source: https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends): GNU GPL 2.0 & 3.0 34%; MIT 25%; Apache 2.0 15%; BSD 3 6%; GNU LGPL 2.1 6%; Other 14%
  • 10. Cuckoo Sandbox Environment (10): Open Source License Comparison (source: http://www.bloter.net/archives/209318)

    License  | Link  | Distribute     | Modify         | Patent | Private use | Re-license     | Brand
    GNU GPL  | Self  | Non-commercial | Non-commercial | O      | O           | Non-commercial | O
    MIT      | O     | O              | O              | X      | O           | O              | X
    Apache   | O     | O              | O              | O      | O           | O              | X
    BSD      | O     | O              | O              | X      | O           | O              | X
    GNU LGPL | Limit | Non-commercial | Non-commercial | O      | O           | Non-commercial | O
  • 11. Cuckoo Sandbox Environment (11): Sandbox
    ▪ A sandbox is a mechanism for separating execution regions in cyber security
    ▪ Controlled by hardware or software resources
    ▪ Sandboxes mainly use virtualization
    ▪ Virtualization: CPU-dependent; hypervisor; virtual machines
  • 12. Cuckoo Sandbox Environment (12): Hypervisor
    ▪ Types of hypervisor: Type 1 - VT-d support in the CPU; Type 2 - VT-x support in the CPU
    ▪ Diagram: Type 1 stack is Hardware > Type 1 Hypervisor > OS; Type 2 stack is Hardware > Host OS > Type 2 Hypervisor > Guest OS
  • 13. Cuckoo Sandbox Environment (13): Hypervisor in Cuckoo Sandbox
    ▪ Purchasing a computer for each operating system is a waste: hardware cost, OS cost, electricity cost, wasted computer resources
    ▪ Malware analysis requires an isolated environment
    ▪ In Cuckoo Sandbox: if the host OS is Ubuntu, it is uncomfortable to use; for this reason, nested virtualization is used; nested virtualization is supported in VMware Workstation (Type 2)
    ▪ Diagram: Hardware > Host OS (Windows 10) > Type 2 Hypervisor (VMware Workstation) > Guest OS (Ubuntu Server) and Guest OS (Ubuntu Desktop) > Type 2 Hypervisor (VirtualBox) > Sandboxes
  • 14. Cuckoo Sandbox Environment (14): Honeypot Project
    ▪ Requirements: easily exposed to attackers (intentionally set to be vulnerable; configured for a variety of situations); monitor everything that accesses the system
    ▪ Types of honeypot project: Honeynet (built at the infrastructure level; the early honeypot project); Client honeypot (also called HoneyClient; runs at the client level; mainly Internet security)
  • 15. Cuckoo Sandbox Environment (15): Types of Client Honeypot
    ▪ High-interaction client honeypot: similar to the real environment. Pros: ability to detect new attacks. Cons: high performance deviation, high cost, a lot of time wasted
    ▪ Low-interaction client honeypot: simulation. Pros: low performance deviation, low cost, fast detection. Cons: no new-attack detection
    ▪ Hybrid client honeypot: first detection uses a low-interaction honeypot, second detection uses a high-interaction honeypot
  • 16. Section contents, Introduction Cuckoo Sandbox: History of Cuckoo Sandbox; Analyzable file types; Operating principle; Pros and Cons; Technology; Functionalities; Demonstration
  • 17. Introduction Cuckoo Sandbox (17): History of Cuckoo Sandbox (timeline 2010-2017; the slide graphic places the items on a year axis)
    ▪ Releases: Feb v0.1; Nov v0.2; Dec v0.3; Feb v0.32; Jul v0.4; Aug v0.41; Sep v0.42; Dec v0.5; Apr v0.6; Jan v1.0; Apr v1.1; Oct v1.1.1; Mar v1.2; Jan v2.0 RC1; Jan v2.0 RC2
    ▪ Milestones: Honeynet Project Google SoC; Rapid7's Magnificent7; Malwr; Brucon 2013; Blackhat 2013; Open Cuckoo Foundation; Consultancy Service; Malwr Reload; New Website
  • 18. Introduction Cuckoo Sandbox (18): Analyzable file types: basic Windows files; scriptable files; Office files; 3rd-party application files
  • 19. Introduction Cuckoo Sandbox (19): Operating principle. Diagram: Submit Malware > Web Service > Core > Sandbox (all inside Cuckoo Sandbox); Analyzed Data flows back from the Sandbox through the Core, and the Web Service produces the Report
  • 20. Introduction Cuckoo Sandbox (20): Pros and Cons (1/2), Pros
    ▪ Open source code
    ▪ Written in Python
    ▪ Provides both CLI and GUI modes
    ▪ Provides a REST API: controlled over HTTP; system connectivity
    ▪ Continuous bug patches and version upgrades: user community and feedback from researchers
    ▪ Multiple sandboxes can be configured, if system resources remain...
    ▪ Feedback on the latest malware issues, e.g. the added DDE analysis function
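The submit, poll and report cycle that the REST API exposes, as an added example in Python (not Cuckoo's own code): a small client that drives a Cuckoo 2.x core over HTTP. The endpoint paths, the task status values and the default API port 8090 are assumptions taken from the Cuckoo 2.x REST API documentation, and the transport is injectable so the block runs offline against the constructed fake core at the bottom.

```python
"""Drive a Cuckoo 2.x core through its REST API: submit a file, poll the task
until it reaches a final state, then fetch the JSON report. Added example;
endpoint shapes are assumed from the Cuckoo 2.x REST API documentation."""
import time

FINAL_STATES = {"reported", "failed_analysis", "failed_processing"}  # assumed task states


class CuckooClient:
    # `transport` needs get(url) -> dict and post(url, files) -> dict; a thin
    # wrapper over requests.Session (r.raise_for_status(); return r.json()) fits.
    def __init__(self, base_url, transport, poll_interval=2.0, max_polls=300):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.poll_interval = poll_interval
        self.max_polls = max_polls  # bounded wait: a stuck sandbox must not hang us

    def submit_file(self, filename, data):
        # POST /tasks/create/file (multipart field "file") -> {"task_id": N}
        resp = self.transport.post(self.base_url + "/tasks/create/file",
                                   files={"file": (filename, data)})
        return int(resp["task_id"])

    def task_status(self, task_id):
        # GET /tasks/view/<id> -> {"task": {"status": "pending" | ... | "reported"}}
        url = f"{self.base_url}/tasks/view/{task_id}"
        return self.transport.get(url)["task"]["status"]

    def wait(self, task_id):
        """Poll until a final state; raise instead of looping forever."""
        for _ in range(self.max_polls):
            status = self.task_status(task_id)
            if status in FINAL_STATES:
                return status
            time.sleep(self.poll_interval)
        raise TimeoutError(f"task {task_id} not final after {self.max_polls} polls")

    def analyze(self, filename, data):
        """Submit, wait, fetch; returns (task_id, final_status, report_or_None)."""
        task_id = self.submit_file(filename, data)
        status = self.wait(task_id)
        if status != "reported":
            return task_id, status, None
        # GET /tasks/report/<id> -> the JSON report as a dict
        return task_id, status, self.transport.get(f"{self.base_url}/tasks/report/{task_id}")


class FakeCuckooTransport:
    """Constructed stand-in for a core: each task walks pending -> running -> completed -> outcome."""
    def __init__(self, outcome="reported"):
        self.outcome, self.next_id, self.polls = outcome, 1, {}

    def post(self, url, files):
        assert url.endswith("/tasks/create/file") and "file" in files
        task_id, self.next_id = self.next_id, self.next_id + 1
        self.polls[task_id] = 0
        return {"task_id": task_id}

    def get(self, url):
        kind, task_id = url.rsplit("/", 2)[-2:]
        task_id = int(task_id)
        if kind == "view":
            ladder = ["pending", "running", "completed", self.outcome]
            status = ladder[min(self.polls[task_id], len(ladder) - 1)]
            self.polls[task_id] += 1
            return {"task": {"id": task_id, "status": status}}
        assert kind == "report", url
        return {"info": {"id": task_id}, "behavior": {"processes": []}}
```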
  • 21. Introduction Cuckoo Sandbox (21): Pros and Cons (2/2), Cons
    ▪ Core functionality is documented well, but documentation of additional functionality is insufficient
    ▪ If you encounter problems, report an issue or fix the source code yourself; solving an issue is optional
    ▪ Functionalities may be removed without prior consent
    ▪ Releases progress even if unfinished: improvement by participants; may affect business operations
    ▪ Not all malware is analyzed well: environment configuration is very important; weakness against anti-analysis techniques (anti-debugging, anti-virtualization, ...)
    ▪ Limitation of detailed analysis: cannot analyze functions that depend on specific commands
  • 22. Introduction Cuckoo Sandbox (22): Environment
    ▪ Cuckoo core server: Ubuntu 16.04 LTS Desktop 64-bit; 4-core CPU, 16 GB memory
    ▪ Sandbox x5: Win7 SP1 64-bit; 1-core CPU, 1024 MB memory
    ▪ Cuckoo Sandbox application: 2.0.5.3
  • 23. Introduction Cuckoo Sandbox (23): Infrastructure. Diagram: Host OS > Type 2 Hypervisor > Type 2 Hypervisor > Cuckoo Core Service (Ubuntu 16.04 Desktop) and Other Service (Ubuntu 16.04 Server)
  • 24. Introduction Cuckoo Sandbox (24): Technology (1/3)
    ▪ Database: scheduling - RDBMS (SQLite, PostgreSQL, MariaDB); web - NoSQL (MongoDB); search - NoSQL (Elasticsearch)
    ▪ Supported hypervisor types: Type 1 - XenServer, VMware (ESX, vSphere), KVM, QEMU; Type 2 - VMware Workstation, VirtualBox; physical sandbox - FOG Project; Android emulation - AVD
    ▪ Memory: Volatility (with baseline analysis)
  • 25. Introduction Cuckoo Sandbox (25): Technology (2/3)
    ▪ Pattern and signature: network pattern - Snort, Suricata; static binary pattern - YARA; behavior log pattern - only usable in Cuckoo Sandbox, written in Python
    ▪ Network: types of network line - proxy, VPN, Tor network; analysis - Moloch, mitmproxy
    ▪ Server: main web service - Django; distributed and API service - Werkzeug; changing the server type to Nginx + uWSGI increases stability
  • 26. Introduction Cuckoo Sandbox (26): Technology (3/3)
    ▪ Behavior analysis: the agent communicates with the Cuckoo core using the XML-RPC protocol
    ▪ Report types: HTML, PDF, JSON, web service
    ▪ Intelligence: MISP
    ▪ System management: Icinga, Supervisord
    ▪ Android analysis support: Google Play, Droidmon, ApkInfo
    ▪ Etc.: VirusTotal, certificate pinning for PE files
  • 27. Introduction Cuckoo Sandbox (27): Functionalities (1/5)
    ▪ Hashes for malware: ssdeep, imphash
    ▪ Support for archive-type malware: e-mail, OLE, ZIP
    ▪ Analyzing lateral movement: announced in 2.0-RC1, but not implemented
    ▪ Network routing: no routing, drop routing, dirty line, INetSim, Tor, VPN
    ▪ TLS/HTTPS capturing and decrypting: mitmproxy, HTTPReplay; but it has some problems, and HTTPReplay does not implement certificate pinning
  • 28. Introduction Cuckoo Sandbox (28): Functionalities (2/5)
    ▪ Baseline analysis in memory analysis: it is not documented!! Only in the JSON report (not shown in the web report)
    ▪ Extracting URLs from process memory: when I tested with a memory-DNS malware, this function did not extract the URL.
    ▪ Static binary pattern and behavior log pattern: the static binary pattern uses YARA; the behavior log pattern has to use Cuckoo's own functions, so Python programming is needed; YARA 3.7.1 can use the Cuckoo Sandbox dependency function, but Cuckoo Sandbox 2.0.5.3 does not support YARA 3.7.1
  • 29. Introduction Cuckoo Sandbox (29): Functionalities (3/5)
    ▪ Maliciousness quantification: uses the behavior log pattern; the maximum is 10, but exceeding 10 is possible
    ▪ Comparing malware: uses the API call order; it is well implemented in the 1.x versions, but in the 2.x versions
    ▪ Implementing a distributed system: it is not documented!! Implemented using the REST API service; provides dedicated web services; gevent for the asynchronous system, greenlet for coroutines; not enough: no support for an integrated database, and only a single file type is analyzed
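The behavior log pattern of slide 28 and the maliciousness score and API-call-order comparison of slide 29, worked through in Python as an added example rather than Cuckoo's own signature engine: the report layout follows Cuckoo 2.x's JSON report (behavior.processes[].calls[] with api and arguments), but the reports, the pattern names and the severities below are constructed for the example.

```python
"""Match behaviour-log patterns against a Cuckoo-style API call log, score the
sample, and compare two samples by API call order. Added example; the layout
behavior.processes[].calls[].api/arguments follows Cuckoo 2.x, reports are constructed."""
from difflib import SequenceMatcher

RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

def make_report(name, calls):
    """Wrap ordered (api, arguments) pairs as a one-process Cuckoo-style report."""
    return {"behavior": {"processes": [{"process_name": name, "calls": [
        {"api": api, "arguments": args} for api, args in calls]}]}}

# Constructed: registry persistence followed by remote-thread injection.
REPORT_A = make_report("sample_a.exe", [
    ("NtCreateFile", {"filepath": "C:\\Users\\u\\a.tmp"}),
    ("RegOpenKeyExW", {"regkey": RUN_KEY}),
    ("RegSetValueExW", {"regkey": RUN_KEY + "\\updater", "value": "C:\\Users\\u\\a.exe"}),
    ("OpenProcess", {"process_identifier": 1234}),
    ("VirtualAllocEx", {"process_handle": "0x1c8", "size": 4096}),
    ("WriteProcessMemory", {"process_handle": "0x1c8"}),
    ("CreateRemoteThread", {"process_handle": "0x1c8"}),
    ("NtClose", {"handle": "0x1c8"})])
# Constructed: a downloader that opens the Run key but never writes to it.
REPORT_B = make_report("sample_b.exe", [
    ("NtCreateFile", {"filepath": "C:\\Users\\u\\b.tmp"}),
    ("RegOpenKeyExW", {"regkey": RUN_KEY}),
    ("InternetOpenA", {"agent": "Mozilla/4.0"}),
    ("InternetOpenUrlA", {"url": "http://example.invalid/payload.bin"}),
    ("InternetReadFile", {"handle": "0x2a0"}),
    ("NtClose", {"handle": "0x1f0"})])

# Behaviour-log patterns: APIs that must occur in this order (gaps allowed);
# `arg_contains` additionally requires every matched call to carry that substring.
PATTERNS = [
    {"name": "persistence_run_key", "severity": 3, "arg_contains": "CurrentVersion\\Run",
     "apis": ["RegOpenKeyExW", "RegSetValueExW"]},
    {"name": "process_injection", "severity": 5,
     "apis": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]},
    {"name": "network_download", "severity": 2,
     "apis": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"]},
]

def api_sequence(report):
    """Ordered API names across all processes in the report."""
    return [c["api"] for p in report["behavior"]["processes"] for c in p["calls"]]

def pattern_matches(report, pattern):
    """Ordered-subsequence match over the call log, honouring the argument filter."""
    needle, want, idx = pattern["apis"], pattern.get("arg_contains"), 0
    for call in (c for p in report["behavior"]["processes"] for c in p["calls"]):
        if call["api"] != needle[idx]:
            continue
        if want and not any(want in str(v) for v in call.get("arguments", {}).values()):
            continue
        idx += 1
        if idx == len(needle):
            return True
    return False

def malicious_score(report):
    # Sum of matched severities; the slide notes the score is nominally capped at 10
    # yet can exceed it, so the raw sum is returned and capping is left to the caller.
    return sum(p["severity"] for p in PATTERNS if pattern_matches(report, p))

def call_order_similarity(report_x, report_y):
    """0.0..1.0 similarity of two API call orders (difflib ratio over the sequences)."""
    return SequenceMatcher(None, api_sequence(report_x), api_sequence(report_y)).ratio()
```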
  • 30. Introduction Cuckoo Sandbox (30): Functionalities (4/5) (slide is graphic only)
  • 31. Introduction Cuckoo Sandbox (31): Functionalities (5/5): mass analysis; ability to separate functions
    ▪ Flowchart, single core (analyzing and reporting): Start > Submit > Start analyzing > End analyzing > Generate report > Other malware? Yes: Submit again; No: End
    ▪ Flowchart, Core (analyzing) plus Sub Core (reporting): Start > Submit > Start analyzing > End analyzing > Other malware? Yes: Submit again; No: End. Sub Core: Generate report > Other report? Yes: generate the next report; No: End
  • 33. Introduction Cuckoo Sandbox (33): Other automated malware analysis tools (1/3)
    ▪ Joe Sandbox Cloud - https://joesecurity.org/joe-security-products
    ▪ BASIC version (online only): Windows + Android
    ▪ PRO version (standalone): + macOS + iOS + API + Cookbook (virtual and physical support) + ...
    ▪ Report sample
  • 34. Introduction Cuckoo Sandbox (34): Other automated malware analysis tools (2/3)
    ▪ Hybrid Analysis - https://www.hybrid-analysis.com/
    ▪ Free service: Win7 only, files only, submission limit of 30, sample download
    ▪ Private cloud: Win 10, IoCs, YARA, URLs, various reports
    ▪ Full standalone: SIEM integration (CEF syslog), custom signature testing, memory dump
    ▪ Report sample
  • 35. Introduction Cuckoo Sandbox (35): Other automated malware analysis tools (3/3)
    ▪ ANY.RUN - https://any.run/
    ▪ Semi-automated cloud malware analysis tool: free; live access to the virtual machines
    ▪ Report sample
  • 36. Section contents, Cyber Security Intelligence: Other automated malware analysis tools; Cyber Security Intelligence; Used by many intelligence analysts; Binary intelligence & limitation
  • 37. Cyber Security Intelligence (37): Cyber Security Intelligence
    ▪ Purpose: identify the attacker; predict the future through the past (incident response: establish preventive policy)
    ▪ Tactics, Techniques and Procedures. Sources: https://en.wikipedia.org/wiki/PLA_Unit_61398 and http://detect-respond.blogspot.kr/2013/03/the-pyramid-of-pain.html
  • 38. Cyber Security Intelligence (38): Cyber Security Intelligence
    ▪ Automated malware analysis and cyber security intelligence: the purpose is to automatically analyze numerous malware samples and accumulate analytical data
    ▪ Used by many intelligence analysts: VirusTotal used Cuckoo Sandbox
  • 39. Cyber Security Intelligence (39): Used by many intelligence analysts in cyber security. Source: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Open-Source-Threat-Intelligence-Kyle-Maxwell.pdf
  • 40. Cyber Security Intelligence (40): Used by many intelligence analysts in cyber security. Source: https://www.rsaconference.com/writable/presentations/file_upload/anf-t10_implementing-an-automated-incident-response-architecture.pdf
  • 41. Cyber Security Intelligence (41): Used by many intelligence analysts in cyber security. Source: https://sector.ca/wp-content/uploads/presentations16/simmons%20Open%20Source%20Malware%20Lab%20SecTor.pdf
  • 42. Cyber Security Intelligence (42): Papers related to Cuckoo Sandbox
    ▪ 2014, USENIX: www.cs.ucsb.edu/~vigna/publications/2014_USENIX_BareCloud.pdf
    ▪ 2016, IEEE: adamdoupe.com/publications/towards-automated-threat-intelligence-fusion-cic2016.pdf
    ▪ 2015, IEEE: nsl.cs.waseda.ac.jp/~mori/papers/ccnc15-fujino-sumitted.pdf
    ▪ 2017, IEEE: arxiv.org/pdf/1709.08753.pdf
  • 43. Cyber Security Intelligence (43): Binary intelligence & limitation
    ▪ Binary intelligence: roughly the same as client-side intelligence, but not strictly; statistics on the various attack types used by binaries; if a lot of malware is collected, associations can be analyzed
    ▪ Limitations of binary intelligence: counter-intelligence (vulnerability of the evidence); more data is needed to overcome it (server-side intelligence is needed, but there is no ownership and no investigation)
  • 44. Section contents, Conclusion: Matthew Effect; [OR] Next Project; with Digital Forensics
  • 45. Conclusion (45): Matthew Effect. The Matthew Effect = much data is good-quality information
  • 46. Conclusion (46): with Digital Forensics
    ▪ Include the digital forensics process in incident response
    ▪ Importance of DFIR, but availability vs. integrity
    ▪ So many questions (can ~ be evidence?): Can information gathered from the Internet be evidence? Can malware analysis information be evidence? Can data without a chain of custody be evidence? Can data collected with untrusted tools be evidence? ... No!
    ▪ Digital evidence is in a very regrettable state in Korea; and it is too difficult to keep up with the speed of rapid development (rapid singularity!!)
    ▪ Information collected by intelligence activities cannot be evidence
  • 47. Q & A