1. IT Professions in the Anti-Malware Industry
Seminar, 15 April 2015
Roberto Sponchioni
Sr. Anti-Malware Engineer
2. Who am I?
• Working as a Senior Anti-Malware Engineer @ Symantec
• Worked as a Security Consultant (PT/VA, Incident Response)
• Graduated from University of Milan (DTI)
Copyright © 2014 Symantec Corporation
3. A long series of data breaches
Some examples…
4. A long series of data breaches in the US
Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
8. Different types of malware, different purposes
• DDoS botnets (Backdoor.Zemra, Linux.Shelldos, Linux.Xnote, etc.)
• Banking malware (Zbot, Carberp, etc.)
• Ransomlock & Cryptolocker (screen-locking and file-encrypting ransomware)
• Mobile malware
• Information-stealing malware (Rodagose, Rawpos, Steem, etc.)
• APTs (zero-day exploits, ad-hoc malware, spear-phishing, etc.)
• State-sponsored / cyberespionage (Stuxnet, etc.)
• Exploit kits (Blackhole, Angler, Rig, etc.)
9. It’s easy to build your own malware…
10. What would you do to protect yourself / your company?
• User education
• Antivirus / security products
• Reputation systems
• Firewall
• IDS/IPS sensors within the network
• Follow best practices (ISO-27001, etc.)
11. Let’s look at some figures…
12. Let’s look at some figures…
• How much malware/adware/PUAs (potentially unwanted applications) do we see?
• ~190M in one month, i.e. ~6M per day
13. Let’s look at some figures…
• In total, across network and file telemetry:
• ~250M in one month, i.e. ~8M per day
14. Let’s look at some figures…
• Number of reputation queries?
• ~40 billion (URLs) + ~35 billion (files)
15. The need for specialists!
IT professionals work hard to protect our data
Malware Researchers, QA, Developers, Network Security Specialists, Incident Responders
17. What do we do in Security Response?
Let’s have a look at some examples…
18. Let’s try to identify a malware sample…
What would you do to identify a malicious file?
• File structure analysis
• Behavioural analysis
– Network analysis
– File system changes
– Registry changes
– Etc.
• Code analysis & debugging
– Identify hidden functionalities
– Forcing the code to follow different branches
– Etc.
19. File structure analysis
What would you do to identify a malicious file?
• EXE icon
• Packer identification
– Normal executable: header, code, data
– Packed executable: header, compressed/encrypted code + data, packer's (unpacking) code
• Suspicious data
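The packer checks on this slide can be automated before a sample ever reaches a debugger. The script below is an added example written for this page, not Symantec's tooling: it walks the PE headers by hand, computes per-section entropy and reports the layout differences sketched above (packer section names, an empty section reserved for the unpacked image, high-entropy data, entry point in the last section). The two samples are constructed in code so it runs offline; the packer name list is a heuristic assumption, not an authoritative table.

```python
import math
import struct

# Section names written by common packers. Constructed for this example from
# public knowledge of those packers; a heuristic list, not an authoritative one.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b"MPRESS1", b"MPRESS2", b".themida", b".vmp0", b".vmp1", b".nsp0", b".nsp1",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Follow DOS header -> PE signature -> COFF header -> optional header -> section table.
    Returns (AddressOfEntryPoint, [(name, virtual_address, virtual_size, raw_bytes), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return entry_rva, sections


def packer_indicators(pe: bytes) -> dict:
    """The first checks an analyst makes: packer-specific section names, high-entropy
    sections, an empty section reserved for the unpacked image, and an entry point
    inside the last section (where an appended unpacking stub usually lives)."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for name, vaddr, vsize, raw in sections:
        entropy = shannon_entropy(raw)
        if name in PACKER_SECTION_NAMES:
            findings.append(f"section {name!r} is a known packer section name")
        if len(raw) >= 256 and entropy > 7.0:
            findings.append(f"section {name!r} has entropy {entropy:.2f} (compressed/encrypted data)")
        if not raw and vsize >= 0x1000:
            findings.append(f"section {name!r} has no raw data but {vsize:#x} bytes of virtual size (room for the unpacked image)")
        if vaddr <= entry_rva < vaddr + max(vsize, len(raw)):
            entry_section = name
    if len(sections) > 1 and entry_section == sections[-1][0]:
        findings.append(f"entry point {entry_rva:#x} lies in the last section {entry_section!r}")
    return {"entry_section": entry_section, "findings": findings, "packed": len(findings) >= 2}


def build_pe(entry_rva: int, sections):
    """Assemble a minimal, non-executable PE32 image so the example runs offline.
    Constructed test input, not a real sample. sections: [(name, vaddr, vsize, raw_bytes)]."""
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += b"\0" * (opt_size - len(opt))
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, blobs = b"", b""
    for name, vaddr, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + blobs


# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED_SAMPLE = build_pe(0x9100, [
    (b"UPX0", 0x1000, 0x8000, b""),
    (b"UPX1", 0x9000, 0x3000, bytes(range(256)) * 4),   # uniform bytes: entropy 8.0
])
NORMAL_SAMPLE = build_pe(0x1010, [
    (b".text", 0x1000, 0x400, b"\x55\x8b\xec\x83\xec\x10" * 100),
    (b".data", 0x2000, 0x200, b"Hello, world\0" * 30),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(label, packer_indicators(sample))
```

The "packed" verdict needs two independent indicators, because a single high-entropy section is normal for a resource section holding compressed images, and a signed installer can legitimately carry a UPX-named section.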
20. Behavioural analysis
What would you do to identify a malicious behavior?
• File system changes (e.g. lowered security settings)
• Registry changes (e.g. autorun keys)
• Network traffic
21. Code analysis & debugging
What can you do if you have the ASM code?
• Identify hidden functionalities
• Identify malware capabilities such as propagation, load points,
infection, and C&C server communications
• Identify encryption and compression algorithms used
• Identify portions of code/data that can be used to detect the threat
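Identifying the encryption or checksum algorithm a sample uses rarely needs a full read of the routine: the standard tables (AES S-box, MD5/SHA initial state, SHA-256 round constants, the CRC-32 lookup table) survive in the data section even when the code is obfuscated. The scanner below is an added example for this page, not a Symantec tool; the constant values come from the public specifications, and the memory dump it scans is constructed inline.

```python
import struct

# Word tables from the public specifications. They survive in a binary's data even
# when the surrounding code is obfuscated, so they are a quick way to tell which
# algorithm a sample's "decrypt" routine implements before reading it in a debugger.
WORD_TABLES = {
    "MD5 / SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],   # SHA-1 adds E = 0xC3D2E1F0
    "SHA-256 round constants K[0..3]": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "CRC-32 table for polynomial 0xEDB88320": [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA],
}
# Byte tables have no endianness to worry about.
BYTE_TABLES = {
    "AES forward S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
}
# RC4 and simple XOR/LCG schemes have no fixed constants; those are recognised from
# the loop structure (256-byte KSA swap loop, rolling key byte) rather than from data.


def build_patterns():
    patterns = [(name, table) for name, table in BYTE_TABLES.items()]
    for name, words in WORD_TABLES.items():
        fmt = "%dI" % len(words)
        patterns.append((name + " (little-endian)", struct.pack("<" + fmt, *words)))
        patterns.append((name + " (big-endian)", struct.pack(">" + fmt, *words)))
    return patterns


def find_crypto_constants(blob: bytes):
    """Return [(offset, description)] for every occurrence of a known table in blob."""
    hits = []
    for name, pattern in build_patterns():
        start = blob.find(pattern)
        while start >= 0:
            hits.append((start, name))
            start = blob.find(pattern, start + 1)
    return sorted(hits)


def algorithms_present(blob: bytes):
    """Collapse the hits to the set of algorithm names, ignoring endianness."""
    return {name.split(" (")[0] for _, name in find_crypto_constants(blob)}


# Constructed sample: filler "code", then a CRC-32 table, the AES S-box and an
# MD5 state block stored big-endian, as they might appear in an unpacked dump.
SAMPLE_DUMP = (
    b"\x55\x8b\xec" * 8                                                    # 24 bytes of filler
    + struct.pack("<4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA)  # offset 24
    + b"\0" * 8
    + bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")                    # offset 48
    + b"decrypt_payload\0"                                                 # 16 bytes
    + struct.pack(">4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # offset 80
)

if __name__ == "__main__":
    for offset, name in find_crypto_constants(SAMPLE_DUMP):
        print(f"{offset:#06x}  {name}")
```

A hit gives the offset to set a breakpoint on or to cross-reference in the disassembler; the same offsets, taken from the sample's own data, are also candidates for the detection bytes the last bullet asks for.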
23. Examples of evasions are…
• Sandbox evasion
• Anti-VM tricks
• Anti-analysis tricks
• Signature evasion
How can they do that?
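The behavioural indicators from slide 20 (autorun keys, lowered security settings, dropped files, network traffic) and the sandbox/anti-VM tricks listed here are both visible in the same dynamic-analysis trace. The script below is an added example written for this page, not a Symantec sandbox component: it classifies a constructed trace (the line format and every event are invented for the example) and returns a verdict that does not treat a quiet run as clean when the sample has probed for a VM or slept past the sandbox timeout.

```python
import re
from collections import defaultdict

# Constructed sandbox trace, one event per line: pid <TAB> operation <TAB> target <TAB> value.
# The format and the events are invented for this example; not output of any real sandbox.
SAMPLE_TRACE = "\n".join([
    "1234\tRegQueryValue\tHKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools\\InstallPath\t",
    "1234\tFileOpen\tC:\\Windows\\System32\\drivers\\vmmouse.sys\t",
    "1234\tProcess32Next\tvboxservice.exe\t",
    "1234\tSleep\t600000\t",
    "1234\tFileWrite\tC:\\Users\\victim\\AppData\\Roaming\\svchost.exe\t",
    "1234\tRegSetValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tC:\\Users\\victim\\AppData\\Roaming\\svchost.exe",
    "1234\tRegSetValue\tHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware\t1",
    "1234\tRegSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\t0",
    "1234\tConnect\t198.51.100.23:8080\t",
    "1234\tConnect\tupdate.example.invalid:443\t",
])

# Load points: registry paths that run a program at logon or process start.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                "\\winlogon\\userinit", "\\winlogon\\shell", "\\image file execution options\\")
# (value name, value) pairs that weaken the host's defences.
SECURITY_LOWERING = {("disableantispyware", "1"), ("disablerealtimemonitoring", "1"),
                     ("enablelua", "0"), ("enablefirewall", "0")}
# Strings a sample looks for when fingerprinting an analysis VM.
VM_ARTIFACTS = ("vmware", "vbox", "virtualbox", "vmmouse", "vmhgfs", "vmtoolsd", "qemu", "xen")
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")
IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
LONG_SLEEP_MS = 300_000   # a sandbox typically runs a sample for a few minutes only


def analyse_trace(trace: str) -> dict:
    """Group the trace's events into the indicator classes an analyst reports on."""
    findings = defaultdict(list)
    for line in trace.splitlines():
        if not line.strip():
            continue
        _pid, op, target, value = (line.split("\t") + ["", ""])[:4]
        t = target.lower()
        if op == "RegSetValue":
            if any(key in t for key in AUTORUN_KEYS):
                findings["persistence"].append(f"{target} = {value}")
            if (t.rsplit("\\", 1)[-1], value) in SECURITY_LOWERING:
                findings["security_lowering"].append(f"{target} = {value}")
        elif op in ("RegQueryValue", "FileOpen", "Process32Next"):
            if any(marker in t for marker in VM_ARTIFACTS):
                findings["anti_vm"].append(f"{op} {target}")
        elif op == "FileWrite":
            if any(d in t for d in DROP_DIRS) and t.endswith((".exe", ".dll", ".scr")):
                findings["dropped_executable"].append(target)
        elif op == "Sleep":
            if int(target) >= LONG_SLEEP_MS:
                findings["sandbox_timeout"].append(f"sleeps {int(target) // 1000}s before doing anything")
        elif op == "Connect":
            kind = "raw IP" if IP_PORT.match(target) else "hostname"
            findings["network"].append(f"{kind} {target}")
    return dict(findings)


def verdict(findings: dict) -> str:
    """Persistence combined with defence lowering or a dropped executable is reported as
    malicious; anti-VM probes or a long sleep mean the dynamic run may have been cut short,
    so a quiet trace gets a second look (static analysis/debugging) rather than a clean bill."""
    evasive = bool(findings.get("anti_vm") or findings.get("sandbox_timeout"))
    malicious = bool(findings.get("persistence")) and bool(
        findings.get("security_lowering") or findings.get("dropped_executable"))
    if malicious:
        return "malicious (evasive)" if evasive else "malicious"
    return "needs manual review" if evasive else "no behavioural indicators"


if __name__ == "__main__":
    result = analyse_trace(SAMPLE_TRACE)
    for category, items in result.items():
        print(category, items)
    print(verdict(result))
```

The evasion checks are the reason the "needs manual review" outcome exists: a sample that queries VMware Tools keys, opens vmmouse.sys and then sleeps for ten minutes would show no persistence or network activity at all in a five-minute sandbox run.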
24. What we do in Symantec Security Response
• Analyse new malware (e.g. Stuxnet, Regin)
• Analyse malware submitted by customers
• Analyse and write reports for internal use and for customers
• Write automation tools and systems
• Write decryptors, decoders, and DGA-decoders
• Write generic detections and remediation routines
• Develop FixTools (e.g. Poweliks, Ramnit)
• Write blog entries about new malware and trends
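A DGA decoder is the analyst's re-implementation of the sample's domain generator, used to predict which names the botnet will query on a given day so they can be detected in DNS logs or sinkholed in advance. The block below is an added example for this page, not a Symantec decoder: the generator itself is invented for the example (an LCG seeded from the date and a per-family constant) and is not the algorithm of any real family; the DNS log it matches against is constructed inline.

```python
import datetime

# Invented DGA for the example: an LCG seeded from the calendar day and a per-family
# constant. This is NOT the algorithm of any real family; a real decoder comes from
# reverse engineering the sample's own routine, and the seed is often a C&C-served
# date or a hard-coded value rather than the local clock.
FAMILY_KEY = 0x5EED
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 20


def lcg(state: int) -> int:
    return (state * 1103515245 + 12345) & 0x7FFFFFFF


def daily_seed(day: datetime.date) -> int:
    return (day.year * 10000 + day.month * 100 + day.day) ^ FAMILY_KEY


def generate_domains(day: datetime.date, count: int = DOMAINS_PER_DAY):
    """Re-implementation of the (hypothetical) sample's generator: the analyst's decoder."""
    state = daily_seed(day)
    domains = []
    for i in range(count):
        state = lcg(state)
        length = 8 + state % 5                 # labels of 8..12 letters
        label = []
        for _ in range(length):
            state = lcg(state)
            label.append(chr(ord("a") + (state >> 16) % 26))
        domains.append("".join(label) + "." + TLDS[i % len(TLDS)])
    return domains


def match_dns_log(log: str):
    """Flag queries whose name is in the DGA set for the day the query was made.
    Log format (constructed): ISO-8601 UTC timestamp <TAB> client IP <TAB> queried name."""
    per_day = {}
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split("\t")
        day = datetime.date.fromisoformat(ts[:10])
        if day not in per_day:
            per_day[day] = set(generate_domains(day))
        if name.lower().rstrip(".") in per_day[day]:
            hits.append((ts, client, name))
    return hits


def upcoming_domains(start: datetime.date, days: int):
    """Pre-compute future domains so they can be sinkholed or blocked ahead of time."""
    out = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        out[day.isoformat()] = generate_domains(day)
    return out


# Constructed DNS log: ordinary queries plus one DGA domain for 2015-04-15, which is
# also queried again the next day, when it is no longer in that day's set.
SAMPLE_DAY = datetime.date(2015, 4, 15)
SAMPLE_DNS_LOG = "\n".join([
    "2015-04-15T10:00:01Z\t10.0.0.12\twww.example.com",
    "2015-04-15T10:00:02Z\t10.0.0.12\tupdate.example.net",
    "2015-04-15T10:00:03Z\t10.0.0.12\t" + generate_domains(SAMPLE_DAY)[3],
    "2015-04-16T09:12:40Z\t10.0.0.12\t" + generate_domains(SAMPLE_DAY)[3],
])

if __name__ == "__main__":
    print(generate_domains(SAMPLE_DAY)[:5])
    print(match_dns_log(SAMPLE_DNS_LOG))
```

Matching per day rather than against one big list matters: the second query of the same domain on 16 April is not flagged, which is exactly the property that lets a decoder distinguish the botnet's live traffic from stale or cached lookups.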
25. What we do in Symantec Security Response
Decryptors. Just an example…
29. IT professionals involved in malware protection
• Malware Researchers
• Automation Developers
• Network Analysis Specialists
• QA Engineers
• Incident Responders / Incident Handlers
• Engine Developers
31. Incident Responders on-site
We’re not talking about Event Analysts here…
• Data collection (order of volatility must be preserved)
• Timeline of operations
• Chain of custody
• Data analysis
– Memory analysis (live analysis)
– Log analysis
– File analysis (EnCase, FTK, The Sleuth Kit, malware analysis)
– Network traffic analysis
– Customer machine replication on VMware
32. How to get a job in IT security
Some tips…
33. Some tips…
• Be passionate
• Work on external projects
• Work hard on your university projects
• Work hard on your dissertation
We are hiring!
34. Let’s talk! Scenario time!
You’re a security specialist now
35. Q&A
Roberto Sponchioni
Thank you!
Roberto_Sponchioni@Symantec.com