© 2017 SPLUNK INC.
The “Hidden Empires” of Malware
Dave Ryan
International Conference on Cyber Security
January 2018
Disclaimer
During the course of this presentation, we may make forward looking statements regarding
future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes
The wøndërful telephøne system And mäni interesting furry animals The characters and
incidents portrayed and the names used in this Presentation are fictitious and any similarity
to the names, characters, or history of any person is entirely accidental and unintentional.
Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...
No realli! He was Karving his initials on the møøse with the sharpened end of an
interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and
star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our
roadmap outlines our general product direction and is subject to change at any time
without notice. Splunk undertakës no øbligation either to develøp the features or
functionality described or to include any such feature or functionality in a future release.
# whoami > Ryan Kovar
Staff Security Strategist
Minister of the OODAloopers
CISSP, MSc(Dist)
@meansec
▶ 17 years of cyber security experience
▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
▶ Also investigating why printers are so insubordinate ಠ_ಠ
# whoami > Dave Herrald
Security Architect @splunk
CISSP, GIAC G*, GSE #79
@daveherrald
- 20+ years IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss of the SOC
Agenda
▶ Answering some W's
• What are we talking about with “Hunting Empires”?
• What are SSL certificates and why do I care?
• What can I do with them?
▶ Talk about the “H”
• How can I get this data myself?
▶ And now another W
• Where can I get this awesome stuff?
On the shoulders of giants
Mark Parsons, “Lord of SSL Pivoting” (@markpars0ns)
▶ https://t.co/amyR9pU8o4
▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44
▶ https://mpars0ns.github.io/bsidescharm-2016slides/
▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/
▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups
What are these “Hidden” Empires?
POWERSHELL EMPIRE
• Similar to Metasploit in user experience
• C2 functionality
• Second stage infection/implant after initial infection
• Used extensively for lateral movement
Sometimes it's hard to find evidence that
Place Holder PowerSploit Capabilities
SSL Certificates
What are SSL certificates and why do I care?
Sooo… SSL Certificates?
“[SSL certificates are] small [unencrypted] data files that digitally bind a cryptographic key to an organization’s details.” [1]
[1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542
So what shows SSL certificates?
Censys.io
Circl.lu
Passivetotal.org
Splunk!
Internet-Wide Scan Data Repository
▶ Public archive of research data
▶ Hosted by the Censys team at the University of Michigan
▶ Performs scans, and hosts results from other teams
▶ The data on the site is restricted to non-commercial use
▶ https://scans.io (https://scans.io/json)
Exploring scans.io Studies
Web Interface: https://scans.io
JSON: https://scans.io/json
Command Line: $ python ./download.py --liststudies (from https://github.com/daveherrald/scansio-sonar-splunk)
Project Sonar by Rapid7
https://sonar.labs.rapid7.com/
▶ Many studies
• SSL Certificates
• HTTP Content
• HTTPS Content
• DNS
• Various TCP/UDP services (SSH, SMB, Telnet, etc.)
▶ Hosted at scans.io
▶ Please review the Project Sonar TOS
▶ Thanks to Rapid7 Labs!
SSL Certificates Study (sonar.ssl)
▶ October 30, 2013 – Present
▶ Raw size
• Entire data set: 315 GB compressed (as of 02JAN2017)
• Weekly: ~1.5 - 2.0 GB compressed
▶ Entire data set indexed in Splunk: ~1.2TB
▶ Scans the entire Internet (TCP/443 only)
▶ Comprised of:
• Observed certificates *
• Observed IP address / certificate *
• Names
• Endpoints
sonar.ssl Certificates
2 Column CSV: SHA1 Hash + Base64 Encoded DER
Decoded DER (https://gchq.github.io)
sonar.ssl Certificate in Splunk
index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f
sonar.ssl Hosts
2 Column CSV: IP Address + Certificate hash (SHA1)
Host, IP Address, Observation Date
Enriched with Country and ASN via Maxmind
sonar.ssl First/Last seen
Search for a hash, or pivot here from search
HTTPS (TCP/443) (sonar.https)
▶ July 25, 2016 – Present
▶ Raw size
• Entire data set: ~3.2 TB compressed (as of 02JAN2017)
• Weekly: ~25 GB compressed
▶ Entire data set indexed in Splunk: ~10TB
▶ Scans the entire Internet (TCP/443 only)
▶ Comprised of:
• IP
• Path
• Port (Always 443)
• Certificate Subject
• Payload!
HTTPS (TCP/443) (sonar.https) in Splunk
index=sonarhttps earliest=0
[1] David Bianco, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
VS
And I care why?
One of these is not like the others
We use Splunk
But you don’t have to!
But what do we do with it?
You can do at least two things with SSL Certificate information:
Known
Unknown
THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.
Start with some known naughty SSL SHA1 fingerprints
Gozi Trojan
8fc4a51bb808d0050a85f55de93b3aa9db4fef90
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find.”
- Donald “Cybersfeld”
Hunting PowerShell Empire
C=US is weird…
200MM IPs
90 suspect
3 PSE
:-)
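Added example (not code from the slides or from the scansio-sonar-splunk project): a stdlib-only Python walker over the sonar.ssl two-column CSV layouts described above (SHA1 hash + base64 DER; IP + hash) that checks each hash_id against the DER it carries, pulls the X.509 subject with a minimal DER reader, flags certificates whose subject is exactly C=US (what the openssl `-subj "/C=US"` command shown earlier produces), and joins the hits back to the hosts that served them. The certificates and host rows are constructed inside the block as unsigned, X.509-shaped DER, so it runs offline; the function and variable names are this example's own.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Tuple

# ---- minimal DER reader (enough to reach tbsCertificate.subject) ----------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        length, hdr = first, 2
    else:                                              # long-form: 0x8N then N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed element's body into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out

_OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
              b"\x55\x04\x03": "CN", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}

def subject_of(der: bytes) -> List[Tuple[str, str]]:
    """Extract the subject Name as [(attr, value), ...] in certificate order."""
    _, cert_body, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs_body, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                             # serial, sigAlg, issuer, validity, subject
    rdns = []
    for _, rdn in _children(subject):                  # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            rdns.append((_OID_NAMES.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return rdns

# ---- the hunt: subject is *only* C=US, as produced by -subj "/C=US" --------
EMPIRE_DEFAULT_SUBJECT = [("C", "US")]

def hunt_empire_certs(cert_rows: Iterable[str], host_rows: Iterable[str]) -> Dict[str, dict]:
    """cert_rows: 'sha1,base64der' lines; host_rows: 'ip,sha1' lines (sonar.ssl layout)."""
    hits: Dict[str, dict] = {}
    for row in cert_rows:
        sha1, b64 = row.strip().split(",", 1)
        der = base64.b64decode(b64)
        if hashlib.sha1(der).hexdigest() != sha1.lower():
            continue                                   # hash_id must be SHA1(DER); skip corrupt rows
        subj = subject_of(der)
        if subj == EMPIRE_DEFAULT_SUBJECT:
            hits[sha1.lower()] = {"subject": subj, "hosts": []}
    for row in host_rows:                              # pivot hash -> IPs that served it
        ip, sha1 = row.strip().split(",", 1)
        if sha1.lower() in hits:
            hits[sha1.lower()]["hosts"].append(ip)
    return hits

# ---- constructed fixtures: X.509-shaped DER with a placeholder signature ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body

def _name(rdns: List[Tuple[bytes, str]]) -> bytes:
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, v.encode())))
                               for oid, v in rdns))

def build_constructed_cert(subject: List[Tuple[bytes, str]]) -> bytes:
    """Self-signed-shaped cert (issuer == subject); the signature bytes are filler, not a real signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    rsa_enc = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"180101000000Z") + _tlv(0x17, b"190101000000Z"))
    spki = _tlv(0x30, rsa_enc + _tlv(0x03, b"\x00" + b"\x55" * 64))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _name(subject) + validity + _name(subject) + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + b"\xaa" * 64))

C, O, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"
EMPIRE_LIKE = build_constructed_cert([(C, "US")])
NORMAL = build_constructed_cert([(C, "US"), (O, "Example Corp"), (CN, "www.example.com")])

def _cert_row(der: bytes) -> str:
    return f"{hashlib.sha1(der).hexdigest()},{base64.b64encode(der).decode()}"

# Constructed sample rows; the third cert row carries a wrong hash_id on purpose.
SAMPLE_CERT_ROWS = [_cert_row(EMPIRE_LIKE), _cert_row(NORMAL),
                    "deadbeef" * 5 + "," + base64.b64encode(EMPIRE_LIKE).decode()]
SAMPLE_HOST_ROWS = [f"192.0.2.10,{hashlib.sha1(EMPIRE_LIKE).hexdigest()}",
                    f"192.0.2.11,{hashlib.sha1(EMPIRE_LIKE).hexdigest()}",
                    f"198.51.100.5,{hashlib.sha1(NORMAL).hexdigest()}"]

if __name__ == "__main__":
    for sha1, hit in hunt_empire_certs(SAMPLE_CERT_ROWS, SAMPLE_HOST_ROWS).items():
        print(sha1, hit["subject"], hit["hosts"])
```

On real sonar.ssl files the same two row formats apply, so the functions can be fed the decompressed CSVs line by line; a subject of exactly C=US is a lead to pivot on (first/last seen, ASN, payload), not a verdict on its own.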
Oh… Just one more thing…
Splunk-based Certificate Research Platform
▶ Splunk Indexers (QTY=3): i3.2xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Splunk Search Head (QTY=1): c3.4xlarge, Elastic IP
▶ Data Staging and Load (QTY=1): i3.16xlarge, 8 TB EBS Volume (10,000 IOPs), Elastic IP
▶ Elastic Load Balancer: TCP/8088 to the Splunk HTTP Event Collector
▶ Internet-Wide Scans Repository: https://scans.io
▶ Processing and Load Metrics: 6,000 Certificates / Second; 25,000 Hosts / Second
Certificate Research Platform Resources
https://github.com/daveherrald/scansio-sonar-splunk
• Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis
https://github.com/mpars0ns/scansio-sonar-es
• Download sonar.ssl, load into Elasticsearch
Splunk Licensing
Each approach has its pros and cons, but recall:
▶ Free: 500MB / day
▶ Enterprise Trial: 500MB / day
▶ Developer: 10 GB / day
▶ Enterprise Dev/Test: 50GB / day
▶ Splunk Enterprise
Can we wrap this up?
Conclusion
▶ SSL certificates can be a great way to track adversary behavior
▶ Consider tracking from known and unknown
▶ Think about bringing SSL certificates “in house” to use and run greater analysis against with temporal knowledge
Special Thanks
▶ Mark Parsons
▶ IKBD
▶ Rapid 7
▶ Censys team at University of Michigan
▶ ICCS Conference
▶ Fordham University
▶ The FBI
Contact info
Dave Herrald, @daveherrald
Ryan Kovar, @meansec
(Come see us at SANS CTI where we talk about ML against SSL data!)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Hidden empires of malware

  • 1. © 2017 SPLUNK INC. The “Hidden Empires” of Malware Dave Ryan International Conference on Cyber Security January 2018
  • 2. © 2017 SPLUNK INC. Disclaimer 2 During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
  • 3. © 2017 SPLUNK INC. ▶ 17 years of cyber security experience ▶ Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research ▶ Also investigating why printers are so insubordinate ಠ_ಠ 3 Staff Security Strategist Minster of the OODAloopers @meansec # whoami > Ryan Kovar CISSP, MSc(Dist)
  • 4. © 2017 SPLUNK INC. - 20+ years IT and security - Information security officer, security architect, pen tester, consultant, SE, system/network engineer - Former SANS Mentor - Co-creator of Splunk Boss of the SOC Security Architect @splunk @daveherrald # whoami > Dave Herrald CISSP, GIAC G*, GSE #79
  • 5. © 2017 SPLUNK INC. Agenda ▶ Answering some W’s • What are we talking about with “Hunting Empires”? • What are SSL certificates and why do I care? • What can I do with them? ▶ Talk about the “H” • How can I get this data myself? ▶ And now another W • Where can I get this awesome stuff! 5
  • 7. © 2017 SPLUNK INC. On the shoulders of giants
  • 8. © 2017 SPLUNK INC. Mark Parsons “Lord of SSL Pivoting” @markpars0ns ▶ https://t.co/amyR9pU8o4 ▶ https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44 ▶ https://mpars0ns.github.io/bsidescharm-2016slides/ ▶ https://mpars0ns.github.io/archc0n-2016-tls-slides/#/ ▶ https://www.slideshare.net/MSbluehat/bluehat-v17-using-tls-certificates-to-track-activity-groups
  • 9. © 2017 SPLUNK INC. What are these “Hidden” Empires?
  • 10. © 2017 SPLUNK INC. POWERSHELL EMPIRE 10
  • 11. © 2017 SPLUNK INC. • Similar to Metasploit in user experience • C2 functionality • Second stage infection/implant after initial infection • Used extensively for lateral movement
  • 12. © 2017 SPLUNK INC. Sometimes it’s hard to find evidence that
  • 13. © 2017 SPLUNK INC. Place Holder PowerSploit Capabilities 13
  • 14. © 2017 SPLUNK INC. Place Holder PowerSploit Capabilities 14
  • 15. © 2017 SPLUNK INC. 15
  • 16. © 2017 SPLUNK INC. 16
  • 18.
  • 19. © 2017 SPLUNK INC. SSL Certificates
  • 20. © 2017 SPLUNK INC. What are SSL certificates and why do I care?
  • 21. © 2017 SPLUNK INC. “[SSL certificates are] Small [unencrypted] data files that digitally bind a cryptographic key to an organization’s details.” [1] Sooo… SSL Certificates? [1] https://www.godaddy.com/help/what-is-an-ssl-certificate-542
  • 22. © 2017 SPLUNK INC. So that shows SSL certificates?
  • 23. © 2017 SPLUNK INC. Censys.io
  • 24. © 2017 SPLUNK INC. Circl.lu
  • 25. © 2017 SPLUNK INC. Passivetotal.org
  • 26. © 2017 SPLUNK INC. Splunk!
  • 27. © 2017 SPLUNK INC. Internet-Wide Scan Data Repository ▶ Public archive of research data ▶ Hosted by the Censys team at the University of Michigan ▶ Perform scans, and host results from other teams ▶ The data on the site is restricted to non-commercial use ▶ https://scans.io (https://scans.io/json)
  • 28. © 2017 SPLUNK INC. Exploring scans.io Studies Web Interface https://scans.io JSON https://scans.io/json Command Line $ python ./download.py --liststudies https://github.com/daveherrald/scansio-sonar-splunk
  • 29. © 2017 SPLUNK INC. Project Sonar by Rapid7 https://sonar.labs.rapid7.com/ ▶ Many studies • SSL Certificates • HTTP Content • HTTPS Content • DNS • Various TCP/UDP services (SSH, SMB, Telnet, etc.) ▶ Hosted at scans.io ▶ Please review Project Sonar TOS ▶ Thanks to Rapid7 Labs!
  • 30. © 2017 SPLUNK INC. SSL Certificates Study (sonar.ssl) ▶ October 30, 2013 – Present ▶ Raw size • Entire data set: 315 GB compressed (as of 02JAN2017) • Weekly: ~1.5 - 2.0 GB compressed ▶ Entire data set indexed in Splunk: ~1.2TB ▶ Scan the entire Internet (TCP/443 only) ▶ Comprised of: • Observed certificates * • Observed IP address / certificate * • Names • Endpoints
  • 31. © 2017 SPLUNK INC. sonar.ssl Certificates: 2-column CSV, SHA1 hash + Base64-encoded DER; decoded DER (https://gchq.github.io)
  • 32. © 2017 SPLUNK INC. sonar.ssl Certificate in Splunk index=sonarsslcert earliest=0 hash_id=b4c68c2fe3e689bd51c3676c69c02454be1f545f
  • 33. © 2017 SPLUNK INC. sonar.ssl Hosts 2 Column CSV IP Address + Certificate hash (SHA1) Host, IP Address, Observation Date Enriched with Country and ASN via Maxmind
  • 34. © 2017 SPLUNK INC. sonar.ssl First/Last seen Search for a hash, or pivot here from search
  • 35. © 2017 SPLUNK INC. HTTPS (TCP/443) (sonar.https) ▶ July 25, 2016 – Present ▶ Raw size • Entire data set: ~3.2 TB compressed (as of 02JAN2017) • Weekly: ~25 GB compressed ▶ Entire data set indexed in Splunk: ~10TB ▶ Scan the entire Internet (TCP/443 only) ▶ Comprised of: • IP • Path • Port (Always 443) • Certificate Subject • Payload!
  • 36. © 2017 SPLUNK INC. HTTPS (TCP/443) (sonar.https) in Splunk index=sonarhttps earliest=0
  • 37. © 2017 SPLUNK INC. [1] David Bianco http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  • 39. © 2017 SPLUNK INC. openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1
  • 41. © 2017 SPLUNK INC. VS
  • 42. © 2017 SPLUNK INC. And I care why?
  • 43. © 2017 SPLUNK INC. One of these is not like the others
  • 44. We use Splunk But you don’t have to!
  • 45. © 2017 SPLUNK INC. ▶ DAVE. DONE UP TO HERE But what do we do with it?
  • 46. © 2017 SPLUNK INC. You can do at least two things with SSL Certificate information Known Unknown
  • 47. © 2017 SPLUNK INC. THE SSL CERTIFICATES IN YOUR INCIDENTS ARE REAL.
  • 48. © 2017 SPLUNK INC. Start with some known naughty SSL SHA1 fingerprints
  • 49. © 2017 SPLUNK INC. Gozi Trojan 8fc4a51bb808d0050a85f55de93b3aa9db4fef90
  • 54. © 2017 SPLUNK INC. “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And when someone tries to hunt in CyberSpace the known unknowns are the hardest to find ” - Donald “Cybersfeld”
  • 55. © 2017 SPLUNK INC. Hunting PowerShell Empire
  • 56. © 2017 SPLUNK INC. C=US is weird…
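As an added, runnable illustration of the hunt described on slides 31-34 and 56 (not code from the talk or from the scansio-sonar-splunk project): it reads sonar.ssl-style certificate rows (hash_id plus base64 DER), confirms hash_id is the SHA1 of the DER, pulls subject and issuer out of the certificate with a minimal stdlib-only DER walk, flags self-signed certificates whose entire subject is C=US (what the default Empire openssl line on slide 39 produces), and pivots the hits into host observations for first/last seen. The hosts column layout (ip,hash_id,date), the OID table and the sample certificates are constructed assumptions; the sample DER is unsigned and syntactically minimal, not a real certificate.

```python
import base64, csv, hashlib, io
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # X.520 attribute types we print

def _tlv(buf, i):  # one DER TLV at buf[i] -> (tag, value, index after it); long-form lengths handled
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n
def _name(buf):  # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value} -> "C=US,O=..." in encoded order
    parts, i = [], 0
    while i < len(buf):
        _, rdn, i = _tlv(buf, i)
        _, atv, _ = _tlv(rdn, 0)  # first AttributeTypeAndValue of this RDN
        _, oid, j = _tlv(atv, 0)
        parts.append(f"{OIDS.get(oid, oid.hex())}={_tlv(atv, j)[1].decode()}")
    return ",".join(parts)
def subject_issuer(der_cert):  # Certificate -> tbsCertificate -> (subject DN, issuer DN)
    _, tbs, _ = _tlv(_tlv(der_cert, 0)[1], 0)
    fields, i = [], 0
    while len(fields) < 6 and i < len(tbs):  # [0] version?, serial, sigAlg, issuer, validity, subject
        tag, val, i = _tlv(tbs, i)
        fields.append((tag, val))
    if fields[0][0] == 0xA0: fields.pop(0)  # drop the optional explicit version so the indexes line up
    return _name(fields[4][1]), _name(fields[2][1])

def hunt_empire_like(certs_csv, hosts_csv):
    """Flag self-signed certs whose whole subject is C=US (Empire's default '-subj /C=US') and pivot to hosts."""
    flagged = set()
    for sha1, b64 in csv.reader(io.StringIO(certs_csv)):  # certs rows: hash_id,base64(DER); hash_id must be SHA1(DER)
        der = base64.b64decode(b64)
        if hashlib.sha1(der).hexdigest() == sha1 and subject_issuer(der) == ("C=US", "C=US"):
            flagged.add(sha1)
    obs = [(seen, ip, h) for ip, h, seen in csv.reader(io.StringIO(hosts_csv))]  # assumed columns: ip,hash_id,date
    return {h: sorted((s, ip) for s, ip, x in obs if x == h) for h in flagged}  # [0] = first seen, [-1] = last seen

def build_sample_cert(subject, issuer=None):  # constructed, unsigned, minimal X.509 DER; NOT a real cert
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only (bodies < 128 bytes)
    name = lambda attrs: der(0x30, b"".join(der(0x31, der(0x30, der(0x06, o) + der(0x0C, v.encode()))) for o, v in attrs))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer or subject) + der(0x30, b"") + name(subject) + der(0x30, b""))  # v3,serial,alg,issuer,validity,subject,spki
    return der(0x30, der(0x30, tbs))

def demo():  # constructed rows in the two sonar.ssl shapes from the slides: certs "hash,b64der"; hosts "ip,hash,date"
    C, O, CN = OIDS  # dict keys iterate in insertion order
    empire = build_sample_cert([(C, "US")])  # self-signed, subject is exactly C=US
    corp = build_sample_cert([(C, "US"), (O, "Example Corp"), (CN, "www.example.test")], issuer=[(O, "Example CA")])
    sha = lambda d: hashlib.sha1(d).hexdigest()
    certs = "\n".join(f"{sha(d)},{base64.b64encode(d).decode()}" for d in (empire, corp))
    hosts = f"198.51.100.7,{sha(empire)},2017-11-05\n203.0.113.9,{sha(empire)},2017-12-03\n192.0.2.1,{sha(corp)},2017-12-03"
    return hunt_empire_like(certs, hosts)
```

On real sonar.ssl data the same functions apply row by row to the decompressed certs and hosts files; the subject string can then feed the Splunk pivot on hash_id shown on slide 32.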
  • 62. © 2017 SPLUNK INC. 200MM IPs 90 suspect 3 PSE :-)
  • 63. © 2017 SPLUNK INC. 63 Oh… Just one more thing…
  • 64. © 2017 SPLUNK INC. Splunk-based Certificate Research Platform Splunk Indexers QTY=3 i3.2xlarge 8 TB EBS Volume (10,000 IOPs) Elastic IP Splunk Search Head QTY=1 c3.4xlarge Elastic IP Data Staging and Load QTY=1 i3.16xlarge 8 TB EBS Volume (10,000 IOPs) Elastic IP Elastic Load Balancer TCP/8088 Splunk HTTP Event Collector Internet-Wide Scans Repository https://scans.io Processing and Load Metrics 6,000 Certificates / Second 25,000 Hosts / Second
  • 65. © 2017 SPLUNK INC. Certificate Research Platform Resources https://github.com/daveherrald/scansio-sonar-splunk • Download any scans.io study, load sonar.ssl & sonar.https into Splunk for analysis https://github.com/mpars0ns/scansio-sonar-es • Download sonar.ssl, load into Elasticsearch
  • 66. © 2017 SPLUNK INC. Splunk Licensing Free: 500MB / day Enterprise Trial: 500MB / Day Developer: 10 GB/Day Enterprise Dev/Test: 50GB/day Splunk Enterprise Each approach has its pros and cons, but recall:
  • 67. © 2017 SPLUNK INC. Can we wrap this up?
  • 68. © 2017 SPLUNK INC. Conclusion 68 ▶ SSL certificates can be a great way to track adversary behavior ▶ Consider tracking from known and unknown ▶ Think about bringing SSL certificates “in house” to use and run greater analysis against with temporal knowledge
  • 69. © 2017 SPLUNK INC. Special Thanks 69 ▶ Mark Parsons ▶ IKBD ▶ Rapid 7 ▶ Censys team at University of Michigan ▶ ICCS Conference ▶ Fordham University ▶ The FBI
  • 70. © 2017 SPLUNK INC. Dave Herrald @daveherrald Ryan Kovar @meansec Contact info (Come see us at SANS CTI where we talk about ML against SSL data!)

Editor's notes

  1. Learned System Administration in the US Navy Worked in the UK/US in public/private sector Most recently at DARPA using Splunk Has a master's degree from University of Westminster Focuses on Incident response, Threat intel, dry humor,
  2. Ryan
  3. Ryan
  4. Discuss what powerShell Empire is
  5. Steve
  6. Who uses it? The usual Suspects
  7. DeepPanda/APT19 Ryan
  8. Poseidon Brazilian APT Steve Primarily used for corporate and government espionage for the purposes of financial gain. Estimated to have been operating since 2005. Known to pose as Windows security consultants who, as part of their “service”, run PowerShell scripts to gain a foothold and gather data.
  9. APT28/Fancy Bear/Sofacy Ryan
  10. Gothic Panda/APT3 Ryan
  11. But the internet is fast… and it’s hard to find things unless you have…
  12. Hard evidence in a forensic investigation. But it’s good to be proactive
  13. So we are going to use PowerShell Empire as an example of how to find “hidden” infrastructure using information in SSL Certificates and ALSO how to find things that are not so “hidden”
  14. Two options when you are looking at SSL certificate data: Hunting for known SSL certificates that have been found during the course of your research or incident Hunting for unknown things using statistical analysis or other methods
  15. In the course of your incident response or threat hunting you might find SSL certificates that are connected to malware.
  16. Ryan
  17. Ryan