TRANSCRIPT
© Copyright 2015 PhishMe, Inc. All rights reserved.
Building Better Indicators: Crowdsourcing Malware IOCs
Sean Wilson Researcher
About me
• Researcher @ PhishMe
• Reverse Engineer
• Incident Responder
• Twitter: @seanmw
• flyfishing++;
Building Indicators
Analysis Discovery Development
CrowdSource
Warning: OPSEC!
The Problem
• Small teams rely on host and network AV for information about threats.
• These alerts are often quite generic and don’t provide much information other than: ‘Bad has happened…but don’t worry we got it!’
Scenario
Scenario 1a
Triage
Malware Triage
Triage: We Got This!
Recon → Weaponization → Delivery → Exploitation → Installation → C2 Activity
Detection
Scenario 1b
Intrusion Kill Chain
Recon → Weaponization → Delivery → Exploitation → Installation → C2 Activity
Detection
What is it?
Trojan.Win32.Generic!BT
RDN/Generic.PUP.z
Trojan.Generic
Gen:Trojan.Heur
Artemis!12345
Sample Analysis
VirusTotal
Malwr Search
Overview
Network Activity
PassiveTotal
Discovery
Early Indicators
System Changes
Dynamic Properties
Static Properties
Google All the Things!
Netflix Scumblr
Trolling the garbage dump of the internet so you don’t have to
DFIR Scumblr Searches
• PassiveTotal
• Totalhash
• VirusTotal
• Malwr
• Cuckoo
Development
What properties are common across samples?
Are my indicators matching new (unknown) samples?
Dashboards!
Thanks! @seanmw
Images
• Icon made by Freepik from http://www.flaticon.com is licensed under CC BY 3.0