SlideShare a Scribd company logo

Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Tools [RootedCON 2010]

RootedCON
RootedCON
Technology
1 of 21
Download to read offline
Fighting Advanced Persistent Threats (APT) with Open Source Tools Congreso de Seguridad ~ Rooted CON’2010
What is APT? •  The US Air Force invented the term in 2006 •  APT refers to advanced techniques used to gain access to an intelligence objective to gather the needed information to execute specific objectives. Congreso de Seguridad ~ Rooted CON’2010 2
APT characteristics •  Advanced: The intruder can exploit publicly known vulnerabilities but the attackers also are highly skilled and well funded and can research and exploit new vulnerabilities. •  Persistent: the attacker wants to accomplish a mission that can take place over months. •  Threat: Dedicated organized groups are behind the attack motivated by political, economical or military reasons. Congreso de Seguridad ~ Rooted CON’2010 3
GhostNet •  Ghostnet: China VS Tibetan institutions •  1295 computers in 103 countries Congreso de Seguridad ~ Rooted CON’2010 4
Aurora Attack •  Coordinated attack against Google, Adobe, Juniper and 30 other companies. •  Exploits a zero-day vulnerability in Microsoft Internet Explorer (CVE-2010-0249) •  Installs Trojan.Hydraq. Congreso de Seguridad ~ Rooted CON’2010 5
Trojan.Hydraq •  Standard Trojan, not too sophisticated. •  No anti-debugging, No anti-analysis tricks. •  Uses spaghetti code to make code analysis more difficult. (Easily analized with IDA) •  Previous versions of Trojan.Hydraq observed 6 month previous to Aurora Attack. Congreso de Seguridad ~ Rooted CON’2010 6
Trojan.Hydraq •  Files: – %System%[RANDOM].dll: Main backdoor registered as a service. – %System%acelpvc.dll: Remote access capabilities (VNC). – %System%VedioDriver.dll: Helps monitoring keyboard and mouse activity. Congreso de Seguridad ~ Rooted CON’2010 7
Trojan.Hydraq •  Capabilities: – Command execution – Download additional files – System operations (halt, clean log files…) – Service, registry control. Congreso de Seguridad ~ Rooted CON’2010 8
Trojan.Hydraq •  C&C communication: – Encrypted protocol on port 443 (not SSL) [ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ] Source: McAfee Labs Congreso de Seguridad ~ Rooted CON’2010 9
Keys for Fighting APT •  An anti-APT solution doesn’t exists. •  Centralizing and correlating security data is the key (SIEM!!) •  Security is a continuous process. Congreso de Seguridad ~ Rooted CON’2010 1 0
Intrusion •  Examples: – An email with a PDF or Office document that exploits a vulnerability (Maybe 0-day). •  Countermeasures: – Patch Management and Auditing (Openvas + OVAL). – Policy Auditing (Openvas – Ossec checks). •  Is Adobe Javascript support disabled? •  Internet Explorer Security Configuration Congreso de Seguridad ~ Rooted CON’2010 1 1
Setting Up •  Examples: – Backdoor and Rootkit installation, system modification, privilege escalation. •  Countermeasures: – Log monitoring: Ossec, Snare. – Integrity Monitoring: Ossec •  Registry changes. •  File creation/modifications •  Service registration and process creation. Congreso de Seguridad ~ Rooted CON’2010 1 2
Network Activity •  Examples: – C&C communication, cover channels, updated downloads… •  Countermeasures: – IDS/IPS technology (Snort, Suricata). Ej: Packed binary download. – Deep Packet Inspection (OpenDPI). Ej: Non SSL traffic over port 443. Congreso de Seguridad ~ Rooted CON’2010 1 3
Network Activity •  Netflow Data : Nfdump + Nfsen (plugins). – AS and Country data. •  Alert on suspicious AS’s (reputation) – Fire project – http://www.maliciousnetworks.org/index.php – Identify traffic patterns: •  Mutiple clients sending high amount of data to an external server. •  Regurarly client connections to external servers (even after hours) Congreso de Seguridad ~ Rooted CON’2010 1 4
Advanced techniques •  Create an APT trap – Information Gathering •  Collect suspicious content from Corporate Mail Server. •  Create false accounts. – Automatic analysis framework •  Analize obtained information – Check for exploits/javascript on .pdf, .xls, .doc files. •  Extract the involved binary •  Automatic sandbox/analysis environment. •  Compare obtained patterns with your SIEM data. Congreso de Seguridad ~ Rooted CON’2010 1 5
Advanced techniques •  Analize obtained data – The goal is to identify malicious content an extract the involved binary. – Tools: •  Didier Stevens pdf tools •  SpiderMonkey •  Libemu •  JsUnpack •  Malzilla •  Wepawet Congreso de Seguridad ~ Rooted CON’2010 1 6
Advanced techniques •  Automatic sandbox/analysis environment – Once we have the binary we have to extract the information needed to build the Behaviour Matrix. – SandBox execution: •  Qemu, VirtualBox, Bochs…. •  Dynamic pattern extraction: –  Snare, Ossec, memoryze, Volatility… •  Network behaviour pattern extraction: –  Snort for IDS pattern detection –  Scapy protocol parsers: »  DNS, HTTP, IRC, SMTP…. Congreso de Seguridad ~ Rooted CON’2010 1 7
Advanced techniques •  Static analysis o Antivirus Coverage : VirusTotal o Packers : PeFile + PEID o Imports/Exports : PeFile o Antidebug/Virtual Machine Detection : Pyew Congreso de Seguridad ~ Rooted CON’2010 1 8
Advanced techniques •  Build the behaviour matrix, example: [ Process_Creation, test.exe] [ DNS_Query, www.securedz.com] [ HTTP_Request, POST, /panel2/haya.php] [ Driver_Loaded, wowsub.sys] [ IDS_Pattern, Snort, 2008576] Congreso de Seguridad ~ Rooted CON’2010 1 9
Advanced techniques • Once you have the behaviour matrix: DNS Activity HTTP Activity - DNS Server Log - Corporate Proxy Logs Suspect Matrix Connections System Activity - Firewall logs - Change management system logs - Netflow Data Congreso de Seguridad ~ Rooted CON’2010 2 0
Jaime Blasco jaime.blasco@alienvault.com http://twitter.com/jaimeblascob Congreso de Seguridad ~ Rooted CON’2010

Recommended

Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?festival ICT 2016
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 

Recommended

Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?festival ICT 2016
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringLancope, Inc.
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot EssentialsAnton Chuvakin
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cyclepenetration Tester
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
RSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTRSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTLee Wei Yeong
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 

More Related Content

What's hot

Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554TISA
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringLancope, Inc.
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMAlienVault
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
RSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTRSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTLee Wei Yeong
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 

What's hot (20)

Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554Apt sharing tisa protalk 2-2554
Apt sharing tisa protalk 2-2554
 
Combating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security MonitoringCombating Advanced Persistent Threats with Flow-based Security Monitoring
Combating Advanced Persistent Threats with Flow-based Security Monitoring
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
RSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APTRSA: Security Analytics Architecture for APT
RSA: Security Analytics Architecture for APT
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 

Viewers also liked

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Scot Berner
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaudstricaud
 
Giorgia Mia Ok 23 Settembre
Giorgia Mia Ok 23 SettembreGiorgia Mia Ok 23 Settembre
Giorgia Mia Ok 23 SettembreMarisa Corapi
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detectionMarko Heijnen
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesNetIQ
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?anupriti
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
Layakk - Atacando 3G Vol. 2 [rootedvlc2]
Layakk - Atacando 3G Vol. 2 [rootedvlc2]Layakk - Atacando 3G Vol. 2 [rootedvlc2]
Layakk - Atacando 3G Vol. 2 [rootedvlc2]RootedCON
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkVolker Hirsch
 

Viewers also liked (15)

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 
Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016Loggin alerting and hunting technology hub 2016
Loggin alerting and hunting technology hub 2016
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
Giorgia Mia Ok 23 Settembre
Giorgia Mia Ok 23 SettembreGiorgia Mia Ok 23 Settembre
Giorgia Mia Ok 23 Settembre
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detection
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hacked
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
Layakk - Atacando 3G Vol. 2 [rootedvlc2]
Layakk - Atacando 3G Vol. 2 [rootedvlc2]Layakk - Atacando 3G Vol. 2 [rootedvlc2]
Layakk - Atacando 3G Vol. 2 [rootedvlc2]
 
TEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of WorkTEDx Manchester: AI & The Future of Work
TEDx Manchester: AI & The Future of Work
 
Build Features, Not Apps
Build Features, Not AppsBuild Features, Not Apps
Build Features, Not Apps
 

Similar to Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Tools [RootedCON 2010]

RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course contentShivamSharma909
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionDejan Jeremic
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Geek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeekNightHyderabad
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Topics in network security
Topics in network securityTopics in network security
Topics in network securityNasir Bhutta
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 

Similar to Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Tools [RootedCON 2010] (20)

RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Geek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the InternetGeek Night 15.0 - Touring the Dark-Side of the Internet
Geek Night 15.0 - Touring the Dark-Side of the Internet
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Tools [RootedCON 2010]

  • 1. Fighting Advanced Persistent Threats (APT) with Open Source Tools Congreso de Seguridad ~ Rooted CON’2010
  • 2. What is APT? •  The US Air Force invented the term in 2006 •  APT refers to advanced techniques used to gain access to an intelligence objective to gather the needed information to execute specific objectives. Congreso de Seguridad ~ Rooted CON’2010 2
  • 3. APT characteristics •  Advanced: The intruder can exploit publicly known vulnerabilities but the attackers also are highly skilled and well funded and can research and exploit new vulnerabilities. •  Persistent: the attacker wants to accomplish a mission that can take place over months. •  Threat: Dedicated organized groups are behind the attack motivated by political, economical or military reasons. Congreso de Seguridad ~ Rooted CON’2010 3
  • 4. GhostNet •  Ghostnet: China VS Tibetan institutions •  1295 computers in 103 countries Congreso de Seguridad ~ Rooted CON’2010 4
  • 5. Aurora Attack •  Coordinated attack against Google, Adobe, Juniper and 30 other companies. •  Exploits a zero-day vulnerability in Microsoft Internet Explorer (CVE-2010-0249) •  Installs Trojan.Hydraq. Congreso de Seguridad ~ Rooted CON’2010 5
  • 6. Trojan.Hydraq •  Standard Trojan, not too sophisticated. •  No anti-debugging, No anti-analysis tricks. •  Uses spaghetti code to make code analysis more difficult. (Easily analized with IDA) •  Previous versions of Trojan.Hydraq observed 6 month previous to Aurora Attack. Congreso de Seguridad ~ Rooted CON’2010 6
  • 7. Trojan.Hydraq •  Files: – %System%[RANDOM].dll: Main backdoor registered as a service. – %System%acelpvc.dll: Remote access capabilities (VNC). – %System%VedioDriver.dll: Helps monitoring keyboard and mouse activity. Congreso de Seguridad ~ Rooted CON’2010 7
  • 8. Trojan.Hydraq •  Capabilities: – Command execution – Download additional files – System operations (halt, clean log files…) – Service, registry control. Congreso de Seguridad ~ Rooted CON’2010 8
  • 9. Trojan.Hydraq •  C&C communication: – Encrypted protocol on port 443 (not SSL) [ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ] Source: McAfee Labs Congreso de Seguridad ~ Rooted CON’2010 9
  • 10. Keys for Fighting APT •  An anti-APT solution doesn’t exists. •  Centralizing and correlating security data is the key (SIEM!!) •  Security is a continuous process. Congreso de Seguridad ~ Rooted CON’2010 1 0
  • 11. Intrusion •  Examples: – An email with a PDF or Office document that exploits a vulnerability (Maybe 0-day). •  Countermeasures: – Patch Management and Auditing (Openvas + OVAL). – Policy Auditing (Openvas – Ossec checks). •  Is Adobe Javascript support disabled? •  Internet Explorer Security Configuration Congreso de Seguridad ~ Rooted CON’2010 1 1
  • 12. Setting Up •  Examples: – Backdoor and Rootkit installation, system modification, privilege escalation. •  Countermeasures: – Log monitoring: Ossec, Snare. – Integrity Monitoring: Ossec •  Registry changes. •  File creation/modifications •  Service registration and process creation. Congreso de Seguridad ~ Rooted CON’2010 1 2
  • 13. Network Activity •  Examples: – C&C communication, cover channels, updated downloads… •  Countermeasures: – IDS/IPS technology (Snort, Suricata). Ej: Packed binary download. – Deep Packet Inspection (OpenDPI). Ej: Non SSL traffic over port 443. Congreso de Seguridad ~ Rooted CON’2010 1 3
  • 14. Network Activity •  Netflow Data : Nfdump + Nfsen (plugins). – AS and Country data. •  Alert on suspicious AS’s (reputation) – Fire project – http://www.maliciousnetworks.org/index.php – Identify traffic patterns: •  Mutiple clients sending high amount of data to an external server. •  Regurarly client connections to external servers (even after hours) Congreso de Seguridad ~ Rooted CON’2010 1 4
  • 15. Advanced techniques •  Create an APT trap – Information Gathering •  Collect suspicious content from Corporate Mail Server. •  Create false accounts. – Automatic analysis framework •  Analize obtained information – Check for exploits/javascript on .pdf, .xls, .doc files. •  Extract the involved binary •  Automatic sandbox/analysis environment. •  Compare obtained patterns with your SIEM data. Congreso de Seguridad ~ Rooted CON’2010 1 5
  • 16. Advanced techniques •  Analize obtained data – The goal is to identify malicious content an extract the involved binary. – Tools: •  Didier Stevens pdf tools •  SpiderMonkey •  Libemu •  JsUnpack •  Malzilla •  Wepawet Congreso de Seguridad ~ Rooted CON’2010 1 6
  • 17. Advanced techniques •  Automatic sandbox/analysis environment – Once we have the binary we have to extract the information needed to build the Behaviour Matrix. – SandBox execution: •  Qemu, VirtualBox, Bochs…. •  Dynamic pattern extraction: –  Snare, Ossec, memoryze, Volatility… •  Network behaviour pattern extraction: –  Snort for IDS pattern detection –  Scapy protocol parsers: »  DNS, HTTP, IRC, SMTP…. Congreso de Seguridad ~ Rooted CON’2010 1 7
  • 18. Advanced techniques •  Static analysis o Antivirus Coverage : VirusTotal o Packers : PeFile + PEID o Imports/Exports : PeFile o Antidebug/Virtual Machine Detection : Pyew Congreso de Seguridad ~ Rooted CON’2010 1 8
  • 19. Advanced techniques •  Build the behaviour matrix, example: [ Process_Creation, test.exe] [ DNS_Query, www.securedz.com] [ HTTP_Request, POST, /panel2/haya.php] [ Driver_Loaded, wowsub.sys] [ IDS_Pattern, Snort, 2008576] Congreso de Seguridad ~ Rooted CON’2010 1 9
  • 20. Advanced techniques • Once you have the behaviour matrix: DNS Activity HTTP Activity - DNS Server Log - Corporate Proxy Logs Suspect Matrix Connections System Activity - Firewall logs - Change management system logs - Netflow Data Congreso de Seguridad ~ Rooted CON’2010 2 0
  • 21. Jaime Blasco jaime.blasco@alienvault.com http://twitter.com/jaimeblascob Congreso de Seguridad ~ Rooted CON’2010