IT Professions in the Anti-Malware Industry
Roberto Sponchioni
Sr. Anti-Malware Engineer
Who am I?
• Working as a Senior Anti-Malware Engineer @ Symantec
• Worked as a Security Consultant (PT/VA, Incident Response)
• Graduated from University of Milan (DTI)
Copyright © 2014 Symantec Corporation
A long series of data breaches
Some examples…
A long series of data breaches in the US
Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
Malware, it’s everywhere…
What is it? What’s its purpose? Who’s behind it?
Different types of malware, different purposes
• DDoS botnet (Backdoor.Zemra, Linux.Shelldos, Linux.Xnote, etc.)
• Banking malware (Zbot, Carberp, etc.)
• Ransomlock & Cryptolocker
• Mobile malware
• Information-stealing malware (Rodagose, Rawpos, Steem, etc.)
• APT (zero-day exploits, ad-hoc malware, spearphishing, etc.)
• State-sponsored / cyberespionage (Stuxnet, etc.)
• Exploit kits (Blackhole, Angler, Rig, etc.)
It’s easy to build your own malware…
What would you do to protect yourself / your company?
• User education
• Antivirus / security products
• Reputation systems
• Firewall
• IDS/IPS sensors within the network
• Follow best practices (ISO-27001, etc.)
Let’s look at some figures…
Let’s look at some figures…
• How much malware/adware/PUAs do we see?
• It’s ~190M in 1 month. It’s ~6M per day
Let’s look at some figures…
• In total: network and files are...
• It’s ~250M in 1 month. It’s ~8M per day
Let’s look at some figures…
• Number of reputation queries?
• ~40 + 35 billion (URLs + Files)
The need for specialists!
IT professionals work hard to protect our data
Malware Researchers, QA, Developers, Network Security Specialists, IR
Symantec Security Response - 24/7
What do we do in Security Response?
Let’s have a look at some examples…
Let’s try to identify a malware sample…
What would you do to identify a malicious file?
• File structure analysis
• Behavioural analysis
– Network analysis
– File system changes
– Registry changes
– Etc.
• Code analysis & debugging
– Identify hidden functionalities
– Forcing the code to follow different branches
– Etc.
File structure analysis
What would you do to identify a malicious file?
• EXE icon
• Packer identification
– Diagram: a normal executable (Header, Code, Data) next to a packed executable (Header, Compressed / encrypted code + data, Packer’s code)
• Suspicious data
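As an added example (not part of the slide deck), a Python script that performs the packer-identification step above on a PE section table: it walks the DOS, PE and COFF headers to the section headers, computes per-section entropy, checks for well-known packer section names and for sections that are writable and executable or empty on disk, and runs against two constructed in-memory PE images (a plain one and a UPX-like one built by `build_pe`, a helper that exists only for this example).

```python
"""Packer indicators from a PE section table (added example, constructed test images)."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names that well-known packers leave behind; a small, non-exhaustive set.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", ".aspack", ".adata", "MPRESS1", ".petite", ".vmp0", ".vmp1"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table (the optional header is skipped)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers start right after the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]  # a truncated file just yields a shorter slice
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "rawsize": rawsize, "entropy": shannon_entropy(raw), "chars": chars})
    return sections

def analyse_pe(pe: bytes) -> dict:
    """Per-section packer indicators plus an overall verdict."""
    findings = {}
    for s in parse_sections(pe):
        reasons = []
        if s["name"] in KNOWN_PACKER_SECTIONS:
            reasons.append("known packer section name")
        if s["rawsize"] >= 256 and s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append("high entropy (%.2f bits/byte): compressed or encrypted" % s["entropy"])
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("empty on disk but executable in memory: unpacking target")
        findings[s["name"]] = reasons
    return {"sections": findings, "packed": any(findings.values())}

def build_pe(sections) -> bytes:
    """Assemble a minimal CONSTRUCTED PE image from (name, raw_data, characteristics, virtual_size) tuples."""
    opt_size = 224  # zeroed optional header; parse_sections() only needs its size
    raw_ptr = first_raw = (64 + 24 + opt_size + 40 * len(sections) + 511) // 512 * 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at offset 0x3C points to "PE\0\0"
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, chars, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, chars)
        padded = data + b"\0" * (-len(data) % 512)  # file alignment of 512 bytes
        blobs += padded
        raw_ptr += len(padded)
        vaddr += (max(vsize, len(data), 1) + 0xFFF) & ~0xFFF  # section alignment of 4 KiB
    image = dos + coff + b"\0" * opt_size + table
    return image + b"\0" * (first_raw - len(image)) + blobs

def constructed_normal_pe() -> bytes:
    text = bytes(range(16)) * 256  # repetitive "code", entropy exactly 4.0 bits/byte
    data = b"Hello from a plain executable\0" * 32
    return build_pe([(".text", text, 0x60000020, len(text)),   # CODE | EXECUTE | READ
                     (".data", data, 0xC0000040, len(data))])  # INITIALIZED_DATA | READ | WRITE

def constructed_packed_pe() -> bytes:
    rng = random.Random(2014)  # fixed seed so the sample is reproducible
    stub = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a compressed payload
    return build_pe([("UPX0", b"", 0xE0000080, 0x8000),        # UNINITIALIZED_DATA | EXECUTE | READ | WRITE
                     ("UPX1", stub, 0xE0000040, len(stub))])   # INITIALIZED_DATA | EXECUTE | READ | WRITE
```

Running `analyse_pe` on a real file is a matter of `analyse_pe(open(path, "rb").read())`; a high-entropy `.rsrc` section holding a compressed resource is the usual false positive, so treat the verdict as a triage hint rather than proof.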
Behavioural analysis
What would you do to identify a malicious behavior?
• File system (e.g. lowered security settings)
• Registry changes (e.g. autorun keys)
• Network Traffic
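As an added example (not from the deck), a small Python triage routine that applies the behavioural checks above to a run of sandbox-style events: registry writes to autorun load points or to settings that lower protection, file drops into the Startup folder, and connections to bare IP addresses. The event format and the sample run are constructed for this example; the registry key names are real Windows locations.

```python
"""Triage of sandbox behaviour events for load points and weakened security settings (added example)."""
import re

# Constructed patterns for the behaviours listed on the slide; the key names are real Windows locations.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\|\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
SECURITY_KEY = re.compile(r"\\Windows Defender\\DisableAntiSpyware$|\\Security Center\\\w*Disable\w*$"
                          r"|\\Policies\\System\\EnableLUA$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
# Constructed event syntax: KIND target [= value]
EVENT = re.compile(r"^(?P<kind>REG_SET|FILE_WRITE|NET_CONNECT)\s+(?P<target>.+?)(?:\s+=\s+(?P<value>.+))?$")

def classify_event(line: str):
    """Map one event line to (category, description, target, value), or None if it looks benign."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    kind, target, value = m.group("kind", "target", "value")
    if kind == "REG_SET" and AUTORUN_KEY.search(target):
        return ("persistence", "autorun registry key written", target, value)
    if kind == "REG_SET" and SECURITY_KEY.search(target):
        return ("security-lowered", "protective setting changed", target, value)
    if kind == "FILE_WRITE" and STARTUP_DIR.search(target):
        return ("persistence", "file dropped in Startup folder", target, value)
    if kind == "NET_CONNECT" and BARE_IP.match(target):
        return ("network", "connection to a bare IP address", target, value)
    return None

def triage(log: str) -> dict:
    """Collect findings for a whole run; 'suspicious' when a load point or a security setting is touched."""
    findings = [f for f in map(classify_event, log.splitlines()) if f]
    categories = {f[0] for f in findings}
    suspicious = bool(categories & {"persistence", "security-lowered"})
    return {"findings": findings, "categories": sorted(categories), "suspicious": suspicious}

# Constructed sample run (not real sandbox output); 203.0.113.7 is a documentation-range address.
SAMPLE_RUN = r"""
REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\alice\AppData\Roaming\updater.exe
REG_SET HKCU\Software\Microsoft\Office\16.0\Word\Options\LastUsed = 3
FILE_WRITE C:\Users\alice\Documents\notes.txt
FILE_WRITE C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk
REG_SET HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
NET_CONNECT 203.0.113.7:8080
"""
```

`triage(SAMPLE_RUN)` reports four findings and a suspicious verdict; the Office and Documents events are ignored, which is the point of scoping the checks to load points rather than to every write.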
Code analysis & debugging
What can you do if you have the ASM code?
• Identify hidden functionalities
• Identify malware capabilities such as propagation, load points, infection, and C&C server communications
• Identify encryption and compression algorithms used
• Identify portions of code/data that can be used to identify the threat
Malware is getting smarter…
Examples of evasions are…
• Sandbox evasion
• Anti-VM tricks
• Anti-analysis tricks
• Signature evasion
How can they do that?
What we do in Symantec Security Response
• Analyse new malware (e.g. Stuxnet, Regin)
• Analyse malware submitted by customers
• Analyse and write reports for internal use and for customers
• Write automation tools and systems
• Write decryptors, decoders, and DGA-decoders
• Write generic detections and remediation routines
• Develop FixTools (e.g. Poweliks, Ramnit)
• Write blog entries about new malware and trends
What we do in Symantec Security Response
Decryptors. Just an example…
IT professionals involved in malware protection
• Malware Researchers
• Automation Developers
• Network Analysis Specialists
• QA Engineers
• Incident Responders / Incident Handlers
• Engine Developers
On-site analysis
Incident Handlers/Responders
Incident Responders on-site
We’re not talking about Event Analysts here…
• Data collection (order of volatility must be preserved)
• Timeline of operations
• Chain of custody
• Data analysis
– Memory analysis (live analysis)
– Log analysis
– File analysis (EnCase, FTK, Sleuthkit, malware analysis)
– Network traffic analysis
– Customer machine replication on VMware
How to get a job in IT security
Some tips…
Some tips…
• Be passionate
• Work on external projects
• Work hard on your university projects
• Work hard on your dissertation
We are hiring!
Let’s talk! Scenario time!
You’re a security specialist now
Q&A
Roberto Sponchioni
Thank you!
Roberto_Sponchioni@Symantec.com