Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
  1. IT Professions in the Anti-Malware Industry. Roberto Sponchioni, Sr. Anti-Malware Engineer
  2. Who am I?
     • Working as a Senior Anti-Malware Engineer @ Symantec
     • Worked as a Security Consultant (PT/VA, Incident Response)
     • Graduated from University of Milan (DTI)
     Copyright © 2014 Symantec Corporation
  3. A long series of data breaches. Some examples…
  4. A long series of data breaches in the US. Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
  5. A long series of data breaches in the US. Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
  6. A long series of data breaches in the US. Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
  7. Malware, it’s everywhere… What is it? What’s its purpose? Who’s behind it?
  8. Different types of malware, different purposes
     • DDoS botnet (Backdoor.Zemra, Linux.Shelldos, Linux.Xnote, etc.)
     • Banking malware (Zbot, Carberp, etc.)
     • Ransomlock & Cryptolocker
     • Mobile malware
     • Information-stealing malware (Rodagose, Rawpos, Steem, etc.)
     • APT (zero-day exploits, ad-hoc malware, spearphishing, etc.)
     • State sponsored / cyberespionage (Stuxnet, etc.)
     • Exploit kits (Blackhole, Angler, Rig, etc.)
  9. It’s easy to build your own malware…
  10. What would you do to protect yourself / your company?
     • User education
     • Antivirus / security products
     • Reputation systems
     • Firewall
     • IDS/IPS sensors within the network
     • Follow best practices (ISO-27001, etc.)
  11. Let’s look at some figures…
  12. Let’s look at some figures…
     • How much malware/adware/PUAs do we see?
     • It’s ~190M in 1 month. It’s ~6M per day
  13. Let’s look at some figures…
     • In total: network and files are...
     • It’s ~250M in 1 month. It’s ~8M per day
  14. Let’s look at some figures…
     • Number of reputation queries?
     • ~40 + 35 billion (URLs + Files)
  15. The need for specialists! IT professionals work hard to protect our data: Malware Researchers, QA, Developers, Network Security Specialists, IR
  16. Symantec Security Response - 24/7
  17. What do we do in Security Response? Let’s have a look at some examples…
  18. Let’s try to identify a malware sample… What would you do to identify a malicious file?
     • File structure analysis
     • Behavioural analysis
       – Network analysis
       – File system changes
       – Registry changes
       – Etc.
     • Code analysis & debugging
       – Identify hidden functionalities
       – Forcing the code to follow different branches
       – Etc.
  19. File structure analysis. What would you do to identify a malicious file?
     • EXE icon
     • Packer identification (diagram: normal executable = Header, Code, Data; packed executable = Header, Compressed / encrypted code + data, Packer’s code)
     • Suspicious data
  20. Behavioural analysis. What would you do to identify a malicious behavior?
     • File system (e.g. lower security settings)
     • Registry changes (e.g. Autorun keys)
     • Network Traffic
  21. Code analysis & debugging. What can you do if you have the ASM code?
     • Identify hidden functionalities
     • Identify malware capabilities such as propagation, load points, infection, and C&C server communications
     • Identify encryption and compression algorithms used
     • Identify portions of code/data that can be used to identify the threat
  22. Malware is getting smarter…
  23. Examples of evasions are… How can they do that?
     • Sandbox evasion
     • Anti-VM tricks
     • Anti-analysis tricks
     • Signature evasion
  24. What we do in Symantec Security Response
     • Analyse new malware (e.g. Stuxnet, Regin)
     • Analyse malware submitted by customers
     • Analyse and write reports for internal use and for customers
     • Write automation tools and systems
     • Write decryptors, decoders, and DGA-decoders
     • Write generic detections and remediation routines
     • Develop FixTools (e.g. Poweliks, Ramnit)
     • Write blog entries about new malware and trends
  25. What we do in Symantec Security Response. Decryptors. Just an example…
  26. What we do in Symantec Security Response. Decryptors. Just an example…
  27. What we do in Symantec Security Response. Decryptors. Just an example…
  28. What we do in Symantec Security Response. Decryptors. Just an example…
  29. IT professionals involved in malware protection
     • Malware Researchers
     • Automation Developers
     • Network Analysis Specialists
     • QA Engineers
     • Incident Responders / Incident Handlers
     • Engine Developers
  30. On-site analysis. Incident Handlers/Responders
  31. Incident Responders on-site. We’re not talking about Event Analysts here…
     • Data collection (order of volatility must be preserved)
     • Timeline of operations
     • Chain of custody
     • Data analysis
       – Memory analysis (live analysis)
       – Log analysis
       – File analysis (EnCase, FTK, Sleuthkit, malware analysis)
       – Network traffic analysis
       – Customer machine replication on VMWare
  32. How to get a job in IT security. Some tips…
  33. Some tips…
     • Be passionate
     • Work on external projects
     • Work hard on your university projects
     • Work hard on your dissertation
     We are hiring!
  34. Let’s talk! Scenario time! You’re a security specialist now
  35. Q&A. Roberto Sponchioni. Thank you! Roberto_Sponchioni@Symantec.com