SlideShare a Scribd company logo

AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsenal 2016)

Jakub "Kuba" Sendor
Jakub "Kuba" Sendor

Even for a larger incident response team handling all of the repetitive tasks related to malware infections is a tedious task. Our malware analysts have spent a lot of time chasing digital forensics from potentially infected Mac OS X systems, leveraging open source tools, like OSXCollector. Early on, we have automated some part of the analysis process, augmenting the initial set of digital forensics collected from the machines with the information gathered from the threat intelligence APIs. They helped us with additional information on potentially suspicious domains, URLs and file hashes. But our approach to the analysis still required a certain degree of configuration and manual maintenance that was consuming lots of attention from malware responders. Enter automation: turning all of your repetitive tasks in a scripted way that will help you deal faster with the incident discovery, forensic collection and analysis, with fewer possibilities to make a mistake. We went ahead and turned OSXCollector toolkit into AMIRA: Automated Malware Incident Response and Analysis service. AMIRA turns the forensic information gathered by OSXCollector into actionable response plan, suggesting the infection source as well as suspicious files and domains requiring a closer look. Furthermore, we integrated AMIRA with our incident response platform, making sure that as little interaction as necessary is required from the analyst to follow the investigation. Thanks to that, the incident response team members can focus on what they excel at: finding unusual patterns and the novel ways that malware was trying to sneak into the corporate infrastructure.

Software
1 of 31
Download to read offline
Jakub (Kuba) Sendor @jsendor AMIRA Automated Malware Incident Response and Analysis
> 4000
Dramatis personæ Yelp Employee HelpDesk IT Engineer Security Team Malware Analyst
● Is this machine infected? ● How'd that malware get there? ● How can I prevent and detect further infection?
Initial triage Forensics collection Forensics analysis Final remediation Malware incident response process
Initial triage // Malware Analyst Forensics collection // IT Engineer Forensics analysis // Malware Analyst Final remediation // IT Engineer Malware incident response process
● OSXAuditor ● osquery ● KnockKnock ● Grr (Google Rapid Response) ● OS X Incident Response: Scripting and Analysis by Jaron Bradley Digital Forensics on macOS
Forensics Collected by OSXCollector OS System Info Applications Browser History Kernel Extensions Quarantines Email Info Downloads Startup Items Groups & Accounts
OSXCollector output path, hashes, timestamps, signature chain, ... { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2016-03-31 16:50:39", "mtime": "2016-03-30 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "DelayedHedgehog-2016_08_01-12_35_11", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
Manual analysis with grep and jq works pretty well grep a time window only urls in a time window grep a single user $ cat bsideslv.json | grep '2016-08-03 10:1[2-8]' $ cat bsideslv.json | grep '2016-08-03 10:1[2-8]' | jq 'select(has("url")).url' $ cat bsideslv.json | jq 'select(.osxcollector_username=="kuba")|.'
$ sudo osxcollector.py Wrote 35394 lines. Output in osxcollect-2016_08_03-10_12_39.tar.gz
OSXCollector Output Filters Internal blacklists Related files Domain extraction Threat intel APIs Browser history filter JSON in JSON out
Automated Malware Incident Response and Analysis
Uploading OSXCollector output SlickApocalypse_2016-08-03_10:23:13.tar.gz
S3 Event Notifications SlickApocalypse_2016-08-03_10:23:13.tar.gz ObjectCreated AmiraS3EventNotifications
S3 Event Notifications SlickApocalypse_2016-08-03_10:23:13.tar.gz ObjectCreated AMIRA AmiraS3EventNotifications
S3 Event Notifications SlickApocalypse_2016-08-03_10:23:13.tar.gz AMIRA SlickApocalypse_2016-08-03_10:23:13.tar.gz
Automated analysis AMIRA Internal blacklists Related files Domain extraction Threat intel APIs Browser history filter
Uploading the results AMIRA SlickApocalypse_2016-08-03_10:23:13.json SlickApocalypse_2016-08-03_10:23:13.html
● Domains and hashes found on the blacklist. ● Threat intel APIs hits for domains and file hashes. ● Blacklist suggestions. Analysis results
Prerequisites: ● SQS queue for the S3 event notifications. ● S3 bucket configured to send S3 event notifications. ● (optional) Another S3 bucket for the analysis results. Running AMIRA
from amira.amira import AMIRA amira = AMIRA('us-west-1', 'AmiraS3EventNotifications') # register results uploader from amira.s3 import S3ResultsUploader s3_results_uploader = S3ResultsUploader('amira-results-bucket') amira.register_results_uploader(s3_results_uploader) # Ready, set, GO! amira.run()
1. Trigger OSXCollector via inventory management system. 2. Upload the results to an S3 bucket*. 3. Profit! Automated forensics collection *hint: use create-only rights in the S3 bucket policy
#!/bin/bash file="$1" bucket="$2" echo "Uploading file $file to bucket $bucket" resource="/${bucket}/${file}" contentType="application/x-compressed-tar" dateValue=`date -u +"%a, %d %b %Y %T GMT" ` stringToSign="PUTnn${contentType}n${dateValue}n${resource}" s3Key="$3" s3Secret="$4" signature=`echo -en ${stringToSign} | openssl sha1 -hmac ${s3Secret} -binary | base64` curl -X PUT -T "${file}" -H "Host: ${bucket}.s3.amazonaws.com" -H "Date: ${dateValue}" -H "Content-Type: ${contentType}" -H "Authorization: AWS ${s3Key}:${signature}" "https://${bucket}.s3.amazonaws.com/${file}" | cat
Automation FTW Before 1-2 days Now Several minutes, up to a couple of hours in the worst case
Initial triage // Malware Analyst Forensics collection // AMIRA Forensics analysis // AMIRA/Malware Analyst Final remediation // IT Engineer Malware incident response process
● Automated process equal less human errors ● No need for physical collection. ● More proactive forensics collection. Takeaways
https://github.com/Yelp/amira Try it out! @jsendor kuba@yelp.com
@YelpEngineering fb.com/YelpEngineers engineeringblog.yelp.com github.com/yelp

Recommended

AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...Jakub "Kuba" Sendor
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 
Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_netNico Ludwig
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modellingDevSecCon
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
OpenStack Liberty Summit Ops Show & Tell - Go Daddy
OpenStack Liberty Summit Ops Show & Tell - Go DaddyOpenStack Liberty Summit Ops Show & Tell - Go Daddy
OpenStack Liberty Summit Ops Show & Tell - Go DaddyMike Dorman
 

Recommended

AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...
AMIRA: Automated Malware Incident Response and Analysis for macOS (Black Hat ...Jakub "Kuba" Sendor
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 
Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_net(1) c sharp introduction_basics_dot_net
(1) c sharp introduction_basics_dot_netNico Ludwig
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modellingDevSecCon
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
OpenStack Liberty Summit Ops Show & Tell - Go Daddy
OpenStack Liberty Summit Ops Show & Tell - Go DaddyOpenStack Liberty Summit Ops Show & Tell - Go Daddy
OpenStack Liberty Summit Ops Show & Tell - Go DaddyMike Dorman
 
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE - ATT&CKcon
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsDevSecCon
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonSkelton Thatcher Consulting Ltd
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Panther Labs
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryDevSecCon
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...Jakub "Kuba" Sendor
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic
 
Airbnb - StreamAlert
Airbnb - StreamAlertAirbnb - StreamAlert
Airbnb - StreamAlertAmazon Web Services
 
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Jakub "Kuba" Sendor
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USAAlexandre Borges
 

More Related Content

What's hot

Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysisIbrahim Baliç
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE - ATT&CKcon
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsDevSecCon
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonSkelton Thatcher Consulting Ltd
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Panther Labs
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryDevSecCon
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones HijackingPriyanka Aash
 

What's hot (15)

Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout Session
 
Automated malware analysis
Automated malware analysisAutomated malware analysis
Automated malware analysis
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca...
 
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix toolsJakob Holderbaum - Managing Shared secrets using basic Unix tools
Jakob Holderbaum - Managing Shared secrets using basic Unix tools
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew Skelton
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)Writing Custom Python Detection with Panther (Part 1)
Writing Custom Python Detection with Panther (Part 1)
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source Components
 
Justin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application deliveryJustin collins - Practical Static Analysis for continuous application delivery
Justin collins - Practical Static Analysis for continuous application delivery
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 

Similar to AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsenal 2016)

BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...Jakub "Kuba" Sendor
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic
 
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Jakub "Kuba" Sendor
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USAAlexandre Borges
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonMoses Schwartz
 
Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Moses Schwartz
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...Priyanka Aash
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Lessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsLessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsItai Yaffe
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?Sumedt Jitpukdebodin
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterAbdessabour Arous
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 

Similar to AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsenal 2016) (20)

BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
BSidesLV 2016: Don't Repeat Yourself - Automating Malware Incident Response f...
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security Analytics
 
Airbnb - StreamAlert
Airbnb - StreamAlertAirbnb - StreamAlert
Airbnb - StreamAlert
 
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
Slicing Apples with Ninja Sword: Fighting Malware at the Corporate Level (OWA...
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USARing 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with Python
 
Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019Security Automation Simplified - BSides Austin 2019
Security Automation Simplified - BSides Austin 2019
 
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y...
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Lessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsLessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark Applications
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"Artem Storozhuk "Building SQL firewall: insights from developers"
Artem Storozhuk "Building SQL firewall: insights from developers"
 
End of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse CenterEnd of Studies project: Malware Repsonse Center
End of Studies project: Malware Repsonse Center
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 

Recently uploaded

A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 

Recently uploaded (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 

AMIRA: Automated Malware Incident Response and Analysis (Black Hat USA Arsenal 2016)