SESSION ID: HT-W02
#RSAC
Applied Machine Learning: Defeating Modern Malicious Documents
Evan Gaustad
Sr. Manager CSIRT
Target Corporation
#RSAC
Agenda
2
Office Macro Use and Abuse
Malicious documents in attack lifecycle
Machine Learning for Malware Detection
Demo Project: Malicious Macro Bot
Conclusion
#RSAC
Macro-enabled Microsoft Office Documents
3
An Office macro is code that automates tasks in Office documents:
Automatically fill out forms
Update graphs and display data
Make web requests
Perform computations
Written in Visual Basic for Applications (VBA)
VBA support is built into MS Office
"99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than exploits." - Proofpoint [1]
#RSAC
Attacker motivation for malicious office docs
4
Barrier to entry is very low
Uses built-in, cross-platform features
"Exploit" reliability is high: no memory-corruption bug is needed, only a user who enables macros
Can implement sandbox evasion
Easy to update to evade AV signatures
#RSAC
Malicious Macro-enabled Office Documents
5
Used by an attacker to gain code execution on the targeted system(s)
Common attacker VBA techniques:
Download and execute a malicious payload
Drop and execute embedded payloads or scripts
Obfuscation to hide intent
Sandbox evasion techniques
Payload targeting
…
"98% of Office-targeted threats use macros" - Microsoft [2]
#RSAC
Example: Maldocs in Attack Lifecycle
11
1) Phishing email with attachment "Invoice Past Due"
2) Victim opens file, allows macros to run
3) Malicious macro executes
4) Downloads / drops executables or PowerShell
5) Installs additional malware, e.g. Pony, Hancitor, Vawtrak
6) Steals credentials and data, maintains persistence, command and control
[Diagram: Victim -> Attacker command-and-control, e.g. http://.../gate.php]
#RSAC
Detecting Malicious Macros
13
How hard is it to create a malicious macro that runs an executable on the victim's machine and evades AV?
Really easy.
Some easy-to-find tools:
CrunchCode [7]
MacroShop [8]
Veil Framework [9]
Generate-Macro [10]
Criminals sell their own
#RSAC
Detecting Malicious Macros
14
#RSAC
Detecting Malicious Macros
15
#RSAC
Why Machine Learning?
16
Existing anti-virus and sandbox techniques can be subverted
Automates extracting insight from file samples
Can better generalize at identifying unknown variations
Reduces human analysis time
#RSAC
Project Approach
17
Goals:
Triage: Determine whether a new Microsoft Office document contains a malicious or benign macro
Detection: Provide useful detection when signature-based methods fail
Threat Intelligence: Identify phishing campaigns
Guiding Principles:
Supervised machine learning: classification
Well-thought-out features
Generalized and interpretable model output
#RSAC
Applied Machine Learning Steps
18
[Pipeline diagram] Step 1, collect labeled data: a set of benign files and a set of malicious files
#RSAC
Applied Machine Learning Steps
19
[Pipeline diagram] Collect labeled data (benign files, malicious files) -> Feature extraction
Each file becomes one row of numeric features, e.g.
5.7 10 98 …
1.2 23 15 …
0.7 57 20 …
…
#RSAC
“Feature Engineering”
20
DOCUMENT #1
…
BHJASD = Chr(102 + 8)
Set uHhdBhd = CreateObject("" & "W" & "" & "or" & "d." & "Applicatio" & BHJASD)
uHhdBhd.Documents.Open (FFFNNNF)
Module1.Tyryka (2)
HYUASGD = Module1.Girow(WOIEW)
Module1.Tyryka (3)
uHhdBhd.Quit
Set uHhdBhd = Nothing
End Sub
Public Function Girow(qqa As String)
Dim jjz As Variant
jjz = Shell(qqa, 0)
…
DOCUMENT #2
…
'#############################
'# Code to Add Total Value Formula #
'#############################
'Go to the top of the Price column
Range("H10").Select
'Find the bottom value - there are no values in the Non Stock Items
Selection.End(xlDown).Select
'Check to see if still in the order form range - if not there were no Standard Items Selected
If ActiveCell.Row > 1000 Then GoTo TidyUp
…
Which one is malicious? Why? How would you measure that?
#RSAC
“Feature Engineering”
21
Feature               Doc1   Doc2
# Lines of Code         74    584
# Comments               8    161
# Functions              9     14
# Shell Instructions     1      0
Entropy                4.3    3.8
#RSAC
Feature Engineering
22
#RSAC
Feature Engineering
23
#RSAC
Applied Machine Learning Steps
24
[Pipeline diagram] Collect labeled data (benign files, malicious files) -> Feature extraction -> Train and test model
Each file becomes one row of numeric features, e.g.
5.7 10 98 …
1.2 23 15 …
0.7 57 20 …
…
The feature rows and their labels are used to train and test candidate classification models.
#RSAC
Choose and Test Model
25
Feature               Doc1   Doc2
# Lines of Code         74    584
# Comments               8    161
# Functions              9     14
# Shell Instructions     1      0
Entropy                4.3    3.8
#RSAC
Simple Decision Tree Model
26
[Decision tree diagram]
Root: entropy <= 4.27 (samples = 88)
  True  -> leaf: class = benign (samples = 47)
  False -> # comments <= 39.0 (samples = 41)
    True  -> leaf: class = malicious (samples = 47)
    False -> leaf: class = benign (samples = 47)
#RSAC
Simple Decision Tree Model
27
Walking the two example documents through the tree:
Feature      Doc1   Doc2
Entropy       4.3    3.8
# Comments      8    161
Doc #1: entropy 4.3 > 4.27, then 8 comments <= 39.0 -> malicious
Doc #2: entropy 3.8 <= 4.27 -> benign
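Added example (not the talk's or the Malicious Macro Bot project's code): a feature extractor for the five heuristics in the "Feature Engineering" table, a few of the VBA keyword counts from the project slide, and the two-split tree from the "Simple Decision Tree Model" slide. The inputs are the two slide excerpts, so their counts differ from the full documents measured in the table.

```python
import math
import re
from collections import Counter

# Constructed inputs: the two VBA excerpts shown on the "Feature Engineering"
# slides, with the slide export's line wrapping undone. They are excerpts, not
# the complete macros the talk measured (74 and 584 lines of code).
DOC1 = """\
BHJASD = Chr(102 + 8)
Set uHhdBhd = CreateObject("" & "W" & "" & "or" & "d." & "Applicatio" & BHJASD)
uHhdBhd.Documents.Open (FFFNNNF)
Module1.Tyryka (2)
HYUASGD = Module1.Girow(WOIEW)
Module1.Tyryka (3)
uHhdBhd.Quit
Set uHhdBhd = Nothing
End Sub
Public Function Girow(qqa As String)
Dim jjz As Variant
jjz = Shell(qqa, 0)
"""

DOC2 = """\
'#############################
'# Code to Add Total Value Formula #
'#############################
'Go to the top of the Price column
Range("H10").Select
'Find the bottom value - there are no values in the Non Stock Items
Selection.End(xlDown).Select
'Check to see if still in the order form range - if not there were no Standard Items Selected
If ActiveCell.Row > 1000 Then GoTo TidyUp
"""

COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)
FUNC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\b",
    re.IGNORECASE,
)
SHELL_RE = re.compile(r"\bShell\s*\(", re.IGNORECASE)
# A small slice of the "VBA built-in language semantics" features from the
# Malicious Macro Bot slide; the real model uses over a thousand features.
KEYWORDS = ("Shell", "Dim", "If", "Set", "Chr", "CreateObject", "GoTo")


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def extract_features(vba: str) -> dict:
    """Code heuristics from the slide table plus keyword counts over code lines."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    comment_lines = [ln for ln in lines if COMMENT_RE.match(ln)]
    code_lines = [ln for ln in lines if not COMMENT_RE.match(ln)]
    code_text = "\n".join(code_lines)
    features = {
        "loc": len(lines),
        "comments": len(comment_lines),
        "functions": sum(1 for ln in code_lines if FUNC_RE.match(ln)),
        "shell": len(SHELL_RE.findall(code_text)),
        # Entropy is taken over the whole macro text, comments included.
        "entropy": round(shannon_entropy(vba), 3),
    }
    for kw in KEYWORDS:
        # Keyword counts come from code lines only, so English in comments
        # ("if not there were ...") does not inflate the If count.
        features["kw_" + kw] = len(re.findall(r"\b%s\b" % kw, code_text, re.IGNORECASE))
    return features


def slide_tree(features: dict) -> str:
    """The two-split decision tree drawn on the 'Simple Decision Tree Model' slide."""
    if features["entropy"] <= 4.27:
        return "benign"
    if features["comments"] <= 39.0:
        return "malicious"
    return "benign"


if __name__ == "__main__":
    for name, doc in (("DOC1", DOC1), ("DOC2", DOC2)):
        feats = extract_features(doc)
        print(name, feats, "->", slide_tree(feats))
```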
#RSAC
Applied Machine Learning Steps
28
[Pipeline diagram] Collect labeled data (benign files, malicious files) -> Feature extraction -> Train and test model -> Deploy model
Each file becomes one row of numeric features, e.g.
5.7 10 98 …
1.2 23 15 …
0.7 57 20 …
…
The trained classification model is deployed; new files are run through the same feature extraction and labeled "Benign" or "Malicious".
#RSAC
Malicious Macro Bot Project
29
Model factored in over 20,000 samples
Analyzed over 121,000 samples from 7 months of VirusTotal samples
Over a thousand features:
VBA built-in language semantics for the base language, e.g. Shell, Dim, If, …
Code heuristics, e.g. LOC, # functions, entropy, …
Uses a Random Forest classifier:
Fits many decision trees on many subsets of the dataset
Picks the best decision tree combinations
"Ensemble"
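Added example of the ensemble mechanics described above (my own minimal bagged forest of one-split trees, standing in for a library Random Forest such as scikit-learn's, which is not the project's code): every tree is fit on a bootstrap subset of the rows and a random subset of the features, and the forest's answer is the majority vote. The training rows are constructed, not the talk's data.

```python
import math
import random

# Constructed training rows: (entropy, # comments, # shell instructions) and a
# label (1 = malicious, 0 = benign). The values are made up to follow the
# slides' intuition; they are not from the talk's 20,000-sample data set.
FEATURE_NAMES = ("entropy", "comments", "shell")
TRAIN = [
    ((4.3, 8, 1), 1), ((4.6, 2, 1), 1), ((4.9, 0, 2), 1), ((4.4, 12, 1), 1),
    ((4.1, 5, 1), 1), ((4.7, 20, 0), 1),
    ((3.8, 161, 0), 0), ((3.5, 40, 0), 0), ((4.0, 90, 0), 0), ((3.9, 55, 0), 0),
    ((4.2, 70, 0), 0), ((3.6, 30, 0), 0),
]


def gini(labels):
    """Gini impurity of a label list; 0.0 means the node is pure."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def majority(labels):
    return 1 if 2 * sum(labels) >= len(labels) else 0


def best_stump(rows, feature_ids):
    """One-split tree: the (feature, threshold) with the lowest weighted Gini.

    Returns (feature_index, threshold, left_class, right_class). feature_index
    is None when no feature in the subset varies; the stump is then a constant
    predicting the majority class of its bootstrap sample.
    """
    best_score, best = None, None
    for fi in feature_ids:
        values = sorted({x[fi] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0
            left = [y for x, y in rows if x[fi] <= thr]
            right = [y for x, y in rows if x[fi] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best_score is None or score < best_score:
                best_score = score
                best = (fi, thr, majority(left), majority(right))
    if best is None:
        return (None, None, majority([y for _, y in rows]), None)
    return best


def train_forest(rows, n_trees=25, seed=7):
    """Bagging: each tree sees a bootstrap sample and sqrt(n_features) features."""
    rng = random.Random(seed)
    n_features = len(rows[0][0])
    k = max(1, int(math.sqrt(n_features)))
    forest = []
    for _ in range(n_trees):
        bootstrap = [rng.choice(rows) for _ in rows]   # subset of the dataset
        subset = rng.sample(range(n_features), k)      # subset of the features
        forest.append(best_stump(bootstrap, subset))
    return forest


def predict_stump(stump, x):
    fi, thr, left, right = stump
    if fi is None:
        return left
    return left if x[fi] <= thr else right


def predict(forest, x):
    """Ensemble vote: the class chosen by the majority of trees."""
    votes = sum(predict_stump(t, x) for t in forest)
    return 1 if 2 * votes > len(forest) else 0


def split_usage(forest):
    """How many trees split on each feature: a crude form of the interpretable
    output the project's guiding principles ask for."""
    counts = {name: 0 for name in FEATURE_NAMES}
    for fi, _, _, _ in forest:
        if fi is not None:
            counts[FEATURE_NAMES[fi]] += 1
    return counts


if __name__ == "__main__":
    forest = train_forest(TRAIN)
    print("Doc1-like row ->", predict(forest, (4.3, 8, 1)))
    print("Doc2-like row ->", predict(forest, (3.8, 161, 0)))
    print("splits per feature:", split_usage(forest))
```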
#RSAC
Demo: Malicious Macro Bot Project
30
Demonstrate classification
Gaining insight from machine learning features
Identifying phishing campaigns through featureprints
Search and visualize in Elasticsearch / Kibana
#RSAC
Conclusion
31
Project Uses:
Threat Intelligence: Identify new phishing campaigns
Detection: Fill traditional detection gaps
Incident Response: Rapid triage of office documents
Prevention would be best
#RSAC
Thank You!
32
https://github.com/egaus/MaliciousMacroBot
#RSAC
References
33
[1] Proofpoint, "Human Factor Report", 2016. https://www.proofpoint.com/sites/default/files/human-factor-report-2016.pdf
[2] Microsoft, "New feature in Office 2016 can block macros and help prevent infection", Mar 22, 2016. https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
[3] Proofpoint, "The Cybercrime Economics of Malicious Macros", 2016. https://www.proofpoint.com/sites/default/files/documents/bnt_download/pp-macroeconomics-rr.pdf
[4] Ankit Anubhav, Dileep Kumar Jallepalli, "Hancitor (aka Chanitor) Observed Using Multiple Attack Approaches". FireEye, Sept 23, 2016. https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
[5] "PonyUp: Tracing Pony's Threat Cycle and Multi-Stage Infection Chain". Damballa, Aug. 2015. https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf
[6] "New Hancitor: Pimp my Downloader". Minerva Labs Research Team, Aug 19, 2016. http://www.minerva-labs.com/post/new-hancitor-pimp-my-downloader
[7] CrunchCode. http://www.crunchcode.de/en/index.html
[8] MacroShop. https://github.com/khr0x40sh/MacroShop
[9] Veil Evasion Framework. https://github.com/Veil-Framework/Veil-Evasion
[10] Generate-Macro. https://github.com/enigma0x3/Generate-Macro
[11] SciKit Learn Algorithm Cheat Sheet. http://scikit-learn.org/stable/tutorial/machine_learning_map/
#RSAC
Thank You!
34
Questions?
#RSAC
Offline Demo
35
#RSAC
Identifying Phishing Campaigns
36

 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 

Applied machine learning defeating modern malicious documents

  • 1. SESSION ID: HT-W02 #RSAC
    Applied Machine Learning: Defeating Modern Malicious Documents
    Evan Gaustad, Sr. Manager CSIRT, Target Corporation
  • 2. Agenda
    - Office Macro Use and Abuse
    - Malicious documents in attack lifecycle
    - Machine Learning for Malware Detection
    - Demo Project: Malicious Macro Bot
    - Conclusion
  • 3. Macro-enabled Microsoft Office Documents
    An office macro is code that automates tasks in office documents:
    - Automatically fill out forms
    - Update graphs and display data
    - Make web requests
    - Perform computations
    Macros are written in Visual Basic for Applications (VBA); VBA support is built into MS Office.
    “99.7% of documents used in attachment-based campaigns relied on social engineering and macros, rather than exploits.” - Proofpoint [1]
  • 4. Attacker motivation for malicious office docs
    - Barrier of entry is very low
    - Uses built-in, cross-platform features
    - “Exploit” reliability is high
    - Can implement sandbox evasion
    - Easy to update to evade AV signatures
  • 5. Malicious Macro-enabled Office Documents
    Used by an attacker to gain code execution on the targeted system(s).
    Common attacker VBA techniques:
    - Download and execute malicious payload
    - Drop and execute embedded payloads or scripts
    - Obfuscation to hide intent
    - Sandbox evasion techniques
    - Payload targeting
    - …
    “98% of Office-targeted threats use macros” - Microsoft [2]
  • 6–11. Example: Maldocs in Attack Lifecycle (one step added per slide)
    1) Phishing email with attachment “Invoice Past Due”
    2) Victim opens file, allows macros to run
    3) Malicious macro executes
    4) Downloads / drops executables or PowerShell
    5) Install additional malware, e.g. Pony, Hancitor, Vawtrak
    6) Steal credentials, data, maintain persistence, command and control
    (Diagram labels: Victim, Attacker, http://.../gate.php)
  • 12–13. Detecting Malicious Macros
    How hard is it to create: a malicious macro… that runs an executable… on a victim’s machine… and evades AV?
    Some easy-to-find tools: CrunchCode [7], MacroShop [8], Veil Framework [9], Generate-Macro [10]; criminals sell their own.
    Answer (slide 13): Really easy.
  • 16. Why Machine Learning?
    - Existing anti-virus and sandbox techniques can be subverted
    - Automates extracting insight from file samples
    - Can better generalize at identifying unknown variations
    - Reduces human analysis time
  • 17. Project Approach
    Goals:
    - Triage: determine whether a new Microsoft Office document contains a malicious or benign macro
    - Detection: provide useful detection when signature-based methods fail
    - Threat Intelligence: identify phishing campaigns
    Guiding principles:
    - Supervised machine learning: classification
    - Well-thought-out features
    - Generalized and interpretable model output
  • 18–19. Applied Machine Learning Steps
    1. Collect labeled data (benign files, malicious files)
    2. Feature extraction (each file becomes a row of numeric features, e.g. 5.7, 10, 98, …)
  • 20. “Feature Engineering”
    DOCUMENT #1 (excerpt):
        …
        BHJASD = Chr(102 + 8)
        Set uHhdBhd = CreateObject("" & "W" & "" & "or" & "d." & "Applicatio" & BHJASD)
        uHhdBhd.Documents.Open (FFFNNNF)
        Module1.Tyryka (2)
        HYUASGD = Module1.Girow(WOIEW)
        Module1.Tyryka (3)
        uHhdBhd.Quit
        Set uHhdBhd = Nothing
        End Sub
        Public Function Girow(qqa As String)
        Dim jjz As Variant
        jjz = Shell(qqa, 0)
        …
    DOCUMENT #2 (excerpt):
        …
        '#############################
        '# Code to Add Total Value Formula #
        '#############################
        'Go to the top of the Price column
        Range("H10").Select
        'Find the bottom value - there are no values in the Non Stock Items
        Selection.End(xlDown).Select
        'Check to see if still in the order form range - if not there were no Standard Items Selected
        If ActiveCell.Row > 1000 Then GoTo TidyUp
        …
    Which one is malicious? Why? How would you measure that?
  • 21. “Feature Engineering” (continued): the same two documents, measured
    Feature               Doc1   Doc2
    # Lines of Code         74    584
    # Comments               8    161
    # Functions              9     14
    # Shell Instructions     1      0
    Entropy                4.3    3.8
  • 24. Applied Machine Learning Steps
    1. Collect labeled data
    2. Feature extraction
    3. Train and test model (classification models)
  • 25. Choose and Test Model
    (Same two documents and feature table as slides 20–21.)
  • 26. Simple Decision Tree Model
    (Tree diagram.) Root split: entropy <= 4.27, samples = 88.
    - True branch: leaf, samples = 47, class = benign
    - False branch: split on # comments <= 39.0, samples = 41, with leaves labelled class = benign and class = malicious (the diagram shows samples = 47 on each leaf)
  • 27. Simple Decision Tree Model
    The same tree with Doc #1 and Doc #2 traced through it:
    Feature      Doc1   Doc2
    Entropy       4.3    3.8
    # Comments      8    161
  • 28. Applied Machine Learning Steps
    1. Collect labeled data
    2. Feature extraction
    3. Train and test model (classification models)
    4. Deploy model: new files → classification model → “Benign” / “Malicious”
  • 29. Malicious Macro Bot Project
    - Model factored in over 20,000 samples
    - Analyzed over 121,000 samples from 7 months of VirusTotal samples
    - Over a thousand features:
      - VBA built-in language semantics for the base language, e.g. Shell, Dim, If, …
      - Code heuristics, e.g. LOC, # functions, entropy, …
    - Uses a Random Forest classifier: fits many decision trees on many subsets of the dataset and picks the best decision tree combinations (“ensemble”)
  • 30. Demo: Malicious Macro Bot Project
    - Demonstrate classification
    - Gaining insight from machine learning features
    - Identifying phishing campaigns through featureprints
    - Search and visualize in Elasticsearch / Kibana
  • 31. Conclusion
    Project uses:
    - Threat Intelligence: identify new phishing campaigns
    - Detection: fill traditional detection gaps
    - Incident Response: rapid triage of office documents
    Prevention would be best.
  • 33. References
    [1] Proofpoint, “Human Factor Report”, 2016. https://www.proofpoint.com/sites/default/files/human-factor-report-2016.pdf
    [2] Microsoft, “New feature in Office 2016 can block macros and help prevent infection”, Mar 22, 2016. https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
    [3] Proofpoint, “The Cybercrime Economics of Malicious Macros”, 2016. https://www.proofpoint.com/sites/default/files/documents/bnt_download/pp-macroeconomics-rr.pdf
    [4] Ankit Anubhav, Dileep Kumar Jallepalli, “Hancitor (aka Chanitor) Observed Using Multiple Attack Approaches”, FireEye, Sept 23, 2016. https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
    [5] Damballa, “PonyUp: Tracing Pony’s Threat Cycle and Multi-Stage Infection Chain”, Aug. 2015. https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf
    [6] Minerva Labs Research Team, “New Hancitor: Pimp my Downloader”, Aug 19, 2016. http://www.minerva-labs.com/post/new-hancitor-pimp-my-downloader
    [7] CrunchCode. http://www.crunchcode.de/en/index.html
    [8] MacroShop. https://github.com/khr0x40sh/MacroShop
    [9] Veil Evasion Framework. https://github.com/Veil-Framework/Veil-Evasion
    [10] Generate-Macro. https://github.com/enigma0x3/Generate-Macro
    [11] SciKit Learn Algorithm Cheat Sheet. http://scikit-learn.org/stable/tutorial/machine_learning_map/