A year in the wild
Fighting malware at the corporate level
Jakub (Kuba) Sendor
@jsendor
whoami
● Joined Yelp security team in July 2014.
● Mostly involved in malware incident response.
● Also working on automating our security processes.
● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group.
● Before that: MSc from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
Yelp’s Mission: Connecting people with great local businesses.
Yelp Stats (as of Q4 2015):
86M | 32 | 70% | 95M
Yelp Stats (as of Q4 2015):
> 300 | > 3000
Malware response process at a glance
Detection → Analysis → Remediation
Detection
Various alert sources:
● endpoint monitoring
○ antivirus
○ osquery
● network traffic monitoring
● SIEM (Security Information and Event Management)
● email (phishing, adware, popups, etc.)
AIR: Automated Incident Response
AV → Filter out potential false positives → Match employee office → Email HelpDesk → Cut ticket
Antivirus alert
{
"UserName": "YELP-KUBAkuba",
"ThreatType": "Viruses",
"@timestamp": "2016-02-28T15:06:20.868Z",
"ScannerType": "On demand",
"InsertedAt_UTC": "2016-02-28 15:11:27",
"Status": "Cleanable",
"ComputerDomain": "AD",
"StatusID": "300",
"FullFilePath": "/Users/kuba/Downloads/4akAhdUB.exe.part",
"ComputerName": "YELP-1234",
"EventTime_UTC": "2016-02-28 15:11:18",
..
}
osquery
● kernel extensions
● user logins
● config file hashes
● browser extensions
● startup items
● launchd
osquery + ElastAlert
{
"@ingestionTime": "2016-02-28T15:05:33Z",
"_id": "AVLwlmFxKVkRUjUGMJlD",
"_index": "logstash-osquery-osx-weekly-2016.09",
"_type": "osquery",
"columns": {
"name": "Window Resizer",
"path": "/Users/kuba/Library/Application Support/Google/Chrome/Profile 1/Extensions/kkelicaakdanhinjdeammmilcgefonfh/1.9.1.2_0/"
},
"filter_result": "blacklisted",
"hostIdentifier": "A43F47D0-A921-5895-8A59-AB49EB616A5D",
"kibana_link": "https://..."
}
ElastAlert
Alerting out of data in Elasticsearch indexes.
https://github.com/Yelp/elastalert
ElastAlert rules
● frequency
● spikes
● flatline
● timeframes
Spikes in DNS block
This machine had one day with more than 20 blocked DNS lookups, and at least three subsequent days with
more than 2 blocked DNS lookups. It should be examined.
('2016-01-09', 21, Counter({'standout[.]tv[.]': 21}))
('2016-01-10', 6, Counter({'ads2[.]contentabc[.]com[.]': 6}))
('2016-01-11', 5, Counter({'bttrack[.]com[.]': 2, 'cdn[.]bttrack[.]com[.]': 2,
'94982c5b634975e50103ce96082d2827[.]adsk2[.]co[.]': 1}))
('2016-01-12', 20, Counter({'ads2[.]contentabc[.]com[.]': 8, 'loadm[.]exelator[.]com[.]': 5,
'standout[.]tv[.]': 3, 'loadus[.]exelator[.]com[.]': 2, 'secure-au[.]imrworldwide[.]com[.]': 1,
'1049theeagle[.]com[.]': 1}))
('2016-01-13', 47, Counter({'ads2[.]contentabc[.]com[.]': 22, 'www[.]4chan[.]org[.]': 14,
'sys[.]4chan[.]org[.]': 8, '4chan[.]org[.]': 2, 'cdn[.]directrev[.]com[.]': 1}))
('2016-01-14', 2, Counter({'ads2[.]contentabc[.]com[.]': 2}))
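The rule behind this alert, written out as an added Python example (not ElastAlert's own rule code): constructed blocked-lookup records for one host are grouped per day, the thresholds the alert text states are applied, and the result is rendered in the same (day, total, Counter) shape as above. Treating "subsequent days" as any later days rather than strictly consecutive ones is an assumption.

```python
from collections import Counter

# Constructed sample of blocked-DNS lookups for one host: (day, queried name).
# The per-day counts mirror the alert on the slide; names are defanged with [.]
# exactly as the alert text defangs them.
SAMPLE_BLOCKED = (
    [("2016-01-09", "standout[.]tv[.]")] * 21
    + [("2016-01-10", "ads2[.]contentabc[.]com[.]")] * 6
    + [("2016-01-11", "bttrack[.]com[.]")] * 2
    + [("2016-01-11", "cdn[.]bttrack[.]com[.]")] * 2
    + [("2016-01-11", "94982c5b634975e50103ce96082d2827[.]adsk2[.]co[.]")]
    + [("2016-01-12", "ads2[.]contentabc[.]com[.]")] * 8
    + [("2016-01-12", "loadm[.]exelator[.]com[.]")] * 5
    + [("2016-01-12", "standout[.]tv[.]")] * 3
    + [("2016-01-12", "loadus[.]exelator[.]com[.]")] * 2
    + [("2016-01-12", "secure-au[.]imrworldwide[.]com[.]")]
    + [("2016-01-12", "1049theeagle[.]com[.]")]
    + [("2016-01-13", "ads2[.]contentabc[.]com[.]")] * 22
    + [("2016-01-13", "www[.]4chan[.]org[.]")] * 14
    + [("2016-01-13", "sys[.]4chan[.]org[.]")] * 8
    + [("2016-01-13", "4chan[.]org[.]")] * 2
    + [("2016-01-13", "cdn[.]directrev[.]com[.]")]
    + [("2016-01-14", "ads2[.]contentabc[.]com[.]")] * 2
)

SPIKE_THRESHOLD = 20     # "one day with more than 20 blocked DNS lookups"
FOLLOWUP_THRESHOLD = 2   # "... with more than 2 blocked DNS lookups"
FOLLOWUP_DAYS = 3        # "at least three subsequent days"


def daily_counts(records):
    """Group blocked lookups per day -> {day: Counter(name -> hits)}."""
    per_day = {}
    for day, name in records:
        per_day.setdefault(day, Counter())[name] += 1
    return per_day


def find_spike(per_day):
    """Return the first day that satisfies the rule, or None if the host is quiet.

    A spike day has more than SPIKE_THRESHOLD blocked lookups and is followed
    by at least FOLLOWUP_DAYS later days (assumption: not necessarily
    consecutive) that each have more than FOLLOWUP_THRESHOLD blocked lookups.
    Days with no blocks are absent from per_day and so never count.
    """
    days = sorted(per_day)
    for i, day in enumerate(days):
        if sum(per_day[day].values()) <= SPIKE_THRESHOLD:
            continue
        followups = [d for d in days[i + 1:]
                     if sum(per_day[d].values()) > FOLLOWUP_THRESHOLD]
        if len(followups) >= FOLLOWUP_DAYS:
            return day
    return None


def alert_lines(per_day):
    """Per-day breakdown in the (day, total, Counter) shape the alert prints."""
    return [(day, sum(c.values()), c) for day, c in sorted(per_day.items())]


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_BLOCKED)
    if find_spike(counts):
        print("This machine should be examined:")
        for line in alert_lines(counts):
            print(line)
```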
Analysis
● False positive?
● Wrong OS?
● Who is it?
● How did that malware get there?
● Is the machine really infected?
Requesting osquery data on the host
Found 660 launch daemons for victim machine
Checking incidence of launch daemons in general population
........................................................................................................
00001 launch daemons named /Users/joel/Library/LaunchAgents/com.apple.macbuddy.icloudsetup.user.plist found
00001 launch daemons named /Library/LaunchDaemons/com.avid.bsd.DigiShoeTool.plist found
00001 launch daemons named /Users/joel/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.spotify.webhelper.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.facebook.videochat.joel.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.nero.HSMMonitor.plist found
00002 launch daemons named /Users/joel/Library/LaunchAgents/com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2
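The population check shown above, as an added Python example that is not Yelp's tooling: it assumes the osquery launchd results have already been collected into a constructed host → set-of-plist-paths map, and it goes one step beyond the slide by folding the per-user home directory component so that the same LaunchAgent counts as one item fleet-wide. Item names are taken from the slide; the hosts and the hypothetical corp-agent item are made up.

```python
import re
from collections import Counter

# Per-user LaunchAgents live under the user's home directory, so the same agent
# appears under a different path on every machine; fold that component first.
HOME_RE = re.compile(r"^/Users/[^/]+/")

# Constructed fleet inventory: host -> launchd items osquery reported on it.
CORP_AGENT = "/Library/LaunchDaemons/com.example.corp-agent.plist"  # hypothetical, on every host
FLEET = {
    "victim": {
        CORP_AGENT,
        "/Users/joel/Library/LaunchAgents/com.spotify.webhelper.plist",
        "/Users/joel/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist",
        "/Library/LaunchDaemons/com.avid.bsd.DigiShoeTool.plist",
    },
    "host-a": {CORP_AGENT,
               "/Users/alice/Library/LaunchAgents/com.spotify.webhelper.plist"},
    "host-b": {CORP_AGENT,
               "/Users/bob/Library/LaunchAgents/com.spotify.webhelper.plist",
               "/Users/bob/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist"},
    "host-c": {CORP_AGENT},
}


def normalise(path):
    """Replace the user name in a home-directory path with a wildcard."""
    return HOME_RE.sub("/Users/*/", path)


def population_incidence(fleet):
    """How many hosts carry each (normalised) launchd item."""
    incidence = Counter()
    for items in fleet.values():
        incidence.update({normalise(p) for p in items})  # a host counts once per item
    return incidence


def rank_victim_items(fleet, victim):
    """The victim's items, rarest first, as (host_count, original_path)."""
    incidence = population_incidence(fleet)
    return sorted((incidence[normalise(p)], p) for p in fleet[victim])


def report(fleet, victim, limit=5):
    """Render the same lines the slide shows; the rare items at the top are where to look first."""
    lines = [
        f"Found {len(fleet[victim])} launch daemons for victim machine",
        "Checking incidence of launch daemons in general population",
    ]
    for count, path in rank_victim_items(fleet, victim)[:limit]:
        lines.append(f"{count:05d} launch daemons named {path} found")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FLEET, "victim")))
```

Items present on only one or two machines are not automatically malicious (the slide's own top hits are vendor updaters), but they are the short list worth a manual look.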
$ sudo osxcollector.py --id BlossomingLotus
Wrote 35394 lines.
Output in BlossomingLotus-2016_02_28-15_08_38.tar.gz
$
1 Python file
0 dependencies
{
"file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
"sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614",
"sha1": "99005b68295c202fd359b46cd1411acea96b2469",
"md5": "b8cc164b6546e4b13768d8353820b216",
"ctime": "2014-12-05 16:50:39",
"mtime": "2014-09-19 00:16:50",
"osxcollector_section": "kext",
"osxcollector_incident_id": "BlossomingLotus-2016_02_28-15_12_46",
"osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist",
"osxcollector_bundle_id": "com.apple.driver.Apple_iSight",
"signature_chain": [
"Software Signing",
"Apple Code Signing Certification Authority",
"Apple Root CA"
]
}
JSON in → JSON out
● Shadowserver API
● OpenDNS Investigate API
● Internal blacklists
● VirusTotal API
● Browser history filter
Analysis summary
We put stuff on a blacklist for a reason. Mostly so you don't do this.
- applications
  ctime: "2015-04-13 10:15:32"
  file_path: "/Applications/MacKeeper.app/Contents/Resources/ZBRemoteSupport.app/Contents/MacOS/ZBRemoteSupport"
  md5: "50be328745e25afc875842ed578cd3fa"
  mtime: "2013-01-29 07:03:51"
  sha1: "f22e7953d0d360956fd43cb79788676e1af60700"
  sha2: "03ed9cb6e46221d219127b07e1d139132c05509f90636ee1da76c9610a67ae3f"
  blacklist-hashes: ["50be328745e25afc875842ed578cd3fa"]
  related-files: ["mackeeper.app"]
- chrome history
  id: 627
  name: "http://stream2watch.me/"
  url_id: 291987
  blacklist-domains: ["stream2watch.me"]
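The JSON-in, JSON-out filter pattern behind this summary, as an added Python example that is not osxcollector's own filter code: constructed osxcollector-style records (values taken from the slides, the kext record included as a clean control) pass through a constructed internal blacklist of hashes and domains and come out annotated with the blacklist-hashes / blacklist-domains keys shown above. The record keys and the osxcollector_subsection tag are assumptions about the output format.

```python
import json
from urllib.parse import urlsplit

# Constructed internal blacklists; the two values are the ones the summary slide flags.
BLACKLISTED_HASHES = {"50be328745e25afc875842ed578cd3fa"}
BLACKLISTED_DOMAINS = {"stream2watch.me"}

# Constructed osxcollector-style output: one JSON object per line, tagged with its section.
SAMPLE_RECORDS = [
    {"osxcollector_section": "applications",
     "file_path": "/Applications/MacKeeper.app/Contents/Resources/ZBRemoteSupport.app/Contents/MacOS/ZBRemoteSupport",
     "md5": "50be328745e25afc875842ed578cd3fa",
     "sha1": "f22e7953d0d360956fd43cb79788676e1af60700",
     "sha2": "03ed9cb6e46221d219127b07e1d139132c05509f90636ee1da76c9610a67ae3f",
     "ctime": "2015-04-13 10:15:32", "mtime": "2013-01-29 07:03:51"},
    {"osxcollector_section": "chrome", "osxcollector_subsection": "history",
     "id": 627, "url_id": 291987, "name": "http://stream2watch.me/"},
    {"osxcollector_section": "kext",
     "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight",
     "md5": "b8cc164b6546e4b13768d8353820b216"},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def hostname_suffixes(host):
    """The host and every parent domain, so a listing for the apex also catches www.* hosts."""
    parts = host.lower().split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def enrich(record):
    """Return a copy of one record with blacklist-* keys added for anything that matched."""
    out = dict(record)
    hashes = [record[k] for k in ("md5", "sha1", "sha2")
              if record.get(k) in BLACKLISTED_HASHES]
    if hashes:
        out["blacklist-hashes"] = hashes
    # Browser history rows carry the URL in 'name' on the slide; accept 'url' too.
    url = record.get("url") or record.get("name")
    host = urlsplit(url).hostname if isinstance(url, str) else None
    if host:
        matched = sorted(hostname_suffixes(host) & BLACKLISTED_DOMAINS)
        if matched:
            out["blacklist-domains"] = matched
    return out


def filter_jsonl(text):
    """JSON in, JSON out: every line passes through; matching lines come back annotated."""
    return "\n".join(json.dumps(enrich(json.loads(line)))
                     for line in text.splitlines() if line.strip())


def analysis_summary(text):
    """Only the annotated records, in input order (the 'Analysis summary' view)."""
    records = (json.loads(line) for line in filter_jsonl(text).splitlines())
    return [r for r in records if any(k.startswith("blacklist-") for k in r)]


if __name__ == "__main__":
    for hit in analysis_summary(SAMPLE_JSONL):
        print(json.dumps(hit, indent=2))
```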
https://github.com/Yelp/osxcollector
Threat Intel API
https://github.com/Yelp/threat_intel
Phishing
● employee education
● email alias for reporting phishing attempts
● reward positive behavior
● automated email scanning
Analyzing phishing emails
● analyze message headers
● detonate attachments
● past user interaction
● who else received it?
● https://www.phishtank.com/
Remediation
wipe!
Remediation, more seriously
● DNS/firewall blocking
● update IoCs (Indicators of Compromise)
● block/quarantine email senders
● whitelisting
● communication
Recap
Detect:
● endpoint protection
● network monitoring
● SIEM
● employees
Analyze:
● collect forensics
● correlate information
● automated analysis
Remediate:
● wipe :(
● block at DNS/firewall
● blacklist/whitelist
● educate
Improving the response process
● faster response
● better tools
● education
● reduce the number of false positives
Thanks for tuning in!
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 

BSidesSF 2016 - A year in the wild: fighting malware at the corporate level

  • 1. A year in the wild Fighting malware at the corporate level Jakub (Kuba) Sendor @jsendor
  • 2. @jsendor whoami ● Joined Yelp security team in July 2014. ● Mostly involved in malware incident response. ● Also working on automating our security processes. ● Previously worked at SAP in Sophia Antipolis (France) in the Security & Trust research group. ● Before that: MSc from AGH University of Science and Technology in Kraków (Poland) and Telecom ParisTech/Institut Eurecom (France).
  • 3. @jsendor Yelp’s Mission: Connecting people with great local businesses.
  • 4. @jsendor Yelp Stats: As of Q4 2015 86M 3270%95M
  • 5. @jsendor Yelp Stats: As of Q4 2015 > 300> 3000
  • 6. @jsendor Malware response process at a glance Detection Analysis Remediation
  • 7. @jsendor Detection Various alert sources: ● endpoint monitoring ○ antivirus ○ osquery ● network traffic monitoring ● SIEM (Security Incident and Event Management) ● email (phishing, adware, popups, etc.)
  • 8. @jsendor AIR: Automated Incident Response AV Filter out potential false positives Email HelpDesk Cut ticket Match employee office
  • 9. @jsendor { "UserName": "YELP-KUBAkuba", "ThreatType": "Viruses", "@timestamp": "2016-02-28T15:06:20.868Z", "ScannerType": "On demand", "InsertedAt_UTC": "2016-02-28 15:11:27", "Status": "Cleanable", "ComputerDomain": "AD", "StatusID": "300", "FullFilePath": "/Users/kuba/Downloads/4akAhdUB.exe.part", "ComputerName": "YELP-1234", "EventTime_UTC": "2016-02-28 15:11:18", .. } Antivirus alert
  • 10. @jsendor osquery ● kernel extensions ● user logins ● config file hashes ● browser extensions ● startup items ● launchd
  • 11. @jsendor { "@ingestionTime": "2016-02-28T15:05:33Z", "_id": "AVLwlmFxKVkRUjUGMJlD", "_index": "logstash-osquery-osx-weekly-2016.09", "_type": "osquery", "columns": { "name": "Window Resizer", "path": "/Users/kuba/Library/Application Support/Google/Chrome/Profile 1/Extensions/kkelicaakdanhinjdeammmilcgefonfh/1.9.1.2_0/" }, "filter_result": "blacklisted", "hostIdentifier": "A43F47D0-A921-5895-8A59-AB49EB616A5D", "kibana_link": "https://..." } osquery + ElastAlert
  • 12. @jsendor ElastAlert Alerting out of data in Elasticsearch indexes. https://github.com/Yelp/elastalert
  • 13. @jsendor ElastAlert rules ● frequency ● spikes ● flatline ● timeframes
  • 14. @jsendor Spikes in DNS block This machine had one day with more than 20 blocked DNS lookups, and at least three subsequent days with more than 2 blocked DNS lookups. It should be examined. ('2016-01-09', 21, Counter({'standout[.]tv[.]': 21})) ('2016-01-10', 6, Counter({'ads2[.]contentabc[.]com[.]': 6})) ('2016-01-11', 5, Counter({'bttrack[.]com[.]': 2, 'cdn[.]bttrack[.]com[.]': 2, '94982c5b634975e50103ce96082d2827[.]adsk2[.]co[.]': 1})) ('2016-01-12', 20, Counter({'ads2[.]contentabc[.]com[.]': 8, 'loadm[.]exelator[.]com[.]': 5, 'standout[.]tv[.]': 3, 'loadus[.]exelator[.]com[.]': 2, 'secure-au[.]imrworldwide[.]com[.]': 1, '1049theeagle[.]com[.]': 1})) ('2016-01-13', 47, Counter({'ads2[.]contentabc[.]com[.]': 22, 'www[.]4chan[.]org[.]': 14, 'sys[.]4chan[.]org[.]': 8, '4chan[.]org[.]': 2, 'cdn[.]directrev[.]com[.]': 1})) ('2016-01-14', 2, Counter({'ads2[.]contentabc[.]com[.]': 2}))
  • 15. @jsendor Analysis ● False positive? ● Wrong OS? ● Who is it? ● How did that malware get there? ● Is the machine really infected?
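The "Spikes in DNS block" rule above in working form, as an added example and not the alerting code from the talk. It assumes the blocked-lookup events are available as (host, day, domain) rows (constructed inline here, defanged with `[.]` as on the slide) and that the "subsequent days" need not be consecutive, which the slide does not specify.

```python
from collections import Counter, defaultdict

# Constructed sample rows: (host, ISO day, defanged domain). ISO days sort
# chronologically as plain strings. lap-01 reproduces the slide's pattern
# (21 blocks, then four days above 2); lap-02 is a one-off spike.
SAMPLE_BLOCKS = (
    [("lap-01", "2016-01-09", "standout[.]tv[.]")] * 21
    + [("lap-01", "2016-01-10", "ads2[.]contentabc[.]com[.]")] * 6
    + [("lap-01", "2016-01-11", "bttrack[.]com[.]")] * 5
    + [("lap-01", "2016-01-12", "ads2[.]contentabc[.]com[.]")] * 8
    + [("lap-01", "2016-01-13", "ads2[.]contentabc[.]com[.]")] * 3
    + [("lap-02", "2016-01-09", "standout[.]tv[.]")] * 25
    + [("lap-02", "2016-01-10", "ads2[.]contentabc[.]com[.]")] * 1
)


def daily_summary(rows):
    """Group blocked lookups into {host: [(day, total, Counter(domains)), ...]},
    one entry per day sorted by day, the same shape the slide prints."""
    per_host = defaultdict(lambda: defaultdict(Counter))
    for host, day, domain in rows:
        per_host[host][day][domain] += 1
    return {
        host: [(day, sum(c.values()), c) for day, c in sorted(days.items())]
        for host, days in per_host.items()
    }


def has_spike(day_rows, spike=20, follow=2, min_follow_days=3):
    """True when some day exceeds `spike` blocks and at least `min_follow_days`
    later days each exceed `follow` blocks (assumption: later days need not be
    consecutive)."""
    totals = [total for _, total, _ in day_rows]
    for i, total in enumerate(totals):
        if total > spike:
            later = sum(1 for t in totals[i + 1:] if t > follow)
            if later >= min_follow_days:
                return True
    return False


def spiking_hosts(rows, **thresholds):
    """Return {host: day_rows} for every host that matches the rule."""
    return {h: d for h, d in daily_summary(rows).items()
            if has_spike(d, **thresholds)}


if __name__ == "__main__":
    for host, day_rows in spiking_hosts(SAMPLE_BLOCKS).items():
        print(host, "should be examined")
        for row in day_rows:
            print("   ", row)
```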
  • 18. @jsendor Requesting osquery data on the host Found 660 launch daemons for victim machine Checking incidence of launch daemons in general population ........................................................................................................ 00001 launch daemons named /Users/joel/Library/LaunchAgents/com.apple.macbuddy.icloudsetup.user.plist found 00001 launch daemons named /Library/LaunchDaemons/com.avid.bsd.DigiShoeTool.plist found 00001 launch daemons named /Users/joel/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.spotify.webhelper.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.facebook.videochat.joel.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.nero.HSMMonitor.plist found 00002 launch daemons named /Users/joel/Library/LaunchAgents/com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2
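The launch-daemon incidence check from the "Requesting osquery data on the host" slide, as an added example rather than the script used in the talk. It assumes the fleet's launchd inventory has already been pulled from osquery into a {host: set(plist paths)} mapping (constructed inline here), and it goes one step beyond the slide by folding `/Users/<name>/` prefixes together so a per-user agent is compared across hosts instead of being unique by path alone.

```python
import re
from collections import Counter

# Constructed osquery-style launchd inventory for the general population.
POPULATION = {
    "host-a": {"/Library/LaunchDaemons/com.apple.example.plist",
               "/Users/alice/Library/LaunchAgents/com.spotify.webhelper.plist"},
    "host-b": {"/Library/LaunchDaemons/com.apple.example.plist",
               "/Users/bob/Library/LaunchAgents/com.spotify.webhelper.plist"},
    "host-c": {"/Library/LaunchDaemons/com.apple.example.plist"},
}
# Constructed launchd items found on the victim machine; the last one is a
# hypothetical agent that no other host carries.
VICTIM_DAEMONS = {
    "/Library/LaunchDaemons/com.apple.example.plist",
    "/Users/joel/Library/LaunchAgents/com.spotify.webhelper.plist",
    "/Users/joel/Library/LaunchAgents/com.example.unknownagent.plist",
}

_USER_DIR = re.compile(r"^/Users/[^/]+/")


def normalize(path):
    """Fold per-user paths onto /Users/*/ so the same agent installed for
    different users counts as one item (assumption: the slide compares raw paths)."""
    return _USER_DIR.sub("/Users/*/", path)


def incidence(victim_daemons, population):
    """For each victim launchd item, count how many population hosts carry the
    same normalized path. Returns [(count, path), ...] sorted rarest first."""
    fleet = Counter()
    for paths in population.values():
        for p in {normalize(x) for x in paths}:   # each host counts once per path
            fleet[p] += 1
    return sorted((fleet[normalize(p)], p) for p in victim_daemons)


def report(victim_daemons, population, rare_below=2):
    """Render the check in the slide's format, flagging items seen on fewer
    than `rare_below` other hosts."""
    lines = [f"Found {len(victim_daemons)} launch daemons for victim machine",
             "Checking incidence of launch daemons in general population"]
    for count, path in incidence(victim_daemons, population):
        flag = "  <-- rare" if count < rare_below else ""
        lines.append(f"{count:05d} launch daemons named {path} found{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(VICTIM_DAEMONS, POPULATION)))
```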
  • 22. @jsendor $ sudo osxcollector.py --id BlossomingLotus Wrote 35394 lines. Output in BlossomingLotus-2016_02_28-15_08_38.tar.gz $ 1 Python file 0 dependencies
  • 23. @jsendor { "file_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/MacOS/Apple_iSight", "sha2": "19b7b85eaedb17d9565dce872f0d1ea8fc0761f508f28bedcc8606b828cbf614", "sha1": "99005b68295c202fd359b46cd1411acea96b2469", "md5": "b8cc164b6546e4b13768d8353820b216", "ctime": "2014-12-05 16:50:39", "mtime": "2014-09-19 00:16:50", "osxcollector_section": "kext", "osxcollector_incident_id": "BlossomingLotus-2016_02_28-15_12_46", "osxcollector_plist_path": "/System/Library/Extensions/Apple_iSight.kext/Contents/Info.plist", "osxcollector_bundle_id": "com.apple.driver.Apple_iSight", "signature_chain": [ "Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA" ] }
  • 24. @jsendor Shadowserver API OpenDNS Investigate API Internal blacklists VirusTotal API Browser history filter JSON in JSON out
  • 25. @jsendor We put stuff on a blacklist for a reason. Mostly so you don't do this. - applications applications ctime: "2015-04-13 10:15:32" file_path: "/Applications/MacKeeper.app/Contents/Resources/ZBRemoteSupport.app/Contents/MacOS/ZBRemoteSupport" md5: "50be328745e25afc875842ed578cd3fa" mtime: "2013-01-29 07:03:51" sha1: "f22e7953d0d360956fd43cb79788676e1af60700" sha2: "03ed9cb6e46221d219127b07e1d139132c05509f90636ee1da76c9610a67ae3f" blacklist-hashes: ["50be328745e25afc875842ed578cd3fa"] related-files: ["mackeeper.app"] - chrome history id: 627 name: "http://stream2watch.me/" url_id: 291987 blacklist-domains: ["stream2watch.me"] Analysis summary
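A "JSON in, JSON out" blacklist filter in the shape of the analysis summary above, as an added example and not OSXCollector's own filter code. The blacklists, hashes and record contents are constructed; the only real key names assumed from the collector output shown earlier are `file_path`, `md5`/`sha1`/`sha2`, `url` and `osxcollector_section`.

```python
import json
from urllib.parse import urlsplit

# Constructed internal blacklists: md5 -> related file name, and bare domains.
BLACKLISTED_HASHES = {"0123456789abcdef0123456789abcdef": "example-pup.app"}
BLACKLISTED_DOMAINS = {"stream2watch.me"}

# Constructed collector output, one JSON record per line.
SAMPLE_INPUT = [
    json.dumps({"osxcollector_section": "applications",
                "file_path": "/Applications/Example.app/Contents/MacOS/Example",
                "md5": "0123456789ABCDEF0123456789abcdef",
                "ctime": "2015-04-13 10:15:32"}),
    json.dumps({"osxcollector_section": "chrome", "id": 627,
                "url": "http://stream2watch.me/"}),
    json.dumps({"osxcollector_section": "chrome", "id": 628,
                "url": "https://www.yelp.com/"}),
]


def matching_domain(hostname, blacklist):
    """Return the blacklisted domain that `hostname` equals or is a subdomain
    of, else None. Trailing dots and case are ignored."""
    if not hostname:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blacklist:
            return candidate
    return None


def tag_record(record):
    """Annotate one record with blacklist-hashes / related-files /
    blacklist-domains keys when it matches; untouched otherwise."""
    for key in ("md5", "sha1", "sha2"):
        digest = record.get(key, "").lower()
        if digest in BLACKLISTED_HASHES:
            record.setdefault("blacklist-hashes", []).append(digest)
            record.setdefault("related-files", []).append(BLACKLISTED_HASHES[digest])
    hit = matching_domain(urlsplit(record.get("url", "")).hostname, BLACKLISTED_DOMAINS)
    if hit:
        record["blacklist-domains"] = [hit]
    return record


def tag_lines(lines):
    """Parse one JSON record per line (blank lines skipped) and tag each."""
    return [tag_record(json.loads(line)) for line in lines if line.strip()]


def filter_lines(lines):
    """JSON in, JSON out: every record re-serialised, one per line."""
    return [json.dumps(r, sort_keys=True) for r in tag_lines(lines)]


def analysis_summary(lines):
    """Only the records that hit a blacklist, as on the summary slide."""
    keys = ("blacklist-hashes", "blacklist-domains")
    return [r for r in tag_lines(lines) if any(k in r for k in keys)]
```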
  • 29. @jsendor ● employee education ● email alias for reporting phishing attempts ● reward positive behavior ● automated email scanning Phishing
  • 30. @jsendor Analyzing phishing emails ● analyze message headers ● detonate attachments ● past user interaction ● who else received it? ● https://www.phishtank.com/
  • 32. @jsendor Remediation, more seriously ● DNS/firewall blocking ● update IoCs (Indicators of Compromise) ● block/quarantine email senders ● whitelisting ● communication
  • 33. @jsendor Recap Detect Analyze Remediate ● endpoint protection ● network monitoring ● SIEM ● employees ● collect forensics ● correlate information ● automated analysis ● wipe :( ● block at DNS/firewall ● blacklist/whitelist ● educate
  • 34. @jsendor Improving the response process faster response better tools education reduce the number of false positives