This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, such as created files, registry keys, and network traffic. These indicators are expressed as YARA rules and Snort signatures to enable detection of the compromise across an environment.
Malware Analysis on a Shoestring Budget - Michael Boman
How can you build an infrastructure using mainly free and open source software to analyze potentially malicious code? How can you leverage free public services together with in-house systems to compete against expensive commercial solutions whose cost is prohibitive for many researchers?
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
This document summarizes Muhammad Najmi Ahmad Zabidi's presentation on malware analysis with multiple features at the UKSIM 2012 conference. The presentation discussed static analysis of Windows executables to detect malware using Python scripts. It analyzed API calls, strings, anti-VM techniques, entropy, and PE file structure to identify malware behaviors. The scripts were able to detect bots, debuggers, and VM evasion tricks in samples tested. While effective offline, the approach has limitations with obfuscated binaries that require dynamic analysis.
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis - 44CON
This document summarizes a talk on conducting a 15-minute Linux live analysis to determine if a system has been hacked with minimal disturbance. The talk discusses opening a case, collecting key system data like processes and users through scripted network listeners, and analyzing the data to look for signs of compromise. It also covers next steps like dead analysis if evidence of hacking is found. The goal is to quickly identify breaches while preserving evidence through an automated and mostly non-invasive process.
This document discusses challenges in malware detection and proposes using machine learning methods. It outlines issues like the enormous number of malware samples and the need for automated detection. The objective is to reduce irrelevant malware API features using feature selection. The methodology examines API calls and anti-debugging strings, and performs feature ranking and selection, classification, and clustering. The conclusion is that malware writers often reuse code, making it easier to trace malware families based on commonalities.
The document discusses breaking and attacking antivirus software. It begins by introducing common features of antivirus engines like being written in C/C++ and supporting various file formats. It then discusses how installing antivirus software increases a system's attack surface and how antivirus engines can contain vulnerabilities. Specific examples of vulnerabilities found in antivirus products from Panda, ClamAV, and others are then presented, including multiple local privilege escalation issues found in Panda Global Protection 2013. Exploitation techniques for antivirus engines are also covered.
A client-side vulnerability under the microscope! - Nelson Brito
Understanding reverse engineering using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform a reverse engineering... The approach can be applied more broadly to any/most of the vulnerabilities targeting client-side applications.
For further details and information, please refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
The purpose of this presentation is to explain the basic resources needed to understand how a programmer can create malware, insights about the theme, and brainstorms based on practical code and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
Formbook is a malware that steals passwords and harvests credentials by injecting code into targeted applications like web browsers, mail clients, and IM apps. It uses various anti-analysis techniques like manually mapping ntdll.dll and checking for debuggers. Formbook employs process hollowing to inject its code into explorer.exe and other processes, then sets up inline userland hooks to intercept function calls and harvest passwords.
In this presentation, you can learn many practical resources about WAF, how you can create your WAF, and how you can bypass protections in common WAFs.
Source Boston 2009 - Anti-Debugging: A Developer's Viewpoint - Tyler Shields
The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
Deploying ModSecurity in an NMS system - Quan Minh Tâm - Security Bootcamp
The document discusses various techniques for web application security and traffic analysis using ModSecurity, including real-time application profiling, hacker traps, anomaly scoring, correlation of inbound and outbound events, detecting malicious links, unicode normalization, abnormal header ordering, detecting page title changes, device fingerprinting, and slowing down automated attacks. It also mentions using ELK (Elasticsearch, Logstash, Kibana) for real-time analysis of streaming log data.
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
The document discusses techniques used by malware to detect virtual machines and strategies to prevent such detection. It outlines several techniques malware uses to detect virtual machines, including hardware fingerprinting, registry checks, process/file checks, memory checks, timing analysis, and communication channel checks. It then discusses approaches used by popular virtual machines like VMware, VirtualBox, and VirtualPC. The document proposes developing a tool called VMDetectGuard that would monitor for the calls and instructions used in detection and mask the virtual machine's identity by returning false information to trick malware.
The Hunter Games: How to Find the Adversary with Event Query Language - Ross Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Hunting Lateral Movement in Windows Infrastructure - Sergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, PowerShell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and the most interesting events to look for when hunting for evidence of each technique.
Modern technologies and tools for malware analysis_PHDays_2017_Pisk... - Ivan Piskunov
Slides for my workshop at PHDays 2017 on the topic "Modern technologies and tools for malware analysis"
Announcement link https://www.phdays.ru/program/197805/
Link from my blog https://www.phdays.ru/program/197805/
This document provides an overview of a presentation on .NET for hackers. The presenter introduces themselves and their background in software development, security, and collaboration with OWASP. The agenda includes introductions to .NET, disassembling binaries, debugging .NET applications, reflection, decompilation techniques, and a malware analysis use case. Key topics covered are the .NET Common Language Runtime environment, .NET file formats, memory models, Just-In-Time compilation, debugging tools like ILDASM and SOS extensions, reflection APIs, decompilation, and anti-decompilation tricks. Examples are provided for debugging and reflection code.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
This document discusses static analysis for beginners. It describes how to use techniques like deterministic finite automata (DFA) and parsing tools like Flex and Bison to detect issues in source code. It provides an example of using the Re2c tool to generate a lexer for rule-based detection. The document also introduces heap detective, a tool that maps heap memory usage in programs to find issues like memory leaks. Overall, it offers an overview of static analysis concepts and tools while showcasing examples from open source projects.
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal) - Shota Shinogi
ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs - Shakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Codetainer: a Docker-based browser code 'sandbox' - Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Antonio Costa created the 0d1n tool, written in C for performance, to automate bruteforcing and fuzzing of web applications. The tool takes parameters like the target host, payload files, and custom request files to identify vulnerabilities like XSS. It can save responses and uses techniques like tampering to bypass defenses. The open source tool is still in beta but can find anomalies and vulnerabilities in parameters, files, directories and forms.
Richard Wartell - Malware is Hard. Let's Go Shopping!! - Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect of being compromised used this system to check themselves for compromise? Let's find out...
Introducing Intelligence Into Your Malware Analysis - Brian Baskin
With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. While many analysts have a grasp on how to appropriately reverse malware, there is large room for improvement by extracting critical indicators, correlating on key details, and cataloging artifacts in a way that improves your corporate response for the next attack. This talk will go beyond the basics of malware analysis and focus on critical indicators that analysts should focus on for attribution and better reporting.
DisCo 2013: Turgay Bas and Mukaddes Erdem - A Study on the Information Liter... - 8th DisCo conference 2013
Quantitatively increasing information makes it important to possess the skills necessary for reaching the required information and using it effectively in line with the requirements. These skills are discussed in the information literacy concept, and educational institutions are expected to provide individuals with these skills. Within this scope, the study was conducted with university students and the effects of their education on information literacy were sought. The study was performed on students at two different departments which are closely related to information and information technologies, for the purpose of clearly explaining the relationship between the educational processes and information literacy. The two departments included in the study are the Department of Computer Education and Instructional Technology (CEIT) and the Department of Information Management (IM). The study aims to find the differences between these students regarding their levels of information literacy skills. The analysis showed that there are some significant differences in terms of information literacy skills between the students at the two departments. The significant differences in information literacy skills are related to synthesizing the information, or in other words, organizing the information.
Formbook is a malware that steals passwords and harvests credentials by injecting code into targeted applications like web browsers, mail clients, and IM apps. It uses various anti-analysis techniques like manually mapping ntdll.dll and checking for debuggers. Formbook employs process hollowing to inject its code into explorer.exe and other processes, then sets up inline userland hooks to intercept function calls and harvest passwords.
In this presentation, you can learn many practical resources about WAF, how you can create your WAF, and how you can bypass protections in common WAFs.
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
The document discusses anti-debugging techniques, defining terms like debugging, anti-debugging, and dumping. It covers why anti-debugging is useful, references past work, and categorizes anti-debugging methods into classes like API based detection, process/thread blocking, hardware/register based detection, exception based detection, modified code based detection, and timing based detection. The goal is to make reversing applications more difficult by implementing multiple layers of defense.
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
The document discusses various techniques for web application security and traffic analysis using ModSecurity, including real-time application profiling, hacker traps, anomaly scoring, correlation of inbound and outbound events, detecting malicious links, unicode normalization, abnormal header ordering, detecting page title changes, device fingerprinting, and slowing down automated attacks. It also mentions using ELK (Elasticsearch, Logstash, Kibana) for real-time analysis of streaming log data.
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
The document discusses techniques used by malware to detect virtual machines and strategies to prevent such detection. It outlines several techniques malware uses to detect virtual machines, including hardware fingerprinting, registry checks, process/file checks, memory checks, timing analysis, and communication channel checks. It then discusses approaches used by popular virtual machines like VMware, VirtualBox, and VirtualPC. The document proposes developing a tool called VMDetectGuard that would monitor for calls and instructions used in detection and mask the virtual machine's identity by providing false information to tricks malware.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Ivan Piskunov
Презентация к моему воркшопу на PHDays 2017 на тему "Современные технологии и инструменты анализа вредоносного ПО"
Ссылка на анонс https://www.phdays.ru/program/197805/
Ссылка с моего блога https://www.phdays.ru/program/197805/
This document provides an overview of a presentation on .NET for hackers. The presenter introduces themselves and their background in software development, security, and collaboration with OWASP. The agenda includes introductions to .NET, disassembling binaries, debugging .NET applications, reflection, decompilation techniques, and a malware analysis use case. Key topics covered are the .NET Common Language Runtime environment, .NET file formats, memory models, Just-In-Time compilation, debugging tools like ILDASM and SOS extensions, reflection APIs, decompilation, and anti-decompilation tricks. Examples are provided for debugging and reflection code.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
This document discusses static analysis for beginners. It describes how to use techniques like deterministic finite automata (DFA) and parsing tools like Flex and Bison to detect issues in source code. It provides an example of using the Re2c tool to generate a lexer for rule-based detection. The document also introduces heap detective, a tool that maps heap memory usage in programs to find issues like memory leaks. Overall, it offers an overview of static analysis concepts and tools while showcasing examples from open source projects.
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
ShinoBOT is a penetration testing tool that simulates a remote access tool (RAT) to measure an organization's defenses against advanced persistent threats. It connects to the ShinoC2 command and control server every 10 seconds to receive and execute jobs. ShinoC2 allows penetration testers to create jobs that are then assigned to compromised systems running ShinoBOT. The tools aim to help security teams understand what would happen if a real APT successfully installed a RAT on their network by testing incident response and log monitoring capabilities. Upcoming features for ShinoBOT include taking webcam snapshots, encrypting its communications and hiding using a kernel driver to simulate more advanced adversary techniques.
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Antonio Costa created the 0d1n tool to automate bruteforcing and fuzzing of web applications written in C for performance. The tool takes parameters like the target host, payload files, and custom request files to identify vulnerabilities like XSS. It can save responses and uses techniques like tampering to bypass defenses. The open source tool is still in beta but can find anomalies and vulnerabilities in parameters, files, directories and forms.
Richard Wartell - Malware is hard. Let's go shopping!! - Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Let's find out...
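As an added example of the self-check idea in the abstract above (not code from that talk), here is a small Python host scanner that consumes a centrally built IOC bundle. The bundle shape is hypothetical: a list of SHA-256 hashes of analysed samples plus raw byte strings pulled from them, which is what a simple YARA rule would carry. It uses only the standard library so it runs anywhere; in a real deployment the string part would be handed to yara-python instead. The dropper bytes, indicator strings and the staged files are all constructed for the demo.

```python
"""Host self-check against a centrally issued IOC bundle (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not loaded at once


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_bundle(known_bad: Iterable[bytes], strings: Iterable[bytes]) -> Dict[str, list]:
    """What the central server publishes: hashes of analysed samples plus
    distinctive byte strings extracted from them (signatures produced on the spot)."""
    return {
        "sha256": sorted({hashlib.sha256(b).hexdigest() for b in known_bad}),
        "strings": list(strings),
    }


def scan_file(path: str, bundle: Dict[str, list]) -> List[str]:
    """Return the indicators that fire on one file (empty list means clean)."""
    hits = []
    digest = sha256_file(path)
    if digest in bundle["sha256"]:
        hits.append("sha256:" + digest)
    # Whole-file read keeps string matching simple; a production scanner would
    # stream with overlap so a pattern spanning two chunks is not missed.
    with open(path, "rb") as f:
        data = f.read()
    hits.extend("string:" + s.decode("latin-1") for s in bundle["strings"] if s in data)
    return hits


def scan_tree(root: str, bundle: Dict[str, list]) -> Dict[str, List[str]]:
    """Walk a directory and report only files with at least one hit,
    keyed by path relative to root (forward slashes on every platform)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, bundle)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample: one analysed dropper, plus strings an analyst pulled from it.
DROPPER = b"MZ\x90\x00" + b"\x00" * 32 + b"EVIL_MUTEX_0x41" + b"cmd.exe /c del %0"
BUNDLE = build_bundle([DROPPER], [b"EVIL_MUTEX_0x41", b"cmd.exe /c del"])


def demo() -> Dict[str, List[str]]:
    """Stage a fake host filesystem (constructed) and run the self-check on it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Temp"))
        files = {
            "Temp/dropper.exe": DROPPER,                              # exact known sample
            "Temp/loader.dll": b"PE\x00\x00...EVIL_MUTEX_0x41...",    # recompiled variant
            "notes.txt": b"quarterly report draft",                   # benign
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        return scan_tree(root, BUNDLE)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The recompiled variant is missed by the hash but caught by the string indicator, which is the point of shipping both kinds: hashes are cheap and exact, strings survive trivial rebuilds.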
Introducing Intelligence Into Your Malware Analysis - Brian Baskin
With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. While many analysts have a grasp on how to appropriately reverse malware, there is large room for improvement by extracting critical indicators, correlating on key details, and cataloging artifacts in a way to improve your corporate response for the next attack. This talk will go beyond the basics of malware analysis and focus on the critical indicators that analysts should focus on for attribution and better reporting.
DisCo 2013: Turgay Bas and Mukaddes Erdem - A Study on the Information Liter... - 8th DisCo conference 2013
Quantitatively increasing information renders it important to possess the skills necessary for reaching the required information and using the information effectively in line with the requirements. These skills are discussed in the information literacy concept, and educational institutions are expected to provide individuals with these skills. Within this scope, the study was conducted with university students and the effects of their education on information literacy were sought. The study was performed on students at two different departments which are closely related to information and information technologies for the purpose of clearly explaining the relationship between the educational processes and information literacy. The two departments included in the study are the Department of Computer Education and Instructional Technology (CEIT) and the Department of Information Management (IM). The study aims to find the differences between these students regarding their levels of possessing information literacy skills. The analysis showed that there are some significant differences in terms of information literacy skills between the students at the two departments. The significant differences in information literacy skills are related to synthesizing the information; in other words, organizing the information.
Brochure for the HELP English language school
For advice, please contact:
MY LONG INTERNATIONAL STUDY ABROAD CONSULTING COMPANY
Address: No. 115, 30/4 Street, Trung Dũng Ward, Biên Hoà, Đồng Nai
Office in the Philippines: No.27, Crown Regency, Lapu-Lapu City, Cebu 6015, Philippines
Hotline: Vietnam 0909 442 446 - Philippines: +63 9053 544 560
Website: https://duhoctienganh.com
Skype: duhoctienganh.com - Email: info@duhoctienganh.com
Zalo – Viber – Line – Kakao talk: +63 9053 544 560
This document contains templates for attendance sheets from the Muna Police Resort for various community policing activities in April and June 2015. The templates include columns for date, name, address, phone number, role, and signature. Attendance sheets are provided for activities like door-to-door systems, community partnership programs, problem solving meetings, night patrols, and general village activities. The templates are meant to be filled out for each event to keep records of participation.
This document describes a malware analysis sandbox that executes suspicious files in a monitored and controlled virtual environment. It monitors the file system, registry, processes, and network activity of the sample to determine its purpose and behavior. The sandbox automates analysis using open source tools and outputs comprehensive reports, packet captures, artifacts, and screenshots for further examination. It takes samples as input, runs static and dynamic analysis, executes the sample in a clean virtual machine snapshot while monitoring for changes, analyzes memory dumps, and stores the results for later review.
This document discusses trends in game animation including the rise of social, mobile, and casual games. It explores differences between film and game animation in terms of interactivity, environments, and character AI. Examples are given of notable cutscenes and cinematics. The concept of the "uncanny valley" is examined in relation to improving facial animation technology. Emerging technologies like motion capture and platforms like PlayStation Move and Kinect are discussed as ways to bring real-world movement into games. The document speculates on future directions for game animation including 3D, augmented reality, and blending virtual and real worlds.
This document appears to be a student paper submission for a networking course. It discusses using a microwave backhaul link to connect two company branch offices located on different Greek islands. The paper will analyze how the bit error rate of the microwave link at different signal-to-noise ratios can impact the TCP throughput between the two branches. It will include simulations of the microwave link and the network implementation to examine this relationship and draw conclusions. The paper is divided into sections covering the theoretical background of the communication channel, analysis of error correction coding and modulation, and the planned simulations.
Clinical and Surgical Nosology of the Musculoskeletal System, ORTHOPEDICS, Dr Rueben Os... - Emma Díaz
Benemerita Universidad Autonoma de Puebla
BUAP
Faculty of Medicine
Clinical and Surgical Nosology of the Musculoskeletal System
Summer 2015
ORTHOPEDICS
Unit 2
Dr Rueben Osorio Garcilazo
EMBUAP Diaz Mino Emma Laura
6th Semester
The document provides guidance on cropping photographs for journalistic purposes. It discusses several reasons for cropping, including improving composition by focusing on the main subject and removing distracting elements. The "rule of thirds" for composition is explained, with the suggestion to place subjects near the intersecting lines of an imaginary three-by-three grid overlaid on the image. Care should be taken not to crop too tightly or in a way that "amputates" the subject. Examples are given of tight versus wide crops and good versus bad cropping. Instructions are provided for making a copy of an original photo before cropping and doing a simple keyboard crop using Macbooks in the classroom.
In this presentation I have tried to figure out common loopholes through which web applications may fall prey to attackers, common tools used in the trade and some preventive security measures to put us on a safer side.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
This document discusses understanding cyber attackers by examining their means and motivations. It outlines that modern attacks are often organized crimes for financial gain carried out by dedicated teams. Common roles in these operations include malware developers, distributors, and hosting providers. The document then provides a hypothetical example of how one could get involved, describing the business model, tools, and methods that could be used. It emphasizes that penetration testing can help defend networks by identifying vulnerabilities from an attacker's perspective. Key recommendations include limiting exposure, monitoring networks, educating users, and realizing that antivirus alone is not sufficient. Emerging threats on mobile devices are also highlighted.
The document provides an overview of a hackathon being led by Simon Bennetts on extending the OWASP Zed Attack Proxy (ZAP) tool. The plan is to give an overview of how to extend ZAP, discuss potential topics to cover such as implementing scripts, scan rules, and extensions, and then have hands-on hacking sessions with assistance from Simon. Simon outlines many possible topics for discussion, including the ZAP project structure, development environment, documentation, scripting, active and passive scan rules, extensions, and features or fixes to work on.
Understanding Malware Lateral Spread Used in High Value Attacks - Cyphort
APTs are known to use advanced Tactics, Techniques, and Procedures (TTPs), including advanced malware design with protection layers, sandbox evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APTs should help security defenders to better select and implement protection solutions.
Breaking the cyber kill chain! These slides were presented at securITy – information security conference, Digital World 2017. The talk is about proactive security and threat hunting.
Malware's Most Wanted: How to tell BADware from adware - Cyphort
How do you effectively deal with the ever-increasing amount of adware? Adware is annoying, but not all adware is created equal. At this MMW we look at the growing landscape of adware and malware. We will discuss tools to give you behavior insights and ways to reveal the context of adware as it relates to your business.
1. The document discusses an advanced retail breach where an attacker was able to access a third party contractor's system after phishing their credentials, use that to access the retailer's internal file server, infect POS systems with malware to scrape credit card data from RAM, send the data to an internal server, and then exfiltrate it to external FTP servers in Russia.
2. The IBM X-Force monitors threats and educates customers on security challenges. It analyzed this attack to understand how the attacker was able to compromise systems and extract card data without detection.
3. The document provides recommendations to prevent similar attacks, such as endpoint protection, network segmentation, monitoring and detection of anomalies, and incident response planning.
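The recommendation above to monitor for anomalies is easiest to make concrete with the attack chain itself: card terminals talking to anything other than the payment gateway, an internal server pushing bulk data to an outside FTP host. The following Python is an added example, not code from the X-Force report. It assumes a hypothetical flat connection-log format (`timestamp src dst dport proto bytes_out`), a POS subnet, a payment gateway and an internal file server; the zones, thresholds and the five log lines are all constructed for the demo.

```python
"""Egress anomaly checks for a POS environment, run over constructed log lines."""
import ipaddress
from typing import List, Tuple

# Hypothetical zoning. Real deployments would load this from the CMDB/firewall policy.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POS_NET = ipaddress.ip_network("10.20.0.0/16")   # card terminals
POS_ALLOWED = {("10.50.0.10", 443)}               # payment gateway: the only sanctioned peer
POS_BYTES_LIMIT = 50_000                          # a terminal has no reason to push bulk data elsewhere
FTP_PORTS = (20, 21)


def is_internal(ip: str) -> bool:
    # Explicit RFC 1918 list rather than ipaddress.is_private/is_global, which
    # treat the documentation ranges used in these samples as non-global.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) tuples for one log line; empty if nothing fires."""
    ts, src, dst, dport, proto, nbytes = line.split()
    dport, nbytes = int(dport), int(nbytes)
    alerts = []
    if ipaddress.ip_address(src) in POS_NET and (dst, dport) not in POS_ALLOWED:
        if not is_internal(dst):
            # Terminals should never reach the Internet directly.
            alerts.append(("pos_egress", f"{src} -> {dst}:{dport}"))
        elif nbytes > POS_BYTES_LIMIT:
            # Internal peer, but volume looks like scraped track data being staged.
            alerts.append(("pos_volume", f"{src} sent {nbytes} bytes to {dst}:{dport}"))
    if is_internal(src) and not is_internal(dst) and dport in FTP_PORTS:
        # Cleartext FTP to an outside host is a classic exfiltration channel.
        alerts.append(("external_ftp", f"{src} -> {dst}:{dport} ({nbytes} bytes)"))
    return [(kind, f"{ts} {detail}") for kind, detail in alerts]


# Constructed log lines following the breach narrative above.
LOG = [
    "2014-01-15T02:10:05Z 10.20.3.41 10.50.0.10 443 tcp 1200",        # POS -> gateway: normal
    "2014-01-15T02:11:17Z 10.20.3.41 10.10.0.5 445 tcp 80000",        # POS -> file server: staging
    "2014-01-15T02:30:44Z 10.10.0.5 203.0.113.77 21 tcp 5400000",     # file server -> external FTP
    "2014-01-15T02:31:02Z 10.20.3.42 198.51.100.9 80 tcp 900",        # POS -> Internet
    "2014-01-15T03:00:00Z 10.10.0.7 10.10.0.5 445 tcp 2000",          # admin -> file server: normal
]


def run(lines: List[str] = LOG) -> List[Tuple[str, str]]:
    """Apply the checks to every line and collect the alerts in log order."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_line(line))
    return alerts


if __name__ == "__main__":
    for kind, detail in run():
        print(f"[{kind}] {detail}")
```

Two of the three alerts fire before any card data leaves the network, which is where segmentation plus monitoring pays off: the terminal-to-file-server volume spike is visible days before the FTP transfer.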
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn... - APNIC
The document discusses observations from the APNIC Community Honeynet Project, including Linux/Unix malware targeting servers and IoT devices, and lessons learned. Some key observations are the prevalence of Linux/Unix malware like Mirai that targets exposed devices with weak credentials. Honeypots captured login attempts and payloads downloaded from command and control servers. Lessons include the need to patch systems, use strong unique credentials, and monitor for infections.
Unmasking Careto through Memory Forensics (video in description) - Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
This document provides an overview of hacking and computer security. It defines hacking as intruding on someone else's information space for malicious purposes. It then discusses the brief history of hacking from the 1980s to present day. Next, it profiles some famous hackers throughout history and outlines the typical hacker attitude. The document concludes by describing basic hacking skills, the process of hacking, and common hacking tools and techniques such as port scanning and denial of service attacks.
DrupalCamp London 2017 - Web site insecurity - George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Splunk Enterprise for Information Security Hands-On - Splunk
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns. We’ll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems!
This tutorial is related to hacking. Key terms: Introduction to Hacking,
History of Hacking,
The Hacker attitude,
Basic Hacking skills,
Hacking Premeasured,
IP Address,
Finding IP Address,
IP Address dangers & Concerns,
Hacking Tutorial
Network Hacking,
General Hacking Methodology,
Port Scanning,
ICMP Scanning,
Security Threats,
Counter-attack strategies,
Host-detection techniques,
Host-detection ping,
Denial of Service attacks, DOS Attacks,
Threat from Sniffing and Key Logging,
Trojan Attacks,
IP Spoofing,
Buffer Overflows,
All other types of Attacks, SMURF attacks, Sniffers, Keylogger, trojans,
Hacking NETBIOS,
Internet application security,
Internet application hacking statistics, Web application hacking reasons,
General Hacking Methods,
Vulnerability,
Hacking techniques,
XPath Injection
For more details visit Tech-Blog: https://msatechnosoft.in/blog/tech-blogs/
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane... - Felipe Prado
The document discusses vulnerabilities found in common office equipment like printers. It begins with an introduction explaining the researchers' approach of analyzing the security of enterprise printers from various manufacturers through a red teaming methodology. They found printers pose risks as they sit on corporate networks, process sensitive data, and are often assumed to be low risk. The document then covers the large attack surface printers present, including exposed services, firmware, and hardware issues. It describes common flaws found like weak configurations, default credentials, and memory corruption issues. Finally, it provides an example of exploiting a stack buffer overflow vulnerability to achieve remote code execution on a printer.
The document discusses indicators of compromise from a cyber attack. It describes the various stages an attacker goes through from initial access to installing malware and establishing command and control. The summary analyzes the host to find malware samples, network connections, and extracted files. It also looks for indicators in network traffic, such as tools downloaded and data uploaded to attacker infrastructure. The document concludes with monitoring effectiveness of security tools and ongoing attribution of attacks.
Yasser Ramzy Auda is an expert in cybersecurity with numerous certifications including CEH, CCIE, MCSE, VCP-NV, CISSP, and ITIL. He teaches the CEH certification course and provides hands-on training labs with virtual machines like Kali Linux, Metasploitable, Windows Server and more to allow students to conduct security assessments and penetration tests in a safe environment.
Graph databases are an "emerging" technology useful in the field of cybersecurity, especially in the detection of new threats based on the correlation of diverse sources of information. However, insufficient attention has been paid to their security. In this talk, we will review the state of the art of this kind of database and its design security problems, especially for Neo4J and OrientDB. We will release a hacking tool for testing and detecting graph databases and will show several examples of information leaks in the real world.
Tool: https://github.com/grafscan/GraFScaN
Denis Zhuchinski - Ways of enhancing application security - Аліна Шепшелей
In this lecture we will talk about what you, as an application developer, should know and consider when building an application to ensure the safe use of confidential user data.
Similar to Indicators of compromise: From malware analysis to eradication
44CON 2014: Using Hadoop for malware, network, forensics and log analysis - Michael Boman
The number of new malware samples is over a hundred thousand a day, network speeds are measured in multiples of ten gigabits per second, computer systems have terabytes of storage and the log files are just piling up. By using Hadoop you can tackle these problems in a whole different way, and "Too Much Data to Process" will be a thing of the past.
DEEPSEC 2013: Malware Datamining And Attribution - Michael Boman
Greg Hoglund explained at BlackHat 2010 that the development environments that malware authors use leave traces in the code which can be used to attribute malware to an individual or a group of individuals. Not with the precision of name, date of birth and address, but with evidence that an arrested suspect's computer can be analysed and compared with the "tool marks" on the collected malware sample.
44CON 2013 - Controlling a PC using Arduino - Michael Boman
Slides from the workshop "Controlling a PC using Arduino" conducted at 44CON 2013 in London. It goes through the hardware and software used to remotely control a PC (power/reset). Future developments will include telnet/RS-232 and environment variables.
Malware analysis as a hobby (Owasp Göteborg) - Michael Boman
This document discusses Michael Boman's hobby of analyzing malware samples. It describes how he initially analyzed samples manually in a virtual environment but found it time consuming. He then created the Malware Analysis Research Toolkit (MART) project to automate the process. MART uses tools like Cuckoo Sandbox to analyze samples in virtual machines. It also includes components for sample acquisition, analysis, reporting, and data mining. The document discusses challenges with virtual machine analysis and ways to iterate the automation, such as doing brief static analysis on samples. It provides an overview of the hardware used in Boman's malware lab and discusses next steps for the project.
The document notes that manually analyzing malware can be time consuming and boring. MART was created to automate parts of the process such as sample acquisition, analysis using tools like Cuckoo Sandbox, and reporting. This reduces the time spent by malware analysts and allows them to focus on more complex samples. The system also aims to address limitations of virtual machine-based analysis by integrating additional techniques. Overall, MART streamlines malware analysis as a hobby while cutting costs compared to paying for commercial solutions.
Malware analysis as a hobby - the short story (lightning talk) - Michael Boman
Michael Boman created the Malware Analyst Research Toolkit (MART) project to automate malware analysis as a hobby. MART uses public and private malware collections, Cuckoo Sandbox for analysis, and VirusTotal for additional results. It stores findings in MongoDB and provides a GUI for analysts. The initial investment was around €1,320 for a computer and license, but ongoing costs after the first year are only around €590 as the system automates most of the workflow. Future goals include expanding automated analysis to additional platforms like Android, OSX, and iOS.
Blackhat USA 2011 - Cesar Cerrudo - Easy and quick vulnerability hunting in W... - Michael Boman
This short workshop will teach attendees how to easily and quickly find vulnerabilities in Windows applications by using some easy-to-use tools. I will detail step by step some simple techniques that can be used by experts and non-experts. While the techniques are simple, the results can be great. Learning these easy and fast techniques will allow attendees to do quick audits on Windows applications to determine how secure they are. I will show how to spot vulnerabilities with just a couple of clicks or with very simple and short debugging sessions. The techniques I will be showing are the same that allowed me to find dozens of vulnerabilities in Windows applications; I'm sure that after the workshop attendees will be able to do the same.
OWASP AppSec Research 2010 - The State of SSL in the World - Michael Boman
The document discusses the results of a large scale scan of HTTPS servers to analyze SSL/TLS configuration trends. Over 500,000 servers were scanned, including the Alexa Top 10,000 and Fortune 500 domains. Key findings included that Fortune 500 domains were more likely to enable HTTPS and use secure configurations compared to popular domains. Factors like industry sector did not strongly correlate with security level, but domains providing internet-facing services tended to use HTTPS more securely. Further investigation of the Swedish market was planned.
Privacy In Wireless Networks: Keeping Your Private Data Private 2008-08-08 - Michael Boman
This document summarizes threats to privacy when using wireless networks and provides technical solutions for keeping private data secure. It discusses attacks like data interception and man-in-the-middle attacks that can be used by individuals, corporations, and governments. The document recommends using SSL-enabled websites, VPN tunnels, and TOR networks to protect data and privacy. It also suggests using personal firewalls, antivirus software, and anti-spyware programs.
This document discusses threats to privacy when using wireless networks, such as data interception and man-in-the-middle attacks. It recommends using SSL-enabled websites, VPN tunnels, and TOR networks to protect private data from individuals, corporations, and governments. Basic protections like personal firewalls, antivirus software, and anti-spyware are also advised. The presentation covers technical solutions for keeping wireless data private and maintaining anonymity online.
This document provides an introduction to Linux security. It covers turning off unnecessary servers and services, limiting access to needed servers using IPTables, updating the system regularly, and reading Linux log files. The document recommends keeping daemons and services disabled or bound to localhost when possible, using tools like netstat, IPTables, and log checking utilities to monitor open ports and system activity. It concludes with a question and answer section and recommends additional security resources.
- Snort is an open source network intrusion detection system (IDS) that was created in 1998 and has continued to evolve, with a focus on detection capacity, speed and output plugin functionality.
- Snort examines packet flows and compares them to configured rule sets, utilizing variables, preprocessors and output plugins. Common preprocessors perform functions like stream reassembly and portscan detection.
- Output is configured through plugins to perform actions like logging to files or databases. Signatures use a standardized language to define common network attacks and anomalies.
- Unified log files were created to offload alerting from Snort to other applications, improving performance for detection. Compatible spool readers like Barnyard and Mudpit can
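The Snort summary above describes rules as a standardized language compared against packet flows. As an added example (not Snort code, and not from the summarised deck), the Python below parses a small subset of that language, the rule header plus the msg, content (with |hex| escapes), nocase and sid options, and evaluates it against constructed packets. The $HOME_NET/$EXTERNAL_NET bindings, both rules and all three packets are constructed for the demo; real Snort adds preprocessors, stream reassembly, address lists and many more option keywords.

```python
"""Matcher for a small subset of the Snort rule language (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed variable bindings; snort.conf would define these. Only a single
# network per variable is supported here, with "!" meaning negation.
VARS: Dict[str, str] = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]*)\|")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: List[Tuple[bytes, bool]]  # (pattern, nocase)


def content_to_bytes(text: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |41 42| hex escapes."""
    out = bytearray()
    for i, part in enumerate(HEX_RE.split(text)):  # odd indices are the hex groups
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, sid, contents = "", 0, []
    for opt in m["opts"].split(";"):  # assumes no ';' inside quoted values
        key, _, val = (s.strip() for s in opt.strip().partition(":"))
        if key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append((content_to_bytes(val.strip('"')), False))
        elif key == "nocase" and contents:
            contents[-1] = (contents[-1][0], True)  # nocase modifies the preceding content
        # rev, flow, classtype and the rest are ignored in this subset
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                msg, sid, contents)


def addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = False
    while True:  # resolve "!" prefixes and variables until a CIDR remains
        if spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        elif spec in VARS:
            spec = VARS[spec]
        else:
            break
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")  # "80", "1024:", ":1023", "20:21"
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else (65535 if sep else lo_n)
    return (lo_n <= port <= hi_n) != negate


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt["sport"])
            and addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt["dport"])):
        return False
    for pat, nocase in rule.contents:  # every content must be present
        hay, needle = (pkt["payload"].lower(), pat.lower()) if nocase else (pkt["payload"], pat)
        if needle not in hay:
            return False
    return True


# Constructed rules and packets for the demo.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Constructed: webshell request"; '
    'content:"GET /uploads/"; content:"c99.php"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Constructed: PE download"; '
    'content:"|4D 5A 90 00|"; sid:1000002; rev:1;)',
)]
WEBSHELL = b"GET /uploads/C99.PHP?cmd=id HTTP/1.1\r\nHost: shop\r\n\r\n"
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.9", "sport": 51234, "dst": "10.1.2.3", "dport": 80, "payload": WEBSHELL},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 80, "dst": "10.1.2.3", "dport": 51234,
     "payload": b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00\x03\x00\x00\x00"},
    {"proto": "tcp", "src": "10.9.9.9", "sport": 40000, "dst": "10.1.2.3", "dport": 80, "payload": WEBSHELL},
]


def scan(packets=PACKETS, rules=RULES) -> List[List[int]]:
    """Return, per packet, the sids of the rules that fire."""
    return [[r.sid for r in rules if matches(r, p)] for p in packets]


if __name__ == "__main__":
    for p, sids in zip(PACKETS, scan()):
        print(p["src"], "->", p["dst"], sids)
```

The third packet carries the same webshell request as the first but from an internal host, so $EXTERNAL_NET does not match and the rule stays silent; that is the direction check doing its job, and also a reminder that lateral movement needs rules written for internal-to-internal traffic.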
This document summarizes the SOHO Honeynet Project which aims to use inexpensive consumer routers to expand honeynet networks. The project uses Linksys WRT54G or WRT54GS routers running customized OpenWRT firmware to establish a VPN to a central honeynet and redirect traffic that would normally be dropped by the firewall. The document provides an overview of the project goals, hardware choices, hacking the stock firmware, installing custom firmware, and software required as well as calling for developers, testers, and documentation authors to participate in the project.
Dandelion Hashtable: beyond billion requests per second on a commodity server - Antonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Skybuffer SAM4U tool for SAP license adoption - Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
"Choosing proper type of scaling", Olena Syrota - Fwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency - ScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
5th LF Energy Power Grid Model Meet-up Slides - DanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Microsoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
2. About me
4th year speaking at 44CON
- 2012: Malware as a hobby [P]
- 2013: Controlling a PC using Arduino [WS]
- 2014: Malware analysis as a big data problem [P]
- 2015: Malware anti-reversing [P], Indicators of Compromise [WS]
Malware Researcher, Founder Malware Research Institute
6 kids, one more on the way…
5. Detecting the Unknown
FBI: There are only two types of companies: those that have been hacked,
and those that will be.
Always assume that you have been compromised and look for signs to
confirm the assumption
6. Where to look
There is gold in those logfiles!
Firewall
IDS / IPS
Proxy
DNS
System logfiles
Netflow data
7. Firewall
New sessions are enough, no need to log every packet
Ingress (incoming) AND Egress (outgoing)
Denied AND Permitted
8. IDS / IPS
Detecting attacks is "nice", detecting compromises is "cool"
You need actionable information from your IDS / IPS system
Custom rules are the path to salvation
10. DNS
Log queries
Establish DNS query & response baseline
Analyze NXDOMAIN responses
Analyze successful DNS lookups
Identify domain name abnormalities
11. System logfiles
Windows 7 regular expressions                          SOURCE       EventID Number
.*APPCRASH.*                                           Application  1001
.*he protected system file.*                           Application  64004
.*EMET_DLL Module logged the following event:.*        Application  2
.*your virus/spyware.*                                 Application  Depends
.*A new process has been created..*                    Security     4688
.*A service was installed in the system..*             Security     4697
.*A scheduled task was created..*                      Security     4698
.*Logon Type:[\W]*(3|10).*                             Security     4624, 4625
.*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*  Security     4657
.*service terminated unexpectedly..*                   System       7034
.*service was successfully sent a.*                    System       7035
.*service entered the.*                                System       7036
.*service was changed from.*                           System       7040
12. Netflow data
WHO is talking to WHOM
When doing incident response, being able to narrow down the scope is
key
13. Acquire the sample
Extraction from network traffic
File on disk
Memory dump
18. Cuckoo Sandbox
Uses DLL-injection techniques to intercept and log specific API calls
Uses TCPDump to capture network traffic
19. Minibis
Uses Microsoft ProcMon inside the instrumented environment
Uses TCPDump to capture network traffic
ProcDOT can be used to analyze / visualize the execution process
20. Identify IOCs
Identifiable patterns in the sample
Created files
Created / Modified registry keys
Network traffic
Memory patterns
25. Searching Network Traffic
Firewall
Detection, Block specific communication
IDS / IPS
Create signatures to Detect and Prevent C2 communication, additional
infections
Proxy
Detection, Block specific communication
DNS
Detection, Block communication to sites
27. Announcement
Public VXCage-server
Available at vxcage.malwareresearch.institute (http, soon https)
Feel free to apply for a personal account, free of charge:
TO: michael@michaelboman.org
SUBJECT: VXCage Access
BODY:
Who you are: name, twitter handle (if any, for cyberstalking), other contact info
Why you want access
Proposed username for the system (the password will be generated for you)
Please contact me at the above address for raw access to the archive
28. VXCage API: Quick intro
REST with JSON output
/malware/add – upload sample
/malware/get/<sha256> - download sample
/malware/find – search sample based on hash, date, tag
/tags/list – list tags
Docs & Source code at https://github.com/mboman/vxcage
Hi! Good morning. Thanks for having me.
My name is Michael Boman and I am a Senior Malware Analyst at the Malware Research Institute, an organization that promotes malware research and tools and techniques for malware analysis. We are a young organization, just started out this year. I myself have been speaking on the topic of malware analysis at conferences like 44CON in London and DEEPSEC in Vienna as well as at different OWASP chapters here in Sweden.
This talk will cover things like network monitoring, network forensics, log analysis, memory acquisition, malware analysis, creating signatures for files and network traffic etc., all topics worth a talk of their own, so please excuse me if I don't go into great detail on every single topic.
The FBI recently said that basically everyone is, or is going to be, hacked, and that your organization is a target either because you have something of value, because you can be leveraged to gain something of value, or just for the LOLs.
If you assume that your systems and network infrastructure is compromised, how would you act differently? And how would you go about to identify the compromised assets?
<open feedback – whiteboard>
You might already have many of the systems on the list, but are you using them to the fullest? Make use of your existing IT investment.
Firewalls can be used for so much more than just blocking traffic; with the right rules your IDS or IPS can do much more than detect attacks; the proxy you have to cache internet traffic or keep users off questionable sites can also detect malware infections. Have you ever thought about using DNS, you know, the service that lets you type www.facebook.com instead of 31.13.64.1, for malware hunting? The system logs, used correctly, are a gold mine for incident response. And your network switches? They are sitting on a gold mine when it comes to traffic analysis!
Don't start spending a lot of money on new toys, learn how to use the tools you already have in a new, efficient way.
Your firewall has real gold if you do your logging right.
A few years back while I was working as a consultant, a colleague and I were assigned to a municipality who had been informed by their ISP that if they didn't stop spamming, their internet connection would be terminated, and as that connection served everything from the local schools to city hall they were in a bit of a panic.
They didn't have any fancy equipment, nor anything particularly new, so sniffing traffic was kind of a headache. So what we did was block outgoing traffic on port 25 (that's SMTP, which is used for sending email out) from everything that wasn't their official email server, and then log all blocked connections. That became their list of machines to take in and re-image. I was told that the first machine belonged to a student who had his laptop repossessed in the middle of class by three fairly large IT guys...
Anyway, make sure your firewall not only blocks everything you don't want IN OR OUT of your network, but also logs traffic regardless of whether it is permitted or not. You don't need to log every single packet; logging all new connections is a good start.
How many of you have got an IDS or IPS? Raise your hands.
For those who have one, what are you looking for? Does your vendor support custom rules, meaning are you able to write your own signatures, and have you created any custom rules specific to your organization? One cool custom rule is one that alerts on, or logs, any traffic to your "dark" IPs, addresses you haven't assigned to a host yet. As they are unused there shouldn't be any traffic to them except from misconfigured systems and attacks, both worth knowing about. Another important thing to get out of your IDS or IPS is the answer to the question: "Did it succeed?"
Frankly, I don’t care if we got 10 thousand attacks against our system in the last 24 hours, what I want to know: “DID ANY OF THEM SUCCEED”? Make sure that if you are looking for an IDS or IPS solution it can help you answer that question.
If you can, record all network traffic using something like Daemonlogger (available on SourceForge), which writes all packets to disk and removes old packet captures according to its configuration. Having full packet captures is golden, because even if you missed the initial attack or need to verify whether the attack was successful, you still have the ability to do so.
How many of you work in an organization that, for whatever reason, forces you to surf through a proxy? Raise your hands. Are those requests logged? Is anyone looking at those logs for anything more than "damn, you surf the internet a lot" statistics? Analyzing those logs can be a useful source of indications of compromise. Look at hostnames, URLs, downloaded files and user agents; it is a great source for finding additional compromised systems.
You can also use the proxy logs to detect data exfiltration by looking at POST requests and their sizes, for example a client that suddenly uploads far more than it downloads, or large POSTs to hosts nobody else in the organization talks to.
How about DNS traffic? Does anyone monitor your DNS traffic?
What you need to do is to start logging DNS queries and responses. You can either configure your local resolver to perform this logging or use packet capture to log them. I would recommend something like PassiveDNS, an open source sniffer written in C and available on GitHub, as you don't need to make any changes to your DNS infrastructure to get the data. If you place your sensor right (at the egress, not just in front of your own resolver) you will also see queries that go directly to external resolvers, bypassing yours.
Once you have collected DNS requests and responses it is time to analyze the data. The first thing you need to do is to establish a baseline. What does "business as usual" look like in your environment? Unfortunately all environments are different, so I can't give you any shorthand tips on what it should look like.
After you have created a baseline you can take a look at all the NXDOMAIN responses. NXDOMAIN is the response you get when the hostname doesn't resolve. This datapoint is extremely useful because domain generation algorithms used by malware fail a lot: the bad guy only needs one of the candidate domains to resolve in order to control the botnet, and it is expensive to register more domains than required, so an infected host produces a burst of NXDOMAINs that a normal client never would.
By logging successful DNS lookups you can detect when a DNS entry changes from one IP to another, or an IP has several hostnames (the hosting server is supplying malware under many different DNS names). Suddenly you can find a whole bunch of new malware distributing sites just by looking at DNS requests and responses? Isn't that cool?
DGAs (Domain Generation Algorithms) are used to create domains for C2 communication and they make it very hard to block the traffic at the domain name level, but on the other hand DGAs generate very distinct and easy-to-spot domain names (long, few vowels, lots of consonants or digits, high entropy) which you can find with statistical analysis.
You should also compare DNS requests with known malicious domain names using blacklists from sites such as Malc0de, Malware Domain List, Malware URLs, VX Vault, URLquery, CleanMX, ZeusTracker etc., and use the result as input for further analysis.
Another data source to add to the DNS data is WHOIS information: the registrar, who registered the domain, and how old the domain is. Freshly registered domains deserve extra suspicion.
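The steps above (baseline, NXDOMAIN rate per client, DGA-looking names, one address serving many names) as a small runnable example. This is added here and is not the speaker's code or part of PassiveDNS: the "||"-separated field order it parses is assumed to be passivedns-like, the sample log lines are constructed, and the 10% baseline NXDOMAIN ratio and the DGA thresholds are illustrative values you would calibrate on your own traffic.

```python
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: float
    client: str
    query: str   # lower-cased, trailing dot removed
    qtype: str
    answer: str  # an address, or the literal "NXDOMAIN"


def parse_passivedns(text: str) -> list[DnsRecord]:
    """Parse '||'-separated lines in a passivedns-like layout.

    Field order assumed here: ts||client||server||class||query||type||answer||ttl||count.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _srv, _cls, query, qtype, answer, _ttl, _count = line.split("||")
        records.append(DnsRecord(float(ts), client, query.lower().rstrip("."), qtype, answer))
    return records


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_dga_like(domain: str) -> bool:
    """Lexical DGA heuristic on the registrable label (thresholds are illustrative)."""
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return vowels < 0.2 or digits >= 0.25 or shannon_entropy(label) >= 3.6


def nxdomain_outliers(records, baseline_ratio, factor=3.0, min_queries=5) -> dict[str, float]:
    """Clients whose NXDOMAIN share exceeds `factor` times the baseline ratio."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r.client] += 1
        nx[r.client] += r.answer == "NXDOMAIN"
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] > factor * baseline_ratio}


def ips_with_many_names(records, min_names=3) -> dict[str, set[str]]:
    """Answer addresses that served at least `min_names` distinct hostnames."""
    names = defaultdict(set)
    for r in records:
        if r.answer != "NXDOMAIN":
            names[r.answer].add(r.query)
    return {ip: n for ip, n in names.items() if len(n) >= min_names}


# Constructed sample: 10.0.0.5 is a normal client, 10.0.0.23 is running a DGA,
# and 198.51.100.77 hosts several names (documentation/test address ranges only).
SAMPLE_LOG = """\
1433400001.101||10.0.0.5||10.0.0.1||IN||www.example.com.||A||93.184.216.34||3600||1
1433400002.220||10.0.0.5||10.0.0.1||IN||mail.example.com.||A||93.184.216.35||3600||1
1433400003.301||10.0.0.5||10.0.0.1||IN||ww.example.com.||A||NXDOMAIN||0||1
1433400004.400||10.0.0.5||10.0.0.1||IN||www.wikipedia.org.||A||91.198.174.192||600||1
1433400010.010||10.0.0.23||10.0.0.1||IN||qxzkvbpwrtlmsd.com.||A||NXDOMAIN||0||1
1433400010.120||10.0.0.23||10.0.0.1||IN||f3k9x2zq8wjh.net.||A||NXDOMAIN||0||1
1433400010.230||10.0.0.23||10.0.0.1||IN||p0r7tq2xvbnmk.org.||A||NXDOMAIN||0||1
1433400010.340||10.0.0.23||10.0.0.1||IN||zxqwvk9t3hlp.biz.||A||NXDOMAIN||0||1
1433400010.450||10.0.0.23||10.0.0.1||IN||tk8s2zq4xwvy.info.||A||198.51.100.77||60||1
1433400011.560||10.0.0.23||10.0.0.1||IN||www.example.com.||A||93.184.216.34||3600||1
1433400020.000||10.0.0.9||10.0.0.1||IN||cdn-update.info.||A||198.51.100.77||60||1
1433400021.000||10.0.0.9||10.0.0.1||IN||media-stats.biz.||A||198.51.100.77||60||1
"""

BASELINE_NXDOMAIN_RATIO = 0.10   # assumed from a quiet week of your own traffic; measure it

if __name__ == "__main__":
    recs = parse_passivedns(SAMPLE_LOG)
    print("NXDOMAIN outliers:", nxdomain_outliers(recs, BASELINE_NXDOMAIN_RATIO))
    print("DGA-like queries:", sorted({r.query for r in recs if is_dga_like(r.query)}))
    print("IPs with many names:", ips_with_many_names(recs))
```

The three checks are deliberately independent: the NXDOMAIN ratio catches a DGA even when the names look benign, the lexical heuristic catches DGA names even when the registered one resolves, and the one-address-many-names view is what turns a single resolved C2 name into a list of sibling domains to block.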
How about system log files, are you actively collecting and looking through those logs for signs of compromise?
<CLICK>
Crashed applications, new services and scheduled tasks are just a few of the many log entries that can indicate a system compromise. The approach to take is to filter out the known good and investigate all other events. The SANS Institute has good Intrusion Discovery Cheat Sheets for both Windows and Linux systems.
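Here is that filtering approach applied to the slide 11 table, as an added example that is not part of the original talk. It takes rendered Windows event messages, requires the log name and event ID from the table to match before a regex fires, and then drops anything on a known-good list. The two known-good entries and all sample events are constructed for this example; Windows event text is not consistently cased, so the indicator match is case-insensitive.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str    # Windows log the event came from: Application, Security or System
    event_id: int
    message: str   # full rendered message text (usually several lines)


# Indicator table from slide 11: (regex, log, event IDs). None means the ID varies
# with the product installed (the "Depends" row for antivirus alerts).
INDICATORS = [
    (r".*APPCRASH.*", "Application", {1001}),
    (r".*he protected system file.*", "Application", {64004}),
    (r".*EMET_DLL Module logged the following event:.*", "Application", {2}),
    (r".*your virus/spyware.*", "Application", None),
    (r".*A new process has been created\..*", "Security", {4688}),
    (r".*A service was installed in the system\..*", "Security", {4697}),
    (r".*A scheduled task was created\..*", "Security", {4698}),
    (r".*Logon Type:\W*(3|10).*", "Security", {4624, 4625}),
    (r".*Software\\Microsoft\\Windows\\CurrentVersion\\Run.*", "Security", {4657}),
    (r".*service terminated unexpectedly\..*", "System", {7034}),
    (r".*service was successfully sent a.*", "System", {7035}),
    (r".*service entered the.*", "System", {7036}),
    (r".*service was changed from.*", "System", {7040}),
]

# Known-good filter. These two entries are hypothetical examples of what an
# environment-specific allow-list looks like; build yours from your own baseline.
KNOWN_GOOD = [
    re.compile(r"New Process Name:\s+C:\\Windows\\System32\\(svchost|conhost|taskhostw)\.exe", re.I),
    re.compile(r"Account Name:\s+backup-svc\b.*Logon Type:\s+3\b", re.I | re.S),
]


def matching_indicators(ev: Event) -> list[str]:
    """Indicator regexes that fire on this event (log name and event ID must match too)."""
    hits = []
    for pattern, source, ids in INDICATORS:
        if ev.source != source or (ids is not None and ev.event_id not in ids):
            continue
        # re.S lets '.*' span the multi-line message; re.I copes with SOFTWARE vs Software.
        if re.match(pattern, ev.message, re.S | re.I):
            hits.append(pattern)
    return hits


def is_known_good(ev: Event) -> bool:
    return any(rx.search(ev.message) for rx in KNOWN_GOOD)


def triage(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Events that fire at least one indicator and are not on the known-good list."""
    flagged = []
    for ev in events:
        hits = matching_indicators(ev)
        if hits and not is_known_good(ev):
            flagged.append((ev, hits))
    return flagged


# Constructed sample events (abridged message bodies, not real log exports).
SAMPLE_EVENTS = [
    Event("Security", 4688, "A new process has been created.\nNew Process Name:\tC:\\Windows\\System32\\svchost.exe"),
    Event("Security", 4688, "A new process has been created.\nNew Process Name:\tC:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"),
    Event("Security", 4698, "A scheduled task was created.\nTask Name:\t\\Updater"),
    Event("Security", 4624, "An account was successfully logged on.\nAccount Name:\t\tbackup-svc\nLogon Type:\t\t3"),
    Event("Security", 4624, "An account was successfully logged on.\nAccount Name:\t\talice\nLogon Type:\t\t10"),
    Event("Security", 4657, "A registry value was modified.\nObject Name:\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\nObject Value Name:\tUpdater"),
    Event("Application", 1001, "Fault bucket 1234, type 5\nEvent Name: APPCRASH\nP1: AcroRd32.exe"),
    Event("Application", 1000, "Faulting application name: notepad.exe, version 6.1.7600.16385"),
    Event("System", 7040, "The start type of the Windows Defender service was changed from auto start to disabled."),
]

if __name__ == "__main__":
    for ev, hits in triage(SAMPLE_EVENTS):
        print(f"{ev.source}/{ev.event_id}: {ev.message.splitlines()[0]}  <- {hits[0]}")
```

Six of the nine constructed events survive triage; the svchost process start and the backup account's network logon are dropped as known good, and the plain 1000 crash never fires because the table keys on the APPCRASH text in event 1001.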
One way to harden your Windows machines is to install EMET, the Microsoft Enhanced Mitigation Experience Toolkit, a free utility that helps prevent vulnerabilities in software from being successfully exploited. EMET does this with mitigation technologies such as:
Data execution prevention -- marks memory that should only hold data as non-executable, so injected code cannot simply be run from it
Mandatory address space layout randomization -- randomizes where modules are loaded, making it hard for an exploit to predict addresses in memory
Structured exception handler overwrite protection -- blocks exploits that hijack the SEH chain, a classic way of turning a stack overflow into code execution
Export address table access filtering -- blocks the way shellcode typically locates function addresses by walking a module's export table
Anti-return-oriented programming -- checks that make it harder to bypass DEP by chaining together existing code fragments
SSL/TLS certificate trust pinning -- helps detect man-in-the-middle attacks that abuse the public key infrastructure
Apart from hardening the system, EMET writes an event to the Application log (Event ID 2, as in the table on slide 11) when it stops an exploit attempt, which is exactly the kind of failed-exploit signal you want in your log collection. Note that EMET reached end of life in July 2018; on Windows 10 and later the equivalent mitigations live in Exploit Protection.
Is ANYONE here collecting NetFlow data? NetFlow records who talks to whom: source and destination, when, which ports, and how much data was transferred.
In an incident response scenario, being able to map which machines have talked to each other is a gold mine and a life saver. Think about it: any machine the compromised machine has spoken to is potentially compromised, and a machine it has never contacted is fairly unlikely to be affected. That matters when you pull out your triage kit to check systems for signs of compromise, because that is resource intensive, and when you decide which machines must be reinstalled from a known good state to make sure the infection is eradicated. Would you reinstall perfectly healthy systems because you didn't know the scope of the compromise? How about missing a system or two? You can't nuke the whole IT infrastructure just because Alice in HR got infected opening a job application...
If you can't get NetFlow from your network infrastructure you can use SANCP (Security Analyst Network Connection Profiler) to extract the same kind of information from a sensor's packet capture.
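Scoping a compromise from flow records, as an added example (not the speaker's code, and not SANCP or NetFlow collector output): given the compromised host and the time of infection, it follows connections forward in time from every host already in scope and reports which internal hosts were reached and when, which external addresses were contacted, and which internal hosts were never reached. The flow records, addresses and timestamps are constructed; 10.0.0.0/8 is assumed to be the internal range.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int    # flow start time, epoch seconds (constructed values here)
    src: str
    dst: str
    dport: int
    octets: int


def compromise_scope(flows, patient_zero, t0, internal="10.0.0.0/8"):
    """Hosts reachable from patient zero through flows that start after infection.

    A host enters the scope at the start time of the first flow that reaches it
    from a host already in scope; flows from that host from then on are followed.
    Only outbound connections from in-scope hosts are followed. An inbound
    connection to a compromised host can matter too (an admin logging on with
    domain credentials, say), so widen this if your case needs it.
    Returns (internal_scope, external_contacts), each {host: first_contact_time}.
    """
    net = ipaddress.ip_network(internal)
    scope = {patient_zero: t0}
    external = {}
    for f in sorted(flows, key=lambda f: f.start):
        if f.start < t0 or f.src not in scope:
            continue
        target = scope if ipaddress.ip_address(f.dst) in net else external
        target.setdefault(f.dst, f.start)   # keep the earliest contact time
    return scope, external


def hosts_out_of_scope(flows, scope, internal="10.0.0.0/8") -> set[str]:
    """Internal hosts seen in the flow data that the compromise could not have reached."""
    net = ipaddress.ip_network(internal)
    seen = {h for f in flows for h in (f.src, f.dst) if ipaddress.ip_address(h) in net}
    return seen - set(scope)


# Constructed flow records. Patient zero 10.0.0.23 pulls its payload from
# 203.0.113.10 at t=100; everything else is there to exercise the time ordering.
PATIENT_ZERO = "10.0.0.23"
INFECTION_TIME = 100
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.23", "203.0.113.10", 80, 512),      # initial download (external)
    Flow(50, "10.0.0.23", "10.0.0.40", 445, 2048),        # before infection: ignored
    Flow(200, "10.0.0.23", "10.0.0.40", 445, 120000),     # SMB to the file server
    Flow(210, "10.0.0.23", "10.0.0.41", 445, 300),
    Flow(300, "10.0.0.40", "10.0.0.50", 3389, 90000),     # file server -> RDP to .50
    Flow(150, "10.0.0.41", "10.0.0.60", 445, 800),        # .41 -> .60 before .41 was reached: ignored
    Flow(400, "10.0.0.50", "10.0.0.60", 22, 4000),        # .50 -> .60 after .50 was reached
    Flow(350, "10.0.0.70", "10.0.0.23", 80, 700),         # inbound to patient zero: not followed
    Flow(500, "10.0.0.80", "10.0.0.81", 443, 900),        # unrelated
]

if __name__ == "__main__":
    scope, external = compromise_scope(SAMPLE_FLOWS, PATIENT_ZERO, INFECTION_TIME)
    print("in scope (host: first contact):", scope)
    print("external contacts (C2/download candidates):", external)
    print("internal hosts never reached:", sorted(hosts_out_of_scope(SAMPLE_FLOWS, scope)))
```

The time check is what keeps the scope honest: the file server talked to 10.0.0.60 at t=150, but through 10.0.0.41 before that host was itself reached, so 10.0.0.60 only enters the scope via the later hop from 10.0.0.50. Without the ordering you would be re-imaging on the basis of a plain connectivity graph.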
I am telling you, there are gold in those logs!
Let's say that you have now found an infected machine and decided to take a look at the particular malware. I believe this is a very important step: don't just re-image the system and walk away. It is your duty as a security guy to know why your defenses failed and to make sure you have the complete scope of the infection. Is it only this particular machine that is compromised, or is it elsewhere in your organization as well?
First of all you need to get hold of the sample. Grabbing the initial exploit and downloader can be challenging, because it may only ever have existed in memory, but if the attacker wants persistence (surviving a simple reboot) they will need to commit some data to disk. Maybe you can't get hold of all the different parts of the compromise, but some is better than none. Things get really challenging when the binary on disk is encrypted or packed, in which case you want to grab a copy from running memory, where it has to be unpacked to be able to run. There are anti-forensic techniques against this as well, but fortunately they are not too common yet.
Let's start with extracting files from the network traffic. You can do it in many ways using tools like Wireshark, NetworkMiner, Foremost and Dshell – among others.
Foremost is an open source file carving tool originally developed by the US Air Force Office of Special Investigations. It is mainly used for extracting files from hard drives or disk images, but it can carve files out of network captures as well.
Dshell is an extensible network forensic analysis framework that enables rapid development of plugins for dissecting packet captures. To extract files you issue decode -d rip-http --rip-output_dir=output/ /path/to/pcap. Optionally you can specify with the --rip-http_content_filter and --rip-http_name_filter options what kinds and/or names of files you want to extract. Dshell is quite a new tool, but can replace many of the other tools mentioned, like PassiveDNS and SANCP, for NetFlow-like output. That said, Dshell is more of an analysis and interactive tool, so you still want PassiveDNS and NetFlow or SANCP for collecting data.
MDD, or Memory Data Dumper, is a physical memory acquisition tool for imaging Windows based computers. It is like the Unix tool dd, but for memory. Used together with PsExec from Microsoft Sysinternals you can run it on remote machines as long as you have a privileged account, like a domain administrator. The resulting file is the same size as the physical RAM of the system. Mandiant Memoryze is another tool you can use to grab the RAM. From a Linux environment you can use Metasploit instead of PsExec to execute commands remotely with the credentials of a privileged account.
Once you have a memory dump it is time to extract the malware from it. With Volatility you can use the dlldump plugin to extract DLLs and procmemdump (procdump in newer Volatility releases) to extract executables. If the malware has anti-forensics enabled it will be harder both to dump the RAM and to extract the malware from the memory image.
Once you have the malware sample you need to analyze it for capabilities and make sure you are acting on a real compromise. This step is important so you don't waste resources and activate incident management procedures for benign files. You also need to find out what the malware has done: what kind of information has been sought, and possibly compromised, and what damage it may have caused.
There are two ways to analyze code: static and dynamic. Static analysis is when you pick the binary apart without running it: look at what libraries it imports, what strings it contains, or even load the code into a disassembler like IDA Pro.
Dynamic analysis is when you run the sample in an instrumented environment, which is a fancy way of saying that you somehow detect and log what the malware does to the system. It can range from snapshot-diffing tools like Regshot (available on SourceForge [http://sourceforge.net/projects/regshot/]) and Sysdiff, a now discontinued tool from Microsoft, to customized hypervisors. The problem with Regshot and Sysdiff is that they don't record temporary files and registry entries that are created and removed between the two snapshots.
Cuckoo Sandbox uses a DLL-injection technique to hook the API calls of interest and tcpdump to record network traffic to and from the instrumented system. It can also take optional screenshots at configurable intervals. The drawback of this approach is that DLL injection can be detected by the malware, and that any API call Cuckoo hasn't specifically been told to log will be missed. Overall it is a very nice tool with lots of features to simulate user interaction and to flag suspicious behavior using behavior-based signatures.
You can download Cuckoo from cuckoo sandbox DOT org.
Minibis uses ProcMon from Microsoft Sysinternals to record what is happening on the system and tcpdump to record traffic to and from the instrumented system. By using standard tools like ProcMon it has less custom code to maintain, but more components, like an FTP server for transferring files to and from the instrumented system. Another cool feature is the graphical viewer ProcDOT, which combines the ProcMon output with the tcpdump traffic to visualize a timeline of events.
Both Minibis and ProcDOT are available from the CERT.at website.
Indicators of Compromise, or IOCs for short, are ways to detect if a system has been compromised by looking for specific patterns in files, created files and mutexes, created or modified registry keys on a system. On the network we can look at specific patterns for the command and control traffic or we can search for patterns in the system memory. A mutex, short for mutual exclusion object, is a program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously.
From easy to hard I recommend you approach the IOC identification in this order: Files, mutexes and registry keys followed by network analysis and finally memory dumps.
YARA is the Swiss Army knife of binary pattern matching. It understands both binary and printable patterns, is ASCII- and Unicode-aware, and you can ask it to match a pattern at a specific distance or range from another pattern. I would need another hour just to tell you about all the cool features of YARA, but here's a quick example.
First we have a rule name (“silent_banker”) and a tag (“banker”). If you are collecting malware like me you sooner or later end up with a large collection of samples and it is nice to keep track of what kind of malware they are.
Then we have some metadata, like a human readable description of what it is looking for, and some other metadata. You can write pretty much anything here you want to be able to find in the output later on.
In the "strings" section we specify the patterns we are looking for. Here you see that we use variables: $A and $B use hex to specify the pattern, while $C uses an ASCII string.
Finally we specify under what conditions this rule should trigger, and in this example all of the patterns are required to trigger a match.
For Snort rules it would look something like this if we were looking for the same patterns in the network traffic. First we specify that we want an alert on a match and the network protocol, in this example TCP, then the source network followed by the source port. After the direction arrow we specify the destination host or network and the port number.
The content keyword says that it is payload content we are looking for, because you can also match on other aspects of the traffic like flags, time to live etc. Again we specify the strings in both hex and ASCII form (hex goes between pipe characters in Snort), and finally the message that will be displayed when the alert triggers, using the msg keyword.
Instead of specifying the known C2 server we just match the traffic pattern so we detect C2 traffic to C2 servers that we don’t yet know about. It is much easier for an attacker to change hostnames or IPs of C2 servers than it is to re-engineer the C2 protocol itself.
Using existing network infrastructure we can detect additional infections.
The firewall can be used to detect C2 traffic based on IP address and port number, and block the communication.
The IDS or IPS can be used to detect C2 communication on a protocol level as well as known binary downloads, and in the case of IPS can be used to block the traffic.
The proxy can be used to detect infections as well as block access to malware-infested sites and C2 servers.
DNS can be used to detect infections and to sinkhole known malicious hosts: either resolve them to localhost or, even better, point them at a server with extra logging enabled to single out additional infected machines. A quick way to achieve this is INetSim, the Internet Services Simulation Suite.
In conclusion, your network has more capability to locate "bad stuff" than you know of or are making use of. You don't need to spend tens of thousands on software and hardware; you can get a lot from what you already have by using the capabilities you already paid for and looking at the output from those systems. Of course there are many solutions on the market that put it all together in an easy-to-use, usually web based, interface, and if you can I would recommend looking at some of them, but it is not a requirement.
All the tools I have spoken about today are either free (as in beer) or very cheap. I would say that you are wasting your organization's resources by not employing the techniques discussed here today.
If you have any questions you can ask them now or catch me afterwards, or you can drop me an email at michael AT michael boman DOT org, stalk me on twitter where I am AT mboman.
I also recommend you to visit the Malware Research Institute website at blog DOT malware research DOT institute where you can find more information on how to search and destroy malware.