This document outlines a presentation on indicators of compromise (IOCs). It discusses IOC standards like OpenIOC and STIX, and how to mine and apply IOCs through case studies and practical tasks analyzing network traffic, HTTP logs, and antivirus logs. The document provides examples of IOCs like an exploit pack trace and a Nuclearsploit pack indicator.
Honeycon2014: Mining IoCs from Honeypot data feeds
The document discusses mining indicators of compromise (IOCs) from honeypot systems. It covers IOC standards like OpenIOC and STIX, analyzing data from honeypots in Russia and Taiwan to extract IOCs like malicious domains, IP addresses and file hashes. The IOCs can help identify compromise events and emerging threats that real networks may face.
This document outlines a presentation on indicators of compromise (IOCs). It discusses IOC standards like OpenIOC and STIX, and how to mine and apply IOCs through case studies and practical tasks analyzing network traffic, HTTP logs, and antivirus logs. The document provides examples of IOCs like an exploit pack trace and a Nuclearsploit pack description.
Incident Response Tactics with Compromise Indicators
Incident Response Tactics with Compromise Indicators - a short presentation on the use of indicators of compromise, given at RusCrypto 2014. The presentation covers open source projects and standards (such as OpenIOC) and possible practical applications.
Introducing Intelligence Into Your Malware Analysis - Brian Baskin
With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. While many analysts have a grasp on how to appropriately reverse malware, there is large room for improvement in extracting critical indicators, correlating on key details, and cataloging artifacts in a way that improves your corporate response to the next attack. This talk goes beyond the basics of malware analysis and focuses on the critical indicators analysts should concentrate on for attribution and better reporting.
Alain Zidouemba presented on writing signatures for ClamAV. He discussed the different signature formats including .hdb, .mdb, .ndb, and .ldb. He provided examples of generating signatures using hash databases and extended signatures. He also demonstrated how to write logical signatures in .ldb format through a case study of the Worm.Godog malware. Whitelisting techniques were also covered, including adding entries to ignore specific signatures.
Your Watch can watch you! Gear up for broken privilege pitfalls in the samsu... - Priyanka Aash
"You buy a brand-new smartwatch. You receive emails and send messages, right on your wrist. How convenient, this mighty power! But great power always comes with great responsibility. Smartwatches hold precious information just like smartphones, so do they actually fulfill their responsibilities?
In this talk, we will investigate if the Samsung Gear smartwatch series properly screens unauthorized access to user information. More specifically, we will focus on a communication channel between applications and system services, and how each internal Tizen OS component plays its part in access control.
Based on the analysis, we have developed a new simple tool to discover privilege violations in Tizen-based products. We will present an analysis on the Gear smartwatch which turns out to include a number of vulnerabilities in system services.
We will disclose several previously unknown exploits in this presentation. They enable an unprivileged application to take over the wireless services, the user’s email account, and more. Further discussions will center on the distribution of those exploits through a registered application in the market, and the causes of the vulnerabilities in detail."
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort - Cyphort
Web browser vulnerabilities remain a fertile ground for hackers to harvest and mount attacks. The latest vulnerabilities found in Internet Explorer and the urgent response from Microsoft highlight the fact that, despite end-of-life announcements for old and less secure products, millions of users remain exposed to threats.
- Web browser attacks and how the vulnerabilities are exploited
- How CVE-2014-1776 impacts you
- Finding and dissecting active attacks
- How to mitigate the impact of browser vulnerability based attacks
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and, when they suspect a compromise, simply wait for that vendor to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic Python scripting to identify malware based on signatures we produce in real time? There are plenty of Python tools, scripts and frameworks for malware identification, including yara, pefile, the NSRL hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect of being compromised used this system to check themselves for compromise? Let's find out...
This document discusses moving beyond just prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail and the focus should shift to detection of breaches. Red team assessments are suggested to shift from just finding vulnerabilities to acting as training partners for blue teams by providing indicators of compromise, attack signatures, and use cases to help improve detection capabilities. A pyramid of pain model is presented to show moving up from just tools to full tactics, techniques and procedures used by attackers.
The document summarizes malware spam received in January 2013. A total of 8 messages were received, including ones related to Viagra, jobs, banking, and criminal background checks. The messages contained malicious links, attachments, and sender information indicating they were sent from compromised systems. They often used link masking and domain proxy services to hide the true source.
Recovering Information From Deleted Security Event Logs - CTIN
This document discusses recovering information from deleted security event logs. It explains that security event logs contain important event information in the SecEvent.evt file and registry. It provides guidance on searching for SecEvent.evt fragments using text strings like the computer or event log name. It also explains how to read the fragments by understanding the structure of EVENTLOGRECORD entries and extracting values like the event ID, time, and string offset. The document stresses refining search terms to target specific information like user names, domains, and time stamps when trying to recover deleted security event log data.
The document provides instructions on how to hack into websites and computer systems for beginners in 5 parts:
1. Explains basic UNIX commands needed to use a shell account.
2. Describes how to crack passwords stored in the /etc/passwd file using password cracking tools and wordlists.
3. Outlines two methods to retrieve the /etc/passwd file remotely: using FTP or exploiting PHF scripts.
4. Instructs how to use cracked usernames and passwords to log into the targeted system via telnet.
5. Advises new hackers to clearly understand hacking definitions and ethics before proceeding further.
Windows 7 introduced significant changes to event logging, including a new .evtx file format, over 100 additional event logs, and new security event numbering. Event logs provide system, security, and application events but can be noisy on their own; they are best analyzed in conjunction with other evidence to identify potentially important events. Proper collection and reconstruction of event logs on the analyst's system is important to ensure all message details are available.
The USB device plugin identified that a USB thumb drive had been used on Tom Warner's computer on October 29, 2004 based on registry entries showing the mounting of drive E on that date. This suggests potential transfer of files from his work computer to an external storage device.
Discover 14 useful tools for Growth Hackers and marketing professionals. Don't hesitate to sign up for the Startup Keynote on 28 May, whose topic will be: The stakes and techniques of Growth Hacking
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014 - Santiago Bassett
Threat Intelligence has become increasingly important as the number and severity of threats is growing continuously. We live in an era where our prevention technologies are not enough anymore, antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed and the attacker’s techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component to mitigate cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) used to describe and share cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.
One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.
Presenters: Jaime Blasco and Santiago Bassett
Cornerstones of Trust 2014:
https://www.cornerstonesoftrust.com
Cyber Threat Intelligence and Incident Response by Sandeep Singh - OWASP Delhi
The broad list of topics includes (but is not limited to):
- What is Threat Intelligence?
- Types of Threat Intelligence
- Intelligence Lifecycle
- Threat Intelligence - Classification & Vendor Landscape
- Threat Intelligence Standards (STIX, TAXII, etc.)
- Open Source Threat Intel Tools
- Incident Response
- Role of Threat Intel in Incident Response
- Bonus Agenda
Threat Intelligence 101 - Steve Lodin - Submitted (Steve Lodin)
This document provides an overview of threat intelligence and how organizations can build threat intelligence programs. It discusses what threat intelligence is, why organizations should care about it, and how threat intelligence can be used for attack prevention, detection, forensics, and hunting. It also covers threat intelligence technologies, platforms, feeds, sharing approaches, and common challenges organizations may face when developing threat intelligence capabilities. The goal is to help organizations understand threat intelligence and evaluate their own maturity to incorporate these strategies.
This document discusses cyber threat intelligence and strategies for defense. It begins with an introduction to cyber threat intelligence and discusses the cyber attack life cycle model from Lockheed Martin. It then addresses questions to consider regarding cyber threats. The document outlines threat intelligence standards and tools like STIX and TAXII, and discusses challenges with SIEM systems. It proposes architectures that incorporate threat intelligence to provide preventive, detective, and fusion capabilities. The presentation concludes with a discussion of data sources and architectures to support cyber threat analysis.
As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT.
During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing.
But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision?
That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.
Malware Detection with OSSEC HIDS - OSSECCON 2014 - Santiago Bassett
My presentation on how to use malware indicators of compromise to create rootcheck signatures for OSSEC. Explains different malware collection and analysis techniques.
This document outlines the course for the Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker. The course covers topics such as introduction to ethical hacking, footprinting and reconnaissance, scanning networks, enumeration, and system hacking. It details specific methodologies, tools, attacks, and defenses for each of these areas to provide students with the skills of an ethical hacker to conduct security assessments and penetration tests. The course aims to teach students how to identify security vulnerabilities and protect systems by knowing how real-world attackers operate.
This document outlines the course for Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker. The course contains 8 modules that cover topics such as introduction to ethical hacking, footprinting and reconnaissance, scanning networks, enumeration, and system hacking. Each module provides in-depth information on key concepts, methodologies, threats, and tools related to that stage of the ethical hacking process. The goal is to teach students how to effectively hack systems for penetration testing purposes while avoiding any illegal activities.
Better neuroimaging data processing: driven by evidence, open communities, an... - Gael Varoquaux
My current thoughts about methods validity and design in brain imaging.
Data processing is a significant part of a neuroimaging study. The choice of corresponding methods and tools is crucial. I will give an opinionated view on a path to building better data processing for neuroimaging. I will take examples from endeavors that I contributed to: defining standards for functional-connectivity analysis, the nilearn neuroimaging tool, and the scikit-learn machine-learning toolbox (an industry standard with a million regular users). I will cover not only the technical process (statistics, signal processing, software engineering) but also the epistemology of methods development. Methods govern our results; they are more than a technical detail.
Seaside is a rare example of software that runs on all the major current Smalltalk platforms: Pharo, Gemstone, GNU Smalltalk, Squeak, VA Smalltalk, and VisualWorks. This presentation to the NYC Smalltalk users group looks at some of the tools and techniques the Seaside team uses to make life as easy as possible for the frameworks porters.
This document contains 90 references related to ethical hacking and penetration testing. The references cover topics like footprinting and reconnaissance, information gathering tools, vulnerability scanning, and operating system fingerprinting. Many of the references are websites and papers that provide information on hacking methodology, security research, and the hacker community. The document appears to be compiling sources for a course on ethical hacking techniques and strategies.
The document provides steps for crafting payloads to hack traffic light systems for physical attacks with catastrophic consequences. It introduces the authors and their backgrounds in embedded security and cyber-physical exploitation. It then outlines the stages of control, access, discovery, control and damage when attacking a traffic light system, and provides demonstrations of exploiting the CybatiWorks traffic light kit to force light states, conduct stale data attacks, modify timers to speed up lights, and modify control logic. It stresses the need for cleanup to blind operators of the real system state using man-in-the-middle techniques.
This talk is a collection of my thoughts and observations since my early infosec days - some technical, some philosophical and some pointed questions for all of us to reflect upon. I would like to talk about my journey in the information security industry, from the fledgling years in the late 90s where I was still entrenched in academia to the present day where infosec is redefining the world's political boundaries, literally and figuratively.
Real-time Computer Vision With Ruby - OSCON 2008Jan Wedekind
Computer vision software requires image- and video-file-I/O as well as camera access and fast video display. Ruby and existing open source software allowed us to develop a machine vision library combining performance and flexibility in an unprecedented way. Native array operations are used to implement a variety of machine vision algorithms. This research was funded by the Nanorobotics grant.
The presentation summarizes an upgrade of Test Rig #4 at the Atelier Industriel de l'Aeronautique (AIA) in France. The upgrade involves replacing aging measurement and control systems with NI PXI hardware and LabVIEW software for improved data acquisition, real-time control, security, and automated testing of aircraft turboprop engines. The project scope includes installing a new PXI-based system, recabling, developing automated test scenarios in LabVIEW, and training users on the new system. Future evolutions may include upgrading software versions and hardware platforms to continue meeting users' needs.
The document outlines the course modules for an Ethical Hacking and Countermeasures exam certification. It details 15 modules that cover topics such as introduction to ethical hacking, footprinting and reconnaissance, scanning networks, enumeration, system hacking, hiding files, and information security laws and standards. The modules provide overviews of hacking concepts and methodologies, describe various hacking techniques and tools, and discuss relevant countermeasures.
Academic Summary Example. A Summary Of AAlison Carias
The story "Araby" by James Joyce takes place in Dublin, Ireland in the late 19th century, a time when Ireland was under British rule. The main character, a young boy, lives in a neighborhood that shows signs of poverty and neglect, reflecting the political and economic situation of Ireland at the time under British imperialism. His fascination with a young girl on his street and the bazaar called "Araby" represent his longing to escape from the bleakness of everyday life in Dublin through romance and adventure.
|QAB> : Quantum Computing, AI and BlockchainKan Yuenyong
The document discusses quantum computing, artificial intelligence, and blockchain. It describes how quantum computers could crack encryption like RSA much faster than classical computers. However, building a quantum computer with enough qubits to run algorithms like Shor's algorithm is not currently possible. The document also discusses how quantum computing could be a solution to problems caused by quantum effects at small scales. Photonic quantum computers that operate at room temperature and can scale to millions of qubits are also mentioned.
The document discusses network scanning, which involves identifying live hosts, open ports, services, and vulnerabilities on a network. It describes how the Sality botnet was able to scan the entire IPv4 address space in a stealthy manner using "reverse-byte order scanning." Researchers observed this technique being used to map out vulnerable voice-over-IP servers while evading detection. The document also provides an overview of network scanning objectives and techniques.
Social Networks Protection against Fake Profiles and Social Bots AttacksDr. Mohamed Torky
The document proposes two novel mechanisms:
1. The Fake Profiles Recognizer (FPR) model for detecting fake profiles in online social networks with 94.91% accuracy and low false positive rate.
2. The Necklace CAPTCHA mechanism for protecting against social bots, which employs necklace graph models. It achieved 80.6% effectiveness and can be solved within 24 seconds while demonstrating low 1.65% breaking rate against bots.
This document summarizes a web-based cryptocurrency price tracking project called Della. The project uses Python and Django to provide features like live cryptocurrency prices from APIs, latest news from news APIs, upcoming events from web scraping, and an online forum using Redis. It allows users to post images and comments about cryptocurrencies. The project aims to help users learn about cryptocurrencies and decide where to invest. It was tested for response time with increasing users and was found to provide the essential information and guidance needed for cryptocurrency newcomers.
Example Of A Thesis Statement In An Expository EssayJill Swenson
The document provides instructions for using a writing service called HelpWriting.net. It outlines a 5-step process: 1) Create an account with a password and email, 2) Complete a 10-minute order form providing instructions and deadline, 3) Review bids from writers and choose one, 4) Review the completed paper and authorize payment, 5) Request revisions until satisfied. The purpose is to outline the simple process for using this writing service to have assignments completed.
The document discusses practical incident response in heterogeneous environments and overcoming limitations of traditional approaches. It proposes utilizing intelligence-driven investigation and actionable IOCs to more flexibly shape the triage process across different operating systems. Examples are provided of using software fingerprinting and debugging symbols to attribute malware and build structured knowledge bases of attackers.
Making the Web Fireproof: A Building Code for WebsitesDylan Wilbanks
The moment we start creating a website, we’re setting ourselves up for failure later. Bad code creates middle of the night fire drills. Lack of thinking about accessibility gets our employer sued. Not thinking ahead on mobile generates rework. We accept this as the normal course of business – but is there any way we could prevent (or lower) this cost? Is there anything we can learn from the building codes that dictate how our built environment is constructed?
We will talk about the lessons of building codes and what we can do today to build more robust web applications and sites, including:
- The need for design patterns in websites
- The need for patterns in user stories so that we build websites consistently
- Baking accessibility into websites comes from putting accessibility into user stories
- Planning a web application is different from planning a building, but it does share similar aspects of work
- The better we can becoming at creating best practices (building codes) the better we will get at building sites, and the closer we will come to Berners-Lee’s “one web for all” dream
Presented at MinneWebCon 2015.
The Kyoto Protocol was devised to reduce greenhouse gas emissions and combat global warming. It outlined goals for developed countries to reduce emissions and increase energy efficiency, minimize emissions increases in developing countries, and promote sustainable practices. The Protocol set specific emissions reduction targets ranging from 8-10% below 1990 levels for developed countries. This document examines challenging aspects of international climate negotiations, the successes and failures of the agreement, factors contributing to these outcomes, and an overall assessment of the agreement.
The document provides an overview of standards and standardization for nanotechnologies. It discusses why standards are important for nanotechnologies, the roles and types of standards, and major international organizations developing standards including ISO, IEC, CEN, and BSI. It outlines some key challenges for nanotechnology standardization and provides examples of existing and in-development standards.
Similar to Indicators of Compromise Magic: Living with compromise (20)
This document discusses case studies of network breaches in virtualized environments. It provides an overview of the speaker's background and experience investigating cyber attacks. The document then outlines several past cases from 2011-2015, including nation state compromises and criminal organizations exfiltrating data. Tactics of advanced persistent threats and cybercriminals are converging. The presentation will explore a case study from Central Asia involving compromised government websites and the challenges of attribution.
Hitcon 2014: Surviving in tough Russian EnvironmentF _
This document summarizes a presentation on enterprise network security given in Taipei in 2014. The presentation covers prerequisites and past experience in enterprise defense, demonstrates tools and techniques for improving detection and incident handling, and discusses living with compromise in a challenging security environment like Russia. The document outlines the agenda and provides details on topics like identifying the attack surface, attacker tactics, incident response processes, and analyzing security incidents and systems.
whats wrong with modern security tools and other blurpsF _
This document discusses the limitations of modern network security tools and techniques. It provides examples of how malware authors are able to evade detection from antivirus software, network filters, and other defenses by using techniques like domain generation algorithms, encoding payloads in images and documents, and compromising legitimate websites and infrastructure to host and distribute attacks. The document argues that security vendors struggle to keep up with the constantly evolving tactics of cybercriminals, and that non-targeted social engineering attacks remain an effective way to compromise users.
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
This document analyzes advanced persistent threat (APT) attacks targeting Taiwan, focusing on the "Lstudio" group. It describes the group's infrastructure including command and control servers, use of botnets to control thousands of compromised machines internationally, and development of custom tools. The summary highlights key points about the group's operations since 2007, use of multiple software versions and back-ends, and targeting of both government and private sector victims primarily in Taiwan but also worldwide.
This document discusses various techniques used in cyber attacks, including exploiting vulnerabilities in software like Adobe Reader and Microsoft Office, using email as an attack vector, and social engineering techniques like password-protected archives. Specific examples are given of attacks resembling advanced persistent threats (APTs), including a targeted email with an exploit-carrying document and customized payload behavior. Detection and prevention methods are also covered, such as analyzing suspicious user agents and traffic patterns.
HITB2013AMS Defenting the enterprise, a russian way!F _
Thank you for the summary. While technology can enable both helpful and harmful uses, focusing on understanding different perspectives and bringing more light than heat can help address challenges in a constructive manner.
This document discusses detecting malicious network infrastructure through analyzing DNS traffic patterns. Specific techniques discussed include analyzing DNS query patterns for domain generation algorithm (DGA) domains to identify botnets. The document outlines a system built to perform passive DNS analysis to cluster similarly behaving domains and map command and control (C&C) infrastructure through techniques like WHOIS lookups and identifying domains with shared IP addresses or autonomous system numbers. Examples are provided of analyzing DNS query data step-by-step to identify known botnets like Carberp and Palevo. Automated detection and mapping of C&C infrastructure is discussed as well as potential uses of the collected data like generating blacklists or taking over botnets.
The document outlines tools and methods used to study the Russian underground economy. It discusses how data is collected from public forums and compromised systems. Automated and manual analysis is used to understand terminology and trends. Open source tools like Nutch and SOLR are customized for processing slang and context. The document then describes various online criminal activities like malware distribution, credit card theft, money laundering through money mules and currency exchanges. Metrics on traffic generation and DDoS costs are provided. Emerging areas like mobile malware and SEO spam are also covered. The document concludes by noting how cybercrime has become a global online economy rather than isolated incidents.
This document provides a summary of a presentation on cybercrime trends in 2012. It discusses emerging attack vectors like database breaches and email campaigns. Case studies are presented on malicious campaigns targeting Russian websites like kp.ru and rzd.ru in late 2011. Evolving evasion techniques used by cybercriminals like exploiting stolen DNS accounts and domains with similar names are examined. Mobile malware scams are also covered. The document concludes by emphasizing the need for automating real-time detection to keep up with cybercriminal techniques.
The document outlines an agenda for a seminar on enhancing AML/CTF tools and techniques to address electronic payment systems increasingly used for criminal activities. The seminar will examine case studies of real "red flag" activities involving electronic payment channels and patterns, and discuss regulatory requirements and best practices for monitoring these payment vehicles and strengthening AML programs. Speakers will also provide examples of underground money transfer systems like WebMoney that are abused for fraudulent services.
The document discusses unlawful internet activities like malware, cybercrime and digital piracy. It describes different types of actors involved, from "kiddies" to organized cybercriminal groups. It analyzes advanced persistent threats and case studies of infrastructure compromises. Examples are given of traffic monetization, ad abuse like malvertisements, extortion scams, and illicit online goods and services. The presentation aims to provide insights into these criminal underground economies and how they operate.
WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfUndress Baby
The quest for the best AI face swap solution is marked by an amalgamation of technological prowess and artistic finesse, where cutting-edge algorithms seamlessly replace faces in images or videos with striking realism. Leveraging advanced deep learning techniques, the best AI face swap tools meticulously analyze facial features, lighting conditions, and expressions to execute flawless transformations, ensuring natural-looking results that blur the line between reality and illusion, captivating users with their ingenuity and sophistication.
Web:- https://undressbaby.com/
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
What is Augmented Reality Image Trackingpavan998932
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
E-commerce Development Services- Hornet DynamicsHornet Dynamics
For any business hoping to succeed in the digital age, having a strong online presence is crucial. We offer Ecommerce Development Services that are customized according to your business requirements and client preferences, enabling you to create a dynamic, safe, and user-friendly online store.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
Indicators of Compromise Magic: Living with compromise
1. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs Case studies Categorizing Incidents Practical tasks Analysing N
Compromise Indicator Magic: Living with Compromise
Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
PhDays 2014
Affiliations: Academia Sinica, o0o.nu, chroot.org
May 22, 2014, Moscow
Compromise Indicator Magic: Living with Compromise Affiliations: Academia Sinica, o0o.nu, chroot.org
2. Outline
Introduction
IOC Standards
V:IOCs
mining IOCs
Applying IOCs
Case studies
Categorizing Incidents
Practical tasks
Analysing Network traffic
Analyzing HTTP logs
Analyzing AV logs
Creating 0wn IOCs
EOF
3. Everyone is p0wn3d :)
4. Challenges
Main Assumption: All networks are compromised
The difference between a good security team and a bad security team is that
with a bad security team you will never know that you’ve been compromised.
5. Statistics speak
about 40,000,000 internet users in Russia
for every 10,000 server hosts, 500 hosts trigger redirects to malicious content per week
about 20-50 user machines (full AV installed, NAT, FW) get affected
7. Introduction: terminology
Indicators of Compromise
Indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise
8. Why Indicators of Compromise
Indicators of Compromise help us to answer questions like:
is this document/file/hash malicious?
is there any past history for this IP/domain?
what are the other similar/related domains/hashes/..?
who is the actor?
am I an APT target?!!;-)
9. Workshop: hands-on part
If you’d like to try as we go, these are tools we are about to cover:
http://github.com/fygrave/ndf
http://github.com/fygrave/hntp
fiddler
elasticsearch && http://github.com/aol/moloch (vm)
yara (as moloch plugin)
hpfeeds
CIF
https://github.com/STIXProject/openioc-to-stix/
10. IOC representations
Multiple standards have been created to facilitate IOC exchanges.
Mandiant: OpenIOC
Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
Mitre: CAPEC, TAXII
IODEF (Incident Object Description Format)
11. Standards: OpenIOC
OpenIOC - a Mandiant-backed (now FireEye) effort for a uniform representation of IOCs: http://www.openioc.org/
12. OpenIOCs
Digital Appendices/Appendix G (Digital) - IOCs$ ls
(directory listing of the report's Appendix G: an "Appendix G IOCs README.pdf" and one GUID-named .ioc file per indicator; listing omitted)
13. Standards: Mitre
Mitre CybOX: http://cybox.mitre.org/
https://github.com/CybOXProject/Tools
https://github.com/CybOXProject/openioc-to-cybox
Mitre CAPEC: http://capec.mitre.org/
Mitre STIX: http://stix.mitre.org/
Mitre TAXII: http://taxii.mitre.org/
14. Mature: STIX
15. Indicators of Compromise
Complex IOCs covering all steps of attack
Dynamic creation of IOCs on the fly
Auto-reload of IOCs, TTLs
Dealing with different standards/import export
16. Exploit pack trace
url ip mime type ref
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html http://www.smeysyatu
http://cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html http://cuba.eanuncio
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive -
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 - -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - -
17. Nuclearsploit pack
{'Nuclearsploit pack': {
  'step1': {
    'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html', 'zf3z9lr6ac8di6r4k
    'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net', 'duncan.
    'arguments': [],
    'directories': ['1'],
    'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step2': {
    'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm',
              '1399773300.htm'],
    'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.
    'arguments': [],
    'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
    'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step3': {
    'files': ['1399422480.jar', '1399513440.jar'],
    'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
    'arguments': [],
    'directories': ['2909620968', '1', '940276731'],
    'ip': ['93.189.46.222', '93.189.46.224']},
  'step4': {
    'files': ['2'],
    'domains': ['cuba.eanuncios.net'],
    'arguments': [],
    'directories': ['f', '1', '1399422480', '2909620968', '2'],
    'ip': ['93.189.46.222']}
  }
}
18. Redirect (example)
http://mysimuran.ru/forum/kZsjOiDMFb/
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
http://c.hit.ua/hit?i=59278&g=0&x=2
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h
19. Redirect Example
{'28001': {
'step1': {
'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
'arguments': [],
'files': [''],
'ip': ['89.111.178.33'],
'domains': ['mysimuran.ru']},
'step2': {
'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
'arguments': ['4231', '7697', '9741'],
'files': ['js.js', 'cnt.html'],
'ip': ['89.111.178.33'],
'domains': ['mysimuran.ru']},
'step3': {
'directories': [],
'arguments': ['i', 'g', 'x'],
'files': ['hit'],
'ip': ['89.184.81.35'],
'domains': ['c.hit.ua']},
'step4': {
'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557
'arguments': [],
'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
'ip': ['46.254.16.209'],
'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}
}
}
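The exploit-pack trace and the redirect chain above are both stored as per-step indicator sets (directories, arguments, files, ip, domains). As an added example, not the authors' code, here is a Python function that builds that structure from a list of recorded requests; the names describe_step/describe_chain, the constructed RESOLVED lookup table that stands in for DNS resolution, and the assumption that the top-level key is the port of the chain's final request are mine.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the DNS/passive-DNS lookup that supplied the 'ip'
# lists on the slide; values are the ones the slide shows for these hosts.
RESOLVED = {
    "mysimuran.ru": "89.111.178.33",
    "c.hit.ua": "89.184.81.35",
    "f-wake.browser-checks.info": "46.254.16.209",
}


def _add(seq, item):
    """Append item unless already present, keeping first-seen order."""
    if item not in seq:
        seq.append(item)


def describe_step(urls, resolve=RESOLVED.get):
    """Aggregate the requests that make up one step of a redirect chain."""
    step = {"directories": [], "arguments": [], "files": [], "ip": [], "domains": []}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Every path component but the last is a directory; the last is the
        # file (an empty string when the path ends in '/', as in step1 above).
        comps = parts.path.lstrip("/").split("/")
        for directory in comps[:-1]:
            _add(step["directories"], directory)
        _add(step["files"], comps[-1])
        # Arguments are parameter names; a bare query such as '?4231' (no '=')
        # is kept whole, which is how the slide records it.
        for arg in filter(None, parts.query.split("&")):
            _add(step["arguments"], arg.split("=", 1)[0])
        _add(step["domains"], host)
        ip = resolve(host)
        if ip:
            _add(step["ip"], ip)
    return step


def describe_chain(steps, resolve=RESOLVED.get):
    """Build {port: {'step1': {...}, 'step2': {...}, ...}} from a list of steps,
    each a list of URLs. Assumption: the top-level key is the TCP port of the
    chain's final request ('28001' on the slide); the slides do not say so."""
    last = urlsplit(steps[-1][-1])
    port = str(last.port or (443 if last.scheme == "https" else 80))
    return {port: {f"step{i}": describe_step(urls, resolve)
                   for i, urls in enumerate(steps, 1)}}


# The redirect chain from the slide, one request per step. The last URL is cut
# off on the URL slide; its tail is taken from the 'files' entry of step4.
CHAIN = [
    ["http://mysimuran.ru/forum/kZsjOiDMFb/"],
    ["http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231"],
    ["http://c.hit.ua/hit?i=59278&g=0&x=2"],
    ["http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/"
     "http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26"],
]

if __name__ == "__main__":
    import json
    print(json.dumps(describe_chain(CHAIN), indent=1))
```

The slide's version merges several visits into one step (hence the extra directories and files in step1 and step2); describe_step does the same when a step is given more than one URL.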
20. IOCs
21. IOCs3
22. IOCs viz
23. IOCs viz(02)
24. IOCs viz(3)
25. IOCs viz(4)
26. IOCs viz(5)
27. Nuclear sploitpack
function see_user_agent(){
    var replace_user_agent =
        ['Lunascape', 'iPhone', 'Macintosh', 'Linux', 'iPad', 'Flock', 'Se
    var low_user_agent = false;
    for (var i in replace_user_agent) {
        if (stripos(navigator.userAgent, replace_user_agent[i])) {
            low_user_agent = true;
            break;
        }
    }
    return low_user_agent;
}
28. Sourcing External IOCs
CIF - https://code.google.com/p/collective-intelligence-framework/
feeds (with scrapers):
29. Sourcing External IOCs
feed your scrapers:
https://zeustracker.abuse.ch/blocklist.php?download=badips
http://malc0de.com/database/
https://reputation.alienvault.com/reputation.data ...
VT intelligence
30. Sourcing IOCs Internally
honeypot feeds
log analysis
traffic analysis
31. Where to look for IOCs internally
Outbound Network Traffic
User Activities/Failed Logins
User profile folders
Administrative Access
Access from unusual IP addresses
Database IO: excessive READs
Size of responses of web pages
Unusual access to particular files within Web Application (backdoor)
Unusual port/protocol connections
DNS and HTTP traffic requests
Suspicious Scripts, Executables and Data Files
32. Challenges
Why do we need IOCs? Because they make it easier to systematically describe
knowledge about breaches.
Identifying intrusions is hard
Unfair game:
defender should protect all the assets
attacker only needs to 'pop' one system.
Identifying targeted, organized intrusions is even harder
Minor anomalous events are important when put together
Seeing the global picture is a must
Details matter
Attribution is hard
33. Use honeypots
Running honeypots gives an enormous advantage in detecting emerging
threats
Strategically placing honeypots is extremely important
34. HPfeeds, Hpfriends and more
35. HPFeeds Architecture
36. HPFeeds API in a nutshell:
import pygeoip
import hpfeeds
import json

HOST = 'broker'
PORT = 20000
CHANNELS = ['geoloc.events']
IDENT = 'ident'
SECRET = 'secret'

gi = pygeoip.GeoIP('GeoLiteCity.dat')
hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)
# ip is the source address of the honeypot hit being published (set by the caller)
msg = {'latitude': gi.record_by_addr(ip)['latitude'],
       'longitude': gi.record_by_addr(ip)['longitude'],
       'type': 'honeypot hit'}
hpc.publish(CHANNELS, json.dumps(msg))
37. hpfeeds integration
38. NTP probe collector
39. HPFeeds and honeymap
40. Applying IOCs to your detection process
moloch moloch moloch :)
41. Tools for Dynamic Detection of IOC
Snort
Yara + yara-enabled tools
Moloch
Splunk/Log search
roll-your-own:p
42. Moloch
Moloch is awesome:
43. Open-source tools
OpenIOC manipulation
https://github.com/STIXProject/openioc-to-stix
https://github.com/tklane/openiocscripts
Mantis Threat Intelligence Framework
https://github.com/siemens/django-mantis.git
Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers:
https://github.com/siemens/django-mantis-openioc-importer
Search splunk data for IOC indicators:
https://github.com/technoskald/splunk-search
Our framework: http://github.com/fygrave/iocmap/
44. iocmap
45. MISP
http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
https://github.com/MISP
46. Tools for Dynamic Detection
Moloch
Moloch supports Yara (IOCs can be directly applied)
Moloch has awesome tagger plugin:
# tagger.so
# provides ability to import text files with IP and/or hostn
# into a sensor that would cause autotagging of all matching
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
47. Moloch plugins
Moloch is easily extendable with your own plugins
https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model)
48. Moloch ZMQ example
CEP-based analysis of network-traffic (using ESPER):
https://github.com/fygrave/clj-esptool/
(esp:add "create context SegmentedBySrc partition by src fro
WebDataEvent")
(esp:add "context SegmentedBySrc select src, rate(30) as ra
avg(rate(30)) as avgRate from WebDataEvent.win:time(30) havi
rate(30) < avg(rate(30)) * 0.75 output snapshot every 60 sec
(future-call start-counting)
49. Sources of IOCs
ioc bucket:
http://iocbucket.com
Public blacklists/trackers could also be used as source:
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
Eset IOC repository
https://github.com/eset/malware-ioc
more coming?
50. Where to mine IOCs
passive HTTP (keep your data recorded)
passive DNS
These platforms provide the ability to mine traffic or patterns from the past based
on IOC similarity:
"show me all the packets similar to this IOC"
We implemented a whois service for IOC look-ups:
whois -h ioc.host.com attribute:value+attribute:value
51. Mining IOCs from your own data
find and investigate an incident
or even read a paper
determine indicators and test them in YOUR environment
use the new indicators in the future
see the IOC cycle we mentioned earlier
52. Example
If an event chain leads to compromise:
http://liapolasens[.]info/indexm.html
http://liapolasens[.]info/counter.php?t=f&v=win%2011,7,700,169&a=true
http://liapolasens[.]info/354RIcx
http://liapolasens[.]info/054RIcx
What to do?
53. Use YARA, or tune your own tools
rule susp_params_in_url_kind_of_fileless_bot_drive_by
{
    meta:
        date = "oct 2013"
        description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.6
        description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "
    strings:
        $string0 = "http"
        $string1 = "indexm.html"
        $string2 = "054RI"
    condition:
        all of them
}
54. Use snort to catch suspicious traffic:
# many plugX deployments connect to google DNS when not in use
alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)
55. GRR: Google Rapid Response:
http://code.google.com/p/grr/
Hunting IOC artifacts with GRR
56. GRR: Creating rules
57. GRR: hunt in progress
58. Campaign walkthrough
59. An Example
A network compromise case study:
Attackers broke in via a web vulnerability
Attackers gained local admin access
Attackers created a local user
Attackers started probing other machines for default user IDs
Attackers launched tunneling tools, connecting back to C2
Attackers installed RATs to maintain access
60. Indicators
So what are the compromise indicators here?
Where did attackers come from? (IP)
What vulnerability was exploited? (pattern)
What web backdoor was used? (pattern, hash)
What tools were uploaded? (hashes)
What users were created locally? (username)
What usernames were probed on other machines?
61. Good or Bad?
File Name                   : RasTls.exe
File Size                   : 105 kB
File Modification Date/Time : 2009:02:09 19:42:05+08:00
File Type                   : Win32 EXE
MIME Type                   : application/octet-stream
Machine Type                : Intel 386 or later, and compatibles
Time Stamp                  : 2009:02:02 13:38:37+08:00
PE Type                     : PE32
Linker Version              : 8.0
Code Size                   : 49152
Initialized Data Size       : 57344
Uninitialized Data Size     : 0
Entry Point                 : 0x3d76
OS Version                  : 4.0
Image Version               : 0.0
Subsystem Version           : 4.0
Subsystem                   : Windows GUI
File Version Number         : 11.0.4010.7
Product Version Number      : 11.0.4010.7
File OS                     : Windows NT 32-bit
Object File Type            : Executable application
Language Code               : English (U.S.)
Character Set               : Windows, Latin1
Company Name                : Symantec Corporation
File Description            : Symantec 802.1x Supplicant
File Version                : 11.0.4010.7
Internal Name               : dot1xtray
62. It really depends on context
RasTls.DLL
RasTls.DLL.msc
RasTls.exe
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
Dynamic-Link Library Search Order
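The point of the two slides above is that the signed RasTls.exe is not an indicator on its own; it becomes one when it sits next to a RasTls.DLL (and a payload such as RasTls.DLL.msc) in a directory where the product was never installed, because the DLL search order loads the DLL from the application's own directory first. As an added example, not the authors' code, here is a check that looks for that exe+DLL pairing in a file listing; the function name, the constructed TRUSTED_PREFIXES allowlist and the sample listing are mine.

```python
import posixpath

# Constructed allowlist: directories where a genuine install of a product
# would live. Anything else (user profile, Temp, web root) is suspicious.
TRUSTED_PREFIXES = ("c:/program files/", "c:/windows/")


def sideload_triads(paths):
    """Find same-basename <name>.exe + <name>.dll pairs outside trusted dirs.

    Returns one dict per hit: the exe, the DLL that the loader would pick up
    from the same directory, and any extra files named '<dll>.<ext>' (the
    RasTls.DLL.msc payload file in the case above).
    """
    by_dir = {}
    for p in paths:
        directory, name = posixpath.split(p.replace("\\", "/"))
        by_dir.setdefault(directory, []).append(name)

    hits = []
    for directory, names in by_dir.items():
        if directory.lower().startswith(TRUSTED_PREFIXES):
            continue  # expected location for the product, not an indicator
        lower = {n.lower(): n for n in names}
        for n in names:
            stem, ext = posixpath.splitext(n)
            if ext.lower() != ".exe":
                continue
            dll = lower.get(stem.lower() + ".dll")
            if dll is None:
                continue  # a lone exe is not an indicator either
            extras = sorted(x for x in names if x.lower().startswith(dll.lower() + "."))
            hits.append({
                "exe": posixpath.join(directory, n),
                "dll": posixpath.join(directory, dll),
                "extras": [posixpath.join(directory, x) for x in extras],
            })
    return hits


# Constructed file listing for the example (not real host data).
CONSTRUCTED_LISTING = [
    "C:/Program Files/Symantec/RasTls.exe",  # constructed 'genuine' location
    "C:/Documents and Settings/user1/Local Settings/Temp/RasTls.exe",
    "C:/Documents and Settings/user1/Local Settings/Temp/RasTls.DLL",
    "C:/Documents and Settings/user1/Local Settings/Temp/RasTls.DLL.msc",
    "C:/Documents and Settings/user1/Local Settings/Temp/notes.txt",
]

if __name__ == "__main__":
    for hit in sideload_triads(CONSTRUCTED_LISTING):
        print(hit["exe"], "->", hit["dll"], hit["extras"])
```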
63. Categorization based on public sources
64. Categorization based on historical data
65. Categorization based on cross-source correlation
Visualizing the Threats
Filtering noisy extras
Making decisions
66. Investigating using known IOCs
Investigating Static host based IOCs
Investigating Dynamic host based IOCs
Investigating Static network IOCs
Investigating Dynamic network IOCs
67. Analyzing network traffic and DNS
68. Analyzing HTTP traffic
User agents
suspicious domains
static analysis of HTTP headers
69. Analyzing AV logs
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr
  C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnec
  C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.cl
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnec
  C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/ot/p
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.g
  C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
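Read together, the entries above are one drive-by: a Java exploit in the temp jar cache, a Java downloader in the deployment cache and a Win32 payload, all on the same user within two minutes. As an added example, not the authors' code, here is a parser for lines in that format that groups detections per user and reports the chain when an exploit, a downloader and a Win32 trojan fire within a short window; the log is constructed after the slide's entries (the cut-off detection names are completed with made-up variant suffixes) and the function names and stage heuristics are mine.

```python
import re
from datetime import datetime, timedelta

# One detection per line: "DD.MM.YY HH:MM Detected: <name> <path>"
LINE = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d:\d\d) Detected: (\S+) (.+)$")
USER = re.compile(r"Documents and Settings/([^/]+)/")
CVE = re.compile(r"CVE-\d{4}-\d+")

# Constructed sample log modelled on the slide (not real telemetry).
CONSTRUCTED_LOG = """\
23.01.13 19:56 Detected: Trojan-Spy.Win32.Zbot.aymr C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/27/4169865b-641d53c9/UPX
23.01.13 19:56 Detected: Trojan-Downloader.Java.OpenConnection.xx C:/Documents and Settings/user1/Application Data/Sun/Java/Deployment/cache/6.0/48/38388f30-4a676b87/bpac/b.class
23.01.13 19:58 Detected: HEUR:Exploit.Java.CVE-2013-0422.gen C:/Documents and Settings/user1/Local Settings/Temp/jar_cache3538799837370652468.tmp
24.01.13 08:10 Detected: not-a-virus:AdWare.Win32.Agent.xx C:/Documents and Settings/user2/Local Settings/Temp/setup.exe
"""


def parse_av_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, path = m.group(2), m.group(3)
        user = USER.search(path)
        cve = CVE.search(name)
        events.append({
            "ts": datetime.strptime(m.group(1), "%d.%m.%y %H:%M"),
            "name": name,
            "path": path,
            "user": user.group(1) if user else None,
            "java_cache": "/Java/Deployment/cache/" in path,
            "cve": cve.group(0) if cve else None,
        })
    return events


def stage(ev):
    """Map a detection name onto a stage of a drive-by chain (heuristic)."""
    n = ev["name"]
    if "Exploit." in n or ev["cve"]:
        return "exploit"
    if "Downloader." in n:
        return "downloader"
    if n.startswith("Trojan") and ".Win32." in n:
        return "payload"
    return None


def find_drive_by_chains(events, window=timedelta(minutes=10)):
    """Per user, report exploit + downloader + payload seen within `window`."""
    per_user = {}
    for ev in events:
        per_user.setdefault(ev["user"], []).append(ev)
    chains = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        stages = {}
        for ev in evs:
            s = stage(ev)
            if s:
                stages.setdefault(s, []).append(ev)
        if not {"exploit", "downloader", "payload"}.issubset(stages):
            continue
        staged = [e for group in stages.values() for e in group]
        times = [e["ts"] for e in staged]
        if max(times) - min(times) > window:
            continue  # the pieces exist but are too far apart to be one chain
        chains[user] = {
            "cves": sorted({e["cve"] for e in stages["exploit"] if e["cve"]}),
            "detections": [e["name"] for e in staged],
            "java_cache_dirs": sorted({e["path"].rsplit("/", 1)[0] for e in staged if e["java_cache"]}),
            "first": min(times),
            "last": max(times),
        }
    return chains
```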
70. Analyzing AV logs
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/ pictures/dem
01/14/13 06:57 PM 178.238.141.19 http://machete0-yhis.me/pictures/de
01/14/13 06:57 PM 178.238.141.19 http://loretaa0-shot.co/career...45
71. Analyzing AV logs
72. Analyzing AV logs
73. Analyzing AV logs
74. Creating host based IOCs
hashes, mutexes, threatexpert
75. Questions
And answers :)