Malware Analysis with Sandbox
email: alex.adamoff@gmail.com
LinkedIn: https://ua.linkedin.com/in/alexanderadamov
About Author
Alexander Adamov is a malware researcher and a security trainer with over nine years’ experience in the antivirus industry, working for Kaspersky Lab and Lavasoft.
Alexander is a university lecturer who develops new courses for EU universities and, at the same time, gives lectures and trainings in network security, reverse engineering, and malware analysis.
At present he is running a Cloud Sandbox startup.
Outline
1) Use Cases
2) Sandbox Intro
3) Sandbox Report
4) Features
5) Web Interface
6) Incident Response and Data Flow
7) Technical Requirements
8) Demo
9) Conclusions
USE CASES
Case 1: APT “CosmicDuke” Analysis
APT* “CosmicDuke/MiniDuke” – July 2014
The malware can steal a variety of information, including files based on extensions and file name keywords:
*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;
*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk; *.dll;*.tmp;*.obj;*.ocx;*.js
Also, the backdoor has many other capabilities including:
– Keylogger
– Skype password stealer
– General network information harvester
– Screen grabber (grabs images every 5 minutes)
– Clipboard grabber (grabs clipboard contents every 30 seconds)
– Microsoft Outlook, Windows Address Book stealer
– Google Chrome password stealer
– Google Talk password stealer
– Opera password stealer
– TheBat! password stealer
– Firefox, Thunderbird password stealer
– Drives/location/locale/installed software harvester
– WiFi network/adapter information harvester
– LSA secrets harvester
– Protected Storage secrets harvester
– Certificate/private keys exporter
– URL History harvester
– InteliForms secrets harvester
– IE Autocomplete, Outlook Express secrets harvester
– and more...
Example: “CosmicDuke” Builds
• 7 builds per day on average
• Spoofs legitimate apps
• Uses polymorphic encryption by UPolyXv05_v6 to hamper AV detection.
Example: “CosmicDuke” Victims
The victims of “CosmicDuke” fall into these categories:
• government
• diplomatic
• energy
• telecom operators
• military, including military contractors
• individuals involved in the traffic and selling of illegal and controlled substances
Analysis in Sandbox
Old CosmicDuke 2013
Report:
https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0
New CosmicDuke 2014:
• NVIDIA WLMerger App
Report:
https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0
• Adobe Acrobat Updater
Report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0
12 minutes
Case 2: APT “Epic Turla” Attack
The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including:
• government institutions,
• embassies,
• military,
• education,
• research and pharmaceutical companies.
“Epic Turla” is a massive cyber-espionage operation.
Type of “Epic Turla” Attacks
The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
• Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
• Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
• Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
• Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers.
Watering Hole example: infected Palestinian Authority Ministry of Foreign Affairs
Analysis in Sandbox
• Adobe PDF Exploits (Note_№107-41D.pdf CVE-2013-5065)
Report: https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm
– Dropped file (Epic/Tavdig/Wipbot backdoor):
Report: https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm
• Spearphishing files:
– NATO position on Syria.scr
https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm
• Dropped Epic/Tavdig/Wipbot backdoor:
https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm
• Turla Carbon package
Report: https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm
20 minutes
Similar Solutions on the Market
• Norman G2 Analyzer
• ThreatAnalyzer (former GFI Sandbox, CWSandbox)
• Cuckoo Sandbox
• VirusTotal online service
• FireEye MAS
• AlienVault Reputation Monitor
• Kaspersky Application Advisor (Beta)
SANDBOX REPORT
A Comparison of Sandbox Reports - 1

| Data Type | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|---|---|---|---|---|---|
| Summary/File Details | YES | YES | YES | YES | YES |
| Static Analysis: | | | | | |
| Dropped from | no | no | no | no | YES |
| Downloaded by | no | no | no | no | YES |
| Polymorphic | no | no | no | no | YES |
| PE Sections | no | no | no | YES | YES |
| VersionInfo | no | no | no | YES | YES |
A Comparison of Sandbox Reports - 2

| Dynamic Analysis | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|---|---|---|---|---|---|
| Payload = Behavior class | no | no | no | no | YES |
| Process activities | YES | YES | YES | YES | YES |
| File activities | YES | YES | YES | no | YES |
| Registry activity | YES | YES | YES | no | YES |
| Rootkit activity | no | no | no | no | YES |
| Dropped PE files | YES | no | no | no | YES |
| HOSTS file anomalies | no | no | no | no | YES |
| Propagation | no | no | no | no | YES |
| Named objects (Mutexes, Events) | YES | YES | YES | YES | YES |
A Comparison of Sandbox Reports - 3

| Network Activities | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|---|---|---|---|---|---|
| URLs/DNS | YES | YES | YES | YES | YES |
| IDS verdicts | no | no | no | YES | YES |
| Traffic | no | YES | YES | YES | YES |
| Detections: | | | | | |
| VirusTotal | no | YES | YES | YES | YES |
| Internal verdicts | - | YES | YES | YES | YES |
| Yara | YES | no | no | YES | YES |
| Threat type | no | no | YES | no | YES |
| Behavior class | no | no | YES | no | YES |
| Danger level | no | YES | YES | no | no |
A Comparison of Sandbox Reports - 4

| Others | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|---|---|---|---|---|---|
| Screenshot | YES | YES | YES | no | YES |
| Map | no | no | no | no | YES |
| Strings from dumps | no | no | no | no | YES |
| Removal instructions | no | no | no | no | YES |
| Architecture: | | | | | |
| Sandbox hypervisor type | Ubuntu/VirtualBox | IntelliVM | - | - | VMWare ESX/Workstation |
| Scalability | no | YES | YES | YES | YES |
| Custom sandbox instances | YES | YES | YES | - | YES |
A Comparison of Sandbox Reports - 5

| User Interface | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
|---|---|---|---|---|---|
| UI type | Console (Python scripts) | Web | Web | Web | Web |
| Dashboard | No | YES | YES | No | No |
| Queue manager | No | YES | YES | No | YES |
| Report type | HTML | PDF | PDF | Web report | HTML/PDF/Blog |
| Sales | Freeware | Direct | Direct | Direct | - |
| Total number of “YES” | 10 | 15 | 17 | 12 | 30 |
More Report Examples
https://www.dropbox.com/s/kh7dm8rngokd2f6/7a500c46d62f6f39e4bb2716a323bc34_report.htm
https://www.dropbox.com/s/rz7vzueqyxy53hy/e046da1b39202825155947371254a4e6_report.htm
https://www.dropbox.com/s/cl5h1fi91dkbt0d/e76d42578057862b5823ac926304cc22_report.htm
VMRay Analyzer
Source: http://www.vmray.com/vmray-analyzer-features/
Covers all kinds of behavior
• All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ..)
• All kinds of high-level semantics (filesystem, registry, network, user/group administration, ..)
• Monitors user- and kernel-mode code
• All process creation, code injection, and driver installation methods are tracked and detected
• Layer 7 protocols (HTTP, FTP, IRC, SMTP, DNS, …) are identified and parsed
Comprehensive Data Collection
• Enriched output with function prototype information, GeoIP lookup information, and process dependency graphs
• Takes screenshots during execution
• Monitors network traffic and stores PCAP files
• Detects and stores all files that are generated or modified by the malware
VMRay Analyzer
Process dependency graphs
LastLine
Source: http://advancedmalware.lastline.com/discovery-report-for-2/21/2015-to-2/27/2015
Lastline Malware Risk Assessment
Sandbox Intro
• Sandbox in-the-cloud (SitC) is a new cloud-based malware analysis system for IS professionals and advanced users.
• It delivers a comprehensive analysis report in 4-5 minutes.
Integration into ISP Infrastructure
SANDBOX FEATURES
Sandbox Features
• Get an analysis report/verdict by hash/file.
• Search for and track analyzed malware samples.
• Custom Yara rules are supported.
• Analysis time ~4 min.
• Scalable architecture (no limit on the number of processed samples) under VMWare ESX.
• Web interface.
• >5000 analyzed samples daily on 8 CPU cores (Core i7).
Yara Rules are Supported
• Add your own signatures to detect files/memory dumps/traffic:
SANDBOX INTERFACE
Web Interface
• Search by MD5
• Manual upload of a sample via the web form (high priority)
• Stream analysis (low priority)
• Advanced search in the Sandbox database by time frame, verdict, Yara rule, etc.
• The report (HTML, PDF) can be sent by email.
INCIDENT RESPONSE AND DATA FLOW
Incident Response with SitC
Detection
Investigation
Analysis
Remediation
Prevention
Unknown threats can be sent to SitC for analysis as files or metadata when they enter a trust perimeter.
SitC can assign a severity level to a submitted threat, so the most critical ones go to the IRT immediately.
Malware analysis takes ~4 minutes.
All malicious activities are presented in the SitC report, together with removal recommendations. The removal script or tool can be generated in advance.
The SitC report contains information about propagation, which helps in understanding the attack vector.
Operational Modes
1. On-Demand Analysis (High Priority)
– The user submits an object (file/traffic) via the Web page; it is analyzed and kept in storage.
– The report is generated and sent to the user’s email.
– When submitting an object, the user can choose the (pre-defined) type of virtual machine to be used for the analysis.
2. Stream Analysis (Low Priority)
– The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed automatically with low priority.
– The user can access the analysis data saved in storage for further analysis.
– The user can search for an already analyzed object by MD5 hash via the Web page to get the HTML report.
3. Sandbox Configuration
– The user can add new Yara rules via the Web page to detect files/dumps/traffic.
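The incident-response flow and the two operational modes above, modelled end to end as an added illustration (this is not SitC code): on-demand and stream submissions share one priority queue, objects already in storage are answered by MD5 lookup instead of being re-analyzed, and each finished report gets a severity level so that critical verdicts are routed to the IRT first. Indicator names follow the report comparison table; the weights and thresholds are assumptions.

```python
"""Toy model of the SitC intake flow shown on the slides: on-demand (web) and
stream (incoming folder) submissions, MD5 de-duplication against already
analyzed objects, and a severity level that sends critical verdicts to the IRT.
Added illustration, not SitC code; indicator names follow the report
comparison table, the weights and thresholds are assumptions."""
import hashlib
import heapq
import itertools

HIGH, LOW = 0, 1  # on-demand web upload vs. stream (incoming folder)

# Report indicators named in the comparison table; the weights are assumptions.
INDICATOR_WEIGHTS = {
    "rootkit_activity": 4,
    "propagation": 3,
    "cnc_connections": 3,
    "hosts_file_anomalies": 2,
    "yara_hits": 2,
    "dropped_pe_files": 1,
}


class Intake:
    """Priority queue of (priority, seq, md5, source) plus a store of finished reports."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()  # FIFO order within the same priority
        self._pending = set()
        self.reports = {}  # md5 -> finished report ("already analyzed" storage)

    def submit(self, data: bytes, source: str):
        """source is 'web' (high priority) or 'folder' (low priority)."""
        md5 = hashlib.md5(data).hexdigest()
        if md5 in self.reports:
            return "cached", md5  # search-by-MD5 hit, no re-analysis needed
        if md5 in self._pending:
            return "duplicate", md5  # already queued; priority is not bumped here
        prio = HIGH if source == "web" else LOW
        heapq.heappush(self._heap, (prio, next(self._seq), md5, source))
        self._pending.add(md5)
        return "queued", md5

    def next_job(self):
        return heapq.heappop(self._heap) if self._heap else None

    def store(self, md5: str, report: dict):
        self._pending.discard(md5)
        self.reports[md5] = report


def severity(report: dict) -> str:
    """Sum the weights of the indicators present and bucket the score."""
    score = sum(w for k, w in INDICATOR_WEIGHTS.items() if report.get(k))
    if score >= 6:
        return "critical"
    if score >= 3:
        return "high"
    return "medium" if score >= 1 else "clean"


def route(report: dict) -> str:
    """Critical verdicts go straight to the IRT; the rest wait in the review queue."""
    return "IRT" if severity(report) == "critical" else "review-queue"


def drain(intake: Intake, analyze) -> list:
    """Run queued jobs in priority order; analyze(md5) stands in for the sandbox."""
    out = []
    while (job := intake.next_job()) is not None:
        _prio, _seq, md5, source = job
        report = analyze(md5)
        intake.store(md5, report)
        out.append((source, md5, severity(report), route(report)))
    return out


# Constructed sample bytes and constructed sandbox results for the demo.
SAMPLE_A = b"constructed sample A (dropper)"
SAMPLE_B = b"constructed sample B (benign)"
FAKE_RESULTS = {
    hashlib.md5(SAMPLE_A).hexdigest(): {
        "dropped_pe_files": 2, "hosts_file_anomalies": True,
        "cnc_connections": ["203.0.113.7:443"], "yara_hits": ["custom_ioc_rule"]},
    hashlib.md5(SAMPLE_B).hexdigest(): {"dropped_pe_files": 0, "cnc_connections": []},
}


def demo():
    """Queue A via the folder, B via the web, re-submit A, then drain and re-query."""
    intake = Intake()
    first = intake.submit(SAMPLE_A, "folder")  # stream, low priority
    second = intake.submit(SAMPLE_B, "web")  # on-demand, jumps ahead of A
    dup = intake.submit(SAMPLE_A, "web")  # same MD5 already pending
    processed = drain(intake, FAKE_RESULTS.__getitem__)
    cached = intake.submit(SAMPLE_A, "folder")  # now answered from storage
    return first, second, dup, processed, cached
```

Running `demo()` shows the web upload of B analyzed before the earlier folder drop of A, A's report scoring "critical" and routed to the IRT, and the second folder drop of A served from storage without a new sandbox run.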
Technical Requirements for SitC Deployment
• VMWare ESXi Server 5.1 (free use up to 32 GB RAM):
• 8 CPU cores
• 16 GB RAM
• 4 TB low-speed HDD and 2 x 120 GB SSD
• Internet access (so malware can connect to remote servers and download updates)
• Incoming traffic (PE files, PCAP dumps) to the Sandbox
• Remote access via vSphere to set up and control the Sandbox
• The Sandbox server should be well isolated inside the local network to prevent unsolicited malware spreading.
DEMO
• Cloud Sandbox Video – 2:38
Conclusions
1) SitC can potentially be used for:
• Analysis and detection of malicious or suspicious files.
• Analysis and detection of network traffic (PCAP).
• Triggering on custom Indicators of Compromise (IoCs) using Yara.
• Finding 0-day cyber attacks and APTs (via traffic analysis).
• Discovering infected hosts by their malicious traffic (connections to C&C servers).
2) The SitC prototype has the most comprehensive malware analysis report in the industry, and we want to test it in a real-life environment.

Discover the benefits of outsourcing SEO to India
davidjhones387
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
bseovas
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 

Recently uploaded (20)

7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
Design Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptxDesign Thinking NETFLIX using all techniques.pptx
Design Thinking NETFLIX using all techniques.pptx
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 

Sandbox kiev

Example: “CosmicDuke” Builds
• 7 builds per day on average
• Spoofs legitimate apps
• Uses polymorphic encryption by UPolyXv05_v6 to hinder AV detection
Example: “CosmicDuke” Victims
The victims of “CosmicDuke” fall into these categories:
• government
• diplomatic
• energy
• telecom operators
• military, including military contractors
• individuals involved in the trafficking and sale of illegal and controlled substances
Analysis in Sandbox
Old CosmicDuke (2013) report:
https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0
New CosmicDuke (2014):
• NVIDIA WLMerger app report: https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0
• Adobe Acrobat Updater report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0
12 minutes
Case 2: APT “Epic Turla” Attack
“Epic Turla” is a massive cyber-espionage operation. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including:
• government institutions
• embassies
• military
• education
• research and pharmaceutical companies
Type of “Epic Turla” Attacks
The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
• Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
• Social engineering to trick the user into running malware installers with a ".SCR" extension, sometimes packed with RAR
• Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
• Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers
Watering hole example: the infected Palestinian Authority Ministry of Foreign Affairs website
Analysis in Sandbox
• Adobe PDF exploit (Note_№107-41D.pdf, CVE-2013-5065) report:
  https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm
  – Dropped file (Epic/Tavdig/Wipbot backdoor) report:
    https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm
• Spearphishing file: NATO position on Syria.scr
  https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm
  – Dropped Epic/Tavdig/Wipbot backdoor:
    https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm
• Turla Carbon package report:
  https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm
20 minutes
Similar Solutions on the Market
• Norman G2 Analyzer
• ThreatAnalyzer (formerly GFI Sandbox, CWSandbox)
• Cuckoo Sandbox
• VirusTotal online service
• FireEye MAS
• AlienVault Reputation Monitor
• Kaspersky Application Advisor (Beta)
A Comparison of Sandbox Reports - 1
Columns: Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC

Data Type                 Cuckoo   Norman G2   GFI/ThreatTrack   VirusTotal   SitC
Summary/File details      YES      YES         YES               YES          YES
Static analysis:
  Dropped from            no       no          no                no           YES
  Downloaded by           no       no          no                no           YES
  Polymorphic             no       no          no                no           YES
  PE sections             no       no          no                YES          YES
  VersionInfo             no       no          no                YES          YES
A Comparison of Sandbox Reports - 2
Columns: Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC

Dynamic Analysis                  Cuckoo   Norman G2   GFI/ThreatTrack   VirusTotal   SitC
Payload = Behavior class          no       no          no                no           YES
Process activities                YES      YES         YES               YES          YES
File activities                   YES      YES         YES               no           YES
Registry activity                 YES      YES         YES               no           YES
Rootkit activity                  no       no          no                no           YES
Dropped PE files                  YES      no          no                no           YES
HOSTS file anomalies              no       no          no                no           YES
Propagation                       no       no          no                no           YES
Named objects (mutexes, events)   YES      YES         YES               YES          YES
A Comparison of Sandbox Reports - 3
Columns: Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC

Network Activities        Cuckoo   Norman G2   GFI/ThreatTrack   VirusTotal   SitC
URLs/DNS                  YES      YES         YES               YES          YES
IDS verdicts              no       no          no                YES          YES
Traffic                   no       YES         YES               YES          YES
Detections:
  VirusTotal              no       YES         YES               YES          YES
  Internal verdicts       -        YES         YES               YES          YES
  Yara                    YES      no          no                YES          YES
  Threat type             no       no          YES               no           YES
  Behavior class          no       no          YES               no           YES
  Danger level            no       YES         YES               no           no
A Comparison of Sandbox Reports - 4
Columns: Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC

Others                      Cuckoo              Norman G2   GFI/ThreatTrack   VirusTotal   SitC
Screenshot                  YES                 YES         YES               no           YES
Map                         no                  no          no                no           YES
Strings from dumps          no                  no          no                no           YES
Removal instructions        no                  no          no                no           YES
Architecture:
  Sandbox hypervisor type   Ubuntu/VirtualBox   IntelliVM   -                 -            VMware ESX/Workstation
  Scalability               no                  YES         YES               YES          YES
  Custom sandbox instances  YES                 YES         YES               -            YES
A Comparison of Sandbox Reports - 5
Columns: Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC

User Interface            Cuckoo                     Norman G2   GFI/ThreatTrack   VirusTotal   SitC
UI type                   Console (Python scripts)   Web         Web               Web          Web
Dashboard                 no                         YES         YES               no           no
Queue manager             no                         YES         YES               no           YES
Report type               HTML                       PDF         PDF               Web report   HTML/PDF/Blog
Sales                     Freeware                   Direct      Direct            Direct       -
Total number of “YES”     10                         15          17                12           30
VMRay Analyzer
Source: http://www.vmray.com/vmray-analyzer-features/
Covers all kinds of behavior:
• All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ...)
• All kinds of high-level semantics (filesystem, registry, network, user/group administration, ...)
• Monitors user- and kernel-mode code
• All process creation, code injection and driver installation methods are tracked and detected
• Layer-7 protocols (HTTP, FTP, IRC, SMTP, DNS, ...) are identified and parsed
Comprehensive data collection:
• Enriched output with function prototype information, GeoIP lookup information and process dependency graphs
• Takes screenshots of the running execution
• Monitors network traffic and stores PCAP files
• Detects and stores all files that are generated or modified by the malware
Sandbox Intro
• Sandbox in-the-Cloud (SitC) is a new cloud-based malware analysis system for information security professionals and advanced users.
• It returns a comprehensive analysis report in 4-5 minutes.
Integration into ISP Infrastructure
Sandbox Features
• Get an analysis report/verdict by hash or by file.
• Search for and track analyzed malware samples.
• Custom Yara rules are supported.
• Analysis time ~4 min.
• Scalable architecture under VMware ESX (no limit on the number of samples processed in parallel).
• Web interface.
• More than 5,000 samples analyzed per day on 8 CPU cores (Core i7).
Yara Rules are Supported
• Add your own signatures to detect files, memory dumps and network traffic.
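The slide says a single custom rule can be applied to three kinds of artifact. The block below is an added example, not SitC's or Yara's code: it is a small Python stand-in for Yara's string matching and "N of them" condition, so that the effect of running one rule over a dropped file, a process memory dump and a captured HTTP request can be seen end to end. The rule name, the indicator strings and all three artifacts are constructed for illustration. The one practitioner detail it makes visible is the `wide` (UTF-16LE) variant: Windows processes keep most strings in memory as UTF-16, so a rule meant for dumps that only carries ASCII patterns silently misses them.

```python
"""Added example (not SitC/Yara code): one string rule, three artifact kinds.

Emulates Yara's `ascii wide` string matching and the `N of them` condition in
plain Python. Rule, indicators and artifacts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict[str, bytes]      # identifier -> ASCII pattern, like Yara's $strings
    min_matches: int = 1           # like Yara's "N of them"
    wide: bool = True              # also try the UTF-16LE form, like Yara's "wide"


def _variants(pattern: bytes, wide: bool) -> list[bytes]:
    """The ASCII pattern plus its UTF-16LE encoding (how Windows keeps it in memory)."""
    out = [pattern]
    if wide:
        out.append(pattern.decode("latin-1").encode("utf-16-le"))
    return out


def match_rule(rule: Rule, data: bytes) -> list[str]:
    """Identifiers of the rule's strings found in data, if at least
    rule.min_matches of them are present; otherwise an empty list."""
    hits = [ident for ident, pat in rule.strings.items()
            if any(v in data for v in _variants(pat, rule.wide))]
    return hits if len(hits) >= rule.min_matches else []


def scan_artifacts(rules: list[Rule], artifacts: dict[str, bytes]) -> dict[str, dict[str, list[str]]]:
    """Run every rule over every artifact; result[artifact][rule] = matched identifiers."""
    result: dict[str, dict[str, list[str]]] = {}
    for kind, data in artifacts.items():
        for rule in rules:
            hits = match_rule(rule, data)
            if hits:
                result.setdefault(kind, {})[rule.name] = hits
    return result


# Constructed rule: the kind of indicators a sandbox report exposes (a mutex
# name, a C2 URL path, a PDB path). None of these are real IoCs.
EXAMPLE_RULE = Rule(
    name="example_backdoor",
    strings={
        "$mutex": b"Global\\ExampleMutex2014",
        "$c2path": b"/gate.php?id=",
        "$pdb": b"backdoor\\Release\\stub.pdb",
    },
    min_matches=2,                 # "2 of them"
)

# Constructed artifacts: the dropped PE on disk (ASCII strings), a process memory
# dump (UTF-16LE strings) and the payload of one captured HTTP request.
EXAMPLE_ARTIFACTS = {
    "file": b"MZ\x90\x00" + b"\x00" * 16 + b"backdoor\\Release\\stub.pdb\x00/gate.php?id=",
    "dump": "Global\\ExampleMutex2014".encode("utf-16-le") + b"\x00\x00"
            + "/gate.php?id=".encode("utf-16-le"),
    "traffic": b"GET /gate.php?id=1234 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for kind, matches in scan_artifacts([EXAMPLE_RULE], EXAMPLE_ARTIFACTS).items():
        print(kind, matches)
```

Run as written, the rule fires on the file (two ASCII strings) and on the dump (two UTF-16LE strings) but not on the traffic, where only one of the three indicators can ever appear. That is the usual reason to keep a separate traffic rule with a `1 of them` condition next to the file/dump rule rather than loosening the latter.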
Web Interface
• Search by MD5
• Manual sample upload via the web form (high priority)
• Stream analysis (low priority)
• Advanced search in the Sandbox database by time frame, verdict, Yara rule, etc.
• The report (HTML, PDF) can be sent by e-mail.
Incident Response with SitC
Detection: Unknown threats can be sent to SitC for analysis, as files or metadata, when they enter the trust perimeter.
Investigation: SitC can assign a severity level to a submitted threat, so the most critical ones go to the IRT immediately.
Analysis: Malware analysis takes ~4 minutes. All malicious activities are presented in the SitC report, together with removal recommendations.
Remediation: The removal script or tool can be generated in advance.
Prevention: The SitC report contains information about propagation, which helps in understanding the attack vector.
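The flow above turns a report into two outputs: a severity that decides whether the sample goes straight to the IRT, and a removal script prepared before anyone touches the infected host. The block below is an added example, not SitC code, showing one way to derive both from a report. The report layout, the weights and the thresholds are assumptions chosen for illustration; the section names follow the comparison slides (dropped PE files, registry autorun keys, HOSTS file anomalies, propagation, rootkit activity, C2 connections, IDS verdicts). The removal script only touches artefacts the report actually lists and leaves the HOSTS file to a human, since deleting lines there blindly can break name resolution.

```python
"""Added example (not SitC code): severity and removal script from a report.

Report structure, weights and thresholds are assumptions for illustration.
"""

# Weight applied once per behaviour section that is present in the report.
WEIGHTS = {
    "rootkit_activity": 40,
    "propagation": 30,
    "c2_connections": 25,
    "ids_alerts": 15,
    "hosts_file_anomalies": 15,
    "dropped_pe_files": 10,
    "autorun_keys": 10,
}

# Score thresholds, highest first.
LEVELS = [(60, "critical"), (30, "high"), (10, "medium"), (0, "low")]


def severity(report: dict) -> tuple[int, str]:
    """Sum the weights of the non-empty sections and map the score to a level."""
    score = sum(w for key, w in WEIGHTS.items() if report.get(key))
    for threshold, level in LEVELS:
        if score >= threshold:
            return score, level
    return score, "low"


def route(report: dict) -> str:
    """Critical and high samples are pushed to the IRT now; the rest wait in triage."""
    _, level = severity(report)
    return "irt-immediate" if level in ("critical", "high") else "triage-queue"


def removal_script(report: dict) -> str:
    """Emit a cmd.exe script that undoes only the changes the report recorded."""
    lines = ["@echo off", "REM generated from sandbox report %s" % report.get("md5", "?")]
    for image_name in report.get("processes", []):
        lines.append('taskkill /F /IM "%s"' % image_name)
    for key, value in report.get("autorun_keys", []):
        lines.append('reg delete "%s" /v "%s" /f' % (key, value))
    for path in report.get("dropped_pe_files", []):
        lines.append('del /F /Q "%s"' % path)
    if report.get("hosts_file_anomalies"):
        # Left for manual review: a blanket rewrite of hosts can break the host.
        lines.append("REM review %SystemRoot%\\System32\\drivers\\etc\\hosts for these entries:")
        for entry in report["hosts_file_anomalies"]:
            lines.append("REM   " + entry)
    return "\n".join(lines) + "\n"


# Constructed report for a hypothetical dropper; hash, paths and addresses are made up.
EXAMPLE_REPORT = {
    "md5": "00000000000000000000000000000000",
    "processes": ["updater.exe"],
    "dropped_pe_files": [r"C:\Users\user\AppData\Roaming\updater.exe"],
    "autorun_keys": [(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater")],
    "hosts_file_anomalies": ["127.0.0.1 update.example.invalid"],
    "c2_connections": ["203.0.113.10:443"],
    "ids_alerts": ["ET TROJAN example C2 beacon"],
    "propagation": [],
    "rootkit_activity": False,
}

if __name__ == "__main__":
    print(severity(EXAMPLE_REPORT), route(EXAMPLE_REPORT))
    print(removal_script(EXAMPLE_REPORT))
```

For the constructed report the score is 75 (C2 + IDS + HOSTS + dropped PE + autorun), which is "critical" and routes to the IRT at once; the same dropper without network activity would land in the triage queue. Tune the weights against your own history of confirmed incidents rather than keeping the illustrative values.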
Operational Modes
1. On-demand analysis (high priority)
   – The user submits an object (file/traffic) via the web page; it is analyzed and kept on the storage.
   – The report is generated and sent to the user's e-mail.
   – When submitting an object, the user can choose the (pre-defined) type of virtual machine to be used for the analysis.
2. Stream analysis (low priority)
   – The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed automatically with low priority.
   – The user can access the analysis data saved on the storage to do extra analysis.
   – The user can search for an already analyzed object by MD5 hash via the web page to get the HTML report.
3. Sandbox configuration
   – The user can add new Yara rules via the web page to detect files/dumps/traffic.
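A submission helper for the two analysis modes above, as an added example that is not SitC's own client: it hashes the sample, looks the MD5 up in a local index of already analyzed objects (standing in for the web search by MD5), and only queues samples that are new, copying them into the sandbox incoming folder under a priority sub-folder. The folder layout (`incoming/high`, `incoming/low`), the JSON index format and the content-addressed file name are assumptions for illustration. The helper also records SHA-256 next to MD5: the page's lookup key is MD5, but MD5 is not collision-resistant, so it should not be the only hash kept for a sample.

```python
"""Added example (not SitC code): hash, look up by MD5, then queue if unknown.

Folder layout, index format and file naming are assumptions for illustration.
"""
import hashlib
import json
import shutil
from pathlib import Path


def file_hashes(path: Path) -> dict[str, str]:
    """MD5 for the lookup the sandbox offers; SHA-256 because MD5 alone is weak."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def load_index(index_file: Path) -> dict[str, str]:
    """md5 -> report path (assumed JSON object); empty if no index exists yet."""
    return json.loads(index_file.read_text()) if index_file.exists() else {}


def submit(sample: Path, incoming: Path, index_file: Path, priority: str = "low") -> dict:
    """Return {'status': 'known', 'report': ...} when the MD5 was analyzed before,
    otherwise copy the sample to incoming/<priority>/<sha256> and return 'queued'."""
    if priority not in ("high", "low"):            # high = on-demand, low = stream
        raise ValueError("priority must be 'high' (on-demand) or 'low' (stream)")
    h = file_hashes(sample)
    index = load_index(index_file)
    if h["md5"] in index:
        return {"status": "known", "report": index[h["md5"]], **h}
    dest_dir = incoming / priority
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / h["sha256"]                   # content-addressed: re-submits overwrite themselves
    shutil.copy2(sample, dest)
    return {"status": "queued", "path": str(dest), **h}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = root / "sample.exe"
        sample.write_bytes(b"MZ" + b"\x00" * 62)   # constructed stand-in for a PE file
        print(submit(sample, root / "incoming", root / "index.json", "high"))
        print(submit(sample, root / "incoming", root / "index.json", "low"))
```

The second call in the `__main__` block still queues the sample, because nothing has added its MD5 to the index yet; in a deployment the analysis pipeline would write the index entry when the report is produced, and the second call would return the existing report instead.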
Technical Requirements for SitC Deployment
• VMware ESXi Server 5.1 (free licence, up to 32 GB RAM):
  – 8 CPU cores
  – 16 GB RAM
  – 4 TB low-speed HDD and 2 x 120 GB SSD
• Internet access (so malware can connect to remote servers and download updates)
• Incoming traffic (PE files, PCAP dumps) to the Sandbox
• Remote access via vSphere to set up and control the Sandbox
• The Sandbox server should be well isolated inside the local network to prevent unsolicited malware spreading: a separate network segment whose analysis VMs can reach the Internet but not internal hosts.
DEMO
• Cloud Sandbox video (2:38)
Conclusions
1) SitC can potentially be used for:
• Analysis and detection of malicious or suspicious files.
• Analysis and detection of network traffic (PCAP).
• Triggering on custom Indicators of Compromise (IoCs) using Yara.
• Finding 0-day cyber attacks and APTs (via traffic analysis).
• Discovering infected hosts by their malicious traffic (connections to C&C servers).
2) Of the sandboxes compared above, the SitC prototype produces the most comprehensive malware analysis report (30 of the compared report features), and we want to test it in a real-life environment.

Editor's Notes

  1. *APT – Advanced Persistent Threat. Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  2. Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  3. Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  4. Source: http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
  5. Source: http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
  6. SitC ver 1.0 UI: Dashboard, report format, scheduler, queue manager, etc. UI Type: Standalone App, Web UI. How they sell products.
  7. SitC ver 1.0 UI: Dashboard, report format, scheduler, queue manager, etc. UI Type: Standalone App, Web UI. How they sell products.
  8. https://www.brighttalk.com/webcast/8303/81677 Old comment: example with SitC on board: AV detection (quarantine) -> analyze and find all downloaded/dropped files that are not detected. Use case: classic vs. SitC.