
Building The ATT&CK Pipeline For Linux - Tim Wadhwa-Brown

BSides London · 2025 · 45:28 · 70 views · Published 2025-02
About this talk
ATT&CK is a game changer and where it works, it can enable both blue and red teams to co-exist and work effectively together. However, what do attackers on Linux do when bitcoin miners aren't their motivation? This talk looks at how the linux-malware repo came to take shape and how I've used it to inform both MITRE and Cisco's view on adversarial behaviour over the last three years.
Transcript [en]

Hands up if you're ready for this last talk to be over and done with so you can get to the pub, the restaurant, to see your family, your friends. We're all done after a hard day's listening to talks, some to clear up. OK, so next question: who here has used ATT&CK? How many of you are blue, how many of you are red? Blue hands, red hands. So this presentation is for all of you, very much a considered view from someone who's played both sides of the fence over the last 20 years. I started in a SOC, I spent a good deal of time red teaming, I'm currently doing detection engineering for interesting customers and interesting places.

But anyway, who am I? So I'm Tim. As I said, I started life in a SOC. This was before I was a Cisco person, this was before Splunk, this was before SIEMs even existed. The first SOC I ever built, we used SQL Server to collect our audit data and then we ran hunts overnight using SQL queries to get results out. Then I spent probably 15 years doing offensive stuff for critical national infrastructure. Today I work inside of Cisco, bridging that gap for Cisco's customers. You can see there I collect CVEs, I may have rather a few to my name, but more recently I've been collecting MITRE ATT&CK techniques. I kind of sat there and went, well, we're really not doing detection as well as we would like; how might we do it better?

So previously, as I said, I've played both sides of the fence, done an awful lot of offensive research on Unix platforms, ranging from looking at how our banking infrastructure worked (the bank I worked at in that SOC all those years ago) right through to some more modern day stuff looking at how AD integration works with Unix systems. But then on the other side of the fence I've spent a fair bit of time consulting on how to build better SOCs. If you didn't see it, there was a great talk in the rookie track earlier from a guy called Tim, a fantastic summary of the problem space in which we all inhabit. But yeah, I've spent a fair bit of time on both sides of the fence and I would like to make sure that we remember we are all in it together. We should be one team, and if you're a red team that turns up, delivers your report and brutally [ __ ] off, you're not helping your customer, you're probably not helping the country and you're certainly not keeping humans safe and secure.

So the agenda: introducing linux-malware. So linux-malware was a project I started about four years ago, looking at how we tackle this gap between what the blue team think of the world and what the red team think of the world, and I'm going to go a little into what the attack landscape looks like. For those of you that don't know, I'm one of the community representatives for MITRE based in the UK; I am probably the UK's main representative into the MITRE ATT&CK framework. I'm going to go into a little about what we've been doing there, how we've been helping MITRE improve ATT&CK for Linux. I'm going to talk a little bit about what that looks like from a technological perspective, because it's clearly not just a problem of we don't have the information; sometimes it's about making sure the information ends up in the right places with the right people and they know what to do with it. I'm going to touch upon detection engineering, because everyone will tell you that EDRs are the only way to go; not everyone necessarily wants to deploy an EDR to their core banking system or their packet core inside a service provider, so what else can you do? And then I'm going to wrap it up with some conclusions based on, yeah, four years of trying to fight the good fight and make us better.

So linux-malware. linux-malware is a project that attempts to categorize, qualify and reanalyze every source of threat intelligence that exists from a Linux

perspective in the public domain. We do not go back through Cisco's own stuff; this is an entirely siloed project so that we can share it with people like MITRE. But essentially if we found a piece of offensive tooling, if we found a piece of offensive research, if we've seen a threat intelligence report from one of the MSPs out there, if we found anything that tells us a little more about how hackers work on Linux, it gets pushed into linux-malware and then we use that to refine MITRE ATT&CK. And when I say refine, that involves sitting down with MITRE, having long in-depth conversations discussing what has been reported, perhaps in some cases explaining what's been reported and why it matters, giving them context around what syscall that was and why that syscall matters and which files on the file system perhaps should be being monitored. Yeah, real technical stuff about taking threat intelligence and making it useful to all people.

That's how the project kind of came into being. Essentially I was complaining that Linux mappings in ATT&CK weren't very good and MITRE said, how about you come and help us, and I said, well, I like nothing more than that kind of problem. I'm very much a believer in helping society rather than necessarily commercializing every piece of thought that goes through my head. So yeah, for the last four years I've been building a repository that hopefully will make us better as defenders, and I think actually the statistics and the threat intelligence reporting we're seeing in the world probably bears out the fact that actually things are improving, things are getting better. There's a timeline of some of the threats and some of the malware sources that we've seen over the last four or five years. We're certainly seeing more sophisticated attacks. Is it because there are more sophisticated attacks? I think actually it's probably because we're slightly better at spotting them, at least I'd like to think so.

So where all of this started was I built a honeypot, or I built a series of honeypots. I deployed honeypots across the globe. At one stage or other I had a honeypot that purported to be a bank in Brazil, because they'd used an IP address in one of the VPSs for their bank, then they'd closed that particular VPS and I'd got the IP address, and it turns out I was getting SSL connections to my honeypot with a host name that was a Brazilian bank. That was kind of quite interesting, but it was a good way of seeing what adversaries were actually doing. There's a summary on the screen. I ran two types of honeypot: an IBM MQ (those of you who don't know what IBM MQ is, it's a message bus, it's a way of allowing enterprise organizations, the likes of your FTSE 100 and equivalent, to pass data around their organization; so if you have an application that sits on the internet and you have a core banking system that sits at the back of your organization that holds all your customers' data, chances are you're using a message bus to pass data between them) and DB2 (hopefully people are aware of what databases are and how they work, but essentially very similar). The idea was put two standard enterprise applications on the internet, leave them with some open doors and see how people get on. Do adversaries fall for them? Do they do interesting things? Sadly not. I was pretty disappointed by this. I'd really hoped I was going to catch lots of interesting malware, but as you can probably imagine, most enterprises, at least the competent ones, don't necessarily leave these systems on the internet, so perhaps unsurprising that adversaries weren't necessarily looking for them. But it was certainly a first chance to see how people were behaving, what adversaries might do.

Then we moved on to, well, what malware is available? And I have access to VirusTotal, but I wanted to make this repeatable. So for those of you who don't know, MalwareBazaar is run by a team in Switzerland on a nonprofit basis. It's free to use; you can run your own

hunts, you can upload YARA files, you can run queries, you can do more or less what you like and you can see the results, and a lot of malware gets pushed into it, so you get to see some really quite interesting samples. But it's, yeah, anybody can do it. So if you're a college student and you don't have the ability to come and get a corporate VirusTotal license, MalwareBazaar is definitely somewhere you should be looking. And that's what I was really looking for: Unix malware, the really interesting stuff. Most of what goes into most of the antivirus sandboxes, the detonation engines etc. in the way of Linux stuff is pretty dull; dull is perhaps not the right word, but it's IoT, it's the router in your house, it's the coffee pot, it's the mobile phone etc. That wasn't really what I was interested in, but it was again an interesting opportunity to sample what was already available.

There you go, that's the kind of thing you find in MalwareBazaar: lots of Mirai. Are you all familiar with what Mirai is? Anyone not? OK, Hannah. So Mirai is a particular botnet that affects IoT devices; typically it's targeting things like PowerPC architecture, ARM embedded systems etc., but as you can imagine, sitting on the internet there's an awful lot of those types of devices, so no surprise that there's an awful lot of that type of malware kicking around. But more interestingly, we can see what types of malware were being delivered, what types of distribution mechanisms were being used, whether they were compiled, whether they were Python code etc., and it certainly gave us another view about what was happening.

So I took it a little bit further. I started writing YARA rules to go and look for things I was interested in, and you'll see up there there are some obvious examples of things that perhaps you might understand why I'm looking for them. Cisco tools is an interesting one. So Cisco tools: I went and wrote a signature for all of our open source offensive tooling, on the basis I'd like to know if people are using that for bad things, and you'll see why in a couple of slides' time. But essentially I wrote a bunch of signatures; some of those signatures matched on things; I got quite excited until I got sad. So it turns out, and this may be true for other sandboxes also, but particularly MalwareBazaar, it didn't actually know what AIX even was. Go back to that problem space that we had at the start: that we want to understand the more interesting threat actors, we want to understand what's happening that could be impacting businesses etc. If all of the detonation tools miss the fact that there's even an AIX binary being submitted, that's probably a problem, because if we don't identify what it is, how do we effectively analyze it to work out whether it's doing bad things and whether we should be worried about it? In the case of AIX binaries, they present in a very similar way to Windows 32-bit binaries, so every time we got a match on our previous slide that said it was an AIX binary, turns out, with the exception of the ones that I uploaded, it was actually Windows binaries that it triggered on. And of course when you start to look at it from a Unix reverse engineer's perspective you very quickly realize that you're not looking at the exciting holy grail that you hoped you were.

But anyway, the good news, the bad news: there weren't many useful matches on my hunts. I think it's been running for four years now, so you saw the numbers most recently, but not as much as I would like, so that's kind of quite good. But it's not the only place that malware goes, so I went and had a look at what VirusTotal does. So this is one of our tools. I submit all of our tools to VirusTotal as a matter of course so that I can see when they're being used and I can see if they're being used for things that I think might be problematic. In some cases those tools

aren't necessarily things that are fully public, and so, yeah, the signatures and the detection of those tools is pretty important to us. The first line is linikatz, the tool I wrote to attack AD-joined Unix systems. In its natural default state, I grabbed it from GitHub, I uploaded it, and not too bad detection: yeah, we got a reasonable success rate. The problem is you change one byte, nothing now detects it, or very little detects it. Again symptomatic of the problem: if we can't identify when it's an important binary, if we can't identify when it's a known piece of malware because of a single byte change, that's a real problem. And actually I talked to a friend of mine who works for a financial services organization. They've been working with one of the EDR vendors for 6 to 12 months to try and get to a point that they can detect linikatz, and every time they detect it my friend changes a byte and then runs the EDR again, and every time it misses it. Yeah. So yeah, a financial services organization that's processing billions of dollars a year, kind of thing, they can't detect a shell script when a byte changes. This is the problem space I'm trying to help people solve.

So does it matter? So the AIX binaries were for FASTCash. FASTCash is a piece of malware from the North Koreans, so very much people that matter. They had used that particular piece of binary to manipulate the SWIFT network into giving them loads of money, and as you might expect, some analysts found it, they'd had a look at it and, yeah, they'd found some interesting things. I'll come on to perhaps some more observations about FASTCash in particular later, but it's, yeah, as an example of a particularly high-end piece of malware that was being used by a particularly interesting threat actor, this is a really good example of the kinds of things the best red teams (let's call the North Koreans the red team), this is exactly the kind of thing that the best red teams are capable of doing, and if our organizations can't stop it we will have serious problems.

So from there we have three hypotheses. One: attackers may be using our tools; curious to test that hypothesis at scale. Two: ATT&CK is already fine, it's already doing a good job of detection. Three: perhaps it's not, perhaps there are some areas we can improve it. And that's pretty much the pitch I gave to MITRE: well, OK, so can you detect the stuff I do? Can I tell you things that you're missing that I see other malware do? How do we fix this? And they said, yeah, come and help us, and that was the start of a four-year conversation that's still ongoing and still not resolved.

So do adversaries use our tools? Certainly to some degree. We ended up adding new techniques to ATT&CK to cover some of the things that our tools were doing, specifically in the case of linikatz adding mappings through to the same tools that you would find on Windows for dumping hashes, for dumping cached credentials. We went and wrote the mappings for linikatz, for Linux, for AD-joined Unix systems. The mappings there are pretty good; they perhaps weren't quite aligned to the full gamut of tools that are available, but it was a solvable problem, and from MITRE's perspective they can only include stuff in ATT&CK that could be citable. The fact that my tool existed and they could look at it and they could see it meant we could fix the equation; we could improve ATT&CK in that fashion. Second question: are they using techniques to target Unix systems? Again largely the answer is yes. The example I picked up here is another threat actor at the higher end, HIDDEN COBRA, and yeah, they were definitely doing things that would fit into what ATT&CK was already documenting, perhaps not the way that ATT&CK depicts it being used, nation state etc., but there were some good mappings there. And are they targeting Unix

systems? Yeah, well LightBasin targets telecoms providers, and yeah, they're using the stuff that you'll find in MITRE, but they're also using stuff that we've missed for decades. Like, LightBasin are using a tool that I remember seeing a full disclosure of on Bugtraq about 20 years ago. I spotted it when I saw the reporting from CrowdStrike because I recognized the strings in the file in the screenshot that was in the CrowdStrike reporting. That's the kind of thing that I wanted to be able to draw back to; it's the kind of thing I wanted to use before others. If we can't spot something that's been used from 2001 onwards we've got no idea where it's been, what it's been used for. But can you imagine somebody sitting there: well, we'll go and download a 2001 tool? No, of course not; they've been using it for ages, for lots of different things. We need to be able to detect that properly. Thirdly, ATT&CK is not representative. I think my answer to that would be: it wasn't; it's becoming more representative, and indeed I should talk a little on why and how. Any questions so far? You can throw questions up at any time; I may choose to park them to the end if they're particularly interesting and I don't want to expand on them, but ask questions as you go along.

So yeah, that's a loose summary of what the threat landscape looks like for Unix systems. You've got the botnets that sit on IoT networks; you've got the access brokers who want to compromise embedded network devices; you've got people that are in the ransomware game, more likely, interestingly, to target the hypervisor of a Linux system than a Linux system itself. Yeah, you can see malware examples that are specifically targeting VMware etc. You have the cloud enthusiasts. I don't know who saw Rory's presentation earlier, but Rory and Datadog very much focus on the cloud stuff, and yeah, there are definitely threat actors that are interested in borrowing your compute, borrowing your CPU, memory etc., maybe because they want to mine Bitcoins, maybe because they want to play around with AI, but yeah, they're out there. And then at the highest end you have the specialists, so LightBasin, UNC1945, the kinds of people that were in that previous reporting from CrowdStrike, that are targeting very specific systems with really interesting protocols to do maximum damage quickly and get out, either because they want to damage the infrastructure or because they want to steal the money that's on the infrastructure. So you see things like networks being wiped in totality; you'll see things like people targeting IBM MQ because they know that they can use that to talk to the payment platform inside a service provider, and now they can reduce their monthly bills or worse.

So we have some notable threats. This is kind of a timeline of how things have changed over time. FASTCash was my patient zero; it was the thing that got me interested in the first place in this. But more recently we've seen GTPDOOR. GTPDOOR is a specific piece of malware that gets deployed into telecoms environments to target GTP, which is one of the signaling protocols for making and receiving phone calls; very high-end, very interesting stuff. But you know, the example of xz being compromised earlier in the year, another good example of a modern piece of malware. Interestingly, if you're a pentester today, there was a report two, three weeks ago that one of the favorite pentesting tools of the UK market, LinPEAS, had been modified to have a call home, and if you grabbed the version from GitHub you didn't get the call home, but if you grabbed the version from Li lmsh you did. Yeah, we are seeing this kind of thing happen on a regular basis, and indeed in some of the cases we're seeing things that retrospectively we now see as looking fishy. If you look at how xz worked at exploit level, or rather how the payload worked, you can go back and find other examples of threat actors doing similar types of things, either with other pieces of commercial software

or indeed with other proof of concept exploit code that then gets run on pentesters' laptops and ends up compromising pentesters. So there's, yeah, there's a fair amount of interesting stuff there; it's just that we're perhaps not historically great at sifting through it.

So there you go, that's ATT&CK in numbers. So when I started working on ATT&CK in 2021, yeah, there were 328 techniques and about 120 or so were targeting or purported to target Linux systems. Today there's fewer techniques because MITRE have been working on cleaning up their data, mapping things more effectively, looking at how two techniques could be one technique with multiple sub-techniques. So perhaps slightly fewer techniques, but certainly a higher prevalence of relevant techniques if you happen to operate a Linux system, and the same is true with the other aspects also. We're seeing more advances in tooling, we're seeing more advances in malware families, and yeah, that's why I say we are getting better. But if you look at the graph on the whole you can kind of see what that looks like over time. MITRE ATT&CK version one on the left hand side didn't know about a huge amount; by the time you get up to kind of 11 and 12 there's an awful lot of stuff that's now properly mapped into MITRE ATT&CK, and then as MITRE have been cleaning up the data we've seen a little bit of a crash in terms of the raw numbers between 14 and 16, but ultimately the techniques themselves are purported by the left hand side. Yeah, we're still seeing increased visibility and increased knowledge about the kinds of things that adversaries are doing.

There's my little contribution. So I said I'd started collecting techniques; those are the ones that I've worked on personally with MITRE. So if you've got an idea for something you want to talk to MITRE about, doesn't matter if it's Linux, although clearly that's my area of interest, come and speak to me afterwards and I can facilitate some conversations with the people that might better help you get it on other people's radars. But yeah, we've got the stuff that I did around manipulation of libraries and linkers, we've got the stuff that I did around Active Directory, we've got other things too. Break process trees is an interesting one. I speculated in a Twitter post that this might be possible; a couple of DFIR people then took it on, wrote up some really nice detailed descriptions of my tweet, and we've actually found malware doing it now. So that hypothesis view of the world, that there are things that we would expect adversaries to do that they are either doing and we're not spotting, or that they haven't started doing but they could be doing, is definitely true, and that's why I wanted to get involved: to try and catch some of that stuff before it becomes prevalent.

So how do we build a better ATT&CK? Would anybody here like to build a better ATT&CK? Would anybody here like to have an ATT&CK that's more relevant to their industry, to their vertical, to the systems they care about? All right, so this is how I did it. I automated everything I possibly could do. The automation's not as good as I would like; there are shell scripts and Perl and Python. It's very much not a software developer's view of the CI/CD process, very much a Tim's view about how can we do things quickly, but we have the ability to take a URL, triage if it's a piece of malware, triage if it's a new piece of tooling from a red team, a pentest company etc., triage if it's a piece of threat intelligence. From that we then have the ability to start to dynamically allocate techniques and sub-techniques based on the data that we've pulled in. So I can take all of the threat intelligence that gets published by all of the threat intelligence companies, grab the URL, drop it in and it will give me a summary of what techniques are in there, even if the threat intelligence company didn't put the technique in themselves, or if they've missed one; they've

got a screenshot that shows a particular thing that I'm interested in, I can now see that and I can now feed that back into MITRE. So MITRE sit there and they go, do we have any evidence of this? And I'm like, yes, here's the list of issues in GitHub that shows you all of the places that it's been reported, either from a threat intelligence perspective, a malware perspective or indeed, yeah, an offensive researcher perspective. So if you have no better way to do it, GitHub can work as a threat intelligence platform; for my purposes it works quite nicely. I have templates that allow people to ingest information effectively. Worst case they give me a URL, best case they give me a lot more information. I have the ability to label it up quite nicely so I can start to see trends, I can start to see clusters of intelligence about a particular thing, and then I can put workflows on that, so I can trigger automatic triage, I can trigger analysis of that threat intelligence report etc. It's a PDF, it's a Word document, it's a text file etc.; all of that can be automatically triaged.

GitHub aren't always friendly to malware. I was very upset that they pulled the i-Soon leak. For those that don't know, i-Soon was a commercial entity in China that was working ostensibly as a penetration testing research company but were probably working on behalf of the Chinese government. There was a leak of a bunch of their stuff, which is kind of quite interesting; you could see what kinds of things they were targeting; they were interested in DB2. But unfortunately GitHub decided to pull it, allegedly because of the amount of data that was in the repository, but you can only speculate that possibly from GitHub's perspective it wasn't the best thing in the world to have a whole bunch of stuff that purported to be from a state-aligned actor sitting on their GitHub that anybody could look at. But yeah, there's value in automation. So even if you don't have the ability to go and buy the biggest, flashiest tools, even if you don't have the budget to go and buy Splunk like Cisco did, you can still do quite useful things with a little bit of time, a little bit of thought and a little bit of creativity.

So there you go, that's kind of how the analysis engine that I've built works. Broadly speaking it scores everything: it scores everything by keywords, it scores everything by the reporter. It correlates things; I can then start to say, well actually these three issues relate to the same thing, show me all of the issues that relate to this thing. I'm not a data scientist. I work with data scientists and they're helping me improve the scoring and the modeling mechanism. But what does it look like in practice? These are some of the fun things that I've been doing with it: the ability to go and clamscan everything that comes out of MalwareBazaar, the ability to run my own custom YARA rules outside of MalwareBazaar, because from my perspective maybe there's stuff that I want to do that I don't necessarily want to immediately share with the rest of the community; run things like capa, do things like file analysis, look for the kinds of indicators I would be interested in as a threat intelligence analyst or as a responder or as a red teamer that wants to go bad etc. And you get to learn interesting things like this. You'd have thought that a malware operator would be writing secure code, right? I mean, if they're busy taking the mick out of everyone else for not keeping their system secure, the last thing you'd expect them to do is write code that uses HTTP, that uses hardcoded credentials. They're just as bad as the rest of us; unfortunately I think a few of them need a few lessons from Dennis in the software development life cycle.

So this is all stuff that isn't yet in ATT&CK that maybe should be in ATT&CK. Some of it on the left hand side

is kind of there, just about; we're kind of getting our heads around what the problem space looks like, we start to understand how we want to define it from a technique perspective, how we want to scope the technique etc. Uses Go: we capture whether it uses Python or JavaScript or PowerShell, VBS; we don't check whether it uses Go. Go is very popular with malware operators because, guess what, you can compile it anywhere and it's secure, so they've met their SDLC requirement for the year. Process tree spoofing, that one is actually now in, I think. But yeah, some of those are non-obvious. Redirection to /dev/null: if you have a Unix system and you know what's running on it, if it's a business workload, anything that writes to /dev/null that isn't something that you know writes to /dev/null should be an alarm bell to go and have a look at it. It's a really daft indicator in the sense that, well, everything uses /dev/null, yeah, but if you know what your system runs, you know which scripts are on there; anything that you didn't recognize or put on is probably something you should know about. So yeah, there's a whole bunch of stuff we're doing to kind of pick out things that will be interesting for future techniques etc.

Yeah, you get that analysis that is produced inside of that. So inside of that you have analyze articles, which does word-based analysis on threat intelligence reports; you have triage binary and binary link, which do a very similar process across binary data; crudely it's a combination of strings and YARA for the binaries in particular. In the case of the analyzed articles, actually it's just grep; this really is that dumb and simple. But essentially, yeah, so every time I see anything that has a string in it, /dev/shm or /tmp, that goes into a write to a non-persistent part of the file system. Why would you do that as an adversary? Because if it's non-persistent, when the box reboots that file is potentially gone. It may not necessarily be an indicator on its own that you've got malware, but it's certainly something that we want to be able to track and understand, and be able to go back to that piece around understanding your applications and correlating effectively. You should know what applications are writing to your temporary file systems; you probably should have some controls about which applications can, because a lot of exploits will write to those locations. But yeah, so that one's not a particularly useful indicator in isolation, but like /dev/null, you put it together with other things and you now start to see behaviors that aren't common and consistent with how your applications work.

So can we do better? EDRs are fantastic if you can deploy them. You can't deploy them everywhere, because it's operational technology, because it's telecoms infrastructure, because it's a banking Red Hat 7.9. We can do a lot with auditd. I talked earlier about working in that SOC at the bank using SQL Server; we wrote rules in that organization that would allow us to mitigate the SWIFT... we found a vulnerability during our hardening process. Yes? It's because I'm standing, yeah, because I'm standing to the side. But yeah, so yeah, the bank: we wrote rules to mitigate a vulnerability we found in the SWIFT software we were using. There was a world writable location that anybody that had any level of access to the system could use to write to and then, yeah, manipulate payment transactions across the globe. We couldn't get the SWIFT vendor to fix it in a timely fashion, so we wrote auditd rules that basically monitored those locations for anyone writing to them that we didn't expect. That's the kind of thing that auditd helps you do. It's there in most Linuxes in a way that eBPF perhaps isn't; it doesn't require you to put an EDR platform in place, it just requires you to write a configuration file. Definitely something to explore if you're running Unix systems and you have no way of knowing what's going on on them. So as an example, we wrote a set of

detections for BPF door they are publicly available elsewhere but essentially walking you through it I mapped through the different parts of the attack life cycle what it was doing when it was doing it why it was doing it which system calls were being used which files were being accessed and from that we could write an audit e policy that would allow us to reliably detect BPF door's existence this is the example from the bank it's done with audit D rather than the tool we used at the bank but really trivial everything that's a world writable file Becomes Of Interest to an attacker let's have a let's have a rule that tells us when someone writes that

file. That was running on my honeypot, so I could see if anybody compromised any of the applications on the honeypot network and what they did next. So as a crib sheet, here are some things you need to know if you're using auditd. Not everything gets logged as easily as you would like; there are some places where you need to recognise the limitations of the technology. Also true for eBPF, but for example, once you've got a kernel exploit running, all bets are sadly off: if you've got the ability to rewrite kernel memory then, well, anything that happens post that point. If you talk to the eBPF people they'll tell you very clearly: capture the events

on the way in, don't wait for the system call to terminate. Good advice; similar can be applied to auditd. But yeah, there are detection capabilities we could be using today that we're probably not. And with that, some conclusions. Hypothesis one: adversaries are using the tooling that I've written. Not anywhere near as much as I was worried about, and in fact the YARA rules that triggered on my web server weren't actually for the tools I was hoping to find triggers on; they were actually for a PHP socket that would serve up a shell. But yeah, we've seen examples of people using our tools. In terms of ATT&CK techniques,

yeah, they are: they're using the techniques that MITRE is describing, and we're seeing them using them in ever more creative ways. Can ATT&CK be more representative? Yes, it absolutely can be, and that's the purpose of my mission with MITRE, to try and make that happen. But we've helped other people too, right? So there are Linux distributions that are now taking the work on board and using it. In fact, the paper that I've linked to there was a piece of work done by Chainguard, who are a cloud-native distribution vendor, and they've essentially taken on linux-malware as one of their seed sources for all of their detection

engineering capability, because they recognise that it's a single source of, shall we say, malicious content: not necessarily malware, because sometimes it's pentesters' tools, but it's a good place to be looking if you want to be able to test your detection capabilities effectively. Just because attackers aren't being reported breaking into systems daily doesn't mean they actually aren't. Adversaries will still use the most simple mechanism they possibly can, which to you and I in many cases is passwords. The number of Unix systems that I audit each year that still have default passwords of one form or another on them... that would be an obvious place to start if you're doing adversary

simulations. I would argue that linux-malware is probably as good a place to go to collect the information you need to start that adventure, and if you're a defender I'd argue it's probably as good a place as any to start if you want to understand what you should be defending from and what that attack might look like. We can do better, and indeed MITRE have acknowledged that: they are now spinning up a working group to do similar things to Linux on networking devices, so if you have an interest in routers and switches, as I might do, you can go along and have conversations with them about that. Also, there's a separate Slack space

specifically for network devices, and they are looking to refresh the way that they map the techniques there. I'd like to think it was going to happen anyway, but I did complain to them about that; I put my mouth where it probably shouldn't be, yet again. But yeah, come and help, come and pitch in. I'd love to see the UK market be more responsive and contributory to what MITRE are doing. It's a mission that everybody should be able to get behind, unlike most of the stuff you see from cyber security companies, Cisco included, where there's a commercial requirement: yeah, buy our EDR, buy our firewall, buy our detection capability, buy our SOC. MITRE, none of

that, just a bunch of really good, helpful people who are trying to make the world a little bit better a place. So that's the pitch on MITRE. And there you go: if you cannot detect anything else, these five rules would be things I think would be a good starting point. The ability to detect whether someone has SSH'd onto your box; the ability to see when they're running privileged processes; the ability to see when they're running a raw socket, so pretty much GTPDOOR, the FASTCash stuff, pretty much most of the higher-end malware will create a raw socket as part of that attack, so that's a good one to go and detect; the

ability to write to non-persistent file storage, because it's pretty common that malware is going to drop its malware somewhere that it can, and that's generally /tmp or /dev/shm; and modifications to the two key sources of persistence, cron and the runtime linker. Set up those five things and you'll probably catch 99% of malware today in one form or another. Yeah, even the stuff that got published just last week, those five things probably would have. And with that, far too many people to thank, and there were names that I couldn't put on there for various reasons, but there are an awful lot of people that are working with me now on this, and some of those people deserve a

bit of thanks for the work they put in, not least of which the MITRE crew themselves, who've been very open and receptive to my ideas and been willing to listen and work with me rather than sit there and go "we know better". That is about it. So, questions, or do we shut the [ __ ] up and go to the pub?
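An added example, not code from the talk or from the linux-malware project: a small Python checker that groups raw auditd records by event id and flags the five detections just listed, plus the bank's case of a write landing in a world-writable location. The rule keys in the comment, the sshd login fields and the sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Added example, not the talk's code. Keys assumed to be set (-k) by auditctl rules such as:
#   -w /tmp -p w -k tmp_write               -w /dev/shm -p w -k tmp_write
#   -w /etc/cron.d -p wa -k cron            -w /etc/ld.so.preload -p wa -k ld_preload
#   -a always,exit -F arch=b64 -S socket -F a1&=3 -k raw_socket
#   -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_exec
KEYS = {"tmp_write": "write to non-persistent storage", "cron": "cron persistence modified",
        "ld_preload": "runtime linker persistence modified",
        "raw_socket": "raw socket created", "priv_exec": "privileged process executed"}
EVENT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

def parse_records(lines):
    """Group raw audit.log records by event id: {id: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip("\"'") for k, v in FIELD.findall(line)}
            events[m.group(1)][fields["type"]].append(fields)
    return events
def world_writable(mode):
    """PATH records carry the octal mode (e.g. 0100777); test the o+w bit."""
    return int(mode, 8) & 0o002 != 0
def detect(lines):
    """One alert per successful sshd login and per SYSCALL record carrying a known key."""
    alerts = []
    for eid, recs in parse_records(lines).items():
        for login in recs.get("USER_LOGIN", []):
            if login.get("exe") == "/usr/sbin/sshd" and login.get("res") == "success":
                alerts.append({"id": eid, "rule": "ssh login", "auid": login.get("auid"),
                               "from": login.get("addr")})
        for sc in recs.get("SYSCALL", []):
            if sc.get("key") not in KEYS:
                continue
            paths = [p for p in recs.get("PATH", []) if "name" in p]
            alerts.append({"id": eid, "rule": KEYS[sc["key"]], "comm": sc.get("comm"),
                           "paths": [p["name"] for p in paths],
                           # the bank case: did the write land in a world-writable location?
                           "world_writable": any(world_writable(p["mode"]) for p in paths if "mode" in p)})
    return alerts

SAMPLE = [  # constructed records in audit.log layout, not captured from a real host
    'type=USER_LOGIN msg=audit(1700000000.100:299): pid=900 uid=0 auid=1000 ses=3 msg=\'op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=/dev/pts/0 res=success\'',
    'type=SYSCALL msg=audit(1700000000.101:300): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="tmp_write"',
    'type=PATH msg=audit(1700000000.101:300): item=0 name="/dev/shm/" mode=041777 ouid=0 ogid=0',
    'type=PATH msg=audit(1700000000.101:300): item=1 name="/dev/shm/.x" mode=0100755 ouid=1000 ogid=1000',
    'type=SYSCALL msg=audit(1700000000.102:301): arch=c000003e syscall=41 success=yes exit=4 auid=1000 uid=0 comm=".x" exe="/dev/shm/.x" key="raw_socket"',
]
```

Running `detect(SAMPLE)` yields three alerts: the SSH login, the write into world-writable /dev/shm, and the raw socket opened by the dropped file.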

Yes, sorry, [inaudible] how did you get

how will I get that?

So I think I understood the question, I was a bit confused by it, but yeah, [inaudible]. You asked how did you get, not how would I give you? Oh, I see. All right, well, that's just Cisco's format: it's a lucky number generator basically, you can go and ask for usernames. I may have played around with that a little bit in the past, but that's a different story for a different audience, I think. Any LOLBins, or whatever you want to call them, [inaudible]

Yeah, so the question was what happens with LOLBins, and in Linux land we call that GTFOBins. There's a separate project for GTFOBins for Linux and it's essentially a list of commands that have alternate uses. So the most trivial example of that would be something like find, where you can run a find command and then execute something based on the output of the find query. You might use that to go and find files that you should have (two minutes left), you might go and use that to look for files because you're a sysadmin, but you might also use it to trigger execution because you've got the ability to

control part of the parameters. We've mapped some of that, but I don't think we've done as good a job as we might, is the short answer. I think so; there's more work to be done

there. The classification, yeah, is there a way you use to arrive at those, or even, like, when you process all that data that you get, you find...? There is no perfect taxonomy. It's like compression, right: you're essentially reducing a massive namespace down to a smaller namespace and you're going to potentially lose information along the way. The taxonomy that I have is probably as good as I've found for the stuff that's not known about; for the stuff that is known about, MITRE's various different sources of information, be that ATT&CK or CWE or whatever else, they're probably the best taxonomies available. Vendors might tell you otherwise. [Applause] One of [inaudible] slides... Glen, I can't hear you, can you [inaudible]

Yeah, 14 vulnerabilities, yes. You've been watching it for a while; is it trending up or down? It will have gone up. So, like, are they addressing it at all, or are we...? Oh, I see. What do we think: do I think it's [inaudible] or do I think it's going to escalate? They're doing a pretty good job of squashing the places that they know they've got problems. It's lucky it's modern; it's modern engineering and it's been built by a team that are security savvy and security conscious, so I don't think we're going to see that, but I do suspect over time we'll see a continued trickle as new pieces of code get introduced, because inevitably

when you write code you introduce

bugs. You guys are collecting, extracting, generating so much data; I was wondering whether you happen to have any publicly available data sets that infosec academics could potentially conduct studies

on. OK, back far enough: that's all public. It's a huge data set, it's all public, and every open-source project that we find on GitHub we submodule, so anything that we think is already available in source code form, there will be a submodule. So if you do a git clone and then you pull the submodules, you'll get everyone's code from every piece of malware or every piece of offensive research we've seen over the last four years. That's quite a lot. [inaudible] Thank you.