
Howdy, y'all. My name is Michael Gough. My partner in crime, Ian Robertson, is here in spirit; he did text me. He had to stay home with the kids, but I'll try to do as good a job as I can in his absence. A lot of credit for what we've done here goes to Ian as well, so I just want to give him a shout-out. Next: not a lot of time about me. You want to find me: HackerHurricane, and I'm a BSides Austin lead and a BSides Texas partner. So if you can't use Google, then you failed.
Really? It's not gonna work? Oh.
So much for AV. So, participation is required. I want this to be interactive. Hold the questions to the end, but if you need some clarification, then ask for it so I can expand upon it in the slides. Okay, fair? I will spend as much time talking at the end. I will rip through some of these slides pretty quick; you can read as well as I can read. I don't want to read PowerPoint to you; I want to get the points across and I want you to understand what I'm talking about. This presentation will be posted on the web page I'm about to tell you about, and you guys can download it. It will
be minus a few slides, but all the rest will be intact, so you can download it, delve in, and send us questions. But definitely participation; BSides, right? It's all about community and me being challenged. We don't have a screwball to throw at me. You want to call [ __ ], call [ __ ]. So let's start off with the problem. This presentation says three things: you will be pwned, you've already been pwned, or you don't know, right? So that's where we're at today. We're no longer comfortable saying "Nah, this won't happen to me." There's a joke there about my former home, the state of Texas, who likes to say that, but nevertheless it will happen to you, or
already has. How many people here have had it happen to them somewhere they were? Every hand in this room should go up, right? So it's a reality. I found this interesting. I don't really take vendor information to heart, but when I find something good I do like to provide this information to you for management. Okay, that's what this stuff's good for: words, right? CyberArk, if you don't know who they are, they make a password management solution, but nevertheless the thing to take out of here is: do you believe a cyber attacker is currently in your network or has breached your network in the past year? 51 percent say yes. Okay, those numbers were low
a few years ago and now they're high. People are starting to be honest. It used to be you've been owned, you haven't been owned, or you don't know, which is "me, a liar." So they're starting to admit it; that's a good thing. You can't fix the problem till you admit there's a problem. Now, malware is exploding, folks. If you haven't or don't track this information, you should. Talk about that. But the takeaway here is this is the graph starting about 2007, 8, 9, 10, 11; notice where 11 is, 2012, of total malware. Same timeline, new malware: 2012 right here, 2011 right here. All of 2011, and in 2013, by January first, new malware has already exceeded that
number right there for 2011. We are looking at almost a doubling of malware from two years ago in malware development, right? It's powering up. It is getting ready to blow you away. It is the problem. Anybody read this? Has anybody read it? Is anybody familiar with Winnti? Show of hands. Let's just say, here's the disclaimer: I'm not here representing the company I work for, but I know a lot about this and I can't necessarily talk about it until I finish dealing with these guys. Okay, so I will gladly take that offline and discuss any information you might be curious about. Notice the date, April 2013. I've known about this stuff since May of 2012. We have known about
this stuff. So the reality is this problem is growing fast. It's growing really fast. It's not going away. They're getting stickier, stealthier, and smarter. How long does it take? Look how long it took to detect. Come on: Stuxnet, Duqu, Flame, Skywiper, and Winnti took years. Okay, took years. We do need a new way; that's the basis of this presentation. The experts, again, good management information, but we're going to pick on this a little bit more and pick it apart. Verizon Data Breach Report; we all love it, no? Has everybody in this room read it? Who hasn't read it? You really do need to read it, live it, and understand what it says and
where you fit in that picture. Okay, really do; it's required infosec reading material. But the reality is the average detection of a breach or compromise, and we won't debate what they mean by breach versus compromise and the differences, is 210 days. So three quarters of a year, two thirds of the year; that's a long time. And by the way, 90 percent or so is third party. This is an older one, so 64 percent, but it seemed up from this year. You're being told by someone else; that's the crappy part. Your own people are not detecting it. The hard, cold facts: of roughly 30 files we've uploaded to VirusTotal in our research, in our events, we have a
fantastic detection rate of... this includes phishing emails, by the way. What do you think? Blurt it out. Come on, participation. 0? 3 percent? 0? 0? 13? Anybody higher than 35? 5? 18? Three percent. That is only because of the phishing emails. So take the phishing emails out, only count the APT stuff, and we get zero. And that's because they usually use a bad launcher to get the [ __ ] going; that gets detected, then their other stuff drops in. Still, stuff we have from last year is not being detected. We have notified 12 companies, one of which I have a friend at. I said, I need you to look at this. Their lab came back and said there's nothing wrong
with this. No, you don't understand; you really need to look at this. Remember the second slide back here that I can't talk about? They really need to look at this. That's what we're dealing with. Yes? [Audience, partly inaudible:] Do you have any idea how many samples you have, and is the rest of the family covered? [Gough:] And we're still... they have no idea. Now, at the end of the presentation, you'll understand. So what VirusTotal detects and covers, what we know and cover... there's something about AV that everybody needs to understand. Everybody says AV sucks; it doesn't
trigger on stuff you think it should trigger on. If you don't understand this concept of "don't tell" that the AV companies are all doing: there is stuff that they detect that you are not alerted to, even owning the product, having a support contract. They will not tell you. They want your money; whether it's litigation, feds, you name it, they won't say. So "don't tell" is a piece of that. So there's no way for us to answer that question, because we don't know what they're detecting on the back end, because they won't even tell the end user. Okay, so our defenses are failing us. I've heard some great talks here. Renegade talked about using the tools you already have. Myself and my buddy over here, Greg
Smith, will tell you how the default configuration of tools will fail you. Even myself, I've had multiple conversations with companies like Bit9 and Tripwire, sharing flaws in their products, saying we want you to understand this. We've been pretty harsh; I've been pretty harsh on Bit9, but that's because they have malware in the repository and they still haven't taken it out, and we've given it to them. Why is it in there? So again, we need to understand what's failing, and we need to quit relying on these tools, because a fool with a tool is still a fool without the knowledge to apply it. Default conditions of tools will burn you something fierce. So if you rely on that, what's out of the box, and think it
will work, man, you need to seriously refine, tweak, and find every option and capability of that tool; squeak everything out of it for it to really help you, because if we know it, they know it. And malware authors, they prefer to get past, so they use valid certs. Let's pick on Bit9. What does Bit9 justify their trust with? A lot of times, certs. In their console: I trust blah, I trust Intel, Microsoft, Lenovo, maybe ten certs. And if you do that, all this malware would have taken you out while [inaudible]. Why? Because they're using real certificates, and in Bit9, for example, and other solutions as well, you actually can trust a payload based on who signs it. Yeah, if
I find out Microsoft got popped, they'll revoke the certificate and I can go in and deal with it later. Look at that list. Anybody wants proof, by the way? There is a Lenovo back door. Yeah, there is. This is a list of bad. What's worse, positive certificates: not only are they using them. So first I thought they popped some of these companies and are stealing certificates and re-signing. I'm not absolutely certain now that I've had some time to tear them apart. We're finding indications of using a valid Microsoft file or valid signed file, tweaking the headers and the information to bypass the area that's signed (the whole file is signed, by the way), and
launching their bad code, keeping the certificate of the signed file. It's tricky, but son of a bitch, they do it. Okay, so we just cannot trust this. This is broken. Do not rely on certificates. How do you love the green bars, shades of green, man? They need to go back to the old... well, I have it in the next slides, because I detect it. Okay, don't bother reading this; just look at the boxes. But this is the time to compromise: really fast. This is the time to detect and eradicate: really slow. But we need to be questioned here. What's that? [Audience, partly inaudible:] So between when the malware appears and infects machines and when you know you have a signature for it, the gap... [Gough:] The gap is known
all along, you know. How do you see it? I would say 210 days is probably pretty good. I would say more; remember, those are the companies that are being studied. Well, 210 days is the average; some are talking years. My personal opinion is those big companies that are getting detected in 200 make the average; most companies are way longer than that, if at all. I don't believe most companies can detect that they are compromised, period. That's my personal opinion. I would say it's an 80/20 rule. And on the other side, what's the time for it to get in, infect, get data, and leave? Right, minutes. All right, yeah, that's what it is: 3 minutes. 3 minutes. It may
be. So where we need to be, which we have no control over, is compromise. Believe this, man: they are in and out in a matter of hours. I mean, right there: hours, days, falls off, little to nothing after that. They are in and out of your environment probably in less than a week, if they're doing whatever they're doing, and the reason it's taking this long is they're trying to find stuff. The initial stage is minutes or hours. Yeah, the only reason it's taking days is because once they've been poking around and they've started to do stuff, they've gained a foothold and they are bleeding you dry, and you're about to make the paper. That is not what you want to happen to you.
That is game over, and in a matter of hours you're screwed; in a matter of days, that's the reality. What the slide really says, in the big black labels on this slide, is that there's a positive correlation between being breached and finding the presence of the breach, right? The problem is this number here is being told to you by a third party: "I found your data on Pastebin." In our particular case, a breach that I was involved with, Texas's largest, someone else let us know there was some data on a server that probably shouldn't be there. So that's not necessarily data; this is you discovering you have a compromise. Data is something that comes later; you're not sure what's lost until you figure it out.
It's backwards, but that's what I'm trying to make you aware of. Are you finding the data? [inaudible] Are you finding the compromise, or finding actual code? This is a crisis of data, so you have to clarify with them what exactly this description is. This is time to compromise a box, whatever that means. This is the time people like us are detecting the compromise. The reality is, I'd love the bad guys to be here: high-based security, right, which is like "turn the gun, lower the gun, boats under the gun, BAM, ship blows up." They didn't give enough time to react. I'd love for this to be the case.
We really have no control over this, but we have full control over this. The Malware Management Framework deals with this blue box right here. It's totally broken now. [Audience, partly inaudible:] The thing to do is shrink that time window. [Gough:] I know what you guys in the industry are trying to do is shrink that 210 days. That's the gap. No, it's 210 days. I can tell you why it's this: either A, we lack skilled labor, or B, management's stupid, meaning they don't fund us; they don't give us the tools we need. I'll talk about tools a little later, but the reality is we need to get better. The information I'm sharing here, if you
practice what I am preaching today, you are going to be in this blue box. I guarantee it. I'll guarantee it, money-back guarantee, since what you can do here, by the way, is also free. Let that blow your mind, with that money. So we would love to shift this that way, but we really need to shift this one this way, because that's just something you're going to do. The better you are at this, the harder it will be for them. And that: you want to be a good red team person? You better be a good blue team person first. So here's the old Verizon slide. This is clear as can be. Yep, bummer: time between compromise and fixing it. That's real
easy: there ain't nobody fixing it or detecting it at all fast. Seconds, minutes, hours; starting to in days; getting around to it in weeks; the biggest chunk in months. 210 days. This is far clearer. So Trustwave has theirs, but look at the number. This is, I can't read it: 10 to 30 days, less than 10 days; 10 to 30 days, less than 10 days: four percent, five percent. Simple, people: we need to be here and here when it comes to our defenses. Okay, everything you do in infosec should be focused on solving this problem. I don't care what management tells you; this is the reality. Use these slides to convince them you need to get better. What does that mean? Start focusing on that. So how does
it affect you? Participation: what do you guys do? Blurt it out. When one workstation gets popped, come on, blurt it out, what do you do? What do you do, right? Wipe it. Easy, done, move on, speed of business. What about 10 workstations? How many people had to deal with 10 workstations being popped? What did you do? "Well, I wipe it and cry." Wipe it and cry. Did anybody go into deep forensics? Hmm, one or two; two hands on one of them. What about a hundred workstations? Now what do you do? "Oh [ __ ]" is what you do. A thousand workstations: someone just got fired. Okay, that's the reality of those previous
slides. What about servers? How many people here would reimage one server? Okay. 10 servers? Lovely. 100 servers? A thousand servers? I work for a gaming company; not going to happen. You're taking down money-making. I've got to find a way to deal with this problem and not reimage. Okay, so if you're in this boat, yeah, manageable; yeah, manageable; these big numbers, not. So what do you do? Deep forensics: gigabyte drives, terabyte drives, how about petabyte drives? You want to buy drives? The government's NSA... [inaudible] SANs. Greg and I had to decommission a SAN, man; we did magic to make sure we couldn't get data off that damn thing
because it had no wipe capability. So we cracked it up all over the place, the days of Sunday. There is no way to deal with this problem; it's not reality. I can't take this thing out and dupe it; you don't have time to, and you don't have the money. So what about the downtime? What about customer perception? What about labor to recover? Hope for the best? You need to move at the speed of business; that's the reality today. All your management wants to know is how fast you get the crap out of here and move on. We got bigger problems; we have money to make. Okay, management expects that fast answer. Lack of budget: we all have this issue.
We've got to use what we have; do a better job with it, refining, finding. Renegade6 talked earlier; perfect, he took what he had, refined it, started finding. Our lack of resources: well, 20 percent growth rate. Someone said earlier the guy who's been here six months has to start to train someone who's been there a week. Okay, we need to get some of us senior people training people like you, like that old guy there training people and this old guy training people, so that you guys all get better. That's why we do this. But the goal: get up and running fast. I don't care about deep forensics. I do, but I don't care if you're going to do it. What I'm
telling you has no effect on deep forensics. So how much does it cost? How much does it cost if you fail? Cost of South Carolina: we talked about this in the breach thing. I quoted a number of 35 million dollars the state of South Carolina has spent, and I updated that number. When I was in the meetings I looked it up: they have spent 12 million alone on notifying or doing the credit monitoring of a million people. 12 million they spent. [Audience:] Is this actually accurate, or is it a lot of "yay, we have a breach, now we can fund all our initiatives"? [Gough:] This is open records; thank God for open records. This is published, required-by-law data. I can tell you
roughly what I feel we ended up spending, before and after I left the Comptroller of Texas, but it's millions and millions and millions of dollars. I can buy a lot of security soldiers with that, and we did not; it's about reputational saving and stuff like that. [inaudible] But what's it cost? The cost of the [inaudible] records: 39 million records. It cost two and a half million dollars just to notify by letter; no requirements, it takes long to do. So flash to [inaudible] million... You know what, the cost would pretty much solve the problem, be honest. So these numbers are real. This is what you
sell to management. Thank God for public disclosure, because this is what big companies would do as well. How about little companies? How about somebody who's a typical small SMB? I can tell you these are real numbers. This is a typical expected cost if you have Mandiant come in and do everything: "I don't know, but it's popped; go find it," one or one hundred or a thousand. It will cost you that a week, or that an engagement, plus or minus. Go back, right? Forensics still takes the same amount of time; it still takes the same amount of time. If you don't help them, they can't help you; it's going to cost you a
lot of money. So what do I tell management? I'm going to save you that amount of money. I'm going to justify my salary; this won't be needed. Again, yes, I will put my job on the line and say I can clean those servers, and I did. Justify my existence, and if they love that, you're starting to make headway. So expect 100k minimum per incident. That would buy an awful lot of security tools. How many people have been popped and used a provider more than once? We've got a few hands. So, sucks to be you. It's getting hot, right? Powered up, here it comes; you're about to go down. So what's the solution? Just give up, go find a job,
take your résumé... [inaudible]. How many of you work for organizations that do the following when responding to suspected malware? Accept that AV cleaned it, move on? A variety of hands on this one. Greg's like, well, that's what they do, but I don't agree with it. How about run another AV scan and say we did two of them? Reimage the workstation: very common. We've seen a lot of talks that are starting to say just reimage it, move on. Yeah, but you don't learn and you don't fix it. There's a lot to be learned about deep forensics. I agree with you; reimage, you just nuke it from space. We don't even care
what it smells like. That's how the reimaging... it may be. Yeah, I happen to believe... someone asked me recently in an interview: what do you do when users are getting constantly popped? Maybe it's not one guy five times; five people, keep hitting them over the head. If you allow your environment to get to the point where these users can get popped, you really can't... Reimaging is a great educator. It's downtime for the user; they don't like it. You just be nice about it and educate them in the process. Say, "You want to avoid this? Keep your data off the C drive so I can reimage you faster. Put your data somewhere else, preferably on the network, where it'll be
backed up, and we'll get you up and running." It's not really the user's fault; it isn't the user's fault. It's usually, you know, we're making them run IE6; you're going to get caught on the first website. It's our fault a lot. [inaudible] Get management to get rid of IE6. Oh, you get Firefox, you get a groan, but educate your users: NoScript, NotScripts, Web of Trust. Let me start educating them in the course of reimaging. Reimage a server? Maybe one or two here. You've got two domain controllers; you can reimage one, go through the other one. You got a couple
mail servers, blah blah blah. At that point, spend investigating manually using forensic tools: a few hours, a few days, a few weeks? How many people here spend a few hours and move on to the next thing? How many people spend a few days? How many people spend a few weeks? Right, it's a lot of time, and you're on one system. Take an EnCase image; before the last version, we just... [inaudible] ...and turn it into something you can actually use and search, and all that stuff is days in and of itself, to the point where even getting to the point you can start doing some real research. So the
concept. The concept's simple: understand what you have; use the good to find the bad. Sounds simple enough, but you may never understand everything you have, and you don't have to, but you can eliminate more than ninety percent of the check. This is what you call taking the hay away from the hay pile so the needle sticks out. In some cases it will glow bright red or green and purple, and the needle will appear. Well, that's not a very Star Wars picture, but you really can't see what's hiding there, but you get the fun. So, introducing the Malware Management Framework. This presentation, minus a few slides at the beginning and several at the end, will be on this in a couple of days,
so I highly recommend everybody go start reading what's on here. Everything I'm talking about is in there in a little more detail. There's also the concept of the Malware Reporting Standard, and if we have a little time at the end I'll pop those up. The internets... [inaudible] the Malware Management Framework site, or MI2Security.com, will also get you to it. So what is it? It's virtually no cost to set up; a solution that's free. Yes, if you can get a PC that can run some sort of VM, you are halfway there. That's pretty much the biggest of the setup costs. You don't have to buy a product; you can, but you don't have to.
It's easy enough to maintain, and it will significantly help reduce incident response costs. Remember that Mandiant or Protiviti cost I showed there in the spreadsheet? That money would go down [inaudible] 25, 30, 40, 50 if you did this before they got there. I'm telling you that based on what I've done. [inaudible] So, advantages: remember we said it will happen to you, so you do have to prepare; do not ignore this point. You can identify bad Jar Jar. You can keep moving at the speed of business; that's the goal, that's the premise of the Malware Management Framework. You can put a flowchart together and offshoot it
and say, deep forensics: you replace the workstation, you take that workstation, you hand it to Greg, you move on. Great, we'll deal with the forensics later. If you need help from Mandiant, Protiviti, or Ian and I, it will save you boatloads of money, because you've taken a bunch of it, moved it aside, and said it's somewhere in here, but I don't have the talent, time, or resources. You can use it for incidents; you can use it to verify your systems are clean. How many here are absolutely, positively sure the image that you use for the workstations or servers is clean? How did your guys build those? How do you verify that image is clean? No hands? Really? I see a couple. I've got one here
too. Pretty good. [inaudible] He's using our stuff, so I know. And again, way faster than traditional forensics. It's not a replacement; it's a different parallel. At some point you make a decision, you split: sniper forensics, deep forensics, traditional forensics. So how do you do it? Three components: master file repository; tools, whatever you want, I don't care, I'll give you a couple of examples; and then malware management. First, the master file repository. Build a VM. Okay, you got a Windows box, version whatever; server, version whatever; ESXi, several VMs. Build it from scratch. Use media, nothing on disk. Don't think they don't drop files in your repository if it sits on a server. Build it from media,
from scratch. Go get it from the IT guys. Your infosec guys, you can do this; you can build a box all your own. There are roughly 200,000 files on a Windows box, depending on the apps you have installed. Okay, so again, we're looking for the hay; we're looking to get rid of 200,000; we're looking to get rid of 160 or more thousand. Why not? [Audience question, partly inaudible, about trusting the government's hash repository.] [Gough:] So let me get this straight: you trust the government repository of data that totally can be altered? I'll talk about the hash thing in a second, but again, what you have and what you know is what the goal of this is. You are not trusting anybody else at this moment. You built
this Windows machine in this VM off the network. You plug it in, you patch it, you bring it all current, you unplug. You now have a base Windows image. You hash that sucker. You take that little script or tool you come up with, you go to the suspect box with a thumb drive and this hash pile with a lot of stuff in it, and you compare the two. You took this problem of this many files down to some subset, and now you have a deeper focus on what the unknown is. And again, it doesn't require a lot of time. Start installing the applications: you got Exchange? Install Exchange. It's a workstation? Install your PDF reader,
Adobe, whatever, this, that, and the other thing. Install, install, install. You're trying to put as much as you can into that box. It does not have to be on the wire. You bring it up, you let it go out, you let it download, patch everything once a week, month, whatever you want to do; that's part of the process. But what you're trying to do is fill this as much as possible. [inaudible] It does not have to function. If I have an application I can't install, I can extract the files onto the box. Good enough. [Audience, partly inaudible:] Sounds good, but back to your point, a
company may have, like... [Gough:] Yeah, but if they're Windows-based, ninety percent of all Windows images are the same files. You are eliminating an incredible amount of those files on systems if it's Windows, right? Same thing Linux; it works for any system. Any applications on the system, post-base, that you installed, that your users use, your servers run, is where we're at. [inaudible] And again, install the application to the OS: put your Office, put your Adobe, put your whatever, your core apps on. Okay, unplug the system when you're done. Do not leave this thing plugged in. Update it whenever you're patching your systems. We monitor this every time we have a Program Files
BigFix analysis. We monitor this: if something changes, we see it. Somebody installed something; we now know that we have to go update, seeing that, put it in our repository. So do choose to do something. Okay, we do it with BigFix analyses, but a Jedi tip: combine this with an application software approval process. "I want to download application XYZ," Subversion, whatever. Yay, let me do that for you; let me do that for you. Here's a copy for you, here's a copy for the repository. It didn't take very long; totally doable. You will have a bell curve when you first do this, but it will fall off pretty quick. Remember, you're trying to take as much hay out of the
picture as possible. It is really not that hard. We do it with a thousand-user base and a thousand-plus servers in gaming. It's surprising how little really changes week to week from a user. It is easily maintainable by a greenhorn. So here's what the process looks like. So we basically have the MFR, or master file repository; we run our script, whatever it may be, tool, what have you, to produce some output. There is no connection here. Do not put this thing in your network. There's no need, unless you're plugging it in to update and download. You are not making calls to it; you're not NET USE-ing to it. Do not make the mistake that Bit9 did. Oh, sorry, you get
the VM [ __ ] up and malware phones home; strip it, it's gone. Man, don't do that. This is clean, sanitized; the way you trust it is that it's unplugged. So then you take your analysis system, however you want to do it. You can run your scripts using this data; you can put it on here, that's fine, but make sure you always use a clean version; keep it somewhere safe. And then look at your suspect system with the data. Yes? [Audience, partly inaudible:] How do you handle patching, since patches come out every day? [Gough:] So every time you do a master file repository update, that's really... you gotta plug it
in and update it, whether you manually bring the media or download, whatever; however you're doing your patches. You know what your company's patch cycle is: if you're doing your testing and you're doing your patches, okay, I've got to plug this in, go get the Microsoft latest greatest pile of crap, update it. I got to go to Adobe, update. While I'm doing that I'm going to go run Secunia; anybody know PSI? CSI? Use that, run it. Power it up, plug the cable in, let it check everything, say you need these updates, go update, then unplug it. You're done; rerun the script. It really isn't a lot of work; surprising. [Audience:] I think the important thing to note is, like, the
higher you can set the baseline, the more hay you're throwing off. Like, if you can get everything, that's great, but, like, my computer ships with a billion files on it, right? That's crazy. It is what it is out the door on my Windows system. I can at least say, well, we know about these, and, you know, every day that goes by they're adding more and changing more, but at least I don't have to check those, and I can keep reiterating and learning and getting that baseline higher. [Gough:] If all you do is just keep adding to your repository, it will get better as you use it. It does not take very long. So
again, think of the Bit9 opera: do not leave this on the network. I've said this at least 10 times. Trust the system because it's unplugged. I manage it when it's connected; the probability of them finding that box when I plug that in is almost nothing, especially if you practice this every day. You can highly isolate it; there are tools that are good enough to do this. Don't do this; that's my recommendation. And again, you want one from each type of system, and you'll be malware-free, right? These systems have got to be malware-free. [inaudible] So it's a response. Okay, I'll try my Yoda incident: you had, he'd help you with this thing. If you run
this and you can give Mandiant, Protiviti, or myself and Ian that short list of files, I'll be in and out of your environment in a week, and I will tell you whether the system's clean or not. Mandiant's standard engagement is two weeks, and they're off site all the time. So big savings in money. Want to convince management? Show them the money savings. You investigate the suspect system; use your repository; eliminate the files you know are good. If you bring in Mandiant or Trustwave, they'll love it, because they don't have to look through it as much either. Remember how Mandiant works: the agent goes on the box, scans everything, "give me that stuff that's fishy." Yeah, but I just
eliminated eighty, ninety, ninety-five percent of what you're looking at, so don't look at that. "Oh, cool." They'll love it. MIR is not intelligent enough to use this, but that's their problem. Your costs are far less; this is a money saver, it's real. You don't have to buy anything here; just go get some decent PC, workstation, or server, build these VMs on it. A lot of us have private ESXi to capitalize on. So how? Again, use traditional forensic techniques, which is low: SHA1, MD5 check, etc., whatever you want to do. A Python script, I don't care; there's a million ways to accomplish this. These tools I'll tell you right here are what we use. It's not hard; it spits out a nice
text file you can do a diff between text file a text file be good bad systems what's the diff all out great I now know where to focus check the bad ashes compare the good ashes scripted so you can do it faster but here you go tag you're it community effort the malware management framework is public community effort and I are saying please come out use renegade sixes talk use what you have if you've got a tweak to mcafee or whatever tool or write a script and you want to publish it to say i'm using this i'm doing this and i want to let other people have it will publish it for you on our website not a problem crank your
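The hash-and-diff workflow described above (hash a clean build, hash the suspect box, write both out as text, exclude the knowns so only the unknowns fall out), as an added Python example; this is not the speaker's or the Malware Management Framework's own code. The file paths and file contents in the sample listings are constructed, not hashes of real Windows files.

```python
"""Baseline-vs-suspect hash comparison: exclude the knowns, the unknowns fall out."""
import hashlib
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 every regular file under root; returns {relative_path: hexdigest}."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def to_listing(hashes: dict[str, str]) -> str:
    """Render as 'sha256  path' lines: the text file you can diff between two systems."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(hashes.items())) + "\n"


def parse_listing(text: str) -> dict[str, str]:
    """Parse 'sha256  path' lines back into {path: hexdigest}."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            h, _, p = line.partition("  ")
            hashes[p] = h
    return hashes


def unknowns(suspect: dict[str, str], repository: set[str]) -> dict[str, str]:
    """Drop every file whose hash is in the known-good repository, path-independent."""
    return {p: h for p, h in suspect.items() if h not in repository}


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample listings: a clean-VM baseline and a suspect host (not real file hashes).
GOOD_LISTING = to_listing({
    "Windows/System32/kernel32.dll": _h(b"constructed kernel32 content"),
    "Windows/System32/wbem/wmiprvse.exe": _h(b"constructed wmiprvse content"),
})
SUSPECT_LISTING = to_listing({
    "Windows/System32/kernel32.dll": _h(b"constructed kernel32 content"),
    "Windows/System32/wbem/wmiprvse.exe": _h(b"constructed wmiprvse content"),
    "Windows/System32/wbem/loader.dll": _h(b"constructed new file A"),
    "ProgramData/svc/update.exe": _h(b"constructed new file B"),
})


def triage() -> list[str]:
    """Paths on the suspect host whose hashes are absent from the baseline repository."""
    repo = set(parse_listing(GOOD_LISTING).values())
    return sorted(unknowns(parse_listing(SUSPECT_LISTING), repo))
```

Build the repository from several clean VMs (one per system type) by feeding each `hash_tree()` result through `to_listing()` and keeping the union of hashes; `triage()` then shows only the short list worth a human's eyes.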
stuff, use your cleverness, come up with something to better this scenario, post your ideas, we'll give you full credit, "I, so-and-so," links to whatever you want. This is for the community, for the world.

So again, what do we do? Use existing tools, yep, the ones we have. Default configurations don't work: Tripwire does not monitor WBEM by default. Where's my malware? Yes, where all of our goals are, not to mention the scripts that your file makes also go there, and they show up in the reports; there's no way to get rid of it. Kind of the same money. And again, we're a BigFix house. I do not patch with BigFix, that's its core purpose; they have an analysis language. Tanium would be another example, cheaper, if you don't want to deal with idea. The analysis we create in BigFix looks for all these things, which we'll talk about in a minute, and again you set up analysis filters and scans of file locations, file types, registry locations: has anything changed, anything new in the last 24 hours, anything added to the list of stuff I already know? Use your own tools to monitor what's left, figure it out. Splunk, awesome stuff; any SIEM can do it.

Well, I think one thing that's interesting is people are so fixated on real-time absolute detection, and when you look at the numbers, you know, things are going days and days and days and days and days without being detected. If you put basic controls in place, okay, that's lame that it took you five days: this was added to the startup, boom, then you look at it with your eyeballs and you're like, that's not good, that's bad. Hey, congratulations, you detected it in five days. We look at several thousand systems; you would think the report to come out of this thing would be too noisy. It is shocking how small they are, the actual changes that occur. I have one BigFix analysis, a renegade spot-on BigFix analysis I send to the service team, just one: if anything new in WBEM shows up, call everybody, malware's on the box. DLL injection with WMI, done, BAM, number one thing they love to do. So that's what we look at, that's the kind of stuff I'm talking about. I don't care what extension it is, I don't care what the file name is, I don't need to know anything about them. Our Splunk: can't say enough about the ability just to create real queries on your own, but you do have to have the log, you've got to turn stuff on. Everything else, okay, logging by default is not there; you have to enable it; it takes up storage; you've got to work with your team, yes, yes, yes, but man, when you do it's awesome. In fact, two top tools if I had budget and no tools: Tanium or BigFix, and Splunk, and obviously the storage to upload all those files, and I can protect you. I will be in that hours-or-minutes box, the blue that I talked about earlier.

And again, you want to use the NIST stuff, as was commented earlier? You are aware that that got popped, right? No, I don't trust that; I don't trust the maintenance of it; I don't trust the fact that it has more stuff in there than I'll ever need. So why should I look at stuff that someone else is giving me when I can take and build a box I know that's exactly like my environment and use that list? That's what I'm looking for. If I want to supplement and there's some intelligence that I can trust, then trust that hash, but again, if you go outside and start trusting someone else's hash, it better have some high level of trust.

So, malware management, third component: treat malware like vulnerabilities, there's no difference here. Microsoft says this thing is vulnerable, eat the patch coming out, or set this reg, or block this port, or whatever. Malware's the same way: what directory, what location, what extension, what can I learn from it, what reg keys? Set up the analysis, or your batch files or scripts, and go look for it. Exclusion of knowns: exclude the knowns and your unknowns will fall out. Unknown unknowns? No, no, no, I could start right here, look at these key points: here's the path the malware's taking, go set up an analysis or check to go look for it. Remember you've got that short list, now go look. Here's the key, here's a filename, here's whatever that's in here, some more programs and locations and variables. Take that information out of all these analyses, take a short list, create some scripts, use your tools and monitor these areas: WBEM. Don't worry too much about System32, Windows, AppData, ProgramData; look for new directories being created, all that. The other thing I think is really important is you're talking about Windows; these steps work really great on Mac and Linux, yeah, anything. This is agnostic here, I just have had Windows examples.

So again, next step: go use the repository, build one. You can prove that you're building one of these and using it to us; there's more about this in a second. Follow us on Twitter, Ian is am I to security, I'm hacker hurricane, follow both of us, sign up for an early adopter program. What's that? So if I could ask for the recording to stop, I will. We are not recording your slides because we all want this, right? You can't do it; it is doable; we approve