
Great to meet you. [Applause] Yeah, great to be here, guys. First off, you might be wondering why I've rolled my sleeves up. I don't know if it was like the rest of you, but when I arrived here this morning and put my shirt on for the first time in, what is it, two years now, I discovered that I've not only got a bit broader around the edge with those covid calories, but I've somehow got longer arms. So that's why I'm doing that. But anyway, down to business.

So today what we're going to talk about is the evolution of threat intelligence in the context of APT threat landscapes. My name is Andy Yates. I work for ReversingLabs; I'm one of the solutions architects at ReversingLabs. Over the next sort of 45 minutes, maybe a bit more, maybe a bit less, we're going to go into a number of key topics.

First off, we're going to look at what the typical latest threat intelligence is that we have around the construction of objects and files now: what we see in how these APT actors are really trying to function in today's world, what kind of evasion techniques they use, how they're getting into the organization, how they're trying to actually cause harm to the organization, and what that looks like in the context of those traditional security tools.

Now, what we're not talking about is things like anti-virus software and sandboxes. I'm not saying they're not important, because fundamentally, when we get into this, what we're looking at is that they actually have a right place at the right time. But we're looking at the latest and greatest of really advanced persistent threat techniques in this particular marketplace, and how we need to adapt and evolve to really protect against those advanced persistent threats as we go forward. So we're going to start by looking at how we unpack and look at those traditional methods. Sandboxes and AVs are going to be the two major components I talk about, and we're going to bring in the concept of things like static file analysis. Just a quick show of hands: anybody familiar with static file analysis? Yeah, I've got one over there. He says he does, but he really doesn't. I joke. But okay, great. And then we're going to talk about sandboxes in a bit more detail.

So why is it that these threat actors are able to actually compromise an organization despite the millions of pounds that these organizations are putting in place today? We're going to unpack that in a little bit more detail: how we need to evolve, and what those fundamental changes are. Today's session is not really about being a sales pitch to you guys at all. It's about giving you this intelligence, really about understanding where we actually see the market needing to go and evolve, and that's not about what we do, it's about what actually needs to come in the future. And then what we're going to do is a very quick live demo. We've got two scenarios, so fingers crossed the malware actually works, but we're going to look at the Everbe... anybody familiar with the Everbe ransomware attack? Yes. And Sodinokibi. Sodinokibi, base64 encoded payload, there we go. All right, cool, awesome. So we'll have a look at some of those.

All right, so first thing, and let's keep this clean, yeah. What do you guys... let me get some
opinions around the room. What do you lose sleep over the most, do you feel, from a cyber perspective? What type of things are you most concerned about? Any volunteers? You guys going to be quiet the whole time? Ransomware, yeah, it's a really great one, that's a really common one. Any others? Climate change, yeah, it's a great point. I mean, it definitely has an impact even within cyber security, right, people going after those types of organizations. Change control, another really great point there, absolutely. So these are all topics that we've heard about over the last sort of two to three years, and absolutely really prevalent, especially things like ransomware and change control and more kind of social-political type attacks.

But something that, when I was asked to do this session, I tried to think about: what are the conversations I've had over the last year and a half that I feel are a really prevalent topic? And really it's about being patient zero. So what do we mean by patient zero? Does anybody want to take that? Anybody want to give their opinion on what patient zero is? The entry point, yeah. The first person that might have been attacked by that particular malicious object, right. And this is again really starting to understand some of the fundamental drawbacks of that traditional threat intelligence component, because it fundamentally works on signatures. Somebody has to be breached first. Somebody has to have had that attack, they have to have been compromised, in order for that to have been seen before, and you could be that patient zero.

A great example of that is Stuxnet, and I know this is a really, really old example, but we go way back then, I think it's 2009, when Stuxnet came out. There were loads of zero-day type attacks that were embedded within that attack. It was well orchestrated. Fundamentally somebody had to be the zero day, but half the computers across the network had already had some form of this, and it was an indirect impact to their organization in some form or another.

So today's session is really going to start thinking about being patient zero. That's the core focus. As you go through these slides I want you to keep that in mind and remember that we're focusing this around zero trust and being that patient zero, and how you could potentially think about these organizations, whether it's your future career or your current career that you're working in: how do we prevent being patient zero?

So the latest types of constructs of attacks that I've seen over the last... is really that we're starting to see a real influx and increase in the amount of attacks that start to use unique payload wrappers. So fundamentally what
an APT actually does, and we're actually going to look at this with, I think it's the Everbe attack, what the threat actor group does is they have the same malicious script, and then what they're doing is wrapping it in a unique payload which changes the overall signature of the file, and then sending that to every organization. Now the problem with that is at some point the organization probably will detect, based on their vast array of other security investment products, that they've been attacked, and that will get pushed out to some wider threat intelligence company, they'll update a feed and it'll get pushed down again. But fundamentally you're going to end up in the same situation where it's a unique payload, it's not going to look the same, and a lot of these traditional kind of approaches that a lot of us have in our organization, they're really looking at it from the perspective of probably going one or two layers down within that file to actually understand what's embedded within it, or even things like sandboxing, and as we look at a bit later there are fundamentally a lot of limitations to those types of tools with these types of attacks as well.

Next thing is about obscure file types. So look, I think the flavor here is that the threat actor groups, what they're trying to do is, whenever we put something in place, they're trying to find a way around what we're doing. And so another thing is really obscure file types. Again, sandboxes are really great, powerful technology, but something I've really seen over the last year or two years is there's been a huge increase in the different file types. So you're not just looking at things like Word documents and PDFs and portable executable files; it's really obscure stuff like Android and APK stuff, OS, Flash and all these other various different flavors within that. And that's the difficulty, because they're trying to find ways that we won't be able to analyze or inspect those particular objects, and again sandboxes only handle a very small volume of certain file types, and maintaining those environments can be very complex and challenging.

The next thing is just quite simply embedding evasion techniques within those particular types of pieces of malware and scripting that actually obfuscate or hide themselves from the overall detection within those platforms. So again we'll come on to this a little bit later when we talk about some of the limitations, but things like logic bombs is a great example, looking at hardware specifications and so forth. Of course it wouldn't be really a proper slide if I didn't put up supply chain attacks. I think everybody in the room is probably familiar with SolarWinds. I'm not going to go into detail, I've got another session that goes into that, but of course Codecov is another great example, and then of course things like Fancy Bear coming out with more firmware attacks. Again the real flavor here is that they're just trying to find ways to get around whatever security measures are put in place. So again, even what I'm talking about, or that future landscape, at some point in 5, 10, 15 years' time we're going to have to evolve again. It's going to be that constant cycle. We can't just say no. If any vendor ever came to you and said this is your silver bullet for life, I
would show them the door, because they're talking absolute rubbish. There's no such thing as a silver bullet, but there are certain things we can put in place to really significantly increase how we protect ourselves.

So let's talk about the construction of objects today. How has it changed over the last 10, 15, 20 years, and how did we typically see those files originally? Well, we're looking at super large objects now. Before, you probably had one or two 100 megabyte files, maybe a couple of gig files; some files that organizations are using today are hundreds of gigs. If you're getting, let's say, a virtual machine, you could be getting a virtual machine from somebody, and embedded within that virtual machine could be malicious content, and that could be hundreds of gigs to analyze. So actually the job of the security operations centre is increasingly more difficult and more time consuming, because it's just unfeasible to do that in a manual approach.

Next thing is just the volume of different file formats. I think we're looking at thousands of different file formats now. And fundamentally, when we look at the analysis part of what you do when you do malware analysis, and perhaps some of you in the room may be specialists in this, there are fundamentally two major ways in which you analyze malware. You either detonate it, which is dynamic analysis, so you're putting it in a sandbox, a nice safe little environment, and you let it run and you see what the output is, you see the capability of the file. It's very much a black box: you don't care what the inner workings of that file do, what you care about is the extraction of it, where does it link out to, what does it change on the disk, what modifications is it making. The second thing is static file analysis, and this goes back years and years ago. This is a really traditional way; it took huge amounts of technical knowledge, you had to be absolutely skilled in it, and what you're fundamentally doing is understanding the file against its specification. So let's say a Word document: a Word document's going to have a header, it's going to have [inaudible], it's going to have resource components within the format structure of that file. What you're doing with static file analysis is looking at that specification and saying, against what we see here, is there anything that isn't quite right? And you do that by looking at the actual binary data from the file itself. Now the problem with static file analysis traditionally is that static file analysis is very much a manual step; it requires a lot of technical knowledge as well, and so fundamentally the problem there is you'd probably only go three or four levels. Now again, if we're looking at super large objects, that could be hours and hours to really analyze every one of those objects. So again, especially with file formats, it's something that really aggravates that situation; doing static file analysis you've got to understand what the specification of that file is.

Rogue containers. So rogue containers, essentially things like... what's that IBM product they've just purchased? I can't... I used to work for IBM, this is really embarrassing, I should know this. Yeah, it's Red Hat, but there's a product within it, the container stuff. OpenShift, yes, good man, that's what I was thinking of. So that's
fundamentally containers. Containers are about being able to move applications that are all pre-packaged up; it has all the resources, all the files, all the certificates, API keys, everything you need to essentially run it. And the great thing about that is that you can move that application from one OS to another OS and there's no problem, it's easy. But it creates additional security risks, because now you've got all this other stuff that's packaged up with it: you've got large products, you've got certificates in there, you've got API keys, you've got sensitive data. Again, another headache for organizations to really try and understand.

The next thing is really about certificates. Again, it's a common thing these days, we all try to put in additional security measures, whether it's crypto or certificates and all these other components, but fundamentally threat actors then try to use that against us one way or another.

And then finally, I think I've kind of touched on this, but that layer upon layer. You could be having a file that has four or five thousand different objects within that file that you've got to inspect and analyze, and you've got to find that needle in the haystack. It could be one file, it could be one class. You look at the Codecov attack: over a period of time, every time there was a spread he actually made modifications to their actual code base. He actually just introduced a blank class within the code initially, and then all it was was just an IP address that was siphoning off data. Really, really difficult to detect that kind of stuff, because it's a behavioral change. There's nothing malicious about pinging an IP address, and it's not using something like wincrypt32.dll to encrypt the hard drive; it's just quite simply siphoning stuff off to an IP, and that was within typical kind of behavior.

So yeah, this is where we are today. These are the challenges that not just organizations but all of us really face. It's just that organizations, in the context of those actor groups, they're going to go after them because that's where the money is, that's where the political gain is. Our risk vector as individuals is probably significantly less than that.

So let's talk a little about AVs right now. AVs again absolutely have a place in our organization, really important. They're going to protect us from 90% of those threats: the script kiddies, the people that are buying commodity malware. To be perfectly honest, I'm not really too worried about those kind of people that are necessarily finding that malware. What I'm really worried about, and what keeps me up at night, sorry about that, is the APT threats,
right. But in terms of how AV works, and where we start to think about the limitations with these platforms, it's that they're extracting data from website scraping, you might be looking at honeypots where they're just scraping, trying to capture people, you've got malware flying across the internet and dark web crawling, this type of stuff: the malware that's already been seen before. Okay, that's kind of what we're getting at now. In terms of an AV process it could look like this. So an organization could get a number of different files. It could be ransomware, it could be an encrypted PDF, it could be a phishing attack of some kind with an attachment, or any one of thousands of different file types. The first thing you're going to do as an organization is you're probably going to send that into your AV tool. It can execute on the endpoint, your AV is going to kick off and it's going to be like, right, have I seen the signature? And it's going to think, all right, awesome, haven't seen it. So what does the AV do? The AV comes back and says it's either malicious or it's unknown. What happens if it's unknown? Because it's not goodware, but it's just... it's malicious, we've just not seen it. Again, first problem: typical kind of threat intelligence, when we look at these types of tools that we've got in place today, it's very difficult in the world of automation. It's something where we're not actually calling out when something is goodware, and you might stand in the room today and say, well, it's really difficult to know for certain if that is goodware, but again we've got to start making gains in that space to really start to highlight when we know for certain something is goodware. Or what alternatively could happen is it could go to an AV vendor itself and it could actually be analyzed, and it's that kind of... my really bad skill at designing PowerPoints, this is like a 20-minute gun... but trying to push into the AV, the AV might actually reach out to the AV scanner because it's not seen it before, and they might do some analysis. It might require actually some manual intervention. Somebody might sit there, they might try and unpack it, they might even apply static file analysis, maybe they use a sandbox or something, and that's probably going to take in excess of eight hours. And that's then eventually going to get pushed to an AV signature list, and then that's going to go back down to the AV scanner result. And the long and short of all of this is that you may get an alert, but again, that patient zero. So we'll look at some of these attacks. The Everbe one is a great example of this: AVs are just not going to detect everything because of the way that they're wrapping a lot of their stuff in unique payloads now. And so actually, when it comes to detecting the real patient zero stuff, we need to change the way that we're actually approaching some of these processes in which we investigate an incident.

So let's jump over to more of the kind of sandbox side of things. Okay, AVs have a place. Let's talk about sandboxes. Absolutely great: detonate a
file, see what it's capable of doing, get the extraction from the network calls, is it pulling down additional droppers to install; it's all about, do we see anything that we think is malicious? And typically I've never had a bad experience with a sandbox. I think sandboxes are great. I think actually, in the context of broader security tools like SIEMs, the actual amount of false positives is actually not too bad, I think they're pretty good. Of course that requires a bit of tuning, as it would with any of these kind of SIEM platforms and so forth. But the limitation is, again, as it stands today a lot of these threat groups know full well that organizations are using sandboxes and they're detonating the malware to see what happens. So they put in an evasive technique, such as it requires some kind of user interaction: if the malware doesn't see that the mouse is wiggling and somebody's actually going to click on it and all that stuff, it's not going to trigger off. Or it could be system characteristics: does it look like that machine is used by an actual person? And by that I mean the amount of time that the machine's been up, how often it's used, is it particular time ranges. There are loads and loads of different characteristics they fundamentally embed within a lot of this malware for the evasive side of things. You've got the environmental side of things, the specific NICs involved, so you've got your VMware or whatever the hypervisor is that's sitting under it; it's actually understanding what's going on, they're trying to detect a lot of that stuff. I mean there are some threat groups, when I've been looking at malware the last sort of six months, that have put in really interesting things that are more kind of political based, such as if it has a language pack that is Russian it won't detonate. And that's because obviously if you're a hacker in Russia you do not want to be hacking a Russian laptop or computer accidentally, because they don't take that very kindly. They don't care if you go out and necessarily do something outside of those types of countries, but having that kind of stuff within your computer gives a real insight into that kind of geopolitical landscape. And then finally logic bombs: so we're not going to detonate for the first 30 days, okay. Just simple things like that, specific things just to evade the standard processes in which organizations would use something like this. Just a quick time check. Okay.

So time consumption: it takes 15 minutes on average. Most organizations are getting thousands and thousands of files a day minimum. We have some customers that actually are doing millions of files per day, and that's really difficult when, with scalability, most sandboxes probably have a limit of around 20,000. I have seen some theoretically go up to about nine hundred thousand, but again it's hugely expensive, it's very difficult, and we then start thinking about what the ROI is, and organizations just can't keep pumping money after money after money, because security cost is just going to get out of hand and it's the end users that are going to pay for it. And then limited file type
recognition. So what I've done here is just a comparison between what static file analysis does and what dynamic analysis does. The advantage of the dynamic analysis is that you get any additional network component: if you're downloading a dropper or something like that, that's a great advantage to using something for dynamic analysis. But in reality I think organizations probably only need to use it a very small amount of the time. We've come a long way now with static file analysis; in fact there are loads of tools out there that are fully automated in applying static file analysis. So the idea is that you could actually analyze thousands and thousands of files in a very short time frame, get a very quick verdict over what is malicious within that, and then only send a very small amount of that to your dynamic analysis. But again we'll come on to this in a little bit more detail around the approaches that could be possible and how we need to adapt as we go forward, but that's my next slide.

So how do we need to evolve? And we start to unpack some of those challenges. So on the left hand side, just examples of the different types of files that you might have coming into your organization. We need to be very consciously aware that whatever solution or process the organization is putting in place, they need to understand, maybe even from a policy standpoint for their organization, what we're going to say is acceptable in terms of different file formats. We can't just allow everything, potentially, because the organization just wouldn't be able to analyze everything like that. We need to have an ability to actually understand and identify those various different file formats. In that regard, for the organization and how we actually analyze these files as we go forward, we need to really think about how we're able to unpack and de-obfuscate. A great example is portable executable files, PE files. There are something like 400 different packers; that's very, very difficult, and again it's another technique that threat actor groups are using to pack files that are then simply evading other detection methods such as, again, sandboxes.

File reputation lookup: there's existing threat intelligence stuff. Again, it's really important, we need to get better at sharing information. I think there's absolutely a time and a place for certain threat feeds and threat sharing information, but we don't just need to get better at sharing information but also keeping it private to the correct individuals and the correct organizations. VirusTotal is a great example, where you upload a file, it could be a sensitive document, it could be a sensitive hash, and that gets shared with loads of other organizations, and threat
groups actually monitor things like VirusTotal now to keep an eye out to see if that file, that piece of malware that they've got out there... again, if you've got a unique payload, that's what they're looking for, and once they see that they're just going to play all their cards and they're going to get out as quickly as they can. So you don't want to spook a threat actor. So again, file reputation: picking not just the right one but thinking about that privacy is incredibly important.

Threat indicators: we need to do huge amounts of work in this industry to really understand those threat indicators, how to extract that, what are the types of capabilities that these threat groups are going after and what are they looking at, how can we identify and improve the overall behavior detection of it. Functional similarity: trying to evaluate and actually understand how these malwares actually relate to each other, because this is very much a SOC concept. Your process in how you approach every single attack, as you approach a ransomware, that's going to be very different to how you approach, let's say, a trojan horse or a DDoS attack or commodity malware, or even something like a lost USB stick. Understanding the various different flavors of malware, let's say, is really important to actually dictate how you actually flow through that process. And then finally we need to think about how we classify these various different threat levels. The amount of times I've seen threat feeds come in from various different vendors over the years, and everything's always flagged as super malicious, and it's just like, where's the priority? Like, guys, everything can't be a P1. So picking again a threat intelligence that really helps you to understand the impact, the risk and the impact of these threats, and put it in the context of your organization is incredibly important. And of course we need to work on how we actually do that dynamic analysis as an industry. And just along the bottom: millions of files per day. Our organizations are going to grow, we're going to be taking more files, this is just going to get bigger and bigger. Results in milliseconds: we cannot be waiting 15 minutes for us to get a result back from a sandbox. That's just not going to scale when we have a zero trust methodology, which is the big in thing now, isn't it? And that's the kind of capability we need to get as an output from this.

So are you all still with me? I haven't bored you all to death? Yeah, I'm good. Yeah, don't talk much. Go on, get rolling. Right, so this is where I was always told never to do live demos, because they go
wrong, but we're going to do it anyway. So who wants to start with sandbox and who wants to start with threat intelligence? Who wants to go first? Put your hand up for threat intelligence: we've got one, two, three, four. All right, cool. Oh, five. Yeah, he wants to go for sandbox, yeah. I think it's sandbox first, and to be honest we might only have time for one because I talk too much. Oh, now you guys laugh. Okay, all right, good stuff. So let's go for the Sodinokibi. Some of you put your hand up and said you were familiar with Sodinokibi, right? Okay, yeah, cool. So Sodinokibi, this is a part of the chain of attack; we're only going to start looking at the entry point. What happens here is it's actually an agent.crt, that's a certificate file. This certificate file has actually got some malware embedded within it, and what we're going to do is go through the process of actually unpacking and seeing what they've done here. It's a very quick kind of demo and we probably will have time to look at it now. Where this really evades detection with a lot of sandboxes is actually this particular agent.crt and how they approach it, and it evades that detection within that certificate itself. I don't know if any of you want to take a stab at what that is. Yeah, it's code, yeah, and it's encoded, so it's base64. So again, what happens in a sandbox: you're going to load that certificate into your sandbox, and when it goes into your sandbox it's going to boot up certutil and it's going to try and run it, and then it's going to realize it's base64 encoded and it's just going to throw a wobbly and it probably won't do anything. And again it's a really simple technique. It's going to evade detection by a lot of other security tools because it's base64 encoded, and only if it's on a customer's environment, an actual endpoint that's being used by an end user that probably has various different modules running in it, might it even download and say, hey, I've got to do XYZ, and the user's not going to think anything of it.

So what happens when we actually unpack that base64? We'll have a look at this in a little bit more detail. Unfortunately... using this particular tool today, the A1000, it makes the investigation... it sounds like such a salesy thing, but you go through the investigation quite quickly. But what we do is, if I decode that base64, which is done there for me, I drill into it, and actually what happens with this agent.crt file is that embedded within it was actually the REvil attack. So again, if we start to actually look down at the particular capabilities of what that REvil attack was, we can see here, based on some of this stuff like we spoke about before, there are evasion techniques to prevent security products from actually detecting it. So even if the base64 itself was decoded, and somehow somebody did that via manual detection or maybe some other security products, they're doing layer upon layer of evasion techniques. This is a great example where they're targeting very specific security tools within that to actually evade that. Now in terms of the overall capability of this REvil attack, what they're doing there is they've got ability around execution: it's an executing file, being able to terminate processes, which again could be used as an evasion technique, terminating certain processes that prevent additional access; any references to service modules as well, so again allowing some capability around the .NET runtime. So this is a very quick look at a great example where a sandbox just simply would not detect that type of attack.

Now what I'm going to do is I'll flick over to the Everbe. I think this is probably going... we've got nine minutes left, we'll just skip over to this. So this here, and we would do this as a great example. So I actually loaded
up VirusTotal, and again, no beef with VirusTotal, right, they're really great, they've got lots of data on AV stuff and it absolutely has a place. And so they've detected this, right, so 50 of the AV scanners flagged up and said yeah, this instance of everb we've seen it before, no biggie, you're all good. Well, the APT group that actually put it together, they were actually wrapping it in a unique payload every single time. So again, maybe what we could do here is we'll go down to the extracted files, and it's a PE file, so it was actually using UPX, it was a packed file, so again it evades detection by some of those
other different tools, and they don't realize there's something packed within it that is actually the malicious component. So it was originally actually branded as ransom crypt against a lot of threat intelligence kind of feeds when I was initially looking at this attack. Now what I do here is I'm just going to very quickly take the hash of the embedded malicious script of everbee that was within that as a packed UPX file, and now put it through VirusTotal. It doesn't find it. No AVs have ever seen that before, even though it's been circulated thousands and thousands of times. It's always going to be wrapped in a unique payload, and that particular file had never been seen. So to me, and this isn't the first
instance, there's loads and loads of examples of particular files where, when you really break down what's going on, they're wrapping it every single time. And so those AV scanners, your threat intelligence feeds, all of that, they absolutely have a place, they're going to protect you 90% of it. But what about that small volume of different attacks where they're really targeting you? How are you gonna unpack and understand those particular types of malicious software? So, great question. So I'm not a CrowdStrike engineer, but they do, that's next generation AV. So next-gen AV does have, essentially the CrowdStrike stuff is more like an EDR type platform, so what they're looking at is
essentially the execution on the endpoint. So it's very similar to what happens with things like sandboxes, right. So it probably would have detected the everb attack, but could have in theory allowed some execution of things like the Sodinokibi type attack. So EDRs definitely have a place and they are important, but you're putting a lot, it's your final wall of defense before execution. The idea here, and something I probably haven't mentioned, is that, you know, how we apply security should be zero trust before we get to an endpoint. It should be layered security. So, you know, something I was actually about to finish on is that as soon as something comes
into your organization, whether it's a firewall that does it or it just dumps onto something like an SMB or S3 bucket, we should be applying, you know, security measures to zero trust that particular object before it even gets to an endpoint, right. Because when it gets to the endpoint, you know, if something goes wrong or the agent isn't available or it's overloaded, that's too late, isn't it? So it's about layered security with these things. Does that hopefully answer your question about CrowdStrike? It's probably the best I can do, I'm not a CrowdStrike engineer, right, so sorry, but EDRs definitely have a place, right. Okay, so I'm just going to do my closing
statement, right. So, all right, so, can I work... so my idea is, look, zero trust is absolutely where we should be going towards. There's never going to be one tool that is going to solve everything, and I think that's a really great point there. You know, there's absolutely going to be other tools that are going to have great approaches to detecting stuff. CrowdStrike is a fantastic platform, it has an AV that is more like an EDR, and EDRs are good, but if EDRs were so amazing we wouldn't be hearing about breaches in the news every single day. And my idea here is not about coming along and saying, hey, you know, buy ReversingLabs. It's trying to give you
the reality and the picture of what is actually going on in today's world and how these attacks are working. Fundamentally, what we're seeing in the marketplace, and where we're going to have to evolve over the next few years, is trying to apply multiple different techniques, and static file analysis is just one of those that could potentially help with that kind of picture. But whatever we put in, whatever organizations are thinking about investing in, it's got to be around a zero trust approach, right. We cannot be, you know, going along this typical kind of route of saying here's a sandbox and it only does 20,000 files per day, because that's just not going to scale, and how
do you select what those 20,000 files are? Because it's probably already executed on the endpoint by that point. AVs, you know, they're fundamentally great, again, but they're not going to detect everything. And so, you know, if you're a small or medium-sized enterprise your risk vector is probably quite small, maybe that suits where you are and you've gone through your Cyber Essentials, but if you're a large corporation then you've got to start thinking about other things, you know, static file analysis, dynamic analysis, you know, EDRs and so forth, things like SOAR, right. We talked about that AV earlier, eight hours potentially to get a feed updated, you know, within an AV feed. You know, within SOAR,
one of the key things everybody bought SOAR for is the reduction in time to respond, and the talk of, you know, minutes matter, right. And if you've got eight hours and it's a ransomware attack, those eight hours is a hell of a long time for that to be encrypting across your estate. So in terms of reducing that, SOAR, we need to start understanding what files are good, and really get better around how we can actually improve the overall triage of an incident, taking an ingestion of data and actually having a higher degree of just saying, you know, this is malicious or suspicious, and getting better with those playbooks. Again, augmenting sandboxes with, you know,
some level of static file analysis I think is probably the biggest change I've seen over the last probably one or two years, and I think it's definitely where organizations will start to invest over the next coming sort of five, ten years, to augment that sandbox, because we're now starting to get to that point of limitation with it. And then finally, yes, just incorporate something that starts to have the ability to unpack encoded or packed files, especially ones that are going to start recursively analyzing. A lot of those attackers are really starting to embed these attacks within, you know, one or two files within thousands. So you could wait for the behavior to be detected, but by
that point I personally think it's too late. Anyway, so with that I'm gonna pause there. Thank you ever so much for your time. I think I've got two minutes for questions, and I'll open up. You do indeed. Hi, can we get rid of applause first, actually? Yeah.
If you have questions, we do have two minutes. So, awesome, and your first description on there for the Sodinokibi, yeah, yeah, you've seen the sort of like a package that was delivered and how it was embedded in the certificate, yeah. Surely you should be able to look at the size of that certificate and say, this is too... right? So, that is another method of doing the analysis, but you'd be surprised how few organizations look at the overall info of that file and say, crikey, 800, still, on that, God's sake. Yeah, three times the size of it. Yeah, yes, 800 and 860,
890 kilobytes of file. It's basically one code, obviously, basically Paul could reduce the overall size of it, but that could be an indicator. Problem is, though, is that enough to really say it's malicious or not? And that's the problem, it goes to somebody to manually investigate it, and that brings us back to the skills problem, you know, the volume problem rather. So it could be an indicator, but I think what we need to do here, being able to detect that base64 is a bigger indicator that something's malicious than the overall file size, but it's absolutely an indicator of it. Does that make sense? Yeah, yeah, awesome, thank you very much. I think we
are running out of time for questions, so I think we deserve another round of applause for that point. Thanks very much.
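The checks the talk walks through and the Q&A point about certificate size, as an added Python example that is not from the talk and not ReversingLabs' own tooling: decode the base64 body of a certificate-style file, look for a PE (MZ/PE headers) inside it, read its section names to spot UPX packing, hash the inner file rather than the outer wrapper, and treat an oversized certificate as the weaker indicator the Q&A describes. The 16 KB size threshold, the fake PE fixture and the two PEM samples are constructed for this example (the fixture has valid headers but is not executable).

```python
import base64
import hashlib
import re
import struct

# Assumed threshold for "this certificate file is suspiciously large". A normal
# PEM certificate is a few KB; the value is a choice for this example, not from the talk.
MAX_NORMAL_CERT_BYTES = 16 * 1024

PEM_BLOCK_RE = re.compile(rb"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)
# Long runs of bare base64 outside PEM armour (the "detect that base64" point).
BARE_B64_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){64,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")


def _safe_b64decode(body: bytes) -> bytes:
    """Decode strictly; anything that is not valid base64 yields b''."""
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return b""


def find_base64_blobs(raw: bytes) -> list:
    """Return decoded candidates: every PEM body plus any long bare base64 run."""
    blobs = [_safe_b64decode(b"".join(m.group(1).split()))
             for m in PEM_BLOCK_RE.finditer(raw)]
    remainder = PEM_BLOCK_RE.sub(b"", raw)
    blobs += [_safe_b64decode(m.group(0)) for m in BARE_B64_RE.finditer(remainder)]
    return [b for b in blobs if b]


def pe_section_names(data: bytes):
    """Walk the DOS and COFF headers; return section names, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = first + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(section_names) -> bool:
    """UPX leaves its own section names (UPX0/UPX1/UPX2) in the packed image."""
    return any(n.startswith("UPX") for n in section_names)


def triage_certificate_file(raw: bytes) -> dict:
    """Apply the talk's checks to one file's bytes and return a small report."""
    report = {"size": len(raw),
              "size_anomaly": len(raw) > MAX_NORMAL_CERT_BYTES,
              "embedded_pe": []}
    for blob in find_base64_blobs(raw):
        names = pe_section_names(blob)
        if names is None:
            continue
        report["embedded_pe"].append({
            "sha256": hashlib.sha256(blob).hexdigest(),   # hash the inner file, not the wrapper
            "size": len(blob),
            "sections": names,
            "upx_packed": is_upx_packed(names),
        })
    if report["embedded_pe"]:
        report["verdict"] = "malicious"      # a PE inside a certificate has no legitimate reason
    elif report["size_anomaly"]:
        report["verdict"] = "suspicious"     # size alone is only an indicator, as the Q&A says
    else:
        report["verdict"] = "clean"
    return report


def build_fake_upx_pe(total_size: int = 200_000) -> bytes:
    """Constructed fixture: valid DOS/PE headers with UPX0/UPX1 section names,
    zero-padded to total_size. Not executable; it only exercises the parser."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))   # e_lfanew = 0x80
    hdr += b"\0" * (0x80 - len(hdr))
    hdr += b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections=2, no optional header
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    for name in (b"UPX0", b"UPX1"):
        hdr += name.ljust(8, b"\0") + b"\0" * 32
    return bytes(hdr) + b"\0" * (total_size - len(hdr))


def wrap_as_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-armour bytes the way a .crt file would, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()


# Constructed samples, not artefacts from the talk.
BENIGN_CERT = wrap_as_pem(b"\x30\x82\x01\x00" + bytes(range(256)))   # DER-looking, small
TROJANISED_CERT = wrap_as_pem(build_fake_upx_pe())                   # the agent.crt pattern

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_CERT), ("trojanised", TROJANISED_CERT)):
        print(label, triage_certificate_file(sample))
```

The report's `sha256` is the hash of the unpacked inner file, which is the value worth looking up in a reputation service; hashing the wrapper, which the talk notes changes on every delivery, tells you nothing.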