
2016 - Ian Trump - Basic Malware Analysis – dispelling Malware FUD

BSides Manchester | 57:23 | 291 views | Published 2016-09 | Watch on YouTube ↗
About this talk
Basic malware analysis can determine "what went wrong" with your security defences and how to guard against follow-on attacks. Breaking a modern infection down into three stages, attendees will understand the relationship between exploit, payload and endpoint result, and how to protect their network environments from modern threats such as ransomware and trojan programs. Using real-life examples from two criminal investigations, participants will learn several strategies to dodge "common" or "uncommon" attacks on their networks. If you're interested in understanding the threat at a granular level, this presentation is totally for you.
Transcript (en)

Thanks, guys. I'm just really excited to be here, although I am a little bit jet-lagged because I've done Miami and a week of shenanigans at DEF CON. I'm a security operations goon; I've been there for two years as a security operations goon, but I've actually been going to DEF CON since 2000 and tried never to miss a year. My whole approach to this presentation is really going to be from some of the personal experiences I've had. A lot of support from the IT security community; please follow me on Twitter, I'm @fat_hobbit, for obvious reasons: when I'm fat I look like Sean Astin, but when I'm thin I look like Henry Rollins, so that's a

that's a pretty good thing. So I'll just tell you about my role a little bit as global security lead. Come on in, guys. Wow, didn't think I was going to be this popular, but no, malware is fun. In my role as global security lead I kind of pick up the basket for a SaaS company with 17,000 customers worldwide and about 3.5 million endpoints, so these are normally small and medium businesses using our application to monitor and provide a platform to deliver security on. What I'm going to talk about, in a lot of cases, is really about an investigation that I was brought into when one of our customers picked up the phone and said, "We're kind

of screwed, we've been attacked, what can you do to help us out?" And this is going to inform this story quite a bit. I tend to do a lot of traveling. I'm located in Edinburgh, Scotland; my second home is Heathrow Terminal 5, yeah, you know, the BA lounge at Heathrow Terminal 5. And I hail from Winnipeg, Manitoba, and one of my gigs which I'm really proud of was I was the lead architect and project manager for something called the Canadian Centre of Human Rights, and we put together, from basically layer 1 all the way up to layer 7, a security regime to protect the information within this building from advanced persistent threat actors, okay,

which of course lasted until the last three days, when the Shadow Brokers dropped a whole bunch of 0-days for Cisco ASAs, making our lives really miserable. And you know, one of the things is I was asked to comment, I think it was for SC Magazine, on this. Three, four years ago now we had the Hacking Team breach, right, the shady Italians that were building surveillance software using zero-day Flash exploits, while 600 gigabytes of their data ended up on the web, which spawned off our current, you know, flock of exploits. I tend to think that these zero-days for Juniper or Cisco and other manufacturers are going to result in a

free feeding frenzy by cybercriminals. I want to share a really seminal event that happened at DEF CON, I don't know if you saw coverage. Anyone here go to DEF CON? All right, good, okay, sorry if I yelled at you; in my role it happens. So this is really interesting because autonomous work there has now come to the security pen testing environment. What we're seeing is essentially computers that are building exploits and patching systems autonomously. Now, the fact that it was at DEF CON, and there were 22,000, roughly, and more, attendees, was really important because this sent a very powerful message to nation states that the United States now has the

technology, and I'm Canadian by the way, but the United States has the technology to [ __ ] wreak havoc on networks. Now the good news is, who here is a pen tester, badass, novel writer, who are those people in the audience? Okay, no one puts their hands up, that's good. But the point here is that this is a message saying, listen, we are building the capability to unleash hell on a nation-state adversary, okay, autonomously. So it's something to keep in mind. Now the good news is that this machine went up against some of those skilled hackers that are allowed to travel to the United States, and the good news here was that

they soundly kicked this machine's ass, okay, so we're not in a situation where the machine won against the humans yet, but they didn't go up against IBM Watson. Now, this presentation was designed to engage and talk about malware, but my opinion is backed up by the numbers from the FBI: our biggest problem in cybercrime has nothing to do with malware, folks. You would think from, you know, Gavin's presentation this morning, you would think this is all about, you know, ransomware, denial of service, this stuff in red that you see, but look at what our top victims are, at least in the United States: non-payment, non-delivery, okay; 419, overpayment, that's where I send you

a check and you get to keep some of the check to test to make sure your bank account's working; identity theft; and auction. Certainly identity theft is a result of malware, okay, but the biggest loss is happening here. Now, auction is basically I put a picture of a tractor up, you pay for it, and then I never send you the tractor. So one of the things that is really interesting, whoops, let's go back, is we're seeing a trend where business email compromise, that's the hackers asking nicely for you to send money, okay, no malware really used in this type of attack. So when you think about the security stack, the technology piece that's designed around anti-malware, one

of the biggest things that we could do collectively to win against cybercriminals is do that user security awareness training, because user security awareness training doesn't just work inside the business, it works in the home and on the mobile platform. And the biggest problem that we're having in cybercrime right now is we're building excellent business bunkers, but we're not talking about the home PCs and the mobile platforms as much, which are really leading to the number-one losses that are out there. And if you listen to the media's hysterical reporting around ransomware, think about the individual experience of ransomware. What is it? It's generally, how do you think of it, it's a brick through your car

window, okay. It's not something that is, in any sense of the word, costing 246 million dollars the way business email compromise is. Now I'm pretty sure the other problem that we have with these statistics is, are you really going to call the police and file a police report for something that's considered petty theft, for, you know, half a Bitcoin in ransomware, two Bitcoin in ransom, right? You can't even get a police constable out once your home is broken into. So I would suggest that probably the ransomware issue is underreported overall. Which brings us to, how are we going to combat this fight? Well, we have to move away from sensationalism. Who here remembers the hospital that got

breached in the US? Right, which one? Right, exactly, that hospital breach. So initially it was, what, 3.2 million dollars for the ransom, and then when somebody looked up how much an actual bitcoin cost, it went down to 17 grand. University of Calgary, another one, you know, twenty thousand dollars in ransomware. These are the sensational things that we're talking about. In general, what is the cost of a ransomware attack? 150, 200, 300 dollars, right, the actual cost. Now there's cleanup costs and some other stuff like that. A couple of problems that we're having: there's a great presentation by two of the top security researchers at Kaspersky that talks about the problems with attribution. To finish the argument

on attribution, I'll just say it right now: the only people qualified to do attribution are the various Departments of Justice, because once they have enough information to lay down, they can go to a court and the court will actually say, you know, I think these are bad people, right. The problem that we have is we have a lot of administrative talking heads in the media that are going to pin things on the Russians because it's politically convenient to do so, and the attribution, again, is very difficult to do. The other thing that we have, especially in the small/medium business world, is gigantic reports that come out from, like, Cisco and from Verizon. They talk about enterprise

struggles but are not talking about the small/medium business experience. And what is the difference? The bottom-line difference for an SMB/SME getting attacked by cybercriminals is it's an extinction-level event, potentially, for them, okay. It is not an extinction-level event for Lockheed Martin, right. And we all know about Titan Rain, the attacks that went on now close to, what, 15 years ago. Lockheed Martin got breached as a result of the RSA hack and they lost hundreds of millions of dollars in intellectual property, okay; they are not out of business. So that's something to consider. So if you're going to do some malware research, really basic malware research, where is the best place to find it?

Certain content sites, okay, so this is one of those slides I like to put up. If you're on the offense and you want to look at things like drive-by downloads, with hopefully a VM and not your actual own PC, these are great places to find malware and script-based attacks and JavaScript injections and stuff like this, which absolutely tells me that preventing users from going to places like this with their work PCs and with their home PCs is probably in the best interest of all of us that perhaps don't like, you know, getting that phone call saying, hey, something's renamed all my files to .locky on the end of them, what does that mean? So this is a great place

to actually find malware. Also email, not surprising. These are some stats that just blew my mind: that 93% of phishing emails contain ransomware, right. So if you don't have some sort of mail gateway filter and you're running an unpatched old Exchange server or sendmail, you're just asking for a world of pain, okay. So really, if you're in front of your customers or business and you want to make a little bit more of an investment in security, clean email at the perimeter, some sort of filtering device, or in the cloud first, and grab it. And actually, funny story here: Office 365 and Google are getting a lot better at detecting malware embedded into emails,

and by a lot better I mean, you know, one out of five, okay, it's not exactly a tremendous amount. So here's the threat actor that we talk about a lot of the time. You'll see that this was delivered by a Visual Basic script, so the question becomes, in malware, if this is designed to be delivered by a Visual Basic script, what is the exploit? The exploit is the human. The exploit is the human that perhaps wasn't paying attention during security awareness training, or in the last presentation, about enabling macro content, okay. So this is where we as security practitioners rely too heavily on our technology stack, and you can see all the different layers that this threat

bypassed, right, and essentially it hosed the endpoint with ransomware, okay. So my point is, this is the number one takeaway here: accept the fact that your security stack is going to fail, okay, and accept the fact that your job, or your customer, your continued relationship with your customer, comes down to you being able to recover from when the security stack fails, because it will. And we'll be talking about how to make it fail in a moment, but first I want to turn some attention to what I call the threat landscape from the perspective of the attacker, okay. So when we look at the inventory of software across all of the machines in the U.S., we can get a good

idea of where the attack surface is going to come from, and this is a great example. Look at number one, right, courtesy of the Hacking Team, as I said earlier on, about three years ago, bunches of zero-day Flashes. Cybercriminals generally are lazy, so they are going to take that stuff and reiterate it, and reiterate it, and reiterate it, finally to the point where major vendors like Google say enough is enough, we're pulling Flash support completely in Chrome, and I think that's starting soon, so that's really good news. Here's where we have been left out, okay: so Apple pulled support for QuickTime on PCs, not on Mac products, okay, but you guys are all hackers so you're using Macs, but the

point here is, back in the day when we were building our base images, who here was installing QuickTime, and then occasionally had to install iTunes, which surreptitiously installs QuickTime, right? So we have a gaping vulnerability here, because when these two zero-day advisories came out, Apple's response was, nah, we're not supporting QuickTime on PCs anymore. Now that's a problem, okay, because eighty percent of the install base out there has QuickTime in one version or another, and that's a clear and present danger. Which kind of goes to what I said in terms of ransomware marketing: you've got University of Calgary here, average ransom around 300, and, you know, millions of dollars being made in ransomware.

These are depressing stats, and the fact that cybercriminals are kicking our butts in a lot of ways leads to what I'm going to call IT depression: why we drink too much, possibly why we don't get enough exercise, a whole bunch of personal reasons go into that. The point here is to look at a ransomware incident as a free pentest, okay; it's going to make you more aware of the organization's lack of investment in security. Now, I do not recommend pointing the finger, saying I told you so, when it happens, but you want to get into a constructive dialogue about this kind of stuff and say, well, it could be a lot

worse, and here's why, right. So look at it as an opportunity. I also think that cybercriminals really enjoy ransomware because they know that they could actually end that business, and it is more profitable to them to revisit that business occasionally; maybe every six months they have a little Outlook reminder saying, hey, we should go and see if these guys have cleaned up their ransomware and tightened their security from last time. So that's the way that we need to approach this. The other thing that we need to do is we need to understand fundamentally how malware gets on the systems, and it's not magical, okay. It all has to do: something has to exploit a system vulnerability or a

user vulnerability for access; it has to do that thing; it has to install some code in the system memory; modify the registry or WMI for persistence; generate network traffic to a command and control node; possibly drop files on the system, although there is fileless malware; and run an encryption process against your files, if the payload, which we're pretty certain in the SMB/SME space is going to be some sort of ransomware attack. If it's not doing the above, it's not malware, okay. So that's a couple of things to keep in mind when you are looking at malware, and specifically the cyber kill chain brought to us by Lockheed Martin. So I just want to go

through this a little bit so that you understand, when we're picking apart a piece of malware, where we can see the opportunities and look at what is failing at our business. Now, I tend to think that recon or weaponization, unless you have big dollars to get something like Darktrace or a threat intel feed for typosquatting or something like that, recon and weaponization aren't things that we can really do much about, okay, because it's all happening out there in the cloud, or whatever we call it. But delivery, exploitation, installation, C2 and the resulting actions we can do something about, okay. We have tools and technologies that belong to that part of the infection and that part of the exploit and that part

of the activity; we have tools that we can do something about that situation. So this slide is up here to suggest to you that we should not become demoralized, but in fact we have, odds are, the opportunity to interdict the malware using a variety of different technologies in each of these categories, and some of them do overlap, and we'll talk about what that is. So with seven-time Grammy award-winner Taylor Swift, she is going to help us understand exploitation, okay. So as I mentioned, the Hacking Team hack, right, well, look at some of the pricing on how much 0-days go for that they were selling, okay. Previous to this disclosure it was all kind of shady and made-up numbers, and

now we know what they were selling this stuff for. We understand the relationship between the cost of these exploits to the cybercriminal underground, hence a huge rise in bug bounty programs in order to combat this, in order to make it more likely that a cybercriminal, or wannabe cybercriminal, or a black or grey hat, is turned towards white-hat-ism by selling to a bug bounty program instead of going down the road of criminality, okay. And again, you know, there's a direct correlation between what Hacking Team billed and what we're seeing here in terms of the exploits. So this is Recorded Future's data: eighty percent of the exploit kits that are in

use today are targeting Adobe Flash, either unpatched or zero-days. So what is our first lesson? Uninstall Adobe Flash and we have a hundred percent defense against attacks attacking Adobe Flash. We have a few Internet Explorer attacks out there, about ten percent, and who's the super nerd that knows what that symbol is? Silverlight, installed by default for no goddamn reason I can figure out, other than to log in as admin to an MSDN portal, because somebody told me that it was required for that; not a hundred percent sure if that's [ __ ] or not, but the point here is that it's lurking in there on all of our machines, and I can't figure out, at least in our enterprise,

what the hell anyone would need it for, all right. So I would like to get rid of Silverlight, which brings us down to about a ninety percent defense. Now again, what I really want you guys to see is, it's really funny that this one relatively obscure company comes up with this kind of stuff; does this get mainstream media attention? No, not at all. And we all know that this is a much more effective defense than any of the security stack we can get. The far more common problem that we have in malware builds is malware that specifically targets the lack of a patch, okay. So think about this: we have Burn Monday,

where I push all of my exploits that I wrote to the bug bounty people; we have Patch Tuesday; and then we have IDA Pro Wednesday, where I figure out what the actual patch fixed so I can write an exploit for anyone that doesn't have the patch. So this is the problem that we have with patching right now: every time Microsoft issues a patch, it's actually a blueprint for an exploit, okay. So the point here is that if we are patching quarterly or monthly, we're behind the times, folks. We have to look at patching our infrastructure weekly, okay, because the problem is the reverse engineers out there are going to build the exploits for the lack of a patch in

record time, because guess what, they use agile development like many of you devs do. They all sit around saying, how are we going to hose people this week? So they're all kind of doing that, and it's really interesting because this is where there's two folks making a lot of money in cybercrime, and it's not who you think. It's not these folks that are reverse engineering patches; all that takes is a little bit of time with IDA Pro in a test lab. The guys making big money are the bloggers and the money launderers; those are the folks that are really making out like gangsters. So, exploit kits for sale, cheap: the cyber underground is filled with folks pimping

their exploit kits, okay. Now this is really interesting because, remember when we talked about command and control, C2 nodes: cybercriminals are collecting analytics about the success of their exploit kits that are landing, because they are marketing their products to other wannabe cybercriminals, okay. So one of the important things about command and control is it tells you your rate of success, your rate of click, your rate of infection, the forecasted amount of money you're going to make from ransomware attacks. All of this data is being compiled, and as you see, sometimes exploit kits go dark, right: Angler and Nuclear, no longer popular anymore, in fact went dark with the targeting by law enforcement, and something new, and others that

are coming along, right, like RIG for instance. All of a sudden we have a shift in the attack patterns that are going on out there, so this is important stuff to pay attention to when you're thinking of your defenses. So, exploit mitigation: you know, we talked about reducing the attack surface; if you're not using the software, uninstall it, okay, it makes a lot of sense. There's lots of good stuff that's free out there on the internet to prevent malware, to prevent ransomware; do a little bit of research and look at what those tools are. There's also now a lot of online services where you can upload a file that's been encrypted, and if it's possible for them

to either brute force it, or they already have the key ready to go, they decrypt your files. So do everything you can to never pay a ransom, okay, because the money that the cybercriminals make goes into iterations of their malware to make it more and more dangerous. Thank you very much, NSA, for leaking a whole bunch of new exploits out onto the internet; that's going to be good for everyone. A couple more things here to just think about: lots of great resources, including your own UK government, for user awareness training. This is the biggest investment that you can make in your user population, your home, your loved ones, really. This is the kind of

thing that we can focus on, and, you know, the technology stack unfortunately will let us down. So again, we're going to talk with Taylor Swift here, and we're going to take a look at an example payload of [ __ ] x 3.100, okay. Not surprising, this is a ransomware attack, but what was interesting is that it also dropped a credential-stealing DLL, and what does this tell us? It tells us the cybercriminals plan on visiting you several times: after ransomware on your ass, they now want to pull your credentials and find any other way to make a mess out of your life, okay. So this is where I'm

saying, once you've had a ransomware incident, it's not like, woo, we restored the files, we're all good. No, there's a lot more work to be done when we do IR for ransomware now. How did we sort of come across this issue? The FDA in the United States and the HIPAA legislation suggested that ransomware in a healthcare setting is considered a data breach and is reportable, okay, for this very reason: because the cybercriminal that gets access to a system with medical records is going to monetize that attack in addition to holding you to ransom. So this is the threat that I talked about here, and we're going to talk

a little bit about this. This was an IT provider in the UK who got phone call after phone call Monday morning and discovered that about 40 of their clients had been infected with ransomware all at the same time, okay. That's known in IT as a shitty day, okay. So they asked for some help and I was able to kind of engage and help out, and this is an ongoing investigation. We got hold of the Trojan that was used in the entire thing, and pushing it through VirusTotal yielded a detection rate of about seven out of 54 commercial antivirus engines, okay, not awesome. And the hilarious thing is that Microsoft actually detected it, and Microsoft doesn't detect [ __ ], so I

was like, wow, okay, this is not good. Later on I'll kind of do the big reveal, but I'll do it now: the sad thing is that this Trojan was from 2012, okay, 2012, and 7 out of 54, not cool at all. Now later on I ran it, so look at the dates there: that's 2016-01-24, so January, and, I guess it's like the 5th, that's May, right. We now have 37 out of 56 commercial antivirus engines detecting it, okay. So that's something to consider if your approach to security... none of you here are of this mindset, because you probably wouldn't be at BSides Manchester if you were, but if your

approach is, I'm just, you know, relying on, like, AV and I'm good to go for security, it's not good, right. Your odds of hitting something are pretty bad, because this is, again, keep in mind, a Trojan that delivered the ransomware payload to these endpoints from 2012. So I got to playing around a bit. If you think I know a little bit about ransomware, there are a whole bunch of people up there that know a heck of a lot more than me; check out Graceland Security as a good example. But I was able to rename the file to not that, and then edit it, and this is, like, using a hex editor, okay, because I'm not a

programmer, nor did I stay at a Holiday Inn last night. But I just copied some text from the binary and put it at the end of this file, where all the zeros were, and that's how I got it down to 22 out of 53 commercial antivirus engines, okay. I'm not a hacker, right; there are people that can write this [ __ ] from scratch that will continue to put it through iteration and iterations of VirusTotal until they get something that passes right through for their targeted attack, okay. So keep that in mind: with anybody with a hex editor, all of these zeros in here are what exploit kits will use to drop extra text or extra

binary information into, to again change those virus definitions to bypass it. It also introduces some entropy in the file, so that if it's an encrypted binary, you put the entropy in and now it doesn't look like an encrypted binary; you now have another way of getting past antivirus. The whole point here is that antivirus is not particularly good. So this was used as an attack, so the attack came, the Trojan was landed from this IP address in a European country, okay, a friendly European country, so let's be clear there. And then again, 2012: it was a Trojan designed to deliver a CryptoLocker payload; it wasn't actually CryptoLocker, okay, so that's an important thing. We had a program that then

called the malware from someplace else, from that server there, and the encryption key was a one-time key generated. So the first thing I did was run it and thought, well, maybe if the key stays the same we can just quickly write a Python script and get everything back. No. So, working with law enforcement, we found different IP addresses using the attack, and rather than put out a grandiose report about this, the only thing we have to suggest that it's Russian cybercriminals was an IP address that was the origin of a great deal of spam for a ransomware campaign, okay. So again, I'm not rushing off and saying that this is, you know, Russian cybercriminals; what I am saying is that

this was obviously a cybercrime group that had a pretty elaborate infrastructure that used a whole bunch of different IP addresses all over the world in an attack on that particular customer. So, we got that slide, thank you, okay. So, basic malware analysis: what are we really doing here? Essentially there's two ways to look at malware analysis. One is run the damn thing and see what happens; the other is to look at the actual binary and do some really nerdy stuff, and I'm more of a let's-just-run-it-and-see-what-happens guy. So, platform to use: XP Service Pack 3. You can use Windows 7, but if it's something from 2012, chances are even Windows

Defender will get in the way of it. You want to install your apps, so that it's able to be infected: so older Adobe Flash, Java, Silverlight, Adobe Reader, unpatched Microsoft Office viewers and the file converters. Don't install AV on your testing platform. And the two things that I really use here are Wireshark and something called Regshot, okay. Wireshark, who here knows what Wireshark is? All the hands in the room go up, cool. Regshot you might not have heard of, but you can use anything; what you're looking for is something that shows you the registry before the malware is run and then the registry after, okay. And just to see what some

conclusions are here: so this was a file that was sent to us and it was named as the person's name .zip, okay, so a little stealthy there, pretty cool, but, you know, you're going to open something that has your name on it, I guess is what they thought. As you can see, the file has a detection of 35 out of 56 commercial antivirus engines now, but at the time, not so much. You'll see that the command and control URL is hard-coded into the binary, and again, only six out of 68 web scanning engines are throwing out that binary, or that URL, as being dangerous, which, you know, is damn dangerous. I'm going to show just some

stuff on that, pulled out of more of an advanced toolkit that we'll talk about, but basically Cuckoo Sandbox shows that, you know, it performs some HTTP requests, it does process injection. Who here has gone to a computer and asked, how come there's, like, 20 notepads spawned in Task Manager, but no Notepad is running on the machine? That's definitely a sign of malware, because what they've done is they've injected their process into Notepad to maintain persistence, or do whatever they're doing. You can also see it as explorer.exe and any sort of other app. And then again, it installs itself for auto-run at Windows startup, okay. So I've got a short video here that

I'm just going to figure out how to play; I think I just click this, okay. And this is just basically what we did here. So the first thing you want to do is really check to make sure that your network stack is working properly, okay, and then you're also in the DMZ, or better yet on an IP address that is not inside the corporate network, okay. Up here, and also, if your binary is, and that's why you do a little bit of research on it first, if it is aware of a virtual environment, then be very careful, because that's how you blow up a MacBook Pro. So the first thing we're doing here is we're

taking a snapshot of the VM's registry before we're going to run it, so there we go, and that way we can compare the two. And then, because I'm a bit of a nut here, I'm going to make sure that I know my network stack is working properly, because what I'm very interested in here is what does this zip file actually do from a network perspective, because malware will reveal itself at the network layer, generally. So here I'm just pinging, and look at that, wow, ICMP works, yay me, okay. And then we're seeing the echo replies, which is really great, so we know everything's ready to go. We go to our

live malware, and there's a few selections there, but we're going to open up that one; this is other stuff that I was working on this morning. And check it out: so this is JavaScript, so this doesn't require user interaction. The idea here is the zip file is received, she clicks on it, she clicks again, and then nothing, right, but something. So here we can see what happened: it checked with DNS and it found the IP address of that server, which tells us that at one point that server was probably compromised and working as the command and control for the bad guys. Now you'll notice the HTTP GET request, okay, or I think it'll come up again,

but the point is, because I think I cut it really short, now we're doing our second shot. So we've got two things: we've got the network capture, and we have what happened when we ran the binary and what it did to the registry. Now let me ask you this question: if you receive a document, is it reasonable that you would have sixty-odd registry changes happen when you open that doc? Right, no, okay, because the answer includes a whole bunch of interesting things, including a Windows Script call right there, okay. So this is just one of those things where, if you take a regular Word document and you open it up, you may see some registry changes, but nothing like this, right. So

you definitely have a feeling that you've got some malware going on. And then here I'm just doing a quick tour of what it is. I want to go back to that GET request, so please scroll down so we can see it, thank you. Okay, this Geor sgod etsy is the actual ransomware payload, okay, that is the actual thing it is going to download and encrypt your files. So that's kind of the end of the basic malware analysis, and I'll take us to the next slide here because there's a lot more you can do, but I just wanted to show you something quick and dirty and also cover the whole Randy part of my presentation

earlier. But Cuckoo Sandbox, anybody using that, playing around with that? Yeah, kind of cool, right? Thug, I'm really, it's really great for analysis of drive-by download attacks, okay. Bro again, some people like Mark, some people like Bro. The most important thing is to be able to follow a session. If you're going to go into more depth on this, you want to maybe go down to the packet capture layer and really look at the packets coming across. Volatility is really excellent, and IDA Pro of course, who here has played with IDA Pro yet? Okay, so awesome, everybody's on the same page there. I just, coming back, yes? No problem with getting Windows 7?

[Audience:] modern.ie, where Microsoft will provide free VMs pre-installed with all the kit, but it's a 2010 license, whatever it is, that very much togetherness and license, you know, help utopia, yeah, combined with that it means you get a fresh VM. Absolutely, and one of the things that I mentioned is the first thing you do is you snapshot your VM that's not infected first, okay, kind of beats the recipe of restoring your VM, but really good point. The other thing, and this is the one caution about using somebody else's VM for this, is that you'll find that you'll want to fine-tune it. So a good example is if your VM has Chrome installed on it,

the first thing Chrome does when it launches is it checks with Google to see if there's an update for Chrome, and a lot of apps are like that, so you'll want to customize your malware analysis platform with Wireshark on and fine-tune it so that you don't get all this extra network traffic that's going to confuse your analysis. So: VM snapshot, Regshot, run Wireshark, infect all the things, Regshot to compare, observe the Wireshark traffic, trace the IP address to the host country just for shits and giggles, see where the attack's coming from, post-phase, and then restore the VM from snapshot. That's kind of what happens. So, right, malware dependencies. So the number

one thing for malware, and it's dependent on you not backing up your stuff, okay? So my advice is to make sure that you have solid, solid backups. This is the thing that keeps your job when everything else hits the proverbial fan, super important. Um, this is a major problem right now with malware command and control: WordPress. Basically the old way of exploiting a website was I just exploit the website, I put up my banner and I'm super cool, right? What those cyber criminals are doing now is they're going after WordPress sites specifically to hide their command and control, to use it to blast out tons of spam, okay? So what I'm saying to you guys, I'm pleading with you

guys here, don't be part of the problem. And absolutely, if you have WordPress inside your organization, this should be, um, you know, segmented off in the network so that you can have a really good idea and control and logging for this box. It's so bad that there's a threat intel feed just for WordPress login brute forces, okay? So if you do have a website, a WordPress site, this will tell you at least who is attacking it. And so it comes up on Twitter and you can follow it, right there. So, um, Duqu 2.0, I just want to talk about this one a little bit. This was, these raleys, it was a pretty serious advanced

persistent threat actor type of attack. It used a whole bunch of 0-days, okay, and then the question I always get is, well, if that's the case, like it's 0-days, what can we do to defend myself against it? And, you know, I'm a not-for-profit and I have no money, or I have a for-profit business and I don't want to spend any money, which are the two types of things that we hear about all the time. So what's really interesting here is that the attackers figured out servers to generally act as command and control, and they also gated the command and control through different protocols, okay? So when we think about malware and the next generation of malware, we're

really talking now about protocol changes for the command and control so that we can't see it the way we could here. We're talking about command and control over HTTPS, right, with a stolen certificate to further obscure it, so that we can't peek inside without something like the Burp Suite to do a man-in-the-middle attack. However, there's a couple of things here that, even though this is an advanced persistent threat, could have given up the fact that something was here if we had some egress filtering, okay, that said workstations inside my domain cannot communicate directly to the internet through DNS. We would have caught these guys, right, because one of their tactics was to send fake TCP/IP packets to IP 8.8.8.8. Now who

here can tell me what 8.8.8.8 is? Right, pretty much everybody there, right, Google's DNS service. Would you be sending IP to Google's DNS servers? No, you would be sending DNS, right? So think about this from a number of different areas: there's an opportunity to catch these guys at your firewall, right? So you have your workstation in one VLAN segment that says DNS traffic can only go to my Active Directory domain controller, which has DNS on it, all right? So there are opportunities to get these guys. The other thing is these IP addresses, okay, if you were doing some logging on your system, you would see connections being made out of your organization to these IP addresses even when the

humans had gone home for the day. And if you look at your logs from, say, one o'clock and six a.m. in the morning and you see browsers that you won't have installed on any of your endpoints surfing HTTP or HTTPS, you have a problem, okay? So there are ways to combat these advanced persistent threat actors, and that's why I feel kind of optimistic that from the technology perspective we actually can win against these guys fairly easily. We just have to stop building flat networks, okay, and if we segment our different pieces of our network and if we put in firewall rules to catch those indications of compromise, like DNS from a workstation directly to Pakistan, who here thinks

that's a good idea, or normal? No, right? But, and who here thinks putting printers on, directly on the internet, is an awesome idea, right? And because then weev gets to send anti-Semitic messages to all your universities. So I just really feel that, even though I rail kind of against that security technology stack in my presentations, there's so much more we could be doing at the firewall there, and looking at our traffic and understanding that malware will betray itself at the network layer. And one of the ways is really to look at what the business needs to accomplish its business goals, and ask them what relevance Flash and Silverlight have for that, right? Um,

so again, weev, he found a whole bunch of printers, port 9100 exposed on the internet, and he sent anti-Semitic messages with giant penises on them. So that was not good, not good for your network security. So what it really does come down to, this is sort of the keys to success in combating what I'm going to say average, normal, run-of-the-mill threats. There's lots of stuff we can do. The user awareness training program just really has to get on board. If you don't want to do it or you feel that it's not good, that's what interns are for. You bring one in, you say, I'm going to give you a

cybersecurity internship, and your job is to execute this user awareness cyber security strategy. They are so enthusiastic to get experience; it's only later on in life they become jaded and twisted like the rest of us, so give them a chance to get jaded and twisted, right? Again, you know, the number one thing down here is just be prepared for the technology stack to fail. I'm not a super gifted programmer, I cannot write malware from scratch. The reality is nor can most of the cyber criminals out there. There's this great study that came out from the University of, it suggested that sixty percent of the cyber criminals that they arrest have had

previous criminal history. So what does that mean? It means that they used to break into cars, or they used to break into houses, they got tired of being chased by dogs, and they'd much rather work from the comfort of their living room just like the rest of us. So keep that in mind, that a lot of, the majority of these attacks, and again it goes back to the sensationalism of the media, are not like the Lex Luthors of cyber crime here, okay? It's pretty low-hanging fruit that's out there. And again, you're not alone, there's, from CompTIA, there's great training and support and organizational certification that you can latch on to. Um,

the other thing that is really good is to be aware of some of the threats and the things that are coming out. I like the CompTIA SmartBrief, Recorded Future and Daily Sentinel. The first three paragraphs of Daily Sentinel are really great, and then they try to sell you ISO 27001. Is this, yeah, so great, I love the first three paragraphs, but I'm like, hey, now we're talking about, like, business email compromise, and I'm like, how are they going to try and sell me ISO 27001 for this? And somehow they figure out how to get that in there. So I wrote a pamphlet, you can download it, it goes through seven attacks. It's sort of

the companion guide to one of my other presentations called Meaningful Measurement that I'm giving at 44CON, I'm super pumped about that. But this runs through all sorts of attacks, stuff that you should care about, stuff that you probably don't want to hear about. And I do kind of think this is what happens when marketing gets a hold of it: cyber bullets are a thing, y'all, okay? Yeah, um, so where are we here? Uh, yeah, we've got, um, Taylor Smith and kind of a harbinger of destruction there. So we all remember the movie Hackers, you know, it's just so filled with awesome, ah, but we do remember the idea that

putting IP addresses on nuclear power plants, on boats and on oil rigs, or really anything that potentially can go boom, is probably not a good idea. So I wrote a piece for USA Today on the future of cybercrime, and truly I believe, and it is even reinforced now with the Shadow Brokers exploits, what we're going to see, our attacks, could be related to the other talks on Internet of Things infrastructure. This is, I now go back to my firewall slide and say you should have a VLAN for your Internet of Things so that you can see what traffic they're going to and what type of information they might be sending. I think that's

really, really important, because, you know, we do not want the ship to sink, as it were. So this is my view of the things, the cyber kill chain. This is where we can map our security technology to the five things that we can actually do about it, okay? And notice, my friends, that when we're talking about when tool and communication, that's network layer; endpoint, endpoint; we're talking now about our users; LAN too, when we're talking about egress; and finally again endpoint stuff that even users can perhaps assist themselves with. So, um, if you want to, we can have a discussion around what technologies, um, you may need in your business. What it comes down to

in my view is: put in a layered defense, build your security stack around proactive, reactive and detective, with user awareness training being the most proactive. Manage it from one console, or a few consoles if you have to. Use hosted services and scalable services so that you can adapt. And with that I think we have like three minutes for Q&A, or are we out of time? We got five minutes for Q&A, I got my yellow card there. So are there any questions? And now that I see a little one, I apologize for any cussing that I might have said. I didn't use really bad words, but a few bad words, right? It's okay, all right, nobody's going to jail.
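The egress-filtering idea from the talk (workstations may only send DNS to the domain controller, off-hours browsing from a workstation is suspicious, and feed-listed command-and-control addresses should never be contacted) reduces to a few checks over firewall logs. The following script is an added example, not code from the talk or its author; the log line format, the 10.10.5.0/24 workstation VLAN, the 10.10.1.10 domain controller, the 01:00 to 06:00 off-hours window and the TEST-NET placeholder addresses standing in for a threat feed are all assumptions constructed for the example.

```python
"""Egress-rule checks over firewall log lines (added example; all data constructed)."""
import ipaddress
import re
from datetime import datetime

# Assumptions for this example (not from the talk): one workstation VLAN, one
# AD domain controller that is the only permitted DNS resolver, and a short
# list of addresses standing in for a daily C2 threat feed.
WORKSTATION_VLAN = ipaddress.ip_network("10.10.5.0/24")
INTERNAL_DNS = {ipaddress.ip_address("10.10.1.10")}
FEED_C2_IPS = {ipaddress.ip_address("203.0.113.45")}   # TEST-NET-3 placeholder
OFF_HOURS = (1, 6)                                      # 01:00 up to 06:00 local time

# Constructed key=value log format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"^(\S+ \S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, action = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "action": action,
    }


def check_event(ev):
    """Return a list of findings for one event; only workstation sources are judged."""
    findings = []
    if ev["src"] not in WORKSTATION_VLAN:
        return findings
    # Rule 1: workstations talk DNS only to the domain controller, never straight out.
    if ev["dport"] == 53 and ev["dst"] not in INTERNAL_DNS:
        findings.append(f"direct external DNS from {ev['src']} to {ev['dst']}")
    # Rule 2: nobody is at the keyboard between 01:00 and 06:00, so web traffic is odd.
    if ev["dport"] in (80, 443) and OFF_HOURS[0] <= ev["ts"].hour < OFF_HOURS[1]:
        findings.append(
            f"off-hours web traffic from {ev['src']} to {ev['dst']} at {ev['ts']:%H:%M}"
        )
    # Rule 3: any contact with a feed-listed C2 address is worth a ticket on its own.
    if ev["dst"] in FEED_C2_IPS:
        findings.append(f"contact with feed-listed C2 address {ev['dst']} from {ev['src']}")
    return findings


def scan(lines):
    """Run every rule over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            findings.extend(check_event(ev))
    return findings


# Constructed sample log: one normal daytime session, one 02:41 session that
# resolves via 8.8.8.8 directly and then talks HTTPS to the placeholder C2
# address, one line from the DC itself (out of scope) and one unparseable line.
SAMPLE_LOG = """\
2016-08-18 09:15:02 src=10.10.5.23 dst=10.10.1.10 proto=udp dport=53 action=allow
2016-08-18 09:15:03 src=10.10.5.23 dst=198.51.100.7 proto=tcp dport=443 action=allow
2016-08-18 02:41:10 src=10.10.5.23 dst=8.8.8.8 proto=udp dport=53 action=allow
2016-08-18 02:41:11 src=10.10.5.23 dst=203.0.113.45 proto=tcp dport=443 action=allow
2016-08-18 03:05:44 src=10.10.1.10 dst=8.8.8.8 proto=udp dport=53 action=allow
this line is not a firewall record
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running it on the constructed log reports three findings, all from the 02:41 session: the direct DNS to 8.8.8.8, the off-hours HTTPS connection, and the hit on the feed-listed address. The domain controller's own 8.8.8.8 query is deliberately ignored because the rules are scoped to the workstation VLAN; in a real deployment the forwarder's allowed upstreams would be a separate rule.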

question

Yeah, so it seems like it'd be quite easy to write something to detect all those tools. This is a great point. So it did, and this blew my mind: so I looked at some commercial antivirus software and I looked into the memory of it, and I saw some VMware hooks in the antivirus software. I'm like, what, what the... that makes no sense. One of the things you can do to trick malware that is aware of it being in a VM environment is for it to look and think that it's in a VMware environment, and then it doesn't execute. So you're absolutely correct, and that's why a lot of folks will jump an operating system as well. So if it's

Windows malware, they might be working in Linux, for instance, to obscure the fact that it is in a VM environment that is trying to run. And yes, it will do an inventory. That's actually one of the DLLs that it had: they did an inventory of the software that was installed, and it's very easy to write the code to say, if Wireshark is installed, do not infect. On the... yes? Because you have to do that, yeah. You could do it on Windows, and things like Tripwire, more expensive type software, will allow you to monitor for registry changes and alert. Good logging on a monitored operating system, and I mean Windows 8.1 or Windows 10,

anytime there is a registry change you can have an audit setting, and then that can be pushed to your logging, or even you can build your own alert saying, if, you know, I see this, whatever Microsoft's event code is, you know, then alert me that that is taking place. Great points though, for sure. Any other questions? I just met Olivia. Question? Sure. [Audience, partly inaudible:] seems to reduce, not Asian, and malware, does it care more about virtualization, to most as a virtualized, dating way with a client, so nothing around, will the Windows system, they do care that

Yeah, there's some, there's a couple of families of malware that are exploiting that now and breaking out with administrative credentials from that sandbox. There's also, one of the first things the exploit kits are designed to do is hose whatever brand of antivirus you have, but keep the icon down in the corner. Um, so you're right, like I was really trying to make it a very easy to follow kind of demonstration, but in general yes, that's been my experience so far, that if I'm trying to just figure out what has gone wrong, or if I suspect that this is some sort of threat, putting it through that will really help you.

There's more advanced stuff, absolutely, that looks to see for the VMware hooks, looks to see what type of software is installed, and then says, no, I'm not going to participate, I opted out. Brexit, that joke. I just hope they don't round up all the Canadians and throw them out of the country, that would be very bad. But I'm turning into a Pole, so that's gonna be good. Any other questions? Sure, at the back.

Other than cutting and pasting, um, so Cuckoo, yeah, Cuckoo Sandbox does a great job of generating kind of a good report that again you can just pull out four or five lines from, saying these URLs are for command and control, this is the IP address, you know, if you should block Tor too in a business environment in general, because there are strains of malware now that use Tor proxies in order to get to their command and control. So yeah, there's a variety of different things, but yeah, in general that's what I like about Recorded Future, is they usually give you the top 10 malware IP addresses for command and control on a daily basis, so it's like

copy, paste, send to DevOps; copy, paste, send to DevOps; copy, paste, send to DevOps, right? So, cool. Yes sir? Yes, analysis, yeah, absolutely you can. It's not just the registry, it's also in the memory, and one of the nice things about memory analysis is that, um, if it's an encrypted binary, in memory it won't be encrypted, so you can actually see what's going on. So, like I said, that's the skill set for me, on memory forensics, is like here right now and it needs to be up there, for sure. I'm just not a programmer. Anything else? Awesome, thank you so much.
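The registry-snapshot step of the workflow in the talk (snapshot before, detonate, snapshot after, compare) and the Q&A answer about alerting on registry changes both come down to diffing two exports and then asking which of the changes look like persistence rather than a Word document updating its recent-files list. The script below is an added example, not code from the talk, its author, or Regshot; it parses the plain .reg export format, diffs two snapshots, and flags new or changed values under a CurrentVersion\Run key or that mention a script host. The two snapshots, the user name, the paths and the "Updater" value name are all constructed for the example.

```python
"""Diff two .reg exports Regshot-style and flag persistence-looking changes.
Added example; the snapshots below are constructed, not from a real host."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(.+)\]$")
# A value line is   "name"=data   or   @=data  (default value); names may
# contain escaped quotes and backslashes, which are kept in .reg-escaped form.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta", "rundll32")


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


@dataclass
class RegDiff:
    keys_added: list = field(default_factory=list)
    keys_removed: list = field(default_factory=list)
    values_added: list = field(default_factory=list)     # (key, name, data)
    values_changed: list = field(default_factory=list)   # (key, name, old, new)

    def total(self):
        """Rough equivalent of the change count Regshot prints at the top of its report."""
        return (len(self.keys_added) + len(self.keys_removed)
                + len(self.values_added) + len(self.values_changed))


def diff_snapshots(before, after):
    """Compare two parsed snapshots; values inside brand-new keys count as added values."""
    d = RegDiff()
    d.keys_added = sorted(set(after) - set(before))
    d.keys_removed = sorted(set(before) - set(after))
    for key, vals in after.items():
        old = before.get(key, {})
        for name, data in vals.items():
            if name not in old:
                d.values_added.append((key, name, data))
            elif old[name] != data:
                d.values_changed.append((key, name, old[name], data))
    return d


def suspicious(d):
    """Flag autorun entries and anything that names a script host (name or data)."""
    hits = []
    candidates = d.values_added + [(k, n, new) for k, n, _, new in d.values_changed]
    for key, name, data in candidates:
        if "\\currentversion\\run" in key.lower():
            hits.append(f"autorun entry {name!r} under {key}: {data}")
        elif any(s in (name + data).lower() for s in SCRIPT_HOSTS):
            hits.append(f"script host referenced in {key}\\{name}: {data}")
    return hits


# Constructed "clean" snapshot: one legitimate Run entry and Word's recent-file list.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\File MRU]
"Item 1"="[F00000000][T01D1F9A3][O00000000]*C:\\Users\\alice\\Documents\\invoice.docx"
"""

# Constructed "after" snapshot: the MRU changed (normal for opening a document), but a
# new Run value launches a .js file and the MUI cache now records wscript.exe running.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\upd.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\File MRU]
"Item 1"="[F00000000][T01D1F9B0][O00000000]*C:\\Users\\alice\\Downloads\\statement.docx"

[HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache]
"C:\\Windows\\System32\\wscript.exe"="Microsoft (R) Windows Based Script Host"
"""

if __name__ == "__main__":
    d = diff_snapshots(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))
    print(f"{d.total()} changes, {len(suspicious(d))} worth a closer look")
    for h in suspicious(d):
        print(" -", h)
```

On the constructed snapshots the diff counts four changes (one new key, two new values, one changed value) and flags two of them: the new Run entry and the MuiCache record of wscript.exe. The changed Word MRU value is exactly the kind of change a normal document open produces and is left alone, which is the distinction the talk draws between "some registry changes" and "nothing like this".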