
BSidesIA 2017 Keynote: Exploit Kits and Indicators of Compromise – Brad Duncan

BSides Iowa · 55:26 · 330 views · Published 2017-04
About this talk
BSides Iowa 2017 - Track 1 Title: "Exploit Kits and Indicators of Compromise" Speaker: Brad Duncan Exploit kits are a well known method used by criminals to distribute malware. Many security professionals know about exploit kits, but the full sequence of events is often misunderstood. In this presentation, Brad explains the concept behind a successful malware infection by criminals using exploit kits. This talk traces the sequence of events, starting with a compromised website and ending with the exploit kit delivering its malware payload. Different steps of an exploit kit’s kill chain are sometimes identified through an organization’s intrusion detection system (IDS). These IDS alerts provide indicators of compromise (IOC). However, in many cases the kill chain is incomplete, and no infection has occurred. Brad discusses examples of exploit kits detected in a security operations center (SOC) environment, how analysts investigate this activity, and the overall impact to an organization.
Transcript (en)

[Introduction] This is Brad Duncan. Brad Duncan specializes in network traffic analysis and exploit kit detection. After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cybersecurity in 2010. He's currently a threat intelligence analyst for Palo Alto Networks Unit 42. Brad is also a volunteer handler for the Internet Storm Center and has posted more than 80 diaries there. He routinely blogs technical details and analysis of infection traffic at malware-traffic-analysis.net, which is an awesome resource, so we're glad to have Brad here.

[Brad Duncan] Thank you. All right, he just went over all that, so I won't go into it, other than that my current job at Palo Alto Networks allows me plenty of latitude to post samples of traffic analysis, and the pcaps and malware samples, on my blog. So we're gonna look at exploit kits in April 2017. The original title of this was "Exploit Kits and Indicators of Compromise"; however, I find I tend to update this thing every time I do it, to where it's almost a completely different presentation by the time I give it again three or four months later. Some parts are still fairly static, like what an exploit kit is, looking at the exploit kit ecosystem; the introductory parts don't really change because we're talking about concepts. Everything else tends to evolve over time, and the last time I gave this in a public forum was at BSides Augusta, and the presentation has changed significantly since then.

So to understand exploit kits, you have to understand that there are two strategies to distribute malware. The first strategy requires some sort of user action: the user must do something in order to get infected with the malware that's somehow being distributed to you, that makes it into your hands. The most popular way of malware distribution is through mass emails, malicious spam, which is what we call it, and many times you'll have an attachment, or you'll have a link that downloads an attachment. In this case, this is from Monday of this past week; I believe it was distributing Dridex or something like that. This one is pretty ingenious because it involves a passcode that you actually have to type into a Word document, a password-protected Word document, so there are several steps there that you've got to do to get yourself infected. And then once the infection happens, you know exactly how it happened, because it was something you took part in. Here's another thing about the first strategy: another method is the pop-up web browser windows that ask you to install stuff, like "your Java is out of date" or "your Flash Player is out of date", and at best

you're looking at some unwanted programs or adware or something along those lines; at worst, you're looking at some sort of actual information stealer or ransomware infection. Although in this example, if you were to download and install a video player setup file from chucklefundhead.com, I would argue that you deserve what you get. With this first strategy there usually is plenty of warning that what you're doing will have negative consequences. For example, that chucklefundhead.com file: you'll get a little warning saying "do you want to run or save it, this file could harm your computer". The Word document in that previous email has a malicious macro, and there's always a security warning, because default installations of Microsoft Office do not enable macros by default, so you get a little pop-up that'll say "are you sure you want to do this?"

But the second strategy is when the malware authors, in trying to distribute their malware, try and do it behind the scenes and you're none the wiser. You're doing regular, routine internet browsing activity, and somehow your computer gets infected and you don't know why. That is the concept behind exploit kits, where you take a criminal group's malware to an average user's computer and you do it behind the scenes. Now when we're talking about exploit kits, you must understand that exploit kits distribute malware targeting systems running Microsoft Windows. That's not to say that other platforms don't get targeted by malware; they just don't get targeted by malware in this particular fashion.

To fully understand what an exploit kit is, you must first define a vulnerability and an exploit, and we'll do that here right now. A vulnerability is a flaw, basically a flaw that somebody can take advantage of. So the definition up here says "an unintended flaw in software code that leaves it open to exploitation in the form of unauthorized access or malicious behavior", kind of a wordy definition to say "hey, this is a flaw that somebody can take advantage of and do stuff that they shouldn't be able to do". Vulnerabilities are generally cataloged by CVE number, the Common Vulnerabilities and Exposures database. This one is CVE-2017-2995. Now it's only April and this has been out for a little while, so I'm sure there's well over three thousand vulnerabilities by now that have been catalogued in the first four months of this year alone. This one's about Adobe Flash Player version 24.0.0.194. I love these definitions, because what they say is "successful exploitation could lead to arbitrary code execution". There's nothing arbitrary about the code that's executed whenever these are successfully exploited; it's just a way of saying we don't know what type of code your computer can be hit with. They

should say "malicious code execution", but they say "arbitrary". So an exploit is a file, a piece of code, that actually does the exploitation; it takes advantage of a vulnerability. Exploits by themselves, although they are malicious, are not in and of themselves harmful to your computer, and I'll explain what I mean here. So earlier this week I got an example of Rig exploit kit infecting a host in my lab, and I can go through the pcap of the traffic and I can extract the Flash exploit that was used in this infection. I can take that out, and it's malicious code; your antivirus should be able to detect this, especially now that it's been out for a few days, and will probably delete it from your system. However, if you had that code, you could click on it, you can do whatever, it won't work just as a file that's sitting on your computer. It has to be specifically utilized within the construct of an exploit kit. So exploits, yeah, they're bad, but they're not inherently nuclear or dynamite or "handle with care"; they're just part of a bigger mechanism.

So this is probably the best definition of exploit kits that doesn't use the word "kit" in the definition: "a server-based framework that uses exploits to take advantage of vulnerabilities in browser-based applications to infect a client", by which we mean a desktop or laptop, or a server if it's being used as a client; I've seen that happen before, without the user's knowledge.

What are some of the vulnerabilities that exploit kits target? What do you suppose? We're talking browser-based applications, so what's one of the biggest ones out there right now? Flash. Flash is still the big one, even though I don't really see anything along the lines of zero-days for Flash; at least the last one I remember that found its way into the exploit kit scene was about a year and two or three months ago. I want to say February 2016, some time around the early part of the year, there was an actual zero-day that had about 24 hours out in the wild, where even if your machines were specifically patched and fully up to date, there was a 24-hour window where exploit kits were able to use that and infect computers. The browser itself is a browser-based application, and that is probably the second biggest thing that gets targeted or hit. When I'm testing exploit kits in my lab, Microsoft Edge and Internet Explorer are the two big ones that you'll see vulnerabilities out in the CVE list for. At this point in time I haven't been able to successfully infect a computer using exploit kits while I've been using Chrome. I know that there have been some Firefox vulnerabilities for a while, but

I generally don't even use that anymore in my test environment. Silverlight is another browser-based application that I've seen exploits for, and in the past we used to see a lot of Java and PDF exploits, up through about 2014-2015. After about 2015, sometime during that year, we really stopped seeing them. There are some exploit kits that actually still use these exploits; one of them is called KaiXin, that I've seen generally associated with websites that are in South Korea, and I want to say it's a Chinese actor behind it. But that's one of those where I actually have to regress to a much earlier, even more out-of-date machine in order to get infected through KaiXin exploit kit.

Another key point in the exploit kit concept is that exploit kit authors sell their exploit kits as a service. Software as a service or platform as a service are easy to say as acronyms, SaaS or PaaS, but when you try and make an acronym for exploit kit as a service, it's kind of hard to say that, right? You can say it phonetically, which just kind of sounds weird, or you can say it like I say it, "EK-ass", and get slapped across the face. So how much does it cost? Well, usually anywhere from two to four thousand dollars a month, depending on the exploit kit that's being discussed. This image is taken from an advertisement. There's a site called malwarebreakdown.com, and the guy there ran across an advertisement for, I believe this was called at the time, Nebula exploit kit. Back in March he published this, so back in March they were asking four thousand dollars per month for their top tier package, the one with all the exploits it had in its arsenal. Seems like a lot, but I don't know; I don't deal in that sort of large-scale malware distribution, so I wouldn't know.

So how does an exploit kit work? Well, first, when a potential host is connected to an exploit kit server, they hit the landing page. Basically, when we say landing page, we mean the initial page that a victim's computer will hit when they connect through web traffic to that website. The landing page will profile the victim's computer: the landing page will figure out exactly what vulnerable browser-based applications are on the computer that is communicating with the exploit server, and then it will send the appropriate exploit. If that exploit is successful, then the payload, which is the malware that's being distributed by the exploit kit, will be downloaded, sent to the system, and, through the mechanism of the exploit kit, through that particular exploit, will infect the host, and the victim will be none the wiser. But exploit kits cannot exist on their own,

so if I were to pay that four thousand dollars a month and set myself up an exploit kit server somewhere, why would people even bother to visit it? You would have to set it up and either disguise the exploit kit server, which doesn't happen, or you could set up a system that will allow traffic to go through these exploit kit servers, and that happens with an ecosystem. This ecosystem consists of actors and campaigns. An actor, when we're talking about exploit kits, is an individual or criminal group behind a particular piece of malware. Now, you'll hear two terms used to refer to actors, because there are plenty of actors in this theater of cyber war: we're all actors in it, we're the good actors, the good guys, and then there's a term that they'll use, they'll call the criminals "bad actors". I don't like the term "bad actor", because it reminds me of 1960s-era William Shatner on the original Star Trek television show. I recently tried to rewatch that through a Netflix subscription, and while I enjoyed the shows, they actually had a much more profound effect on me as a much younger person. So, number one, I don't really enjoy the original series of Star Trek as much as I used to, and number two, I don't like to call actors in the theatre of cyberwar "bad actors". I like to call them "threat actors", the preferred term.

So we have campaigns. These actors are trying to distribute their malware, and they have to set up a campaign in order to do that. When we're talking about exploit kits, we're talking about an interesting situation: it's basically like laying a bunch of mousetraps all over the web that people, during casual web browsing, will stumble across. All right, a lot of people, when they look at campaigns, they think of it in a military sense, or even in the political sense, but in the military sense you're organizing forces, you're planning objectives and you're attacking stuff. When it comes to exploit kits, I don't like using the word "attack". Yeah, technically it might be an attack, but if you step on a mousetrap that somebody carefully set out for you, were you attacked by the mousetrap? You can say you were possibly attacked by the person that set the mousetrap, but it kind of overlooks the actual mousetrap itself. A campaign, in the context of exploit kits, is a system that consists of the exploit kit plus an infrastructure that directs potential victims to that particular exploit kit that you have set up.

So if we look at exploit kit campaigns, here's a simple chain of events. You have a compromised server somewhere, and these compromised servers are legitimate sites, all right? They just happen to be not very well administered; they have some vulnerabilities, and somebody on the criminal side was able to get into their server and set it up to where it will redirect traffic to an exploit kit server. They do this through injected code. So these compromised websites, every time you visit them, assuming the conditions are right, any page on that website will have injected code, and this script will connect behind the scenes to the exploit kit and kick off that process I described earlier.

We'll try an example here. So this page, thefecaltransplantfoundation.org, is a compromised website; I checked it last night. If you go to this fairly shitty website, you'll find injected code. This is from the pseudo... I'm sorry, this is from what we call the EITest campaign, that was first published some time around 2014. Malwarebytes, I believe, was the first organization that identified it as the EITest campaign, basically because of strings in the injected code: one of the variable strings they consistently had was "ITest". They have since long ago moved away from that, but the patterns of the injected script are still the same. I've had people ask me before, "well, how do you know that's the EITest campaign?" Now I can say, well, I just recognize some patterns. First of all, you've got an opening and closing body tag there at the very beginning of it, which is odd, and then the rest of the stuff just follows a pretty set pattern. It's like if you're learning a new vocabulary word and there's a string of letters that represents a word: how do you recognize it? It's through sheer repetition, right? You see this stuff often enough, you start to recognize it. Anyway, I checked this out last night; yeah, I saw the injected code in the traffic. If I look at the traffic, here's a pcap of the traffic filtered in Wireshark; I can look and I can find URL patterns that are associated with Rig exploit kit, and in this case I've seen it often

enough, I could recognize it last night. At about 7 p.m., our time here, it was 188.25.36.196 as the IP address and dsa.nipponbioenergy.com. The interesting thing about the IP addresses and the domains used for Rig exploit kit under this particular campaign is that the prefixes and the suffixes will change quite frequently, usually about every hour, so if I were to hit this again, it could be a random three-letter prefix before nipponbioenergy. Yeah, I also had a setup of Security Onion running, monitoring the traffic while I was infecting the host, and I used Suricata as the IDS engine and the Emerging Threats Pro ruleset, which I currently have access to. In that case you can see it triggering on that particular IP I identified; you've got Rig exploit kit alerts that are showing up. And then what you didn't see in the image: the particular payload by Rig exploit kit in this instance was a piece of malware called Quant Loader, which is basically just a loader that will load other malware. So in this case Quant Loader loaded something that's been identified as DELoader, which generates a lot of Tor-based traffic and supposedly is a backdoor that can download additional malware.

Some exploit kit campaigns will use a gate, which is just another server between the compromised website and the exploit kit server. I used to call it a redirect, because that's what it always looked like to me; they always looked like a redirect that would take traffic from the compromised website and redirect it to the exploit server, but the technical term is a gate. So if we're looking at a gate: in the 1984 movie Ghostbusters, where Sigourney Weaver's character is possessed by the spirit of Zuul, she is the gatekeeper, and you've got Bill Murray's character there representing, in this case, the user's computer. She keeps asking him if he's the keymaster, and at first he says no, I don't know what you're talking about (I forget the exact dialogue), but then he eventually says yes, I'm the keymaster. So he actually provided the right conditions to the gate for the gate to let him in. That's what a gate does in this framework: all the gate does is check to see if it's okay to send a particular computer that visited the compromised website and is hitting the gate on to the exploit kit server. Sometimes there's more than one gate. I don't really see gates much; I haven't seen gates much in the past six to eight months as far as exploit kit activity is

concerned, and maybe they'll make a comeback, but I used to see gates all the time, quite frequently, almost every day. Instead, what we're seeing, instead of necessarily multiple gates, is malvertising campaigns; they're pretty big. So you've got a blue guy there, who's the computer user, and he's hitting a normal website, which is the smiley guy, and then there's a malicious advertisement. Well, the advertisement is not even necessarily malicious, but the advertisement has injected code, which then redirects, usually to another iframe somewhere, and then goes to the exploit kit. So the thing about malvertising campaigns, and Magnitude exploit kit is where I see the vast majority of this malvertising happening: I don't like them, because I can never replicate them, because they're usually short duration. Give me a traditional exploit kit campaign where you've got a compromised website that's redirecting traffic to an exploit kit server; I can find that compromised website, they generally stay compromised for months at a time, and I can regenerate that traffic. But show me a malvertising campaign, which has a bunch of stops in between and normally lasts for about one or two hours and then moves on to the next thing, and I'm not going to be able to do anything with that, because the gate domains that pop up that are associated with these malvertising campaigns are generally very short-lived. They'll be registered and used, and a day later they'll be gone, or the domains will still be there, they just won't be used.

Common exploit kits. Who here has an idea of what the most common exploit kit currently is, as of 2017? Rig. You are correct. Rig is currently, right now, by far the most common exploit kit that I see on a day-to-day basis. Rig is also one that's, what's the word, not private: Rig is sold, openly advertised on the underground market, and people are able to use it and build campaigns around it to distribute their malware. Magnitude exploit kit is actually what they would say is private;

it's it's like some clown decided to get into cybersecurity and start writing stuff and couldn't couldn't quite keep the comedy and the error out of his work neutrino I exploit kitten is still around but as of late last year sometime I want to say around October November September October November somewhere around there neutrino just like fell off the map and so at work at Palo Alto Networks I'm able to access a bunch of certain types of customer data in order to search for exploit kids and will occasionally still see indicators that neutrino exploit kit is still out there and still active but I've never been able to find any actual warfarin being and I've never been able to generate any

traffic myself after neutrino exploit kit went private Kaizen exploit kit one that I mentioned earlier the one I generally see associated with South Korean websites compromised sites that are generating this traffic who believe it's a Chinese act behind it that one I'll still occasionally see something and this is very old exploit kit it uses it still uses Java and PDF exploits and I never see that with any of the other exploit kits two of the big ones last year angler exploit kit which I think some of you may have heard about was 2015's number one exploit kit probably the most professional the most advanced of the mall that disappeared in June 2016 when Russian authorities arrested

criminals associated with lurk lurked malware I believe nuclear exploit kit which was a big one for several years just all of a sudden disappeared in April 2016 and finally as of last month of sundown exploit kit which I think may have been advertised under another name before it disappeared disappeared as well now the interesting thing about sundown exploit kit is it was it used to rob steal beg and borrow from all the other exploit kits so you might see sundown exploit kit and mistake it for nuclear or neutrino or especially rigged so it looked a lot like rigged in some cases but it rigged exploit kit when it first appeared was in I've always considered it like a mid tier exploit

kit nothing too fancy there really isn't anything innovative in exploit kits and like I said we don't really see much of the way a zero-day exploits anymore from exploit kits it was all it's all kind of gone downhill in recent years now get more into that later so as I was searching for terror exploit kit one of the things I can do with Palo Alto is particulars solution is the thing that we're able to search the easiest for is flash files because flash files flash exploits I should say when they're sent over the wire they're usually sent in the clear almost always in every case so when an exploit kit uses a flash while it may be compressed but it's still

noticeably a Flash file that we can get information from. So in this case Terror exploit kit was, up until the 16th, which is the last time I saw a reliable indicator, on IP address 45.77.31.17 with a bunch of domains that ended with the top-level domain .info. To give you an idea of what we're seeing, what I call the top three at this given point in time (that may change by the time next month comes around): Rig exploit kit, I saw 507 hits since April 1st; Magnitude exploit kit, the private exploit kit, 169; and then way down there on the scale is Terror exploit kit. I didn't notice anything on Neutrino, although I have noticed a couple of hits here and there this year, and there are other exploit kits like Stegano, which I think Trend Micro wrote about, which was basically a new name for an exploit kit that has been out for a while, Astrum. So occasionally we'll see indicators for some other exploit kits, but they're not common. Rig exploit kit, by far, is the most common exploit kit that we'll see out in the wild.

So if we're going to examine exploit kit traffic, you'll have a few prerequisites. For example, if you want to set up a lab to generate exploit kit traffic on your own and be able to look at it and see what's going on: first of all, if you're doing it at work, you need to do it on a non-corporate network. In many cases this means using a VPN, which is how I generally do it. Before I started working at Palo Alto Networks I was working at Rackspace, and I could use a VPN to bypass the corporate network and infect as many hosts as I wanted, and then it was only on occasion, when I would forget to put the VPN on, that I would start triggering alerts and people would go, "Brad again is infecting another computer". But yeah, by and large you probably don't want to trigger malicious alerts on your company's network. If you're doing it from home, a VPN is also a pretty good idea, just because if you have an infected computer on your home network, there are some forms of malware that might start scanning around and seeing if there's anything else that it can reach out to and touch and try and break into. And finally, as far as the VPN service: when you're coming at a compromised website or an exploit kit, if you come from the same source IP address repeatedly, in many cases either the exploit kit or the website itself will not generate the code needed to complete that infection chain if you do

it multiple times from the same IP address. So a VPN is good, to say, switch IP addresses and come at a compromised website or an exploit kit from a different IP and be able to generate some traffic. You'll also need a vulnerable Windows host. It could be a VM, it could be a physical host; I prefer working with physical hosts when I can. So in my home environment, my home lab, I've got it set up that way, not necessarily for the exploit kits, because while some of the exploit kits kind of look for a virtual environment or security tools, it's usually the malware that they send that's very aware of its environment. You'll need a compromised website, and I'll get into where you can get that information a little later. And finally, if you're going to actually generate exploit kit traffic, you'll need a way to actually capture the packets of that network traffic so you can look at it. The way I do it, I do it a number of ways. Wireshark is probably the best tool to use for examining the traffic. I use Security Onion as a way to set up an IDS, so I can generate traffic to figure out what I've got if I don't know what I've got. Rig exploit kit, for me, by this time I've seen it so often I recognize it on sight, but some of the other stuff, some of the malware, the post-infection traffic, I'll see something I've never seen before and I'll break out my Security Onion VM, I'll set it up, I'll replay the pcap of the network traffic, and be able to generate a "oh okay, it's a Zeus Panda Banker, or Quant Loader, or whatever". But you'll need to understand Snort or Suricata as your IDS engine. And a lot of times what I'll do is I'll just use a regular Linux host and use dumpcap or tcpdump to record the traffic before I do anything with it.

So who has examples of exploit kit traffic on the web? I know I do, but there are other people that have, within the past year or so, kind of jumped on that bandwagon of providing malware samples and examples of pcaps of network traffic. One is the site Malware Breakdown; this guy's Twitter handle is @DynamicAnalysis, and the site is malwarebreakdown.com. Okay, this is a guy that within the past year has been fairly active, fairly consistently, and has a lot of interesting and up-to-date things. He also has a little bit of visibility into areas that I don't, so I always enjoy reading this guy's tweets, I always enjoy reading this guy's blog posts on

exploit kit activity. Another one is Zerophage. Now, this website, I had somebody tell me that this is probably the tackiest website devoted to exploit kit traffic that he has ever seen, and he's right, aesthetically. You know, when you're trying to convey a lot of complex technical information, that color scheme and all the fancy graphics and stuff is a little garish and kind of distracts from it. Nonetheless, it's a good resource. The interesting thing is the pcaps that this guy provides (and I'm saying guy, this could be a gal, I don't know, because I've never met Zerophage, or the guy or gal behind Malware Breakdown): Zerophage's pcaps tend to be run through a proxy, so they weren't recorded on the network like my pcaps are, which are fairly straightforward; those pcaps look like they were recorded through a proxy. Another guy that I've known for a while, who I can specifically state is a guy, is @broadanalysis, whose website is broadanalysis.com; he has many examples of exploit kit traffic. Probably my favorite at the moment is someone in Japan who uses the Twitter handle @nao_sec. Now the website I've got there: this Japanese individual does not have, I think maybe has one blog post right now on how he or she looked into exploit kit traffic, an example. The reason I like this Twitter feed is because @nao_sec will routinely tweet information on compromised websites that he or she has found that lead to exploit kit traffic, and at any given time I'll just check whatever nao_sec has posted on the Twitter feed and be able to generate exploit kit traffic. And of course, if you didn't get my site, my Twitter handle is @malware_traffic, and the site is malware-traffic-analysis.net. So I've got a lot of stuff on there; a lot of it's repetitive, because I'll see the same stuff day after day after day after day. The interesting thing is, when people are reporting exploit kit activity, or anything really, generally something new comes up and they report about it. Now if it happens for 10, 12, 20 days in a row, you know, there may be a tweet about it or something like that. What I'll generally tend to do is try and post an entry that provides new traffic examples and new malware samples of the same activity as it keeps going on day by day, but there really are only so many hours in the day to do that.

Some of my observations looking into exploit kit traffic. Number one, exploit kit indicators are constantly changing. I'd already mentioned earlier that with Rig exploit kit, those domain names change; the suffixes and prefixes and the actual domain names

themselves will change at least daily if not more than once or twice a day and the suffixes and prefixes will change hourly legitimate sites and domains are frequently associated with exploit get traffic so just because the fecal transplant foundation.org is compromised and generating a kicking off links to exploit gates doesn't mean that it's not a valid site and that you can hop on a Chromebook or something and look at that site and give the information that you need god help you if you need it ransomware is big and he talked about ransomware earlier it's very good talk I was kind of trying to divide my time between the two talks but it's good that it's recorded so I can get a look at it

and see your particular spin on it. A few of us have talks about ransomware. Ransomware is big; for a while it was probably by far the number one payload that I would see from exploit kit traffic. Starting about mid 2015, it was always there. However, about a week to a week and a half ago, through exploit kits, through Rig exploit kit, which is the big one, I stopped seeing ransomware. Now I'm seeing information stealers and loaders. Even on the, I'm sorry, the malspam, the malicious spam mass email distribution, where ransomware reigned supreme, now we're starting to see a resurgence in stuff like Dridex and Coulter and some other families of malware that are not ransomware. So ransomware is big, but I think it may be falling out of favor, and we'll see what happens in the next couple of weeks if I start seeing ransomware back on the exploit kit side.

Last month, security researcher Kafeine from the site malware.dontneedcoffee.com, he doesn't provide pcap samples or malware samples, or maybe he does on his malware.dontneedcoffee.com site, but he doesn't post as frequently as some of the other guys that I've mentioned. Anyway, Kafeine gave a tweet some time back in March, and I can't fit it all on one screen, so I'm going to fit the top part and the bottom part. So on

the top part of this quad chart he had exploit kit hunting in 2012: people hunting exploit kits, it was kind of a desert. But by 2017 we've got a lot of people looking into this stuff now, because it's interesting. I found it interesting because I started looking into it about 2012, when I started working at Rackspace as a SOC analyst and was really finding out about this stuff: wow, this is cool, I want to understand it more. However, the exploit kit landscape has done an inverse, right? So in 2012, the exploit kit landscape, there were a lot of different exploit kits out there, a lot of different actors in the criminal market that were selling exploit kit services. 2012 was still the Blackhole exploit kit's heyday, if anybody remembers the term Blackhole exploit kit. 2012 was its year; it had been around since 2010, but 2012 was big, and everybody was trying to copy the success of the Blackhole exploit kit.

Now by 2017, in comparison, it's kind of a desert, because really the only huge mass volume of traffic that we're seeing from an exploit kit is only Rig exploit kit. Everything else is by far much lower in volume. Why do you suppose that is the case? Well, if we look at the browser market, we see that Chrome is at 58.64 percent of the browser market as of the last time I

checked earlier this month. I just Googled it; it could be a bogus site, but I'm going to treat this as the type of information that I've heard about before. So Chrome: I have never been able to infect a machine through exploit kits using Google Chrome. Don't know why, or you can make the guess that Chrome is a better browser. Internet Explorer is at just under 19 percent of the market. Some of the exploits that are applicable to Microsoft Edge have found their way into exploit kits, and that's at roughly under six percent. So take those together: a little under 25 percent of the browser market is a browser that's commonly exploited by exploit kits, right? And we're not even talking about the share of computers that are Microsoft Windows as opposed to MacBooks or Androids or Linux or Internet of Things or whatever; there are a lot of lucrative markets out there right now that aren't Windows.

So the bottom line is exploit kits are really on the wane. So if you're just now hearing about exploit kits and you're curious about them, well, it's not that they're not going to be around; they're just not really that much of an issue as far as, in my case, actual threat. If you're running Windows, run Windows 10 and you shouldn't have much of a problem with the current exploit kits that are out there. If you're

running Windows 10, I would suggest you move to Linux or something, and then you wouldn't have to worry about it at all. But yeah, Windows 7, really, you're rolling the dice security-wise if you're still running Windows 7, even though, from a user experience, the interface, it's much, much better than Windows 10.

So what's your best defense against this waning exploit kit threat? Well, one is to back up your critical data, and we already kind of went over that earlier in the keynote on disaster recovery, right? So an exploit kit for some people could be a disaster waiting to happen, especially if you get hit with ransomware. So back up your critical data and make sure that you can access it if you need to. It does you no good to back up that data if you can't recover it, especially if you're in a business and cannot afford downtime. If you keep your computers up to date and fully patched, that will really help a lot against exploit kits. Training and awareness is another one: you can't properly defend against something that you don't know anything about. It works really well with phishing emails, but it also works as far as exploit kits. And finally, browsing restrictions: if you're on a corporate network, you can have some sort of proxy or some sort of internet web filtering that will filter out specific types of sites that are prone to leading to

exploit kit traffic. What types of sites do you think might lead to exploit kit traffic? Shout anything. Pardon? Porn, I hear porn, pornography, yes. It's interesting, because that guy nao_sec, the Twitter account, sometimes I'll check out these sites and they have some really weird esoteric names, and it was like, ah, it's a porn site, and usually they're just not anything I would care to look at anyway. So porn, gambling, gambling sites. So stay away from porn sites, stay away from gambling sites, stay away from file-sharing sites, so, you know, illegal file-sharing sites especially. But when you're talking about torrent-type sites where they're advertising the latest season of 24 or The X-Files or whatnot, and you're downloading them for free, you're kind of opening yourself up to not just exploit kits but other types of infection vectors.

So that pretty much does it. This is what we went over, and now it's time, if you guys have any questions. Yes, sir?

I guess I have a lot of time, so I'm looking personally at Facebook, I'm looking on my phone, yeah, and then I'll generally get something that pops up, not an exploit kit in the case of an Android phone, but it'll be "you need to install this app," and that's the type of thing where, if I were looking at it on a Windows host, I could almost guarantee you'd probably be redirected to an exploit kit at the worst, or at the best, you know, a similar type of site. But yeah, I've seen it happen before when I was working at Rackspace, searching for exploit kit indicators and tracing it back to what ended up being somebody on Facebook and looking at a particular something like that, all that stuff that's, you know, basically a time waster. Any other questions? No?

No, personally I haven't seen it. I think it is feasible, but normally software access policies are a good method of just preventing malware in general. So from the user's AppData\Local\Temp directory in a Windows 7 or Windows 10 host, there are certain conditions that you can set up with the software policy that would prevent your computer from getting infected regardless of whether it's an exploit kit or a malicious Word macro or something like that. But no, I personally haven't seen exploit kit activity that can bypass

software access policies, so it's a good preventative measure. I should probably put that up on the slide. Anything else? Sir?

Regex, yes, but it also changes fairly constantly. So for example, the Emerging Threats rule set, they'll generally keep on top of that. If we go back...

jeez, no, here we go. So if you look at the dates on these, the Rig exploit kit landing URL, April 4th was the last time that they did a major change, that they had to rewrite the PCRE for the rule detection on that. So it occasionally happens; the time before that, I believe, was March 13th, as we see out there. But so yeah, you can identify it. A company like Proofpoint, with the Emerging Threats rule set, that's how they do it. The company I work for, Palo Alto Networks, has a different method of doing it.

There are definitely area-targeted campaigns where I will have to VPN from a European IP in order to get infected, so I won't say platform-specific, but location-specific, okay. I haven't seen anything platform-specific, but normally when people are telling me, hey, I tried this compromised website, I wasn't able to generate the traffic, I will ask them if they're using a VPN and trying to get at it from a different IP address than their IP, or whatever location they're at, repeatedly, and they're not able to get it. But yeah, there are some campaigns that are specific. So I'm getting the wrap-up for time right now. I'll be around, so I can take some questions if anybody has any for me one-on-one. And thank you very much.
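Two points from the talk, that exploit kit hostnames rotate daily or hourly so domain indicators go stale fast, and that Emerging Threats had to rewrite its PCRE for the Rig landing URL whenever the URL structure changed, as a small added example that is not part of the talk, of Brad Duncan's blog, or of any vendor's rule set. Everything in it is constructed: the hostnames, the query-string layout, the regex patterns and the day labels are hypothetical stand-ins, not real Rig indicators, and the real Emerging Threats rules are not reproduced. It contrasts an exact hostname blocklist with a structural path-and-query rule over a few constructed requests, then reduces each query string to a "shape" so the structure change that forces a rule rewrite is visible.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests. Hostnames, paths and the "day" labels are
# hypothetical, invented for this example; none is a real indicator.
SAMPLE_REQUESTS = [
    # day 1: hypothetical landing URL, three query keys with base64-looking values
    {"day": 1, "url": "http://add.example-ek1.test/?ct=Q2hyb21l&oq=dXNlcjE&q=TXMgRXhwbG9y"},
    # day 2: same structure, but the hostname prefix and domain have rotated
    {"day": 2, "url": "http://new.example-ek2.test/?ct=RmlyZWZveA&oq=YWRtaW4x&q=SUUgMTEgd2lu"},
    # day 3: the operator changed the query keys, so the day-1 rule no longer fits
    {"day": 3, "url": "http://red.example-ek3.test/?kr=Q2hyb21l&tr=dXNlcjE&ws=TXMgRXhwbG9y"},
    # benign request on the same day that must never match
    {"day": 3, "url": "http://www.example.org/search?q=exploit+kits&page=2"},
]

# Detection 1: exact hostname blocklist built from what was seen on day 1.
HOST_IOCS_DAY1 = {"add.example-ek1.test"}

# Detection 2: structural rules on the request path and query, in the spirit
# of the PCRE-based landing-URL rules the talk attributes to Emerging Threats.
# Both patterns are hypothetical; the real ET rules are not reproduced here.
B64 = r"[A-Za-z0-9+/_=-]{6,}"
LANDING_RULES = {
    "landing_v1": re.compile(rf"^/\?ct={B64}&oq={B64}&q={B64}$"),  # written on day 1
    "landing_v2": re.compile(rf"^/\?kr={B64}&tr={B64}&ws={B64}$"),  # rewrite after day 3
}


def path_and_query(url):
    """The part of a URL a landing-page rule is matched against."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def match_host_iocs(requests, iocs):
    """Days on which a request hit the exact-hostname blocklist."""
    return sorted({r["day"] for r in requests if urlsplit(r["url"]).hostname in iocs})


def match_rules(requests, rule_names):
    """Days on which a request matched any of the named structural rules."""
    rules = [LANDING_RULES[name] for name in rule_names]
    return sorted({r["day"] for r in requests
                   if any(rule.search(path_and_query(r["url"])) for rule in rules)})


def query_shape(url):
    """Collapse a query string to its key order plus a coarse value class.
    Comparing shapes day over day shows when the URL structure changed,
    which is when a structural rule needs rewriting."""
    def value_class(value):
        if re.fullmatch(r"[0-9]+", value):
            return "num"
        if re.fullmatch(B64, value):
            return "b64"
        return "text"
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return "&".join(f"{k}={value_class(v)}" for k, v in pairs)


def days_by_shape(requests):
    """Group request days by query shape so a new shape stands out."""
    groups = {}
    for r in requests:
        groups.setdefault(query_shape(r["url"]), set()).add(r["day"])
    return {shape: sorted(days) for shape, days in groups.items()}


if __name__ == "__main__":
    print("day-1 hostname IOCs hit days:", match_host_iocs(SAMPLE_REQUESTS, HOST_IOCS_DAY1))
    print("landing_v1 hits days:", match_rules(SAMPLE_REQUESTS, ["landing_v1"]))
    print("landing_v1 + landing_v2 hit days:",
          match_rules(SAMPLE_REQUESTS, ["landing_v1", "landing_v2"]))
    for shape, days in days_by_shape(SAMPLE_REQUESTS).items():
        print(f"shape {shape!r} seen on days {days}")
```

Run as a script it prints which constructed days each detection catches: the day-1 hostname list catches only day 1, the structural rule also catches the rotated day-2 host, and only the rewritten rule catches day 3, while the benign request matches nothing. Grouping by query shape is a cheap triage step for the same reason: a new shape on traffic you already know is bad is the signal that the regex needs updating, which is the cycle the talk describes for the March and April rule changes.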