
Taking the Red Pill: Make Malware Analysis Great Again #MMAGA

BSides Charleston · 2018 · 40:44 · 302 views · Published 2018-11
Style: Talk

About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Taking the Red Pill: Make Malware Analysis Great Again #MMAGA". Speaker: Crane Hassold (@CraneHassold)

Transcript [en]

...present our next keynote, or introduce rather our next keynote. Crane Hassold is former FBI and is now the Senior Director of Threat Research at Agari, so without further ado, please give a warm welcome to Crane Hassold.

All right, thank you. I'm super excited to be here. I'm very excited about this presentation; I was telling Paul and TJ earlier this might be one of my favorite presentations I've gotten to review, and you'll see here a little bit why that is. I think it's gonna generate some awesome discussion. As you can see, sort of the purpose of this presentation is going to be looking at malware analysis, how we use it today, sort of seeing what the output is and seeing how we can make it better. Let me get just an idea of how many people here are malware analysts, are very interested in malware analysis, or reverse engineers. How many people in the room? A good number, okay. I will give you a trigger warning: for those of you who do that, the first quarter of this presentation you may have some issues with, and you'll see why here in just a second, but don't worry, this is sort of a... we're gonna go on a journey together. We're gonna talk about malware analysis and how we can improve it, and hopefully by the end of this presentation we can all sort of come to an understanding of, you know, when we talk about malware analysis and how we report it to people, how we can make it more effective. So let's start that journey.

So as an industry, as a community, we do a lot of reporting about malware, right? I'll tell you, each one of these titles on this page I believe came from a different company or a different vendor, and you can see that mostly, if you look at the past couple years, you see a lot of ransomware reporting, a lot of reporting about things like banking Trojans. And when we look at these blogs or other types of articles, usually this is what they contain: they're very technical in nature. They contain, you know, we look through your binary execution analysis, look at the source code in depth, some shellcode, look at what files or keys are created, as well as an in-depth look at some of the functions and processes and strings of the malware itself. There's a lot of articles out there that go through disassembly and debugging, right, walk you through those types of things, looking at, you know, what network behavior can we see, what specific IOCs come out of these samples we're analyzing, and what are some of the defensive mechanisms there, right? So this is where some of you that are malware analysts now may be like, what the hell is this guy talking about? So I've just gone over what all of these reports look like, how we report this type of malware. I'm gonna ask you this: so what? What does this mean? Why do we do this? Why is this relevant to anyone, really?

So when you look at a lot of the malware reports that come out, the general public can't understand most of it. Most people who are the intended audience of these reports, of these articles, really couldn't get through the first couple sentences before they completely tuned out, because they don't understand it. And really the purpose of external reporting, why we're publishing something, is to help a specific audience, inform them about certain threats so they can protect themselves from the threats, and if they can't understand it, then why should they care? When you think about cyberattacks these days, for the most part the technical components of these attacks are secondary concerns. It's what happens after someone has already clicked a button, and really what we should be concerned about, number one, is preventing the delivery of these threats before the malicious technical components of it are even a problem. And really that infection vector, when you look at the infection vector, is usually very non-technical. Generally it's going to be social engineering, generally it's going to be phishing, and when you talk about psych-type things, that's not very cyber-y; it's really just behavioral exploitation and nothing more. The technical concepts of cyberattacks happen after the fact. Also, what people are interested in, especially when you look at businesses and enterprises, what the decision-makers at those places are actually worried about and actually care about, is: what's the impact if someone does click a button and one of these pieces of malware does go off in my environment? What's the actual impact there? How much money is it gonna cost me? How much time offline is there going to be that I'm not gonna have access to data? Is anything being taken from my environment? And what does my brand, from like a brand reputation perspective, how does it hurt my brand? So when we're talking about malware and why we care about malware, it's not the malware itself, really; it's before and after the malware actually goes off. So when we think about what's the purpose of these reports, and we'll talk about this more as we go through this presentation, but the purpose of these reports should be to inform our audience about these types of things: how do you prevent an actual attack from happening, and how, through the analysis of malware, we can prevent that, and also, in the event that it does go off and it does enter my environment, what's actually going to happen, why should I care after the fact?

So I invite you guys to think about a bank robbery, right? Think about someone going into a bank and robbing it. It could be a picture like this. I'll tell you that looking for actual images of a bank robbery on Google Images is actually quite difficult; this is the best one I could find, and it's still even not that good. But take this guy, right? He's gone to a bank, he's wearing this hoodie and a jacket, sunglasses, a bandana over his mouth, and he's got a handgun, right? And so this is sort of like the generic thing you might think of when you think of a bank robbery, and I want to make this sort of analogy to what we do in malware analysis. This is the attack, right? This is the attack. This is what has actually happened. In malware analysis, what we do is we go hyper-focused on the weapon that was used to rob the bank, right? If this was a cyber attack, and a lot of the malware reporting we see out there, we would go into great detail about what type of gun was this, what were the detailed components of this gun, how did it function, what was the result once it went off, if it went off. But we don't care about anything else outside of that gun. We don't care about who's holding the gun, we don't care about the environment that he was in when he came into the bank, all of those types of things. So when you think about a bank robbery, when someone's investigating a bank robbery, do the investigators really care about the intricate details about the weapon that was used to rob the bank? No, no they don't. They care about the context around the actual attack. They care about what was actually happening outside of that perspective. What they really want to know are things like: who robbed the bank? What was the robber wearing? When was the bank robbed? Why did the robber choose this specific bank? What defenses, if any, did the robber have to overcome in order to enter the bank to rob it? How was the robber behaving during the robbery? Was he nervous? Was he sort of practiced? Have there been any other similar robberies in the area? And how much money was stolen? And when you think about sort of a general description of this from an intelligence perspective, this is really what we want to know when we're talking about a bank robbery: attribution, a general description of the threat, the temporal indicators around the attack itself, the motivation of the attacker, how much preparation was needed by the attacker to commit this crime, the sophistication of the attacker, any types of case linkages, and ultimately the impact: how much impact did this attack actually have? And so I ask you this: why is this what investigators of bank robberies actually care about? Because at the end of the day, what they want to do to prevent this from happening is identify the person behind the robbery and bring them to justice.

So now we'll move on to this, and we'll talk about cyber threat intelligence, because this is really where we're moving in this discussion. And so I took this quote; this quote is from iSIGHT Partners, probably one of the best sort of condensed descriptions of cyber threat intelligence that I've seen, and we'll walk through this. So based on what iSIGHT Partners says in this quote, cyber threat intelligence is knowledge about adversaries. We'll stop there. So essentially we want to know who is targeting us, we want to know who is attacking us. So cyber threat intelligence is knowledge about adversaries and their motivations, intentions and methods, essentially the how and the why something is occurring, that is collected, analyzed and disseminated. So one of the things about cyber threat intelligence that I think most people out there have a misrepresentation of is that when we're talking about things like IOCs, right, data, they call that intelligence. But really what intelligence is, is looking at that data, looking at those IOCs, interpreting it and coming up with an analysis and some good recommendations out of that interpretation, in ways that help security and business staff at all levels. So I want to point that out, because this means that not only is your SOC or your threat intel team supposed to be aware and able to sort of read the recommendations of the reports that come out, but also C-level folks, executives, people that don't have an in-depth understanding of this but need to know the problem, to protect the critical assets of the enterprise. At the end of the day, the purpose of what we do is to try to proactively make it that an attack does not happen, right? So to sum up this description of cyber threat intelligence, what is it? So it's actor-centric: we want to know more about the why and the how, why is something happening, how is it happening. It's more than just raw data, right? It's an interpretation and analysis of that data. It's consumable by everyone and not just a small subset of technical people, and it's used for proactive defense.

And so one of the issues out there is that you have intelligence analysis and malware analysis, even intelligence analysts and malware analysts, and one of the things that I've found is that the ways of thinking of these two groups are diametrically opposed to one another. The way that intelligence analysts think about a problem versus the way that malware analysts think about a problem is generally very different. Intelligence analysts usually look at something from a macro level; they want to look at the high-level understanding of a problem and understand what it means. Whereas malware analysts, in my experience, usually take a very micro look at a problem; they want to dig in to a single thing and understand what that thing means and what it does. And I think part of this is, and there's nothing wrong with this, but I think a lot of this has to do with training and how each of these two groups are trained to think, right? From a malware analyst's perspective, that is what you are supposed to do: you're supposed to understand what a single piece of malware does, how it behaves, and what the output of that is. An intelligence analyst is trained to look at the big picture, to understand the why and the how of a problem, and to not look into the weeds of any specific artifact. And both of these sort of groups, and the training of these groups, have been around for a very long time, and it was only once sort of cyber became a problem that they sort of had to coexist with one another. And that is sort of what we're in the middle of right now, is trying to get these two groups that have historically done different things to think similarly to one another. And it's not just malware analysts thinking like intelligence analysts, but it's also intelligence analysts thinking like malware analysts, right? And so we have this conflict of how these two groups think.

So let's talk about malware analysis, and we'll talk about how we can turn malware analysis into malware intelligence analysis. And really these are the three things that I think, when you're thinking about malware, if you're analyzing malware, what you should be thinking about: the so-what aspect of it. So the first part is prepare, preparation. What do I need to know to protect my users or someone else's users from this threat? What is the initial infection vector, right? How does it get into my environment, potentially, and what do I need to look out for to make sure that doesn't happen, how I could proactively detect it before someone actually receives it? What is my risk level for a certain type of threat? When we're talking about threat actors and we're talking about their motivations, right, motivation is very important if you're a company, because if I know that group A is motivated by whatever, but my company doesn't do that, or probably doesn't, then the risk level that that group poses for my business is minimal. But if group B is a primarily financially motivated group and I'm a bank, then I might see them as a higher risk level. So when I'm trying to prepare and prioritize threats targeting my organization, motivation is a very important aspect of that. What security holes do I need to close? So the biggest example of this, I don't know if any of you have heard of WannaCry, show of hands? No? Yeah, okay, so that was kind of a big deal, right? But how easy was WannaCry, technically, to prevent? Super, super easy, right? There was one exploit that it used that came from, you know, the NSA tool dump, and all companies had to do was to patch that hole, and their risk level for WannaCry, and later on NotPetya, was almost zero. So what security holes do I need to close? What types of suspicious behaviors should I block or alert on? So when I'm looking at malware, right, if you're doing malware analysis and you're looking at the behavior of that, I don't need to know in the weeds specifically what the code looks like to create these certain behaviors; I just need to know what the behavior is and what the audience that I'm reporting to would need to know in order to implement protections against that behavior. And then we also talked about prioritization as well. So preparation, from a malware intelligence analysis perspective, is number one.

Number two: if something does enter my environment, if one of my users does click on something that causes this malware to explode, essentially, in my environment, virtually, what do I need to know to quickly remediate this type of attack? What pwned me, essentially: what is it, what artifacts should I be looking for to help me clean this up, how do I contain the threat quickly without infecting other users? What's the business impact? Again we go back to what's the financial impact, what is the exposure impact from this malware. Go back again to think about last year and the ransomware issues with WannaCry and NotPetya. Think about Maersk, right? Maersk was one of the big victims of WannaCry... NotPetya, yeah, NotPetya. Think about them not just from a financial perspective, in the hundreds of millions of dollars that that caused, but also from the corporate exposure perspective, what the reputation of Maersk looks like after that happened. And then, and this merges into the next category, but what evidence can I collect while I'm doing incident response that can be used in the investigation to hopefully identify who these guys are behind the scenes?

So, investigate, right? So what do I know about the actor or group behind this attack? So not just the what pwned me, but who was it actually? Can this actor be linked to other attacks, so that case linkage aspect that we talked about with the bank robberies? How do we fully mitigate this threat? And what I mean by fully is, how do I take the person responsible for an attack and take them offline? Because you can mitigate an attack technically, but it's not going to stop, right? It's not going to stop until the person behind that attack is motivated to stop. So how do you do that? And then, and this really gets into the reporting aspect of malware analysis, but what actionable intelligence can I provide to others so this doesn't impact them? And so we have prepare, respond and investigate, and really what we have here at the end of the day is sort of a modified intelligence cycle, right? And it all sort of flows into one another: you have the preparation, then once you prepare and something does happen, then you can respond to it, once the IR process, if you're responding to it, then you're investigating after the fact, you're collecting evidence to investigate, and then you have the reporting aspect of it. And this is really where, so I added a report here, because this is where, when we talked about the very beginning of this presentation, this is where it really comes into play. If my reporting only focuses on the in-depth technical artifacts that I see from a threat, then the preparation side of it doesn't benefit, it doesn't benefit at all, because I'm not giving the audience anything that will help them prepare. There may be a little bit of information that will help me from an incident response perspective, if you're talking about, you know, what files are being dropped, things like that, but from a preparation perspective, which is really what we should be doing overall, it doesn't really help me.

So I want to talk about a couple of examples here, just to sort of discuss this a little bit further. So ransomware, right? It's a problem. I ask you again: so what? So what about ransomware? So if you think about a couple years ago, ransomware has kind of been a thing a little bit lately; in 2016, I'm sure most of you know, sort of ransomware blew up, especially from a media perspective. I love this chart from F-Secure; it was a great visual representation of what the hell actually happened in 2016. Almost 200 different variants and families of ransomware were identified, and you better believe most of those were reported in some sort of blog by different vendors. And really most of these families, they were around for what, a couple days, a week maybe? There was really a small handful of families of ransomware that really persisted throughout 2016 and still persist today. And so when you look at the intelligence aspect of ransomware, we'll go back to the three things we were looking at before: prevention, response and investigation. Really, with ransomware, prevention is key. So if I'm communicating to an audience about what I should care about with ransomware, prevention should be the number one thing, right? Then the biggest recommendation for ransomware is backups, right? Everyone should back up their stuff. Well, there are some variants of ransomware that infiltrate backups as well, and from an awareness perspective, from an intelligence perspective, that is extremely important. What are some signatures that I can look at for when it is coming into my environment? Again, we're looking at, generally speaking, phishing emails for the most part. What do those phishing emails look like? What signatures can I build off of that so my inbound protections can detect them? And then the behavioral indicators of ransomware: what type of behavior does this type of ransomware exhibit if it has been clicked on? What can I look for? I'm not talking about threat data, I'm not talking about IOCs or anything like that. I don't care about the hash, I don't care; I want to know what kind of behavior is being exhibited, to prevent an infection. The incident response side of it, really this is what people care about if they're ever infected with ransomware: how do I get access to my files back? That's all they care about, right? And if you're an enterprise, if you are a business, all you really want to do is minimize and assess the damage of this attack. So when you think about what happened a couple of years ago, in the second half of 2016, when the big groups started targeting businesses, health care, hospitals, things like that, the reason they did this is because they knew that the value of data to those companies was extremely high, that they needed access to data constantly, and if they didn't have access to it they would be more likely to pay, right? And so from a response perspective, how do I minimize that damage if possible? From an investigation perspective, after the fact, so we can, you know, we can look at malware and understand how it ties together and see if there's any ransomware that's associated with any other families of ransomware, but really from an investigation perspective, how do we get to the who behind the scenes? One of the most useful ways of doing this is cryptocurrency wallet analysis: targeting wallets, tying wallets together and trying to identify the characteristics with that. So the so-what aspect of ransomware is essentially this type of stuff. This is what we really care about, really should be reporting about, when we're talking about ransomware.

So the next one I want to talk about here: banking Trojans. So what? So what? Who cares about banking Trojans? And some people here in the room and I have had very detailed discussions about banking Trojans and my thoughts about them, but really when you think about banking Trojans, it is very challenging to actually care about them. The challenge with them is that for the most part they target non-technical individual users on their home computers or mobile phones, right? So prevention, you know, we talked about prevention, this is what we should be reporting, but prevention essentially relies on antivirus on desktop machines and app store controls for mobile devices. That's essentially how you prevent banking Trojans, and unless you're in one of those industries, if you're in the AV industry or you're Google essentially, then prevention is very difficult, or you really do not care about prevention. We always talk about security awareness training, how great that is and how you can inform users about how to look for specific threats, phishing emails coming in, but educating individual users is almost impossible. You're not going to be able to educate that 65-year-old grandma in Iowa, because she probably won't take the time to look into that, and if she does, she's going to, even from a high level, not understand what you're talking about. So at scale, you can't educate individual users. Incident response, from the respond aspect of this, is not possible, because you're not in a closed environment, you're not in an environment that you can control; you're in individual devices owned by individual people, and so you can't do incident response on those infected machines. And then infrastructure mitigation, so taking down, if you were actioning the actual C2 infrastructure for a banking Trojan, it sounds really good, but at the end of the day does it actually have an impact? If you're someone like TrickBot that has access to likely hundreds of thousands of different IPs that they can use, if one gets taken down, does that have any impact? I would argue it probably doesn't. So how do we actually handle this problem of banking Trojans? When we're reporting information about banking Trojans, what should we actually care about? Well, there are two things here. One, I believe that the problem of banking Trojans is primarily a law enforcement issue. There's so little that we can do to actually control and prevent and respond to these things that they will not be mitigated until the people behind them are mitigated. You'll see that happened a little bit with Dyre, right? When Dyre went offline a couple years ago, they were taken down, their activity was taken down, until TrickBot came back, and likely some of the group members from Dyre moved over to TrickBot. There was a lull in activity, but now there's TrickBot. The interesting thing about banking Trojans is that there's a relatively small number of them, on both the desktop and mobile side, that actually make an impact to the overall threat ecosystem, right? I would say that on the desktop there are probably five to seven actual families, run by a group, that actually make the dent, that make up the predominant threat within the banking Trojan landscape. On mobile it's growing, but it's essentially the same thing: you have a small number of families that are run by individual groups that make the impact, and the only way to minimize and limit that impact is to take the group out of the equation. Until you do that, they're not gonna stop, and there's very little way to actually prevent that. I would say the other thing, from an intelligence perspective, what we care about and what we could report to people to try to minimize the impact is the behavior of the malware, right? The behavior of the malware. So since you can't control individual users' devices, and you can't, unless you have AV on those machines, what you could do is look at the behavior of the malware and, if it's applicable, how that infected host interacts with something like a bank network, and identify that signature, so the bank... at the end of the day the person will probably still get infected, but at least the person who's losing the money, which is the bank, can protect themselves. We were also talking about earlier sort of, you know, the evolution of banking Trojans, and how eventually, for banking Trojans, that term may not even be applicable, because what is happening, and I think, from a threat actor's perspective, probably the way that I would go, is that they're moving, somewhat slowly, away from banks and individual users and targeting organizations and businesses with the same tactics that they use with a banking Trojan on a bank's website, but targeting organizations, really acting more like a RAT than a banking Trojan. That type of behavior, that evolution of threat, is extremely important for someone to understand, how a threat is evolving over time. So when we talk about the so-what of banking Trojans, why I should care when I'm reporting information about banking Trojans, these are the types of things that I should focus on.

So sort of to sum up, to wrap up here, you know, we've gone from looking at malware analysis in a bubble, looking at a single piece of malware, and sort of extrapolated that, taking this journey to how we can evolve our thinking for malware analysis to a malware intelligence analysis. And a lot of this has to do with how we report our findings about whatever we're analyzing, and so really communicating the so-what, why should someone care about what I'm reporting, makes malware analysis much more valuable. I say don't state the problem, solve the problem. Tell me how I can solve this problem based on what you're showing me. If I'm just stating this is malware X and this is what it does, I'm sure it's interesting, I'm sure from a marketing perspective it's great, right, but why does that actually matter? Why does it actually matter to someone who's reading it? What we want to do is try to impact the problem as much as we can and give other people the information so that they can impact that problem. Keep thinking of the bigger picture when you're analyzing malware. Don't just look at a piece of malware in a vacuum; think about how it connects to the overall threat landscape, and why it does that, and who is behind the scenes. And then also know your audience. Know who you're trying to communicate to, right, and how they're going to use this information. Don't just assume that you're reporting to other malware analysts or reverse engineers; assume that you're reporting to C-level executives or CISOs that actually have control and an intense interest in protecting against the threats you're reporting about. So know your audience. And so the title of my presentation was Taking the Red Pill, and most of you are probably like, where the hell are the Matrix references, right? We've been through this entire presentation and there hasn't been a single Matrix reference. I'll give you this: on the right you have malware analyst Neo, who's just sitting at his desk. He's taken the blue pill, he's gone back to his day job, he hasn't opened his mind. And then on the left we have malware intelligence analyst Neo, who has taken the red pill, and by opening his mind, by thinking of the bigger picture, he's now able to do things like this: he's able to stop bullets. It's amazing. So I want you to be able to stop bullets. I want you to think of the bigger picture. So that's all I've got for you today. Does anyone have any questions? Yeah.

Yeah, so there are a lot of great templates out there, so the MITRE ATT&CK template is one of the best ones out there. There's a lot of different, not templates, but true analytical thinking methodologies that are out there that will be a template for reporting, but will allow you to think about things in a more analytical way. So the things that I always talk about are things like, even like the way that you report, as in bottom line up front, right, the BLUF method, where you are putting what's actually important at the beginning of any type of report, so whoever's reading it will be like, why does this matter to me, so what? They'll know it; they don't have to read the whole thing, they can if they want to, but at least you're doing two things there: you're forcing yourself to think about the so-what of your reporting, but you're also giving them what they need to know right at the top. So, make sense? Perfect. Any other questions? Yeah.

Yeah, so it really depends on what you're looking at. So what I talked about, report, I'm talking about reporting to whoever is appropriate for that type of analysis. It could be simply just internal; it could be, when you're doing like incident response, it could just be an internal report to your incident response team and your CISO to let them know the so-what aspect of what you found. It could be sharing and reporting externally from a marketing perspective in blogs and articles and things like that. It could be sharing to like trusted partner working groups, and it could absolutely also be for law enforcement purposes as well. And if you think about it, the context that you actually want to report to each one of those groups is different, and so when I talk about know your audience, it sort of goes into that as well. So you want to know what's going to be important for each one of those groups. Any other?

Yeah, so I'm practical, I'm a realist. I understand that a lot of this reporting is for marketing use, right, and it's not really for operational use, and I think that, you know, that's great and all, but I think that we need to, you know, both us as security professionals and sort of our marketing teams, need to get into the mindset that we need to understand why we're reporting stuff out there. So yeah, there's absolutely a marketing and journalism aspect of that, to get someone's name out, to say look how much I know about a certain subject, absolutely, but I think that we need to sort of do better than that. So, make sense? Any other questions? Cool, thanks guys, I appreciate it. [Applause]