Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee.

Published byRaymond McGee Modified over 9 years ago

Similar presentations

Presentation on theme: "Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee."— Presentation transcript:

1 Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee

2 Defense Against the Dark Arts Malware terms & definitions Naming conventions Online analysis services and tools Basic replication & setup Sample execution Tools

3 Defense Against the Dark Arts APT’s Forensic, Static, and Code analysis Continue replication discussion

4 Defense Against the Dark Arts Term created in 2006 by US Air-force analysts Describes three aspects of attackers that represent their profile, intent, and structure: –Advanced – The attacker is fluent with cyber intrusion methods and administrative techniques, and is capable of crafting custom exploits and related tools. –Persistent – The attacker has an objective (or mission in longer-term campaigns) and works to achieve their goals without detection. –Threat – The attacker is organized, receives instructions, is sufficiently funded to perform their (sometimes extended) operations, and is motivated.

5 Defense Against the Dark Arts Characteristics of an APT: –Actors –Motives –Targets –Goals Actors: –Terrorists/activists –Governments –Organized crime groups –Competitors –Malicious insiders/ex-employee

6 Defense Against the Dark Arts Motives: –Money –Disgruntlement or revenge –Ideology –Excitement Targets: –Large corporations –Governments –Defense Contractors –Anyone

7 Defense Against the Dark Arts Goals: –Use stealth during intrusion to avoid detection –Create backdoors to allow greater access, especially if other access points have been discovered and patched – Initiating the primary mission: Stealing sensitive data Monitoring communications Disrupting operations – Leaving undetected

8 8 Start Step 2 Weaponization Step 5 Installation Step 1 Reconnaissance Step 4 Exploitation Step 3 Delivery Step 6 Command and Control Actions on Objectives Step 7

9 Defense Against the Dark Arts Chinese Gh0st RAT

10 Defense Against the Dark Arts RAT used: Zwshell Pwd: zw.china

11 Defense Against the Dark Arts Hidden menu

12 Defense Against the Dark Arts What is forensic analysis? –Contextual metadata leading researcher to this point Customer submission Anecdotal details about attack Honeypot Association with other threats

13 Defense Against the Dark Arts Dynamic analysis

14 Defense Against the Dark Arts What is static analysis? –Sample analysis performed without the benefit of dynamic execution environment –Pros? –Cons?

15 Defense Against the Dark Arts -Get sample from share called “gimmegimme.zip” -Extract to desktop -Did you have your snapshot made? -Run tools like process- explorer/procmon/fakenet/antispy/flypaper -Execute the sample -Investigate what this sample is doing -What is the purpose of this sample?

16 Defense Against the Dark Arts Elements of static analysis? –String analysis –Binary analysis –Source analysis

17 Defense Against the Dark Arts 0x00001840: 'px.exe' 0x00001850: 'gmfa' 0x00001860: 'G2013\av' 0x00001880: 'G\AV' 0x00001892: 'DosDevices\C:\Arquivos de programas\AV' 0x000018E0: 'vc.exe' 0x000018F0: 'stS' 0x00001900: 'st\Ava' 0x00001910: 'ST Software\Ava' 0x00001932: 'DosDevices\C:\Arquivos de programas\AVA' … 0x00001F0A: 'ZwDeleteFile'

18 Defense Against the Dark Arts

19 Defense Against the Dark Arts AutoIT Keytools CHM decompiler DJJavaDecompiler dotPeek.NET decompiler

20 Defense Against the Dark Arts Use Forensic Information to Rate Sample

21 Defense Against the Dark Arts Right-click flypaper.exe and choose SendTo->FileInsight

22 Defense Against the Dark Arts Open Sample 1 in FileInsight Use the tool to decode Sample 1 and extract strings Take 20 minutes –Using string analysis, what can be said about these 3 samples Class2\Labs\Lab1\Strings/Sample 1 Class2\Labs\Lab1\Strings/Sample 2 Class2\Labs\Lab1\Strings/Sample 3 –How would you prioritize these samples for further research? Why?

23 Defense Against the Dark Arts Use FileInsight and investigate the follwong samples For each sample, what type of file is it? How would you replicate it? What dependencies would you expect? –Class2\Labs\Lab1\Binary\Sample 1 –Class2\Labs\Lab1\Binary\Sample 2 –Class2\Labs\Lab1\Binary\Sample 4

24 Defense Against the Dark Arts Christiaan_Beek@Intelsecurity.com

Download ppt "Defense Against the Dark Arts Defense Against The Dark Arts Christiaan Beek McAfee."

Similar presentations

Next Generation Threat Protection

Next Generation Threat Protection
Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.

Cyber Metrics in the DoD or How Do We Know What We Don’t Know? John S. Bay, Ph.D. Executive Director.
The Way to Protect The Smartest Way to Protect Websites and Web Apps from Attacks.

The Way to Protect The Smartest Way to Protect Websites and Web Apps from Attacks.
Cyber Security Discussion Craig D’Abreo – VP Security Operations.

Cyber Security Discussion Craig D’Abreo – VP Security Operations.
Red Team “You keep using that word, I do not think it means what you think it means” – Inigo Montoya.

Red Team “You keep using that word, I do not think it means what you think it means” – Inigo Montoya.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Cyber Crime Tanmay S Dikshit.

Cyber Crime Tanmay S Dikshit.
90% of EU exports consist of product and services of IPR-intensive industries. Among 269 senior risk managers, 53% said IP loss or theft had inflicted.

90% of EU exports consist of product and services of IPR-intensive industries. Among 269 senior risk managers, 53% said IP loss or theft had inflicted.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
 By Tom Madden, Chief Information Security Officer, Centers for Disease Control and Prevention.

 By Tom Madden, Chief Information Security Officer, Centers for Disease Control and Prevention.
CCS APPS CODE COVERAGE. CCS APPS Code Coverage Definition: –The amount of code within a program that is exercised Uses: –Important for discovering code.

CCS APPS CODE COVERAGE. CCS APPS Code Coverage Definition: –The amount of code within a program that is exercised Uses: –Important for discovering code.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Similar presentations

Ads by Google