
Defensive Security

Chris M
August 02, 2018


Reverse engineering malware to stop cyberattacks. This presentation was given to a group of high-school STEM students.


Transcript

  1. Malware: any piece of software designed to interfere with a computer’s normal operation, i.e. malicious software.
  2. Delivery Methods
     TROJAN: A method of delivering malware. Poses as a legitimate program, and is used in a variety of ways by attackers.
     ADVERTISEMENT: Attackers will put malicious code into legitimate ad networks, displayed on legitimate websites. Exploits unpatched systems to install malware.
     WORM: Once installed, a worm will attempt to infect other computers across networks. Worms commonly exploit unpatched systems or guessable passwords.
     PHISHING: Phishing emails are one of the most common ways computers are infected. People are easily fooled by legitimate-looking messages.
     MALDOCS: Microsoft Office, Adobe PDFs and other documents can contain embedded code, often referred to as macros. Malicious macro code is often used to plant malware.
     Capabilities
     RANSOMWARE: Encrypts your files and often locks you out of your computer. Demands a ransom payment, often with the threat of destroying data.
     BACKDOOR: Provides remote access to a computer, giving near complete control of the system. Gives total control over files, communications, keystrokes, webcam, etc.
     ROOTKIT: The ability to run malware with full operating system access. Rootkits hide the presence of malware and the activities of the attackers.
     DDoS: Distributed Denial of Service attack. Malicious software on many computers under the control of one person will flood websites with traffic, knocking them offline.
     INFOSTEALER: Software specifically designed to steal information to be used later, most commonly passwords to email, banking, phone company, shopping, etc.
  3. 18 USC § 1030 - Fraud and related activity in connection with computers
     “ Whoever having knowingly accessed a computer without authorization or exceeding authorized access… and thereby obtains… information from any protected computer… knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct… intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss… ”
     Breaking this law can result in massive fines and up to 20 years of jail time per offense!
  4. Preparation
     Organizations capable of responding to malware incidents need to be prepared for getting hacked. It’s not a matter of if you’ll get hacked, but when… When it happens, how will you know?
  5. Identification
     Incident Response team is alerted:
     1. Anti-virus software
     2. Email filtering systems
     3. Intrusion detection systems
     The alert is triaged:
     1. Was the infection prevented?
     2. How many people / systems are affected?
     3. Do the victims have access to sensitive information?
     Analysis begins to start containment:
     1. Malicious links and phishing messages are analyzed.
     2. Malware and related files are gathered.
     3. Malware is “blown up” in a controlled environment to gather behavioral information.
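The triage step on this slide is easy to automate once alerts from the three sources land in one place. The following is an added example, not code from the talk: it takes a handful of constructed alert records (a made-up JSON schema, with hypothetical host names and a hypothetical list of hosts that hold sensitive data) and answers the slide's three triage questions per host, so the responder sees at a glance which systems were cleaned up by a control and which ones need containment first.

```python
import json
from collections import defaultdict

# Constructed sample alerts for the example (not real telemetry).
# One JSON record per line, in a made-up schema covering the three
# alert sources named on the slide: anti-virus, email filter, IDS.
SAMPLE_ALERTS = """
{"source": "antivirus", "host": "lab-pc-07", "user": "student12", "action": "quarantined", "detail": "Trojan.Downloader"}
{"source": "email_filter", "host": "finance-pc-01", "user": "finance.clerk", "action": "delivered", "detail": "phishing message with macro attachment passed the filter"}
{"source": "ids", "host": "hr-laptop-02", "user": "hr.manager", "action": "alert", "detail": "periodic beacon to a known-bad domain"}
{"source": "antivirus", "host": "hr-laptop-02", "user": "hr.manager", "action": "detected", "detail": "Backdoor.Generic (not cleaned)"}
{"source": "ids", "host": "lab-pc-12", "user": "student03", "action": "alert", "detail": "SMB connection attempts to many internal hosts"}
"""

# Assumed for the example: hosts whose users handle sensitive data
# (payroll, HR records). A real team would pull this from an asset inventory.
SENSITIVE_HOSTS = {"hr-laptop-02", "finance-pc-01"}

# Assumed: alert actions that mean the control stopped the infection.
PREVENTED_ACTIONS = {"quarantined", "blocked"}


def parse_alerts(text):
    """Parse newline-delimited JSON alert records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(alerts):
    """Group alerts by host and answer the slide's three triage questions:
    was it prevented, how many systems, and is sensitive data in reach."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    report = {}
    for host, events in by_host.items():
        # Only count the infection as prevented if every alert for the host
        # reports a blocking action; one un-cleaned detection is enough to worry.
        prevented = all(e["action"] in PREVENTED_ACTIONS for e in events)
        sensitive = host in SENSITIVE_HOSTS
        if prevented:
            priority = "low"
        elif sensitive:
            priority = "high"
        else:
            priority = "medium"
        report[host] = {
            "alerts": len(events),
            "sources": sorted({e["source"] for e in events}),
            "prevented": prevented,
            "sensitive": sensitive,
            "priority": priority,
        }
    return report


def summarize(report):
    """Roll the per-host report up into the numbers the responder asks for."""
    return {
        "affected_systems": sum(1 for r in report.values() if not r["prevented"]),
        "high_priority": sorted(h for h, r in report.items() if r["priority"] == "high"),
    }


if __name__ == "__main__":
    per_host = triage(parse_alerts(SAMPLE_ALERTS))
    for host, row in sorted(per_host.items()):
        print(f"{host:14} {row['priority']:6} alerts={row['alerts']} sources={row['sources']}")
    print(summarize(per_host))
```

The design choice worth noting is that a host with two independent sources (IDS beaconing plus an un-cleaned AV detection) and a sensitive user comes out on top, while a single quarantined download is pushed to the bottom: correlating across sources is what turns a pile of alerts into a containment order.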
  6. Additional Resources
     This Presentation: speakerdeck.com/porkch0p
     Sites to examine malware: hybrid-analysis.com, virustotal.com, malware-traffic-analysis.net
     Malware Analysis Blogs: blog.malwarebytes.com, blog.trendmicro.com, securelist.com, malwarebreakdown.com
     Blogs on Cybercrime: krebsonsecurity.com, isc.sans.edu