Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Using Python to Fight Cybercrime
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Kyle Maxwell
April 26, 2015
Technology
2
230
Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
110
Incident Patterns
krmaxwell
0
440
Hackertainment
krmaxwell
1
230
Threat Intelligence for Incident Response
krmaxwell
0
200
From Minion to Engineer
krmaxwell
0
120
Why XOR Crypto Sucks
krmaxwell
0
210
Open Source Threat Intelligence - Shakacon
krmaxwell
1
890
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
160
Other Decks in Technology
See All in Technology
Ruby版 JSXのRuxが気になる
sansantech
PRO
0
110
Context Engineeringの取り組み
nutslove
0
290
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
coconala_engineer
2
600
入社1ヶ月でデータパイプライン講座を作った話
waiwai2111
1
250
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
0
780
Databricks Free Edition講座 データサイエンス編
taka_aki
0
290
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
shibayu36
0
170
インフラエンジニア必見!Kubernetesを用いたクラウドネイティブ設計ポイント大全
daitak
0
330
学生・新卒・ジュニアから目指すSRE
hiroyaonoe
2
560
Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08
thara0402
0
150
Data Hubグループ 紹介資料
sansan33
PRO
0
2.7k
オープンウェイトのLLMリランカーを契約書で評価する / searchtechjp
sansan_randd
3
650
Featured
See All Featured
Joys of Absence: A Defence of Solitary Play
codingconduct
1
290
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
79
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
55
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
uxyall
0
160
Producing Creativity
orderedlist
PRO
348
40k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
196
71k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
200
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
300
The Cult of Friendly URLs
andyhume
79
6.8k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
82
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.9k
Transcript
Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April
26, 2015 @kylemaxwell http://goo.gl/oPQ8k2
What I Do Incident Response Threat Intelligence
What I Don’t Do Application Security Penetration Testing
Areas of Interest Reverse-engineer malware Analyze incidents for trends Track
bad guys
Triage Malware What is it? ➔ hashing ➔ IOC matching
What does it do? ➔ behavioral analysis
Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to
fetch malware Viper [ viper.li ] ➔ store and classify malware
Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at
it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware
Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure
Attribution (with caveats) Describe methods
All About the APIs
Passive DNS What resolutions were seen, and when?
WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains
with same registrant
Image credit The MITRE Corporation STIX
VERIS Image credit Verizon Communications
Python Bindings # extra changes to the template for this
specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science Statistics! Image credit Kevin Thompson (@bfist)
So much else! ➔ Log analysis ➔ Web interfaces ➔
Forensic examinations ➔ Red teaming / pentesting
What you can do Image credit David Whittaker (@rundavidrun)
Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from
www.flaticon.com and used under Creative Commons license
krmaxwell
sansantech
nutslove
coconala_engineer
waiwai2111
0gm
taka_aki
shibayu36
daitak
hiroyaonoe
thara0402
sansan33
sansan_randd
codingconduct
kimpetersen
ryanjones
inesmontani
uxyall
orderedlist
soudai
portentint
andyhume
techseoconnect
eileencodes
![Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_5.jpg){kind=link}
![Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_6.jpg){kind=link}
