Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
Transcript
Using Python to Fight Cybercrime
Kyle Maxwell, PyData Dallas, April 26, 2015
@kylemaxwell http://goo.gl/oPQ8k2
What I Do: Incident Response, Threat Intelligence
What I Don’t Do: Application Security, Penetration Testing
Areas of Interest
➔ Reverse-engineer malware
➔ Analyze incidents for trends
➔ Track bad guys
Triage Malware
What is it?
➔ hashing
➔ IOC matching
What does it do?
➔ behavioral analysis
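As an added example (not from the deck), this is what the "hashing ➔ IOC matching" triage step looks like in Python: hash the sample under the algorithms an indicator feed usually carries, normalize the feed, and report which digests are known-bad. The sample bytes and the IOC feed are constructed, and the feed-cleaning rules (case folding, '#' comments, algorithm inferred from digest length) are my assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Digest algorithms commonly carried by IOC feeds, keyed by hex digest length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")

# Constructed stand-in for a suspicious file (real triage reads the file's bytes).
SAMPLE = b"abc"

# Constructed IOC feed: mixed case, a comment, a blank line and a junk entry,
# the kind of noise a real feed has before it is usable for matching.
IOC_FEED = [
    "# hashes reported for the campaign",
    "900150983cd24fb0d6963f7d28e17f72",          # md5 of SAMPLE
    "A9993E364706816ABA3E25717850C26C9CD0D89D",  # sha1 of SAMPLE, upper case
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # sha256 of some other file
    "",
    "not-a-hash",
]


def hash_sample(data: bytes) -> Dict[str, str]:
    """Compute every digest the feed could match against."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGO_BY_LEN.values()}


def load_iocs(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Normalize a plain-text feed into per-algorithm hash sets.

    Text after '#' and blank lines are dropped, case is folded, and the
    algorithm is inferred from the digest length; anything else is skipped.
    """
    iocs: Dict[str, Set[str]] = {name: set() for name in ALGO_BY_LEN.values()}
    for raw in lines:
        token = raw.split("#", 1)[0].strip().lower()
        algo = ALGO_BY_LEN.get(len(token))
        if algo and set(token) <= HEX_DIGITS:
            iocs[algo].add(token)
    return iocs


def triage(data: bytes, iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the algorithms under which `data` matches a known indicator."""
    digests = hash_sample(data)
    return sorted(algo for algo, hexdigest in digests.items() if hexdigest in iocs[algo])


if __name__ == "__main__":
    print(triage(SAMPLE, load_iocs(IOC_FEED)))  # ['md5', 'sha1']
```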
Manage Malware
➔ Maltrieve [ maltrieve.org ]: web crawler to fetch malware
➔ Viper [ viper.li ]: store and classify malware

Analyze Malware
Cuckoo Sandbox [ cuckoosandbox.org ]
“Throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.”
Track bad guys
Moving beyond technical indicators (IOCs)
➔ Enumerate infrastructure
➔ Attribution (with caveats)
➔ Describe methods
All About the APIs
Passive DNS
What resolutions were seen, and when?

WHOIS
Historical: ➔ registrant changes over time
Reverse: ➔ domains with same registrant
STIX (Image credit The MITRE Corporation)
VERIS (Image credit Verizon Communications)
Python Bindings

# Constructed starting point so the clipped lines run on their own: the
# notebook builds `template` from a VERIS incident skeleton before this.
template = {'actor': {}, 'attribute': {}, 'plus': {}, 'timeline': {}}

# extra changes to the template for this specific campaign
template['campaign_id'] = "104874B4-3EC7-4B09-95F1-930F007487B0"
template['reference'] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html"
template['reference'] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/"
template['actor']['external'] = {'variety': ['Unknown'], 'motive': ['Espionage'], 'country': ['Unknown']}
template['attribute'] = {'integrity': {'variety': ['Software installation']}}
template['discovery_method'] = "Ext - monitoring service"
template['plus']['timeline'] = {'notification': {'day': 6, 'month': 8, 'year': 2014}}
template['timeline']['incident'] = {'year': 2014}
template['notes'] = "Operation Poisoned Hurricane"
template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization."

Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science
Statistics! (Image credit Kevin Thompson (@bfist))
So much else!
➔ Log analysis
➔ Web interfaces
➔ Forensic examinations
➔ Red teaming / pentesting
What you can do (Image credit David Whittaker (@rundavidrun))
Q&A
@kylemaxwell || xwell.org
github.com/krmaxwell
Icons made by Freepik from www.flaticon.com and used under Creative Commons license