Slide 1

Using Python to Fight Cybercrime
Kyle Maxwell, PyData Dallas
April 26, 2015
@kylemaxwell
http://goo.gl/oPQ8k2

Slide 2

What I Do
➔ Incident Response
➔ Threat Intelligence

Slide 3

What I Don’t Do
➔ Application Security
➔ Penetration Testing

Slide 4

Areas of Interest
➔ Reverse-engineer malware
➔ Analyze incidents for trends
➔ Track bad guys

Slide 5

Triage Malware
What is it?
➔ hashing
➔ IOC matching
What does it do?
➔ behavioral analysis
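The two "What is it?" steps above, hashing and IOC matching, as an added Python example that is not part of the original talk; it goes slightly beyond the slide by hashing with several algorithms in one pass and matching case-insensitively against an IOC list that is constructed here in place of a real threat-intel feed.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed IOC list standing in for a threat-intel feed: digests arrive in
# mixed case and under different algorithms, so matching must normalise both.
IOC_HASHES = {
    "md5": {"9E107D9D372BB6826BD81D3542A419D6"},
    "sha256": {"d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"},
}


def digest_chunks(chunks):
    """Feed an iterable of byte chunks through every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 16):
    """Hash a sample on disk in chunks so a large binary never sits fully in memory."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests, ioc_hashes=IOC_HASHES):
    """Return the (algorithm, digest) pairs present in the IOC set, ignoring case."""
    known = {algo: {h.lower() for h in values} for algo, values in ioc_hashes.items()}
    return [(algo, d) for algo, d in digests.items() if d.lower() in known.get(algo, set())]


def triage_bytes(data, ioc_hashes=IOC_HASHES):
    """Triage an in-memory sample: compute its digests and report any IOC hits."""
    digests = digest_chunks([data])
    hits = match_iocs(digests, ioc_hashes)
    return {"digests": digests, "hits": hits, "known_bad": bool(hits)}


if __name__ == "__main__":
    # Constructed sample bytes; a real run would pass hash_file(path) to match_iocs.
    print(triage_bytes(b"The quick brown fox jumps over the lazy dog"))
```

A hash hit only answers "what is it" for samples already seen; an unmatched file still needs the behavioral step.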

Slide 6

Manage Malware
Maltrieve [maltrieve.org]
➔ web crawler to fetch malware
Viper [viper.li]
➔ store and classify malware

Slide 7

Analyze Malware
Cuckoo Sandbox [cuckoosandbox.org]
“Throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.”

Slide 8

Track bad guys
Moving beyond technical indicators (IOCs)
➔ Enumerate infrastructure
➔ Attribution (with caveats)
➔ Describe methods

Slide 9

All About the APIs

Slide 10

Passive DNS
What resolutions were seen, and when?

Slide 11

WHOIS
Historical:
➔ registrant changes over time
Reverse:
➔ domains with same registrant

Slide 12

STIX
Image credit: The MITRE Corporation

Slide 13

VERIS
Image credit: Verizon Communications

Slide 14

Python Bindings

# The original notebook builds `template` as a complete VERIS record earlier;
# a minimal dict with the nested keys written to below stands in for it here.
template = {'actor': {}, 'plus': {}, 'timeline': {}}

# extra changes to the template for this specific campaign
template['campaign_id'] = "104874B4-3EC7-4B09-95F1-930F007487B0"
template['reference'] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html"
template['reference'] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/"
template['actor']['external'] = {'variety': ['Unknown'], 'motive': ['Espionage'], 'country': ['Unknown']}
template['attribute'] = {'integrity': {'variety': ['Software installation']}}
template['discovery_method'] = "Ext - monitoring service"
template['plus']['timeline'] = {'notification': {'day': 6, 'month': 8, 'year': 2014}}
template['timeline']['incident'] = {'year': 2014}
template['notes'] = "Operation Poisoned Hurricane"
template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization."

Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024

Slide 15

Data Science
Statistics!
Image credit: Kevin Thompson (@bfist)

Slide 16

So much else!
➔ Log analysis
➔ Web interfaces
➔ Forensic examinations
➔ Red teaming / pentesting

Slide 17

What you can do
Image credit: David Whittaker (@rundavidrun)

Slide 18

Q&A
@kylemaxwell || xwell.org
github.com/krmaxwell
Icons made by Freepik from www.flaticon.com and used under Creative Commons license