CodexGigas Malware DNA Profiling Search Engine
Similar to human fingerprints, every malware sample has its own unique digital fingerprint that differentiates it from others. Consequently, malware authors attempt to hide a sample's true nature by deleting or altering this information to avoid detection by antivirus companies and malware researchers.
Because malware developers go to such lengths to obfuscate the characteristics of their creations, it is often difficult for researchers and malware analysts to identify multiple characteristics and correlation points.
Through our studies we were able to create an algorithm and accompanying search engine that generates a unique thumbprint for a sample, catalogues it, and compares and searches it against millions of other samples that may share similar features or abilities.
By analyzing malware capabilities, the algorithm builds characteristic families into which a new sample can be categorized and therefore identified as exhibiting specific behavior, enabling early identification and detection of new malware by comparing it against previously seen samples.
In the presentation we will show the results of our studies and highlight commonalities that are only visible when a sample is compared against a catalogue of 35 million samples, the equivalent of roughly 23.5 TB of binary data.
We will demonstrate the results of our work and the techniques used to derive them. The framework, analysis plugins, and the portal will be released as open source.
IOCs are Dead - Long Live IOCs!
Indicators of Compromise (IOCs) were meant to solve the failures of signature-based detection tools. Yet today's array of IOC standards, feeds, and products has hardly impeded attackers, and most intelligence is still shared as flat lists of hashes, IP addresses, domain names, or strings: just as brittle as an anti-virus signature, and just as likely to fail, especially if used incorrectly.
This presentation will begin by contrasting the original intended design of IOCs with how they’re typically written and shared today. We’ll illustrate the challenges of building robust and reliable indicators, particularly when they need to be shared with third parties. We’ll examine how organizations can compensate for these limitations and still get actionable results from brittle threat data. Finally, we’ll provide examples of endpoint outlier analysis and hunting techniques that can complement IOC searches and distinguish anomalies from the background noise of an environment.
Throughout the presentation, we’ll draw upon specific examples and lessons learned from responding to targeted attackers in real-world compromises.
Cyberdyne: Automatic bug-finding at scale
Creating a scalable, distributed bug-finding system that is more than just the sum of its parts is challenging. Finding bugs that occur deep within a program's execution requires the application of multiple bug-finding approaches (e.g. fuzzing, symbolic execution, static analysis). This talk will describe the practical aspects of how to design and implement a bug-finding system that combines multiple bug-finding approaches, using Cyberdyne as a running example.
Cyberdyne is a distributed, automatic bug-finding system, originally developed to compete in the DARPA Cyber Grand Challenge (CGC). Cyberdyne finds and fixes bugs in program binaries, without human intervention. Cyberdyne combines off-the-shelf and custom bug-finding tools into a unified, scalable system.
The first half of this talk describes Cyberdyne's exoskeleton: the service-oriented architecture (SOA) that coordinates Cyberdyne's bug-finding tools, triages and patches bugs, and validates that patches maintain program functionality. The second half of this talk describes Cyberdyne's "machine intelligence": the individual bug-finding tools, and the mechanism by which they cooperate to find deep program bugs.
Please press button to steal cash from the Teller Machine – An in-depth study of ATM Malware
An overly simplistic yet accurate description of an Automated Teller Machine (ATM) is: a computer system connected to a secure vault, with the whole setup encased in a housing unit; the computer accepts user input and dispenses cash from the vault. The time-tested way of robbing a bank's ATM was to blow it up with explosives. Now criminal gangs have figured out how to infect ATMs with custom malware, which then instructs the ATM to dispense stored cash. This is a relatively easy, discreet, and persistent way of jackpotting ATMs.
One of the biggest challenges malware authors face is driver access to the specialized ATM hardware peripherals (PIN pad, card reader, cash dispenser, etc.) so that the malware can interact with the ATM and dispense stored cash. Another challenge is to incorporate a dynamic user authentication mechanism in the malware that ensures only trusted money mules can withdraw cash from infected ATMs. The criminals also discovered that ATM malware can be used to steal bank account information, payment card data, and encrypted user PINs, all of which can be monetized.
ATM malware tends to be localized to a geographical area – the criminal gang(s) operating in that area control the development, deployment, and usage of the malware. This talk also provides an overview of the criminal organizations behind ATM malware – knowledge about “who” and “where” is essential for a holistic understanding of ATM malware. We conclude with some lessons learned and make recommendations on how to secure and protect ATMs.
Schoolbell and the Kingslayer
In this report, Mr. Backman will describe the investigation by RSA researchers into the threat actor infrastructure behind a global espionage-related network of thousands of infected servers, dubbed “Schoolbell.” In the course of the Schoolbell investigation, RSA uncovered “Kingslayer”, a sysadmin-targeting software supply-chain attack that otherwise would have gone unnoticed. This talk is recommended for sysadmins and conference attendees interested in cyber espionage. Because Schoolbell and Kingslayer research is ongoing, expect late-breaking information to be dropped first at Countermeasure.
Building a Security Strategy Without a Security Staff
Where do I start? Am I at risk of being targeted? How much should it cost? What is the ROI? What happens if I do it wrong? What do I do?!?!
These are some of the questions that every organization is asking in the wake of some of the most prolific and highly publicized data security breaches in history. Most people have forgotten about the massive TJX credit card breach of 2007, but recent breaches, such as those experienced by Sony Pictures Entertainment, OPM, and Anthem, have found their way into typical conversations at coffee shops, family events, and holiday parties of the average consumer. The difference, however, is that most SMBs/SMEs or Government Departments/Agencies have neither the money, the expertise, nor the forgiving customer base that would allow their business to survive a similar breach.
So how does an SMB/SME or Government Department/Agency, increasingly responsible for the security and privacy of customer and employee information, mitigate a serious and perhaps business-ending data breach? This session will present real-world strategies to prepare for, mitigate, and respond to incidents posed by opportunistic attackers, malicious insiders, and targeted attackers - taking into account real-world constraints such as time, expertise, business continuity, and <gasp> money.
Hacking is Easy; Defending is Not
Hacking is cheap, easy, and difficult to prevent. Every day new vulnerabilities are found, new exploits are developed, and new malware is created. Trying to keep up is like plugging holes in a sinking ship. Taking a holistic view of security, however, can help us build in cyber security from the start of a project. Join CSE for a conversation on determining protection priorities, and how to incorporate risk management into your IT projects.
Patching Human Vulnerabilities in Cyber Security
We can patch operating systems and software, segregate networks, and implement security policies. However, various cyber threat and intelligence reports indicate that approximately 95% of all cyber incidents investigated had human error as a contributing factor. From taking short-cuts in system design or software development to users clicking links in phishing e-mails, people are often the weakest link in IT security. Join CSE for a discussion on how human error can impact your IT security and, using example cases, learn how we can help ‘patch’ potential human vulnerabilities in your organization through non-technical interventions.
Fuzzflow Framework and Windows Guided Fuzzing
Fuzzflow is a distributed fuzzing management framework from Cisco Talos that offers virtual machine management, fuzzing job configuration, pluggable mutation engines, pre/post-mutation scripting, crash collection, and pluggable crash analysis. We have recently ported the code from crusty 90s-era DHTML to a modern web application and open-sourced it on GitHub! We will show off some of the workflow while discussing new mutation engine features driving the client side of the fuzzing system.
In the past year we have also added an Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer uses random mutation fuzzing with a code-coverage feedback loop to explore new areas of the target. Using our new Intel PT driver for Windows, we provide the fastest hardware-supported engine for targeting binaries with evolutionary fuzzing. We will discuss the design challenges involved in harnessing Intel Processor Trace for fuzzing without sacrificing performance.
In addition, we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas of interest on a program's control flow graph. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs that reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for compactly encoding weighted graphs into a bytemap that can be compared efficiently.
The Unbearable Lightness of Failure
The 19th century German philosopher Friedrich Nietzsche gave us his doctrine of the “eternal return”: the concept that everything in the universe is recurring and will continue to do so in perpetuity. But what if we could step off that return? While Nietzsche was dealing with the meaning of existence, we can apply this to information security. We continue to witness failures recurring in the guise of data breaches and the like, yet we seem to accept it as the fabric of reality. We need to take the flat circle of time, put it on its edge, and learn from our failures in such a way that we can leverage and embrace them to change the narrative.
Don’t Snag Your Line: 10 Pitfalls to Avoid in Implementing Your Employee Phishing Assessments
As a result of the steady increase in spear-phishing attacks aimed at compromising corporate networks, many businesses are starting to run employee phishing assessment initiatives. Automated measurement of employee responses to simulated phishing attacks can help organizations determine their team’s level of vulnerability to these kinds of attacks, so they can prioritize where they need to focus awareness efforts. However, while phishing campaigns can be launched with just a small amount of effort, putting a phishing assessment initiative in place – even for a single test – is not a trivial task. There are many decisions that can adversely impact the success and usefulness of the program.
In this session, Scott Wright will shed light on 10 important decisions to be made in developing an employee phishing assessment campaign, and how making these decisions without careful preparation can cause undesirable consequences for stakeholders, and yield less useful results. Scott will also provide tips on how to avoid these pitfalls, while implementing a phishing assessment program that can be integrated into an effective and efficient security awareness education and assessment program.
Malware Triage: Using Open Data to Help Develop Robust Indicators
Whether you are in the enterprise using malware triage as a gate to your incident response process, or a researcher using triage as a way to identify interesting malware samples, building and maintaining robust Indicators of Compromise (IOCs) will be an integral part of your triage process.
Traditionally IOCs have been used to drive the malware hunting process but they also serve as an excellent feedback loop within the triage process itself, helping to filter out known malware samples and avoiding the need to re-analyze similar samples. The more robust the IOC the more variations of a malware family it will cover, leading to a more efficient triage process.
In this talk we present an iterative approach to building robust malware indicators: first developing primary indicators, then mining open data for related malware samples, using the collection of similar samples to build robust IOCs, and finally testing the effectiveness of the IOC.
During the presentation we will use demonstrations with real malware samples to work through each step in the process. Demonstrations will include the use of multiple free online tools and open data sources, as well as an introduction to our free malware data mining browser plugin, OAPivot.
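As an added illustration of the brittle-versus-robust indicator argument made in the IOC talk above and of the build-then-test loop described here (example code written for this page, not code from either talk or from OAPivot), the following Python compares an exact-hash IOC with a feature-based indicator over constructed sample records. All hashes, import names, strings and mutex names are invented for the example and are not real indicators.

```python
from collections import Counter

# Constructed feature records for illustration only: hashes, strings and mutex
# names are invented, not real indicators. Each record is the kind of data a
# triage pipeline might extract from one binary.
TRAINING = [  # three known samples of one family
    {"sha256": "1a" * 32, "mutex": {"Global\\7f3c-bot"},
     "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA", "RegSetValueExA"},
     "strings": {"/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"}},
    {"sha256": "2b" * 32, "mutex": {"Global\\7f3c-bot"},
     "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA", "GetTickCount"},
     "strings": {"/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)", "debug.log"}},
    {"sha256": "3c" * 32, "mutex": {"Global\\7f3c-bot"},
     "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA"},
     "strings": {"/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"}},
]
# Held-out records with labels: True = recompiled family variant, False = benign.
UNSEEN = [
    ({"sha256": "4d" * 32, "mutex": {"Global\\7f3c-bot"},
      "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA"},
      "strings": {"/gate2.php", "Mozilla/4.0 (compatible; MSIE 6.0)"}}, True),
    ({"sha256": "5e" * 32, "mutex": {"Global\\9a1b-bot"},
      "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA"},
      "strings": {"/gate.php", "Mozilla/4.0 (compatible; MSIE 6.0)"}}, True),
    ({"sha256": "6f" * 32, "mutex": set(),
      "imports": {"CreateFileA", "ReadFile", "InternetOpenA"},
      "strings": {"Mozilla/4.0 (compatible; MSIE 6.0)", "update.xml"}}, False),
    ({"sha256": "7a" * 32, "mutex": set(),
      "imports": {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess"},
      "strings": {"debugger attached", "/gate.php"}}, False),
]
FEATURE_KINDS = ("imports", "strings", "mutex")


def hash_ioc(samples):
    """Brittle indicator: the exact hashes of the samples seen so far."""
    return {s["sha256"] for s in samples}


def robust_ioc(samples, min_support=1.0):
    """Keep (kind, value) features present in at least min_support of the samples."""
    counts = Counter((kind, v) for s in samples for kind in FEATURE_KINDS for v in s[kind])
    return {feat for feat, n in counts.items() if n >= min_support * len(samples)}


def hash_match(ioc, sample):
    return sample["sha256"] in ioc


def robust_match(ioc, sample, threshold=0.8):
    """Fire when enough indicator features are present, so a variant that
    changes one URL or mutex still matches while unrelated code does not."""
    present = sum(1 for kind, v in ioc if v in sample[kind])
    return present / len(ioc) >= threshold


def evaluate(ioc, matcher, labelled):
    """Test the IOC: return (fraction of family samples covered, benign false positives)."""
    hits = [(matcher(ioc, s), is_family) for s, is_family in labelled]
    family = sum(1 for _, is_family in labelled if is_family)
    covered = sum(1 for hit, is_family in hits if hit and is_family)
    false_pos = sum(1 for hit, is_family in hits if hit and not is_family)
    return covered / family, false_pos


if __name__ == "__main__":
    print("hash IOC   (coverage, FPs):", evaluate(hash_ioc(TRAINING), hash_match, UNSEEN))
    print("robust IOC (coverage, FPs):", evaluate(robust_ioc(TRAINING), robust_match, UNSEEN))
```

Lowering the match threshold widens coverage but starts to fire on the benign record that shares a URL and two imports, which is the trade-off the testing step in the talk's loop is meant to surface.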
Counterproductive Security Behaviors That Must End
You’ve heard it all before: “The security industry has failed.” “Developers just don’t care.” “They deserved to be breached.” These and many other overused themes are promulgated by security practitioners at conferences, in social media, and worst of all, in their day jobs. Security practitioners, particularly those new to the industry, regurgitate the same counterproductive ideas and behaviors to the extent they have become clichés. This ultimately damages our collective credibility and creates unnecessary barriers to what we are trying to accomplish. We often lack empathy and pragmatism, reverting to stereotypical one-dimensional attitudes rather than focusing on the positive outcomes we are trying to achieve. We are, at times, caricatures of ourselves. In this presentation, we will take a light-hearted look at many of these problematic themes and discuss how we as security professionals can do better.
We’ve been hacked! Recent Cases at the Office of the Privacy Commissioner of Canada
Personal information leaks on the Internet unfortunately remain headline news. What can be done? Recent cases dealt with by the Office of the Privacy Commissioner of Canada, including the Ashley Madison breach, will be discussed and will hopefully shed some light on preventative steps organisations can take.
Vulnerability Hunting in Access Control Systems
Join the presenter as he recounts the process of reverse engineering a common access control system to hunt for vulnerabilities in the hardware itself, the communications protocol, and the client software. He'll go into the methodology, both hardware and software, the techniques, the design of the device and its countermeasures, trips to the ER, and the impact of the vulnerabilities discovered. The talk closes with a discussion of more effective controls that could be implemented to make a reverse engineer’s job more frustrating.
Measuring The Ability to Respond to The UnExpected
As everyone is discovering, no single solution or security model can defend against all attacks. The attackers are still getting in. How do you know how well you're doing in terms of maturity? This presentation applies a model based on a white paper titled “The Role of Community Resilience in Advancing Security”, written by Stephen E. Flynn and Peter Boynton of the Kostas Research Institute for Homeland Security at Northeastern University. Their framework for measuring resilience has been used to measure and ensure the effectiveness of physical crisis response; this presentation maps it to the world of cyber security operations. It will show how to measure the maturity of an organization's ability to respond to the ‘Unexpected’, and how to determine the weak points and important assets that need to be protected. This presentation is targeted at practitioners who are involved in developing and improving overall security program response for large enterprises, governments, and global organizations. It will also provide a high-level framework for measuring your effectiveness in incident and crisis response, which can be molded to the individual needs of the security organization so that it can be better prepared. It is presented with the support of the George J. Kostas Institute for Homeland Security, which is focused on advancing the development of societal resilience in the face of 21st-century risks.
Blockchain-Based Cyber Security
Starting from a quick introduction to blockchains, we will cover the concepts behind Bitcoin and Ethereum in order to understand the DAO exploitation hack. We will explore how Bitcoin's decentralized blockchain, which uses Proof of Work for resilience against double-spending, is influencing current research and inspiring ideas in cyber security, including a holistic approach to user identity security, transaction and communication infrastructure security, business security through transparency and audit, and security against malicious insiders, compromised nodes, or server failure.
Cultivating your cybersecurity operations
Let’s outline the conception, development, and evolution of cybersecurity operations, starting with business objectives. A cyber operation built arbitrarily or with vague goals in mind cannot succeed. We will examine a high-level framework that can be used to develop a cyber operation from the ground up, or add focus and context to existing cyber ops. We will observe, orient, decide, and act our way toward developing situational awareness, an enhanced security posture, decreased response time for cyber events, and accurate metrics to help drive the practice forward. Not every organization has the same cybersecurity needs, and so one must discard the cookie cutter when developing a new cybersecurity operation, and be prepared to tailor a solution that fits with business requirements. That is where I come in…
Tracking Ransomware - Using Behavior to Find New Threats
This presentation discusses the latest ransomware trends, as well as how to defend your enterprise against this threat. Attendees will come to understand what ransomware is, what the attack vectors are, what the commonalities between variants are, how to track ransomware through dynamic analysis of its behavior, and how sophisticated the perpetrators are. Law enforcement attendees will learn how to obtain state-of-the-art dynamic malware analysis at little or no cost.
The Security + Agile + DevOps Journey
In this session, Sandra and Graham will explore the challenges of integrating a security practice across independently operating teams of engineers and building positive relationships between developers, administrators, and stakeholders, starting from a deficit and building an effective security practice in four months. They will discuss the journey, collaboration techniques, the tools and processes involved in securing continuous integration and deployment to cloud service providers, designing new controls, and making allies of auditors.
Changing How We Do Security To Match A Modern World
Innovation has changed how technology operates and how business is run. Why haven't we adapted how security matches this new world vision? This keynote speech will focus on what has changed in the world and what we as security professionals can do to keep up with the shifting threat landscape.
An Inside Look at a Bug Bounty Program
So what's it like to run a public bug bounty program? Shopify first launched its program in 2013, and since then we've received thousands of submissions and paid hundreds of bounties. In this presentation we'll give you an inside look into our White Hat program. We'll share some of the best (and worst) reports we've received, and provide advice on setting up your own program.
Red Team Operations. Train as you fight.
Most organizations with a mature IT security program understand the requirement to perform vulnerability assessments and penetration tests.
A good penetration test will attempt to exploit the vulnerabilities identified in a vulnerability assessment. These observations can then be prioritized and presented to the client for remediation.
A Red Team assessment, by contrast, provides further insight into the organization's overall security posture by simulating an advanced threat actor with specific goals in mind. With a much broader scope than a typical pen test, a red team assessment allows you to explore the real-world risks the client is exposed to. Multiple non-critical vulnerabilities may be combined to achieve the goal in question, highlighting the need to view security from a holistic perspective.
Cyber Security: from signatures to Deep Learning and AI
In recent years, machine learning has advanced significantly, making it possible for machines to outperform humans in several cognitive tasks, such as recognizing images, playing computer games, and even creating art. Those results are attributed to breakthroughs in Deep Learning that resurrected the dream of AI. Cyber security is heavily affected by the AI revolution. In this talk we will see how the cyber security industry can take advantage of newly developed algorithms to become more effective. We will also investigate how AI can create new types of threats and what tools the industry needs to develop to secure its assets.
AI for Cyber Security: An Unsupervised Anomaly Detection Approach
Erin will discuss the latest AI advancement in cyber security to come out of ASI's lab: an AI that can learn to detect IOCs and anomalies without relying on labeled training data or large databases.
Security Eat, Pray, Love - One Woman's Search for Everything that Will Secure Our World
Join one woman, plagued with decades of watching the Internet, security threats, and threat actors evolve, on her security journey from the pleasures of the flesh (hacking), to asceticism and rules (ISO standards & export controls), to that state of "betwixt and between" where balance is the goal for an imperfect but incredible information evolution. Must we change our industry approach? In many ways, yes.
But to do so without acknowledging that we already have much of the right knowledge, and have simply lacked the compelling incentives to inculcate the Internet with our wisdom, would be insanity itself. Instead of creating more standards and rules, or repeating our work interminably, we must share meta-information. What *actually* worked? What does the data tell us? What false conclusions and absolutes have we failed to see in the system as a whole because we drew the wrong conclusions from our data?
To seek perfection in security is to stifle productivity and innovation. This is no romantic comedy. This is our digital, spiritual, human evolution on the wabi sabi world wide web.