
Hands on Threat Hunting Workshop

By
Rejah Rehim and Manieendar Mohan


Rejah

Founder of Beagle Security


Manieendar

Cyber Security Engineer at Beagle Security


What is Malware?

A program that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

From pranks to nuclear sabotage

A brief history of major malware outbreaks

  • Creeper (1971) - An experimental program written by Bob Thomas at BBN that moved itself between ARPANET hosts and printed "I'm the creeper, catch me if you can!". It is usually called the first computer virus, though by today's definitions it was a worm.

  • Morris Worm (1988) - The first worm to spread extensively in the wild; it knocked a large share of the then-small Internet offline by re-infecting hosts far faster than its author intended.

  • ILOVEYOU (2000) - Arrived as an e-mail attachment and mailed itself to every contact in the victim's address book. It also overwrote Office, image and audio files, and infected over 50 million computers in less than 10 days.

  • Zeus (2007) - A Trojan horse toolkit with many capabilities, notably stealing banking credentials through man-in-the-browser keystroke logging and form grabbing.

  • Stuxnet (2010) - Targeted SCADA systems and is believed to be responsible for substantial damage to Iran's nuclear program.

  • WannaCry (2017) - EternalBlue, NSA, The Shadow Brokers, Lazarus Group, ransomware. Boom!

Different Types of Malware

Virus

Malware that copies itself into other programs or files and spreads to other computers; it normally needs a user to run the infected host program to propagate.

Trojan

Malware that disguises itself as a legitimate file or program to trick users into downloading and installing it.

Ransomware

Malware that holds a computer system or its data captive (today almost always by encrypting files) while demanding a ransom.

Worm

Self-propagating malware that spreads over computer networks by exploiting operating system or service vulnerabilities, without any user interaction.

Rootkit

Software designed to hide an attacker's presence (processes, files, registry keys, network connections) from users and security programs, typically to keep covert remote access or control of the machine.

Spyware

Malware that spies on user activity without the user's knowledge.

Keyloggers

Malware developed to monitor and record the keystrokes the user enters through the keyboard.

The Malware Life Cycle

Infection

Infection almost always has a social aspect, such as getting users to click on a bad link in a phishing e-mail, luring them to a social networking site, or sending them to a web page with an infected image, for example.

Persistence

Once a target machine is infected, the attacker needs to ensure persistence (the resilience or survivability of the bot): it must survive reboots, user logoffs and casual clean-up attempts.

Communication

Communication is fundamental to a successful attack. Malware must be able to communicate with other infected systems or controllers to enable command and control, and to exfiltrate stolen data from a target system or network.

Command and control

Command and control rides on top of the established communication platform, and is really about making sure that the malware or attack is controllable, manageable, and updateable.

Common Infection Methods used by Adversaries

Social Engineering

The most common method for attackers to spread malware is social engineering. Attackers use carefully crafted lures to trick a victim into opening an attachment or clicking on a link that leads to a malicious file.

Methods can be:

Email attachments

Malicious URLs

Malvertising

Network Protocols

An increasingly popular mechanism by which attackers infect victims is through exposed network services and protocols.

Examples are RDP, SMB etc. WannaCry spread over SMB using the EternalBlue exploit; brute-forced or stolen RDP credentials are a frequent entry point for ransomware operators.

Drive-by Downloads

Another entry path that attackers use to deliver malware, ransomware included, is the drive-by download. These are malicious downloads that happen without a user's knowledge when they visit a compromised website.

When you visit the infected website, the malicious content (typically an exploit kit) probes your browser and its plugins for specific vulnerabilities and automatically executes the malicious code in the background.

USB drives and portable media

USB drives and portable computers are a common delivery vehicle for malware. Connecting an infected device can infect the local machine and potentially spread across the network.

In 2016, Australian police issued a warning to citizens about USB drives containing malicious software appearing in mailboxes. The USB drives masqueraded as a promotional Netflix application, then once opened deployed ransomware onto the unsuspecting user's computer.

What is malware analysis?

Malware analysis is the study or process of determining the functionality, origin and potential impact of a malware sample.

Malware analysis techniques

There are two fundamental approaches to malware analysis:

Static Analysis

Dynamic Analysis

Analysis Complexity

Fully-Automated Analysis

The easiest way to assess the nature of a suspicious file is to scan it using fully automated tools (sandboxes, multi-engine scanners). This scales to large numbers of files, but the verdict is only as good as the tool's coverage: a sample that detects the sandbox or waits for user interaction produces a clean report.

Static Properties Analysis

An analyst interested in taking a closer look at the suspicious file might proceed by examining its static properties. Looking at static properties can sometimes be sufficient for defining basic indicators of compromise.

Hands-on

Initial Assessment

We are using PeStudio for static properties analysis.

Lab Setup

Hashes

A hash is the digital fingerprint of a file. For malicious programs it is used to look the executable up online (virustotal.com, totalhash.com etc.) and to share indicators of compromise. Changing a single byte of the file yields a completely different hash, so hash matching only ever catches exact copies; record SHA-256 as the primary identifier and keep MD5/SHA-1 for lookups in older databases.

Strings

Strings can give us valuable information about the malware's functionality. Malware will usually contain useful strings mixed with random-looking ones, also known as garbage strings.

The types of strings we are looking for are:

File names

URLs (domains the malware connects to)

IP addresses

Registry keys

Attackers may also include fake strings to disrupt our analysis! Completely random-looking strings can be a sign of packed malware.


Embedded Artifacts (Libraries)

A Windows executable requires DLLs to interact with its environment; they provide the functions to talk to hardware, the file system, the network, etc. The fewer imports a program has, the more suspicious it is: a binary that imports little more than LoadLibrary and GetProcAddress is almost certainly packed, or resolves its real API set at runtime to hide its intent.

Imports and Exports

The functions used by the program while it's running (memory allocation, disk access, cryptography, networking etc).

eg: VirtualAlloc - requesting extra memory from the operating system; a malicious program can misuse it to carve out a buffer into which it expands and extracts its packed code. Judge imports in combination: VirtualAlloc alone is in nearly every program, while VirtualAllocEx plus WriteProcessMemory plus CreateRemoteThread is process injection.
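An added example of reading an import table the way the two slides above suggest: combinations of APIs map to capabilities, and a very short import list that still contains LoadLibrary/GetProcAddress points at a packer. This is illustrative code written for this page, not part of the workshop or of any tool; the rule set is abridged and the two import lists are constructed, the way PEStudio or pefile would list them for a packer stub and for an unpacked injector.

```python
# Behaviours and the import combinations that typically implement them. One API on
# its own proves little (VirtualAlloc is in almost every program); the combination
# is what matters. The rules are illustrative, not exhaustive. The ANSI/Unicode
# suffix is stripped before matching so RegSetValueExA and RegSetValueExW are equal.
CAPABILITY_RULES = {
    "process injection": [
        {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
        {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "NtCreateThreadEx"},
    ],
    "self-unpacking / RWX memory": [{"VirtualAlloc", "VirtualProtect"}],
    "runtime API resolution": [{"LoadLibrary", "GetProcAddress"}],
    "keylogging": [{"SetWindowsHookEx", "CallNextHookEx"}, {"GetAsyncKeyState", "GetKeyState"}],
    "registry run-key persistence": [{"RegOpenKeyEx", "RegSetValueEx"}, {"RegCreateKeyEx", "RegSetValueEx"}],
    "HTTP command and control": [{"InternetOpen", "InternetConnect", "HttpSendRequest"},
                                 {"WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest"}],
    "raw socket networking": [{"socket", "connect", "send", "recv"}],
    "anti-debugging": [{"IsDebuggerPresent"}, {"CheckRemoteDebuggerPresent"}],
}

# Compiled programs import dozens to hundreds of functions; a handful is the classic
# packer-stub signature (the stub resolves the real imports itself at runtime).
PACKED_IMPORT_THRESHOLD = 10


def normalise(name: str) -> str:
    """Drop a trailing A/W (ANSI/wide variant) so one rule covers both spellings."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def infer_capabilities(imports) -> dict:
    """Return {capability: sorted APIs that triggered it} for every rule satisfied."""
    present = {normalise(n) for n in imports}
    hits = {}
    for capability, alternatives in CAPABILITY_RULES.items():
        for required in alternatives:
            if required <= present:
                hits[capability] = sorted(required)
                break
    return hits


def triage_imports(imports) -> dict:
    """Capability view plus the 'too few imports' packer heuristic from the slide."""
    present = {normalise(n) for n in imports}
    caps = infer_capabilities(imports)
    likely_packed = len(present) <= PACKED_IMPORT_THRESHOLD and "runtime API resolution" in caps
    return {"import_count": len(present), "likely_packed": likely_packed, "capabilities": caps}


# Constructed import lists (not taken from real samples).
PACKER_STUB_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "ExitProcess"]
INJECTOR_IMPORTS = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle",
    "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "InternetOpenA", "InternetConnectA",
    "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile", "IsDebuggerPresent",
    "GetModuleHandleW", "GetCommandLineW", "ExitProcess", "Sleep", "CreateFileW", "WriteFile",
    "GetTickCount", "lstrlenW",
]

if __name__ == "__main__":
    for label, imps in (("packer stub", PACKER_STUB_IMPORTS), ("injector", INJECTOR_IMPORTS)):
        r = triage_imports(imps)
        print(f"{label}: {r['import_count']} imports, likely packed: {r['likely_packed']}")
        for cap, apis in r["capabilities"].items():
            print(f"  {cap:30} <- {', '.join(apis)}")
```

For a packed sample the interesting result is the absence of results: the stub shows only unpacking and runtime resolution, so the real import table has to be recovered from memory after the sample unpacks (dynamic analysis, below).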


Interactive Behavior Analysis

After using automated tools and examining the static properties of the file, the next step is interactive behavior analysis. This often entails infecting an isolated laboratory system with the malicious program to observe its behavior: processes spawned, files and registry keys touched, and network connections attempted.

Manual Code Reversing

Reverse-engineering the code that comprises the specimen can add valuable insights to the findings available after completing interactive behavior analysis. Some characteristics of the specimen are simply impractical to exercise and examine without examining the code.

Insights that code reversing can provide include:

  • Decoding encrypted data stored or transferred by the sample;
  • Determining the logic of the malicious program's domain generation algorithm;
  • Understanding other capabilities of the sample that didn't exhibit themselves during behavior analysis.

Hands on

Preparing the Lab

Before you can run malware to perform dynamic analysis, you must set up a safe environment.

Why do you need a safe environment? Because the sample will do exactly what it was built to do: encrypt files, spread to any reachable host and phone home to its operator. The lab has to guarantee that none of that reaches your real network, your host machine or the Internet.

So how do we do it?

Lab Setup

Creating the virtual machines

  • Windows (the victim)
  • Linux - REMnux (the analysis machine; any Debian/Ubuntu-based VM works)

Setup of the analysis machine: INetSim, Burp

sudo su
echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list
wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add -
apt update
apt install inetsim
bash ~/Downloads/burpsuite_free_linux_v1_7_23.sh

Setting up an isolated virtual network

  • We want to set up an isolated network containing our VMs.
  • This network will not be able to access the Internet.
  • We want the analysis machine to act as the network gateway, so that every connection the victim attempts terminates on INetSim/Burp where we can observe it.

VirtualBox Internal Network

For those familiar with VirtualBox, an internal network differs from a host-only network in that an internal network cannot reach the host machine at all. Use it rather than host-only or NAT: a live sample should have no path to your host or to the Internet.

VB internal network

Analysis machine

Open the file /etc/network/interfaces as root, and add the following at the end (the interface is called eth0 here; check yours with ip link):

auto eth0
iface eth0 inet static
address 10.0.0.1
netmask 255.255.255.0

This assigns the machine the static IP 10.0.0.1 on our virtual network. There is deliberately no gateway line: the analysis machine is the end of the road for all traffic. Bring the interface up with:

sudo ifup eth0

Windows 7 victim machine

Right-click on the network icon in the taskbar (or go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center), click on Local Area Connection 2 > Properties, select Internet Protocol Version 4, and click on the Properties button.

Assign the static IP 10.0.0.3 with subnet mask 255.255.255.0, and set both the default gateway and the preferred DNS server to 10.0.0.1, so that every connection and every DNS query from the victim lands on the analysis machine.

Internet conf Windows

Check the Connection

ping 10.0.0.1

Ubuntu victim machine

Append the following at the end of the file /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 10.0.0.2
gateway 10.0.0.1
netmask 255.255.255.0
dns-nameservers 10.0.0.1

And run:

sudo ifup eth0
sudo service networking restart

Creating and restoring snapshots

Just select Machine > Take Snapshot.

You can name the snapshot Clean state. It doesn't hurt to do it for your analysis machine as well. Restore the victim to Clean state before every new sample, otherwise artifacts from the previous run end up in your diff and in your report.

Static Malware Analysis

Taking a closer look at the suspicious file by examining its static properties.

Static properties include the strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc.

This process also helps determine whether the analyst should take a closer look at the specimen using more comprehensive techniques and where to focus the subsequent steps.

Program Analysis

Determining the type of executable

ELF, EXE, APK.. etc

The quickest check is the file's magic bytes (what the file utility reads): a Windows PE starts with MZ, an ELF binary with \x7fELF, and an APK is a ZIP archive, so it starts with PK. Never trust the extension.

PE

Portable Executable

ELF

Executable and Linkable Format

Portable Executable File

The Portable Executable (PE) file format is used by Windows executables, object code, and DLLs. The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code.

PE Headers and Sections

PE file headers can provide considerably more information than just imports. The PE file format contains a header followed by a series of sections. The header contains metadata about the file itself.

PE Headers

Imports - Functions from other libraries that are used by the malware

Exports - Functions in the malware that are meant to be called by other programs or libraries

Time Date Stamp - Time when the program was compiled (trivially forged, but a timestamp in the future or decades in the past is itself a red flag)

Sections - Names of sections in the file and their sizes on disk and in memory

Subsystem - Indicates whether the program is a command-line or GUI application

Resources - Strings, icons, menus, and other information included in the file

PE Sections

.text - Contains the executable code

.rdata - Contains read-only data that is globally accessible within the program (the import and export tables usually live here)

.data - Stores global data accessed throughout the program

.rsrc - Stores resources needed by the executable

A section whose size in memory is far larger than its size on disk, whose name is not one of the above (UPX0, UPX1, .aspack ...), or whose contents have near-maximum entropy usually means the binary is packed: the code you see on disk is not the code that will run.

Tools that can be used to analyse PE files

  • PEView
  • PEiD
  • PEStudio
  • Resource Hacker
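An added example, written for this page rather than taken from the workshop or from any of the tools listed, of what PEView and PEStudio do under the hood: walking the DOS header, PE signature, COFF header, optional header and section table with nothing but the struct module, then applying the packing heuristics described above. Because a real sample cannot ship with the page, the code builds a constructed two-section PE32 image in memory whose second section looks exactly like a UPX-style packer section; the section names, sizes and timestamp are invented.

```python
import datetime
import math
import struct

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows CUI (console)", 10: "EFI application"}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~1 for padding/nops, >7 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": raw_size,
            "entropy": round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2),
            "writable_and_executable": bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE),
        })
    entry_section = next((s["name"] for s in sections if s["virtual_address"] <= entry_rva
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc).isoformat(),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_section": entry_section,
        "sections": sections,
    }


def packer_indicators(info: dict) -> list:
    """Cheap static signs that the code on disk is not the code that will run."""
    notes = []
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            notes.append(f"{s['name']}: non-standard section name")
        if s["entropy"] > 7.0:
            notes.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted content)")
        if s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            notes.append(f"{s['name']}: virtual size {s['virtual_size']:#x} far exceeds raw size {s['raw_size']:#x} (unpacks in memory)")
        if s["writable_and_executable"]:
            notes.append(f"{s['name']}: writable and executable")
    if info["entry_section"] not in (None, ".text"):
        notes.append(f"entry point lies in {info['entry_section']}, not .text")
    return notes


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (not runnable, not a real sample): a tiny .text of
    nop;ret pairs plus a UPX1-style section holding 512 bytes of maximum-entropy data that
    claims 128 KiB of memory, is writable+executable and contains the entry point."""
    e_lfanew, opt_size, n_sections = 0x40, 224, 2
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 1589241600, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x2010)     # AddressOfEntryPoint (inside UPX1)
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<H", opt, 68, 2)          # Subsystem: Windows GUI
    text_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * n_sections + 0x1FF) & ~0x1FF   # FileAlignment 0x200
    text_raw = b"\x90\xC3" * 256                # entropy exactly 1.0
    upx_raw = bytes(range(256)) * 2             # entropy exactly 8.0
    headers = (SECTION_HDR.pack(b".text", 0x200, 0x1000, len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
               + SECTION_HDR.pack(b"UPX1", 0x20000, 0x2000, len(upx_raw), text_ptr + len(text_raw), 0, 0, 0, 0, 0xE0000020))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image + b"\0" * (text_ptr - len(image)) + text_raw + upx_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["format"], info["machine"], info["subsystem"], "compiled", info["compiled"])
    for s in info["sections"]:
        print(f"  {s['name']:8} vaddr={s['virtual_address']:#7x} vsize={s['virtual_size']:#8x} raw={s['raw_size']:#6x} entropy={s['entropy']}")
    for note in packer_indicators(info):
        print("  !", note)
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(). The same four indicators (foreign section name, entropy above 7, memory footprint far larger than the on-disk size, RWX permissions) are what PEiD's signatures and PEStudio's indicator column are summarising for you.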

The baby steps

Look for strings

Calculate the hash of the executable

Look them up online: virustotal.com is a great resource for simple static analysis. Search by hash first; uploading the sample itself shares it with the vendors and with other users, which can tip off a targeted attacker that their tooling has been found.

Reversing the executable

Advanced static analysis consists of reverse-engineering the malware's internals by loading the executable into a disassembler and looking at the program instructions in order to discover what the program does.

The instructions are what the CPU will execute, so advanced static analysis tells you exactly what the program can do. It is also the slowest technique, and a packed or obfuscated sample must be unpacked first or the disassembler only shows you the packer stub.

Dynamic Malware Analysis

Basic dynamic analysis techniques involve running the malware and observing its behavior on the system, in order to remove the infection, produce effective signatures, or both.

Advanced dynamic analysis uses a debugger to examine the internal state of a running malicious executable.

Let's begin

Analysis Complexity

Diffing

Take a snapshot of a clean system state and a snapshot of the compromised system state.

By diffing the two, the artifacts the malware left behind (new files, registry values, services, scheduled tasks) can be observed easily. The blind spot is anything created during the malware's activity and purposely erased before the second snapshot, such as a dropper that deletes itself after installing its payload.

Tools - regshot, autoruns
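An added example of the diffing step, written for this page (it is not Regshot or Autoruns output and not the workshop's code). Two constructed snapshots of a Windows victim VM are compared, and the raw diff is then triaged against the places malware uses for persistence and defence evasion. The snapshot contents, paths and hash labels are invented; the dropper that ran and deleted itself between the two snapshots is deliberately absent from both, to show the blind spot mentioned above.

```python
# Constructed "before" and "after" snapshots of a Windows lab VM, in the spirit of a
# Regshot compare: registry values and files keyed by path, with fake content hashes.
# Not real data. The dropper C:\Users\victim\AppData\Local\Temp\invoice.exe ran and
# deleted itself between the two snapshots, so it appears in neither.
BEFORE = {
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "0",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start": "2",
    },
    "files": {
        r"C:\Windows\System32\drivers\etc\hosts": "sha256:hosts-clean",
        r"C:\Windows\System32\notepad.exe": "sha256:notepad-clean",
        r"C:\Users\victim\Documents\report.docx": "sha256:report-clean",
    },
}

AFTER = {
    "registry": {
        **BEFORE["registry"],
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater": r"C:\Users\Public\svch0st.exe",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "1",
        r"HKLM\SYSTEM\CurrentControlSet\Services\svcupd\ImagePath": r"C:\Users\Public\svch0st.exe",
    },
    "files": {
        r"C:\Windows\System32\drivers\etc\hosts": "sha256:hosts-modified",
        r"C:\Windows\System32\notepad.exe": "sha256:notepad-clean",
        r"C:\Users\Public\svch0st.exe": "sha256:payload",
        r"C:\Users\victim\Documents\report.docx.locked": "sha256:encrypted",
    },
}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Per category (registry, files): what appeared, disappeared or changed value."""
    diff = {}
    for category in sorted(before.keys() | after.keys()):
        b, a = before.get(category, {}), after.get(category, {})
        diff[category] = {
            "added": {k: a[k] for k in sorted(a.keys() - b.keys())},
            "removed": {k: b[k] for k in sorted(b.keys() - a.keys())},
            "modified": {k: (b[k], a[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
        }
    return diff


# Where malware parks itself to survive a reboot, and what it tampers with to stay hidden.
AUTOSTART_MARKERS = (r"\CurrentVersion\Run", r"\CurrentControlSet\Services", r"\Winlogon",
                     r"\Programs\Startup", r"\System32\Tasks")
DEFENCE_MARKERS = (r"\Windows Defender", r"\drivers\etc\hosts", r"\SafeBoot", r"\Policies\System")


def triage_diff(diff: dict) -> list:
    """Turn the raw diff into prioritised findings an analyst would act on."""
    findings = []
    for category, buckets in diff.items():
        for change, entries in buckets.items():
            for key, value in entries.items():
                lowered = key.lower()
                if any(m.lower() in lowered for m in AUTOSTART_MARKERS):
                    findings.append(f"persistence: {change} {key} -> {value}")
                elif any(m.lower() in lowered for m in DEFENCE_MARKERS):
                    findings.append(f"defence evasion: {change} {key} -> {value}")
                elif category == "files" and change == "added" and lowered.endswith(".locked"):
                    findings.append(f"impact: {change} {key} (encrypted-file extension)")
                else:
                    findings.append(f"other: {change} {key}")
    return findings


if __name__ == "__main__":
    for finding in triage_diff(diff_snapshots(BEFORE, AFTER)):
        print(finding)
```

Note what the diff cannot tell you: that invoice.exe ever existed, or in which order the changes happened. That is exactly the gap the system-monitoring approach on the next slide closes.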


System Monitoring

From a clean system state, record every individual change on the system and every piece of network traffic that appears after execution of the suspicious file. Unlike diffing, monitoring also captures transient events, including files the malware creates and deletes again.

Tools - procmon, TCPView, Process Explorer, WinObj, strace, systrace, netstat

Network Monitoring

Malware often beacons out and eventually communicates with a command-and-control server. Beacons are typically short, regular check-ins of near-identical size, which is what makes them stand out from human-driven traffic.

Packet Sniffing

Tools - wireshark, zap

Faking a Network

Tools - ApateDNS, INetSim, netcat
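An added example of hunting for the beaconing described above in connection records, written for this page and not taken from the workshop or from any of the tools listed. It works on a constructed log of (timestamp, source, destination, port, bytes) records, the fields you would get from Zeek's conn.log or from INetSim's connection log; one flow is a regular ~60 second check-in with small jitter, one is a person browsing, one has too few events to judge. The hosts and timings are invented.

```python
import statistics
from collections import defaultdict


def _build_log() -> list:
    """Constructed connection records (epoch ts, src, dst, dst port, bytes out), in the
    spirit of a Zeek conn.log or the INetSim connection log. Not a real capture."""
    lines = []
    t = 1700000000                                  # implant: ~60 s period, small jitter, fixed size
    lines.append(f"{t} 10.0.0.3 203.0.113.45 443 412")
    for gap in (61, 58, 63, 58, 61, 59, 62, 60, 59):
        t += gap
        lines.append(f"{t} 10.0.0.3 203.0.113.45 443 412")
    t = 1700000005                                  # a person browsing: bursty, variable sizes
    for gap, size in zip((1, 1, 45, 2, 310, 3, 1), (1480, 9020, 2210, 760, 15000, 300, 1200)):
        t += gap
        lines.append(f"{t} 10.0.0.3 198.51.100.7 443 {size}")
    for t in (1700000100, 1700000160, 1700000220):  # too few events to call either way
        lines.append(f"{t} 10.0.0.3 192.0.2.9 53 64")
    return sorted(lines, key=lambda l: int(l.split()[0]))


CONN_LOG = _build_log()


def parse_conn_log(lines) -> dict:
    """Group (timestamp, bytes) pairs per (src, dst, dport) flow key."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, nbytes = line.split()
        flows[(src, dst, int(dport))].append((float(ts), int(nbytes)))
    return flows


def find_beacons(lines, min_events=5, max_interval_cv=0.15, max_size_cv=0.25) -> list:
    """Flag flows whose inter-connection gaps and payload sizes barely vary.
    CV = standard deviation / mean, so it is scale-free: a 60 s and a 6 h beacon score alike."""
    results = []
    for (src, dst, dport), events in parse_conn_log(lines).items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = statistics.mean(gaps)
        interval_cv = statistics.pstdev(gaps) / period if period else float("inf")
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            results.append({"src": src, "dst": dst, "dport": dport, "count": len(events),
                            "period_s": round(period, 1), "interval_cv": round(interval_cv, 3),
                            "size_cv": round(size_cv, 3)})
    return results


if __name__ == "__main__":
    for b in find_beacons(CONN_LOG):
        print(f"beacon candidate: {b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s "
              f"({b['count']} connections, interval CV {b['interval_cv']}, size CV {b['size_cv']})")
```

In the lab the destination will always be 10.0.0.1 (INetSim), so key on the hostname the victim resolved instead of the IP. On a production network, expect legitimate periodic traffic (NTP, update checks, monitoring agents) to score the same way; the periodicity finds candidates, the destination and the process that opened the socket decide.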


Hands-on

Setting up INetSim and Burp

First, create your own copy of the INetSim .conf and data directory (INetSim writes its reports under the data directory, so the copy must be writable by the user running it):

mkdir malware-analysis
cp /etc/inetsim/inetsim.conf malware-analysis/
sudo cp -r /var/lib/inetsim malware-analysis/data
sudo chown -R "$USER":"$USER" malware-analysis/data
cd malware-analysis

Change the following line in the file inetsim.conf

#service_bind_address 10.0.0.1

to

service_bind_address 0.0.0.0

We have to disable systemd-resolved, which is a local DNS server shipped by default with Ubuntu and will conflict with INetSim's DNS server on port 53.

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop

By default, INetSim's DNS server resolves all domain names to 127.0.0.1. We want every domain name to resolve to 10.0.0.1 (the analysis machine IP) instead; uncomment the following line so that it reads:

dns_default_ip 10.0.0.1

Set up the HTTPS binding port for Burp. Replace the following line

#https_bind_port 443

by the uncommented

https_bind_port 8443

If this line stays commented out, INetSim keeps its default of 443 and Burp's listener on 443 will fail to bind.

Let's run INetSim!

sudo inetsim --data data --conf inetsim.conf
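The three inetsim.conf changes above, as an added example written for this page (not part of INetSim or of the workshop material). It edits a constructed excerpt of the stock configuration in place, uncommenting the keys instead of leaving the commented defaults next to the new values, and then checks the result; run the check against the original file and it reports exactly the mistake of leaving https_bind_port commented out. The excerpt is an assumption about the file's layout; the key names and default values are the ones shown on the slides.

```python
import re

# Constructed excerpt of the stock inetsim.conf: the keys that matter for the lab are
# present but commented out with their defaults, exactly as on the slides above.
STOCK_CONF = """\
# INetSim configuration file (excerpt)
start_service dns
start_service http
start_service https

#service_bind_address 10.0.0.1

#dns_default_ip 10.0.0.1

#http_bind_port 80

#https_bind_port 443
"""

LAB_SETTINGS = {
    "service_bind_address": "0.0.0.0",   # listen on the isolated network, not just loopback
    "dns_default_ip": "10.0.0.1",        # every name resolves to the analysis machine
    "https_bind_port": "8443",           # leave 443 free for Burp's transparent listener
}

KEY_VALUE = re.compile(r"^\s*(#?)\s*(\w+)\s+(\S+)\s*$")


def apply_lab_settings(conf: str, settings=LAB_SETTINGS) -> str:
    """Uncomment and set each key in place, drop duplicates, append keys the file lacks."""
    done = set()
    out = []
    for line in conf.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group(2) in settings:
            key = m.group(2)
            if key not in done:
                out.append(f"{key} {settings[key]}")
                done.add(key)
            continue                     # a second occurrence would shadow the first: drop it
        out.append(line)
    for key, value in settings.items():
        if key not in done:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def check_lab_settings(conf: str, settings=LAB_SETTINGS) -> list:
    """Problems that would break the lab; an empty list means the file matches the plan."""
    active = {}
    for line in conf.splitlines():
        m = KEY_VALUE.match(line)
        if m and not m.group(1):         # only uncommented lines count
            active[m.group(2)] = m.group(3)
    problems = []
    for key, want in settings.items():
        got = active.get(key)
        if got is None:
            problems.append(f"{key} is commented out or missing, so INetSim uses its built-in default")
        elif got != want:
            problems.append(f"{key} is {got}, expected {want}")
    return problems


if __name__ == "__main__":
    print("stock file:", check_lab_settings(STOCK_CONF) or "ok")
    fixed = apply_lab_settings(STOCK_CONF)
    print(fixed)
    print("fixed file:", check_lab_settings(fixed) or "ok")
```

To use it on the real file, read malware-analysis/inetsim.conf into a string, write the result back, and run the check once more after INetSim has started: a service that failed to bind shows up in its log, not in the config.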

INetSim Running


Setting up BurpSuite for SSL interception

SSL Setup

To be able to analyze the SSL/TLS traffic, we also need to run Burp. We'll run it as a transparent proxy in front of INetSim. When a victim machine initiates an SSL connection, it first goes to Burp on port 443, which decrypts it and proxies it on to INetSim's HTTPS service on port 8443.

Make sure that you run Burp as root (binding port 443 requires it).

Create a project -> Proxy -> Options -> Edit Default Interface

Binding tab
Bind to port: 443
Bind to address: all interfaces
Request handling tab:
Redirect to host: localhost
Redirect to port: 8443
Check Support invisible proxying

Installing Burp Certificates

In Burp, add a new proxy listener on port 8080, listening on all interfaces (tab Proxy > Options > button Add).

Then, from the victim machine, browse to http://10.0.0.1:8080.

Click on CA Certificate in the top-right corner to download Burp's CA certificate.

Burp CA Cert

On the Windows 7 victim machine: open the file, click Install certificate > Next > Place all certificates in the following store: Trusted Root Certification Authorities > Next

On the Ubuntu victim machine:

Convert the certificate to the appropriate format (.crt) using

openssl x509 -in ~/Downloads/cacert.der -inform DER -out burp.crt

Copy it to /usr/local/share/ca-certificates

sudo cp burp.crt /usr/local/share/ca-certificates/

Run

sudo update-ca-certificates

Firefox by default doesn't use the system's certificate store. If you want the SSL connection to work properly in Firefox as well, go to the Firefox settings under Advanced > Certificates > Import, choose burp.crt and check Trust this CA to identify websites.

Installing the Burp CA only helps software that honours the system trust store. Malware that pins its C2 certificate, or speaks a custom protocol over 443, will abort the handshake; that failure is itself a finding, and the ClientHello still gives you the SNI hostname.

SSL Success!

Demonstration

Network Analysis of TeslaCrypt Ransomware

Debugging

Setting breakpoints inside the suspicious file to stop its execution at a given location and inspect its state. Breaking on calls to important APIs (VirtualAlloc, WriteProcessMemory, CreateProcess, the WinINet functions) is the fastest way to catch unpacking, injection and C2 setup in the act.

Tools - IDA, OllyDbg, x64dbg, WinDbg

Android Malware

Android software stack

Android Software Stack

The Attack Surface

Attack surface simply means the characteristics of a target that make it vulnerable to attack.

Android Attack Surface

Android Malware Detection & Analysis

Malware detection as a discipline combines multiple techniques and principles.

Detection Techniques

Signature Based Detection - match known byte patterns, hashes or strings; precise, but blind to new or repacked samples

Anomaly Based Detection - learn what normal behaviour looks like and flag deviations; catches novel malware at the cost of false positives

Specification Based Detection - define what an application is allowed to do and flag anything outside that specification

Detection Analysis

Static Analysis

  • Studying the AndroidManifest.xml

  • Analysing App Permissions

  • Looking up online!

Dynamic Analysis

  • Analysing Network Activity

  • System monitoring (CPU, Memory, Storage, etc.)

Tools for static analysis

ApkTool

Dex2jar

jadx

quark engine
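An added example for the first two static-analysis steps above (studying AndroidManifest.xml and the permissions it requests), written for this page rather than taken from the workshop or from any of the tools listed. Inside the APK the manifest is binary XML; after apktool d sample.apk it is plain XML, which is what this code reads. The manifest here is constructed, modelled on the classic fake "Flash Player" lure; the dangerous-permission list is abridged from the Android documentation and the package and component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions of protection level "dangerous" that matter most in malware triage
# (abridged), plus special/normal ones that banking trojans and stalkerware lean on.
DANGEROUS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG", "RECORD_AUDIO",
             "CAMERA", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "CALL_PHONE", "WRITE_EXTERNAL_STORAGE"}
ABUSE_PRONE = {"SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES", "RECEIVE_BOOT_COMPLETED",
               "BIND_ACCESSIBILITY_SERVICE", "BIND_DEVICE_ADMIN"}

# Constructed manifest as apktool would decode it. Not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flash Player" android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".C2Service" android:exported="true"/>
    </application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"), "dangerous_permissions": [],
              "abuse_prone_permissions": [], "exported_components": [], "findings": []}
    for p in root.iter("uses-permission"):
        short = (attr(p, "name") or "").rsplit(".", 1)[-1]
        if short in DANGEROUS:
            report["dangerous_permissions"].append(short)
        elif short in ABUSE_PRONE:
            report["abuse_prone_permissions"].append(short)
    app = root.find("application")
    if app is not None:
        for flag, text in (("debuggable", "application is debuggable"),
                           ("allowBackup", "allowBackup=true (app data extractable with adb backup)"),
                           ("usesCleartextTraffic", "cleartext network traffic allowed")):
            if attr(app, flag) == "true":
                report["findings"].append(text)
        for comp in app:                      # document order: activity, receiver, service ...
            if comp.tag not in ("activity", "service", "receiver", "provider"):
                continue
            name = attr(comp, "name")
            filters = comp.findall("intent-filter")
            categories = {attr(c, "name") for f in filters for c in f.iter("category")}
            exported = attr(comp, "exported")
            implicitly_exported = exported is None and bool(filters)   # pre-API-31 default
            if (exported == "true" or implicitly_exported) and attr(comp, "permission") is None \
                    and "android.intent.category.LAUNCHER" not in categories:
                report["exported_components"].append(f"{comp.tag} {name}")
            for f in filters:
                actions = {attr(a, "name") for a in f.iter("action")}
                if "android.provider.Telephony.SMS_RECEIVED" in actions:
                    report["findings"].append(
                        f"{name} intercepts incoming SMS (priority {attr(f, 'priority') or '0'})")
    if {"READ_SMS", "RECEIVE_SMS"} & set(report["dangerous_permissions"]) \
            and "SYSTEM_ALERT_WINDOW" in report["abuse_prone_permissions"]:
        report["findings"].append(
            "SMS access plus overlay permission: banking-trojan pattern (OTP theft, fake login screens)")
    return report


if __name__ == "__main__":
    for key, value in analyse_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The launcher activity is skipped on purpose: every app exports one. What is worth a second look is an exported receiver or service with no permission guarding it, a high-priority SMS_RECEIVED filter (the receiver sees the OTP before the messaging app does), and a "Flash Player" that needs to read SMS. Permissions alone do not convict an app; the next step is to open the DEX code in jadx and confirm what the SmsReceiver does with the messages.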


Hands on

Please collect resources from here

Incident Response

Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Preparation

The initial phase, in which we perform preparatory measures (tooling, contacts, playbooks, clean images) to ensure we can respond effectively to incidents if and when they are uncovered.

Detect & Analyze

In this phase we should strive to detect and validate incidents rapidly because infections can spread through the network within a matter of minutes. Early detection can help to minimize the number of infected systems, which will lessen the magnitude of the recovery effort and the amount of damage the organization sustains as a result of the incident.

Contain, Eradicate & Recover

The third phase, containment, has two major components: stopping the spread of the attack and preventing further damage to systems. It is important to decide which methods of containment to employ early in the response. We should have strategies and procedures in place for making containment-related decisions that reflect the level of risk acceptable to the organization.

Post-Incident Handling

The cost of handling malware incidents can be extremely high, so it is particularly important for organizations to conduct a robust assessment of lessons learned after major malware incidents to prevent similar incidents from occurring.

Honeypots & Honeynets

A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource.

Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise.

A honeynet is simply a network of honeypots.

Information gathering and early warning are the primary benefits to most organisations.

Issues?

In some cases the data obtained from honeypots leads to poor results, due to the limited amount of data.

Attackers can detect the honeypots.

The honeypot may be used to attack the real (non-honeypot) systems, so it must be contained as carefully as an analysis VM.

Types

Low Interaction

High Interaction

Server Honeypots

Client Honeypots

Example and Demonstration

Dionaea

Kippo

Thanks
