Friday, July 12, 2013
This year I decided to step out of my comfort zone by presenting at conferences. I’m not a public speaker but I wanted to reach an audience beyond jIIr to provide information that may be helpful to combat malware. Specifically, a triage technique I have been using to find malware extremely fast (in less than 15 minutes). Below are my CFPs and links to the slide decks for the talk I gave at the SANs Digital Forensic and Incident Response Summit and New York State Cyber Security Conference.
FYI, both presentations are pretty much the same except for the lead in to the triage technique. I tailored that to the audience.
Finding Malware Like Iron Man – SANs DFIR Summit Version
When confronted with a system impacted by unknown malware time is of the essence. Triage needs to be done, information technology units need guidance, and the business needs to get back up and running. Questions have to be answered quickly: is the system infected, what malware is involved, and how did the infection occur in the first place. The available triage options all take time: scanning with antivirus, dumping and analyzing memory, performing live analysis, or performing a full post mortem examination. Mass malware makes triage even more challenging with new variants being released at a pace faster than signatures and IOCs are generated.
This presentation discusses how to perform triage on a system infected with malware in three examination steps. Within minutes not only can the majority of malware be detected but the initial infection vector can be identified as well. Topics will include: malware indicators, program execution artifacts, auto-start extensibility points (ASEPs) artifacts, and NTFS artifacts and then there will be a mock case study tying everything together.
Finding Malware Like Iron Man – SANs DFIR Summit Version slide deck can be downloaded from: PDF format or viewable online
Finding Malware Like Iron Man – NYS Cyber Security Conference Version
There are several common misconceptions about malware. One being that malware is just a nuisance, and is usually the product of bored teenagers sitting in their bedrooms. As a result, the typical response to a malware incident is to reimage, rebuild, and redeploy. The primary focus of this response is getting the system back into production as quickly as possible. Analysis of the malware and further research on the system is not a priority or goal.
Malware is not a nuisance or a minor disruption; it can pose significant risks to an organization. Malware is a tool that is leveraged by numerous threat groups to accomplish specific goals. When malware impacts a system the system does not become sick, it becomes compromised, and our incident response processes need to reflect this accordingly.
Root case analysis needs to be performed on systems impacted by malware to improve decision making. Questions need to be answered including: how did this happen, when did it happen, what (if anything) was taken, were we targeted, or what can be done to mitigate this from re-occurring. By re-imaging and re-deploying malware infected systems we no longer answer these questions, and we lose critical intelligence to better protect our organizations. The first step in root cause analysis is locating the malware.
In this technical presentation Corey will discuss three steps to locate malware on a computer running the Windows operating system. The topics will include the following: what is malware, why perform root cause analysis, program execution artifacts, persistence mechanism artifacts, NTFS artifacts, and freely available tools.
At the conclusion of the presentation, attendees will know how to perform three specific examination steps that help to identify common artifacts that point to where malware is located on the infected system.
Finding Malware Like Iron Man – NYS Cyber Security Conference Version slide deck can be downloaded from: PDF format or viewable online