IT Professions in the Anti-Malware Industry
Roberto Sponchioni
Sr. Anti-Malware Engineer
Who am I?
Working as a Senior Anti-Malware Engineer @ Symantec
Worked as a Security Consultant (PT/VA, Incident Response)
Graduated from University of Milan (DTI)
Copyright 2014 Symantec Corporation
A long series of data breaches: some examples
A long series of data breaches in the US
Ref.: http://www.bloomberg.com/graphics/2014-data-breaches/
[Three image slides from the Bloomberg data-breach graphic; images not included]
Malware, it's everywhere: what is it? What's its purpose? Who's behind it?
Different types of malware, different purposes
DDoS botnet (Backdoor.Zemra, Linux.Shelldos, Linux.Xnote, etc.)
Banking malware (Zbot, Carberp, etc.)
Ransomlock & Cryptolocker
Mobile malware
Information-stealing malware (Rodagose, Rawpos, Steem, etc.)
APT (zero-day-exploits, ad-hoc malware, spearphishing, etc.)
State sponsored / cyberespionage (Stuxnet, etc.)
Exploit kits (Blackhole, Angler, Rig, etc.)
It's easy to build your own malware
What would you do to protect yourself / your company?
User education
Antivirus / security products
Reputation systems
Firewall
IDS/IPS sensors within the network
Follow best practices (ISO-27001, etc.)
Let's look at some figures
How much malware/adware/PUAs do we see?
It's ~190M in 1 month. It's ~6M per day
Let's look at some figures
In total: network and files are...
It's ~250M in 1 month. It's ~8M per day
Let's look at some figures
Number of reputation queries?
~ 40 + 35 billion (URLs + Files)
The need for specialists!
IT professionals work hard to protect our data
Malware Researchers, QA, Developers, Network Security Specialists, IR
Symantec Security Response - 24/7
What do we do in Security Response? Let's have a look at some examples
Let's try to identify a malware sample: what would you do to identify a malicious file?
File structure analysis
Behavioural analysis
    Network analysis
    File system changes
    Registry changes
    Etc.
Code analysis & debugging
    Identify hidden functionalities
    Forcing the code to follow different branches
    Etc.
File structure analysis: what would you do to identify a malicious file?
EXE icon
Packer identification
Suspicious data
[Diagram: a normal executable (header, code, data) beside a packed executable (header, compressed/encrypted code + data, packer's code)]
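The packer-identification step in the diagram comes down to two static checks: does the section table carry names left behind by a known packer, and does any section hold data too random to be plain code? The script below is an added example (not code from the slides or from Symantec): it walks the PE section table by hand, measures per-section Shannon entropy, and builds two constructed in-memory PE images, one "normal" and one "packed", to show the difference. The packer section names and the 7.0 bits/byte threshold are assumptions to tune against your own corpus.

```python
"""Static triage for packed executables: parse the PE section table and measure per-section entropy.
Added example; the sample PE files below are constructed in memory and are not real binaries."""
import math
import random
import struct

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0
# Section names left by a few common packers (assumption: extend from your own corpus)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".vmp0", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(section_name, raw_bytes)] from the section table; raise ValueError on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", pe, coff + 2)   # COFF NumberOfSections
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)    # COFF SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(n_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def triage(pe: bytes):
    """List the packing indicators found: known packer section names and high-entropy sections."""
    findings = []
    for name, raw in parse_sections(pe):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"packer section name: {name}")
        entropy = shannon_entropy(raw)
        if entropy >= HIGH_ENTROPY:
            findings.append(f"high-entropy section {name or '<unnamed>'}: {entropy:.2f} bits/byte")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header, section table, section data."""
    e_lfanew = 0x40
    n = len(sections)
    size_opt = 0                                   # no optional header needed for the section walk
    data_start = e_lfanew + 4 + 20 + 40 * n
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x102)
    table, body, ptr = b"", b"", data_start
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body


# Constructed inputs: a repetitive "code" section versus pseudo-random bytes standing in for compressed code
_rng = random.Random(7)
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
NORMAL_SAMPLE = build_sample_pe([(".text", b"\x55\x8b\xec\x83\xec\x10\xc3\x90" * 256),
                                 (".data", b"Hello from a plain program\0" * 64)])
PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", HIGH_ENTROPY_BLOB)])

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample) or ["no packing indicators"])
```

Entropy alone is a heuristic: legitimately compressed resources or embedded certificates also score high, so treat a hit as a reason to unpack and look further, not as a verdict.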
Behavioural analysis: what would you do to identify a malicious behaviour?
File system (e.g. lower security settings)
Registry changes (e.g. autorun keys)
Network traffic
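Turning those three observation points into a verdict is a matter of rules over the sandbox's event stream. The following is an added example, not Symantec's tooling: a handful of constructed heuristics (autorun key writes, the Startup folder, a registry value that lowers security, and outbound connections to raw IP addresses on unusual ports) scored over constructed event records shaped like a sandbox report. The event schema, the weights and the thresholds are assumptions.

```python
"""Behavioural triage over sandbox events: persistence, weakened security settings and outbound
connections to raw IPs. Added example; rules and sample events are constructed, not Symantec's."""
import re
from typing import Dict, List, Tuple

# Heuristics assumed for this example; tune patterns, weights and thresholds on your own sandbox corpus.
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)       # autorun load point
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# registry values whose change lowers the host's security posture (value name -> weakening data)
WEAKENING_VALUES = {"enablelua": "0", "disableantispyware": "1"}
WEIGHTS = {"persistence": 3, "weaken_security": 4, "c2_candidate": 2}


def classify_event(ev: Dict) -> List[str]:
    """Return the behaviour tags one event triggers (possibly none)."""
    tags: List[str] = []
    kind = ev.get("type")
    if kind == "registry":
        if RUN_KEY.search(ev.get("key", "")):
            tags.append("persistence")
        name = str(ev.get("value_name", "")).lower()
        if WEAKENING_VALUES.get(name) == str(ev.get("data")):
            tags.append("weaken_security")
    elif kind == "file" and STARTUP_FOLDER.search(ev.get("path", "")):
        tags.append("persistence")
    elif kind == "network":
        if RAW_IP.match(ev.get("host", "")) and ev.get("port") not in (80, 443):
            tags.append("c2_candidate")
    return tags


def triage(events) -> Tuple[str, int, List[Tuple[str, Dict]]]:
    """Sum the weights of every tag hit and map the score to a verdict."""
    score, hits = 0, []
    for ev in events:
        for tag in classify_event(ev):
            score += WEIGHTS[tag]
            hits.append((tag, ev))
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "benign"
    return verdict, score, hits


# Constructed sample reports (paths, keys and the 203.0.113.0/24 documentation range are placeholders)
MALICIOUS_RUN = [
    {"type": "file", "path": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe", "op": "create"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "Updater", "data": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value_name": "EnableLUA", "data": 0},
    {"type": "network", "host": "203.0.113.7", "port": 8080},
]
SUSPICIOUS_RUN = [{"type": "network", "host": "203.0.113.9", "port": 4444}]
BENIGN_RUN = [
    {"type": "file", "path": "C:\\Program Files\\Acme\\acme.exe", "op": "create"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Acme", "value_name": "InstallPath", "data": "C:\\Program Files\\Acme"},
    {"type": "network", "host": "updates.acme.example", "port": 443},
]

if __name__ == "__main__":
    for label, run in (("malicious", MALICIOUS_RUN), ("suspicious", SUSPICIOUS_RUN), ("benign", BENIGN_RUN)):
        verdict, score, hits = triage(run)
        print(f"{label}: verdict={verdict} score={score} tags={[t for t, _ in hits]}")
```

The first file event (a drop into AppData) deliberately triggers nothing on its own; the verdict comes from the combination of load point, lowered UAC setting and the raw-IP beacon, which is why a scoring model is more useful than any single rule.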
Code analysis & debugging: what can you do if you have the ASM code?
Identify hidden functionalities
Identify malware capabilities such as propagation, load points, infection, and C&C server communications
Identify encryption and compression algorithms used
Identify portion of code/data that can be used to identify the threat
Malware is getting smarter
Examples of evasions are:
Sandbox evasion
Anti-VM tricks
Anti-analysis tricks
Signature evasion
How can they do that?
What we do in Symantec Security Response
Analyse new malware (e.g. Stuxnet, Regin)
Analyse malware submitted by customers
Analyse and write reports for internal use and for customers
Write automation tools and systems
Write decryptors, decoders, and DGA-decoders
Write generic detections and remediation routines
Develop FixTools (e.g. Poweliks, Ramnit)
Write blog entries about new malware and trends
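Writing a decryptor usually starts with recovering the key a sample uses for its embedded configuration. The example below is added here and is not code from the slides or from Symantec: it shows the known-plaintext approach for the simplest and most common scheme, repeating-key XOR. The analyst guesses a string the configuration must contain (here "http://"), slides it across the encrypted blob, derives the key bytes each position would imply, and keeps the first key that decrypts the whole blob to printable text. The configuration layout, the key and the blob are all constructed for the example.

```python
"""Known-plaintext recovery of a repeating XOR key: the first step in writing a config decryptor.
Added example; the encrypted blob is constructed here, not taken from a real sample."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, known: bytes, key_len: int):
    """Slide the known plaintext across the blob. At offset i the bytes blob[i:i+key_len] XOR known[:key_len]
    are key[(i+j) % key_len]; realign them to position 0 and accept the key if the full decryption is
    printable ASCII and contains the known plaintext. Returns (key, plaintext) or None."""
    if len(known) < key_len:
        raise ValueError("known plaintext must be at least as long as the key")
    for i in range(len(blob) - len(known) + 1):
        fragment = xor_bytes(blob[i:i + key_len], known[:key_len])
        key = bytearray(key_len)
        for j in range(key_len):
            key[(i + j) % key_len] = fragment[j]
        plain = xor_bytes(blob, bytes(key))
        if known in plain and all(0x20 <= c < 0x7F for c in plain):
            return bytes(key), plain
    return None


def parse_config(plain: bytes) -> dict:
    """Constructed config layout for this example: '<c2 url>|<port>|<campaign tag>'."""
    url, port, campaign = plain.decode("ascii").split("|")
    return {"c2_url": url, "port": int(port), "campaign": campaign}


# Constructed sample: a config string encrypted with a 4-byte key (placeholder host in .invalid TLD)
CONFIG_PLAINTEXT = b"http://c2.example.invalid/gate.php|8080|campaign=test"
CONFIG_KEY = b"K3y!"
ENCRYPTED_CONFIG = xor_bytes(CONFIG_PLAINTEXT, CONFIG_KEY)

if __name__ == "__main__":
    hit = recover_key(ENCRYPTED_CONFIG, b"http://", key_len=4)
    if hit is None:
        print("no key found")
    else:
        key, plain = hit
        print("recovered key:", key)
        print("decoded config:", parse_config(plain))
```

When the key length is unknown, the same routine is run for each candidate length up to the length of the known plaintext; real decryptors then swap the XOR for whatever cipher the disassembly revealed (RC4 and AES with a hard-coded key are typical) while keeping the same structure: locate, decrypt, parse.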
What we do in Symantec Security Response: Decryptors. Just an example
[Four image slides showing a decryptor example; images not included]
IT professionals involved in malware protection
Malware Researchers
Automation Developers
Network Analysis Specialists
QA Engineers
Incident Responders / Incident Handlers
Engine Developers
On-site analysis: Incident Handlers/Responders
Incident Responders on-site: we're not talking about Event Analysts here
Data collection (order of volatility must be preserved)
    Timeline of operations
    Chain of custody
Data analysis
    Memory analysis (live analysis)
    Log analysis
    File analysis (EnCase, FTK, Sleuthkit, malware analysis)
    Network traffic analysis
Customer machine replication on VMWare
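The collection side of that list has three requirements that are easy to state and easy to break on a customer site: acquire the most volatile data first, keep a timeline, and be able to prove later that nothing changed hands or content undocumented. The script below is an added example (not a Symantec tool) of a chain-of-custody manifest: every artifact is hashed and timestamped as it is acquired, transfers are logged, the acquisition order is checked against an assumed volatility ranking, and the hashes can be re-verified at any later point. The artifacts it collects are constructed files in a temporary directory.

```python
"""Chain-of-custody manifest for on-site collection: hash each artifact as it is acquired, record who and
when, check that acquisition followed the order of volatility, and re-verify the hashes later.
Added example; the artifacts are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Most to least volatile (assumed RFC 3227-style ordering; adapt to your own playbook)
VOLATILITY_ORDER = ["memory", "network_state", "processes", "disk", "logs"]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def new_manifest(case_id: str, collector: str) -> dict:
    return {"case_id": case_id, "collector": collector, "entries": [],
            "custody": [{"event": "collection_started", "by": collector, "at_utc": _now()}]}


def add_artifact(manifest: dict, stage: str, path: str) -> dict:
    """Hash and timestamp one artifact at acquisition time; returns the entry written."""
    entry = {"stage": stage, "path": path, "size": os.path.getsize(path),
             "sha256": sha256_file(path), "collected_at_utc": _now()}
    manifest["entries"].append(entry)
    return entry


def record_transfer(manifest: dict, from_person: str, to_person: str) -> None:
    manifest["custody"].append({"event": "transferred", "from": from_person, "to": to_person, "at_utc": _now()})


def volatility_violations(manifest: dict) -> list:
    """Paths acquired after a less volatile artifact, i.e. the stage rank dropped between consecutive entries."""
    ranks = [VOLATILITY_ORDER.index(e["stage"]) for e in manifest["entries"]]
    return [manifest["entries"][k]["path"] for k in range(1, len(ranks)) if ranks[k] < ranks[k - 1]]


def verify_manifest(manifest: dict) -> list:
    """Paths that are missing or whose current hash no longer matches: evidence integrity failures."""
    return [e["path"] for e in manifest["entries"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]


def to_json(manifest: dict) -> str:
    return json.dumps(manifest, indent=2)


def demo_roundtrip() -> tuple:
    """Collect three constructed artifacts in volatility order, hand them over, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        files = {"memory": "mem.raw", "network_state": "netstat.txt", "logs": "security.evtx"}
        for stage, name in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(f"constructed {stage} artifact\n".encode())
        m = new_manifest("CASE-0001", "analyst-1")
        for stage, name in files.items():          # dict order is the collection order: memory first
            add_artifact(m, stage, os.path.join(d, name))
        record_transfer(m, "analyst-1", "evidence-locker")
        clean = verify_manifest(m)
        with open(os.path.join(d, "security.evtx"), "ab") as f:  # something touches the log after collection
            f.write(b"appended after collection\n")
        tampered = verify_manifest(m)
        return clean, tampered, volatility_violations(m), m["custody"]


if __name__ == "__main__":
    clean, tampered, violations, custody = demo_roundtrip()
    print("integrity failures at hand-over:", clean)
    print("integrity failures after tampering:", tampered)
    print("volatility-order violations:", violations)
    print("custody log:", json.dumps(custody, indent=2))
```

On a real engagement the manifest is written to separate media from the evidence and its own hash is noted by hand; the point is that the verification step answers the "is this still what we collected?" question with a hash comparison rather than with memory.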
How to get a job in IT security: some tips
Some tips
Be passionate
Work on external projects
Work hard on your university projects
Work hard on your dissertation
We are hiring!
Let's talk! Scenario time! You're a security specialist now
Q & A
Roberto Sponchioni
Thank you!