Notes from Belfast BSides 2017

Ain’t Nobody Got Time For That: Dynamic Malware Analysis for the Overworked Analyst

Presenter: Edmund Brumaghin

Software for lab

Setting up a malware lab? Here are some tools.

• IPFire

• REMnux

  • INETSim (Simulate services)
  • FakeDNS - Might not be the one he was referring to. But you get the idea.

• RegShot (Registry Snapshot, and Directory contents)

  • Able to identify some IOCs

• ProcessHacker (Real-time PID monitoring with colours)

• ProcessMonitor (Filters for specific use-cases can be found online)

• Filewatch - Might not be this one.

• ILSpy

Indicator of Compromise (IOCs)

Places to find some IOC/Malware.

• Twitter
• RSS
• VirusTotal
• Modern Honeypot Network (MHN)
  • Quickly deploy honeypot

Open Source Intelligence (OSINT)

• Malware samples

  • theZooo
  • KernelMode.info

• Domains

  • DarkNet Stats
  • CollecTor - Couldn’t find a link. -URLS
  • URL Query
  • URLVoid

The Path To Self-Securing Software

Presenters: Gary Robinson & Yan Haung

• Automatic identification of attack vectors from source code.

  • Chomsky Hierarchy of grammar
  • Java parser, creates abstract Syntax Tree (AST), Can generate new source code
  • ANTLR (Another tool for Language Recognition)
    • To parse any language, need to know the grammar of the language
  • Parser will output the tree into JSON format, which can then be used by other software.

• Create a Security Model

• Create Engine to apply security model to project model (JSON from parser)

• [Patent] Detect where data is going on the network and generate and apply firewall rules.

• Currently automate security tests, but tests are manually written.

• Annotate code with the security flags.

7 Sep 2017