Thursday, December 20, 2012

#HITB2012KUL D1T2 - Wes Brown - Supercomputing, Malware and Correlation

Video clip. Duration: 48.78 minutes.


PRESENTATION MATERIALS: conference.hitb.org

PRESENTATION ABSTRACT: For more than two years, ThreatGRID has been building a threat intelligence service where samples and content are cross-indexed and related. This allows for tremendous amounts of derived analysis, building relationships based on timing, behavioral, structural, and communications characteristics. We are able to determine origin, aims, and targets of specific samples via second and third order relationships. We track all artifacts and behaviors, both host and network, and correlate between any of them. Content is generated through dynamic and static malware analysis. We do perform de-duplication of samples that are collected in the wild and submitted through various sources.

Even though a piece of malware can be identified as belonging to a particular family of rootkit or dropper, their characteristics change and evolve over time. These ephemeral behavioral characteristics are vital to identifying relationships between malware, and this is content that we don't want to miss. We've been submitting and analyzing a sample for about a year now, tracking how its functionality, content and relationships have changed over time.

This approach of not deduping submissions leads to some interesting issues related to scaling, storage and infrastructure design. This talk covers the infrastructure requirements and architectural decisions made to facilitate being able to analyze the entire worldwide output of malware ...
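To make the abstract's cross-indexing idea concrete, here is an added example (my own sketch, not ThreatGRID's code) of an artifact index over a handful of constructed submissions: samples sharing an artifact are first-order related, chains of shared artifacts give second and third order relations, and keeping every resubmission of a sample instead of de-duplicating it both tightens the relationship graph and exposes behavioural drift. Sample ids, dates and artifacts are all made up.

```python
"""Artifact cross-index sketch (added example, not ThreatGRID's code).
Each submission of a sample records the host and network artifacts it
produced. Samples that share an artifact are directly related; second-
and third-order relations follow chains of shared artifacts. Keeping
every submission (no de-duplication) makes behaviour drift visible."""
from collections import defaultdict

# Constructed sample data: (sample_id, submission_date, {artifacts}).
# S1 is submitted twice, seven months apart, and its behaviour changes.
OBSERVATIONS = [
    ("S1", "2011-11-01", {"mutex:Global\\abc", "dns:cdn-update.example"}),
    ("S2", "2011-12-10", {"dns:cdn-update.example", "file:%TEMP%\\svc.dll"}),
    ("S3", "2012-01-15", {"file:%TEMP%\\svc.dll", "ip:203.0.113.9"}),
    ("S4", "2012-02-02", {"ip:198.51.100.7"}),
    ("S1", "2012-06-01", {"mutex:Global\\abc", "dns:relay.example",
                          "ip:203.0.113.9"}),
]

def dedupe_first(observations):
    """What a de-duplicating pipeline would keep: the first run per sample."""
    seen, kept = set(), []
    for obs in sorted(observations, key=lambda o: o[1]):
        if obs[0] not in seen:
            seen.add(obs[0])
            kept.append(obs)
    return kept

def build_index(observations):
    """Inverted index: artifact -> set of samples that ever produced it."""
    index = defaultdict(set)
    for sample, _, artifacts in observations:
        for art in artifacts:
            index[art].add(sample)
    return index

def related(sample, index, order=1):
    """Samples within `order` shared-artifact hops of `sample`, returned as
    {sample_id: hop_count}; order=1 is direct overlap, 2 is second order."""
    dist, frontier = {sample: 0}, {sample}
    for hop in range(1, order + 1):
        nxt = set()
        for members in index.values():
            if members & frontier:        # artifact seen in the frontier
                nxt |= members
        frontier = nxt - set(dist)        # only samples not yet reached
        dist.update((s, hop) for s in frontier)
    dist.pop(sample)
    return dist

def behaviour_drift(sample, observations):
    """Artifacts gained and lost between first and last submission of `sample`."""
    runs = sorted(((t, a) for s, t, a in observations if s == sample),
                  key=lambda r: r[0])
    first, last = runs[0][1], runs[-1][1]
    return {"gained": last - first, "lost": first - last}
```

With de-duplication, S3 is only a second-order relative of S1 (via S2); with the later S1 submission kept, the shared C2 address makes it first-order, and the drift report shows which artifacts appeared and disappeared.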
