Security B-Sides DC 2018
October 26 - 28, 2018 (Fri - Sun)
Deadbolting Malware Backdoors using 8th Grade Math Sun, 28 Oct 2018 9:00am (50m) Track 1, Grand South - Talk 12
A common tactic in the initial stages of a malware-based attack is to establish a communication channel back to the adversary. Detecting this command and control (C2) activity without prior knowledge is a very difficult undertaking over the long-term.
Security analysts consistently search for the same signals when pillaging through threat intelligence hits, IDS alerts for C2, and triggered SIEM correlation rules. Commonalities of C2 tend to include a mix of new user-agents, rare domains, uncommon top-level domains, similar URI structure, absent referers, high frequencies of connections, and many more characteristics. Additionally, behaviors of C2 can be simulated in controlled environments using historical malware samples. These are the ingredients that collectively enable security analysts to add predictive analytics to their detection arsenal.
In this talk, the presenter will demonstrate how to use 8th grade math and supervised machine learning to proactively hunt malicious software running in enterprise environments.
Wes currently leads threat research efforts for PatternEx, a security startup in Silicon Valley. He previously spent 5 years doing machine learning and intrusion analysis for a threat analytics team at Northrop Grumman. He is especially motivated and passionate for dramatically improving data hunting tradecraft within the cyber security domain. When he's not hacking the planet, he enjoys playing more golf than is healthy and rooting for the Washington Capitals.