Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Using Python to Fight Cybercrime
Search
Kyle Maxwell
April 26, 2015
Technology
240
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
120
Incident Patterns
krmaxwell
0
460
Hackertainment
krmaxwell
1
240
Threat Intelligence for Incident Response
krmaxwell
0
210
From Minion to Engineer
krmaxwell
0
140
Why XOR Crypto Sucks
krmaxwell
0
220
Open Source Threat Intelligence - Shakacon
krmaxwell
1
910
Secure Blogging
krmaxwell
0
150
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
170
Other Decks in Technology
See All in Technology
Claude Code公式skillで 自分の仕事を少しずつ手放そう!(Claude Code開発ノウハウ大公開スペシャル by クラスメソッド)
kaym
0
120
勉強会企画をアプリで構造化してみた 〜そこで見えた、AIとの付き合い方〜 / I've structured a study group plan using an app.
pauli
0
340
グローバルチームと挑むプロダクト開発
sansantech
PRO
1
170
DatabricksにおけるMCPソリューション
taka_aki
1
190
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
KiCAD講習会②
tutcreators
0
100
知らん間に、回ってる
ming_ayami
0
380
AIと共生する開発者プラットフォーム:バクラクのモノレポ×マイクロサービス基盤
sakajunquality
2
3.2k
SRE本の知られざる名シーン / The Hidden Gems of Google SRE Book
nari_ex
1
330
SREとQA 二人三脚で進めるSLO運用/sre-qa-slo
sugitak
0
280
貴方はどのエンジニアリングを磨くのか
hatyibei
0
110
AI Agent SaaS を支える自社仮想化基盤への挑戦と実運用 / ai-agent-saas-virtualization
flatt_security
2
3.6k
Featured
See All Featured
How GitHub (no longer) Works
holman
316
150k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Site-Speed That Sticks
csswizardry
13
1.2k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
370
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
420
Designing for Performance
lara
611
70k
Everyday Curiosity
cassininazir
0
250
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
190
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
63
55k
Building a Scalable Design System with Sketch
lauravandoore
463
34k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Transcript
Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April
26, 2015 @kylemaxwell http://goo.gl/oPQ8k2
What I Do Incident Response Threat Intelligence
What I Don’t Do Application Security Penetration Testing
Areas of Interest Reverse-engineer malware Analyze incidents for trends Track
bad guys
Triage Malware What is it? ➔ hashing ➔ IOC matching
What does it do? ➔ behavioral analysis
Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to
fetch malware Viper [ viper.li ] ➔ store and classify malware
Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at
it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware
Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure
Attribution (with caveats) Describe methods
All About the APIs
Passive DNS What resolutions were seen, and when?
WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains
with same registrant
Image credit The MITRE Corporation STIX
VERIS Image credit Verizon Communications
Python Bindings # extra changes to the template for this
specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science Statistics! Image credit Kevin Thompson (@bfist)
So much else! ➔ Log analysis ➔ Web interfaces ➔
Forensic examinations ➔ Red teaming / pentesting
What you can do Image credit David Whittaker (@rundavidrun)
Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from
www.flaticon.com and used under Creative Commons license