Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Using Python to Fight Cybercrime
Search
Kyle Maxwell
April 26, 2015
Technology
2
230
Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
110
Incident Patterns
krmaxwell
0
440
Hackertainment
krmaxwell
1
230
Threat Intelligence for Incident Response
krmaxwell
0
200
From Minion to Engineer
krmaxwell
0
130
Why XOR Crypto Sucks
krmaxwell
0
220
Open Source Threat Intelligence - Shakacon
krmaxwell
1
900
Secure Blogging
krmaxwell
0
150
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
160
Other Decks in Technology
See All in Technology
20年以上続く PHP 大規模プロダクトを Kubernetes へ ── クラウド基盤刷新プロジェクトの4年間
oogfranz
PRO
0
180
テストプロセスにおけるAI活用 :人間とAIの共存
hacomono
PRO
0
160
SaaSに宿る21g
kanyamaguc
2
160
Phase07_実務適用
overflowinc
0
1.8k
品質を経営にどう語るか #jassttokyo / Communicating the Strategic Value of Quality to Executive Leadership
kyonmm
PRO
3
1.2k
Physical AI on AWS リファレンスアーキテクチャ / Physical AI on AWS Reference Architecture
aws_shota
1
130
AIエージェント×GitHubで実現するQAナレッジの資産化と業務活用 / QA Knowledge as Assets with AI Agents & GitHub
tknw_hitsuji
0
220
Phase09_自動化_仕組み化
overflowinc
0
1.6k
Bill One 開発エンジニア 紹介資料
sansan33
PRO
5
18k
FastMCP OAuth Proxy with Cognito
hironobuiga
3
190
夢の無限スパゲッティ製造機 #phperkaigi
o0h
PRO
0
360
イベントで大活躍する電子ペーパー名札を作る(その2) 〜 M5PaperとM5PaperS3 〜 / IoTLT @ JLCPCB オープンハードカンファレンス
you
PRO
0
200
Featured
See All Featured
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
118
110k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.3k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.6k
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.2k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
61
43k
Agile that works and the tools we love
rasmusluckow
331
21k
Claude Code のすすめ
schroneko
67
220k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.6k
Building an army of robots
kneath
306
46k
Reality Check: Gamification 10 Years Later
codingconduct
0
2.1k
Optimising Largest Contentful Paint
csswizardry
37
3.6k
Transcript
Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April
26, 2015 @kylemaxwell http://goo.gl/oPQ8k2
What I Do Incident Response Threat Intelligence
What I Don’t Do Application Security Penetration Testing
Areas of Interest Reverse-engineer malware Analyze incidents for trends Track
bad guys
Triage Malware What is it? ➔ hashing ➔ IOC matching
What does it do? ➔ behavioral analysis
Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to
fetch malware Viper [ viper.li ] ➔ store and classify malware
Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at
it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware
Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure
Attribution (with caveats) Describe methods
All About the APIs
Passive DNS What resolutions were seen, and when?
WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains
with same registrant
Image credit The MITRE Corporation STIX
VERIS Image credit Verizon Communications
Python Bindings # extra changes to the template for this
specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science Statistics! Image credit Kevin Thompson (@bfist)
So much else! ➔ Log analysis ➔ Web interfaces ➔
Forensic examinations ➔ Red teaming / pentesting
What you can do Image credit David Whittaker (@rundavidrun)
Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from
www.flaticon.com and used under Creative Commons license
krmaxwell
oogfranz
hacomono
kanyamaguc
overflowinc
kyonmm
aws_shota
tknw_hitsuji
sansan33
hironobuiga
o0h
you
twada
tammyeverts
marktimemedia
philnash
aleyda
rkaga
rasmusluckow
schroneko
zakiyama
kneath
codingconduct
csswizardry
![Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_5.jpg){kind=link}
![Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_6.jpg){kind=link}
