Using Python to Fight Cybercrime

Transcript

1. Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April

   26, 2015 @kylemaxwell http://goo.gl/oPQ8k2

2. What I Do Incident Response Threat Intelligence

3. What I Don’t Do Application Security Penetration Testing

4. Areas of Interest Reverse-engineer malware Analyze incidents for trends Track

   bad guys

5. Triage Malware What is it? ➔ hashing ➔ IOC matching

   What does it do? ➔ behavioral analysis

6. Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to

   fetch malware Viper [ viper.li ] ➔ store and classify malware

7. Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at

   it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware

8. Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure

   Attribution (with caveats) Describe methods

9. All About the APIs

10. Passive DNS What resolutions were seen, and when?

11. WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains

    with same registrant

12. Image credit The MITRE Corporation STIX

13. VERIS Image credit Verizon Communications

14. Python Bindings # extra changes to the template for this

    specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024

15. Data Science Statistics! Image credit Kevin Thompson (@bfist)

16. So much else! ➔ Log analysis ➔ Web interfaces ➔

    Forensic examinations ➔ Red teaming / pentesting

17. What you can do Image credit David Whittaker (@rundavidrun)

18. Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from

    www.flaticon.com and used under Creative Commons license