Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Using Python to Fight Cybercrime
Search
Kyle Maxwell
April 26, 2015
Technology
2
230
Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
110
Incident Patterns
krmaxwell
0
440
Hackertainment
krmaxwell
1
230
Threat Intelligence for Incident Response
krmaxwell
0
200
From Minion to Engineer
krmaxwell
0
120
Why XOR Crypto Sucks
krmaxwell
0
210
Open Source Threat Intelligence - Shakacon
krmaxwell
1
890
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
160
Other Decks in Technology
See All in Technology
Proxmoxで作る自宅クラウド入門
koinunopochi
0
170
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
6.8k
GitHub Copilot CLI 現状確認会議
torumakabe
10
3.3k
Riverpod3.xで実現する実践的UI実装
fumiyasac0921
1
140
Introduction to Sansan Meishi Maker Development Engineer
sansan33
PRO
0
340
旬のブリと旬の技術で楽しむ AI エージェント設計開発レシピ
chack411
1
300
Behind the Stream - How AbemaTV Engineers Build Video Apps at Scale
ygoto3
0
120
コミュニティが持つ「学びと成長の場」としての作用 / RSGT2026
ama_ch
2
420
The Engineer with a Three-Year Cycle
e99h2121
0
160
[Iceberg Meetup #4] ゼロからはじめる: Apache Icebergとはなにか? / Apache Iceberg for Beginners
databricksjapan
0
290
SOC2は、取った瞬間よりその後が面白い
3flower
0
140
Vivre en Bitcoin : le tutoriel que votre banquier ne veut pas que vous voyiez
rlifchitz
0
340
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
120k
The Cult of Friendly URLs
andyhume
79
6.8k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
0
1.1k
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
49
Ethics towards AI in product and experience design
skipperchong
2
180
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
150
Designing for Performance
lara
610
70k
Un-Boring Meetings
codingconduct
0
180
How to Talk to Developers About Accessibility
jct
1
100
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.1k
Leo the Paperboy
mayatellez
4
1.3k
Transcript
Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April
26, 2015 @kylemaxwell http://goo.gl/oPQ8k2
What I Do Incident Response Threat Intelligence
What I Don’t Do Application Security Penetration Testing
Areas of Interest Reverse-engineer malware Analyze incidents for trends Track
bad guys
Triage Malware What is it? ➔ hashing ➔ IOC matching
What does it do? ➔ behavioral analysis
Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to
fetch malware Viper [ viper.li ] ➔ store and classify malware
Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at
it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware
Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure
Attribution (with caveats) Describe methods
All About the APIs
Passive DNS What resolutions were seen, and when?
WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains
with same registrant
Image credit The MITRE Corporation STIX
VERIS Image credit Verizon Communications
Python Bindings # extra changes to the template for this
specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science Statistics! Image credit Kevin Thompson (@bfist)
So much else! ➔ Log analysis ➔ Web interfaces ➔
Forensic examinations ➔ Red teaming / pentesting
What you can do Image credit David Whittaker (@rundavidrun)
Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from
www.flaticon.com and used under Creative Commons license
krmaxwell
.jpeg){kind=avatar}
koinunopochi
weblyzard
torumakabe
fumiyasac0921
sansan33
chack411
ygoto3
ama_ch
e99h2121
databricksjapan
3flower
rlifchitz
garrettdimon
andyhume
aleyda
livdayseo
skipperchong
sstephenson
cassininazir
lara
codingconduct
jct
kastner
mayatellez
![Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_5.jpg){kind=link}
![Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at](https://files.speakerdeck.com/presentations/608c448ffdef40cfa17a6df00c7ba980/slide_6.jpg){kind=link}
