Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Using Python to Fight Cybercrime
Search
Kyle Maxwell
April 26, 2015
Technology
2
220
Using Python to Fight Cybercrime
A survey of the ways I use Python as a DFIR / threat intel professional
Kyle Maxwell
April 26, 2015
Tweet
Share
More Decks by Kyle Maxwell
See All by Kyle Maxwell
In the Lair of the Beholder
krmaxwell
0
97
Incident Patterns
krmaxwell
0
400
Hackertainment
krmaxwell
1
220
Threat Intelligence for Incident Response
krmaxwell
0
170
From Minion to Engineer
krmaxwell
0
120
Why XOR Crypto Sucks
krmaxwell
0
210
Open Source Threat Intelligence - Shakacon
krmaxwell
1
880
Secure Blogging
krmaxwell
0
140
Grabbing fresh evil bits: Maltrieve
krmaxwell
1
150
Other Decks in Technology
See All in Technology
ペアプログラミングにQAが加わった!職能を超えたモブプログラミングの事例と学び
tonionagauzzi
1
140
caching_sha2_passwordのはなし
boro1234
0
210
日本MySQLユーザ会ができるまで / making MyNA
tmtms
1
360
Keynote - KCD Brazil - Platform Engineering on K8s (portuguese)
salaboy
0
120
Amazon GuardDuty Malware Protection for Amazon S3を使おう
ryder472
2
100
年末調整プロダクトの内部品質改善活動について
kaomi_wombat
0
200
IAMのマニアックな話 2025 ~40分バージョン ~
nrinetcom
PRO
8
910
Amazon EKS Auto ModeでKubernetesの運用をシンプルにする
sshota0809
0
110
Multitenant 23ai の全貌 - 機能・設計・実装・運用からマイクロサービスまで
oracle4engineer
PRO
2
120
セマンティックレイヤー入門
ikkimiyazaki
8
3.2k
アプリケーション固有の「ロジックの脆弱性」を防ぐ開発者のためのセキュリティ観点
flatt_security
25
9.3k
SaaSプロダクト開発におけるバグの早期検出のためのAcceptance testの取り組み
kworkdev
PRO
0
430
Featured
See All Featured
Thoughts on Productivity
jonyablonski
69
4.5k
A Tale of Four Properties
chriscoyier
158
23k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Documentation Writing (for coders)
carmenintech
69
4.7k
Facilitating Awesome Meetings
lara
53
6.3k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
7
620
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
We Have a Design System, Now What?
morganepeng
51
7.5k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
Docker and Python
trallard
44
3.3k
Optimising Largest Contentful Paint
csswizardry
35
3.2k
Transcript
Using Python to Fight Cybercrime Kyle Maxwell, PyData Dallas April
26, 2015 @kylemaxwell http://goo.gl/oPQ8k2
What I Do Incident Response Threat Intelligence
What I Don’t Do Application Security Penetration Testing
Areas of Interest Reverse-engineer malware Analyze incidents for trends Track
bad guys
Triage Malware What is it? ➔ hashing ➔ IOC matching
What does it do? ➔ behavioral analysis
Manage Malware Maltrieve [ maltrieve.org ] ➔ web crawler to
fetch malware Viper [ viper.li ] ➔ store and classify malware
Cuckoo Sandbox [ cuckoosandbox.org ] “Throw any suspicious file at
it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.” Analyze Malware
Track bad guys Moving beyond technical indicators (IOCs) Enumerate infrastructure
Attribution (with caveats) Describe methods
All About the APIs
Passive DNS What resolutions were seen, and when?
WHOIS Historical: ➔ registrant changes over time Reverse: ➔ domains
with same registrant
Image credit The MITRE Corporation STIX
VERIS Image credit Verizon Communications
Python Bindings # extra changes to the template for this
specific campaign template['campaign_id' ] = "104874B4-3EC7-4B09-95F1-930F007487B0" template['reference' ] = "http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned- hurricane.html " template['reference' ] += ";http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx- capabilities/ " template['actor']['external'] = {'variety':['Unknown'], 'motive':['Espionage' ], 'country':['Unknown']} template['attribute' ] = {'integrity' :{'variety':['Software installation' ]}} template['discovery_method' ] = "Ext - monitoring service" template['plus']['timeline'] = {'notification' :{'day':6, 'month':8, 'year':2014}} template['timeline']['incident'] = {'year':2014, } template['notes'] = "Operation Poisoned Hurricane" template['summary'] = "Targeted malware campaign targeting Internet infrastructure providers, a media organization, a financial services company, and an Asian government organization." Code clipped from http://nbviewer.ipython.org/gist/blackfist/b7a3e5bfbae571d8e024
Data Science Statistics! Image credit Kevin Thompson (@bfist)
So much else! ➔ Log analysis ➔ Web interfaces ➔
Forensic examinations ➔ Red teaming / pentesting
What you can do Image credit David Whittaker (@rundavidrun)
Q&A @kylemaxwell || xwell.org github.com/krmaxwell Icons made by Freepik from
www.flaticon.com and used under Creative Commons license