from soc to analyst bridging automated and manual analyses
play

From SOC to Analyst: bridging automated and manual analyses - PowerPoint PPT Presentation

Jun 15, 2023 •19 likes •89 views

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

  1. From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphaël Rigo

  2. Typical (ideal) workflow of a malware sample reverser binary SOC CERT “special” malware malware SOC Security Operations Center CERT Computer Emergency Response Team “Special” malware • Unknown, Targeted, Complex • Anything not handled automatically ? Our tools • Tools for automated malware analysis and triage, for SOC & CERT (bnew) • Tools for manual analysis by reverser – including our own, BinCAT R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  3. Links to the seminar issues The end of the chain “When automated processing ends/fails/is not sufficient” Overall issue • Sometimes a human is needed • = ⇒ what be done to help the human be more efficient ? End goals for the analyst • IOCs • automated tools for families to integrate in the SOC chain: • static unpackers • config extractors R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  4. Analyst view Which information from the automated process (SOC) can be presented to the analyst ? • generically unpacked sample • interesting code parts (in IDA) ? : • potential crypto loops (cf. IDAScope, crypton) • deobfuscated/decrypted strings • annotated trace (cf. pTra, MazeWalker) • visualization methods: bitmaps, dynamic graphs, etc. Helpful properties: • resolve indirect calls (C++ !) • dead code (no need to reverse) R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  5. Challenges (helping the analyst) Special cases for “usual” malwares: • complex packers: VMProtect-ed packed samples • obfuscation Other complex (“unusal”) cases: • implants/rootkits (harder to analyse dynamically): • Secure boot bypass (SMM code ?) • jailbreaks • rootkits (drivers) • embedded/network devices exploits/implants • vulnerability and exploit analysis: • need to analyse complex software behaviour • understand vulnerability to create efficient signatures • all in memory code (no imports, everything dynamic) R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  6. Room for improvements: tooling Manual reversing • interactive • integrated into IDA (for low level properties) • easy to install / use Ex: Ponce, IDAscope, BinCAT ;) For automated (static) handling • scriptable (of course) • versatile/expressive • OS agnostic Ex: Miasm R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  7. BinCAT • demo • slides R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Adding Value to Automated Web Scans Burp Suite and Beyond Automated Scanning vs Manual Tes;ng Manual Tes;ng Tools/Suites At MSU -

837 views • 22 slides
Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is

Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is

Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is available for download (free) from Pony Club WA Gear Checking page Follow these steps to get there: 1. Pony Club WA website 2. Resources 3. Club

461 views • 10 slides
Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function

Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function

Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function Manual waitlist activates when enrollment cap reached. Slot is reserved for waitlist student when enrollment drops below cap. Departments

461 views • 22 slides
Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach Sergio Segura 1 , Robert M. Hierons 2 , David Benavides 1 and Antonio Ruiz-Corts 1 1 Department of Computer Languages and Systems, Univesity of

330 views • 28 slides
Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation Hongzhi Wang PhD, Prasanth Prasanna MD, Jose Morey MD, Tanveer F. Syeda-Mahmood PhD Medical Sieve Group, IBM Almaden Research Center Anatomy

469 views • 18 slides
GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira

GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira

GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira Supervisor: Prof. Rodrigo Rocha Gomes e Souza Department of Computer Science Federal University of Bahia 1 Introduction User experience as rising

453 views • 27 slides
GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated Instrumentation Adisak Pochanayon : adisak@wbgames.com Principal Software Engineer, Mortal Kombat Team Netherrealm Studios (WB Games Chicago) This

366 views • 9 slides
An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric,

An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric,

An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric, Stas Negara, Owolabi Legunsen, and Darko Marinov ASE 2014 Vsters, Sweden September 18, 2014 ITI RPS #28 CCF-1012759, CCF-1439957

762 views • 26 slides
Program Realisation 2 Todays Topics Unit testing, manual versus automated

Program Realisation 2 Todays Topics Unit testing, manual versus automated

Program Realisation 2 Todays Topics Unit testing, manual versus automated http://www.win.tue.nl/hemerik/2IP20/ ADT relationships: Lecture 4 Multiple implementations of the same ADT contract Kees Hemerik Generalization,

181 views • 7 slides
Automated Observation 4 4 Automated Observation what when what to observe to observe to

Automated Observation 4 4 Automated Observation what when what to observe to observe to

Asserting Expectations Andreas Zeller 1 Search in Time variables During execution, the state becomes infected. time Basic idea: Observe a transition from sane to infected. 2 2 Manual Observation 3 3 Automated

450 views • 15 slides
Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36)

Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36)

AASHTO Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36) Manual and Automated Methods Automated Faulting Program Accuracy and Precision Conclusion AASHTO TECHNOLOGY IMPLEMENTATION GROUP

731 views • 16 slides
Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading

Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading

Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading of Approximately 15 15,445 45 Natural Gas Meters and 14, 4,665 65 Water Meters Each Month. Meters are Read By Five Meter Readers in 6 Cycles

416 views • 38 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC

ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC

ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC Joerg Guettner, Lead Statistical Analyst, Bayer Pharma, Wuppertal, Germany Alexandru Cuza, Project Statistical Programmer UCB Biosciences, Monheim,

174 views • 15 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via Templates Nuno Amlio, Christian Glodt, Frederico Pinto, Pierre Kelsen University of Luxembourg Introduction Manual code development is expensive

243 views • 21 slides
Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017

Merge Strategies for Merge-and-Shrink Masters Thesis Daniel Federau 13th February 2017 Introduction Merge-and-Shrink Evaluation of Merge Strategies Implementation Conclusion Motivation An important factor for the performance of

489 views • 22 slides
An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle

Background Evaluation An Analysis of Merge Strategies for Merge-and-Shrink Heuristics Silvan Sievers Martin Wehrle Malte Helmert University of Basel Switzerland June 15, 2016 Background Evaluation Outline Background 1 Evaluation 2

413 views • 23 slides
Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent

Overengineered : 1337 * crackme- 100 Generated by machines for machines Camille MOUGEY Florent MONJALET Commissariat lnergie Atomique et aux nergies alternatives Direction des Applications Militaires 17 novembre 2017 Guidelines :

672 views • 49 slides
Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan,

Playing with Binary Analysis Deobfuscation of VM based software protection Jonathan Salwan, Sbastien Bardin and Marie-Laure Potet SSTIC 2017 Topic Binary protection Virtualization-based software protection Automatic

933 views • 72 slides
Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik

Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Grtz Institute for IT-Security Bochum, Germany About me Playing with InfoSec since 2010 Currently in academia

1.13k views • 84 slides
Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International

Soundfield Navigation using an Array of Higher-Order Ambisonics Microphones AES International Conference on Audio for Virtual and Augmented Reality September 30th, 2016 Joseph G. Tylka (presenter) Edgar Y. Choueiri 3D Audio and Applied

441 views • 22 slides
Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick

Channel Compensation for Speaker Recognition Using MAP Adapted PLDA and Denoising DNNs Frederick Richardson, Brian Nemsick and Douglas Reynolds Odyssey 2016 June 22, 2016 This work was sponsored by the Department of Defense under Air Force

413 views • 18 slides
Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows

Recording Slides and Webcam PowerPoint (O365) and Streaming (O365) This method of capture allows the recording of audio and video ( via webcam ) and slides together which can be shared with students. Its not a live broadcast and can be used

404 views • 11 slides

More recommend