The Irrelevance of K-Bytes Detection - Building a Robust Pipeline for Malicious Documents

Presented at Black Hat Asia 2017, March 30, 2017, 3:30 p.m. (60 minutes)

Security teams must address the countless vulnerabilities in popular document formats like PDFs, Office files and legacy textual formats. This session will cover the best practices on how to build a document analysis pipeline including the pros and cons of true type detection, sandboxing, signatures, dynamic/static content inspection, isolation and content disarming and reconstruction. We will also cover the attackers view and the different evasion techniques of malicious payloads going through a carefully designed document analysis pipeline.<br><br> We suggest mandatory building blocks for designing such a pipeline: a mapping component to handle classification of byte arrays, a prepare component to support morphism to a more accurate file representation, analysis component to run the different heuristics, an isolation component and then a CDR component. And then finally a workflow that orchestrates and ties these components together to yield low false positive/negatives rate. <br><br> Real war stories will be shared including defining the right amount of tolerance for balancing between productivity, performance, vendor integration and success rates, future adaptability of the pipeline and practical implementation details.

Presenters:

  • Dor Knafo - Security Research Team Leader, Fireglass
    Dor Knafo leads the security research at FireGlass and is responsible for all malware, web attacks and reverse engineering research. Prior to FireGlass, Knafo spent five years in the IDF Intelligence as a security and research engineer.
  • Dan Amiga - CTO & Co-Founder, Fireglass
    Dan Amiga is the Co-Founder and CTO of FireGlass, a cybersecurity startup which commercializes military grade network security concepts into paradigm shifting enterprise security products. Amiga has spent years doing IT security in the IDF intelligence where he was focused on inventing and developing new security solutions that go far beyond firewalls, proxies or heuristic based anti-malware solutions. After moving to the private sector, Amiga has worked for the Microsoft Technology Center as a senior consultant for highly secure organizations, governments and critical infrastructure companies. He then moved to the energy giant Schneider Electric where he held the position of Chief Software Architect. Amiga has given talks in major international security and software conferences and is also an adjunct professor in the Interdisciplinary Center, Israel, teaching advanced cloud computing topics.

Links:

Similar Presentations: