OSINT Barn Cat: Mining Malware for Intelligence at Scale

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 19, 2015, 2:50 p.m. (50 minutes).

According to Virus Total, on January 4th, 2015 they received over 500,000 samples of potential malware per day. At times this has peaked to over 1,000,000. The shear deluge of unique malware samples makes it difficult for incident responders to keep up to protect their networks. Even more difficult is the task to investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations. OSINT Barn Cat was designed to help deal with this problem. This system analyzes incoming streams of malware to identify known malware and then strip out the configurations from them to produce near time intelligence of known malware command-and-control hostnames and IP addresses. The goal is to create automated surveillance tools that can monitor criminal infrastructure to make it easy for incident handlers to identify problems on their network, for security analysts to protect their networks and for law enforcement to have reliable near-time information for their operations. This talk will discuss how the tool generates information and what the possibilities hold for this kind of analysis.

Presenters:

  • John Bambenek - Fidelis Cybersecurity & SANS Internet Storm Center
    John Bambenek is a Sr. Threat Analyst with Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.

Links:

Similar Presentations: