An Adversarial View of SaaS Malware Sandboxes

Presented at BSidesLV 2016, Aug. 2, 2016, 5 p.m. (55 minutes)

Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed security analysts' workflow, extract indicators of compromise (IOCs), and to gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard?

In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider based on the network? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately threat intelligence feeds? In this talk, we will answer all these questions and more.

Presenters:

• Aaron Shelmire
• Jason Trost - VP of Threat Research - Anomali, Inc.
  Jason Trost is the VP of Threat Research at Anomali, Inc. and leads Anomali Labs, the research team. He has worked in security for more than ten years, and he has several years of experience leveraging big data technologies for security data mining and analytics. He is deeply interested in network security, DFIR, honeypots, big data and machine learning. He is currently focused on building highly scalable systems for processing, analyzing, and visualizing high speed network/security events in real-time as well as systems for analyzing massive amounts of malware. He is a regular attendee of Big Data and security conferences, and he has spoken at Blackhat, SANS CTI Summit, BSidesSF, BSidesLV, BSidesDC, BSidesNYC, FloCon, and Hadoop Summit. He has contributed to several security and big data related open source projects including the Modern Honey Network (MHN), BinaryPig, ElasticSearch, Apache Accumulo, and Apache Storm. He has held senior technical positions with the U.S. Department of Defense, Booz Allen Hamilton, and Endgame Inc.

Links:

• https://bsideslv2016.sched.com/event/7gre/an-adversarial-view-of-saas-malware-sandboxes

Similar Presentations:

• VB2016 / Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in your Virtualized Environment
• DEF CON 24 (2016) / Escaping The Sandbox By Not Breaking It
• BSidesDC 2015 / An Adversarial View of SaaS Malware Sandboxes