The New Hotness - Hunting for Code Similarity at Scale

Presented at Summercon 2018, June 30, 2018, 3 p.m. (50 minutes).

Researching digital espionage involves a steep and unforgiving learning curve. Techniques come in waves, some more promising than others, be it proprietary sandboxes, YARA retrohunting, passive DNS analysis, or malware investigation platforms. Entire companies and niche industries have spawned to help researchers further their hunting at scale. The new hotness is code similarity analysis. By homing in on the particularities of a malware developer's coding conventions and build setup, and on their lazy reuse of code, researchers can identify clusters of shared activity. At scale, this technique yields fascinating results in otherwise unattributable cases. However, it has also proven a treacherous and uncertain technique, as edge cases require manual analysis to avoid silly mistakes. And don't forget, threat hunting involves a puzzle that fights back: just as we are testing and building up this new technique, adversaries have already begun to subvert its promise and turn it against us. Let's discuss the secrets and intricacies of this New Hotness.
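To make the workflow in the abstract concrete, here is a toy Python version of a code-similarity hunt. It is an added illustration, not code from the talk or from the presenter's own tooling: each "binary" is a list of functions, each function a byte string; functions are fingerprinted with byte n-grams, two functions count as "the same" when their Jaccard similarity clears a threshold, two samples are linked when they share enough functions, and linked samples are clustered with union-find. The byte strings, the sample names, the "clean corpus" and the thresholds are all constructed for the example. The second run shows the silly mistake the abstract warns about: a runtime stub that every binary carries links everything into one cluster unless library code is filtered out first.

```python
"""Toy code-similarity hunt with a boilerplate filter (added example, constructed data)."""
from itertools import combinations

N = 4               # byte n-gram size used to fingerprint a function
FUNC_MATCH = 0.8    # Jaccard threshold for "same function" (assumed)
SAMPLE_LINK = 0.25  # share of functions two samples must have in common (assumed)


def ngrams(code: bytes) -> frozenset:
    """Fingerprint a function as the set of its byte n-grams."""
    return frozenset(code[i:i + N] for i in range(len(code) - N + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; identical sets score 1.0."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def is_boilerplate(fp: frozenset, clean_fps) -> bool:
    """A function that matches anything in the clean corpus is library/runtime code."""
    return any(jaccard(fp, c) >= FUNC_MATCH for c in clean_fps)


def shared_fraction(a_fps, b_fps) -> float:
    """Fraction of the smaller sample's functions that match a function in the other."""
    if not a_fps or not b_fps:
        return 0.0
    small, large = (a_fps, b_fps) if len(a_fps) <= len(b_fps) else (b_fps, a_fps)
    hits = sum(1 for f in small if any(jaccard(f, g) >= FUNC_MATCH for g in large))
    return hits / len(small)


def cluster(samples: dict, clean_corpus=(), filter_boilerplate=True):
    """Return sorted clusters (lists of sample names) linked by shared code."""
    clean_fps = [ngrams(f) for f in clean_corpus]
    fps = {}
    for name, funcs in samples.items():
        fl = [ngrams(f) for f in funcs]
        if filter_boilerplate:
            fl = [f for f in fl if not is_boilerplate(f, clean_fps)]
        fps[name] = fl

    parent = {n: n for n in samples}  # union-find over sample names

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if shared_fraction(fps[a], fps[b]) >= SAMPLE_LINK:
            parent[find(a)] = find(b)
    groups = {}
    for n in samples:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


# Constructed "functions": distinct byte runs standing in for compiled code.
CRT_STUB = bytes(range(0, 48))           # runtime stub every binary carries
A_CRYPTO = bytes(range(100, 148))        # developer A's custom cipher routine
A_CRYPTO_V2 = bytearray(A_CRYPTO)        # same routine with a one-byte patch
A_CRYPTO_V2[20] = 0xFF
A_CRYPTO_V2 = bytes(A_CRYPTO_V2)
A_BEACON = bytes(range(160, 208))        # developer A's C2 beacon
B_LOADER = bytes(range(208, 256))        # developer B's loader
B_PERSIST = bytes(range(50, 98))         # developer B's persistence routine
UNIQ1 = bytes(range(255, 207, -1))       # one-off functions, no reuse
UNIQ2 = bytes(range(150, 102, -1))
UNIQ3 = bytes(range(97, 49, -1))
UNIQ4 = bytes(range(200, 152, -1))

SAMPLES = {
    "s1": [CRT_STUB, A_CRYPTO, A_BEACON, UNIQ1],
    "s2": [CRT_STUB, A_CRYPTO_V2, UNIQ2],
    "s3": [CRT_STUB, B_LOADER, B_PERSIST, UNIQ3],
    "s4": [CRT_STUB, B_PERSIST, UNIQ4],
}
# Constructed benign binaries used to learn what "library code" looks like.
CLEAN_CORPUS = [CRT_STUB, bytes(range(0, 96, 2)), bytes(range(1, 97, 2))]

if __name__ == "__main__":
    print("naive:   ", cluster(SAMPLES, CLEAN_CORPUS, filter_boilerplate=False))
    print("filtered:", cluster(SAMPLES, CLEAN_CORPUS))
```

The naive run collapses all four samples into one cluster because the shared runtime stub alone clears the link threshold; the filtered run recovers the two developer clusters, and the one-byte patch in s2's cipher routine still matches s1's. Production pipelines work on disassembly-derived features (normalized instruction sequences, function hashes) rather than raw bytes, and the same two failure modes apply there: shared library or compiler code inflates similarity, and an adversary who deliberately copies another group's function plants exactly the link this approach trusts.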


Presenters:

  • Juan Andrés Guerrero-Saade
    Juan Andrés Guerrero-Saade is Principal Security Researcher at Recorded Future's Insikt Group. Before joining Recorded Future, he worked as Principal Security Researcher at Kaspersky's GReAT and served as Senior Cybersecurity and National Security Advisor to the President of Ecuador. His latest publications include 'The Ethics and Perils of APT Research: An Unexpected Transition Into Intelligence Brokerage', 'Wave your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks', and 'Walking in Your Enemy's Shadow: When Fourth-Party Collection Becomes Attribution Hell' @juanandres_gs
