Incident Response Response

Presented at THOTCON 0x4 (2013), April 26, 2013, 11:30 a.m. (25 minutes).

Attackers intending to maintain persistence in a network need to keep their tools and malware away from prying eyes. We regularly detect and identify systems compromised during campaigns, then acquire and analyze the tools and malware used in the attack. We are the prying eyes. Common mistakes made by attackers get their intrusions noticed, and their persistence removed. As a result, the attacker's tool or piece of malware finds its way into our instances of IDA Pro. In this talk we examine common mistakes made by attackers during targeted attacks. We also present approaches to remedy these mistakes. We will be releasing an open source tool that aims to thwart the identification of an attacker's tools or malware on a compromised system, and is thus, a response to incident response.

Presenters:

• int0x80
  int0x80 is the rapper in Dual Core.
• Josh Schwartz / FuzzyNop   as FuzzyNop
  FuzzyNop is a guy who knows how to computer. As a child his parents always told him he should do computers and now he spends his free time making malware go backwards (aka reverse engineering malware). He is hopelessly addicted to CTF, and has competed in a number of CTFs including the US Cyber Challenge the past two years. This year his team won the DerbyCon CTF. At his day job he performs incident response and investigates intrusions related to targeted attacks, otherwise known as APT.

Similar Presentations:

• Black Hat USA 2014 / The State of Incident Response
• THOTCON 0x5 (2014) / Targeted Malware Final Form (APTrololol)
• BSidesLV 2016 / Don't Repeat Yourself: Automating Malware Incident Response for Fun and Profit