Finding drive-by rookies using an automated active observation platform

Presented at VB2019, Oct. 3, 2019, 2 p.m. (30 minutes).

Drive-by download attacks remain a prominent cyber threat on the Internet today. For instance, we recently spotted new exploit kits such as the Azera, Radio and Lord exploit kits, all found during the summer of 2019. To continuously observe drive-by download attacks, one has to address some problems such as a chain of network access redirection and IP-based access control by ad-networks and exploit kits. It is thus difficult to understand the drive-by download attack landscape.

We have already released open-source tools for exploit kit-related threat analysis. Furthermore, we are operating an integrated platform for continuous observation of exploit kits. The primary objective of this platform is to help establish an independent view of the current cyber threat trends.

In this presentation, we will introduce the design, effectiveness and practical use cases of an automated active analysis platform for malicious traffic. Also, we will show the changes to the threat landscape over the last 10 months by using the results from our platform. In particular, we will talk about how we continue to discover and track new attack campaigns and exploit kits, such as the Fallout and Radio exploit kits.

Presenters:

• Rintaro Koike - NTT Security
  Rintaro Koike Rintaro Koike is a security analyst at NTT Security (Japan) KK. In addition, he is the founder of 'nao_sec' and a malicious traffic/script/document analyst. He was a speaker at the Japan Security Analyst Conference 2018/19 hosted by JPCERT/CC and has spoken at SECCON 2018 Conference, HITCON Community 2019 and Black Hat USA 2018 Arsenal.
• Yosuke Chubachi - Active Defense Institute, Ltd / nao_sec
  Yosuke Chubachi Yosuke Chubachi is Founder and CEO of Active Defense Institute, Ltd, Japan. He is also a member of nao_sec. His research interests are in system security and collecting cyber threat intelligence from the web. He has spoken at Black Hat Europe 2014, PacSec 2014 and Black Hat Asia 2015. He has been a lecturer at Security Camp (a national human resource development program in information security) since 2011 and a member of the SECCON (SECurity CONtest, the largest CTF organizer in Japan) operation team since 2012.

Links:

• https://www.virusbulletin.com/conference/vb2019/abstracts/finding-drive-rookies-using-automated-active-observation-platform
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf

Similar Presentations:

• Hackfest 2016 / Exploit Kits: The Biggest Threat You Know Nothing About
• BSidesLV 2019 / From EK to DEK: An Analysis of Modern Document Exploit Kits
• VB2016 / Inside Exploit Kits