Want to Speed Up Triage and Incident Response? Speak Malware’s Language
What follows is adapted from a talk I gave at Cybersecurity World 2017.
When an attacker wants to steal information or money from you, the first thing they need is persistent access to your network. In practice that means command-and-control (C2) infrastructure that is both reliable and resilient to takedown.
How do they get that? One of the most common ways is to run both command and control and data exfiltration over the domain name system (DNS). DNS has to be allowed out of nearly every network and is seldom inspected closely, so it gives attackers the reliability and resilience they need. The good news for defenders is that this dependence cuts both ways: the domains an attacker has to resolve show up in your own logs, and watching them exposes the weak points in their infrastructure and shapes the best possible response.
I wrote about this in detail on the MISTI Training Institute website, and you can read my post here. In it, I explain:
- Why chasing down malware can feel like a game of whack-a-mole
- The value of an intrusion-focused approach to malware attacks
- How to use C2 to get between the attacker and the victim (your machine or network)
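To make the DNS point above concrete, here is an added example that is not code from the talk or from the MISTI post: a small detector that reads a DNS query log, aggregates queries by registered domain, and flags domains whose leftmost labels look like encoded data (long, high-entropy, never repeated, often TXT) rather than hostnames. Those flagged domains are exactly the C2 dependency you would then block, sinkhole or watch. The log layout (client IP, query type, query name per line), the thresholds, the "last two labels" domain cut and the sample log itself are all assumptions constructed for the example.

```python
"""Flag DNS query patterns that look like tunnelling or exfiltration.

Added example, not code from the talk or the MISTI post. The log format
(client_ip, query_type, query_name per line) and the thresholds are
assumptions chosen for illustration.
"""
import math
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdef")

# Constructed sample log. The .example TLD is reserved for documentation;
# none of these queries are real traffic.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A api.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.s1.badguy.example
10.0.0.7 TXT a7c1e3059b2d4f6886f4d2b9503e1c7a.s1.badguy.example
10.0.0.7 TXT 5b8e2a0f7c3d91644619d3c7f0a2e8b5.s1.badguy.example
10.0.0.7 TXT d4a91f6c0e83b572275b38e0c6f19a4d.s1.badguy.example
10.0.0.9 A www.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data tops out at 4.0, real words sit well below."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' cut (assumption). A real deployment would use the
    Public Suffix List so that something like co.uk is not treated as a domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def payload_label(qname: str) -> str:
    """Leftmost label if there is anything below the registered domain, else ''."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0] if len(labels) > 2 else ""


def analyze(log_text: str, min_queries: int = 3, min_entropy: float = 3.0,
            min_label_len: int = 12, min_distinct_ratio: float = 0.8) -> dict:
    """Aggregate per registered domain and mark the ones whose leftmost labels
    look like encoded data rather than hostnames."""
    buckets = defaultdict(lambda: {"clients": set(), "names": set(),
                                   "labels": [], "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qtype, qname = parts
        b = buckets[registered_domain(qname)]
        b["clients"].add(client)
        b["names"].add(qname.lower())
        b["labels"].append(payload_label(qname))
        if qtype.upper() == "TXT":
            b["txt"] += 1

    report = {}
    for dom, b in buckets.items():
        n = len(b["labels"])
        mean_entropy = sum(shannon_entropy(lbl) for lbl in b["labels"]) / n
        mean_len = sum(len(lbl) for lbl in b["labels"]) / n
        distinct_ratio = len(b["names"]) / n  # tunnels almost never repeat a name
        all_hex = all(lbl and set(lbl) <= HEX_DIGITS for lbl in b["labels"])
        suspicious = (n >= min_queries and mean_entropy >= min_entropy
                      and mean_len >= min_label_len
                      and distinct_ratio >= min_distinct_ratio)
        report[dom] = {
            "queries": n,
            "clients": sorted(b["clients"]),
            "txt_fraction": b["txt"] / n,
            "mean_entropy": round(mean_entropy, 3),
            "mean_label_len": mean_len,
            "distinct_ratio": distinct_ratio,
            # Rough size of data carried out if labels are hex: two chars per byte.
            "est_payload_bytes": sum(len(lbl) for lbl in b["labels"]) // 2 if all_hex else None,
            "suspicious": suspicious,
        }
    return report


def suspicious_domains(log_text: str) -> list:
    """Sorted list of registered domains the analysis flagged."""
    return sorted(d for d, r in analyze(log_text).items() if r["suspicious"])


if __name__ == "__main__":
    for dom, r in analyze(SAMPLE_LOG).items():
        flag = "SUSPECT" if r["suspicious"] else "ok"
        print(f"{flag:8} {dom:20} q={r['queries']} H={r['mean_entropy']} "
              f"len={r['mean_label_len']:.0f} txt={r['txt_fraction']:.2f} "
              f"bytes={r['est_payload_bytes']}")
```

On the constructed sample only badguy.example is flagged: example.com has the same number of queries but its labels (www, mail, api, cdn) are short and low-entropy, which is why volume alone is not a useful signal. Each of the four flags is a knob you should tune against your own resolver logs before trusting it; CDNs and some anti-spam services legitimately produce long, hash-like labels, so treat the output as a triage queue rather than a verdict.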
This session will look at some interesting research on the subject and offer practical approaches for engaging attackers once you have found them. We will look for other dependencies across their “kill chains” and show how to turn those dependencies against them. We will wrap up with a shared brainstorming session on how everyone in the audience can respond better when under attack.
Attendees will learn:
- Just how lopsided the odds are for a purely passive defender
- How “speaking malware” can speed up your forensics and incident response processes
- The technical and psychological benefits of observing and controlling an attacker
- How important humans are in both attacks and defense
- What you can do to empower the people in your organization to stay safe
If you’ll be at Cybersecurity World 2017, we hope you’ll come by to learn more about how you can speed up triage and incident response by speaking to malware and people.