Notes from Belfast BSides 2017
Ain’t Nobody Got Time For That: Dynamic Malware Analysis for the Overworked Analyst
Presenter: Edmund Brumaghin
Software for lab
Setting up a malware lab? Here are some tools.
RegShot (registry snapshot, plus directory contents)
- Able to identify some IOCs
Process Hacker (real-time process/PID monitoring, colour-coded)
Process Monitor (filters for specific use cases can be found online)
Filewatch - Might not be this one.
Indicators of Compromise (IOCs)
Places to find IOCs and malware samples:
- Modern Honeypot Network (MHN)
- Quickly deploy honeypots
Open Source Intelligence (OSINT)
The Path To Self-Securing Software
Automatic identification of attack vectors from source code.
- Chomsky hierarchy of grammars
- Java parser creates an Abstract Syntax Tree (AST); can also generate new source code from it
- ANTLR (ANother Tool for Language Recognition)
- To parse a language, the parser needs that language's grammar
- The parser outputs the tree in JSON format, which other software can then consume
Create a Security Model
Create Engine to apply security model to project model (JSON from parser)
[Patent] Detect where data is going on the network and generate and apply firewall rules.
Security tests are currently automated, but the tests themselves are still written by hand.
Annotate code with the security flags.
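The pipeline sketched above (parser emits a JSON project model, an engine applies a security model to it and annotates the code with flags), as an added example and not the speaker's code: it uses Python's own ast module in place of a Java parser/ANTLR, and the rule set, sample source and flag names are constructed for illustration.

```python
import ast
import json

# Constructed sample input: a small module with a few security-relevant calls.
SAMPLE_SOURCE = '''
import os, subprocess, socket
def run(cmd):
    subprocess.call(cmd, shell=True)
def load(data):
    return eval(data)
def send(payload):
    s = socket.create_connection(("203.0.113.10", 4444))
    s.sendall(payload)
'''

def parse_to_json(source: str) -> dict:
    """Project model: parse source into an AST and round-trip it through JSON."""
    def to_dict(node):
        if isinstance(node, ast.AST):
            d = {"type": type(node).__name__}
            if hasattr(node, "lineno"):
                d["line"] = node.lineno
            for field, value in ast.iter_fields(node):
                d[field] = to_dict(value)
            return d
        if isinstance(node, list):
            return [to_dict(x) for x in node]
        return node  # str / int / bool / None leaves
    return json.loads(json.dumps(to_dict(ast.parse(source))))

# Security model (hypothetical): callee name as written in source -> security flag.
SECURITY_MODEL = {
    "eval": "code-injection",
    "subprocess.call": "command-injection",
    "socket.create_connection": "network-egress",
}

def callee_name(call: dict) -> str:
    """Rebuild 'a.b.c' from the JSON node of the function being called."""
    f = call["func"]
    if f["type"] == "Name":
        return f["id"]
    if f["type"] == "Attribute":
        return callee_name({"func": f["value"]}) + "." + f["attr"]
    return ""

def apply_model(tree: dict, model: dict) -> list:
    """Engine: walk the JSON model and emit (line, callee, flag) annotations."""
    findings = []
    def walk(node):
        if isinstance(node, dict):
            if node.get("type") == "Call" and callee_name(node) in model:
                findings.append((node["line"], callee_name(node), model[callee_name(node)]))
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(tree)
    return findings

def analyse(source: str = SAMPLE_SOURCE) -> list:
    return apply_model(parse_to_json(source), SECURITY_MODEL)
```

Each finding is a line-level annotation; the "network-egress" flag is the hook where the firewall-rule step would pick up the destination from the call's arguments.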