1 I Know You Want Me - Unplugging PlugX Takahiro Haruyama / Hiroshi Suzuki Internet Initiative Japan Inc.
2 Who are we? Takahiro Haruyama Forensic Investigator & Malware Analyst Presenter & Hands-on Trainer SANS DFIR Summit, BlackHat USA/EU, CEIC, FIRST, RSA Conference JP, etc.. EnCase Certified Examiner since Hiroshi Suzuki Malware Analyst & Forensic Investigator Presenter & Hands-on Trainer Co-author of Haruyama s presentation of BlackHat USA/EU, FIRST, domestic conference in Japan (MWS, and others)
3 Overview Motivation Evolution of PlugX Parsing PlugX Config Associating PlugX samples with known targeted attack groups Classifying PlugX samples Finding relationships between PlugX groups and known attacker groups Wrap-up
5 What s PlugX? RAT used for targeted attacks Also known as Korplug/Gulpix/Sogu/Thoper/Destory RAT Acknowledged in earlier 2012 Trend Micro pointed out it was part of a campaign that has been since 2008  The author extends its implementation aggressively AlienVault identified the author?  AhnLab acquired PlugX builder/controller 
6 Motivation PlugX includes config data like PoisonIvy e.g., C2 hostname/ip/domain, installed service name/registry value The config information can be used for identifying attacker groups FireEye published the analysis result about PoisonIvy configs  So, what about PlugX? The author's continual update makes it difficult 10 config size versions frequently-changed encryption algorithms We tried to categorize PlugX samples in terms of attackers based on intelligence extracted from config data and code
7 EVOLUTION OF PLUGX
8 Type I: Behavior Summary create&run Dropper (exe) create load (DLL load order abuse) signed executable (exe) PlugX Loader (DLL) Cont.
9 Type I: Behavior Summary PlugX Loader (DLL) decrypt & decompress (Cont.) create & inject code (depend on config) 1 st injected process (e.g., svchost.exe) create & inject code Config Original PE (DLL) PlugX Payload(only resident in RAM) 2 nd injected process (msiexec.exe)
10 Type I: Encrypted Data Table
11 Type I: Config (Xsetting) C2 Setting protocol, port, hostname C2 Setting URL download C2 Setting from the URL Install Options type (service, registry, registered_by_loader) install folder path service name, registry value Others Proxy Setting stand alone flag (not inject code) code injection target mutex name
12 Type I: Downloading C2 Setting C2 Setting URL examples content.com/s/eg3qu sm8pl4iz49/index.txt 77 Download data from the URL and decode a string between DZKS and "DZJS"
13 Type I: Debug Strings Some samples include debug string file name function name version path etc Useful information for analysis
14 Type I: Debug Strings (Version Path)
15 Type I: Functions and Plugins Functions File/Registry operations Keylogging, screenshot, remote shell portscan, SQL command, etc Plugins install path + %d.plg (use LdrLoadShellcode to load)
16 Type I: Protocols Supported Protocols TCP, HTTP, UDP, ICMP (not implemented) Traffic data is encrypted the same algorithm as PlugX Payload dword value used as key (date?)
17 Type I: Bypassing UAC Dialog For default UAC setting Win7 machines (ConsentPromptBehaviorAdmin!= 2) PlugX: create msiexec.exe process and inject code to it msiexec.exe: abuse DLL load order to execute malicious code in sysprep.exe process sysprep.exe (privileged): run PlugX again
18 Type II: Summary Observed since 2013/3Q The differences Anti-reversing/forensic techniques Encryption algorithm changed Config extended More protocols ICMP DNS  (not sure) More functions e.g., network sniffing to steal proxy auth info Debug strings suppressed
19 Type II: Anti-reversing/forensic techniques PlugX payload MZ/PE signatures replaced by XV magic GULP in encrypted data table eliminated string obfuscation (decode/clear) massive API wrappers added for anti code diffing Type I Type II
20 Type I Type II: Encryption algorithm changed Type II
21 Type II: Config Extended magic word for message authentication multiple code injection targets (1 -> 4) configuration for screenshots
22 Type III: Summary Observed since mid 2012 It may be ancestor of Type I & II, but still evolving The differences Very different implementation from Type I & II no PlugX Payload, no encrypted data table More advanced anti-reversing string obfuscation (200->1000) code obfuscation Config shrunk C2 Setting/C2 Setting URL/Proxy Setting merged Recently Type II members (e.g., magic word) added TCP & HTTP supported
23 Type III: Code Obfuscation junk code inserted
24 Type III: DESTORY? Type III checks the consistency of its decrypted config If not successful, pop up a message The correct spelling seems to be DESTROY
25 executable loading PlugX encrypted data table Type I Type II Type III Comparison signed exe signed exe rundll32 Yes Yes (no GULP ) protocols TCP,HTTP,UDP TCP,HTTP,UDP, ICMP,DNS? Functions compared with Type I Debug Strings (Version Path) string obfuscation No TCP,HTTP - more much more sometimes rarely not at all No Yes Yes (much more) code obfuscation date dword value No No Yes , , , ,
26 PARSING PLUGX CONFIG
27 Related Works PlugXExtract for Type I  decrypt, but not parse plugxdecoder for Type I  decode PlugX traffic then extract encrypted artifacts (not parse) Volatility Plugin for Type I & II  decrypt then parse supported 6 config size versions 0xbe4, 0x150c, 0x1510, 0x1b18, 0x1d18, 0x2540
28 Implementation Type I & II Immunity Debugger script Search encrypted data table in injected process GULP signature for Type I PIC (Position Independent Code) for Type II Decrypt (&decompress if needed) config/original PE Parse config supported: 0x150C, 0x1510, 0x1B18, 0x1D18, 0x2540 Type III IDAPython script Deobfuscate strings and identify config decryption routine You need to specify the deobfuscation function Decrypt and parse config supported: 0x72C, 0x76C, 0x7AC, 0x840, 0xDF0
29 ASSOCIATING PLUGX SAMPLES WITH KNOWN TARGETED ATTACK GROUPS
30 Summary We analyzed over 150 samples About 30 samples do not contain configurations. These are DEMO version. So we classified other 123 samples at this time. Procedure Categorize samples into some groups 1. Make groups based on service name (registry value) except default service name (SxS, XXX, TVT) 1 group includes at least 4 samples 2. Merge groups by using following information C2 (IP address, hostname, domain, owner ) debug string (version path), date dword etc Check relations between the groups and published targeted attack reports Are they connected to famous targeted attack groups?
31 The Main Source of the Intelligence for the C2 Connection VirusTotal passive DNS https://www.virustotal.com/en/documentation/sear ching/ AlienVault Open Threat Exchange TEAM CYMRU IP to ASN Mapping https://www.team-cymru.org/services/ip-toasn.html Many targeted attack reports - Our internal Passive DNS and IP2DNS system dig, nslookup, whois command And other whois sites
32 CLASSIFYING PLUGX SAMPLES
33 Summary of PlugX Groups We found seven groups. *Sys group *Http group Starter group graphedt group WS group 360 group cochin group
34 *SYS GROUP
35 *Sys Group Some samples use *Sys as the service name.
36 *Sys Group Some another samples share the domain of *Sys group samples.
37 *Sys Group Some another samples share the domain of *Sys group samples.
38 *Sys Group This is the overall *Sys group.
39 *Sys Group Most samples of *Sys group use the same network. C2s are managed by the same domain owner.
40 WS GROUP
41 WS Group Some samples use WS as the service name.
42 WS Group This is the overall WS group.
43 WS Group Most samples of WS group use the same IP address. All samples of the WS group share these domains as the C2s.
44 *HTTP GROUP
45 *Http Group Some samples use *Http as the service name.
46 *Http Group Sample 16 and sample 24 use the same domain.
47 *Http Group Sample 13 and sample 69 use the same IP address.
48 *Http Group Sample 69 and sample 60, 61 have the same registry value.
49 *Http Group Sample 24 and sample 23, 53, 20 use *Gf value as the service name. And similar debug strings.
50 *Http Group Characteristics of the *Http group Some C2s are connected to the same network.
51 *Http Group Characteristics of the *Http group Some domains are managed by the same owner.
52 STARTER GROUP
53 Starter Group Some samples use Starter as the service name.
54 Starter Group Sample 71 and 56 use the same IP address. Sample 56 and several samples use the same domain.
55 Starter Group Sample 66 and several samples use the same domain. Sample 66 and other ones use the same IP address. Sample 26, 123 and 54 use the same domain.
56 Starter Group Sample 67 and several samples use the same IP address. Sample 52 and 18 use the same domain.
57 Starter Group Sample54, 55 and 56 use SxS[a-z] as the service name. And these samples use the same debug string.
58 Starter Group This is the overall Starter group.
59 GRAPHEDT GROUP
60 Graphedt Group Some samples use graphedt as the service name.
61 Graphedt Group This is the overall graphedt group.
62 Graphedt Group Graphedt group characteristics Most samples of the Graphedt group Some domains are managed by the same owner. The C2s belong to these networks.
63 360 GROUP
64 360 Group Some samples use 360 as the service name.
65 COCHIN GROUP
66 Cochin Group The subdomain of some samples includes cochin*.
67 FINDING RELATIONSHIPS BETWEEN PLUGX GROUPS AND KNOWN ATTACKER GROUPS
68 MAUDI OPERATION
69 Maudi Operation *Sys group and sample 97 connect to Maudi operation .
70 Maudi Operation The domain owners of *Sys group and sample 97 match this operation.
71 Maudi Operation Norman Shark said, Maudi operation targets Mongolian Korean Local Chinese interests and human rights activists
73 1.php A poison ivy sample of 1.php  connects to Starter group.
74 1.php 1.php may be related to APT1, zscaler said. flower-show.org targets Japan, China, Taiwan / USA relationship .
76 Sykipot The IP address of the C2 used by sample 62 belonging to WS group is the same as the one used by Sykipot .
77 Sykipot The companies attacked by this latest wave of Sykipot include, but aren t limited to, organizations in the following market sectors, primarily based in the US or UK:  Defense contractors Telecommunications Computer Hardware Chemical Energy Government Departments
78 Sykipot Another C2 of 1.php PosinIvy sample connects to This connects to Sykipot C2.
79 Sykipot Another C2 of 1.php PosinIvy sample connects to This connects to Sykipot C2.
81 menupass Graphedt group is actually the same as menupass . Some of our customers were targeted from menupass in Aug to Oct, 2013 .
83 APT1 The C2 of sample 55 belonging to Starter group is the same IP address as the one used by APT1 .
84 APT1 The C2 of the sample 88 has the same IP address as the one used by APT1.
85 APT1 Many C2s of APT1 samples and graphedt / WS group belong to the same network range.
86 APT1 Many C2 of APT1 samples and graphedt / WS group belong to the same network range.
87 APT1 Many C2 of APT1 samples and graphedt / WS group belong to the same network range.
88 APT1 Many C2 of APT1 samples and graphedt / WS group belong to the same network range.
89 APT1 Many C2 of APT1 samples and graphedt / WS group belong to the same network range.
91 Winnti The C2s of some samples are the same as the C2s used by Winnti  .
92 Winnti Those Winnti samples are also related to APT1.
93 Winnti Those Winnti samples are also related to APT1.
95 Hangover WS group is the same as Hangover group .
96 Hangover All samples of WS group connect to two domains. Those are the same as sample 62 s C2.
98 Night Dragon Sample 95 related to Winnti is also related to Night Dragon .
100 Ke3Chang Many C2s of *Http / Starter group and Ke3Chang  samples belong to the same network range.
102 ICEFOG Many C2s of *Http / Starter group and ICEFOG  samples belong to the same network range.
103 KHAAN QUEST
104 Khaan Quest 
105 Khaan Quest
106 Summary for relation We found some known attacker groups from PlugX samples.
108 Wrap-up Analyzed 3 types of PlugX samples Implemented PlugX config parsers for all types categorized samples into groups based on PlugX config and code Some groups are connected to known targeted attack groups The tools and results are available on BlackHat archives
109 Questions? Please scan your badges for evaluation surveys!
110 References  PlugX: New Tool For a Not So New Campaign <http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-newtool-for-a-not-so-new-campaign/>  Tracking down the author of the PlugX RAT <http://www.alienvault.com/open-threat-exchange/blog/tracking-downthe-author-of-the-plugx-rat>  ETSO APT Attacks Analysis <http://image.ahnlab.com/global/upload/download/documents/ pdf>  Poison Ivy: Assessing Damage and Extracting Intelligence <http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivyassessing-damage-and-extracting-intel.html>  PlugX "v2": meet "SController <http://blog.cassidiancybersecurity.com/post/2014/01/plugx-v2%3ameet-scontroller>  PLUGX - PAYLOAD EXTRACTION <http://www.contextis.com/research/white-papers/plugx-payloadextraction/>  plugxdecoder <https://github.com/kcreyts/plugxdecoder> 110
111  The Chinese Malware Complexes : The Maudi Surveillance Operation <http://normanshark.com/wp-content/uploads/2013/06/normanshark- MaudiOperation.pdf>  Alleged APT Intrusion Set: 1.php Group <http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.p df>  Jul 5 CVE PDF invitation.pdf with Poison Ivy from pu.flower-show.org <http://contagiodump.blogspot.jp/2011/07/message-targeting-experts-onjapan.html>  The Sykipot Attacks References (Cont.) <http://www.symantec.com/connect/blogs/sykipot-attacks>  Poison Ivy: Assessing Damage and Extracting Intelligence <http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf>  Internet Infrastructure Review (IIR) Vol.21 <http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol21_en.pdf> 111
112 References (Cont.)  APT1: Exposing One of China's Cyber Espionage Units <http://intelreport.mandiant.com/mandiant_apt1_report.pdf>  Winnti More than just a game - Securelist <https://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-agame pdf>  The rush for CVE a hot commodity <http://www.securelist.com/en/blog/ /the_rush_for_cve_2013_39 06_a_hot_commodity>  Exploit Proliferation: Additional Threat Groups Acquire CVE <http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploitproliferation-additional-threat-groups-acquire-cve html>  Command and Control in the Fifth Domain <http://www.commandfive.com/papers/c5_apt_c2inthefifthdomain.pdf>  Operation Ke3chang - Targeted Attacks Against Ministries of Foreign Affairs <http://www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf> 112
113 References (Cont.)  THE ICEFOG APT: A TALE OF CLOAK AND THREE DAGGERS <http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf>  Khaan Quest: Chinese Cyber Espionage Targeting Mongolia <http://www.threatconnect.com/news/khaan-quest-chinese-cyber-espionagetargeting-mongolia/> 113
G DATA SECURITYLABS CASE STUDY OPERATION TOOHASH HOW TARGETED ATTACKS WORK CONTENTS Executive Summary... 2 The Malware used 2 Information Stealing 2 Campaign Analysis... 3 Targets 3 Spear Phishing Campaign
The Nitro Attacks Stealing Secrets from the Chemical Industry Eric Chien and Gavin O Gorman Contents Introduction... 1 Targets... 1 Attack methodology... 2 Geographic Spread... 3 Attribution... 4 Technical
A perspective to incident response or another set of recommendations for malware authors Alexandre Dulaunoy - TLP:WHITE email@example.com June 7, 2013 CIRCL, national CERT of Luxembourg CIRCL
Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor Principal Malware Researcher 1 Honourable mentions: 2010. Stuxnet digitally signed drivers: stolen certificate June 2012.
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
PEERING INTO GLASSRAT A Zero Detection Trojan from China Authors: Kent Backman, primary research Jared Myers, contributing Chris Ahearn, contributing Maor Franco, contributing Peter Beardmore, contributing
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
A Study on the Live Forensic Techniques for Anomaly Detection in User Terminals Ae Chan Kim 1, Won Hyung Park 2 and Dong Hoon Lee 3 1 Dept. of Financial Security, Graduate School of Information Security,
Disclaimer: All Information is derived from Mandiant consulting in a non-classified environment. Case Studies are representative of industry trends and have been derived from multiple client engagements.
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A firstname.lastname@example.org A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
A Cloud Security Primer : WHAT ARE YOU OVERLOOKING? LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed
G Data Red Paper 2014 Uroburos Highly complex espionage software with Russian roots G Data discovers alleged intelligence agency software G Data SecurityLabs Contact: email@example.com Red Paper_February-2014
From Georgia, with Love Win32/Georbot Is someone trying to spy on Georgians? At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that
Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report About this Report This report was compiled and published by the Tespok icsirt in partnership with the Serianu Cyber Threat Intelligence
5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious
Evolving Threat Landscape Briefing Overview Changing Threat Landscape Profile of the Attack Bit9 Solution Architecture Demonstartion Questions Growing Risks of Advanced Threats APT is on the rise 71% increase
Course: Malicious Network Traffic Analysis Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: There are a tremendous amount of network based attacks to be aware of on the internet
Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant What infrastructure security really means? Infrastructure Security is Making sure that your system services are always running
CopyKittens Attack Group Version 1.0 23/11/2015 All Rights Reserved To Minerva Labs LTD and ClearSky Cyber Security, 2015 Contents Executive Summary... 3 The Group Attack Cycle... 4 Step One Spear Phishing...
Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)
Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
Trend Micro Incorporated Research Paper 2012 Adding Android and Mac OS X Malware to the APT Toolbox Contents Abstract... 1 Introduction... 1 Technical Analysis... 2 Remote Access Trojan Functionality...
CENTER FOR ADVANCED SECURITY TRAINING 619 Advanced SQLi Attacks and Countermeasures Make The Difference About Center of Advanced Security Training () The rapidly evolving information security landscape
Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels What Goes Around Comes Back Around! Aditya K Sood Senior Security Researcher and Engineer 1 Dr. Aditya K Sood About the Speaker! Senior
WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities
ThreatSpike Dome: A New Approach To Security Monitoring 2015 ThreatSpike Labs Limited The problem with SIEM Hacking, insider and advanced persistent threats can be difficult to detect with existing product
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number
H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security
Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
Unknown threats in Sweden Study publication August 27, 2014 Executive summary To many international organisations today, cyber attacks are no longer a matter of if but when. Recent cyber breaches at large
Let s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service Ashley@teamt5.org Ashley Ashley Shen Threat Analyst in Team T5 APT research, Malware analysis Malicious Document Detection
When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński 1 Agenda Spear-Fishing the new CEO Fear How to Fight Spear-Fishing It s All About the Data Evolution of the bad guys
Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful
Trend Micro Worry- Free Business Security 8.0 WFBS installation best practise, preparations and how to Preparation for 2008 Server IIS: Configuring the required Internet Information Services (IIS) roles
RSA Incident Response incident response RSA Incident Response: Threat Detection Techniques - Point of Sale Attacks RSA Security January 2014 RSA Threat Detection Techniques - - Point of Sale Attacks Table
Threat Advisory: Accellion File Transfer Appliance Vulnerability Niara Threat Advisories provide timely information regarding new attacks along with how Niara helps companies quickly detect an attack to
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some
ASEC REPORT VOL.29 2012.06 AhnLab Monthly Security Report Disclosure to or reproduction for others without the specific written authorization of AhnLab is prohibited. Copyright (c) AhnLab, Inc. All rights
Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing
Using big data analytics to identify malicious content: a case study on spam emails Mamoun Alazab & Roderic Broadhurst Mamoun.firstname.lastname@example.org http://cybercrime.anu.edu.au 2 Outline Background Cybercrime
RSA Incident Response incident response RSA Incident Response: An APT Case Study RSA Security 8 April 2015 RSA Incident Response Case Study Table of Contents 1. Executive Summary... 5 2. Security Analytics
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
Post-Access Cyber Defense Dr. Vipin Swarup Chief Scientist, Cyber Security The MITRE Corporation November 2015 Approved for Public Release; Distribution Unlimited. 15-3647. 2 Cyber Security Technical Center
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
DATA SHEET What Darktrace Finds Darktrace finds anomalies that bypass other security tools, due to the uniqueness of the Enterprise Immune System, capable of detecting threats without reliance on rules,
ZeroAccess James Wyke SophosLabs UK Abstract ZeroAccess is a sophisticated kernel-mode rootkit that is rapidly becoming one of the most widespread threats in the current malware ecosystem. ZeroAccess ability
Keeping Eyes on Malicious Websites ChkDeface against Fraudulent Sites Hiroshi KOBAYASHI, Takayuki UCHIYAMA Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) Agenda Background Increase
GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS Joe Goldberg Splunk Session ID: SPO-W09 Session Classification: Intermediate About Me Joe Goldberg Current: Splunk - Security Evangelist
Game changing Technology für Ihre Kunden Thomas Bürgis System Engineering Manager CEE Threats have evolved traditional firewalls & IPS have not Protection centered around ports & protocols Expensive to
SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users
Websense Web Security Gateway: What to do when a Web site does not load as expected Websense Support Webinar November 2011 web security data security email security Support Webinars 2009 Websense, Inc.
Abuse and Prevention Stanford University Stanford Computer Security Lab TrackBack Spam: Introduction Many users nowadays post information on cloud computing sites Sites sometimes need to link to each other
The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,
BANDWIDTH METER FOR HYPER-V NEW FEATURES OF 2.0 The Bandwidth Meter is an active application now, not just a passive observer. It can send email notifications if some bandwidth threshold reached, run scripts
Blind Spot Analysis Finding RAT Communications through Entropy and Analytics Customer Profile EMC CIRC ANDREW RUTKIEWICZ Principle IT Security Analyst Numerical weakness comes from having to prepare against
Insecurity breeds at home - Vulnerabilities in SOHO routers Amrita Center for Cyber Security Amrita University Small Office Home Office(SOHO) Routers 2 Problem at hand No technology available to detect/prevent
Copyright 2014 Splunk Inc. Security & Threat Detection: Go Beyond Monitoring Philip Sow, CISSP Sales Engineering Manager SEA Security: We have come a long way.. FIG 1: New Malware Sample Over Years Advanced
APT Advanced Persistent Threat Time to rethink? 23 November 2012 Gergely Tóth Senior Manager, Security & Privacy Agenda APT examples How to get inside? Remote control Once we are inside Conclusion 2 APT
April 2007 About RemotelyAnywhere... 2 About RemotelyAnywhere... 2 About this Guide... 2 Installation of RemotelyAnywhere... 2 Software Activation...3 Accessing RemotelyAnywhere... 4 About Dynamic IP Addresses...
The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery
Palo Alto Networks October 6 Agenda Malware Trends by the numbers Protect Locally Share Globally Delivery methods 21.5% ~14% OF MALWARE HAS BEEN DELIVERED OVER APPS OTHER THAN WEB AND EMAIL IN 2015 8.2%
Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative
APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist email@example.com Specialties: Routing &
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: firstname.lastname@example.org