Tuesday, June 28, 2016

Key points from "A year in the wild: fighting malware at the corporate level"

Key points from the BSides San Francisco 2016 video presentation by "Kubo Sendor", A year in the wild: fighting malware at the corporate level.

The full 33-minute video can be found here.

osquery
    ● kernel extensions
    ● user logins
    ● config file hashes
    ● browser extensions
    ● startup items
    ● launchd

Detection: various alert sources
    ● endpoint monitoring
      ○ antivirus
      ○ osquery
    ● network traffic monitoring
    ● SIEM (Security Information and Event Management)
    ● email (phishing, adware, popups, etc.)

ElastAlert rules
    ● frequency
    ● spikes
    ● flatline
    ● timeframes
  Alerts on data in Elasticsearch indexes.
  https://github.com/Yelp/elastalert

Spikes in DNS blocks
    ● False positive?
    ● Wrong OS?
    ● Who is it?
    ● How did that malware get there?
    ● Is the machine really infected?
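The three ElastAlert rule types listed above (frequency, spike, flatline) and the triage questions for a DNS-block spike are easy to see in miniature. The following is an added example, not code from the talk or from Yelp's ElastAlert: it evaluates the three rule shapes over a constructed log of blocked DNS lookups (invented hosts and domains, not indicators from the presentation) and then pulls together the facts an analyst needs before answering "who is it?" and "is the machine really infected?".

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: one row per DNS request the resolver blocked
# (timestamp, source host, requested domain). Hosts and domains are
# invented placeholders, not indicators from the talk.
SAMPLE_ROWS = [
    ("2016-06-28T09:01:00", "laptop-17", "bad.example"),
    ("2016-06-28T09:04:30", "laptop-03", "ads.example"),
    ("2016-06-28T09:08:10", "laptop-17", "bad.example"),
    ("2016-06-28T09:11:00", "laptop-17", "bad.example"),
    ("2016-06-28T09:12:00", "laptop-17", "c2.example"),
    ("2016-06-28T09:13:00", "laptop-17", "bad.example"),
    ("2016-06-28T09:14:00", "laptop-17", "c2.example"),
    ("2016-06-28T09:15:00", "laptop-17", "bad.example"),
    ("2016-06-28T09:16:00", "laptop-03", "ads.example"),
    ("2016-06-28T09:17:00", "laptop-22", "ads.example"),
    ("2016-06-28T09:18:00", "laptop-17", "c2.example"),
    ("2016-06-28T09:19:00", "laptop-22", "ads.example"),
]


def parse_rows(rows):
    """Turn the string rows into (datetime, host, domain) tuples."""
    return [(datetime.fromisoformat(ts), host, domain) for ts, host, domain in rows]


def in_window(events, end, timeframe):
    """Events with end - timeframe < timestamp <= end."""
    start = end - timeframe
    return [e for e in events if start < e[0] <= end]


def frequency_rule(events, end, timeframe, num_events):
    """Frequency rule: hosts with at least num_events blocked lookups in the timeframe."""
    counts = Counter(host for _, host, _ in in_window(events, end, timeframe))
    return sorted(host for host, n in counts.items() if n >= num_events)


def spike_rule(events, end, timeframe, spike_height):
    """Spike rule: the current window holds spike_height times as many events as
    the preceding window of equal length. With no baseline there is no spike."""
    current = len(in_window(events, end, timeframe))
    reference = len(in_window(events, end - timeframe, timeframe))
    return reference > 0 and current >= spike_height * reference


def flatline_rule(events, end, timeframe, threshold):
    """Flatline rule: fewer than threshold events in the timeframe. A log source
    that goes silent (agent stopped, wrong OS, broken pipeline) is itself an alert."""
    return len(in_window(events, end, timeframe)) < threshold


def triage(host, events, end, timeframe):
    """Facts an analyst wants before calling a spike a false positive: how many
    blocks, which domains, and whether they repeat over time (beaconing-like)
    or are a one-off. Mapping the host to a person is an asset-inventory lookup
    outside this example."""
    mine = [e for e in in_window(events, end, timeframe) if e[1] == host]
    return {
        "host": host,
        "events": len(mine),
        "domains": sorted({d for _, _, d in mine}),
        "first_seen": min(e[0] for e in mine).isoformat() if mine else None,
        "last_seen": max(e[0] for e in mine).isoformat() if mine else None,
    }


EVENTS = parse_rows(SAMPLE_ROWS)
WINDOW = timedelta(minutes=10)
T_END = datetime(2016, 6, 28, 9, 20)

if __name__ == "__main__":
    print("frequency >=5/10min:", frequency_rule(EVENTS, T_END, WINDOW, 5))
    print("spike x2 vs previous window:", spike_rule(EVENTS, T_END, WINDOW, 2))
    print("flatline at 09:40:", flatline_rule(EVENTS, T_END + 2 * WINDOW, WINDOW, 1))
    for host in frequency_rule(EVENTS, T_END, WINDOW, 5):
        print(triage(host, EVENTS, T_END, WINDOW))
```

The spike rule deliberately refuses to fire when the reference window is empty; without a baseline a handful of events is not a spike, and alerting on it is how analysts learn to ignore the rule. The flatline check is the one people forget: a DNS-block feed that drops to zero usually means the sensor died, not that the fleet got clean.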

OSXCollector
  https://github.com/Yelp/osxcollector

Threat Intel API
  https://github.com/Yelp/threat_intell

Analyzing phishing emails
    ● analyze message headers
    ● detonate attachments
    ● past user interaction
    ● who else received it?
    ● https://www.phishtank.com/
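The first steps of the phishing checklist above (read the headers, pull the attachments out for detonation, find out who else received the same thing) can be scripted with the Python standard library. The block below is an added example, not code from the talk or from Yelp: it parses a constructed sample message (reserved example addresses and documentation IPs, a two-byte placeholder attachment), walks the Received chain back to the originating IP, flags a From/Return-Path domain mismatch, hashes each attachment so it can be looked up or sent to a sandbox, and correlates recipients across several analysed messages by attachment hash. The risky-extension list is an assumption for illustration, not a setting from the presentation.

```python
import email
import hashlib
import re
from email.utils import parseaddr

# Constructed sample message (not a real phishing mail). Addresses use
# reserved example domains, IPs are documentation ranges, and the base64
# attachment body is just the two bytes "PK".
RAW_MESSAGE = b"""\
Return-Path: <billing@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP id 1; Tue, 28 Jun 2016 09:00:00 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.corp.example with ESMTP; Tue, 28 Jun 2016 08:59:58 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example.net with SMTP; Tue, 28 Jun 2016 08:59:50 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form.
--XYZ
Content-Type: application/octet-stream; name="form.docm"
Content-Disposition: attachment; filename="form.docm"
Content-Transfer-Encoding: base64

UEs=
--XYZ--
"""

# Assumed list of extensions that go straight to a sandbox; tune per environment.
RISKY_EXTENSIONS = {"exe", "js", "vbs", "scr", "hta", "docm", "xlsm"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Header and attachment facts for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # Each hop prepends its Received header, so the last one is the earliest hop.
    origin = IP_IN_BRACKETS.search(received[-1]) if received else None

    findings = []
    if domain_of(from_addr) != domain_of(return_path):
        findings.append("return_path_mismatch")

    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": name, "size": len(data), "sha256": sha256_hex(data)})
        if name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            findings.append("risky_attachment:" + name)

    return {
        "from": from_addr,
        "to": to_addr,
        "return_path": return_path,
        "origin_ip": origin.group(1) if origin else None,
        "hops": len(received),
        "attachments": attachments,
        "findings": findings,
    }


def recipients_sharing_attachment(reports, digest):
    """Who else received it: recipients whose message carried the same attachment hash."""
    return sorted({r["to"] for r in reports
                   if any(a["sha256"] == digest for a in r["attachments"])})


if __name__ == "__main__":
    report = analyze_message(RAW_MESSAGE)
    print(report)
    # Constructed second copy of the same mail sent to another user.
    other = analyze_message(RAW_MESSAGE.replace(b"alice@corp.example", b"bob@corp.example"))
    print(recipients_sharing_attachment([report, other], report["attachments"][0]["sha256"]))
```

Only the earliest Received header is outside the organisation's control in this layout, and even that one can be forged by whoever injected the message; treat the origin IP as a lead for the threat-intel lookup, not as proof. The attachment hash is what you carry to the sandbox and the IoC list, and it is also the key for the "who else received it?" question across the mailbox population.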

Remediation, more seriously
    ● DNS/firewall blocking
    ● update IoCs (Indicators of Compromise)
    ● block/quarantine email senders
    ● whitelisting
    ● communication