PRESENTATION MATERIALS:
http://conference.hitb.org/hitbsecconf2012kul/materials/
PRESENTATION ABSTRACT:
For more than two years, ThreatGRID has been building a threat intelligence service where samples and content are cross-indexed and related. This allows for tremendous amounts of derived analysis, building relationships based on timing, behavioral, structural, and communications characteristics. We are able to determine the origin, aims, and targets of specific samples via second- and third-order relationships. We track all artifacts and behaviors, both host and network, and correlate between any of them.
Content is generated through dynamic and static malware analysis. We do not perform de-duplication of samples that are collected in the wild and submitted through various sources. Even though a piece of malware can be identified as belonging to a particular family of rootkit or dropper, its characteristics change and evolve over time. These ephemeral behavioral characteristics are vital to identifying relationships between malware, and this is content that we don't want to miss. We've been submitting and analyzing one sample for about a year now, tracking how its functionality, content and relationships have changed over time. This approach of not deduping submissions leads to some interesting issues related to scaling, storage and infrastructure design.
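The two ideas above, cross-indexing every artifact so that samples can be related at second and third order, and keeping every submission rather than de-duplicating by hash, can be shown with a small correlation index. The code below is an added illustration written for this page, not ThreatGRID's code; the sample hashes, dates, domains, IPs and the artifact naming scheme are all constructed for the example, and the fan-out cap is an assumption about how one would keep very common artifacts from linking everything to everything.

```python
from collections import defaultdict, deque

# Constructed analysis runs (not real data). Each dict is one run of one
# submission. "aaaa" appears twice because submissions are not de-duplicated;
# both runs are kept so that its behaviour can be compared across time.
RUNS = [
    {"sha256": "aaaa", "ts": "2011-09-01",
     "artifacts": {"dns:update.example-cdn.net", "mutex:Global\\svc_01"}},
    {"sha256": "aaaa", "ts": "2012-03-01",
     "artifacts": {"dns:cdn2.example-cdn.net", "mutex:Global\\svc_01"}},
    {"sha256": "bbbb", "ts": "2012-02-15",
     "artifacts": {"dns:cdn2.example-cdn.net", "file:%TEMP%\\a.tmp"}},
    {"sha256": "cccc", "ts": "2012-04-02",
     "artifacts": {"file:%TEMP%\\a.tmp", "ip:198.51.100.7"}},
    {"sha256": "dddd", "ts": "2012-04-10",
     "artifacts": {"ip:203.0.113.9"}},
]


def build_index(runs):
    """Cross-index runs two ways: artifact -> every sample that ever produced
    it, and sample -> all of its runs in time order. Nothing is dropped."""
    by_artifact = defaultdict(set)
    by_sample = defaultdict(list)
    for run in runs:
        by_sample[run["sha256"]].append(run)
        for art in run["artifacts"]:
            by_artifact[art].add(run["sha256"])
    for sha in by_sample:
        by_sample[sha].sort(key=lambda r: r["ts"])
    return by_artifact, by_sample


def related(by_artifact, by_sample, sha, max_order=2, max_fanout=50):
    """Breadth-first walk over shared artifacts. A sample reached in one hop
    is a first-order relation, two hops second-order, and so on. Artifacts
    shared by more than max_fanout samples (a benign OS domain, a common
    packer mutex) are skipped because they relate everything to everything;
    the threshold is an assumption for this example. Returns
    {sha256: (order, linking artifact)} for every sample within max_order."""
    seen = {sha: (0, None)}
    queue = deque([(sha, 0)])
    while queue:
        cur, order = queue.popleft()
        if order == max_order:
            continue
        for run in by_sample[cur]:
            for art in run["artifacts"]:
                if len(by_artifact[art]) > max_fanout:
                    continue
                for other in by_artifact[art]:
                    if other not in seen:
                        seen[other] = (order + 1, art)
                        queue.append((other, order + 1))
    del seen[sha]
    return seen


def behavior_drift(by_sample, sha):
    """Diff consecutive runs of one sample: what it started doing and what it
    stopped doing. This is exactly the content de-duplication would discard."""
    runs = by_sample[sha]
    return [
        {"from": prev["ts"], "to": cur["ts"],
         "added": cur["artifacts"] - prev["artifacts"],
         "removed": prev["artifacts"] - cur["artifacts"]}
        for prev, cur in zip(runs, runs[1:])
    ]


def dedup_first(runs):
    """What a naive de-duplicating pipeline keeps: only the earliest run per
    hash. Used below to show which relationships that loses."""
    first = {}
    for run in sorted(runs, key=lambda r: r["ts"]):
        first.setdefault(run["sha256"], run)
    return list(first.values())


if __name__ == "__main__":
    by_art, by_smp = build_index(RUNS)
    print("related to aaaa:", related(by_art, by_smp, "aaaa", max_order=3))
    print("drift of aaaa:", behavior_drift(by_smp, "aaaa"))
    by_art2, by_smp2 = build_index(dedup_first(RUNS))
    print("related to aaaa after dedup:", related(by_art2, by_smp2, "aaaa", 3))
```

With all runs kept, "aaaa" reaches "bbbb" at first order through the domain its second run contacted, and "cccc" at second order through the temp file "bbbb" shares with it; "dddd" shares nothing and stays unrelated. After de-duplicating to the first run per hash, "aaaa" has no relations at all, because the run that introduced the shared domain was thrown away.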
This talk covers the infrastructure requirements and architectural decisions made so that the entire worldwide output of malware samples can be analyzed multiple times; we have built our own in-house supercomputing cluster, with petabyte-scalable storage and a 40 Gbps interconnect. We will also show the value of such correlation, and why everyone should be building these relationships between content.
ABOUT WES BROWN
Wes Brown is currently Chief Architect at ThreatGRID working on scalable systems for malware intelligence collection and correlation; he leads a small expert team and greatly enjoys the challenges of building a high performance cluster from a software engineering and architectural point of view. Liberal application of statistics, kernel hacking, hypervisor development, alcohol, coffee, cursing, his wife's home cooking, and his fellow engineers make his job possible.
Brown is an expert at reverse engineering, having worked with security biometric devices, Intel's HECI transport, encryption algorithms, and proprietary communication and switching protocols. He has developed protocol intercept code, device communication protocols, and test and fuzzing frameworks. He is also a highly respected speaker at conferences, pioneering the concept of injectable virtual machines, and discussing malware analysis from a manual and automated perspective.
Source:
https://www.youtube.com/watch?v=mZG2DVuZn2M
Uploader:
Hack In The Box Security Conference