The rate of new malware samples has increased dramatically over the last 10 to 15 years. Finding a zero-day used to be unusual and an achievement; now it is common for incident handlers to find new malware.
The problem is that most organizations' defenses and detection capabilities are based on signatures of known malware. Hunting for malware when you don't have a signature and barely have a starting point is a skill incident handlers require in today's threat landscape. Detecting lateral movement and rogue user accounts is even more challenging.
The second problem is scale. As enterprises continue to grow in size, we no longer have the luxury of focusing on one system at a time. We need to be able to work remotely, work quickly, and automate wherever we can.
The course will cover:
- Threat landscape. A short background and overview of the current threat landscape. Each attacker and malware type has different characteristics, thus we need to look for different indicators and in different ways.
- Indicators of Compromise. We will spend most of the first day walking through all of the artifacts, nooks, and crannies where we can find clues that lead us to locating the hidden malware.
- Scripting. We will spend the entire second day going over different ways we can remotely access the indicators we learned about on the first day, and then scripting the collection so we can hit a single box remotely and then sweep hundreds of systems in an automated fashion.
This course is based on leveraging tools built into the OS or tools that are freely and easily downloaded. The goal is to enable malware hunters using tools that are readily available to them, so they can get to work immediately with little or no out-of-pocket expense. We will also discuss some paid-for tools and where they are or are not better.
This course is designed for incident handlers and others who may be tasked with malware hunting.
Students should already have basic to intermediate knowledge of Windows internals, incident response procedures, and scripting basics.
Students should bring their own laptop and a Windows 7 or Windows 10-based VM in order to follow along with the class exercises.
Students will be provided with a course manual and sample scripts.