Hunting Malware across the Enterprise
Overview
New malware samples are discovered at a rate that has steadily and steeply risen of the last 10 to 15 years. Where finding a zero-day used to be unusual and an achievement, it is now what incident handlers do on an almost weekly basis.
The problem is that most corporations defenses and detection capabilities are based on signatures of known malware. How to hunt for malware when you don't have a signature and barely have a starting point is skill incident handlers need to have in today's threat landscape.
The second problem is scale. As enterprises continue to grow in size, we no longer have the luxury of focusing on a system at a time. We need to be able to work remotely, work quickly, and automate wherever we can.
The course will cover:
- Threat landscape. A short background and overview of the current threat landscape. Each attacker and malware type has different characteristics, thus we need to look for different indicators and in different ways.
- Indicators of Compromise. We will spend most of the first day walking though all of the artifacts, nooks, and crannies where we can find clues that lead us to locating the hidden malware.
- Scripting. We will spend the entire second day going over different ways we can remotely access the indicators we learned about on the first day and then scripting the collection so we can hit a single box remotely and then sweep hundreds of systems in an automated fashion.
This course will be completely based on leveraging tools built into the OS or freely and easily downloaded tools. The goal was the enable malware hunters using tools that were readily available to them so they could get to work immediately with no or limited out of pocket expense. We will discuss some paid-for tools and where they are or are not better.
Who Should Take this Course
This course is designed for incident handlers and others that may be tasked with malware hunting.
Student Requirements
Students should already have basic to intermediary knowledge of Windows internals, incident response procedures, and scripting basics.
What Students Should Bring
Students should bring their own laptop and a Windows 7 or Windows 10-based VM in order to follow along with the class exercises.
What Students Will Be Provided With
Students will be provided with a course manual and sample scripts.
Trainers
Greg is the co-founder and CEO of Outlier Security. He is a pioneer in the computer security industry and a recognized expert on many facets of security technology. Greg contributed a great deal of early research to the field of rootkits, software exploitation, buffer overflows, and online game hacking. His later work focused on computer forensics, incident response, physical memory forensics, malware detection, and attribution of hackers. He authored three security books: Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel, and Exploiting Online Games: Cheating Massively Distributed Systems. Greg is a frequent speaker at Black Hat, RSA and other security conferences, and has developed many computer security training programs.
Dr. Shane Shook is a well-known veteran of information security and response engagements with nearly 30 years of experience spanning government and industry issues. He has led forensic analysts and provided expert testimony in many of the most notorious breaches involving financial services, healthcare, retail, hospitality, transportation, energy, automotive, and entertainment corporate (and government) systems. He has also served as expert witness in related federal, civil and commercial disputes. He currently serves on the advisory boards of several emerging security technology companies.