Corporate, state, and federal networks are at great risk and a decade of security spending has not increased our security. Hundreds of thousands of malware samples are released daily that escape undetected by antivirus. Cyber-spies are able to take intellectual property like source code formulas and CAD diagrams at their whim. We are at a crisis point and we need to rethink how we address malware.
Malware is a human problem. We can clean malware from a host but the bad guy will be back again tomorrow. By tracing malware infections back to the human attacker we can understand what they are after, what to protect, and counter their technical capabilities. Every step in the development of malware has the potential to leave a forensic toolmark that can be used to trace developers, and ideally can lead to the operators of the malware. Social cyberspaces exist where malware developers converse with one another and their clients. A global economy of cyber spies and digital criminals support the development of malware and subsequent monetization of information. This talk focuses on how code artifacts and toolmarks can be used to trace those threat actors.
We will study GhostNet and Aurora, among others. Example toolmarks will include compiler and programming language fingerprints, native language artifacts (was it written for Chinese operators, etc), mutations or extensions to algorithms, command and control protocols, and more. We will discuss link analysis (using Palantir, etc) against open-source data such as internet forums and network scans. Ultimately this information will lead to a greater understanding of the malware operation as a whole, and feeds directly back into actionable defenses.
HBGary, Inc. Greg Hoglund has been a pioneer in the area of software security. After writing one of the first network vulnerability scanners (installed in over half of all Fortune 500 companies), he created and documented the first Windows NT-based rootkit, founding www.rootkit.com (rootkit.com) in the process. Greg went on to co-found Cenzic, Inc. (cenzic.com) through which he orchestrated numerous innovations in the area of software fault injection. He holds two patents. Greg is a frequent speaker at Black Hat, RSA and other security conferences. He is co-author of _Exploiting Online Games_ (Addison Wesley 2007) and _Rootkits: Subverting the Windows Kernel_ (Addison Wesley 2005) and _Exploiting Software: How to Break Code_ (Addison Wesley 2004).