from soc to analyst bridging automated and manual analyses
play

From SOC to Analyst: bridging automated and manual analyses - PowerPoint PPT Presentation

Jun 15, 2023 •19 likes •89 views

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

  1. From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphaël Rigo

  2. Typical (ideal) workflow of a malware sample reverser binary SOC CERT “special” malware malware SOC Security Operations Center CERT Computer Emergency Response Team “Special” malware • Unknown, Targeted, Complex • Anything not handled automatically ? Our tools • Tools for automated malware analysis and triage, for SOC & CERT (bnew) • Tools for manual analysis by reverser – including our own, BinCAT R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  3. Links to the seminar issues The end of the chain “When automated processing ends/fails/is not sufficient” Overall issue • Sometimes a human is needed • = ⇒ what be done to help the human be more efficient ? End goals for the analyst • IOCs • automated tools for families to integrate in the SOC chain: • static unpackers • config extractors R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  4. Analyst view Which information from the automated process (SOC) can be presented to the analyst ? • generically unpacked sample • interesting code parts (in IDA) ? : • potential crypto loops (cf. IDAScope, crypton) • deobfuscated/decrypted strings • annotated trace (cf. pTra, MazeWalker) • visualization methods: bitmaps, dynamic graphs, etc. Helpful properties: • resolve indirect calls (C++ !) • dead code (no need to reverse) R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  5. Challenges (helping the analyst) Special cases for “usual” malwares: • complex packers: VMProtect-ed packed samples • obfuscation Other complex (“unusal”) cases: • implants/rootkits (harder to analyse dynamically): • Secure boot bypass (SMM code ?) • jailbreaks • rootkits (drivers) • embedded/network devices exploits/implants • vulnerability and exploit analysis: • need to analyse complex software behaviour • understand vulnerability to create efficient signatures • all in memory code (no imports, everything dynamic) R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  6. Room for improvements: tooling Manual reversing • interactive • integrated into IDA (for low level properties) • easy to install / use Ex: Ponce, IDAscope, BinCAT ;) For automated (static) handling • scriptable (of course) • versatile/expressive • OS agnostic Ex: Miasm R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

  7. BinCAT • demo • slides R. Rigo :: From SOC to Analyst: bridging automated and manual analyses

Recommend

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Adding Value to Automated Web Scans Burp Suite and Beyond Automated Scanning vs Manual Tes;ng Manual Tes;ng Tools/Suites At MSU -

837 views • 22 slides
Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is

Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is

Announcing the 2019 Pony Club WA Gear Checking Manual 2019 Bridging Document The manual is available for download (free) from Pony Club WA Gear Checking page Follow these steps to get there: 1. Pony Club WA website 2. Resources 3. Club

461 views • 10 slides
Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function

Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function

Automated Waitlist Arrives at PSU Overview Review of Current Manual Waitlist Function Manual waitlist activates when enrollment cap reached. Slot is reserved for waitlist student when enrollment drops below cap. Departments

461 views • 22 slides
Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach

Automated Test Data Generation on the Analyses of Feature Models A Metamorphic Testing Approach Sergio Segura 1 , Robert M. Hierons 2 , David Benavides 1 and Antonio Ruiz-Corts 1 1 Department of Computer Languages and Systems, Univesity of

330 views • 28 slides
Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation

Improving the Efficiency of Manual Ground Truth Labeling Using Automated Anatomy Segmentation Hongzhi Wang PhD, Prasanth Prasanna MD, Jose Morey MD, Tanveer F. Syeda-Mahmood PhD Medical Sieve Group, IBM Almaden Research Center Anatomy

469 views • 18 slides
GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira

GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira

GuideAutomator: Automated User Manual Generation with Markdown Allan dos Santos Oliveira Supervisor: Prof. Rodrigo Rocha Gomes e Souza Department of Computer Science Federal University of Bahia 1 Introduction User experience as rising

453 views • 27 slides
GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated

GDC 2012 March 5-9 Runtime CPU Performance Spike Detection using Manual and Compiler Automated Instrumentation Adisak Pochanayon : adisak@wbgames.com Principal Software Engineer, Mortal Kombat Team Netherrealm Studios (WB Games Chicago) This

366 views • 9 slides
An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric,

An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric,

An Empirical Evaluation and Comparison of f Manual and Automated Test Selection Milos Gligoric, Stas Negara, Owolabi Legunsen, and Darko Marinov ASE 2014 Vsters, Sweden September 18, 2014 ITI RPS #28 CCF-1012759, CCF-1439957

762 views • 26 slides
Program Realisation 2 Todays Topics Unit testing, manual versus automated

Program Realisation 2 Todays Topics Unit testing, manual versus automated

Program Realisation 2 Todays Topics Unit testing, manual versus automated http://www.win.tue.nl/hemerik/2IP20/ ADT relationships: Lecture 4 Multiple implementations of the same ADT contract Kees Hemerik Generalization,

181 views • 7 slides
Automated Observation 4 4 Automated Observation what when what to observe to observe to

Automated Observation 4 4 Automated Observation what when what to observe to observe to

Asserting Expectations Andreas Zeller 1 Search in Time variables During execution, the state becomes infected. time Basic idea: Observe a transition from sane to infected. 2 2 Manual Observation 3 3 Automated

450 views • 15 slides
Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36)

Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36)

AASHTO Automated Pavement Faulting Method AASHTO Presentation Outline: Faulting (AASHTO R-36) Manual and Automated Methods Automated Faulting Program Accuracy and Precision Conclusion AASHTO TECHNOLOGY IMPLEMENTATION GROUP

731 views • 16 slides
Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading

Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading

Automated Meter Reading Presentation to the Gallatin Lions Club May 28, 2019 Manual Reading of Approximately 15 15,445 45 Natural Gas Meters and 14, 4,665 65 Water Meters Each Month. Meters are Read By Five Meter Readers in 6 Cycles

416 views • 38 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC

ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC

ADaM or SDTM? A Comparison of Pooling Strategies for Integrated Analyses in the Age of CDISC Joerg Guettner, Lead Statistical Analyst, Bayer Pharma, Wuppertal, Germany Alexandru Cuza, Project Statistical Programmer UCB Biosciences, Monheim,

175 views • 15 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via

Automated Generation of Platform-Variant Applications from Platform-Independent Models via Templates Nuno Amlio, Christian Glodt, Frederico Pinto, Pierre Kelsen University of Luxembourg Introduction Manual code development is expensive

243 views • 21 slides
Congressional Budget Office January 4, 2016 Frameworks for Distributional Analyses Annual

Congressional Budget Office January 4, 2016 Frameworks for Distributional Analyses Annual

Congressional Budget Office January 4, 2016 Frameworks for Distributional Analyses Annual Meeting of the Allied Social Science Associations San Francisco, California Kevin Perese Principal Analyst, Tax Analysis Division Frameworks for

481 views • 36 slides
Bridging Bridging Jean-Yves Le Boudec Fall 2009 1 1 Algorhyme I think that I shall never see

Bridging Bridging Jean-Yves Le Boudec Fall 2009 1 1 Algorhyme I think that I shall never see

COLE POLYTECHNIQUE FDRALE DE LAUSANNE Bridging Bridging Jean-Yves Le Boudec Fall 2009 1 1 Algorhyme I think that I shall never see a graph more lovely than a tree. h l l th t A tree whose crucial property is loop-free

564 views • 45 slides
Leveraging Electronic Health Records for Public Health: From Automated Disease Reporting to

Leveraging Electronic Health Records for Public Health: From Automated Disease Reporting to

PHSSR Research-In-Progress Series: Bridging Health and Health Care Wednesday, March 4, 2015 12:00-1:00pm ET Leveraging Electronic Health Records for Public Health: From Automated Disease Reporting to Developing Population Health Indicators

687 views • 50 slides
Manual Handling Risk Assessment Powerpoint Presentation Manual handling technique. Hansen Manual

Manual Handling Risk Assessment Powerpoint Presentation Manual handling technique. Hansen Manual

Manual Handling Risk Assessment Powerpoint Presentation Manual handling technique. Hansen Manual Handling Operations Regulations 1992. Hansen We must make a suitable and sufficient assessment of the risk SIS Key Manual Handling Issues.

601 views • 4 slides
Research on Race Bridging for 2020 Ben Bolender Assistant Division Chief Population Estimates

Research on Race Bridging for 2020 Ben Bolender Assistant Division Chief Population Estimates

Research on Race Bridging for 2020 Ben Bolender Assistant Division Chief Population Estimates and Projections Population Association of America April, 2018 1 Overview 1. Race bridging and reverse bridging 2. Bridging and imputation 3. Why

519 views • 29 slides
Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on

Bridging the Gap on Breaches: What Makes the Difference? Sponsored By: Bridging the Gap on Breaches: What Makes the Difference? Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of

423 views • 21 slides
My very own experience in solving optimization problems Alessandro Zanarini - EPFL - 26 March

My very own experience in solving optimization problems Alessandro Zanarini - EPFL - 26 March

My very own experience in solving optimization problems Alessandro Zanarini - EPFL - 26 March 2019 Automated tools vs Optimization Shift from manual to automated tool is seen as the holy grail Underlying problem can be tough

844 views • 42 slides
Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06)

Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06)

Residential Bridging Residential Bridging (rate control; 2006Mar06) (rate control; 2006Mar06) Maintained by David V James IEEE 802.3 RE Study Group March 2006 1 Denver Credit is due to many others, whose reviews and comments drove this

408 views • 18 slides

More recommend