Building an Encyclopedia of Malware Configs (to punch miscreants)

According to VirusTotal, it sees almost 500,000 unique malware samples every day, and that does not include the malware VirusTotal never sees. The sheer deluge of unique samples makes it difficult for incident responders to keep up and protect their networks. Even more difficult is the task for investigators and law enforcement of keeping up with the size and number of command-and-control networks and criminal operations.

The size and scope of malware may seem daunting, but these repositories can be mined for intelligence programmatically to build not only threat intelligence feeds for current threats, but also a historical encyclopedia of attacks seen in previous months and years. The ability to correlate attacks and malicious infrastructure over time has opened up new methods to attribute attackers and to support long-term disruptive activity.

This talk will discuss how a massive historical intelligence database can be used to correlate historical attacks and what possibilities this kind of analysis holds. The audience will come away with the knowledge of how to build a system of their own, which open source tools and repositories are available to defenders, and the basics of how to apply threat intelligence techniques to automated threat data collection of this type.

Presented by