An Adversarial View of SaaS Malware Sandboxes

BSidesDC 2015

Presented by: Aaron Shelmire, Jason Trost
Date: Saturday October 17, 2015
Time: 14:30 - 15:20
Location: Salon D
Track: Blue Team

Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed up security analysts' workflow, extract indicators of compromise (IOCs), and gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider it is based on the network traffic? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately to threat intelligence feeds? In this talk, we will answer all these questions and more.

Jason Trost

Jason Trost is Director of Research at ThreatStream and is deeply interested in network security, DFIR, big data and machine learning. He has worked in security for almost ten years, and he has several years of experience leveraging big data technologies for security data mining. He is currently focused on building highly scalable systems for processing, analyzing, and visualizing high speed network/security events in real-time as well as systems for analyzing massive amounts of malware. He is a regular attendee of Big Data and security conferences, and he has spoken at Blackhat, BSidesSF, FloCon, and Hadoop Summit. He has contributed to several security and big data related open source projects including the Modern Honey Network (MHN), BinaryPig, ElasticSearch, Apache Accumulo, and Apache Storm.

Aaron Shelmire

While having "played around" with computers as far back as high school, Aaron held out hope to become a famous DJ or video game creator in the 90s. It wasn't until 2004 that he began his long, twisted journey into information security, when the supercomputers he was working on at PSC were hacked by a dire and sophisticated threat that penetrated over a thousand organizations over a multi-year period, which turned out to be a 16-year-old kid in Uppsala, Sweden, during the Stakkato attacks. Aaron switched gears, began piecing together a security practice at the PSC, went to grad school at Carnegie Mellon, and hopped gigs to go work at CERT/CC. He then began sharing his knowledge with graduate students at CMU as adjunct faculty. After a few years of "applied research", he jumped gigs for more "applied"-ness / less "research"-ness in the Dell SecureWorks CounterThreatUnit's Special Ops team, which created and operated an endpoint detection platform in Targeted Incident Response engagements. Recently he has been focused on sharing threat intelligence in a programmatic way at ThreatStream.

