According to VirusTotal, almost 500,000 unique malware samples are seen by them every day. That doesn’t include all the malware VirusTotal doesn’t see. The shear deluge of unique malware samples makes it difficult for incident responders to keep up to protect their networks. Even more difficult is the task to investigators and law enforcement to keep up with the size and number of command-and-control networks and criminal operations.
The size and scope of malware may seem daunting, but these repositories can be mined for intelligence in a programmatic way to build not only threat intelligence feeds for current threats, but a historical encyclopedia for attacks seen in previous months and years. The ability to correlate attacks and malicious infrastructure historically has opened up new methods to attribute attackers and to support long-term disruptive activity.
This talk will discuss how a massive historical intelligence database can be used to correlate historical attacks and what the possibilities hold for this kind of analysis. The audience will come away with the knowledge in how to build a system of their own, what open source tools and repositories are available for defenders and the basics in how to apply threat intelligence techniques to automated threat data collection of this type.
John Bambenek (@bambenek) is a Sr. Threat Analyst at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 15 years researching security threats. He is a published author of several articles, book chapters, and one book. He has contributed to IT security courses and certification exams covering such subjects as penetration testing, reverse engineering malware, forensics, and network security. He has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focusing on takedowns and disruption of criminal entities.