Endgame Presents: Hacker Summer Camp 2018

In just a few weeks, the security industry will flock to Las Vegas for Black Hat, DEF CON, and BSides Las Vegas, also known as “Hacker Summer Camp”. It is one of the biggest weeks in security, and we’re excited to be active contributors at each of the conferences. Our team will be introducing some of our latest research, with presentations on everything from kernel mode threats to phishing detection through artificial vision systems to automated disassembly for malware analysis.

At Endgame, we believe contributing to and collaborating with the community is essential to help elevate the game of defenders and raise the costs for attackers. We'll be sharing our independent research at each event, with two talks at Black Hat, one presentation and two workshops at DEF CON, and four talks at BSides Las Vegas. We are also sponsoring and giving a talk at the Diana Initiative, and hope to continue to elevate the voices of gender minorities in security.

Below are the abstracts, times, dates, and locations for our talks. We will also be at booth #1328 at Black Hat. Swing by and say hi and take a look at the Endgame platform, named Visionary by Gartner, and proven to empower even novice analysts to conduct the complex and necessary security activities that protect against targeted attacks. See you in Vegas!


Endgame Presents:

BSidesLV

August 7-8

Tuscany Suites


Presentation: Stop and Step Away from the Data: Rapid Anomaly Detection via Ransom Note File Classification

Speaker: Mark Mager, Senior Malware Researcher

Date and Time: August 7, 3:00 PM

The proliferation of ransomware has become a widespread problem culminating in numerous incidents that have affected users worldwide. Current ransomware detection approaches are limited in that they either take too long to determine if a process is truly malicious or tend to miss certain processes due to focusing solely on static analysis of executables. To address these shortcomings, we developed a machine learning model to classify forensic artifacts common to ransomware infections: ransom notes. Leveraging this model, we built a ransomware detection capability that is more efficient and effective than the status quo.

I will highlight the limitations of current ransomware detection technologies and how those instigated our new approach, including our research design, data collection, high-value features, and how we performed testing to ensure acceptable detection rates while remaining resilient to false positives. I will also conduct a live demonstration with ransomware samples to show the technology's effectiveness. Additionally, we will be releasing all related source code and our model to the public, which will enable users to generate and test their own models, as we hope to further push innovative research on effective ransomware detection capabilities.

Presentation: Sight Beyond Sight: Detecting Phishing with Computer Vision

Speaker: Daniel Grant, Data Scientist

Date and Time: August 7, 5:00 PM

Even with all our advances in security and automated detection, the old cliché still holds true: users are the weakest link. Attacks are crafted to trick users into simple mistakes, such as clicking on a malicious link, enabling macros in an illegitimate document, or entering credentials on a website masquerading as a legitimate one. The best attackers exploit human perception and create reliable and consistent methods to gain unauthorized access to a system without needing to exploit technical vulnerabilities. Although some organizations invest in phishing training and simulation, relying on user attentiveness to detect all attacks that exploit visual similarities is bound to be incomplete. With that in mind, we'll discuss the option of using machine learning to mimic human perception to detect the visual cues of phishing attacks.

Deep learning architectures have been used with great success to mimic or exceed human visual perception in well-scoped tasks ranging from identifying cats in YouTube videos to identifying cars in self-driving systems. Rarely have these techniques been applied to information security. Attacks that attempt to exploit human visual perception, such as phishing documents that persuade humans to enable malicious macros and URL (e.g., www.rnicrosoft.com) and file-based (e.g., chr0me.exe) homoglyph attacks, are ripe for similar automated analysis.

Our research introduces two methods - SpeedGrapher and Blazar -  for leveraging artificial vision systems and features generated by image creation to detect phishing. SpeedGrapher analyzes the appearance of Microsoft (MS) Word documents via a preview from the Word Interop class to gather images of potential phishing attempts to enable macros and leverages an object detection network to identify relevant visual cues to classify the sample. Blazar analyzes strings for possible domain or filename spoofing and uses a siamese convolutional neural network and a nearest neighbor index to compare visual similarity of spoofs to known domain or file names with a much greater accuracy than edit distance techniques.

Examples of these methods in action will demonstrate the usefulness of integrating an artificial vision system approach to detect a range of phishing attacks, and we'll provide some open source tools we've used and created in developing these approaches. However, just as the human visual system can be tricked, these machine vision systems can also be exploited. We will also show the risk and resilience of these vision systems to evasion attacks.
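To make concrete why the abstract calls plain edit distance inadequate for homoglyph spoofs, here is an added example (not Endgame's Blazar code, and not a neural network): it compares Levenshtein distance against the same distance computed over a visual "skeleton" in which confusable sequences such as rn/m, 0/o and Cyrillic о/Latin o are collapsed. The confusables table, the list of known names and the sample inputs are all constructed for the example; Blazar replaces the hand-built table with a siamese CNN trained on rendered strings, which is what lets it generalize to glyph pairs nobody listed.

```python
"""Homoglyph-aware spoof detection: plain edit distance vs. a visual skeleton.

Added example, not Endgame's Blazar code. A hand-built confusables table stands in
for the learned visual similarity model the talk describes.
"""

# Constructed confusables table (assumption: a small subset of what a rendered-glyph
# model would learn). Multi-character entries must be applied before single ones.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "5": "s", "3": "e", "|": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
}

# Constructed list of names worth protecting (brand domains, core Windows binaries).
KNOWN_NAMES = ["microsoft.com", "google.com", "chrome.exe", "explorer.exe"]


def skeleton(s: str) -> str:
    """Collapse visually confusable sequences to one canonical spelling.

    The mapping is lossy on purpose ("clean" becomes "dean"), so it is only ever
    used to compare two strings against each other, never shown to a user.
    """
    s = s.casefold()
    for src, dst in MULTI_CONFUSABLES.items():
        s = s.replace(src, dst)
    return "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: every substitution costs 1 regardless of appearance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def visual_distance(a: str, b: str) -> int:
    """Edit distance after collapsing confusables, so 'rn' -> 'm' costs nothing."""
    return levenshtein(skeleton(a), skeleton(b))


def find_spoof(candidate: str, known=KNOWN_NAMES, max_visual: int = 1):
    """Return (target, plain_distance, visual_distance) for the closest known name
    when the candidate looks like a spoof of it, else None.

    An exact (case-insensitive) match is the real thing, not a spoof.
    """
    if candidate.casefold() in known:
        return None
    best = min(known, key=lambda k: (visual_distance(candidate, k),
                                     levenshtein(candidate, k)))
    vd = visual_distance(candidate, best)
    if vd > max_visual:
        return None
    return best, levenshtein(candidate, best), vd


if __name__ == "__main__":
    # Constructed sample inputs: two from the abstract, one Cyrillic homoglyph,
    # and one benign near-neighbour that must not be flagged.
    for name in ["rnicrosoft.com", "chr0me.exe", "micr\u043esoft.com", "microsite.com"]:
        print(f"{name:20s} -> {find_spoof(name)}")
```

The contrast the abstract draws falls out of the numbers: rnicrosoft.com is two plain edits from microsoft.com, the same as a harmless typo, but zero visual edits, while microsite.com stays three edits away under both measures. Any fixed table has the weakness that attackers only need one glyph pair it omits, which is the gap a model trained on rendered images is meant to close.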


Presentation: Increasing Retention Capacity: Research from the Field

Speaker: Andrea Little Limbago, Chief Social Scientist

Date and Time: August 8, 11:00 AM

Why do organizations work so hard to recruit a talented workforce, but fall flat when it comes to retention? After all, rapid turnover negates investments in recruiting and training, stalls projects and innovation, and is often a gauge for the health of a company. Given the growing workforce deficit, it is essential to improve retention in security, especially among underrepresented groups.  But what are those factors that improve and hinder retention in security? I conducted a survey and integrated existing social science research to identify those core factors. I will first describe the research design and the main findings. Next, and building upon existing social science research on social change and organizational structure, I will offer several concrete steps organizations can take to improve retention, including a nuanced approach to professional growth and addressing burnout, as well as key cultural factors within the workplace environment. This discussion also includes what the security industry writ large can do to help augment retention, especially when it comes to professional conferences, marketing, and some of the biases embedded in them.

Presentation: Who Maed Dis; A Beginners Guide to Malware Provenance Based on Compiler Type

Speaker: Lucien Brule, Malware Research Intern

Date and Time: August 8, 2:00 PM

Malware researchers must take into account a wide range of factors in order to effectively triage, reverse, and address the threat of modern malware. Provenance, or being able to infer the origins of a given sample, is an important but often overlooked characteristic of most malware that may not be apparent to those entering the field. With added knowledge and new tooling, we can make our lives easier. Being able to determine the compiler provenance of a sample is valuable to a reverse engineer, as it can speed up the detection of anomalous or otherwise interesting sections of a given binary. I'll discuss how different compilers and build systems produce different Windows (PE) binaries, where 'interesting' bits of code exist across different kinds of binaries, their expected behaviour and defining characteristics, and most importantly how to leverage this information to make heuristic conclusions that will improve one's reverse engineering efficiency.

The talk also coincides with the public release of two things:

  • A package of Yara rules to fingerprint binaries by compiler type.
  • A tool which facilitates the analysis of a given binary by providing graphic and diagnostic output that can denote malicious and benign segments. This tool acts as a hinting system for a researcher, so they can spend less time searching through boring segments of code and more time looking at interesting segments.

The tool, combined with the Yara rules, empowers one to extend the definitions and provide definitions for whatever one deems interesting.
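As an added illustration of the kind of heuristic the abstract has in mind (this is not the talk's tool or its Yara rule set), the following script reads three compiler fingerprints straight out of a PE file: the linker version in the optional header, the "Rich" header that Microsoft's linker places between the DOS stub and the PE signature, and toolchain strings such as the mingw-w64 runtime message or the Go build ID. Because a real PE is too large to embed, the block also contains a builder that constructs minimal, non-executable PE images with just the fields the heuristics read; those synthetic files, and the compiler labels they are given, are constructed test input, not samples from the talk.

```python
"""Compiler-provenance heuristics for PE files.

Added example, not the talk's tool or Yara rules. parse_pe() reads the linker
version and section names, checks for the Microsoft "Rich" header, and
guess_compiler() turns that plus a few toolchain strings into a label. build_pe()
constructs minimal test images so the script runs offline.
"""
import struct

OPTIONAL_HEADER_SIZE = 240  # PE32+ optional header size used by the synthetic builder


def build_pe(major_linker, minor_linker, sections=(".text", ".data"), rich=False, extra=b""):
    """Construct a minimal, non-executable PE image (constructed test input).

    Assumption: real files carry far more (data directories, imports, real stub);
    only the fields the heuristics below read are populated. The real Rich header
    has its "DanS" block XOR-masked; only the trailing "Rich" marker is in clear.
    """
    rich_blob = b"DanS" + b"\0" * 12 + b"Rich" + b"\0" * 4 if rich else b""
    e_lfanew = 0x40 + len(rich_blob)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x22)
    optional = struct.pack("<HBB", 0x20B, major_linker, minor_linker)  # Magic, Major, Minor
    optional += b"\0" * (OPTIONAL_HEADER_SIZE - len(optional))
    table = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + rich_blob + b"PE\0\0" + coff + optional + table + extra


def parse_pe(data: bytes) -> dict:
    """Pull linker version, section names and Rich-header presence from a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    major, minor = struct.unpack_from("<BB", data, opt + 2)
    table = opt + opt_size
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    # The Rich header, when present, sits after the DOS header and before PE\0\0.
    return {"linker": (major, minor), "sections": names, "rich": b"Rich" in data[0x40:pe_off]}


def guess_compiler(data: bytes):
    """Return (label, reasons). These are heuristics, not proof: a packer or a
    hand-edited header defeats every one of them, which is why a Yara rule set
    should combine several indicators rather than trust one."""
    info = parse_pe(data)
    major, _minor = info["linker"]
    low = data.lower()
    if b"go build id:" in low or ".symtab" in info["sections"]:
        return "go", ["Go build ID string or .symtab section"]
    if info["rich"]:
        return "msvc", [f"Rich header present (Microsoft linker), linker {major}.x"]
    if major == 2:
        reasons = ["linker 2.x without Rich header (GNU ld)"]
        if b"mingw" in low:
            reasons.append("mingw runtime string")
        return "gcc/mingw", reasons
    if b"borland" in low or b"embarcadero" in low:
        return "delphi", ["Borland/Embarcadero string"]
    return "unknown", [f"linker {major}.x, no recognised indicators"]


if __name__ == "__main__":
    samples = {  # constructed inputs, one per toolchain the heuristics know
        "msvc": build_pe(14, 16, rich=True),
        "mingw": build_pe(2, 30, (".text", ".CRT", ".bss"), extra=b"Mingw-w64 runtime failure"),
        "go": build_pe(3, 0, (".text", ".symtab"), extra=b'Go build ID: "abc"'),
        "other": build_pe(9, 0),
    }
    for name, blob in samples.items():
        print(f"{name:6s} -> {guess_compiler(blob)}")
```

Run against real files (`guess_compiler(open(path, "rb").read())`) the labels are only hints, which is the point the abstract makes: the value of provenance is in steering a reverse engineer toward the unusual parts of a binary, so a sample whose indicators disagree (a 2.x linker version next to a Rich header, say) is itself worth a closer look.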


Black Hat

August 8-9

Mandalay Bay


Presentation: Finding Xori: Malware Analysis Triage with Automated Disassembly

Speakers: Amanda Rousseau (Senior Malware Researcher) and Rich Seymour (Senior Data Scientist)

Date and Time: August 8, 10:30 AM, South Seas CDF

In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.

We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.


Presentation: Kernel Mode Threats and Practical Defenses

Speakers: Gabriel Landau (Principal Software Engineer) and Joe Desimone (Senior Malware Researcher)

Date and Time: August 9, 9:45 AM, South Seas ABE

Recent advancements in OS security from Microsoft such as PatchGuard, Driver Signature Enforcement, and Secure Boot have helped curtail once-widespread commodity kernel mode malware such as TDL4 and ZeroAccess. However, advanced attackers have found ways of evading these protections and continue to leverage kernel mode malware to stay one step ahead of defenders. We will examine the techniques from malware such as DoublePulsar, Slingshot, and Turla that help attackers evade endpoint defenses. We will also reveal a novel method to execute a fully kernel mode implant without touching disk or being detected by security products. The method builds on publicly available tools, which puts it easily within the grasp of novice adversaries.

While attacker techniques have evolved to evade endpoint protections, the state of the art in kernel malware detection has also advanced to hinder these new kernel mode threats. We will discuss these new defensive techniques, including real-time detection that leverages hypervisors, along with an innovative hardware-assisted approach that utilizes performance monitoring units. In addition, we will discuss on-demand techniques that leverage page table entry remapping to hunt for kernel malware at scale. To give defenders a leg up, we will release a tool that is effective at thwarting advanced kernel mode threats. Kernel mode threats will only continue to grow in prominence and impact. This talk will provide both the latest attacker techniques in this area and a new tool to curtail these attacks, providing real-world strategies for immediate implementation.


DEF CON

August 9-12

Caesar’s Palace


Presentation: Finding Xori: Malware Analysis Triage with Automated Disassembly

Speakers: Amanda Rousseau (Senior Malware Researcher) and Rich Seymour (Senior Data Scientist)

Date and Time: August 10, 1:00 PM, Track 2

Abstract: same talk as the Black Hat session; see the Xori abstract in the Black Hat listing above.


Workshop: AI Village

Endgame Speakers: Bobby Filar (Principal Data Scientist), Hyrum Anderson (Technical Director, Data Science), Amanda Rousseau (Senior Malware Researcher), Mark Mager (Senior Malware Researcher), Sven Cattell (Data Scientist)

Dates: August 10-12, Caesar’s Palace

The AI Village at DEF CON is a place where experts in AI and security (or both!) can come together to learn and discuss the use, and misuse, of artificial intelligence in traditional security. Machine learning techniques are rapidly being deployed in core security technologies like malware detection and network traffic analysis, but their use has also opened up a variety of new attack vectors against the systems that use them. Using techniques such as Generative Adversarial Networks, would-be attackers could target non-traditional platforms, such as the deep learning based image recognition systems used in self-driving cars. Related attack methods could be leveraged to extract confidential training data from a deployed model itself, adding another layer of privacy and security risk to an ever-growing list of concerns.

The AI Village will explore these issues and encourage open discussion for possible solutions (and any interesting attacks the attendees can come up with). For those who would rather learn through practice, a practice workshop session will also be available.

Come participate in introductory workshops where you can learn how to use (and misuse!) machine learning models as part of your arsenal. Talks include:

  • A discussion of the recently released report on the Malicious Use of AI
  • Red-teaming machine learning systems using adversarial techniques
  • Vulnerabilities of machine learning tools
  • (ICYMI) Mark Mager’s BSidesLV talk on ransom note file classification and detection


Workshop: Reverse Engineering Malware 101 (Part of Packet Hacking Village & Workshop)

Speaker: Amanda Rousseau, Senior Malware Researcher

Date and Time: August 10, 11:00 AM-12:30 PM, Caesar's Palace, Promenade Level

This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly and a review of RE tools and malware techniques. It concludes with attendees performing a hands-on malware analysis covering triage, static, and dynamic analysis.

Prerequisites: Basic understanding of programming in C/C++, Python, or Java.

Provided: A virtual machine and tools.

Format: four sections in 1.5 hours:

  • ~15 min Fundamentals
  • ~15 min Tools/Techniques
  • ~30 min Triage and Static Analysis + Lab
  • ~30 min Dynamic Analysis + Lab


The Diana Initiative

August 9-10

Caesar’s Palace

Presentation: Yes You Can: An Interactive Discussion on CFP Submissions and Presenting at Cons

Speakers: Andrea Little Limbago (Chief Social Scientist, Endgame) and Kathleen Smith (Chief Marketing Officer, ClearedJobs.net & CyberSecJobs.com)

Date and Time: August 9, 1:30 PM, Track 2


There are (at least) two common and inter-related misperceptions that continue to limit female participation on conference panels and as speakers. First, many conference organizers contend there simply aren't enough women in the field. Second, many women believe they do not possess the expertise or qualifications to speak at conferences, or even meetups. Neither of these is true, but together they reinforce the persistent dearth of technical women speaking at technical conferences. This is especially problematic in security, where we need more visible and prominent women. Moreover, conference participation is a great way to build your brand, grow professionally, and receive useful feedback on a project or research. In this discussion, we'll share lessons learned and writing tips for pursuing technical speaking opportunities. Participants will leave equipped with the tools and encouragement required to move the needle toward greater female speaker representation at security conferences.