This presentation is free, but space is limited and will be allocated on a first-registered basis. Please register by clicking on the *Get Registered* button below.
6:30 - 7:00 Registration
7:00 - 8:00 Presentation
8:00 - 8:15 Q & A
8:15 - 9:30 Networking Cocktail and High Snacks
Whether your job is security administration, incident response, or malware reverse engineering, you know that malware is more prolific than ever. We receive more new malware every week than we will ever have time to fully analyze, so the problem becomes deciding which samples deserve our analysis time. For the incident responder, knowing whether a new suspicious binary is related to previously known malware offers great insight, without having to wait on your malware shop.
In this talk, we will introduce a tool for quickly identifying relationships between known malware and unknown files. The tool is YARA. YARA matches files against rules: each rule declares the content to look for (text strings, byte sequences with wildcards, or regular expressions) and a condition that says when the file matches, for example how many of those strings must appear, where, and in files of what size or type. The YARA rule language is fully featured and offers enormous flexibility in the kinds of checks you can express.
At SANS, we like to teach by example. So rather than just talking about YARA rules, we will write some to detect binaries from the Mandiant APT1 report. Bring a laptop and you can play along as we walk through the examples. By the end of the session, you'll be building YARA signatures like a champ!
We will rewind time to before the infamous report and assume you have located a malicious binary in your environment. Now we want to find other unknown samples from the same attacker group.
We will work through simple rules you can build with YARA to identify samples that may be related to known attacker groups. YARA lets you build the kind of knowledge base you've always wanted to have in your organization and check new samples against it automatically.
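As an added example of the kind of rule the session builds up to (this is editor-written illustration, not a rule from the talk or from the APT1 report), the two rules below show the main building blocks: text strings, a hex pattern with wildcards, cheap header and size checks in the condition, and one rule referencing another to express "related to a known family". Every string, byte sequence and rule name is a constructed placeholder for a hypothetical dropper, not a real indicator.

```yara
// Added example: a hand-written rule for a hypothetical dropper.
// Every string and byte pattern below is a constructed placeholder,
// not an indicator from the APT1 report or any real sample.
rule Hypothetical_Dropper_Sample : dropper
{
    meta:
        description = "Constructed indicators for a hypothetical dropper (example only)"
        reference   = "none - all strings are placeholders"

    strings:
        // Build artifacts and hard-coded values tend to survive across
        // variants compiled by the same group, so they make good anchors.
        $pdb  = "\\Release\\dropper.pdb" ascii
        $ua   = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" ascii wide
        $cmd  = "cmd.exe /c del " ascii
        $key  = "dEaDbEeF-Cfg" ascii

        // Hex pattern with wildcards (??): a short code sequence where
        // a register choice or an offset byte may vary between builds.
        $code = { 33 C0 8B ?? ?? 04 33 D2 F7 F1 }

    condition:
        // Cheap checks first: PE magic "MZ" and a size cap keep the rule
        // from spending time on large or irrelevant files.
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        (
            // Either two of the text anchors, or the code pattern plus one anchor
            2 of ($pdb, $ua, $cmd, $key) or
            ($code and 1 of ($pdb, $ua, $cmd, $key))
        )
}

// A rule may reference another rule by name. This is the "knowledge base"
// idea: a broader family rule builds on the sample-specific one, so a new
// file is checked against everything you already know in one pass.
rule Hypothetical_Dropper_Family : dropper family
{
    strings:
        $cfg_marker = "cfg_v" ascii   // hypothetical config-block prefix

    condition:
        Hypothetical_Dropper_Sample or
        (
            uint16(0) == 0x5A4D and
            #cfg_marker >= 2 and           // at least two occurrences...
            $cfg_marker in (0..4096)       // ...one of them near the start of the file
        )
}
```

Save the rules as a file and run them over a directory of samples with `yara -r rules.yar /path/to/samples`; add `-s` to print the strings that matched and `-m` to print each matching rule's meta section, which is how you check that a rule fires for the reason you intended rather than on an incidental string.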
BIO:
Jake Williams is a Certified Instructor for the SANS Institute and a technical analyst with the Department of Defense (DoD), where he has over a decade of experience in systems engineering, computer security, forensics, and malware analysis.
Jake has been providing technical instruction for years, primarily with HBGary, where he was the principal courseware developer and instructor for their products. He also maintains malware reverse engineering courses for CSRgroup Computer Security Consultants. Recently, he has been researching the application of digital forensic techniques to public and private cloud environments. Jake has been involved in numerous incident response events with industry partners in various consulting roles.
Jake led the winning government team for the 2011 and 2012 DC3 Digital Forensics Challenge. He has spoken at numerous events, including ISSA events, SANS @Night, the DC3 conference, Shmoocon, and Blackhat.
Jake holds a Bachelor's degree in CIS, a Master's Degree in Information Assurance, and is currently pursuing a PhD in Computer Science. His research interests include protocol analysis, binary analysis, malware RE methods, and methods for identifying malware Command and Control (C2) techniques. He holds numerous certifications, including GREM, GCFE, GSNA, GCIA, GCIH, GCWN, GPEN, RHCSA, and CISSP.
Listen to Jake discuss "50 Shades of Hidden - Diving deep into code injection" in this SANS webcast that every DFIR professional should hear:
https://www.sans.org/webcasts/50-shades-hidden-diving-deep-code-injection-96665