This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Hiding in Plain Sight: When Malware Abuses Legitimate Services for Communications

  • Friday, April 21, 2017 at 11:00 AM EDT (2017-04-21 15:00:00 UTC)
  • Josh Reynolds
  • Cisco Systems


Malicious actors increasingly use modern hosting providers, such as Pastebin and Imgur, to quickly and effectively serve malicious content to users. Hosting malicious content on legitimate services makes it easier for threat actors to get past traditional defenses and blacklisting. It is difficult for hosting providers to detect malicious content within their services because of the obfuscation techniques threat actors use and the massive amount of content the providers host. Although the content can be inspected, it is not possible for networks to block these domains and IP addresses, as they're legitimate services.


This webinar will give you a glimpse into a number of modern malware variants abusing hosting services and discuss how they can be stopped.

In this technical webinar you will learn:

1. The type of hosting services that threat actors are abusing
2. The type of communications these services are being leveraged for
3. Common obfuscation and evasion mechanisms used within these communication channels when abusing cloud hosting services

Speaker Bio

Josh Reynolds

Joshua Reynolds is part of the Research & Efficacy Team at Cisco Systems, which helps increase the detection capabilities of the AMP for Endpoints and AMP Threat Grid product lines through a number of development efforts. He has spoken at BSides Calgary, RSAC, and SecRETs about his ransomware research efforts.

Joshua joined Cisco Systems, Inc. through the Sourcefire, Inc. acquisition, where he performed quality assurance for the AMP for Endpoints product line.

Prior to joining Sourcefire, Joshua interned at Red Hat Asia Pacific's Penetration Testing team while finishing his Bachelor's degree in Information Technology at Griffith University in Australia.

Joshua also holds a diploma of Information Technology from the Southern Alberta Institute of Technology, where he graduated with honors.
