Speeding Up Triage and Incident Response By Speaking to Malware

  • Webcast Aired Monday, 01 May 2017 1:00PM EDT (01 May 2017 17:00 UTC)
  • Speaker: Todd O'Boyle

In order for an attacker to steal from you, they need persistent access, which means their command and control (C2) channel has to be reliable and resilient to takedown. That is the main reason why over 90% of malware uses DNS for command and control and exfiltration.* The good news is that this persistence is something defenders can use against the attackers to find their access and then improve how they respond. In this session, geared toward security operators and incident responders, Todd O'Boyle of Strongarm will explain a new approach that goes beyond simply blocking and dropping malware C2. Attendees will learn how to 'speak malware.' A critical step in knowing how to respond to a threat is being able to communicate with it, in order to understand where it is operating and what it is trying to do. Maintaining a connection with the infected device yields information that saves analysts time and shortens the time to resolution. Attendees of this session will learn how 'speaking malware' can eradicate an infection by using the malware's own communications against the attacker.
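The abstract above describes keeping the C2 conversation alive instead of dropping it. The simplest form of that is a DNS sinkhole: answer lookups for known C2 domains with an address you control, so the infected host keeps calling in and identifies itself. The following is an added example written for this page, not Strongarm's product or anything from the webcast. It parses a raw DNS query, decides whether the name (or any parent domain) is on a constructed blocklist, and if so answers with a sinkhole address while recording which client asked; everything else is handed back as "forward upstream". The blocklist entries, the sinkhole address `10.0.0.53`, and the client addresses are assumptions made up for the example.

```python
import socket
import struct
from collections import defaultdict

# Constructed for this example: C2 domains to sinkhole and the address of the
# listener that will keep talking to infected hosts (both are assumptions).
C2_BLOCKLIST = {"c2.example.net", "update.example.org"}
SINKHOLE_IP = "10.0.0.53"


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query (flags 0x0100 = RD) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Parse header + single question. Returns (txid, qname, qtype, question_bytes)."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        raise ValueError("only class IN is supported")
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def is_c2_domain(qname: str, blocklist=C2_BLOCKLIST) -> bool:
    """True if qname itself or any parent domain is on the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_sinkhole_answer(txid: int, question: bytes, ip: str, ttl: int = 60) -> bytes:
    """Authoritative A answer (flags 0x8580 = QR|AA|RD|RA) pointing at the sinkhole.
    The short TTL lets you withdraw the record once the host is cleaned."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def decode_answer(response: bytes):
    """Pull (txid, flags, ancount, answer IP or None) back out of a response."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    ip = socket.inet_ntoa(response[-4:]) if ancount else None
    return txid, flags, ancount, ip


class Sinkhole:
    """Per-query decision: sinkhole C2 names, remember which hosts asked."""

    def __init__(self, sinkhole_ip=SINKHOLE_IP, blocklist=C2_BLOCKLIST):
        self.ip = sinkhole_ip
        self.blocklist = blocklist
        self.hits = defaultdict(set)  # qname -> set of client IPs seen asking

    def handle(self, client_ip: str, packet: bytes):
        """Return a sinkhole response for C2 lookups, or None meaning
        'forward upstream as usual' for everything else."""
        txid, qname, qtype, question = parse_query(packet)
        if not is_c2_domain(qname, self.blocklist):
            return None
        self.hits[qname].add(client_ip)  # the infected host just identified itself
        if qtype != 1:
            # Non-A lookups get an empty NOERROR reply so the malware keeps
            # retrying (and keeps telling us where it is) rather than erroring out.
            return struct.pack("!HHHHHH", txid, 0x8580, 1, 0, 0, 0) + question
        return build_sinkhole_answer(txid, question, self.ip)


if __name__ == "__main__":
    s = Sinkhole()
    s.handle("192.0.2.10", build_query(0x1234, "beacon.c2.example.net"))  # constructed
    s.handle("192.0.2.11", build_query(7, "www.sans.org"))                 # constructed
    for name, hosts in s.hits.items():
        print(f"{name}: infected hosts {sorted(hosts)}")
```

In a real deployment the `handle` method would sit behind a UDP socket on port 53 and the `None` path would relay to the upstream resolver; the `hits` map is the triage output, because each entry is a host that is still trying to reach its operator and can be isolated or imaged.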

To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together the most influential group of experts, the highest quality training, and the greatest industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses, and learn how to better protect your organization
  • The opportunity to network with fellow attendees at receptions and community-building events
  • A DFIR NetWars tournament to sharpen your skills and solve incident-related challenges