Presented at the VB2023 conference in London, 4 - 6 October 2023.
↓ Slides: www.virusbulle...
↓ Paper: www.virusbulle...
→ Details: www.virusbulle...
✪ PRESENTED BY ✪
• Guillaume Couchard (Sekoia.io)
• Erwan Chevalier (Sekoia.io)
✪ ABSTRACT ✪
Infection chains used by commodity malware evolve frequently and use various tricks to bypass security measures and/or user awareness. BumbleBee, QNAPWorm, IcedID and Qakbot are all frequently used as first-stage malicious code, allowing other, more specific payloads to be dropped.
This presentation will be in three parts: an overview of the infection chains and common detection methods used against them, how generic detection rules on these infection chains can help in the fight against botnets, and finally how threat intelligence at scale, combined with the rest, creates a solid defence.
First, we will share our analysis of the evolution in the infection chains of a few of the most common botnets seen in 2022 and early 2023. This study will show how quickly their techniques evolve. It will also cover some detection use cases for these techniques, and finally show how pointless it can be to build overly specific detection rules for these types of threats.
Secondly, we will dig into the creation of more generic rules against known infection chains in order to detect future threats. Moreover, we will show how these rules can be relevant and more effective than classic detection rules which focus on a single technique inside an infection chain. These generic rules are based on Sigma correlation, which allows several Sigma rules to be combined and triggered together depending on criteria such as a time range.
Finally, and as an opening to further discussions, we will present our own threat intelligence and detection pipeline which, thanks to command-and-control server tracking, sample configuration extraction and detonation, allows detection rules to be tested for non-regression, all in a common workflow.
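The abstract describes generic rules built on Sigma correlation: several atomic Sigma rules fire independently, and a chain alert is raised only when enough distinct stages are seen on the same host within a time window. The script below is an added illustration of that correlation logic, not code from the talk or from Sekoia.io; the rule names in LOADER_CHAIN and the alert feed in SAMPLE_ALERTS are constructed for the example and model a generic phishing-to-loader chain. It implements both a plain temporal check (any order) and an ordered variant, which goes slightly beyond the abstract's own wording.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical atomic Sigma rule names for one generic loader chain:
# archive written by the mail client -> script host spawned from explorer
# -> rundll32 loading a DLL from a temp directory. The tuple order is the
# expected stage order for the ordered check.
LOADER_CHAIN = (
    "mail_client_writes_archive",
    "wscript_spawned_from_explorer",
    "rundll32_loads_dll_from_temp",
)
WINDOW = timedelta(minutes=10)  # sliding window for the correlation
MIN_STAGES = 3                  # distinct stages needed to raise a chain alert

# Constructed alert feed: (rule name, ISO timestamp, host).
SAMPLE_ALERTS = [
    # WS-01: full chain, in order, within two minutes -> correlates
    ("mail_client_writes_archive", "2023-10-04T09:00:05", "WS-01"),
    ("wscript_spawned_from_explorer", "2023-10-04T09:01:10", "WS-01"),
    ("rundll32_loads_dll_from_temp", "2023-10-04T09:01:40", "WS-01"),
    # WS-02: the same rule firing three times is still one stage -> no chain
    ("rundll32_loads_dll_from_temp", "2023-10-04T11:30:00", "WS-02"),
    ("rundll32_loads_dll_from_temp", "2023-10-04T11:31:00", "WS-02"),
    ("rundll32_loads_dll_from_temp", "2023-10-04T11:32:00", "WS-02"),
    # WS-03: two stages, but more than the window apart -> no chain
    ("wscript_spawned_from_explorer", "2023-10-04T14:00:00", "WS-03"),
    ("mail_client_writes_archive", "2023-10-04T15:10:00", "WS-03"),
    # WS-04: all three stages but in reverse order -> unordered check only
    ("rundll32_loads_dll_from_temp", "2023-10-04T16:00:00", "WS-04"),
    ("wscript_spawned_from_explorer", "2023-10-04T16:00:30", "WS-04"),
    ("mail_client_writes_archive", "2023-10-04T16:01:00", "WS-04"),
]


def _stages_in_order(window_events, chain):
    """True if the first occurrence of each chain stage in window_events
    (already time-sorted) appears in the order given by chain."""
    first_seen = {}
    for ts, rule in window_events:
        first_seen.setdefault(rule, ts)
    by_time = sorted(first_seen.items(), key=lambda kv: kv[1])
    positions = [chain.index(rule) for rule, _ in by_time]
    return positions == sorted(positions)


def correlate(alerts, chain, window, min_stages, ordered=False):
    """Sigma-correlation style temporal rule over atomic rule hits.

    Fires once per host, the first time at least `min_stages` distinct chain
    stages are seen within a sliding `window`. With ordered=True the stages
    must also first appear in the order given by `chain`.
    Returns a list of dicts with host, window start/end and stages seen.
    """
    hits = []
    fired_hosts = set()
    per_host = defaultdict(deque)
    for rule, ts_str, host in sorted(alerts, key=lambda a: a[1]):
        if rule not in chain:
            continue  # hit from a rule outside this chain, ignore it
        ts = datetime.fromisoformat(ts_str)
        q = per_host[host]
        q.append((ts, rule))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        stages = {r for _, r in q}
        if len(stages) < min_stages or host in fired_hosts:
            continue
        if ordered and not _stages_in_order(list(q), chain):
            continue
        fired_hosts.add(host)
        hits.append({
            "host": host,
            "start": q[0][0].isoformat(),
            "end": ts.isoformat(),
            "stages": tuple(sorted(stages, key=chain.index)),
        })
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_ALERTS, LOADER_CHAIN, WINDOW, MIN_STAGES):
        print("unordered:", h)
    for h in correlate(SAMPLE_ALERTS, LOADER_CHAIN, WINDOW, MIN_STAGES, ordered=True):
        print("ordered:  ", h)
```

Run stand-alone, the unordered pass reports WS-01 and WS-04, while the ordered pass reports only WS-01; WS-02 shows why the count is over distinct rules rather than raw hits, and WS-03 shows the effect of the time window. A real deployment would key on a stable asset identifier rather than a hostname and would re-arm the per-host suppression after the window expires.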
When a botnet cries: detecting botnet infection chains - Guillaume Couchard & Erwan Chevalier