Name: Applying YARA to Uncover Hidden Phishing Threats
Start: 2020-11-03T17:00:00Z
End: 2020-11-03T17:40:00.000Z
Location: BrightTALK

ReversingLabs is the leading provider of explainable threat intelligence solutions that shed the necessary light on complex file-based threats for enterprises stretched for time and expertise. Its hybrid-cloud Titanium Platform enables digital business resiliency, protects against new modern architecture exposures, and automates manual SOC processes with a transparency that arms junior analysts to confidently take action.

According to Microsoft, Nobelium — the threat actor behind the successful Sunburst attack —targeted over 140 software and service providers in 2021, and likely breached 14 of them. Other sophisticated attackers, such as Lazarus Group and HoneyMyte, were also focused on the tampering of software from trusted providers to gain entry into target enterprises. 

The problem at hand is that these new malicious methods are often invisible to traditional code reviews, especially if modifications were made to binaries during the final integration and release stage. There are a number of questions engineering and security teams are starting to ask now that software integration and delivery pipelines are directly targeted by attackers.

What new application security challenges will software engineering teams face? 
How can software engineering evolve its security assessments going forward? 
What role will the cybersecurity Executive Order and other new regulations play in that evolution? 
What practical steps can be taken to identify tampering and protect downstream users?

How Nobelium Exposed the Software Release Process for Future Attacks

With malicious actors focusing on compromising software development and delivery processes, adding software assessments to identify software tampering is critical for protecting customers and partners.
 
During this session Erik Thoen, Vice President of Product Management - ReversingLabs, will discuss why software vendors have struggled to detect indicators of supply chain attacks with existing vulnerability scanning approaches.  He’ll also demonstrate how software engineering and release teams use ReversingLabs Software Assurance to improve observability, assess release readiness, and prioritize remediation efforts to reduce supply chain risks.
 
What will you learn:
Why defending against the next attack requires a new approach
How release candidates can be assessed without access to source code or build manifests
How to identify new attack indicators such as unexpected behaviors or suspicious behavioral changes
How to find and prioritize other software issues that increase the risk profile
Why phased implementation plans set you up for success

A Step-by-Step Walk Through of the ReversingLabs Software Assurance Service

How to Put Ransomware Analysis, Protection & Hunting Into Action

Reviewing the REvil Ransomware Timeline to Secure the Future

Cobalt Strike, the popular penetration tool, has been abused by threat actors for years with thousands of abuse instances being recorded. Existing abuse can range from ransomware deployment to surveillance to data exfiltration and it’s presence can be the only noticeable precursor to a ransomware infection.

During this session, Patrick Knight, Sr. Threat Researcher & Architect at ReversingLabs, will discuss how penetration tools like Cobalt Strike, PsExec and Mimikatz variants are abused by cybercriminals and common tools for APT groups. Patrick will use Cobalt Strike as an example to cover the different stages of a ransomware infection, why response plans need to map to a particular stage of an attack, the common tools involved at each stage of the attack, and the hunting methods required to analyze artifacts in order to prevent becoming a victim.

You’ve found Cobalt Strike on your Network. Is it Being Weaponized?

The risk of supply chain attacks is only increasing as malicious actors target development environments and delivery processes to morph trusted software into a weapon. Today various stages of supply chain attacks can be executed with tampered software or malware masquerading as trusted applications and updates.

During this webinar, Jasmine Noel, Sr. Product & Solutions Marketing, will cover why existing application security testing and software composition analysis have struggled to reliably detect indicators of tampering, the differences between tampering and vulnerabilities, and the three tampering detection techniques required to improve visibility across the software supply chain. This will include covering which indicators must be detected, what software artifacts must be assessed, and when assessments must occur.

3 Ways Detecting Software Tampering Differs From Finding Vulnerabilities

Over the past year, a major change in tactics employed by ransomware adversaries has been to exfiltrate data from the victim's environment. This data then serves as the material for an extortion threat on top of the ransom for encrypted data, and has become a common tactic by most major ransomware families. To support this tactic, some ransomware operators have added a specific type of malware to perform this exfiltration to their intrusion set.

During this webinar, Rob Simmons, Independent Malware & Threat Researcher at ReversingLabs, will analyze a ransomware sample that performs data exfiltration in his malware lab. Rob will show how the malware uploads a set of files from the victim's computer to command and control servers, how to identify anti-analysis behavior, and then how to hunt for related variants of the same malware.

How to Hunt for Ransomware Variants in Your Malware Lab - Data Exfiltration

The industry is quickly maturing beyond the need to just respond to attacks. Given the increasing risk associated with digitized business, organizations are realizing they need to assess threats targeting their own organization and stay ahead of attackers. They need to understand what might happen next, as well as what has already happened. This requires actively looking at the files across all sources of incoming digital content including email, web, file shares, file upload applications and storage, software releases and supply chain. This is the underlying driver behind the Malware Lab- to centralize malware analysis and research, consolidate tools, and automate processes in order to gain visibility into how threat actors might attack their organization, as well as serve the needs of incident responders.

In this session, we’ll discuss:

- Why organizations are moving toward understanding adversary and attack behaviors locally, and those trends likely to impact their business.
- What key capabilities are required as part of the “Malware Lab” to not only respond to attacks, but to provide the needed visibility to thwart adversaries before they attack.
- How to consolidate and optimize file analysis tools, (e.g. static and dynamic analysis), accelerate investigation times and hunt for latent threats.
- How to apply more explainable IOCs and actionable insights on malicious payloads to prepare for an adversary's attack in advance.

Automating File Analysis: 5 Key Capabilities for Your Malware Lab

The SolarWinds breach was a wake up call to organizations worldwide - a sophisticated attack that applied time and patience to circumvent the developer build and release process in order to gain access to thousands of trusting customers.  During this session, Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabs, will pull back the curtain offering insights into how ReversingLabs helped to expose the origins of the SunBurst attack, discuss security gaps every developer and IT software management function must prioritize, and detail solutions necessary to mitigate these new risks. This will include:  

• Walking through the anatomy of the SunBurst attack. 
• Detailing how the build server and source code was compromised.
• Highlighting what contributed to the hunt and investigative process. 
• Discussing why xAST and AV need to be augmented to detect these attack types. 
• Recommending necessary technology and process requirements to detect similar future attacks.

Lessons Learned from the SolarWinds SunBurst Attack

Digital transformation represents perhaps the most significant business challenge facing organizations today, with the promise of improving business productivity, expanding market reach, optimizing product and service delivery, and improving customer satisfaction. Software has a big role to play, and has introduced new technologies, processes, and associated skills required to capitalize on this transformation. However, with this new dynamic environment comes some risk, as attackers are already exploiting vulnerabilities in the supply chain. Watch our webinar to hear how software supply chains are evolving and how security processes and controls can automate SOC response to potential risk by:  
- Validating open-source packages and other dependencies 
- Running build-time analysis and retro-scans of archived repositories for additional detection 
- Validating third-party software before re-packaging and distribution  We'll review the fundamental construct of contemporary supply chains, show examples of recent attacks targeting these environments, and how ReversingLabs file reputation and static analysis controls intervene to prevent the propagation of malware.

How to Inject Security Into the Software Development Lifecycle

Keeping up with the innovation in malware tactics can be a full-time job. Companies are learning the value of doing their own research into attacks and are building dedicated labs to learn how the attacks work. ReversingLabs has been helping a number of our customers build unified malware labs into their business processes that removes the complexity of supporting multiple tools and adds automation to effectively help security teams understand the malware and take action.

During this session, we’ll discuss:

- The value of safely adding a unified malware lab to your organization
- How customers are using their labs to understand attacks and respond faster
- The organizational benefits of providing malware as a service to business units
- Why having a dedicated lab will reduce the possibility of accidental infection

Building a Better Malware Lab

Developing your digital business means developing new web and mobile applications, migrating to cloud, and evolving DevSecOps practices to accelerate time to market. Yet cyberattackers have aggressively been targeting your software supply chain, including open-source repositories, to act as malware distribution platforms. With today’s software more reliant on third-party and open-source software, your software development lifecycle (SDLC) demands more checks to validate the integrity of your build, release and production software. In this session we discuss:  • How to secure your supply chain with rapid analysis, authoritative file intelligence, and increased threat visibility. • How to integrate security monitoring and Application Lifecycle Security into your SDLC • How to leverage CVE data against a list of IOCs to proactively prioritize patches and fixes • How to apply tools like YARA to retroactively scan for your risks across your release history.

5 Ways to Mitigate Costly Software Supply Chain Attacks

Ransomware isn’t going away. Many ransomware families have changed their tactics and victim-targeting in recent years. Rather than indiscriminate attacks against anyone they’re able to infect, they have moved to a process called “big game hunting”. The reality is many organizations simply don’t have the capabilities to find or remediate the threat in time. With the FBI reporting attackers generating over $61 million dollars from the Ryuk family alone we can be sure the evolution will continue.

Security teams are under increased pressure to build more effective solutions which includes the ability to proactively hunt for new attacks. In this webinar we will discuss the ways threats like ransomware operate and act as a conduit for other forms of attacks. 

• The current state of Ransomware and how it is becoming more targeted
• How to use the A1000 to hunt for threats using YARA
• How to bring new visibility about file risks into your SOC process
• How to apply this new intelligence on Ryuk to actively update your defenses

Understanding Attacks Like Ryuk Before It's Too Late

There's a big difference between having data and creating threat intelligence. ReversingLabs provides a modular, high volume file classification system that when integrated with Anomali Threatstream allows organizations to identify threats across your security landscape and create actionable threat intelligence. Together we allow analysts to speed the detection of threats and automate tasks typically assigned to security professionals.

ReversingLabs Enrichment for Anomaly ThreatStream

What if todays security analysts had access to the most timely and relevant threat intelligence, in a consumable easy to understand manner that was interpretable, verifiable, and explainable?  Watch our webinar as we examine the next generation of explainable threat intelligence solutions and how ReversingLabs has taken a fresh look at machine learning classification.  In this session, well discuss:  - How contemporary malware is challenging security teams, and why destructive object insights are so relevant; - How new explainable machine learning models are improving analyst malware knowledge and SOC productivity over time; - How the concept of transparency and being able to defend a classification decision is empowering the SOC team and facilitating cross functional collaboration; - How this new threat intelligence integrates to existing environments (e.g. SIEM, SOAR) and maps to common attack frameworks (MITRE ATT&CK).

Explainable Threat Intelligence - Moving Beyond "Black Box" Threat Convictions

Digital transformation, accelerated by COVID-19, is fueling expansion in rich new functionality for web and mobile applications. New digital processes rely on the creation, transfer, and sharing of rich content as files or binary objects that embody all the components needed to deliver the right experience to the recipient. A massive new problem is that applications now need to support thousands of different file formats that define the specific structures necessary to render that experience, even when they are simply classified as documents, archives, images or multimedia. Unfortunately these same files can be leveraged by attackers who insert malware into these objects, which often goes undetected by traditional security.  In this session, well discuss:  • How complex file structures are defined, and how high risk document, multimedia, and archive formats are commonly exploited within businesses today • How new digital business processes such as web and mobile app file uploads can unknowing deliver infected files into your organization • How you can leverage file analysis technologies within your new digital platforms to securely enable your digital business, and • How these technologies can be applied to detect destructive objects and accelerate your response actions without impacting the business.

How Dangerous File Uploads Disrupt Critical Business Web & Mobile Apps

Phishing continues to be a primary attack vector, preying on unsuspecting yet targeted end users who unintentionally infect their systems. Often these attacks introduce new or updated malware which can go undetected for months. And to exacerbate the security challenge, EDR systems don’t often retain histories of the binaries executed on local endpoints. So organizations are faced with the dilemma- how do I uncover phishing payloads across my endpoints months after their IOCs are known?  

In this webinar, we’ll discuss: 
 
● How to leverage an Email AbuseBox or “local repository” for suspicious Phishing attachments, and have this available for retro-hunting 

● How to create a custom YARA rule to search for a particular byte sequence indicative of new IOCs 

● How to apply these YARA rules across local repositories

● How to automate the retro-hunting process and alert on detections for action.

Applying YARA to Uncover Hidden Phishing Threats

Threat Hunting

Malware

Threat Intelligence

Threat Detection

Cyber Threats

Threat Assessment

Threat Analysis

Phishing

Cyber Attacks

Are you an IT service management professional interested in developing your knowledge and improving your job performance? Join the IT service management community to access the latest updates from industry experts. Learn and share insights related to IT service management (ITSM) including topics such as the service desk, service catalog, problem and incident management, ITIL v4 and more. Engage with industry experts on current best practices and participate in active discussions that address the needs and challenges of the ITSM community.

IT Service Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Applying YARA to Uncover Hidden Phishing Threats

Presented by

About this talk

More from this channel