TECH TRAINING 7 – ADVANCED MALCODE THREAT ANALYSIS
TRAINER: Dr. Jose Nazario (Arbor Networks)
CAPACITY: 20 pax
SEATS LEFT: REGISTRATION CLOSED
DURATION: 2 days (8th & 9th October 2012)
COST (per pax): MYR3999 (early bird) / MYR4999 (non early-bird)
OVERVIEW
As the pace of challenges facing every network – and the people who have to defend them – grows, the need for more comprehensive information grows with it. When you can’t wait for AV firms and IPS vendors to provide a remedy on your timescale, you need to take matters into your own hands: “I need to protect the network, but I don’t have a lot of time or resources.”
This course is designed for information security professionals and enthusiasts who are tasked with protecting networks and businesses from a broad range of threats. This course will also suit people who are interested in learning more about the current Internet threat landscape. Students will learn how to identify new threats to their own networks and the internet at large, and how to protect against them.
Rather than focusing on reverse engineering and malcode dissection, we will instead focus on a simple approach that many people can use to quickly gather specific, usable information about threats. This course is not tool specific; instead it covers a broad approach and multiple techniques that can be used quickly to assess new threats and determine how to respond to them. The class uses open, freely available tools to facilitate analysis. No programming or networking experience is required, but some operational experience is expected in order to get the most out of the training.
At the end of the two-day session, you should be able to:
* Detect new malware and quickly gather information about it
* Identify malicious websites and discover their attack vectors
* Identify and react to phishing attacks
* Analyze vulnerability reports and translate this into a defensive posture
* Analyze exploit code to determine how to defend against it
* Build a knowledge repository for yourself and your team
WHO SHOULD ATTEND
* Network security staff
* System administrators
* People interested in learning about malcode and threats
PREREQUISITES
* Decent knowledge of TCP/IP
* Decent knowledge of Windows systems and major APIs
* Participants should bring their own laptop (VMWare system optional but not a bad idea)
* Choice of Operating System is optional (either Windows, OSX, or Linux)
- While we handle malicious artifacts, you’ll want to make sure you don’t get infected
AGENDA
Day 1
i.) New malware analysis and response
ii.) Thinking like an analyst
iii.) WHOIS and DNS investigations
iv.) Analyzing software vulnerability reports
v.) Malicious and drive-by websites
Day 2
i.) Analyzing exploit code
ii.) Malware analysis advanced topics
iii.) Detecting scans and probes
WHAT TO BRING:
A working laptop with the following hardware/software requirements:
Hardware Requirements
* Intel 64-bit machine. Hardware must be able to run a 64-bit VM. If you can only get an Intel 32-bit machine you will still be able to do 85% of the labs, so don’t fret.
* MINIMUM 2048 MB RAM required. If you can only get 1GB then you will get by but just slowly.
* Wireless network card – no wired network provided
* 20 GB free hard disk space
* USB 2.0 port to copy lab VMs
Operating Systems (one of the following)
* Windows XP SP2/SP3 or Windows 7 (I don’t trust Vista so you are on your own, but go for it)
- Administrator access mandatory
- If it’s a company laptop with user access only, get your administrator to allow USB and install the latest version of VMWare Player
- Ability to disable Anti-virus / Anti-spyware programs
- Ability to disable Windows Firewall or personal firewalls
- An SSH client, such as PuTTY
OR
* Linux kernel 2.4 or 2.6 required
- Root access mandatory
- Ability to use an X-windows based GUI environment
- SSH should be available