Cyber security is one of the most challenging topic in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do ? What dificulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path ? Why is not enough an automated system ? Marco will talk about real experiences on the cyber analyst field.
4. Profilo aziendale YOROI
Today’s Host
● PhD in Bologna Joint UCDavis
○ Cyber Security, Penetration Testing US Voting Machines
○ Books and Publications
● NIST
○ OEVT
○ Penetration Testing methodologies to help US Democracy
● Palantir
○ Product Company
○ Intelligence Company
● Yoroi
○ One of the most extraordinary cyber security company founded
in Europe (Hakin9)
5. Profilo aziendale YOROI
Who they are!
Nowadays is not a trivial topic:
● Deep Learning Machines
● Cognitive Computing
● Machine Learning Algorithms
● Neural Networks
Undermine the Human side of Cyber Security Analysis.
But could that technology really take off the human side of this job ?
6. Profilo aziendale YOROI
Who they are!
Dark Avenger Mutation Algorithm (1993)
It could produce some decryptor cases
that appeared only in about 5% or less
of all cases. However, the engine had a
couple of minor limitations that were
enough to detect the virus reliably
using an instruction size disassembler
and a state machine. In fact, there is
only one constant byte in an MtE
decryptor, the 0x75 (JNZ), which is
followed by a negative offset—and
even that is placed at a variable
location (at the end of the decryptor,
whose length is not constant).
7. Profilo aziendale YOROI
Who they are!
Super Simple Malware Evasion Technique.
Credits: https://www.exploit-db.com/34591
8. Profilo aziendale YOROI
Who they are!
Red Pill Approach
credits: A fistful of red-pills: How to
automatically generate procedures to
detect CPU emulators
10. Profilo aziendale YOROI
What they do!
● Day 1, Morning. A phone call (from IT department) saying a server
is performing weird network requests.
● Day 1, Afternoon. A VMWare image is sent to Cyber Analyst email
box
he’ gotta run !
11. Profilo aziendale YOROI
What they do!
Apport -> Intercepts crashes right when they happen the first time, gathers system information and send back to
developers stack traces and useful infos to fixt the crash
package-data-downloader -> used by software installers such as dpkg and apt.
19. Profilo aziendale YOROI
What they do!
Ok, we’ve got password exfiltration every crash dump and every
software update and machine control since ssh is available.
But how they trigger persistence on a server ?
Maybe attackers trigger crashes from
outside ?
21. Profilo aziendale YOROI
What they do!
Ok, we know pretty much a lot of things about the intrusion even how
they get persistence...
But why the user reported a “strange
behavior” ?
Maybe attackers needed such a server as
pivot server ?
Oh..Oh !!
22. Profilo aziendale YOROI
What they do!
Here we go !
A nice SEH BOverflow on Windows
We need to asks for
another server Image
….. :D
Ok not today...
23. Profilo aziendale YOROI
What they do!
It was a quite original way to
penetrate a system… is it a new
fancy opportunistic way ?
30. Profilo aziendale YOROI
Where they are!
● Unfortunately there is not a full learning path to become Cyber
Security Analyst so far.
● There are a lot of classes on:
○ Reverse Engineer
○ Firmware Analyses
○ Forensic Analyses
○ Penetration Testing
○ Vulnerability Assessments
○ Secure Policy Assessment
○ . . . . .
● But a Cyber Security Analyst should be able to perform each of
these actions + human interactions + strategic thinking +
organization chart knowledge + problem solving