Malware Triage IOCs - Using Open Data to Help Develop Robust Indicators, presented at hack.lu 2016

by Sergei Frankoff and Sean Wilson

Summary: Whether you are in the enterprise using malware triage as a gate to your incident response process, or a researcher using triage as a way to identify interesting malware samples, Indicators of Compromise (IOCs) will serve as the feedback loop in your triage process.
As a malware sample makes its way through your triage process, the output should be an IOC. Not only will the IOC be used as part of your malware hunting process, but it can also be used in future triage to avoid re-analyzing similar samples. The key to an efficient triage process is robust IOCs: the more robust your IOC, the more variations of malware it will cover and the less time you will have to spend re-analyzing similar samples.
We present an iterative approach to building robust malware indicators: first developing primary indicators, then mining open data for related malware samples, then using the collection of similar samples to build robust IOCs, and finally testing the IOCs for effectiveness. We will cover multiple free tools that can assist with using primary indicators as pivots to mine open data repositories, as well as with testing the effectiveness of your IOCs. During the presentation we will use real malware samples and demonstrations to walk through each step in the process.
This is not a workshop about IOC formats; it is about the process used to build an IOC. We briefly cover the basics of Yara and OpenIOC, but any format can be used with the process we teach.
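The four steps above (primary indicator, pivot search, robust rule from the related set, effectiveness test) are easiest to see end to end on a small corpus. The script below is an added example written for this page, not code from the workshop or its authors. The "repository" of samples and every string in it are constructed; real pivoting would run against open data services and real rules would be written in Yara or OpenIOC. The matching logic only imitates a Yara-style "N of them" condition over extracted strings, so the script runs with the standard library alone.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed toy sample repository: three variants of one hypothetical family
# plus two benign binaries. Bytes stand in for the printable strings one would
# pull out of real samples with `strings`; none of these values are real IOCs.
REPOSITORY: Dict[str, bytes] = {
    "variant_a": b"\x00MZ\x90\x00Global\\bot_mtx_7f3a\x00/gate/check.php\x00"
                 b"C:\\work\\bot\\release\\bot.pdb\x00User-Agent: Mozilla/4.0\x00",
    "variant_b": b"\x00MZ\x90\x00Global\\bot_mtx_7f3a\x00/gate/check.php\x00"
                 b"D:\\build\\v2\\bot.pdb\x00User-Agent: Mozilla/4.0\x00SetWindowsHookExA\x00",
    "variant_c": b"\x00MZ\x90\x00Global\\bot_mtx_7f3a\x00/gate/check.php\x00"
                 b"User-Agent: Mozilla/5.0\x00VirtualProtect\x00",
    "benign_updater": b"\x00MZ\x90\x00User-Agent: Mozilla/4.0\x00/update/check.php\x00"
                      b"C:\\work\\updater\\release\\updater.pdb\x00",
    "benign_service": b"\x00MZ\x90\x00Global\\svc_mtx_1234\x00VirtualProtect\x00SetWindowsHookExA\x00",
}
BENIGN_NAMES = ["benign_updater", "benign_service"]

# Constructed hold-out set: samples the rule has never seen, used in step 4.
UNKNOWN_FAMILY: Dict[str, bytes] = {
    "variant_d": b"\x00MZ\x90\x00Global\\bot_mtx_7f3a\x00/gate/check.php\x00E:\\x\\bot.pdb\x00",
    "variant_e": b"\x00MZ\x90\x00Global\\bot_mtx_9c1d\x00/gate/check.php\x00",  # mutex renamed
}
UNKNOWN_BENIGN: Dict[str, bytes] = {
    "benign_tool": b"\x00MZ\x90\x00/gate/check.php\x00User-Agent: Mozilla/4.0\x00",
}

MIN_STRING_LEN = 6


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def pivot_search(repo: Dict[str, bytes], indicator: str) -> List[str]:
    """Step 2: use one primary indicator as a pivot to collect related samples."""
    return sorted(name for name, data in repo.items() if indicator in extract_strings(data))


def build_rule(repo: Dict[str, bytes], related: Iterable[str], benign: Iterable[str]) -> List[str]:
    """Step 3: keep strings present in every related sample and absent from every benign one."""
    common = set.intersection(*(extract_strings(repo[n]) for n in related))
    noise = set().union(*(extract_strings(repo[n]) for n in benign))
    return sorted(common - noise)


def rule_matches(rule: List[str], data: bytes, n_required: int) -> bool:
    """Yara-style 'N of them' condition evaluated over the rule's strings."""
    found = extract_strings(data)
    return sum(1 for s in rule if s in found) >= n_required


def evaluate(rule: List[str], n_required: int,
             family: Dict[str, bytes], benign: Dict[str, bytes]) -> Tuple[int, int]:
    """Step 4: (true positives on unseen family samples, false positives on benign samples)."""
    tp = sum(rule_matches(rule, d, n_required) for d in family.values())
    fp = sum(rule_matches(rule, d, n_required) for d in benign.values())
    return tp, fp


if __name__ == "__main__":
    # Step 1: a primary indicator taken from the first sample. The PDB path is
    # precise but covers only that one build; the mutex name is a better pivot.
    print("pdb pivot  ->", pivot_search(REPOSITORY, "C:\\work\\bot\\release\\bot.pdb"))
    related = pivot_search(REPOSITORY, "Global\\bot_mtx_7f3a")
    print("mutex pivot ->", related)
    rule = build_rule(REPOSITORY, related, BENIGN_NAMES)
    print("rule strings:", rule)
    for n in (len(rule), 1):
        print(f"{n} of them -> (tp, fp) =", evaluate(rule, n, UNKNOWN_FAMILY, UNKNOWN_BENIGN))
```

The last two lines show the trade-off the workshop describes: requiring all of the rule's strings gives no false positives but misses the variant that renamed its mutex, while "any of them" catches that variant at the cost of flagging a benign tool that shares one string. Deciding where to set that threshold, and re-running the test as new samples arrive, is the feedback loop.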
Key takeaways include:
familiarization with the use of IOCs in the malware triage process
a standardized process for developing robust IOCs
exposure to a quiver of free tools useful for indicator pivot searching
how to test IOC effectiveness with unknown samples
Equipment you need:
You must have a computer (preferably a VM) that you are comfortable analyzing malware with; if it is a work computer, please check with your IT staff.
You must have Administrator/Root privileges and the ability to install software on your computer.
You must have the ability to disable any anti-virus software on your computer.
This workshop is aimed at incident responders and malware analysts who have a basic understanding of malware and the malware triage process. However, this is not an advanced course, and deep knowledge of reverse engineering and malware analysis is NOT required.