FireEye Stories

Countdown to Black Hat USA 2020 — Come (Virtually) See FireEye!

Even though we won’t be able to join you physically in the Las Vegas desert this year, we are looking forward to joining you virtually from our homes for Black Hat USA 2020 this August 1 to August 6. Attendees can expect all of the same sessions, keynotes, trainings and more, but just without the crowds, heat, and lines for coffee and the restrooms.

So, grab the family, gather around with roommates, hop into a chat room with your peers and colleagues, or just tune in by yourself and listen as our FireEye experts share their insights on the latest from the front lines of cyber security.

The following is a chronological guide to everywhere FireEye will be virtually speaking at Black Hat so attendees can make the most of their time (note that all listed times are Pacific Time).

WINDOWS ENTERPRISE INCIDENT RESPONSE

Dates: Aug. 3-4
Type: Training
Instructor(s):

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. Regularly updated to include interesting attacker techniques and the most useful information for students, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.

REPURPOSING NEURAL NETWORKS TO GENERATE SYNTHETIC MEDIA FOR INFORMATION OPERATIONS

Date: Aug. 5 | 11:00am-11:40am
Type: Briefing
Presenter(s):

  • Philip Tully, Staff Data Scientist (@phtully)
  • Lee Foster, Senior Manager, Information Operations Analysis (@LeeFosterIntel)

Deep neural networks routinely achieve near human-level performances on a variety of tasks, but each new breakthrough demands massive volumes of quality data, access to expensive GPU clusters, and weeks or even months to train from scratch. AI researchers commonly release model checkpoints to avoid the wasteful duplication of these costly training runs, since fine-tuning pre-trained neural networks for custom tasks requires less data, time, and money compared to training them from scratch. While this emerging model sharing ecosystem beneficially lowers the barrier to entry for non-experts, it also gives a leg up to those seeking to leverage open source models for malicious purposes. Using open source pre-trained natural language processing, computer vision, and speech recognition neural networks, we demonstrate the relative ease with which fine tuning in the text, image, and audio domains can be adopted for generative impersonation. We quantify the effort involved in generating credible synthetic media, along with the challenges that time- and resource-limited investigators face in detecting generations produced by fine-tuned models. We wargame out these capabilities in the context of social media-driven information operations, and assess the challenges underlying detection, attribution, and response in scenarios where actors can anonymously generate and distribute credible fake content. Our resulting analysis suggests meaningful paths forward for a future where synthetically generated media increasingly looks, speaks, and writes like us.

CAPA: AUTOMATICALLY IDENTIFY MALWARE CAPABILITIES

Date: Aug. 5 | 11:00am-12:00pm
Type: Arsenal
Presenter(s):

  • Moritz Raabe, Staff Reverse Engineer (@m_r_tz)
  • William Ballenthin, Senior Staff Reverse Engineer (@williballenthin)

capa is an open-source tool that detects capabilities in programs to reduce the time-to-triage and make malware analysis more accessible. Anyone dealing with potentially malicious programs and especially forensic, intelligence, and malware analysts can use capa to understand a sample's capabilities, role (downloader, backdoor, etc.), and any suspicious or unique functionality. capa takes automated malware triage to the next level going from simply saying "this is probably bad" to providing a concise description of what a program actually does. This report provides critical, decision-making information to anyone dealing with malware. capa uses a new algorithm that reasons over the features found in a file to identify its capabilities. The lowest level features range from disassembly tricks to coding constructs, while intermediate features include references to recognized strings or API calls. Users compose rules that train capa how to reason about features – and even the significance of other rules. This makes it easy for the community to extend the tool's abilities. We will describe how and why our tool works. We will also show to use it to enhance every malware analysis workflow. Furthermore, you will learn how to develop capability detections that extend capa.

MY CLOUD IS APT'S CLOUD: INVESTIGATING AND DEFENDING OFFICE 365

Date: Aug. 6 | 1:30pm-2:10pm
Type: Briefing
Presenter(s):

  • Doug Bienstock, Principal Consultant
  • Josh Madeley, Manager

As organizations increase their adoption of cloud services, we see attackers following them to the cloud. Microsoft Office 365 is becoming the most common email platform in enterprises across the world and it is also becoming an increasingly interesting target for threat actors. Office 365 encompasses not only Exchange, but also Teams, SharePoint, OneDrive, and more. The sheer volume of data stored in Office 365 means that in many cases an attacker need not compromise the on-premise network to complete their mission. In this talk, we walk through a number of case studies taken from real APT intrusions that we've been a part of. We will begin with relatively unsophisticated techniques that are used by small-time actors and have been widely discussed. From there, we work our way up to the most sophisticated and stealthy techniques that we have only observed in the wild on a few occasions. These techniques utilize parts of Office 365 that are often poorly understood and not closely monitored. Along the way, we will provide insight into the various forensic artifacts available to an investigator and their many nuances. We will discuss some important gotchas that can trip up inexperienced analysts. Lastly, we will also discuss important best practices for administrators to defend their tenants against these increasingly sophisticated threats.

Socialize With FireEye

Remember to follow @FireEye, @Mandiant for our event news, and don’t forget to use the #BHUSA event hashtag when discussing Black Hat happenings.