Knowledge Graph driven threat intelligence for cross platform security research
In this talk, we will first discuss the most recent competitive coevolution traits of the emerging malware families targeting cross-platform compute environments. The coevolution will tabulate the top 30 new features/behavior changes introduced by modern operating systems and how malware authors are counter-attacking these new features. These families include, but are not limited to, the following:
- Rootkits (Linux and Android)
- Bots targeting banking applications and premium services (Android)
- Ransomware families (Linux)
- Aggressive adloaders and potentially unwanted apps (macOS)
Based on the competitive coevolution baseline we establish in the first part of the talk, we will formally define a framework powered by a Knowledge Graph that is relevant to security researchers and threat intel analysts investigating and responding to real-world security incidents. As part of the talk, we will also cover a detailed deep-dive reverse engineering case study of a popular bank bot malware targeting the Android platform and a ransomware variant targeting the Linux platform. This case study will highlight the use case of the graph-based approach for deep-dive malware reverse engineering tasks. The second part of the talk will walk the audience through:
- how a malware family continuously evolves against the newer security defenses deployed by the platform and security products;
- how researchers and TI analysts can automate the process of mining actionable threat intel using a graph-based approach;
- how this framework can be plugged into existing analysis environments to produce standard research artifacts, such as a MITRE ATT&CK matrix for a given malware.
The talk will conclude with how the audience can apply the concepts discussed, using open source libraries and frameworks, to create proofs of concept customized to their individual research problems.