Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Me Myself and I, Robot

11236_afc74c3d-babf-4777-a189-120150aeec74Growing up I read every book my library had to offer by Jules Verne and Isaac Asimov. These and many other similarly minded authors inspired me to think far beyond "what is" into "what might be". I was so excited about the ideas proposed by some of these early science fiction writers that I seriously considered post-graduate study in Artificial Intelligence (A.I.) before ultimately accepting a job as a Pentester. Yeah, I sold out early - so what. However, those initial seeds have stuck with me through my life and have continued their influence into my eventual career in computing and security. Imagination and idea creation are still invaluable tools that I credit directly to my world being expanded while reading under the covers with a flashlight as a boy.

"That's right. When I was your age, television was called books."
--The Princess Bride (1987)

Now, ████ years later as a Security Researcher with Trustwave SpiderLabs I get to spend a percentage of my time working on pet1 research projects. I am in the opportune position to be able to come full circle and attempt to seriously explore some of those exciting buds of ideas I once only day dreamed about while flipping through the pages of whichever Philip K Dick novel I had just discovered.

The purpose of this post is actually several fold. The first is to publicly announce the project I am about to work on because I am excited about it, and because by doing so I have taken the first step in being accountable for its progress. Secondly, by self-admission, I am no expert in this advanced field but I hope to document my progress here on this blog, both the happy successes AND the inevitable failures. Lastly, by posting here with my progress it is my hope that a discussion will be created with others out there who are also interested in this topic. To share ideas, and to brainstorm new approaches in such a way that the whole community can benefit from them.

 

So that all sounds pretty good right, but what am I talking about? What is the project actually about already?! Ok, you've read this far, so let me explain... no, there is too much, let me summarize here the best I can.

High Level Goals:

  1. To categorize, define, and otherwise classify potential malware based on the data and meta-data collected from existing automated forms of dynamic and static analysis tools.
  2. To apply the results to gigabytes of malware that we are currently processing daily in such a way to give us a clearer and deeper insights into the malware itself.
  3. To collaborate and breed in-depth technical discussions on these common problem sets that we as a security community share as a whole.

General Process:

  1. Meaningfully parse the output from tooled sandbox and static analysis tool execution
  2. Create a categorization scheme from scratch, leverage existing, or some hybrid
  3. Study, develop and apply ML/NLP algorithms to categorize malware
  4. Review and refine processes and algorithms
  5. Rinse and Repeat

Probable/Potential Tools:

  1. Cuckoo Sandbox
  2. MAEC
  3. R
  4. PySci/RubySci(?)
  5. Python/Ruby

Make sense? I want to use some form of AI/ML/NLP to help make sense of the crazy amounts of malware report output we produce everyday. I know this is not a new idea by any stretch of my previously mentioned overactive imagination. I was lucky enough to attend REcon last year in Montreal. While attending, there were more than a couple of talks that discussed similar goals, whether it was through automatically analyzing call graphs of disassembled binaries, or just talking about applying machine learning at an abstract level in the computer security world. I left the conference very excited and my head was swimming with ideas. So I know some very smart people are already looking into these very sorts of issues. It is clear that my first goal will be to tackle the large amount of reading and discussions it will take to catch up on the current state of work in this field. Maybe someone is already working on this EXACT sort of thing, and that could take me 95% of the way to achieving my goals (please, oh please!), or maybe there is an existing Open Source project out there that is established and well on its way? Maybe there are some obvious tools and/or resources that I have not listed here. What are they? Leave a comment below or hit me up on Twitter. Whatever the answers are, I am looking forward to this upcoming research quite a bit and I hope a few of you might be interested as well.

The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...' -Isaac Asimov

Anyone come across anything "that's funny" lately?
-@Rnast

---

1Obvious caveat statement about the "pet project" work being relevant to our goals goes here.

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More