I'm so excited to be here, because in my personal experience we have two parallel worlds, I mean between anti-malware researchers and you guys, the experts in forensic analysis; all your faces are completely new to me. This morning I told one of my colleagues that it feels like two different schools, like a karate school and a war school from Russia. But I'm very happy to be here and I would like to share with you some experience we got while analyzing complex threats. You can ask your questions right after my presentation, or even in the next days, by following me on Twitter. Many of the things we are going to say today I will ask the organizers not to put online, so feel free to ask any question you want by the end of the presentation; the sanitized version of the PPT is going to be different, seriously.

So let's start. When we speak about malware we have, well, traditional malware, right? What is traditional malware? It's malware built by cyber criminals, mostly, where the motivation is money. So the way you fight it and the way you analyze it is completely different: basically there are just four pieces, four steps you have to follow in order to say that your analysis is complete. You do the reversing, you make the detection or the signature, you make the update, and then you disinfect the environment. That's it. Why? Because the main motivation is money, so you have to stop the bad guys from stealing money. In many cases this is the whole analysis people may have for malware.

However, we have to remember that we actually live in an age of something that people like to call APTs. Have you heard that name, APTs? It's a very fancy name; actually I hate that name, because not all complex attacks are actually APTs, not all targeted attacks are actually advanced or persistent and such. So APT is just a fancy, MTV-style name for what we call complex attacks, or targeted attacks, or cyber espionage attacks. The point here is that you cannot fight those attacks and analyze them the same way you do with traditional malware. Why do I say this? We have to remember that malware itself is just a vehicle, a vehicle which allows one to achieve goals, and when we speak about complex attacks or targeted attacks we should remember that in most of the cases the threat actor behind it is a government. Yeah guys, it's a government. So malware is not the problem; it's just an artifact which is used to achieve certain goals. What kind of goals? Political goals, economic goals, espionage goals, even destructive goals and so on. So the focus we should follow here is a lot, a lot different, guys. It's not "yeah, you found malware, okay, let's detect it". No, it's a game actually, a big game like this one, you know, a very popular game in the US; you know the name, right? Even if you don't like it, even if you don't play, you're still a part of the game, even just sitting there. So, same for us, the analysts: when you find malware which comes from a very powerful threat actor, you just start the game. What I mean is you can't provide the detection immediately. If you do that you're stuck, because you will just destroy the operation; you will let the guys know, call them however you want, bad guys, intelligence office, government agency, whatever. If you make an immediate detection you will just burn the operation; you will let the attacker know that you know they are there. So what are the bad guys going to do? They might take several actions, counter-actions, even against you, like "okay, I'm smart, alright guys, I'm going to infect you now, I want to know what you know", or they will just destroy the operation, build new malware and come back, and you all say "yeah, we detected that sample".

"So we're fine, we were the first." So the idea here is different: when you get a sample, don't detect it. Start doing all kinds of analysis: reversing, extracting indicators of compromise, looking for C2s, looking for what kind of data it looks for in the system, and play the game. Let the attacker think that he is successful. Okay, how to do that? First, you have your bandwidth to the Internet, right? Just limit it: instead of giving, let's say, 10 gigabits per second, give him 1 megabit, that's it. And then start seeding false information, or just the information you want them to steal. That will give you time, first to misinform your adversary, then to investigate it all and get the complete picture, and finally, when you have it all, I mean everything about the attacker, you can just cut the pipe and provide the detection. If you don't do it this way you will always lose, always, because those guys will just keep changing the strategy and will come back to you with a lot more complex stuff. And please remember, if it's a government agency they also have other vehicles; they don't use only malware. They have traditional spam; they can even send real-life spies to see what you are doing, where you go, which is your business: "man, we're detecting your stuff, why are you trying to break our operations?" So there is always a cost. So while analyzing complex threats in your company, or in the companies of your customers, think like this. Don't think "yeah, we found it, we detected it and we removed it"; it's like you did nothing, basically.

Well, speaking about complex threats, there are different stages. Probably one of the most complex stages is how to find complex threats, because it's easy to read the report, it's easy to do the reversing when you have a sample; but if you don't have it, it's a problem, right? And this is one of the biggest problems nowadays. So the strategy you may follow is this: think as if you were already infected. Don't work on prevention; it won't work, it won't work, guys, because it's all about cost: how much are you worth to the attacker? If you are worth a lot, they will just assign a lot of resources, which includes money and scientific resources, and they will infect your machine completely. So think differently: think "okay, I'm already infected, my machines are infected, my network is infected", and then act. But what can you do, seriously, in real life? Well, you may do different things. First, work with your network traffic. The network traffic is something very important, since it doesn't matter who the actor is, what his motivations are or where he lives: each piece of malware, once inside the network, has to take your information away somehow. Yeah, there are some cases we found; let's say one APT called Machete. Those guys come from Latin America; it's an intelligence office from one of the South American countries, and basically they infect other governments, and the exfiltration of the information is by USB sticks, specially crafted USB sticks which have to be inserted into the machine; then the serial number is matched and the data is automatically copied to the flash drive. However, in most of the cases the bad guys still use the same protocols, the same traffic as you use when you browse. So probably one of the things you can do is to have intelligence on your outgoing traffic. The old school used to say "yeah, incoming traffic, IDS/IPS, firewall and blah blah blah". That's nothing, guys, I mean that's nothing when what you analyze is a complex threat. Look at the outgoing traffic, not the incoming traffic; I don't care about incoming traffic at all, seriously. I need to know what is going on with my outgoing traffic. So one of the simple things is just to build a small box, I call it the Happy Meal box: any device.

Just buy the cheapest one, build it up as a Linux machine, install Suricata and make a passive collection of the DNS requests. The advantage here: DNS packets are not encrypted, so look, perfect, it's plaintext; collect it all, and then you have made the very first step. You're going to see there is a lot of data you can collect in 24 hours, gigabytes, hundreds of gigabytes, but this is the very first step everybody must do. If you don't have intelligence on your outgoing traffic, basically you're like a blind man; you can't do anything. Well, the problem is, because everything sounds perfect, like "yeah, we're going to build this box and then we're fine", the problem is that some serious threat actors also understand that you may monitor outgoing traffic. So what did they do? Have you heard about the Equation APT? We announced it in February; the guys behind it are very smart, it's a very powerful government actually. So what they did: they knew "alright, if we just send traffic to an external web server with any domain, even the most fancy domain, basically we're going to be caught in the act". So what they did, the threat actor behind the Equation group, first they infected some universities here in the US,
and those universities served as proxies to get connected to the real C2s. So if you look in the Suricata logs you will see, well, somebody is just visiting, I don't know, the University of Phoenix or of Miami; well, who knows, maybe they just study something there. So this is a disadvantage or a problem when you're working with very advanced threat actors. Another problem is Duqu 2.0; we also announced it recently. Those guys also thought similarly; they said "we can't just send plain traffic right from infected machines to the C2s". So what they did: they built a kind of tunnel between the infected machines and your main gateway, the main gateway which gives access to the Internet. So basically it was an internal tunnel, and then everything that happens between your external firewall and the Internet, you don't have any vision of it. So probably the idea is also to collect DNS logs on both sides, internally and externally, after the gateway, right? So you will have two different pictures here.

Alright, another idea, guys, on how to catch an advanced attack or complex attacks. Well, the military doctrine says that sometimes it's very useful to install bombs or mines: you just protect yourself, and if a bomb explodes you will know something's going on around. So my idea, guys, and you might probably already have heard about it, is honeydocs. Build a server inside your network and seed honeydocs there; don't tell any of your employees "there is a server where we have honeydocs", just have it inside. Once one of those documents is opened you're going to get a trigger message, you're going to get a notice, and you know somebody got access to that document. So just put the mines in your network, right? And this is very easy: if they infect you, if they use, I don't know, very crazy techniques like packet fragmentation, encryption, transmitting only a few bytes at a time, so that you are lost, then when the document is opened, "whoa, yeah, we've got a problem". This is a very simple thing you can do; you will know "something's going on in my network", and then of course another investigation, and you'll find the guy. Another thing you can also do, a similar idea, is to have it in memory: just run very simple pieces of strings which are extremely interesting for the attackers, like fake user credentials.
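The passive DNS collection and the "collect on both sides of the gateway" advice above, as an added worked example (editor's code, not from the talk or from Kaspersky). It assumes Suricata writing DNS query events to eve.json in the `event_type: dns` / `dns.type: query` / `dns.rrname` shape; the log lines below are constructed for the example, and the hosts and names are made up.

```python
import json
from collections import defaultdict

# Constructed eve.json lines in the shape of Suricata "dns" query events
# (assumption: event_type "dns", dns.type "query", dns.rrname). Two sensors:
# one on the internal client segment, one just inside the Internet gateway,
# where the internal resolver (10.0.0.2) forwards queries. All made up.
INTERNAL_SENSOR = """
{"timestamp":"2015-08-05T09:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":1,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2015-08-05T09:01:03.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":2,"rrname":"WWW.Example.com.","rrtype":"A"}}
{"timestamp":"2015-08-05T09:01:04.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":3,"rrname":"www.example.com","rrtype":"AAAA"}}
{"timestamp":"2015-08-05T09:02:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":4,"rrname":"cdn.example.net","rrtype":"A"}}
{"timestamp":"2015-08-05T09:02:01.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":5,"rrname":"cdn.example.net","rrtype":"A"}}
{"timestamp":"2015-08-05T09:03:00.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":6,"rrname":"update.vendor.example","rrtype":"A"}}
{"timestamp":"2015-08-05T09:03:00.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","id":6,"rrname":"update.vendor.example","rrtype":"A","rdata":"198.51.100.20"}}
{"timestamp":"2015-08-05T09:04:00.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.2","proto":"UDP","dns":{"type":"query","id":7,"rrname":"campus-mirror.example.edu","rrtype":"A"}}
{"timestamp":"2015-08-05T09:04:01.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"192.0.2.44","proto":"TCP"}
"""

GATEWAY_SENSOR = """
{"timestamp":"2015-08-05T09:01:02.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"203.0.113.53","proto":"UDP","dns":{"type":"query","id":11,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2015-08-05T09:02:00.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"203.0.113.53","proto":"UDP","dns":{"type":"query","id":12,"rrname":"cdn.example.net","rrtype":"A"}}
{"timestamp":"2015-08-05T09:03:00.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"203.0.113.53","proto":"UDP","dns":{"type":"query","id":13,"rrname":"update.vendor.example","rrtype":"A"}}
{"timestamp":"2015-08-05T09:05:00.000000+0000","event_type":"dns","src_ip":"10.0.0.2","dest_ip":"203.0.113.53","proto":"UDP","dns":{"type":"query","id":14,"rrname":"mail.example.org","rrtype":"MX"}}
"""


def dns_queries(eve_text):
    """Yield (src_ip, normalized name) for each DNS query event.
    Answers and non-DNS events are skipped; names are lower-cased and the
    trailing dot removed so the same name always compares equal."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns") or {}
        if dns.get("type") != "query":
            continue
        yield ev["src_ip"], dns["rrname"].rstrip(".").lower()


def hosts_per_name(eve_text):
    """name -> set of source IPs that asked for it."""
    seen = defaultdict(set)
    for src, name in dns_queries(eve_text):
        seen[name].add(src)
    return seen


def rare_names(eve_text, max_hosts=1):
    """Names asked for by at most max_hosts distinct sources. A C2 beacon is
    usually rare inside a network; names everybody resolves are not interesting."""
    return sorted(n for n, hosts in hosts_per_name(eve_text).items()
                  if len(hosts) <= max_hosts)


def first_seen(baseline_text, today_text):
    """Names in today's log that never appeared in the baseline window."""
    known = set(hosts_per_name(baseline_text))
    return sorted(set(n for _, n in dns_queries(today_text)) - known)


def compare_vantage_points(internal_text, gateway_text):
    """Names resolved on one side of the gateway but not the other. A name the
    clients resolve that never reaches the gateway resolver was answered by
    something else inside (a local relay or tunnel); a name only the gateway
    sees came from a host the internal sensor does not cover."""
    inside = set(n for _, n in dns_queries(internal_text))
    outside = set(n for _, n in dns_queries(gateway_text))
    return {"internal_only": sorted(inside - outside),
            "gateway_only": sorted(outside - inside)}


if __name__ == "__main__":
    print("rare inside:", rare_names(INTERNAL_SENSOR))
    print("vantage diff:", compare_vantage_points(INTERNAL_SENSOR, GATEWAY_SENSOR))
    print("new vs. gateway baseline:", first_seen(GATEWAY_SENSOR, INTERNAL_SENSOR))
```

In the constructed data the name `campus-mirror.example.edu` is resolved by one internal host but never leaves through the gateway resolver, which is exactly the kind of gap the two-sided collection is meant to expose; in production the baseline would be days of the same sensor's output rather than the other sensor's.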

A fake username, a fake password, and once that range of memory is accessed you're going to get a notification about that incident, and again you cut it. So this is a very easy technique, but again it will only work if you think differently: you don't count on prevention; you work on the assumption that you're already compromised, thinking "okay, my network is already infected", right?

Once we've got this sample, what do we do? Well, we have to do the technical analysis of the sample, right? I think today it's not a problem: we have a lot of reverse engineers, and probably this is, I would say, the easiest stage of the analysis. However, there are so many pieces of code that you should have a photographic code-based memory, I call it, because sometimes, on occasions, you're going to see "hey, this particular code looks like something I saw a couple of years ago; there's something very interesting indeed". So I don't know if you recognize this code, guys, I know it's tricky, but just try: what is that? At least one guy here in the auditorium knows it well. Basically, to the left is Duqu 1.0 and to the right is Duqu 2.0. So it's the same threat actor, but that threat actor came back to us with Duqu 2.0 and tried to mislead us, I mean our investigation, making us think that they come from somewhere else: they used Chinese strings, they used stuff like a Romanian hacker and such. But if you have a code-based photographic memory you will recognize that at least the projects are the same, the platforms. On occasions, when you uncover an operation, you analyze it completely, you get it all and you cut it; yeah, but the guys had invested a lot of money. How much? Millions of dollars, millions of dollars. Imagine, those projects have a really big budget; it's a government. So they recycle certain parts of the code, certain platforms, and then they come back with new code, but it's still the platform; they are not going to throw away the platform itself. This is why, if you have this kind of memory, on the human side, it's not like there is a tool for it, try to memorize the code, just how it looks; it will help you a lot when you work on the analysis, so that you say "hey, these guys are our friends, we already know them, it's the same guys". Alright, and then when we analyze them, you should be able to make the correlation of the attacks, I mean "okay, this particular complex threat, have we seen it before somewhere? Is it the same threat actor? Is it a new one?" Because nowadays we have so many threat actors you're just going to get crazy with all of them: Chinese people, the Chinese government, the Russian government, the United States government, everybody. I mean there is no rule: if you want to attack, go do that, and if they say "it was you", "no way, how can it be? Come on, we're friends", so they just deny: "no, it's not me". So we actually have a map of all APTs, you can see it here, and it's pretty complex, because if you look, we have Duqu 2.0, we have CozyDuke, we have Shamoon, Red October; how are they related, are they related at all? Well, yes, for instance you may see here Flame is somehow connected to Stuxnet, to Duqu, to MiniFlame, to Equation and to Duqu 2.0, and you say "wow", because Stuxnet is one thing, Flame is another thing; if you have a chance to look at the code you might probably know that the threat actor behind them is different, I mean between these APTs. However, they are somehow connected. So probably, despite being two threat actors, they had mutual operations, merged operations; they are not related politically, probably, they're just two different countries.

But they have a very good relationship; they drink beer together on Fridays, so some operations they just ran together despite the code being different. So how do we know that, how can you know that? Yeah, of course you can trust us at Kaspersky, you can do your own research, but the idea is this: if you have intelligence on the network traffic you will see that some of the threat actors you are following are just working with other guys too, or your very first threat actor, which used to be a cyber criminal, like yeah, he was stealing money, for some reason is now also working on stealing information from governments. So what is that? Just build a system again, something like Linux, I don't know, anything, and just start feeding your database, start feeding it. You find a piece of malware, a Brazilian trojan banker, alright; you say it's nothing special. Well, it could be, but it would not have any domain name to use to send the information, any IP address to contact, so it's still a vulnerable piece of malware. So first extract that information, the network information: the domain name it contacts, where it's dropping the credentials, the IP address, and then register it, register it in your database and put a tag: alright, it's the boleto gang and blah blah blah. And then on some perfect day you will find that probably the same domain is going to be used in another campaign, and you say "man, same guys, they just use the same network infrastructure; now they just came back and now they are not targeting money, they're targeting governments". So if you feed your database now, in a year you're going to have a very nice source. Do it now, guys; this is the future of detection of all APTs. I mean, guys, if you don't have intelligence on the domain names, and when I say intelligence I don't mean "have you ever seen this domain? Oh yeah, it's malicious"; come on, yeah, thank you, I know it's malicious, that's why I'm asking; but what do you know about it? "Oh yeah, because I know that; first I saw it in 2011 and then I saw it in that campaign, in that campaign, in that place they changed the IP address, and then the threat actor changed and blah blah, and then I saw it was used also by this group and this group; probably they just share data." This is intelligence, and we have to have it. If you don't have it, well... So you see this is a very interesting thing; here we also have an example of some C2s used in the Equation attack, and you see some of them also belong to the same server, let's say located in the Czech Republic; it belongs to the DoubleFantasy stage, which is a component of the Equation APT and such.

Alright, now you found the sample, you did the reversing, now we need to map who the victims are, right? Because if you don't know who the victims are, well, it's still nothing, because now you know how it works, I mean the malware, you know what it steals; you might think "okay, those guys probably stole all my information", because you can also go to your logs and see at what times this or that machine kept a connection to the C2, for how much time, how much data was transferred and so on and so on. Now you need to know who the victims are. How to do that? First, of course, being an antivirus company: any antivirus company nowadays has something called cloud. The cloud allows you to bring detection in a very efficient and quick way and also to map the victims; all antivirus solutions have such a feature. Of course, being the owner of your own installation you can disable it and say "I don't want to use cloud protection", that's it, this is up to you. But even Microsoft, guys, all our competitors, they also use the cloud, cloud detection. This is a very important thing, because using your cloud you can also map the victims. However, you are limited: if the victim is not using your antivirus solution, you don't see anything.
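The "feed your database and tag it" advice above, as an added worked example (editor's code, not from the talk or from Kaspersky): a minimal infrastructure-intelligence store on SQLite where every domain and IP pulled out of a sample is recorded with its campaign, tags and date, so that a later sample can be pivoted on shared infrastructure. All hashes, domains, IPs and campaign names below are constructed for the example.

```python
import sqlite3


class InfraIntel:
    """Network-infrastructure intelligence store: one row per sighting of an
    indicator (domain or IP) in a sample, tagged with campaign and date."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("""CREATE TABLE IF NOT EXISTS sightings (
            indicator TEXT NOT NULL, kind TEXT NOT NULL, sha256 TEXT NOT NULL,
            campaign TEXT NOT NULL, tags TEXT NOT NULL, seen TEXT NOT NULL)""")
        self.db.execute("CREATE INDEX IF NOT EXISTS ix_ind ON sightings(indicator)")

    def record(self, sha256, campaign, tags, seen, domains=(), ips=()):
        """Register every indicator extracted from one sample."""
        tag_str = ",".join(tags)
        rows = [(d.lower().rstrip("."), "domain", sha256, campaign, tag_str, seen)
                for d in domains]
        rows += [(ip, "ip", sha256, campaign, tag_str, seen) for ip in ips]
        self.db.executemany("INSERT INTO sightings VALUES (?,?,?,?,?,?)", rows)
        self.db.commit()

    def history(self, indicator):
        """Everything known about one indicator, oldest sighting first."""
        cur = self.db.execute(
            "SELECT seen, campaign, tags, sha256 FROM sightings "
            "WHERE indicator=? ORDER BY seen", (indicator.lower().rstrip("."),))
        return [dict(zip(("seen", "campaign", "tags", "sha256"), r)) for r in cur]

    def pivot(self, sha256, domains=(), ips=()):
        """For a new sample, map each of its indicators to the earlier sightings
        of that indicator (excluding the sample itself). An empty result means
        none of its infrastructure has been seen before."""
        links = {}
        for ind in list(domains) + list(ips):
            prior = [h for h in self.history(ind) if h["sha256"] != sha256]
            if prior:
                links[ind.lower().rstrip(".")] = prior
        return links


def build_demo():
    """Constructed history: a Brazilian banker gang seen in 2013 and 2014."""
    db = InfraIntel()
    db.record("a1" * 32, "boleto-gang-2013", ["crimeware", "banker", "br"], "2013-06-02",
              domains=["boleto-update.example", "painel-acesso.example"], ips=["203.0.113.9"])
    db.record("b2" * 32, "boleto-gang-2013", ["crimeware", "banker", "br"], "2014-01-15",
              domains=["boleto-update.example"], ips=["203.0.113.10"])
    return db


def investigate_new_sample(db):
    """A constructed 2015 dropper found in a government mailbox: pivot its C2s
    against the store first, then register it so the next analyst sees it."""
    sha = "c3" * 32
    domains = ["Boleto-Update.example.", "doc-share.example"]
    ips = ["198.51.100.7"]
    hits = db.pivot(sha, domains, ips)
    db.record(sha, "gov-espionage-2015", ["targeted", "gov"], "2015-08-01",
              domains=domains, ips=ips)
    return hits


if __name__ == "__main__":
    store = build_demo()
    for indicator, sightings in investigate_new_sample(store).items():
        print(indicator)
        for s in sightings:
            print("   ", s["seen"], s["campaign"], s["tags"])
```

The pivot is what turns "I have seen this domain" into intelligence: the 2015 espionage dropper reuses `boleto-update.example`, and the store answers with the two earlier crimeware sightings, their dates and their tags.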

Imagine if we speak about some countries where your antivirus solution is not so popular because of political reasons; probably you're going to see, I don't know, a very few percent, like 5% of the whole picture, right? So what to do, how to find the full picture of the victims? You can also use Yara rules in VirusTotal; there's a service called VirusTotal Intelligence. You might probably also have access to that; if not, consider getting access; it works, guys. So Yara rules are something very easy to write, you can just read up on it by yourself, it's very simple, and then you go to your VirusTotal account, you submit the rules and you just sit down, you drink beer and wait, and then somebody starts uploading those samples and you start getting messages, thun thun thun thun, to your email. Of course, if it's a really bad Yara rule you're going to die, because you're going to have so much spam that you will disable it, so try to write very high quality Yara rules. And when you get those notifications you just go and see "alright, from which countries do my submissions come?" In this particular case I used a sample which is an email message. This is a very interesting sample; it was sent to us in the name of a customer, saying "yeah guys, I don't want to use your antivirus anymore, just give my money back, and I'm sending you this document". It was sent to a bunch of people in the company. So I got the sample and analyzed it; the final dropper was a very interesting sample, used even to explore the LDAP, I mean Active Directory; it's a password stealer, just per file, and the message itself was crafted completely to infect Kaspersky people and to extract the information. And then I went to VirusTotal and I saw that they also sent this at least to people from France, Great Britain, Taiwan and Russia, who also submitted it to VirusTotal. That means probably those guys didn't only try to infect Kaspersky; probably they have several templates and tried to infect several companies, antivirus companies, and they sent it to different people. So in this case I see "yeah, the actor is smart enough"; they basically wanted to know what the antivirus companies are really doing, maybe to steal something, maybe just, you know, there are also some people who feel "yeah, I'm a great man because I hacked this network, I hacked those security guys, I'm the most skilled guy in the world". Well, VirusTotal will also help you to expand the picture, the map of the victims. So this is how you will see "yeah, this threat actor is not only active in this country, where we see a very good coverage, but they're also active, let's say, in Taiwan"; yeah, I know that because people from Taiwan are submitting samples to VirusTotal, so I know their operations are worldwide, these guys are not limited to one region but also active in other regions, or you'll see "oh yeah, basically the map is bigger". So this is another thing you can use to map the victims, right.

Finally, sinkholing. Do you use it? The idea is very simple, guys: you need to own the domain name used in the attack, so make your partnership with the domain providers like GoDaddy and others, and yes, there are many things like legal stuff and la la la. The good thing is that on occasions threat actors also use not only second-level domains but also third-level domains, which are very easy to own. So you get the domain, now it's yours, and you redirect the traffic to your server with your IP address, and you will see all the victims knocking on your door, because if those victims are still infected they're going to send packets to the C2 server, and that C2 server is going to be you, and you will see where the victims are, who they are, from which country they are coming. So you'll see everything, basically: which operating system they use, in which country they live, well, even on occasions which organization it is, because the IP address may not be a dynamic one but a fixed one.

You need to drink a lot of beer with the guys from GoDaddy, the people who work with domain names; you must be a friend of theirs: beer, tequila, beer, tequila, tequila, beer, vodka, and then you're going to be able to make magic. So this is also a real-life example of how we manage sinkholes. It doesn't reveal any information; it's just an official template, so if another researcher sees it, like "what's going on with this IP address?", and he accesses it, he will see "oh yeah, it's a Kaspersky sinkhole". You can detect it if you want, that's up to you; I mean, being a victim you can do many things, right? But this is something which allows us to see where the victims actually are, where all the victims are, and this is very useful, because when you analyze complex attacks it is not only about "yeah, it's malware, it's a very interesting piece of malware"; it's also about cooperation with law enforcement agencies, and we can then help victims to disinfect. Kaspersky has very good, big success stories working with Interpol in Europe; those guys are very active, especially the guys from the Netherlands; they are very funny people; they don't look like police, it's like Michael Jackson, and they just catch the bad guys like "wow, crazy". So we got this; now, the attribution. This morning I heard many things about attribution; however, guys, I want to tell you something: this is a very complex task, seriously, it's not that easy, because of the many techniques which can be used to mislead you, for example using lies, so-called false flag operations. Because there is a chance; just think about it: you are working on a very complex attack, you are a security officer, you work for the government and now you're building your campaign to infect another country, a foreign country. Of course you're going to think about a possible situation where you're going to be caught or discovered, so you have to do things in advance to fool people. Those techniques are proactively used nowadays in all complex attacks just to mislead people, and sometimes I read the news: "yeah, the Chinese, they attacked us again". Come on, how did you conclude that? "Because I saw strings in Chinese", or "because the server is located in China". So what? So what? It's crazy. I mean, this attribution is like going to the street and catching any guy because that guy looks like the guy who stole things on the other street. Why? Because of his skin colour? Alright, we have 15 more people here with the same skin colour, so it's not an option to attribute by very simple things. So how to attribute properly? First, think from the side of the attacker: the attacker uses malware as a vehicle to achieve its political, economic and other goals. Think of the goals and not only of the signs in the code. Which is the real motivation? Who are the victims? By the victims and by the newspapers you can understand who the attacker is. In most cases the events are already in the newspapers; people know how to read lines but rarely can really understand what that line says, seriously. In most cases, like "did you get the story? Yeah, he went on an official visit to a third country"; that's not the story, the story behind it is different. So you should have not only technical skills but also political ones.

Yeah, just to understand the geopolitical situation, right. Also see the level of expertise used in the code: the biggest threat actors have the biggest budget, right? They can invest money in crazy, really expensive exploits, man; small countries can't do that, they just can't do that because they don't have enough money. So by the resources and the sophistication of the code you can understand more or less who is behind it. The time zones, using the timestamps of compiling the malware: it's tricky, yeah, because you can fake it, you can erase it completely, but we're going to see a very nice example in the next slide where you just don't give up: try to find the time zones used, the timestamps used while compiling the modules, and then you will also understand who can be behind it. Another point is that you should even have a linguistics expert, somebody who, seriously guys, is not just somebody fluent in the language. Let's say "we are looking to hire somebody who's native in the Russian language": being native doesn't mean being a linguist. When people ask me "how do you say this in Russian?", I say "like this"; "why?"; "who knows, I just noticed we say it this way, I can't explain why". But when you have a linguist, you might find very interesting mistakes, grammar mistakes in the code, which allow you to see "hey, these guys are from that place". And as I said, there are also some techniques, let's call them our techniques, to recover access to the C2s, not to sinkhole them, but to recover passwords to those C2s. If you recover passwords to the C2 you can just get inside and also see the logs of the guys who connected, from which places, which IP addresses they use. So it's also very interesting, because everybody knows we should use a VPN; the bad guys also know they should use a VPN, but there are hours when they're so tired, working at 2 a.m., he had a couple of beers and, yeah, he forgot to establish the VPN connection, so he got access to the C2 with no VPN and, ah yeah, you got it: you know the real IP address of the guy who is managing it, the master behind the C2, right? Here's an example, also a piece of code used in Duqu 2.0; the word, I mean the expression they are using in the code, is "exceeded", but it's misspelt, with "cc": e-x-c-c-d-e-d. One mistake, only one mistake; the rest is just perfect, everything was just perfect, man. You just read it and nobody would say "wow, who knows, just somebody from the US"; but no, this particular grammar mistake shows that the guys come from some place where, yeah, it's like people who might speak European languages, from that area of Europe. It's not from here; it's definitely not an Asian guy, because "exceeded" pronounced that way is how we used to pronounce it, living in that part of the world. So just one mistake, one small mistake, yeah, one letter. Unfortunately I can't say more, I can't be more specific about which nation, you know, all of that; I made this mistake. But if you have a linguistics expert in your team he will tell you "oh yeah, these guys come from that country", right. Do you remember we spoke about the timestamps? Well, the timestamps: here in Duqu 2.0 all the modules, more than 100 modules, got the timestamp completely wiped, completely wiped; you just see crazy things like 1970s stuff, so you just don't trust it. But there is a small module, a small DLL, which is actually a zero-day, a zero-day which was patched by Microsoft once we announced Duqu 2.0.

No and that zero day that DLL keeps the original time stamp only one model between like 100 models so let’s think together what does it mean first what does it mean if only one module has the original time time and the rest not just gas guys don’t be shy yeah of course yeah well how could that happen I mean which is the scenario why if you just wipe like 99 modules like 9999 times times you just wipe land completely like x times and that one like no is it a mistake seriously not that means there is a joint operation somebody just passed that exploit that zero day to that team said like all right guys like you know we can’t do that with you or we can help you if you like just don’t tell anyone what do you need like I need an exploit yeah what can it exploit I need a zero-day exploit in the kernel okay we’re gonna give it to you that exploit and they give it and if you see the timezone it’s definitely like not Europe so yeah like a grammar language shows like yeah that guys are from that part of that it’s not here about that part of the world in here like well it’s not from that part of the world so it says basically yeah that particular exploit was a kind of gift or like yeah I all support you like under ectly like I will give you what I need and then you’re gonna share with me like stuff you find like is it okay deal so this one mistake just set us a lot about like who is behind that it’s not only one nation at least that our two nations behind that yeah well if they buy it they will also like first to wipe the time stamp because this looks like to be because it’s it’s logical they get something from somebody strange so first let’s see the time stamp did you follow us our manual but at this point they just go to like in a very trust like relationship so like yeah you know like like two friends are talking okay so take it okay thank you so like the security awareness was really low like oh yeah thank you thank you like we’re gonna use it so you see that well the 
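The time-stamp triage the speaker walks through above (more than 100 modules wiped to epoch-era values, one DLL keeping its original stamp, and the time zone read off that surviving stamp), as an added worked example. This is editor's code, not from the talk, from Kaspersky, or from any Duqu 2.0 analysis tooling. It pulls the COFF TimeDateStamp out of each PE module, flags epoch-era or impossible stamps as wiped or forged, and for the remaining ones scores which UTC offsets would put the compile time inside a 09:00 to 18:00 workday. The sample "modules" are constructed header-only byte strings, the module names and the workday window are assumptions, and with a single surviving stamp the offset score is only a hint, which is exactly why the speaker says not to trust time stamps on their own.

```python
"""Compile-time-stamp triage for a set of PE modules.

Added example (editor's own code, not from the talk or any vendor tooling).
Assumptions: a stamp before 1990 counts as wiped, a stamp past "now" counts as
forged, and the workday used for time-zone scoring is 09:00-18:00 local time.
"""
import struct
from datetime import datetime, timedelta, timezone


def build_fake_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    """Construct a minimal, non-runnable PE image (headers only) carrying the
    given COFF TimeDateStamp. This is constructed test input, not real malware."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0x2002)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)  # 4 sig + 2 machine + 2 nsections
    return stamp


def classify(stamp: int, now=None) -> str:
    """'wiped' for epoch-era stamps, 'forged' for stamps in the future, else 'plausible'."""
    now = now or datetime.now(timezone.utc)
    ts = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if ts.year < 1990:
        return "wiped"
    if ts > now + timedelta(days=1):
        return "forged"
    return "plausible"


def triage(modules: dict, now=None) -> dict:
    """Per-module stamp, UTC rendering and status for a {name: bytes} set."""
    result = {}
    for name, data in modules.items():
        stamp = pe_timestamp(data)
        result[name] = {
            "stamp": stamp,
            "utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "status": classify(stamp, now),
        }
    return result


def surviving_stamps(modules: dict, now=None) -> list:
    """Only the stamps worth feeding into time-zone analysis."""
    return [v["stamp"] for v in triage(modules, now).values() if v["status"] == "plausible"]


def offset_scores(stamps, work_start: int = 9, work_end: int = 18) -> dict:
    """For each whole-hour UTC offset, count how many compile times fall inside
    the assumed workday. Ties are expected with few stamps; look at the spread."""
    scores = {}
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(work_start <= datetime.fromtimestamp(s, tz).hour < work_end
                          for s in stamps)
    return scores


def best_offsets(stamps, work_start: int = 9, work_end: int = 18) -> list:
    """All UTC offsets that tie for the highest workday hit count, ascending."""
    scores = offset_scores(stamps, work_start, work_end)
    top = max(scores.values())
    return sorted(off for off, hits in scores.items() if hits == top)


# Constructed sample set: three wiped/forged modules and one that kept its stamp.
# Module names and the surviving stamp value are assumptions for the demo.
SAMPLE_STAMP = int(datetime(2014, 6, 15, 10, 30, tzinfo=timezone.utc).timestamp())
SAMPLE_MODULES = {
    "module_01.dll": build_fake_pe(0),              # 1970-01-01, wiped
    "module_02.dll": build_fake_pe(86400 * 30),     # still 1970, wiped
    "module_03.dll": build_fake_pe(0xFFFFFFFF),     # year 2106, forged
    "kernel_exploit.dll": build_fake_pe(SAMPLE_STAMP),  # the one survivor
}

if __name__ == "__main__":
    for name, info in triage(SAMPLE_MODULES).items():
        print(f"{name:20s} {info['utc']}  {info['status']}")
    print("surviving stamps:", surviving_stamps(SAMPLE_MODULES))
    print("offsets consistent with a 09-18 workday:", best_offsets(surviving_stamps(SAMPLE_MODULES)))
```

With one surviving stamp at 10:30 UTC every offset from UTC-1 to UTC+7 fits a 09:00 to 18:00 workday, so the result is a band, not a country; the technique only narrows things down once you have dozens of surviving stamps, and even then it is one signal to weigh against the linguistics and the C2 logs the speaker describes, not a verdict.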
epic-fail attributions. First, strings in the code, I already mentioned that, and we're gonna see a very short video soon. And also email addresses used to register C2 domains; we'll see some examples of how bad it is. By February we also released the report called Desert Falcons. Desert Falcons, it's the very first APT coming from the Middle East region; the guys were very active. Other friends from the AV industry, they also... we didn't know that, but they also were working on the same project, so we went out more or less the same day with reports, and the guys, the friends, they committed a very big mistake: they published their attribution to the press, to the media, and it was a false attribution. So Forbes wrote an article: "Gaza resident linked to cyber attacks on Israel: security company has put my life in danger." This is the guy you see laughing; this is real, it's a real guy. Somebody just used his Gmail account to register the domain name used in that attack, and then our friends from the AV industry said, "yeah, we found him, because he's also on Facebook, on Twitter, so this is the bad guy." And the guy was really, really upset; he had to move his family out of Gaza and run for his life. This is his picture when he had a conversation with Forbes, completely like "I'm going to die just because somebody said 'look, I know how to attribute, because this email address is used to register the domain name which is used as the C2.'" Come on, it's pretty dangerous. It's pretty clear we can't do that. And this is the video, how easy it is to also, you know guys, cheat the analysts who used to attribute by... I think I can... you know, I can... yeah, thank you.

Alright, so this is a sample. You're gonna see a sample; I'm just opening that and I go to the strings. I found the string which is a path to the compilation of the malware, this one, you see, the FDD BC tools. Now I'm going to edit it and I'm going to write something like, yeah, "Ukraine we gonna hack you, attack you", yeah. Alright, save, that's it. And yeah, I can still use this malware, I mean, and then if there is a young analyst he'll say, "I know that the guys come from Ukraine because there is a path to the source code which says it's from Ukraine, we got all the proofs", so like "yeah, Ukraine is an aggressor, you know, we have even the partial source code, even the machine", you see? It's so easy to fake this stuff, it's just easy. You see, we did it in ten seconds, come on.

Alright, so the protection. The protection is the most complex task, actually, because you have just researched everything: you know the threat actor, who he is, you know his center of operations, you know everything about the attacker. But now go and protect your customers or yourself, and this is a very, very hard task, because once you stop those guys... you will have to stop them someday, and once you stop them they are not going to stop. They say, "oh, you discovered us, okay, just give me a couple of days, I will be back." So you should take very serious measures to protect yourself, right.

So we think about this: the Australian Signals Directorate published a top 35 list of how to stop 85% of all complex attacks, and I believe they are pretty close to what we think. What we think: if you just follow these four basic steps you may stop 85% of all threat actors, right? I don't mean threat actors who just steal credit cards and bank accounts, I don't care about those guys; I care about security agencies, intelligence agencies and such. So first, it's whitelisting and default deny. There are many people who speak
about whitelisting as the solution for everything, like this is going to solve all problems, including AIDS, cancer and such. Come on, it's fake, you're not going to solve anything with whitelisting only. Why? Because we have also another research which shows many threat actors use completely whitelisted applications to penetrate networks, completely whitelisted. Guys, just say: tools from Sysinternals, whitelisted or blacklisted? Whitelisted, of course, but using Sysinternals tools you can completely crack a full network, I mean, because this is just a set of tools which can be used to do everything in the network, right. So if you have a whitelist only, it's not enough; you should use default deny. What does default deny mean? You can just say, "okay, these applications, these particular applications, I mean this version, v7.5, this stuff is allowed in my network; everything else by default is always prohibited", just always, no chance to execute it. I mean, it's not like "yeah, let's run it, let me restrict it", no: prohibited. Why? Because there is no chance to survive APTs, complex attacks, if you don't use default deny, and especially because in corporate networks there is no need to have new files every single day. It's not like an end-user machine, where it's "oh yeah, let's install this version of the player, now let's remove it, I want to get this, this, this." In corporate networks, I mean really well administrated ones, the process of bringing in all the files is very static; there is nothing to change every day. "Yeah, we got like 100 new files"? No, it's just from update to update: once Microsoft releases an update, all right, you've got the new update, you just went through the files, you just got the MD5s, you select the 7.5s, like "I explicitly allow these to execute", the rest, bye-bye. So using whitelisting and default deny is key, guys, seriously, it's a very, very important thing, again on the end-user or the endpoint side, right.

Also, yeah, patching and restricting administrative privileges, as it says, it's also important, but people don't use it often. Well, what can we do also on the network and system layer? Use YARA rules. Guys, I'm a very big fan of YARA, seriously. I personally believe that this is a standard in the industry; if you don't use YARA rules you are outdated, you need to get updated, seriously. YARA is just perfect. Also there are many scanners available for different platforms you can use, so just use YARA rules, guys. Which is the advantage? Well, we just released a report, and together with the report we released YARA rules, so you just go, you grab the YARA rules, you just scan your network. Even if you don't know whether your AV vendor is detecting it or not, who cares about the AV vendor, you have YARA rules, right. You can also use the internal instrumentation which your own operating system has; sometimes we have it but we don't know how to use it, or we just disable it, but we should use it to audit the system, especially when it's about lateral movement inside the network. Just use it, guys. And DNS filtering, we already talked a lot about that. DNS filtering: when you have intelligence on the DNS and IP addresses, just block them. Even if you still... "oh, you found me, and I have 500 machines infected in my network, what to do first?" Block the network, I mean not cut the internet, just block by the domains; you already know the C2s, you just block them. And they say "yeah, machines infected, but there is no way to get information out of the network", that's fine. And then another beer, and then cleaning. Like, thank you very much, this is all of my presentation. Again, you
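The "explicitly allow these hashes, everything else bye-bye" step above, as an added worked example. This is editor's code, not from the talk or from the ASD mitigation list. It contrasts a name-based whitelist, which passes any file that keeps an approved file name (the Sysinternals problem the speaker describes), with a hash-based default-deny list that only passes bytes an administrator explicitly approved, plus the "from update to update" step where a reviewed new build gets added. The binaries are constructed byte strings standing in for real files, the file names are assumptions, and SHA-256 is used instead of the MD5 the speaker mentions because MD5 is no longer collision resistant, which is an editor's caveat rather than a claim from the talk.

```python
"""Default-deny allowlist by file hash versus whitelisting by file name.

Added example (editor's own code, not from the talk). The "binaries" below are
constructed byte strings, not real executables; names are assumptions.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key (SHA-256 rather than MD5)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the versions the administrator reviewed and approved.
KNOWN_GOOD = {
    "notepad.exe": b"MZ\x90\x00 notepad build 7.5 (constructed sample)",
    "psexec.exe": b"MZ\x90\x00 psexec 2.2 (constructed sample)",
}

# Files seen later on an endpoint, also constructed.
CANDIDATES = {
    "notepad.exe": KNOWN_GOOD["notepad.exe"],                          # byte-identical approved file
    "psexec.exe": b"MZ\x90\x00 psexec 2.2 (constructed sample) TAMPERED",  # approved name, different bytes
    "svchost.exe": b"MZ\x90\x00 something an attacker dropped (constructed)",  # unknown file
}


def build_allowlist(known_good: dict) -> dict:
    """hash -> name for every explicitly approved build."""
    return {sha256_hex(data): name for name, data in known_good.items()}


def allowed_by_name(name: str, data: bytes, known_good: dict) -> bool:
    """Whitelist 'by application': anything with an approved file name runs."""
    return name in known_good


def allowed_by_hash(name: str, data: bytes, allowlist: dict) -> bool:
    """Default deny: runs only if these exact bytes were approved; the name is irrelevant."""
    return sha256_hex(data) in allowlist


def evaluate(candidates: dict, known_good: dict, allowlist: dict) -> dict:
    """Decision of both policies for every candidate file."""
    return {
        name: {
            "by_name": allowed_by_name(name, data, known_good),
            "default_deny": allowed_by_hash(name, data, allowlist),
        }
        for name, data in candidates.items()
    }


def approve_update(allowlist: dict, name: str, data: bytes, reviewed_by: str) -> dict:
    """The 'from update to update' step: after a vendor update an admin reviews the
    new build and adds its hash. Returns a new allowlist; nothing is approved implicitly."""
    if not reviewed_by:
        raise ValueError("refusing to approve a build nobody reviewed")
    updated = dict(allowlist)
    updated[sha256_hex(data)] = name
    return updated


if __name__ == "__main__":
    allowlist = build_allowlist(KNOWN_GOOD)
    for name, verdict in evaluate(CANDIDATES, KNOWN_GOOD, allowlist).items():
        print(f"{name:12s} by_name={verdict['by_name']!s:5s} default_deny={verdict['default_deny']}")
    # The tampered psexec only runs after someone explicitly approves that exact build.
    allowlist = approve_update(allowlist, "psexec.exe", CANDIDATES["psexec.exe"], reviewed_by="admin")
    print("after review:", allowed_by_hash("psexec.exe", CANDIDATES["psexec.exe"], allowlist))
```

The point of the contrast is the second row: a name-based whitelist lets the modified psexec.exe run because the name is trusted, while the hash-based default-deny list blocks it until an administrator deliberately adds that build, which is the "you just go through the files, select the 7.5s, the rest bye-bye" workflow the speaker describes.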
just, guys, if you like, ask me your questions after this presentation, you are welcome. Thank you, thank you, thank you. I got the coin.