Attacker Attribution through Antivirus Network Indicators


Presented at BsidesMinneapolis-Saint 2014 by

Indicators of Compromise (IOCs) are among the most reliable ways to identify that a system has been breached. In this era of polymorphic and custom malware, antivirus signatures alone are no longer enough to tell you when you have a problem. This presentation explores extending traditional antivirus into an IOC system, using AVAST as the proof-of-concept platform. It focuses on identifying the users behind Virtual Private Network (VPN) sessions and linking them to specific computer systems based on network activity that is not part of the attack itself, for example the routine update check-ins the antivirus client makes on its own. These techniques are useful when an attacker uses VPNs to bypass network-level detection, because the tunnel hides the attacker's source address but not the identifiers their own endpoint software keeps sending.
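The correlation the abstract describes, as an added example that is not code from the talk or from AVAST: a VPN session log (which account held which tunnel IP, and when) is joined against a proxy log in which the antivirus client's update check-in carries a stable per-host identifier. The log formats, the `update.av.example` host and the `guid` query parameter are all constructed for illustration and are assumptions, not Avast's actual update URL format. Check-ins that arrive from a tunnel IP outside any recorded session are deliberately left unattributed rather than guessed.

```python
"""Link VPN sessions to physical hosts via antivirus update check-ins.

Added example, not from the original presentation. All log data below is
constructed; the ``guid`` parameter is an assumed stand-in for whatever stable
client identifier an antivirus product sends when it checks for updates.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN session log: account, assigned tunnel IP, session start, session end.
VPN_SESSIONS = """\
bob   10.8.0.12 2014-06-01T08:00:00 2014-06-01T09:30:00
alice 10.8.0.12 2014-06-01T10:00:00 2014-06-01T11:00:00
bob   10.8.0.33 2014-06-02T07:45:00 2014-06-02T08:15:00
"""

# Constructed proxy log: time, source (tunnel) IP, destination host, request path.
# The last line is a check-in from 10.8.0.12 while no session held that IP.
PROXY_LOG = """\
2014-06-01T08:05:12 10.8.0.12 update.av.example /vps/check?guid=7c1e-AAAA
2014-06-01T10:20:41 10.8.0.12 update.av.example /vps/check?guid=7c1e-AAAA
2014-06-02T07:50:03 10.8.0.33 update.av.example /vps/check?guid=9f0d-BBBB
2014-06-02T07:51:00 10.8.0.33 www.example.com   /index.html
2014-06-01T12:00:00 10.8.0.12 update.av.example /vps/check?guid=1111-CCCC
"""

HOST_ID_RE = re.compile(r"[?&]guid=([A-Za-z0-9-]+)")  # assumed identifier format


def parse_sessions(text):
    """Parse 'user ip start end' lines into session dicts with datetime bounds."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, end = line.split()
        sessions.append({"user": user, "ip": ip,
                         "start": datetime.fromisoformat(start),
                         "end": datetime.fromisoformat(end)})
    return sessions


def parse_proxy_log(text):
    """Parse 'time src host path' lines into flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "host": host, "path": path})
    return flows


def extract_host_id(path):
    """Return the antivirus client identifier carried in a request path, if any."""
    match = HOST_ID_RE.search(path)
    return match.group(1) if match else None


def session_for(flow, sessions):
    """Return the VPN session that held flow['src'] at flow['ts'], or None."""
    for session in sessions:
        if session["ip"] == flow["src"] and session["start"] <= flow["ts"] <= session["end"]:
            return session
    return None


def correlate(sessions, flows):
    """Map each antivirus host identifier to the (user, session start) pairs it was seen in."""
    seen = defaultdict(list)
    for flow in flows:
        host_id = extract_host_id(flow["path"])
        if host_id is None:
            continue  # ordinary browsing carries no client identifier
        session = session_for(flow, sessions)
        if session is None:
            continue  # no session held that tunnel IP then: stale lease or clock skew, do not attribute
        key = (session["user"], session["start"].isoformat())
        if key not in seen[host_id]:
            seen[host_id].append(key)
    return dict(seen)


def shared_hosts(correlation):
    """Host identifiers that appeared under more than one VPN account (same machine, several logins)."""
    result = {}
    for host_id, pairs in correlation.items():
        users = sorted({user for user, _ in pairs})
        if len(users) > 1:
            result[host_id] = users
    return result


if __name__ == "__main__":
    corr = correlate(parse_sessions(VPN_SESSIONS), parse_proxy_log(PROXY_LOG))
    for host_id, pairs in corr.items():
        print(host_id, pairs)
    print("accounts sharing one host:", shared_hosts(corr))
```

In the constructed data the identifier `7c1e-AAAA` checks in under both `bob` and `alice`, so the two accounts are tied to one physical machine even though each VPN session shows only a tunnel IP; `9f0d-BBBB` is a different host used by `bob` alone; `1111-CCCC` arrives outside any session and is dropped, because attributing it would be a guess. In practice the join key is whatever stable field the antivirus vendor's update or telemetry traffic exposes, and the value of the technique depends on confirming that the field really is stable per host and not per install or per session.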