Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a cleanup operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful.
In our training you will be introduced to the free, open-source scoutware tool Bitscout developed by Vitaly Kamluk from Kaspersky GReAT in collaboration with INTERPOL, that has been successfully used by Kaspersky researchers for years. The cases demonstrated in the training were developed by Vitaly Kamluk and Nicolas Collery, Executive Director at DBS Bank, primary incident responder. During the training you will create your own remote analysis tool and practice it right away in the provided virtual lab!
Syllabus
- Day 1: Static Analysis
- Introduction and theory
- Crafting and customising your own scoutware
- Exercises
- Day 2: Dynamic Analysis*
- Introduction to remote Dynamic Analysis
- Bypassing Windows authentication
- Stripping off full disk encryption
- Discovering various malware, including kernel mode rootkit
- Reconstructing malware startup chain
- Running custom LiveCD on top of Bitscout
