Tue 16 Nov 2021 14:00 - 14:20 at Grand Auditorium - Cyber Threat Intelligence Chair(s): Gurvan LE GUERNIC


Many open feeds of binary files, especially malware, have emerged in recent years, and their quality is in no way inferior to that of commercial sources, as Thibaut Binetruy (HMiser, CERT Société Generale, 2020) emphasized: “Integrating operational threat intel in your defense mechanisms doesn’t mean buying Threat Intel. You can start by using the [mass] of open source indicators available for free”. Some are provided by official sources (Abuse.ch, fed among others by the Swiss national CERT), others by much more obscure or even anonymous ones (VirusShare, Vx-underground…). The survey we drew up highlights the great qualitative and quantitative disparity between these sources. We had to take this diversity into account in our research in order to make daily, large-scale analysis of inter- and intra-family malware correlations possible. This work can be applied to concrete cases such as Babuk, Ryuk and Conti: we were able to bring out the links between samples in these families through the immediate identification of correlations, supplemented by a manual analysis that confirmed the genealogy of the samples precisely.

Tue 16 Nov (times shown in the Brussels, Copenhagen, Madrid, Paris time zone)

13:30 - 15:00, Cyber Threat Intelligence (Call for Papers), Grand Auditorium
Chair(s): Gurvan LE GUERNIC (DGA MI & Université de Rennes 1)

13:30 (30m), Talk: La Threat Intelligence comme vecteur d’automatisation de la Cyberdéfense (Threat Intelligence as a driver for automating cyber defence)
Laurent Cordival (BEIJAFLORE), Matthieu Riche (BEIJAFLORE)

14:00 (20m), Talk: Automatisation de l'analyse de binaires : de la collecte source ouverte à la Threat Intel (Automating binary analysis: from open-source collection to Threat Intel)

14:20 (20m), Talk: Automated Risk Analysis of a Vulnerability Disclosure Using Active Learning
Clément Elbaz (Univ Rennes, Inria, CNRS, IRISA, DGA), Louis RILLING (DGA-MI), Christine Morin (Inria)

14:40 (20m), Talk: Attack Forecast and Prediction
Florian Kaiser, Tobias Budig, Elisabeth Goebel, Tessa Fischer, Jurek Muff, Marcus Wiens, Frank Schultmann (all Karlsruhe Institute of Technology)