Sometimes, APT researchers can be compared to paleontologists who find the bones of a long-gone dinosaur. In these circles, it often happens that some paleontologists have an unusual or rare bone but nobody has the full skeleton. While a normal person finding a dinosaur bone might discard it and keep traveling, in security research we like to collect things. Sometimes we join efforts with other "paleontologists" and share our discoveries. Once we have collected enough bones from a monster to understand its potential size, danger and possible habitat, we can start the next phase: a real, active investigation that might lead us to the mysterious mountain lake.
At Kaspersky Lab, we process hundreds of thousands of samples every day. The art of figuring out which ones are significant, and further still which ones belong together as part of a big APT attack, is akin to finding dinosaur bones in a huge haystack and then figuring out which ones belong to the same skeleton. We are grateful for every bone we discover, because each one makes the world a little safer.
Key take-aways from this talk:
How to tell which bones are interesting and which are not
Using Yara to hunt cyber-dinosaur skeletons
The story of how Yara helped us find a zero-day