Learn, hack!

URL

https://media.blackhat.com/bh-dc-11/Eisenbarth/BlackHat_DC_2011_Eisenbarth_Active_Exploit-Slides.pdf

File name

BlackHat_DC_2011_Eisenbarth_Active_Exploit-Slides.pdf

File size

1.9 MB

MD5

0b961d9884898c3ba1d2be61ac4c5ae0

SHA1

38d4892c2cc136858c71c6024e08d92ff7e8049a

Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.