FIRST Slides and Incubations Introduction

July 15, 2013


    Last month I was privileged enough to speak at the 25th annual FIRST conference, hosted in Bangkok, Thailand, and wanted to explain my slides a bit. I am not sure if FIRST will put the videos of the talks on the Internet, but until they do, I think it’s valuable for those who weren’t at the talk to understand the concept of “incubations”. For those who follow this blog or just know me from conferences, I travel quite a bit. I spent a considerable amount of time in different parts of the USA and Asia last year and began a little experiment in identifying and profiling cyber espionage operators, which I later coined “incubations”. Simply put, incubations are short- or long-term analysis environments that emulate target networks (real or fake), with complete logging of registry, file system and network activity streamed in real time.

    My talk at FIRST was an extension of the concept that began last year. Essentially, what I did was host several different virtual machines on my research laptop. Once I was in another country, I would take the malware I was researching, execute it in a specially crafted environment made to look like a real target, monitor for any changes and then go to sleep. In the morning, I was always pleased to find that the operators behind the malware had visited my machine, collected data or deployed new tools, and then decided what to do with my setup. I managed to run over 35 of these little operations in over 5 countries with pretty good results.

    Earlier this year, a colleague and I embarked on a mission to create a system capable of deploying a network that emulates any target by simply specifying a few trivial details. As of now, this system is operational and has proven extremely valuable in profiling operators as they perform their collection objectives on our fake systems. My talk at FIRST detailed this architecture, how it came to be, and compared results from incubations with those of the traditional sandbox, honeypot and honeynet. While caveats exist in the concept of incubations, I am excited to see how we will be able to use the data we collect in the future to truly understand which countries are interested in which data.
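To make the profiling idea concrete, here is an added example that is not code from this post or from the system described above. It takes the kind of real-time activity stream an incubation host would log (registry, file system and network events) and turns it into per-session operator profiles: sessions are split on idle gaps, reads of planted documents are bucketed by the kind of data they touch, and dropped files, registry writes and remote hosts are collected. The JSON-lines event format, the decoy folder layout, the 30-minute idle threshold and the "interactive vs. automated" heuristic are all assumptions of this example, and the sample stream is constructed, not captured data.

```python
import json
from collections import Counter

# Constructed sample stream (not real data) of the kind an incubation host's
# sensors might emit: one JSON object per line with an epoch timestamp, a
# source sensor ("fs", "reg", "net"), an operation and its target. The first
# events are the implant installing itself, a lone beacon follows an hour
# later, and a hands-on operator session shows up roughly six hours after that.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"ts": 1000,  "src": "fs",  "op": "write",   "target": r"C:\Users\analyst\AppData\Roaming\svchost.exe"},
    {"ts": 1001,  "src": "reg", "op": "write",   "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"ts": 1002,  "src": "net", "op": "connect", "target": "203.0.113.10:443"},
    {"ts": 4602,  "src": "net", "op": "connect", "target": "203.0.113.10:443"},
    {"ts": 23000, "src": "net", "op": "connect", "target": "203.0.113.10:443"},
    {"ts": 23005, "src": "fs",  "op": "read",    "target": r"C:\Users\analyst\Documents\finance\Q2_budget.xlsx"},
    {"ts": 23010, "src": "fs",  "op": "read",    "target": r"C:\Users\analyst\Documents\finance\vendors.docx"},
    {"ts": 23020, "src": "fs",  "op": "read",    "target": r"C:\Users\analyst\Documents\engineering\design.pdf"},
    {"ts": 23030, "src": "fs",  "op": "write",   "target": r"C:\Users\analyst\AppData\Local\Temp\rar.exe"},
    {"ts": 23045, "src": "fs",  "op": "write",   "target": r"C:\Users\analyst\AppData\Local\Temp\out.rar"},
    {"ts": 23090, "src": "net", "op": "connect", "target": "198.51.100.7:8080"},
])

# Assumed decoy layout: document folders planted on the fake target, keyed by
# path prefix, so each read can be bucketed by the kind of data it touched.
DECOY_CATEGORIES = {
    "C:\\Users\\analyst\\Documents\\finance\\": "finance",
    "C:\\Users\\analyst\\Documents\\engineering\\": "engineering",
    "C:\\Users\\analyst\\Desktop\\": "desktop",
}

IDLE_GAP = 30 * 60  # assumed threshold: this much silence ends a session


def parse_stream(text):
    """Parse a JSON-lines sensor stream into a time-ordered list of events."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def split_sessions(events, idle_gap=IDLE_GAP):
    """Group events into sessions separated by more than idle_gap seconds."""
    sessions, current = [], []
    for ev in events:
        if current and ev["ts"] - current[-1]["ts"] > idle_gap:
            sessions.append(current)
            current = []
        current.append(ev)
    if current:
        sessions.append(current)
    return sessions


def categorize(path):
    """Map a file path to the decoy category it falls under, or 'other'."""
    lowered = path.lower()
    for prefix, category in DECOY_CATEGORIES.items():
        if lowered.startswith(prefix.lower()):
            return category
    return "other"


def profile_session(session):
    """Summarise what one session touched on the host and on the network."""
    prof = {
        "start": session[0]["ts"],
        "end": session[-1]["ts"],
        "reads_by_category": Counter(),
        "dropped_files": [],
        "registry_writes": [],
        "remote_hosts": Counter(),
    }
    for ev in session:
        if ev["src"] == "fs" and ev["op"] == "read":
            prof["reads_by_category"][categorize(ev["target"])] += 1
        elif ev["src"] == "fs" and ev["op"] == "write":
            prof["dropped_files"].append(ev["target"])
        elif ev["src"] == "reg" and ev["op"] == "write":
            prof["registry_writes"].append(ev["target"])
        elif ev["src"] == "net" and ev["op"] == "connect":
            prof["remote_hosts"][ev["target"]] += 1
    # Heuristic assumed by this example: a session that reads planted documents
    # is treated as hands-on operator activity; anything else as automated.
    prof["kind"] = "interactive" if prof["reads_by_category"] else "automated"
    return prof


def profile_incubation(text):
    """Full pipeline: raw stream -> sessions -> one profile per session."""
    return [profile_session(s) for s in split_sessions(parse_stream(text))]


if __name__ == "__main__":
    for profile in profile_incubation(SAMPLE_STREAM):
        print(json.dumps(profile))
```

Run stand-alone it prints three profiles: the implant's install session and its lone beacon both come out as "automated", while the later session is flagged "interactive", with two finance reads and one engineering read, the two dropped files in Temp, and the second remote host that appears only once the archive has been written. Comparing the categories read across many runs in different countries is the kind of aggregation the post has in mind; the session split on idle gaps is what keeps the implant's own beaconing from being mistaken for operator interest.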

    Here are my slides for those interested. Please feel free to reach out with questions or comments! Also, big thanks to Greg Sinclair for his role and help on the project.