Earlier today I presented at the Kaspersky SAS 2014 conference hosted in the Dominican Republic. While I’ve had the Hypertotal engine and results for a number of years, I have never wanted to talk about it publicly, to avoid major changes in actor behavior. I chose this specific conference to share some of my findings because I knew most of the material would not make it online and the researchers here are some of the best.
Based on Twitter postings, I have already gotten several requests to share my slides, and I would like to do so, but in a more controlled manner. I have password-protected the zip archive containing my slides and would ask anyone interested to email me directly for the password. If I don’t respond right away, please don’t take it personally! Oh, and if you already have the slides, don’t be a jerk and share them all over the place.
I have compiled a list of frequently asked questions about the data, in case certain aspects of the research aren’t clear.
- How did you get this data? Virustotal and their MIS service.
- How can I get this data? You will need to hack around with some of the Virustotal APIs and then some to construct the data I was collecting.
- Will you look up submitter IDs or hashes? Sure, but I would like some context if you are going to send something.
- How many actors do you track? Around 200 or so.
- Do you plan to open source your code at some point? Ideally, this would be shared amongst those doing the same research I do, so we could all work off the same database, but I am not sure how to do that yet.
- Do you know how to reverse the hash algorithm? I wish I did.
- How many accounts do you have activity for? A few million.
- Are you ever 100% sure your actor/target/security classifications are correct? In some cases, yes, but in other cases I lack the data to fully understand the role of a given account. Using additional data points (attack information, file data, etc.) helps me achieve a greater confidence about the account.
- Can I help out with this project? This depends more on what you would be willing to work on, but I would say, yes. One of the most helpful things anyone could do is just share hashes of “interesting” or weird files.
- Is the system web scale? Yes. Yes it is.