Signatures Are Dead - Long Live Resilient Signatures

Offered By: BruCON Security Conference via YouTube

Tags

BruCON Courses, Cybersecurity Courses, Incident Response Courses, Threat Hunting Courses

Course Description

Overview

Explore the intricacies of creating resilient, high-fidelity threat detections in this 57-minute conference talk from BruCON Security Conference. Delve into the challenges of developing signatures that withstand evasion attempts by dedicated attackers and researchers. Learn from FireEye's Advanced Practices Team as they share insights on their processes and approaches to detection development, including practical examples derived from real-world attacks. Discover the importance of proper tools, visibility, and a methodical, iterative approach in crafting effective detections. Gain valuable knowledge on various topics, including signature definition, detection methodologies, sample set assembly, existing protection testing, data generation, rule writing, and intelligence gathering. Examine specific examples such as register32 detection, FTP WebDAV, argument reordering, and HTTPS SCT Detection. Understand the attack lifecycle and the significance of knowing your tools and new application techniques in the ever-evolving landscape of cybersecurity.

Syllabus

Intro
Presentation Outline
Background
What is a signature
What are the other opportunities
What are good signatures
How we think about detection
What is it
How to find it
Assembling sample sets
Testing existing protections
Generating data
Writing rules
Intelligence Gathering
Example
Group Samples
Detection
Mutual Support
enumerate
test
register32 overview
register32 detection
FTP WebDAV
Argument reordering
Arguments
Changing Arguments
Double Quotes
HTTP
SCT Detection
Class ID
Script Tags
Script Language
Whitespace
Attack Lifecycle
Summary
Know your tools
New application techniques
Taught by

BruCON Security Conference

Related Courses

TOTAL: CompTIA CySA+ Cybersecurity Analyst (CS0-003) (Udemy)
Operationalizing Cyber Threat Intel: Pivoting & Hunting (Pluralsight)
Threat Hunting with Yara (Pluralsight)
Enterprise Security: Policies, Practices, and Procedures (Pluralsight)
Managing and Responding to Security Events Using Azure Sentinel (Pluralsight)