The Endgame research team will be out in force this weekend for BSides Charm in Towson, MD. We’ll present five research projects that cover a broad range of topics, including four open source or publicly available projects with current and imminent releases. If you can’t make it to the Baltimore area this weekend, our blog also covers each of these research efforts in depth.
We have already written about three of these research efforts in previous blogs, such as our recently released Red Team Automation tool and our research into data localization as governments across the globe seek to control data within their borders. Just last week, we released Ember, our open source malware classifier and dataset. Our talks will provide deep dives into these research areas and hopefully encourage greater discussion and interaction with the community as we evolve each of these efforts.
In the near future, we will also detail two additional projects – one on Powershell deobfuscation and one on detecting DNS tunnels – with tools that will be released shortly in conjunction with detailed blogs on the projects. Please stay tuned for these releases.
Endgame @BSides Charm: Schedule and Topics
Our talks and their abstracts are listed below. If you’ll be in the Baltimore area this weekend, we hope to get a chance to meet, share ideas on these topics, and learn about all of the great, ongoing research in the community.
An Open Source Malware Classifier and Dataset
Research in machine learning for static malware detection has been stymied because of stale, biased, and otherwise limited public datasets. In this talk, I will introduce an open source dataset of labels for a diverse and representative set of Windows PE files. The dataset also includes feature vectors for machine learning model building, a high-performing pre-trained model for research, and source code to reproducibly generate the features and model. I’ll also detail the reasoning behind the features and labels and demonstrate how the machine learning model performs on samples in the wild.
Presenter: Phil Roth (@mrphilroth)
Time: Saturday, 2-3 pm
Quantify Your Hunt: Not Your Parents’ Red Teaming
The security marketplace is saturated with product claims of detection coverage that have been almost impossible to evaluate, all while intrusions continue to make headlines. To help organizations better understand what detections a commercial or open source technology platform provides, a framework is necessary to measure depth and breadth of coverage. This presentation builds upon the MITRE ATT&CK framework by explaining how to measure the coverage and quality of detections against ATT&CK techniques, while demonstrating open source red team tools and automation that generate post-exploitation artifacts. The community of security professionals and the organizations for which they work will gain new or improved abilities to measure detection capabilities.
Finally, this presentation will articulate a call to action for the industry: adopt this common language that describes these detection capabilities in a tangible and quantifiable way.
Presenters: Devon Kerr (@_devonkerr_) and Roberto Rodriguez (@Cyb3rWard0g)
Time: Saturday, 4-5 pm
Powershell Deobfuscation: Putting the Toothpaste Back in the Tube
In an effort to provide analysts with a clearer picture of what happened after exploitation and save them time, we've developed a tool for detecting and deobfuscating obfuscated Powershell scripts. The pipeline starts with a machine learning classifier that determines whether a file is obfuscated or encoded, then reverses any encoding and any easy-to-decipher obfuscation it finds, and finishes the more difficult deobfuscation tasks using a neural network text translation framework.
Presenter: Daniel Grant
Time: Saturday, 5-5:30 pm
Internet Anarchy & The Global March toward Data Localization
Lacking a global institution to harmonize internet governance, countries are formulating local data governance, privacy, and security regulations. This Splinternet poses logistical challenges for corporations and has strategic implications for geopolitics, democracy, and individual freedoms. This will be demonstrated through the GDPR, Chinese, and Russian approaches to data localization.
Presenter: Andrea Little Limbago (@limbagoa)
Time: Saturday, 5-5:30 pm
Plight at the End of the Tunnel
DNS is one of the most ubiquitous and yet least analyzed network protocols. DNS tunnels are frequently employed to sneak traffic in and out of restricted environments without ever making a direct connection to the attacker's remote endpoint, since the data rides inside ordinary-looking queries and responses that the environment's own resolvers forward on.
This talk discusses a holistic approach to detect DNS tunnels, and provides an open source implementation of these techniques to scan network traffic.
Presenter: Anjum Ahuja (@jack8daniels2)
Time: Sunday, 10-10:30 am