Infection chains used by commodity malware are constantly evolving and use various tricks to bypass security measures and/or user awareness.
BumbleBee, QNAPWorm, IcedID and Qakbot are all often used as first-stage malicious code, allowing other more specific payloads to be dropped.
We give an overview of these infection chains and of the common detection methods used against them, outline how generic detection rules covering whole infection chains can help in the fight against botnets, and finally look at how threat intelligence at scale, combined with the rest, creates a solid defence.
First, we provide our analysis of the evolution in the infection chains of a few of the most common botnets seen in 2022 and early 2023.
Our study shows how quickly their techniques evolve.
It also covers some detection use cases for these techniques, showing how pointless it can be to build overly specific detection rules for these types of threats.
Secondly, we dig into the creation of more generic rules against known infection chains to detect future threats.
We show how these rules can be relevant and more effective than classic detection rules, which are focused on one technique inside an infection chain.
These generic rules are based on Sigma correlation, which combines multiple Sigma rules into one detection that triggers only when those rules match according to criteria such as a time range.
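To make the difference between a single-technique rule and a chain-level correlation concrete, here is an added example that is not part of the Sekoia post and not code from the Sigma project. It models two stand-alone Sigma-style rules (a script host launched from the desktop, then rundll32 loading a DLL from a temp folder) and a temporal correlation in the spirit of Sigma's `rules` / `group-by` / `timespan` fields; the matching engine, the rule contents and the telemetry are all constructed for illustration and do not reproduce any real Sigma rule or real infection chain.

```python
"""Sigma-style temporal correlation over constructed endpoint telemetry.

Assumption: each "rule" is a plain predicate over a process-creation event;
the correlator mimics Sigma's temporal correlation (every referenced rule must
match within `timespan`, grouped by a field) but is not the Sigma engine.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): process-creation records.
EVENTS = [
    {"ts": "2023-03-01T10:00:00", "host": "WS01",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "wscript.exe invoice.js"},
    {"ts": "2023-03-01T10:00:07", "host": "WS01",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"},
    # Benign logon script on another workstation, no follow-up stage.
    {"ts": "2023-03-01T11:30:00", "host": "WS02",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "wscript.exe logon_script.vbs"},
    # Benign rundll32 use by the OS itself.
    {"ts": "2023-03-01T12:00:00", "host": "WS03",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Same stage-2 pattern on WS02, but 90 minutes after the script: outside the window.
    {"ts": "2023-03-01T13:00:00", "host": "WS02",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\y.dll,#1"},
]


def rule_script_host_from_explorer(e):
    """Stage 1 (constructed rule): wscript/cscript started by explorer.exe."""
    return (e["image"].lower().endswith(("wscript.exe", "cscript.exe"))
            and e["parent"].lower().endswith("explorer.exe"))


def rule_rundll32_temp_dll(e):
    """Stage 2 (constructed rule): rundll32 loading a DLL from a temp folder."""
    return (e["image"].lower().endswith("rundll32.exe")
            and "\\temp\\" in e["cmdline"].lower())


# Named like the `rules:` list of a Sigma correlation.
RULES = {
    "script_host_from_explorer": rule_script_host_from_explorer,
    "rundll32_temp_dll": rule_rundll32_temp_dll,
}


def parse_timespan(spec):
    """Parse a Sigma-style timespan such as '5m', '30s', '2h', '1d'."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})


def count_hits(events, rule):
    """What a classic single-technique rule would raise: one hit per matching event."""
    return sum(1 for e in events if rule(e))


def correlate_temporal(events, rules, group_by, timespan):
    """Alert once per group in which every rule matched at least once within `timespan`."""
    hits = defaultdict(list)  # group key -> [(timestamp, rule name)], in time order
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = tuple(e[f] for f in group_by)
        for name, pred in rules.items():
            if pred(e):
                hits[key].append((datetime.fromisoformat(e["ts"]), name))

    alerts = []
    for key, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            # Sliding window starting at each hit; fire on the first complete one.
            window = {name for t, name in seq[i:] if t - t0 <= timespan}
            if window == set(rules):
                alerts.append({"group": key, "start": t0, "rules": sorted(window)})
                break
    return alerts


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name}: {count_hits(EVENTS, rule)} single-rule hits")
    for a in correlate_temporal(EVENTS, RULES, ["host"], parse_timespan("5m")):
        print("correlated alert:", a)
```

Run stand-alone, each single rule fires twice (once on a benign event), while the correlation fires once, on the host where both stages occurred within five minutes. Adding a third stage to the chain is a matter of appending one more predicate to `RULES`; the correlator does not need to change, which is the property that makes chain-level rules more robust than tuning each technique rule in isolation.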
Finally, and as an opening to further discussions, we detail our own threat intelligence and detection pipeline, which, thanks to command-and-control server tracking, sample configuration extraction and detonation, allows detection rules to be tested for non-regression, all in a common workflow.
This Cyber News was published on blog.sekoia.io. Publication date: Wed, 06 Dec 2023 18:43:05 +0000