BSidesSF 2018 has ended
Sunday, April 15 • 2:50pm - 3:20pm
Using ancient math to speed up security assessments of Windows executables


This is about greatly speeding up risk reduction when evaluating Windows programs. Reverse engineering binary programs tends to go one of two ways: either a quick static analysis using utilities like "strings", or a time consuming dive down the rabbit hole monitoring API calls or debugging with tools like IDA Pro. The payoff from reverse engineering can be great, *if* one picks the right targets. Over several years performing assessments in a highly regulated environment, often under pressure, it became imperative to quickly triage Windows programs to decide which are worth the effort.


I found no tool to do this triage, so I gradually developed one. Eventually I settled on applying the math of Euclidean Distance and Bayes Theorem to static metadata taken from Windows executables. This can identify within seconds which executable (out of dozens or hundreds) to focus on; that triage used to take hours or days. I will demonstrate the tool, give a couple of success stories (anonymized by necessity) and explain the lessons learned from its evolution. The underlying approach can be applied by individuals with slim resources to many areas of security analysis.
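To make the two pieces of math concrete, here is an added illustration of the kind of ranking the abstract describes. It is not the presenter's tool and not code from the talk: the choice of metadata features, the baseline profile, the indicator thresholds and the Bayes likelihoods are all constructed assumptions, and the feature values are made up rather than measured from real files (a real implementation would fill them from a PE parser). Each executable gets a Euclidean distance from a "typical signed business application" profile and a naive-Bayes posterior that it deserves deeper reverse engineering, and the set is ranked by posterior with distance as the tie-breaker.

```python
"""Toy triage of Windows executables by static metadata (added example).

Not the presenter's tool. Combines Euclidean distance from a constructed
baseline profile with a naive-Bayes posterior over a few coarse indicators.
All feature values, thresholds and likelihoods below are assumptions.
"""
import math
from dataclasses import dataclass

# Feature order shared by every vector (hypothetical choice of PE metadata).
FEATURES = ("n_imports", "n_sections", "entropy", "has_signature", "n_tls_callbacks")

# Constructed reference profile of a typical signed, unpacked business app,
# plus a per-feature scale so that import counts do not swamp entropy.
BASELINE = (150, 5, 6.3, 1, 0)
SCALE = (100, 2, 1.0, 1, 1)


@dataclass(frozen=True)
class Exe:
    name: str
    vector: tuple  # values in FEATURES order


# Constructed sample metadata (not measured from real binaries).
SAMPLES = [
    Exe("notepad-like.exe", (120, 5, 6.1, 1, 0)),
    Exe("installer.exe", (200, 6, 6.4, 1, 0)),
    Exe("packed-agent.exe", (3, 2, 7.9, 0, 1)),
    Exe("vendor-tool.exe", (150, 5, 6.3, 1, 0)),
    Exe("odd-updater.exe", (10, 3, 7.6, 0, 0)),
]


def euclid_from_baseline(vector):
    """Scaled Euclidean distance from the baseline profile; a large distance
    marks an outlier worth a second look regardless of the Bayes score."""
    return math.sqrt(sum(((v - b) / s) ** 2 for v, b, s in zip(vector, BASELINE, SCALE)))


# Binary indicators derived from the raw features, each with constructed
# likelihoods P(indicator | worth deep review) and P(indicator | ordinary).
INDICATORS = {
    "few_imports": (lambda v: v[0] < 20, 0.7, 0.05),    # tiny import table
    "high_entropy": (lambda v: v[2] > 7.2, 0.8, 0.10),  # packed/encrypted payload
    "unsigned": (lambda v: v[3] == 0, 0.8, 0.30),       # no Authenticode signature
    "tls_callbacks": (lambda v: v[4] > 0, 0.4, 0.02),   # code runs before entry point
}
PRIOR_INTERESTING = 0.1  # assumed base rate of binaries that merit deep RE


def bayes_posterior(vector):
    """Naive Bayes: multiply the prior by each indicator's likelihood (or its
    complement when the indicator is absent) and normalise over both classes."""
    p_int = PRIOR_INTERESTING
    p_ord = 1 - PRIOR_INTERESTING
    for test, like_int, like_ord in INDICATORS.values():
        present = test(vector)
        p_int *= like_int if present else 1 - like_int
        p_ord *= like_ord if present else 1 - like_ord
    return p_int / (p_int + p_ord)


def triage(exes):
    """Return (name, posterior, distance) tuples, most review-worthy first."""
    scored = [(e.name, bayes_posterior(e.vector), euclid_from_baseline(e.vector))
              for e in exes]
    return sorted(scored, key=lambda t: (-t[1], -t[2]))


if __name__ == "__main__":
    for name, post, dist in triage(SAMPLES):
        print(f"{name:18s} P(review)={post:.3f}  distance={dist:.2f}")
```

With the constructed data the two unsigned, high-entropy, import-poor binaries rise to the top and the three ordinary-looking ones fall to the bottom, where the distance alone still orders them. The likelihood tables are the part that would be tuned from experience over many assessments; the ranking mechanics stay the same.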

Presenters

Cole Thompson

Cyber Security Consultant, Kaiser Permanente
I'm a cyber security consultant with Kaiser Permanente, with about 22 years total in information technology. I have been a UNIX sysadmin and a Java/C developer, and have now been a full-time security guy for six years.



Sunday April 15, 2018 2:50pm - 3:20pm
AMC - Theatre 7