
Hank Chen

SPEAKER

TXOne Networks Threat Researcher

Hank Chen is a threat researcher at TXOne Networks, in charge of malware analysis, product security, and vulnerability research. He was a teaching assistant for Cryptography at National Tsing Hua University (NTHU) and has participated in many CTF competitions with BalsiFox and 10sec, focusing on crypto, reverse, and pwn challenges.

Speech

Ransomware Solution Forum

SEP 22

No More Ransomware in Critical Infrastructure!

09/22 (Thu) 14:00 - 14:30 7F 701C
TXOne Networks Manager, PSIRT and Threat Research / Mars Cheng
TXOne Networks Threat Researcher / Hank Chen

Attacks on critical infrastructure have become more and more rampant, especially since 2019. Ransomware has become a necessary subject of study for stakeholders and personnel, and has had a substantial operational impact on industrial control system (ICS) environments. The continuous evolution of ransomware and the peculiarities of ICS environments make it difficult to ensure that ICSes stay protected from ransomware under operating conditions. In this talk, in addition to an in-depth analysis of the ransomware behaviors and ransomware-related techniques that have affected ICS environments, we propose effective defense methods and strategies tailored to ICS environments to strengthen protection against ransomware.

Threat Research Forum

SEP 22

Building Next-Generation Semantic-aware Signature Engine from Disassembly

09/22 (Thu) 14:45 - 15:15 4F 4A
TXOne Networks Threat Researcher / Sheng-Hao Ma
TXOne Networks Threat Researcher / Hank Chen

In the era of endless new exploits, the active defense of antivirus has already collapsed. Efficient static scanning remains the most important feature of modern antivirus against malware: it is designed to give AV/EDR the ability to decide immediately, on discovering an unknown file, whether that file is a known threat, so as to avoid infection.

This technique has evolved from the original file-hash fingerprint, to the now well-known pattern matching (YARA), and even to heuristic ML methods that produce patterns automatically in order to cover highly variant samples as far as possible.

As a result, attackers have advanced their pattern-bypassing tactics to identify and remove antivirus signatures in no time. This allows variant-enhanced malware in the wild to increase rather than decrease, even against state-of-the-art AI-based detection. But do we really want detection techniques that only chase behind attackers? The blame lies with the fact that classic pattern matching never considers the semantics of execution behavior, which makes it easy to bypass.

In this session, we will show how the latest variant samples can thoroughly defeat the major pattern matching techniques with simple tricks such as obfuscation, control-flow flattening (FLA, as in OLLVM), and RC4 encryption.

To fight against this, we will present a next-generation static scanning idea. Instead of superficial scanning of files, a full set of decompilers is built in to analyze all the static functions in a program file, and symbolic definitions of malicious functions are used to build a semantic-aware malware detection engine. Researchers can flexibly define malware templates and use this engine to achieve excellent detection results on multiple heavily obfuscated samples.