WEBVTT 1 00:00:00.000 --> 00:00:01.290 In this lesson, 2 00:00:01.290 --> 00:00:04.020 we will learn about code stylometry. 3 00:00:04.020 --> 00:00:07.470 Code stylometry is the process of analyzing 4 00:00:07.470 --> 00:00:12.000 a developer's coding style to identify unique patterns 5 00:00:12.000 --> 00:00:14.850 that could be used for malware attribution 6 00:00:14.850 --> 00:00:18.270 or to trace the origin of specific software. 7 00:00:18.270 --> 00:00:22.350 Code stylometry concepts include variant matching, 8 00:00:22.350 --> 00:00:26.130 code similarity, and malware attribution. 9 00:00:26.130 --> 00:00:28.680 Variant matching looks for similarities 10 00:00:28.680 --> 00:00:31.050 between different versions or variants 11 00:00:31.050 --> 00:00:33.030 of the same malware family. 12 00:00:33.030 --> 00:00:37.326 Next, code similarity focuses on comparing segments of code 13 00:00:37.326 --> 00:00:40.530 across multiple samples to detect 14 00:00:40.530 --> 00:00:44.310 shared structures, functions, or techniques. 15 00:00:44.310 --> 00:00:48.390 And finally, malware attribution uses these findings 16 00:00:48.390 --> 00:00:50.014 to potentially link malware 17 00:00:50.014 --> 00:00:53.550 to a specific threat actor or group 18 00:00:53.550 --> 00:00:57.990 by recognizing unique coding habits or a reused code. 19 00:00:57.990 --> 00:01:00.450 Let's learn more about variant matching, 20 00:01:00.450 --> 00:01:03.630 code similarity, and malware attribution. 21 00:01:03.630 --> 00:01:06.630 First, we have variant matching. 22 00:01:06.630 --> 00:01:10.530 Variant matching is a technique used in code stylometry 23 00:01:10.530 --> 00:01:14.106 to identify similarities between different versions 24 00:01:14.106 --> 00:01:18.360 or variants of the same malware family. 25 00:01:18.360 --> 00:01:21.780 This method is particularly valuable when new strains 26 00:01:21.780 --> 00:01:25.110 of malware are released with slight modifications, 27 00:01:25.110 --> 00:01:29.190 such as changes in the code structure or functionality. 28 00:01:29.190 --> 00:01:33.510 Modifications are often made to malware to evade detection 29 00:01:33.510 --> 00:01:38.070 by security tools that recognize known malware signatures. 30 00:01:38.070 --> 00:01:41.914 So attackers tweak the code structure or functionality 31 00:01:41.914 --> 00:01:45.270 to bypass these defenses while keeping 32 00:01:45.270 --> 00:01:48.330 the core malicious behavior intact. 33 00:01:48.330 --> 00:01:52.054 By analyzing these variants, security teams can recognize 34 00:01:52.054 --> 00:01:56.070 evolving threats before they cause significant harm. 35 00:01:56.070 --> 00:01:59.310 For example, a new malware strain might have 36 00:01:59.310 --> 00:02:02.490 a different payload or obfuscation technique, 37 00:02:02.490 --> 00:02:04.230 but still carry remnants 38 00:02:04.230 --> 00:02:07.170 of the original coding style or structure. 39 00:02:07.170 --> 00:02:10.890 Variant matching enables analysts to link these changes 40 00:02:10.890 --> 00:02:13.380 back to the same malware family, 41 00:02:13.380 --> 00:02:16.920 ensuring rapid identification and response. 42 00:02:16.920 --> 00:02:18.990 In an enterprise environment, 43 00:02:18.990 --> 00:02:21.660 variant matching plays an important role 44 00:02:21.660 --> 00:02:25.320 in improving threat detection and incident response. 45 00:02:25.320 --> 00:02:28.290 When a security team encounters new malware, 46 00:02:28.290 --> 00:02:30.616 variant matching helps them quickly determine 47 00:02:30.616 --> 00:02:35.250 if it's a previously known threat or something entirely new. 48 00:02:35.250 --> 00:02:37.530 This is important because enterprises 49 00:02:37.530 --> 00:02:40.020 often face continuous attacks 50 00:02:40.020 --> 00:02:43.260 from malware families that evolve over time. 51 00:02:43.260 --> 00:02:46.440 By using variant matching, organizations can stay 52 00:02:46.440 --> 00:02:50.711 one step ahead by recognizing how the malware is adapting 53 00:02:50.711 --> 00:02:54.360 and developing appropriate countermeasures. 54 00:02:54.360 --> 00:02:57.030 This proactive approach can save 55 00:02:57.030 --> 00:03:01.050 significant time and resources during incident response, 56 00:03:01.050 --> 00:03:05.040 preventing further damage from known malware families. 57 00:03:05.040 --> 00:03:07.800 Second, we have code similarity. 58 00:03:07.800 --> 00:03:10.650 Code similarity is another important concept 59 00:03:10.650 --> 00:03:13.530 in code stylometry, focusing on comparing 60 00:03:13.530 --> 00:03:17.430 segments of code across different samples to identify 61 00:03:17.430 --> 00:03:20.700 shared structures, techniques, or functions. 62 00:03:20.700 --> 00:03:24.090 It helps security analysts discover common code snippets 63 00:03:24.090 --> 00:03:27.330 or algorithms reused across malware 64 00:03:27.330 --> 00:03:29.670 or even legitimate software. 65 00:03:29.670 --> 00:03:32.613 This process enables security teams to link 66 00:03:32.613 --> 00:03:36.660 seemingly unrelated pieces of software or malware 67 00:03:36.660 --> 00:03:38.910 based on shared characteristics. 68 00:03:38.910 --> 00:03:42.360 So, code similarity allows teams to find 69 00:03:42.360 --> 00:03:45.660 relationships between different malware families, 70 00:03:45.660 --> 00:03:47.520 providing broader insights 71 00:03:47.520 --> 00:03:50.340 into an attacker's coding practices. 72 00:03:50.340 --> 00:03:53.610 In an enterprise setting, code similarity can be used 73 00:03:53.610 --> 00:03:56.820 to detect malware or software vulnerabilities 74 00:03:56.820 --> 00:03:59.760 by comparing a new code against a database 75 00:03:59.760 --> 00:04:03.180 of known malware samples or exploits. 76 00:04:03.180 --> 00:04:07.860 This helps organizations identify potential threats early 77 00:04:07.860 --> 00:04:10.700 and understand the methods attackers use 78 00:04:10.700 --> 00:04:13.470 to craft their malicious software. 79 00:04:13.470 --> 00:04:17.100 For example, if a security team finds that 80 00:04:17.100 --> 00:04:20.790 a piece of malicious code shares a significant portion 81 00:04:20.790 --> 00:04:24.690 of its structure with a known exploit, they can quickly 82 00:04:24.690 --> 00:04:29.550 identify the threat and take steps to protect their systems. 83 00:04:29.550 --> 00:04:34.550 Also, code similarity can help identify software plagiarism 84 00:04:35.010 --> 00:04:38.460 where developers copy significant parts of code 85 00:04:38.460 --> 00:04:42.510 from other sources without permission or attribution. 86 00:04:42.510 --> 00:04:46.440 A practical example of code similarity could involve 87 00:04:46.440 --> 00:04:50.460 a security team analyzing a new piece of malware. 88 00:04:50.460 --> 00:04:54.510 Upon comparing its code to previous malware samples, 89 00:04:54.510 --> 00:04:57.570 the security team could find that malware uses 90 00:04:57.570 --> 00:05:01.920 the same encryption algorithm as a known banking trojan. 91 00:05:01.920 --> 00:05:05.760 So despite their differences in the malware structure 92 00:05:05.760 --> 00:05:09.480 and delivery method, this similarity could help the team 93 00:05:09.480 --> 00:05:13.470 link the new malware to a specific group of attackers 94 00:05:13.470 --> 00:05:16.176 known for targeting financial institutions. 95 00:05:16.176 --> 00:05:21.176 This allows the enterprise to adapt its security defenses 96 00:05:21.300 --> 00:05:24.900 to mitigate future attacks from this group. 97 00:05:24.900 --> 00:05:29.310 Third and last, we have malware attribution. 98 00:05:29.310 --> 00:05:32.640 Malware attribution is the process of linking 99 00:05:32.640 --> 00:05:37.050 a particular piece of malware to a specific developer, 100 00:05:37.050 --> 00:05:40.440 group, or threat actor, often by analyzing 101 00:05:40.440 --> 00:05:43.350 their unique coding habits and patterns. 102 00:05:43.350 --> 00:05:47.580 By identifying specific markers such as coding style, 103 00:05:47.580 --> 00:05:51.210 reused libraries, or preferred algorithms, 104 00:05:51.210 --> 00:05:55.170 security analysts can trace the origin of the malware. 105 00:05:55.170 --> 00:05:59.674 This process helps enterprises and law enforcement agencies 106 00:05:59.674 --> 00:06:04.020 understand who is behind certain attacks, which can aid 107 00:06:04.020 --> 00:06:07.770 in broader investigations or defense strategies. 108 00:06:07.770 --> 00:06:12.240 In essence, malware attribution turns code stylometry 109 00:06:12.240 --> 00:06:15.390 into a tool for cyber forensics. 110 00:06:15.390 --> 00:06:19.462 Within an enterprise malware attribution helps organizations 111 00:06:19.462 --> 00:06:24.120 understand the nature of the threats they face. 112 00:06:24.120 --> 00:06:27.180 Knowing the threat actors behind an attack 113 00:06:27.180 --> 00:06:30.570 can help enterprises predict future risks 114 00:06:30.570 --> 00:06:34.380 and adapt their cybersecurity strategies accordingly. 115 00:06:34.380 --> 00:06:37.530 For example, if an organization knows 116 00:06:37.530 --> 00:06:41.430 that a particular group tends to target their industry, 117 00:06:41.430 --> 00:06:44.010 they can prepare by strengthening defenses 118 00:06:44.010 --> 00:06:46.710 against that group's known tactics. 119 00:06:46.710 --> 00:06:50.160 Additionally, attributing discovered malware 120 00:06:50.160 --> 00:06:52.920 to a specific threat actor can help 121 00:06:52.920 --> 00:06:55.410 in collaborating with law enforcement 122 00:06:55.410 --> 00:06:58.800 or sharing intelligence with industry partners. 123 00:06:58.800 --> 00:07:03.240 An example of malware attribution could involve identifying 124 00:07:03.240 --> 00:07:07.440 a piece of ransomware targeting a company's systems. 125 00:07:07.440 --> 00:07:10.740 In this situation, the security team discovers 126 00:07:10.740 --> 00:07:14.340 that the malware shares several unique coding features 127 00:07:14.340 --> 00:07:16.770 with past attacks attributed to 128 00:07:16.770 --> 00:07:19.350 a specific cyber criminal group. 129 00:07:19.350 --> 00:07:21.690 These features include the use 130 00:07:21.690 --> 00:07:24.420 of a particular encryption library 131 00:07:24.420 --> 00:07:27.930 and a distinct way of handling error logging. 132 00:07:27.930 --> 00:07:31.710 By recognizing these patterns, the team can competently 133 00:07:31.710 --> 00:07:35.004 attribute the attack to this group, giving the enterprise 134 00:07:35.004 --> 00:07:39.180 valuable insight into the attacker's motives 135 00:07:39.180 --> 00:07:42.840 and helping prevent future attacks from the same source 136 00:07:42.840 --> 00:07:45.851 by enabling specific defenses to be put in place 137 00:07:45.851 --> 00:07:48.960 for the tactics, techniques, and procedures 138 00:07:48.960 --> 00:07:51.840 that the attributed threat group uses. 139 00:07:51.840 --> 00:07:56.220 So remember, code stylometry is the study 140 00:07:56.220 --> 00:08:00.990 of a developer's coding style to uncover unique patterns 141 00:08:00.990 --> 00:08:03.810 that can help with malware attribution 142 00:08:03.810 --> 00:08:07.620 or identifying the origin of specific software. 143 00:08:07.620 --> 00:08:10.590 This involves three key concepts, 144 00:08:10.590 --> 00:08:15.360 variant matching, code similarity, and malware attribution. 145 00:08:15.360 --> 00:08:18.858 Variant matching helps detect new malware strains 146 00:08:18.858 --> 00:08:22.470 by spotting similarities with older versions, 147 00:08:22.470 --> 00:08:25.110 despite any slight modifications. 148 00:08:25.110 --> 00:08:28.770 Next, code similarity compares different pieces 149 00:08:28.770 --> 00:08:32.700 of software or malware to identify common structures 150 00:08:32.700 --> 00:08:35.820 or techniques, which can reveal connections 151 00:08:35.820 --> 00:08:38.820 between seemingly unrelated samples. 152 00:08:38.820 --> 00:08:43.050 Finally, malware attribution links malicious software 153 00:08:43.050 --> 00:08:46.380 to specific developers or threat groups 154 00:08:46.380 --> 00:08:50.190 based on unique coding habits aiding in tracking 155 00:08:50.190 --> 00:08:53.733 and understanding cyber criminal activities.