DCART: Decoupled Components for Automated Ransomware Testing
Date: 15th Oct – Tuesday
Time: 15:00-16:00
Location: Ballroom B
Detonating ransomware is not difficult. However, detonating ransomware in a controlled, repeatable manner for the purpose of testing a behavioral detection framework can be an arduous task. System services, background processes, and other concurrent file system activity may lead to inconsistent true positive detections (e.g., varying levels of file/process activity, or varying elapsed time until detection thresholds are met). The best method we have discovered to avoid this variance between test runs is to decouple the detonation and detection components and carry out these tasks separately.
In this talk, I will guide the audience through the design and development of a behavioral ransomware detonation and detection framework, test the framework against a few well-known ransomware families, and detail a thorough automated testing methodology. I will also be releasing the framework source code to the public on the day of the talk.
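The decoupling described above, as an added example that is not DCART's own code: a detector that replays a recorded file-system trace (assumed to have been captured during a separate detonation run) and attributes events per process, so that background noise from other processes neither triggers a detection nor changes the measured time-to-detection. The trace, the threshold (5 extension-changing renames within 2 seconds) and the event format are all constructed assumptions.

```python
"""Replay-based behavioural ransomware detector (added example, not DCART code)."""
from collections import defaultdict

# Constructed sample trace: (t_ms, pid, op, arg). Assumed recorded during a
# separate detonation run so that detection can be replayed offline.
# pid 4242 renames documents to a new extension (ransomware-like);
# pid 17 is an unrelated background service creating file-system noise.
SAMPLE_TRACE = [
    (0,    17,   "modify", "/home/u/.cache/a.tmp"),
    (200,  4242, "rename", "/home/u/docs/report.docx -> /home/u/docs/report.docx.locked"),
    (300,  17,   "modify", "/home/u/.cache/b.tmp"),
    (500,  4242, "rename", "/home/u/docs/budget.xlsx -> /home/u/docs/budget.xlsx.locked"),
    (900,  4242, "rename", "/home/u/docs/notes.txt -> /home/u/docs/notes.txt.locked"),
    (1100, 17,   "modify", "/home/u/.cache/c.tmp"),
    (1400, 4242, "rename", "/home/u/docs/photo.jpg -> /home/u/docs/photo.jpg.locked"),
    (1600, 4242, "rename", "/home/u/docs/cv.pdf -> /home/u/docs/cv.pdf.locked"),
]


def extension_changed(rename_arg):
    """True when a 'src -> dst' rename leaves the file with a different extension."""
    src, dst = (p.strip() for p in rename_arg.split("->", 1))
    return src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]


def detect(trace, threshold=5, window_ms=2000):
    """Replay a recorded trace and return (pid, ms_since_first_seen) for the
    first process whose extension-changing renames reach `threshold` within
    `window_ms`, or None. Events are attributed per pid, so concurrent noise
    from other processes can neither trigger nor delay a detection."""
    first_seen = {}
    recent = defaultdict(list)  # pid -> timestamps of suspicious renames in window
    for t_ms, pid, op, arg in trace:
        first_seen.setdefault(pid, t_ms)
        if op != "rename" or not extension_changed(arg):
            continue
        hits = [t for t in recent[pid] if t_ms - t <= window_ms] + [t_ms]
        recent[pid] = hits
        if len(hits) >= threshold:
            return pid, t_ms - first_seen[pid]
    return None


if __name__ == "__main__":
    print(detect(SAMPLE_TRACE))                               # (4242, 1400)
    print(detect([e for e in SAMPLE_TRACE if e[1] == 4242]))  # same result without the noise
```

Because the same recorded trace is replayed every time, the time-to-detection is identical across runs, which is the repeatability that live detonation with concurrent system activity does not give.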