Ross Gibb is a security researcher based in Calgary. Since 2015, he has worked at Cisco improving the efficacy of Cisco’s Advanced Malware Protection (AMP) product line. Prior to joining Cisco, Ross analyzed malware used in targeted attacks, and actively worked to take down botnets. Ross has previously presented his research at BSides Calgary in 2016.

Joshua Reynolds is a part of the Research & Efficacy Team at Cisco Systems that assists in increasing the efficacy of the AMP for Endpoints and Threat Grid product lines through a number of development efforts. Joshua joined Cisco through the Sourcefire, Inc. acquisition by Cisco Systems where he performed quality assurance for the AMP for Endpoints product line.

Prior to joining Sourcefire, Joshua was a System Administrator at the Calgary based consulting company Graycon Group LTD, and interned at Red Hat Asia Pacific's Penetration Testing team while finishing his Bachelor's degree in Information Technology at Griffith University in Australia. Joshua also holds a diploma of Information Technology from the Southern Alberta Institute of Technology where he graduated with honors.

Topic: Attack of the Document Clones

As evidenced by the sheer volume of malicious attachments detected, Microsoft Office documents sent by email remain an excellent infection vector. Despite security awareness training and Microsoft's best efforts, users still open malicious documents and enable the macros within.

This presentation will examine in-the-wild malicious documents sent to a variety of targets over time, and will introduce techniques to programmatically group and cluster malicious documents. In addition to improving detection, these techniques can also be used to track the actors creating and disseminating document clones.