“Enterprise Malware Detection”

Presentation transcript:

“Enterprise Malware Detection”
“Detect, Diagnose, & Respond with superior intelligence”
Advanced Memory Analysis, Automated Code Reversing and Digital DNA

HBGary Background
Founded in 2003
Government R&D Solutions:
- Enterprise Host Intrusion Detection
- Live Windows Memory Forensics & Incident Response
- Malicious Code Detection
- Automated Reverse Engineering
HBGary R&D Funding:
- Air Force Research Labs: Next Generation Software Reverse Engineering Tools, Kernel Virtual Machine Host Analyzer, Virtual Machine Debugger
- Dept Homeland Security (HSARPA): Botnet Detection and Mitigation, H/W Assisted System Security Monitor (subcontractor to AFCO Systems Development)

Strategic Partners
Preferred Services Partner: Agilex
- HBGary Solutions Implementation
- HBGary Digital DNA Configuration and Management
- Information Assurance Services
- HBGary Solutions Integration
Technology partners: McAfee, Guidance Software

HBGary Approach: Detect, Diagnose, Respond
DETECT: Live Physical Memory Forensics
- Acquire live, analyze offline: this is the advantage
- We rebuild the underlying data structures
- No code is executing to “actively” fool our analysis
- Rootkit detection becomes easier with offline memory analysis
DIAGNOSE: Code Reverse Engineering, Digital DNA, Malware Analysis
- Identify a binary’s capabilities and the author’s intent: Does it steal my data? Where is my data being sent? How does it install itself?
RESPOND: Respond with Actionable Intelligence
- Block URLs and IP addresses at the gateway
- Determine the scope of the breach
- Search for & remediate the malicious code artifacts (EnCase Enterprise IA Suite)
- Create signatures for IDS/IPS

Malware Growth 1987 - 2008
- 2000 new malware per day in 2007
- 4000 new malware per day in 2008
  http://www.darkgovernment.com/news/the-online-shadow-economy-of-malware/
- Top 3 AV companies don’t detect 80% of new malware
  Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006

Modern Malware Anti-Detection
Defeat Anti-Virus & IDS:
- Obfuscate code, pack code, encrypt code
- Almost unlimited permutations
Anti-Forensics:
- In-memory-only payloads minimize the footprint on disk
Anti-Reverse Engineering:
- Function-level decryption, packing, encryption, polymorphism
Rootkit Techniques:
- IDT, SSDT, IRP hooking, DKOM, file system hooks, registry, firmware
Covert Channel Stealth:
- Inject evil traffic into legitimate web browsing

State of malicious code

Why is our approach unique?
- Memory & pagefile are analyzed offline, so the malware cannot actively hide itself
- All code and data that is in use MUST exist in physical memory or the pagefile, therefore we have access to it
- The OS points us to the running rootkit or malware, by virtue of the malware having to interact with the OS

The 3 Technologies of HBGary
- Digital DNA (Behavioral Analysis)
- Reverse Code Engineering
- Physical Memory Forensics

1. Physical Memory Analysis
- Can identify executable code hidden from antivirus
- Can overcome many of the advanced tricks posed by advanced malware
- Can detect modifications to the system
- Is the only way to detect some of the latest threats

2. Automated Reverse Engineering
Once you detect suspicious or unknown code, you need to identify whether it is malicious or not. Automated reverse engineering provides critical intelligence:
- How the malware installs itself
- How to identify other compromised hosts
- How to clean it up
- How, and to whom, it communicates over the network
- What information it steals
- How it remains undetected

3. Digital DNA
Goals: rapidly identify
- Malicious behaviors inside running applications in memory
- Traits of the malware
There are thousands of traits; they can be broadly grouped into six behavioral categories (“factors”).

Why is Digital DNA unique?
- The disassembled malware has code and data that reveals behavior
- Digital DNA is an abbreviated code for detected behaviors
- Behaviors can be “good” or “bad”
- Each behavior has a weight, and when behaviors are combined into a DDNA sequence, the sequence has a weight

Creating Digital DNA
- HBGary receives 4000+ malware samples per day
- The Overbeast is an ESX server; it performs runtime analysis on 100 malware per hour
- Overbeast is part of the DDNA creation process
- Overbeast runs 40 virtual machines simultaneously
- Automatically runs malware with flypaper…

DDNA Building Blocks: Traits
Trait codes look like this: 04 0F 51
- Weight / control flags
- Unique hash code
- The description is held in a database

Digital DNA Sequences
This is a series of 3-octet trait codes:
02 82 78 02 D6 F7 07 CD E3 05 51 87 05 A8 F1 02 FB 99 02 45 5B 02 7C 9A 02 AC CF 00 9F…
- Each trait can have a weight from -15 to +15: + means suspicious, - means trusted.
- The entire sequence is weighted by summing the weights of each trait.
- The summing of weights is performed using an algorithm known as the “discrete weight decay algorithm”, which decays the effect of a repeated weight value over time.
- A malicious binary will usually score +40 points or more in weight.
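The trait-code and sequence-weighting slides above describe a scoring scheme but not its details, so here is a constructed Python model of it (an added example, not HBGary's code). Assumptions not stated in the deck: the first octet of a trait code is a control-flag byte and the last two octets are the trait hash, the trait weights and descriptions are a small constructed database, and the unspecified "discrete weight decay algorithm" is modelled as halving the weight of each repeat of the same trait; the parser also drops a truncated trailing fragment like the "00 9F…" in the slide.

```python
"""Constructed model of Digital DNA sequence scoring (added example, not HBGary
code). Assumed, not from the deck: first octet of a trait code = control flags,
last two octets = trait hash; weights come from a constructed database; and the
"discrete weight decay algorithm" is modelled as halving each repeat's weight."""
from collections import Counter

# Constructed trait database: hash code -> (weight, description), with weights
# in the deck's range of -15 (trusted) to +15 (suspicious).
TRAIT_DB = {
    0x1A2B: (+12, "patches a system service dispatch table entry"),
    0x3C4D: (+9, "writes executable code into another process"),
    0x5E6F: (-8, "module carries a valid vendor code signature"),
    0x7081: (+14, "loads an unsigned kernel driver at runtime"),
    0x92A3: (+10, "decrypts a payload into memory before executing it"),
}
DECAY = 0.5               # assumed decay factor per repeat of the same trait
MALICIOUS_THRESHOLD = 40  # the deck: malicious binaries usually score +40 or more


def parse_sequence(text):
    """Split a DDNA hex string into (flags, hash) trait codes. A trailing fragment
    of fewer than 3 octets (e.g. the "00 9F..." of a truncated sequence) is dropped
    rather than mis-read as a trait."""
    toks = [t.strip(".\u2026") for t in text.split()]
    octets = [int(t, 16) for t in toks if t]
    return [(octets[3 * i], (octets[3 * i + 1] << 8) | octets[3 * i + 2])
            for i in range(len(octets) // 3)]


def score_sequence(traits, db=TRAIT_DB, decay=DECAY):
    """Sum trait weights, decaying each repeat of a trait so one repeated
    behaviour cannot dominate the score; unknown hash codes contribute 0."""
    total, seen = 0.0, Counter()
    for _flags, code in traits:
        weight, _desc = db.get(code, (0, "unknown trait"))
        total += weight * decay ** seen[code]
        seen[code] += 1
    return total


def is_malicious(score):
    return score >= MALICIOUS_THRESHOLD


# Constructed sample: trait 1A2B repeats three times and the last code is cut off.
SAMPLE = "04 1A 2B 07 3C 4D 04 1A 2B 02 5E 6F 04 1A 2B 05 70 81 03 92 A3 00 B4\u2026"

if __name__ == "__main__":
    traits = parse_sequence(SAMPLE)
    s = score_sequence(traits)
    print(f"{len(traits)} traits, score {s:+.1f} -> "
          f"{'malicious' if is_malicious(s) else 'not flagged'}")
```

With decay the repeated trait contributes 12 + 6 + 3 instead of 36, so the sample scores 46 rather than 61, still over the +40 line but no longer carried by a single repeated behaviour.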

Digital DNA
Ranking Software Modules by Threat Severity
Software Behavioral Traits

Digital DNA Screenshot

Client Testimonial
- One of the largest pharmaceutical companies
- Under attack every day
- Uses Responder and also one of the largest antivirus companies
- Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data

Point Solutions
Responder Professional v1.4 – Comprehensive physical memory and malware investigation platform
- Host Intrusion Detection & Incident Response
- Live Windows Forensics
- Automated Malware Analysis
- Digital DNA
Responder Field Edition v1.4 – Comprehensive memory investigation platform, geared towards law enforcement and computer forensic investigators

Enterprise Solutions
Enterprise Responder – McAfee ePO 4.0 Integration
- Enterprise malware/rootkit detection & reporting
- Distributed physical memory analysis with Digital DNA
Enterprise Responder – Guidance Software EnCase Enterprise
- Enterprise solution for remote suspicious behavior detection

McAfee ePO Integration

Thank you
www.hbgary.com
John Edwards: John.edwards@agilex.com, 703-889-3939
Rich Cummings: rich@hbgary.com, 301-652-8885 x112