Presentation transcript:

Improve Enterprise Security with Memory Forensics, Malware Analysis & Digital DNA

HBGary Background
- Founded in 2003
- Government R&D
- Solutions: Enterprise Host Intrusion Detection; Live Windows Memory Forensics & Incident Response; Malicious Code Detection; Automated Reverse Engineering
- R&D Funding:
  - Air Force Research Labs: Next Generation Software Reverse Engineering Tools; Kernel Virtual Machine Host Analyzer; Virtual Machine Debugger
  - Dept Homeland Security (HSARPA): Botnet Detection and Mitigation; H/W Assisted System Security Monitor (subcontractor to AFCO Systems Development)

Speaker notes: HBGary has been around since 2003. The first 5 years were spent performing services for the US Government; it started selling products in 2008.

The Problem - Cybercrime
- Hacking
- Embezzlement
- Intellectual property theft
- Espionage
- Child exploitation
- Etc.

Speaker notes: These are the problems HBGary is working to solve. HBGary solutions can be used to help solve all kinds of cybercrime.

# of New Malware Every Day!
- 1986 – 2006: a total of 700,000 pieces of malware on the Internet.
- 2007: 700,000 NEW pieces of malware.
- 2008: 1,300,000 NEW pieces of malware.
- 2009: so far this year, between 25,000 – 75,000 NEW pieces of malware every day!

Anti-virus Shortcomings
- Top 3 AV companies don’t detect 80% of new malware
- Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006

Speaker notes: This is obvious.

Cybercrime Evolution
- Cybercrime authors have evolved over the last 30 years
- Continued improvement and innovation
- Capitalistic shadow economy: competition
- Malware authors follow a professional software development lifecycle model
- Professional quality assurance: the product doesn’t ship until the code is undetected by the latest antivirus products

Bad Guys use Memory Tricks
- Memory injection attacks never touch the disk
- Public and commercial hacker tools have used these techniques for 4+ years:
  - Metasploit Framework (meterpreter), www.metasploit.com
  - Canvas, www.immunitysec.com
  - Core Impact, www.coresecurity.com
- No good detection mechanism without memory preservation and offline analysis
- Remember: you cannot trust the operating system!

Drive-by Download – Legitimate website
- Your users are compromised today just by visiting a legitimate web site like www.foxnews.com...
- Foxnews.com was compromising Dept of Defense computers for over 2 weeks as users read the web page.
- The web site had been compromised and was serving up a hidden IFrame that installed malicious code.

White-listing on disk doesn’t prevent malware from being in memory
- Diagram: DISK FILE -> OS Loader -> IN-MEMORY IMAGE; the injection vectors (Internet browsers; PDF, ActiveX, Flash; Office documents, video, etc.) land in the in-memory image, not in the disk file
- Public attack kits have used memory-only injection for over 5 years
- The MD5 checksum of the disk file is white-listed, so the process is trusted??

HBGary Solution
- Live Memory (RAM) Forensics

Why Live Memory Forensics?
- Today it’s easy!
- Mission-critical systems: 99.999999% availability
- Anti-forensic techniques used by bad guys: hax0rs, cyber spies, cybercriminals
- Valuable info in RAM cannot be found on disk: passwords, encryption keys; network packets, screen shots; private chat sessions, unencrypted data, unsaved documents, etc.

Why Live Memory Forensics?
- Detect malware that anti-virus cannot
- Detect malware that host-based IDS/IPS cannot
- Verify the “run-time” state of the system

Useful Information in RAM
- Processes and drivers
- Loaded modules
- Network socket info
- Passwords
- Encryption keys
- Decrypted files
- Order of execution
- Runtime state information
- Rootkits
- Configuration information
- Logged-in users
- NDIS buffers
- Open files
- Unsaved documents
- Live registry
- Video buffers – screen shots
- BIOS memory
- VOIP phone calls
- Advanced malware
- Instant messenger chat

Why Memory Analysis is Unique
- Diagram labels: Better Detection; Traditional Forensics & Security Software

A suspicious file… Anti-Virus doesn’t Detect it! Now what?

Perform Malware Analysis
- This looks suspicious!
- Understand malware: create signatures, bolster defenses, attribution
- Computer Network Defense (CND)
- Identify a binary’s capabilities
- Recover Command and Control functions
- Recover passwords and encryption keys
- View decrypted packets and files
- Computer Forensics

Why Perform Malware Analysis?
- I have Anti-Virus…. Goes beyond anti-virus applications…
- Detection and remediation based on signatures for malware is outdated
- Answer the following questions:
  - What happened?
  - What is being stolen?
  - How did it happen?
  - How do we clean it up?
  - When did the infection occur?
  - Possibly: who is behind it?

HBGary Core Technology

Core Technology
- Diagram: three components – Physical Memory Forensics; Digital DNA (Behavioral Analysis); Reverse Code Engineering

The Core Technology
- Offline Physical Memory Analysis | Rootkit Detection | Automated Malware Analysis | Digital DNA | Alerting & Reporting

Offline physical memory analysis: rebuilding Windows without Windows
- All physical to virtual address translations. This is the advantage!
- Rebuilds underlying undocumented data structures
- Rebuilds the running state of the machine: “exposes all objects”
- Malware cannot hide itself actively
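The address translation this slide refers to is what lets an analyser read kernel objects out of a raw physical memory capture with no help from the running OS. As an added illustration (not HBGary's code), the following Python does the x86 32-bit non-PAE two-level page walk over a constructed 64 KiB image; the page-directory base (CR3), table layout and data contents are all made up for the example, and a missing page yields None rather than an error, since paged-out memory is normal in a capture.

```python
import struct

def _u32(mem, paddr):
    """Little-endian 32-bit read at a physical offset of the image."""
    return struct.unpack_from("<I", mem, paddr)[0]

def v2p(mem, cr3, vaddr):
    """x86 32-bit (non-PAE) two-level page walk: page directory from CR3,
    then page table, then the 4 KiB page. Returns None when either level is
    not present, which offline analysis must tolerate (paged-out memory)."""
    pde = _u32(mem, (cr3 & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & 1:            # P bit clear: no page table here
        return None
    if pde & 0x80:             # PS bit: 4 MiB large page, no second level
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = _u32(mem, (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & 1:
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)

def read_virtual(mem, cr3, vaddr, size):
    """Read a virtual range page by page, the way an analyser rebuilds an
    object that straddles page boundaries. None if any page is missing."""
    out = bytearray()
    while size:
        paddr = v2p(mem, cr3, vaddr)
        if paddr is None:
            return None
        n = min(size, 0x1000 - (vaddr & 0xFFF))
        out += mem[paddr:paddr + n]
        vaddr, size = vaddr + n, size - n
    return bytes(out)

def build_sample_image():
    """Constructed 64 KiB 'physical memory' image (not a real capture):
    page directory at 0x1000, one page table at 0x2000, and two data pages
    mapped consecutively at virtual 0x00401000 and 0x00402000."""
    mem, cr3 = bytearray(0x10000), 0x1000
    struct.pack_into("<I", mem, cr3 + 1 * 4, 0x2000 | 0x3)      # PDE[1] -> PT @0x2000
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x3000 | 0x3)   # PTE[1] -> 0x3000
    struct.pack_into("<I", mem, 0x2000 + 2 * 4, 0x4000 | 0x3)   # PTE[2] -> 0x4000
    mem[0x3000:0x3004] = b"MZ\x90\x00"   # start of an image header
    mem[0x3FFC:0x4004] = b"TAILHEAD"     # object straddling the page boundary
    return bytes(mem), cr3

if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    print(hex(v2p(mem, cr3, 0x00401010)), read_virtual(mem, cr3, 0x00401FFC, 8))
```

PAE and 64-bit captures add more levels to the walk, but the pattern (mask off flags, index by address bits, stop on a clear present bit) is the same.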

Rootkit Detection
- Direct Kernel Object Manipulation detection
- Hook detection: IDT / SSDT / driver chains
- These tricks expose themselves by interacting with the OS
- Crossview-based analysis
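Cross-view analysis and hook detection both come down to comparing what the OS reports against what is physically in memory. The Python below is an added example, not HBGary's implementation: it walks a constructed process list the way the OS would, scans the same toy image for process objects independently of the list pointers, reports the difference (an unlinked, DKOM-hidden process), and flags system-call table entries that point outside every legitimate kernel module range. All offsets, names, and address ranges are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    offset: int          # physical offset of the process object in the image

def list_walk_view(image):
    """View 1: follow the circular doubly linked list the OS itself uses to
    enumerate processes (what Task Manager and most tools see). A DKOM rootkit
    unlinks its process from this list, so it does not appear here."""
    procs, start = [], image["first_proc"]
    off = start
    while True:
        obj = image["objects"][off]
        procs.append(Proc(obj["pid"], obj["name"], off))
        off = obj["flink"]
        if off == start or off not in image["objects"]:
            return procs

def pool_scan_view(image):
    """View 2: scan every object in physical memory for the process tag,
    ignoring list pointers entirely. Unlinking cannot remove an object here."""
    return [Proc(o["pid"], o["name"], off)
            for off, o in sorted(image["objects"].items()) if o["tag"] == "Proc"]

def cross_view_hidden(image):
    """Anything the scan finds that the OS list walk does not is a hidden process."""
    linked = {p.offset for p in list_walk_view(image)}
    return [p for p in pool_scan_view(image) if p.offset not in linked]

def ssdt_hooks(ssdt, modules):
    """Hook detection: a system-call table entry whose target lies outside every
    legitimate kernel module range has been redirected into foreign code."""
    return [(i, addr) for i, addr in enumerate(ssdt)
            if not any(lo <= addr < hi for lo, hi in modules)]

def sample_image():
    """Constructed toy memory image (not a real dump). 0x4000 is a process object
    that nobody links to; 0x5000 is a non-process object the scanner must skip."""
    return {"first_proc": 0x1000, "objects": {
        0x1000: {"tag": "Proc", "pid": 4,    "name": "System",       "flink": 0x2000},
        0x2000: {"tag": "Proc", "pid": 1200, "name": "explorer.exe", "flink": 0x3000},
        0x3000: {"tag": "Proc", "pid": 1320, "name": "svchost.exe",  "flink": 0x1000},
        0x4000: {"tag": "Proc", "pid": 1400, "name": "unlinked.exe", "flink": 0x1000},
        0x5000: {"tag": "File", "pid": 0,    "name": "pagefile.sys", "flink": 0},
    }}

# Constructed SSDT: entry 2 points outside the (constructed) kernel module ranges.
SAMPLE_MODULES = [(0x80400000, 0x80600000), (0x8b000000, 0x8b200000)]
SAMPLE_SSDT = [0x80412340, 0x80455678, 0x8a123450, 0x8b012345]
```

On a real capture the "objects" dictionary is replaced by a pool-tag or signature scan over the physical image, and the module ranges come from the loaded-module list rebuilt from the same capture.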

Automated Malware Analysis
- Code is disassembled
- Integration with Flypaper & RECon
- Code is extracted from RAM
- Code visualization

Digital DNA
- ALL memory is scanned
- A threat score is provided for all code
- Code behavior identification
- White & black list code / behaviors

Alerting & Reporting
- Reports can be sent to the Enterprise Console
- Behavioral Analysis Scan and others
- Custom reports in XML, RTF, PDF, other
- Alert on suspicious behaviors and coding tricks

Advantages of our approach
- Forensic quality approach: analysis is 100% offline, like crash dump analysis – no code running!
- Automated reverse engineering engine
- Digital DNA™ detects zero-day threats
- 5+ years of reverse engineering technology, AUTOMATED! No reverse engineering expertise required

Client Testimonial 1
- One of the largest pharmaceutical companies
- Under attack every day
- Uses enterprise anti-virus: sends malware to the vendor, waits 1-8 hours for a signature
- Uses Responder Pro: aids in detection of malware; Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data while waiting for the AV signature

Client Testimonial 2
- One of the largest entertainment companies
- Under attack every day & uses enterprise anti-virus
- When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures.
- Once the machine is determined clean by the antivirus software, they use our technology to verify the machine is no longer infected…
- Findings: about 50% of machines are still infected…

Client Testimonial 3
- One of the largest PC manufacturers
- Malware outbreak: enterprise anti-virus was failing
- Responder Pro with Digital DNA detected the malware
- The forensics team provided Symantec with copies of the malware and also critical behavioral intelligence about the malware.
- The forensic investigator was NOT a reverse engineer, but was able to extract meaningful data rapidly to mitigate the threat.

Conclusion
- If you’re not performing memory forensics, you don’t know if you’re secure. Period.
- Memory forensics can detect malicious code that nothing else can…
- Memory forensics is not only for incident response: security assessments too
- Malware analysis should be brought in house
- Malware analysis can help you: minimize costs and impact ASAP; identify the “scope of breach”; mitigate the threat before you have an anti-virus signature

Questions? Thank you very much sales@hbgary.com