ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise

ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise USING HBGARY’S ACTIVE DEFENSE

HBGary
Enterprise software product company, 7 years old. Experts on malicious software threats.
Products: Active Defense, Digital DNA™ (patent pending), Responder, REcon, FastDump
Integrations: EnCase Enterprise, McAfee ePO

Evolving Risk
Most intellectual property and valuable data is stored online, digitally, within the enterprise.
Attackers are motivated and well funded.
Cyber-weapons work, existing security solutions don't, end of story.

Security Efficacy Curve (chart: zero-knowledge detection rate over time)
Signatures: detecting very little, and the scaling issue is getting worse.
DDNA: efficacy is rising, detecting more than not (> 50%).

HBGary's Approach
Focus on malicious behavior, not signatures.
There are only so many ways to do something bad on a Windows machine.
Bad guys don't write 50,000 new malware samples every morning; their techniques, algorithms, and protocols stay the same, day in, day out.
Once executing in physical memory, the software is just software.
Physical memory (physmem) is the best information source available.

The Big Picture
Detect bad guys using a smallish genome of behaviors, and this means zero-day and APT, no signatures required.
Follow up with strong, enterprise-scalable incident response technology.
Back this with very low-level, sophisticated deep-dive capability for attribution and forensics work.

Active Defense
Detect advanced malware and persistent threats; no prior knowledge of the threat required. Powered by Digital DNA™.
Obtain actionable intelligence: registry keys and files, URLs used for communication.
Actionable = make your existing investment more effective:
- Detect and block at the network perimeter (IDS signatures, egress firewalls)
- Clean machines of infection (ideal: no re-image costs)

The Power of Action
Using Responder + REcon, HBGary was able to trace the Aurora malware and obtain actionable intel in about 5 minutes. This intel was then used to create an inoculation shot, downloaded over 10,000 times over a few days.
To automatically attempt a clean operation across an address range:
InoculateAurora.exe -range 192.168.0.1 192.168.0.254 -clean

Active Defense
Detection of unknown threats.
Obtain actionable intelligence.
Update IDS and egress filtering to detect and block, using URLs, IPs, and protocol strings.
Clean machines: using the registry keys and files it is possible to clean the infection without a re-image.
Remission monitoring.

A different team of humans (workflow at a large government customer)
Proventia IDS alerts -> team of humans filters down to the alerts we care about -> remote memory snapshots, DDNA, Responder.
IF infected = true, a different team of humans: image the box with EnCase, include the malware data in the report, update the Proventia IDS.

Large Energy Company (I)
WebSense alerts detected a compromised VPN server. Manual log analysis revealed the compromised account: admin_epo, which had domain admin privileges.
Look for a known file path that indicates the account was used for an interactive logon, then scan for interactive logons of the admin_epo account across ~800 server machines.
Query: "Find admin_epo interactive logins"
RawVolume.File Where Path contains Documents and Settings\admin_epo
12 compromised servers detected, approximately 1 hour later.

Large Energy Company (II)
Find indicators of compromise with EnCase (12 server machines). EnCase was used to scan the filesystems and found a suspicious DLL in a temp directory and the Cain and Abel password sniffer.
Find indicators of compromise with Active Defense (thousands of machines):
Query: "Find logger.dll"
RawVolume.File Where BinaryData contains "logontype: %s"
Query: "Find cain password sniffer"
RawVolume.File Where Path equals %SYSTEMROOT%\system32\drivers\winpcap.sys
Query: "Find logger.dll in memory"
Physmem.Process Where BinaryData contains "logontype: %s"
Found machines were re-imaged. 8000+ user account passwords were reset.

Intel Value Window (chart: how long each kind of indicator stays useful)
Lifetime axis: Minutes, Hours, Days, Weeks, Months, Years
Indicators plotted: Blacklists, Digital DNA, NIDS (sans address), Developer Toolmarks, Signatures, Algorithms, Hooks, Protocol, Install, DNS name, IP Address, Checksums

Active Defense Technical Discussion

Active Defense Queries
What happened? What is being stolen? How did it happen? Who is behind it? How do I bolster network defenses?

Active Defense Queries
QUERY: "detect use of password hash dumping"
Physmem.BinaryData CONTAINS PATTERN "B[a-fA-F0-9]{32}:B[a-fA-F0-9]{32}"
QUERY: "detect deleted rootkit"
(RawVolume.File.Name = "mssrv.sys" OR RawVolume.File.Name = "acxts.sys") AND RawVolume.File.Deleted = TRUE
QUERY: "detect chinese password stealer"
LiveOS.Process.BinaryData CONTAINS PATTERN "LogonType: %s-%s"
QUERY: "detect malware infection san diego"
LiveOS.Module.BinaryData CONTAINS PATTERN ".aspack" OFFSET < 1024 OR RawVolume.File.BinaryData CONTAINS PATTERN ".aspack" OFFSET < 1024
No NDA, no pattern…
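The queries above, and the logger.dll / winpcap.sys / admin_epo queries from the energy-company case, are easy to misread as plain substring greps. The example below is added here and is not HBGary code: it models the two evidence views (RawVolume.File and Physmem/LiveOS.Process) as Python records and implements each query as a function, so the three details a practitioner tends to get wrong are visible: the hash-dump pattern is a regex over process memory, the rootkit query only fires on deleted MFT entries, and the ".aspack" query is bounded to the first 1024 bytes (the PE header region), so a document that merely contains the string does not match. All paths, names and byte strings are constructed; only the patterns come from the slides, and the %SYSTEMROOT% variable is resolved here by matching the tail of the path.

```python
import re
from dataclasses import dataclass


# Evidence records standing in for Active Defense's RawVolume.File and
# Physmem/LiveOS.Process views. Every path, name and byte string in this
# example is constructed.
@dataclass
class FileRecord:
    path: str
    data: bytes            # raw file contents read from the NTFS volume
    deleted: bool = False  # True when the entry survives only as a deleted MFT record

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class ProcessRecord:
    pid: int
    name: str
    data: bytes            # process image as captured from physical memory


# Patterns taken from the slides; the compiled regexes are this example's own.
HASH_PAIR = re.compile(rb"[a-fA-F0-9]{32}:[a-fA-F0-9]{32}")   # pwdump-style LM:NT pair
ROOTKIT_NAMES = {"mssrv.sys", "acxts.sys"}
LOGONTYPE_FMT = re.compile(rb"LogonType: %s-%s", re.IGNORECASE)
ASPACK_SECTION, ASPACK_OFFSET_LIMIT = b".aspack", 1024
WINPCAP_TAIL = "\\system32\\drivers\\winpcap.sys"             # %SYSTEMROOT% resolved by tail match


def detect_hash_dumping(procs):
    """'detect use of password hash dumping': LM:NT hash pairs sitting in process memory."""
    return [p.name for p in procs if HASH_PAIR.search(p.data)]


def detect_deleted_rootkit(files):
    """'detect deleted rootkit': known driver names that exist only as deleted entries."""
    return [f.path for f in files if f.deleted and f.name in ROOTKIT_NAMES]


def detect_logger(files, procs):
    """'detect chinese password stealer' / 'Find logger.dll (in memory)': the
    format string the logger uses survives both on disk and in RAM."""
    return ([f.path for f in files if LOGONTYPE_FMT.search(f.data)]
            + [p.name for p in procs if LOGONTYPE_FMT.search(p.data)])


def detect_aspack(files, procs):
    """'detect malware infection san diego': ASPack section name inside the
    first 1024 bytes (where PE section headers live), not anywhere in the data."""
    def early(data: bytes) -> bool:
        i = data.find(ASPACK_SECTION)
        return 0 <= i < ASPACK_OFFSET_LIMIT
    return [f.path for f in files if early(f.data)] + [p.name for p in procs if early(p.data)]


def detect_cain(files):
    """'Find cain password sniffer': the WinPcap driver at its install path."""
    return [f.path for f in files if f.path.lower().endswith(WINPCAP_TAIL)]


def detect_interactive_logon(files, account):
    """'Find <account> interactive logins': a profile directory under
    Documents and Settings only appears after an interactive logon."""
    needle = f"documents and settings\\{account}\\"
    return sorted({f.path for f in files if needle in f.path.lower()})


# Constructed sample evidence. The two hashes are the well-known empty LM/NT values.
EMPTY_LM = b"aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = b"31d6cfe0d16ae931b73c59d7e0c089c0"

FILES = [
    FileRecord(r"C:\WINDOWS\system32\drivers\acxts.sys", b"\x00" * 16, deleted=True),
    FileRecord(r"C:\WINDOWS\system32\drivers\winpcap.sys", b"MZ\x90\x00"),
    FileRecord(r"C:\Documents and Settings\admin_epo\Local Settings\Temp\logger.dll",
               b"MZ" + b"\x00" * 64 + b"LogonType: %s-%s\x00"),
    FileRecord(r"C:\WINDOWS\system32\kernel32.dll", b"MZ" + b"\x00" * 200 + b".text\x00"),
    FileRecord(r"C:\temp\dropper.exe", b"MZ" + b"\x00" * 300 + b".aspack\x00"),
    # ".aspack" deep inside a text file is not a packed PE header: must not match
    FileRecord(r"C:\temp\notes.txt", b"A" * 2048 + b".aspack"),
]
PROCS = [
    ProcessRecord(1184, "lsass.exe", b"\x00" * 64),
    ProcessRecord(2240, "svchost.exe", b"Guest:501:" + EMPTY_LM + b":" + EMPTY_NT + b":::"),
    ProcessRecord(3012, "explorer.exe", b"\x00" * 32 + b"LogonType: %s-%s\x00"),
]


def run_all(files=FILES, procs=PROCS):
    """Run every query and return {query name: hits}."""
    return {
        "hash dumping": detect_hash_dumping(procs),
        "deleted rootkit": detect_deleted_rootkit(files),
        "logger.dll": detect_logger(files, procs),
        "aspack": detect_aspack(files, procs),
        "cain": detect_cain(files),
        "admin_epo interactive": detect_interactive_logon(files, "admin_epo"),
    }


if __name__ == "__main__":
    for query, hits in run_all().items():
        print(f"{query:24s} {hits}")
```

The svchost.exe hit shows why the hash-dump query is run against memory rather than disk: the hashes only ever exist in the dumping tool's process, never as a file. The logger.dll hit in explorer.exe is the same point in reverse, an injected DLL that has no on-disk copy of its own.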

Enterprise Systems
Digital DNA for McAfee ePO; Digital DNA for HBGary Active Defense; Digital DNA for Guidance EnCase Enterprise; Digital DNA for Verdasys Digital Guardian.
Traditional methods to analyze memory and malware are difficult: they require expertise, are time consuming and expensive, and don't scale.

Integration with McAfee ePO
Components (diagram): Responder Professional, ePO Console, ePO Server (HBGary extension, schedule, SQL, events), ePO Agents on the endpoints running HBGary DDNA.
DDNA is automatically installed across the enterprise by ePO. We give ePO a couple of zip files; ePO installs HBGary code onto the ePO server and onto each endpoint. The ePO scheduler tells DDNA when to run on each endpoint. We run, examine memory, create DDNA alerts, and hand the alerts and traits to the ePO agent, which sends them to the ePO SQL server. The DDNA alerts are displayed on the ePO console.
DDNA is not installed as an agent. It is a command line utility that loads and runs when ePO tells it to; after executing, DDNA exits memory. ePO's AV, firewall and HIDS run 24x7 as services; DDNA runs at a point in time to find malware.

Fuzzy Search

Steal Credentials: Outlook email password, generic stored passwords

Steal Files: all the file types that are exfiltrated

Drop-point is in Reston, VA in the AOL netblock

Digital DNA™ Technical Discussion

Digital DNA™ Performance
Disk: 4 GB per minute, thousands of patterns in parallel, NTFS raw disk, on the end node.
Memory: 2 GB of memory, 5 minute scan, on the end node.
Hi/Med/Low throttle: a 10,000 machine scan completes in < 1 hour.

Under the hood
These images show the volume of decompiled information produced by the DDNA engine. Both malware samples use stealth to hide on the system. To DDNA, they read like an open book.

Ranking Software Modules by Threat Severity (Software Behavioral Traits, Digital DNA™)
Malware shows up as a red alert; suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be "packed with UPX", "uses IRC to communicate", or "uses kernel hooking, which may indicate the presence of a rootkit".
The blue bar shows the Digital DNA sequence for the binary iimo.sys:
0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 8A C2
Individual entries in the sequence (e.g. 0F 51, 0F 64) are software behavioral traits.

What's in a Trait?
Example trait: 04 0F 51  B[00 24 73 ??]k ANDS[>004] C"QueueAPC"{arg0:0A,arg}
A trait consists of a unique hash code, weight / control flags, and a rule. The rule is specified like a regular expression; it matches against automatically reverse-engineered details and contains boolean logic. These rules are considered intellectual property and are not shown to the user.
The trait, its description, and the underlying rule are held in a database.

Whitelisting on disk doesn't prevent malware from being in memory
Internet document (PDF, ActiveX, Flash, Office document, video, etc.) -> disk file -> OS loader -> in-memory image.
Public attack kits have used memory-only injection for over 5 years.
Whitelisting typically works by having a list of good hashes, with the assumption that you're loading only good binaries for execution into memory. The disk file's MD5 checksum is whitelisted and the process is trusted, but bad code can get injected into good programs. Whitelisted code does not mean secure code. DDNA will find the bad injected code.

Digital DNA defeats packers
Starting malware -> packed malware (packer #1, packer #2) -> OS loader -> in-memory image: the decrypted original. Digital DNA remains consistent.
As you know, most malware is packed. The bad guy does this to avoid detection: for every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.

Same malware compiled in three different ways
Disk files -> OS loader -> in-memory images. The MD5 checksums are all different; Digital DNA remains consistent.
If the same malware is compiled three different ways you would need 3 different hashes or signatures to see it. DDNA still detects it because the program is logically the same and has the same behaviors.
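The last four slides (trait ranking, whitelisting, packers, recompilation) make one argument: a hash identifies bytes on disk, a behavioral trait identifies what the code does once it is mapped into memory. The example below is added here and is not HBGary code or the DDNA rule language, which is not public. It uses a toy trait database (three weighted regex rules with made-up two-byte codes), three constructed on-disk variants of the same payload (plain, XOR-packed with a stub, and "recompiled" with a different layout), and a benign module with a payload injected into its memory image. The point it makes in running code: the MD5s all differ and the packed file matches nothing on disk, while the trait scan of the memory image yields the same sequence and score for every variant, and flags the injected process even though its disk hash is on the whitelist. Threshold values and weights are this example's assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


# Toy trait database. Codes, weights and rules are illustrative stand-ins; the
# real DDNA rules match reverse-engineered details, not just strings.
@dataclass(frozen=True)
class Trait:
    code: str          # stands in for the trait's hash code shown on the slides
    weight: int        # contribution to the module's threat score
    description: str
    rule: bytes        # regex evaluated against the in-memory image, never the disk file


TRAITS = (
    Trait("0F 51", 40, "queues an APC into another process", rb"QueueUserAPC"),
    Trait("0F 64", 30, "uses IRC to communicate", rb"PRIVMSG #"),
    Trait("8A C2", 30, "hooks the kernel service table (possible rootkit)", rb"KeServiceDescriptorTable"),
)
RED_THRESHOLD, ORANGE_THRESHOLD = 70, 30   # assumed cut-offs for the red/orange ranking


def scan_traits(image: bytes):
    """Run every trait rule over an image; return (sequence, score, severity)."""
    hits = [t for t in TRAITS if re.search(t.rule, image)]
    score = sum(t.weight for t in hits)
    severity = "red" if score >= RED_THRESHOLD else "orange" if score >= ORANGE_THRESHOLD else "green"
    return " ".join(t.code for t in hits), score, severity


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed malware "core": the strings that the toy traits key on.
CORE = b"QueueUserAPC\x00PRIVMSG #ops :beacon\x00KeServiceDescriptorTable\x00"


def xor_pack(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


STUB = b"STUB:"   # stands in for the unpacker code at the packed file's entry point
PACKED_DISK = b"MZ" + STUB + xor_pack(CORE, 0x5A)


def run_unpacker(disk: bytes) -> bytes:
    """What the packer stub does after the OS loader maps the file: restore the original."""
    return b"MZ" + xor_pack(disk[len(b"MZ") + len(STUB):], 0x5A)


# Three on-disk variants of the same program, each paired with the "loader"
# that turns the disk bytes into the image that actually executes.
VARIANTS = {
    "build1.exe": (b"MZ" + CORE, lambda d: d),
    "packed.exe": (PACKED_DISK, run_unpacker),
    # same code, different link order and padding, as a second compiler build would give
    "build2.exe": (b"MZ" + b"KeServiceDescriptorTable\x00" + b"\xcc" * 32
                   + b"QueueUserAPC\x00" + b"PRIVMSG #ops :beacon\x00", lambda d: d),
}


def analyze_variants():
    """Return {name: (md5 of the disk file, DDNA sequence of the in-memory image)}."""
    return {name: (md5(disk), scan_traits(load(disk))[0])
            for name, (disk, load) in VARIANTS.items()}


# Whitelisting case: a benign module whose disk hash is approved, then the same
# module after memory-only injection of the payload.
BENIGN = b"MZ" + b"GetSystemTime\x00CreateFileW\x00"
INJECTED = BENIGN + CORE
WHITELIST = {md5(BENIGN)}


def whitelist_check(disk: bytes, memory: bytes):
    """(disk hash is whitelisted, severity of the memory scan)."""
    return md5(disk) in WHITELIST, scan_traits(memory)[2]


if __name__ == "__main__":
    for name, (digest, seq) in analyze_variants().items():
        print(f"{name:12s} md5={digest} ddna=[{seq}]")
    print("packed file on disk matches:", repr(scan_traits(PACKED_DISK)[0]))
    print("benign  :", whitelist_check(BENIGN, BENIGN))
    print("injected:", whitelist_check(BENIGN, INJECTED))
```

Running it prints three different MD5s beside one identical sequence, an empty match for the packed file scanned on disk, and (True, "red") for the injected process: the whitelist is correct about the file and wrong about the process, which is exactly the gap the slides describe.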

The Future Vision Technical Discussion

Immune System (diagram)
Elements: Digital DNA™ sweeps (scheduled); threat; indicators of compromise; inoculation sweep; inoculation shot; behavior blocking (antibody); real-time protection; long-term protection (6-12 month lifecycle).