DHS Phase II SBIR Contract Vice President Business Development
Presentation transcript:

Enterprise Botnet Detection & Mitigation
DHS Phase II SBIR Contract
Bob Slapnik, Vice President Business Development

Agenda
NABC
Technical Accomplishments
Milestones, Deliverables, and Schedule
Recent Public Relations
Technology Transition Plan
Quad Chart

Are Cybercriminals Targeting You?
Next Generation Software to Detect, Diagnose, & Respond
See what you’ve been missing

Business Needs
Sophisticated attackers have time, resources and skill
Criminals motivated by financial gain
State sponsored espionage
Any cyber defense can and will be defeated

Business Needs
Loss of sensitive data and intellectual property
FBI: $100 Billion lost annually
National security is compromised

SANS Institute’s Top 5 Attacks for 2008
Web Browser exploits
Botnets
Cyber Espionage
Mobile Phone Threats
Insider Threat

Problems
80% of new malware is not detected
Stealthy rootkits
Malware variants
Targeted attacks
Lack of endpoint visibility
Traditional disk security and forensics tools are not enough

HBGary’s Approach vs. Traditional Forensics
HBGary Responder: memory analytics, volatile data
Traditional forensics and traditional security: data at rest

Information found in RAM
Running processes and drivers
Unpacked bots and malware
Unencrypted network data
Open ports and network sockets
Open files and file contents
Strings and symbols
Passwords and keys in clear text
Registry info

Why Reverse Engineer Binaries?
Computer Forensics:
Identify a binary’s capabilities
Recover Command & Control functions
Recover passwords and encryption keys
View decrypted packets and files
Computer Network Defense:
Understand bots and malware
Create signatures
Bolster defenses
Attribution
“This looks suspicious!”

HBGary’s Approach
Automated host analysis: Detect, Diagnose, Respond
Physical Memory (RAM)
Binaries, bots and malware
Find the bad guy on computers and tell you what he is doing
Workstation product and Enterprise product

Benefits
Best memory analysis system
Automated behavioral detection to identify suspect binaries
Automated bot and malware forensics
Lower the skills bar
Enterprise host visibility

Competition
Memory Analysis: KnTTools, various open source
Malware Analysis: IDA Pro, OllyDbg, Norman Analyzer, CWSandbox

NABC Technical Accomplishments Milestones, Deliverables, and Schedule Recent Public Relations Technology Transition Plan Quad Chart

Technical Accomplishments
Commercial software released in April 2008: HBGary Responder


RAM Analytics (RESPONDER)
Offline Memory Analysis
Object Manager Reconstruction
Rootkit & Zero-Day Detection
Object Extraction
Live Physical Memory Preservation

Runtime & Binary Forensics (RESPONDER)
Automated Malware Analysis & Reporting
Runtime Forensics: “live binary” analysis
Binary Forensics: “static analysis”
Analyze Packed & Obfuscated Malware
Recover Malware executed instructions

Malware Analysis Plugin (RESPONDER)
Stealth Techniques
Network Communications
How is it installed?
File System Access & Modifications
Registry Access & Modifications
Malware Survivability
Cryptographic Routines
File Packing & Obfuscation
Remote Command and Control Intelligence

Responder Screenshot

Responder Screenshot

Interactive Binary Graphing

Enterprise Software (Developed, not released)
Host Agent: DLL plug-in, Command line utility, or Service
Management console
Remote node management
Concentrator / project server
Network Recon module

Active Defense (5) HBGary Responder

Enterprise Mgt. Console

Digital DNA
In-memory fuzzy hashing
Detect malware variants by partial matching
Calculate DDNA from disk object
Detection within memory
Developed with HBGary IR&D private funds outside of the SBIR contract
Patent pending
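The partial-matching idea the slide names, shown as an added example: this is illustrative context-triggered piecewise hashing, not HBGary’s Digital DNA code (the deck does not describe that algorithm). The window size, block size, and the four constructed byte blobs are assumptions chosen for the demonstration.

```python
"""Illustrative fuzzy hashing: a byte string is cut into chunks where a
rolling hash of the last WINDOW bytes hits a trigger value, each chunk is
digested, and two samples are compared by the chunk digests they share.
A patched or padded variant keeps most chunk digests, so it still
partially matches; an unrelated blob shares almost none.
Added example, not HBGary's Digital DNA implementation."""
import hashlib
import random

WINDOW = 7   # bytes feeding the rolling hash (assumed parameter)
BLOCK = 64   # expected chunk length: cut when rolling hash % BLOCK == BLOCK - 1


def _rolling_hash(window: bytes) -> int:
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def fuzzy_hash(data: bytes) -> set:
    """Return the set of 32-bit chunk digests (hex) for `data`."""
    chunks, start = set(), 0
    for i in range(WINDOW - 1, len(data)):
        if _rolling_hash(data[i - WINDOW + 1:i + 1]) % BLOCK == BLOCK - 1:
            chunks.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:8])
            start = i + 1
    if start < len(data):  # trailing chunk after the last trigger
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:8])
    return chunks


def similarity(a: set, b: set) -> float:
    """Jaccard similarity of two digest sets: 0.0 disjoint, 1.0 identical."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def _blob(seed: int, n: int = 4096) -> bytes:
    rng = random.Random(seed)  # deterministic constructed "binary"
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: original, 3-byte patch, 16-byte insertion, unrelated blob.
ORIGINAL = _blob(1)
PATCHED = ORIGINAL[:1000] + bytes(3) + ORIGINAL[1003:]
PADDED = ORIGINAL[:2000] + b"\x90" * 16 + ORIGINAL[2000:]
UNRELATED = _blob(2)


def compare_samples() -> dict:
    """Score each variant against the original's fuzzy hash."""
    base = fuzzy_hash(ORIGINAL)
    return {name: similarity(base, fuzzy_hash(blob)) for name, blob in
            (("patched", PATCHED), ("padded", PADDED), ("unrelated", UNRELATED))}
```

Because chunk boundaries depend only on the last WINDOW bytes, they re-synchronise shortly after an insertion, which is why the padded variant still scores high while a whole-file hash would miss it entirely.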

Flypaper
New runtime analysis system
Observe binary behaviors
Causes processes to “stick” in memory
Analyze “droppers”
Used with Responder
Developed with HBGary IR&D private funds outside of the SBIR contract

NABC Technical Accomplishments Milestones, Deliverables, and Schedule Recent Public Relations Technology Transition Plan Quad Chart

Milestones
HBGary Responder™: Released April 2008
Enterprise Active Defense: Pilot site in Q1 2009
Bayesian Reasoning Engine: Q2 2009

Schedule
Oct 2008: Recover passwords and keys from RAM
Nov 2008: Recover page file
Dec 2008: Recover hiberfil.sys file
Jan 2009: FIPS compliant encryption (OpenSSL)
Feb 2009: Pilot enterprise deployment / “1000 nodes”
Mar 2009: Recover NDIS buffers and PCAP files
Apr 2009: Complete first set of reasoning models
May 2009: Integrate the Bayesian Reasoning Engine
Jul 2009: Extend detection rules for indirect indicators

NABC Technical Accomplishments Milestones, Deliverables, and Schedule Recent Public Relations Technology Transition Plan Quad Chart

Press Releases
Guidance Software to Offer HBGary Responder for Live Memory Analysis in Digital Investigations, May 22, 2008
HBGary Joins McAfee Partner Program, the McAfee Security Innovation Alliance, August 25, 2008

Conference Trade Shows
Guidance’s CEIC, May 2008
BlackHat, August 2008
McAfee FOCUS 2008, Oct 20-23, 2008

NABC Technical Accomplishments Milestones, Deliverables, and Schedule Recent Public Relations Technology Transition Plan Quad Chart

Technology Transition Plan
Sell HBGary Responder as a workstation product now
Go to market with an enterprise product in the near future
Sell direct and through partners

Technology Transition: Current Customers
Customer Type: DoD, Civilian Agencies, Government Contractors, Fortune 500, Foreign Governments, Universities
No. of Customers: 13, 12, 5, 4, 3

Multiple strategies for enterprise deployable solution
Strategic Partners:
Guidance Software (EnCase): reselling Responder worldwide; integrating Responder with EnCase Enterprise
McAfee: integration with ePolicy Orchestrator; DoD’s HBSS Program

NABC Technical Accomplishments Milestones, Deliverables, and Schedule Recent Public Relations Technology Transition Plan Quad Chart

SBIR H-SB06.1-008
Title: Enterprise Botnet Detection and Mitigation
Contractor Name: HBGary, Inc.
Date: September 10, 2008

Operational Capabilities:
Host agents deployed throughout the enterprise
Achieve enterprise scalability with hierarchical concentrators
Remotely configurable agent operation
Centralized, hierarchical, automated reasoners
Actionable information for computer incident response teams

Low Total Cost of Ownership:
Lightweight host agents deployable as command line utility
Provide host visibility remotely across the enterprise
Distributed reasoning with centralized control

Performance Targets:
Deploy first enterprise pilot installations for at least 500 nodes
Detect previously undetected bots and botnets

Proposed Technical Approach:
Automated physical memory analysis
Collect vast amount of evidence from physical memory
Organize evidence into a structured user interface
Start with workstation product and expand to enterprise solution
Reason over evidence using Bayesian Network models
Automated bot and malware analysis
Leverage enterprise technologies of large strategic partners

Status:
Had alpha workstation software before start of Phase II contract
Released workstation product, HBGary Responder, April 2008
Excellent marketplace acceptance with growing customer base
Enterprise pilot deployment scheduled for Q1 2009

Schedule and Cost: Year 1 Development; Year 2 Development; Year 2 Deployment; Total:
Team: HBGary, SAIC
Deliverables: Software Code, User Manuals, Empirical Test Data, Reports, and Solution Demonstration
Contact: Bob Slapnik, Vice President, 301-652-8885 x104, bob@hbgary.com
HBGary, Inc., 3941 Park Drive, Suite 20-305, El Dorado Hills, CA 95762, www.hbgary.com

Thank you. Any Questions? www.hbgary.com