Company Overview
HBGary Background
- Founded in 2003 (6 years old)
- Built with Government Services & Grants
- No outside funding
- Solutions:
  - Digital DNA to detect Malicious Code
  - Leader in Memory Forensics
  - Advanced Malware Threat Assessment Services & Training
  - Offensive Aspects of Malicious Software
  - Software Exploitation and Tooling
  - "Rapid Response" Malware Assessment
Strategic Partners
- McAfee
- Guidance Software (EnCase)
- Agilex
HBGary R&D Funding
Air Force Research Labs:
- Next Generation Software Reverse Engineering Tools (Phases I and II)
- Kernel Virtual Machine Host Analyzer (Phases I and II)
- Virtual Machine Debugger (Phase I)
Dept Homeland Security (HSARPA):
- Botnet Detection and Mitigation (Phases I and II)
- H/W Assisted System Security Monitor (Phases I and II)
Subcontractor to AFCO Systems Development
Small Business Innovative Research (SBIR) Program
HBGary has grown into a full product company:
- DoD: 12,500 Nodes
- Civilian Agencies: 31,000 Nodes
- Government Contractors & Consulting: 23 Customers
- Fortune 500: 23 Customers *
- Foreign Governments: 15 Customers
- Universities & Law Enforcement: 16 Customers *
* Multiple site license discussions in the pipeline
- Stand Alone: Responder Field Edition
- Enterprise Memory Forensics: Responder Field Edition integrated with EnCase Enterprise (Guidance)
- Enterprise Malware Detection: Digital DNA for ePO (HBSS); Active Defense (Q1)
- Response: Responder Professional w/ Digital DNA
- Policy Enforcement and Mitigation: Integrated with Verdasys Digital Guardian
Digital DNA is intrinsic to all Enterprise products.
Why HBGary is Better
- Forensic Quality Approach: analysis is done 100% offline using 2+ years of parsing technology developed under USAF grant
- Host-centric "Windows without relying on Windows" RAM analysis
- Digital DNA™ detects zero-day threats: 5+ years of reverse engineering technology developed for multiple govt. agencies
- AUTOMATED!
Why HBGary is Better
- Physical memory is "Windows without Windows": it exposes everything about the OS without actually using a potentially subverted OS.
- Automatic decompilation of every software object exposes true software behaviors. This is not a signature: it catches unknown malware with no prior knowledge.
- A few traits will detect a great many variants, so it scales.
Under the hood
These images show the volume of decompiled information produced by the DDNA engine. Both malware samples use stealth to hide on the system. To DDNA, they read like an open book.
Benefits = Better cyber defense
- Enterprise detection of zero-day threats
- Lowers the skill required for actionable response:
  - What files, keys, and methods were used for infection
  - What URLs, addresses, protocols, ports
- "At a glance" threat assessment:
  - What does it steal? Keystrokes? Bank information? Word documents and PowerPoints?
Today's Cybercrime Problem
- There is a lot worth stealing: information is 100% digital and exposed; identities are digital
- Attackers are motivated and well-funded: funded criminal and state-sponsored
- Malware is sophisticated and targeted
- Existing security isn't stopping the attacks
Anti-virus Shortcomings
- Top 3 AV companies don't detect 80% of new malware. (Source: "Eighty percent of new malware defeats antivirus", ZDNet Australia, July 19, 2006)
- "The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure." (Source: "Anti-Virus Firms Scrambling to Keep Up", The Washington Post, March 19, 2008)
Digital DNA™
Digital DNA: Ranking Software Modules by Threat Severity
Software Behavioral Traits, shown as a sequence of trait codes:
0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 8A C2 0F 51 0F 64
5,000 malware samples are sequenced every 24 hours.
Over 5,000 Traits are categorized into Factor, Group, and Subgroup. This is our “Genome”
What's in a Trait?
Example trait code (3 octets): 04 0F 51
Example rule: B[00 24 73 ??]k ANDS[>004] C"QueueAPC"{arg0:0A,arg}
- The rule is specified like a regular expression; it matches against automatically reverse engineered details and contains boolean logic.
- These rules are considered intellectual property and are not shown to the user.
- Each trait carries a unique hash code and weight / control flags.
- The trait, description, and underlying rule are held in a database.
DDNA Sequence Weighting
Example sequence: 02 82 78 02 D6 F7 07 CD E3 05 51 87 05 A8 F1 02 FB 99 02 45 5B 02 7C 9A 02 AC CF 00 9F…
- This is a series of 3 octet trait codes.
- Each trait can have a weight from -15 to +15: + means suspicious, - means trusted.
- The entire sequence is weighted by summing the weights of each trait.
- The summing of weights is performed using an algorithm known as the discrete weight decay algorithm. This algorithm will decay the effects of a repeated weight value over time.
- +40 points or more in weight = Suspicious or potentially "Evil".
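The weighting procedure above, written out as an added example; this is not HBGary's code and the real DDNA genome, trait rules and decay parameters are proprietary and not on this page. Assumptions made here: a trait code's last two octets are the hash code that keys the trait database (the leading octet is treated as weight/control flags and is only parsed, not interpreted), the trait database and all descriptions are constructed, and the "discrete weight decay" is modelled as halving the contribution of each repeat of an already-seen weight value (the page only says that repeats decay, not how).

```python
from collections import Counter

# Constructed trait database: hash code (last two octets of a trait code) -> (description, weight).
# Every entry is made up for this example; descriptions do not come from the real DDNA genome.
TRAIT_DB = {
    "0F51": ("Queues a user-mode APC into another process", 12),
    "D6F7": ("Patches a system service table entry", 15),
    "CDE3": ("Unlinks its module from the loaded-module list", 14),
    "5187": ("Opens a raw network socket", 6),
    "A8F1": ("Polls keyboard state in a loop", 9),
    "FB99": ("Code signed by a trusted publisher (constructed trusted trait)", -15),
    "455B": ("Standard C runtime start-up code", -3),
}

WEIGHT_MIN, WEIGHT_MAX = -15, 15          # weight range stated on the slide
SUSPICIOUS_THRESHOLD = 40                 # "+40 points or more = suspicious"
DECAY = 0.5                               # assumption: each repeat of a weight value counts half as much


def parse_sequence(hex_text):
    """Split a space-separated hex DDNA sequence into (flags, hash_code) pairs, one per 3-octet trait code.

    A sequence whose length is not a multiple of three octets is malformed (for example a truncated
    trailing code), so it is rejected rather than silently scored on partial data.
    """
    octets = hex_text.split()
    if len(octets) % 3 != 0:
        raise ValueError(f"sequence has {len(octets)} octets, not a multiple of 3")
    codes = []
    for i in range(0, len(octets), 3):
        flags = int(octets[i], 16)                          # weight/control flags octet (assumption)
        hash_code = (octets[i + 1] + octets[i + 2]).upper()  # 2-octet trait hash (assumption)
        codes.append((flags, hash_code))
    return codes


def lookup_trait(hash_code):
    """Return (description, weight) for a hash code; unknown traits contribute nothing."""
    description, weight = TRAIT_DB.get(hash_code, ("unknown trait (not in genome)", 0))
    if not WEIGHT_MIN <= weight <= WEIGHT_MAX:
        raise ValueError(f"trait {hash_code} has out-of-range weight {weight}")
    return description, weight


def score_sequence(hex_text):
    """Sum trait weights with decay on repeated weight values. Returns (total, per-trait report)."""
    repeats = Counter()          # how many times each weight value has already been counted
    total = 0.0
    report = []
    for _flags, hash_code in parse_sequence(hex_text):
        description, weight = lookup_trait(hash_code)
        contribution = weight * DECAY ** repeats[weight]   # first occurrence full, then 1/2, 1/4, ...
        repeats[weight] += 1
        total += contribution
        report.append((hash_code, weight, contribution, description))
    return total, report


def classify(total):
    """Apply the +40 threshold from the slide."""
    return "suspicious" if total >= SUSPICIOUS_THRESHOLD else "not flagged"


# Constructed sample sequences (the weights come from the constructed TRAIT_DB above).
SUSPICIOUS_SAMPLE = "04 0F 51 0F D6 F7 0E CD E3 06 51 87 0E CD E3 0E CD E3 03 45 5B"
BENIGN_SAMPLE = "03 45 5B 0F FB 99 06 51 87"

if __name__ == "__main__":
    for sample in (SUSPICIOUS_SAMPLE, BENIGN_SAMPLE):
        total, report = score_sequence(sample)
        for hash_code, weight, contribution, description in report:
            print(f"  {hash_code}  weight {weight:+3d}  counted {contribution:+6.2f}  {description}")
        print(f"total {total:+.1f} -> {classify(total)}\n")
```

In the suspicious sample the trait CDE3 (weight 14) appears three times: without decay it would add 42 on its own, with the assumed halving it adds 14 + 7 + 3.5, so a module that repeats one behaviour many times does not run away from one that shows several distinct behaviours. The malformed-length check matters in practice because the slide's own example sequence ends in a truncated code ("00 9F…").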
Why Digital DNA?
- Detect malware regardless of how it was packaged or compiled: does the same things = same malware
- Detect variants across the Enterprise: Digital DNA is FUZZY!
- It tells you what the threat is: traits are categorized and have descriptions
- It really can't get any easier than this
How Digital DNA goes beyond MD5 Checksums
- In memory, once executing, a file is represented in a new way that cannot easily be back-referenced to a file checksum.
- Digital DNA™ does not change, even if the underlying file does.
- Digital DNA is calculated from what the software DOES (its behavior), not how it was compiled or packaged.
In memory, traditional checksums don't work
Disk file --(OS Loader)--> In-memory image
- Disk file: MD5 checksum reliable
- In-memory image: copied in full, copied in part, or 100% dynamic
- MD5 checksum is not consistent in memory; Digital DNA remains consistent
Whitelisting on disk doesn't prevent malware from being in memory
Internet document (PDF, ActiveX, Flash, Office document, video, etc.) --> Disk file --(OS Loader)--> In-memory image
- MD5 checksum is whitelisted, so the process is trusted
- Whitelisted code does not mean secure code
- Public attack kits have used memory-only injection for over 5 years
Same malware compiled in three different ways
Three disk files --(OS Loader)--> In-memory image
- MD5 checksums all different
- Digital DNA remains consistent
Digital DNA defeats packers
Starting malware --> Packed malware (Packer #1, Packer #2) --(OS Loader)--> Decrypted original in the in-memory image
- Digital DNA remains consistent
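The two slides above (same malware compiled three ways; packers) make one claim: a checksum is a function of the bytes on disk, while a behaviour-based sequence is a function of what the unpacked, loaded image does. The following added example is not HBGary's code and is not how Responder extracts behaviour; it stands in a constructed "compiler" and "packer", models behaviour extraction as recognising API names in the in-memory image, and uses constructed trait hash codes. It shows three builds of one program yielding three different MD5 values but one trait set, and that the packed build's disk bytes carry none of the behaviour at all.

```python
import hashlib

# Constructed mapping from a behaviour (an imported API name) to a constructed trait hash code.
BEHAVIOUR_TRAITS = {
    b"QueueUserAPC": "0F51",
    b"SetWindowsHookExA": "A8F1",
    b"InternetOpenUrlA": "5187",
}

PACK_MAGIC = b"PACK"     # constructed packer header
RAW_MAGIC = b"RAW!"      # constructed unpacked-binary header
PACK_KEY = 0x5A          # constructed packer transform: single-byte XOR


def build_variant(apis, padding, packed):
    """Constructed stand-in for a build: same behaviour, different bytes.

    `apis` is the import order (a different compiler/linker emits a different order),
    `padding` is link-time junk/alignment, `packed` applies the constructed packer.
    """
    body = b"".join(api + b"\0" for api in apis) + padding
    if packed:
        return PACK_MAGIC + bytes(b ^ PACK_KEY for b in body)
    return RAW_MAGIC + body


def load_image(disk_bytes):
    """Constructed stand-in for the OS loader plus the packer's unpack stub running.

    The result is what physical-memory analysis sees: the decrypted original, whatever the disk file looked like.
    """
    header, payload = disk_bytes[:4], disk_bytes[4:]
    if header == PACK_MAGIC:
        return bytes(b ^ PACK_KEY for b in payload)
    if header == RAW_MAGIC:
        return payload
    raise ValueError("unknown binary format")


def md5_hex(data):
    """Whole-file checksum of the bytes as they sit on disk."""
    return hashlib.md5(data).hexdigest()


def ddna_traits(image):
    """Behaviour-based 'sequence': the sorted trait codes whose behaviour the loaded image exhibits."""
    return sorted(code for api, code in BEHAVIOUR_TRAITS.items() if api in image)


def compare_variants():
    """Build three variants of the same program and report checksum vs behaviour results."""
    common = [b"QueueUserAPC", b"SetWindowsHookExA", b"InternetOpenUrlA"]
    variants = {
        "compiler A": build_variant(common, b"\x90" * 8, packed=False),
        "compiler B": build_variant(list(reversed(common)), b"\xcc" * 3, packed=False),
        "packed": build_variant(common, b"\x00" * 5, packed=True),
    }
    return {
        name: {
            "md5": md5_hex(disk),
            "traits": ddna_traits(load_image(disk)),
            "behaviour_visible_on_disk": any(api in disk for api in BEHAVIOUR_TRAITS),
        }
        for name, disk in variants.items()
    }


if __name__ == "__main__":
    for name, result in compare_variants().items():
        print(f"{name:11s} md5={result['md5']} traits={result['traits']} "
              f"visible on disk={result['behaviour_visible_on_disk']}")
```

Running it prints three distinct MD5 values beside an identical trait list for every build; for the packed build the API names are absent from the disk bytes, so a disk-side scan (or a whitelist keyed on the file hash) says nothing about what runs once the loader and unpack stub have done their work.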
Digital DNA detects toolkits
Malware toolkit, used by different malware authors --> Packed --(OS Loader)--> In-memory image
- Toolkit DNA detected
Digital DNA Screenshot
Threat Assessment Engines: Integration with McAfee ePO (shipping next year)
Components: HBGary Portal, ePO Console, Responder Workstation, ePO Server, ePO Agents (Endpoints), HBGary Evidence Processor (Q1), HBG Extension, HBG WPMA
Data flows: schedule, SQL, events
WPMA = Windows Physical Memory Analysis
Fuzzy Search
New: REcon
REcon
- Records the entire lifecycle of a software program, from first instruction to the last.
- It records data samples at every step, including arguments to functions and pointers to objects.
Offline physical memory analysis:
- Rebuilding Windows without Windows
- All physical to virtual address translations