Presentation is loading. Please wait.

Presentation is loading. Please wait.

Air Force Research Labs Dept Homeland Security (HSARPA)

PublishColeen Warren Modified over 7 years ago

Similar presentations

Presentation on theme: "Air Force Research Labs Dept Homeland Security (HSARPA)"— Presentation transcript:

1 Improve Enterprise Security with Memory Forensics, Malware Analysis & Digital DNA

2 Air Force Research Labs Dept Homeland Security (HSARPA)
HBGary Background Founded in 2003 Government R&D Solutions: Enterprise Host Intrusion Detection Live Windows Memory Forensics & Incident Response Malicious Code Detection Automated Reverse Engineering R&D Funding HBGary has been around since 2003. First 5 years performing services for US Govt Started selling products in 2008. Air Force Research Labs Next Generation Software Reverse Engineering Tools Kernel Virtual Machine Host Analyzer Virtual Machine Debugger Dept Homeland Security (HSARPA) Botnet Detection and Mitigation H/W Assisted System Security Monitor Subcontractor to AFCO Systems Development

3 The Problem - Cybercrime
Hacking Embezzlement Intellectual property theft Espionage Child Exploitation Etc… These are the problems HBGary is working to solve. HBGary solutions can be used to help solve all kinds of cybercrime.

4 # of New Malware Every Day!
1986 – 2006 there were a total of 700,000 pieces of malware on the Internet. 2007 – there were 700,000 NEW pieces of malware. 2008 – there were 1,300,000 NEW Pieces of malware 2009 – So far this year between 25,000 – 75,000 NEW pieces of malware every day!

5 Top 3 AV companies don’t detect 80% of new malware
Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware This is obvious. 5

6 Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products

7 Bad Guys use Memory Tricks
Memory injection attacks never touch the disk Public and commercial hacker tools have used these techniques for over 4+ years Metasploit Framework (meterpreter) Canvas Core Impact No good detection mechanism without memory preservation and offline analysis Remember: you cannot trust the operating system!

8 Drive-by Download – Legitimate website
Your users are compromised today just by visiting a legitimate web site like - Foxnews.com was compromising Dept of Defense computers for over 2 weeks as users read the web page. The web site had been compromised and was serving up a hidden I-Frame that installed malicious code.

9 White-listing on disk doesn’t prevent malware from being in memory
Internet Browsers PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White-listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Process is trusted??

10 HBGary Solution Live Memory (RAM) Forensics

11 Why Live Memory Forensics?
Today it’s Easy! Mission-critical systems % availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable info in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.

12 Why Live Memory Forensics?
Detect Malware that Anti-Virus cannot Detect Malware that Host Based IDS/IPS cannot Verify the “Run-Time” state of the system

13 Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

14 Why Memory Analysis is Unique
Better Detection Traditional Forensics & Security Software

15 A suspicious file… Anti-Virus doesn’t Detect it! Now what?

16 Perform Malware Analysis
This looks suspicious! Understand Malware: Create Signatures Bolster defenses Attribution Computer Network Defense (CND) Identify a binary’s capabilities Recover Command and Control functions Recover passwords and encryption keys View decrypted packets and files Computer Forensics

17 Why Perform Malware Analysis? I have Anti-Virus….
Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is out dated Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?

18 HBGary Core Technology

19 Physical Memory Forensics
Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics

20 Offline Physical Memory Analysis
The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively

21 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis

22 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization

23 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors

24 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks

25 Advantages of our approach
Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required

26 Client Testimonial 1 of the Largest Pharmaceutical Co’s
Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Aids in detection of malware – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data while waiting for AV signature

27 Client Testimonial 2 1 of the largest Entertainment Co’s
Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…

28 Client Testimonial 3 1 of the largest PC Manufacturer’s
Malware Outbreak - Enterprise Anti Virus was failing Responder Pro with Digital DNA detected the malware The Forensics Team provided Symantec with copies of the malware and also critical behavioral intelligence about the malware too. The Forensic investigator was NOT a reverse engineer however was able extract meaningful data rapidly to mitigate the threat.

29 Conclusion If You’re Not Performing Memory Forensics You Don’t Know if You’re Secure. Period. Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact ASAP identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature

30 Questions? Thank you very much

Download ppt "Air Force Research Labs Dept Homeland Security (HSARPA)"

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Www.accessdata.com Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)

Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT)
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Internet Safety CSA 105 1.0 September 21, 2010. Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.

Internet Safety CSA September 21, Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
13Computer Intrusions Dr. John P. Abraham Professor UTPA.

13Computer Intrusions Dr. John P. Abraham Professor UTPA.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.

Spyware and Viruses Group 6 Magen Price, Candice Fitzgerald, & Brittnee Breze.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.

BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
Role Of Network IDS in Network Perimeter Defense.

Role Of Network IDS in Network Perimeter Defense.
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.

Powerpoint presentation on Drive-by download attack -By Yogita Goyal.

Similar presentations

Ads by Google