Presentation is loading. Please wait.

Presentation is loading. Please wait.

Continuous Protection

Published byCalvin Shepherd Modified over 6 years ago

Similar presentations

Presentation on theme: "Continuous Protection"— Presentation transcript:

1 Continuous Protection
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

2 History of Industry Leadership
Founded in 2003 to perform offensive cyber security consulting for the CIA and other high profile government agencies Shifted focus from government consulting to developing security software products Launched first product, Responder Pro, April 2008 Offices in Sacramento, and DC Area Now serve critical infrastructure customers across the government and private sectors including entertainment, financial, healthcare 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

3 Management Team Greg Hoglund, Founder, CEO Penny Leavy, President
Sam Maccherola, VP Worldwide Sales Jim Butterworth, VP of Services 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

4 High Profile Customers CONFIDENTIAL Covered by NDA
Government Agencies: Fortune 500 Corporations: Government Contractors: Department of Homeland Security Morgan Stanley L-3 National Security Agency Blue Team Sony General Dynamics 92nd Airborne Citigroup Merlin International Federal Bureau of Investigation IBM Northrop Grumman Congressional Budget Office General Electric SAIC Department of Justice Cox Cable Booz Allen Hamilton Centers for Disease Control eBay United Technologies Transportation Security Administration JP Morgan ManTech Defense Intelligence Agency Best Buy TASC Defense Information Systems Agency Pfizer Blackbird Technologies US Immigration and Customs Enforcement Baker Hughes COB US Air Force Fidelity 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010 4

5 Install Base/2011 CONFIDENTIAL Covered by NDA
DDNA Nodes 400 standalone/800 DDNA for ePO- 71,000/moving to AD for ePO DDNA OEM-12000/300,000 Active Defense-54,000/800,000 Responder Pro 320/530 Responder Field 1200/2400 FastDumpPro-3000 (plus FastDump Pro is included in all of above) 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

6 High-Value Partnerships Drive Strong Growth in Sales
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010 6

7 The Evolved Risk Environment
All data is digital and can be stolen by motivated and well funded attackers from 3,000 miles away. They are entrenched already. Existing Host-level and perimeter protection is ineffective at detecting emerging threats. The network is becoming perimeterless and the host is the key to protecting the enterprise 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

8 There is NO RISK REDUCTION
Incident Response & Reimage is the traditional model – but…. Reimaging doesn’t fix the vulnerability - over 50% of reimaged machines will end up re-infected with the same malware After the IR team leaves, the bad guys come crawling back out of their holes using multiple layers of entrenched malware and sleeper agents (hey, remember, these guys are hackers) 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

9 The Breakdowns #1 – Trusting the AV/HIDS
AV doesn’t detect most malware, even variants of malware that it’s supposed to detect. HIDS/HIPS are too cumbersome and throw a lot false +’s #2 – Not using threat intelligence The only way to get better at detecting intrusion is to learn how to detect them next time #3 – Not preventing re-infection If you don’t harden your network then you are just throwing money away 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

10 Continuous Protection
The bad guys are going to get in. Accept it. Because intruders are always present, you need to have a continuous countering force to detect and remove them. Your continuous protection solution needs to get smarter over time – it must learn how the attackers work and get better at detecting them. Security is an intelligence problem. 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

11 Efficient & Scalable Visibility
To detect advanced intruders, the security team needs whole-host remote live-forensics at the click of a button To be efficient, the team needs to search over tens of thousands of machines in minutes The solution needs to support all levels of analysis, from simple search to low-level disassembly The longer malware is not dealt with the more damage is caused 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

12 The Big Picture of HBGary
Detect bad guys using a smallish genome of behaviors – and this means zeroday and APT – no signatures required Followup with strong incident response technology, enterprise scalable Inoculate to protect against known malware Back this with very low level & sophisticated deep-dive capability for attribution and forensics work=Smarter Security 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

13 HBGary’s take on all this
Focus on malicious behavior, not signatures Based upon disassembled and RE’d software Bad guys don’t write 50,000 new malware every morning Their techniques, algorithms, and protocols stay the same, day in day out Once executing in PHYSICAL memory (not virtual), the software is just software Physmem is the best information source available 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

14 Continuous Protection
Inoculate Update NIDS Adverse Event Breakdown #3 Check AV Log Breakdown #1 More Compromise Check with AD Scan for BI’s Breakdown #2 Compromise Detected Reimage Machine Get Threat Intel 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

15 Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists ATTRIBUTION-Derived Developer Toolmarks Signatures Algorithms NIDS sans address Hooks Protocol Install DNS name IP Address Checksums 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

16 Types of Threat Intelligence
Long Lasting – patterns last for years Not packaged as a feed Strong initial value Value drops off quickly over time Cannot be packaged as a feed Behavioral Detection not signatures This is the value line Very Short Lifetime Minimal Value Typically sold as a ‘feed’ External Vendor Supplied Blacklists Signatures for known threats custom to your environment Signatures for threats not based on your environment 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

17 External Vendor Supplied Blacklists
Digital DNA™ Virtual Machine Execution Engines Heuristics Managed Services Internal SOC’s / CERT’s Long Lasting – patterns last for years Not packaged as a feed Traditional AV DAT Files NIDS signatures IP/DNS Blacklists Strong initial value Value drops off quickly over time Cannot be packaged as a feed Behavioral Detection not signatures IOC Query Subscriptions Very Short Lifetime Minimal Value Typically sold as a ‘feed’ External Vendor Supplied Blacklists Signatures for known threats custom to your environment Signatures for threats not based on your environment 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

18 HBGary’s Focus Behavioral Detection not signatures
Long Lasting – patterns last for years Not packaged as a feed Strong initial value Value drops off quickly over time Cannot be packaged as a feed Behavioral Detection not signatures Very Short Lifetime Minimal Value Typically sold as a ‘feed’ External Vendor Supplied Blacklists Signatures for known threats custom to your environment Signatures for threats not based on your environment 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

19 Threat Intelligence Data Flow
Inoculate Update NIDS Intelligent Perimeter COMS Adverse Event More Compromise Compromise Detected Scan Hosts Artifacts Malware Analysis Timelines Host Analysis Reimage Machine Get Threat Intel 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

20 Key Competitive Differentiators
Behavior based detection Lowest level possible (physical memory) Disassembled and RE programs on fly Attribution-IR, feeds and malware Visibility into all areas of computer Highly scalable, high speed, concurrent Easy to use and full OS support No open source/product quality, (not a bunch of scripts) 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

21 Products 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

22 Technology Block Diagram
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

23 Enterprise Cyber Defense Enterprise Incident Response
Active Defense Active Defense McAfee Verdasys EnCase Enterprise Cyber Defense Enterprise Incident Response Digital DNA™ Responder™ TMC’s support in Federal space. REcon Ruleset (‘genome’) Threat Monitoring Mature product in market Automated Reverse Engineering Automated Feed Farm Windows Physical Memory Forensics NTFS Drive Forensics Could be productized… 12/29/2017 Product, extremely flexible, SDK available Copyright HBGary, Inc 2008, 2009, 2010

24 Digital DNA™ 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

25 Digital DNA™ Automated PROACTIVE malware detection
Software classification system 5000 software and malware behavioral traits Example Huge number of key logger variants in the wild About 10 logical ways to build a key logger 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

26 Digital DNA™ Benefits = Better cyber defense
Enterprise detection of zero-day threats Lowers the skill required for actionable response What files, keys, and methods used for infection What URL’s, addresses, protocols, ports “At a glance” threat assessment What does it steal? Keystrokes? Bank Information? Word documents and powerpoints? = Better cyber defense 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

27 How an AV vendor can use DDNA
Digital DNA uses a smallish genome file (a few hundred K) to detect ALL threats If something is detected as suspicious, that object can be extracted from the surrounding memory (Active Defense™ does this already) The sample can then be analyzed with a larger, more complete virus database for known-threat identification If a known threat is not identified, the sample can be sent to the AV vendor automatically 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

28 Digital DNA™ Performance
4 gigs per minute, thousands of patterns in parallel, NTFS raw disk, end node 2 gig memory, 5 minute scan, end node Hi/Med/Low throttle = 10,000 machine scan completes in < 1 hour 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

29 Under the hood These images show the volume of decompiled information produced by the DDNA engine. Both malware use stealth to hide on the system. To DDNA, they read like an open book. 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

30 Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA™ Ranking Software Modules by Threat Severity 0B 8A C2 05 0F F B ED C D 8A C2 Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys. 0F 51 0F 64 Software Behavioral Traits 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

31 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait? 04 0F 51 B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

32 Digital DNA™ (in Memory) vs
Digital DNA™ (in Memory) vs. Disk Based Hashing, Signatures, and other schematic approaches 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

33 White listing on disk doesn’t prevent malware from being in memory
Internet Document PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code. White listed code does not mean secure code Process is trusted 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

34 Digital DNA defeats packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers Starting Malware As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Packed Malware Digital DNA remains consistent 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

35 Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Digital DNA remains consistent 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

36 Compromised computers… Now what?
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

37 Active Defense™ 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

38 Why Active Defense? ONLY vendor that can concurrently search
-Physical Memory -Live OS -Raw Disk -OVERLAID with BEHAVIOR based detection, based upon Physical memory snapshot PLUS BI’s -NO open source, real product -Easy to Use no complex RegX -Support for ALL Windows Platforms/Big name endorsements 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

39 Alert! 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

40 Hmm.. 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

41 Active Defense Queries
What happened? What is being stolen? How did it happen? Who is behind it? How do I bolster network defenses? 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

42 Active Defense Queries
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

43 Responder 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

44 HBGary Responder Professional
Standalone system for incident response Memory forensics Malware reverse engineering Static and dynamic analysis NO knowledge of assembly code needed/Fast and complete Digital DNA module REcon module 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

45 Responder Professional
12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

46 Recon/Inoculator 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

47 REcon Records the entire lifecycle of a software program, from first instruction to the last. It records data samples at every step, including arguments to functions and pointers to objects. Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

48 Inoculation Example Using Responder + REcon, HBGary was able to trace
Aurora malware and obtain actionable intel in about 5 minutes. This intel was then used to create an inoculation shot, downloaded over 10,000 times over a few days time. To automatically attempt a clean operation: ******************************************* InoculateAurora.exe -range clean 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

49 Inoculator™ 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

50 Future Products CONFIDENTIAL Covered by NDA
Razor-FireEye Competitor- Q1 2011 Active Defense for the Cloud-Q1 2011 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

51 Reimage or Remove Malware
HBGary Products Inoculate Update Perimeter IDS Razor (TBD) Inoculator Active Defense™ More Compromise Inoculator Active Defense™ for the cloud (TBD) Responder™ Active Defense™ Digital DNA™ Active Defense™ Scan Hosts Compromise Detected Digital DNA™ Inoculator Reimage or Remove Malware Get Threat Intel 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

52 Advanced Discussion: How HBGary maintains DDNA with Threat Intelligence

53 Partnership Feed Agreements
Intelligence Feed Partnership Feed Agreements Feed Processor Machine Farm Meta Data Sources Digital DNA

54 From raw data to intelligence
Malware Analysis Feed Processor Responder Active Defense Data Integration Meta Data Link Analysis Stalker primary Digital DNA Palantir Stats

55 Ops path Malware Attack Tracking Digital DNA™ Active Threat Tracking
Mr. A Mr. B Mr. C Malware Attack Tracking Digital DNA™ Active Threat Tracking Detect relevant attacks in progress. Determine the scope of the attack. Focus is placed on Botnet / Web / Spam Distribution systems Potentially targeted spear/whalefishing Internal network infections at customer sites Development idioms are fingerprinted. Malware is classified into attribution domains. Special attention is placed on: Specialized attacks Targeted attacks Newly emergent methods Determine the person(s) operating the attack, and their intent: Leasing Botnet / Spam Financial Fraud Identity Theft Pump and Dump Targeted Threat & Documents Theft Intellectual Property Theft Deeper penetration

56 Over 5,000 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome”

57 Country of Origin Country of origin
Is the bot designed for use by certain nationality? Geolocation of IP is NOT a strong indicator However, there are notable examples Is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation C&C map from Shadowserver, C&C for 24 hour period

58 C&C server source code. Written in PHP Specific “Hello” response (note, can be queried from remote to fingerprint server) Clearly written in Russian In many cases, the authors make no attempt to hide…. You can purchase many kits and just read the source code…

59 A GIF file included in a C&C server package.

60 GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display. Reads screenshot data, creates a special DIFF buffer LOOP: Compare new screenshot to previous, 4 bytes at a time If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match. Offset in screenshot Len in bytes Data….

61 ‘SoySauce’ C&C Hello Message
this queries the uptime of the machine.. checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

62 Aurora C&C parser Command is stored as a number, not text. It is checked here. Each individual command handler is clearly visible below the numerical check After the command handler processes the command, the result is sent back to the C&C server

63 Link Analysis Link Analysis We want to find a connection here
C&C Fingerprint Botmaster URL artifact Affiliate ID Developer Protocol Fingerprint Endpoints Developer C&C products Link Analysis

64 Example: Link Analysis with Palantir™
Implant Forensic Toolmark specific to Implant Searching the ‘Net reveals source code that leads to Actor Actor is supplying a backdoor Group of people asking for technical support on their copies of the backdoor

65 Managed Service Weekly, enterprise-wide scanning with DDNA & updated BI’s (using HBGary Product) Includes extraction of threat-intelligence from compromised systems and malware Includes creation of new IDS signatures Includes inoculation shot development Includes option for network monitoring specifically for C2 traffic and exfiltration

66 Questions? 12/29/2017 Copyright HBGary, Inc 2008, 2009, 2010

Download ppt "Continuous Protection"

Similar presentations

CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.

CLEARSPACE Digital Document Archiving system INTRODUCTION Digital Document Archiving is the process of capturing paper documents through scanning and.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Viruses.

Viruses.
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.

Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.

Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.
Role Of Network IDS in Network Perimeter Defense.

Role Of Network IDS in Network Perimeter Defense.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.
ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.

ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Similar presentations

Ads by Google