1. Continuous Protection

2. We can do better
IDS only works if you have the right patterns, but how do you make those patterns smarter and more real-time?
Stop depending on the security vendor for DAT files and signature databases
Tune your IDS to detect the threats that are custom to your environment
You need to extract & leverage the evidence that already exists in your own enterprise

3. Threat Intelligence Cycle
Update NIDS
Search Logs
Adverse Event
More Compromise
Compromise Detected
Scan for IOC’s
Get Threat Intel from the host
Reimage Machine

4. The Evolved Risk Environment
All data is digital and can be stolen by motivated and well funded attackers from 3,000 miles away. They are entrenched already.
Host-level protection is incomplete. Antivirus does not detect emerging threats. The host is highly vulnerable and this is where the bad guy gets in.

5. Signature based systems don’t scale

6. There is NO RISK REDUCTION
Incident Response & Reimage is the traditional model – but…. Reimaging doesn’t fix the vulnerability - over 50% of reimaged machines will end up re-infected with the same malware After the IR team leaves, the bad guys come crawling back out of their holes using multiple layers of entrenched malware and sleeper agents (hey, remember, these guys are hackers)

7. Social Networking
A new way to target individuals and workers within a specific industry group
It’s easy to create a false digital identity

8. Attack Vectors Spear-phishing
Booby-trapped documents
Fake-Links to drive-by websites
Trap postings on industry-focused social networks
Forums, Groups (clinician list-servs, AMDIS, web forums)
SQL injections into web-based portals
Employee benefit portals, external labs, etc.

9. Boobytrapped Documents
This is the current trend
Single most effective focused attack today
Human crafts text

10. you know they will click it

11. Social Networking Space
Web-based attack
Social Networking Space
Injected Java-script
Used heavily for large scale infections
Focused, Social network targeting is possible

12. Perimeter-less Network
Excuse me while I disconnect from the corporate network, I need to use my mobile hotspot to check facebook…
The host matters more than ever
Regardless of the network data path, the data ends up on the host

13. Cyber Weapons Market
Foreign Intelligence Services, Criminals, and Terrorist’s don’t need to have expert hackers, they can just buy exploits for money
Fully weaponized and ready to use
Mostly developed out of the Eastern Bloc

14. Selling Access to Your Network
Access to your networks is being auctioned

15. They will install for you
Minimum is 1,000 installs – this would be about $100,000 for US installs.

16. Recruiting All Exploiters
Pays per 1,000 infections *

17. Custom Crimeware Programming Houses

18. Eleonore (exploit pack)

19. Tornado (exploit pack)

20. Continuous Protection

21. Continuous Protection
The bad guys are going to get in. Accept it.
Because intruders are always present, you need to have a continuous countering force to detect and remove them.
Your continuous protection solution needs to get smarter over time – it must learn how the attackers work and get better at detecting them. Security is an intelligence problem.

22. Continuous Protection
Inoculate
Update NIDS
Adverse Event
Breakdown #3
Check AV Log
Breakdown #1
More Compromise
Check with AD
Scan for IOC’s
Breakdown #2
Compromise Detected
Reimage Machine
Get Threat Intel

23. The Breakdowns #1 – Trusting the AV #2 – Not using threat intelligence
AV doesn’t detect most malware, even variants of malware that it’s supposed to detect
#2 – Not using threat intelligence
The only way to get better at detecting intrusion is to learn how to detect them next time
#3 – Not preventing re-infection
If you don’t harden your network then you are just throwing money away

24. Efficient & Scalable Visibility
To detect advanced intruders, the IR team needs whole-host remote live-forensics at the click of a button
To be efficient, the team needs to search over tens of thousands of machines in minutes
The solution needs to support all levels of analysis, from simple search to low-level disassembly

25. Countermeasures
Once compromise is detected, data needs to be extracted that can be used for better intrusion detection
Registry keys, s, DNS names, URL’s, binary file signatures, in-memory signatures, etc.
At all times, you need to think about how you will detect the attacker NEXT WEEK.

26. HBGary Solutions

27. The Big Picture of HBGary
Detect bad guys using a smallish genome of behaviors – and this means zeroday and APT – no signatures required
Followup with strong incident response technology, enterprise scalable
Back this with very low level & sophisticated deep-dive capability for attribution and forensics work

28. HBGary’s take on all this
Focus on malicious behavior, not signatures
There are only so many ways to do something bad on a Windows machine
Bad guys don’t write 50,000 new malware every morning
Their techniques, algorithms, and protocols stay the same, day in day out
Once executing in physical memory, the software is just software
Physmem is the best information source available

29. Efficacy Curve Efficacy is rising ZERO KNOWLEDGE DETECTION RATE DDNA
Detecting more than not (> 50%)
ZERO KNOWLEDGE DETECTION RATE
Detecting very little
Signatures
And scaling issue getting worse

30. And The Very Near Future
Digital Antibodies, deployed persistent protection against specific threat patterns
This only works for known malware or attack patterns
This causes the attacker’s methods to stop working and limits their movement, forcing them to spend resources to maintain access

31. Inoculation Example Using Responder + REcon, HBGary was able to trace
Aurora malware and obtain actionable intel in about 5 minutes.
This intel was then used to create an inoculation shot,
downloaded over 10,000 times over a few days time.
To automatically attempt a clean operation:
*******************************************
InoculateAurora.exe -range clean

32. Products

33. Responder Field Edition
Stand Alone
Enterprise
Memory Forensics
Responder Field Edition
Integrated with EnCase Enterprise (Guidance)
Enterprise Malware Detection
Digital DNA for ePO (HBSS)
Active Defense
Response
Responder Professional
w/ Digital DNA
Intrinsic to all Enterprise products
Policy Enforcement and Mitigation
Integrated with Verdasys Digital Guardian

34. Customers DoD 26000 Nodes Civilian Agencies 36,000 Nodes
Government Contractors &
Consulting Customers
OEMS
Fortune Customers *
Foreign Governments & 38 Customers
Universities &
Law Enforcement 87 Customers
* Multiple site license discussions in the pipeline

35. Managed Service

36. Managed Service
Weekly, enterprise-wide scanning with DDNA & updated IOC’s (using HBGary Product)
Includes extraction of threat-intelligence from compromised systems and malware
Includes creation of new IDS signatures
Includes inoculation shot development
Includes option for network monitoring specifically for C2 traffic and exfiltration

37. Technology Block Diagram

38. Enterprise Cyber Defense Enterprise Incident Response
Active Defense
Active Defense
McAfee
Verdasys
EnCase
Enterprise Cyber Defense
Enterprise Incident Response
Digital DNA™
Responder™
TMC’s support in Federal space.
REcon
Ruleset (‘genome’)
Threat Monitoring
Mature product in market
Automated Reverse Engineering
Automated Feed Farm
Windows Physical Memory Forensics
NTFS Drive Forensics
Could be productized…
Product, extremely flexible, SDK available

39. Digital DNA™

40. Digital DNA™ Automated malware detection
Software classification system
5000 software and malware behavioral traits
Example
Huge number of key logger variants in the wild
About 10 logical ways to build a key logger

41. Digital DNA™ Benefits = Better cyber defense
Enterprise detection of zero-day threats
Lowers the skill required for actionable response
What files, keys, and methods used for infection
What URL’s, addresses, protocols, ports
“At a glance” threat assessment
What does it steal? Keystrokes? Bank Information? Word documents and powerpoints?
= Better cyber defense

42. How an AV vendor can use DDNA
Digital DNA uses a smallish genome file (a few hundred K) to detect ALL threats
If something is detected as suspicious, that object can be extracted from the surrounding memory (Active Defense™ does this already)
The sample can then be analyzed with a larger, more complete virus database for known-threat identification
If a known threat is not identified, the sample can be sent to the AV vendor automatically

43. Digital DNA™ Performance
4 gigs per minute, thousands of patterns in parallel, NTFS raw disk, end node
2 gig memory, 5 minute scan, end node
Hi/Med/Low throttle
= 10,000 machine scan completes in < 1 hour

44. Under the hood
These images show the volume of decompiled information produced by the DDNA engine. Both malware use stealth to hide on the system. To DDNA, they read like an open book.

45. Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA™
Ranking Software Modules by Threat Severity
0B 8A C2 05 0F F B ED C D
8A C2
Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys.
0F 51
0F 64
Software Behavioral Traits

46. B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait?
04 0F 51
B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user.
Unique hash code
Weight / Control flags
The trait, description, and underlying rule are held in a database

47. Digital DNA™ (in Memory) vs
Digital DNA™ (in Memory) vs. Disk Based Hashing, Signatures, and other schematic approaches

48. White listing on disk doesn’t prevent malware from being in memory
Internet Document
PDF, Active X, Flash
Office Document, Video, etc…
DISK FILE
IN MEMORY IMAGE
Public Attack-kits have used memory-only injection for
over 5 years
OS Loader
White listing on disk doesn’t prevent malware from being in memory
MD5 Checksum
is white listed
Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code.
White listed code does not mean secure code
Process is trusted

49. Digital DNA defeats packers
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
Digital DNA defeats packers
Starting Malware
As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.
Packed
Malware
Digital DNA remains consistent

50. Same malware compiled in three different ways
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors.
MD5 Checksums
all different
Digital DNA remains consistent

51. Compromised computers… Now what?

52. Active Defense™

53. Alert!

54. Hmm..

55. Active Defense Queries
What happened?
What is being stolen?
How did it happen?
Who is behind it?
How do I bolster network defenses?

56. Active Defense Queries

57. Active Defense Queries
QUERY: “detect use of password hash dumping”
Physmem.BinaryData CONTAINS PATTERN “B[a-fA-F0-9]{32}:B[a-fA-F0-9]{32}“
QUERY: “detect deleted rootkit”
(RawVolume.File.Name = “mssrv.sys“ OR RawVolume.File.Name = “acxts.sys“)
AND RawVolume.File.Deleted = TRUE
QUERY: “detect chinese password stealer”
LiveOS.Process.BinaryData CONTAINS PATTERN “LogonType: %s-%s“
QUERY: “detect malware infection san diego”
LiveOS.Module.BinaryData CONTAINS PATTERN “.aspack“ OFFSET < 1024 OR
RawVolume.File.BinaryData CONTAINS PATTERN “.aspack“ OFFSET < 1024
No NDA no Pattern…

58. Enterprise Systems Digital DNA for McAfee ePO
Digital DNA for HBGary Active Defense
Digital DNA for Guidance EnCase Enterprise
Digital DNA for Verdaysys Digital Guardian
Traditional methods to analyze memory and malware are difficult. It requires expertise, is time consuming and expensive, and it doesn’t scale. 58

59. Integration with McAfee ePO
Responder
Professional
ePO
Console
ePO
Server
ePO
Agents
(Endpoints)
DDNA is automatically installed across the enterprise by ePO. We give a ePO a couple of zip files. ePO installs HBGary code onto the ePO server and onto each endpoint. The ePO scheduler tells DDNA when to run on each endpoint. We run, examine memory, create DDNA alerts, hand the alerts and traits to the ePO agent which sends them to the ePO SQL server. The DDNA alerts are displayed on the ePO console. DDNA is not installed as an agent. It is a command line utility that loads runs when ePO tells it to. After executing DDNA exits memory. ePO’s AV, firewall and HIDS runs 24x7 as a service. DDNA runs at a point in time to find malware.
Schedule
SQL
Events
HBG Extension
HBGary DDNA

61. Fuzzy Search

62. Inoculation

63. Example NO AGENT! INOCULATION: “IPRIP key for reboot”
LiveOS.Registry.Key ENDS WITH “SYSTEM\CurrentControlSet\Services\IPRIP“
Insert Block
Send Alert if Accessed
This places a dummy object at the location and sets permissions so it cannot easily be removed. This effectively blocks the attacker’s malware.
This sets the auditing policy so that an event is logged if anything touches the dummy object.
NO AGENT!

64. Responder

65. HBGary Responder Professional
Standalone system for incident response
Memory forensics
Malware reverse engineering
Static and dynamic analysis
Digital DNA module
REcon module

66. Responder Professional

67. REcon

68. REcon
Records the entire lifecycle of a software program, from first instruction to the last.
It records data samples at every step, including arguments to functions and pointers to
objects.
Offline physical memory analysis:
Rebuilding windows without windows
All physical to virtual address translations

69. Advanced Discussion: How HBGary maintains DDNA with Threat Intelligence

70. Partnership Feed Agreements
Intelligence Feed
Partnership Feed Agreements
Feed Processor
Machine Farm
Meta Data
Sources
Digital DNA

71. From raw data to intelligence
Malware Analysis
Feed Processor
Responder
Active Defense
Data Integration
Meta Data
Link Analysis
Stalker
primary
Digital DNA
Palantir
Stats

72. Ops path Malware Attack Tracking Digital DNA™ Active Threat Tracking
Mr. A
Mr. B
Mr. C
Malware Attack Tracking
Digital DNA™
Active Threat Tracking
Detect relevant attacks in progress. Determine the scope of the attack.
Focus is placed on
Botnet / Web / Spam Distribution systems
Potentially targeted spear/whalefishing
Internal network infections at customer sites
Development idioms are fingerprinted.
Malware is classified into attribution domains. Special attention is placed on:
Specialized attacks
Targeted attacks
Newly emergent methods
Determine the person(s) operating the attack, and their intent:
Leasing Botnet / Spam
Financial Fraud
Identity Theft
Pump and Dump
Targeted Threat
& Documents Theft Intellectual Property Theft
Deeper penetration

73. Malware sequenced every 24 hours

74. Over 5,000 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome”

75. Country of Origin Country of origin
Is the bot designed for use by certain nationality?
Geolocation of IP is NOT a strong indicator
However, there are notable examples
Is the IP in a network that is very unlikely to have a third-party proxy installed?
For example, it lies within a government installation
C&C map from Shadowserver, C&C for 24 hour period

76. C&C server source code.
Written in PHP
Specific “Hello” response (note, can be queried from remote to fingerprint server)
Clearly written in Russian
In many cases, the authors make no attempt to hide…. You can purchase many kits and just read the source code…

77. A GIF file included in a C&C server package.

78. GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display.
Reads screenshot data, creates a special DIFF buffer
LOOP: Compare new screenshot to previous, 4 bytes at a time
If they differ, enter secondary loop here, writing a ‘data run’ for as long as there is no match.
Offset in screenshot
Len in bytes
Data….

79. ‘SoySauce’ C&C Hello Message
this queries the uptime of the machine..
checks whether it's a laptop or desktop machine...
enumerates all the drives attached to the system, including USB and network...
gets the windows username and computername...
gets the CPU info... and finally,
the version and build number of windows.

80. Aurora C&C parser
Command is stored as a number, not text. It is checked here.
Each individual command handler is clearly visible below the numerical check
After the command handler processes the command, the result is sent back to the C&C server

81. Link Analysis Link Analysis We want to find a connection here
C&C Fingerprint
Botmaster
URL artifact
Affiliate ID
Developer
Protocol Fingerprint
Endpoints
Developer
C&C products
Link Analysis

82. Example: Link Analysis with Palantir™
Implant
Forensic Toolmark specific to Implant
Searching the ‘Net reveals source code that leads to Actor
Actor is supplying a backdoor
Group of people asking for technical support on their copies of the backdoor

83. Advanced Discussion: Why Whitelisting Doesn’t Work

84. White listing on disk doesn’t prevent malware from being in memory
Internet Document
PDF, Active X, Flash
Office Document, Video, etc…
DISK FILE
IN MEMORY IMAGE
Public Attack-kits have used memory-only injection for
over 6 years
OS Loader
White listing on disk doesn’t prevent malware from being in memory
MD5 Checksum
is white listed
Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code.
White listed code does not mean secure code
Process is trusted

85. In memory, traditional checksums don’t work
DISK FILE
IN MEMORY IMAGE
100% dynamic
Copied in full
Copied in part
OS Loader
In memory, traditional checksums don’t work
MD5 Checksum
is not consistent
Software Traits remain consistent
MD5 Checksum
reliable

86. OS Loader Physical memory tends to get around the ‘packing’ problem
IN MEMORY IMAGE
Packer #1
Packer #2
Decrypted
Original
OS Loader
Physical memory tends to get around the ‘packing’ problem
Starting Malware
As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.
Packed
Malware
Software Traits remain consistent

87. Same malware compiled in three different ways OS Loader
DISK FILE
IN MEMORY IMAGE
Same malware compiled in three different ways
OS Loader
If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors.
MD5 Checksums
all different
Software Traits remain consistent

88. Advanced Discussion: Attribution

89. Humans
Attribution is about the human behind the malware, not the specific malware variants
Focus must be on human-influenced factors
Move this way 
 Binary
Human 
We must move our aperture of visibility towards the human behind the malware

90. Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists
ATTRIBUTION-Derived
Developer Toolmarks
Signatures
Algorithms
NIDS sans address
Hooks
Protocol
Install
DNS name
IP Address
Checksums

91. Intelligence Spectrum
Blacklists
Net
Recon C2
Developer Fingerprints
TTP
Social Cyberspace DIGINT
Physical Surveillance HUMINT
 Nearly Useless
Nearly Impossible 
SSN & Missile
Coordinates of the Attacker
MD5 Checksum of a single malware sample
Sweet Spot
IDS signatures with long-term viability
Predict the attacker’s next moves

92. Developer Fingerprints
Communications Functions
Developer
Installation & Deployment Method
Sample
Malware
Command & Control Functions
Compiler Environment
Packing
Stealth & Antiforensic Techniques

93. The Flow of Forensic Toolmarks
Machine
Developer
Core ‘Backbone’ Sourcecode
Sample
Tweaks & Mods
Compiler
Malware
Time
3rd party Sourcecode
Paths
Packing
MAC address
3rd party libraries
Runtime Libraries

94. Developer Fingerprints
Archaeology layer
Net
Recon C2
Developer Fingerprints
TTP
Actions / Intent (attacker’s behavior, as opposed to code)
Installation + Deployment method
Command + Control (primary outer loops)
CNA (spreader) CNE (search and exfil tools)
COMS (code level view, as opposed to network sniff)
Defensive / Antiforensics (usually a packer, easily changed)
Exploit weaponization / delivery vehicle
Shellcode
DNS, C2 Protocol, Encryption Method (high rate of change)

95. Rule #1
The human is lazy
The use kits and systems to change checksums, hide from A/V, and get around IDS
They DON’T rewrite their code every morning

96. Rule #2
Most attackers are focused on rapid reaction to network-level filtering and black-holes
Multiple DynDNS C2 servers, multiple C2 protocols, obfuscation of network traffic
They are not-so-focused on host level stealth
Most malware is simple in nature, and works great
Enterprises rely on A/V for host, and A/V doesn’t work, and the attackers know this

97. Rule #3 Physical memory is King
Once executing in memory, code has to be revealed, data has to be decrypted

98. Questions?