ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise


Presentation on theme: "ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise"— Presentation transcript:

1 ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise
USING HBGARY’S ACTIVE DEFENSE

2 HBGary
Enterprise software product company, 7 years old.
Experts on malicious software threats.
Products: Active Defense, Digital DNA™ (patent pending), Responder, REcon, FastDump.
Integrations: EnCase Enterprise, McAfee ePO.

3 Evolving Risk
Most intellectual property and valuable data is stored online digitally within the Enterprise.
Attackers are motivated and well funded.
Cyber-weapons work, existing security solutions don’t, end of story.

4 Security Efficacy Curve
(Chart: zero-knowledge detection rate.) Signatures detect very little, and the scaling issue is getting worse. DDNA detects more than not (> 50%), and efficacy is rising.

5 HBGary’s Approach
Focus on malicious behavior, not signatures.
There are only so many ways to do something bad on a Windows machine.
Bad guys don’t write 50,000 new malware every morning. Their techniques, algorithms, and protocols stay the same, day in, day out.
Once executing in physical memory, the software is just software. Physmem is the best information source available.

6 The Big Picture
Detect bad guys using a smallish genome of behaviors – and this means zero-day and APT – no signatures required.
Follow up with strong incident response technology, enterprise scalable.
Back this with very low level & sophisticated deep-dive capability for attribution and forensics work.

7 Active Defense
Detect Advanced Malware & Persistent Threat: no prior knowledge of the threat required. Powered by Digital DNA™.
Obtain actionable intelligence: registry keys & files, URLs used for communication.
Actionable = make your existing investment more effective:
- Detect & block at the network perimeter (IDS signatures, egress firewalls)
- Clean machines of infection (ideal: no re-image costs)

8 The Power of Action
Using Responder + REcon, HBGary was able to trace Aurora malware and obtain actionable intel in about 5 minutes. This intel was then used to create an inoculation shot, downloaded over 10,000 times over a few days’ time.
To automatically attempt a clean operation:
*******************************************
InoculateAurora.exe -range clean

9 Active Defense
Detection of unknown threats.
Obtain actionable intelligence.
Using URLs, IPs, and protocol strings: update IDS and egress, detect & block.
Using regkeys and files it is possible to clean infection without re-image.
Remission monitoring.

10 A different team of humans
Large Govt. Customer workflow: Proventia IDS alerts → team of humans → alerts we care about → remote memory snapshots, DDNA, Responder (a different team of humans).
IF infected=true: image box with EnCase; include malware data in report; update Proventia IDS.

11 Large Energy Company (I)
WebSense detected compromised VPN server alerts. Manual log analysis revealed the compromised account: admin_epo, with domain admin privs.
Look for a known file path that indicates the account was used for an interactive logon. Scan for interactive logons of the admin_epo account across ~800 server machines.
Query: “Find admin_epo interactive logins”
RawVolume.File Where Path contains Documents and Settings\admin_epo
12 compromised servers detected, approx. 1 hour later.

12 Large Energy Company (II)
Find indicators of compromise with EnCase (12 server machines). EnCase used to scan filesystems: found suspicious DLL in temp directory; found Cain and Abel password sniffer.
Find indicators of compromise with Active Defense (thousands of machines):
Query: “Find logger.dll”
RawVolume.File Where BinaryData contains “logontype: %s”
Query: “Find cain password sniffer”
RawVolume.File Where Path equals %SYSTEMROOT%\system32\drivers\winpcap.sys
Query: “Find logger.dll in memory”
Physmem.Process Where BinaryData contains “logontype: %s”
Found machines were re-imaged; user account passwords were reset.

13 Alert!

14 Hmm..

15 Active Defense Queries
What happened? What is being stolen? How did it happen? Who is behind it? How do I bolster network defenses?

16 Active Defense Queries

17 Active Defense Queries
QUERY: “detect use of password hash dumping”
Physmem.BinaryData CONTAINS PATTERN “B[a-fA-F0-9]{32}:B[a-fA-F0-9]{32}”
QUERY: “detect deleted rootkit”
(RawVolume.File.Name = “mssrv.sys” OR RawVolume.File.Name = “acxts.sys”) AND RawVolume.File.Deleted = TRUE
QUERY: “detect chinese password stealer”
LiveOS.Process.BinaryData CONTAINS PATTERN “LogonType: %s-%s”
QUERY: “detect malware infection san diego”
LiveOS.Module.BinaryData CONTAINS PATTERN “.aspack” OFFSET < 1024 OR RawVolume.File.BinaryData CONTAINS PATTERN “.aspack” OFFSET < 1024
No NDA no Pattern…
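The three pattern queries above, re-expressed as Python regexes and run over constructed byte buffers that stand in for memory or raw-volume data (an added example, not HBGary’s code or query engine). It assumes the “B” in the slide’s hash pattern is a word boundary, and applies the OFFSET < 1024 limit only to the .aspack rule.

```python
import re

# Added detection example, not HBGary's code: the three pattern queries from
# the slide as Python regexes, run over constructed buffers. Assumption: the
# 'B' in the slide's hash pattern is a word boundary (\b in Python syntax).
RULES = {
    "password hash dump": re.compile(rb"\b[a-fA-F0-9]{32}:[a-fA-F0-9]{32}\b"),
    "password stealer format string": re.compile(rb"LogonType: %s-%s"),
    "aspack packer": re.compile(rb"\.aspack"),
}
# The .aspack query only counts a hit in the first 1024 bytes (OFFSET < 1024),
# i.e. where a PE section name would sit, not a text mention deep in a file.
OFFSET_LIMIT = {"aspack packer": 1024}


def scan(data: bytes) -> list:
    """Return (rule name, offset) for every hit that satisfies its offset
    limit, sorted by offset, so match lists can be compared or fed to triage."""
    hits = []
    for name, rx in RULES.items():
        limit = OFFSET_LIMIT.get(name)
        for m in rx.finditer(data):
            if limit is None or m.start() < limit:
                hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed samples; the hash hex values are made up, not real credentials.
PWDUMP_LIKE = (b"Administrator:500:"
               b"0123456789abcdef0123456789abcdef:"
               b"fedcba9876543210fedcba9876543210:::\r\n")
STEALER = b"\x00\x00LogonType: %s-%s\x00User: %s\x00"
PACKED = b"MZ" + b"\x00" * 300 + b".aspack\x00" + b"\x00" * 2000
MENTION = b"\x00" * 2000 + b"see .aspack docs"   # beyond the 1024-byte window


def demo() -> dict:
    samples = {"pwdump": PWDUMP_LIKE, "stealer": STEALER,
               "packed": PACKED, "mention": MENTION}
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:8s} {hits}")
```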

18 Enterprise Systems
Digital DNA for McAfee ePO
Digital DNA for HBGary Active Defense
Digital DNA for Guidance EnCase Enterprise
Digital DNA for Verdasys Digital Guardian
Traditional methods to analyze memory and malware are difficult. They require expertise, are time consuming and expensive, and don’t scale.

19 Integration with McAfee ePO
(Diagram: Responder Professional, ePO Console, ePO Server, ePO Agents (Endpoints); Schedule, SQL, Events, HBG Extension, HBGary DDNA.)
DDNA is automatically installed across the enterprise by ePO. We give ePO a couple of zip files. ePO installs HBGary code onto the ePO server and onto each endpoint. The ePO scheduler tells DDNA when to run on each endpoint. We run, examine memory, create DDNA alerts, and hand the alerts and traits to the ePO agent, which sends them to the ePO SQL server. The DDNA alerts are displayed on the ePO console.
DDNA is not installed as an agent. It is a command line utility that loads and runs when ePO tells it to. After executing, DDNA exits memory. ePO’s AV, firewall and HIDS run 24x7 as a service. DDNA runs at a point in time to find malware.

21 Fuzzy Search

22 Digital DNA™

23 Digital DNA™ Automated malware detection
Software classification system: 5000 software and malware behavioral traits.
Example: huge number of key logger variants in the wild, but about 10 logical ways to build a key logger.

24 Digital DNA™ Benefits = Better cyber defense
Enterprise detection of zero-day threats.
Lowers the skill required for actionable response: what files, keys, and methods were used for infection; what URLs, addresses, protocols, ports.
“At a glance” threat assessment: what does it steal? Keystrokes? Bank information? Word documents and PowerPoints?

25 Digital DNA™ Performance
4 gigs per minute, thousands of patterns in parallel, NTFS raw disk, end node.
2 gig memory, 5 minute scan, end node.
Hi/Med/Low throttle = 10,000 machine scan completes in < 1 hour.

26 Under the hood These images show the volume of decompiled information produced by the DDNA engine. Both malware use stealth to hide on the system. To DDNA, they read like an open book.

27 Digital DNA™: Ranking Software Modules by Threat Severity
(Screenshot: Digital DNA sequence bytes alongside Software Behavioral Traits.)
Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking, which may indicate the presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys.

28 What’s in a Trait?
(Slide annotates the trait bytes 04 0F 51 as: unique hash code, weight / control flags.)
Rule: B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
The rule is specified like a regular expression; it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user.
The trait, description, and underlying rule are held in a database.

29 Digital DNA™ (in Memory) vs. Disk Based Hashing, Signatures, and other schematic approaches

30 White listing on disk doesn’t prevent malware from being in memory
(Diagram: Internet document (PDF, ActiveX, Flash, Office document, video, etc…) → disk file (MD5 checksum is white listed) → OS loader → in-memory image (process is trusted).)
Public attack-kits have used memory-only injection for over 5 years.
Whitelisting typically works by having a list of good hashes, with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listed code does not mean secure code. DDNA will find the bad injected code.

31 Digital DNA defeats packers
(Diagram: starting malware → packer #1 → packer #2 → packed malware on disk → OS loader → decrypted original in memory; Digital DNA remains consistent.)
As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same.

32 Same malware compiled in three different ways
(Diagram: three disk files with all-different MD5 checksums → OS loader → in-memory images; Digital DNA remains consistent.)
If the same malware is compiled three different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors.

33 Responder

34 HBGary Responder Professional
Standalone system for incident response: memory forensics, malware reverse engineering, static and dynamic analysis, Digital DNA module, REcon module.

35 Responder Professional

36 REcon

37 REcon
Records the entire lifecycle of a software program, from first instruction to the last. It records data samples at every step, including arguments to functions and pointers to objects.
Offline physical memory analysis: rebuilding Windows without Windows. All physical to virtual address translations.

38 Advanced Discussion: How HBGary maintains DDNA with Threat Intelligence

39 Partnership Feed Agreements
(Diagram components: Intelligence Feed, Partnership Feed Agreements, Feed Processor, Machine Farm, Meta Data Sources, Digital DNA.)

40 From raw data to intelligence
(Diagram components: Malware Analysis, Feed Processor, Responder, Active Defense, Data Integration, Meta Data, Link Analysis, Stalker primary, Digital DNA, Palantir, Stats.)

41 Ops path
Malware Attack Tracking (Mr. A): detect relevant attacks in progress. Determine the scope of the attack. Focus is placed on botnet / web / spam distribution systems, potentially targeted spear/whale phishing, internal network infections at customer sites.
Digital DNA™ (Mr. B): development idioms are fingerprinted. Malware is classified into attribution domains. Special attention is placed on specialized attacks, targeted attacks, newly emergent methods.
Active Threat Tracking (Mr. C): determine the person(s) operating the attack, and their intent: leasing botnet / spam, financial fraud, identity theft, pump and dump, targeted threat & documents theft, intellectual property theft, deeper penetration.

42 Malware sequenced every 24 hours

43 Over 5,000 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome”

44 Country of Origin
Is the bot designed for use by a certain nationality?
Geolocation of IP is NOT a strong indicator. However, there are notable examples: is the IP in a network that is very unlikely to have a third-party proxy installed? For example, it lies within a government installation.
(Map: C&C map from Shadowserver, C&C for a 24 hour period.)

45 C&C server source code
Written in PHP. Specific “Hello” response (note: can be queried from remote to fingerprint server). Clearly written in Russian. In many cases, the authors make no attempt to hide…. You can purchase many kits and just read the source code…

46 A GIF file included in a C&C server package.

47 GhostNet: Screen Capture Algorithm
Loops, scanning every 50th line (cY) of the display. Reads screenshot data, creates a special DIFF buffer.
LOOP: compare new screenshot to previous, 4 bytes at a time. If they differ, enter a secondary loop here, writing a ‘data run’ for as long as there is no match.
Data run layout: offset in screenshot, len in bytes, data….
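The diff-buffer step described above, carried through as an added example (not GhostNet’s code) so an analyst can recognise and replay such runs during forensics. The 4-byte compare and the offset/len/data run layout come from the slide; the record field widths (little-endian uint32) and the rule that a run ends at the first matching word are assumptions, and the every-50th-line sampling is not modelled.

```python
import struct
# Added example, not GhostNet's code: the screen-diff encoding the slide
# describes. Assumptions not stated on the slide: a run ends at the first
# matching 4-byte word, and each run record is little-endian uint32 offset,
# uint32 length, then the data bytes.
WORD = 4
HDR = struct.Struct("<II")

def diff_runs(prev: bytes, new: bytes) -> list:
    """Compare 4 bytes at a time; on a mismatch collect a data run until
    the words match again. Returns [(offset, data), ...]."""
    if len(prev) != len(new) or len(new) % WORD:
        raise ValueError("frames must be equal length and word aligned")
    runs, i = [], 0
    while i < len(new):
        if prev[i:i + WORD] == new[i:i + WORD]:
            i += WORD
            continue
        start = i
        while i < len(new) and prev[i:i + WORD] != new[i:i + WORD]:
            i += WORD
        runs.append((start, new[start:i]))
    return runs

def encode(runs: list) -> bytes:
    """Serialise runs as offset, length, data records."""
    return b"".join(HDR.pack(off, len(d)) + d for off, d in runs)

def decode(buf: bytes) -> list:
    """Parse a diff buffer back into runs, rejecting truncated records."""
    runs, pos = [], 0
    while pos < len(buf):
        off, n = HDR.unpack_from(buf, pos)
        pos += HDR.size
        if pos + n > len(buf):
            raise ValueError("truncated data run")
        runs.append((off, buf[pos:pos + n]))
        pos += n
    return runs

def apply_runs(prev: bytes, runs: list) -> bytes:
    """Replay runs onto the previous frame to rebuild the new one."""
    frame = bytearray(prev)
    for off, d in runs:
        frame[off:off + len(d)] = d
    return bytes(frame)

# Constructed frames: 32 bytes (8 words) with two changed regions.
PREV = bytes(range(32))
NEW = apply_runs(PREV, [(4, b"AAAA"), (20, b"BBBBCCCC")])
```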

48 ‘SoySauce’ C&C Hello Message
this queries the uptime of the machine.. checks whether it's a laptop or desktop machine... enumerates all the drives attached to the system, including USB and network... gets the windows username and computername... gets the CPU info... and finally, the version and build number of windows.

49 Aurora C&C parser
Command is stored as a number, not text. It is checked here. Each individual command handler is clearly visible below the numerical check. After the command handler processes the command, the result is sent back to the C&C server.

50 Link Analysis
We want to find a connection here.
(Diagram components: C&C Fingerprint, Botmaster, URL artifact, Affiliate ID, Developer, Protocol Fingerprint, Endpoints, Developer C&C products.)

51 Example: Link Analysis with Palantir™
Implant → forensic toolmark specific to the implant → searching the ’Net reveals source code that leads to the actor → the actor is supplying a backdoor → a group of people asking for technical support on their copies of the backdoor.

52 Questions?
