Download presentation
Presentation is loading. Please wait.
1
Actionable Intelligence
How to Detect Malware Using Digital DNA for McAfee ePO Detect Malware Diagnose it Respond with Actionable Intelligence Quick Start Flip Book v1.0
2
Getting Started with Digital DNA
HBGary Digital DNA is a revolutionary capability for malicious code detection that goes beyond current solutions to identify and report advanced malicious code in Random Access Memory. The system is extremely powerful, flexible and effective out of the box but should be fine tuned in order to maximize the efficiency and success of your DDNA deployment. Digital DNA is a learning system that will continually get smarter over time as HBGary continues to populate new malware traits and build out the Global Threat Genome. This guide is written to help you become an effective analyst of Digital DNA to defend your enterprise against malicious code. In order to detect malicious code in the enterprise as rapidly as possible HBGary recommends you adopt the following best practices. Detecting malware with DDNA traits. When you first look at the DDNA Traits list consider the following: High scoring are at the top of the list in Red. Do I recognize the names of the associated process name and module? What behaviors are reported by DDNA – are they suspicious? Filter Out the Noise DDNA CONFIGURATION BEST PRACTICES Start by filtering all machines that have a score of 40 and higher - Then filter for all machines that have a score of 20 and higher and “unknown process names” Create White Lists to Identify “Known” Code in RAM Knowing the DDNA of each authorized process, driver, and module on your systems will enhance zero day malware detection. Work with your HBGary Team to create White Lists specific to your environment and baseline machine builds. This should be done as soon as possible. During implementation or before. A White list should be created for all “gold builds” your organization supports. This includes servers and workstations. The White List includes DDNA scores for all system executables and applications installed inside the image. This includes all processes, drivers, DLL’s, etc. The White List defines what traits should be present on a particular system based on the installed applications and operating system binaries. A Digital DNA score will be generated for all trusted applications, modules, and drivers. In practice, look for scores above 40.0 colored in RED. Scores colored in ORANGE are most often** not suspicious and BLUE are not considered suspicious.
3
Getting Started with Digital DNA
What If I Don’t Have DDNA Whitelists? No Whitelist? No problem, DDNA still provides tremendous value. If you don’t have a current DDNA white list for your environment you can best prepare your organization to respond to an to identify malware rapidly by following these simple rules. Have available a list of ALL supported and installed applications and programs authorized by your organization. This list is used to cross reference with process, modules, and driver names with DDNA data to deduce known, unknown The Digital DNA database includes an HBGary provided whitelist for common Microsoft Operating system programs and system files. Keep in mind this list is not all inclusive*. Detecting malware with DDNA traits. When you first look at the DDNA Traits list consider the following: High scoring are at the top of the list in Red. Do I recognize the names of the associated process name and module? What behaviors are reported by DDNA – are they suspicious? Filter Out the Noise Start by filtering all machines that have a score of 40 and higher - Then filter for all machines that have a score of 20 and higher and “unknown process names” Fine Tuning DDNA Is A Process In practice, look for scores above 40.0 colored in RED. Scores colored in ORANGE are most often** not suspicious and BLUE are not considered suspicious. Digital DNA is about mapping code behaviors and knowing all executable code running on machines in your enterprise. You should always strive to “know” all processes, modules and drivers running on your workstations and servers by name and DDNA. All “unknown” processes, drivers and modules should be investigated and proven to be 1 of 3 options. Trusted and “Known Good” Known Bad - malware Unknown – “guilty until proven innocent” Getting Started continues on next page… Digital DNA Report Tab
4
Getting Started - Network View
Global View of Your Network – Report Tab To Start, log in to the ePO console and browse to the HBGary Digital DNA Tab under the Reporting section. The Report Tab provides a Global View of HBGary DDNA nodes that are installed and have reported DDNA scanning results to the ePO database. In the graphic above we have 7 machines in RED that are High Risk and 8 machines that are Low Risk. The Pie Chart highlights the breakdown of machines found to be High Risk, Med Risk, Low Risk and No Risk. Below the Pie Chart is a list of all machines by Name, last scan time and Score. Machines in RED are considered High Risk and score 40 and higher. Getting Started continues on next page…
5
Getting Started - Approach
Best Practices for Scanning 10,000’s of Machines for Malicious Code – To effectively scan physical memory across 10,000’s of machines HBGary recommends an approach in order to limit data over load. There are potentially millions of processes, drivers, and modules in an enterprise network on all workstations and servers. The goal is to remove 99% of the noise and focus on signal which is usually malware. Try to develop a systematic repeatable process that can be used effectively and efficiently on a regular basis. White Listing your standard system images will make this process much easier. In practice, look for scores above 40.0 colored in RED. Scores colored in ORANGE are most often** not suspicious and BLUE are not considered suspicious. Getting Started continues on next page…
6
Getting Started with Digital DNA
Filtering Process – Start with 40 and Higher Start by analyzing all nodes that have a score of 40 and higher (RED) Keep in mind: Some malware can score lower than 40! Some legitimate programs can score higher than 40! Until your DDNA system is tuned you will need to follow this recursive process to bless all code on the computers in your network. Then filter through the machines that have a score of 30 and higher and 20 and higher. Continue through this process until you can verify the integrity of every process, driver and module on all machines by name and DDNA score. In practice, look for scores above 40.0 colored in RED. Scores colored in ORANGE are most often** not suspicious and BLUE are not considered suspicious. Getting Started continues on next page…
7
How to Interpret Digital DNA Results?
Detect Is it Malicious Code? How to Interpret Digital DNA Results? The score of a host is the score of the highest weighted process or module in memory Digital DNA traits and sequences are weighted and scored. The higher the score, the more likely the program is malware or has malware-like capabilities. Review Highest Scoring Items First In practice, look for scores above 40.0 colored in RED. Scores colored in ORANGE are most often** not suspicious and BLUE are not considered suspicious. Detecting malware with DDNA traits. When you first look at the DDNA Traits list consider the following: High scoring are at the top of the list in Red. Do I recognize the names of the associated process name and module? What behaviors are reported by DDNA – are they suspicious? Next Step: Identify Suspicious Behavior with Traits Goal: Is it Malware or not?
8
Detect Identify Suspicious Behaviors of software with DDNA Traits
What To Look For? The Highest Scoring Processes and Modules combined with: Process names you recognize or not recognize Processes by name that are not authorized by policy Process that have known malicious traits Be aware that malware can score below 40 Example – A process not using all of its capabilities at once might score low or a piece of malware performing a staged execution or installation Detecting Malware Rapidly With Traits Digital DNA contains a few behavioral traits that when found either alone or combined are very strong indicators of malware . These traits should be considered “evil and malicious” until you can prove otherwise that they are considered “approved or authorized” by your policy. Known Bad Malware Traits Packing like UPX, aspack, & Themida IRC Protocol Changing Memory Permissions Changing security permissions Searching for security software Screen Shot Capture Audio Capture SSDT Hooks IDT Hooks Detour Patching Attaching to TCP Stack Next Step: Nature of the Threat…
9
The Nature of the Threat?
Detect The Nature of the Threat? The DDNA traits listed below are common to specific types of malware. Usually a single trait by itself does not indicate malware (see exceptions on previous slide). It is usually a combination of traits acting together that indicate malicious capability. Example - If the program ‘Solitaire.exe’ is capturing keystrokes, injecting dll, and connecting to the internet, it is behaving in an non-standard manner, and should be considered malware and analyzed in more depth. Example - A Program like Skype contains many traits common to malware like packing and IRC functionality. Keyloggers Rootkits Intercepting keystrokes Look for multiple DDNA traits for Keystroke logging Walking list of open windows Reading memory from other processes Writing to temp file Rootkit or Hidden Driver Network driver is accessing file system System call table hooks Installs as a service Attaches to internal IP stack Attempts to act as administrator Injecting into other processes Botnets Bank Info Stealers Communicate to IRC server Supports IRC protocols Support a proxy server Backdoor may be supported Appears to use encryption Currency Watching Intercepting keystrokes Install itself as explorer extension
10
Intellectual Property Theft Other Key Malware Traits
Detect The Nature of the Threat? Identity Theft Intellectual Property Theft Reading memory from other processes Backdoor may be supported Appears to use encryption Acts a backup program to read files Attempts to act as administrator Is deleting files Is Searching files Backdoor may be supported Appears to use encryption Acts a backup program to read files Attempts to act as administrator Reading memory from other processes Other Key Malware Traits Walking list of open windows Reading memory from other processes Manipulates other processes May load a dll into svchost.exe Can kill other processes Modifying access control list Uses registry to survive reboot Creates a service walking list of open windows Uses shell startup directory Monitor video screen What Next? Diagnose Suspected Malware Send To McAfee for Signature Acquire Memory from suspected hosts “Freeze the Crime Scene”… What Next? Download LiveBin Send To McAfee for Signature Acquire Memory from suspected hosts
11
Get A Copy of The Malware - “LiveBin” Importing into Responder
Diagnose You Found Something Suspicious…. How to Analyze the Binary to Gain Real Intelligence… Get A Copy of The Malware - “LiveBin” Livebins can be thought of as a “live binary” that has been extracted from memory. Livebins are non-executable and eliminate the risk of accidental infection for the analyst. You must obtain a Livebin to perform malware analysis and gather critical intelligence to remediate the threat. To obtain the LiveBin of a suspected process, click the ‘Request LiveBin ‘link of the suspect process. Once the livebin has been retrieved by ePO, the ‘Retrieve LiveBin’ link will change to ‘Download Livebin’ and be ready for downloading and importing into Responder. Importing into Responder Once the livebin has been downloaded, it can be analyzed in Responder Professional to obtain critical intelligence. You can view strings, functions, and visualize the code and other data within the suspicious binary. Be sure to run the Malware Assessment Plugin and review the automatically generated report. This 5 minute report can highlight key objectives rapidly but should not be considered a full malware analysis report. What Next? Machine is Compromised! Take Action – Mitigate the Threat with Intelligence Gathered from Responder Pro
12
Actionable Intelligence- What to Look For
Respond Actions to Take Actionable Intelligence- What to Look For IP Addresses or DNS Names - Block or Monitor for use File Paths or Filenames – Search hosts for “intrusion footprints” Web URL’s with filenames – Monitor and Block Usage Unpacked strings and functions – Add these to IDS, IPS, Send to McAfee Current best practices dictate that you send recovered Livebin binaries to McAfee so they can develop a signature as quickly as possible. This facilitates updating endpoint protection for the enterprise as quickly as possible. Contact McAfee virus submission team for procedure for uploading suspected viruses. Send to HBGary Portal You can send binaries to HB Gary for further analysis by going to Create an Account Log In Go ‘My Analysis Jobs Zip the binary to be submitted Click ‘Add Job’ and upload zipped binary Multiple jobs can be uploaded at a time, up to 50, by including them all in a single zip file What Next? Search for other compromised hosts
13
Step 1. Obtain DDNA Sequences of Malware
Respond How to Search the Enterprise For Other Compromised Hosts DDNA sequences can be used to search the enterprise for all compromised hosts with the same malware or variants. Step 1. Obtain DDNA Sequences of Malware DDNA Sequences can be obtained by clicking the link ‘View Sequence’ of the suspected process or module. This allows you to right-click and copy the sequence to the clipboard for pasting into the search window below. Step 2. Search for DDNA Sequence Matches, Process or Module Name and % of Match To search, once the DDNA is copied, Open the ‘Filter’ from the Systems window and paste the DDNA sequence into the DDNA text box and hit Apply. The Threshold Box allows you to search for a % of match to a sequence to identify malware variants too. Searches can also be performed by module or process name. What to Look For Review hosts with DDNA matches Search running process list for additional suspected module, possibly with different names. What Next? Download LiveBin to examine memory Send To McAfee for Signature Acquire Memory from suspected hosts
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.