1. Enterprise Botnet Detection and Mitigation System DHS Phase II SBIR Contract
QUESTION: By a show of hands, how many of you believe that your networks and computers are compromised to some degree or another?
Ok… great… Well if you’re running microsoft office, adobe acrobat, ie or firefox you’re prob right.
My name is xxx
At hbgary we believe that all computers can and will be compromised its just a matter of time…

2. Agenda NABC (need, approach, benefits, competition)
Technical Accomplishments
Milestones, Deliverables, and Schedule
Recent Public Relations
Technology Transition Plan
Quad Chart

3. The Need “Today’s malware is morphing far too rapidly
for the current detection methods to succeed”
“If our healthcare industry
was run like the malicious code detection industry,
then most of us would be dead today”
The malware detection has not kept up with the state of the art… the biggest problem facing enterprises today is…
I cannot detect the malware in my network

4. The Need (cont.) Targeted Attacks -PDFs, Docs, XLSs, PPTs
Drive-by Downloads
-Legitimate web sites compromised
-Exploit kits
DIY Malware kits
Zeus/Zbot
The malware detection has not kept up with the state of the art… the biggest problem facing enterprises today is…
I cannot detect the malware in my network

5. Malware is Unstoppable!
The Need – Recent Attacks Unstoppable
Drive-by Downloads – Legitimate websites
Malware is Unstoppable!

6. “Build a Better Mousetrap”
The Approach
“Build a Better Mousetrap”

7. Multiple Funding Sources
For HBGary’s Work
DHS SBIR Phase II Contract
Two AFRL SBIR Phase II Contracts
HBGary IRAD
e.g., Digital DNA
Instead of discussing only the work performed on the DHS Phase II SBIR contract, we have chosen to focus on the approach of HBGary’s commercial products which were funded from multiple sources. There were two other SBIR contracts with AFRL where we focused on reverse engineering tools. We are particularly product of a ground breaking technology called Digital DNA which was funded entirely through HBGary IRAD funds.

8. Physical Memory Forensics
HBGary DDNA Approach
Digital DNA
(Behavioral Analysis)
Engineering
Reverse
Code
Physical Memory Forensics
GOALS: Gain the lowest level of diagnostic visibility in order to detect malware and malicious behaviors
To obtain our goals we combined the latest advances in Memory Forensics & Reverse Engineering technology. The result was Digital DNA.

9. Approach – HBGary Digital DNA
New Approach to Detecting Zero Day Malware
Detects Malware regardless of how it was packed
Diagnose and Report on Code behaviors
Programming techniques are classified with clear descriptions
“Reverse Engineering for Dummies”
Identify variants across the Enterprise

10. Ranking Software Modules by Threat Severity Software Behavioral Traits
Approach - Digital DNA
Ranking Software Modules by Threat Severity
0B 8A C2 05 0F F B ED C D
8A C2
0F 51
0F 64
Software Behavioral Traits

11. Physical Memory Forensics
Benefits of Approach
Digital DNA
(Behavioral Analysis)
Engineering
Reverse
Code
Physical Memory Forensics
1. This is the lowest level of visibility into a running computer system without using hardware
2. Our approach combines the latest advances in Memory Forensics & Reverse Engineering technology.

12. Competition
Competition is starting to appear in the marketplace with similar point
Mandiant
Volatility
Other freeware

13. Technical Accomplishments
Two Shipping Enterprise Products
Two more released soon
Responder 2.0 Released in 2010
Recon – Malware Sandbox released
Improvements to Digital DNA
Fuzzy Hashing
Security Genomes
White-listing

14. Technical Accomplishments – Commercial Products
Enterprise Digital DNA – McAfee ePO, Guidance Software, Verdasys
Enterprise Malware/Rootkit Detection & Reporting
Distributed Physical Memory Analysis with Digital DNA
Responder Professional – workstation software for one analyst
Comprehensive physical memory and malware investigation platform
Host Intrusion Detection & Incident Response
Live Windows Forensics & Automated Malware Analysis

16. Fuzzy Search

17. Technical Accomplishments – Responder 2.0
Improved malware detection
Digital DNA fuzzy hashing
Windows 7 memory analysis
Sandbox integration
Remote memory acquisition

18. Technical Accomplishments – Responder 2.0 (cont.)

19. Technical Accomplishments – REcon
New runtime analysis system
Observe binary behaviors
Forces processes to “stick” in memory
Analyze “droppers”
Used with Responder
Developed with HBGary IR&D private funds
outside of the SBIR contract

20. Technical Accomplishments – REcon (cont.)

21. Milestones HBGary Responder™ 2.0 McAfee ePO Integration
Released February 2010
McAfee ePO Integration
45,000 nodes sold
Encase Enterprise Integration
Released January 2010
REcon Behavioral Analysis
Released June 2009

22. Recent Public Relations
HBGary Operation Aurora Report
Dark Reading Article – March 8, 2010

23. Technology Transition Plan
Continue to sell HBGary Responder as a workstation product
Continue to go to market with enterprise products
Integrate with new technology partners
Sell direct and through partners
Develop threat monitoring center

24. Quad Chart Contractor Name: HBGary, Inc. Date: March 10, 2010
SBIR H-SB
Title: Enterprise Botnet Detection and Mitigation
Operational Capabilities:
Host agents deployed throughout the enterprise
Achieve enterprise scalability with hierarchical concentrators
Remotely configurable agent operation
Centralized, hierarchical, automated reasoners
Actionable information for computer incident response teams
Low Total Cost of Ownership:
Lightweight host agents deployable as command line utility
Provide host visibility remotely across the enterprise
Distributed reasoning with centralized control
Performance Targets:
Deploy first enterprise pilot installations for at least 500 nodes
Detect previously undetected bots and botnets
Proposed Technical Approach:
Automated physical memory analysis
Collect vast amount of evidence from physical memory
Organize evidence into a structured user interface
Start with workstation product and expand to enterprise solution
Reason over evidence using Bayesian Network models
Automated bot and malware analysis
Leverage enterprise technologies of large strategic partners
Status:
Had alpha workstation software before start of Phase II contract
Released workstation product, HBGary Responder, April 2008
Excellent marketplace acceptance with growing customer base
Enterprise ePO deployment scheduled for Q1 2010
Schedule and Cost:
Year 1 Development
Year 2 Development
Year 2 Deployment
Total:
Team: HBGary, SAIC
Contact:
Deliverables:
Software Code, User Manuals, Empirical Test Data, Reports, and Solution Demonstration
Phil Wallisch
Sr. Security Engineer
x115
HBGary, Inc.
3941 Park Drive, Suite
El Dorado Hills, CA 95762

25. Dramatically Improve Host Security with:
Conclusion
Dramatically Improve Host Security with:
Memory Forensics can detect malicious code that nothing else can…
Not only for Incident Response
Should be used during Security Assessments
Today Malware Analysis should be brought in house
It can help you… minimize costs and impact.
Rapidly Identify the “Scope of Breach”
Mitigate the threat before you have a anti-virus signature
Minimize & Manage Enterprise Risk

26. Questions?
Thank you very much