Download presentation
Presentation is loading. Please wait.
Published byBarnard Gilbert Modified over 6 years ago
1
Improve Enterprise Security with Memory Forensics, Malware Analysis & Digital DNA
2
Air Force Research Labs Dept Homeland Security (HSARPA)
HBGary Background Founded in 2003 Government R&D Solutions: Enterprise Host Intrusion Detection Live Windows Memory Forensics & Incident Response Malicious Code Detection Automated Reverse Engineering R&D Funding Air Force Research Labs Next Generation Software Reverse Engineering Tools Kernel Virtual Machine Host Analyzer Virtual Machine Debugger Dept Homeland Security (HSARPA) Botnet Detection and Mitigation H/W Assisted System Security Monitor Subcontractor to AFCO Systems Development
3
The Problem - Cybercrime
Hacking Embezzlement Intellectual property theft Espionage Child Exploitation Etc…
4
# of New Malware Every Day!
5
Top 3 AV companies don’t detect 80% of new malware
Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware 5
6
Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products
7
Bad Guys use Memory Tricks
Memory injection attacks never touch the disk Public and commercial hacker tools have used these techniques for over 4+ years Metasploit Framework (meterpreter) Canvas Core Impact No good detection mechanism without memory preservation and offline analysis Remember: you cannot trust the operating system!
8
Drive-by Download – Legitimate website
9
White-listing on disk doesn’t prevent malware from being in memory
Internet Browsers PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White-listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Process is trusted??
10
HBGary Solution Live Memory (RAM) Forensics
11
Why Live Memory Forensics?
Today it’s Easy! Mission-critical systems % availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable info in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.
12
Why Live Memory Forensics?
Detect Malware that Anti-Virus cannot Detect Malware that Host Based IDS/IPS cannot Verify the “Run-Time” state of the system
13
Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat
14
Why Memory Analysis is Unique
Better Detection Traditional Forensics & Security Software
15
Demo 1 Preserve Memory & Memory Forensic Analysis
16
Collect & Preserve Memory
HBGary Fastdump Pro Collect and Preserve ALL memory Collect and Preserve Pagefile too… Runs on All Windows Operating Systems Win 2000 – Win 2008 Server 32 and 64 Bit Larger than 4 GB of RAM We’ve imaged up to 64 GB of RAM
17
A suspicious file… Anti-Virus doesn’t Detect it! Now what?
18
Perform Malware Analysis
This looks suspicious! Understand Malware: Create Signatures Bolster defenses Attribution Computer Network Defense (CND) Identify a binary’s capabilities Recover Command and Control functions Recover passwords and encryption keys View decrypted packets and files Computer Forensics
19
Why Perform Malware Analysis? I have Anti-Virus….
Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is out dated Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?
20
Demo 2 Rapid Malware Analysis “Suspicious DLL”
21
HBGary Core Technology
22
Physical Memory Forensics
Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics
23
Offline Physical Memory Analysis
The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively
24
The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis
25
The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization
26
The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors
27
The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks
28
Advantages of our approach
Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required
29
Memory Forensics and Incident Response Products
30
Stand Alone Products 1 Analyst : 1 Machine
Responder Professional Comprehensive physical memory and malware investigation platform Host Intrusion Detection & Incident Response Live Windows Forensics Automated Malware Analysis Computer incident responders, malware analysts, security assessments Digital DNA Responder Field Edition Comprehensive Memory Investigation platform. Geared towards Law Enforcement and computer forensic investigators Basic Malware Analysis
31
HBGary Enterprise Malware Detection
32
Enterprise Products 1 Analyst : N machines
Enterprise Digital DNA – McAfee EPO Solution Enterprise Malware/Rootkit Detection & Reporting Distributed Physical Memory Analysis with Digital DNA Rapid Response Policy Lockdown Enterprise Responder – Guidance Software Encase Enterprise Solution Suspicious & Malicious Code Detection
33
Integration with McAfee ePO
Available Now! ePO Agents (Endpoints) Digital DNA Module Server SQL HBGary Server Module ePO Console Responder Workstation Schedule Events HBGary Portal WPMA = Windows Physical Memory Analysis
34
Digital DNA™ for Enterprise Malware Detection, Diagnosis and Response
35
Design Goals of Digital DNA
Rapidly predict and identify: Malicious behaviors inside of running applications in memory and the pagefile Identify DNA (traits) of the malware There are 2500 traits currently Grouped into six behavioral categories
36
Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA Ranking Software Modules by Threat Severity 0B 8A C2 05 0F F B ED C D 8A C2 0F 51 0F 64 Software Behavioral Traits
37
B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait? 04 0F 51 B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains Boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database
38
How Digital DNA goes beyond MD5 Checksums
In memory, once executing, a file is represented in a new way that cannot be easily be back referenced to a file checksum Digital DNA™ does not change, even if the underlying file does Digital DNA is calculated from what the software DOES (it’s behavior), not how it was compiled or packaged
39
In memory, traditional checksums don’t work
DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Digital DNA remains consistent MD5 Checksum reliable
40
Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Digital DNA remains consistent
41
Digital DNA defeats packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers Starting Malware Packed Malware Digital DNA remains consistent
42
Digital DNA detects toolkits
IN MEMORY IMAGE OS Loader Digital DNA detects toolkits Malware Tookit Different Malware Authors Using Same Toolkit Toolkit DNA Detected Packed
43
Digital DNA Screenshot
45
Fuzzy Search
46
5,000 Malware is sequenced every 24 hours
47
Over 2,500 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome” We expect to have 10,000 Traits by end of year
48
Demo 3 Memory Forensic Analysis “Conficker.C in Memory”
49
Client Testimonials
50
Client Testimonial 1 of the Largest Pharmaceutical Co’s
Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data
51
Client Testimonial 2 1 of the largest Entertainment Co’s
Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…
52
Conclusion Improve Enterprise Security Posture With
Memory Forensics & Malware Analysis Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Memory Forensics can be used during Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact. identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature
53
Questions? Thank you very much
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.