Presentation is loading. Please wait.

Presentation is loading. Please wait.

Air Force Research Labs Dept Homeland Security (HSARPA)

Similar presentations


Presentation on theme: "Air Force Research Labs Dept Homeland Security (HSARPA)"— Presentation transcript:

1 Improve Enterprise Security with Memory Forensics, Malware Analysis & Digital DNA

2 Air Force Research Labs Dept Homeland Security (HSARPA)
HBGary Background Founded in 2003 Government R&D Solutions: Enterprise Host Intrusion Detection Live Windows Memory Forensics & Incident Response Malicious Code Detection Automated Reverse Engineering R&D Funding Air Force Research Labs Next Generation Software Reverse Engineering Tools Kernel Virtual Machine Host Analyzer Virtual Machine Debugger Dept Homeland Security (HSARPA) Botnet Detection and Mitigation H/W Assisted System Security Monitor Subcontractor to AFCO Systems Development

3 The Problem - Cybercrime
Hacking Embezzlement Intellectual property theft Espionage Child Exploitation Etc…

4 # of New Malware Every Day!

5 Top 3 AV companies don’t detect 80% of new malware
Anti-virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware 5

6 Cybercrime Evolution Cybercrime Authors have evolved over the last 30 years Continued improvement and innovation Capitalistic Shadow Economy - Competition Malware Authors Professional Software Development Lifecycle model Professional Quality Assurance Product doesn’t ship until code is undetected by latest Antivirus products

7 Bad Guys use Memory Tricks
Memory injection attacks never touch the disk Public and commercial hacker tools have used these techniques for over 4+ years Metasploit Framework (meterpreter) Canvas Core Impact No good detection mechanism without memory preservation and offline analysis Remember: you cannot trust the operating system!

8 Drive-by Download – Legitimate website

9 White-listing on disk doesn’t prevent malware from being in memory
Internet Browsers PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White-listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Process is trusted??

10 HBGary Solution Live Memory (RAM) Forensics

11 Why Live Memory Forensics?
Today it’s Easy! Mission-critical systems % availability Anti-forensic techniques used by bad guys Hax0rs Cyber spies Cybercriminals Valuable info in RAM cannot be found on disk Passwords, encryption keys Network packets, screen shots Private chat sessions, unencrypted data, unsaved documents, etc.

12 Why Live Memory Forensics?
Detect Malware that Anti-Virus cannot Detect Malware that Host Based IDS/IPS cannot Verify the “Run-Time” state of the system

13 Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

14 Why Memory Analysis is Unique
Better Detection Traditional Forensics & Security Software

15 Demo 1 Preserve Memory & Memory Forensic Analysis

16 Collect & Preserve Memory
HBGary Fastdump Pro Collect and Preserve ALL memory Collect and Preserve Pagefile too… Runs on All Windows Operating Systems Win 2000 – Win 2008 Server 32 and 64 Bit Larger than 4 GB of RAM We’ve imaged up to 64 GB of RAM

17 A suspicious file… Anti-Virus doesn’t Detect it! Now what?

18 Perform Malware Analysis
This looks suspicious! Understand Malware: Create Signatures Bolster defenses Attribution Computer Network Defense (CND) Identify a binary’s capabilities Recover Command and Control functions Recover passwords and encryption keys View decrypted packets and files Computer Forensics

19 Why Perform Malware Analysis? I have Anti-Virus….
Goes beyond anti-virus applications… Detection and remediation based on signatures for malware is out dated Answer the following questions: What happened? What is being stolen? How did it happen? How do we clean it up? When did the infection occur? Possibly Who is behind it?

20 Demo 2 Rapid Malware Analysis “Suspicious DLL”

21 HBGary Core Technology

22 Physical Memory Forensics
Core Technology Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics

23 Offline Physical Memory Analysis
The Core Technology Offline Physical Memory Analysis Rootkit Detection Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations This is The Advantage! Rebuilds underlying undocumented data structures Rebuilds running state of machine “exposes all objects ” Malware cannot hide itself actively

24 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Direct Kernel Object Manipulation Detection Hook Detection IDT/SSDT/Driver Chains These tricks expose themselves by interacting with OS Crossview Based Analysis

25 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations Code is Disassembled Integration with Flypaper & RECon Code is extracted from RAM Code Visualization

26 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Offline physical memory analysis: Rebuilding windows without windows All physical to virtual address translations ALL Memory is Scanned A Threat Score is provided for all code Code Behavior Identification White & Black List Code /Behaviors

27 The Core Technology Offline Physical Memory Analysis Rootkit Detection
Automated Malware Analysis Digital DNA Alerting & Reporting Reports can be sent to Enterprise Console Behavioral Analysis Scan and others Custom Reports in XML, RTF, PDF, other Alert on Suspicious Behaviors and coding tricks

28 Advantages of our approach
Forensic Quality Approach Analysis is 100% offline Like Crash Dump Analysis – No Code Running! Automated Reverse Engineering Engine Digital DNA™ detects zero-day threats 5+ years of reverse engineering technology AUTOMATED! No Reverse Engineering expertise required

29 Memory Forensics and Incident Response Products

30 Stand Alone Products 1 Analyst : 1 Machine
Responder Professional Comprehensive physical memory and malware investigation platform Host Intrusion Detection & Incident Response Live Windows Forensics Automated Malware Analysis Computer incident responders, malware analysts, security assessments Digital DNA Responder Field Edition Comprehensive Memory Investigation platform. Geared towards Law Enforcement and computer forensic investigators Basic Malware Analysis

31 HBGary Enterprise Malware Detection

32 Enterprise Products 1 Analyst : N machines
Enterprise Digital DNA – McAfee EPO Solution Enterprise Malware/Rootkit Detection & Reporting Distributed Physical Memory Analysis with Digital DNA Rapid Response Policy Lockdown Enterprise Responder – Guidance Software Encase Enterprise Solution Suspicious & Malicious Code Detection

33 Integration with McAfee ePO
Available Now! ePO Agents (Endpoints) Digital DNA Module Server SQL HBGary Server Module ePO Console Responder Workstation Schedule Events HBGary Portal WPMA = Windows Physical Memory Analysis

34 Digital DNA™ for Enterprise Malware Detection, Diagnosis and Response

35 Design Goals of Digital DNA
Rapidly predict and identify: Malicious behaviors inside of running applications in memory and the pagefile Identify DNA (traits) of the malware There are 2500 traits currently Grouped into six behavioral categories

36 Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA Ranking Software Modules by Threat Severity 0B 8A C2 05 0F F B ED C D 8A C2 0F 51 0F 64 Software Behavioral Traits

37 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait? 04 0F 51 B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains Boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database

38 How Digital DNA goes beyond MD5 Checksums
In memory, once executing, a file is represented in a new way that cannot be easily be back referenced to a file checksum Digital DNA™ does not change, even if the underlying file does Digital DNA is calculated from what the software DOES (it’s behavior), not how it was compiled or packaged

39 In memory, traditional checksums don’t work
DISK FILE IN MEMORY IMAGE 100% dynamic Copied in full Copied in part OS Loader In memory, traditional checksums don’t work MD5 Checksum is not consistent Digital DNA remains consistent MD5 Checksum reliable

40 Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader MD5 Checksums all different Digital DNA remains consistent

41 Digital DNA defeats packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers Starting Malware Packed Malware Digital DNA remains consistent

42 Digital DNA detects toolkits
IN MEMORY IMAGE OS Loader Digital DNA detects toolkits Malware Tookit Different Malware Authors Using Same Toolkit Toolkit DNA Detected Packed

43 Digital DNA Screenshot

44

45 Fuzzy Search

46 5,000 Malware is sequenced every 24 hours

47 Over 2,500 Traits are categorized into Factor, Group, and Subgroup.
This is our “Genome” We expect to have 10,000 Traits by end of year

48 Demo 3 Memory Forensic Analysis “Conficker.C in Memory”

49 Client Testimonials

50 Client Testimonial 1 of the Largest Pharmaceutical Co’s
Under attack every day Uses Enterprise Anti Virus Sends malware to vendor Waits for signature 1-8 hours - Uses Responder Pro – Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data

51 Client Testimonial 2 1 of the largest Entertainment Co’s
Under attack every day & Uses Enterprise Anti Virus When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures. Once the machine is determined clean by the AntiVirus software, they use our technology to verify the machine is no longer infected… Findings: about 50% of machines are still infected…

52 Conclusion Improve Enterprise Security Posture With
Memory Forensics & Malware Analysis Memory Forensics can detect malicious code that nothing else can… Memory Forensics is not only for Incident Response Memory Forensics can be used during Security Assessments too Malware Analysis should be brought in house Malware Analysis can help you… minimize costs and impact. identify the “Scope of Breach” mitigate the threat before you have a anti-virus signature

53 Questions? Thank you very much


Download ppt "Air Force Research Labs Dept Homeland Security (HSARPA)"

Similar presentations


Ads by Google