Presentation is loading. Please wait.

Presentation is loading. Please wait.

ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise

Published byElisabeth Hamilton Modified over 6 years ago

Similar presentations

Presentation on theme: "ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise"— Presentation transcript:

1 ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise
USING HBGARY’S ACTIVE DEFENSE

2 IR Challenges Disk imaging does not scale
Network indicators can be masked by RFC-Compliant protocols Targeted attacks affect a large user base, not necessarily a sample of high-profile systems

3 Security Efficacy Curve
Efficacy is rising DDNA Detecting more than not (> 50%) ZERO KNOWLEDGE DETECTION RATE Detecting very little Signatures And scaling issue getting worse

4 HBGary’s Approach Focus on malicious behavior, not signatures
There are only so many ways to do something bad on a Windows machine Bad guys don’t write 50,000 new malware every morning Their techniques, algorithms, and protocols stay the same, day in day out Once executing in physical memory, the software is just software Physmem is the best information source available

5 The Answer! HBGary detects bad guys using a smallish genome of behaviors – and this means zero-day and APT – no signatures required Perform distributed and simultaneous physmem analysis across thousands of systems Back this with very low level & sophisticated deep-dive capability for attribution and forensics work

6 Active Defense Detect Advanced Malware & Persistent Threat
No prior knowledge of the threat required Powered by Digital DNA™ Obtain actionable intelligence Registry keys & files URL’s used for communication Actionable = make your existing investment more effective - Detect & block at the network perimeter IDS signatures, egress firewalls - Clean machines of infection Ideal: No re-image costs

7 The Power of Action Using Responder + REcon, HBGary was able to trace
Aurora malware and obtain actionable intel in about 5 minutes. This intel was then used to create an inoculation shot, downloaded over 10,000 times over a few days time. To automatically attempt a clean operation: ******************************************* InoculateAurora.exe -range clean

8 Active Defense Detection of unknown threats
Obtain actionable intelligence Update IDS and egress, detect & block Clean machines Remission Monitoring Use regkeys and files is possible to Clean infection without re-image Use URL’s, IP’s, and protocol strings

9 A different team of humans
Large Govt. Customer Proventia IDS alerts Team of Humans alerts we care about Remote memory snapshots, DDNA, Responder A different team of humans IF infected=true Image box with EnCase Include malware data in report Update Proventia IDS

10 Large Energy Company (I)
WebSense Detected compromised VPN server alerts Query: “Find admin_epo interactive logins” Manual Log Analysis revealed compromised account RawVolume.File Where Path contains Documents and Settings\admin_epo Compromised account was admin_epo - Domain admin privs Look for a known file path that indicates account was used for an interactive logon Scan for interactive logons of the admin_epo account ~800 server machines 12 compromised servers detected, apprx 1 hour later

11 Large Energy Company (II)
Find indicators of compromise EnCase EnCase used to scan filesystems: Found suspicious DLL in temp directory Found Cain and Abel password sniffer 12 server machines Find indicators of compromise Active Defense Query: “Find logger.dll” Thousands of machines RawVolume.File Where BinaryData contains “logontype: %s” Query: “Find cain password sniffer” RawVolume.File Where Path equals %SYSTEMROOT%\system32\drivers\winpcap.sys Query: “Find logger.dll in memory” Physmem.Process Where BinaryData contains “logontype: %s” Found machines are re-imaged user account passwords were reset.

12 Intel Value Window Lifetime  Minutes Hours Days Weeks Months Years
Blacklists Digital DNA NIDS sans address Developer Toolmarks Signatures Algorithms Hooks Protocol Install DNS name IP Address Checksums

13 Active Defense Technical Discussion

14 Alert!

15 Hmm..

16 Active Defense Queries
What happened? What is being stolen? How did it happen? Who is behind it? How do I bolster network defenses?

17 Active Defense Queries

18 Active Defense Queries
QUERY: “detect use of password hash dumping” Physmem.BinaryData CONTAINS PATTERN “B[a-fA-F0-9]{32}:B[a-fA-F0-9]{32}“ QUERY: “detect deleted rootkit” (RawVolume.File.Name = “mssrv.sys“ OR RawVolume.File.Name = “acxts.sys“) AND RawVolume.File.Deleted = TRUE QUERY: “detect Chinese password stealer” LiveOS.Process.BinaryData CONTAINS PATTERN “LogonType: %s-%s“ QUERY: “detect malware infection san diego” LiveOS.Module.BinaryData CONTAINS PATTERN “.aspack“ OFFSET < 1024 OR RawVolume.File.BinaryData CONTAINS PATTERN “.aspack“ OFFSET < 1024 No NDA no Pattern…

19 Steal Credentials Outlook Password Generic stored passwords

20 All the file types that are exfiltrated
Steal Files All the file types that are exfiltrated

21 Drop-point is in Reston, VA in the AOL netblock

22 Enterprise Systems Digital DNA for McAfee ePO
Digital DNA for HBGary Active Defense Digital DNA for Guidance EnCase Enterprise Digital DNA for Verdasys Digital Guardian Traditional methods to analyze memory and malware are difficult. It requires expertise, is time consuming and expensive, and it doesn’t scale. 22

23 Digital DNA™ Technical Discussion

24 Digital DNA™ Performance
4 gigs per minute, thousands of patterns in parallel, NTFS raw disk, end node 2 gig memory, 5 minute scan, end node Hi/Med/Low throttle = 10,000 machine scan completes in < 1 hour

25 Under the hood These images show the volume of decompiled information produced by the DDNA engine. Both malware use stealth to hide on the system. To DDNA, they read like an open book.

26 White listing on disk doesn’t prevent malware from being in memory
Internet Document PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White listing on disk doesn’t prevent malware from being in memory MD5 Checksum is white listed Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code. White listed code does not mean secure code Process is trusted

27 Digital DNA defeats packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers Starting Malware As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Packed Malware Digital DNA remains consistent

28 Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Digital DNA remains consistent

29 The Future Vision Technical Discussion

30 Immune System Digital DNA™ Sweeps Threat Real-time protection
Indicators of Compromise Inoculation Sweep (scheduled) Inoculation Shot Behavior Blocking (antibody) Long-term protection (6-12 month lifecycle)

31 Managed Services Leave Active Defense appliances behind at the customer site Remotely manage the Appliance scan cycle Reoccurring revenue $$$$$$$$

Download ppt "ACTIVE DEFENSE Leveraging Threat Intelligence in the Enterprise"

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.

Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.

A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.

Chapter 10 Malicious software. Viruses and ” Malicious Programs Computer “ Viruses ” and related programs have the ability to replicate themselves on.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.

n Just as a human virus is passed from person from person, a computer virus is passed from computer to computer. n A virus can be attached to any file.
Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.

Rapid Detection & Incident Response What, Why and How March 2016 Ft Gordon.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

Similar presentations

Ads by Google