CYBER INTELLIGENCE & RESPONSE TECHNOLOGY

Digital Investigations of Any Kind
ONE COMPANY
Cyber Intelligence Response Technology (CIRT)
www.accessdata.com
Who we are...
• AccessData has been in this industry for over 25 years
• Offices in Utah, Houston, San Francisco, London, Virginia, Maryland, Frankfurt, Dubai, Australia and China
• Market leader / best-of-breed technologies in Forensics and eDiscovery
• 130,000+ Clients Globally
• Train over 6000 customers each year
• Sustained annual growth year after year of between 60% - 80%
• Gartner recognized as an Innovator in the space
AccessData Product & Services
A Shift from Disparate Solutions
Traditional Approach: Point solutions do not provide a true “360-degree” look at what is happening.
Paradigm Shift: Integrated Analysis in a Single Platform with Built-in Remediation.
[Diagram: Network Forensics, Host-based Forensics, Volatile Data, Removable Media Audit, Data Audit, Malicious Code Analysis / Threat Scoring]
Security / Process Functions shown in the threat-scoring view: High Entropy; Dynamic Loading; Imports Process Manipulation Functions; Imports Security Functions
CIRT Platform – Built on Validated Technology
[Diagram: Network Forensics, Host Based Forensics, Data Audit, Volatile Data]
CIRT – The Value of Integrated Analysis

CLASSIFIED DATA SPILLAGE: Agency proactively audits using terms such as “eyes only” and “top secret”. All instances are flagged for removal in accordance with federal agency policies.

VIRTUAL WORKFORCE: Laptop checks in at intervals to be scanned for anomalies, which are all recorded, including network and USB activity. Remote monitoring helps to identify any instance of IP theft.

INTRUSION ALERT: Unauthorized port 443 traffic. Visualize communications, drill down into the suspect host. Perform behavioral forensic analysis. Honeypot avoidance, crypto, dynamic loading, high entropy and other criteria indicate malware. The batch remediation function is leveraged.

CREDIT CARD INFORMATION REPORTED: The help desk is called, alerting them that an employee discovered credit card information in an unsecured location. The company reactively conducts a PCI audit to locate exposed cardholder information. Instances are wiped. Findings are reported.

ADVANCED MALWARE AND ZERO DAY DETECTION: Proactive monitoring identifies malicious code behaviors across multiple computers. Perform differential analysis of volatile data, then malware analysis / threat scoring. Analysis reveals malicious processes. Scan the large enterprise for the defined processes and/or similar behavior and issue batch remediation. Monitor for recurrence.

[Diagram center: Integrated Platform]
Multi-Team Collaboration for Improved Emergency Response
[Diagram: Incident Response Team at the center, linked to the Computer Forensics Team, Information Security Team, Network Security Team and Compliance Team]
Key capabilities of the agent core

• Acts independently on/off network
• Has its own scheduler and local policy cache
• Agent can be installed as persistent or self-dissolving after x number of days
• There is a run-time version of the agent that allows full capability without the need to actually install the agent (this mode does not allow for persistent/scheduled functions)
• Has a protected storage area to securely store the payload until it can communicate back to the site server
The agent is made up of the following modules
• Core: Responsible for managing communication, policy / job execution, defensive measures, delivering the payload, and updating itself
• NetFS: Provides the filtering, searching, collection, and preservation capabilities (the same technology in the agent is what supports the network share capability)
• Cerberus: The ability to identify malware (with no prior knowledge) based on search/filter criteria on a running system or network shares across the enterprise. For example, a job could be defined to Stage 1 Cerberus score all executables on a given set of systems. Any files that have a high threat score will be automatically sent to Stage 2 Cerberus analysis. There are options to choose whether the files are preserved or just the metadata.
• Volatile: Users can set up jobs to scan the enterprise, capture volatile data and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the volatile data payload. Volatile data includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, Registry, and Users
• RAM: Users can set up jobs to scan the network and analyze RAM along with volatile data, or just RAM analysis, and interact with the data in review. The RAM data includes pre-built facets and the ability to view details for all of the RAM analysis. RAM analysis includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network, Devices, Processors, and Registry.
• RMM (removable media module): Enables the targeted monitoring of files coming from and going to removable media (USB/FireWire/CD/DVD), with job options to record just metadata, or metadata and payload for documents based on user-defined extensions. Results can be viewed, filtered and searched in the new review interface with the support of pre-made filter facets to quickly identify documents/files coming from or going to removable media.
• SilentRunner: Advanced host-based packet capture with robust filtering capabilities
• Remediation: Allows for the killing of processes and wiping of files
CIRT – SilentRunner Agent Module
Key Capabilities
  Define operating parameters for the agent collector:
   o on/off
   o filter based on these IP addresses
   o filter based on these ports, protocols or applications
   o filter based on these IP addresses <to-from> these ports/protocols
   o define how much data can be collected
   o define whether it stops collecting once it hits the maximum collection size
   o define whether it just keeps an open rolling buffer
  These settings would be applied as a policy / operating parameters:
   o specify beginning and end for application of the policy
   o adhere to a schedule
  The pcap payload would be securely stored on the agent
  The agent will store and forward for ingestion into the centralized SilentRunner system for integrated and correlated analysis
Intro to Cerberus

• CIRT is the first step towards automated reverse engineering, so you can triage a binary before sending it for further analysis
• We tally all of the attributes we think are “interesting” into a score that you can sort by
• For each binary, you can then drill down into that score to see the attributes that we found that were similar to malicious binaries we’ve seen in the past
What is Cerberus?
Cerberus reduces the level of expertise required to do malware analysis. Ideal for first responders.

STATIC ANALYSIS / DATA FLOW ANALYSIS YIELDS SIMILAR RESULTS AS DYNAMIC ANALYSIS

STAGE ONE: Generic File/Metadata Analysis
    • Identifies potentially malicious code, generates threat score.
STAGE TWO: Disassembly Analysis
    • Runs elements of the code without running the actual executable, to find out what the binary is capable of.
WORKS AGAINST…
    • Binaries that live on disk or network share
    • System Memory – unpacked binaries

Mythology Trivia: Cerberus guards the gates of the underworld to prevent those who have crossed into Hades from escaping. In other words… he prevents bad things from breaking free.
Cerberus Analysis Approach
 Cerberus uses a different approach than other products on the market because it doesn’t rely on:

 • Dynamic Analysis: often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
 • Traditional Heuristics, such as the monitoring of modifications to the registry and the insertion of hooks into certain library or system interfaces, are not based on the fundamental characteristics of malware.
     • High false positive / false negative rates.
 • Signature-based / byte string analysis: cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.

 NOTE: We are not relying on whitelists or signatures. We are able to assess behavior and identify intent without the above methodologies.
What Does Cerberus Do?

STAGE ONE ANALYSIS
Executable Binary Analysis:
• Product Name
• Product Version
• Company Name, etc.
• Functions included in the Import Table
      • Network
      • Process
      • Security
      • Registry
• Dynamic Loading, etc.
• Does the binary have high entropy (obfuscated)?
• Does the binary have signatures of:
      • Internet Relay Chat (“IRC”)
      • Shellcode
      • Cryptography (“Crypto”)
• Does the binary contain strings associated with autoruns?
• Digital Signature Verification

STAGE TWO ANALYSIS
Basic Disassembly Analysis:
• Integrated disassembly engine
• If using network functionality, potentially what host it is communicating with and over what protocol(s)
• If using network functionality, can it bypass proxy servers?
• For functions that require usernames and/or passwords, does the executable contain static strings indicating insider or advanced knowledge?
Advanced Disassembly Analysis:
• Automated unpacking
• Automated code and data flow analysis
• More advanced Functionality Interpretation
      • IP addresses and Domain Names Used
      • Debugger and Sandbox avoidance
      • Command and Control Functionality
      • Hooking Techniques
      • Arbitrary Code Execution
      • Host Forensic Artifacts
            • Registry Settings
            • Temp Files
            • Configuration Files
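The Stage One idea from the two Cerberus slides above (tally the “interesting” static attributes of a binary into a sortable score, then drill down into which attributes contributed), as an added example in Python; this is not Cerberus or AccessData code. It assumes an unpacked binary whose import names appear as plain strings, so a substring search stands in for parsing the PE import directory, and the indicator lists, weights and sample blobs are constructed for illustration.

```python
"""Stage One style triage: score a binary's static attributes and keep the
per-attribute evidence so an analyst can drill down into the score.

Constructed example. Indicator names and weights are illustrative, not
Cerberus' own catalogue or scoring values.
"""
import math
from collections import Counter

# category -> (weight, import names that place a binary in that category).
# Weight is counted once per category, mirroring "attributes tallied into a score".
IMPORT_GROUPS = {
    "Network": (2, [b"InternetOpenA", b"InternetConnectA", b"HttpSendRequestA", b"WSAStartup"]),
    "Process": (3, [b"OpenProcess", b"WriteProcessMemory", b"CreateRemoteThread", b"VirtualAllocEx"]),
    "Security": (3, [b"OpenProcessToken", b"AdjustTokenPrivileges", b"LookupPrivilegeValueA"]),
    "Registry": (1, [b"RegSetValueExA", b"RegCreateKeyExA", b"RegOpenKeyExA"]),
    "DynamicLoading": (2, [b"LoadLibraryA", b"GetProcAddress"]),
}
# Strings associated with autorun locations (single backslash in the bytes).
AUTORUN_STRINGS = (2, [b"CurrentVersion\\Run", b"CurrentVersion\\RunOnce",
                       b"Winlogon\\Shell", b"Start Menu\\Programs\\Startup"])
ENTROPY_THRESHOLD = 7.0  # bits per byte; packed or encrypted data approaches 8.0
ENTROPY_WEIGHT = 4


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def stage_one_score(data: bytes) -> dict:
    """Return {"score", "entropy", "attributes"}; each attribute records the
    category, the weight it contributed and the evidence (the drill-down view)."""
    attributes, score = [], 0
    ent = shannon_entropy(data)
    if ent >= ENTROPY_THRESHOLD:  # "Does the binary have high entropy (obfuscated)?"
        attributes.append({"category": "HighEntropy", "weight": ENTROPY_WEIGHT,
                           "evidence": [f"{ent:.2f} bits/byte"]})
        score += ENTROPY_WEIGHT
    for category, (weight, names) in IMPORT_GROUPS.items():  # import-table functions
        hits = [name.decode() for name in names if name in data]
        if hits:
            attributes.append({"category": category, "weight": weight, "evidence": hits})
            score += weight
    weight, patterns = AUTORUN_STRINGS
    hits = [p.decode() for p in patterns if p in data]
    if hits:
        attributes.append({"category": "Autorun", "weight": weight, "evidence": hits})
        score += weight
    return {"score": score, "entropy": round(ent, 3), "attributes": attributes}


def triage(samples: dict) -> list:
    """Score every sample and return (name, result) pairs, highest score first,
    which is the sort-by-score view a first responder would start from."""
    scored = ((name, stage_one_score(blob)) for name, blob in samples.items())
    return sorted(scored, key=lambda item: item[1]["score"], reverse=True)


def build_samples() -> dict:
    """Constructed stand-ins for binaries (not real executables)."""
    benign = (b"MZ" + b"\x00" * 64
              + b"KERNEL32.dll\x00CreateFileA\x00ReadFile\x00WriteFile\x00"
              + b"Product Name: Notepad Clone\x00" + b"\x00" * 200)
    suspect = (b"MZ" + b"\x00" * 64
               + b"WININET.dll\x00InternetOpenA\x00InternetConnectA\x00HttpSendRequestA\x00"
               + b"KERNEL32.dll\x00OpenProcess\x00WriteProcessMemory\x00CreateRemoteThread\x00"
               + b"LoadLibraryA\x00GetProcAddress\x00"
               + b"ADVAPI32.dll\x00OpenProcessToken\x00AdjustTokenPrivileges\x00RegSetValueExA\x00"
               + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    packed = b"MZ" + bytes(range(256)) * 8  # near-uniform bytes: entropy close to 8.0
    return {"notepad_clone.exe": benign, "updater.exe": suspect, "packed_stub.exe": packed}


if __name__ == "__main__":
    for name, result in triage(build_samples()):
        print(f"{name:20} score={result['score']:2} entropy={result['entropy']}")
        for attr in result["attributes"]:
            print(f"    +{attr['weight']} {attr['category']}: {', '.join(attr['evidence'])}")
```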
CIRT – Cerberus Threat Analysis Report
Stage 1 Cerberus Analysis
Stage 1 Cerberus Analysis Continued
Has File Access Functions
Has Process Manipulation
Has Networking Functions
Arguments for InternetConnectA
Show me in Real-Time…
Show me more…
Perform Interactive Review of Web Content
So what?!

 • This info will give you insight you’ve never had before, in seconds!
 • Your reverse engineering team will love you because you’ll finally know what causes you concern other than “it looked weird”
 • If you’re a reverse engineer, this will save you a ton of time!
CIRT – Removable Media Module

Key Capabilities
  Supports data copied to or from removable media
    o Data copied from a computer with the agent
    o Data copied from removable media to a machine with the agent
  Configurable parameters of what gets captured on the agent, such as:
    o Files with a given set of extensions
    o Ability to turn it on/off
    o Ability for it to turn on/off between a date range
    o Capture metadata only
    o Capture the entire file
    o Capture metadata for all files but preserve files based on given filter criteria
    o Ability to trigger capture based on a filename
    o Ability to trigger capture based on file metadata (extension/filename)
  Ability to have triggers
    o Does not track anything unless the file meets the filter criteria
  Ability to BLOCK any copy/paste operation to removable media
  Ability to track files opened from USB/removable media on the host computer
  Ability to view and analyze files that were captured as part of interactive review

Administrative Capabilities
  The operator has a way to define parameters, apply policy/operating rules to the agent(s) and check status
  Ability to view activity in the form of reports: by user, by source, by date range
  The metadata captured will be accessible to a 3rd-party application (such as ArcSight) that can query the tables containing this information:
    o Node name
    o Name and extension of files copied to removable media
    o Date/time a given item was copied to/from removable media
  Preserved data will be temporarily stored on the host machine in protected storage until it is picked up for processing/reporting
  Ability to specify the maximum amount of storage that could be used
    o Ability to specify what happens when the secure storage runs out of space: open buffer, or keep what it has and stop tracking
Perform Interactive Review of Removable Media
Perform Interactive Review of Volatile Data
CIRT – Architecture
[Diagram: Web Console; Application/Web Logging DB (MS SQL); Private Site Server; Public Site Server; SilentRunner (DB/Processing); Nodes with Proxy Agent; Agents (Workstations/Laptops/Servers); Network Shares (non-agent data sources)]
Thank You!

Jason Mical
Director of Network Forensics
AccessData Group

Más contenido relacionado

La actualidad más candente

eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teaser
eForensicsMag
 
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution   Product And Deployment OverviewGtb Dlp &amp; Irm Solution   Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
gtbsalesindia
 
Intrusion Detection Techniques for Mobile Wireless Networks
Intrusion Detection Techniques for Mobile Wireless NetworksIntrusion Detection Techniques for Mobile Wireless Networks
Intrusion Detection Techniques for Mobile Wireless Networks
guest1b5f71
 
GTB DLP Suite Presentation
GTB DLP Suite PresentationGTB DLP Suite Presentation
GTB DLP Suite Presentation
gtbsalesindia
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
Yury Chemerkin
 
Testingfor Sw Security
Testingfor Sw SecurityTestingfor Sw Security
Testingfor Sw Security
ankitmehta21
 
Secure Decisions - Cyber Security Sensemaking
Secure Decisions - Cyber Security SensemakingSecure Decisions - Cyber Security Sensemaking
Secure Decisions - Cyber Security Sensemaking
Anita D'Amico
 

La actualidad más candente (20)

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
eForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teasereForensics Free Magazine 01.12. teaser
eForensics Free Magazine 01.12. teaser
 
ServicePilot NBA for z/OS Datasheet [EN]
ServicePilot NBA for z/OS Datasheet [EN]ServicePilot NBA for z/OS Datasheet [EN]
ServicePilot NBA for z/OS Datasheet [EN]
 
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
Gtb Dlp &amp; Irm Solution   Product And Deployment OverviewGtb Dlp &amp; Irm Solution   Product And Deployment Overview
Gtb Dlp &amp; Irm Solution Product And Deployment Overview
 
Intrusion Detection Techniques for Mobile Wireless Networks
Intrusion Detection Techniques for Mobile Wireless NetworksIntrusion Detection Techniques for Mobile Wireless Networks
Intrusion Detection Techniques for Mobile Wireless Networks
 
GTB DLP Suite Presentation
GTB DLP Suite PresentationGTB DLP Suite Presentation
GTB DLP Suite Presentation
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
RSA Anatomy of an Attack
RSA Anatomy of an AttackRSA Anatomy of an Attack
RSA Anatomy of an Attack
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFADYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
IDS (intrusion detection system)
IDS (intrusion detection system)IDS (intrusion detection system)
IDS (intrusion detection system)
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
 
Testingfor Sw Security
Testingfor Sw SecurityTestingfor Sw Security
Testingfor Sw Security
 
Symantec Web Security Solutions
Symantec Web Security SolutionsSymantec Web Security Solutions
Symantec Web Security Solutions
 
Confidentiality policies UNIT 2 (CSS)
Confidentiality policies UNIT 2 (CSS)Confidentiality policies UNIT 2 (CSS)
Confidentiality policies UNIT 2 (CSS)
 
Secure Decisions - Cyber Security Sensemaking
Secure Decisions - Cyber Security SensemakingSecure Decisions - Cyber Security Sensemaking
Secure Decisions - Cyber Security Sensemaking
 
Efficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion DetectionEfficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion Detection
 
Netflow analyzer- Datasheet
Netflow analyzer- DatasheetNetflow analyzer- Datasheet
Netflow analyzer- Datasheet
 
IPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000EIPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000E
 

Similar a CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY

Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk Scoring
Q1 Labs
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
Andris Soroka
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
Andrew Wong
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
Tyler Shields
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
Invincea, Inc.
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
Symantec
 

Similar a CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY (20)

2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk Scoring
 
NIC2012 - System Center Endpoint Protection 2012
NIC2012 - System Center Endpoint Protection 2012NIC2012 - System Center Endpoint Protection 2012
NIC2012 - System Center Endpoint Protection 2012
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdf
 
HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010HTLV - DSS @Vilnius 2010
HTLV - DSS @Vilnius 2010
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
encase enterprise
 encase enterprise  encase enterprise
encase enterprise
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016
 
iScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task ForceiScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task Force
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 

CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY

  • 1. Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT) www.accessdata.com
  • 2. Who we are.. • AccessData has been in this industry for over 25 years • Offices in Utah, Houston, San Francisco, London, Virginia, Maryland, Frankfurt, Dubai, Australia and China • Market leader/ Best of breed technologies in Forensics and eDiscovery • 130,000+ Clients Globally • Train over 6000 customers each year • Sustained annual growth year after year of between 60% - 80% • Gartner recognized as an Innovator in the space
  • 4. A Shift from Disparate Solutions Traditional Approach: Paradigm Shift: Point solutions do not provide a true Integrated Analysis in Single Platform “360-degree” look at what is with Built-in Remediation happening. Network Forensics Host-based Forensics Volatile Data Removable Media Audit Data Audit Malicious Code Analysis / Threat Scoring Security / Process Functions High Entropy Dynamic Loading Imports Process Manipulation Functions Imports Security Functions
  • 5. CIRT Platform – Built on Validated Technology Network Forensics Host Based Forensics Data Audit Volatile Data
  • 6. CIRT – The Value of Integrated Analysis CLASSIFIED DATA SPILLAGE VIRTUAL WORKFORCE INTRUSION ALERT Agency proactively audits using laptop checks in at intervals to be Unauthorized port 443 traffic. Visualize scanned for anomalies which are communications, drill down into suspect terms, such as “eyes only” and host. Perform behavioral forensic analysis. “top secret”. All instances all recorded, including network Honeypot avoidance, crypto, dynamic flagged for removal in and USB activity. Remote loading, high entropy and other criteria accordance with federal agency monitoring helps to identify any indicate malware. policies. instance of IP theft. Batch remediation function is leveraged. ADVANCED MALWARE CREDIT CARD AND ZERO DAY DETECTION INFORMATION REPORTED Proactive monitoring the identification Help desk is called alerting them of malicious codes behaviors from that employee discovered credit multiple computers. Perform card information on an unsecure differential analysis of volatile location. Company reactively data, perform malware analysis/ threat conducts PCI audit to locate scoring. Analysis reveals malicious exposed credit card holder info. processes. Scan large enterprise for Instances are wiped. Findings defined processes and/or similar are reported. behavior and issue batch remediation. Integrated Platform Monitor for recurrence.
  • 7. Multi-Team Collaboration for Improved Emergency Response Incident Response Team Computer Information Forensics Security Team Team Network Compliance Security Team Team
  • 8. Key capabilities of the agent core • Acts independently on/off network • Has it’s own scheduler and local policy cache • Agent can be installed as persistent or self-dissolving after x number of days • There is a run time version of the agent that allows full capability without the need to actually install the agent. (this mode does not allow for persistent/ scheduled functions) • Has protected storage area securely store payload until it can communicate back to site server.
  • 9. The agent is made up of the following modules
    • Core: Responsible for managing communication, policy/job execution, defensive measures, delivering payload, and updating itself
    • NetFS: Provides the filtering, searching, collection, and preservation capabilities (the same technology in the agent is what supports the network share capability)
    • Cerberus: The ability to identify malware (with no prior knowledge) based off of search/filter criteria on a running system or network shares across the enterprise. For example, a job could be defined to Stage 1 Cerberus score all exe files on a given set of systems. Any files that have a high threat score will be automatically sent to the Stage 2 Cerberus analysis. There are options to choose whether the files are preserved or just the metadata.
    • Volatile: Users can now set up jobs to scan the enterprise and capture volatile data and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the volatile data payload. Volatile data includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, registry, and users
    • RAM: Users can now set up jobs to scan the network and analyze RAM along with volatile data, or just RAM analysis, and interact with the data in review. The data includes pre-built facets and the ability to view details for all of the RAM analysis. RAM analysis includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, Processors, and registry.
    • RMM (removable media module): Enables the targeted monitoring of files coming from and going to removable media (USB/Firewire/CD/DVD), with job options to record just metadata or metadata and payload for documents based off of user-defined extensions. Results can be viewed, filtered and searched in the new review interface with the support of pre-made filter facets to quickly identify documents/files coming from or going to removable media.
    • SilentRunner: Advanced host-based packet capture with robust filtering capabilities
    • Remediation: Allows for the killing of processes and wiping of files
  • 10. CIRT – SilentRunner Agent Module Key Capabilities
    Define operating parameters for the agent collector:
    o on/off
    o filter based off of these IP addresses
    o filter based off of these ports or protocols or applications
    o filter based off of these IP addresses <to-from> these ports/protocols
    o define how much data can be collected
    o define if it stops collecting once it hits max collection
    o define if it just has an open rolling buffer
    These settings would be applied as a policy/operating parameters:
    o Specify beginning and end for application of the policy
    o Adhere to a schedule
    The pcap payload would be securely stored on the agent. The agent will store and forward for ingestion into the centralized SilentRunner system for integrated and correlated analysis.
  • 11. Intro to Cerberus
    • CIRT is the first step towards automated reverse engineering, so you can triage a binary before sending it for further analysis
    • We tally all of the attributes we think are “interesting” into a score that you can sort by
    • For each binary, you can then drill down into that score to see the attributes we found that were similar to malicious binaries we’ve seen in the past
  • 12. What is Cerberus?
    Cerberus reduces the level of expertise required to do malware analysis. Ideal for first responders.
    STATIC ANALYSIS / DATA FLOW ANALYSIS YIELDS SIMILAR RESULTS AS DYNAMIC ANALYSIS
    STAGE ONE: Generic File/Metadata Analysis
    • Identifies potentially malicious code, generates threat score.
    STAGE TWO: Disassembly Analysis
    • Runs elements of the code, without running the actual executable, to find out what the binary is capable of.
    WORKS AGAINST…
    • Binaries that live on disk or network share
    • System Memory – unpacked binaries
    Mythology Trivia: Cerberus guards the gates of the underworld to prevent those who have crossed into Hades from escaping. In other words… he prevents bad things from breaking free.
  • 13. Cerberus Analysis Approach
    Cerberus uses a different approach than other products on the market because it doesn’t rely on:
    • Dynamic analysis: often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
    • Traditional heuristics, such as the monitoring of modifications to the registry and the insertion of hooks into certain library or system interfaces, are not based on the fundamental characteristics of malware.
    • High false positive / false negative rates.
    • Signature-based / byte string analysis: cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
    NOTE: We are not relying on whitelists or signatures. We are able to assess behavior and identify intent without the above methodologies.
  • 14. What Does Cerberus Do?
    STAGE ONE ANALYSIS – Executable Binary Analysis:
    • Product Name
    • Product Version
    • Company Name, etc.
    • Functions included in the Import Table
      • Network
      • Process
      • Security
      • Registry
      • Dynamic Loading, etc.
    • Does the binary have high entropy (obfuscated)?
    • Does the binary have signatures of:
      • Internet Relay Chat (“IRC”)
      • Shellcode
      • Cryptography (“Crypto”)
    • Does the binary contain strings associated with autoruns?
    • Digital Signature Verification
    STAGE TWO ANALYSIS – Basic Disassembly Analysis:
    • Integrated disassembly engine
    • If using network functionality, potentially what host it is communicating with and over what protocol(s)
    • If using network functionality, can it bypass proxy servers?
    • For functions that require usernames and/or passwords, does the executable contain a static string indicating insider or advanced knowledge?
    STAGE TWO ANALYSIS – Advanced Disassembly Analysis:
    • Automated unpacking
    • Automated code and data flow analysis
    • More advanced functionality interpretation
      • IP addresses and Domain Names used
      • Debugger and Sandbox avoidance
      • Command and Control functionality
      • Hooking techniques
      • Arbitrary code execution
    • Host Forensic Artifacts
      • Registry settings
      • Temp files
      • Configuration files
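The Stage One idea on these slides, tallying "interesting" static attributes into one sortable score and then drilling down to the attributes behind it, as an added Python example (not AccessData's or Cerberus's code). The weights, the API name sets, the 7.0 bits/byte entropy threshold and the sample sections are all made up for the demonstration.

```python
import math

# Constructed, hypothetical weights for the "interesting" static attributes the
# slides list; they illustrate the tally-and-drill-down idea, not Cerberus's table.
ATTRIBUTE_WEIGHTS = {
    "high_entropy": 25,                # packed or encrypted section
    "imports_process_functions": 15,   # process manipulation APIs
    "imports_security_functions": 15,  # token / privilege APIs
    "dynamic_loading": 10,             # resolves imports at run time
    "network_functions": 10,           # sockets / WinINet
    "autorun_strings": 15,             # persistence locations in the string table
    "unsigned": 10,                    # no valid digital signature
}
PROCESS_FUNCS = {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess"}
SECURITY_FUNCS = {"AdjustTokenPrivileges", "OpenProcessToken"}
DYNAMIC_FUNCS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
NETWORK_FUNCS = {"WSAStartup", "connect", "InternetOpenA", "send", "recv"}
AUTORUN_MARKERS = ("CurrentVersion\\Run", "\\Startup\\")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a section's raw bytes in bits per byte (8.0 = uniform)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def stage1_score(section: bytes, imports: set, strings: list, signed: bool):
    """Tally the attributes found into one score; return (score, hits) for drill-down."""
    hits = []
    if shannon_entropy(section) > 7.0:   # threshold chosen for the demo
        hits.append("high_entropy")
    if imports & PROCESS_FUNCS:
        hits.append("imports_process_functions")
    if imports & SECURITY_FUNCS:
        hits.append("imports_security_functions")
    if imports & DYNAMIC_FUNCS:
        hits.append("dynamic_loading")
    if imports & NETWORK_FUNCS:
        hits.append("network_functions")
    if any(m in s for s in strings for m in AUTORUN_MARKERS):
        hits.append("autorun_strings")
    if not signed:
        hits.append("unsigned")
    return sum(ATTRIBUTE_WEIGHTS[h] for h in hits), hits

# Constructed sample sections: a uniformly distributed (packed-looking) one and a plain one.
PACKED_SECTION = bytes(range(256)) * 16
PLAIN_SECTION = b"\x00" * 3000 + b"Hello, world!" * 50
```

Sorting a set of binaries by the returned score, then reading `hits` for the top entries, is the triage workflow the slides describe; a real tool would populate `imports` and `strings` from the PE import table and string extraction.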
  • 15. CIRT – Cerberus Threat Analysis Report
  • 16. Stage 1 Cerberus Analysis
  • 17. Stage 1 Cerberus Analysis Continued
  • 18. Has File Access Functions
  • 22. Show me in Real-Time…
  • 24. Perform Interactive Review of Web Content
  • 25. So what?!
    • This info will give you insight you’ve never had before, in seconds!
    • Your reverse engineering team will love you because you’ll finally know what causes you concern other than “it looked weird”
    • If you’re a reverse engineer, this will save you a ton of time!
  • 26. CIRT – Removable Media Module
    Key Capabilities
    • Supports data copied to or from removable media
      o Data copied from computer with agent
      o Data copied from removable media to machine with agent
    • Configurable parameters of what gets captured on the agent, such as:
      o Files with a given set of extensions
      o Ability to turn it on/off
      o Ability for it to turn on/off between a date range
      o Capture metadata only
      o Capture the entire file
      o Capture metadata for all files but preserve files based off of a given filter criteria
      o Ability to trigger capture based off a filename
      o Ability to trigger capture based off of file metadata (extension/filename)
    • Ability to have triggers
      o Does not track anything unless the file meets filter criteria
    • Ability to BLOCK any copy/paste operation to removable media
    • Ability to track files opened from a USB/removable media on the host computer
    • Ability to view and analyze files that were captured as part of interactive review
    Administrative Capabilities
    • The operator has a way to define parameters and apply policy/operating rules to the agent(s) and check status
    • Ability to view activity in the form of reports
       By user
       By source
       By date range
    • The metadata captured will be accessible to a 3rd party application that can query for the tables that contain this information, such as ArcSight
      o Node name
      o Name and extension of files copied to removable media
      o Date/time a given item was copied to/from removable media
    • Preserved data will be temporarily stored on the host machine in protected storage until it is picked up for processing/reporting
    • Ability to specify the maximum amount of storage that could be used
      o Ability to specify what happens when the secure storage runs out of space
         Open buffer
         Keep what it has and stop tracking
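The RMM policy options on this slide (extension filter, on/off date range, metadata-only versus payload preservation, a storage cap with either an open rolling buffer or keep-and-stop) as an added Python model of how an agent would apply them to copy events; this is example code, not AccessData's agent, and the policy field names, event shape and action labels are invented here.

```python
import os
from collections import deque, namedtuple
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical policy modelled on the RMM options the slide lists; the field names
# are made up for this example and are not AccessData's configuration schema.
@dataclass
class RmmPolicy:
    enabled: bool = True
    active_from: datetime = datetime.min          # on/off between a date range
    active_to: datetime = datetime.max
    preserve_extensions: frozenset = frozenset({".docx", ".xlsx", ".pdf"})
    metadata_for_all: bool = True                 # metadata for every file, payload by filter
    max_storage: int = 1_000_000                  # bytes of protected storage on the host
    on_full: str = "open_buffer"                  # or "stop": keep what it has, stop tracking

# One file copy seen by the agent: direction is "to_media" or "from_media".
CopyEvent = namedtuple("CopyEvent", "node path direction when size")

@dataclass
class AgentStore:
    used: int = 0
    stopped: bool = False
    metadata: list = field(default_factory=list)        # rows a SIEM could query
    payload: deque = field(default_factory=deque)       # (path, size), oldest first

def handle_copy(policy: RmmPolicy, store: AgentStore, ev: CopyEvent) -> str:
    """Apply the policy to one copy event and report the action taken."""
    active = policy.active_from <= ev.when <= policy.active_to
    if not policy.enabled or store.stopped or not active:
        return "ignored"
    ext = os.path.splitext(ev.path)[1].lower()
    matched = ext in policy.preserve_extensions
    if not matched and not policy.metadata_for_all:
        return "ignored"                                # does not track unless filter matches
    store.metadata.append({"node": ev.node, "file": os.path.basename(ev.path), "ext": ext,
                           "direction": ev.direction, "time": ev.when.isoformat()})
    if not matched or ev.size > policy.max_storage:
        return "metadata"
    if store.used + ev.size > policy.max_storage:
        if policy.on_full == "stop":
            store.stopped = True                        # keep what it has, stop tracking
            return "metadata_then_stopped"
        while store.used + ev.size > policy.max_storage:
            _, old_size = store.payload.popleft()       # open rolling buffer: evict oldest
            store.used -= old_size
    store.payload.append((ev.path, ev.size))
    store.used += ev.size
    return "preserved"
```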
  • 27. Perform Interactive Review of Removable Media
  • 28. Perform Interactive Review of Removable Media
  • 29. Perform Interactive Review of Volatile Data
  • 30. CIRT – Architecture
    • Nodes with Agents (Workstations/Laptops/Servers)
    • Proxy Agent
    • Network Shares (non-agent data sources)
    • Public Site Server
    • Private Site Server (two shown)
    • SilentRunner (DB/Processing)
    • Application/Web Server and Web Console
    • Logging DB (MS SQL)
  • 31. Thank You! Jason Mical, Director of Network Forensics, AccessData Group

Editor's notes

  1. Founded 1987; Privately funded/owned; Headquartered in Utah, US; London Office (training); Frankfurt; Dubai; Market leader/Best of breed forensic technologies; Best known for Forensic Toolkit® (FTK™); 130,000+ Clients Globally; Train more than 6,000 individuals annually; Sustained annual growth 60% - 80% YOY; Gartner – Innovator in the space
  2. Agent based policy and job engine. Once a week, tell me what files have been added or removed. Every day, tell me about processes that are running against a baseline.
  3. Application Server: Manages workflow and eDiscovery operations within the application (orchestration services, business services, work distribution services)
     Web Server: Provides web services for users to drive workflow/eDiscovery operations within the application. Also hosts the website for Data Modeling (first pass review)
     Collection Worker(s): The service that does the actual search and forensic-level collection from data sources (structured/unstructured/semi-structured), designed to scale up and out
     Proxy Worker: Manages collection from proxyable assets
     Processing Worker: The service that performs the post-collection processing of data: expands archives (PSTs/NSF), indexes, de-duplication analysis, file identification, secondary culling/filtering, and production (scales up and will soon scale out)
     Processing Database: Database that facilitates secondary culling/filtering, data modeling, searching, de-duplication and production (scales up)
     Orchestration and Logging Database: Database that tracks all eDiscovery matters, workflows and operations
     Agent: Service that runs on target nodes providing secure forensic-level access and preservation of ESI
     SilentRunner: Network Forensic Capture and Analysis Engine