1. Digital Investigations of Any Kind
ONE COMPANY
Cyber Intelligence
Response Technology
(CIRT)
www.accessdata.com
2. Who we are
• AccessData has been in this industry for over 25 years
• Offices in Utah, Houston, San Francisco, London, Virginia, Maryland, Frankfurt, Dubai, Australia and China
• Market leader / best-of-breed technologies in Forensics and eDiscovery
• 130,000+ clients globally
• Trains over 6,000 customers each year
• Sustained annual growth, year after year, of between 60% and 80%
• Recognized by Gartner as an Innovator in the space
4. A Shift from Disparate Solutions
Traditional Approach: point solutions do not provide a true "360-degree" look at what is happening.
Paradigm Shift: integrated analysis in a single platform with built-in remediation.
[Diagram: Network Forensics, Host-based Forensics, Volatile Data, Removable Media Audit, Data Audit, and Malicious Code Analysis / Threat Scoring (Security / Process Functions, High Entropy, Dynamic Loading, Imports Process Manipulation Functions, Imports Security Functions) feeding the single platform]
5. CIRT Platform – Built on Validated Technology
[Diagram: Network Forensics, Host Based Forensics, Data Audit, Volatile Data]
6. CIRT – The Value of Integrated Analysis
CLASSIFIED DATA SPILLAGE: Agency proactively audits using terms such as "eyes only" and "top secret". All instances are flagged for removal in accordance with federal agency policies.
VIRTUAL WORKFORCE: Laptop checks in at intervals to be scanned for anomalies, which are all recorded, including network and USB activity. Remote monitoring helps to identify any instance of IP theft.
INTRUSION ALERT: Unauthorized port 443 traffic. Visualize communications, drill down into the suspect host, and perform behavioral forensic analysis. Honeypot avoidance, crypto, dynamic loading, high entropy and other criteria indicate malware. The batch remediation function is leveraged.
CREDIT CARD INFORMATION REPORTED: The help desk is called and alerted that an employee discovered credit card information in an unsecured location. The company reactively conducts a PCI audit to locate exposed cardholder information. Instances are wiped and findings are reported.
ADVANCED MALWARE AND ZERO DAY DETECTION: Proactive monitoring identifies malicious code behaviors on multiple computers. Perform differential analysis of volatile data, then malware analysis / threat scoring. Analysis reveals malicious processes. Scan the large enterprise for the defined processes and/or similar behavior and issue batch remediation. Monitor for recurrence.
[Diagram: the five scenarios arranged around the Integrated Platform]
7. Multi-Team Collaboration for Improved Emergency Response
[Diagram: teams sharing the platform]
• Incident Response Team
• Computer Forensics Team
• Information Security Team
• Network Security Team
• Compliance Team
8. Key capabilities of the agent core
• Acts independently on/off network
• Has its own scheduler and local policy cache
• Agent can be installed as persistent or self-dissolving after x number of days
• There is a run-time version of the agent that allows full capability without the need to actually install the agent (this mode does not allow for persistent/scheduled functions)
• Has a protected storage area to securely store the payload until it can communicate back to the site server
9. The agent is made up of the following modules
• Core: Responsible for managing communication, policy / job execution, defensive measures, delivering the payload, and updating itself
• NetFS: Provides the filtering, searching, collection, and preservation capabilities (the same technology in the agent is what supports the network share capability)
• Cerberus: The ability to identify malware (with no prior knowledge) based on search/filter criteria on running systems or network shares across the enterprise. For example, a job could be defined to Stage 1 Cerberus score all executables on a given set of systems. Any files that have a high threat score will be automatically sent to Stage 2 Cerberus analysis. There are options to choose whether the files are preserved or just the metadata.
• Volatile: Users can set up jobs to scan the enterprise and capture volatile data and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the volatile data payload. Volatile data includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, Registry, and Users.
• RAM: Users can set up jobs to scan the network and analyze RAM along with volatile data, or just RAM analysis, and interact with the data in review. The RAM analysis includes pre-built facets and the ability to view details for all of the RAM analysis. RAM analysis includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network, Devices, Processors, and Registry.
• RMM (removable media module): Enables the targeted monitoring of files coming from and going to removable media (USB/FireWire/CD/DVD), with job options to record just metadata, or metadata and payload for documents based on user-defined extensions. Results can be viewed, filtered and searched in the new review interface with the support of pre-made filter facets to quickly identify documents/files coming from or going to removable media.
• SilentRunner: Advanced host-based packet capture with robust filtering capabilities
• Remediation: Allows for the killing of processes and wiping of files
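The "differential analysis of volatile data" and "scan the enterprise for defined processes" steps described above and on slide 6, as an added example that is not AccessData code: it takes running-process snapshots from several hosts (constructed here), diffs each against a baseline, separates a baseline process name running from the wrong path and rare processes from a new-but-widespread one, and lists the hosts a batch remediation job would target. The Proc and Finding names, the threshold, and the snapshot contents are assumptions for illustration.

```python
"""Differential analysis of volatile data (running processes) against a baseline."""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Proc(NamedTuple):
    name: str
    path: str

    def key(self) -> Tuple[str, str]:
        # Windows image names and paths are case-insensitive.
        return (self.name.lower(), self.path.lower())


class Finding(NamedTuple):
    proc: Proc
    hosts: Tuple[str, ...]
    reason: str


# Constructed baseline: what a known-good host is expected to run.
BASELINE: Set[Proc] = {
    Proc("explorer.exe", r"C:\Windows\explorer.exe"),
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc("lsass.exe", r"C:\Windows\System32\lsass.exe"),
}

UPDATER = Proc("updater.exe", r"C:\Program Files\Vendor\updater.exe")
FAKE_SVCHOST = Proc("svchost.exe", r"C:\Users\Public\svchost.exe")


def _snapshot(extra: Iterable[Proc]) -> Set[Proc]:
    return set(BASELINE) | set(extra)


# Constructed enterprise sweep: five hosts, one legitimately new tool on all of
# them, and a baseline process name running from the wrong path on two of them.
SNAPSHOTS: Dict[str, Set[Proc]] = {
    "ws01": _snapshot([UPDATER, FAKE_SVCHOST]),
    "ws02": _snapshot([UPDATER, FAKE_SVCHOST]),
    "ws03": _snapshot([UPDATER]),
    "ws04": _snapshot([UPDATER]),
    "ws05": _snapshot([UPDATER]),
}


def differential(snapshots: Dict[str, Set[Proc]], baseline: Set[Proc],
                 rare_threshold: int = 2) -> List[Finding]:
    """Processes absent from the baseline, rarest first, with a reason per finding."""
    base_keys = {p.key() for p in baseline}
    base_names = {p.name.lower() for p in baseline}
    seen_on: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    by_key: Dict[Tuple[str, str], Proc] = {}
    for host, procs in sorted(snapshots.items()):
        for p in procs:
            if p.key() not in base_keys:
                seen_on[p.key()].append(host)
                by_key[p.key()] = p
    findings: List[Finding] = []
    for key, hosts in seen_on.items():
        proc = by_key[key]
        if proc.name.lower() in base_names:
            reason = "masquerade: baseline process name running from a non-baseline path"
        elif len(hosts) <= rare_threshold:
            reason = "rare: not in baseline and present on few hosts"
        else:
            reason = "widespread: not in baseline but present on most hosts"
        findings.append(Finding(proc, tuple(hosts), reason))
    # Low prevalence is the strongest signal in a fleet sweep, so sort by host count.
    findings.sort(key=lambda f: (len(f.hosts), f.proc.name.lower(), f.proc.path.lower()))
    return findings


def hosts_running(snapshots: Dict[str, Set[Proc]], proc: Proc) -> List[str]:
    """Enterprise sweep for a defined process: the target list for a batch remediation job."""
    wanted = proc.key()
    return sorted(h for h, procs in snapshots.items() if any(p.key() == wanted for p in procs))


if __name__ == "__main__":
    for f in differential(SNAPSHOTS, BASELINE):
        print(f"{f.proc.name:14} {f.proc.path:40} hosts={len(f.hosts)}  {f.reason}")
    print("remediate on:", hosts_running(SNAPSHOTS, FAKE_SVCHOST))
```

The name-collision check matters more than the raw prevalence count: a process named like a baseline service but running from a user-writable path is the case a signature-free sweep is meant to surface, and it would be hidden if the comparison were by name alone.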
10. CIRT – SilentRunner Agent Module
Key Capabilities
Define operating parameters for the agent collector:
o on/off
o filter based on these IP addresses
o filter based on these ports, protocols or applications
o filter based on these IP addresses <to/from> these ports/protocols
o define how much data can be collected
o define whether it stops collecting once it hits the maximum collection
o define whether it keeps an open rolling buffer
These settings would be applied as a policy / operating parameters:
o Specify beginning and end for application of the policy
o Adhere to a schedule
The pcap payload would be securely stored on the agent.
The agent will store and forward for ingestion into the centralized SilentRunner system for integrated and correlated analysis.
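The collector policy just listed, as an added example that is not AccessData's SilentRunner agent code: it models the operating parameters on the slide (on/off, IP address to/from port/protocol filters, a collection cap, stop-at-cap versus an open rolling buffer, and a start/end window) and applies them to constructed packet metadata, then hands the buffered packets over as a store-and-forward batch. The Packet, CapturePolicy and AgentCollector names and the sample traffic are assumptions for illustration.

```python
"""Agent-side packet capture policy with bounded store-and-forward storage."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Deque, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    sport: int
    dport: int
    size: int    # bytes on the wire, counted against the collection cap


@dataclass(frozen=True)
class CapturePolicy:
    enabled: bool = True
    hosts: FrozenSet[str] = frozenset()      # src or dst must be listed; empty = any
    ports: FrozenSet[int] = frozenset()      # sport or dport must be listed; empty = any
    protocols: FrozenSet[str] = frozenset()  # empty = any
    max_bytes: int = 1_000_000               # how much data can be collected locally
    rolling: bool = False                    # False: stop at the cap; True: open rolling buffer
    start: Optional[datetime] = None         # policy window; None = unbounded
    end: Optional[datetime] = None

    def in_window(self, ts: datetime) -> bool:
        return (self.start is None or ts >= self.start) and (self.end is None or ts < self.end)

    def matches(self, pkt: Packet) -> bool:
        """Every configured dimension must match (IP address to/from these ports/protocols)."""
        return (self.enabled
                and self.in_window(pkt.ts)
                and (not self.hosts or pkt.src in self.hosts or pkt.dst in self.hosts)
                and (not self.ports or pkt.sport in self.ports or pkt.dport in self.ports)
                and (not self.protocols or pkt.proto in self.protocols))


class AgentCollector:
    """Keeps matching packets in bounded local storage until the site server picks them up."""

    def __init__(self, policy: CapturePolicy) -> None:
        self.policy = policy
        self._buf: Deque[Packet] = deque()
        self.stored_bytes = 0
        self.dropped = 0       # packets discarded because of the cap
        self.stopped = False   # set once a stop-at-cap policy has filled its storage

    def offer(self, pkt: Packet) -> bool:
        """Return True if the packet was retained."""
        if self.stopped or not self.policy.matches(pkt):
            return False
        while self.stored_bytes + pkt.size > self.policy.max_bytes:
            if not self.policy.rolling or not self._buf:
                # Stop-at-cap, or a single packet larger than the whole cap: drop it.
                self.stopped = not self.policy.rolling
                self.dropped += 1
                return False
            oldest = self._buf.popleft()   # rolling buffer: evict the oldest capture
            self.stored_bytes -= oldest.size
            self.dropped += 1
        self._buf.append(pkt)
        self.stored_bytes += pkt.size
        return True

    def forward(self) -> List[Packet]:
        """Store-and-forward: hand buffered packets to the site server and free local storage."""
        out = list(self._buf)
        self._buf.clear()
        self.stored_bytes = 0
        self.stopped = False   # storage is free again, so a stopped collector resumes
        return out


def collect(policy: CapturePolicy, packets: List[Packet]) -> AgentCollector:
    agent = AgentCollector(policy)
    for p in packets:
        agent.offer(p)
    return agent


# Constructed sample: keep only TCP/443 to or from 10.0.0.5 during a one-hour
# window, with a 3000-byte cap. Addresses are documentation ranges.
T0 = datetime(2024, 1, 1, 12, 0, 0)
STOP_POLICY = CapturePolicy(hosts=frozenset({"10.0.0.5"}), ports=frozenset({443}),
                            protocols=frozenset({"tcp"}), max_bytes=3000,
                            start=T0, end=T0.replace(hour=13))
ROLLING_POLICY = replace(STOP_POLICY, rolling=True)
SAMPLE_PACKETS = [
    Packet(T0, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 1200),  # match
    Packet(T0, "10.0.0.9", "203.0.113.7", "tcp", 51001, 443, 1200),  # other host
    Packet(T0, "10.0.0.5", "203.0.113.7", "udp", 51002, 443, 1200),  # other protocol
    Packet(T0, "10.0.0.5", "203.0.113.7", "tcp", 51003, 80, 1200),   # other port
    Packet(T0, "203.0.113.7", "10.0.0.5", "tcp", 443, 51000, 1200),  # match, reply direction
    Packet(T0, "10.0.0.5", "203.0.113.7", "tcp", 51004, 443, 1200),  # match, but over the cap
    Packet(T0.replace(hour=14), "10.0.0.5", "203.0.113.7", "tcp", 51005, 443, 100),  # outside window
]

if __name__ == "__main__":
    for label, policy in (("stop-at-cap", STOP_POLICY), ("rolling", ROLLING_POLICY)):
        agent = collect(policy, SAMPLE_PACKETS)
        print(label, [p.sport for p in agent.forward()], "dropped:", agent.dropped)
```

The two cap modes keep different evidence: stop-at-cap preserves the first packets after the policy fired, a rolling buffer preserves the most recent ones, so an incident responder should choose the mode by which end of the conversation they expect to need.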
11. Intro to Cerberus
• CIRT is the first step towards automated reverse
engineering so you can triage a binary before
sending it for further analysis
• We tally all of the attributes we think are
“interesting” into a score that you can sort by
• For each binary, you can then drill down into that
score to see the attributes that we found that were
similar to malicious binaries we’ve seen in the past
12. What is Cerberus?
Cerberus reduces the level of expertise required to do malware analysis. Ideal for first responders.
STATIC ANALYSIS / DATA FLOW ANALYSIS YIELDS SIMILAR RESULTS AS DYNAMIC ANALYSIS
STAGE ONE: Generic File/Metadata Analysis
• Identifies potentially malicious code, generates a threat score.
STAGE TWO: Disassembly Analysis
• Runs elements of the code, without running the actual executable, to find out what the binary is capable of.
WORKS AGAINST…
• Binaries that live on disk or a network share
• System memory – unpacked binaries
Mythology Trivia: Cerberus guards the gates of the underworld to prevent those who have crossed into Hades from escaping. In other words… he prevents bad things from breaking free.
13. Cerberus Analysis Approach
Cerberus uses a different approach than other products on the market because it doesn't rely on:
• Dynamic analysis, which is often not reliable because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
• Traditional heuristics, such as monitoring modifications to the registry and the insertion of hooks into certain library or system interfaces, which are not based on the fundamental characteristics of malware and carry high false positive / false negative rates.
• Signature-based / byte string analysis, which cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
NOTE: We are not relying on whitelists or signatures. We are able to assess behavior and identify intent without the above methodologies.
14. What Does Cerberus Do?
STAGE ONE ANALYSIS
Executable Binary Analysis:
• Product Name
• Product Version
• Company Name, etc.
• Functions included in the Import Table
  • Network
  • Process
  • Security
  • Registry
  • Dynamic Loading, etc.
• Does the binary have high entropy (obfuscated)?
• Does the binary have signatures of:
  • Internet Relay Chat ("IRC")
  • Shellcode
  • Cryptography ("Crypto")
• Does the binary contain strings associated with autoruns?
• Digital Signature Verification
STAGE TWO ANALYSIS
Basic Disassembly Analysis:
• Integrated disassembly engine
• If using network functionality, potentially what host it is communicating with and over what protocol(s)
• If using network functionality, can it bypass proxy servers?
• For functions that require usernames and/or passwords, does the executable contain static strings indicating insider or advanced knowledge?
Advanced Disassembly Analysis:
• Automated unpacking
• Automated code and data flow analysis
• More advanced functionality interpretation
• IP addresses and domain names used
• Debugger and sandbox avoidance
• Command and control functionality
• Hooking techniques
• Arbitrary code execution
• Host forensic artifacts
  • Registry settings
  • Temp files
  • Configuration files
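The stage-one scoring idea from slides 11 and 14 (tally the "interesting" attributes into a sortable score, then drill down into the attributes behind it), as an added example that is not AccessData's Cerberus: it scores a file on high entropy, network / process / security / registry / dynamic-loading imports, and IRC, crypto and autorun strings, and returns the evidence for each attribute. The weights and the API/string catalogues are assumptions; imports are approximated by scanning for the ASCII names that a PE's import name table contains rather than by parsing PE headers; the two sample images are constructed, not real executables.

```python
"""Stage-one style static triage: tally "interesting" attributes into a threat score."""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

Attribute = Tuple[str, int, str]   # (name, weight, evidence)

# API families from the stage-one slide, with assumed weights.
IMPORT_FAMILIES: Dict[str, Tuple[Set[str], int]] = {
    "network":         ({"WSAStartup", "connect", "send", "recv", "InternetOpenA", "URLDownloadToFileA"}, 2),
    "process":         ({"CreateRemoteThread", "WriteProcessMemory", "OpenProcess", "VirtualAllocEx"}, 3),
    "security":        ({"AdjustTokenPrivileges", "OpenProcessToken", "LookupPrivilegeValueA"}, 2),
    "registry":        ({"RegSetValueExA", "RegCreateKeyExA"}, 1),
    "dynamic_loading": ({"LoadLibraryA", "GetProcAddress"}, 2),
}
# String signatures from the slide, with assumed weights.
STRING_SIGNATURES = {
    "irc":     (re.compile(rb"\b(PRIVMSG|NICK|JOIN)\b"), 3),
    "autorun": (re.compile(rb"CurrentVersion\\Run", re.IGNORECASE), 3),
    "crypto":  (re.compile(rb"Crypt(AcquireContextA|Encrypt|Decrypt)"), 1),
}
ENTROPY_THRESHOLD = 7.0   # bits per byte; packed or encrypted images sit close to 8.0
ENTROPY_WEIGHT = 2
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


class Triage(NamedTuple):
    score: int
    attributes: List[Attribute]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_strings(data: bytes) -> List[str]:
    return [m.decode("ascii") for m in ASCII_RUN.findall(data)]


def triage(data: bytes) -> Triage:
    """Score one image and keep the evidence behind each scored attribute."""
    attributes: List[Attribute] = []
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        attributes.append(("high_entropy", ENTROPY_WEIGHT, f"{entropy:.2f} bits/byte"))
    strings = set(ascii_strings(data))
    for family, (apis, weight) in IMPORT_FAMILIES.items():
        hits = sorted(strings & apis)
        if hits:
            attributes.append((f"imports:{family}", weight, ", ".join(hits)))
    for name, (pattern, weight) in STRING_SIGNATURES.items():
        m = pattern.search(data)
        if m:
            attributes.append((f"string:{name}", weight, m.group(0).decode("ascii")))
    return Triage(sum(w for _, w, _ in attributes), attributes)


def rank(images: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Candidates by descending score: the order a stage-one job result is sorted by."""
    return sorted(((name, triage(data).score) for name, data in images.items()),
                  key=lambda item: (-item[1], item[0]))


def _pseudo_random(n: int, seed: bytes = b"cerberus-demo") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _image(imports: List[str], strings: List[bytes], packed_len: int = 0) -> bytes:
    """Constructed stand-in for an executable: header text, NUL-separated names, filler."""
    parts = [b"MZ", b"This program cannot be run in DOS mode.\x00"]
    parts += [s.encode("ascii") + b"\x00" for s in imports]
    parts += [s + b"\x00" for s in strings]
    return b"".join(parts) + _pseudo_random(packed_len)


BENIGN = _image(["CreateFileA", "ReadFile", "WriteFile", "CloseHandle"],
                [b"Copyright (c) Example Corp"])
SUSPICIOUS = _image(["LoadLibraryA", "GetProcAddress", "WSAStartup", "connect",
                     "CreateRemoteThread", "WriteProcessMemory"],
                    [b"NICK bot", b"JOIN #c2", b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
                    packed_len=8192)

if __name__ == "__main__":
    images = {"benign.exe": BENIGN, "dropper.exe": SUSPICIOUS}
    for name, score in rank(images):
        print(f"{score:3d}  {name}")
        for attr, weight, evidence in triage(images[name]).attributes:
            print(f"     +{weight}  {attr:24} {evidence}")
```

Keeping the evidence next to each weight is what turns "it looked weird" into a concrete hand-off: the reverse engineer receives the imports, strings and entropy figure that produced the score, not just the number.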
25. So what?!
• This info will give you insight you’ve never had
before, in seconds!
• Your reverse engineering team will love you
because you’ll finally know what causes you
concern other than “it looked weird”
• If you’re a reverse engineer, this will save you
a ton of time!
26. CIRT – Removable Media Module
Key Capabilities
Supports data copied to or from removable media
o Data copied from a computer with the agent
o Data copied from removable media to a machine with the agent
Configurable parameters for what gets captured on the agent, such as:
o Files with a given set of extensions
o Ability to turn it on/off
o Ability for it to turn on/off between a date range
o Capture metadata only
o Capture the entire file
o Capture metadata for all files but preserve files based on given filter criteria
o Ability to trigger capture based on a filename
o Ability to trigger capture based on file metadata (extension/filename)
Ability to have triggers
o Does not track anything unless the file meets the filter criteria
Ability to BLOCK any copy/paste operation to removable media
Ability to track files opened from USB/removable media on the host computer
Ability to view and analyze files that were captured as part of interactive review
Administrative Capabilities
The operator has a way to define parameters and apply policy/operating rules to the agent(s) and check status
Ability to view activity in the form of reports:
o By user
o By source
o By date range
The metadata captured will be accessible to a 3rd-party application, such as ArcSight, that can query the tables that contain this information:
o Node name
o Name and extension of files copied to removable media
o Date/time a given item was copied to/from removable media
Preserved data will be temporarily stored on the host machine in protected storage until it is picked up for processing/reporting
Ability to specify the maximum amount of storage that can be used
o Ability to specify what happens when the secure storage runs out of space: open buffer, or keep what it has and stop tracking
30. CIRT – Architecture
[Diagram: Public Site Server and Private Site Servers; Application/Web Server with Logging DB (MS SQL) and Web Console; SilentRunner (DB/Processing); Agents (Workstations/Laptops/Servers); Nodes with Proxy Agent; Network Shares (non-agent data sources)]
31. Thank You !
Jason Mical
Director of Network
Forensics
AccessData Group
Speaker notes
Founded 1987. Privately funded/owned. Headquartered in Utah, US. London office (training), Frankfurt, Dubai. Market leader / best-of-breed forensic technologies. Best known for Forensic Toolkit® (FTK™). 130,000+ clients globally. Train more than 6,000 individuals annually. Sustained annual growth 60% - 80% YOY. Gartner – Innovator in the space.
Agent-based policy and job engine: "Once a week, tell me what files have been added or removed." "Every day, tell me about processes that are running against a baseline."
• Application Server: Manages workflow and eDiscovery operations within the application (orchestration services, business services, work distribution services)
• Web Server: Provides web services for users to drive workflow/eDiscovery operations within the application. Also hosts the website for Data Modeling (first-pass review)
• Collection Worker(s): The service that does the actual search and forensic-level collection from data sources (structured/unstructured/semi-structured); designed to scale up and out
• Proxy Worker: Manages collection from proxyable assets
• Processing Worker: The service that performs the post-collection processing of data: expands archives (PSTs/NSFs), indexes, de-duplication analysis, file identification, secondary culling/filtering, and production (scales up and will soon scale out)
• Processing Database: Database that facilitates secondary culling/filtering, data modeling, searching, de-duplication and production (scales up)
• Orchestration and Logging Database: Database that tracks all eDiscovery matters, workflows and operations
• Agent: Service that runs on target nodes providing secure forensic-level access and preservation of ESI
• SilentRunner: Network forensic capture and analysis engine