Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview.

Published byMagdalene Harvey Modified over 6 years ago

Similar presentations

Presentation on theme: "Overview."— Presentation transcript:

1 Overview

2 Presentation Outline The Problem HBGary Approach Products Services

3 Presentation Outline  The Problem HBGary Approach Products Services

4 The Bad Guys Want…… Intellectual Property Strategic Advantage
Financial Gain

5 Evolving Risk Environment
Valuable cyber targets Attackers are motivated and well-funded Malware is sophisticated and targeted Existing security isn’t stopping the attacks

6 Drive-by Download – Legitimate Websites
Users can get compromised simply by visiting legitimate websites that have been corrupted. This type of malware tends to reside only in memory, not on the filesystem. Your organization can do everything right and still get compromised. Automated memory analysis is required to find new and advanced malware missed by AV and HIDS.

7 50,000+ New Malware Every Day!

8 Top 3 AV companies don’t detect 80% of new malware
Anti-Virus Shortcomings Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006 Top 3 AV companies don’t detect 80% of new malware 8

9 Traditional Host Security Products Fail to Detect……
New malware Malware variants Targeted attacks Advanced persistent threats Rootkits Memory resident malware The bad guys are highly skilled and are creating new malware that is frequently aimed at specific targets making it very challenging for traditional security products. But all malware, regardless of techniques it uses, must reside in memory, which makes it possible for physical memory analysis to detect them. Every network can and will be compromised 9

10 Traditional Memory and Malware Analysis is Difficult
Requires lots of technical expertise Time consuming Expensive Doesn’t scale Traditional methods to analyze memory and malware are difficult. It requires expertise, is time consuming and expensive, and it doesn’t scale. 10

11 Presentation Outline The Problem  HBGary Approach Products Services

12 HBGary Components Physical Memory Forensics Malware Detection
Malware Analysis Standalone and Enterprise

13 Physical Memory Forensics
Under the Hood Digital DNA (Behavioral Analysis) Engineering Reverse Code Physical Memory Forensics Under the hood we start with physical memory. If you ever looked at a memory dump you’ll see that it is unstructured garble-dee-goop. HBGary has reverse engineered over 50 undocumented Windows structures to give you organized information of the data contained in memory. We uncover all digital objects, so automated reverse engineering on each and every binary to uncover low level behaviors. Digital DNA examines the behaviors to identify which binaries are malware.

14 Why Physical Memory? Malware must be in memory to execute
Software code in memory is usually unpacked Malware can fool the OS, but it cannot hide in physical memory

15 Useful Information in RAM
Processes and Drivers Loaded Modules Network Socket Info Passwords Encryption Keys Decrypted files Order of execution Runtime State Information Rootkits Configuration Information Logged in Users NDIS buffers Open Files Unsaved Documents Live Registry Video Buffers – screen shots BIOS Memory VOIP Phone calls Advanced Malware Instant Messenger chat

16 Digital DNA Automated malware detection Software classification system
3500 software and malware behavioral traits Example Huge number of key logger variants in the wild About 10 logical ways to build a key logger

17 Ranking Software Modules by Threat Severity Software Behavioral Traits
Digital DNA Ranking Software Modules by Threat Severity 0B 8A C2 05 0F F B ED C D 8A C2 Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys. 0F 51 0F 64 Software Behavioral Traits

18 B[00 24 73 ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg}
What’s in a Trait? 04 0F 51 B[ ??]k ANDS[>004] C”QueueAPC”{arg0:0A,arg} The rule is a specified like a regular expression, it matches against automatically reverse engineered details and contains boolean logic. These rules are considered intellectual property and not shown to the user. Unique hash code Weight / Control flags The trait, description, and underlying rule are held in a database

19 Digital DNA in Memory vs. Disk Based Hashing and Signatures

20 White listing on disk doesn’t prevent malware from being in memory
Internet Document PDF, Active X, Flash Office Document, Video, etc… DISK FILE IN MEMORY IMAGE Public Attack-kits have used memory-only injection for over 5 years OS Loader White listing on disk doesn’t prevent malware from being in memory Whitelisting typically works by have a list of good hashes with the assumption that you’re loading only good binaries for execution into memory. But bad code can get injected into good programs. White listing does not mean secure code. DDNA will find the bad injected code. MD5 Checksum is white listed White listed code does not mean secure code Process is trusted

21 Digital DNA defeats packers
IN MEMORY IMAGE Packer #1 Packer #2 Decrypted Original OS Loader Digital DNA defeats packers As you know most malware is packed. The bad guy does this to avoid detection. For every packer used, you need another signature. But a program must unpack itself in memory to execute. Its underlying behaviors remain the same, so its DDNA remains the same. Starting Malware Packed Malware Digital DNA remains consistent

22 Same malware compiled in three different ways
DISK FILE IN MEMORY IMAGE Same malware compiled in three different ways OS Loader If the same malware is compiled e different ways you would need 3 different hashes or signatures to see it. DDNA still detects because the program is logically the same and has the same behaviors. MD5 Checksums all different Digital DNA remains consistent

23 A suspicious file… Now what?

24 Why Perform Malware Analysis?
What happened? What is being stolen? How did it happen? Who is behind it? How do I bolster network defenses?

25 Presentation Outline The Problem HBGary Approach  Products Services

26 Responder Professional
Standalone analysis system for incident responders Digital DNA Malware detection in memory Standalone and enterprise

27 HBGary Responder Professional
Standalone system for incident response Deep dive analysis of memory and malware Digital DNA module REcon module

28 HBGary and Verdasys Integration
Responder Professional Digital Guardian Console Analysis Reporting Policies Actions DG Server DG Agents (Endpoints) SQL Results Livebins Live Bins DDNA Extensions HBGary DDNA

29 Integrated License Management
© 2009 Verdasys All rights reserved

30 DDNA Deployment & Activation
Scheduled or ad hoc endpoint scans © 2009 Verdasys All rights reserved

31 Detect Malware alert reporting Configure risk reporting thresholds
© 2009 Verdasys All rights reserved

32 Diagnose Extract malware (livebins) from endpoint nodes
Analyze with HBGary Responder Professional © 2009 Verdasys All rights reserved

33 Respond Create DG policy rules to contain malware discovered by Digital DNA Examples Block host/hijacked applications from running Limit which apps can act on sensitive data Block network access to specific URLs/IDs Prevent read/write to files used by malware

34 Integration Roadmap Detection – Rule/event based DDNA activation
Unknown application or process deleted Suspicious communications Range of IP destinations Range of communications port DG Agent tampering attempts Malware Analysis Integration to include Responder DG Rule Generation to contain malware © 2009 Verdasys All rights reserved

35 Presentation Outline The Problem HBGary Approach Products  Services

36 Use HBGary Service When…
Suspicious traffic & AV says machines are clean Find malware on your computers Need to verify computers are trusted Determine root cause of compromise Malware damage assessment

37 Services Overview Incident Response Intrusion Forensics
Malware Analysis Training

38 HBGary Services Advance malware detection
Live first response triage of servers and workstations Enterprise scope of breach analysis Root cause analysis Malware analysis Enterprise containment, mitigation and remediation

39 Questions?

Download ppt "Overview."

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
eScan Total Security Suite with Cloud Security

eScan Total Security Suite with Cloud Security
13Computer Intrusions Dr. John P. Abraham Professor UTPA.

13Computer Intrusions Dr. John P. Abraham Professor UTPA.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.

1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.

Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.
BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.

BUFFERZONE Advanced Endpoint Security Data Connectors-Charlotte January 2016 Company Confidential.
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.
© 2016 You Have Alerts. Now What? Brian Carrier VP of Digital Forensics Basis Technology 1.

© 2016 You Have Alerts. Now What? Brian Carrier VP of Digital Forensics Basis Technology 1.

Similar presentations

Ads by Google