Product 1 - WikiLeaks


HBGary Overview
Core Technology
DETECT: Offline Physical Memory Analysis
• Lower Visibility = Better Malware Detection
• No code executing to “actively” fool our analysis
• Rootkit Detection becomes easier with offline memory analysis
DIAGNOSE: Automated Malware Analysis
• Identify a binary’s capabilities and the author’s intent
• Does it steal my data?
• Where is my data being sent?
• How does it install itself?
• Turn this into actionable intelligence
RESPOND: Rapidly with Actionable Intelligence
• Create Signatures for IDS/IPS
• Block URLs and IP addresses at the gateway
• Identify other compromised machines
• Search network for malicious code footprint and artifacts
Core Technology
Offline Physical Memory Analysis = Lower Host Visibility = Better Detection
Diagram: Operating System vs. the traditional security software and forensic software approach
Advantages of our approach…
• Memory is analyzed offline
– malware cannot hide itself actively
• All code and data that is in use MUST exist in physical memory
– therefore we have access to it
• The OS points us to the running rootkit or malware
– by virtue that the malware interacts with the OS
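The argument above (anything in use must still be present in physical memory, even if the live OS no longer reports it) as an added cross-view example, not HBGary's code. It builds a constructed toy memory image whose process blocks form a linked list, unlinks one block the way a DKOM-style rootkit hides a process from the running OS, and shows that walking the list misses it while scanning the raw image still finds it. The record layout, process names and PIDs are invented for illustration.

```python
import struct

# Constructed toy process block (hypothetical, not a real OS structure):
#   4-byte tag b'Proc', 4-byte PID, 16-byte name, 4-byte offset of next block (0 = end)
TAG = b"Proc"
REC = struct.Struct("<4sI16sI")

def build_image(procs, hide=None):
    """Lay out process blocks 0x100 bytes apart in a constructed image.
    If `hide` names a PID (never the first), that block stays in memory
    but is unlinked from the list, as a DKOM rootkit does on a live OS."""
    base = 0x1000
    offsets = [base + i * 0x100 for i in range(len(procs))]
    image = bytearray(base + (len(procs) + 1) * 0x100)
    for i, ((pid, name), off) in enumerate(zip(procs, offsets)):
        nxt = offsets[i + 1] if i + 1 < len(procs) else 0
        image[off:off + REC.size] = REC.pack(TAG, pid, name.encode().ljust(16, b"\0"), nxt)
    if hide is not None:
        i = [p for p, _ in procs].index(hide)
        prev, cur = offsets[i - 1], offsets[i]
        _, _, _, nxt = REC.unpack_from(image, cur)
        tag, pid, name, _ = REC.unpack_from(image, prev)
        # Rewrite the predecessor's next pointer so the list skips the hidden block.
        image[prev:prev + REC.size] = REC.pack(tag, pid, name, nxt)
    return bytes(image), offsets[0]

def walk_list(image, head):
    """What a live, OS-dependent tool sees: follow the maintained linked list."""
    seen, off = {}, head
    while off:
        _, pid, name, off = REC.unpack_from(image, off)
        seen[pid] = name.rstrip(b"\0").decode()
    return seen

def scan_image(image):
    """What offline analysis sees: every block still physically present."""
    found, pos = {}, image.find(TAG)
    while pos != -1:
        _, pid, name, _ = REC.unpack_from(image, pos)
        found[pid] = name.rstrip(b"\0").decode()
        pos = image.find(TAG, pos + 1)
    return found

def hidden_processes(image, head):
    """Cross-view: present in physical memory but absent from the OS list."""
    listed = walk_list(image, head)
    return {pid: n for pid, n in scan_image(image).items() if pid not in listed}

# Constructed sample: PID 777 is unlinked from the list but remains in memory.
PROCS = [(4, "System"), (312, "svchost.exe"), (777, "rootkit.exe"), (900, "explorer.exe")]
IMAGE, HEAD = build_image(PROCS, hide=777)
```

Real tools compare many such views (process lists, pool tags, handle tables, thread lists); the principle is the same: a discrepancy between what the OS reports and what physical memory contains is the detection signal.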
HBGary Solutions
Responder Professional v1.3
• The only comprehensive memory analysis platform on the market
• Host Intrusion Detection, Incident Response, Live Windows Forensics,
Automated Malware Analysis
Enterprise Responder v1.0 - McAfee ePO 4.0 Integration
• Enterprise Malware & Rootkit Detection & Reporting
HBGary / EnCase Enterprise Integration – coming Mar 2009
• Enterprise solution for remote physical memory analysis
• Remotely Scan physical memory for suspicious items
• Advanced Malware & Rootkit Detection
Product 1
Responder Professional
• Stand Alone workstation Software
– *doesn’t scale
– 1 analyst : 1 machine analysis at a time.
• Offline Physical Memory Analysis
• Digital DNA Scan
• Extract Suspicious Executable Code
• Malware Analysis
• Reporting
Product 2
Enterprise Responder for McAfee ePO
• McAfee Partnership is our first step into the enterprise
• Enterprise Responder Package is a 250kb DLL
– Deployed as needed or persistent
• DDNA is calculated in a distributed fashion
– Alerts are sent to a central console and aggregated
• Response Action
Product 3
HBGary Responder for EnCase Enterprise
• Live Physical Memory Analysis
• Identify Suspicious Behavior
• Extract Suspicious Executable Code
• Automated Malware Analysis & Digital DNA creation
• Response Action is programmable
• Alerting & Reporting
Threat Assessment Server:
The Technology
• Kernel Driver
• Run-Time Malware Analysis
• File System Modifications
• Registry Modifications
• Code cannot Free or Exit from Memory
• Network Traffic Capture
• Set Breakpoint CPU Run Trace
HBGary Responder Module
for Guidance Software EnCase Enterprise
• Physical Memory Analysis
• Baserules Analysis
• Identify Suspicious Code
• Report on Suspicious Machines
Downloadable Products
Fastdump Pro v1.3 - $100 – [email protected]
• Physical Memory Acquisition tool
• 32 and 64 bit Windows Operating Systems
• Supports systems with more than 4GB RAM
• Process Probe Feature
Flypaper Pro v1.0… coming in Feb 2009
• Log Viewer with enhanced logging
• File system
• Registry
• Network Activity
• Memory Tar Pit
Flypaper Pro: The Technology
• Run-Time Malware Analysis
• Code cannot Free or Exit from Memory
• Logs program behaviors in real time
– File system, Network, Registry
– Process launching, memory access, etc.
– Injected DLL, threads, etc.
• Network Traffic Capture
• Set Breakpoint CPU Run Trace
Malware analysis & diagnosis
• Any binary executable can be ‘extracted’ from the memory image
• Full x86 disassembly, code and data identification
• Graphing of control and data flow
• This extraction and analysis is the basis of Digital DNA (see later slides on this)