HBGary Overview
Transcript HBGary Overview
“Overhauling Enterprise Computer Health Care with Digital DNA”
Advanced Host Diagnostics for Today’s Zero Day Malware Threats
[Diagram: Digital DNA Based Risk Intelligence. Host physical memory is sequenced into Digital DNA™ and fed to a Weighted Threshold Behavioral Engine and the Digital DNA Processing Cluster, where raw knowledge about malware distribution and operation is encoded into security consumables: IP address / URL / netblock / domain name, hidden drivers, hidden threads, filenames / paths, file MD5, registry keys / paths, service names, mutex names, successful attacks. These feed web filtering, IDS rule lists, FW rule lists, AV DAT files, email filtering, NIDS, NGFW, AntiVirus and AV converged suites (binary signatures), or are submitted to an MSSP or AV vendor. Callouts: “Known threats already present in Enterprise”; “Makes existing security investment smarter”; point of presence on host and network against the bad guys.]
The Problem
“Today’s malware is morphing far too rapidly for the current detection methods to succeed”
“If our healthcare industry was run like the malicious code detection industry, then most of us would be dead today”
Cybercrime Evolution
• Cybercrime authors have evolved over the last 30 years
– Continued improvement and innovation
– Capitalistic shadow economy: competition
• Malware authors
– Professional software development lifecycle model
– Professional quality assurance
• Malware doesn’t ship until the code is undetected by the latest antivirus products
– Guarantees are provided – think SLA
Disclaimer
“At HBGary we believe all computers can and will be compromised by malware”
Like cancer prevention in humans… your best malware defense is
1. Early detection – requires lowest level visibility, i.e. a CAT scan
2. Rapid diagnosis – automated biopsy
3. Rapid response – response action plan based on the biopsy
VirusTotal runs 40 AV products: 0 out of 40 detected readme.pdf.
Uploaded malware is scanned by all AV products with the latest signatures… This file was a zero day attack. No one detected it… but HBGary DDNA.
2009 Attack Trends
[Diagram: Internet browsers (IE, Firefox) and client applications (Adobe, MS Word, PPT, Excel, Flash, Java) open Internet content (PDF, ActiveX, Flash, Office documents, video, etc.); the disk file passes through the OS loader into an in-memory image.]
2009 Attack Trends
• Drive-by download from legitimate websites
• Encrypted over SSL
• Rootkit
• Filesystem: no representation of what is being stolen
• Runtime memory: executable code is only visible in RAM and pagefile
The Opportunity
“Build a Better Mousetrap”
Technology and Methodology
DETECT:
Offline Physical Memory Analysis
• Unprecedented Visibility
• “Automated Crash Dump Analysis”
• No code executing to “actively” fool our analysis
DIAGNOSE: Automated Malware Analysis
• Rapidly Identify the malicious code capabilities
• Generate Report
RESPOND: Enterprise Policy Changes to Mitigate the Threat
• URL and IP address blocking
• IDS/IPS detection and blocking rules
• Identify scope of breach
• Develop and implement optimal corrective action plan
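The RESPOND step above, and the “encoded into security consumables” box in the architecture diagram at the top of the deck, describe turning what the analysis found into things existing controls can consume. The following is an added example of that step, not code from HBGary or the deck: it takes a constructed indicator set from one hypothetical analysed host (an RFC 5737 address, a reserved .example domain, a made-up hash and mutex name), emits Snort-style IDS rules and iptables-style firewall rules, and sweeps constructed endpoint inventories for the same indicators to size the breach. Rule text, SIDs and host names are assumptions for illustration.

```python
"""Encode indicators from one analysed host into security consumables and use
them to size the breach. Added example: the indicators, hosts and rule text are
constructed (RFC 5737 address, reserved .example domain) and are not from the deck."""
import ipaddress

# Constructed output of a hypothetical memory analysis of one infected host.
IOCS = {
    "ip": ["203.0.113.5"],
    "domain": ["update.evil.example"],
    "md5": ["3f2a9c0e5b7d41e6a8c1d2e3f4a5b6c7"],
    "mutex": ["Global\\_rk_instance_"],
}


def dns_wire_name(domain):
    """Encode a name as DNS wire labels for a content match: 'a.bc' -> |01|a|02|bc|00|."""
    labels = domain.strip(".").split(".")
    return "".join("|%02x|%s" % (len(label), label) for label in labels) + "|00|"


def snort_rules(iocs, sid_start=1000001):
    """IDS rule list: one rule per C2 address and one DNS query rule per domain."""
    rules, sid = [], sid_start
    for ip in iocs.get("ip", []):
        ipaddress.ip_address(ip)      # refuse garbage before it reaches a sensor
        rules.append('alert ip $HOME_NET any -> %s any (msg:"DDNA C2 address %s"; sid:%d; rev:1;)'
                     % (ip, ip, sid))
        sid += 1
    for dom in iocs.get("domain", []):
        rules.append('alert udp $HOME_NET any -> any 53 (msg:"DDNA C2 domain %s"; '
                     'content:"%s"; nocase; sid:%d; rev:1;)' % (dom, dns_wire_name(dom), sid))
        sid += 1
    return rules


def firewall_rules(iocs):
    """FW rule list in iptables syntax; an NGFW would take the same addresses."""
    return ["iptables -A OUTPUT -d %s -j DROP" % ip for ip in iocs.get("ip", [])]


def scope_of_breach(iocs, hosts):
    """Sweep endpoint inventories (hashes and mutexes seen per host) for the IOCs."""
    hits = {}
    for host, artefacts in hosts.items():
        matched = [(kind, value) for kind in ("md5", "mutex")
                   for value in artefacts.get(kind, []) if value in iocs.get(kind, [])]
        if matched:
            hits[host] = matched
    return hits


# Constructed endpoint inventories: ws-017 carries the mutex, ws-042 the file hash.
SAMPLE_HOSTS = {
    "ws-017": {"md5": ["9d1f4a2b7c3e5f60a1b2c3d4e5f60718"], "mutex": ["Global\\_rk_instance_"]},
    "ws-042": {"md5": ["3f2a9c0e5b7d41e6a8c1d2e3f4a5b6c7"], "mutex": []},
    "ws-108": {"md5": ["9d1f4a2b7c3e5f60a1b2c3d4e5f60718"], "mutex": []},
}

if __name__ == "__main__":
    for rule in snort_rules(IOCS) + firewall_rules(IOCS):
        print(rule)
    print("hosts matching IOCs:", scope_of_breach(IOCS, SAMPLE_HOSTS))
```

The address check is there on purpose: an indicator pulled out of memory is attacker-controlled data, and a malformed value should fail here rather than in a sensor’s rule loader. The DNS rule matches the wire-format name rather than the dotted string, which is what a query actually carries on port 53.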
New Mouse Trap
Digital DNA™
What is Digital DNA?
• New Approach to Detecting Zero Day Malware
• Detects Malware regardless of how it was packaged
• Diagnose and Report on Code behaviors
• Programming techniques are classified with clear descriptions
• “Reverse Engineering for Dummies”
• Identify variants across the Enterprise
It really can’t get any easier than this
HBGary DDNA Technology
GOALS: Gain the lowest level of diagnostic visibility in order to detect malware and malicious behaviors.
To obtain our goals we combined the latest advances in Memory Forensics & Reverse Engineering technology. The result was Digital DNA.
[Diagram: Physical Memory Forensics + Code Reverse Engineering = Digital DNA (Behavioral Analysis)]
Advantages of Digital DNA
1. Forensic Quality Approach
– Analysis is 100% offline
– Like crash dump analysis: no code running, see everything
2. Automated Malware Analysis
– The value of automated reverse engineering
3. Digital DNA™ detects zero-day threats
– 5+ years of reverse engineering technology
– AUTOMATED!
– No reverse engineering expertise required
Digital DNA
Ranking Software Modules by Threat Severity
Example Digital DNA sequence for one module:
0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21
Highlighted entries such as 8A C2, 0F 51 and 0F 64 are Software Behavioral Traits; sequences are compared by fuzzy search.
5,000 malware samples are sequenced every 24 hours.
Over 2,500 Traits are categorized into Factor, Group, and Subgroup. This is our “Genome”.
We expect to have 10,000 Traits by end of year.
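The slide above describes three mechanisms: behaviours encoded as a trait sequence, a weighted threshold engine that turns traits into a threat score, and fuzzy search over sequences to find variants. The following is an added example of those mechanisms in miniature; it is not HBGary’s genome or product code. The trait codes, weights, threshold, behaviour-to-trait mapping and the three sample modules are all constructed for illustration, and the fuzzy match is a plain difflib ratio standing in for whatever the product actually uses.

```python
"""Toy Digital DNA style scoring: behaviours are encoded into a trait sequence,
traits carry weights, a threshold turns the weighted sum into a verdict, and a
fuzzy match between sequences finds variants. Added example; the trait codes,
weights, threshold and samples are constructed and are not HBGary's genome."""
from difflib import SequenceMatcher

# Constructed trait catalogue: code -> (weight, description). Negative weights
# are benign behaviours that argue against the module being malicious.
TRAITS = {
    "0F 51": (15, "Hooks the SSDT or IDT"),
    "0F 64": (20, "Hides a driver by unlinking it from the loaded-module list"),
    "8A C2": (10, "Injects code into a remote process"),
    "05 0B": (8,  "Sets a Run key for persistence"),
    "C2 05": (5,  "Opens a raw socket"),
    "3D 00": (-5, "Carries a version resource"),
    "21 3D": (-10, "Hash is on the known-good whitelist"),
}
THRESHOLD = 30   # constructed: a weighted sum at or above this is flagged

# Constructed mapping from an observed behaviour to the trait it expresses.
BEHAVIOUR_TO_TRAIT = {
    "writes KeServiceDescriptorTable": "0F 51",
    "unlinks LDR_DATA_TABLE_ENTRY": "0F 64",
    "WriteProcessMemory + CreateRemoteThread": "8A C2",
    "writes HKLM CurrentVersion Run key": "05 0B",
    "socket(AF_INET, SOCK_RAW)": "C2 05",
    "VS_VERSION_INFO present": "3D 00",
    "hash on whitelist": "21 3D",
}


def sequence(behaviours):
    """Encode observed behaviours as an ordered list of trait codes."""
    return [BEHAVIOUR_TO_TRAIT[b] for b in behaviours if b in BEHAVIOUR_TO_TRAIT]


def threat_score(seq):
    """Weighted threshold engine: sum the weights; a repeated trait counts once."""
    return sum(TRAITS[code][0] for code in set(seq))


def verdict(seq):
    return "suspicious" if threat_score(seq) >= THRESHOLD else "clean"


def similarity(seq_a, seq_b):
    """Fuzzy match: fraction of trait codes shared in order, 0.0 to 1.0."""
    return SequenceMatcher(None, seq_a, seq_b).ratio()


def find_variants(known, modules, cutoff=0.8):
    """Names of modules whose sequence is close enough to 'known' to be a variant."""
    return [name for name, seq in modules.items() if similarity(known, seq) >= cutoff]


# Constructed behaviour lists for three modules found in memory.
SAMPLES = {
    "rootkit.sys": ["writes KeServiceDescriptorTable", "unlinks LDR_DATA_TABLE_ENTRY",
                    "WriteProcessMemory + CreateRemoteThread",
                    "writes HKLM CurrentVersion Run key"],
    "rootkit_v2.sys": ["writes KeServiceDescriptorTable", "unlinks LDR_DATA_TABLE_ENTRY",
                       "WriteProcessMemory + CreateRemoteThread",
                       "writes HKLM CurrentVersion Run key", "socket(AF_INET, SOCK_RAW)"],
    "notepad.exe": ["VS_VERSION_INFO present", "hash on whitelist"],
}


def analyse(samples=SAMPLES):
    """Rank every module: name, DDNA string, weighted score and verdict, highest first."""
    rows = []
    for name, behaviours in samples.items():
        seq = sequence(behaviours)
        rows.append((name, " ".join(seq), threat_score(seq), verdict(seq)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for row in analyse():
        print(row)
    seqs = {n: sequence(b) for n, b in SAMPLES.items()}
    print("variants of rootkit.sys:", find_variants(seqs["rootkit.sys"], seqs))
```

Two points carry over to the real thing: the score is a function of the traits present, not of the bytes, so a second build of the same code lands in the same place in the ranking; and the fuzzy cutoff is a tuning knob, since a variant that drops or adds a few behaviours still matches while an unrelated benign module scores zero.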
Integration with McAfee ePO
[Diagram components: ePO Console with the DDNA Extension; ePO Server with SQL; ePO Agents (endpoints) with the DDNA Module; Schedule and Events flowing between them; HBGary Portal; Responder Workstation.]
HBGary Products with Digital DNA
Digital DNA Product Line
Enterprise Digital DNA – McAfee ePO, Guidance Software, Verdasys
• Enterprise Malware/Rootkit Detection & Reporting
• Distributed Physical Memory Analysis with Digital DNA
• Rapid Response Policy Lockdown
Responder Professional – Stand Alone Software
for 1 analyst
• Comprehensive physical memory and malware investigation platform
• Host Intrusion Detection & Incident Response
• Live Windows Forensics
• Automated Malware Analysis
• Computer incident responders, malware analysts, security assessments
• Digital DNA
Core Technology
The Core Technology
Offline Physical Memory Analysis: this is the advantage!
• Rebuilds underlying undocumented data structures
• Rebuilds running state of machine, “exposes all objects”
• Malware cannot hide itself actively
Rootkit Detection: these tricks expose themselves by interacting with the OS
• Direct Kernel Object Manipulation detection
• Hook detection: IDT/SSDT/driver chains
• Crossview based analysis
Automated Malware Analysis
• Suspicious code is extracted from RAM
• Code is disassembled, broken apart, and analyzed
• Integration with Flypaper & Flypaper Pro
• Code control flow graphing
Digital DNA
• Identifies executable code behaviors
• DDNA created for all executable code
• A threat score is provided for all code
• White & black list code/behaviors
Alerting & Reporting
• Custom reports in XML, RTF, PDF, other
• Reports can be sent to enterprise console
• Behavioral Analysis Scan and others
• Alert on suspicious behaviors and coding tricks
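The Rootkit Detection items above (DKOM detection, SSDT hook detection, crossview analysis) rest on one idea: an offline memory image can be read two ways, through the structures the OS walks and by carving the raw bytes, and whatever a rootkit removed from the first view is still in the second. The following is an added example of that idea on a constructed image; it is not HBGary’s code and the record layout, pool tag, module ranges and SSDT contents are simplified stand-ins, not the real Windows EPROCESS or service table layouts.

```python
"""Cross-view rootkit detection on an offline memory image. Added example: the
record layout, pool tag, module ranges and SSDT below are constructed for
illustration and are not the real Windows EPROCESS/SSDT layouts."""
import struct

TAG = b"Proc"      # constructed pool tag marking a process record
REC_SIZE = 0x20    # record: tag(4) pid(4) name(16) Flink(4) Blink(4)
LIST_OFF = 0x18    # the LIST_ENTRY lives at record + 0x18
FIRST_REC = 0x10   # records start here; the list head LIST_ENTRY is at offset 0


def _rec_addr(i):
    return FIRST_REC + i * REC_SIZE


def build_image(procs, hidden_pids=()):
    """Build a fake physical-memory image with one record per (pid, name).
    Every record is linked into a circular list whose head sits at offset 0,
    except those in hidden_pids: their neighbours are relinked around them
    (what a DKOM rootkit does), but the record bytes stay in memory."""
    img = bytearray(FIRST_REC + len(procs) * REC_SIZE + 0x40)
    for i, (pid, name) in enumerate(procs):
        a = _rec_addr(i)
        img[a:a + 4] = TAG
        struct.pack_into("<I16s", img, a + 4, pid, name.encode())
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden_pids]
    entries = [0] + [_rec_addr(i) + LIST_OFF for i in visible]   # 0 is the head
    for k, e in enumerate(entries):
        struct.pack_into("<II", img, e, entries[(k + 1) % len(entries)], entries[k - 1])
    for i, (pid, _) in enumerate(procs):
        if pid in hidden_pids:                     # unlinked entry points at itself
            e = _rec_addr(i) + LIST_OFF
            struct.pack_into("<II", img, e, e, e)
    return img


def parse_record(img, a):
    pid, raw = struct.unpack_from("<I16s", img, a + 4)
    return pid, raw.rstrip(b"\0").decode()


def walk_active_list(img):
    """View 1: follow Flink from the head, the way the OS API enumerates processes."""
    found = {}
    flink, = struct.unpack_from("<I", img, 0)
    for _ in range(4096):                          # bound: guard against a forged cycle
        if flink == 0:                             # back at the head
            break
        pid, name = parse_record(img, flink - LIST_OFF)
        found[pid] = name
        flink, = struct.unpack_from("<I", img, flink)
    return found


def scan_pool_tags(img):
    """View 2: carve every record by its pool tag, ignoring the linked list."""
    found = {}
    for off in range(0, len(img) - REC_SIZE + 1, 4):
        if img[off:off + 4] == TAG:
            pid, name = parse_record(img, off)
            found[pid] = name
    return found


def cross_view(img):
    """Records present in the carve but absent from the list were hidden by DKOM."""
    linked = walk_active_list(img)
    return {pid: name for pid, name in scan_pool_tags(img).items() if pid not in linked}


# Constructed loaded-module list and SSDT for the hook check.
MODULES = [("ntoskrnl.exe", 0x80400000, 0x200000),
           ("win32k.sys",   0xBF800000, 0x180000),
           ("rk.sys",       0xF8A00000, 0x4000)]
SSDT = [0x80501234, 0x80512340, 0xF8A01020, 0x805ABCDE]


def owner(addr, modules=MODULES):
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def hooked_ssdt_entries(ssdt=SSDT, modules=MODULES):
    """Every SSDT slot must resolve inside ntoskrnl.exe; anything else is a hook."""
    return [(i, hex(a), owner(a, modules)) for i, a in enumerate(ssdt)
            if owner(a, modules) != "ntoskrnl.exe"]


# Constructed process list; pid 1337 is the one the rootkit unlinked.
SAMPLE_PROCS = [(4, "System"), (624, "lsass.exe"), (1337, "rk.exe"), (2048, "notepad.exe")]

if __name__ == "__main__":
    image = build_image(SAMPLE_PROCS, hidden_pids={1337})
    print("hidden processes:", cross_view(image))
    print("hooked SSDT entries:", hooked_ssdt_entries())
```

The list walk is bounded because a rootkit that controls the pointers can make the list circular or point it into garbage; an offline analyser must never trust a forward pointer for termination. The same two-view comparison applies to threads, drivers and handles, which is the “hidden drivers / hidden threads” output in the architecture diagram.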
MD5 Doesn’t Work
in Memory
Why MD5s Don’t Work in Memory
• In memory, once executing, a file is represented in a new way that cannot easily be back-referenced to a file checksum
• Digital DNA™ does not change, even if the underlying file does
– Digital DNA is calculated from what the software DOES (its behavior), not how it was compiled or packaged
[Figure: disk file vs. in-memory image. The OS loader copies the file only in part and the in-memory image is 100% dynamic; on disk the MD5 checksum is reliable, in memory traditional checksums don’t work and the MD5 is not consistent, while Digital DNA remains consistent.]
[Figure: white-listing on disk doesn’t prevent malware from being in memory. The disk file’s MD5 checksum is whitelisted and the process is trusted, yet the Internet document it opens (PDF, ActiveX, Flash, Office document, video, etc.) is loaded into the in-memory image. Whitelisted code does not mean secure code.]
[Figure: the same malware compiled in three different ways. The MD5 checksums are all different; Digital DNA remains consistent.]
[Figure: Packer #1 and Packer #2. The packed malware on disk is decrypted in memory into the original starting malware; Digital DNA remains consistent. Digital DNA defeats packers.]
[Figure: different malware authors using the same (packed) toolkit. The toolkit DNA is detected in the in-memory image; Digital DNA detects toolkits.]
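The figures above make three claims: the in-memory image of a file has a different checksum than the file on disk, the same code under different packers has different disk checksums, and a behaviour-based fingerprint survives both. The following added example shows all three with a toy executable format; it is not HBGary’s code and does not use the PE format. The “TOYX” container, the XOR packer, the fake loader with its relocation fix-ups and resolved import table, and the fingerprint (imports plus relocation-normalized code, a crude stand-in for behavioural traits) are constructed assumptions for illustration.

```python
"""Why a file MD5 stops meaning anything once code is loaded, and what stays
stable. Added example with a toy executable format: 'TOYX', the XOR 'packer',
the fake loader and the fingerprint are constructed for illustration and are
not HBGary's Digital DNA or any real PE format."""
import hashlib
import struct

MAGIC = b"TOYX"


def md5(data):
    return hashlib.md5(data).hexdigest()


def serialize(code, imports, relocs):
    """Disk layout: magic, lengths, code, NUL-terminated import names, reloc offsets."""
    names = b"".join(n.encode() + b"\0" for n in imports)
    hdr = MAGIC + struct.pack("<III", len(code), len(imports), len(relocs))
    return hdr + code + names + b"".join(struct.pack("<I", r) for r in relocs)


def parse(blob):
    if blob[:4] != MAGIC:
        raise ValueError("not a TOYX file")
    clen, nimp, nrel = struct.unpack_from("<III", blob, 4)
    pos = 16
    code = blob[pos:pos + clen]
    pos += clen
    imports = []
    for _ in range(nimp):
        end = blob.index(b"\0", pos)
        imports.append(blob[pos:end].decode())
        pos = end + 1
    relocs = list(struct.unpack_from("<%dI" % nrel, blob, pos))
    return code, imports, relocs


def pack(blob, key):
    """A trivial XOR packer: same payload, different key, different file bytes."""
    return b"PACK" + bytes([key]) + bytes(b ^ key for b in blob)


def unpack(blob):
    """What runs in memory is the original; the packer stub is gone after unpacking."""
    if blob[:4] == b"PACK":
        key = blob[4]
        return bytes(b ^ key for b in blob[5:])
    return blob


def resolve(name):
    """Stand-in for GetProcAddress: a deterministic fake address per API name."""
    return 0x7C800000 + int.from_bytes(hashlib.md5(name.encode()).digest()[:2], "little")


def load(blob, base):
    """What the OS loader leaves in RAM: the unpacked code with base relocations
    applied, followed by an IAT of resolved addresses. Header and relocation
    data are not copied, so the image is only part of the file."""
    code, imports, relocs = parse(unpack(blob))
    image = bytearray(code)
    for off in relocs:
        value, = struct.unpack_from("<I", image, off)
        struct.pack_into("<I", image, off, (value + base) & 0xFFFFFFFF)
    iat = b"".join(struct.pack("<I", resolve(n)) for n in imports)
    return bytes(image) + iat


def fingerprint(blob):
    """Packer- and relocation-invariant fingerprint: the APIs the code uses plus
    the code bytes with relocation slots zeroed. A crude stand-in for the
    behavioural traits the deck describes; imphash-style tools work the same way."""
    code, imports, relocs = parse(unpack(blob))
    norm = bytearray(code)
    for off in relocs:
        struct.pack_into("<I", norm, off, 0)
    return md5(b"|".join(sorted(n.encode() for n in imports)) + b"#" + bytes(norm))


# Constructed payload: mov eax, imm32 ; call eax ; push imm32 ; ret, with the two
# imm32 slots (offsets 1 and 8) holding image-relative addresses that need fixing up.
CODE = b"\xb8" + struct.pack("<I", 0x1000) + b"\xff\xd0" + b"\x68" + struct.pack("<I", 0x2000) + b"\xc3"
IMPORTS = ["CreateRemoteThread", "WriteProcessMemory", "RegSetValueExA"]
RELOCS = [1, 8]
PLAIN = serialize(CODE, IMPORTS, RELOCS)
VARIANTS = {"plain.exe": PLAIN, "packer1.exe": pack(PLAIN, 0x5A), "packer2.exe": pack(PLAIN, 0xA7)}


def compare(variants=VARIANTS, bases=(0x400000, 0x10000000)):
    """Per variant: disk MD5, in-memory MD5 at each load base, and the fingerprint."""
    return {name: {"disk_md5": md5(blob),
                   "mem_md5": [md5(load(blob, b)) for b in bases],
                   "fingerprint": fingerprint(blob)}
            for name, blob in variants.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Running it shows three distinct disk MD5s, an in-memory MD5 that matches none of them and changes with the load base, and one fingerprint for all three. Real loaders add more sources of drift (page granularity, patched IAT thunks, in-place hooks), which is why matching memory against a disk hash list fails even for benign modules.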
Client Testimonials
Client Testimonial
• One of the largest pharmaceutical companies
• Under attack every day
• Uses enterprise antivirus
– Sends malware to the vendor
– Waits 1-8 hours for a signature
• Uses Responder Pro
– Responder provides immediate critical intelligence to secure the network and mitigate the threat to the data
Client Testimonial 2
• One of the largest entertainment companies
• Under attack every day & uses enterprise antivirus
• When a machine is compromised, they perform various levels of remediation with their antivirus vendor signatures.
• Once the machine is determined clean by the antivirus software, they use our technology to verify the machine is no longer infected…
• Findings: about 50% of machines are still infected…
Conclusion
Dramatically improve host security with memory forensics, which can detect malicious code that nothing else can…
• Not only for incident response
• Should be used during security assessments
Today malware analysis should be brought in house
• It can help you… minimize costs and impact.
• Rapidly identify the “Scope of Breach”
• Mitigate the threat before you have an anti-virus signature
• Minimize & manage enterprise risk
Future at HBGary
Development Initiatives
• Active Defense – HBGary Enterprise Technology
• Recon – Next Gen Sandbox for automated malware analysis
• Digital DNA v2 – Advanced mapping of malware genome
Webinar Series
• Memory Forensics
• Responder Pro with Digital DNA
• Rapid Malware Analysis to mitigate the threat
Partnerships
• Guidance Software
• McAfee
• Verdasys
• some others announced soon
Questions?
Thank you very much
[email protected]