CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
Presentation Transcript
Digital Investigations of Any Kind ONE COMPANY Cyber Intelligence Response Technology (CIRT) www.accessdata.com
Who we are...
• AccessData has been in this industry for over 25 years
• Offices in Utah, Houston, San Francisco, London, Virginia, Maryland, Frankfurt, Dubai, Australia and China
• Market leader / Best of breed technologies in Forensics and eDiscovery
• 130,000+ Clients Globally
• Train over 6000 customers each year
• Sustained annual growth year after year of between 60% - 80%
• Gartner recognized as an Innovator in the space
AccessData Product & Services
A Shift from Disparate Solutions
Traditional Approach: Point solutions do not provide a true “360-degree” look at what is happening.
Paradigm Shift: Integrated Analysis in Single Platform with Built-in Remediation
• Network Forensics
• Host-based Forensics
• Volatile Data
• Removable Media Audit
• Data Audit
• Malicious Code Analysis / Threat Scoring
[Screenshot labels: Security / Process Functions; High Entropy; Dynamic Loading; Imports Process Manipulation Functions; Imports Security Functions]
CIRT Platform – Built on Validated Technology
• Network Forensics
• Host Based Forensics
• Data Audit
• Volatile Data
CIRT – The Value of Integrated Analysis (Integrated Platform)
CLASSIFIED DATA SPILLAGE: Agency proactively audits using terms, such as “eyes only” and “top secret”. All instances are flagged for removal in accordance with federal agency policies.
VIRTUAL WORKFORCE: Laptop checks in at intervals to be scanned for anomalies, which are all recorded, including network and USB activity. Remote monitoring helps to identify any instance of IP theft.
INTRUSION ALERT: Unauthorized port 443 traffic. Visualize communications, drill down into suspect host. Perform behavioral forensic analysis. Honeypot avoidance, crypto, dynamic loading, high entropy and other criteria indicate malware. Batch remediation function is leveraged.
CREDIT CARD INFORMATION REPORTED: Help desk is called, alerting them that an employee discovered credit card information on an unsecure location. Company reactively conducts PCI audit to locate exposed credit card holder info. Instances are wiped. Findings are reported.
ADVANCED MALWARE AND ZERO DAY DETECTION: Proactive monitoring for the identification of malicious code behaviors from multiple computers. Perform differential analysis of volatile data, perform malware analysis / threat scoring. Analysis reveals malicious processes. Scan large enterprise for defined processes and/or similar behavior and issue batch remediation. Monitor for recurrence.
Multi-Team Collaboration for Improved Emergency Response
• Incident Response Team
• Computer Forensics Team
• Information Security Team
• Network Security Team
• Compliance Team
Key capabilities of the agent core
• Acts independently on/off network
• Has its own scheduler and local policy cache
• Agent can be installed as persistent or self-dissolving after x number of days
• There is a run-time version of the agent that allows full capability without the need to actually install the agent (this mode does not allow for persistent/scheduled functions)
• Has a protected storage area to securely store payload until it can communicate back to the site server
The agent is made up of the following modules
• Core: Responsible for managing communication, policy / job execution, and defensive measures, delivering payload, and updating itself
• NetFS: Provides the filtering, searching, collection, and preservation capabilities (the same technology in the agent is what supports network share capability)
• Cerberus: The ability to identify malware (with no prior knowledge) based on search/filter criteria on running systems or network shares across the enterprise. For example, a job could be defined to Stage 1 Cerberus score all exe on a given set of systems. Any files that have a high threat score will be automatically sent to the Stage 2 Cerberus analysis. There are options to choose whether the files are preserved or just the metadata.
• Volatile: Users can now set up jobs to scan the enterprise and capture volatile data and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the volatile data payload. Volatile data includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, registry, and users
• RAM: Users can now set up jobs to scan the network and analyze RAM along with Volatile, or just RAM analysis, and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the RAM analysis. RAM analysis includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network, Devices, Processors, and registry.
• RMM (removable media module): Enables the targeted monitoring of files coming from and going to removable media (USB/Firewire/CD/DVD), with job options to record just metadata, or metadata and payload, for documents based on user-defined extensions. Results can be viewed, filtered and searched on in the new review interface with the support of pre-made filter facets to quickly identify documents/files coming from or going to removable media.
• SilentRunner: Advanced host-based packet capture with robust filtering capabilities
• Remediation: Allows for the killing of processes and wiping of files
CIRT – SilentRunner Agent Module
Key Capabilities
• Define operating parameters for the agent collector:
  o on/off
  o filter based on these IP addresses
  o filter based on these ports or protocols or application
  o filter based on these IP addresses <to-from> these ports/protocols
  o define how much data can be collected
  o define if it stops collecting once it hits max collection
  o define if it just has an open rolling buffer
• These settings would be applied as a policy/operating parameters
  o Specify beginning and end for application of the policy
  o Adhere to a schedule
• The Pcap payload would be securely stored on the agent
• Agent will store and forward for ingestion into centralized SilentRunner System for integrated and correlated analysis
Intro to Cerberus
• CIRT is the first step towards automated reverse engineering so you can triage a binary before sending it for further analysis
• We tally all of the attributes we think are “interesting” into a score that you can sort by
• For each binary, you can then drill down into that score to see the attributes that we found that were similar to malicious binaries we’ve seen in the past
What is Cerberus?
Cerberus reduces the level of expertise required to do malware analysis. Ideal for first responders.
STATIC ANALYSIS / DATA FLOW ANALYSIS YIELDS SIMILAR RESULTS AS DYNAMIC ANALYSIS
STAGE ONE: Generic File/Metadata Analysis
• Identifies potentially malicious code, generates threat score.
STAGE TWO: Disassembly Analysis
• Runs elements of the code, without running actual executable. To find out what the binary is capable of.
WORKS AGAINST…
• Binaries that live on disk or network share
• System Memory – unpacked binaries
Mythology Trivia: Cerberus guards the gates of the underworld to prevent those who have crossed into Hades from escaping. In other words… he prevents bad things from breaking free.
Cerberus Analysis Approach
Cerberus uses a different approach than other products on the market because it doesn’t rely on:
• Dynamic Analysis: Often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
• Traditional Heuristics, such as the monitoring of modifications to the registry and the insertion of hooks into certain library or system interfaces, are not based on the fundamental characteristics of malware.
• High false positive / false negative rates.
• Signature-based / byte string analysis: cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
NOTE: We are not relying on whitelists or signatures. We are able to assess behavior and identify intent without the above methodologies.
What Does Cerberus Do?
STAGE ONE ANALYSIS
Executable Binary Analysis:
• Product Name
• Product Version
• Company Name, etc.
• Functions included in the Import Table
  o Network
  o Process
  o Security
  o Registry
  o Dynamic Loading, etc.
• Does the binary have high entropy (obfuscated)?
• Does the binary have signatures of:
  o Internet Relay Chat (“IRC”)
  o Shellcode
  o Cryptography (“Crypto”)
• Does the binary contain strings associated with autoruns?
• Digital Signature Verification
STAGE TWO ANALYSIS
Basic Disassembly Analysis:
• Integrated disassembly engine
• If using network functionality, potentially what host it is communicating with and over what protocol(s)
• If using network functionality, can it bypass proxy servers?
• For functions that require usernames and/or passwords, does the executable contain static string indicating insider or advanced knowledge?
Advanced Disassembly Analysis:
• Automated unpacking
• Automated code and data flow analysis
• More advanced Functionality Interpretation
  o IP addresses and Domain Names Used
  o Debugger and Sandbox avoidance
  o Command and Control Functionality
  o Hooking Techniques
  o Arbitrary Code Execution
• Host Forensic Artifacts
  o Registry Settings
  o Temp Files
  o Configuration Files
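The Stage One idea described above (tally "interesting" static attributes into a sortable score, then drill down into what contributed) can be illustrated with the following added example. It is not AccessData's code or Cerberus's actual scoring: the API-to-category mapping, the weights, the 7.0 bits/byte entropy threshold, the `signed` input flag and the sample inputs are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Assumed mapping of imported Win32 APIs to the import-table categories on the slide.
IMPORT_CATEGORIES = {
    "Network": {"InternetOpenA", "InternetConnectA", "WSAStartup", "connect"},
    "Process": {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"},
    "Security": {"OpenProcessToken", "AdjustTokenPrivileges"},
    "Registry": {"RegOpenKeyExA", "RegSetValueExA"},
    "Dynamic Loading": {"LoadLibraryA", "GetProcAddress"},
}
# Assumed weights; a real product would tune these against known samples.
WEIGHTS = {"Network": 10, "Process": 15, "Security": 10,
           "Registry": 5, "Dynamic Loading": 10}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "packed/obfuscated"
AUTORUN_KEY = rb"Software\Microsoft\Windows\CurrentVersion\Run"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stage_one_score(data: bytes, imports: list, signed: bool):
    """Return (score, findings); findings is the drill-down behind the score."""
    findings = []
    for category, names in IMPORT_CATEGORIES.items():
        hits = sorted(names & set(imports))
        if hits:
            findings.append((f"imports:{category}", WEIGHTS[category], hits))
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        findings.append(("high_entropy", 20, [f"{entropy:.2f} bits/byte"]))
    if AUTORUN_KEY in data:
        findings.append(("autorun_string", 15, [AUTORUN_KEY.decode()]))
    if not signed:  # signature verification itself is assumed done elsewhere
        findings.append(("unsigned", 5, []))
    return sum(weight for _, weight, _ in findings), findings

# Constructed samples: near-uniform bytes stand in for a packed binary.
PACKED_LIKE = bytes(range(256)) * 16 + AUTORUN_KEY
PLAIN = b"hello world " * 300

if __name__ == "__main__":
    score, detail = stage_one_score(
        PACKED_LIKE, ["LoadLibraryA", "GetProcAddress",
                      "InternetConnectA", "WriteProcessMemory"], signed=False)
    print(score)
    for name, weight, evidence in detail:
        print(f"  +{weight:<3} {name} {evidence}")
```

A high score only prioritizes a file for Stage Two style review; legitimately packed or compressed software also shows high entropy, so the drill-down list matters more than the number.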
CIRT – Cerberus Threat Analysis Report
Stage 1 Cerberus Analysis
Stage 1 Cerberus Analysis Continued
Has File Access Functions
Has Process Manipulation
Has Networking Functions
Arguments for Internet_Connect_ A
Show me in Real-Time…
Show me more…
Perform Interactive Review of Web Content
So what?!
• This info will give you insight you’ve never had before, in seconds!
• Your reverse engineering team will love you because you’ll finally know what causes you concern other than “it looked weird”
• If you’re a reverse engineer, this will save you a ton of time!
CIRT – Removable Media Module
Key Capabilities
• Supports data copied to or from removable media
  o Data copied from computer with agent
  o Data copied from removable media to machine with agent
• Configurable parameters of what gets captured on the agent, such as:
  o Files with a given set of extensions
  o Ability to turn it on/off
  o Ability for it to turn on/off between a date range
  o Capture metadata only
  o Capture the entire file
  o Capture metadata for all files but preserve files based on a given filter criteria
  o Ability to trigger capture based on a filename
  o Ability to trigger capture based on file metadata (extension/filename)
• Ability to have triggers
  o Does not track anything unless the file meets filter criteria
• Ability to BLOCK any copy/paste operation to removable media
• Ability to track files opened from a USB/removable media on host computer
Administrative Capabilities
• The operator has a way to define parameters and apply policy/operating rules to the agent(s) and check status
• Ability to view activity in the form of reports
  o By user
  o By source
  o By date range
• The metadata captured will be accessible to a 3rd party application that can query for the tables that contain this information, such as Arcsight
  o Node name
  o Name and extension of files copied to removable media
  o Date/time a given item was copied to/from removable media
• Preserved data will be temporarily stored on the host machine in protected storage until it is picked up for processing/reporting
• Ability to specify maximum amount of storage that could be used
  o Ability to specify what happens when the secure storage runs out of space: open buffer, or keep what it has and stop tracking
• Ability to view and analyze files that were captured as part of interactive review.
Perform Interactive Review of Removable Media
Perform Interactive Review of Removable Media
Perform Interactive Review of Volatile Data
CIRT – Architecture
[Architecture diagram. Components shown: Nodes with Proxy Agent; Public Site Server; SilentRunner (DB/Processing); Network Shares (non-agent data sources); Private Site Servers; Application/Web; Logging DB (MS SQL); Web Console; Agents (Workstations/Laptops/Servers)]
Thank You!
Jason Mical, Director of Network Forensics, AccessData Group