Hermit Crab Presentation

Say hello to Frank.

Published in: Education, Technology

Notes
  • Project vision: a forensic tool for investigators and researchers to examine the behavior of malware across networks, in order to reconstruct and study the techniques a virus uses to propagate across a compromised network of systems.
  • These techniques take time and resources to analyze, and static analysis is too human-resource intensive to be practical.
  • Viruses, worms, and botnets are often challenging for forensic investigators to identify and uncloak. Most payloads require write permissions, so the use of write-protecting forensic tools makes it difficult to see what the malware is actually doing. In most cases, once malicious code has been identified, it is executed in a sandboxed virtual machine. While this gives an investigator an idea of what the payload does, it doesn’t always give a full picture, especially in networked environments. The virus aquarium attempts to augment static (and potentially live) forensic investigations of malware-infected networks with captured network traffic and logs from the operating system and application level.

Slides

    1. HERMIT CRAB: Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
    2. The Team: Dr. Chao H. Chu, CEO; Brian Reitz, CISO; Matthew Maisel, CIO; Matthew Dinkel; Albert Chen, Server Admin
    3. The Idea: "Network" by XKCD. Source: http://www.xkcd.com/350/
    4. The Purpose: Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. Techniques called out on the slide: XOR-encrypted shellcode, "fast-flux" DNS, payload migration, polymorphism verification.
    5. Static Analysis is Difficult: "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." - Dr. Wietse Zweitze Venema
    6. Meet Frank the Hermit Crab: “Forensic Response Analytic Network Kit”. “Shout out to Tom Sennett”
    7. Xen/Hermit Crab Architecture: Xen hypervisor running on Ubuntu Hardy Server; Ubuntu Dom0 (ssh.d, vnc); DomUs on Ubuntu Hardy: OSSIM, Heron 1, Heron 2, Heron 3
    8. Open Source Security Information Management (OSSIM): OSSIM provides a strong correlation engine; detailed low-, medium- and high-level visualization interfaces; and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
    9. OSSIM Components
       • Arpwatch: used for MAC anomaly detection.
       • P0f: used for passive OS detection and OS change analysis.
       • Nessus: used for vulnerability assessment and for cross correlation (IDS vs. security scanner).
       • Snort: the IDS, also used for cross correlation with Nessus.
       • Spade: the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.
       • Ntop: builds an impressive network information database from which we can identify aberrant behavior (anomaly detection).
       • Nagios: fed from the host asset database, it monitors host and service availability information.
       • OSSEC: integrity, rootkit, registry detection, and more.
    10. OSSIM Architecture
    11. OSSIM Profiles: All-In-One, Server, Sensor
    12. Similar Projects: The Virtual Security Labs; Network Analysis Lab (esp. Snort); Email Recovery Exercise; Malware Analysis lab
    13. DEMONSTRATION
    14. SSH access: to dom0 and domUs
    15. Xen overview
    16. DomU networking: internal networking; external networking
    17. OSSIM Portal
    18. Executive dashboard
    19. Aggregated risks
    20. Incident tickets
    21. Security events
    22. Vulnerability assessments
    23. Monitors
    24. Useful for tracing security incidents
    25. Forensic console
    26. References
       1. Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
       2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing, 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book
       3. Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious
       4. “InMAS: Internet Malware Analysis System.” CWSandbox. University of Mannheim. http://www.cwsandbox.org/
       5. Lyon, Gordon. “Chapter 12. Zenmap GUI Users’ Guide: Surfing the Network Topology.” Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html
       6. Masgood, S.G. “Malware Analysis for Administrators.” SecurityFocus. http://www.securityfocus.com/infocus/1780
       7. Munroe, Randall. “Network.” XKCD. http://xkcd.com/350/
       8. “OSSIM Architecture.” OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture
       9. Provos, Neil. “Developments of the Honeyd Virtual Honeypot.” http://www.honeyd.org/index.php
       10. Roesch, Martin, and others. “About Snort.” Sourcefire. http://www.snort.org/snort
       11. “SiLK - System for Internet-Level Knowledge.” CERT NetSA, Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/
       12. Venema, Wietse. “Chapter 6: Malware Analysis Basics.” Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
       13. “Xen Hypervisor - Leading Open Source Hypervisor for Servers.” Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html
       14. “Virtual-machine based security services.” Professors Peter Chen and Brian Noble. http://www.eecs.umich.edu/virtual/
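The OSSIM Components slide names Arpwatch for MAC anomaly detection and P0f for passive OS detection and OS change analysis, and slide 8 says OSSIM's value is a correlation engine over such events. The following Python is an added example, not code from OSSIM, Arpwatch, P0f or the Hermit Crab project: it replays constructed ARP and passive-fingerprint observations (not captured from any real network), raises Arpwatch-style events ("new station", "changed ethernet address", "flip flop") and P0f-style "os change" events, then correlates a MAC change with an OS change for the same IP inside a time window. The record format, event names, the 60-second window and the sample addresses are all assumptions made for the example.

```python
"""Arpwatch-style MAC anomaly detection plus P0f-style OS-change checks,
followed by a small correlation step. Added example; not OSSIM code."""


class StationMonitor:
    """Tracks the last known MAC and passive OS label per IP and emits events."""

    def __init__(self):
        self.mac_by_ip = {}       # ip -> MAC currently answering for it
        self.prev_mac_by_ip = {}  # ip -> MAC it answered with before that
        self.os_by_ip = {}        # ip -> last passive OS fingerprint label
        self.events = []          # (timestamp, ip, event_type, detail)

    def observe_arp(self, ts, ip, mac):
        """One ARP observation (assumed format): flag new or changed stations."""
        mac = mac.lower()
        current = self.mac_by_ip.get(ip)
        if current is None:
            self.events.append((ts, ip, "new station", mac))
        elif mac != current:
            # Returning to the previous MAC is a flip flop (two hosts contending
            # for one IP); any other change is a plain changed ethernet address.
            if mac == self.prev_mac_by_ip.get(ip):
                self.events.append((ts, ip, "flip flop", f"{current} -> {mac}"))
            else:
                self.events.append((ts, ip, "changed ethernet address",
                                    f"{current} -> {mac}"))
            self.prev_mac_by_ip[ip] = current
        self.mac_by_ip[ip] = mac

    def observe_p0f(self, ts, ip, os_label):
        """One passive OS fingerprint (assumed format): flag a changed OS."""
        previous = self.os_by_ip.get(ip)
        if previous is not None and os_label != previous:
            self.events.append((ts, ip, "os change", f"{previous} -> {os_label}"))
        self.os_by_ip[ip] = os_label


# Constructed sample observations: (timestamp, source, ip, value).
# source "arp" carries a MAC, source "p0f" carries an OS label.
OBSERVATIONS = [
    (100, "arp", "10.0.0.5", "00:16:3e:aa:00:05"),
    (101, "p0f", "10.0.0.5", "Linux 2.6"),
    (102, "arp", "10.0.0.6", "00:16:3e:aa:00:06"),
    (103, "p0f", "10.0.0.6", "Linux 2.6"),
    (200, "arp", "10.0.0.5", "00:16:3e:aa:00:05"),  # steady state, no event
    (300, "arp", "10.0.0.5", "00:0c:29:de:ad:05"),  # a different MAC answers
    (301, "p0f", "10.0.0.5", "Windows XP"),         # and a different OS
    (302, "arp", "10.0.0.5", "00:16:3e:aa:00:05"),  # original MAC is back
    (400, "arp", "10.0.0.7", "00:16:3e:aa:00:07"),  # a host not seen before
]


def run(observations):
    """Replay observations in time order and return the raised events."""
    mon = StationMonitor()
    for ts, source, ip, value in sorted(observations):
        if source == "arp":
            mon.observe_arp(ts, ip, value)
        elif source == "p0f":
            mon.observe_p0f(ts, ip, value)
    return mon.events


def correlate(events, window=60):
    """Pair each MAC change with an OS change for the same IP within `window`
    seconds. A MAC change alone is often a DHCP lease or a NIC swap; paired
    with a new OS fingerprint it is a stronger sign that a different machine
    now answers for that address. Returns (ip, mac_change_ts, os_change_ts)."""
    mac_changes = [e for e in events
                   if e[2] in ("changed ethernet address", "flip flop")]
    os_changes = [e for e in events if e[2] == "os change"]
    alerts = []
    for m in mac_changes:
        for o in os_changes:
            if m[1] == o[1] and abs(o[0] - m[0]) <= window:
                alerts.append((m[1], m[0], o[0]))
    return alerts


if __name__ == "__main__":
    found = run(OBSERVATIONS)
    for ev in found:
        print(ev)
    for ip, mac_ts, os_ts in correlate(found):
        print(f"correlated: {ip} MAC change at {mac_ts}, OS change at {os_ts}")
```

Each sensor on its own would only report a single low-value event; the correlation step is where an investigator tracing an incident, as slides 23 and 24 describe, gets a host-level finding worth a ticket. Widening the window, or adding a third source such as a Snort alert for the same IP, follows the same pattern.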
