Hermit Crab Presentation


Say hello to Frank.

  1. 1. HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
  2. 2. The Team Dr. Chao H. Chu, CEO Brian Matthew Matthew Reitz, Maisel, Dinkel CISO CIO Albert Chen, Server Admin
  3. 3. The Idea: "Network" by XKCD. Source:
  4. 4. The Purpose: Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. (Diagram labels: XOR-encrypted shellcode; "Fast-flux" DNS migration; Payload verification; Polymorphism.)
  5. 5. Static Analysis is Difficult "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." -Dr. Wietse Zweitze Venema
  6. 6. Meet Frank the Hermit Crab “Forensic Response Analytic Network Kit” “Shout out to Tom Sennett”
  7. 7. Xen/Hermit Crab Architecture (diagram): Xen hypervisor on Ubuntu Hardy Server; Ubuntu Hardy Dom0 running sshd and VNC; guest domains OSSIM, Heron 1, Heron 2 and Heron 3 (Ubuntu Hardy).
  8. 8. Open Source Security Information Management (OSSIM) OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
  9. 9. OSSIM Components
     • Arpwatch: used for MAC anomaly detection.
     • P0f: used for passive OS detection and OS change analysis.
     • Nessus: used for vulnerability assessment and for cross correlation (IDS vs. security scanner).
     • Snort: the IDS, also used for cross correlation with Nessus.
     • Spade: the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.
     • Ntop: builds an impressive network information database from which we can identify aberrant behavior (anomaly detection).
     • Nagios: fed from the host asset database, it monitors host and service availability information.
     • OSSEC: integrity, rootkit, registry detection, and more.
  10. 10. OSSIM Architecture
  11. 11. OSSIM Profiles: All-In-One, Server, Sensor
  12. 12. Similar Projects The Virtual Network Security Analysis Lab Labs (esp. Snort) Email Malware Recovery Analysis lab Exercise
  14. 14. SSH access
     • To dom0
     • And domUs
  15. 15. Xen overview
  16. 16. DomU networking
     • Internal networking
     • External networking
  17. 17. OSSIM Portal
  18. 18. Executive dashboard
  19. 19. Aggregated risks
  20. 20. Incident tickets
  21. 21. Security events
  22. 22. Vulnerability assessments
  23. 23. Monitors
  24. 24. Useful for tracing security incidents
  25. 25. Forensic console
  26. 26. References
     1. Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. %20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
     2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007.
     3. Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. show=2103.php&cat=malicious
     4. "InMAS: Internet Malware Analysis System". CWSandbox. University of Mannheim.
     5. Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning.
     6. Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus.
     7. Munroe, Randall. "Network." XKCD.
     8. "OSSIM Architecture." OSSIM Documentation Wiki. Alienvault.
     9. Provos, Neil. "Developments of the Honeyd Virtual Honeypot".
     10. Roesch, Martin and others. "About Snort". Sourcefire.
     11. "SiLK - System for Internet-Level Knowledge". CERT NetSA. Carnegie Mellon University Software Engineering Institute.
     12. Venema, Wietse. "Chapter 6: Malware Analysis Basics." Forensic Discovery.
     13. "Xen Hypervisor - Leading Open Source Hypervisor for Servers". Citrix System, Inc.
     14. "Virtual-machine based security services." Professors Peter Chen and Brian Noble. <http://>.
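Putting slides 7, 14 and 16 together as something runnable: an added example, not part of the Hermit Crab deck, that builds an isolated internal bridge in dom0 for the Heron sandboxes and writes Xen 3.x-style domU configs that attach only to it, so detonated samples cannot reach the external network while the analyst still reaches the guests over SSH from dom0. The bridge name, dom0 address, volume group and external interface name are assumptions.

```shell
#!/bin/sh
# Added example, not from the Hermit Crab deck: dom0-side setup for an isolated
# Xen bridge that the Heron sandboxes attach to, plus a generator for a
# Xen 3.x-style domU config. Bridge name, dom0 address, volume group and
# external interface are assumptions, not values from the presentation.
set -eu

INT_BRIDGE=xenbr-internal    # assumed name; never gets a physical uplink
DOM0_INT_ADDR=10.99.0.1/24   # assumed; lets dom0 ssh to the domUs
EXT_IFACE=eth0               # assumed external interface of dom0

# Create the isolated bridge (needs root and bridge-utils; not run on load).
# With no physical NIC on it, domU traffic can only reach other domUs and dom0.
setup_internal_bridge() {
    brctl addbr "$INT_BRIDGE"
    ip addr add "$DOM0_INT_ADDR" dev "$INT_BRIDGE"
    ip link set "$INT_BRIDGE" up
    # Never route sandbox traffic to the external NIC, even if ip_forward
    # is later turned on in dom0.
    iptables -I FORWARD -i "$INT_BRIDGE" -o "$EXT_IFACE" -j DROP
    iptables -I FORWARD -i "$EXT_IFACE" -o "$INT_BRIDGE" -j DROP
}

# Print a Xen domU config for sandbox $1 (1 for "Heron 1", and so on): one vif
# on the internal bridge; on_crash=preserve keeps a crashed guest's memory
# around for examination instead of discarding it.
make_heron_cfg() {
    n=$1
    mac=$(printf '00:16:3e:00:00:%02x' "$n")   # 00:16:3e is the Xen OUI
    cat <<EOF
name        = 'heron$n'
memory      = 512
vcpus       = 1
bootloader  = '/usr/bin/pygrub'
disk        = ['phy:/dev/vg0/heron$n,xvda,w']
vif         = ['mac=$mac,bridge=$INT_BRIDGE']
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'preserve'
EOF
}

# Return 0 if config text $1 has at least one vif and every vif sits on the
# internal bridge; run it before 'xm create' to catch a sandbox that was
# accidentally attached to the external bridge.
cfg_is_isolated() {
    bridges=$(printf '%s\n' "$1" | grep '^vif' | tr ',' '\n' |
              sed -n 's/.*bridge=\([A-Za-z0-9_.-]*\).*/\1/p')
    [ -n "$bridges" ] && ! printf '%s\n' "$bridges" | grep -vqx "$INT_BRIDGE"
}
```

Writing the three sandbox configs from the architecture slide is then `for i in 1 2 3; do make_heron_cfg "$i" > "/etc/xen/heron$i.cfg"; done`, with `cfg_is_isolated "$(cat /etc/xen/heron1.cfg)"` as the pre-flight check.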