cyber intelligence & response technology


Upload: jmical

Post on 16-Jan-2015


Page 1: CYBER INTELLIGENCE & RESPONSE TECHNOLOGY

www.accessdata.com

Digital Investigations of Any Kind

ONE COMPANY

Cyber Intelligence Response Technology (CIRT)

Page 2

Who we are...

• AccessData has been in this industry for over 25 years

• Offices in Utah, Houston, San Francisco, London, Virginia, Maryland, Frankfurt, Dubai, Australia and China

• Market leader / best-of-breed technologies in Forensics and eDiscovery

• 130,000+ clients globally

• Train over 6,000 customers each year

• Sustained annual growth year after year of between 60% and 80%

• Recognized by Gartner as an Innovator in the space

Page 3

AccessData Product & Services

Page 4

Paradigm Shift: Integrated Analysis in a Single Platform with Built-in Remediation

A Shift from Disparate Solutions. Traditional approach: point solutions do not provide a true “360-degree” look at what is happening.

Capabilities integrated in the one platform (diagram):

• Host-based Forensics

• Network Forensics

• Volatile Data

• Data Audit

• Removable Media Audit

• Malicious Code Analysis / Threat Scoring

Threat-scoring criteria shown in the diagram: Security / Process Functions, High Entropy, Dynamic Loading, Imports Process Manipulation Functions, Imports Security Functions, Imports Networking Functions, Registry Modification Functions, File Size Discrepancy, Contains Autorun Strings.

Page 5

CIRT Platform – Built on Validated Technology

Components shown in the diagram: Host Based Forensics, Volatile Data, Data Audit, Network Forensics

Page 6

CIRT – The Value of Integrated Analysis

Integrated Platform

CLASSIFIED DATA SPILLAGE

Agency proactively audits using terms such as “eyes only” and “top secret”. All instances are flagged for removal in accordance with federal agency policies.

VIRTUAL WORKFORCE

Laptop checks in at intervals to be scanned for anomalies, which are all recorded, including network and USB activity. Remote monitoring helps to identify any instance of IP theft.

INTRUSION ALERT

Unauthorized port 443 traffic. Visualize communications, drill down into the suspect host. Perform behavioral forensic analysis. Honeypot avoidance, crypto, dynamic loading, high entropy and other criteria indicate malware. The batch remediation function is leveraged.

CREDIT CARD INFORMATION REPORTED

Help desk is called, alerting them that an employee discovered credit card information in an unsecured location. Company reactively conducts a PCI audit to locate exposed cardholder information. Instances are wiped. Findings are reported.

ADVANCED MALWARE AND ZERO DAY DETECTION

Proactive monitoring identifies malicious code behaviors across multiple computers. Perform differential analysis of volatile data, then malware analysis / threat scoring. Analysis reveals malicious processes. Scan the large enterprise for the defined processes and/or similar behavior and issue batch remediation. Monitor for recurrence.

Page 7

Multi-Team Collaboration for Improved Emergency Response

• Incident Response Team

• Information Security Team

• Network Security Team

• Compliance Team

• Computer Forensics Team

Page 8

Key capabilities of the agent core

• Acts independently on/off network

• Has its own scheduler and local policy cache

• Agent can be installed as persistent or self-dissolving after x number of days

• There is a run-time version of the agent that allows full capability without the need to actually install the agent (this mode does not allow for persistent/scheduled functions)

• Has a protected storage area to securely store payload until it can communicate back to the site server

Page 9

The agent is made up of the following modules:

• Core: Responsible for managing communication, policy / job execution, defensive measures, delivering payload, and updating itself

• NetFS: Provides the filtering, searching, collection, and preservation capabilities (the same technology in the agent is what supports the network share capability)

• Cerberus: The ability to identify malware (with no prior knowledge) based on search/filter criteria on running systems or network shares across the enterprise. For example, a job could be defined to Stage 1 Cerberus score all executables on a given set of systems. Any files that have a high threat score will be automatically sent to Stage 2 Cerberus analysis. There are options to choose whether the files are preserved or just the metadata.

• Volatile: Users can now set up jobs to scan the enterprise, capture volatile data and interact with the data in review. The volatile data includes pre-built facets and the ability to view details for all of the volatile data payload. Volatile data includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, Registry, and Users.

• RAM: Users can now set up jobs to scan the network and analyze RAM along with volatile data (or RAM analysis alone) and interact with the data in review. The RAM analysis includes pre-built facets and the ability to view details for all of the RAM analysis. RAM analysis includes Processes, Network Sockets, DLLs, Handles, Drivers, Services, Network Devices, Processors, and Registry.

• RMM (Removable Media Module): Enables the targeted monitoring of files coming from and going to removable media (USB/FireWire/CD/DVD), with job options to record just metadata, or metadata and payload, for documents based on user-defined extensions. Results can be viewed, filtered and searched in the new review interface with the support of pre-made filter facets to quickly identify documents/files coming from or going to removable media.

• SilentRunner: Advanced host-based packet capture with robust filtering capabilities

• Remediation: Allows for the killing of processes and wiping of files

Page 10

CIRT – SilentRunner Agent Module

Key Capabilities

• Define operating parameters for the agent collector:
  o on/off
  o filter based on these IP addresses
  o filter based on these ports, protocols or applications
  o filter based on these IP addresses <to-from> these ports/protocols
  o define how much data can be collected
  o define if it stops collecting once it hits the maximum collection
  o define if it just has an open rolling buffer

• These settings would be applied as a policy/operating parameters
  o Specify beginning and end for application of the policy
  o Adhere to a schedule

• The pcap payload would be securely stored on the agent

• Agent will store and forward for ingestion into the centralized SilentRunner system for integrated and correlated analysis

Page 11

Intro to Cerberus

• CIRT is the first step towards automated reverse engineering so you can triage a binary before sending it for further analysis

• We tally all of the attributes we think are “interesting” into a score that you can sort by

• For each binary, you can then drill down into that score to see the attributes that we found that were similar to malicious binaries we’ve seen in the past

Page 12

What is Cerberus?

Cerberus reduces the level of expertise required to do malware analysis.

Ideal for first responders.

STATIC ANALYSIS / DATA FLOW ANALYSIS YIELDS SIMILAR RESULTS AS DYNAMIC ANALYSIS

STAGE ONE: Generic File/Metadata Analysis
• Identifies potentially malicious code, generates threat score.

STAGE TWO: Disassembly Analysis
• Runs elements of the code, without running the actual executable, to find out what the binary is capable of.

WORKS AGAINST…
• Binaries that live on disk or a network share
• System Memory – unpacked binaries

Mythology Trivia: Cerberus guards the gates of the underworld to prevent those who have crossed into Hades from escaping.

In other words… he prevents bad things from breaking free.

Page 13

Cerberus Analysis Approach

Cerberus uses a different approach than other products on the market because it doesn’t rely on:

• Dynamic analysis: often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.

• Traditional heuristics, such as monitoring modifications to the registry and the insertion of hooks into certain library or system interfaces: not based on the fundamental characteristics of malware.
  o High false positive / false negative rates.

• Signature-based / byte string analysis: cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.

NOTE: We are not relying on whitelists or signatures. We are able to assess behavior and identify intent without the above methodologies.

Page 14

What Does Cerberus Do?

STAGE ONE ANALYSIS

Executable Binary Analysis:
• Product Name
• Product Version
• Company Name, etc.
• Functions included in the Import Table
  o Network
  o Process
  o Security
  o Registry
  o Dynamic Loading, etc.
• Does the binary have high entropy (obfuscated)?
• Does the binary have signatures of:
  o Internet Relay Chat (“IRC”)
  o Shellcode
  o Cryptography (“Crypto”)
• Does the binary contain strings associated with autoruns?
• Digital Signature Verification

STAGE TWO ANALYSIS

Basic Disassembly Analysis:
• Integrated disassembly engine
• If using network functionality, potentially what host it is communicating with and over what protocol(s)
• If using network functionality, can it bypass proxy servers?
• For functions that require usernames and/or passwords, does the executable contain a static string indicating insider or advanced knowledge?

Advanced Disassembly Analysis:
• Automated unpacking
• Automated code and data flow analysis
• More advanced functionality interpretation
  o IP addresses and domain names used
  o Debugger and sandbox avoidance
  o Command and control functionality
  o Hooking techniques
  o Arbitrary code execution
  o Host forensic artifacts: registry settings, temp files, configuration files
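As an added example (not AccessData's code), the Python below shows how a Stage One tally of the attributes listed above could work: it checks the import table against the slide's categories, measures entropy, looks for autorun registry strings and a file size discrepancy, and sums weighted findings into a single sortable score with a drill-down list, which is the "tally into a score you can sort by" idea from the Cerberus intro. The API lists, weights, entropy threshold and the two sample inputs are my assumptions, not the product's.

```python
import math
import random
from collections import Counter
# Added example: a Stage 1 style attribute tally. Weights and API lists are my
# assumptions for illustration; the slides do not publish Cerberus's real ones.
IMPORT_CATEGORIES = {  # slide category -> (weight, well-known Win32 API names)
    "Networking": (2, {"InternetOpenA", "InternetConnectA", "HttpSendRequestA", "WSAStartup", "connect"}),
    "Process Manipulation": (3, {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    "Security": (2, {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueA"}),
    "Registry Modification": (2, {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteValueA"}),
    "Dynamic Loading": (1, {"LoadLibraryA", "GetProcAddress"}),
}
AUTORUN_STRINGS = [b"CurrentVersion\\Run", b"CurrentVersion\\RunOnce"]  # registry autostart keys
ENTROPY_THRESHOLD = 7.0  # bits per byte; packed or encrypted content approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_binary(imports, data: bytes, declared_size=None):
    """Tally attributes into a score; return (score, [(name, weight, evidence), ...]) for drill-down."""
    attrs = []
    for category, (weight, api_names) in IMPORT_CATEGORIES.items():
        hits = sorted(set(imports) & api_names)  # which flagged APIs the import table names
        if hits:
            attrs.append((f"Imports {category} Functions", weight, hits))
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:  # obfuscated/packed payload
        attrs.append(("High Entropy", 3, [f"{entropy:.2f} bits/byte"]))
    autoruns = [s.decode() for s in AUTORUN_STRINGS if s in data]
    if autoruns:  # persistence via an autostart registry key
        attrs.append(("Contains Autorun Strings", 3, autoruns))
    if declared_size is not None and declared_size != len(data):  # header size vs. bytes on disk
        attrs.append(("File Size Discrepancy", 1, [f"declared {declared_size}, actual {len(data)}"]))
    return sum(w for _, w, _ in attrs), attrs

def triage(samples):
    """Rank (label, imports, data, declared_size) samples by score, highest first."""
    ranked = [(label, *score_binary(imps, data, size)) for label, imps, data, size in samples]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

# Constructed inputs, not real binaries: a pseudo-random "packed" blob that also embeds an autorun key, and a plain one
_rng = random.Random(7)
SUSPECT_BYTES = bytes(_rng.getrandbits(8) for _ in range(4096)) + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SUSPECT_IMPORTS = ["InternetConnectA", "HttpSendRequestA", "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExA", "LoadLibraryA", "GetProcAddress", "CreateFileA"]
BENIGN_BYTES = b"This program cannot be run in DOS mode.\r\n" * 100
BENIGN_IMPORTS = ["CreateFileA", "ReadFile", "WriteFile", "MessageBoxA"]
```

Calling `triage([("suspect", SUSPECT_IMPORTS, SUSPECT_BYTES, 1024), ("benign", BENIGN_IMPORTS, BENIGN_BYTES, len(BENIGN_BYTES))])` ranks the packed sample first with its contributing attributes listed, and the plain sample scores zero.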

Page 15

CIRT – Cerberus Threat Analysis Report

Page 16

Stage 1 Cerberus Analysis

Page 17

Stage 1 Cerberus Analysis Continued

Page 18

Has File Access Functions

Page 19

Has Process Manipulation

Page 20

Has Networking Functions

Page 21

Arguments for InternetConnectA

Page 22

Show me in Real-Time…

Page 23

Show me more…

Page 24

Perform Interactive Review of Web Content

Page 25

So what?!

• This info will give you insight you’ve never had before, in seconds!

• Your reverse engineering team will love you because you’ll finally know what causes you concern other than “it looked weird”

• If you’re a reverse engineer, this will save you a ton of time!

Page 26

CIRT – Removable Media Module

Key Capabilities

• Supports data copied to or from removable media
  o Data copied from computer with agent
  o Data copied from removable media to machine with agent

• Configurable parameters of what gets captured on the agent, such as:
  o Files with a given set of extensions
  o Ability to turn it on/off
  o Ability for it to turn on/off between a date range
  o Capture metadata only
  o Capture the entire file
  o Capture metadata for all files but preserve files based on a given filter criteria
  o Ability to trigger capture based on a filename
  o Ability to trigger capture based on file metadata (extension/filename)

• Ability to have triggers
  o Does not track anything unless the file meets filter criteria

• Ability to BLOCK any copy/paste operation to removable media

• Ability to track files opened from USB/removable media on the host computer

• Ability to view and analyze files that were captured as part of interactive review

Administrative Capabilities

• The operator has a way to define parameters and apply policy/operating rules to the agent(s) and check status

• Ability to view activity in the form of reports
  o By user
  o By source
  o By date range

• The metadata captured will be accessible to a 3rd party application (such as ArcSight) that can query the tables that contain this information:
  o Node name
  o Name and extension of files copied to removable media
  o Date/time a given item was copied to/from removable media

• Preserved data will be temporarily stored on the host machine in protected storage until it is picked up for processing/reporting

• Ability to specify the maximum amount of storage that could be used
  o Ability to specify what happens when the secure storage runs out of space
    ▪ Open buffer
    ▪ Keep what it has and stop tracking

Page 27

Perform Interactive Review of Removable Media

Page 28

Perform Interactive Review of Removable Media

Page 29

Perform Interactive Review of Volatile Data

Page 30

CIRT – Architecture

Components shown in the architecture diagram:

• Web Console

• Application/Web Logging DB (MS SQL)

• DB/Processing

• Private Site Server (two shown)

• Public Site Server

• Agents (workstations/laptops/servers)

• Network Shares (non-agent data sources)

• SilentRunner

• Nodes with Proxy Agent

Page 31

Jason Mical
Director of Network Forensics
AccessData Group

Thank You!