hermit crab presentation

Post on 18-May-2015


DESCRIPTION

Say hello to Frank.

TRANSCRIPT

HERMIT CRAB: Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior

The Team

Dr. Chao H. Chu, CEO

Brian Reitz, CISO

Matthew Maisel, CIO

Albert Chen, Server Admin

Matthew Dinkel

The Idea

Source: http://www.xkcd.com/350/

Network by XKCD

The Purpose

Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host.

Polymorphism

"Fast-flux" DNS migration

Payload verification

XOR-encrypted shellcode

Static Analysis is Difficult

"Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident."

-Dr. Wietse Zweitze Venema

Meet Frank the Hermit Crab

“Shout out to Tom Sennett”

“Forensic Response Analytic Network Kit”

Xen/Hermit Crab Architecture

Xen hypervisor

Dom0: Ubuntu Hardy Server (sshd, vnc)

DomUs: Hardy Heron 1, Hardy Heron 2, Hardy Heron 3 (OSSIM)

Open Source Security Information Management (OSSIM)

OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.

OSSIM Components

Arpwatch • used for MAC anomaly detection.

P0f • used for passive OS detection and OS change analysis.

Nessus • used for vulnerability assessment and for cross correlation (IDS vs. security scanner).

Snort • the IDS, also used for cross correlation with Nessus.

Spade • the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.

Ntop • builds an extensive network information database from which aberrant behavior can be identified (anomaly detection).

Nagios • fed from the host asset database, it monitors host and service availability.

OSSEC • integrity checking, rootkit detection, registry monitoring, and more.
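As an added illustration of the sensor-level detections listed above (example code, not part of the Hermit Crab project or of OSSIM itself): a small Python tracker that reproduces the event classes arpwatch reports (new station, changed ethernet address, flip flop) and p0f-style OS change detection over one observation stream, then cross-correlates the two the way the OSSIM correlation engine would. The observation list, addresses and OS fingerprints are constructed for the example.

```python
"""Arpwatch/p0f-style change detection with OSSIM-style cross correlation."""
from collections import defaultdict

# Constructed observations: (timestamp, ip, mac, p0f OS guess). Not real captures.
OBSERVATIONS = [
    (1, "10.0.0.5", "00:11:22:33:44:55", "Linux 2.6"),
    (2, "10.0.0.7", "00:11:22:33:44:66", "Windows XP"),
    (3, "10.0.0.5", "00:11:22:33:44:55", "Linux 2.6"),
    (4, "10.0.0.5", "00:11:22:33:44:99", "Linux 2.6"),  # MAC changed
    (5, "10.0.0.5", "00:11:22:33:44:55", "Linux 2.6"),  # back again: flip flop
    (6, "10.0.0.7", "00:11:22:33:44:66", "FreeBSD 7"),  # OS fingerprint changed
    (7, "10.0.0.9", "00:11:22:33:44:aa", "Windows XP"),
    (8, "10.0.0.9", "00:11:22:33:44:bb", "Linux 2.6"),  # MAC and OS both changed
]


def track_changes(observations):
    """Return (ts, ip, event, old, new) alerts for MAC and OS fingerprint changes."""
    mac_state = {}   # ip -> MAC currently bound to it
    prev_mac = {}    # ip -> MAC it was bound to before the last change
    os_state = {}    # ip -> last OS fingerprint seen
    alerts = []
    for ts, ip, mac, os_guess in observations:
        if ip not in mac_state:
            alerts.append((ts, ip, "new station", None, mac))
        elif mac != mac_state[ip]:
            # A return to the previous MAC is arpwatch's "flip flop" case.
            event = "flip flop" if prev_mac.get(ip) == mac else "changed ethernet address"
            alerts.append((ts, ip, event, mac_state[ip], mac))
            prev_mac[ip] = mac_state[ip]
        mac_state[ip] = mac
        if ip in os_state and os_guess != os_state[ip]:
            alerts.append((ts, ip, "os change", os_state[ip], os_guess))
        os_state[ip] = os_guess
    return alerts


def correlate(alerts):
    """Cross correlation: an IP whose MAC *and* OS fingerprint both changed is a
    stronger sign of a replaced or spoofed host than either sensor's event alone."""
    events_by_ip = defaultdict(set)
    for _, ip, event, _, _ in alerts:
        events_by_ip[ip].add(event)
    mac_events = {"changed ethernet address", "flip flop"}
    return sorted(ip for ip, ev in events_by_ip.items()
                  if ev & mac_events and "os change" in ev)


if __name__ == "__main__":
    found = track_changes(OBSERVATIONS)
    for alert in found:
        print(alert)
    print("correlated hosts:", correlate(found))
```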

OSSIM Architecture

OSSIM Profiles

All-In-One Server

Sensor

Similar Projects

The Virtual Security Labs

Network Analysis Lab (esp. Snort)

Malware Analysis lab

Email Recovery Exercise

DEMONSTRATION

SSH access

• To dom0

• And domUs

Xen overview

DomU networking

• Internal networking

• External networking

OSSIM Portal

Executive dashboard

Aggregated risks

Incident tickets

Security events

Vulnerability assessments

Monitors

Useful for tracing security incidents

Forensic console

References

1. Brand, Murray. "Forensic Analysis Avoidance Techniques of Malware." Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf

2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book

3. Distler, Dennis. "Malware Analysis: An Introduction." SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious

4. "InMAS: Internet Malware Analysis System." CWSandbox. University of Mannheim. http://www.cwsandbox.org/

5. Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html

6. Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus. http://www.securityfocus.com/infocus/1780

7. Munroe, Randall. "Network." XKCD. http://xkcd.com/350/

8. "OSSIM Architecture." OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture

9. Provos, Niels. "Developments of the Honeyd Virtual Honeypot." http://www.honeyd.org/index.php

10. Roesch, Martin, and others. "About Snort." Sourcefire. http://www.snort.org/snort

11. "SiLK - System for Internet-Level Knowledge." CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/

12. Venema, Wietse. "Chapter 6: Malware Analysis Basics." Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html

13. "Xen Hypervisor - Leading Open Source Hypervisor for Servers." Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html

14. "Virtual-machine based security services." Professors Peter Chen and Brian Noble. http://www.eecs.umich.edu/virtual/
