hermit crab presentation

HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior

Upload: matthewmaisel

Post on 18-May-2015


DESCRIPTION

Say hello to Frank.

TRANSCRIPT

Page 1: Hermit Crab Presentation

HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior

Page 2: Hermit Crab Presentation

The Team

Dr. Chao H. Chu, CEO

Brian Reitz, CISO

Matthew Maisel, CIO

Albert Chen, Server Admin

Matthew Dinkel

Page 3: Hermit Crab Presentation

The Idea

Source: http://www.xkcd.com/350/

Network by XKCD

Page 4: Hermit Crab Presentation

The Purpose

Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host.

•  Polymorphism

•  "Fast-flux" DNS migration

•  Payload verification

•  XOR-encrypted shellcode

Page 5: Hermit Crab Presentation

Static Analysis is Difficult

"Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident."

-Dr. Wietse Zweitze Venema

Page 6: Hermit Crab Presentation

Meet Frank the Hermit Crab

“Shout out to Tom Sennett”

“Forensic Response Analytic Network Kit”

Page 7: Hermit Crab Presentation

Page 8: Hermit Crab Presentation

Xen/Hermit Crab Architecture

[Architecture diagram; labels recovered from the slide:]

•  Xen hypervisor

•  Ubuntu Dom0 (Ubuntu Hardy Server: ssh.d, vnc)

•  Hardy Heron 1

•  Hardy Heron 2

•  Hardy Heron 3 OSSIM

Page 9: Hermit Crab Presentation

Open Source Security Information Management (OSSIM)

OSSIM provides a strong correlation engine; detailed low-, medium- and high-level visualization interfaces; and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.

Page 10: Hermit Crab Presentation

OSSIM Components

•  Arpwatch: used for MAC anomaly detection.

•  P0f: used for passive OS detection and OS change analysis.

•  Nessus: used for vulnerability assessment and for cross correlation (IDS vs. security scanner).

•  Snort: the IDS, also used for cross correlation with Nessus.

•  Spade: the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.

•  Ntop: builds an impressive network information database from which we can identify aberrant behavior (anomaly detection).

•  Nagios: fed from the host asset database, it monitors host and service availability information.

•  OSSEC: integrity, rootkit, registry detection, and more.

Page 11: Hermit Crab Presentation

OSSIM Architecture

Page 12: Hermit Crab Presentation

OSSIM Profiles

All-In-One Server

Sensor

Page 13: Hermit Crab Presentation

Similar Projects

The Virtual Security Labs

Network Analysis Lab (esp. Snort)

Malware Analysis lab

Email Recovery Exercise

Page 14: Hermit Crab Presentation

DEMONSTRATION

Page 15: Hermit Crab Presentation

SSH access

•  To dom0

•  And domUs

Page 16: Hermit Crab Presentation

Xen overview

Page 17: Hermit Crab Presentation

DomU networking

•  Internal networking

•  External networking

Page 18: Hermit Crab Presentation

OSSIM Portal

Page 19: Hermit Crab Presentation

Executive dashboard

Page 20: Hermit Crab Presentation

Aggregated risks

Page 21: Hermit Crab Presentation

Incident tickets

Page 22: Hermit Crab Presentation

Security events

Page 23: Hermit Crab Presentation

Vulnerability assessments

Page 24: Hermit Crab Presentation

Monitors

Page 25: Hermit Crab Presentation

Useful for tracing security incidents

Page 26: Hermit Crab Presentation

Forensic console

Page 27: Hermit Crab Presentation

References

1.  Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf

2.  Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book

3.  Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious

4.  "InMAS: Internet Malware Analysis System." CWSandbox. University of Mannheim. http://www.cwsandbox.org/

5.  Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html

6.  Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus. http://www.securityfocus.com/infocus/1780

7.  Munroe, Randall. "Network." XKCD. http://xkcd.com/350/

8.  "OSSIM Architecture." OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture

9.  Provos, Niels. "Developments of the Honeyd Virtual Honeypot." http://www.honeyd.org/index.php

10.  Roesch, Martin and others. "About Snort." Sourcefire. http://www.snort.org/snort

11.  "SiLK - System for Internet-Level Knowledge." CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/

12.  Venema, Wietse. "Chapter 6: Malware Analysis Basics." Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html

13.  "Xen Hypervisor - Leading Open Source Hypervisor for Servers." Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html

14.  "Virtual-machine based security services." Professors Peter Chen and Brian Noble. http://www.eecs.umich.edu/virtual/