SlideShare uma empresa Scribd logo

HERMIT CRAB: Holistic Evidence Reconstruction of Malware

M
matthew.maisel

Say hello to Frank.

EducaçãoTecnologia
1 de 27
Baixar para ler offline
HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
The Team Dr. Chao H. Chu, CEO Brian Matthew Matthew Reitz, Maisel, Dinkel CISO CIO Albert Chen, Server Admin
The Idea Network by XKCD Source: http://www.xkcd.com/350/
The Purpose Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. XOR- "Fast-flux" Payload Polymorphism encrypted DNS migration verification shellcode
Static Analysis is Difficult "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." -Dr. Wietse Zweitze Venema
Meet Frank the Hermit Crab “Forensic Response Analytic Network Kit” “Shout out to Tom Sennett”
Xen/Hermit Crab Architecture Xen hypervisor Ubuntu Hardy Server Ubuntu Dom0 ssh.d vnc Hardy Hardy Hardy OSSIM Heron 1 Heron 2 Heron 3
Open Source Security Information Management (OSSIM) OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
OSSIM Components Arpwatch • used for MAC anomaly detection. P0f • used for passive OS detection and OS change analysis. Nessus • used for vulnerability assessment and for cross correlation (IDS vs Security Scanner). Snort • the IDS, also used for cross correlation with nessus. Spade • the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures. Ntop • which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection. Nagios •  fed from the host asset database, it monitors host and service availability information. OSSEC •  integrity, rootkit, registry detection, and more.
OSSIM Architecture
OSSIM Profiles All-In- Server One Sensor
Similar Projects The Virtual Network Security Analysis Lab Labs (esp. Snort) Email Malware Recovery Analysis lab Exercise
DEMONSTRATION
SSH access •  To dom0 •  And domUs
Xen overview
DomU networking •  Internal networking •  External networking
OSSIM Portal
Executive dashboard
Aggregated risks
Incident tickets
Security events
Vulnerability assessments
Monitors
Useful for tracing security incidents
Forensic console
References 1.  Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic %20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf 2.  Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book 3.  Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103? show=2103.php&cat=malicious 4.  “InMAS: Internet Malware Analysis System”. CWSandbox. University of Mannheim. http://www.cwsandbox.org/ 5.  Lyon, Gordon. “Chapter 12. Zenmap GUI Users’ Guide: Surfing the Network Topology.” Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html 6.  Masgood, S.G. “Malware Analysis for Administrators.” SecurityFocus. http://www.securityfocus.com/infocus/1780 7.  Munroe, Randall. “Network.” XKCD. http://xkcd.com/350/ 8.  “OSSIM Architecture.” OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture 9.  Provos, Neil. “Developments of the Honeyd Virtual Honeypot”. http://www.honeyd.org/index.php 10.  Roesch, Martin and others. “About Snort”. Sourcefire. http://www.snort.org/snort 11.  “SiLK - System for Internet-Level Knowledge”. CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/ 12.  Venema, Wietse. “Chapter 6: Malware Analysis Basics.” Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html 13.  “Xen Hypervisor - Leading Open Source Hypervisor for Servers”. Xen.org. Citrix System, Inc. http://www.xen.org/products/xenhyp.html 14.  "Virtual-machine based security services." Professors Peter Chen and Brian Noble. <http:// www.eecs.umich.edu/virtual/>.

Recomendados

Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcampGregory Hanis
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09Dr. Jayaraj Poroor
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 

Recomendados

Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcampGregory Hanis
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09Dr. Jayaraj Poroor
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksJignesh Patel
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux serversJuan Carlos Pérez Pardo
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...UzairAhmad81
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System Deris Stiawan
 
IDS Network security - Bouvry
IDS Network security - BouvryIDS Network security - Bouvry
IDS Network security - Bouvrygh02
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS AttackRedZone Technologies
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDSAlfredo Hickman
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS AttacksVitor Jesus
 
603535ransomware
603535ransomware603535ransomware
603535ransomwareAlexander Constantinou
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinuxRene Cunningham
 
Network administration
Network administrationNetwork administration
Network administrationJobUrban.com
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 

Mais conteúdo relacionado

Mais procurados

2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...UzairAhmad81
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System Deris Stiawan
 
IDS Network security - Bouvry
IDS Network security - BouvryIDS Network security - Bouvry
IDS Network security - Bouvrygh02
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday UsersPaulWay
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDSAlfredo Hickman
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Network administration
Network administrationNetwork administration
Network administrationJobUrban.com
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 

Mais procurados (20)

DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux servers
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System Network Attack and Intrusion Prevention System
Network Attack and Intrusion Prevention System
 
IDS Network security - Bouvry
IDS Network security - BouvryIDS Network security - Bouvry
IDS Network security - Bouvry
 
SELinux for Everyday Users
SELinux for Everyday UsersSELinux for Everyday Users
SELinux for Everyday Users
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244
 
5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack5 Ways To Fight A DDoS Attack
5 Ways To Fight A DDoS Attack
 
Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDS
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
603535ransomware
603535ransomware603535ransomware
603535ransomware
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
Network administration
Network administrationNetwork administration
Network administration
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 

Semelhante a HERMIT CRAB: Holistic Evidence Reconstruction of Malware

Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threatsMartin Holovský
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiStonesoft
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity InnovationPete Burnap
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionDavid Perkins
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMAlienVault
 

Semelhante a HERMIT CRAB: Holistic Evidence Reconstruction of Malware (20)

Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
9(1)
9(1)9(1)
9(1)
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewski
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity Innovation
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Thinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and PreventionThinking Differently About Security Protection and Prevention
Thinking Differently About Security Protection and Prevention
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USM
 

Último

call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 

Último (20)

call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 

HERMIT CRAB: Holistic Evidence Reconstruction of Malware

  • 1. HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
  • 2. The Team Dr. Chao H. Chu, CEO Brian Matthew Matthew Reitz, Maisel, Dinkel CISO CIO Albert Chen, Server Admin
  • 3. The Idea Network by XKCD Source: http://www.xkcd.com/350/
  • 4. The Purpose Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. XOR- "Fast-flux" Payload Polymorphism encrypted DNS migration verification shellcode
  • 5. Static Analysis is Difficult "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." -Dr. Wietse Zweitze Venema
  • 6. Meet Frank the Hermit Crab “Forensic Response Analytic Network Kit” “Shout out to Tom Sennett”
  • 7.
  • 8. Xen/Hermit Crab Architecture Xen hypervisor Ubuntu Hardy Server Ubuntu Dom0 ssh.d vnc Hardy Hardy Hardy OSSIM Heron 1 Heron 2 Heron 3
  • 9. Open Source Security Information Management (OSSIM) OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
  • 10. OSSIM Components Arpwatch • used for MAC anomaly detection. P0f • used for passive OS detection and OS change analysis. Nessus • used for vulnerability assessment and for cross correlation (IDS vs Security Scanner). Snort • the IDS, also used for cross correlation with nessus. Spade • the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures. Ntop • which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection. Nagios •  fed from the host asset database, it monitors host and service availability information. OSSEC •  integrity, rootkit, registry detection, and more.
  • 12. OSSIM Profiles All-In- Server One Sensor
  • 13. Similar Projects The Virtual Network Security Analysis Lab Labs (esp. Snort) Email Malware Recovery Analysis lab Exercise
  • 15. SSH access •  To dom0 •  And domUs
  • 17. DomU networking •  Internal networking •  External networking
  • 25. Useful for tracing security incidents
  • 27. References 1.  Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic %20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf 2.  Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book 3.  Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103? show=2103.php&cat=malicious 4.  “InMAS: Internet Malware Analysis System”. CWSandbox. University of Mannheim. http://www.cwsandbox.org/ 5.  Lyon, Gordon. “Chapter 12. Zenmap GUI Users’ Guide: Surfing the Network Topology.” Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html 6.  Masgood, S.G. “Malware Analysis for Administrators.” SecurityFocus. http://www.securityfocus.com/infocus/1780 7.  Munroe, Randall. “Network.” XKCD. http://xkcd.com/350/ 8.  “OSSIM Architecture.” OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture 9.  Provos, Neil. “Developments of the Honeyd Virtual Honeypot”. http://www.honeyd.org/index.php 10.  Roesch, Martin and others. “About Snort”. Sourcefire. http://www.snort.org/snort 11.  “SiLK - System for Internet-Level Knowledge”. CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/ 12.  Venema, Wietse. “Chapter 6: Malware Analysis Basics.” Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html 13.  “Xen Hypervisor - Leading Open Source Hypervisor for Servers”. Xen.org. Citrix System, Inc. http://www.xen.org/products/xenhyp.html 14.  "Virtual-machine based security services." Professors Peter Chen and Brian Noble. <http:// www.eecs.umich.edu/virtual/>.

Notas do Editor

  1. Project Vision: A forensic tool for investigators and researchers to forensically examine the behavior of malware across networks, in order to reconstruct and study viral techniques to propagate across a compromised network of systems.
  2. These techniques take time and resources to analyze, and static analysis is too human-resource intensive to be practical.
  3. Virus, Worms, and Botnets are often challenging for forensic investigators to identify and uncloak. Most of the payloads require write permissions, so the use of write-protection forensic tools makes it difficult to see what the malware is actually doing. In most cases, once malicious code has been identified, it is executed in a sandboxed virtual machine. While this will give an investigator an idea what the payload does, it doesn’t always give a full picture, especially in networked environments. The use of a virus aquarium will attempt to augment static (and potentially live) forensic investigations of malware-infected networks with captured network traffic and logs from the operating system and application level.