Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Hermit Crab Presentation
Ähnlich wie Hermit Crab Presentation (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Hermit Crab Presentation
- 1. HERMIT CRAB Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
- 2. The Team Dr. Chao H. Chu, CEO Brian Matthew Matthew Reitz, Maisel, Dinkel CISO CIO Albert Chen, Server Admin
- 3. The Idea Network by XKCD Source: http://www.xkcd.com/350/
- 4. The Purpose Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. XOR- "Fast-flux" Payload Polymorphism encrypted DNS migration verification shellcode
- 5. Static Analysis is Difficult "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." -Dr. Wietse Zweitze Venema
- 6. Meet Frank the Hermit Crab “Forensic Response Analytic Network Kit” “Shout out to Tom Sennett”
- 8. Xen/Hermit Crab Architecture Xen hypervisor Ubuntu Hardy Server Ubuntu Dom0 ssh.d vnc Hardy Hardy Hardy OSSIM Heron 1 Heron 2 Heron 3
- 9. Open Source Security Information Management (OSSIM) OSSIM provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
- 10. OSSIM Components Arpwatch • used for MAC anomaly detection. P0f • used for passive OS detection and OS change analysis. Nessus • used for vulnerability assessment and for cross correlation (IDS vs Security Scanner). Snort • the IDS, also used for cross correlation with nessus. Spade • the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures. Ntop • which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection. Nagios • fed from the host asset database, it monitors host and service availability information. OSSEC • integrity, rootkit, registry detection, and more.
- 12. OSSIM Profiles All-In- Server One Sensor
- 13. Similar Projects The Virtual Network Security Analysis Lab Labs (esp. Snort) Email Malware Recovery Analysis lab Exercise
- 14. DEMONSTRATION
- 15. SSH access • To dom0 • And domUs
- 16. Xen overview
- 17. DomU networking • Internal networking • External networking
- 18. OSSIM Portal
- 20. Aggregated risks
- 21. Incident tickets
- 22. Security events
- 24. Monitors
- 25. Useful for tracing security incidents
- 26. Forensic console
- 27. References 1. Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic %20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf 2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book 3. Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103? show=2103.php&cat=malicious 4. “InMAS: Internet Malware Analysis System”. CWSandbox. University of Mannheim. http://www.cwsandbox.org/ 5. Lyon, Gordon. “Chapter 12. Zenmap GUI Users’ Guide: Surfing the Network Topology.” Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html 6. Masgood, S.G. “Malware Analysis for Administrators.” SecurityFocus. http://www.securityfocus.com/infocus/1780 7. Munroe, Randall. “Network.” XKCD. http://xkcd.com/350/ 8. “OSSIM Architecture.” OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture 9. Provos, Neil. “Developments of the Honeyd Virtual Honeypot”. http://www.honeyd.org/index.php 10. Roesch, Martin and others. “About Snort”. Sourcefire. http://www.snort.org/snort 11. “SiLK - System for Internet-Level Knowledge”. CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/ 12. Venema, Wietse. “Chapter 6: Malware Analysis Basics.” Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html 13. “Xen Hypervisor - Leading Open Source Hypervisor for Servers”. Xen.org. Citrix System, Inc. http://www.xen.org/products/xenhyp.html 14. "Virtual-machine based security services." Professors Peter Chen and Brian Noble. <http:// www.eecs.umich.edu/virtual/>.
Hinweis der Redaktion
- Project Vision: A forensic tool for investigators and researchers to forensically examine the behavior of malware across networks, in order to reconstruct and study viral techniques to propagate across a compromised network of systems.
- These techniques take time and resources to analyze, and static analysis is too human-resource intensive to be practical.
- Virus, Worms, and Botnets are often challenging for forensic investigators to identify and uncloak. Most of the payloads require write permissions, so the use of write-protection forensic tools makes it difficult to see what the malware is actually doing. In most cases, once malicious code has been identified, it is executed in a sandboxed virtual machine. While this will give an investigator an idea what the payload does, it doesn’t always give a full picture, especially in networked environments. The use of a virus aquarium will attempt to augment static (and potentially live) forensic investigations of malware-infected networks with captured network traffic and logs from the operating system and application level.