Hermit Crab Presentation


Say hello to Frank.

Text of Hermit Crab Presentation

  • 1. HERMIT CRAB: Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior

  • 2. The Team: Dr. Chao H. Chu, CEO; Brian Reitz, Matthew Maisel, Matthew Dinkel (CISO, CIO); Albert Chen, Server Admin

  • 3. The Idea: "Network" by XKCD. Source: http://www.xkcd.com/350/

  • 4. The Purpose: Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host. Examples: XOR-encrypted shellcode; "fast-flux" DNS migration; payload verification; polymorphism.

  • 5. Static Analysis is Difficult: "Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident." -Dr. Wietse Zweitze Venema

  • 6. Meet Frank the Hermit Crab: Forensic Response Analytic Network Kit. Shout out to Tom Sennett.

  • 7. Xen/Hermit Crab Architecture: Xen hypervisor; Dom0 running Ubuntu Hardy Server (sshd, vnc); Ubuntu Hardy domUs: OSSIM, Heron 1, Heron 2, Heron 3.

  • 8. Open Source Security Information Management (OSSIM): OSSIM provides a strong correlation engine, detailed low-, medium- and high-level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.

  • 9. OSSIM Components:
    - Arpwatch: used for MAC anomaly detection.
    - P0f: used for passive OS detection and OS change analysis.
    - Nessus: used for vulnerability assessment and for cross correlation (IDS vs. security scanner).
    - Snort: the IDS, also used for cross correlation with Nessus.
    - Spade: the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.
    - Ntop: builds an impressive network information database from which we can identify aberrant behavior (anomaly detection).
    - Nagios: fed from the host asset database, it monitors host and service availability information.
    - OSSEC: integrity, rootkit, registry detection, and more.

  • 10. OSSIM Architecture

  • 11. OSSIM Profiles: All-In-One; Server; Sensor

  • 12. Similar Projects: The Virtual Network Security Analysis Lab; Labs (esp. Snort); Email Malware Analysis lab; Recovery Exercise

  • 13. DEMONSTRATION

  • 14. SSH access to dom0 and domUs

  • 15. Xen overview

  • 16. DomU networking: internal networking; external networking

  • 17. OSSIM Portal

  • 18. Executive dashboard

  • 19. Aggregated risks

  • 20. Incident tickets

  • 21. Security events

  • 22. Vulnerability assessments

  • 23. Monitors

  • 24. Useful for tracing security incidents

  • 25. Forensic console

  • 26. References
    1. Brand, Murray. Forensic Analysis Avoidance Techniques of Malware. Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
    2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing: 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book
    3. Distler, Dennis. Malware Analysis: An Introduction. SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious
    4. InMAS: Internet Malware Analysis System. CWSandbox. University of Mannheim. http://www.cwsandbox.org/
    5. Lyon, Gordon. Chapter 12. Zenmap GUI Users Guide: Surfing the Network Topology. Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html
    6. Masgood, S.G. Malware Analysis for Administrators. SecurityFocus. http://www.securityfocus.com/infocus/1780
    7. Munroe, Randall. Network. XKCD. http://xkcd.com/350/
    8. OSSIM Architecture. OSSIM Documentation Wiki. Alienvault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture
    9. Provos, Niels. Developments of the Honeyd Virtual Honeypot. http://www.honeyd.org/index.php
    10. Roesch, Martin and others. About Snort. Sourcefire. http://www.snort.org/snort
    11. SiLK - System for Internet-Level Knowledge. CERT NetSA. Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/
    12. Venema, Wietse. Chapter 6: Malware Analysis Basics. Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
    13. Xen Hypervisor - Leading Open Source Hypervisor for Servers. Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html
    14. "Virtual-machine based security services." Professors Peter Chen and Brian Noble.