HERMIT CRAB
Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
The Team

Dr. Chao H. Chu, CEO
Brian Reitz, CISO
Matthew Maisel, CIO
Matthew Dinkel
Albert Chen, Server Admin
The Idea

"Network" by XKCD
Source: http://www.xkcd.com/350/
The Purpose

Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host:

• Polymorphism
• "Fast-flux" DNS migration
• Payload verification
• XOR-encrypted shellcode
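An added illustration of the last item, written for this page rather than taken from the presentation: one stand-in payload encoded under two different single-byte XOR keys shares no byte positions with itself, so a signature built on one encoding misses the other, while a brute force over the 256 possible keys (most plausible key first) recovers the payload so it can be matched and then run under observation. The payload, the signature string and the keys are constructed.

```python
"""Why a byte signature misses XOR-encoded shellcode, and how the single-byte
key is recovered so the decoded payload can be matched.

Added illustrative example, not Hermit Crab code. The "shellcode" is a
constructed stand-in: a NOP sled (0x90) followed by a marker string that a
static signature would key on."""
from collections import Counter

PLAIN_PAYLOAD = b"\x90" * 32 + b"/bin/sh\x00" + b"\xcc\xcc"  # constructed
SIGNATURE = b"/bin/sh"  # the byte pattern a static scanner looks for


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR. XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def signature_hits(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    return sig in blob


def polymorphic_variants(payload: bytes, keys) -> list:
    """One logical payload, many byte-level appearances: each key yields a
    different blob, so a signature built on one variant misses the others."""
    return [xor_encode(payload, k) for k in keys]


def matching_positions(a: bytes, b: bytes) -> int:
    """How many byte positions two same-length blobs agree on."""
    return sum(1 for x, y in zip(a, b) if x == y)


def recover_xor_key(blob: bytes, sig: bytes = SIGNATURE) -> int:
    """Brute-force the 256 possible keys, trying the most plausible first: the
    most frequent ciphertext byte usually hides a NOP (0x90) or a zero, because
    sleds and padding dominate real shellcode. Returns the key whose decoding
    contains the signature, or -1 if none does."""
    most_common = Counter(blob).most_common(1)[0][0]
    first = [most_common ^ 0x90, most_common ^ 0x00]
    for key in first + [k for k in range(256) if k not in first]:
        if sig in xor_encode(blob, key):
            return key
    return -1


def main():
    a, b = polymorphic_variants(PLAIN_PAYLOAD, [0x5A, 0xA7])
    print("signature on plain   :", signature_hits(PLAIN_PAYLOAD))
    print("signature on encoded :", signature_hits(a), signature_hits(b))
    print("positions shared by the two variants:", matching_positions(a, b))
    key = recover_xor_key(a)
    print("recovered key: 0x%02x, decoded matches: %s"
          % (key, xor_encode(a, key) == PLAIN_PAYLOAD))


if __name__ == "__main__":
    main()
```

The point for the analyst is the last line of output: the encoding hides the marker from a static scanner, yet the key space is so small that decoding is cheap once you have the blob, which is why the sandbox approach on the following slides captures what the payload does rather than what it looks like.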
Static Analysis is Difficult

"Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident."
-Dr. Wietse Zweitze Venema
Meet Frank the Hermit Crab
“Forensic Response Analytic Network Kit”
“Shout out to Tom Sennett”
Xen/Hermit Crab Architecture

Xen hypervisor
• Ubuntu Dom0 (Ubuntu Hardy Server): sshd, vnc
• DomUs: Hardy Heron 1, Hardy Heron 2, Hardy Heron 3, OSSIM
Open Source Security Information Management (OSSIM)

OSSIM provides a strong correlation engine, detailed low-, medium- and high-level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
OSSIM Components

Arpwatch
  • used for MAC anomaly detection.

P0f
  • used for passive OS detection and OS change analysis.

Nessus
  • used for vulnerability assessment and for cross correlation (IDS vs. security scanner).

Snort
  • the IDS, also used for cross correlation with Nessus.

Spade
  • the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.

Ntop
  • builds a detailed network information database from which aberrant behavior can be identified (anomaly detection).

Nagios
  • fed from the host asset database, it monitors host and service availability.

OSSEC
  • file integrity checking, rootkit detection, registry monitoring, and more.
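An added example of the cross-correlation these components feed, written for this page rather than taken from OSSIM or from Hermit Crab: constructed arpwatch syslog lines, p0f fingerprints and Snort alert_fast lines, plus one constructed Nessus finding, are parsed into per-host events and joined two ways, Snort against Nessus (an alert on a host/port the scanner already flagged is more believable) and arpwatch against p0f (a MAC change plus an OS fingerprint change on one address). The asset values, reliability weights and Snort-priority mapping are assumptions; the risk formula follows the asset × priority × reliability scheme OSSIM documents, with the divisor and scales assumed to match it.

```python
"""Cross-correlating OSSIM-style sensor feeds: arpwatch, p0f, Snort and Nessus.

Added illustrative example; this is not OSSIM's correlation engine and not
Hermit Crab's code. The log lines and the Nessus finding are constructed
(syslog, p0f and Snort alert_fast formats of the 2008-era tools); the asset
values, reliability weights and priority mapping are this example's own
assumptions."""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2008  # syslog and alert_fast timestamps carry no year

# ---- constructed sensor output ------------------------------------------
ARPWATCH_LOG = """\
Jan 10 14:02:11 sensor arpwatch: new station 10.0.0.12 0:16:3e:11:22:33
Jan 10 14:09:40 sensor arpwatch: changed ethernet address 10.0.0.12 0:16:3e:aa:bb:cc (0:16:3e:11:22:33)
"""
P0F_LOG = """\
10.0.0.12:51012 - Linux 2.6 (newer, 2) -> 10.0.0.1:22 (distance 0, link: ethernet/modem)
10.0.0.20:40100 - Linux 2.6 (newer, 2) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
10.0.0.12:51040 - Windows XP SP1+, 2000 SP3 -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
"""
SNORT_LOG = """\
01/10-14:03:05.123456  [**] [1:1000001:1] LOCAL SMB exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.12:445
01/10-14:03:07.000123  [**] [1:1000002:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 10.0.0.5:4445 -> 10.0.0.20:22
"""
NESSUS_FINDINGS = [{"host": "10.0.0.12", "port": 445, "severity": "High"}]
ASSET_VALUE = {"10.0.0.12": 4, "10.0.0.20": 2}  # 0..5, analyst-assigned (assumed)
SNORT_PRIORITY = {1: 5, 2: 3, 3: 1}             # Snort priority -> 0..5 scale (assumed)

ARP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ arpwatch: changed ethernet address (\S+) (\S+) \((\S+)\)$")
P0F_RE = re.compile(r"^(\S+):\d+ - (.+?) -> ")
SNORT_RE = re.compile(
    r"^(\d\d/\d\d-[\d:.]+)\s+\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\].*?"
    r"\[Priority: (\d)\] \{(\w+)\} (\S+):\d+ -> (\S+):(\d+)$")


def parse_arpwatch(text):
    """Only 'changed ethernet address' lines matter here (MAC anomaly)."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m.group(2), "new_mac": m.group(3), "old_mac": m.group(4)})
    return events


def parse_p0f(text):
    """p0f fingerprints carry no timestamp in this format; keep arrival order."""
    return [{"host": m.group(1), "os": m.group(2)}
            for m in (P0F_RE.match(line) for line in text.splitlines()) if m]


def parse_snort(text):
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            events.append({"ts": ts, "sid": m.group(2), "msg": m.group(3),
                           "priority": int(m.group(4)), "proto": m.group(5),
                           "src": m.group(6), "dst": m.group(7), "dport": int(m.group(8))})
    return events


def correlate_ids_vs_scanner(snort_events, findings):
    """Snort vs. Nessus: an alert against a host/port the scanner already
    reported vulnerable is more believable, so reliability (and thus risk)
    goes up. risk = asset * priority * reliability / 25."""
    vulnerable = {(f["host"], f["port"]) for f in findings}
    out = []
    for ev in snort_events:
        reliability = 8 if (ev["dst"], ev["dport"]) in vulnerable else 3  # 0..10, assumed
        priority = SNORT_PRIORITY.get(ev["priority"], 1)
        asset = ASSET_VALUE.get(ev["dst"], 1)
        out.append({"host": ev["dst"], "msg": ev["msg"], "reliability": reliability,
                    "risk": asset * priority * reliability / 25})
    return out


def correlate_identity_change(arp_events, p0f_events):
    """A MAC change from arpwatch plus an OS fingerprint change from p0f on the
    same address is a stronger signal than either alone: the host behind the IP
    was replaced, reinstalled or spoofed. p0f lines have no timestamp here, so
    the join is on the address only."""
    os_seen = defaultdict(list)
    for ev in p0f_events:
        if ev["os"] not in os_seen[ev["host"]]:
            os_seen[ev["host"]].append(ev["os"])
    alerts = []
    for ev in arp_events:
        oses = os_seen.get(ev["host"], [])
        if len(oses) > 1:
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "mac": f"{ev['old_mac']} -> {ev['new_mac']}",
                           "os": " -> ".join(oses)})
    return alerts


def run():
    ids = correlate_ids_vs_scanner(parse_snort(SNORT_LOG), NESSUS_FINDINGS)
    ident = correlate_identity_change(parse_arpwatch(ARPWATCH_LOG), parse_p0f(P0F_LOG))
    return {"ids_vs_scanner": ids, "identity_change": ident}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name)
        for a in alerts:
            print("  ", a)
```

The SMB alert against 10.0.0.12 scores far above the SSH alert against 10.0.0.20 because the scanner had already flagged port 445 on that asset; and the same host is the one whose MAC and OS fingerprint both changed, which is exactly the kind of "infected guest re-imaged or spoofed" event an analyst wants surfaced from the aquarium rather than buried in three separate logs.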
OSSIM Architecture

OSSIM Profiles
• All-In-One
• Server
• Sensor
Similar Projects
• The Virtual Security Labs
• Network Analysis Lab (esp. Snort)
• Malware Analysis Lab
• Email Recovery Exercise
DEMONSTRATION
SSH access
• To dom0
• And domUs

Xen overview

DomU networking
• Internal networking
• External networking
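An added example of the check a practitioner wants before letting an infected Heron guest boot, written for this page rather than taken from Hermit Crab's scripts: it parses xm/xl-style domU config files (Python-syntax key = value lines) and verifies that analysis guests attach only to the internal bridge while the OSSIM sensor guest keeps an internal leg. The bridge names xenbr-int (internal, no uplink) and xenbr0 (external) and the three configs are assumptions constructed for the example.

```python
"""Checking that domU configs keep infected guests on the isolated bridge.

Added illustrative example, not Hermit Crab's own scripts. It assumes
xm/xl-style domU config files (Python-syntax key = value lines) and two
dom0 bridge names chosen for this example: xenbr-int, an internal bridge
with no uplink where the Hardy Heron guests and the OSSIM sensor leg live,
and xenbr0, dom0's external bridge. The three configs are constructed."""
import ast

INTERNAL_BRIDGES = {"xenbr-int"}  # assumption: isolated analysis network
EXTERNAL_BRIDGES = {"xenbr0"}     # assumption: bridge with a real uplink

HERON1_CFG = """\
name = "heron1"
memory = 256
bootloader = "/usr/bin/pygrub"
disk = ['phy:/dev/vg0/heron1,xvda,w']
vif = ['mac=00:16:3e:00:00:11,bridge=xenbr-int']
"""
OSSIM_CFG = """\
name = "ossim"
memory = 1024
bootloader = "/usr/bin/pygrub"
disk = ['phy:/dev/vg0/ossim,xvda,w']
# first leg watches the aquarium, second leg reaches the analyst's portal
vif = ['mac=00:16:3e:00:00:21,bridge=xenbr-int', 'mac=00:16:3e:00:00:22,bridge=xenbr0']
"""
HERON3_BAD_CFG = """\
name = "heron3"
memory = 256
bootloader = "/usr/bin/pygrub"
disk = ['phy:/dev/vg0/heron3,xvda,w']
vif = ['mac=00:16:3e:00:00:13,bridge=xenbr0']
"""


def parse_cfg(text: str) -> dict:
    """Read key = value lines; values are Python literals, evaluated safely."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = ast.literal_eval(value.strip())
    return cfg


def parse_vif(spec: str) -> dict:
    """'mac=..,bridge=..' -> {'mac': .., 'bridge': ..}"""
    return dict(item.split("=", 1) for item in spec.split(",") if "=" in item)


def vif_bridges(cfg: dict) -> list:
    """Bridge per vif, '' where the vif relies on dom0's default bridge."""
    return [parse_vif(v).get("bridge", "") for v in cfg.get("vif", [])]


def check_isolation(cfg: dict, role: str) -> list:
    """role 'analysis': every vif on an internal bridge, and at least one vif
    so the sensor sees the guest's traffic. role 'sensor': may be dual-homed,
    but needs an internal leg or it watches nothing. Returns violations."""
    name = cfg.get("name", "?")
    bridges = vif_bridges(cfg)
    problems = []
    if not any(b in INTERNAL_BRIDGES for b in bridges):
        problems.append(f"{name}: no vif on an internal bridge {sorted(INTERNAL_BRIDGES)}")
    if role == "analysis":
        for b in bridges:
            if b not in INTERNAL_BRIDGES:
                problems.append(f"{name}: analysis guest attached to {b or '<default bridge>'}")
    elif role != "sensor":
        problems.append(f"{name}: unknown role {role!r}")
    return problems


def sweep(configs) -> dict:
    """configs: iterable of (config_text, role). Returns {name: [violations]}."""
    report = {}
    for text, role in configs:
        cfg = parse_cfg(text)
        report[cfg.get("name", "?")] = check_isolation(cfg, role)
    return report


if __name__ == "__main__":
    for name, problems in sweep([(HERON1_CFG, "analysis"), (OSSIM_CFG, "sensor"),
                                 (HERON3_BAD_CFG, "analysis")]).items():
        print(name, "OK" if not problems else problems)
```

A vif with no bridge= option falls onto dom0's default bridge, which in a stock install is the one with the uplink, so the check treats a missing bridge as a violation rather than a pass; that is the mistake most likely to let a worm out of the aquarium.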
OSSIM Portal
Executive dashboard
Aggregated risks
Incident tickets
Security events
Vulnerability assessments
Monitors
Useful for tracing security incidents
Forensic console
References
1. Brand, Murray. "Forensic Analysis Avoidance Techniques of Malware." Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing, 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book
3. Distler, Dennis. "Malware Analysis: An Introduction." SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious
4. "InMAS: Internet Malware Analysis System." CWSandbox, University of Mannheim. http://www.cwsandbox.org/
5. Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html
6. Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus. http://www.securityfocus.com/infocus/1780
7. Munroe, Randall. "Network." XKCD. http://xkcd.com/350/
8. "OSSIM Architecture." OSSIM Documentation Wiki, AlienVault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture
9. Provos, Niels. "Developments of the Honeyd Virtual Honeypot." http://www.honeyd.org/index.php
10. Roesch, Martin, et al. "About Snort." Sourcefire. http://www.snort.org/snort
11. "SiLK - System for Internet-Level Knowledge." CERT NetSA, Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/
12. Farmer, Dan, and Wietse Venema. "Chapter 6: Malware Analysis Basics." Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
13. "Xen Hypervisor - Leading Open Source Hypervisor for Servers." Xen.org, Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html
14. Chen, Peter, and Brian Noble. "Virtual-machine based security services." http://www.eecs.umich.edu/virtual/

Speaker notes

  1. Project Vision: A forensic tool for investigators and researchers to forensically examine the behavior of malware across networks, in order to reconstruct and study the techniques viruses use to propagate across a compromised network of systems.
  2. These techniques take time and resources to analyze, and static analysis is too human-resource intensive to be practical.
  3. Viruses, worms, and botnets are often challenging for forensic investigators to identify and uncloak. Most payloads require write permissions, so the use of write-protection forensic tools makes it difficult to see what the malware is actually doing. In most cases, once malicious code has been identified, it is executed in a sandboxed virtual machine. While this gives an investigator an idea of what the payload does, it does not always give a full picture, especially in networked environments. The "virus aquarium" attempts to augment static (and potentially live) forensic investigations of malware-infected networks with captured network traffic and logs from the operating system and application levels.