Hermit Crab Presentation
Say hello to Frank.
![Page 1: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/1.jpg)
HERMIT CRAB: Holistic Evidence Reconstruction (of) Malware Intrusion Techniques (for) Conducting Real-Time Analysis (of) Behavior
![Page 2: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/2.jpg)
The Team
Dr. Chao H. Chu, CEO
Brian Reitz, CISO
Matthew Maisel, CIO
Albert Chen, Server Admin
Matthew Dinkel
![Page 3: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/3.jpg)
The Idea
Source: http://www.xkcd.com/350/
Network by XKCD
![Page 4: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/4.jpg)
The Purpose
Malware writers use obfuscation and sophisticated behavior to cover up their digital tracks and move quickly from host to host:
• Polymorphism
• "Fast-flux" DNS migration
• Payload verification
• XOR-encrypted shellcode
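Added example, not part of the slides: why a byte signature written from one XOR-encoded sample misses the next polymorphic variant, and how a post-mortem analyst recovers the payload anyway by trying all 256 single-byte keys and scoring the candidates. The payload, key values and marker strings are constructed for the example; the payload is a stand-in with a recognizable string in it, not functional shellcode.

```python
"""Recovering single-byte-XOR-encoded payloads and showing why static signatures miss re-keyed variants."""

# Constructed stand-in for a payload: NOT functional shellcode, just bytes that
# carry a marker string ("/bin/sh") an analyst would look for after decoding.
PAYLOAD = b"\x90\x90\x90\x90/bin/sh\x00" + b"\xcc" * 8 + b"END"

# Strings whose appearance in a decoded candidate strongly suggests the right key.
# Assumed list for the example; extend it with what your cases actually contain.
MARKERS = (b"/bin/sh", b"cmd.exe", b"http://", b"This program cannot be run")


def xor_encode(data: bytes, key: int) -> bytes:
    """Encode or decode with one repeating key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; fallback score."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_key(blob: bytes, markers=MARKERS):
    """Try every single-byte key. Return (key, plaintext) for the first candidate
    containing a known marker; if none does, return the most printable candidate."""
    best_score, best_key, best_text = -1.0, None, b""
    for key in range(256):
        candidate = xor_encode(blob, key)
        if any(m in candidate for m in markers):
            return key, candidate
        score = printable_ratio(candidate)
        if score > best_score:
            best_score, best_key, best_text = score, key, candidate
    return best_key, best_text


def signature_matches(blob: bytes, signature: bytes) -> bool:
    """A static byte signature, the way an IDS content match would apply it."""
    return signature in blob


def demo():
    """Two variants of the same payload under different keys: the signature taken
    from the first misses the second, but brute-force decoding recovers both."""
    variant_a = xor_encode(PAYLOAD, 0x41)  # key values are arbitrary for the demo
    variant_b = xor_encode(PAYLOAD, 0x99)
    sig = variant_a[:8]                    # signature written from the first sample seen
    return {
        "sig_hits_a": signature_matches(variant_a, sig),
        "sig_hits_b": signature_matches(variant_b, sig),
        "key_b": recover_key(variant_b)[0],
        "same_payload": recover_key(variant_a)[1] == recover_key(variant_b)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The marker search is what makes the recovery reliable: a wrong key yields PAYLOAD XOR (key ^ wrong_key), which only reproduces a marker string if the original payload happened to contain that string's XOR image, so in practice a single hit identifies the key. The printable-ratio fallback covers payloads with no known marker, but its answer should be treated as a candidate to inspect, not a result.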
![Page 5: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/5.jpg)
Static Analysis is Difficult
"Finally, there is post-mortem analysis, the study of program behavior by looking at the after effects of execution. ... [It] is often the only tool available after an incident."
-Dr. Wietse Zweitze Venema
![Page 6: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/6.jpg)
Meet Frank the Hermit Crab
“Shout out to Tom Sennett”
“Forensic Response Analytic Network Kit”
![Page 7: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/7.jpg)
![Page 8: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/8.jpg)
Xen/Hermit Crab Architecture
• Xen hypervisor
• Dom0: Ubuntu Hardy Server (sshd, VNC)
• DomU: Hardy Heron 1
• DomU: Hardy Heron 2
• DomU: Hardy Heron 3: OSSIM
![Page 9: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/9.jpg)
Open Source Security Information Management (OSSIM)
OSSIM provides a strong correlation engine, detailed low-, medium- and high-level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services.
![Page 10: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/10.jpg)
OSSIM Components
• Arpwatch: used for MAC anomaly detection.
• P0f: used for passive OS detection and OS change analysis.
• Nessus: used for vulnerability assessment and for cross-correlation (IDS vs. security scanner).
• Snort: the IDS, also used for cross-correlation with Nessus.
• Spade: the statistical packet anomaly detection engine, used to gain knowledge about attacks without signatures.
• Ntop: builds an impressive network information database from which we can identify aberrant behavior (anomaly detection).
• Nagios: fed from the host asset database, it monitors host and service availability information.
• OSSEC: integrity, rootkit and registry detection, and more.
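Added example, not from the slides or from OSSIM's code: the IDS-vs-scanner cross-correlation that the previous two slides describe, worked through on constructed data. Snort fast-format alert lines are parsed, each alert's rule is mapped to the vulnerability it detects, and an alert against a host that Nessus reported vulnerable to that same issue has its reliability raised to the maximum before the risk score is computed. The risk formula (asset × priority × reliability / 25) is modelled on OSSIM's documented scoring as I recall it and should be checked against the version you deploy; the sid-to-vulnerability table, reliability values, Snort-to-OSSIM priority mapping, hosts and vulnerability ids are all constructed for the example.

```python
"""Cross-correlating Snort alerts with Nessus findings and scoring risk, OSSIM-style."""
import re
from dataclasses import dataclass

# Snort "fast" alert format (real format; the sample lines below are constructed):
# 01/20-10:15:01.123456  [**] [1:1000001:1] msg [**] [Classification: c] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.20:445
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (sids in the local-rule range, made-up hosts).
SNORT_LINES = [
    "01/20-10:15:01.123456  [**] [1:1000001:1] LOCAL exploit attempt against service A [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.20:445",
    "01/20-10:15:07.654321  [**] [1:1000001:1] LOCAL exploit attempt against service A [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4445 -> 10.0.0.21:445",
    "01/20-10:16:00.000001  [**] [1:1000002:1] LOCAL scanner probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.5:5000 -> 10.0.0.20:80",
]
RULE_VULN = {1000001: "TEST-VULN-001", 1000002: "TEST-VULN-002"}   # sid -> vuln id the rule detects (constructed)
RULE_RELIABILITY = {1000001: 4, 1000002: 2}                          # base confidence 0-10 that a hit is real (assumed)
NESSUS_FINDINGS = {("10.0.0.20", "TEST-VULN-001")}                   # (host, vuln id) the scanner reported (constructed)
ASSET_VALUE = {"10.0.0.20": 5, "10.0.0.21": 2}                       # asset value 0-5 per host (constructed)
SNORT_TO_OSSIM_PRIORITY = {1: 5, 2: 3, 3: 1}                         # Snort 1 = most severe; OSSIM 5 = most severe (assumed)


@dataclass
class Alert:
    sid: int
    msg: str
    snort_priority: int
    src: str
    dst: str
    reliability: int = 0
    correlated: bool = False


def parse_fast_alert(line: str):
    """Return an Alert for a Snort fast-format line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"])


def cross_correlate(alert: Alert, findings, rule_vuln, base_reliability) -> Alert:
    """IDS vs. scanner: if the target is known vulnerable to what the rule detects,
    the alert is almost certainly real, so reliability goes to the maximum."""
    alert.reliability = base_reliability.get(alert.sid, 1)
    vuln = rule_vuln.get(alert.sid)
    if vuln and (alert.dst, vuln) in findings:
        alert.reliability = 10
        alert.correlated = True
    return alert


def risk(asset_value: int, priority: int, reliability: int) -> float:
    """Risk = asset (0-5) * priority (0-5) * reliability (0-10) / 25, range 0-10 (assumed OSSIM formula)."""
    return min(10.0, asset_value * priority * reliability / 25.0)


def triage(lines, threshold: float = 2.0):
    """Parse, correlate and score each alert; the last field says whether it would open a ticket."""
    results = []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        cross_correlate(a, NESSUS_FINDINGS, RULE_VULN, RULE_RELIABILITY)
        r = risk(ASSET_VALUE.get(a.dst, 1),
                 SNORT_TO_OSSIM_PRIORITY.get(a.snort_priority, 1),
                 a.reliability)
        results.append((a.dst, a.sid, a.correlated, r, r >= threshold))
    return results


if __name__ == "__main__":
    for row in triage(SNORT_LINES):
        print(row)
```

The point the correlation makes is the one OSSIM's slide names: the same Snort rule firing against two hosts produces very different risk, because the host the scanner already knows to be vulnerable carries full reliability while the other keeps the rule's base confidence. Scanner data ages, so in production the findings set should carry a scan timestamp and be refreshed before it is trusted to raise a score.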
![Page 11: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/11.jpg)
OSSIM Architecture
![Page 12: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/12.jpg)
OSSIM Profiles
• All-In-One
• Server
• Sensor
![Page 13: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/13.jpg)
Similar Projects
The Virtual Security Labs
• Network Analysis Lab (esp. Snort)
• Malware Analysis Lab
• Email Recovery Exercise
![Page 14: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/14.jpg)
DEMONSTRATION
![Page 15: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/15.jpg)
SSH access
• To dom0
• And domUs
![Page 16: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/16.jpg)
Xen overview
![Page 17: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/17.jpg)
DomU networking
• Internal networking
• External networking
![Page 18: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/18.jpg)
OSSIM Portal
![Page 19: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/19.jpg)
Executive dashboard
![Page 20: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/20.jpg)
Aggregated risks
![Page 21: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/21.jpg)
Incident tickets
![Page 22: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/22.jpg)
Security events
![Page 23: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/23.jpg)
Vulnerability assessments
![Page 24: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/24.jpg)
Monitors
![Page 25: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/25.jpg)
Useful for tracing security incidents
![Page 26: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/26.jpg)
Forensic console
![Page 27: Hermit Crab Presentation](https://reader034.vdocuments.us/reader034/viewer/2022052216/555a0000d8b42aa8098b4de5/html5/thumbnails/27.jpg)
References
1. Brand, Murray. "Forensic Analysis Avoidance Techniques of Malware." Edith Cowan University. http://scissec.scis.ecu.edu.au/conferences2008/proceedings/2007/forensics/06_Brand%20-%20Forensic%20Analysis%20Avoidance%20Techniques%20of%20Malware.pdf
2. Chaganti, Prabhakar. Xen Virtualization. Packt Publishing, 2007. http://www.packtpub.com/xen-virtualization-open-source-linux-servers/book
3. Distler, Dennis. "Malware Analysis: An Introduction." SANS Institute InfoSec Reading Room. http://www.sans.org/reading_room/whitepapers/malicious/malware_analysis_an_introduction_2103?show=2103.php&cat=malicious
4. "InMAS: Internet Malware Analysis System." CWSandbox, University of Mannheim. http://www.cwsandbox.org/
5. Lyon, Gordon. "Chapter 12. Zenmap GUI Users' Guide: Surfing the Network Topology." Nmap Network Scanning. http://nmap.org/book/zenmap-topology.html
6. Masgood, S.G. "Malware Analysis for Administrators." SecurityFocus. http://www.securityfocus.com/infocus/1780
7. Munroe, Randall. "Network." XKCD. http://xkcd.com/350/
8. "OSSIM Architecture." OSSIM Documentation Wiki. AlienVault. http://www.ossim.net/dokuwiki/doku.php?id=documentation:architecture
9. Provos, Niels. "Developments of the Honeyd Virtual Honeypot." http://www.honeyd.org/index.php
10. Roesch, Martin, and others. "About Snort." Sourcefire. http://www.snort.org/snort
11. "SiLK - System for Internet-Level Knowledge." CERT NetSA, Carnegie Mellon University Software Engineering Institute. http://tools.netsa.cert.org/silk/
12. Venema, Wietse. "Chapter 6: Malware Analysis Basics." Forensic Discovery. http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
13. "Xen Hypervisor - Leading Open Source Hypervisor for Servers." Xen.org. Citrix Systems, Inc. http://www.xen.org/products/xenhyp.html
14. Chen, Peter M., and Brian Noble. "Virtual-machine based security services." http://www.eecs.umich.edu/virtual/