egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.

Transcription

1 egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security

2 Forensic with egambit In this document, we will introduce how egambit Forensic can help at removing doubts regarding a potentially compromised endpoint. This is accomplished through an offline analyzer working on Windows, Linux and Mac OS X, combined with a web frontend, a knowledge-base, and a sandbox infrastructure for in-depth checks. Based on egambit version 3.1 November 2015

3 About the forensic activity - In CSIRT/SOC teams, we are all concerned about endpoint security and sometimes we have doubts about some hosts Ø Is it compromised or not? This is one of the key question - Your IT infrastructure might include different OS and distributions, which might not be handled by a main security analysis tool Ø Laptops / Workstations / Servers Ø Windows : XP, 2003, Vista, 2008, 7, 2012 Ø Linux : Ubuntu, Debian, CentOS, Fedora, ArchLinux, OpenSUSE Ø Mac OS X : Yosemite, El Capitan - A forensic player needs to analyze various locations on your systems in order to detect a suspicious program/activity Ø Processes, Files, Memory, Registry, Network, Startup - In some cases, a sandbox infrastructure is needed to analyze the behavior behind a weird file, like a document or a binary - With egambit Forensic, you get all of these key features

4 About egambit Forensic - egambit Offline Forensic or E.O.F. Ø This is a program that can inspect many areas of your systems and generates a report. No need to be connected to the Internet - egambit Forensic web site Ø This web site can read reports generated by E.O.F. so that you can get a diagnostic based on internal / external databases o This is like scanning your systems with more than 50 antiviruses Ø You can also work with hashes, domains, URLs and IP addresses to get a related security report Ø You can upload suspicious files for a complete scan against internal / external databases Ø For advanced analysis, you can push files to the egambit sandbox in order to safely execute/analyze them

5 egambit Offline Forensic E.O.F. Overview generated report Files, processes, startup, memory, network E.O.F runs on Windows, Linux or Mac OS X Upload it to the egambit Forensic website Binaries update.exe goodware driver.exe malware 9 / 56 Documents Contract.doc malware 23 / 55 Manual.pdf goodware The egambit Forensic website will read E.O.F reports to propose you diagnostics

6 egambit Offline Forensic E.O.F. Features Main features Standard Scan Processes, Startup programs, Disk files. Many formats are handled: o More than 70 extensions, such as EXE, DLL, SYS, BAT, PDF, DOC Advanced Scan Memory scan, Office macros, Browsers scans, Installed software, Antiviruses Specific commands and actions Network configuration (routing, proxies ), Groups, Users, System information

7 egambit Offline Forensic E.O.F. Options Optional features that can be enabled / disabled when required o o o o Files Scan: this can be a very long process when you have millions of files to analyze Documents Scan: doc, ppt, xls or pdf files. Some might contain sensitive names/information In-depth Files Scan to detect hidden backdoors: this might be a very long check Personal Scan: you can add your own rules to detect specific threats thanks to a standard format

8 Web site features You can launch security analysis through external or internal intelligence sources Currently, TEHTRIS proposes around 50 millions of hashes with its internal databases Beyond that, millions of hashes are available through private external databases links Search There, you can submit hashes of file, IP addresses, internet domains and URLs File There, you can easily upload your own files to get a database analysis E.O.F [Forensic] Download the forensic tools & launch it on MS Windows, Linux and Apple Mac OS X Then, upload the generated E.O.F reports to the website and get a full forensic report Sandbox Submit files for an in-depth analysis by executing them in a clean Windows environment Choose analysis options : memory scan, user or kernel hooks, Windows XP or 7

9 Sandbox analysis Overview Emulated Windows environments can safely analyze any kind of suspicious file : EXE, DOC, PDF, XLS, VBS upload files files are executed egambit Forensic website Windows Sandbox egambit sandbox features Supports many formats :.exe,.dll,.msi,.pdf,.doc,.xls,.ppt,.vbs,.jar,.html,.ps1,.zip,.rar Tracks any activity involving files, registry, network, processes Detects common threats : keylogger, browser injection, proxy modification, credentials harvesting, exfiltration Detects stealth behaviors : hidden files, antivirus kill, anti-sandboxes, stealth persistence, antidebug This can provide useful IOC Indicator Of Compromise, that will help your team at catching the threat over your whole IT environment

10 Sandbox analysis Samples

11 Synthesis egambit Forensic - Three levels of forensic investigation Ø Offline analyzer for Windows, Linux and Mac OS X [ E.O.F ] Ø Web site for specific search & upload over databases Ø Sandbox infrastructure for in-depth analysis - Up-to-date services for each feature continuity Ø We regularly add new killer features in E.O.F Ø Our databases are automatically filled and updated every day with new data from internal and external sources Ø The sandbox infrastructure is constantly improved to beat new threats and to propose new functionalities

12 Join us Ready for innovative solutions against cyber threats?

13 security.com egambit egambit is a product that can monitor and improve your IT Security against complex threats like cyber-spy or cyber-sabotage activities. This product is realized by the TEHTRI-Security company in FRANCE. It is fully designed and developed near Bordeaux, and Paris as well. Created in 2012, the egambit product has already helped companies in China, Brazil, USA and Europe against internal and external cyber threats. In 3 years egambit has already caught billions of events related to security issues worldwide, thanks to the tremendous skills and motivation of expert Consultants working on the project with a real Ethical Hacking spirit. 100% of the source code is within TEHTRIS hands, and it was designed with extended security features. egambit is your defensive cyber-weapon system.

14 egambit Your defensive cyber-weapon system You have the players. We have the game. Let s use egambit in your environment, in order to improve hardening and detection of security issues and incidents.

15 Follow-up Do not hesitate to contact our team TEHTRI-Security Managed Security Service Provider egambit Complete defensive weapon

16