A White Paper from AccessData Group. Cerberus. Malware Triage and Analysis


What is Cerberus?

Cerberus is the first-ever automated reverse engineering tool designed to show a security analyst precisely what an executable is capable of within minutes, without a sandbox. Cerberus serves as a malware triage platform. It eliminates the potential for an extraordinary backlog in a reverse engineer's workflow while equipping security experts with immediate, easily digestible intelligence.

The Current Problem

There are tens of thousands of static executables on disk and typically 100+ processes running on a given machine at any time. Any one of them could contain malicious code capable of stealing valuable information and sending it back to an attacker. Since most machine users (and most incident responders, for that matter) are not able to translate the machine code contained in executables, or extracted from running memory, into something human-readable, reverse engineers are often relied on to fill in the gaps. Reverse engineering is a time-consuming effort requiring highly skilled individuals who are in very short supply. Additionally, only a small percentage of malicious files and running processes need to be fully disassembled. There is a great need for automated analysis to fill the gap between what incident responders are finding and what needs to be fully examined.

Reverse engineers disassemble the executable in full and provide incident responders with relevant information about it, in a language that they understand. Similar to translating a several-million-word document from one language to another, reverse engineering an executable can take days, if not weeks, depending on its size and complexity. Given the sheer number of executables and running processes on a machine, and the malware being generated every day, it is impossible for a human to translate (pull apart) every executable that finds its way onto a machine.

An alternative to reverse engineering every binary on the machine would be to run each one in a sandbox or perform some other form of dynamic analysis. Keep in mind that certain malware incorporates countermeasures to thwart dynamic analysis, which introduces additional variables, and some malware behaves differently depending on the OS. Unfortunately, this approach only tells the analyst what an executable does under certain conditions, not everything the executable is capable of doing. That is, given an infinite number of scenarios outside a sandbox environment, where and how could this executable be most dangerous?

This is a diagram of a sample function from a malicious application. It checks whether a file exists in the top block, and then chooses which functionality to execute based on whether it finds this file. Malware triage via Cerberus takes roughly the same amount of time as running the executable in a sandbox, but gets the results of a reverse engineer. In literally minutes, it produces results that a general security analyst can understand. Watching the program run once in a sandbox, analysts may only see one code path executed, as highlighted in brown above. This code path would only demonstrate behavior when the file isn't found. In this case, analysts would have no knowledge of behavior when the file does exist. In reviewing the results, this expert can either deal with a potential problem from a high level or determine that further analysis is needed. Given that the vast majority of executables are benign, first triaging executables with Cerberus allows a reverse engineer to save time that would otherwise be wasted looking at all potential threats.

How It Works

Instead of running a binary in a sandbox, Cerberus emulates the machine code contained in the executable so that the binary has no way to control its own destiny. In this manner, Cerberus can emulate all paths through the executable and tell the user what the executable is capable of, versus what it did during one or more executions. Since most malware will detect that it is running in a sandbox, this distinction is essential for triaging an executable that has malicious intent. In addition to masking its malicious intent, some malware samples seen in the wild are capable of escaping the sandbox environment and gaining access to the analyst's physical workstation. This is a huge security concern, and there is a growing amount of research into virtual machine escape vulnerabilities. With that in mind, Cerberus is designed to emulate the executable's instructions rather than allowing it to execute on its own. By emulating the instructions internally, the analyst need not worry about malicious executables invading their machine because of vulnerabilities in the sandbox environment.

Cerberus: Combining Control Flow Analysis & Data Flow Analysis

Cerberus uses control flow and data flow analysis together to emulate all paths within an executable and monitor changes within its local memory and variable allocations. Cerberus then tells the user the possible values for each argument in each function, revealing what that executable is capable of doing in a language that is easily understood by any security analyst. In this respect, Cerberus is analogous to IBM's Deep Blue chess-playing computer, designed to make the best chess-match decision by doing three things:

1) Data Flow Analysis: Evaluating the current conditions of a chess board (i.e. where each of the pieces is currently located on the board).

2) Control Flow Analysis: Emulating all possibilities in all possible games moving forward given the current conditions (i.e. where each of the pieces is capable of moving and what the possible decision points are for each piece).

3) Providing Results: Presenting data so that the best decision can be made moving forward.

Building on the chess example, Cerberus emulates every single path of an executable (or, all possible moves in a chess game) and watches how the data (chess pieces) is being manipulated to show what's possible. Similar to how a well-programmed computer is able to look at a chess board, interpret data, emulate the possibilities and intelligently move forward faster and more effectively than a human player, the automated process in Cerberus is exponentially more efficient than a human reverse engineer. This function is illustrated on the next page.

Each separate code path is highlighted in brown. Cerberus analyzes all code paths, regardless of how the executable behaves any particular time it is run. This includes behavior both when the file is found and when it is not found, providing a more comprehensive picture of the program's behavior.

To reiterate, Cerberus emulation follows the control flow graph and plays every possible path within an executable. At the same time as it's taking each path in the control flow diagram, it records changes to memory allocations. In this manner, it is able to communicate to the user the possible values for each argument to each function. Want to know whether this executable is capable of bypassing your authenticated web proxy? Simply look at the functions used for connecting to the internet and see whether a username or password is used. If one or more username/password combinations are used, are any of them correct? All of this information is available within minutes and doesn't require a reverse engineer.

The Typical Scenario

Let's envision you are in charge at a security operations center and you receive an alert about a potentially malicious executable, which is attempting to move from Machine A to Machine B. Not knowing exactly what the executable is, you review your options: a) analyze the executable for known strings that may give you, a non-reverse engineer, something to determine malicious intent; b) run the executable in a sandbox to see what it does in a contrived environment; or c) send the executable to your reverse engineering team. Let's assume you have 10 reverse engineers on your team who, on average, take one week to completely dissect an executable. If two malicious executables cross your desk per day, and you submit each to the reverse engineering team, by day 5 they'd already be behind, and you would still not have received the report on the first executable. All the while, your intellectual property could be walking out the front door. Obviously this is not a scalable process. Not to mention, this scenario assumes you have a team of 10 reverse engineers on staff, which most companies do not have. This is the major problem Cerberus solves.

Cerberus essentially serves as the Babel Fish for incident responders, translating executables from machine code into English. The translation then offers experts an excellent understanding of what is actually occurring, so that they may handle the problems themselves or seek further assistance from a reverse engineer, who now begins the dissection process with a leg up over the traditional scenario. More importantly, it allows reverse engineers to focus on the most important malware while providing immediate intelligence to the incident responders on the front line. In addition, the reverse engineer and security analyst can communicate using similar language, saving the reverse engineer a great deal of time because the analyst knows why he is worried about the executable.
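The all-paths emulation described in "How It Works" and "Combining Control Flow Analysis & Data Flow Analysis", and the proxy-credential question above, can be illustrated on a toy instruction set. This is an added example, not code from the paper or from Cerberus: it constructs a tiny program shaped like the paper's diagram (a file-exists check in the first block selects the credentials that reach a connect call), then contrasts forking every branch whose condition the binary does not control (emulation) with following the one path a concrete environment selects (a single sandbox run). All names, the instruction format and the values are assumptions made for the example.

```python
import re
from collections import deque
UNKNOWN = object()         # a value the binary does not control (comes from the host)
ENV_APIS = {"FileExists"}  # APIs whose result is supplied by the environment

# Constructed toy program mirroring the paper's diagram: a file-exists check in the
# first block decides which credentials, if any, reach the network-connect call.
PROGRAM = [
    ("call", "FileExists", ["C:\\marker.dat"], "r0"),  # r0 depends on the host
    ("jz", "r0", 5),                                   # file missing -> block at 5
    ("set", "r1", "admin"),                            # file present: credentials
    ("set", "r2", "pass-A"),
    ("jmp", 7),
    ("set", "r1", ""),                                 # file missing: no credentials
    ("set", "r2", ""),
    ("call", "InternetConnect", ["proxy.example", "r1", "r2"], "r3"),
    ("ret",),
]

def resolve(regs, a):  # operands named r<N> are registers, anything else a literal
    return regs.get(a, UNKNOWN) if isinstance(a, str) and re.fullmatch(r"r\d+", a) else a

def explore(program, env=None):
    """Record the argument tuples seen at every call site.  env=None: host results
    are UNKNOWN and each branch on an UNKNOWN value is forked, so all paths are
    covered (emulation).  A concrete env, e.g. {"FileExists": False}, runs only
    the single path a sandbox would observe."""
    env = env or {}
    calls, seen, work = {}, set(), deque([(0, {})])
    while work:
        pc, regs = work.popleft()
        key = (pc, tuple(sorted(regs.items())))
        if pc >= len(program) or key in seen:  # bounds check, loop/duplicate guard
            continue
        seen.add(key)
        ins = program[pc]
        if ins[0] == "set":
            work.append((pc + 1, {**regs, ins[1]: ins[2]}))
        elif ins[0] == "jmp":
            work.append((ins[1], regs))
        elif ins[0] == "call":
            _, api, args, dst = ins
            calls.setdefault(api, set()).add(tuple(resolve(regs, a) for a in args))
            result = env.get(api, UNKNOWN) if api in ENV_APIS else 1
            work.append((pc + 1, {**regs, dst: result}))
        elif ins[0] == "jz":                   # "ret" simply ends this path
            cond = resolve(regs, ins[1])
            if cond is UNKNOWN or cond == 0:   # taken (unknown: fork both ways)
                work.append((ins[2], regs))
            if cond is UNKNOWN or cond != 0:   # fall through
                work.append((pc + 1, regs))
    return calls

def credentials_used(calls, api="InternetConnect"):
    """The paper's triage question: which username/password pairs can reach the connect call?"""
    return sorted({(u, p) for (_, u, p) in calls.get(api, ()) if u})
```

`credentials_used(explore(PROGRAM))` reports the admin credentials that exist only on the file-present path, while `credentials_used(explore(PROGRAM, {"FileExists": False}))` is empty, which is what a sandbox run on a host without the marker file would show.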

Conclusion

The amount of malware is growing exponentially every day, and the manual analysis provided by reverse engineers cannot keep up with this tidal wave of work. Cerberus automated analysis will tip the scale back in your favor, so you can quickly identify threats while ignoring benign files.

AccessData Group has pioneered digital investigations and litigation support for more than twenty years and is the maker of the industry-standard computer forensics technology, FTK, as well as the leading legal review technology, Summation. AccessData provides a broad spectrum of stand-alone and enterprise-class solutions that enable digital investigations of any kind, including computer forensics, incident response, e-discovery, legal review, IP theft, compliance auditing and information assurance. More than 130,000 users in law enforcement, government agencies, corporations, consultancies, and law firms around the world rely on AccessData software solutions, as well as our premier hosted review and digital investigations services. AccessData Group is also a leading provider of digital forensics and litigation support training and certification, with our much sought after AccessData Certified Examiner (ACE) program and Summation certification program. Come learn why our e-discovery solutions are consistently ranked among the leaders in analysts' coverage of the market space, by visiting AccessData.com.

AccessData Group, 384 South 400 West, Suite 200, Lindon, UT 84042 USA, 801.377.5410

AccessData, Forensic Toolkit and FTK are registered trademarks owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Any reference to non-AccessData marks is for the purpose of enumerating the technologies AccessData solutions will address during the course of a digital investigation.