 
Intelligence Driven Malware Analysis (IDMA): Malicious Profiling
14 January 2015
Homeland Security, National Cybersecurity and Communications Integration Center
whoami
• Cyber Threat Analyst at Northrop Grumman
  o Performed a wide range of duties, from malware analysis to cyber threat reporting
  o Supporting US-CERT/NCCIC
• B.S. in Digital Forensic Science from Defiance College (Ohio)
• M.S. in Digital Forensic Science from Champlain College (Vermont)
• Certifications
  o GIAC Certified Reverse Engineer of Malware (GREM)
  o GIAC Certified Incident Handler (GCIH)
  o GIAC Certified Forensic Analyst (GCFA)
Homeland Security, Office of Cybersecurity and Communications
Outline
• Introduction & Purpose
• Foundation & Origin
• IDMA Overview
• Critical Components
• Operational Use Case
• Conclusions
Introduction & Purpose
• Malware Analysis Integration
  o Reduce operational isolation
  o Increase effectiveness of threat intelligence and incident response operations
• Augment Existing Methodologies
  o Not attempting to reinvent the wheel
  o Utilize threat intelligence to drive analysis
Foundation & Origin
• Diamond Model of Intrusion Analysis (Caltagirone et al. 2013)
• Robust and Scalable
  o Designed for incident response
  o Adapted for malware analysis
• Facilitate a Bridge
  o Incident response
  o Malware analysis
  o Threat intelligence
Critical Components of IDMA
• Indicator Classification
  o Novel concept
  o Provides context for analysis
• Indicator Correlation
  o Novel concept
  o Facilitates actionable and relevant indicators
• Threat Intelligence Order of Volatility (TI-OV)
  o Novel concept
  o Methodical order of precedence
Indicator Classification & Correlation
 Hash values
 Source and destination IP (net flow)
 Single IP address
 Single domain
 Targeted ports and services
 Beacon addresses and locations
 Delivery methods
 File names
 File paths
 IDS signatures or other detection methods
 Intrusion objectives (if known)
 Vulnerability identifiers
 File system interaction (create, change, delete)
 Registry interactions
 Toolchain analysis (packer, compiler)
 Impact and outcome
Threat Intelligence Order of Volatility (TI-OV)
Profiles of Analysis
• Four Core Profiles (Analysis Methods)
  o Static, Dynamic, Reversing, Adversary
• Segmented Analysis
  o Reinforce existing methodologies
  o Multiple components = one profile
  o Modular system of analysis
• Critical Questions of Malicious Profiling
  o Provides focus to core profiles
  o Drives analysis towards intelligence criteria
IDMA Profiles
Modular analysis profiles can be applied individually or collectively to the Diamond Model to increase efficiency and focus analysis. The basic concept of malicious profiling leverages existing malware analysis techniques, applied with critical thinking and intelligence analysis skills.
IDMA Concept
IDMA Process Flow
Use Case
• SATR Discovery
  o Malware hashes beaconing to government hosts
  o Intelligence -> malware analysis -> incident response
• IDMA Analysis
  o Integration of efforts
  o IDMA project was a derivative of this effort
Use Case: Malicious Profile
Profile matrix: rows are the TI-OV tiers, least to most volatile (Behavioral, Host Based, Network Based, Ephemeral); columns are the Diamond Model vertices Adversary, Infrastructure, Capabilities, Victim. Cells recovered from the slide, by row:
• Behavioral: sample signed with two digital certificates; anti-forensic techniques
• Host Based: public facing server URL; designed to run on Windows XP
• Network Based: digital certificate; malicious domain hardcoded; hosting IP address; domains
• Ephemeral: compile time; sample hash; detection time
(Zeltser, 2015)
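The three critical components (indicator classification, TI-OV precedence, indicator correlation) applied to the profile above, as an added worked example in Python. This is not code from the presentation or from NCCIC. It assumes a fixed indicator-kind-to-tier mapping (one analyst's choice, following the profile slide), a Diamond Model vertex label on each indicator, and two constructed samples whose values (domain, IP, hash, technique) are invented for illustration.

```python
"""Added example, not code from the presentation: the IDMA classification,
TI-OV ordering and correlation steps as a small data model. The tier
assignments and the two samples are constructed for illustration."""
from dataclasses import dataclass

# Diamond Model vertices (Caltagirone et al. 2013): the profile's columns.
VERTICES = ("Adversary", "Infrastructure", "Capabilities", "Victim")

# TI-OV tiers, the profile's rows, least volatile first. Behavioral traits
# survive a rebuild; a hash or compile time changes with every build.
TIERS = ("Behavioral", "Host-based", "Network-based", "Ephemeral")

# Indicator kind -> tier. One possible mapping, based on the use-case slide;
# in practice this is an analyst decision documented per profile.
TIER_OF = {
    "anti_forensic_technique": "Behavioral",
    "code_signing_pattern": "Behavioral",
    "target_platform": "Host-based",
    "public_facing_url": "Host-based",
    "hardcoded_domain": "Network-based",
    "hosting_ip": "Network-based",
    "signing_certificate": "Network-based",
    "compile_time": "Ephemeral",
    "sample_hash": "Ephemeral",
    "detection_time": "Ephemeral",
}


@dataclass(frozen=True)
class Indicator:
    kind: str     # key into TIER_OF
    value: str
    vertex: str   # Diamond Model vertex the indicator describes

    @property
    def tier(self) -> str:
        return TIER_OF[self.kind]


def build_profile(indicators):
    """Classification: place each indicator in the tier x vertex matrix."""
    profile = {t: {v: [] for v in VERTICES} for t in TIERS}
    for ind in indicators:
        if ind.vertex not in VERTICES:
            raise ValueError(f"unknown vertex {ind.vertex!r}")
        profile[ind.tier][ind.vertex].append(ind.value)
    return profile


def pivot_order(profile):
    """TI-OV precedence: (tier, vertex, value) in the order an analyst pivots
    on indicators and the order detection content should prefer them."""
    return [(t, v, val) for t in TIERS for v in VERTICES for val in profile[t][v]]


def correlate(a, b):
    """Correlation: indicators two samples share, least volatile first.
    A shared behavior or host artifact ties samples to one toolset far more
    durably than a shared hash, which the adversary changes for free."""
    shared = set(a) & set(b)
    return sorted(shared, key=lambda i: (TIERS.index(i.tier), i.kind, i.value))


# Constructed samples. A mirrors the use-case profile; B is a rebuilt variant
# that keeps the tradecraft and callback domain but has new ephemerals.
SAMPLE_A = [
    Indicator("code_signing_pattern", "signed with two digital certificates", "Adversary"),
    Indicator("anti_forensic_technique", "clears own event log entries", "Capabilities"),
    Indicator("target_platform", "Windows XP", "Victim"),
    Indicator("public_facing_url", "https://www.example.gov/", "Victim"),
    Indicator("hardcoded_domain", "update.example-c2.test", "Infrastructure"),
    Indicator("hosting_ip", "192.0.2.44", "Infrastructure"),
    Indicator("compile_time", "2010-01-01T00:00:00Z", "Capabilities"),
    Indicator("sample_hash", "sha256:" + "a" * 64, "Capabilities"),
]
SAMPLE_B = [
    Indicator("anti_forensic_technique", "clears own event log entries", "Capabilities"),
    Indicator("hardcoded_domain", "update.example-c2.test", "Infrastructure"),
    Indicator("compile_time", "2010-03-15T11:02:00Z", "Capabilities"),
    Indicator("sample_hash", "sha256:" + "b" * 64, "Capabilities"),
]

if __name__ == "__main__":
    for tier, vertex, value in pivot_order(build_profile(SAMPLE_A)):
        print(f"{tier:14} {vertex:15} {value}")
    print("shared:", [(i.tier, i.kind) for i in correlate(SAMPLE_A, SAMPLE_B)])
```

Running it lists sample A's profile in TI-OV order and reports that A and B share a behavioral indicator and a network indicator while sharing no ephemeral ones, which is exactly the case where hash-only correlation would miss the link.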
Use Case: Correlating Evidence
• Original Work Flow
  o Samples discovered
  o Net flow examined (limited scope)
  o Samples were sent to malware shop (little context provided)
     Callback domain
     Net flow conclusions
  o Total time invested ~10 days (prior to additional response)
• IDMA Work Flow
  o Samples discovered
  o IDMA applied (context discovery)
  o Samples can be sent to malware shop
     Indicators from all 8 categories of the profile supplied
  o Additional context can drive further analysis (malware, IRT)
Use Case Conclusions
• Full Scale Reverse Engineering
  o Time consuming, resource intensive process
  o Few individuals are fully qualified
• IDMA Analysis
  o Two profiles used (Static, Reversing)
  o Tools utilized
     OllyDbg
     PEStudio
     BinText
  o Context driven analysis
  o Total time invested ~3 hours (additional)
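What the static profile yields without full-scale reversing, as an added example (not code from the presentation or from the tools named above): the header fields PEStudio displays and the strings BinText extracts, read from a PE file with only the Python standard library and grouped by TI-OV tier. The PE image is constructed inside the block; the header offsets parsed are the real PE format's, while the compile time, domain, IP address and path are invented.

```python
"""Added example, not code from the presentation: a static-profile triage
pass that recovers TI-OV-tiered indicators from a PE file with no
disassembly. The PE image is constructed below (build_sample_pe); the
header offsets parsed are the real PE format's, the indicator values,
domain and IP address are invented for the example."""
import datetime
import hashlib
import ipaddress
import re
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Authenticode signature directory
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s]+")
# Domain-heuristic false positives: "cmd.exe" and "gate.php" look like hostnames.
FILE_EXTENSIONS = {"exe", "dll", "sys", "php", "asp", "dat", "tmp", "txt", "log"}


def strings(data):
    """Printable ASCII runs of 6+ bytes, the same view BinText gives."""
    return [s.decode("ascii") for s in STRING_RE.findall(data)]


def pe_header_facts(data):
    """Compile timestamp, minimum subsystem version and whether a security
    (Authenticode) data directory is present, read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic %#x" % magic)
    major, minor = struct.unpack_from("<HH", data, opt + 48)   # Major/MinorSubsystemVersion
    dd_base = opt + (96 if magic == PE32_MAGIC else 112)       # data directory table
    _, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "compile_time": compiled.isoformat(),
        "min_subsystem_version": "%d.%d" % (major, minor),    # 5.1 is Windows XP
        "has_signature_directory": sec_size > 0,
    }


def static_profile(data):
    """Indicators grouped by TI-OV tier, least volatile first."""
    facts = pe_header_facts(data)
    domains, ips, paths = set(), set(), set()
    for s in strings(data):
        for host in DOMAIN_RE.findall(s):
            if host.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
                domains.add(host.lower())
        for candidate in IPV4_RE.findall(s):
            try:
                ips.add(str(ipaddress.ip_address(candidate)))
            except ValueError:
                pass                                           # e.g. 999.1.1.1
        paths.update(WINPATH_RE.findall(s))
    return {
        "Behavioral": {"authenticode_signed": facts["has_signature_directory"]},
        "Host-based": {"file_paths": sorted(paths),
                       "min_subsystem_version": facts["min_subsystem_version"]},
        "Network-based": {"domains": sorted(domains), "ip_addresses": sorted(ips)},
        "Ephemeral": {"sha256": hashlib.sha256(data).hexdigest(),
                      "compile_time": facts["compile_time"]},
    }


def build_sample_pe(timestamp, signed, embedded):
    """Constructed minimal PE32 image: enough header to triage, plus embedded strings.
    When signed, the security directory points at a signature blob not included here."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<HH", opt, 48, 5, 1)                     # subsystem 5.1 = Windows XP
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x200)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0".join(embedded) + b"\0"


# Constructed sample mirroring the use case: signed, XP-targeted, hardcoded callback.
SAMPLE = build_sample_pe(1262304000, True, [                  # 2010-01-01T00:00:00Z
    b"http://update.example-c2.test/gate.php",
    b"C:\\Windows\\System32\\cmd.exe",
    b"192.0.2.44",
])

if __name__ == "__main__":
    for tier, fields in static_profile(SAMPLE).items():
        print(tier, fields)
```

Two caveats a practitioner would add: only the presence of the security directory is checked, so a real triage must still verify the Authenticode blob before treating "signed" as a behavioral indicator; and the subsystem version is the minimum OS the loader accepts, a hint toward "designed to run on Windows XP", not proof of targeting.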
Conclusions
Volatility
   Facilitates indicator precedence
   Focus analysis on less volatile indicators
   Adds additional context for threat intelligence reporting
Context
   Shift field away from single indicators
   Additional context increases effectiveness of incident response and operations
Malware Analysis
   Sample analysis can feed all four components
   Malware analysis does not have to be compartmentalized & segregated
Value of Time & Diamond Model
   Context and behavior can be derived without full scale reversing
   Can lead to increased effectiveness in incident response operations
Questions?