Memory Forensics and Security Analytics : Detecting Unknown Malware

Presented at DeepSec 2014 „Do you want to know more?“, Unknown date/time (Unknown duration)

The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated Memory Forensics Solution, which has the capability to detect 'unknown' malware. I will show a demo of this solution, and how it can be used to find 'unknown' malware. This solution is based on my personal research. The idea is to spend 20 mins on the presentation piece and 10-15 minutes on the demo. Leaving 5-10 minutes on the Q&A. I will start with a quick introduction to the concept of Unknown Malware, followed by recent trends in malware detection. The 'On-Host Forensics' is latest development, with tools like Mandiant Redline, Carbon Black, Bromium becoming popular. These tools provide 'Host Based' malware detection capabilities relying on Memory Forensics techniques. Memory Forensics has been a traditional Incident response technique. With latest tools many of the Manual steps involved in Memory Analysis can be automated. Malware can be detected based on intelligence feeds or statistical analysis by 'On-host Forensics' tools. While each of these tools have their strengths, I would like to show how open source tools like 'Volatility' can be utilized to extract memory fragments automatically and feed this data to an analytics engine. My analytics engine is based on SQL server, capable of processing data from 100s of machines simultaneously. In this POC solution, the clients send their Memory Analysis from Volatility every 30 minutes and the analytics engine processes data through automated jobs. Approach one - Traditional way of finding malware, using Threat Intelligence and IOCs : I will simulate a Threat Intelligence feed, and show how my solution can be used to detect malware based on data received from OpenIOC or Cybox. Approach Two - Finding Malware by benchmarking your environment: I will perform analysis on Memory fragments to identify changes on the hosts using Security Analytics Engine. The engine keeps track of changes on the host and identifies anomalies by comparing against last known state. This will be followed by suggestions how such a solution can be deployed in an enterprise environment with the pros and cons. I will end the presentation with sharing where Memory Forensics sits within the Security Analytics space today. And what can we expected from it in the future as Security Analytics Solutions mature.

Presenters:

• Fahad Ehsan - UBS AG
  Fahad works with UBS AG, where he is a lead architect with the Security Analytics team. His other areas of expertise include Malware Reverse Engineering and Memory Forensics. He recently delivered a Vulnerability Management Platform, which is widely used within the Bank. Throughout his 7-year career, he has held various roles in Security Research & Engineering, Consultancy, SOC and C#/SQL dev teams.

Links:

• https://deepsec.net/archive/2014.deepsec.net/speaker.html#PSLOT179
• https://infocon.org/cons/DeepSec/DeepSec 2014/Memory Forensics and Security Analytics - Detecting Unknown Malware.mp4

Similar Presentations:

• Black Hat Asia 2021 Virtual / Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
• Black Hat Asia 2019 / Investigating Malware Using Memory Forensics - A Practical Approach
• ShmooCon X (2014) / ADD -- Complicating Memory Forensics Through Memory Disarray