Micronesia: Sub-kernel Kit for Host Introspection in Determining Insider Threat

Presented at ShmooCon XI (2015), Jan. 18, 2015, noon (60 minutes).

Bootkits have long been used offensively by adversaries to maintain cold-state persistence. Micronesia is an extended bootkit that turns this capability inward, allowing a host system to perform self-surveillance. The purpose of the kit is to monitor for insider-threat potential on the local machine. At present, the resources invested in anti-leak and insider-threat detection are directed primarily at communications leaving the host. These approaches rely heavily on heuristics and on detecting anomalous traffic movement. A notable example can be seen in various government entities where sensitive documents on high-side networks are fingerprinted; these fingerprints are then matched against low-side traffic in the hope of taint-marking data leakage. A knowledgeable adversary, however, can easily transform communications so that they are no longer tagged. This talk proposes a bootkit solution that allows discreet full-system monitoring and determination of insider-threat activity. The kit's name symbolizes a shift in analytical focus away from mass collection across many systems and towards host self-determination, hence Micronesia: a collection of small islands.


Presenters:

  • Loc Nguyen
    Loc Nguyen (@nocsi_) is a security researcher at Exodus Intelligence. For the past decade, his work has covered areas such as vulnerability research, exploit development, language design, program analysis and digital forensics. In his spare time, Loc likes to read YouTube comments.
