Attribution for Intrusion Detection

Keynote Hall October 19, 2010

Greg Hoglund

With today’s evolving threat landscape, and the general failure of AV to keep bad guys out of the network, effective intrusion detection is becoming extremely pertinent. Greg will talk about using attribution data to increase the effectiveness and lifetime of intrusion detection signatures, both host and network. Within host physical memory, software in execution will produce a great deal of clear text related to behavior, command and control, and API usage – most of which is not readily available from captured binaries or disk acquisitions. Some of this available data relates to how the malware was written – the actual source code used. Other data may include forensic toolmarks left by a compiler and even the native language pack used by a developer. Many of these indicators do not change very often – the attackers reuse source code and development tools the same way that any normal software developer does. These indicators are extremely effective at detecting intrusions in the enterprise, especially when combined together. In this way they become a form of attribution – a way to fingerprint individual threat actors. Some of these indicators can even be used to make network security products more effective – for example, the DNS names used for command and control. Protocol-level information can even be decoupled from DNS, resulting in NIDS signatures that keep working even when the attackers rotate their DNS points. Greg will discuss how to analyze host systems, including physical memory, raw disk, and timeline information, to detect intrusions using attribution data. Greg will also discuss how to locate and extract attribution data from captured malware and compromised systems.