
The Hunt is on! Advanced Memory Forensics Meets NextGen Actionable Threat Intelligence


Tech1 (718A) October 2, 2018 3:55 pm - 4:55 pm

Solomon Sonya

Cyber attacks continue to increase in severity and sophistication. A new era of attacks has become more ubiquitous and dangerous in nature. Malware has become much better at hiding its presence on the host machine. However, one place it cannot hide for long is in the volatile memory of the computer system. The purpose of this talk is to show exactly how to conduct advanced forensics on volatile memory to extract relevant artifacts and indicators of compromise, and how to interface with a new Actionable Cyber Threat Intelligence Engine I have built and released to the community to better hunt and identify new indicators of compromise across enterprise networks.

This talk starts straight into memory forensics. We will cover techniques to acquire and dump volatile memory from the host machines. This includes analysis on live machines, on dead systems where we will rebuild the memory states from previous system configurations, and on virtual machines. Then we focus on how to analyze these images and carve various artifacts, connections, running states, and binaries straight from memory. From here, we cover new ways to hunt for malicious indicators discovered during our analysis. I will show how to build new capabilities to interface artifacts extracted from our digital forensics into frameworks to expand our hunting capabilities. Next, we cover a new actionable threat intelligence framework I have developed called Excalibur Mark I – Threat Intelligence Engine. A little code and advanced analysis go a long way in uncovering new compromise on victim machines. I will show how to develop interfaces from our memory analysis and build new Actionable Cyber Threat Intelligence to truly enhance the skill level of our cyber security experts.

As attacks continue to advance, the knowledge and skill level of our cyber security experts must advance as well. This talk includes lots of live demos and introduces new tools I have created to automate host system, network, and memory forensics and synchronize with a new actionable threat intelligence system I built to discover attacks, visualize and build indicators of compromise, and learn how to stop these attacks in the future.