Memory Forensics and Security Analytics: Detecting Unknown Malware, presented at DeepSec 2014

by Fahad Ehsan

Summary: The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated memory forensics solution that has the capability to detect 'unknown' malware. I will show a demo of this solution and how it can be used to find 'unknown' malware. The solution is based on my personal research. The idea is to spend 20 minutes on the presentation piece and 10-15 minutes on the demo, leaving 5-10 minutes for Q&A.
I will start with a quick introduction to the concept of unknown malware, followed by recent trends in malware detection. 'On-Host Forensics' is the latest development, with tools like Mandiant Redline, Carbon Black and Bromium becoming popular. These tools provide host-based malware detection capabilities that rely on memory forensics techniques.
Memory forensics has traditionally been an incident response technique. With the latest tools, many of the manual steps involved in memory analysis can be automated, and 'On-Host Forensics' tools can detect malware based on intelligence feeds or statistical analysis.
While each of these tools has its strengths, I would like to show how open-source tools like 'Volatility' can be used to extract memory fragments automatically and feed that data to an analytics engine. My analytics engine is based on SQL Server and is capable of processing data from hundreds of machines simultaneously. In this POC solution, the clients send their memory analysis output from Volatility every 30 minutes, and the analytics engine processes the data through automated jobs.
Approach One - Traditional way of finding malware, using threat intelligence and IOCs: I will simulate a threat intelligence feed and show how my solution can be used to detect malware based on data received in OpenIOC or CybOX format.
Approach Two - Finding malware by benchmarking your environment: I will perform analysis on memory fragments to identify changes on the hosts using the Security Analytics Engine. The engine keeps track of changes on each host and identifies anomalies by comparing against the last known state.
This will be followed by suggestions on how such a solution can be deployed in an enterprise environment, with the pros and cons.
I will end the presentation by sharing where memory forensics sits within the security analytics space today, and what we can expect from it in the future as security analytics solutions mature.
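As an added illustration of the approach-two comparison (this is not the author's engine or Volatility's own code), the Python below compares a host's process list, as a Volatility-style process-listing plugin would report it, against the stored last known state. Processes are matched by name, image path and parent name rather than PID, since PIDs change across reboots; the two snapshots are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    path: str

def _key(p):
    # PIDs change across reboots, so compare by name and image path instead.
    return (p.name.lower(), p.path.lower())

def _lineage(procs):
    # Set of (child, parent) name pairs; a parent that is not in the list becomes "?".
    by_pid = {p.pid: p.name.lower() for p in procs}
    return {(p.name.lower(), by_pid.get(p.ppid, "?")) for p in procs}

def diff_state(baseline, current):
    """Return what changed on the host since the last known state."""
    base, cur = {_key(p) for p in baseline}, {_key(p) for p in current}
    known = {name for name, _ in base}
    added = cur - base
    return {
        "new_names": sorted(n for n, _ in added if n not in known),      # never seen before
        "new_paths": sorted(f"{n} -> {path}" for n, path in added if n in known),  # known name, new image path
        "missing": sorted(f"{n} -> {path}" for n, path in base - cur),   # gone since baseline
        "new_lineage": sorted(_lineage(current) - _lineage(baseline)),   # new parent/child pair
    }

# Constructed "last known state" of one host, as the engine would store it.
BASELINE = [
    Proc("System", 4, 0, ""),
    Proc("smss.exe", 320, 4, r"\SystemRoot\System32\smss.exe"),
    Proc("winlogon.exe", 440, 320, r"C:\Windows\system32\winlogon.exe"),
    Proc("services.exe", 520, 440, r"C:\Windows\system32\services.exe"),
    Proc("svchost.exe", 700, 520, r"C:\Windows\system32\svchost.exe"),
    Proc("explorer.exe", 1200, 440, r"C:\Windows\Explorer.EXE"),
]

# Constructed snapshot from the next 30-minute run: the same processes plus
# one extra "svchost.exe" running from a user-writable path under explorer.exe.
SNAPSHOT = BASELINE + [Proc("svchost.exe", 2212, 1200, r"C:\Users\Public\svchost.exe")]

if __name__ == "__main__":
    for category, items in diff_state(BASELINE, SNAPSHOT).items():
        print(category, items)
```

In the engine this comparison runs per host against the previous row set in SQL Server; the same categories map directly onto analyst-facing alerts.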