A6 Hunting Advanced Adversaries with Memory Analytics presented at ThreatIntelligence 2016

by Andrew Case

Summary: Traditionally, threat intelligence has focused on sharing artifacts and indicators extracted through disk and network forensics in order to rapidly identify threats. Unfortunately, these indicators have quickly become insufficient due to the changing tactics of advanced attackers. On the network side, attackers are constantly shifting servers and domain names, and they are using custom encrypted protocols to transfer data. On the host side, many attacks occur with no relevant artifacts being written to disk, or the on-disk artifacts are frequently mutated. This shift in adversarial tactics has led to a state in which detection solely through traditional means is often inadequate. Instead, memory analytics, which examines the state of the running system through an unfiltered view of physical memory, provides threat intelligence indicators and data that are difficult for attackers to evade. Furthermore, these in-memory artifacts can be scanned for quickly across even the largest networks. In this presentation, attendees will learn how to leverage memory analytics as a source of threat intelligence and detection, and how large-scale detection can occur in a fraction of the time of existing methods.
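As an added illustration of the idea in the summary (this is example code written for this page, not material from the talk or from any tool the speaker maintains), the script below scans a raw physical-memory image for indicators without relying on anything having been written to disk. The image is constructed inline with three planted artifacts (an HTTP beacon to a C2 domain, an encoded PowerShell command line, and a UTF-16LE path to a credential-dumping tool); the indicator names, the domain and the page layout are hypothetical. The scan checks each string indicator in both ASCII and UTF-16LE, because Windows keeps most of its in-memory strings in UTF-16LE and an ASCII-only search misses them, and it reports the physical page of each hit so that only those pages need to be pulled for deeper analysis. A real memory-analytics tool additionally walks the OS's own data structures (process lists, loaded modules, page tables); this structure-unaware pass is the simplest form of the "unfiltered view" the summary describes.

```python
"""Scan a raw memory image for threat-intelligence indicators.

Added example, not from the talk. The image, indicators and offsets below
are constructed for illustration.
"""
import re
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # 4 KiB pages, the usual granularity on x86/x64


@dataclass(frozen=True)
class Hit:
    indicator: str   # indicator name
    encoding: str    # "ascii", "utf-16le" or "regex"
    offset: int      # byte offset into the image
    page: int        # physical page number containing the hit
    context: bytes   # the matched bytes


# Hypothetical indicators (assumed for this example).
STRING_INDICATORS = {
    "c2_domain": "evil-c2.example",
    "cred_tool": "mimikatz",
}
REGEX_INDICATORS = {
    # powershell[.exe] ... -enc/-EncodedCommand followed by a base64 blob
    "ps_encoded_cmd": re.compile(
        rb"powershell(?:\.exe)?[^\x00\r\n]{0,80}?-e(?:nc|ncodedcommand)?\s+"
        rb"[A-Za-z0-9+/]{20,}={0,2}",
        re.IGNORECASE,
    ),
}


def build_sample_image() -> bytes:
    """Constructed 4-page image with one artifact planted in pages 1-3."""
    img = bytearray(4 * PAGE_SIZE)

    def plant(offset: int, data: bytes) -> None:
        img[offset:offset + len(data)] = data

    # Page 1: a beacon request still sitting in a socket buffer (ASCII).
    plant(PAGE_SIZE + 0x200, b"GET /beacon HTTP/1.1\r\nHost: evil-c2.example\r\n")
    # Page 2: an encoded PowerShell command line (ASCII).
    plant(2 * PAGE_SIZE + 0x40,
          b"powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")
    # Page 3: a tool path as Windows stores it in memory (UTF-16LE).
    plant(3 * PAGE_SIZE + 0x800, "C:\\Users\\Public\\mimikatz.exe".encode("utf-16le"))
    return bytes(img)


def _find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack."""
    start = 0
    while (idx := haystack.find(needle, start)) != -1:
        yield idx
        start = idx + 1


def scan_image(image: bytes, strings=STRING_INDICATORS,
               regexes=REGEX_INDICATORS, page_size: int = PAGE_SIZE) -> list:
    """Return all indicator hits in the image, ordered by offset."""
    hits = []
    for name, text in strings.items():
        for enc in ("ascii", "utf-16le"):  # both encodings, see lead-in
            needle = text.encode(enc)
            for off in _find_all(image, needle):
                hits.append(Hit(name, enc, off, off // page_size,
                                image[off:off + len(needle)]))
    for name, rx in regexes.items():
        for m in rx.finditer(image):
            hits.append(Hit(name, "regex", m.start(), m.start() // page_size,
                            m.group(0)))
    hits.sort(key=lambda h: h.offset)
    return hits


def hit_pages(hits) -> list:
    """Physical pages worth pulling for closer inspection."""
    return sorted({h.page for h in hits})


if __name__ == "__main__":
    for h in scan_image(build_sample_image()):
        print(f"page {h.page} @0x{h.offset:06x} {h.indicator:15s} "
              f"[{h.encoding}] {h.context[:48]!r}")
```

Run stand-alone, the script lists one hit per planted artifact, and the UTF-16LE hit on page 3 is the one an ASCII-only grep over the same image would have missed. To use it on a real acquisition, read the image file into `image` and replace the indicator tables with your own.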