
One, two, three. Hi everybody, hi. First of all, super excited to be here at [inaudible]. Super cool, good weather, amazing. Thank you for listening here today. We're going to talk about what I consider the most important tool or skill set as part of the incident response process, which is memory analysis, in my opinion. I'm going to talk also about the traditional way of doing memory analysis and why it's important, but also share with you my idea about how a new approach can automate this process and, let's say, also bridge some skill gaps along the way. But just before that, a few words about myself. My name is Itai. I'm currently a co-founder of a company called Intezer; some of you may know it. Before founding this company around four years ago, I was leading the incident response team of the Israeli military for several years, so most of my day job, and a big part of my career, was to deal with nation-sponsored attacks and data breaches, which was very, very fun and very exciting and very, very stressful. But anything really regarding reverse engineering, forensics, incident response was under my division, including also memory analysis, so I have had the special privilege to investigate some of the most interesting incidents in the world.

Also, on another topic about myself: when I was about 16 years old I had a very bad fever and I went to my doctor, and he basically gave me some regular painkillers. Probably a few days after, I came back to him saying that I had a huge pain in the right part of my stomach, so he checked, touching here, to see if I had appendicitis. Nothing hurt me, so he said, yeah, that's probably just the fever, go back, take it like a man, and so on. The third time I came back to him it was less pleasant and more intense. He insisted it's just a fever, I should be a man. I told him that my insides are burning. He really, really insisted it's nothing. It became very, very ugly, but in the end he was convinced that I should go to the hospital, for one reason or another. And when I went to the hospital (by the way, this is connected to the story), they did an MRI scan, so they could see the inside of my body, and they saw I did have appendicitis, but my appendix was just a few inches away from where a normal human being should have it. So that's why my doctor didn't detect it. So, you know, it's hard for me to blame my doctor, although he wasn't too nice about it, but he didn't have the means or the tools to actually see what's going on inside my body. The hospital had an MRI where they could see every bit of it, while my doctor was searching for symptoms, like fever. So it's really about the difference between trying to analyze the symptoms of the problem versus really knowing exactly what's going on and diving into the root of the problem.

Now, the reason why I share this story with you is not just for the story; it's because we can learn something from it, because cyber attacks are also really like diseases: they also have symptoms, and also a root cause behind them. A symptom of a cyber attack, I'm sure you'll agree with me, could be suspicious network connections, right? We might have seen a peak in CPU utilization and maybe it's a coin miner, right? Maybe somebody has inserted an autorun registry key, or something like that. Everything that is not in the baseline of normal activity might be a symptom of a cyber attack, right? But what is the root cause of a cyber attack? What is the equivalent of the appendicitis for cyber attacks? So here's the thing: the root cause of cyber attacks is almost always, 99.99% of the time, some piece of code running in memory. So even if it's a big APT or just a small piece of code that is injected into some process, whether it's an attacker trying to scrape for passwords, whether it's an attacker that runs something to dispense cash from an ATM, whatever, in the end, in every cyber attack, there's always some piece of code running somewhere, right? And this is really important to understand: if we understand that the root problem of cyber attacks eventually all comes down to this, some piece of code in memory, then that is the reason why my talk is called "Memory Analysis is the Ground Truth". Because if we understand and analyze what's actually going on in the memory, where everything is running, this is really the ground truth, then we would be able to do the equivalent of an MRI scan in the cyber world. We will be able to look at the bits and bytes, understand what's actually going on, and not just look for symptoms, anomalies, suspicious things that eventually might be just false positives. And eventually, as incident responders, as security teams, we would be able to much faster and much more accurately detect, respond and remediate.

So, memory analysis: how can you do that? Because, well, behind the curtains, volatile memory, or RAM, essentially is a big pile of binary code, ones and zeros, right? How can we make sense out of all the bits and bytes running in my laptop, for example, at this very moment? So some of the traditional approaches, some good open source tools, solve that problem: take a memory image of a suspicious machine and be able to extract data. So for instance, who is familiar with Volatility? Yes. So first of all, memory analysis is the process of first getting the memory dump, right, taking the image of the memory, and then analyzing it. So you have a few, let's say, easy tools to perform memory acquisition. What I recommend, by the way, is a tool called WinPmem; check it out, I think it's the most convenient and the most accurate. But you can also even get a crash dump of a Windows machine, or even the hibernation file, which, when you hibernate, creates a file that's basically like a memory image of the entire machine. So you can do these processes in order to get the memory
image. But okay, now I've got something that looks like this. What should we do now in order to get that MRI scan capability? So this is where we have great tools like Volatility and Rekall. Basically, what they do is they have many different small tools within them that can take a memory image and extract readable data from it. So for example (I said that some of you know about it, but I just wanted to cover the basics), basically, by running Volatility you can take the memory image and then get the whole process list, or the process tree that was running on that machine. You can also get network connections, and so on and so forth. But you can do so much more than just fetching some processes: you can dive into the browser history, you can scrape encryption keys from memory, so much stuff that is going on in memory. Now with these tools you have a very clear vision and access to all this data, but, well, you have so much data to look at. Think about... oh sorry, I forgot to mention it: this process tree is not like opening Task Manager, not at all. This is the equivalent of an MRI of the memory, because once you have a memory image you're not subject to hackers interfering with the operating system. This is the actual binary that is running in the machine, so it's really reading the hard core of what's going on inside.

But as I mentioned before, you have so much data that you can extract from a single memory image, and in the end, I'm sure that some of you will agree with me, it's such a daunting task because you have so much data to look through. Hidden processes might not necessarily be malicious, modules that are mapped into memory might not be that bad, and so on and so forth. So eventually, although we look at the right place, which is volatile memory, we have too much data to look at. So for example, when you get a memory image, how do you know which small items or processes are just good, legit operating system stuff, which is 99% of what's running on a machine, and how do you get to this small fragment of code that might be injected into some process? That's why we need to know exactly what we have. [Music] So it's very hard to be able to do that, because what's extracted from memory is all scrambled: it was loaded into memory and you can't run it anywhere. So, for example, if you take a process dump from a memory image that you suspect is bad and then check it, let's say, in VirusTotal with some antivirus engine, this may give so many false positives, because they're not designed to check memory-extracted items, only regular files that you can see on disk. And even if you use a reverse engineer, although there aren't that many reverse engineers in the world, it's still so hard even to reverse-engineer a memory-extracted item, because of the same problem. So anyway, what I wanted to share with you is that memory analysis is great, but now, with the existing tools, we are drowning in data, and it's very, very hard to actually conduct on a day-to-day basis. I'm sure that a lot of people, when I ask about it, I can take a rough guess that most of you know what it is and know memory analysis, but you do not do it on a day-to-day basis. And the reason why is because it's so hard; yes, it's necessary, but it takes too much time and requires too many skills.

So what I want to introduce to you is an idea of a new approach that can perhaps help us to automate the process of memory analysis, and this approach I like to call genetic malware analysis. The idea is: think of if you would have a technology that you can give just a blob of binary code, a bunch of ones and zeros, and it could tell you, hey, listen, this is code that was seen in Zeus malware, or whatever. Then you would take the memory image and instantly have a vision of what's going on there. This is, you know, the high-level goal of genetic analysis: to identify, being able to identify, the origins of every piece of binary code. Now, full disclosure here: my life in the past five years was dedicated to perfecting this with my company, not just the approach in general, just full disclosure so nobody will, you know, call me a fraud. So genetic malware analysis, or genetic code analysis: the goal is to be able to do something like a DNA test for binary data. Okay, I know, how is it possible? So here's the thesis of genetic malware analysis, or genetic code analysis; it's quite, quite simple. Every single piece of software in the world, I'm sure you'll agree with me, is almost always based on previously written code, right? No programmer likes to reinvent the wheel, whether it's being based on something from Stack Overflow, whether it's copying and pasting from existing infrastructure that the company has developed. New software is always based on previous building materials. So here's the thesis of genetic malware analysis: if we can detect these code similarities and code reuse, we will be able to trace the genetic origins of software. So that if I see a certain file that has a few pieces of code that I've seen only in Microsoft products, I will be able to make a guess that this is another Microsoft product, or a newer version. This is the thesis, just in a nutshell.

And here's how it works on a more practical level. When you take a blob of some binary code, let's say an executable file or even an entire memory image, with this approach you would dissect it into thousands of small pieces that I like to call genes, and then basically you would compare each and every gene to genes that are already known in a database. So I'll share an example, then it will be much clearer. So let's say this is an unknown file running on one of your suspected machines. You have conducted memory analysis on the memory dump, saw a suspicious process, and you've dumped it. Now what? Now our genetic malware analysis comes into play. So this approach can tell you: look, this piece of code in that file was already seen in legitimate software, right? Or a piece of code of that software, of that file, was already seen in Zeus. And, you know, this approach can tell you, hey, listen, this is a piece of code that I have never seen before, not in any other software or malware in the world. So you get a very deep understanding, as if you had a team of hundreds of reverse engineers analyzing every single line of binary code and telling you where they've already seen it before. This is the general idea. Now I want to give you a few examples of how it looks in practice, real examples. So one time I had a friend with
explorer.exe injected and unlinked in every single Windows 7 computer in his organization. He was, you know, sweating, and he was like, what is this? And here's the thing: when you upload to VirusTotal that single injection, it just produces so many alerts from so many vendors, most of them generic, like "generic", "generic". So this is what happens. And when we checked it with the genetic analysis approach, we saw something very, very cool, so let me show you. I know, I don't want to dive into the details here, but eventually this injection had 95% code similarity to other Microsoft products. To be more exact, it had the most similarities with one Microsoft component, and it also had a lot of other code in common with other Microsoft products, but that just makes sense; that's how software vendors work. But that gave us the ability to really say: okay, although it was anomalous (sorry, the module was anomalous, this whole thing was weird), still it's okay. By the way, here you can see [inaudible].

And another example, which is not a big one but a lot different: how many of you are familiar with the CCleaner case? Oh yes. Basically, it was a legit software that attackers have injected malicious code into, within the legitimate software, so when you run the legit software the malware is loaded into memory along with the application, which is very much intact. So anyway, taking a look at how this injected piece of code looks in memory and genetically analyzing it, you can see that about 30 percent of the code is similar to Winnti, which is also called APT17, basically a Chinese government group. So with CCleaner in memory you would see code similarities to other Chinese government entities.

So really what I want to suggest is a new way to conduct memory analysis that combines both the new idea of genetic analysis with the traditional solutions. I would recommend anybody to conduct this memory analysis in the most effective way, one that can be automated, at a new scale. So first of all, when I get the blob of a memory image, in order to analyze it, I set aside all the trusted modules of the operating system, all the code that I know is okay, and then I'm usually left with about ten processes, ten modules, that are bad. This is the crazy thing: who knows how much was in there, but with genetic analysis you are down to about 10, which is really good. And if you are left with malware in your system, then you would be able to say, hey, this is probably, you know, one guy, or this is probably important; we'll be able to classify the malware if it was indeed malware in your system. And lastly, I have definitely used traditional approaches like Volatility and Rekall, for example, in order to assess the damage; for example, you see the timeline of what the attacker did. This is amazing. But the new approach that I suggest to you today is: quick triage with genetic analysis, the new approach, and forensic analysis for damage assessment and response with the other, traditional memory analysis. So really, these are the two main key takeaways that I want you to have today. First of all, the importance of memory analysis; I mean, I think we talked about it a lot. And lastly, I wanted to present to you the approach of genetic analysis and how it can help you do memory analysis at a huge, huge scale and in a quite automated fashion, without being a super ultra reverse engineer. So first of all, thank you very much, it was a pleasure to be here, and I'm happy to take questions.

Five minutes? Yeah, okay. So I'll just repeat the questions. The first one is: how do you deal with the compiler? So this is the main challenge, but you can't do genetic analysis without addressing the fact that binary code looks different every time. I'll take the question afterwards. The second question, yeah, so the second question was: when do you take a memory snapshot? So I assume that you talked about, like, during malware analysis, because then, when you're running a sandbox, it's a question of what triggers it, naturally. But here I talked more about memory analysis in the sense of incident response, and the simple answer is: as soon as possible. You have an alert, you need to know what's going on, you need to triage a suspicious machine: take a memory snapshot right away. That's my recommendation. Thank you so much. [Applause]
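As an added illustration of the triage workflow the talk describes (not the speaker's code and not Intezer's implementation), here is a toy version in Python: dissect each dumped module into "genes", look every gene up in a labelled gene database, set aside modules made only of trusted vendor code, and classify what is left by the family whose code it reuses. The fixed-size gene cut, the family names, and the seeded random bytes standing in for module contents are all constructed assumptions.

```python
import hashlib
import random
from collections import defaultdict
GENE_SIZE = 32  # bytes per "gene"; a demo choice, not the granularity of any real product

def genes(blob):
    """Dissect a binary blob into fixed-size genes and hash each one."""
    return [hashlib.sha256(blob[i:i + GENE_SIZE]).hexdigest()
            for i in range(0, len(blob) - GENE_SIZE + 1, GENE_SIZE)]

def build_db(labelled):
    """Known-gene database: gene hash -> set of families the gene was seen in."""
    db = defaultdict(set)
    for family, blobs in labelled.items():
        for b in blobs:
            for g in genes(b):
                db[g].add(family)
    return db

def analyze(blob, db):
    """Share of the blob's genes seen per family; unmatched genes count as 'unknown'."""
    gs = genes(blob) or [None]  # a blob too small for one gene is wholly unknown
    hits = defaultdict(int)
    for g in gs:
        for fam in db.get(g, {"unknown"}):
            hits[fam] += 1
    return {fam: round(n / len(gs), 2) for fam, n in hits.items()}

def triage(modules, db, trusted, malicious):
    """The talk's workflow: discard modules made only of trusted code, classify the rest."""
    verdicts = {}
    for name, blob in modules.items():
        shares = analyze(blob, db)
        if set(shares) <= trusted:
            verdicts[name] = "trusted"  # whitelisted vendor/OS code, no analyst time needed
        elif set(shares) & malicious:
            top = max(set(shares) & malicious, key=shares.get)
            verdicts[name] = f"reuses {top} code ({shares[top]:.0%})"
        else:
            verdicts[name] = "anomalous, no known malware genes"
    return verdicts

_rng = random.Random(7)  # constructed sample "code": seeded random bytes stand in for real modules
MS_A, MS_B, ZEUS = (bytes(_rng.getrandbits(8) for _ in range(n * GENE_SIZE)) for n in (20, 20, 10))
DB = build_db({"microsoft": [MS_A, MS_B], "zeus": [ZEUS]})
MODULES = {
    "vendor_module": MS_A,                                          # pure Microsoft code
    "explorer_injection": MS_B[:19 * GENE_SIZE] + bytes(GENE_SIZE),   # 95% Microsoft, 5% never seen
    "trojanized_app": MS_A[:7 * GENE_SIZE] + ZEUS[:3 * GENE_SIZE],  # 30% malware-family code
}
VERDICTS = triage(MODULES, DB, {"microsoft"}, {"zeus"})
```

The three constructed modules mirror the talk's cases: a pure vendor module drops out of the review queue, the 95%-Microsoft injection is anomalous but carries no known malware genes, and the trojanized application is flagged by the 30% of its code shared with a malware family.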