Thursday, September 20, 2012

HERMES


As a follow-up to yesterday's post I would like to talk a bit more about HERMES and how it works.

INITIAL KNOWLEDGE - First, some form of information comes in indicating a potential attack. This information usually carries some trackable piece of data such as an email address, subject line, content, an md5 sum, etc. It usually arrives by one of the following methods:

  • Law enforcement notification
  • Incident Response/forensics post compromise information
  • A detection system picks up an attack (rare)
  • Specialized sourcing (AR gathers targeted attack tools, malware and other indicators using a variety of means including IR and direct sharing)
[Figure: Example HERMES Intel Report Components]

ANALYSIS - Typically focused on attack files, netflow, PCAPs, etc. The results include the following information:
  • Static
    • Disassembly, strings, code capabilities, maliciousness ratings, file identifiers, import/exports
  • Dynamic
    • File system & registry modifications, processes, memory modifications
    • Network activity, flow & full PCAP
    • User Agent Strings
  • Forensic information (file timestamps, etc.)
  • Multiple Anti-Virus Scanning
[Figure: Example HERMES Dynamic & Network Activity Report]

What sets the above apart is that HERMES runs samples on your standard build image rather than a generic XP VM, the way maliciousness is determined, and some of the memory work we do. Also fairly unique: the AV scans do not submit your sensitive samples to AV vendors, unlike sites such as VirusTotal, Jotti, etc.

CORRELATION - Most organizations track incidents over time via a notebook, a wiki or, most commonly, a whiteboard. HERMES allows you to identify relationships between attacks over time.
  • Incident Tracking
  • Analyst Notes
  • Actor/attribution Information
  • Relations between IOCs on different samples or cases
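To make the correlation idea concrete, here is an added example (not HERMES code, which the authors describe as a custom in-house system) that indexes incident records by indicator and groups cases that share any IOC, directly or through a chain of shared indicators; the case names, dates and indicator values are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample incidents carrying the trackable indicator kinds the post
# names (sender address, subject, md5 sum, user agent); hashes are placeholders.
INCIDENTS = [
    {"case": "CASE-001", "date": "2012-08-02", "indicators": {
        ("md5", "00112233445566778899aabbccddeeff"),
        ("sender", "hr-update@example.invalid"),
        ("user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)")}},
    {"case": "CASE-002", "date": "2012-08-21", "indicators": {
        ("md5", "00112233445566778899aabbccddeeff"),
        ("subject", "Updated travel policy")}},
    {"case": "CASE-003", "date": "2012-09-10", "indicators": {
        ("md5", "ffeeddccbbaa99887766554433221100"),
        ("subject", "Updated travel policy")}},
    {"case": "CASE-004", "date": "2012-09-15", "indicators": {
        ("md5", "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"),
        ("sender", "billing@example.invalid")}},
]

def index_indicators(incidents):
    """Map each (type, value) indicator to the set of cases it appeared in."""
    index = defaultdict(set)
    for inc in incidents:
        for ioc in inc["indicators"]:
            index[ioc].add(inc["case"])
    return index

def related_cases(incidents):
    """Return {(case_a, case_b): [shared indicators]} for pairs sharing an IOC."""
    shared = defaultdict(set)
    for ioc, cases in index_indicators(incidents).items():
        for a, b in combinations(sorted(cases), 2):
            shared[(a, b)].add(ioc)
    return {pair: sorted(iocs) for pair, iocs in shared.items()}

def cluster_cases(incidents):
    """Group cases linked (even indirectly) by shared IOCs via a small union-find."""
    parent = {inc["case"]: inc["case"] for inc in incidents}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in related_cases(incidents):
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for case in parent:
        groups[find(case)].append(case)
    return sorted(sorted(g) for g in groups.values())
```

Here CASE-001 and CASE-002 share a sample hash and CASE-002 and CASE-003 share a lure subject, so all three cluster together while CASE-004 stays separate.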
There are several ways in which HERMES is already benefiting our clients, and several options for how it may benefit you:
  • HERMES can be delivered as an appliance to supplement or provide your reverse engineering and incident tracking operations
  • HERMES can be delivered as an ESXi implementation which can fit easily into your existing virtualized environment
  • Finally, AR can provide organizations with HERMES targeted threat intel reporting, or HERMES can be operated by AR staff for you. Results can be provided as an XML feed, PDF, etc.
All of this information is fed into APTSim models to ensure that ongoing testing mirrors actual current targeted attack techniques and grows in sophistication over time in sync with the attackers. This information is also used to generate your IDS, AV, Splunk and other defensive signatures.

Rather than focusing on the entire set of malware, for which there are millions upon millions of samples, HERMES focuses on a handful of sophisticated, targeted attack tools that have been in use within the last 30 days or less.

Most security tools are designed to deal with the 80% of attacks such as botnets, scans, mass malware, etc. But it's the other 20% that you should care about, because those are the ones that are intentionally (and successfully) damaging your business and that you have no defense against. This is something you can get your hands around with a tool like HERMES.

In the next post I will talk a bit more about APTSim and how it works.

As always, hit up info [at] attackresearch.com for more information.

V.

valsmith

2 comments:

Anonymous said...

What have you used to generate the dynamic/static analysis report?

valsmith said...

We build our own custom system for doing it.