HBGary - Protection Against Advanced Targeted Threats

HBGary Digital DNA Malware Detection System is a revolutionary technology to detect advanced computer security threats within physical memory without relying on the Windows operating system, which cannot be trusted. All software modules residing in memory are identified and ranked by level of severity. The Digital DNA sequence is a series of trait codes that, concatenated together, describe the behaviors of each software module. HBGary also provides a full family of classification solutions that allow organizations to classify, label and protect email, documents, and electronic files.
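To make the trait-sequence idea concrete, here is an added illustration in Python; it is not HBGary's Digital DNA implementation and none of its details come from the product. The trait codes, their descriptions and weights, the noisy-OR severity formula, the Jaccard threshold and the per-host scan inventory are all constructed assumptions. It builds a canonical sequence string from a module's observed traits, ranks the module by severity, and then searches a small inventory of scanned hosts for modules whose trait sets resemble a reference sample (the "variant search" use described in the list below).

```python
"""Trait-sequence scoring and variant search, in the style described above.

Added example, not HBGary code: the trait codes, descriptions, weights,
score formula and host inventory are constructed for illustration.
"""

# Constructed trait catalog: code -> (behavior it denotes, weight 0..10).
TRAIT_CATALOG = {
    "0A2F": ("hooks a system service table entry", 9),
    "11C8": ("writes code into another process", 8),
    "3E90": ("hides its process from enumeration", 9),
    "4B17": ("opens a raw network socket", 4),
    "5D03": ("installs a keyboard hook", 7),
    "62A1": ("unpacks code at runtime", 5),
    "7F20": ("reads the clipboard", 2),
    "8800": ("registers for autostart", 3),
}


def sequence(traits):
    """Concatenate a module's trait codes into one canonical sequence string."""
    unknown = set(traits) - TRAIT_CATALOG.keys()
    if unknown:
        raise ValueError(f"unknown trait code(s): {sorted(unknown)}")
    # Sorting makes equal trait sets produce identical sequences.
    return " ".join(sorted(set(traits)))


def severity(traits):
    """Combine trait weights into a 0..100 score plus a rank label.

    Each weight is treated as an independent probability (weight/10) that the
    module is hostile and combined noisy-OR style: several weak traits add up,
    one strong trait dominates, and the score never exceeds 100.
    """
    p_benign = 1.0
    for code in set(traits):
        p_benign *= 1.0 - TRAIT_CATALOG[code][1] / 10.0
    score = round(100 * (1.0 - p_benign))
    label = "high" if score >= 80 else "medium" if score >= 40 else "low"
    return score, label


def similarity(a, b):
    """Jaccard similarity of two trait sets: shared traits / all traits."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def find_variants(reference, inventory, threshold=0.6):
    """Return (host, module, similarity) for modules resembling `reference`.

    `inventory` maps host -> module name -> trait codes, i.e. what a memory
    scan of each machine reported. Variants built from the same toolkit share
    most traits even when their bytes differ, so trait overlap finds them.
    """
    hits = []
    for host, modules in inventory.items():
        for name, traits in modules.items():
            s = similarity(reference, traits)
            if s >= threshold:
                hits.append((host, name, round(s, 2)))
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed scan results from three hosts (not real data).
INVENTORY = {
    "ws-014": {"svchost.exe": ["8800"],
               "ndisproxy.sys": ["0A2F", "3E90", "4B17", "62A1"]},
    "ws-207": {"explorer.exe": ["7F20"],
               "netmon.sys": ["0A2F", "3E90", "4B17", "62A1", "5D03"]},
    "srv-db1": {"backup.exe": ["8800", "4B17"]},
}

if __name__ == "__main__":
    ref = INVENTORY["ws-014"]["ndisproxy.sys"]
    print("sequence:", sequence(ref))
    print("severity:", severity(ref))
    for host, name, s in find_variants(ref, INVENTORY):
        print(f"{host:8} {name:14} similarity={s}")
```

The reference module on ws-014 is ranked high; the driver on ws-207 shares four of its five traits and is reported as a likely variant, while the backup tool on srv-db1, which merely opens a socket and autostarts, is not.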

HBGary - Actionable Intelligence

Actionable intelligence is what you can learn from Responder and Digital DNA that will help you counter a cyber-threat.

  1. Can search for variants of the malware across the enterprise using Digital DNA
  2. Can determine which toolkit was used to generate the malware
    • This reveals what pre-packaged capabilities are present
    • If the toolkit is tracked in the HBGary Portal, we may have existing threat-intelligence reports for it
    • A toolkit has specific DDNA that can be scanned for, increasing the likelihood you can detect variants
    • Toolkits have lifecycles – is this a new threat, or an evolving threat? Evolving threats have long-term funding. New threats may have new capabilities that can damage the Enterprise in new ways, so this needs to be understood.
  3. Can attribution factors detect which attacker developed and deployed the malware?
    • If so, then the attacker will have threat intelligence associated with them. This will reveal the intent of the attacker and the potential threat to the Enterprise
    • For example, is the attacker interested in running spam-bots, stealing banking credentials, or stealing intellectual property?
  4. IP Address and DNS names of Command and Control / Drop Sites
    • This information can be consumed by network security equipment to block traffic and discover other nodes that have been infected
  5. Unique protocol strings
    • This information can be consumed by network security equipment to block traffic and discover other nodes that have been infected
  6. Compromised Information
    • Responder can be used to determine which files have been opened or exfiltrated, if keystrokes were logged, and if passwords were stolen. Compromised passwords can be changed. If keylogging or data was stolen, some damages can be assessed.
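Items 4 and 5 above describe feeding recovered network indicators (C2 addresses, DNS names, protocol strings) into network equipment to block traffic and find other infected nodes. The following is an added Python example of that consumption step; it is not HBGary code, and the indicator values, the DNS and proxy log formats, the log lines and the block-list shape are all constructed for illustration (the IP addresses are from the documentation ranges). It scans log lines for any host that resolved a C2 domain, connected to a C2 address, or sent the beacon's protocol string, and flattens the indicators into entries an enforcement point could load.

```python
"""Turning recovered indicators into blocking and discovery of infected nodes.

Added example, not HBGary code. The indicators, log formats and log lines
are constructed; real deployments parse their own proxy/DNS/IDS formats and
feed the block list to whatever enforcement point they run.
"""
import ipaddress
import re

# Constructed indicators recovered from one infected host's memory.
INDICATORS = {
    "c2_ips": {"203.0.113.45"},                 # documentation range, not a real C2
    "c2_domains": {"update.example.net"},
    "protocol_strings": {"XKEY-HELLO/1.1"},     # constructed beacon header
}

# Constructed log formats: one DNS resolver line, one proxy line.
DNS_RE = re.compile(r'^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$')
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) proxy client=(?P<client>\S+) dst=(?P<dst>\S+) payload="(?P<payload>[^"]*)"$')


def domain_matches(qname, domains):
    """True if qname is a listed domain or any subdomain of one."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in domains)


def find_infected_hosts(lines, indicators):
    """Return {client: [reasons]} for every host that touched an indicator."""
    hits = {}
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if domain_matches(m["qname"], indicators["c2_domains"]):
                hits.setdefault(m["client"], []).append("dns:" + m["qname"].rstrip("."))
            continue
        m = PROXY_RE.match(line)
        if m:
            reasons = []
            if m["dst"] in indicators["c2_ips"]:
                reasons.append("ip:" + m["dst"])
            # The protocol string catches beacons to C2 addresses not yet known.
            if any(s in m["payload"] for s in indicators["protocol_strings"]):
                reasons.append("protocol-string")
            if reasons:
                hits.setdefault(m["client"], []).extend(reasons)
    return hits


def block_list(indicators):
    """Flatten indicators into (kind, value) entries; reject malformed IPs."""
    for ip in indicators["c2_ips"]:
        ipaddress.ip_address(ip)  # raises ValueError on garbage
    entries = [("ip", ip) for ip in sorted(indicators["c2_ips"])]
    entries += [("domain", d) for d in sorted(indicators["c2_domains"])]
    entries += [("payload", s) for s in sorted(indicators["protocol_strings"])]
    return entries


# Constructed log lines from an internal resolver and an outbound proxy.
LOGS = [
    '2011-02-07T09:12:01Z dns client=10.0.5.23 query=update.example.net.',
    '2011-02-07T09:12:02Z proxy client=10.0.5.23 dst=203.0.113.45 payload="XKEY-HELLO/1.1 id=5"',
    '2011-02-07T09:15:44Z dns client=10.0.7.8 query=www.example.org.',
    '2011-02-07T09:16:10Z proxy client=10.0.7.8 dst=198.51.100.7 payload="GET / HTTP/1.1"',
    '2011-02-07T09:20:30Z dns client=10.0.9.61 query=cdn.update.example.net.',
    '2011-02-07T09:21:00Z proxy client=10.0.2.2 dst=198.51.100.9 payload="XKEY-HELLO/1.1 id=9"',
]

if __name__ == "__main__":
    for client, reasons in sorted(find_infected_hosts(LOGS, INDICATORS).items()):
        print(client, reasons)
    print(block_list(INDICATORS))
```

Note that 10.0.2.2 is flagged solely by the protocol string even though it beacons to an address not on the list; that is why item 5 is worth extracting separately from item 4.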

Rootkit Detection

The harder a rootkit tries to hide, the easier it is to identify it. Changes made to the operating system are often invalid and easy to spot. For a rootkit to operate, it must exist in memory. Attempts to mask memory only make the memory stand out more. By not relying on the subverted operating system for information, Responder bypasses all of the rootkit's defenses.
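The paragraph above is describing cross-view detection: a structure that has been unlinked from the operating system's lists is still physically present in memory, so a scan that does not trust those lists finds it, and its absence from the list is itself the tell. The following Python example, added here and not taken from Responder or any HBGary code, builds a tiny constructed "memory image" with a made-up process-block layout (tag, pid, forward link, name; an assumption, not the real Windows structure), walks the linked list the way a trusting tool would, carves every block from raw bytes regardless of linkage, and reports the difference. The process names, pids and the "OS view" list are constructed.

```python
"""Cross-view detection of an unlinked (hidden) process block.

Added example, not HBGary code. The block layout, image, process names and
OS-reported list are constructed; real kernel structures differ.
"""
import struct

TAG = b"PROC"
# Constructed layout: tag(4) | pid(u32) | flink offset(u32) | name(16) = 28 bytes
BLOCK = struct.Struct("<4sII16s")


def build_image(procs, hidden_pids=(), base=0x40, stride=0x50, size=0x200):
    """Lay out process blocks in a fake image and return (image, head offset).

    Blocks for `hidden_pids` stay in memory but are unlinked: the previous
    visible block's forward link skips over them, as a rootkit would arrange.
    """
    img = bytearray(size)
    offsets = [base + i * stride for i in range(len(procs))]
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden_pids]
    for i, (pid, name) in enumerate(procs):
        if pid in hidden_pids:
            flink = offsets[(i + 1) % len(procs)]     # its own link is left intact
        else:
            nxt = next((j for j in visible if j > i), visible[0])
            flink = offsets[nxt]
        BLOCK.pack_into(img, offsets[i], TAG, pid, flink, name.encode().ljust(16, b"\0"))
    return bytes(img), offsets[0]


def parse_block(img, off):
    """Decode one block; raise ValueError if the tag is wrong."""
    tag, pid, flink, name = BLOCK.unpack_from(img, off)
    if tag != TAG:
        raise ValueError(f"no block at {off:#x}")
    return pid, flink, name.rstrip(b"\0").decode()


def walk_list(img, head):
    """Follow forward links from head until the list wraps; this is the
    view a tool gets when it trusts the OS's own bookkeeping."""
    found, off, visited = {}, head, set()
    while off not in visited and 0 <= off <= len(img) - BLOCK.size:
        visited.add(off)
        try:
            pid, flink, name = parse_block(img, off)
        except ValueError:
            break
        found[pid] = name
        off = flink
    return found


def carve_blocks(img):
    """Scan every byte offset for the block tag; linkage is irrelevant."""
    found, start = {}, 0
    while True:
        off = img.find(TAG, start)
        if off < 0 or off > len(img) - BLOCK.size:
            break
        pid, _, name = parse_block(img, off)
        found[pid] = name
        start = off + 1
    return found


def cross_view(os_view, list_view, carved):
    """Anything carved from raw memory but missing from a trusted view is suspect."""
    return {"unlinked": sorted(set(carved) - set(list_view)),
            "hidden_from_os": sorted(set(carved) - set(os_view))}


# Constructed scenario: four processes, one unlinked by a rootkit.
PROCS = [(4, "System"), (412, "svchost.exe"), (1337, "hidden.exe"), (2100, "notepad.exe")]
HIDDEN = (1337,)
OS_VIEW = {4: "System", 412: "svchost.exe", 2100: "notepad.exe"}   # what a hooked API reports


def detect():
    img, head = build_image(PROCS, HIDDEN)
    return cross_view(OS_VIEW, walk_list(img, head), carve_blocks(img))


if __name__ == "__main__":
    print(detect())
```

The carve is the part that ignores the subverted operating system; the list walk and the OS view both come up one process short, and the discrepancy is exactly the hidden block.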

Incident Response

Having physical memory is like having a hidden camera in the corner of a crime scene. It answers all of the unanswered questions: who did what, and in what order. All the live activity on a computer is stored in memory. Live memory is a treasure trove of events, keystrokes, open files, network packets, screenshots and software functions. This volatile data is the key to understanding runtime configuration, user actions, and software capabilities and behaviors. Responder doesn't just identify whether malware is present; it identifies what it was doing.

Malware Reverse Engineering

Each and every cyber espionage case could easily be misconstrued as a traditional "virus" outbreak. Why should you reverse engineer binaries for information security or computer forensic purposes? The answer is very simple: when you come across unknown executables, drivers, and modules on workstations and servers during routine security assessments or investigations, you need to be able to identify the software's true capabilities and intent. You need to rapidly determine whether the software is malicious, or whether it has the functionality necessary to prove the "Trojan Defense". You can no longer rely solely on your antivirus and antispyware companies to help you keep a clean and trusted network.

Computer Forensics

Computer forensic investigators worldwide have been asking for live memory preservation and analysis capabilities for years. These cybercops have known about the valuable information contained in memory, but until now have not had an easy way to analyze and parse the low-level, undocumented data structures contained therein.
