Fresh Prints: Malware Behaving Badly


Can we get a copy of the presentation?
Yes, the slides and recording are posted on the website.

When is the next MANDIANT webinar?
State of the Hack will be on Thursday, March 11, 2010 at 2:00 p.m. Eastern time.

Where can we download Audit Viewer and Memoryze?
Check out the Free Software section of our website. Or you can search for them on the front page of our site.

Have you seen malware that was digitally signed?
Not so far. While attackers are taking more steps to make their malware resemble normal software, thus far they haven’t signed their work. That’d be pretty cheeky.

Can you grab memory remotely?
Memoryze can perform local memory forensic analysis and acquisition, and it’s intended to run on one or a few hosts. For remote operation at scale, we use our Intelligent Response agent. The MIR agent includes all the functionality of Memoryze, plus disk forensic capability and large scale operation in enterprise networks. There’s more information about Intelligent Response on our website.

Memoryze uses a driver to access system memory. Is that driver signed? Does it work on Vista and other platforms that require signed drivers?
Yes, the driver is signed by Mandiant, and it installs fine on systems that require drivers to be signed. And you don’t have to reboot after installing or uninstalling the driver.

When will 64-bit support be available in Memoryze?
Memoryze will support 64-bit operating systems very soon. We don’t pre-announce release dates, but we’re very close to this one.

Are there any things to look for at the network level to help identify APT compromise?
Absolutely. There are some things you can look for in network traffic to help identify APT activity. Our M-Trends report contains some examples. We’ll also discuss this topic in the State of the Hack webinar series.

How is Memoryze different from other similar tools?
Memoryze performs analysis of memory, not just acquisition, and it can do so on a live system under study. Memoryze can also analyze memory dumps, so you can use it for live response as well as dead forensics. You could think of Memoryze as a combination of memory acquisition and analysis code. (That’s how we came up with the name, by the way: “Memoryze” comes from “Memory” and “Analyze”.)

Does MANDIANT offer training courses, and what are the class sizes?
Yup. You may be familiar with our public classes – we often teach at Black Hat in Las Vegas, and we have a memory analysis class coming up shortly at CanSecWest on March 22. You can sign up at http://cansecwest.com/dojomemory.html.

We also offer private classes on a variety of topics, from proactive analysis to incident response and malware reverse engineering. Check out the class list in the Education section of our website and contact us to discuss it further.

Is there a “dummies” course for beginners in malware analysis?
Absolutely. Our Introduction to Malware Analysis class is a great start, and we have some more advanced classes as well. We’ve offered them publicly in the past and hope to keep doing so. For more information, please email us.

Where does whitelisting of suspicious files on disk fit in an overall APT detection and remediation strategy?
I think you meant whitelisting of non-suspicious files here. That’s certainly part of a good incident response program, because it lets you sweep away the known-good noise and focus on finding the potentially-evil. We did a webinar on that topic with our pals at Bit9 in January. Check it out in our presentation archives.

Would application whitelisting prevent an attacker from using his own svchost.exe?
That mostly depends on the whitelisting implementation, I think. If you have your systems locked down to a super-tight configuration, where you specify each and every file that’s allowed to execute, and only allow those files, you might be able to make it harder.

However, it’s very difficult to maintain that tight a grip on all the systems in an environment. Remember, the APT attackers are smart; they might well just try and find the systems that aren’t locked down as tightly, and then stage their attacks from there.

Do you have any plans to support Linux systems?
At this time, we’re continuing our focus on Windows systems. We still see the attackers targeting them almost exclusively. When they need access to a non-Windows system, they just compromise a Windows one and access the data from there.

We’ll keep an eye on this, though, and when there’s a significant need for non-Windows support, we’ll consider it. We’ve built the existing agent code so we can extend it to non-Windows systems without major re-architecting.

Aren’t Memoryze and Audit Viewer similar to Microsoft Sysinternals Process Explorer?
Both programs give you insight into what’s running on a system, but they use different means to access the data.

Process Explorer uses API calls, has a real-time GUI, and is more focused on system administration tasks than incident response. (I use it to troubleshoot performance problems on my laptop; it’s great for that.)

Memoryze uses memory forensic analysis, not API calls, and so it’s harder to fake out. Our tools are also aimed more at incident response than system administration. Finally, Memoryze can analyze dead memory images, whereas Process Explorer only runs on live systems.

Have you seen attacks that chain exploits? For example, first compromise the browser process, and subsequently elevate privileges using another means?
I guess you could say that, sure. Here’s how it works.

The most common APT exploitation cycle starts with a user compromise, most frequently a spear phish email with a rigged attachment or a link to a rigged web page. Once that machine is compromised, it beacons out to the attacker, and the attacker establishes remote control of it.

Then, the attacker uses the compromised machine to elevate privileges within the environment. Attackers prefer to act as valid internal users, and they’ll use attack tools to steal or replay passwords in order to move around their target’s network.

There’s a lot more on the APT compromise cycle in our M-Trends report. Check it out.

Do you have an outline of steps, or a “cheat sheet” for finding and removing the APT?
Yes, we go over some of that information in the M-Trends report. And we’ll also be addressing APT remediation later this year in our State of the Hack webinar series.

Do you need a MIR license to use the new Audit Viewer features?
Nope. You’re welcome to use Memoryze and Audit Viewer under their no-cost license agreements (they’re in the installers).

Of course, it’s easier to do large scale investigation with Intelligent Response. Once you know what you’re looking for, MIR lets you sweep large numbers of systems to see if the evil is visible to the agent.

Do malware authors adapt to hide from investigators using these techniques?
Yes, they do. As the network defenders improve their game, the attackers escalate as well. That’s a cycle we’ve seen in almost every APT compromise. There’s more about it in our M-Trends report.

What utilities can you use to grab process metadata without grabbing an entire memory image, in the context of a network sweep?
That’s exactly what Intelligent Response is intended for, actually. The Intelligent Response agent contains the Memoryze memory analysis code, so you just create a process-listing memory forensic job and dispatch that out to the agent population. It’s pretty neat.

Is the APT using kernel hooking to hide from Windows API calls?
That’s not a prevalent technique at this point in time. I can’t say that it never happens, but the APT’s tactic is generally to hide by looking normal, not so much to hide by hiding.
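The two answers above on an attacker’s own svchost.exe and on malware that hides by looking normal both come down to the same check a responder runs over a process listing: does every process calling itself svchost.exe actually look like the real one? Below is an added example of that check, not code from Mandiant, Memoryze or Audit Viewer. It runs over a constructed process listing of the kind a process-listing sweep returns (one record per process: pid, parent pid, name, image path, Authenticode signer) and flags any svchost-looking process whose image path, parent process or signer is wrong, plus names one character off from svchost.exe. The allowed paths, the expected parent of services.exe and the signer string are assumptions about the environment.

```python
"""Flag processes that pretend to be svchost.exe.

Added example, not Mandiant's code. Input is a constructed process listing
(pid, ppid, name, image path, signer) of the kind a sweep would return.
ALLOWED_PATHS, EXPECTED_PARENT and EXPECTED_SIGNER are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

TARGET = "svchost.exe"
# Assumption: 64-bit hosts also legitimately run the 32-bit SysWOW64 copy.
ALLOWED_PATHS = {r"c:\windows\system32\svchost.exe",
                 r"c:\windows\syswow64\svchost.exe"}
EXPECTED_PARENT = "services.exe"          # real svchost.exe is started by the SCM
EXPECTED_SIGNER = "microsoft windows"     # assumed signer string reported by the sweep


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    signer: str  # "" when the image is unsigned


def lookalike(name: str, target: str = TARGET) -> bool:
    """True for names one substitution (svch0st) or one adjacent swap (scvhost) away."""
    a, b = name.lower(), target
    if a == b or len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diffs) == 1:
        return True
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def check_svchost(listing: Iterable[Proc]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every svchost-looking process that fails a check."""
    by_pid = {p.pid: p for p in listing}
    findings = []
    for p in by_pid.values():
        name = p.name.lower()
        if name != TARGET and not lookalike(name):
            continue
        reasons = []
        if name != TARGET:
            reasons.append(f"name {p.name} is a lookalike of {TARGET}")
        if p.path.lower() not in ALLOWED_PATHS:
            reasons.append(f"unexpected image path {p.path}")
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<missing>"
        if parent_name != EXPECTED_PARENT:
            reasons.append(f"unexpected parent {parent_name} (pid {p.ppid})")
        if p.signer.lower() != EXPECTED_SIGNER:
            reasons.append(f"image not signed by {EXPECTED_SIGNER}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


# Constructed sample listing, not real telemetry. First seven entries are clean.
SAMPLE_LISTING = [
    Proc(4, 0, "System", "", ""),
    Proc(520, 4, "smss.exe", r"C:\Windows\System32\smss.exe", "Microsoft Windows"),
    Proc(600, 520, "wininit.exe", r"C:\Windows\System32\wininit.exe", "Microsoft Windows"),
    Proc(680, 600, "services.exe", r"C:\Windows\System32\services.exe", "Microsoft Windows"),
    Proc(820, 680, "svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
    Proc(912, 680, "svchost.exe", r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
    Proc(1500, 1320, "explorer.exe", r"C:\Windows\explorer.exe", "Microsoft Windows"),
    # Attacker's own svchost.exe dropped in a temp directory and launched from the shell.
    Proc(3044, 1500, "svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", ""),
    # Real binary on disk overwritten: right path and parent, but no longer signed.
    Proc(1120, 680, "svchost.exe", r"C:\Windows\System32\svchost.exe", ""),
    # Lookalike name that a glance at a task list would miss.
    Proc(2210, 1500, "svch0st.exe", r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe", ""),
]

if __name__ == "__main__":
    for pid, reasons in check_svchost(SAMPLE_LISTING):
        print(pid, "; ".join(reasons))
```

The check is deliberately about looking normal rather than hiding: it catches a foreign binary with the right name, a replaced system binary, and a near-miss name, but it says nothing about code injected into a genuine svchost.exe, which passes every test here. It is also only as trustworthy as the listing it is fed, which is the point of the answer above about API-based tools versus memory analysis.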

If I find something I suspect is APT malware, can I submit it to MANDIANT for analysis?
Sure. We offer expert malware analysis as one of our consulting services. Get in touch with us to find out what the rates and deliverables would be.

Can you go over again why a valid process wouldn’t get an Audit Viewer score of 100?
Many legitimate processes still use unsigned DLLs, even some Microsoft programs. That’s why we built the configurability into Audit Viewer, so you can choose to trust things that you’ve decided are okay in your environment.