State of the Hack - Using Known Good to Find Evil


Can we get a copy of the slides?
Yes

When is the next MANDIANT webinar?
Fresh Prints – Malware Behaving Badly will be on Thursday, February 18, 2010 at 2:00 p.m. Eastern time.

If most of the software on the system is stock, why do I need a software classification service?
Since most of the software on your system is stock, a service like GSR is valuable. It allows you to determine which percentage of your system is from known sources. A GSR service lets you answer that question quickly.

What percentage of these attacks is Windows-based, versus Linux-based / Solaris-based / Macintosh-based?
Currently, the majority of everything we see is Windows-based, with the most popular attack being social engineering on the end user. These attacks are frequently email-based. We have seen some web-based application attacks, but that has gone by the wayside because the email-based attacks have been so successful. Once compromised, they will attempt to gain credentials to other systems and then access those systems with valid credentials.

How do you determine the trust factor for software?
This process is very similar to trusting a person. You would start by looking at a number of attributes - its source, how long it’s been out there, is it digitally signed? Then follow that up by looking at the file itself - what does it do on the system, where has it been seen? Both the positive and negative factors begin to determine the trust factor of the file.

Once a file is found, how do you find out how it got there?  Will it reinstall automatically outside of run once?
Sometimes in the investigation you may not determine the actual mechanism of delivery. Frequently we end up looking at things such as browser history and/or email. We look at whatever trails we can to track end user’s actions.

There are techniques out there where the malware will self-persist. This means that malware will install itself in different locations and then utilize various registry keys to persist after the fact, or potentially modify a piece of software on the system so that it invokes the malware whenever it is run.

Does Bit9 plan to add hashes other than MD5 to their database?
In addition to MD5, Bit9 also has SHA-1, SHA-256, as well as ssdeep. All four of these hash values are tracked and maintained within the Bit9 database.

How often are you using Indicators of Compromise vs. battlefield-reducing techniques for your responses to advanced threats?
We do find that for some of the advanced threats we can take indicators from one and use them in another environment. However, the effectiveness of that goes down over time. Oftentimes we can write methodology indicators. Instead of looking for a specific type of malware, we look for a technique. When these techniques both fail, we end up utilizing some of the techniques we discussed today. If I were to guess at a ratio, I’d say that occurs roughly 50% of the time.

Does Bit9 have a separate category for remote administration tools like Sysinternals PsExec?
Yes, one of these categories is called hacking tools, which includes PsExec, remote admin tools, and network sniffing tools. In some organizations these might be legitimate tools that developers are using; however, they may also be indicators of some other problems that are present. Hacking tools is a category that Bit9 puts on the radar screen for you.

How do you perform "outlier" style analyses when you're doing incident response?
In regard to how MANDIANT would perform this analysis, we collect information from all systems and all hosts within a network. We would then pull information from the platform and analyze it on multiple axes. Outliers will tend to stand out.
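The hash-based "known good" classification described in the Bit9 answer above and the multi-axis outlier analysis in this answer, combined into one added example (this is illustrative code written for this page, not MANDIANT's, Bit9's or GSR's own tooling). It assumes a constructed fleet inventory of (host, path, file bytes) records and a constructed set of known-good SHA-256 digests; ssdeep is a third-party library and is left out. Files are stacked by (path, hash) across hosts, each host gets a known-good ratio, and outliers are flagged on two axes: unknown files seen on very few hosts, and files that share a path with a known-good file but differ in content.

```python
import hashlib
from collections import defaultdict

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes (the digests a reputation
    service tracks; fuzzy hashing such as ssdeep is omitted here)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

# Constructed known-good set: SHA-256 digests the reputation service vouches for.
KNOWN_GOOD = {file_hashes(d)["sha256"] for d in (b"stock svchost", b"stock explorer")}

# Constructed fleet inventory: (host, path, file bytes) as an agent would collect them.
INVENTORY = [
    ("host01", r"C:\Windows\System32\svchost.exe", b"stock svchost"),
    ("host02", r"C:\Windows\System32\svchost.exe", b"stock svchost"),
    ("host03", r"C:\Windows\System32\svchost.exe", b"patched svchost"),  # same path, different bytes
    ("host01", r"C:\Windows\explorer.exe", b"stock explorer"),
    ("host02", r"C:\Windows\explorer.exe", b"stock explorer"),
    ("host03", r"C:\Windows\explorer.exe", b"stock explorer"),
    ("host02", r"C:\Windows\Temp\update.exe", b"unknown dropper"),  # unique to one host
]

def stack(inventory):
    """Group the inventory by (path, sha256) -> set of hosts ('stacking')."""
    seen = defaultdict(set)
    for host, path, data in inventory:
        seen[(path, file_hashes(data)["sha256"])].add(host)
    return seen

def known_good_ratio(inventory, known_good=KNOWN_GOOD):
    """Per host, the fraction of inventoried files whose SHA-256 is known good."""
    totals, good = defaultdict(int), defaultdict(int)
    for host, _path, data in inventory:
        totals[host] += 1
        good[host] += file_hashes(data)["sha256"] in known_good
    return {h: good[h] / totals[h] for h in totals}

def find_outliers(inventory, known_good=KNOWN_GOOD, max_hosts=1):
    """Unknown files seen on at most max_hosts hosts, plus files that sit at a
    path where a known-good file also exists but whose content differs.
    Returns a sorted list of (path, sha256, sorted hosts, reason)."""
    seen = stack(inventory)
    paths_with_good = {p for (p, h) in seen if h in known_good}
    out = []
    for (path, digest), hosts in seen.items():
        if digest in known_good:
            continue
        if path in paths_with_good:
            out.append((path, digest, sorted(hosts), "differs from known-good file at same path"))
        elif len(hosts) <= max_hosts:
            out.append((path, digest, sorted(hosts), f"unknown, seen on {len(hosts)} host(s)"))
    return sorted(out)
```

On the constructed inventory, host01 comes out 100% known good while host03's modified svchost.exe and host02's lone Temp\update.exe are the two records an analyst would pull for review first.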

You’ve talked about reputation and forensics – how does application control fit into this picture?
When there is an incident response, being able to quickly use a tool like MIR and a software reputation service such as Bit9 to diagnose is critical. You then can take that information and lock down systems, putting policies in place to take control of which software can run. Having this ability allows you to define which software you would like in your organization and keeps you in control.

Is a persistent executable required for an APT, or can vulnerabilities in trusted apps be used in combination to compromise systems/networks?
What we tend to see is either the vulnerability is the user, or there may be a vulnerability on a trusted or common application that the user utilizes to effect a compromise. That initial vulnerability allows the bad guy to further execute arbitrary code.