The document discusses various cybersecurity defense and analysis techniques, focusing on memory forensics and honeypots. Memory forensics is highlighted as a critical method for incident response and malware analysis, emphasizing the importance of analyzing RAM for evidence of malware. Honeypots are described as decoy systems designed to attract attackers for data collection and analysis, with distinctions made between low- and high-interaction honeypots based on their interaction with attackers.

Cybersecurity-Unit-5

Dr. Mahesh Kumar K.M

January 22, 2025

1 / 137
Defense and Analysis Techniques

Memory Forensics
Honeypots
Malicious Code Naming
Automated Malicious Code Analysis Systems
Intrusion Detection Systems

2 / 137
Memory Forensics

Memory Forensics: Memory forensics involves finding and extracting forensic artifacts
from a computer’s physical memory.
Purpose: It is used to support incident response and malware analysis.
RAM State: While a system is on, random access memory (RAM) contains
critical information about the current state of the system.
Reconstruction: By capturing a full copy of RAM and analyzing it on a separate
machine, it is possible to reconstruct the original system’s state, including:
Applications the user was running.
Files or network connections that existed at the time.

3 / 137
Memory Forensics contd...

Order of Volatility: Preserving RAM according to the "order of volatility" and
inspecting it for signs of an intrusion is not a new concept.
Past Methods: Before recent advancements, many investigators relied on running
the strings command on a memory dump to gather postmortem intelligence
about an attack.
Modern Advancements: Today, memory analysis is a critical component of
forensic investigations and is one of the most effective methods for:
Malware reverse-engineering, such as unpacking.
Rootkit detection.

4 / 137
Why Memory Forensics Is Important
Memory Forensics Skills: Analysts with memory forensics skills are better equipped to
handle malware incidents than those without such expertise.
Malware Design: Some malware is designed to run entirely from RAM (memory-resident
code) to avoid detection on longer-term storage devices like the hard drive.
Critical Evidence: If analysts do not examine RAM for signs of intrusion, they
may miss the most important, or even the only, evidence that malware existed on
the system.
Malware Hiding: Some malware uses API hooks to hide its own code and resources
from the operating system, typically targeting other processes on the infected system.
Limitations of API Hooks: These rootkit techniques work while the system is
running but fail against offline memory forensics tools.
Challenges for Malware Authors: To hide from offline tools, malware requires a
different set of capabilities that most authors have not implemented.
Side Effects: Similar to Newton’s law, every action in a computer system
produces a reaction. Even if attackers anticipate side effects of every API call,
they cannot continuously hide each side effect.
Clues for Investigators: Familiarity with these side effects gives investigators
clues to reconstruct what happened on the system.

5 / 137
Capabilities of Memory Forensics

Memory Forensics: Analysts can gather an extreme amount of information about the
state of a system using memory forensics.
Comparison with Live Tools: Table 5-1 compares the default capabilities of a
memory analysis framework with the corresponding tools typically used on a live
system.
Efficiency: Memory forensics frameworks can provide the same information as
10–20 standard tools used on live systems.
Rootkit Bypass: One of the key advantages of memory forensics is its ability to
bypass rootkit tricks, which many live system tools cannot overcome.

6 / 137
Capabilities of Memory Forensics contd...

[Table 5-1 (comparison of memory analysis framework capabilities with live-system tools) is not reproduced in this extraction.]

7 / 137
Memory Analysis Frameworks

Factors to Consider: When selecting a memory analysis framework, the key factors
include:
Cost, the programming language for developing plug-ins, and the operating
systems the framework supports.
Reliability of the framework’s output.
Volatility Framework:
Free and Open-Source: Volatility is a free, open-source memory analysis
framework written in Python.
Cross-Platform: It runs on multiple operating systems, making it a favorite
among many iDefense engineers.
Learning from Source Code: Volatility’s open-source nature allows analysts to
learn how it works by examining the source code, gaining insights into memory
analysis techniques, such as kernel structures and parsing methods.
Understanding the Tools: Knowing how tools like Volatility work, rather than just
using them, is essential for analyzing and understanding sophisticated malware.

8 / 137
Memory Analysis Frameworks contd...

[Slide content (figure or table) not reproduced in this extraction.]

9 / 137
Dumping Physical Memory

Recommended Tool: iDefense recommends using win32dd by Matthieu Suiche for
memory dumping.
Supported OS Versions: win32dd supports memory acquisition on various
versions of Windows, including:
Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 RC2.
Cryptographic Checksums: The tool includes the ability to compute
cryptographic checksums (MD5, SHA-1, or SHA-256) and supports both client
and server architecture, enabling easy transmission of memory dumps across
networks.
How to Use win32dd:
Download win32dd from the tool’s home page and extract the archive.
To dump the full physical address space, save the output file as mem.dmp in the
same directory as win32dd.
Create a SHA-1 hash of the dumped file using the following syntax:

F:\> win32dd.exe /f mem.dmp /s 1

10 / 137
Installing and Using Volatility
Download and Installation:
Download Volatility from its home page on the Volatile Systems website or
grab the latest Subversion package from Google Code.
The Volatility Documentation Project by Jamie Levy (gleeda) provides detailed
manuals for installation on Windows, Linux, and OSX.
Basic Setup:
Extract the archive and navigate to the extracted folder:
tar -xvf Volatility-1.3.tar.gz
cd Volatility-1.3
Invoke Volatility using Python:
python volatility
Getting Help:
To learn about required arguments for individual commands, use:
python volatility <command> --help
Many commands work without arguments.
Extracting Evidence:
To extract evidence from a memory dump, use the following syntax:
python volatility <command> <arguments> -f mem.dmp

11 / 137
Finding Hidden Processes

EPROCESS Object: The Windows kernel creates an EPROCESS object for every
process on the system.
The object contains a pair of pointers that identify the previous and subsequent
processes.
These pointers form a chain of process objects, known as a doubly linked list.
Visualizing a Doubly Linked List:
Think of a group of people holding hands in a circle. Each person connects to
exactly two others.
To count the people, one could start with any person and walk in either direction,
counting heads until returning to the start.
Enumerating Processes:
Tools like Process Explorer, Task Manager, and other system administration
programs enumerate processes by walking through this linked list.
This is done using API functions that follow the same methodology of walking
through the chain.

12 / 137
Finding Hidden Processes contd...

Offline Process Enumeration: Enumerating processes in memory dumps differs
because the system is offline and API functions do not work.
Finding EPROCESS Objects:
To find the EPROCESS objects, Volatility uses the symbol
PsActiveProcessHead defined in ntoskrnl.exe.
Although the symbol is not exported, it is accessible from the KPCR structure,
which exists at a hard-coded address in memory.
The PsActiveProcessHead symbol is a global variable that points to the
beginning of the doubly linked list of EPROCESS objects.
Path to Find Data: Exhibit 5-1 illustrates the path Volatility takes to find the desired
data in a memory dump.

13 / 137
Finding Hidden Processes contd...

[Slide content (figure) not reproduced in this extraction.]

14 / 137
Finding Hidden Processes contd...

[Slide content (figure) not reproduced in this extraction.]

15 / 137
Finding Hidden Processes contd...

Limitations of pslist: After understanding how the pslist command works, it is
important to evaluate why it might not always be reliable.
Rootkit Evasion:
One reason for unreliability is the presence of rootkits that perform Direct Kernel
Object Manipulation (DKOM).
In their book Rootkits: Subverting the Windows Kernel, Greg Hoglund and James
Butler demonstrate how rootkits hide processes by unlinking entries from the
doubly linked list.
The rootkit overwrites the Flink and Blink pointers of surrounding objects to
point around the hidden EPROCESS object, making the process invisible.
Impact on Process Detection:
This unlinking effectively hides the process from any tool that relies on walking
the linked list, including tools that operate on live systems or memory dumps.
Despite being hidden, the process remains running because CPU scheduling is
thread-based and does not depend on the EPROCESS object being in the list.
Exhibit 5-2 shows how the overwriting works to hide the process.

16 / 137
Finding Hidden Processes contd...

[Exhibit 5-2 (how the Flink/Blink pointers are overwritten to hide the process) is not reproduced in this extraction.]

17 / 137
Finding Hidden Processes contd...

Circle Analogy: Consider the previous analogy of people joining hands to form a
circle, representing the doubly linked list of processes.
Rootkit Evasion: If one person releases both hands to step outside the circle (as
shown in Exhibit 5-2), the people on the left and right will join hands, closing the gap.
The disconnected person does not disappear but is now free to move about the
room.
If we count the people in the circle using the original method (walking the circle),
we will count one fewer person, missing the disconnected individual.
Alternate Detection: To detect the missing person, instead of relying on walking the
circle, we could use a thermal imaging device to scan the entire room, allowing us to
accurately identify all people—even those not in the circle.
Key Takeaway: This is similar to how a rootkit hides processes by unlinking them
from the doubly linked list, making them invisible to traditional enumeration methods.

18 / 137
Finding Hidden Processes contd...

psscan2 Command: The psscan2 command in Volatility is not exactly a thermal
imaging device, but it works similarly in theory.
How psscan2 Works:
Instead of walking the linked list of EPROCESS objects like the pslist command,
psscan2 scans linear memory for pools with the same attributes (e.g., paged vs
nonpaged, tag, and size) used by the kernel for EPROCESS objects.
It then applies a series of sanity checks to validate these objects.
Rootkit Evasion: This method allows psscan2 to find EPROCESS objects even if a
rootkit has unlinked them from the list.
Expanding the Concept:
The same concept applies to finding other hidden kernel objects, such as kernel
drivers, sockets, connections, services, and more.
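To make the difference between pslist and psscan2 concrete, here is an added Python example; it is not code from the slides or from Volatility. It builds a constructed memory image with a simplified EPROCESS-like record layout, unlinks one record the way a DKOM rootkit does (rewriting the neighbours' Flink and Blink), and shows that walking the list misses the process while a linear scan for the pool tag, followed by sanity checks, still finds it. The record layout, the tag PROC, the list-head offset, the sanity checks and the process names are all constructed for the example; real EPROCESS objects, pool tags and Volatility's own checks differ.

```python
import string
import struct

# Constructed layout of a simplified EPROCESS-like record inside a pool allocation:
#   tag(4s) | flink(I) | blink(I) | pid(I) | name(16s)
# Real EPROCESS objects are far larger, and Flink/Blink point at the embedded
# LIST_ENTRY rather than the object base; "PROC" stands in for the real pool tag.
REC = struct.Struct("<4sIII16s")
REC_SIZE = REC.size          # 32 bytes
TAG = b"PROC"
HEAD = 0                     # offset of the list head (stand-in for PsActiveProcessHead)


def build_image(procs):
    """Lay out a list head plus one record per (pid, name), doubly linked in a ring.
    Zeroed slack with a stray 'PROC' tag is appended so the scanner's checks matter."""
    offsets = [HEAD] + [REC_SIZE * (i + 1) for i in range(len(procs))]
    img = bytearray(REC_SIZE * (len(procs) + 1) + 64)
    for i, off in enumerate(offsets):
        flink = offsets[(i + 1) % len(offsets)]
        blink = offsets[(i - 1) % len(offsets)]
        if off == HEAD:
            REC.pack_into(img, off, b"HEAD", flink, blink, 0, b"")
        else:
            pid, name = procs[i - 1]
            REC.pack_into(img, off, TAG, flink, blink, pid, name.encode())
    img[len(img) - 48:len(img) - 44] = TAG   # decoy tag followed by zeros (pid 0)
    return img


def read(img, off):
    """Unpack one record at off; the name comes back as a stripped str."""
    tag, flink, blink, pid, name = REC.unpack_from(img, off)
    return tag, flink, blink, pid, name.rstrip(b"\0").decode("ascii", "replace")


def pslist(img):
    """Walk the linked list from the head, the way pslist and live tools do."""
    found = []
    off = read(img, HEAD)[1]
    while off != HEAD:
        _, flink, _, pid, name = read(img, off)
        found.append((pid, name))
        off = flink
    return found


def dkom_unlink(img, target_pid):
    """Simulate a DKOM rootkit: point the neighbours' Flink/Blink around the target.
    The target record itself is left untouched, so it still sits in memory."""
    off = read(img, HEAD)[1]
    while off != HEAD:
        _, flink, blink, pid, _ = read(img, off)
        if pid == target_pid:
            bt, bf, bb, bp, bn = read(img, blink)
            REC.pack_into(img, blink, bt, flink, bb, bp, bn.encode())   # prev.Flink -> next
            ft, ff, fb, fp, fn = read(img, flink)
            REC.pack_into(img, flink, ft, ff, blink, fp, fn.encode())   # next.Blink -> prev
            return True
        off = flink
    return False


def psscan(img):
    """Scan linear memory for the pool tag and sanity-check each candidate record."""
    found = []
    pos = img.find(TAG)
    while pos != -1:
        if pos + REC_SIZE <= len(img):
            _, flink, blink, pid, name = read(img, pos)
            sane = (0 < pid < 0x10000
                    and flink < len(img) and blink < len(img)
                    and flink % REC_SIZE == 0 and blink % REC_SIZE == 0
                    and name != "" and all(c in string.printable for c in name))
            if sane:
                found.append((pid, name))
        pos = img.find(TAG, pos + 1)
    return found


def hidden_processes(img):
    """Processes present in memory but absent from the linked list."""
    return sorted(set(psscan(img)) - set(pslist(img)))


if __name__ == "__main__":
    # Constructed process table for the demo
    image = build_image([(4, "System"), (624, "lsass.exe"), (1337, "evil.exe"), (2100, "notepad.exe")])
    print("pslist before unlink:", pslist(image))
    dkom_unlink(image, 1337)
    print("pslist after unlink :", pslist(image))
    print("psscan              :", psscan(image))
    print("hidden              :", hidden_processes(image))
```

The decoy tag in the slack shows why the sanity checks exist: a bare tag match is not an object, so the scanner rejects candidates whose PID, pointers or name are implausible, which is the same reason real pool scanners validate each hit rather than trusting the tag alone.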

19 / 137
Volatility Analyst Pack

VAP Overview: The Volatility Analyst Pack (VAP) is a collection of
plug-ins designed for malware analysis and rootkit detection.
Plug-in Status:
If the status is “Public”, the plug-in is publicly available.
If the status is “By request”, the plug-in is only available to iDefense customers
upon request (BETA mode).
Table 5-3 provides a detailed description of each plug-in and its status.

20 / 137
Volatility Analyst Pack

[Table 5-3 (description and status of each plug-in) is not reproduced in this extraction.]

21 / 137
Honeypots

Honeypots: Isolated technical assets with high logging to attract malicious
activity for monitoring and early warning.
Purpose:
Collect valuable attack data for analysis.
Act as decoys containing known vulnerabilities to lure attackers.
Honeynets: A network of honeypots configured to collect and contain network
traffic.
Success Factors:
Proper placement and configuration of honeypots.
Isolation from legitimate IT assets and traffic to avoid risk.
Firewall Configuration: Special configuration to control and monitor traffic in
honeynets.

22 / 137
Honeypots Contd...

In-Depth Defenses: Aim to limit unauthorized access and protect sensitive
information.
Limitation: Hardened defenses offer no insight into vulnerabilities or weaknesses
exploited by attackers.
Reactive Approach:
Common in IT security due to lack of visibility.
Requires responding after an incident occurs.
Ideal Approach: Proactive defense strategies using knowledge of:
Upcoming vulnerabilities
Malicious code
Attackers’ tactics
Honeypots: Specially configured systems used to lure malicious activity for
analysis, providing data to improve defenses.

23 / 137
Honeypots Contd...

Definition: A honeypot is an information system resource whose value lies in
unauthorized or illicit use.
Concept: Capitalizes on the isolation of a resource and the subsequent activity
that interacts with it.
Design:
Resembles an interesting target for attackers to probe, exploit, or compromise.
Configured with high logging to capture and analyze malicious activity.
Environment:
Thrives in isolated environments with no production value or business purpose.
All activity observed is considered suspicious and valuable for analysis.
Placement: Critical to minimize legitimate or unintentional traffic and enhance
security.

24 / 137
Honeypots Contd...

Proper Deployment: Honeypots are beneficial when properly deployed and
maintained.
Decoy Function:
They resemble easy targets, acting as decoys to divert attackers from production
systems.
Data and Insight:
Provide valuable data on attackers, attack strategies, and exploitation methods.
Incident Evidence:
When handled correctly, they provide digital fingerprints for incident investigations.
Improving Defenses: Data gathered from honeypots can be used to strengthen
production security defenses and minimize attack risks.

25 / 137
Honeypots Contd...

Classification: Honeypots are categorized based on the level of system interaction
available to the attacker.
Low-Interaction Honeypots:
Emulate vulnerable services and applications to attract attackers.
Mimic real network responses to inbound connections, allowing attack progress.
Security:
The honeypot itself is not vulnerable—attacks do not compromise it.
The system only emulates vulnerabilities, allowing exploits to be captured.
Logs and Analysis:
Activity logs capture the exploit attempts.
Post-attack analysis provides insights to protect production systems from similar
attacks.

26 / 137
Honeypots Contd...

Classification: High-interaction honeypots are the second type, utilizing real
services and vulnerabilities.
Attracting Attacks:
They use actual services to attract inbound attacks and allow attackers to exploit real
vulnerabilities.
Detailed Information:
Provide insights into the steps of exploitation and post-compromise activities.
Close Monitoring:
Requires constant and close observation due to the risk of system compromise.
Additional Security:
Extra security measures are needed to contain attacks and prevent malicious code
propagation.

27 / 137
Honeypots Contd...

Low-Interaction Honeypots:
Strengths:
Safer from compromise due to emulation.
Requires less maintenance effort.
Logs limited data, reducing analysis time.
Weaknesses:
Emulation requires knowledge of known vulnerabilities.
Cannot capture attacks on unknown vulnerabilities.
Limited data after an attack attempt due to lack of compromise.
High-Interaction Honeypots:
Strengths:
Provides more detailed information on malicious activity.
Weaknesses:
Requires more resources to analyze and maintain.
Higher risk of compromise due to real vulnerabilities.

28 / 137
Honeypots Contd...

Resource Intensive:
High-interaction honeypots require customized technologies like firewalls, IDSs, and
virtual machines.
Frequent rebuilds are necessary after compromise.
Analysis Demands:
Logs the full attack and post-compromise activity, consuming large time and resources.
System remains compromised post-attack, requiring cleansing.
Risks:
Compromised honeypots can be used by attackers to launch attacks on other systems.
Investigations may trace the attack back to the honeypot, raising potential legal
concerns.

29 / 137
Honeypots Contd...

Honeypot Solutions:
Both commercial and open-source options are available, each designed for specific use
cases.
Honeypots act primarily as decoys to divert attacks away from production systems.
Example - Specter:
A commercial low-interaction honeypot.
Advertises vulnerabilities and serves as a decoy and data collection solution.
Honeynet:
A collection of honeypots that simulate a network of systems.
Requires a "honeywall" to capture and analyze data while containing risks posed by
high-interaction honeypots.
Honeynet Infrastructure:
The honeynet gateway is typically placed in the demilitarized zone (DMZ) to expose
vulnerable infrastructure to inbound attacks.

30 / 137
Honeypots Contd...

[Slide content (figure) not reproduced in this extraction.]

31 / 137
Honeypots Contd...

Malicious Code Collection:
Honeypots can capture and analyze malicious code.
Example: Nepenthes advertises vulnerabilities, captures malicious code, and analyzes
shellcode from exploitation.
Includes submission modules to send captured malicious code to servers like Norman’s
SandBox for further analysis.
Spam Tracking:
Honeypots can capture spam email for tracking and spam filter creation.
Example: Honeyd simulates a mail relay or open proxy to collect spam emails.
Client-Based Honeypots:
Not just for servers, honeypots can also act as clients to interact with malicious servers.
Examples: Capture-HPC and MITRE’s Honeyclient download malicious code and
log system changes.
Honeynet Project:
Offers a variety of honeypot-related applications for download and use.
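The low-interaction idea from the earlier slides, applied to the spam-trap case above, as an added Python example; it is not Honeyd's code or anything from the slides. A session object emulates just enough SMTP that a sender believes the open relay accepted the message, while nothing is relayed and every command, sender, recipient and body size is logged as one JSON record per session. The hostname, listening port, fake queue IDs and the sample transcript are constructed for the example.

```python
import datetime
import json
import socketserver

HOSTNAME = "mx.honeypot.test"   # constructed; a deployment would mimic a plausible relay name
BANNER = f"220 {HOSTNAME} ESMTP ready".encode()


class FakeSmtpSession:
    """Emulates enough SMTP for a sender to believe an open relay accepted mail.
    Nothing is delivered: there is no MTA behind it, so there is nothing to compromise."""

    def __init__(self, peer):
        self.in_data = False
        self.record = {
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "peer": peer, "commands": [], "mail_from": None,
            "rcpt_to": [], "body_bytes": 0, "messages_accepted": 0,
        }

    def feed_line(self, line):
        """Handle one raw client line. Returns response bytes, or None while swallowing DATA."""
        text = line.rstrip(b"\r\n").decode("latin-1")
        if self.in_data:
            if text == ".":
                self.in_data = False
                self.record["messages_accepted"] += 1
                fake_id = "HP%06d" % self.record["messages_accepted"]   # constructed queue id
                return ("250 2.0.0 queued as " + fake_id).encode()
            self.record["body_bytes"] += len(line)   # body is counted, never stored or sent
            return None
        self.record["commands"].append(text)
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {HOSTNAME} hello".encode()
        if verb == "MAIL":
            self.record["mail_from"] = arg.partition(":")[2].strip()
            return b"250 2.1.0 sender ok"
        if verb == "RCPT":
            self.record["rcpt_to"].append(arg.partition(":")[2].strip())
            return b"250 2.1.5 recipient ok"        # accepted for the log, never delivered
        if verb == "DATA":
            self.in_data = True
            return b"354 end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return b"221 2.0.0 bye"
        return b"500 5.5.1 command unrecognized"


def run_transcript(lines, peer="203.0.113.9:51234"):
    """Drive one session from raw client lines; return (responses, log record)."""
    session = FakeSmtpSession(peer)
    responses = [BANNER.decode()]
    for line in lines:
        resp = session.feed_line(line)
        if resp is not None:
            responses.append(resp.decode())
    return responses, session.record


class Handler(socketserver.StreamRequestHandler):
    """Socket front end: one session per connection, one JSON log line per session."""

    def handle(self):
        session = FakeSmtpSession("%s:%d" % self.client_address)
        self.wfile.write(BANNER + b"\r\n")
        for line in self.rfile:
            resp = session.feed_line(line)
            if resp is not None:
                self.wfile.write(resp + b"\r\n")
                if resp.startswith(b"221"):
                    break
        print(json.dumps(session.record))


# Constructed transcript of a spammer probing the fake relay
SAMPLE_TRANSCRIPT = [
    b"EHLO spammer.example\r\n", b"MAIL FROM:<a@b.test>\r\n",
    b"RCPT TO:<v1@x.test>\r\n", b"RCPT TO:<v2@x.test>\r\n", b"DATA\r\n",
    b"Subject: hi\r\n", b"\r\n", b"buy now\r\n", b".\r\n", b"QUIT\r\n",
]

if __name__ == "__main__":
    replies, log = run_transcript(SAMPLE_TRANSCRIPT)
    print("\n".join(replies))
    print(json.dumps(log, indent=2))
    # To listen for real traffic on a constructed port instead:
    # with socketserver.ThreadingTCPServer(("127.0.0.1", 2525), Handler) as srv:
    #     srv.serve_forever()
```

Because the emulation never forwards anything, the honeypot cannot be turned into a working relay, which is the low-interaction trade-off the slides describe: the log shows who tried, what sender and recipients they used and how much they sent, but not what a real compromised relay would have gone on to do.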

32 / 137
Honeypots Contd...

Entrapment:
Entrapment occurs when law enforcement induces someone to commit a crime they
wouldn’t otherwise commit.
Honeypots do not induce attackers to break in, so entrapment does not apply.
Entrapment is a defense in criminal law, but it is not grounds for a lawsuit.
Privacy:
Logging attacker activity raises privacy concerns, particularly under laws like the Federal
Wiretapping Act and Electronic Communication Privacy Act.
A logon banner stating server monitoring and activity logging typically waives privacy
concerns for attackers.
Liability:
Liability arises if a compromised honeypot is used to launch attacks on other systems.
Consultation with a legal team can help mitigate potential legal issues before deploying
a honeypot.

33 / 137
Honeypots Contd...

Honeypots as Decoys: Honeypots lure attackers to perform malicious actions for
information-gathering purposes.
Detection by Seasoned Attackers:
Experienced attackers can detect honeypots.
Once detected, attackers may avoid or alter their behavior to bypass the honeypot’s
logging.
Detection Techniques:
Detection methods range in complexity depending on the honeypot technology.
Attackers may use various techniques to identify a honeypot, including comparative
analysis.
Low-Interaction Honeypots:
Emulated services in low-interaction honeypots may differ from real services in behavior.
Attackers can detect honeypots by comparing real services with emulated ones.

34 / 137
Honeypots Contd...

Detection Methods: High-interaction honeypots can be detected through various
techniques:
Virtualization Checks:
Attackers can check for strings or environmental settings indicative of a virtualized environment.
Example: Registry values added for virtual devices in guest OS configurations.
Network Traffic Modification:
Network traffic can be analyzed for signs of manipulation or restrictions on outbound traffic.
Latency Checks: Attackers may perform latency checks to identify abnormal delays in
response times.
Honeynet Data Control:
Honeynets control outbound traffic to prevent attacks from spreading.
Example: Honeynets often use Snort inline to scrub outbound traffic and block
connections.
Test Example: Running "/bin/sh" on an external host to check if Snort modifies the
packet or drops the connection.

35 / 137
Honeypots Contd...

High Latency as a Detection Method:
Running intensive tasks on a honeypot, such as logging activities, can introduce
network latency.
The use of logging modules can cause significant delays as all system activity is logged.
dd Command:
The dd command is commonly used to create heavy system load.
Example: dd if=/dev/zero of=/dev/null bs=1M (writes endless data to /dev/null).
This generates an overwhelming amount of data for the honeypot to log.
ping Command:
The ping command can be used to measure network latency.
Higher latency during the execution of dd may indicate a honeypot with active logging
modules.

36 / 137
Honeypots Contd...

Insights into Attack Techniques:
Honeypots provide security professionals with information on cutting-edge attack
techniques observed in the wild.
Strengthening Network Posture:
Data gathered from honeypots helps implement security safeguards, enhancing network
defenses.
Proactive Security:
Honeypots enable proactive responses to threats and attacks, allowing for quicker and
more effective action.
Surviving Malicious Activity:
With honeypots, network administrators can better prepare for and mitigate threats,
increasing resilience against cyberattacks.

37 / 137
Malicious Code Naming

Confusion in Malicious Code Naming:
Malicious code naming conventions are often confusing and inconsistent.
Differences between how antivirus tools and security analysts name and reference
threats contribute to the confusion.
Impact of Naming Conventions:
Misidentification of viruses and malicious code due to inconsistent naming leads to
confusion among security researchers and administrators.
Industry Challenges:
The lack of standardized naming procedures complicates the identification and response
to threats.
Various organizations are attempting to improve the state of malicious code naming in
the antivirus industry.

38 / 137
Malicious Code Naming contd...

Challenges with Antivirus Detection Names:
Antivirus detection names are not always reliable for determining the exact malicious
code family.
These names can be generic and may not accurately describe the entire malicious code
family.
Inconsistent Naming in Media and Research:
Different media outlets and researchers may use varying names for the same malicious
code.
Sometimes the malicious code itself may contain different names, leading to confusion.
Analysts as Reliable Sources:
Analysts are often the best source for determining the correct name of malicious code,
as they analyze the code in detail.
Automatic solutions cannot always match the accuracy and insight provided by skilled
human analysts.

39 / 137
Malicious Code Naming contd...

iDefense Naming Practices:
iDefense analysts assign a new name to a malicious file if it hasn’t been described
before or if the new name provides better reference.
Organizational Policies:
Different organizations may have policies to rename viruses when creating detections to
avoid revealing new hacking tools or techniques to attackers.
Attackers’ Tactics:
Attackers often insert fake authors, tool names, or other misleading details to confuse
analysts and hinder identification.
Tools for Identifying Malicious Code:
Analysts can use online virus scanning services, such as VirusTotal or av-test.org, to
check if a file already has a known malicious code name.
Example:
Exhibit 5-4 shows the results of a scan for a typical banking Trojan, identifying its
detection status across various antivirus tools.

40 / 137
Malicious Code Naming contd...

[Exhibit 5-4 (scan results for a typical banking Trojan across antivirus tools) is not reproduced in this extraction.]

41 / 137
Malicious Code Naming contd...

VirusTotal Results:
In a scan of a malicious file, 17 out of 38 (44.74%) antivirus engines detect it as
malicious.
Despite detection, none of the antivirus tools provide the true name of the virus family
or indicate its purpose (e.g., targeting banks).
Limitations of Generic Naming:
Generic names assigned to malicious files are often too vague to be useful.
The naming technique is likely to be incorrect or overly broad, failing to provide
valuable insights into the virus family or its intentions.
Ease of Naming:
Assigning a name to a malicious file is quick and easy for anyone.
This process does not require any understanding of the code or its actual purpose,
leading to potential misidentification.

42 / 137
Malicious Code Naming contd...

Using Detection Names for Research:
Administrators can use detection names to research threats and identify potentially
similar threats or malicious behaviors.
This method is not completely reliable due to the generic nature of many detection
names.
Challenges with Generic Signatures:
Signatures often detect generic threats, packed code, or behavioral patterns rather than
identifying unique malicious code names.
As a result, detection names might not convey much information about the virus family
or specific behavior.
Examples of Misidentification:
An antivirus product may assign the same name to two different files if both perform
the same function (e.g., downloaders).
Different threats may be grouped under the same name if they use the same packer or
technique to evade detection.

43 / 137
Malicious Code Naming contd...

Antivirus Programs as a Preliminary Step:
Antivirus programs are useful for initial risk assessment of malicious files.
However, they are less accurate and reliable compared to reverse engineering or
behavioral analysis.
Signature-Based Detection:
Signatures help analysts improve detection of threats but don’t require an in-depth
analysis of the code’s purpose.
Signature-based detection is fast but can miss complex threats or provide too generic
information.
One-to-One Relationship Between Signature and Detection Name:
Antivirus engines often assign one signature to one detection name.
While this aids in tracking alerts, it provides limited insight into the nature of the threat.
Generic Signatures:
Generic signatures, often used for broad threat categories, do not help customers fully
understand the specific risk or behavior of the threat.

44 / 137
Malicious Code Naming contd...

Reasons for Naming Differences:
Researchers and reverse engineers face fewer challenges in naming compared to
automatic antivirus scanning products.
Antivirus products rely on signatures and may miss key behaviors or characteristics not
detectable through automated scanning.
Advantages of Analyst Naming:
Analysts can collect and inspect various sources of data, such as:
Network traffic
Modified or created files
Memory contents
Reverse-engineered binaries or propagation techniques
These data points allow analysts to more accurately identify and name malicious files.
Imperfect Naming:
Despite the more detailed analysis, naming by researchers and reverse engineers is still
imperfect and subject to errors.

45 / 137
Malicious Code Naming contd...

Multiple Names for the Same Threat:
The banking Trojan mentioned earlier is referred to by researchers with different names
such as:
wsnpoem/ntos
Zeus/zbot
PRG
This variability in naming arises due to different researchers’ perspectives and naming
conventions.
Awareness-Dependent Naming:
Unlike automated tools, naming often relies on researcher awareness and understanding
of the code’s behavior.
This makes naming more subjective and prone to human error or intentional renaming.
Private Information and Initial Naming:
Some names, like those used by iDefense, may be based on private information before
public analysis is available.
When public information becomes available, researchers may need to reconcile these
private names with public ones, based on the code’s behavior or other characteristics.

46 / 137
Malicious Code Naming contd...

Common Naming Format:
Antivirus names typically follow this format:
Family Name.Group Name.Major Variant.Minor Variant[:Modifier]
This format is widely used across antivirus vendors.
Flexibility in Naming:
Antivirus vendors have flexibility in how they name a new virus, including variations in
family, group, and variant names.
Common types include terms like generic or heuristic (heur) in their names.
Importance of Understanding Naming Conventions:
Administrators should familiarize themselves with the specific naming conventions used
by the antivirus products in their environment.
Referring to the vendor’s naming documentation can help clarify the meaning of virus
names.
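As an added example (not from the slides or any antivirus vendor), the following Python splits vendor detection names in this family/group/variant style, marks names that carry no family at all as generic or heuristic, and tallies family votes across a constructed set of scan results so that an administrator can see how many engines agree on a family rather than just how many flag the file. The vendor names, the detection strings, the type/platform and generic token lists, the bracket-style modifier handling and the separator set are assumptions made for illustration; the alias table folds the wsnpoem/ntos/Zeus/zbot/PRG names the slides list for the same banking Trojan into one canonical family.

```python
import re
from collections import Counter

# Vocabulary used when splitting names (constructed for this example, not a vendor's list)
TYPE_PLATFORM = {"trojan", "trojanspy", "spy", "downloader", "backdoor", "worm", "virus",
                 "pws", "win32", "w32", "win", "pe", "tr", "mal", "email"}
GENERIC = {"generic", "gen", "heur", "heuristic", "packed", "suspicious", "agent",
           "unknown", "malware", "crypt", "variant"}
# Names the slides give for the same banking Trojan, folded to one canonical family
ALIASES = {"wsnpoem": "zbot", "ntos": "zbot", "zeus": "zbot", "prg": "zbot"}

SEPARATORS = re.compile(r"[./!@:\-\s]+")


def parse_detection(name):
    """Split one vendor detection name into family, variant and modifier.
    Returns None for 'no detection'. The family is the first token that is neither a
    type/platform word nor a generic marker, is alphabetic and is at least three characters."""
    if not name:
        return None
    modifier = None
    m = re.search(r"\[([^\]]*)\]", name)          # bracketed suffix such as "[Drp]"
    if m:
        modifier = m.group(1)
        name = name[:m.start()]
    tokens = [t for t in SEPARATORS.split(name) if t]
    family, variant = None, []
    for tok in tokens:
        low = tok.lower()
        if family is None:
            if low in TYPE_PLATFORM or low in GENERIC or not tok.isalpha() or len(tok) < 3:
                continue
            family = low
        else:
            variant.append(tok)
    return {"family": family, "canonical": ALIASES.get(family, family),
            "variant": ".".join(variant) or None, "modifier": modifier,
            "generic": family is None}


def summarize(results):
    """Aggregate {vendor: name-or-None} into a detection ratio and a family consensus."""
    parsed = {v: parse_detection(n) for v, n in results.items()}
    detected = [v for v, p in parsed.items() if p]
    votes = Counter(p["canonical"] for p in parsed.values() if p and p["canonical"])
    return {
        "engines": len(results),
        "detections": len(detected),
        "ratio": round(100.0 * len(detected) / len(results), 2) if results else 0.0,
        "consensus_family": votes.most_common(1)[0][0] if votes else None,
        "family_votes": dict(votes),
        "raw_families": sorted({p["family"] for p in parsed.values() if p and p["family"]}),
        "generic_only": sorted(v for v, p in parsed.items() if p and p["generic"]),
    }


# Constructed scan results for one sample; vendor names and strings are illustrative only
SAMPLE_RESULTS = {
    "VendorA": "Trojan-Spy.Win32.Zbot.gen",
    "VendorB": "W32/Zbot.AB",
    "VendorC": "Generic.Malware.SP.1A2B",
    "VendorD": "Heur.Packed.Unknown",
    "VendorE": None,
    "VendorF": "PWS-Zbot",
    "VendorG": "TR/Spy.ZBot.ktv",
    "VendorH": None,
    "VendorI": "Trojan.Wsnpoem",
    "VendorJ": None,
}

if __name__ == "__main__":
    for vendor, name in SAMPLE_RESULTS.items():
        print(vendor, name, parse_detection(name))
    print(summarize(SAMPLE_RESULTS))
```

The point of the summary is the gap between the two numbers it reports: seven of ten engines flag the file, but only five name a family, and two of those use a different name for the same family. A detection ratio alone hides exactly the ambiguity the slides warn about, so the family votes and the list of generic-only engines are what an administrator should read before searching vendor write-ups by name.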

47 / 137
Malicious Code Naming contd...

Creative Virus Naming:
Virus names may originate from an analyst’s creativity or based on the virus’s
circumstances.
Naming can be influenced by factors like the virus’s propagation method or
attention-grabbing features.
Example: Storm Worm (W32/Nuwar@mm):
The virus initially spread through e-mails with the headline “Nuclear War”.
It was later known as the “Storm Worm” due to a different e-mail subject, “230 dead
as storm batters Europe”.
Naming Dispute:
The community debated whether the virus should be classified as a worm due to its
primary spread through massive e-mail campaigns, rather than traditional worm
behavior.

48 / 137
Malicious Code Naming contd...

Disagreement on Using Attacker-Supplied Information:
There is disagreement on whether to rely on attacker-supplied information when naming
viruses.
Some researchers believe using attacker-provided names can risk exposing innocent
parties, especially if the attacker inserts misleading or harmful details.
Benefits of Hiding or Mutating Names:
Hiding real names or mutating them can obscure the virus’s origin and protect innocent
parties.
It prevents attackers from identifying new tools or gathering intelligence about public
tools.
Example: Blackworm (Nyxem):
Brian Krebs of the Washington Post documented an incident involving the virus
Blackworm, also known as Nyxem.
Mutating names can help avoid giving attackers information that could facilitate further
attacks.
Challenges in Identifying Equivalent Threats:
While the origins of mutated virus names can be understood by analyzing the malicious
code, it is often difficult to recognize that different names refer to the same underlying
threat (e.g., Blackworm and Nyxem).

49 / 137
Malicious Code Naming contd...

[Slide content (figure) not reproduced in this extraction.]

50 / 137
Malicious Code Naming contd...

Influence of Different Goals:
Various factors and goals lead researchers to create new virus names, even when an
existing name may already be available.
Example - Nyxem:
Nyxem was derived by transposing the letters ’m’ and ’x’ from Nymex, a shorthand
term for the New York Mercantile Exchange.
Virus names can be cryptic, often intentionally, due to a lack of verifiable information
about the virus.
Overlapping Names:
Overlapping names can confuse researchers and administrators when antivirus products
assign well-known names to new or unknown viruses.
Example - Chir.B Worm (2007):
iDefense analyzed a variant of the Chir.B worm, but the Avast antivirus engine
mistakenly identified it as the older Nimda (Win32:Nimda [Drp]).
This highlights the potential confusion caused by the reuse of familiar names for new
threats.

51 / 137
Malicious Code Naming contd...

Older Signatures Detect New Threats:
In some cases, older virus signatures may detect new threats due to similar behaviors,
such as file-infecting worm functionality.
This results in older names being assigned to new viruses, potentially causing confusion.
Limitations of Signature-based Detection:
While using older signatures to detect new threats is useful, it is not always clear to
users what the alert means (i.e., whether it detects behavior, a specific virus, or
something else).
Signature rule writers face challenges in conveying this information clearly to users.
Unpredictability of Virus Evolution:
Analysts cannot reliably predict the future evolution of viruses.
This unpredictability makes it difficult to choose virus names that won’t overlap with
multiple threats in the future.

Malicious Code Naming contd...

Common Malware Enumerations (CME):
CME was initially promising but failed to gain critical mass due to the large volume of
new viruses and limited resources.
It provided a catalog of thirty-nine different threats over several years, incorporating
names and descriptions from various antivirus vendors.
Neglect of CME:
Despite its early utility, CME has been largely neglected over the last two years, as
indicated by the CME website.
Challenges in Standardizing Virus Names:
Organizations like the Computer Antivirus Researchers Organization (CARO) have
faced similar difficulties in attempting to standardize virus naming.
The ever-increasing volume of new viruses and the complexity of naming make it
difficult to maintain a consistent system.

Malicious Code Naming contd...

Understanding Abbreviations and Naming Conventions:
Administrators should understand common abbreviations and naming conventions for
incidents to help identify specific behaviors and ask the right questions.
Limitations of Virus Naming:
Relying solely on virus naming is not reliable and does not provide enough detailed
information to be highly useful.
Role of Analysts and Reverse Engineers:
Analysts and reverse engineers are the best sources for accurately identifying virus
families due to the wide variation in naming conventions.
Need for Extensive Research:
Reverse engineering and behavioral analysis are often required to accurately determine
how to name a new threat.

Automated Malicious Code Analysis Systems

The massive volume of distinct pieces of malicious code exceeds the capacity of
human analysts.
Fortunately, researchers can automate much of the initial analysis.
This automation allows much greater efficiency and prioritization of analysis of
malicious code samples.

Automated Malicious Code Analysis Systems contd...

With attackers producing tens of thousands of new pieces of malicious code
daily, it is impossible to analyze each sample by hand.
Behavioral analysis, the process of running an executable in a safe environment
and monitoring its behavior, is one way to determine what malicious code does.
Automated Malicious Code Analysis Systems (AMASs) perform this process
quickly and efficiently, producing a report for human analysts to determine the
actions taken by the malicious code.
We explore the advantages and disadvantages of different techniques used by
AMASs to analyze malicious code.

Automated Malicious Code Analysis Systems contd...

In recent years, researchers have built many AMASs that differ in capability and
analysis techniques but all operate under the same principle.
To be effective, malicious code must perform some action on the infected system,
and monitoring the malicious code’s behavior is a useful way to determine its
functionality.
Behavioral analysis cannot determine everything that malicious code is capable
of, but it can tell you what the malicious code will do under certain circumstances.

Automated Malicious Code Analysis Systems contd...

There are two main techniques to analyze the behavior of malicious code:
1 Passive analysis: Record the state of the system before and after the infection, then
compare these states to determine what changed.
2 Active analysis: Actively monitor and record malicious code actions during execution.

Passive Analysis contd...

Passive analysis is the hands-off approach to behavioral malicious code analysis.
It requires a computer to infect, a way to capture the state of that computer,
and a way to restore the system to its original state.
Passive analysis systems work in a three-stage cycle:
1 First, install the operating system and necessary applications on the computer,
recording the "clean" state. The recorded information includes system features that
malicious code might alter, such as the file system and Windows registry.
2 Second, execute the malicious code on the system for a period of time, typically two to
three minutes, which is sufficient for the code to complete its initial installation.

Passive Analysis contd...

After the malicious code infects the system, it must be shut down before an
external system analyzes its disk and memory to record the new ”infected” state.
An external computer may be used to record the infected system’s state to avoid
interference from the malicious code.
Malicious code often hides files and processes using rootkits, but an external
system (e.g., a virtual machine host or a system working from a copy of the
infected disk) is not susceptible to this interference.

Passive Analysis contd...

During the analysis stage, the external system compares the infected state to the
clean state already recorded.
AMASs can make comparisons between any features of the system that have a
state.
Common analysis features include:
File system
Windows Registry content
Running processes
Listening ports
Memory contents

Passive Analysis contd...

The comparison between the clean state and infected state is where the passive
analysis system shines.
The analysis typically consists of two stages (see Exhibit 5-7).
In the first stage, it compares the clean and infected states, creating a list of all
changes in the monitored features.
While the list of changes may seem sufficient, it’s important to remember that
Windows also performs thousands of tiny tasks that might change the file system.
This is especially true if the system has been rebooted since the clean state was
recorded (in analysis systems using physical hardware).
To filter out nonmalicious changes, the system uses a second stage to remove all
entries in a predefined white list.
The result is a report containing all changes relevant to the malicious code
analysis.

Passive Analysis contd...

In addition to static information about the malicious code (e.g., file name, size,
and MD5), the resulting report might contain:
New files:
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\sdra64.exe
Registry modifications:
Key: HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon
Old Value: "Userinit"="C:\WINDOWS\system32\userinit.exe"
New Value: "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
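The two-stage comparison described above, as an added example that is not iDefense's or any AMAS's own code: it diffs two recorded states, strips white-listed changes, and renders a report in the shape of the one on this slide. The snapshot contents, hashes, prefetch and RunMRU entries and the white-list patterns are constructed for illustration.

```python
"""Passive-analysis comparison (added example, not iDefense's or any AMAS's code).
Stage one diffs the recorded clean and infected states; stage two removes changes
that match a predefined white list. Snapshot contents, hashes and white-list
patterns are constructed for illustration."""
from dataclasses import dataclass, field
import fnmatch


@dataclass
class Snapshot:
    files: dict        # path -> MD5 of the file contents
    registry: dict     # "key\\value name" -> data
    processes: set     # running process image names


@dataclass
class Report:
    new_files: list = field(default_factory=list)
    modified_files: list = field(default_factory=list)
    registry_changes: list = field(default_factory=list)   # (name, old, new)
    new_processes: list = field(default_factory=list)


def diff_states(clean, infected):
    """Stage one: list every change in the monitored features."""
    r = Report()
    r.new_files = sorted(set(infected.files) - set(clean.files))
    r.modified_files = sorted(p for p in clean.files if p in infected.files
                              and clean.files[p] != infected.files[p])
    for name in sorted(set(clean.registry) | set(infected.registry)):
        old, new = clean.registry.get(name), infected.registry.get(name)
        if old != new:
            r.registry_changes.append((name, old, new))
    r.new_processes = sorted(infected.processes - clean.processes)
    return r


def _whitelisted(name, patterns):
    # Case-insensitive glob: Windows paths and registry names are not case sensitive.
    return any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)


def filter_whitelist(report, file_patterns, registry_patterns):
    """Stage two: drop changes Windows makes on its own (prefetch, MRU lists, ...)."""
    return Report(
        new_files=[p for p in report.new_files if not _whitelisted(p, file_patterns)],
        modified_files=[p for p in report.modified_files if not _whitelisted(p, file_patterns)],
        registry_changes=[c for c in report.registry_changes
                          if not _whitelisted(c[0], registry_patterns)],
        new_processes=report.new_processes,
    )


def render(report):
    """Text report in the shape of the sample on the slide."""
    lines = ["New files:"] + [f"  {p}" for p in report.new_files]
    lines.append("Registry modifications:")
    for name, old, new in report.registry_changes:
        key, _, value = name.rpartition("\\")
        lines += [f"  Key: {key}",
                  f'  Old Value: "{value}"="{old}"',
                  f'  New Value: "{value}"="{new}"']
    lines += ["New processes:"] + [f"  {p}" for p in report.new_processes]
    return "\n".join(lines)


# Constructed sample states. WINLOGON and the three dropped files are from the slide;
# the prefetch and RunMRU entries stand in for routine changes Windows makes itself.
WINLOGON = r"HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
RUNMRU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"
USERINIT = r"C:\WINDOWS\system32\userinit.exe"
SDRA64 = r"C:\WINDOWS\system32\sdra64.exe"
PREFETCH = r"C:\WINDOWS\Prefetch\NOTEPAD.EXE-D6D0E3A4.pf"

CLEAN = Snapshot(
    files={USERINIT: "md5-clean-userinit", PREFETCH: "md5-prefetch-1"},
    registry={WINLOGON: USERINIT, RUNMRU: "notepad"},
    processes={"explorer.exe", "svchost.exe"},
)
INFECTED = Snapshot(
    files={USERINIT: "md5-clean-userinit", PREFETCH: "md5-prefetch-2",
           r"C:\WINDOWS\Prefetch\SAMPLE.EXE-1A2B3C4D.pf": "md5-prefetch-3",
           r"C:\WINDOWS\system32\lowsec\user.ds": "md5-user-ds",
           r"C:\WINDOWS\system32\lowsec\local.ds": "md5-local-ds",
           SDRA64: "md5-sdra64"},
    registry={WINLOGON: USERINIT + "," + SDRA64, RUNMRU: "cmd"},
    processes={"explorer.exe", "svchost.exe", "sdra64.exe"},
)
FILE_WHITELIST = [r"C:\WINDOWS\Prefetch\*"]
REGISTRY_WHITELIST = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\*"]


def analyze(clean=CLEAN, infected=INFECTED):
    """Both stages; returns (raw report, white-listed report)."""
    raw = diff_states(clean, infected)
    return raw, filter_whitelist(raw, FILE_WHITELIST, REGISTRY_WHITELIST)
```

Running `print(render(analyze()[1]))` reproduces the new-file and Userinit entries of the slide's report while the two prefetch changes and the RunMRU edit are filtered out.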

Passive Analysis contd...

The information shows that the malicious code not only created three new files
but also altered the Windows Registry to run the file sdra64.exe when the user
logs on.
Passive analysis systems frequently include network monitoring, as long as the
monitoring occurs outside the infected system.
Network traffic is a key component of many AMASs because it includes any
external communication the malicious code might make and reveals the source of
the command-and-control (C&C) server if one exists.
In the mentioned example report, analysis of the network traffic revealed that the
URL visited was http://index683.com/varya/terms.php.

Passive Analysis contd...

Knowing that the malicious code visits this particular website is very valuable.
Security personnel can search proxy logs for any systems that visited this site to
pinpoint infected systems.
Blocking access to this URL will help prevent the malicious code from
conducting its malicious activity.
Malicious code cannot typically detect a passive analysis system because it does
not interfere with its operation.
However, malicious code can make passive systems ineffective by exploiting the
system’s analysis timeout.
If the system only allows the malicious code to run for three minutes before
recording the infected state, the malicious code could simply sleep for four
minutes before taking any action.

Passive Analysis contd...

While passive analysis is simple, it cannot tell the malicious code’s entire story.
For instance, if the malicious code creates a temporary file while installing
components and deletes it before the system captures the infected state, the
analysis report will not include this evidence.
Passive monitoring also fails to capture the timeline of the infection.
The sample report shows that the malicious code creates three files, but it does
not show the order in which they were created.
It is possible that the malicious code created sdra64.exe first, and that
executable created the additional files.
To capture this information, the system must actively monitor the malicious code.

Active Analysis

Unlike passive systems, active analysis AMASs install software on the
soon-to-be-infected system that monitors the malicious code and logs its activity.
This process creates a much more complete report that can show the order in
which the malicious code made changes and which specific process took each
action.
Some classify many modern Trojans as downloaders, as their primary
functionality is to download and execute a secondary payload.
Active analysis systems can differentiate between files and registry keys created
by the downloader and those created by the new file.
This functionality is one way that active systems provide much more detail than
passive systems ever could.

Active Analysis contd...

One way that active systems monitor malicious code activity is through API
hooking.
An API hook allows a program to intercept another application’s request for a
built-in Windows function, such as InternetOpenUrlW(), which applications use
to make requests for Web pages.
API hooking is a technique often used by rootkits, as it allows malicious code to
not only record user activity but also alter the data sent to and returned by the
API function.
A rootkit might use this to hide the presence of particular files or ensure that the
user does not stop any of its malicious code processes.

Active Analysis contd...

Active analysis systems can install their own rootkits that hook the APIs the
malicious code will use, allowing it to track every API call the program makes.
If malicious code can detect the AMAS processes, it could exit without taking
any actions that would reveal its functionality.
This is the primary disadvantage to active systems, but a well-written rootkit can
hide its own processes to prevent the malicious code from detecting it and
altering its behavior.

Active Analysis contd...

Active systems are not vulnerable to the same waiting technique that malicious
code uses to fool passive systems.
An active analysis rootkit can hook the sleep() function that malicious code
uses to delay execution and then alter the sleep time to just 1 millisecond.
Active analysis systems work in a cycle between clean and infected states, but do
not require a comparison of the clean and infected states to perform their
analysis.
After the malicious code completes execution or runs for the maximum time
allowed, the system records the activity in a report and begins restoring the
system to the clean state.

Active Analysis contd...

Another form of active analysis involves using an emulator rather than infecting a
traditional operating system (OS).
The most prominent emulation-based analysis system is the Norman SandBox.
Instead of installing a rootkit and hooking the Windows APIs, Norman created
software that emulates the Windows OS.
When malicious code running in the Norman SandBox calls the sleep() function,
it actually calls a Norman function that acts just like the Windows sleep()
function.
Malicious code can detect emulated systems if they do not perfectly mimic the
operating system’s API, and malicious code authors frequently attempt to evade
these systems.

Active Analysis contd...

The main advantage of emulated systems is speed.
Emulated systems do not require swapping between a clean and infected state
and can run the malicious code faster than a standard OS because they do not
need to provide full functionality of each API.
They need merely to emulate the OS in a convincing way.
For any organization that processes thousands of samples each day, speed is a
key factor in rating an AMAS.

Physical or Virtual Machines

For nonemulated AMASs, both passive and active, analysis time is spent in two
primary categories:
First, time is spent allowing the malicious code to execute.
If the runtime is too short, the analysis might miss a critical step, but the more
time allotted, the longer the system takes to generate a report.
The second major source of analysis time is restoring the infected system to a
clean state.
This must be done to prepare the system for the next analysis and makes up a
significant portion of the analysis time.

Physical or Virtual Machines contd...

Virtualization systems like VMware and VirtualBox have many features that
make them excellent choices for developing an AMAS.
These programs allow a user to run one or many virtual computers on top of
another OS.
Researchers use these systems to run many analysis instances on a single physical
computer, saving time, power, and money.
Virtual machines (VM) also have the ability to store a clean “snapshot” of the
operating system.
After the analysis is complete, restoring the system to the clean snapshot
typically takes less than 30 seconds.
However, as with active analysis systems, malicious code can detect that it is
running in a VM and alter its execution path to produce an inaccurate report.
One recent example of VM-aware malicious code is Conficker, which did not
execute in VMs to increase analysis difficulty.

Physical or Virtual Machines contd...

Physical machines are not as simple to restore as their virtual counterparts, but
multiple options are available.
One possible solution is Faronics DeepFreeze.
DeepFreeze is a Windows program that allows administrators to revert a system
to a clean state each time it reboots.
DeepFreeze is commonly used at universities and Internet cafes, where many users
share the same pool of computers.
iDefense tested DeepFreeze for use in one sandbox and found that it was not
sufficient to prevent malicious code from altering the system.
Software solutions are not reliable because malicious code can disable them or
use methods to write to the disk that the software does not monitor.

Physical or Virtual Machines contd...

CorePROTECT makes a hardware product named CoreRESTORE that acts as
an interface between a computer's IDE/ATA controller and hard drive.
CoreRESTORE prevents the system from making changes to the disk but returns
data as though the disk has already been altered.
This solution is effective but is only available for systems that use IDE/ATA
interfaces.
A third solution is to save a complete copy of the system’s hard drive in a clean
state and write this copy to the system’s disk each time restoration is necessary.
Joe Stewart of SecureWorks first introduced this method in the TRUMAN
system, and iDefense currently uses this method in its Malcode Rapid Report
Service (ROMAN).
This method takes two to three minutes per analysis, is undetectable by malicious
code, and ensures each analysis begins with a known clean image.

Physical or Virtual Machines contd...

Pure passive and active analysis systems are common, but a single system can
employ techniques from both categories.
iDefense is developing a new AMAS known internally as Automal, which uses a
combination of passive and active analysis with a custom rootkit.
The primary functionality of Automal is based on memory forensics using custom
plug-ins for the Volatility framework.
Memory forensics is relatively new in AMAS but allows systems to discover
critical information about data and processes hidden from tools running on an
active system and that show no evidence in features typically monitored by
passive systems.
Automal runs Volatility on a snapshot of the infected system’s memory when the
system is offline, preventing malicious code from detecting it or changing tactics.

Physical or Virtual Machines contd...

AMASs are valuable tools to anyone who regularly analyzes malicious code, not
just those who process thousands of samples per day.
Many organizations do not have the resources or need to develop their own
AMASs.
Fortunately, many AMASs are available free online.
Each system uses a different analysis mechanism and may return different results.
Submitting files to multiple systems can be beneficial since the combination of
resulting reports may be more complete than what a single system can produce.
Using AMAS is an excellent first step during any malicious code investigation, as
a fully automated analysis can be performed quickly with little human interaction.

Intrusion Detection Systems

Network security encompasses safeguards deployed to increase the safety of
interconnected systems and the information that traverses the network.
Connecting computers allows for communication and the exchange of information
but exposes systems to remote threats.
This exposure requires a monitoring and detection solution to ensure the safety
of interconnected systems.
iDefense describes a network detection solution called an intrusion detection
system (IDS).
Every day, new vulnerabilities and malicious code threaten systems on networks.
The constant update of threats requires strenuous patching schedules and
antivirus updates.
Patching and antivirus updates in an enterprise environment take time, which
prolongs the period devices are vulnerable.
In the event that no patch exists for a given vulnerability (zero-day vulnerability),
devices are vulnerable for an even longer period while the vendor develops a patch.

Intrusion Detection Systems contd...

There is a need for systems to detect vulnerabilities and malicious code activity
during vulnerable periods.
An IDS can satisfy this need quickly, as these devices can receive one update and
detect malicious activity across an entire network.
An IDS is a device that monitors network traffic for malicious activity.
IDS devices, referred to as sensors, detect malicious activity by searching through
traffic that traverses a network.
The IDS sensor requires access to network packets, which is possible through two
implementations: out of line and inline.
Exhibit 5-9 shows the difference in network topologies between out-of-line and
inline sensors.

Intrusion Detection Systems contd...

Out-of-line sensors connect to a SPAN (Switched Port Analyzer) port or a network
tap, an arrangement also known as monitoring or port mirroring.
A SPAN port is a port on a network device (such as a switch or firewall) that
receives a duplicate feed of real-time traffic for monitoring.
A network tap is a standalone device that sends and receives traffic between two
ports and has a third port for monitoring purposes.
Out-of-line sensors connected to a SPAN port or tap monitor traffic and produce
alerts in response to malicious activity.
Inline sensors physically sit in the path of network traffic, with traffic traveling
through the inline device to its destination.
The inline sensor checks traffic for malicious activity and can produce alerts or
block malicious activity.
Inline sensors configured to block malicious traffic are known as intrusion
prevention systems (IPSs), which help reduce the occurrence of malicious
activity on a network.

Intrusion Detection Systems contd...

Both types of sensors use rules, also known as signatures, to detect malicious
activity.
IDS sensors rely on these signatures to detect malicious activity; therefore, the
effectiveness of an IDS sensor depends on the caliber of the signatures.
Most IDS vendors have different rule structures or languages, but they generally
use content matching and anomalies to detect events.
Content-matching rules use specific pattern matches or regular expressions to
search network traffic for specific strings or values associated with malicious
traffic.
These rules are very specific and require prior knowledge of the particular
malicious content within network activity.
The use of regular expressions provides flexibility to a signature by allowing it to
search for multiple variations of a string.

Intrusion Detection Systems contd...

The content match is static and straightforward, but the regular expression
enhances effectiveness by searching for multiple different actions.
Example HTTP request:
GET /controller.php?action=bot&entity_list=&uid=1&first=1&guid=412784631&rnd=94
Content Match: "GET /controller.php?action="
Regular Expression: /GET\s\/controller\.php\?action=(bot|loader|report)/
Sensors also detect malicious activity based on anomalous network traffic.
These anomalies include protocol-specific anomalies and traffic thresholds.
Network protocols abide by standards, and abnormalities in these standards
indicate suspicious activity.
Signature authors capitalize on these protocol abnormalities to detect malicious
activity.
Example: Exhibit 5-10 shows a protocol anomaly within the HTTP header of a
GET request generated by an infected client.
The malicious code author added fields SS and xost to the header, allowing for
easy detection by an IDS signature, as they are not part of the HTTP protocol.
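The content match, the regular expression and the header-anomaly check described above, run over constructed HTTP requests as an added example (not any IDS vendor's rule language). The first request line is the one quoted on the slide; the host names, the loader and update requests, and the list of standard header names are assumptions.

```python
"""Three IDS rule styles from the slides (added example, not a vendor's rules):
a static content match, a regular expression that names the C&C action, and a
protocol-anomaly check for header fields HTTP does not define. A real sensor
inspects reassembled TCP streams; here each request is a byte string."""
import re

# Content match and regular expression from the slide (escapes included).
CONTENT_MATCH = b"GET /controller.php?action="
ACTION_RE = re.compile(rb"GET\s/controller\.php\?action=(bot|loader|report)")

# Request header names a browser is expected to send (an assumption; a production
# sensor would carry the full list from the HTTP RFCs). Anything else is an anomaly,
# like the "SS" and "xost" fields the infected client in Exhibit 5-10 added.
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "accept-charset", "connection", "cookie", "referer", "content-length",
    "content-type", "cache-control", "pragma", "if-modified-since",
    "if-none-match", "authorization", "range", "upgrade-insecure-requests",
}


def content_match(request):
    """Static content rule: fires on the exact byte pattern, whatever the action."""
    return CONTENT_MATCH in request


def regex_match(request):
    """Regex rule: same URL, but returns which of the known C&C actions was requested."""
    m = ACTION_RE.search(request)
    return m.group(1).decode() if m else None


def header_anomalies(request):
    """Protocol-anomaly rule: header field names that HTTP does not define."""
    head = request.split(b"\r\n\r\n", 1)[0]
    anomalies = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name = line.split(b":", 1)[0].strip().decode("latin-1")
        if name.lower() not in STANDARD_REQUEST_HEADERS:
            anomalies.append(name)
    return anomalies


def inspect(request):
    """Run every rule; returns (rule, detail) pairs, empty for benign traffic."""
    alerts = []
    if content_match(request):
        alerts.append(("content: controller.php C&C beacon", CONTENT_MATCH.decode()))
    action = regex_match(request)
    if action:
        alerts.append(("regex: controller.php C&C action", action))
    for name in header_anomalies(request):
        alerts.append(("anomaly: non-standard HTTP header", name))
    return alerts


def _req(request_line, *headers):
    return b"\r\n".join([request_line, *headers, b"", b""])


# Constructed sample requests; only the first request line is taken from the slide.
SAMPLES = {
    "beacon": _req(b"GET /controller.php?action=bot&entity_list=&uid=1&first=1"
                   b"&guid=412784631&rnd=94 HTTP/1.1", b"Host: c2.example.invalid"),
    "loader": _req(b"GET /controller.php?action=loader&uid=1 HTTP/1.1",
                   b"Host: c2.example.invalid"),
    "other_action": _req(b"GET /controller.php?action=update&uid=1 HTTP/1.1",
                         b"Host: c2.example.invalid"),
    "anomalous": _req(b"GET /index.php HTTP/1.1", b"Host: www.example.invalid",
                      b"SS: 1", b"xost: www.example.invalid", b"User-Agent: Mozilla/4.0"),
    "benign": _req(b"GET /index.html HTTP/1.1", b"Host: www.example.invalid",
                   b"User-Agent: Mozilla/5.0", b"Accept: */*"),
}
```

The update request shows the trade-off on the slide: the broad content match still fires on it, while the regular expression only matches the three actions it was written for.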

Intrusion Detection Systems contd...

Traffic thresholds detect anomalous increases in traffic compared to a baseline
amount of traffic.
This approach requires a baseline figure that accurately represents the normal
amount of traffic to observe an increase.
The baseline figure needs constant adjustments to reflect legitimate increases
and decreases in traffic patterns.
Without these adjustments, the IDS will generate many alerts on legitimate
traffic and waste investigative resources.
Threshold-based detection does not often detect a specific threat but provides a
heuristic approach to malicious activity detection.
These events require investigation to determine the specific issue, as they are
prone to trigger on nonmalicious traffic.

Intrusion Detection Systems contd...

By name, IDS suggests that such systems simply detect inbound attempts to
gain entry to a device; in reality, they have the ability to detect much more.
An IDS device can detect any type of malicious activity that traverses a network
based on the rules used for detection, with some exceptions described later in this
section.
The success of an IDS device in detecting a particular event depends on the
accuracy and flexibility of the signatures within its rule set.
A rule set is a list of signatures that the IDS device uses to detect malicious
activity.
IDS vendors supply a rule set for their products, and many allow the creation of
custom signatures.
The signatures within these sets can detect inbound attacks on servers and
clients, malicious code infections, and propagation.

Intrusion Detection Systems contd...

An IDS device has the ability to detect inbound attacks on a server or client
from specially crafted signatures.
To detect these attacks, the signature author needs prior knowledge of the attack
or the vulnerability to match its network activity.
Equipped with a signature for the attack or vulnerability, the IDS sensor can
detect the activity and trigger an alert for the possible compromise on the
destination.
The IDS, however, is unable to determine if the end system was vulnerable to the
detected attack.
An investigation is pivotal to determine if the attack was successful.
Rules can also detect worm propagation via content matches or anomalies.
The content match approach requires prior knowledge of the network activity the
worm generates when it attempts to spread to other systems.
A signature match provides the source of the worm propagation, which is an
infected system that needs remediation.
An investigation of the destination in this event will determine if the worm
successfully spread to the system.

Intrusion Detection Systems contd...

An anomaly-based rule can provide worm detection in a heuristic manner.
By using thresholds, a signature can trigger an alert on an increase in traffic over
a worm-able service, such as MS-RPC, NetBIOS, or SUNRPC, to investigate a
possible worm outbreak.
For example, if an increase in traffic occurs from one system over Microsoft
NetBIOS port 139, it could be a worm attempting to propagate to other systems.
This alert, however, could also be the result of a legitimate file transfer to a
shared resource.
This shows the need for investigation to determine the cause for the anomalous
increase in traffic.
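A threshold rule with a self-adjusting baseline for the NetBIOS case above, as an added example that is not a vendor's implementation. It serves both the traffic-threshold description and the worm heuristic; the flow record format, interval, adjustment rate, alert factor and sample hosts are constructed.

```python
"""Threshold-based worm heuristic (added example, not a vendor's rule).
Counts connections per source host to worm-able ports in fixed intervals,
keeps an exponentially weighted moving average per host as the baseline, and
alerts when an interval exceeds FACTOR times that baseline. Flow format,
parameters and hosts are constructed."""
from collections import defaultdict

INTERVAL = 60               # seconds per counting window
ALPHA = 0.2                 # baseline adjustment rate (higher adapts faster)
FACTOR = 4.0                # alert when count > FACTOR * baseline
MIN_COUNT = 20              # ... and at least this many connections (idle hosts)
WATCHED_PORTS = {139, 445}  # NetBIOS session service and SMB


def parse_flow(line):
    """Constructed flow record: 'unix_ts,src_ip,dst_ip,dst_port'."""
    ts, src, dst, dport = line.strip().split(",")
    return int(ts), src, dst, int(dport)


def detect(flow_lines):
    """Return alerts as (window_start, src, count, baseline) tuples."""
    counts = defaultdict(int)           # (window, src) -> connection count
    sources, last_window = set(), 0
    for line in flow_lines:
        ts, src, _dst, dport = parse_flow(line)
        if dport not in WATCHED_PORTS:
            continue
        window = ts // INTERVAL
        counts[(window, src)] += 1
        sources.add(src)
        last_window = max(last_window, window)

    baseline, alerts = {}, []
    for window in range(last_window + 1):
        for src in sorted(sources):
            count = counts.get((window, src), 0)
            if src not in baseline:
                if count:                         # first sight seeds the baseline, so a
                    baseline[src] = float(count)  # host cannot alert until it has history
                continue
            if count >= MIN_COUNT and count > FACTOR * baseline[src]:
                alerts.append((window * INTERVAL, src, count, round(baseline[src], 1)))
                continue                          # an outbreak must not raise its own baseline
            # Legitimate rises and falls move the baseline gradually.
            baseline[src] = ALPHA * count + (1 - ALPHA) * baseline[src]
    return alerts


def constructed_flows():
    """Eight minutes of made-up flows: a busy file server, a workstation that
    starts sweeping 60 hosts on port 139 in the seventh minute, and a user with
    one mapped-drive session a minute."""
    lines = []
    for minute in range(8):
        t0 = minute * INTERVAL
        for i in range(30):                  # 10.0.0.2: steady 30 SMB sessions a minute
            lines.append(f"{t0 + i},10.0.0.2,10.0.0.{50 + i % 5},445")
        burst = 60 if minute == 6 else 4     # 10.0.0.5: 4 a minute, then the sweep
        for i in range(burst):
            lines.append(f"{t0 + i},10.0.0.5,10.0.1.{i + 1},139")
        lines.append(f"{t0 + 10},10.0.0.9,10.0.0.2,139")    # one mapped-drive session
        lines.append(f"{t0 + 20},10.0.0.9,10.0.0.200,80")   # web traffic, not watched
    return lines
```

The file server's high but steady count never alerts because its baseline was learned high, which is the point the slide makes about needing an accurate baseline; the single alert still needs investigation, since a large legitimate file copy could look the same.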

Intrusion Detection Systems contd...

IDS sensors can be effective at detecting Trojans installed on compromised
machines.
Trojans communicate with their command-and-control (C&C) servers to
download updated configuration files and binaries, to receive commands to run on
the infected systems, or to drop stolen data.
The network activity generated by this communication usually uses a common
protocol, such as HTTP, to avoid rejection from a firewall.
Content-matching rules specifically created for the C&C communication can
accurately detect Trojan infections.
The example HTTP request discussed previously in this section was activity from
a Trojan, and using the content match or regular expression in an IDS signature
would successfully detect infected machines.

Intrusion Detection Systems contd...

Occasionally, malicious code authors omit fields or include additional fields to
standard protocols within their code, which generates anomalous traffic.
This allows an anomaly-based IDS signature to detect the C&C traffic easily by
searching for these protocol abnormalities.
IDS devices detect a variety of threats to a network, but they do have issues that
limit their effectiveness.
IDS evasion is a concept that encompasses all techniques used to avoid detection
during malicious activity.
Varieties of techniques are available, but the most common evasion methods
include:
Obfuscation
Encryption
Compression
Traffic fragmentation

Intrusion Detection Systems contd...

Obfuscation, encryption, and compression can evade detection from an IDS.
IDS signatures searching for content as the result of malicious activity have
difficulty matching if the known patterns change.
Although obfuscation, encryption, and compression differ in functionality, all
three change the representation of data transmitted over the network.
Obfuscation of data and exploit code evades detection through structural
changes while retaining original functionality through encoding, concatenation,
and obscure variable/function names.
Encryption of data or the network traffic can evade detection from an IDS.
An IDS signature can detect malicious activity within unencrypted channels by
searching for malicious content within cleartext data.
However, an IDS struggles to detect malicious activity within encrypted
communications due to lack of the decryption key.

Intrusion Detection Systems contd...

Compression changes the representation of data by passing it through an
algorithm to reduce the size.
Compressing information is common for communication, as it requires less
network bandwidth.
Evading detection occurs when the sender compresses the data using a
compression algorithm and sends the compressed data over the network.
The destination uses a decompression algorithm to view the original data sent by
the source.
The IDS device sees the communication between the source and the destination
but inspects the compressed data, which does not resemble the original data.

Intrusion Detection Systems contd...

Traffic fragmentation and reassembly can also evade IDS.
Malicious activity split into multiple different packets requires the IDS to
reassemble the fragmented packets before inspecting the traffic.
For example, an attacker can spread the transmission of the attack’s payload
across fifty packets.
To detect the attack payload, the IDS sensor has to track and reassemble the
fifty packets in memory and then scan the reassembled payload using the rule set.
Fragmentation techniques such as fragment overlapping, overwriting, and
timeouts complicate IDS evasion, but are not covered in this book.
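Reassembly before inspection, as an added example that is not a specific sensor's implementation: the constructed request is split into 2-byte segments delivered out of order, and the content match from earlier in this section only fires on the rebuilt stream. The initial sequence number, the payload and the policy of reporting conflicting overlaps are assumptions.

```python
"""Reassembly before inspection (added example, not a particular sensor's code).
Segments are (seq, payload) pairs of one direction of a TCP stream. The sensor
buffers them, orders them by sequence number and scans the rebuilt stream, so a
pattern spread across many segments is still matched. Overlapping segments whose
bytes disagree are reported rather than silently resolved, because which copy an
endpoint keeps depends on its operating system. ISN and payload are constructed."""
import random

PATTERN = b"GET /controller.php?action="   # content match from earlier in the section
PAYLOAD = (b"GET /controller.php?action=bot&uid=1 HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\n\r\n")
ISN = 4000                                  # constructed initial sequence number


def reassemble(segments, isn):
    """Return (contiguous stream from isn, incomplete, conflicting offsets).
    First-arriving data wins; later data that differs at the same offset is a conflict."""
    buf, conflicts = {}, set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq - isn + i
            if off in buf:
                if buf[off] != byte:
                    conflicts.add(off)
            else:
                buf[off] = byte
    stream = bytearray()
    end = max(buf) + 1 if buf else 0
    for off in range(end):      # stop at the first hole: data past it cannot be inspected yet
        if off not in buf:
            break
        stream.append(buf[off])
    return bytes(stream), len(stream) < end, sorted(conflicts)


def scan_segments(segments):
    """Naive per-packet inspection: misses any pattern split across segments."""
    return any(PATTERN in data for _seq, data in segments)


def scan_stream(segments, isn):
    """Inspection after reassembly, as the slide describes."""
    stream, _incomplete, _conflicts = reassemble(segments, isn)
    return PATTERN in stream


def fragment(payload, isn, size):
    """Split a payload into consecutive segments of `size` bytes."""
    return [(isn + i, payload[i:i + size]) for i in range(0, len(payload), size)]


def sample_segments(seed=7):
    """The constructed request in 2-byte segments, delivered out of order with
    one retransmitted duplicate."""
    segs = fragment(PAYLOAD, ISN, 2)
    segs.append(segs[3])
    random.Random(seed).shuffle(segs)
    return segs
```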

Intrusion Detection Systems contd...

In addition to IDS evasion techniques, the network environment can affect the
sensor’s ability to detect malicious activity.
Placement of the IDS sensor is key to monitoring the appropriate traffic.
Overlooking sensor placement leads to visibility issues, as the sensor will not
monitor the correct traffic.
Placement in high-traffic areas can severely affect the performance of the IDS
sensor.
Sensors in high-traffic environments require a great deal of hardware to perform
packet inspections.
Packet inspections become more resource-intensive as the amount of traffic
increases; if the sensor lacks sufficient resources, it will fail to detect malicious
traffic.
This results in the IDS failing to create an alert about the malicious activity.

Intrusion Detection Systems contd...

The rule set used by the IDS sensor affects the sensor’s detection performance.
To increase performance, each IDS vendor uses different rule set optimization
techniques.
Despite optimization, the sensor checks all traffic for signature matches.
A smaller set of rules results in faster performance but fewer rules to detect
malicious content.
Larger rule sets perform slower but provide more rules for detecting malicious
activity.
This shows the need for a compromise between speed and threat coverage.
Threat coverage requires another compromise.
An overflow of alerts dilutes critical alerts with low-priority alerts and useless
data, making triage difficult.
The rule set needs constant attention and custom tuning to reduce alerts on
legitimate traffic.

Intrusion Detection Systems contd...

Inline devices physically sit between two network devices and have the ability to
block malicious activity.
However, legitimate traffic can also match signatures for malicious activity.
This often results in the sensor blocking legitimate traffic.
Another situation occurs when IDS devices go offline or are overwhelmed with
traffic.
If the device does not fail open in the event of system failure, it will block all
traffic at its network interface.
The inline device will also drop traffic if it exceeds its processing power.

Intrusion Detection Systems contd...

Despite the issues, IDSs are still beneficial to network security. Proper
consideration of the network environment is a must.
An appropriate operating environment can reduce issues that plague a sensor’s
ability to detect malicious activity.
Supplementing the environment with continuous updates and tuning of the
sensor’s rule set provides excellent coverage for a majority of malicious events.
IDS devices provide an invaluable stream of information to aid in security
investigations and improve overall network security.
IDS sensors improve security by detecting a network’s vulnerable areas and
inbound attacks.
In cases of inline sensors, IDS devices can greatly improve security by blocking
malicious activity before it does harm.

Introduction to Port Scanners

A port scanner is a tool used to identify open ports on a computer or network.
Nmap is one of the most popular port scanning tools.
It is used for network discovery and security auditing.
It can scan multiple hosts and services in a network.

Why Use Nmap?

Identify open ports and services running on a host.
Detect security vulnerabilities.
Network inventory.
Monitor uptime and status of services.

Installing Nmap on Linux

Open your terminal.
Update the package lists:
sudo apt update
Install Nmap:
sudo apt install nmap
Verify installation:
nmap --version

Installing Nmap on Windows

Download the Nmap installer from the official website:
https://nmap.org/download.html
Choose the Windows version and download the executable file.
Run the installer and follow the instructions.
After installation, open Command Prompt and type:
nmap --version

Basic Nmap Commands

Scan a single host:
nmap <hostname or IP>
Scan multiple hosts:
nmap <host1> <host2> ...
Scan a range of IPs:
nmap 192.168.1.1-20
Scan all ports:
nmap -p- <hostname or IP>

Advanced Nmap Options

Service version detection:
nmap -sV <hostname or IP>
OS detection:
nmap -O <hostname or IP>
Aggressive scan:
nmap -A <hostname or IP>

Using Nmap for Network Security

Regularly scan your network for vulnerabilities.
Identify unauthorized devices or open ports.
Verify firewalls and intrusion prevention systems.

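One way to turn the "identify unauthorized devices or open ports" advice into a repeatable check is to compare each scan against an approved baseline. The following is an added example, not code from the slides or from the Nmap project: it parses a constructed sample of nmap's grepable output (the -oG option) and reports hosts and ports that the assumed baseline does not allow.

```python
"""Compare open ports from an nmap scan against an approved baseline.
Added example, not from the original slides or the Nmap project. The scan
output is a constructed sample in nmap's grepable format (-oG), and the
baseline of approved hosts and ports is an assumption for illustration.
"""
import re

# Constructed sample of `nmap -oG - 192.168.1.1-20` output (three hosts up).
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.168.1.1-20
Host: 192.168.1.10 (web01)\tStatus: Up
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.11 (db01)\tStatus: Up
Host: 192.168.1.11 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 192.168.1.15 ()\tStatus: Up
Host: 192.168.1.15 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done -- 20 IP addresses (3 hosts up) scanned
"""

# Assumed baseline: the TCP ports each approved host is allowed to expose.
BASELINE = {
    "192.168.1.10": {22, 80, 443},
    "192.168.1.11": {22, 5432},
}

OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_open_ports(grepable_output):
    """Return {host_ip: set of open TCP ports} from nmap -oG output."""
    open_ports = {}
    for line in grepable_output.splitlines():
        # Only "Host:" records that carry a "Ports:" field list port states.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        found = {int(p) for p in OPEN_TCP_RE.findall(ports_field)}
        open_ports.setdefault(ip, set()).update(found)
    return open_ports


def find_deviations(scan_ports, baseline):
    """Report hosts missing from the baseline and open ports beyond it."""
    unknown_hosts = sorted(ip for ip in scan_ports if ip not in baseline)
    unexpected = {}
    for ip, allowed in baseline.items():
        extra = scan_ports.get(ip, set()) - allowed
        if extra:
            unexpected[ip] = sorted(extra)
    return unknown_hosts, unexpected


if __name__ == "__main__":
    print(find_deviations(parse_open_ports(SAMPLE_GREPABLE), BASELINE))
```

Feeding a real scan is `nmap -oG scan.gnmap <targets>` followed by reading that file into parse_open_ports; the sample flags the unlisted host 192.168.1.15 and the unapproved port 3389 on db01.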
Conclusion

Nmap is a powerful tool for network security.
Installation on both Linux and Windows is straightforward.
Mastering Nmap allows you to enhance your network auditing and security
practices.

References

Nmap Official Website: https://nmap.org/
Nmap Documentation: https://nmap.org/book/

Introduction to Intrusion Detection Systems (IDS)

An IDS is a security system that monitors network traffic to detect malicious activity.
Intrusion Detection Systems can be classified as:
Network-based IDS (NIDS)
Host-based IDS (HIDS)
Snort is one of the most widely used open-source NIDS.

What is Snort?

Snort is an open-source network intrusion detection and prevention system
(IDS/IPS).
It can perform real-time traffic analysis and packet logging.
Snort can detect a variety of attacks, such as buffer overflows, stealth port scans,
CGI attacks, and more.

Unique Features of Snort

Real-time Traffic Analysis: Snort analyzes packets in real time to detect
suspicious activities.
Flexibility: Can be used as an IDS or IPS and configured for different types of
network environments.
Rule-based Detection: Uses a rule-based language to define patterns of known
attacks.
Open-source: Snort is free and supported by a large community.
Scalability: Suitable for both small networks and large enterprise environments.

Components of Snort

Packet Decoder: Processes network traffic and organizes packets.
Preprocessors: Prepare and normalize data for easier detection (e.g., stream5 for
TCP reassembly).
Detection Engine: Uses rules to inspect packets and detect attacks.
Logging and Output: Records detected events in log files or triggers alerts.

Installing Snort

Snort can be installed on Linux, Windows, and macOS.
Basic installation on Ubuntu:
sudo apt update
sudo apt install snort
Verify installation:
snort -V

Configuring Snort for Maximum Performance

Adjust System Resources:
Allocate enough memory and CPU for Snort to handle high traffic loads.
Use optimized hardware for high-performance networks.
Tune Snort Rules:
Disable unnecessary rules to reduce overhead.
Customize rules for your specific environment.
Enable Multi-threading:
Snort supports multi-threading for parallel processing of packets.
Enable multi-threading to improve performance on multi-core systems.
Use Appropriate Preprocessors:
Use only the preprocessors that are necessary for your environment.
Disable unnecessary preprocessors to improve performance.

Configuring Snort Rules for Maximum Performance

Optimize Rule Performance:
Organize rules based on severity and frequency.
Place more commonly triggered rules higher in the configuration.
Use 'fast' Logging:
Use faster output plugins like fast to reduce the time spent logging events.
Limit Logging:
Log only critical events to avoid excessive disk I/O.

Snort Performance Tuning Best Practices

Disable Unused Features: Disable features like database logging if not required.
Use Inline Mode for Prevention: If Snort is being used as an IPS, configure it to
drop malicious traffic instead of logging it.
Increase Packet Buffer Size: Adjust the buffer size to accommodate larger traffic
volumes.
Regularly Update Rules: Keep Snort’s rules up-to-date to ensure detection of
new threats.

Monitoring Snort Performance

Use tools like top, htop, or snortstat to monitor Snort’s resource consumption.
Check for high CPU or memory usage and adjust configurations accordingly.
Regularly check Snort logs for performance issues or missed alerts.

Snort Output Options

Unified Output: Useful for logging in a format that is compatible with other
tools like Barnyard2.
Syslog Output: Send alerts to a centralized logging system.
Fast Output: Provides a compact and fast alert output suitable for
high-performance environments.

Conclusion

Snort is a powerful and flexible intrusion detection/prevention system.
Proper configuration and rule management are essential for achieving maximum
performance.
Regular performance monitoring and rule updates ensure that Snort continues to
operate effectively.

References

Snort Official Website: https://www.snort.org/
Snort Documentation: https://www.snort.org/documents

Analysis and Management Tools: Using Databases and Web Servers to
Manage Your Security Data - Introduction

Managing security data is crucial for identifying vulnerabilities and monitoring
network activity.
Databases and web servers are key components in handling large volumes of
security-related information.
Effective analysis and management of security data can help in making informed
security decisions.

Role of Databases in Security Management

Databases store and organize security data efficiently.
They can manage logs, alerts, and network traffic data.
Relational databases (e.g., MySQL, PostgreSQL) or NoSQL databases (e.g.,
MongoDB) can be used based on the requirements.
Advantages:
Scalable data storage.
Faster queries for security analysis.
Support for real-time analysis.

Using MySQL/PostgreSQL for Security Data Management

MySQL/PostgreSQL are popular relational databases used in security data
management.
These databases provide:
Structured storage for security logs and alerts.
SQL queries to search, filter, and analyze security events.
Support for indexing and optimization for better query performance.
Example: Storing firewall logs in a database for easy querying and analysis.

NoSQL Databases in Security Management

NoSQL databases (e.g., MongoDB, Cassandra) are increasingly used for
large-scale security data storage.
They provide:
Flexibility in storing unstructured or semi-structured data.
Scalability for handling big data generated by security systems.
Horizontal scalability for handling distributed data across servers.
Example: Using MongoDB to store large volumes of event data from network
monitoring tools.

Integrating Web Servers with Security Databases

Web servers (e.g., Apache, Nginx) can serve as an interface between security data
and users.
Web servers allow for:
Real-time querying and visualization of security data through web interfaces.
Access control and authentication to protect sensitive security information.
Integration with databases to display live data and alerts on web dashboards.
Example: Using a web interface to visualize security events stored in a database.

Building a Web Dashboard for Security Data

A web dashboard provides a graphical representation of security data.
Tools used for building dashboards:
PHP/Python: Server-side scripting to connect with databases and process queries.
JavaScript (e.g., D3.js, Chart.js): Front-end libraries for interactive data visualization.
Bootstrap: For responsive and user-friendly UI design.
Example: Building a real-time attack monitoring dashboard using web
technologies.

Key Technologies for Web Server Integration

Apache HTTP Server: Popular web server used to host security data
visualization applications.
Nginx: Lightweight, high-performance web server ideal for serving large amounts
of data.
Node.js: A JavaScript runtime to create back-end services and APIs for data
processing.
Flask/Django: Python web frameworks for connecting databases with web
interfaces.

Data Analysis Using SQL Queries

SQL allows for querying databases to perform advanced analysis on security data.
Example queries:
SELECT * FROM logs WHERE severity = 'high'; -- Retrieves high-severity logs.
SELECT COUNT(*) FROM alerts WHERE timestamp > NOW() - INTERVAL 1 HOUR; --
Counts alerts from the last hour (MySQL interval syntax; PostgreSQL writes INTERVAL '1 hour').
SQL queries can be automated to trigger alerts or generate reports based on
specific criteria.

Automating Security Data Management

Use cron jobs or scheduled tasks to automate database maintenance:
Automatic cleanup of old logs and alerts.
Regular database backups to ensure data integrity.
Automate report generation using SQL queries or scripts, and send them to
administrators.
Example: Using cron jobs to run queries that flag unusual activity at specific
intervals.

Visualizing Security Data with Web Servers

Data visualization helps in quickly identifying patterns, trends, and potential
threats.
Use charts, graphs, and tables to represent:
Network traffic over time.
Frequency of security incidents by type or severity.
Geographic distribution of attacks.
Example: Creating bar charts to show attack frequency over a 24-hour period.

Security and Access Control for Web Servers

Secure your web servers and databases:
Use SSL/TLS encryption for data transmission.
Set up role-based access control (RBAC) to restrict access to sensitive data.
Employ multi-factor authentication for web interfaces.
Example: Setting up HTTPS and login authentication for a security monitoring
dashboard.

Challenges in Security Data Management

Volume: Handling large volumes of security data generated by network devices
and monitoring tools.
Complexity: Managing different types of security data from diverse sources (e.g.,
firewalls, intrusion detection systems).
Real-time Processing: Ensuring real-time analysis and alerting on security
threats.
Security: Protecting sensitive security data from unauthorized access.

Conclusion

Databases and web servers are integral to managing and analyzing security data
effectively.
Properly integrating these tools allows for real-time monitoring, automated alerts,
and comprehensive analysis of security events.
Effective management and visualization of security data help organizations
respond quickly to security incidents.

References

PostgreSQL Official Website: https://www.postgresql.org/
MySQL Official Website: https://www.mysql.com/
Apache HTTP Server: https://httpd.apache.org/
Flask Framework: https://flask.palletsprojects.com/

Introduction to Forensic Tools

Digital forensics involves the identification, preservation, analysis, and
presentation of digital evidence.
Forensic tools help investigators examine digital data while maintaining the
integrity of the evidence.
Effective use of forensic tools ensures the accuracy of the investigation and
supports legal procedures.

Preparing for a Good Forensic Investigation

Proper preparation is crucial to ensure the integrity of digital evidence:
Maintain a clean and controlled environment to avoid contamination of evidence.
Document all actions performed during the investigation.
Ensure tools are reliable, validated, and up-to-date.
Steps for preparation:
Gather the right forensic tools.
Establish a chain of custody for evidence handling.
Ensure all tools are functioning properly and calibrated.

Forensic Analysis Tools

Digital forensics tools are designed to recover and analyze evidence from digital
devices.
Common categories of forensic tools:
Disk Imaging Tools: Make bit-for-bit copies of hard drives.
File Carving Tools: Recover deleted or fragmented files from unallocated disk space.
Network Forensics Tools: Analyze network traffic to investigate suspicious activity.
Mobile Device Forensics Tools: Recover data from smartphones and tablets.
Example tools:
FTK Imager: Disk imaging and evidence collection tool.
EnCase: Comprehensive forensic analysis and reporting tool.
Wireshark: Network protocol analyzer for network forensics.
Cellebrite UFED: Tool for mobile device data extraction and analysis.

Making Copies of Forensic Data

When working with forensic data, it is essential to make an exact copy (image) of
the original data to avoid modifying the evidence.
The copy (or image) is used for analysis, while the original data is preserved as
evidence.
Types of Copies:
Bit-for-bit Copy: A 100
Logical Copy: A copy of selected data, such as files or directories, excluding deleted or
unallocated data.
Tools for making copies:
DD: A Linux tool that creates bit-for-bit copies of storage devices.
FTK Imager: A GUI-based tool for creating forensic images.
Clonezilla: A free software for disk imaging and cloning.

Forensic Data Integrity and Validation

To maintain data integrity, investigators must ensure that copies are exact
replicas of the original.
Use hashing algorithms (e.g., MD5, SHA-1, SHA-256) to generate checksums for
the original data and copies.
Verify that the hash values of the copied data match the original, ensuring no
alterations occurred during the copy process.
Example:
sha256sum original.img generates a SHA-256 checksum for the original data.
sha256sum copy.img generates a SHA-256 checksum for the copied data.
Compare the values to verify the copy’s integrity.

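The sha256sum comparison above, carried out programmatically so the result can be written straight into the case log. This is an added example, not code from the slides: hashlib replaces the sha256sum command, both images are hashed in chunks (so a multi-gigabyte image never has to fit in memory), several digests are recorded, and a copy with a single flipped bit is included to show that the verification catches it.

```python
"""Verify a forensic image against its original by comparing hash digests.
Added example, not from the original slides: hashlib stands in for `sha256sum`,
hashing in 1 MiB chunks; the "images" are constructed in-memory byte strings.
"""
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time; never load a whole image


def hash_stream(stream, algorithm="sha256"):
    """Return the hex digest of everything readable from `stream`."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_copy(original, copy, algorithms=("sha256", "sha1", "md5")):
    """Hash both images with each algorithm; map algo -> (orig, copy, match).

    Logging several digests is common practice: a match on every algorithm
    gives the chain-of-custody record independent confirmations.
    """
    results = {}
    for algo in algorithms:
        original.seek(0)
        copy.seek(0)
        orig_digest = hash_stream(original, algo)
        copy_digest = hash_stream(copy, algo)
        results[algo] = (orig_digest, copy_digest, orig_digest == copy_digest)
    return results


def check_images(original_bytes, copy_bytes):
    """Verify two in-memory images; return (per-algorithm results, all matched)."""
    results = verify_copy(io.BytesIO(original_bytes), io.BytesIO(copy_bytes))
    return results, all(match for _, _, match in results.values())


# Constructed sample: a 3 MiB "disk image", an exact copy, and a copy with a
# single bit flipped deep inside it (a simulated imaging error).
ORIGINAL_IMAGE = bytes(range(256)) * (3 * 1024 * 4)
EXACT_COPY = bytes(ORIGINAL_IMAGE)
ALTERED_COPY = bytearray(ORIGINAL_IMAGE)
ALTERED_COPY[2_000_000] ^= 0x01
ALTERED_COPY = bytes(ALTERED_COPY)

if __name__ == "__main__":
    for label, copy in (("exact copy", EXACT_COPY), ("altered copy", ALTERED_COPY)):
        results, ok = check_images(ORIGINAL_IMAGE, copy)
        print(f"{label}: {'VERIFIED' if ok else 'MISMATCH'}")
        for algo, (orig, dup, match) in results.items():
            print(f"  {algo}: match={match} original={orig[:16]}... copy={dup[:16]}...")
```

For real evidence, pass `open("original.img", "rb")` and `open("copy.img", "rb")` to verify_copy and record every digest pair in the case notes alongside the acquisition time and examiner.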
Creating and Logging into a Forensic Case

A forensic case involves documenting the details of the investigation, including
evidence handling and analysis.
Steps for creating a forensic case:
Case Creation: Initialize a case in forensic analysis software (e.g., EnCase, FTK).
Case Details: Record information about the case, including case number, date, and
involved parties.
Chain of Custody: Log every action taken with the evidence, including who handled it
and when.
Logging into a forensic case:
Use secure login credentials to access the forensic case system.
Ensure that case data is kept secure and confidential.

Documenting Forensic Evidence

Proper documentation is crucial for maintaining the integrity of the investigation.
Key elements of documentation:
Chain of custody: A log that tracks the evidence from its discovery to its presentation
in court.
Forensic examiner's notes: Document observations, analysis procedures, and any
anomalies found.
Digital evidence report: A formal report detailing the findings, tools used, and
methodologies.
Use case management software to maintain a secure and detailed log of all
forensic actions.