Embedded Memory Anomaly Detection Leading to Operational Security - 2017 INMM Novel Technologies Workshop
Embedded Memory Anomaly Detection Leading to Operational Security
2017 INMM Novel Technologies Workshop
Derek Aberle
August 30, 2017
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
Agenda
Wednesday, August 30, 2017, 10:40 AM – 11:00 AM
Embedded Memory Anomaly Detection Leading to Operational Security
Derek Aberle, A-4: Advanced Research in Cyber Systems
Derek Aberle, Joe Taylor, Richard Sisneros, Alia Long, Phil Romero
• Background
  – Memory resident malware
  – Internet of Things
  – 3900 Series Router Architecture
• R&D Example
  – Retrieving an Image
  – Manual Analysis
  – Survey of COTS Tools
  – Examining the Memory Layout
  – Data Analytics
• Implications
  – Summary
  – Discussion
Los Alamos National Laboratory 10/3/2017 | 2
Memory Resident Malware
File-less malware is written directly to the victim computer’s working memory, called RAM, instead of being installed on the hard drive, where it can be discovered by security scans.
Persistent, difficult to detect, built-in anti-forensics
Internet of Things
https://cdn.pixabay.com/photo/2015/05/25/05/27/network-782707_960_720.png
Digital is replacing analog, and everything is getting networked
Architecture of the 3900 Series Cisco Router
• Workstation hardware, embedded software
  – Intel Xeon processor with 1GB RAM
  – Operates on a custom Cisco operating system
• Region based memory
  – Data, code, and executables live in predefined areas
• Not secure out of the box
  – Passwords default to not encrypted?!?
• Generic attacks fail if properly secured
  – STIG guides
  – Configuration management software
Server hardware developed as an embedded system
Retrieving the Memory Image
• A router was provided by the local networking team.
• Cisco provides support to perform a volatile memory dump.
  – 1GB of memory
  – The “Operating System” of the device is an executable itself.
  – A core dump does not require an interruption of the system.
• SSH was used to copy data to the local machine.
• The process can be easily automated in a defensive environment.
There is no need to “exploit” a Cisco router to apply our techniques.
Manual Analysis
• We utilized standard Linux utilities.
• Examined open source tools for memory analysis.
  – Router tools are obsolete and/or no longer supported.
  – The source contained some “hints” which saved us time.
Defensively, Cisco memory dumps are easy to get, and are not encrypted.
Manual Analysis (cont.)
What hardware are we looking at?
What kind of software can we look for?
Where is the code and data hiding?
A roadmap of how to analyze the memory image.
Survey of Commercial Off The Shelf Tools
• We examined three commonly used tools.
  – NAFT, EnCase, and Volatility
• These guys make money on desktop systems.
  – Currently, very little support for “Internet of Things” devices.
  – There are too many devices to expect a vendor to cover them all.
• Great at finding hardware independent information.
  – They can be used to find certificates, keys, packets, etc.
• Not so great at anything else.
  – Failed at finding process table, anomaly detection, configuration changes.
These should be part of an analyst toolkit, not what defines it.
Examining the Memory Layout
• Begin memory – top row – 1MB
• Text region – blue – Code: 100 MB
• Data region – yellow – Variables: 100 MB
• BSS region – orange – More variables: 11 MB
• Heap region – red – Storage: 820 MB
• Empty region – gray – Addons: 32 MB
Region based memory has defined addresses that are not random.
Data Analytics (and future Anomaly Detection)
The slide's image (not reproduced in this transcription) shows bar heights proportional to the average (mean) value of each 1024 byte block, colored by the standard deviation of that block. Patterns are clearly encoded in the memory.
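As an added example (not code from the talk), the per-block statistics just described computed in Python over a constructed miniature image, extended to compare two dumps of the same device so that blocks whose mean or standard deviation shifted are flagged. The 1024-byte block size follows the slide; the sample images, the injected block and the tolerance are assumptions for illustration.

```python
import math
import random

BLOCK = 1024  # the 1024-byte granularity used on the slide


def block_stats(image: bytes, block: int = BLOCK):
    """Return [(offset, mean, stdev)] for every block of the image.

    Mean and population standard deviation of the byte values, i.e. the two
    quantities the slide plots as bar height and colour."""
    stats = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        mean = sum(chunk) / len(chunk)
        var = sum((b - mean) ** 2 for b in chunk) / len(chunk)
        stats.append((off, mean, math.sqrt(var)))
    return stats


def flag_blocks(baseline: bytes, current: bytes, tol: float = 8.0):
    """Offsets of blocks whose mean or stdev moved by more than tol between a
    known-good baseline dump and a later dump of the same device.
    The tolerance is an assumption for this example, not a value from the talk."""
    flagged = []
    for (off, m0, s0), (_, m1, s1) in zip(block_stats(baseline), block_stats(current)):
        if abs(m1 - m0) > tol or abs(s1 - s0) > tol:
            flagged.append(off)
    return flagged


# Constructed sample images (16 blocks = 16 KiB) standing in for a 1 GB dump:
# blocks 0-7 mimic a code/data region with a repeating low-variance pattern,
# blocks 8-15 mimic a zero-filled BSS region.
_pattern = bytes(range(0x40, 0x50)) * (BLOCK // 16)
BASELINE_IMAGE = _pattern * 8 + bytes(BLOCK * 8)

# Second dump: identical except that block 10 (inside the zero-filled region)
# now holds high-entropy bytes, the kind of change resident code or data that
# was never there at baseline would produce. Seeded so the run is reproducible.
_rng = random.Random(2017)
_injected = bytes(_rng.randrange(256) for _ in range(BLOCK))
CURRENT_IMAGE = BASELINE_IMAGE[:10 * BLOCK] + _injected + BASELINE_IMAGE[11 * BLOCK:]

if __name__ == "__main__":
    for off in flag_blocks(BASELINE_IMAGE, CURRENT_IMAGE):
        _, m, s = block_stats(CURRENT_IMAGE)[off // BLOCK]
        print(f"block @0x{off:06x}: mean={m:.1f} stdev={s:.1f} differs from baseline")
```

Against a real dump the baseline would be an image taken from the same router in a known-good state, so that the fixed region addresses line up block for block.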
Summary
• Commercial off the shelf solutions are not bullet proof.
  – They can be used, but won’t do the job for you.
• The primary risk is with unsecured routers.
  – Properly secured, updated, and configured systems are substantially less vulnerable.
  – Assuming the system admin correctly configured the system costs banks millions.
• The data is available to examine devices.
  – Live forensics can provide new information not currently utilized operationally.
  – We can automate the majority of the process to provide a tool.
• There are other possible paths of research.
  – Machine learning algorithms could identify anomalies.
  – The analytics developed would apply to other embedded hardware as well.
There are several paths for future work.
Questions, Discussion?
Thank you!