Videos http://10.10.10.29 Fri, 19 May 2017 12:57:32 +0000

Investigating Privilege Elevation on Linux http://10.10.10.29/resources/investigating-privilege-elevation-on-linux-2/ Fri, 28 Apr 2017 18:22:55 +0000

Detecting Malware Through Process Chain Analysis http://10.10.10.29/resources/detecting-malware-through-process-chain-analysis-2/ Thu, 23 Mar 2017 02:56:16 +0000 (webinar; transcript available)

Looking for Cyber Threats Through Statistical Outliers http://10.10.10.29/resources/looking-for-cyber-threats-through-statistical-outliers-2/ Wed, 15 Feb 2017 23:22:35 +0000 (webinar; transcript available)

Responding to Cyber Incidents http://10.10.10.29/resources/responding-to-cyber-incidents/ Wed, 18 Jan 2017 00:31:47 +0000 (webinar; transcript available)
SNOW Live Memory forensics: analyzing suspicious code http://10.10.10.29/resources/snow-live-memory-forensics-analyzing-suspicious-code/ Tue, 03 Jan 2017 22:45:48 +0000

To Arc4dia’s hunters, malware is not merely a file on disk: it is a live running computation. Especially on Windows systems, these computations use a whole bag of tricks to hide themselves within legitimate processes, much the way a parasite hides within its host.

These tricks include DLL injection, thread injection, process hollowing and so on.

SNOW, Arc4dia’s EDR solution, detects such hidden computations by carefully balancing the memory accounts of all running processes on a system. Whenever something does not check out, this fact is immediately reported to our central analytics database and an investigation is opened.

For instance, the SNOWboard interface suggests here that a process on a machine is possibly the target of process hollowing. This means that one of its code segments differs substantially from the code stored on disk for that module. This worries me, so I very much want to analyze this suspicious code. Fortunately, I can quickly get a dump of this memory segment by sending a command to that machine’s agent. I enter the address of the memory segment, I input its size, and away it goes.

In a matter of minutes, I get the response from the agent. I can now download a copy of this segment and load it into IDA Pro to figure out what this suspicious code does.

Compare this to current approaches to memory forensics. Analysts must obtain a memory dump of the full process, possibly even of the whole machine. This dump must be gathered through in-person access to the machine, which may disrupt the work of all its current users. Perhaps the analyst has a tool to do this work remotely, but then the data transfer implied by the memory dump may impact network performance for the whole organization.

SNOW removes all these transactional costs from memory forensics, enabling its live execution for exploratory purposes. SNOW, as an EDR solution, helps IT security staff stay on top of the computations running across their networks.

Cycon 2016 http://10.10.10.29/resources/advanced-targeted-cyber-attacks-the-past-present-and-future-by-marc-theberge-at-cycon-2016/ Mon, 12 Dec 2016 19:19:31 +0000

SNOWboard Demo http://10.10.10.29/resources/snowboard-demo/ Sat, 01 Oct 2016 03:38:02 +0000

SNOW Live http://10.10.10.29/resources/snow-live/ Sat, 01 Oct 2016 03:34:52 +0000

SNOWboard Investigations http://10.10.10.29/resources/snowboard-investigations/ Thu, 14 Jul 2016 04:02:48 +0000

SNOWboard Clustering Rules http://10.10.10.29/resources/snowboard-clustering-rules/ Thu, 14 Jul 2016 03:48:28 +0000