El Jefe 2.0 - Process Chain Visualization and Heuristics
One improvement in modern Anti-Virus is the move away from signatures to heuristics and program behavior analysis on any one process. This turns out to be a decent protection at first, but as attackers evolve it will rapidly become less effective. El Jefe offers a radically different leap-frog in the level of analysis done with its protective heuristics by looking at the entire chain of process creation, rather than each process creation event alone.
Figure: Walking through the events on multiple stations
Intuitively, a human being will ask questions based on process chain anomalies:
- Why is IExplorer.exe popping up commands like crazy?
- Why does Adobe PDF process spawn another process as LOCAL/SYSTEM?
- Why did this user suddenly start using commands like wmic, which only a system administrator normally would use?
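The three questions above are chain-level checks rather than single-process checks. The following is an added example, not code from El Jefe or Immunity, that runs exactly those three heuristics over a constructed batch of process creation events (the event fields, the tool and user lists, and the threshold are all assumptions for illustration):

```python
from collections import defaultdict

# Constructed sample events, not El Jefe output. Field names are assumptions.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",  "user": "CORP\\alice"},
    {"pid": 200, "ppid": 100, "image": "iexplore.exe",  "user": "CORP\\alice"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",       "user": "CORP\\alice"},
    {"pid": 202, "ppid": 200, "image": "cmd.exe",       "user": "CORP\\alice"},
    {"pid": 203, "ppid": 200, "image": "cmd.exe",       "user": "CORP\\alice"},
    {"pid": 300, "ppid": 100, "image": "AcroRd32.exe",  "user": "CORP\\alice"},
    {"pid": 301, "ppid": 300, "image": "svchost.exe",   "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 302, "ppid": 100, "image": "wmic.exe",      "user": "CORP\\alice"},
    {"pid": 400, "ppid": 1,   "image": "services.exe",  "user": "NT AUTHORITY\\SYSTEM"},
]

# Assumed classification lists; a real deployment would build these per environment.
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
ADMIN_TOOLS = {"wmic.exe", "net.exe", "reg.exe"}
ADMIN_USERS = {"corp\\itadmin"}
SYSTEM_USER = "nt authority\\system"


def index_by_pid(events):
    """Map pid -> event so parent links can be followed."""
    return {e["pid"]: e for e in events}


def ancestry(events_by_pid, pid):
    """Walk ppid links upward and return image names from the root to pid.
    A seen-set guards against pid reuse creating a cycle in the data."""
    chain, seen = [], set()
    cur = events_by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"].lower())
        cur = events_by_pid.get(cur["ppid"])
    return list(reversed(chain))


def find_anomalies(events, shell_threshold=3):
    """Return (kind, pid, detail) tuples for the three chain-level questions."""
    by_pid = index_by_pid(events)
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        img, user = e["image"].lower(), e["user"].lower()

        # 1. A browser spawning a burst of command shells.
        if img in BROWSERS:
            shells = [c for c in children[e["pid"]] if c["image"].lower() in SHELLS]
            if len(shells) >= shell_threshold:
                findings.append(("browser_shell_burst", e["pid"],
                                 f"{img} spawned {len(shells)} shells"))

        # 2. A child running as SYSTEM whose parent ran as an ordinary user.
        parent = by_pid.get(e["ppid"])
        if parent and user == SYSTEM_USER and parent["user"].lower() != SYSTEM_USER:
            findings.append(("privilege_jump", e["pid"],
                             f"{parent['image']} ({parent['user']}) -> {img} as SYSTEM"))

        # 3. Administrative tooling launched by a non-administrator account.
        if img in ADMIN_TOOLS and user not in ADMIN_USERS and user != SYSTEM_USER:
            findings.append(("admin_tool_by_user", e["pid"],
                             f"{user} ran {img}; chain {' > '.join(ancestry(by_pid, e['pid']))}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in find_anomalies(EVENTS):
        print(f"[{kind}] pid={pid}: {detail}")
```

Each finding carries the full ancestry string, which is the piece a single-process heuristic cannot produce: the same cmd.exe event is uninteresting on its own and only becomes interesting once its parent and siblings are visible.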
A big part of doing analysis is looking at pages and pages of text, searching for patterns and ways to correlate events in order to find anomalies. This takes a tremendous amount of work, and it risks becoming a stultifying routine for the analyst. In other words, many companies are drowning in their own Big Security Data.
As part of our Digital Executive Protection program, we spend hours looking at our clients' process creation data for potential signs of attack. One way we found to make this more effective is to add alternative ways to inspect and visualize this data.
The D3 JavaScript library provides us with a great resource for doing that. The first visualization tool we built shows us at a glance how much any given process is used. Instead of going the traditional way, with big colorful circles for the most used processes, we invert it so that with one quick view you can look at the processes that are hardly ever used: the exceptions, which are the most likely to be worth looking at further.
Figure: Process Usage, an easy way to identify processes used only a small amount of the time
The second graph we are experimenting with examines the relationships between all the processes executed on the system. This gives us an easy way to move around the different processes that have been run on any system and understand how they were triggered, by whom, and which activities were performed.
You might notice that events are a key feature in El Jefe. One thing we want to explore is the correlation of an event's properties across multiple instances of that event. For example, when people use IE to host their trojans, that IE process has a very different memory footprint and thread count from a normal IE. This can be visualized in El Jefe and will stand out even though IE itself is not malicious.
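The inverted usage view (rarely used processes surface first) and the per-event property correlation (an IE instance whose thread count does not match its peers) are both simple statistics over the same event stream. As an added example that is not El Jefe's own code, the block below computes both over a constructed set of observations, using a median/MAD score so that a single extreme instance does not drag the baseline with it; the field layout, the image names and the cutoff are assumptions:

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed observations (not El Jefe data): (image, thread_count, working_set_kb)
OBSERVATIONS = [
    ("iexplore.exe", 22,  98000), ("iexplore.exe", 25, 102000),
    ("iexplore.exe", 24,  99500), ("iexplore.exe", 26, 104000),
    ("iexplore.exe", 23,  97000), ("iexplore.exe", 27, 105000),
    ("iexplore.exe", 24, 100000), ("iexplore.exe", 95, 101000),  # the odd one out
    ("explorer.exe", 40, 60000),  ("explorer.exe", 42, 61000), ("explorer.exe", 41, 59000),
    ("outlook.exe",  30, 150000), ("outlook.exe",  31, 152000),
    ("outlook.exe",  29, 149000), ("outlook.exe",  32, 151000),
    ("chrome.exe",   18, 80000),  ("chrome.exe",   19, 81000),
    ("wmic.exe",      4,  5000),
]


def rarity_ranking(observations):
    """Least-used images first: the inverted view from the usage graph."""
    counts = Counter(image for image, _, _ in observations)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def robust_scores(values):
    """Modified z-scores using median and MAD (1.4826 scales MAD to a
    standard deviation for normal data). Returns one score per input value."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Degenerate baseline (all values identical): anything different is an outlier.
        return [0.0 if v == med else float("inf") for v in values]
    return [abs(v - med) / (1.4826 * mad) for v in values]


def property_outliers(observations, field=1, cutoff=5.0):
    """Compare each instance of an image only against other instances of the
    same image. field=1 is thread count, field=2 is working set. Returns
    (image, value, score) for instances beyond the cutoff."""
    by_image = defaultdict(list)
    for row in observations:
        by_image[row[0]].append(row[field])
    flagged = []
    for image, values in by_image.items():
        if len(values) < 3:
            continue  # not enough peers to form a baseline
        for value, score in zip(values, robust_scores(values)):
            if score > cutoff:
                flagged.append((image, value, round(score, 1)))
    return flagged


if __name__ == "__main__":
    print("rarest first:", rarity_ranking(OBSERVATIONS)[:3])
    print("thread-count outliers:", property_outliers(OBSERVATIONS))
```

Grouping by image before scoring is the important choice: IE's normal thread count is not Outlook's, so a global threshold would either miss the odd IE or flag every Outlook. The minimum-peers guard keeps a process seen once or twice from being scored against itself.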
Figure: Analyzing triggered events over time
The second big feature we will introduce in this new version is the integration with the famous Cuckoo sandbox. We love the work that team has done over the years, and it matches up perfectly with the procedure our analysts were already using for El Jefe. We connect to Cuckoo from within El Jefe, so now every time you find a suspicious binary, you can seamlessly ask El Jefe to grab the binary from the target machine and run it in the isolated Cuckoo sandbox.
The result, for those unfamiliar with Cuckoo, is a detailed report on what the binary did, including files dropped, registry keys touched, and a PCAP of everything the binary sent over the network.
Figure: Event Inspection
Based on these new features, we think El Jefe is a good addition to a company's security posture, given that it is free, extensible, and more effective than traditional AV tools.
Keep tuned, because this new release is around the corner!