Friday, April 11, 2014

Revamping El Jefe

El Jefe 2.0 - Process Chain Visualization and Heuristics

One improvement in modern Anti-Virus is the move away from signatures to heuristics and program behavior analysis on any one process. This turns out to be a decent protection at first, but as attackers evolve it will rapidly become less effective. El Jefe offers a radically different leap-frog in the level of analysis done with its protective heuristics by looking at the entire chain of process creation, rather than each process creation event alone.

Walking through the events on multiple stations

Intuitively, a human being will ask questions based on process chain anomalies:
  • Why is IExplorer.exe popping up commands like crazy? 
  • Why does Adobe PDF process spawn another process as LOCAL/SYSTEM?
  • Why did this user suddenly start using commands like wmic, which only a system administrator normally would use?
A big part of doing analysis is looking at pages and pages of text looking for patterns and ways to correlate stuff to find anomalies. This takes a tremendous amount of work, and has the risk of becoming a stultifying routine for the analyst. In other words, many companies are drowning in their own Big Security Data. 
As part of our Digital Executive Protection program, we spend hours looking at our client's high process creation data looking for potential signs of attack. One way we found to make this more effective is to add alternative ways to inspect and visualize this data.
The D3 JavaScript library provides us with  great resource for doing that. The first visualization tool we built show us easily the amount of usage of any given process. Instead of going the traditional way with big colorful circles for the most used processes, we invert it so with one fast view you can look at the processes that are hardly ever used - the exceptions which are most likely to be worth looking at further.
Process Usage: An easy way to identify process used only a small amount of time

The second graph we are experimenting with examines the relationship between all the processes executed on the system. This provides us with an easy way to move around different processes that have been run on any system and understand how they were triggered, by who and which activities were done.

Event Relationsip: Move around events and find the relationship with each other.

You might notice events are a key feature in El Jefe. One thing we want to explore is the correlation of an event's properties within multiple instances of that event. For example, when people use IE to host their trojans that IE has a very different memory and thread-count from a normal IE. This can be visualized in El Jefe and will stand out even though IE itself is not malicious.

Analyzing triggered events over time 
The second big feature we will introduce in this new version is the integration with the famous Cuckoo sandbox. We love the work that team has done over the years and it matches up perfectly with the procedure our analysts were using for El Jefe. We connect to Cuckoo within El Jefe, so now every time you find a suspicious binary, you can seamlessly ask El Jefe to grab the binary from the target machine and run it on the isolated Cuckoo sandbox. The result, for those unfamiliar with Cuckoo, is a beautiful report on what the binary has done, including files dropped, registries touched and a PCAP with everything the binary has sent over the network.
Event Inspection
Based on these new cool features we think El Jefe is a good addition to a company's security stance - given that it is both free, extensible, and more effective than traditional AV tools.

Keep tuned, because this new release is around the corner!