Artifact Analysis Kevin J. Houle AusCERT 2005 May 25, 2005 CERT® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2005 by Carnegie Mellon University some images copyright www.arttoday.com 1 Tutorial Overview • Tutorial Goals • What is Artifact Analysis? • Artifact Analysis Roles • Artifact Analysis Process • Artifact Analysis Examples Note: Questions are welcome as we go… © 2005 by Carnegie Mellon University 2 Tutorial Goals • Understand artifact analysis roles • Understand aspects of artifact analysis capability • Introduce typical artifact analysis methods and common tools • Understand various types of insights which can be gained via artifact analysis This tutorial is a starting place. © 2005 by Carnegie Mellon University 3 What is Artifact Analysis? CERT® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2005 by Carnegie Mellon University some images copyright www.arttoday.com 4 What Is an “Artifact”? An artifact may be any of the following things. • Tools used by intruders to gather information about networks or hosts • Tools used by intruders to exploit vulnerabilities • Tools installed by intruders on compromised hosts • A malicious program (e.g., virus, worm, Trojan horse, bot, etc.) • Soft evidence (e.g., algorithms, descriptions, partial artifacts, network traces, etc.) An artifact is one or more files that accomplish a single task or have a well defined purpose. © 2005 by Carnegie Mellon University 5 What is Artifact Analysis? The study of Internet attack technology, otherwise known as malicious code, or “malware” • Viruses • Worms • Trojan horses • Rootkits • Bots • Denial-of-service tools • Vulnerability exploits • Spyware • Etc… © 2005 by Carnegie Mellon University 6 What is Artifact Analysis? (2) Artifact analysts include • Computer Security Incident Response Teams • Anti-Virus / Anti-spyware vendors • Managed Security Service Providers • Software vendors • Enterprises / organizations • Governments, law enforcement • Attackers © 2005 by Carnegie Mellon University 7 Degrees of Analysis / Trust • Artifact Analysis produces understanding and insights • Degrees of required understanding vary - Answering specific questions - Authoritatively describing complete functionality • Consumers must trust analysis • Artifact analysis capability is a way to create trusted information © 2005 by Carnegie Mellon University 8 Artifact Analysis Roles CERT® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2005 by Carnegie Mellon University some images copyright www.arttoday.com 9 Roles of Artifact Analysis • Incident response • Vulnerability analysis • Attack technology trends • Threat assessment • Capability assessment • Vulnerability assessment • Law enforcement / forensics • Signature generation • Red teaming • Attacker competition © 2005 by Carnegie Mellon University 10