The Volatility team talks proactive threat hunting with memory forensics (an OSDFCon presentation)


Our final OSDFCon blog series featured speaker is actually a collective: the team behind the nonprofit Volatility Foundation. This year, memory forensics has evolved once more, and the Volatility team talked to us about using it to be more proactive than reactive in incident response.

BT: Your talk topic this year is “Feasting Off the Hunt.” What trends drove you to develop a talk about this particular aspect of threat hunting, and to develop the Volatility plugins that address it?

VT: One of the major trends in incident response these days is that organizations with mature information security programs are realizing that they can’t just sit back and wait for a third party to notify them when they have been compromised. Similarly, a motivated attacker, who has been extracted from a network, is going to continue to try to find other ways to get back into the organization and, if successful, they will often adapt their tactics.

As a result, these organizations are starting to leverage their incident response teams to perform proactive threat hunting. The advantage with these efforts is that organizations are not only more likely to find attackers hiding within their infrastructure, but they are also gaining valuable insight into what is normally happening.

A critical part of these new approaches is the ability to rapidly learn what attackers are doing in your environment and then quickly extend your forensics arsenal to detect their evolving tactics. The presentation will discuss a couple of case studies to demonstrate how these techniques are being used in real investigations involving targeted threat groups. It will also discuss new Volatility plugins that were developed during these investigations.

BT: What is the 2-line reason why a practitioner should attend your talk — what will they learn?

VT: The presentation will discuss tactics and strategies that allow organizations to deal with the challenges associated with advanced adversaries. It will also discuss why open source tools, such as Volatility, are a critical component in the battle against modern threats.

BT: What brought you into the digital forensics domain? What is your favorite aspect of digital forensics?

VT: In the early 2000s, the offensive community was thriving and rapidly outpacing the technical capabilities of the forensics community. It was during this time that we also began to see widespread examples of memory-resident malware, including both Code Red and SQL Slammer, and kernel-level rootkits were undermining most live response scripts. The Metasploit community and its developers were also pushing the state of the art in anti-forensics and stealthy exploitation techniques.

As an alternative, we wanted to create a project that would help bring together technical talent in the forensics and incident response communities. We also wanted to create a unifying framework that would bring together academics, practitioners, government, and law enforcement from around the world.

We felt it was important to create a platform where the latest cutting-edge research being presented at academic conferences could be immediately transitioned into the hands of digital investigators. By focusing on digital forensics and investigations, we are accepting that attackers will always find a way to defeat security tools, but it’s dramatically harder to remove or hide all artifacts created within the “digital crime scene”.

BT: How do open source digital forensics tools make your research and/or your investigative work easier?

VT: One of the unique aspects of the Volatility team is that the majority of the researchers and developers are also active practitioners. This includes incident responders, malware analysts, reverse engineers, threat intelligence analysts, and digital investigators.

As a result, we are building the tools that we actually use during our investigations. During these investigations, we often encounter attackers who are leveraging innovative techniques to hide from off-the-shelf security and forensics tools.

We firmly believe the most effective way of dealing with these threats is with creative analysts who have the ability to rapidly adapt their tools to the evolving threats. Open source forensics tools give you the ability to look into the code to understand what is happening and understand the assumptions that are built into the tools. Finally, you have the ability to build on the research of the community and extend the capabilities to do something new and exciting.

BT: Besides presenting, what are you looking forward to most about OSDFCon 2015?

VT: While we participate in a lot of events throughout the year, OSDFCon is definitely one of our favorites! In fact, it is one of the only times during the year when the Volatility team is able to meet up in person. Most importantly, it’s also an opportunity for us to spend time with Volatility users who we may not get to see frequently or have never met in person. As a result, we get a lot of valuable feedback about memory analysis challenges people are experiencing and gain insight into features users would like to see in future releases.

BT: What’s next for Volatility?

VT: It is definitely one of the most exciting times in Volatility development. There are a number of interesting projects focused on developing new analysis capabilities and new techniques for detecting suspicious activity using previously unknown artifacts that can only be found in memory.

At the moment, a lot of the development time is being focused toward Volatility 3.0. This is a complete rewrite of the entire code base and has given us the opportunity to re-architect the framework leveraging the experience we have gained from supporting Volatility over the past 9 years. These new capabilities will allow the Volatility community to continue to push the state of the art in memory analysis.

Join us October 28 to learn more about Volatility and its proactive application in the world of threat hunting — register here!