Razorback is the result of extensive research by members of the Sourcefire Vulnerability Research Team into developing a platform to address advanced detection problems. The level of sophistication currently demonstrated both by actors described as the 'Advanced Persistent Threat' (APT) and publicly available exploit frameworks such as Metasploit, CANVAS and Core Impact leave increasingly fewer options to provide robust detection. This project is designed to provide enterprise defense teams with a framework for developing the kinds of detection necessary to combat these threats.
A complicating factor in high-CPU-cost detection is the desire of organizations to have low-latency analysis at wire speed. While components of the Razorback system will be able to block first-strike attacks prior to delivery, some detection solutions will cause sufficient latency as to make this impossible. One of the key points of the system is to accept that some solutions require trading real-time blocking for high-accuracy detection.
The Razorback Framework addresses these issues by providing a core infrastructure that matches declared data types to the individual capabilities of various detection systems. By providing an open, documented API, arbitrary data sources can be paired with one or more arbitrary detection systems to provide detection solutions that would otherwise be impossible due to limited data access or restriction on system resources.
This talk will discuss the concepts, design, and architecture of the Razorback Framework as well as introduce several modules for performing advanced inspection, detection, and alerting of network events. Additionally, the capability to update network defense mechanisms based upon these events will be demonstrated. The current implementation of the framework uses a stripped-down version of snort as a data collector, but any data collection engine could be used, including server-based modules designed to work with squid, procmail,or any other proxy or server.
At the conclusion of this discussion, participants will have the knowledge required to install and configure the framework and existing modules and have enough information about the design and philosophy of the framework to begin development on new, custom modules necessary to fill their needs.