Razorback is the result of extensive research by members of the Sourcefire Vulnerability Research Team into developing a platform to address advanced detection problems. The level of sophistication currently demonstrated both by actors described as the 'Advanced Persistent Threat' (APT) and publicly available exploit frameworks such as Metasploit, CANVAS and Core Impact leave increasingly fewer options to provide robust detection. This project is designed to provide enterprise defense teams with a framework for developing the kinds of detection necessary to combat these threats.
A complicating factor in high-CPU-cost detection is the desire of organizations to have low-latency analysis at wire speed. While components of the Razorback system will be able to block first-strike attacks prior to delivery, some detection solutions will cause sufficient latency as to make this impossible. One of the key points of the system is to accept that some solutions require trading real-time blocking for high-accuracy detection.
The Razorback Framework addresses these issues by providing a core infrastructure that matches declared data types to the individual capabilities of various detection systems. By providing an open, documented API, arbitrary data sources can be paired with one or more arbitrary detection systems to provide detection solutions that would otherwise be impossible due to limited data access or restriction on system resources.
This talk will discuss the concepts, design, and architecture of the Razorback Framework as well as introduce several modules for performing advanced inspection, detection, and alerting of network events. Additionally, the capability to update network defense mechanisms based upon these events will be demonstrated. The current implementation of the framework uses a stripped-down version of snort as a data collector, but any data collection engine could be used, including server-based modules designed to work with squid, procmail,or any other proxy or server.
At the conclusion of this discussion, participants will have the knowledge required to install and configure the framework and existing modules and have enough information about the design and philosophy of the framework to begin development on new, custom modules necessary to fill their needs.
Patrick Mullen has fourteen years of computer industry experience with the past twelve years focused on information and network security. He was an early major contributor for the snort open source intrusion detection system and has contributed to several other open source security projects. Patrick is currently Principal Research Engineer with the Sourcefire Vulnerability Team (VRT) In this role he is responsible for researching vulnerabilities and developing advanced detection algorithms for security issues. Patrick is also the team lead for c-based detection capabilities within Snort. Prior to joining Sourcefire, Patrick spent six years as a security consultant where he analyzed application, system, and network security, providing a holistic view into security requirements and recommendations for Fortune 500 enterprises.
Ryan Pentney was born in Montreal, Canada. He studied Computer Science at Concordia University and later went on to join Sourcefire in 2008 as part of the Vulnerability Research Team. His primary responsibilities involve vulnerability analysis/discovery, snort rule-writing and reverse-engineering. Most recently he has taught Sourcefire's Fundamentals of Exploit Development class and been heavily involved in the development of the Razorback Framework near-real-time detection project. His areas of interest include software exploitation, intrusion prevention research and formal languages.