Towards a Reliable and Automated Analysis of Compromised Systems

Despite the incredible effort and the enormous investments to increase
security and fight cybercrime, the number of security incidents is rapidly
increasing every year. In fact, the security community is struggling to
cope with the multiplication and increase in complexity of attacks and
malicious software. Security companies routinely collects over a million
new malicious samples per day and this is only the tip of the iceberg:
state-sponsored espionage, insider threats, and widespread software
vulnerabilities make extremely difficult to protect against cyber attacks.
It is not anymore a matter of “if” a systems will be compromised, but only a
matter of “when”. Even worse, new smart objects are now
connected to the Internet as part of the ongoing Internet-of-Thing (IoT)
revolution, and it is time to accept the fact that it is already
too late to secure this first generation of devices. Since both prevention
and detection techniques regularly fail to protect computer systems and
online services, the ability to quickly respond to security incidents is
becoming of paramount importance to promptly analyze the aftermath of
computer attacks and mitigate their damage.

Unfortunately, the field of information technology is rapidly evolving, and
these changes will have a dramatic impact on the way we will be able to
handle computer incidents in the next decade. In particular, the fragile
(and often difficult to quantify) reliability of current techniques, the
increasing diversity of devices and data sources, and the scarce
availability of the information required for the analysis are three of the
main problems that affect this important field - and that the Bitcrumbs
projects want to tackle.

The contributions of the project fall mainly in two areas:
1. Analysis, Measurement, and Detection of Malicious code
A large body of research has been conducted in this area, ranging from
the design of first platform to analyze Linux malware to the first large-scale study on IoT malware,
from several studies on the effectiveness and shortcomings of
machine learning and AI in malware classification, to the analysis of the skills of human experts
and the comparison with ML solutions.
2. Memory Forensics.
The project led to a complete and groundbreaking rethinking of the field of memory
forensics, by proposing many new techniques that go in the direction of generic, automated, and
system-agnostic analysis of physical memory. We believe the research we conducted in this area
can result in a new approach to memory forensics, which we refer to as Memory Forensics 2.0.

In terms of exploitation and dissemination, the project resulted in over 20 scientific publications
in top security conferences and journals. In addition, the forensic angle has been presented at
several industrial venues - while the research in the malware field is now in the process of being
transferred to a new startup.

The objective of BITCRUMBS is to rethink the Incident Response field from
its foundations by proposing a more scientific and comprehensive approach
to the analysis of compromised systems. The BITCRUMBS project will make
progress towards this goal in three steps: (1) by introducing a new
systematic approach to precisely measure the effectiveness and accuracy of
IR techniques and their resilience to evasion and forgery; (2) by designing
and implementing new automated techniques to cope with advanced threats and
the analysis of IoT devices; and (3) by proposing a novel
forensics-by-design development methodology and a set of guidelines for the
design of future systems and software.