FIM – or File Integrity Monitoring – is among the latest methods for detecting malware, viruses, and malevolent actors.  FIM monitors every computer file, and when changes occur the FIM agent alerts the FIM server.

Most often, one change doesn’t indicate a problem, but a slew of file changes in a few seconds?  It might.  Bear in mind that Windows Registry is a file, and multiple changes there strongly suggest a virus, Trojan, or other malware.

There are several FIM-style systems currently on the market – OSSEC, Carbon Black, and Bit9, to name a few.  Each has its quirks, and differences.   Recently, I interviewed Carbon Black’s CEO, Michael Viscuso (I also use their current version product with my own systems).  He revealed some exciting changes from the company in the upcoming weeks, but let’s take a look at their FIM as-is.

Carbon Black is a Windows-based system that allows you to install the agent on any Windows machine, and watch any modifications.  Carbon Black, like many of its competitors, doesn’t just do FIM.  It also examines all network connections that computer is making, just in case an employee is connecting to Youporn or a foreign government computer – not that either of those is wrong.  (Well, OK, they are both very wrong at work).

Many FIM systems dump data to Splunk, Arcsight, or their own internal dashboard.  A lot of companies and agencies, are using FIM systems on their own, to build signatures for Intrusion Detection Systems (IDS), such as Snort, Suricata, or Bro-IDS.

When you can track an issue, malware, or intrusion back to “Patient Zero,” you more clearly identify how to prevent it the next time.  FIM systems provide for this opportunity based on the data they collect.

So what?

Well, the current method of detection – antivirus – is too easily circumvented.   Malware now has support contracts, and Virustotal can see a piece of malware, allowing the information to be sent back to the author to get it re-morphed until it’s invisible to antivirus.

In plain English?  A person wears a tie, goes to work, and sits down at his computer to work.  He gets a paycheck, and has a boss.  He is paid to write malware.  His company sells this malware to people and organizations with a support contract.  So if Norton Antivirus can detect the malware, their support line gets a call.  And they have to change the malware just enough to slip by Norton, and Mcafee, and ClamAV, and every other antivirus program.

Virustotal is also a great tool.  You submit a program you’re suspicious of, and Virustotal runs it by every antivirus program out there to detect malware.  Except, malware writers use it themselves to guarantee their product can slip by all the antivirus programs around.

That’s why antivirus – while still useful – is behind the curve.  Possibly even dead.

Instead, systems that monitor computer performance for anomalous behaviors are the next great wave of host-based security.  Combined with a HIDS (Host-based Intrusion Detection System), the FIM systems can detect and/or stop malware and malevolent actors.

Bro-IDS was infused with venture capital, and several of the FIM systems above were too.  Investors’ are noticing as these systems are being introduced at bigger and bigger corporations and agencies.  What does that mean for you?

There are jobs waiting for people who know how to handle the systems.  Those capable of installing, running, tweaking, and maintaining the FIM and IDS systems are increasingly valuable.

So how do you learn them?

Carbon Black offers a one-month free trial on their website.  Download it, install it on a windows computer, and deploy some clients.  OSSEC, Bro-IDS and Snort are open source (another IDS).  Check out Security Onion as well (it has most of these tools already built and configured for you).

Combined with Virtualbox, or the free version of ESX, the U.S. Government Configuration Baseline (free time-limited windows with official configurations from the government), and some free Linux distros, you’ve got a real working-environment in which to explore.  Even more impressive is Honeydrive to create a honeypot that just reeks of “Own me!!!”

From here, you can learn the FIM and IDS systems for free (except for your hardware, and the electricity to run it).  You can understand and apply the latest and best tactics for breach detection, forensic analysis of a malware infestation, and tracking that virus back to that Patient Zero.  Trust me, at that point, you’ve got a job.

Related News

Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas, and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and as the "InfoSec Megaphone", anywhere else he goes. Joshua is an experienced Forensic, Incident Response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.