Archive

Believe it or not, compliance saves you money


We all hear it over and over again: complying with data protection requirements is expensive. But did you know that the financial consequences of non-compliance can be far more expensive?
 
The Ponemon Institute once again looked at the costs that organizations have incurred, or are incurring, in meeting mandated requirements, such as the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA). The results were compared with the findings from a 2011 Ponemon survey on the same topic. The differences were stark and telling.
 
Average costs of compliance have increased 43%, up from around $3.5 million in 2011 to just under $5.5 million this year, while non-compliance costs surged from $9.4 million to $14.8 million during the same period. On average, an organization found non-compliant with its data protection obligations now pays about 2.71 times as much (fines, disruption, and the scramble to reach and prove compliance afterwards) as it would have spent on being compliant in the first place.
 
For most enterprises, the cost of buying and deploying data security and incident response technologies accounts for the bulk of their compliance-related expenditure. On average, organizations in the Ponemon survey spent $2 million on security technologies to meet compliance objectives. The study found that businesses today are spending on average about 36% more on data security technologies and 64% more on incident response tools compared to 2011.
 
Financial companies tend to spend a lot more - $30.9 million annually - on compliance initiatives than entities in other sectors. Organizations in the industrial sector and energy/utilities sector also have relatively high compliance-related expenses of $29.4 million and $24.8 million respectively, on an annual basis.
 
So, what is the hardest regulation to satisfy? GDPR. 90% of the participants in the Ponemon study pointed to GDPR as the most difficult regulation to meet.
 
Need to get off to a fast start? Thinking NIST 800-171 or PCI-DSS? Our SIEMphonic service, powered by EventTracker technology, was designed to do just that. Check out all the compliance regulations we support.
 
It's a paradox, but the less you might spend, the more you might pay.
 

Attribution of an attack - don’t waste time on empty calories

Empty calories are those derived from food containing no nutrients. When consumed in excess, they contribute to weight gain, especially if you're not burning them off in your daily activities. Why make more work for yourself?
 
When we are attacked, we feel a sense of outrage, and the natural tendency is to want to somehow punish the attacker. To do that, you must first identify the attacker, and identify them accurately, or you end up punishing the wrong party. This is easier said than done, especially online.
 
Threat researchers have built an industry on identifying and profiling hacking groups in order to understand their methods, anticipate future moves, and develop methods for battling them. They often attribute attacks by “clustering” malicious files, IP addresses, and servers that get reused across hacking operations, knowing that threat actors use the same code and infrastructure repeatedly to save time and effort. So, when researchers see the same encryption algorithms and digital certificates reused in various attacks, for example, they tend to assume the attacks were perpetrated by the same group. 
 
The attacks last year on the Democratic National Committee, for example, were attributed to hacking groups associated with Russian intelligence based in part on analysis done by the private security firm CrowdStrike, which found that tools and techniques used in the DNC network matched those used in previous attacks attributed to Russian intelligence groups.
 
This is, of course, much harder for the average business, which cannot (and should not) spend scarce IT security budget on attributing an attacker. It is also harder than it looks even for the professionals. This Virus Bulletin paper reviews cases in which hackers acting on behalf of one nation-state stole tools and hijacked infrastructure previously used by hackers of another; investigators who miss the signs of this kind of false flag trace the attack to the wrong perpetrator. So attribution is hard even for agencies with near-limitless resources at their disposal.
 
The WannaCry ransomware outbreak is an obvious example of malware theft and reuse. Last year, a mysterious group known as the Shadow Brokers stole a cache of hacking tools that belonged to the National Security Agency and posted them online months later. One of the tools, an exploit for a Windows SMB vulnerability that was unknown to the vendor while the NSA held it (Microsoft patched it in March 2017, two months before the outbreak), was repurposed by the hackers behind WannaCry to spread their attack.
 
Even assuming you were somehow able to identify the attacker with certainty as "Peilin Gu" located at "He Nan Sheng Zheng Zhou Shi Nong Ke Lu 38hao Jin Cheng Guo Ji Guang Chang Wu Hao Lou Xi Dan Yuan 2206", then what? How would you inflict retribution on this attacker? Unlikely, as a private company without a presence in China.
 
The rational course of action is instead to study the attack method and the target within your infrastructure, and use this information to shore up defenses. You can bet that if this attacker uncovered a vulnerability in your defenses and exploited it, others of his "ilk" will follow soon after.
 
Are you finding it hard to keep up with all the threats? Co-managed SIEM services can help. Give us a chance to show you how you can avoid empty calories and in the process, breathe a little easier.
 
 

Can you outsource the risk? Five questions to ask a managed SIEM or SOC vendor.

Given the acute shortage of security skills, managed solutions like SIEM-as-a-Service and SOC-as-a-Service such as SIEMphonic have become more widely adopted. It has proven to be an excellent way to leverage outside expertise and reduce cost, which is a challenge for companies globally. Seem too good to be true? It is and it isn’t. Regardless of how much responsibility you delegate, accountability lies firmly on the shoulders of the organization doing the delegating. What this means is that when you consider co-sourcing a critical function like security monitoring, it’s important to perform a vendor risk assessment. After all, if your vendor has a problem, then you have a problem. Their risk becomes your risk. So, what should a responsible CIO be doing? Frankly, the best time to enforce security at a service provider is before you sign the contract. Ask these questions:
  1. How seriously does the provider take security?
  2. What industry standard practices do they follow?
  3. How do they vet their staff?
  4. Are the data centers properly redundant and physically secure?
  5. Are they regularly audited by a competent external authority?
Some buyers who have a dim view of their internal commitment to the various forms of risk automatically consider that any firm that provides services for a living must inevitably have better processes and procedures than they themselves do. Careful, now. Proceed with caution – assumptions are risky too. As part of our ongoing commitment to managing risk, our SIEMphonic solutions were certified as ISO27001 compliant. We regularly audit and review our own performance and share the results with our customers every month to solicit feedback. As you think about enjoying the benefits of co-sourcing, remember: Risk cannot be outsourced.

Going Mining for Bitcoin

While you’ve been busy defending against ransomware, the bad guys have been scheming about new ways to make money from you. Let’s review a tactic seen in the news: hijacking your computers to mine cryptocurrency, often called cryptojacking.

Hackers broke into servers hosted at Amazon Web Services (AWS) that hold information from the multinational, multi-billion-dollar companies Aviva and Gemalto. The criminals used the servers’ computing power to mine the cryptocurrency bitcoin.

Anyone can try to mine bitcoin on their own hardware, but the process is so energy intensive that the electricity bill alone can exceed the reward. Stolen compute changes that equation: the victim pays for the power and the cloud instances while the attacker keeps the coins, which is why a successful attempt is so lucrative for the hacker.

To avoid the cost of going it alone, most miners join a pool that combines the hashing power of many computers to solve the proof-of-work puzzle and then splits the reward. Each solved block mints a fixed number of new bitcoin, worth upwards of $4,300 each at the time of writing. Only 21 million bitcoin will ever exist.

How should you defend against this? Know your baseline and watch for anomalies. See how EventTracker caught a bitcoin miner, hidden behind a rarely used server dedicated for key-fob provisioning.


Prevention is Key in Cybersecurity

“You see, but you do not observe. The distinction is clear.” Sherlock Holmes said this to John Watson in “A Scandal in Bohemia.” Holmes was referring to the number of steps from the hall to the rooms upstairs. Watson, by his own admission, has mounted those steps hundreds of times, but could not say how many there were. The same can be said in the world of IT security. A lot of data, an overwhelming amount actually, is available from hundreds of sources, but rarely is it observed. Having something and getting value from it are entirely different.

This is also underlined in the story, “Peace Health employee accessed patient info unnecessarily.” On Aug. 9, a Vancouver medical center, Peace Health, discovered that an employee accessed electronic files containing protected health information, including patient names, ages, medical records, account numbers, admission and discharge dates, progress notes, and diagnoses. An investigation revealed that the employee accessed patient information between November 2011 and July 2017.

What? This had been going on for 5 years and was just discovered? It would seem this is another case of “You see but do not observe,” and indeed the distinction is clear. Log data showing what this employee was doing had been accumulating and faithfully archived, but it was never examined.

What was the impact? There was reputational damage, plus the costs incurred (letters, call center expenses, etc.), and possible fines by HHS for the HIPAA violation. Plus, there was disruption of regular tasks to investigate the extent and depth of this incident and related incidents that may have occurred.

Ben Franklin observed that an ounce of prevention is worth a pound of cure. The same is true in this case. We at EventTracker know that it’s hard to pay attention given the volume of security data that is emitted by the modern network. Therefore, we provide security monitoring as a service, so that you don’t just get more technology thrust your way, you gain the actual outcome you desire.

Contact us to start your free trial today.

Experimenting with Windows Security: Controls for Enforcing Policies

By Randy Franklin Smith

Interest continues to build around pass-the-hash and related credential artifact attacks, like those made easy by Mimikatz. The main focus surrounding this subject has been hardening Windows against credential attacks, cleaning up artifacts left behind, or at least detecting PtH and related attacks when they occur.

All of this is important – especially because end-users must logon to end-user workstations, which are the most vulnerable systems on the network.

Privileged admin accounts are another story. Even if you eliminated pass-the-hash, golden ticket, and other credential artifact attacks, you would remain vulnerable whenever admin accounts logon to insecure endpoints.  Keystroke logging, or simply starting a process under the current user’s credentials, are viable methods for stealing or hijacking the credentials of a locally logged-on user.

So, the big lesson learned with Mimikatz and privileged accounts is to avoid using privileged credentials on lower-security systems, such as any system on which web browsing or email occurs, or on which any type of file or content is downloaded from the internet. That’s really what ESAE (aka Red Forest) is all about. But privileged accounts aren’t limited to just the domain admin accounts contemplated by the Red Forest. There are many other privileged accounts for member servers, applications, databases, devices, and so on.

Privileged accounts should only be used from dedicated administrative workstations maintained at the same level of security as the resources being administered.

How do you implement controls that really enforce this kind of written policy? And how do you detect attempts to circumvent?

When it comes to Windows, you have a few options:

  • Logon rights defined at the local system
  • Workstation restrictions defined on the domain account
  • Authentication silos

I’ll briefly explain each one and show how you can monitor attempts to violate the policies.

Logon Rights

There are five logon types (locally, over the network, as a batch job, as a service, and through Remote Desktop Services) and corresponding “allow” and “deny” user rights for each, with “deny” overriding “allow”, of course. You define these in group policy, and they are enforced by the local systems to which the group policy objects are applied. For instance, if you have an OU for end-user workstations and you assign “Deny log on locally” to an AD admin group, those members won’t be able to logon at the console of those workstations regardless of their other authority.

If someone tries to violate a “deny logon” right, you can catch it by looking for event ID 4625 (an account failed to logon) with status or sub-status code 0xC000015B. Be aware that these events are logged on the local workstation, not on the domain controller, and only if failure auditing for the Logon subcategory is enabled there. This is another reason to use native Windows Event Collection to get events from your workstations.

Workstation Restrictions

This is something you’d have to specify on individual user accounts, on the Account tab (“Log On To...”) in Active Directory Users and Computers. This control only applies to interactive logons.

In this example, I’ve allowed Tamas to logon only at SAW1 (secure admin workstation 1). Depending on how many SAWs and admins you have, this could be tedious. If Tamas tried to logon at a different workstation, that computer would log event ID 4625 – an account failed to logon with status or sub-status code 0xC0000070. The domain controller would log event ID 4769 with failure code 0xC.

Authentication Silos

This is a newer feature of AD (it requires the Windows Server 2012 R2 domain functional level) that lets you carve out groups of computers and users and limit those users to those computers, centrally from AD. Authentication policy silos are containers to which you assign user accounts, computer accounts, and service accounts. You then assign authentication policies to the silo to limit where privileged accounts can be used in the domain. When accounts are also in the Protected Users security group, additional controls are applied, such as the exclusive use of the Kerberos protocol (no NTLM). With these capabilities, you can limit high-value account usage to high-value hosts. Learn more about silos in Implementing Win 2012 R2 Authentication Silos and the Protected Users Group to Protect Privileged Accounts from Modern Attacks.

When a user tries to logon outside the silo of permitted computers, the domain controller will log event ID 4820: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
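Each of the three controls above leaves a different footprint, and two of the three are only visible on the workstation that refused the logon. The following added example (not EventTracker code, and not from the original article) shows the triage logic a SIEM rule would implement: it takes Windows Security events in a dict form that mirrors the XML EventData field names, recognises the policy-related codes (4625 with 0xC000015B or 0xC0000070, 4768/4769 with failure code 0xC, and 4820) and records where each event was written. The sample events are constructed; the host and account names are placeholders.

```python
"""Classify Windows Security events that record an attempt to use an account
outside its permitted logon scope.  Added example (not EventTracker code).
The event IDs and status codes are the documented Windows values; the field
names mirror the XML EventData names, and the sample events are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# 4625 status / sub-status values that mean "a policy control blocked this logon"
# rather than "bad password".  Sub-status is checked first, then status.
POLICY_CODES_4625 = {
    0xC000015B: ("STATUS_LOGON_TYPE_NOT_GRANTED", "logon right",
                 "a 'Deny log on ...' or missing 'Allow log on ...' right blocked this logon type"),
    0xC0000070: ("STATUS_INVALID_WORKSTATION", "workstation restriction",
                 "the account's 'Log On To' list does not include this computer"),
}
KDC_ERR_POLICY = 0xC  # 4768/4769 failure code: KDC policy (workstation restriction, logon hours)


@dataclass
class Finding:
    event_id: int
    account: str
    logged_on: str        # computer that wrote the event
    logged_on_dc: bool    # True when only the domain controller sees it
    control: str
    detail: str


def _hexfield(event: Dict[str, str], name: str) -> int:
    return int(event.get(name, "0x0"), 16)


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for events that signal a circumvention attempt, else None."""
    eid = int(event["EventID"])
    account = event.get("TargetUserName", "?")
    computer = event.get("Computer", "?")

    if eid == 4625:
        # Workstation restriction: generic status 0xC000006E with the reason in sub-status.
        # Logon right: the reason is in status and sub-status is 0x0.
        for field in ("SubStatus", "Status"):
            code = _hexfield(event, field)
            if code in POLICY_CODES_4625:
                name, control, why = POLICY_CODES_4625[code]
                return Finding(eid, account, computer, False, control,
                               f"{name} ({code:#010x}): {why}")
        return None  # ordinary failure (bad password, locked out, ...)

    if eid in (4768, 4769) and _hexfield(event, "FailureCode") == KDC_ERR_POLICY:
        return Finding(eid, account, computer, True, "workstation restriction",
                       "KDC_ERR_POLICY (0xC): DC refused the ticket request under account policy")

    if eid == 4820:
        return Finding(eid, account, computer, True, "authentication silo",
                       "TGT denied: device does not meet the silo's access control restrictions")
    return None


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


def by_source(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings by where they were written.  A collector that only pulls
    domain controller logs ever sees the 'dc' bucket; the 'workstation' bucket
    needs event forwarding from the endpoints."""
    out: Dict[str, List[Finding]] = {"workstation": [], "dc": []}
    for f in findings:
        out["dc" if f.logged_on_dc else "workstation"].append(f)
    return out


# Constructed sample events (not real telemetry); names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": "4625", "Computer": "WKS07.corp.example", "TargetUserName": "tamas",
     "LogonType": "2", "Status": "0xC000006E", "SubStatus": "0xC0000070"},
    {"EventID": "4769", "Computer": "DC01.corp.example", "TargetUserName": "tamas@CORP.EXAMPLE",
     "ServiceName": "WKS07$", "FailureCode": "0xC"},
    {"EventID": "4625", "Computer": "WKS07.corp.example", "TargetUserName": "adm-jane",
     "LogonType": "2", "Status": "0xC000015B", "SubStatus": "0x0"},
    {"EventID": "4820", "Computer": "DC01.corp.example", "TargetUserName": "adm-bob",
     "ServiceName": "krbtgt/CORP.EXAMPLE"},
    {"EventID": "4625", "Computer": "WKS07.corp.example", "TargetUserName": "alice",
     "LogonType": "2", "Status": "0xC000006D", "SubStatus": "0xC000006A"},  # plain bad password
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        where = "DC" if f.logged_on_dc else "workstation"
        print(f"{f.event_id} {f.account:<22} {f.control:<24} [{where}] {f.detail}")
```

Run against the samples, the bad-password 4625 is ignored, the two workstation-side events show up only because the workstation log was collected, and the 4769/4820 pair shows what a DC-only collector would still see. A real rule would also enrich the finding with the logon type and source address so that a silo violation from an unexpected host can be told apart from an admin who simply forgot the policy.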

Bad guys have more methods and shrink-wrapped tools than ever to steal credentials, so it’s especially important to lock down privileged accounts and prevent artifacts of their credentials from being littered throughout your network where the bad guys can find them. Windows gives you controls for enforcing such policies and provides an audit trail when someone attempts to violate them. Remember that besides just non-compliant or forgetful admins, these events may signal a bad guy who’s successfully stolen privileged credentials but is unaware of the controls you’ve put in place.  So, take these events seriously.

What’s Next in 2018? Our Prediction: SIEM-as-a-Utility

The traditional enterprise network has seen a tectonic shift in recent years thanks to cloud, mobility and now IoT. Where once enterprise data was confined to the office network and data center, it’s now expanded past its traditional perimeter. For instance, in a hospital, traditionally data resided in the data center, laptops, and desktop machines. Now, data can be resident in the x-ray machines, PCs connected to blood test analyzers, HVAC chiller units, etc. In franchise restaurants, one sees the rapid advent of digital menus, self-serve kiosks, customer Wi-Fi, and more. These digital assets have come into the market and onto the network very quickly, so that businesses can keep pace and compete for customers.

Correspondingly, the threats have also migrated — hackers now attack that less secure digital drink dispenser to then go lateral to the POS network. Often in the rush to market, securing these new assets that are now on the network has been an afterthought.

The techniques to protect and monitor these new assets are not so different: secure the configuration, limit access, watch the logs for patterns. The number and spread of these assets, though, is tenfold, so traditional SIEM technology struggles with deployment, cost, and scale. Traditional SIEM was designed for the large enterprise, on the assumption of plentiful bandwidth, CPU, and staff. None of those assumptions hold in the brave new world, where all three are in short supply.

Organizations now have ten times as many devices on the network, but most of them are lower-value, simpler assets with fixed network behaviour and a limited range of attacks they are susceptible to, so they can be managed in a more automated way.

SIEM Will Evolve in Functionality and Ubiquity

The progression of today’s SIEM platform has seen dramatic changes. Mature platforms that have their roots in centralized log management have proven to be the species best suited to evolve, adapt, and match today’s advanced cybersecurity demands. We see this trend continuing. SIEM’s ability to centralize and aggregate billions of event logs from devices makes it a natural choice to house advanced threat lifecycle management capabilities. We’ve already seen the beginnings of SIEM taking on functionality that was originally viewed by some as a different animal—those being User and Entity Behavior Analytics (UEBA) and Security Orchestration and Automated Response (SOAR). After a quick rise in interest surrounding UEBA and SOAR solutions, these concepts have become rightly absorbed into SIEM platforms.

Evolution of SIEM

In terms of ubiquity, as the Internet of Things (IoT) explosion continues to unfold, right-sized SIEM functionality will be brought to these simpler, yet very numerous, devices. Case in point: in 2017, Netsurion brought SIEM to the point-of-sale (POS) market to answer the restaurant data breach epidemic. By folding the POS into the enterprise cybersecurity scope, a breach siphoning credit card data should no longer go undetected for months.

By then coupling SIEM with IoT and branch location connectivity technology, like SD-WAN, the evolved capabilities of SIEM will be able to reach every edge of the highly-distributed enterprise.

Bringing It All Together

With SIEM platforms evolving to encompass machine learning concepts and orchestration capabilities, plus spreading to the furthest ends of the digital enterprise, we must also look at the most appropriate delivery model. By intertwining connectivity, threat, and compliance management, the delivery model that might work best for some organizations would be that the SIEM, or IT security, is delivered from an organization’s preferred ISP or managed IT service provider (MSP). The fully evolved SIEM platform will be able to deliver advanced functionality, wide integration, and lastly, MSP-friendly deliverability.

SIEM, UEBA, SOAR and Your Cybersecurity Arsenal

The evolution of Security Information and Event Management (SIEM) solutions has made a few key shifts over time. It started as simply collecting and storing logs, then morphed into correlating information with rules and alerting a team when something suspicious was happening. And now, SIEM solutions are providing advanced analytics and response automation.

Today’s advanced SIEM solutions:

  1. Incorporate purpose-built sensors to continually collect digital forensics data across an organization.
  2. Leverage artificial intelligence and machine learning to identify out-of-the-ordinary network behavior that may indicate possible malware or a data breach.

Advanced SIEM requires continual tuning to learn what is deemed abnormal behavior for a given organization.

At EventTracker, this all happens through our ISO 27001 certified Security Operations Center (SOC), where expert analysts work with this intricate data to learn the customer network and the various device types (OS, application, network devices etc.). Ideally, these experts work in tandem with the customers’ internal IT teams to understand their definition of normal network activity.

Next, based on this information and the knowledge packs available within EventTracker, we schedule suitable daily and weekly reports and configure alerts. The real magic happens when this data becomes “flex reports”. These reports focus on valuable information that is embedded within the description portion of the log messages. When these parameters are trended in a graph, all sorts of interesting, actionable information emerges.

User and Entity Behavior Analytics

In addition to noticing suspicious network behavior, SIEMs have evolved to include User Behavior Analytics (UBA), or User and Entity Behavior Analytics (UEBA). UBA/UEBA triggers an alert when unusual user or entity behavior occurs. This is an important feature now that compromised credentials make up 76% of all network intrusions.

When credentials are stolen, they tend to be used in unusual ways, places, and times. For instance, a logon that falls outside the normal pattern is immediately flagged for investigation. If user “Susan” usually logs in to “Workstation5” but suddenly logs in to “Server3”, that is out of the ordinary and may merit an investigation.
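The Susan-to-Server3 case here and the miner found on a rarely used key-fob provisioning server in the “Going Mining for Bitcoin” section above are the same detection in two guises: learn which (entity, attribute) pairs are normal over a baseline window, then report pairs that have never been seen, and escalate when the attribute is new across the whole estate rather than just new for this entity. The following is an added example (not EventTracker code) of that logic over constructed logon and process-creation records; the hosts, users and the image name “miner.exe” are placeholders.

```python
"""First-seen detection against a learned baseline.  Added example, not
EventTracker code.  The mining case ("what does this rarely used server
normally run?") and the UEBA case ("where does Susan normally log on?")
both reduce to: is this (entity, attribute) pair new, and how unusual is
the attribute across the whole estate?  All records below are constructed."""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str, str]  # (kind, entity, attribute)


def pair(rec: Dict[str, str]) -> Pair:
    """Normalise a record into the pair we baseline on (case-folded)."""
    if rec["kind"] == "logon":       # entity = user, attribute = host logged on to
        return ("logon", rec["user"].lower(), rec["host"].upper())
    if rec["kind"] == "process":     # entity = host, attribute = image executed
        return ("process", rec["host"].upper(), rec["image"].lower())
    raise ValueError(f"unknown record kind {rec['kind']!r}")


class Baseline:
    def __init__(self, records: List[Dict[str, str]]):
        self.seen: Set[Pair] = set()
        # attribute -> entities that exhibited it; used to judge global rarity
        self.entities_with: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        for r in records:
            kind, entity, attr = pair(r)
            self.seen.add((kind, entity, attr))
            self.entities_with[(kind, attr)].add(entity)

    def peers(self, kind: str, attr: str) -> int:
        """How many entities showed this attribute during the baseline window."""
        return len(self.entities_with.get((kind, attr), ()))


def detect(records: List[Dict[str, str]], baseline: Baseline,
           rare_if_peers_below: int = 1) -> List[dict]:
    """Report each pair absent from the baseline once.  Severity is 'high'
    when no entity in the baseline ever showed that attribute (a binary never
    run anywhere, a server nobody ever logged on to), otherwise 'medium'."""
    findings, reported = [], set()
    for r in records:
        key = pair(r)
        if key in baseline.seen or key in reported:
            continue
        reported.add(key)
        kind, entity, attr = key
        peers = baseline.peers(kind, attr)
        findings.append({
            "kind": kind, "entity": entity, "attribute": attr,
            "peers_in_baseline": peers,
            "severity": "high" if peers < rare_if_peers_below else "medium",
        })
    return findings


# Constructed 30-day baseline: Susan only ever uses WORKSTATION5, the key-fob
# server runs two images, an admin (tamas) is the only user seen on SERVER3.
BASELINE_WINDOW = (
    [{"kind": "logon", "user": "susan", "host": "WORKSTATION5"}] * 40
    + [{"kind": "logon", "user": "tamas", "host": "SAW1"},
       {"kind": "logon", "user": "tamas", "host": "SERVER3"},
       {"kind": "logon", "user": "bob", "host": "WORKSTATION2"}]
    + [{"kind": "process", "host": "KEYFOB-SRV", "image": "svchost.exe"},
       {"kind": "process", "host": "KEYFOB-SRV", "image": "keyfobsvc.exe"},
       {"kind": "process", "host": "WORKSTATION5", "image": "outlook.exe"},
       {"kind": "process", "host": "WORKSTATION5", "image": "powershell.exe"},
       {"kind": "process", "host": "SAW1", "image": "powershell.exe"},
       {"kind": "process", "host": "SERVER3", "image": "sqlservr.exe"}]
)

# Constructed current window.
CURRENT_WINDOW = [
    {"kind": "logon", "user": "susan", "host": "WORKSTATION5"},        # normal
    {"kind": "logon", "user": "Susan", "host": "server3"},             # new for susan
    {"kind": "process", "host": "KEYFOB-SRV", "image": "svchost.exe"},  # normal
    {"kind": "process", "host": "KEYFOB-SRV", "image": "miner.exe"},    # never seen anywhere
    {"kind": "process", "host": "KEYFOB-SRV", "image": "miner.exe"},    # repeat: reported once
    {"kind": "process", "host": "SERVER3", "image": "powershell.exe"},  # new here, common elsewhere
]


def run() -> List[dict]:
    return detect(CURRENT_WINDOW, Baseline(BASELINE_WINDOW))


if __name__ == "__main__":
    for f in run():
        print(f"{f['severity']:<6} {f['kind']:<8} {f['entity']:<12} -> {f['attribute']} "
              f"(seen on {f['peers_in_baseline']} other entities in baseline)")
```

The thin baseline of a rarely used server is what makes it a good sentinel: almost anything new on it is an anomaly, and an image that no host in the baseline has ever run is the strongest signal. The same logic fires on legitimate change (a software rollout, a user moving teams), so approved changes have to be fed back into the baseline or the alert queue fills with noise.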

Security Orchestration Automation and Response (SOAR)

While alerts to suspicious behavior are necessary, the real goal is acting on the suspicious behavior as quickly and effectively as possible. That’s the next evolution of SIEM: Security Orchestration Automation and Response (SOAR).

While traditional SIEMs can “say” something, those that incorporate SOAR can “do” something.

SOAR capabilities consolidate data sources, use information from threat intelligence feeds, and automate responses to improve efficiency and effectiveness.

For example, with EventTracker, if an infected USB is plugged into a laptop, even if it’s off the network at the time, and malware begins to run, EventTracker will detect the insertion of the USB, as well as detect any suspicious communication to a low-reputation IP address. It will also catch any suspicious processes that begin to run. Once detected, EventTracker automatically stops the communication and the executable, preventing a potential data breach. Watch a short demo about advanced endpoint security now.

Get the Most Out of Your SIEM

As attacks continue to become more sophisticated and persistent, traditional security tools that just focus on protecting the perimeter will continue to be replaced by solutions that also have detection and response capabilities, in particular on the endpoint devices.

Learn more about the features of EventTracker’s SIEMphonic Enterprise, and sign up for a demo to learn more about our machine learning, UEBA and SOAR functionality.

You’re in the Cybersecurity Fight No Matter What: Are You Prepared?

“You’re in the fight, whether you thought you were or not”, Gen. Mike Hayden, former Director of the CIA and NSA. It may appear at first to be a scare tactic or an attempt to sow fear, uncertainty, and doubt, but truly, what this means is that it’s time to adopt the Assume Breach paradigm.

Mr. Hayden also said, “You are almost certainly penetrated.” These words ring true and it’s time to acknowledge that a breach has either already occurred or that it’s only a matter of time until it will. It is more likely that an organization has already been compromised, but just hasn’t discovered it yet. Operating with this assumption will reshape detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes, and technologies.

Traditional security methodologies have largely been focused on prevention. It is a defensive strategy aimed at eliminating vulnerabilities and thereby mitigating security breaches before they happen. However, as the daily news headlines bear witness, perfect protection is not practical. So, monitoring is necessary.

Many businesses think of IT security as a nice-to-have option – just a second priority to be addressed, if IT budget dollars remain. However, compliance with regulations is seen as a must-have, mostly due to fear of the auditor and potential shame or penalty in the event of an audit failure. If this mindset prevails, then up to 70% of the budget under security and compliance will be allocated to the latter, with the rest “left over” for security. And as the total amount shrinks, this leads to the undesirable phenomenon known as checkbox compliance. Article after article explains why this is a bad mindset to have.

Remember, you’re in the fight, whether you knew it or not. Accept this and compliance becomes a result of good security practice. The same IT security budget can become more effective.

If you’re overwhelmed at the prospect of having to develop, staff, train, and manage security and compliance all by yourself, there are services like EventTracker’s SIEMphonic, that will do the heavy lifting. See our “Catch of the Day” to see examples of how this service has benefited our customers.

Which security functions outsource poorly and which outsource well

By A.N. Ananth

The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization then you could: a) ignore the problem and hope for the best, or b) get help from the outside. Approach “a” is simply a dereliction of duty, and approach “b” has some negative connotations associated with the word “outsource”. It throws up images of loss of control and misaligned priorities.

As a service provider, we agree, and prefer to describe our SIEMphonic services as co-sourcing. Is it a panacea? Not really. Nothing is ever a silver bullet. There are security functions that do well when co-sourced, and then there are those that really must be performed internally. How do you know which is which?

This opinion from a Gartner analyst breaks defense down into two kinds of knowledge: what to defend and how to defend. The former requires detailed knowledge of your IT environment, business processes, assets, systems, applications, personnel, company culture, and mission. The latter requires detailed understanding of threat actors, attack methods, exploits, vulnerabilities, security architecture, and other security domain knowledge.

Using the above general guideline as a touchstone, here are two areas that can be done outside:

  • Network Monitoring: It’s a process that requires specific expertise, but is usually far away from the core processes of the company. Most businesses can’t afford to have eyes on the network 24/7. In legacy security environments, customers received a daily list of 12 to 15 events. Now businesses process millions of events, 10 of which will be worth investigating, and eight of which might be false positives. It’s a lot of tedious work to justify allocating to full-time employees.
  • Vulnerability Management: Vendors release updates constantly, and the consequence of not patching internal systems is now painfully clear to Equifax and the victims of WannaCry. Patching is like doing the dishes, a never-ending task, but one that lends itself well to co-sourcing.

Here are two tasks that should remain in-house:

  • Incident Response & Breach Remediation: When a security breach or virus outbreak hits, a third party can alert you to suspicious activity, but they can’t figure out the network design and jump-start remediation. That’s something only your internal engineers can do because they deeply know the network. Remediation is not so much about technical skills as it is about the knowledge of the environment.
  • Security Strategy, Policy, and Architecture: Anything that requires the business judgement of the risk you’re taking cannot be outsourced. Core functions like security strategy, architecture, and policy should be kept in-house, as should the responsibility of managing and executing programs through completion. These functions are all about business risk, and require a knowledge of risk appetite — things that cannot be done by an outside party.

If your organization is affected by skill shortage, then consider co-sourcing. Just be mindful of what does well vs. poorly with this model, and plan accordingly.

EventTracker’s co-sourced solutions can provide your organization with advanced tools, backed by world-class experts that monitor your network 24/7.

Avoid Three Common Active Directory Security Pitfalls

While the threats have changed over the past decade, the way systems and networks are managed has not. We continue with the same operations and support paradigm, despite the fact that internal systems are compromised regularly. As Sean Metcalf notes, while every environment is unique, they all too often have the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

There is also the reality of what we call the Assume Breach paradigm. This means that during a breach incident, we must assume that an attacker a) controls a computer on the internal network and b) can access the same resources as the legitimate users who have recently logged on to it.

Active Directory (AD) is the most popular Lightweight Directory Access Protocol (LDAP) implementation and holds the keys to your kingdom. It attracts attackers, as honey attracts bees. There are many best practices to secure Active Directory, but to start, let’s ensure you stay away from common pitfalls. Below are three common mistakes to avoid:

  1. Too many Domain Admins: Active Directory administration is typically performed by a small number of people. Membership in Domain Admins is rarely a valid requirement. Those members have full administrative rights to all workstations, servers, Domain Controllers, Active Directory, Group Policy, etc., by default. This is too much power for any one account, especially in today’s modern enterprise. Unless you are actively managing Active Directory as a service, you should not be in Domain Admins.
  2. Over-permissioned Service Accounts: Vendors have historically required Domain Admin rights for Service Accounts even when the full suite of rights provided is not actually required, because it makes the product easier to test and deploy. The additional privileges granted to the Service Account can be used maliciously to escalate rights on a network. It is critical to ensure that every Service Account is delegated only the rights required, and nothing more. Keep in mind that a service running under a Service Account has that credential in LSASS memory, from which an attacker with local administrator rights can extract it (unless LSA protection or Credential Guard is in place). If the stolen credential has admin rights, the whole domain may be quickly compromised because of a single Service Account.
  3. Not monitoring admin group membership: Most organizations realize that the number of accounts with admin rights increases on a yearly, if not monthly basis, without ever going down. The admin groups in Active Directory need to be scrutinized, especially when new accounts are added. It’s even better to use a system that requires approval before a new account is added to the group. This system can also remove users from the group when their approved access expires.
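The third pitfall describes a control rather than a tool: compare the admin group's membership against the last review, require an approval record for every addition, and remove members whose approval has lapsed. The script below is an added example written for this article (it is not EventTracker code); the account names, dates and the in-memory approval table are constructed, and in practice the current membership would come from the directory and the approvals from whatever system grants time-boxed admin access.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical names, not from the article).
BASELINE = {"adm-alice", "adm-bob"}                           # membership at the last review
CURRENT = {"adm-alice", "adm-bob", "adm-carol", "svc-backup"}  # membership right now
APPROVALS = {                                                 # account -> approval expiry (UTC)
    "adm-alice": datetime(2018, 3, 31, tzinfo=timezone.utc),
    "adm-bob": datetime(2017, 6, 30, tzinfo=timezone.utc),     # already lapsed at review time
    "adm-carol": datetime(2017, 12, 31, tzinfo=timezone.utc),
}
NOW = datetime(2017, 9, 15, tzinfo=timezone.utc)


def review_admin_group(baseline, current, approvals, now):
    """Compare the group's current membership with the reviewed baseline.

    Returns a dict with:
      added      - accounts that joined since the baseline was taken
      unapproved - added accounts with no approval record at all
      expired    - current members whose approval has lapsed
      remove     - everything that should be pulled out of the group now
    """
    added = sorted(current - baseline)
    unapproved = [a for a in added if a not in approvals]
    expired = sorted(a for a in current if a in approvals and approvals[a] <= now)
    return {
        "added": added,
        "unapproved": unapproved,
        "expired": expired,
        "remove": sorted(set(unapproved) | set(expired)),
    }


def alert_lines(review):
    """Render the review as one alert line per finding, for a SIEM or a ticket."""
    lines = [f"ALERT unapproved admin group member: {a}" for a in review["unapproved"]]
    lines += [f"ALERT expired admin approval, remove: {a}" for a in review["expired"]]
    return lines


if __name__ == "__main__":
    for line in alert_lines(review_admin_group(BASELINE, CURRENT, APPROVALS, NOW)):
        print(line)
```

Running this on the constructed data reports svc-backup (added without any approval) and adm-bob (approval expired) for removal, while adm-carol's addition passes because an unexpired approval exists; the same comparison run on a schedule is the "approval before, removal after" system the article describes.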

By avoiding these pitfalls, and securing Active Directory properly, you are on your way to keeping your “kingdom” safe. But as Thomas Paine said, “Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it.” There are a number of ways to reap the benefits of a secure infrastructure, but many intricacies are required to make this a reality. Solutions like SIEMphonic Enterprise take on that “fatigue” with a dedicated 24/7 SOC.

Click here for more details or sign up for a free demo today.

Three myths surrounding cybersecurity

A common dysfunction in many companies is the disconnect between the CISO, who views cybersecurity as an everyday priority, versus top management who may see it as a priority only when an intrusion is detected. The seesaw goes something like this: If breaches have been few and far between then leaders tighten the reins on the cybersecurity budget until the CISO proves the need for further investment in controls. On the other hand, if threats have been documented frequently, leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies to keep data and other corporate assets safe.

Does your organization suffer from any of these?

Myth: More spending equals more security

McKinsey says, “There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program.” Companies that spend heavily but are still lagging behind their peers may be protecting the wrong assets. Ad hoc approaches to funding (goes up when an intrusion is reported, goes down when all is quiet on the western front) will be ineffective in the long term.

Myth: All threats are external

Too often, the very people who are closest to the data or other corporate assets are the weak link in a company’s cybersecurity program. Bad habits — like sharing passwords or files over unprotected networks, clicking on malicious hyperlinks sent from unknown email addresses, etc. — open up corporate networks to attack. In this study by Intel Security, threats from inside the company account for about 43 percent of data breaches. Leaders must realize that they are actually the first line of defense against cyberthreats, which is never the sole responsibility of the IT department.

Myth: All assets are equally valuable

Are generic invoice numbers and policy documents that you generate in-house as valuable as balance sheets or budget projections? If not, then why deploy a one-size-fits-all cybersecurity strategy? Does leadership understand the return they are getting on their security investments and associated trade-offs? Leaders must inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. McKinsey cites the example of a global mining company that realized it was focusing a lot of resources on protecting production and exploration data, but had failed to separate proprietary information from that which could be reconstructed from public sources. After recognizing the flaw, the company reallocated its resources accordingly.

These three myths are common, but the list goes on. Now it’s time to decide what to do about it. Research is a great start, but time is of the essence. According to a 2017 Forbes survey, 69% of senior executives are already re-engineering their approach to cybersecurity. What’s your next step?

EventTracker reviews billions of logs daily to keep our customers safe. See what we caught recently and view our latest demo.

Report All the Binary Code Executing on Your Network with Sysmon Event IDs

By Randy Franklin Smith

Computers do what they are told, whether good or bad. One of the best ways to detect intrusions is to recognize when computers are following bad instructions – whether in binary form or in some higher level scripting language. We’ll talk about scripting in the future, but in this article I want to focus on monitoring execution of binaries in the form of EXEs, DLLs and device drivers.

The Windows Security Log isn’t very strong in this area. Event ID 4688 tells you when a process is started and provides the name of the EXE – in current versions of Windows you thankfully get the full path; in older versions you only got the file name itself. But even the full pathname isn’t enough. This is because that’s just the name of the file; the name doesn’t say anything about the contents of the file. And that’s what matters, because when we see that c:\windows\notepad.exe ran, how do we know if that was really the innocent notepad.exe that comes from Microsoft? It could be a completely different program altogether, replaced by an intruder, or, in more sophisticated attacks, a modified version of notepad.exe that looks and behaves like notepad but also executes other malicious code.

Instead of just the name of the file we really need a hash of its contents. A hash is a relatively short, finite length mathematical digest of the bit stream of the file. Change one or more bits of the file and you get a different hash. (Alert readers will recognize that couldn’t really be true always – but in terms of probabilistic certainty, it’s more than good enough to be considered true.)

Unfortunately, the Security Log doesn’t record the hash of EXEs in Event ID 4688, and even if it did, that would only catch EXEs – what about DLLs and device drivers? The internal security teams at Microsoft apparently recognized this gap as well, which led Mark Russinovich et al. to write Sysmon. Sysmon is a small and efficient program you install on all endpoints that generates a number of important security events “missing” from the Windows Security Log. In particular, Sysmon logs:

  • Event ID 1 – for process creation (i.e. an EXE was started)
  • Event ID 6 – driver loaded
  • Event ID 7 – image loaded (i.e. a DLL was loaded)

Together these 3 events create a complete audit record of every binary file loaded (and likely executed) on a system where Sysmon is installed.

But, in addition to covering DLLs and drivers, these events also provide the hash of the file contents at the time it was loaded.  For instance, the event below shows that Chrome.exe was executed and tells us that the SHA 256-bit hash was 6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57.

Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Now, assuming we have the ability to analyze and remember hashes, we can detect whenever a new binary runs on our network.

Sysmon allows you to create include and exclude rules to control which binaries are logged and which hashes are computed, based on an XML configuration file you supply to Sysmon at installation time or any time after with the /c command. Sysmon is easy to install remotely using Scheduled Tasks in Group Policy’s Preferences section. In our environment, we store our sysmon.xml file centrally and have our systems periodically reapply that configuration file in case it changes. Of course, be sure to carefully control permissions where you store that configuration file.

Just because you see a new hash doesn’t necessarily mean that you’ve been hacked. Windows systems are constantly updated with Microsoft and 3rd party patches. One of the best ways to distinguish between legitimate patches and malicious file replacements is to regularly whitelist known programs from systems patched early – such as patch testing systems.

Once sysmon is installed you need to collect the sysmon event log from each endpoint and then analyze those events – detecting new software. EventTracker is a great technology for accomplishing both of these tasks.
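The two pieces the article leaves to "a SIEM" are parsing the Sysmon Event ID 1 text into fields and remembering hashes so that only a never-seen hash raises an alert, with the patch-testing caveat handled by learning hashes from the early-patched systems first. The script below is an added example written for this article, not EventTracker or Sysinternals code. The Chrome record reuses the fields shown above; the notepad and temp-folder records, their hashes and the make_event helper are constructed for the example, and the parser expects the same "Key: Value" layout Sysmon renders in the event description.

```python
import hashlib

# Constructed sample: the Chrome event from the article, trimmed to a few fields.
CHROME_EVENT = r"""
Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
User: LAB\rsmith
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
"""


def fake_sha256(label):
    """Stand-in for a real file hash: SHA-256 of a constructed label (example only)."""
    return hashlib.sha256(label.encode()).hexdigest().upper()


def make_event(image, sha256, user="LAB\\rsmith"):
    """Build a minimal Event ID 1 description in the same 'Key: Value' layout (constructed)."""
    return (f"Process Create:\nUtcTime: 2017-05-01 10:00:00.000\nImage: {image}\n"
            f"User: {user}\nHashes: SHA256={sha256}\n")


def parse_sysmon_event(text):
    """Parse the 'Key: Value' lines of a Sysmon event description into a dict.

    The 'Hashes' field (e.g. 'SHA256=...,MD5=...') is split into a nested dict
    keyed by algorithm, so callers can ask for event['Hashes']['SHA256'].
    """
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # the 'Process Create:' header carries no value
        fields[key.strip()] = value.strip()
    if "Hashes" in fields:
        fields["Hashes"] = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return fields


class HashBaseline:
    """Set of SHA-256 hashes seen before; anything else is a new binary."""

    def __init__(self, known=()):
        self.known = set(known)

    def observe(self, event):
        """Return (image, sha256) if this hash is new, else None; learn it either way."""
        sha = event["Hashes"]["SHA256"]
        if sha in self.known:
            return None
        self.known.add(sha)
        return (event["Image"], sha)


def run_demo():
    """Learn from the patch-test system first, then watch production events.

    Returns the list of (image, sha256) pairs flagged as new in production.
    """
    notepad_hash = fake_sha256("notepad.exe after this month's patch (constructed)")
    dropper_hash = fake_sha256("unknown binary in a temp folder (constructed)")

    # 1. Seed with hashes already known good, then whitelist whatever ran on
    #    the early-patched test system (here: the freshly patched notepad).
    baseline = HashBaseline(known={parse_sysmon_event(CHROME_EVENT)["Hashes"]["SHA256"]})
    baseline.observe(parse_sysmon_event(make_event(r"C:\Windows\notepad.exe", notepad_hash)))

    # 2. Production: patched notepad matches the test-system hash and is quiet;
    #    the temp-folder binary is new, and its repeat run is not re-flagged.
    production = [
        CHROME_EVENT,
        make_event(r"C:\Windows\notepad.exe", notepad_hash),
        make_event(r"C:\Users\rsmith\AppData\Local\Temp\update.exe", dropper_hash),
        make_event(r"C:\Users\rsmith\AppData\Local\Temp\update.exe", dropper_hash),
    ]
    flagged = []
    for text in production:
        hit = baseline.observe(parse_sysmon_event(text))
        if hit:
            flagged.append(hit)
    return flagged


if __name__ == "__main__":
    for image, sha in run_demo():
        print(f"NEW BINARY {image} SHA256={sha}")
```

Only the temp-folder binary is reported: Chrome's hash was already known, and the patched notepad's hash was learned from the test system before production saw it, which is exactly why whitelisting from early-patched machines cuts the noise a patch cycle would otherwise create.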

Can general purpose tools work for IT security?

This post got me thinking about a recent conversation I had with the CISO of a financial company. He commented on how quickly his team was able to instantiate a big data project with open source tools. He was of the view that such power could not be matched by IT security vendors who, in his opinion, charged too much money for demonstrably poorer performance.

The runaway success of the ELK stack has the DIY crowd energized. Why pay security vendors for specialist solutions when a “big data” project that we already have going on, based on this same stack, can work so much better, the thinking goes. And it’s free, of course.

What we know from 10+ years of rooting around in the security world is that solving the platform problem gets you about a quarter of the way to the security outcome. After that comes detection content, and then the skills to work the data plus the process discipline. Put another way, “Getting data into the data lake, easy. Getting value out of the data in the lake, not so much.”

In 2017, it is easier than ever to spin up an instance of ELK on premises or in the cloud and presume that success is at hand just because the platform is now available. Try using generic tools to solve the security problem and you will soon discover why security vendors have spent so much time writing rules and why service providers spend so much effort on process/procedure and recruitment/training.

Are you lowering your expectations to meet your SIEM performance?

It’s an old story. Admin meets SIEM. Admin falls in love with the demo provided by the SIEM vendor. Admin commits to a 3 year relationship with SIEM.

And now the daily grind. The SIEM requires attention, but the Admin is busy. Knowledge of what the SIEM needs in order to perform starts to dissipate from memory as the training period recedes in the past. Log volume constantly creeps up, adding to sluggishness.

Soon you are at a point where the SIEM could have theoretically performed but actually does not. It’s a mix of initial underestimation of hardware needs, increasing log volume, apathy and dissipation of knowledge about SIEM details.

How now?

In most implementations, this vicious cycle feeds on itself and the disillusionment reinforces itself. The SIEM is either abandoned or the user is resigned to poor performance.

What a revoltin’ development.

It doesn’t have to be this way, you know. Our SIEMphonic offerings were designed to address each of these problems. Don’t just buy a SIEM, get results!

Equifax’s enduring lesson — perfect protection is not practical

Recently Equifax, one of the big-three US credit bureaus, disclosed a major data breach. It affects 143 million individuals — mostly Americans, although data belonging to citizens of other countries, for the most part Canada and the United Kingdom, were also hit.

It’s known the data was stolen, not just exposed. Equifax disclosed it had detected unauthorized access. So this isn’t simply a case of potential compromise of data inadvertently exposed on the web. Someone came in and took it.

How the breach occurred remains publicly unknown, and Equifax has been close-mouthed about the details. But there’s considerable speculation online that the hackers exploited a patchable yet unpatched flaw in Equifax’s website.

Quartz suggests an Apache Struts vulnerability. Markets Insider says it’s unclear which vulnerability may have been exploited. The Apache Struts team has issued a statement which says: “Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here – we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP. What we saw here is common software engineering business – people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.”

So where to turn? Is it reasonable to assume that Equifax should be rigorous in updating its systems, especially public facing ones with access to such valuable data? Yes, of course. But it frankly doesn’t matter what it was written in, how it was deployed, or whether it was up to date. How do you explain (apparently) no controls to monitor unusual activity? That’s dereliction of duty, in 2017.

Perfect protection is not practical, thus monitoring is necessary. Rinse and repeat, ad nauseam, it seems.

Looking for an expert set of eyes to monitor your assets? SIEMphonic can help. See what we’ve caught.

Three critical advantages of SIEMphonic Essentials

By now it’s accepted that SIEM is a foundational technology for both securing a network from threats as well as demonstrating regulatory compliance. This definition from Gartner says: “Security information and event management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It also supports compliance reporting and incident investigation through analysis of historical data from these sources. The core capabilities of SIEM technology are a broad scope of event collection and the ability to correlate and analyze events across disparate sources.”

However, SIEM is not fit-and-forget technology, nor is it technically simple to implement and operate. In order to bring the benefits of SIEM technology to the small network, with a decade of experience behind us, we developed SIEMphonic Essentials to address the problems beyond mere technology. Here are three specific advantages:

1) No hardware to procure or maintain

SIEMphonic Essentials is hosted in our Tier-1 data center freeing you from having to procure, maintain and upgrade server class hardware. Disk in particular is a challenge. Log data grows exponentially and while consumer disk cost is relatively inexpensive, the same cannot be said for business class disk cost.

2) More data? Fixed cost!

The hallmark of a successful SIEM implementation is growing volumes of data. Many SIEM solutions are priced based on log volume indexed or received (the so-called events per second). More data inevitably means more unforeseen cost. With SIEMphonic Essentials, you get simple t-shirt sizing (Small, Medium, Large) and you can leave both the cost and implementation of data storage to us.

3) Skill shortage

There is an African proverb that says, “It takes a village to raise a child.” In fact, it takes various skills to RUN and WATCH a SIEM solution. This specific problem is why many SIEM implementations become shelfware. Writing and tuning detection rules, performing incident investigations, and understanding how to search means that analysts need both security knowledge and specialized SIEM tool expertise. The IT Security space has zero unemployment, high staff acquisition costs and ongoing training costs. Buying a SIEM solution is easy. There are many providers and an end-of-quarter discount is always around the corner. Getting value from it? Not so much. With SIEMphonic Essentials, we start with a proper implementation (after all as Aristotle noted, well begun is half done) and then our 24/7 Security Operations Center escalates P1 events to your team.

SIEMphonic Essentials delivers visibility and detection across your enterprise. Not just technology…results!

Three paradoxes disrupting IT Security

2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry has focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely as the CISO or a wise friend harangues them for attention, behavior change or budget on the topic of IT Security. It’s in a way comforting to think that such attention is a good thing. After all, there’s no such thing as bad publicity, right? This is certainly the age of “I don’t care what the newspapers say about me as long as they spell my name right”.

Not so fast, my friend. Despite all of the attention, all of the massive investment by venture funds in IT Security, all of the hand wringing and tut-tutting after the latest attack makes the front pages, there are some deeply rooted inconsistencies if you look closely at the scene.

Paradox #1: More data, less information

For some time now, we are drowning in data but starving for insight. This recent survey of CIOs shows that:

  • 95% of CIOs believe data is changing the way their organizations do business
  • 83% see data as a valuable asset that is not being fully utilized within their organization
  • 64% believe their organization is not making optimal use of the data to drive their business forward

In 2010, Eric Schmidt of Google noted that every two days we create as much information as we did from the dawn of civilization up to 2003. Data is everywhere, but insight is not. Why? Because the barriers to producing data are so low. In the Middle Ages, when paper was a sign of wealth and books were locked up in monasteries, knowledge was considered valuable and creating it was costly. Today the challenge is different. We live at the opposite extreme, where instrumentation in practically every network connected device emits data, nonstop. The challenge, as always, is what does it all mean, to me, now? That level of insight continues to be elusive. Getting at it requires a mix of technology, data science and domain expertise and process discipline — a trifecta that is rare.

Paradox #2: More connectivity, less understanding

Today more and more of our lives are online. Every desktop, phone, tablet, watch, automobile and x-ray machine is online and generating reams of data. Networks are interconnected leading to even larger networks. So much so that no less a personage than Elon Musk worries that Skynet is about to become self-aware. Sure, connectivity has created tremendous positive changes, including new markets in developing nations, efficiencies in the marketplace and benefits for social interaction that were unthinkable a mere decade ago. But the same connectivity that lets you travel the globe in one click works the other way also. Deplorables from far flung locales can be at your doorstep with one click.

The sprawling network also begets the problem of not knowing your “home” turf. There is increasingly less understanding of the ways into and out of complex interconnected networks, which makes them harder to defend. And what of the Mir Jafars amongst us — the scary thought of the insider threat? Effective defense demands actionable intelligence. It’s essential to answer the 4 Ws (who, what, where, when), but prevention and effective countermeasures require the 5th W (why), which is knowing motive, i.e., understanding. In his blog, David Bianco describes network defense as defenders working to push attackers up the pyramid of pain. The highest form of defense is to understand the attackers’ tactics, techniques and procedures (TTP) so as to deny them their prize.

Paradox #3: The wisdom of crowds, the irrelevance of crowds

The latest buzzword in IT Security circles for the past couple of years has been threat intelligence, or crowd-sourced observations of bad behavior with the attendant publishing of these actors and their actions on a global scale. If the bad guys collaborate and share info on TTPs (ransomware as a service?) then should defenders do the same? Should every defender be left to analyze artifacts from the past and work in isolation to determine the future?

Surely the answer is no, and yet there’s the question of applicability and relevance to our specific network. If Ivan the Terrible is on the rampage in Kazakhstan, should the sheriff of Middleburg, VA worry and shore up his defense against the TTP used there? Probably not. And so the paradox. While crowds can give you a million eyes, it doesn’t necessarily translate into actionable intelligence to defend your network.

Disruption is a good word, signifying creativity and innovation—shaking up things in a good way. But disruption often has unintended consequences. More information, connectivity and crowdsourcing are also shrinking insight, eroding understanding and empowering irrelevant data points. These are points to ponder as we journey deeper into this 21st century.

Tip of the hat to Amy Zegart whose article in The Atlantic got the neurons firing.

Think you are too small to be hacked?

As a small business, how would you survive an abrupt demand for $250,000? It’s ransomware, and as this poll shows, that’s what an incident would cost a small business. Just why has ransomware exploded on to the scene in 2017? Because it works. Because most bad guys are capitalists and are driven by the profit motive. Because most small businesses have not taken the time to guard their data. Because they are soft targets. What makes the news headlines are the attacks on large companies like Merck, Maersk or large government, NHS Hospitals in the UK, etc. But make no mistake, small businesses get hit every day – they’re just not in the headlines. After all, more people miss work due to the common cold, but this never makes the news. On the other hand, a single case of Ebola and whoa!

Unfortunately this leads to confirmation bias. Since you don’t hear about it, it must not be a thing, right? That’s dangerous thinking for a small business. The large corporations can bounce back from cyberattacks; they have the depth of pocket to hire the experts needed during the crisis. But how does a small business cope? Breach costs can go to $250,000, not to mention the destruction of client trust if word gets out that confidential information was leaked.

So what do you do? Try these three steps:

Educate
It starts with you and your employees. Know your digital assets and maintain an up-to-date inventory. Invest in training of employees, as they are the weakest link in the IT security game.
Protect
Minimum diligence includes up-to-date anti-virus, a managed next-gen firewall and regular patching. Step it up with endpoint protection. Regular reviews of user and system activity are a solid, low-cost improvement to close the gap.
Co-source
Get an expert on your team. It’s too expensive to get dedicated resources, but this doesn’t mean you have to go it alone.  Co-sourcing is an excellent technique to have an expert team on call that specializes in cybersecurity.

If the first half of 2017 is an indicator, then it’s high time to wake up and smell the hummus.

***Some images from FreePik.com

How do you determine IT security risk?

How much security is enough? That’s a hard question to answer. You could spend $1 or $1M on security and still ask the same question. It’s a trick question; there is no correct answer. The better/correct question is how much risk are you willing to tolerate? Mind you, the answer to this question is a “beauty in the beholder” deal, and again there is no one correct answer.

The classic comeback from management when posed this question by the CISO is to debate what risk means, in a business context, of course. To answer this, consider the picture below.

This is your tax dollars at work. It comes from a NIST publication called “Small Business Information Security” and is available here. It presents a systematic method to first identify and thereafter mitigate the elements of risk to your business. To a small business owner, this may all be very well but can be overwhelming.

Did you know that you are not alone in tackling this problem? Our SIEMphonic program is specifically designed to provide co-management. We get that for a small business owner, it’s difficult to deploy, manage and use an effective combination of expertise and tools that provide early detection of targeted, advanced threats and insider threats. With SIEMphonic Enterprise Edition and SIEMphonic MDR Edition, we work together with you to analyze event data in real-time, then collect, store, investigate, and report on log data for incident response, forensics and regulatory compliance. Let us help you strengthen your security defenses, respond effectively, control costs and optimize your team’s capabilities through SIEMphonic.

Ransomware's Next Move

By Aaron Branson

Have we seen the true business impact of ransomware yet, or has this just been a proof-of-concept? The recent news about WannaCrypt and Petya ransomware should not come as a surprise. The outbreaks are due not only to the ransomware’s ability to spread but also to mutate. While IT security teams identify, hunt, and remove specific variants of the ransomware, there may already be unknown mutated varieties lurking dormant and ready to execute. We expect stories like this will continue to pop up as organizations only hunt “known” threats after enough other organizations come across them. As shown in the graph below provided by the Proofpoint Q1 2017 Quarterly Threat Report, there were 4.3x as many new ransomware variants in Q1 2017 as in Q1 2016!

Polymorphic and mutating malware… yep, you read that right

EventTracker Security Center 8.3, the latest version of the SIEM platform, released June 8, includes just such a capability to combat modern ransomware and polymorphic and mutating malware. Dormant Malware Hunter is a new capability introduced by EventTracker. Modern malware, including ransomware, copies itself with different names and hashes to various folders, so that if the original is identified and removed, the clones remain ready to attack at a later time. Dormant Malware Hunter identifies hidden EXE and DLL files that have never executed, while exempting those found on a known safe files list. As a result, copies of malware can be removed from the network, preventing re-infection or propagation.

Such capability to hunt down these dormant and unknown threats allows IT security teams to fully cleanse their network of ransomware variants… even the ones not yet known to global threat intelligence feeds.

“Ransom-a-Retailer” may be cyber-criminals’ next game

EventTracker, along with parent company, Netsurion, also predicts the next wave of ransomware attacks could be retail and hospitality, and the impact could be crippling. Incidents like these that impacted Honda and Renault certainly impact the bottom-line by slowing production. But sales are still being made and orders fulfilled. Granted, they may have experienced a hiccup in efficiency. If these attackers turn their attention to the much-maligned POS system which frequents the headlines for credit card data theft, and choose to hold a retailer ransom by preventing them from making transactions with consumers, such retailers could bleed millions of dollars in lost revenue daily until they recover the function of the POS systems.

Black Friday 2017 may truly be a dark day

Consider things from the cyber-criminals’ point of view. They apparently have no problem hacking into a POS system and siphoning off credit card data for months undetected. I’ll forego naming the many brands victim of such breaches as I’m sure the incidents are already familiar to you. But here’s the thing… the going rate for stolen credit card data on the black market is in decline. A US credit card used to be able to fetch $20-30, but of late that data is falling closer to $5-10. Simple supply-and-demand – there’s too much stolen credit card data available!

What would prevent that same cyber-criminal from using those same infiltration tactics to deploy ransomware on the POS and, within minutes rather than months, having what they need? If a major retailer was unable to ring out a single consumer on Black Friday, the busiest brick-n-mortar shopping day of the year, what ransom would they be willing to pay? How many millions of revenue would they lose even if they recovered without paying the ransom?

To guard retailers from such harm before it becomes the “next big thing in ransomware”, EventTracker launched SIEMphonic MDR Edition in December 2016. The managed endpoint threat detection and response solution is unique in that it takes the appropriate set of capabilities from its enterprise SIEM and makes it logistically and economically practical to deploy to each and every POS system across every retail outlet.

IT security for franchise retailers is tougher than herding cats

In the more complex franchise-model space, retail and hospitality brands have the added challenge of wrangling thousands of storefronts owned by upwards of hundreds of different franchise owners running their own show. Without a proper solution that accounts for such complexity, securing a franchised brand from ransomware at these many vulnerability points (think X number of POS terminals multiplied by Y number of locations across multiple/separate franchise businesses) is like herding cats (still one of my favorite commercials of all time). Netsurion, however, has added a specially packaged version of SIEMphonic MDR into its already leading managed network security, resilience and compliance service for merchants. The solution, named SIEM-at-the-Edge, brings the same needed endpoint threat detection and response capability to the “edge” locations of the franchise merchants.

Here’s to hoping merchants of all shapes and sizes heed the prevalent warnings and evidence that POS systems are extremely vulnerable and a ransomware attack could be devastating. An ounce of prevention is worth a pound of cure!

Yet Another Ransomware That Can be Immediately Detected with Process Tracking on Workstations

By Randy Franklin Smith

As I write this, yet another ransomware attack is underway. This time it’s called Petya, and it again uses SMB to spread. But here’s the thing — it uses an EXE to get its work done. That’s important because there are countless ways to infect systems, with old ones being patched and new ones being discovered all the time. You definitely want to reduce your attack surface by disabling/uninstalling unneeded features.  Plus, you want to patch systems as soon as possible.

Those are preventive controls and they are irreplaceable in terms of defense in depth. But no layer of defense is ever a silver bullet. Patching and surface area management will never stop everything.

So, we need an effective detective control that tells us as soon as something like Petya gets past our frontline preventive layers of defense. The cool thing is that you can do that using nothing more than the Windows security log – or even better – Sysmon. Event ID 4688, activated by enabling Audit Process Creation for success, is a Security log event produced every time an EXE loads as a new process.

If we simply keep a running baseline of known EXE names and compare each 4688 against that list, BAM!, you’ll know as soon as something new, like Petya’s EXEs, runs on your network. Of course you need to be collecting 4688s from your workstations, and your SIEM needs to be able to do this kind of constantly learning whitelist analysis. You are going to get events when you install new software or patch old software, but only when new EXE names show up.

The only problem with using 4688 is that it’s based on the EXE name (including path). Bad guys can – though they don’t usually bother to – replace known EXEs to stay below the radar. That would defeat the above scheme. So what can you do? Implement Sysmon, which logs the hash of each EXE. Sysmon is a free element of Microsoft Sysinternals written by Mark Russinovich and friends. Sysmon event ID 1 (shown below) is logged at the same time as 4688 (if you have both process creation auditing and Sysmon configured), but it also provides the hash of the EXE. So even if the attacker does replace a known EXE, the hash will differ, and your comparison against known hashes will fail – thus detecting a new EXE executing for the first time in your environment.

Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/28/2017 3:08:22 PM
Event ID: 1
Task Category: Process Create (rule: ProcessCreate)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsH.lab.local
Description:
Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=F47498BBA884E523FA93E623C4569B94 --mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Tracking by hash will generate more false positives because any time a known EXE is updated by the vendor, the first time the new version runs, a new hash will be generated and trip a new alarm or entry on your dashboard. But this tells you that patches are rolling out and confirms that your detection is working. And you are only notified the first time the EXE runs, provided you automatically add new hashes to your whitelist.

Whether you track new EXEs in your environment by name using the Security Log or by hash using Sysmon – do it! New process tracking is one of those highly effective, reliable and long-lived strategic controls that will alert you to other attacks that rely on EXEs still beyond the horizon.

EventTracker has a built-in feature that will detect and alert on EXEs and DLLs the first time they run, plus they just released a Dormant Malware Hunter in the latest version of their software. Modern malware, including ransomware, copies itself with different names and hashes to various folders, so that if the original is identified and removed, the clones remain ready to attack at a later time. The Dormant Malware Hunter identifies hidden EXE and DLL files that have never executed, while exempting those found on a known safe files list. As a result, copies of malware can be removed from the network, preventing re-infection or propagation.

Petya Ransomware – What it is and what to do

A new ransomware variant is sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. While it was first observed in 2016, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution.”

What is it?

This is a new generation of ransomware designed to take timely advantage of recent exploits. This current version is targeting the same vulnerabilities (ETERNALBLUE) that were exploited during the recent WannaCry attack. In this variant, rather than targeting a single organization, it uses a broad-brush approach that targets any device it can find that its attached worm is able to exploit.

The gravity of this attack is multiplied by the fact that even servers patched against the SMBv1 vulnerability exploited by EternalBlue can be successfully attacked, provided there is at least one Windows server on the network vulnerable to the flaw patched in March in MS17-010.

How it spreads

Early reports also suspected that some infections were spread via phishing emails with infected Excel documents exploiting CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.

The attackers have built in the capability to infect patched local machines using the PSEXEC Windows SysInternals utility to carry out a pass-the-hash attack. Some researchers have also documented usage of the Windows Management Instrumentation (WMIC) command line scripting interface to spread the ransomware locally.

Unlike WannaCry, this attack does not have an internet-facing worming component, and only scans internal subnets looking for other machines to infect. Once a server is compromised by EternalBlue, the attacker is in as a system user.

What it does

The malware waits for 10-60 minutes after the infection to reboot the system. The reboot is scheduled using system facilities with the “at” or “schtasks” and “shutdown.exe” tools. Once it reboots, it starts to encrypt the master file table (MFT) of NTFS partitions, overwriting the MBR with a customized loader with a ransom note.

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.

The criminals behind this attack are asking for $300 in Bitcoins to deliver the key that decrypts the ransomed data, payable to a unified Bitcoin account. Unlike WannaCry, this technique would work because the attackers are asking the victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net,” thus confirming the transactions.

There is no kill-switch as of yet, and reports say the ransom email is invalid, so paying up is not recommended.

Technical Details

Talos observed that compromised systems have a file named “Perfc.dat” dropped on them. Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function referred to as #1. The library attempts to obtain administrative privileges (SeShutdownPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, the ransomware will overwrite the master boot record (MBR) on the disk drive referred to as PhysicalDrive0 within Windows. Regardless of whether the malware is successful in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection.

As part of the propagation process, the malware enumerates all visible machines on the network via NetServerEnum and then scans for an open TCP port 139. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:

  1. EternalBlue – the same exploit used by WannaCry.
  2. Psexec – a legitimate Windows administration tool.
  3. WMI – Windows Management Instrumentation, a legitimate Windows component.

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.

For systems that have not had MS17-010 applied, the EternalBlue exploit is leveraged to compromise systems.

Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user’s Windows token to install the malware on the networked device. Talos is still investigating the methods by which the “current user’s Windows token” is retrieved from the machine.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command which performs the same function as above, but using the current user’s username and password (as username and password).

Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
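The two detection ideas on this page, the constantly learning EXE whitelist from the process-tracking post above and the command-line behaviour listed in the Petya technical details, can be checked together against Sysmon Event ID 1 bodies. The following Python is an added example, not EventTracker’s, Talos’s or Sysmon’s code; the event bodies, hashes, rule names and the PSEXESVC.exe parent image are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcessEvent:
    image: str
    command_line: str
    sha256: Optional[str]
    parent_image: str

_FIELD = re.compile(r"^(\w+):\s*(.*)$")

def parse_sysmon_event(text: str) -> ProcessEvent:
    """Parse the 'Key: value' lines of a Sysmon Event ID 1 'Process Create' body."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    sha256 = None
    # Sysmon lists "Hashes: SHA1=...,SHA256=..." according to its configuration
    for part in fields.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256" and value:
            sha256 = value.strip().upper()
    return ProcessEvent(image=fields.get("Image", ""),
                        command_line=fields.get("CommandLine", ""),
                        sha256=sha256,
                        parent_image=fields.get("ParentImage", ""))

class NewExecutableTracker:
    """Constantly learning whitelist: alert on the first sighting of an image
    path (the 4688 scheme) or of a SHA256 (the Sysmon scheme), then learn it,
    so a vendor update alerts exactly once."""

    def __init__(self, known_images=(), known_hashes=()):
        self.known_images = {i.lower() for i in known_images}
        self.known_hashes = {h.upper() for h in known_hashes}

    def check(self, ev: ProcessEvent) -> List[str]:
        alerts = []
        image = ev.image.lower()
        if image and image not in self.known_images:
            alerts.append("NEW-EXE-NAME " + ev.image)
            self.known_images.add(image)
        if ev.sha256 and ev.sha256 not in self.known_hashes:
            alerts.append("NEW-EXE-HASH " + ev.sha256)
            self.known_hashes.add(ev.sha256)
        return alerts

# Command-line indicators for the Petya behaviour described in the text
# (the rule names are this example's own labels).
INDICATOR_RULES = [
    ("PERFC-DAT-VIA-RUNDLL32", re.compile(r"rundll32\.exe.*perfc\.dat.*#1", re.I)),
    ("EVENTLOG-CLEAR", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("USN-JOURNAL-DELETE", re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
    ("SCHEDULED-REBOOT", re.compile(r"schtasks.*shutdown", re.I)),
    ("WMIC-REMOTE-PROCESS", re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
]

def match_indicators(ev: ProcessEvent) -> List[str]:
    return [name for name, rx in INDICATOR_RULES if rx.search(ev.command_line)]

def triage(event_texts, tracker: NewExecutableTracker):
    """Run both checks over raw event bodies; return [(event index, alerts)]."""
    findings = []
    for idx, text in enumerate(event_texts):
        ev = parse_sysmon_event(text)
        alerts = tracker.check(ev) + match_indicators(ev)
        if alerts:
            findings.append((idx, alerts))
    return findings

# Constructed sample events modelled on the Sysmon event shown in the post;
# the hashes are made up and only the fields the checks use are included.
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    # 0: known Chrome build, known hash -> silent
    "Process Create:\nImage: %s\nCommandLine: \"%s\" --type=utility\n"
    "Hashes: SHA256=%s\nParentImage: %s" % (CHROME, CHROME, "11" * 32, CHROME),
    # 1: Chrome after a vendor update: name known, hash new -> one alert
    "Process Create:\nImage: %s\nCommandLine: \"%s\"\nHashes: SHA256=%s\n"
    "ParentImage: C:\\Windows\\explorer.exe" % (CHROME, CHROME, "22" * 32),
    # 2: the Psexec-delivered rundll32 instruction from the Technical Details
    "Process Create:\nImage: C:\\Windows\\System32\\rundll32.exe\n"
    "CommandLine: C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1\n"
    "Hashes: SHA256=%s\nParentImage: C:\\Windows\\PSEXESVC.exe" % ("33" * 32),
    # 3: the log-clearing chain, launched through cmd.exe
    "Process Create:\nImage: C:\\Windows\\System32\\cmd.exe\nCommandLine: cmd.exe /c "
    "wevtutil cl Setup & wevtutil cl System & fsutil usn deletejournal /D C:\n"
    "Hashes: SHA256=%s\nParentImage: C:\\Windows\\System32\\rundll32.exe" % ("44" * 32),
]

def run_sample():
    """Baseline from a clean host, then the four events replayed in order."""
    tracker = NewExecutableTracker(
        known_images=[CHROME, r"C:\Windows\System32\cmd.exe",
                      r"C:\Windows\System32\rundll32.exe"],
        known_hashes=["11" * 32, "44" * 32])
    return triage(SAMPLE_EVENTS, tracker)
```

run_sample() returns findings for events 1, 2 and 3 only: the updated Chrome trips the hash check once, the rundll32 event trips both the hash check and the perfc.dat rule, and the cmd.exe event is a known binary caught purely by its command line.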

What steps has EventTracker SIEMphonic taken?

  1. Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
  2. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.
  3. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of C&C servers, and the email address wowsmith123456@posteo.net.
  4. Monitoring system reboots and additions to the Scheduled Tasks list
  5. Watching Change Audit snapshots in your network for changes to registry (RunOnce)
  6. Updated ETIDS with snort signatures as described by Cisco Talos
  7. Performing log searches using known IOCs

Recommendations

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out of ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.

Perfect protection is not practical

With distressing regularity, new breaches continue to make headlines. The biggest companies, the largest institutions both private and government are affected. Every sector is in the news. Recounting these attacks is fruitless. Taking action based on the trends and threat landscape is the best step. Smarter threats that evade basic detection, mixed with the operational challenge of skills shortage, make the protection gap wider.

An overemphasis on prevention defines the current state of defenses as shown in the pie chart below.

According to ISACA’s 2015 cybersecurity report, over 85% of senior IT and business leaders report that they feel there is a labor crisis of skilled cybersecurity workers. Gartner believes approximately 50% of budgeted security positions are vacant; on average, technical staff spend about four years in a position before moving on. The threats that this outnumbered corps are working to confront are evolving so fast that security departments’ staffing methods are often hopelessly out of date.

The main lesson to learn is that “perfect protection is not practical, so monitoring is necessary.”

Are you feeling overwhelmed with the variety, velocity and volume of cyber attacks? Help is at hand. Our SIEMphonic managed detection and response offering blends best-in-class technology with a 24/7 iSOC to help strengthen your security defenses while controlling cost.

Three myths about Ransomware

Ransomware is a popular weapon for the modern attacker, with >50% of the 330,000+ attacks in 3Q15 targeted against US companies. No industry is immune to these attacks, which if successful are a blot on the financial statements of the targeted companies. Despite their success, ransomware attacks are not sophisticated, exploit traditional infection vectors and are not stealthy. The success of such attacks reveals poor endpoint protection planning and strategy, which is observed at companies of every size and every vertical. This leads to most organizations reacting to such infections rather than planning against them, which is expensive in staff hours and of course hurtful to reputation.

Misunderstandings of ransomware, how it works and how infection can be prevented are common. Here are three common misconceptions:

Myth #1: Ransomware is a zero-day attack

In fact, exploiting a zero-day vulnerability is an expensive proposition for a malicious actor. In reality, most malware targets vulnerabilities which, while well-documented and easily remediated, remain unpatched. Therefore, a systematic schedule of patching and endpoint system updates within 30 days of becoming available is the most effective available way to minimize the threat of ransomware, and indeed most “targeted” attacks.

Myth #2: Anti-virus & perimeter solutions are sufficient protection

Signature-based protection has been widely used for 20+ years and is a necessary and effective protection mechanism. However, this approach is well known and easily evaded by attackers. In addition to signature-based anti-virus solutions, it is necessary to consider endpoint detection and response solutions supported by monitoring and analytics. Many ransomware attacks are successful because attackers breach perimeter security solutions and web-facing applications. Most networks are flat, making them easy to traverse. Segmenting assets into trust zones and enforcing traffic flow rules is the way to go.

Myth #3: IT Admins always follow best practices

When administrator accounts are not monitored at all, it exposes such super powers to hacker opportunism. Admin workstations with drive mappings and often used (and sadly common) administrator passwords to critical servers are a high priority target. Best practice prescribes monitoring administrator accounts for unauthorized use, access and behaviors.

Recognize that ransomware itself isn’t much different than the malware of the past. Ransomware enters the organization the same way as other malware, propagates the same way and leverages known vulnerabilities in the same way. Thus the good news is that ransomware can also be defended in the same way as malware.

WannaCry: What to do if you can’t update Microsoft Windows

By A.N. Ananth

A global pandemic of ransomware hit Windows-based systems in 150 countries in a matter of hours. The root cause was traced to a vulnerability corrected by Microsoft for supported platforms (Win 7, 8.1 and higher) in March 2017, about 55 days before the malware was widespread. Detailed explanations and mitigation steps are described here. The first step to mitigation is to apply the update from Microsoft. A version for XP and 2003 was also released by Microsoft on Friday May 12, 2017.

But what if you did not apply the update because you just cannot do so? This is often the case in Industrial Control Systems (ICS), which comprise Operational Technology (OT) systems built on the same platforms (Windows XP, 7) that are susceptible to this vulnerability, but the patch/backup strategy recommended for traditional desktops just simply does not apply.

There are reports of several manufacturers that have apparently stopped work at plants because of WannaCry infestations of control systems, including automobile manufacturers like Renault, Dacia, and Nissan. There are many valid reasons:

  • The earlier versions of Microsoft software used in ICS aren’t just off-the-shelf versions of Windows, but they’re Windows as mediated by industrial control system vendors like Honeywell, Siemens and the like. They don’t use off-the-shelf Windows. Applying updates requires testing to ensure the ICS system is not going to be disrupted.
  • ICS system owners abhor downtime. It is very expensive to shut down a manufacturing line or an airport runway, and not possible to shut down the International Space Station.
  • ICS system owners often cite the “air gap”. But that’s a myth that has been exploded often.

As a start, ICS-CERT has published an advisory which provides this guidance:

  • Disable SMBv1 on every system connected to the network.
    • Information on how to disable SMBv1 is available here.
    • While many modern devices will operate correctly without SMBv1, some older devices may experience communication or file/device access disruptions.
  • Block port 445 (Samba).
    • This may cause disruptions on systems that require port 445.
  • Review network traffic to confirm that there is no unexpected SMBv1 network traffic. The following links provide information and tools for detecting SMBv1 network traffic and Microsoft’s MS17-010 patch:
  • Vulnerable embedded systems that cannot be patched should be isolated or protected from potential network exploitation.

If you need help and aren’t currently a customer, the same SIEM technology that detected WannaCry for our SIEMphonic Enterprise Edition customers can protect your systems as well. Our solution is designed to protect endpoints from unknown processes, like ransomware, and has been proven effective in tens of millions of installations. Find out more here.

WannaCry: Nuisance or catastrophe? What to expect next?

As we come to the one week point of the global pandemic of ransomware called WannaCry, it seems that while the infection gained worldwide (and unprecedented) news coverage, it has been more of a global nuisance than a global catastrophe. Some interesting points to note:

  • The most affected systems were un-patched Windows 7 and 2008 — not XP as thought earlier. This clearly points to the patching cycle. It also validates the approach taken by Microsoft in Windows 10 to force Windows updates for consumers and small business. There was a lot of rage against the machine at the time, but in retrospect, can we agree that it was the right design choice?
  • The distribution method was not a phishing email; rather, it seems the malware authors spread by scanning for networks that did not block port 445, which is used by the SMB protocol. It’s high time to correct this misconfiguration. Here is how to do it.
  • It may be that in the eyes of some users, this is another case of the security industry crying “wolf” again, thereby contributing to the numbness to such outbreaks.

What can we expect going forward?

  • As usual, criminals will be quick to take advantage of the attendant fear by pitching phony schemes to “protect” those that are worried they may be, or may become, victims.
  • There will be copycat malware. The distribution by worm (instead of phishing) makes network hygiene even more important.
  • Leaks will increase. Both Wikileaks and Shadow Brokers received tremendous publicity, and given the commercial nature of the latter, they will try and leverage this notoriety.
  • Patch hygiene may improve for a short period in businesses. This is similar to a driver slowing down after observing someone else pulled over by the police. The effects are only temporary though, sad to say.
  • Collaboration across the industry was a big part of blunting the damage. It looks set to continue, which is an incredibly good thing.

Do hackers prefer attacking over the weekend?

The recent WannaCry attack started on a Friday and it was feared that the results would be far more severe on Monday, as workers trickled back from the weekend. The fraudulent wires from Bangladesh Bank that resulted in $81M lost also happened on a Friday. A detailed account of how this weekend timing allowed hackers to get away with a large sum (rerouted to the Philippines) is described in this Reuters investigation.

Attribution in each case has veered towards a state-sponsored attacker that is interested in financial gain. The finger of suspicion points to North Korea in both cases. Lamont Siller, an FBI officer in the Philippines, said in a speech, “We all know the Bangladesh Bank heist, this is just one example of a state-sponsored attack that was done on the banking sector.” Symantec in a blog update reported “that its researchers found hacking tools that are ‘exclusively used by Lazarus’ on machines infected with early versions of WanaCryptor, aka WannaCry.” Lazarus is thought to have originated in North Korea.

All righty then, 1) attacks are state sponsored, persistent and advanced, and 2) timed for non-working hours. So are you ready to defend against such attackers? You know, you are not alone. EventTracker’s SIEMphonic service blends award winning SIEM technology with a 24/7 iSOC to give you the cover you need at a price that won’t break the bank.

Want to know more? Here is how we caught WannaCry and what we are doing about it for our customers.

WannaCry at Industrial Control Systems

WannaCry: Fraud follows fear

After the global pandemic of the WannaCry ransomware attack this past weekend, it’s entirely predictable that fraudsters would follow. After every major attack or vulnerability disclosure, criminals are quick to take advantage of the attendant fear by pitching phony schemes to “protect” those that are worried they may be, or may become, victims.

This has indeed occurred already in the wake of WannaCrypt. Various third-party mobile app stores are offering protection from the ransomware, but those protective apps are for the most part bogus, and commonly infested with adware. So, steer clear of apps promising protection, and instead patch and update your systems.

Spam emails notifying you that your machine is infected with WannaCry (see picture below) are also making the rounds.

Here’s some guidance to be safe from these attempts:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out-of-ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.

WannaCry: What it is and what to do about it

What happened

For those of us in the IT Security profession, Friday May 12 was Black Friday. Networks in healthcare and critical infrastructure across at least 99 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry. The bulk of infections were reported in Russia, Taiwan and Spain.

First observed targeting UK hospitals and Spanish banks, big companies like Telefónica, Vodafone and FedEx had some of their systems infected with the threat that also hit rail stations and universities. The Spanish CERT issued an alert warning the organizations and confirming that the malware was rapidly spreading.

Is it over? Will it happen again?

A sample of the malware was reverse engineered and found to contain a “kill switch”. The malware tries to resolve a particular domain name and if it exists, it self-destructs. This domain has been registered and so, if you are infected and this particular strain is able to successfully resolve that domain name using your internet connection and DNS settings, then it will apparently terminate itself. Obviously hope is not a strategy and assuming that we don’t have to do anything now is a big mistake. It is inevitable that a new strain which won’t have any such kill switch will emerge. Accordingly, it is imperative to strengthen defenses.

How it spreads

Initial infection is possibly via phishing email. CERT also reported that the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through Remote Desktop Protocol (RDP) compromise. Once the infection has taken root, it spreads across the network looking for new victims using the Server Message Block (SMB) protocol. The ransomware uses the Microsoft vulnerability MS17-010[1]. This vulnerability was used by ETERNALBLUE, an exploit that was developed by the NSA and released to the public by the Shadow Brokers, a hacker group, on April 14, 2017. Microsoft released a patch for this vulnerability on March 14, one month before the release of the exploit.

What it does

Once the infection is on the machine, it encrypts files and shows a ransom note asking for $300 or $600 worth of bitcoin.

Technical details

As described by CERT, the WannaCry ransomware is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual WannaCry ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and is not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed to spread laterally by gaining unauthorized access to the IPC$ share on other resources on the network on which it is operating.

What steps has EventTracker SIEMphonic taken?

  1. Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
  2. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.
  3. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of WannaCry C&C servers and domain names used by the malware.
  4. Added an alert if we see any logs containing the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which is used by WannaCry
  5. Watching Change Audit snapshots in your network for changes to registry (RunOnce) and for files with extension .wncry
  6. Updated ETIDS with snort signatures as described by the SANS Internet Storm Center
  7. Performing log searches using known IOCs
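The checks in steps 3 to 7 above can be expressed as a small IOC matcher. The following is an added example written for this page, not EventTracker code: it runs over constructed log lines (a DNS resolver log, a process-start log, a file-audit log and a flow log in an assumed "timestamp type key=value" layout) and uses the kill-switch domain, the .wncry extension and the SMB ports named on this page. The MD5 hash and the C&C address in the watch list are placeholders, not real WannaCry indicators, and the fan-out threshold for the lateral-movement rule is an assumption.

```python
"""Added example: match the WannaCry indicators above against constructed log
lines. Not EventTracker code. Log layout ("<ts> <type> key=value ...") is an
assumption; the kill-switch domain, ransom extension and SMB ports are the ones
named on this page, while the watch-list hash and address are placeholders."""
import re
from collections import Counter, defaultdict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
RANSOM_EXTENSIONS = (".wncry", ".wnry")
SMB_PORTS = {139, 445}
WATCHLIST_MD5 = {"00000000000000000000000000000000"}   # placeholder, not a real hash
WATCHLIST_IPS = {"192.0.2.10"}                          # placeholder (TEST-NET-1)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """'<ts> <type> k=v k="v with spaces"' -> dict of fields."""
    ts, kind, rest = line.split(" ", 2)
    ev = {k: v.strip('"') for k, v in KV.findall(rest)}
    ev["ts"], ev["type"] = ts, kind
    return ev


def detect(lines, scan_threshold=10, encrypt_threshold=2):
    """Return (rule, subject, detail) tuples for every indicator hit."""
    alerts = []
    smb_targets = defaultdict(set)   # src -> distinct hosts contacted on 139/445
    ransom_files = Counter()         # host -> files created with the ransom extension
    for ev in map(parse, lines):
        kind = ev["type"]
        if kind == "dns" and ev.get("qname", "").lower() == KILL_SWITCH_DOMAIN:
            # Any query proves the malware ran on the client, resolved or not:
            # it exits if the name resolves and starts encrypting if it does not.
            alerts.append(("wannacry_killswitch_query", ev["client"], ev["qname"]))
        elif kind == "proc" and ev.get("md5", "").lower() in WATCHLIST_MD5:
            alerts.append(("wannacry_known_hash", ev["host"], ev["md5"]))
        elif kind == "file" and ev.get("action") == "create":
            if ev.get("path", "").lower().endswith(RANSOM_EXTENSIONS):
                ransom_files[ev["host"]] += 1
        elif kind == "flow":
            if int(ev.get("dport", 0)) in SMB_PORTS:
                smb_targets[ev["src"]].add(ev["dst"])
            if ev.get("dst") in WATCHLIST_IPS:
                alerts.append(("wannacry_c2_contact", ev["src"], ev["dst"]))
    for host, n in ransom_files.items():
        if n >= encrypt_threshold:
            alerts.append(("wannacry_ransom_extension", host, f"{n} files"))
    for src, dsts in smb_targets.items():
        # one SMB session is normal; one host fanning out to many is the worm
        if len(dsts) >= scan_threshold:
            alerts.append(("smb_lateral_scan", src, f"{len(dsts)} hosts on 139/445"))
    return alerts


# Constructed sample logs (not real customer data).
SAMPLE_LOGS = [
    '2017-05-12T10:01:02Z dns client=10.0.0.15 qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN',
    '2017-05-12T10:01:09Z dns client=10.0.0.20 qname=www.example.com rcode=NOERROR',
    '2017-05-12T10:01:00Z proc host=WS-015 image="C:\\Users\\a\\Downloads\\update.exe" md5=00000000000000000000000000000000',
    '2017-05-12T10:01:03Z file host=WS-015 action=create path="C:\\Users\\a\\Documents\\budget.xlsx.WNCRY"',
    '2017-05-12T10:01:03Z file host=WS-015 action=create path="C:\\Users\\a\\Documents\\plan.docx.WNCRY"',
    '2017-05-12T10:01:04Z file host=WS-020 action=create path="C:\\Users\\b\\Documents\\notes.txt"',
    '2017-05-12T10:01:10Z flow src=10.0.0.20 dst=10.0.0.3 dport=445 proto=tcp',   # one normal SMB session
] + [  # the infected workstation probing 15 neighbours on 445 within seconds
    f'2017-05-12T10:01:05Z flow src=10.0.0.15 dst=10.0.0.{i} dport=445 proto=tcp' for i in range(30, 45)
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_LOGS):
        print(f"{rule:28} {subject:12} {detail}")
```

The kill-switch rule fires on the query rather than on the answer because a sinkholed lookup stops the encryption but does not undo the infection; the lateral-movement rule counts distinct destinations per source, which separates the worm's fan-out from an ordinary file-server session.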

Recommended steps for prevention

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability, released March 14, 2017, and disable SMBv1 wherever it is not required, since that is the protocol version the vulnerability lives in.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches as soon as possible.
  • Limit traffic to and from ports 139 and 445 to the internal network only, and block them between workstation segments where nothing depends on peer-to-peer SMB. Monitor traffic to these ports for out-of-the-ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable attachments before they reach end users.
  • Ensure anti-virus and anti-malware solutions are set to conduct regular scans automatically.
  • Manage the use of privileged accounts. Implement the principle of least privilege: no user should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should use them only when necessary.
  • Configure access controls, including file, directory and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories or shares; ransomware running as that user can then read but not overwrite them.
  • Disable macro scripts in Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files received by e-mail instead of the full Office suite applications.

How EventTracker protected customers

See the details in the Catch of the Day

Challenges with Threat Intelligence or why a Honeynet is a good idea

Shared threat intelligence is an attractive concept. The good guys share experiences about what the bad guys are doing thereby blunting attacks. This includes public-private partnerships like InfraGard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

The analogy can be made to casinos that share information with each other about cheaters and their characteristics via the Gaming Board or the Griffin Book. If you share the intelligence then everybody but the cheater wins. So why not the same for cyber security?

For one thing, you are dealing with anonymous adversaries capable of rapid change, unlike the casino analogy, where facial recognition can identify an individual even if their appearance is modified. Also, the behavior of the casino cheat tends to be similar (for example, sitting at the craps table or counting cards at blackjack as in Rain Man). In the cybersecurity world, all the defender has to go on is the type of attack (malware, phishing, ransomware), an IP range and possibly a domain name. So the indicators of compromise (IOCs) that can be shared are file hashes, domain names and sender email domains, all multiplying and morphing at digital speed, and the easiest of them for an attacker to change (a hash, a domain) are the very ones shared most. Such IOCs are very hard to share globally at the scale and speed of the internet.

In addition, when the good guys share IOCs, they often do so in ways that are visible to the bad guys as well (for example, uploading suspect files to VirusTotal). The bad guys use this to gauge the defenders' progress and adapt their attack accordingly.

So what now?

One solution is to implement local threat intelligence with a honeynet, a cyber-defense product that thwarts attempts by attackers to gain information about a private network. Comprised of multiple virtualized decoys strategically scattered throughout the network to lure bad actors, a honeynet provides intelligence about malicious activity against that network. Because the decoys serve no legitimate purpose, any interaction with them is suspicious by definition, which is what makes the approach effective at identifying bad actors, including insiders, by their behavior in your own neighborhood. This blog describes how honeynets differ from threat intelligence.
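A minimal decoy of the kind a honeynet is built from, added here as an example for this page. It is not EventTracker's Honeynet product; the decoy name, the banner it answers with and the alert fields are assumptions. The decoy performs no real function, so every connection it receives is an alert rather than noise, which is the behavioral, reputation-free signal described above.

```python
"""Added example: a single network decoy and the alert it raises when touched.
Not EventTracker code; decoy name, banner and alert fields are assumptions."""
import socket
import threading
import time


def record_touch(decoy_name, src, first_bytes):
    """Turn one connection to a decoy into an alert record. Nothing legitimate
    should ever connect, so no further filtering is applied."""
    return {
        "rule": "decoy_touched",
        "decoy": decoy_name,
        "src_ip": src[0],
        "src_port": src[1],
        "first_bytes": bytes(first_bytes[:64]),  # what the scanner sent first
        "ts": time.time(),
    }


def start_decoy(name, banner=b"", host="127.0.0.1", port=0):
    """Listen on host:port (port 0 = pick a free port), send `banner` so the
    decoy looks alive, and append an alert for every connection to the list
    returned alongside the listening socket. Close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    alerts = []

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:  # listening socket closed: end the thread
                return
            with conn:
                conn.settimeout(2.0)
                data = b""
                try:
                    if banner:
                        conn.sendall(banner)
                    data = conn.recv(256)
                except (socket.timeout, OSError):
                    pass
                alerts.append(record_touch(name, addr, data))

    threading.Thread(target=serve, daemon=True).start()
    return srv, alerts


def probe_decoy(port, payload=b"", host="127.0.0.1"):
    """Play the scanner: connect, send a payload, then read whatever the decoy
    answers until it closes. Returns the decoy's reply."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if payload:
            c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tell the decoy we are done talking
        reply = b""
        while True:
            chunk = c.recv(256)
            if not chunk:
                return reply
            reply += chunk


def wait_for_alerts(alerts, count, timeout=3.0):
    """Poll until `alerts` holds at least `count` records; the decoy records
    each touch on its own thread."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        if len(alerts) >= count:
            return True
        time.sleep(0.05)
    return len(alerts) >= count


if __name__ == "__main__":
    srv, alerts = start_decoy("fake-smb", banner=b"SMB\r\n")
    port = srv.getsockname()[1]
    probe_decoy(port, b"\x00\x00\x00\x2f\xffSMB")  # constructed probe bytes
    wait_for_alerts(alerts, 1)
    for a in alerts:
        print(a)
    srv.close()
```

In a real deployment the alert goes to the SIEM with the source address as the subject; the first bytes sent are kept because they tell you what the toucher thought the decoy was (an SMB negotiate, an HTTP request, an SSH banner) and therefore what the scanner was looking for.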

When a SIEM is Like an Exercise Machine Stuck Behind the Junk in Your Garage

By Randy Franklin Smith

I’m a big believer in security analytics and detective controls in general. At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes. Better yet, going on the offensive with threat hunting embodies the concept of taking the battle to the enemy instead of passively waiting.

But a SIEM is like an exercise machine.  If no one’s using it – regularly and intensely – it can be the best exercise machine in the world, but you aren’t going to get stronger or lose weight.

And the exercise machine analogy only gets you so far, because it doesn’t highlight the need for highly skilled specialists. Perhaps a better analogy is the myriad sensors and passive and active monitoring systems on an aircraft carrier. All that technology isn’t much use if there’s no 24/7 team of specialists interpreting the data and funneling the threat situation up to the officer on duty. It’s just a bunch of pretty flashing lights and screens.

Likewise, a SIEM needs a SOC.  But how many small- to medium-sized enterprises really have the team, resources and skills it takes to monitor, analyze and investigate what your SIEM is telling you – when it’s telling you? If you are like me, you may have the skill, but certainly don’t have time to look at a SIEM a few minutes each day, and we aren’t big enough to run a 24/7 SOC either.

So perhaps you settle for turning up the squelch and letting the SIEM only alert you to the most suspicious events and try to take a look at its dashboard every day.  At least you are collecting logs in case something happens – right?

But that approach is unlikely to catch incidents in time to limit the damage.  It’s frustrating because small businesses are just as much at risk to cyber threats as large enterprises, but we can’t leverage the economies of scale to do security right.

Or can we?  The solution for SMBs is the same as large enterprises – leverage economy of scale – but what’s different is the way that scale is achieved.  Large enterprises have the scale in-house.  The organization is large enough to justify funding and running an in-house SOC.

But small businesses can combine to get those economies of scale. We aren’t talking about some kind of security co-op, although that’s an interesting idea. What we are talking about is security monitoring as a service. Instead of, or in addition to, implementing an on-prem SIEM, some organizations are working with service providers to get the benefits of a SOC. It’s almost like a corporate jet fractional ownership plan, but better: the jet may or may not be available when you need it.

But with SIEM-as-a-Service you still get all the power, flexibility and security of an on-premises SIEM. You can use and take advantage of the SIEM as much as you have time and resources for, to do your own monitoring and threat hunting informed by your intimate knowledge of your organization and network. But in addition to your own efforts you are backed up by a 24/7 SOC operation watching your SIEM and providing for its care and feeding. When you get busy on other projects, incidents and investigations, you don’t have to worry that no one’s at the controls.

This is important because security monitoring and your SIEM are only a fraction of everything a small, or even one-person, security team needs to be working on.

EventTracker, for example, provides this in its SIEM-as-a-Service solution, SIEMphonic. The offering includes SIEM, intrusion detection, vulnerability scanning, threat intelligence and HoneyNet deception technology, implemented either on-premises or in the cloud. Experts at the company’s 24/7 intelligence-driven SOC provide remote administration and analytics.

Essential soft skills for cybersecurity success

IT workers in general, and IT security professionals in particular, pride themselves on their technical skills, keeping abreast of the latest threats and the newest tactics to demonstrate to management and peers that they are “worthy.” The long alphabet soup in the signature (CISSP, CISA, MCSE, CCNA and so on) is all very necessary and impressive. However, cybersecurity puzzles are not solved by technical skills alone. In fact, the case can be made that soft skills are just as important, especially because everyone in the organization needs to cooperate. Security is everyone’s job.

Collaboration

Security is everyone’s job, so a critical success factor for the cybersecurity leader is what you communicate and how you communicate to various stakeholders to gain support, buy-in and behavior change. The soft skills to partner with various individuals and departments throughout your organization will drive the success of any cybersecurity program.

Communication

Too often, IT security leaders speak in the technical jargon of their area of expertise. Not surprisingly, this makes no impact on business leaders nor on others in the organization whose participation is critical to success. After all, a behavior change is only possible if the employee recognizes risk and internalizes the change. This skill, like many others, can be learned and improved with practice. It’s unusual to see a technically capable person want to learn and hone such a skill, but it’s incredibly valuable, and when encountered, its value is readily recognized.

Culture

Culture in this context includes the perceptions, attitudes and beliefs people in the organization have toward cybersecurity. The process of incorporating emotion is often difficult for technical people to comprehend, but plays a central role in communication and collaboration, and therefore success in changing behavior or adoption of new procedures. Old economy companies, such as financial or government organizations, may have a “professional” culture that requires formality and procedure in communication and content. Technology companies with relatively younger employees may react better to communications with humor or animation, and a more informal style. Learning company culture will make collaboration and communication, and therefore cybersecurity, much more effective.

Ultimately, technical skills are necessary for success, but absent these soft skills, a successful cybersecurity program cannot be achieved. As an industry, we tend to emphasize and value technical skills; the same is needed for soft skills.

Who suffers more — cybercrime victims or cybersecurity professionals?

So you got hit by a data breach, an all too common occurrence in today’s security environment. Who gets hit? Odds are you will say the customer. After all it’s their Personally Identifiable Information (PII) that was lost. Maybe their credit card or social security number or patient records were compromised. But pause a moment and consider the hit on the company itself. The hit includes attorney fees, lost business, reputational damage, and system remediation costs.

They deserve it, you say? They were negligent and must suffer the consequences. But spare a thought for the individuals on the “front line,” defending their organizations against the entire world of cyber criminals. They are victims, too. And it may not be a lack of diligence or due care on their part either. In the meantime they may experience the same disappointment and grief as a customer whose data is compromised. They are confused. They may feel a lack of focus and confidence in themselves. They may have sleepless nights and an increased level of anxiety. Not very different than a caregiver to a sick patient.

As in the patient/caregiver scenario, all the attention is focused on the patient. Consider this excerpt from American Nurse that says, “While nurses may not suffer the same way patients do, we experience pain, frustration, lack of resources, and many other forms of suffering when delivering care to patients and their families. In our highly regulated healthcare environment, administrators commonly view nursing as the highest cost center instead of a revenue generator. Typically, nursing is factored into room and board on the patient’s bill.”

This will sound eerily familiar to the IT staff on the front line of responding to a data breach.

How can you help?

  • Acknowledge their pain and anxiety; show that you understand
  • Coordinate care; be there for them in a continuous way
  • Get them help; outside experts who deal in incident management
  • Conduct a lessons-learned review; an excellent way to beef up skills on the team is to consider co-sourcing certain responsibilities

The next time you hear of a data breach, spare a thought for the IT Security team at the front line; after all they are victims, too.

Top three high risk behaviors that compromise IT Security

By A.N. Ananth

The insider threat is typically much less frequent than external attacks, but when it does materialize it usually poses a much higher severity of risk for organizations. While insider incidents can be perpetrated by malicious actors, they are more commonly the result of negligence. In addition to investing in new security tools and technology to protect against external threats, companies should place a higher priority on identifying and fixing internal risks. Here are the top three high-risk behaviors that compromise IT security:

1) Sharing login credentials: Convenience is the enemy of security. It is far too often more convenient to share credentials than to create a unique login for each user. However, by doing so employees leave the company vulnerable to a data breach and destroy the audit trail, because a shared account cannot tell you which person performed an action. While it may not be practical to eliminate shared credentials completely, a password manager accessible to the several people who need common access can shield the actual password from the users while still making the access available.

2) Shadow IT or installing web applications: Users download unauthorized applications to their work computers or mobile devices. It also can occur when they subscribe to Software as a Service (SaaS) applications without IT approval. As employees spend large amounts of time at their desktop or laptop, it’s inevitable that they consider the device personal. The intention may be harmless–streaming music, looking for travel deals, shopping for personal items–but the danger is very real. Malvertising on such popular sites is frequently the reason for compromise.

3) Uploading files to personal storage: Dropbox, Google Drive and the like are often convenient ways of sharing company documents, either between employees for collaboration or for use at home and at work. The dedication is commendable, but the behavior is still a risky one. Popular consumer services were created for convenience, not necessarily for security, and once a document sits in a personal account the company has no say in where it goes next.

What’s the remedy? Frequent updates and reminders. This is no different from the procedures manufacturing facilities use to minimize accidents. One single training session during onboarding isn’t enough. Regular IT and security updates are essential.

How did we decide on these particular behaviors, you ask? It’s based on observations by our SIEMphonic team; we review more than 1 billion logs every day to keep our customers safe. While training is a must, monitoring is also necessary. Many of these behaviors can be observed and appropriate measures such as training can be taken as a result.

As President Reagan observed: Doveryai, no proveryai. Trust, but verify.

Man Bites Dog!

Made you look!

It’s a clickbait headline, a popular tactic with the press to get people to click on their article.

Cyber criminals, the ones after the gold in your network, are at heart, capitalists. In other words, they seek efficiency. How to get maximum returns for the minimum possible work. This tendency reveals itself in multiple ways.

For example:

  • They scan networks, looking for the less well guarded ones; default passwords, unpatched systems, minimal defenses; easy pickings. After all why bother with hard work if the same results can be had easily?
  • The rise of Ransomware-as-a-service; essentially a franchise model for ransomware, such that criminals with little technical expertise can run ransomware attacks without having to build anything from scratch. As you can imagine, this has led to a sharp increase in ransomware attacks.

In order to get the bad guys to move along to the next target, your job then is to push them up the pyramid of pain — make it that much harder so as to decrease their ROI.

But, wait a minute, you’re thinking. What about that screaming headline? Anthem, Target, the beat goes on. Remember, headlines are always screaming. That’s what gets eyeballs and what sells. The mundane, common, low-level, ho-hum attacks simply don’t make the headlines but cause more damage on a sustained basis than the latest zero day.

The analogy in the healthcare world is that Bird Flu and Ebola garner screaming headlines while the common cold is responsible for more days missed at work and school by orders of magnitude. When was the last headline you saw about little Johnny missing school because of a cold?

How now, brown cow? The approach is well known but bears repeating:

  • Identify your crown jewels (know your assets)
  • Do a gap analysis to determine vulnerabilities
  • Address these vulnerabilities
  • Monitor for breaches

Sound like a plan? Check out our SIEMphonic service. It’s the easy button for sensible security.

Ransomware is only getting started

By Randy Franklin Smith

Ransomware is about denying you access to your data via encryption. But that denial has to be of great enough magnitude to create sufficient motivation for the victim to pay. The magnitude of the denial is a function of:

  • Value of the encrypted copy of the data, which is a function of:
    • Intrinsic value of the data (irrespective of how many copies exist)
    • The number of copies of the data and their availability
  • Extent of operations interrupted

If the motivation to pay is about the value of the data, remember that the data doesn’t need to be private. It just needs to be valuable. The intrinsic value of the data (irrespective of copies) is only the first factor in determining the value of the criminally encrypted copy. The number of copies of the data and their level of availability exert upward or downward pressure on that value. If the victim has a copy of the data online and immediately accessible, the ransomware-encrypted copy has little to no value. On the other hand, if there are no backups, the value of the encrypted copy skyrockets.

But ransomware criminals frequently succeed in getting paid even when the value of the encrypted copy of the data is very low, and that is because of the operations interruption. An organization may be hit by ransomware that doesn’t encrypt a single file containing intrinsically valuable data. For instance, the bytes in winword.exe or outlook.exe are not valuable. You can find those bytes on billions of PCs and download them at any time from the Internet.

But if a criminal encrypts those files, you suddenly can’t work with documents or process emails. That user is out of business. Do that to all the users and the business is out of business.

Sure, you can just re-install Office, but how long will that take? And surely the criminal didn’t stop with those two programs.

Criminals are already figuring this out. In an ironic twist, criminals have co-opted a white-hat encryption program for malicious scrambling of entire volumes. Such system-level ransomware accomplishes complete denial of service for the entire system and all business operations that depend on it.

Do that to enough end-user PCs or some critical servers and you are into serious dollar losses no matter how well prepared the organization.

So we are certainly going to see more system-level ransomware.

But encrypting large amounts of data is a very noisy operation that you can detect if you are watching security logs and other file i/o patterns which just can’t be hidden.

So why bother with encrypting data in the first place? Here are two alternatives that criminals will increasingly turn to:

  • Storage device level ransomware
  • Threat of release

Storage device level ransomware

I use the broader term storage device because mechanical hard drives are, of course, on the way out. Also, although I still use the term ransomware, storage-device-level ransomware may or may not involve encryption. The fact is that storage devices have various security features built into them that can be turned against their owner. As a non-encryption but effective example, take disk drive passwords. Some drives support optional passwords that must be entered at the keyboard before the operating system boots. Sure, the data isn’t encrypted and you could recover it, but at what cost in terms of interrupted operations?

But many drives, flash or magnetic, also support hardware level encryption. Turning on either of these options will require some privilege or exploitation of low integrity systems but storage level ransomware will be much quieter, almost silent, in comparison to application or driver level encryption of present-day malware.

Threat of release

I’m surprised we haven’t heard of this more already. Forget about encrypting data or denying service to it. Instead exfiltrate a copy of any kind of information that would be damaging if it were released publicly or to another interested party. That’s a lot of information — not just trade secrets. HR information. Consumer private data. Data about customers. The list goes on and on and on.

There’s already a burgeoning trade in information that can be sold, like credit card information. But why bother with data that is only valuable if you can sell it to someone else and/or overcome all the fraud detection and loss-limiting technology that credit card companies are constantly improving?

The data doesn’t need to be intrinsically valuable. It only needs to be toxic in the wrong hands.

Time will tell how successful this will be, but it will happen. The combination of high read and write I/O on the same files is what makes ransomware stand out right now, and unless you are doing transparent encryption at the driver level you have to do it in bulk as quickly as possible. Threat-of-release attacks, by contrast, generate no file system writes at all and have no need to process bulk amounts of information as fast as possible. Criminals can take their time and let the data dribble out of the victim’s network to their command and control systems. The trade-off is that the outbound volume of a threat-of-release attack is orders of magnitude higher than that of encryption-based ransomware, where all that has to leave the network is the encryption keys; a host’s outbound volume against its own baseline is therefore the signal to watch.
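Two detections follow from the observations above: bulk encryption shows up as one process reading and rewriting many distinct files inside a short window, and threat-of-release shows up only as outbound volume that drifts above a host's own history. The example below is added for this page and is not the author's code; the event layout, the window length, the z-score and ratio thresholds and the sample data are all constructed assumptions, chosen to show both a sudden bulk transfer and the slow dribble the text describes.

```python
"""Added example: behavioral detection for the two ransomware variants discussed
above. Not the author's code; event layout, window and thresholds are assumptions."""
from collections import defaultdict, deque
from statistics import mean, pstdev


def file_burst_alerts(events, window=60.0, min_files=50):
    """Flag a process that both reads and rewrites many distinct files inside a
    sliding window of `window` seconds, the I/O pattern bulk encryption cannot hide.
    events: iterable of (ts_seconds, host, process, action, path), action being
    "read", "write" or "rename" (rename counts as a write)."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev[1], ev[2])].append(ev)
    alerts = []
    for (host, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        recent = deque()                  # events still inside the window
        reads, writes = defaultdict(int), defaultdict(int)
        both = peak = 0                   # paths with >=1 read and >=1 write in window
        for ts, _, _, action, path in evs:
            while recent and ts - recent[0][0] > window:   # expire old events
                _, old_action, old_path = recent.popleft()
                ctr = reads if old_action == "read" else writes
                was_both = reads[old_path] > 0 and writes[old_path] > 0
                ctr[old_path] -= 1
                if was_both and ctr[old_path] == 0:
                    both -= 1
            ctr = reads if action == "read" else writes
            ctr[path] += 1
            if ctr[path] == 1 and reads[path] > 0 and writes[path] > 0:
                both += 1
            recent.append((ts, action, path))
            peak = max(peak, both)
        if peak >= min_files:
            alerts.append({"rule": "bulk_rewrite", "host": host,
                           "process": proc, "files_in_window": peak})
    return alerts


def outbound_volume_alerts(daily_bytes, recent_days=7, z=3.0, min_ratio=2.0):
    """Flag a host whose mean outbound volume over the last `recent_days` days is
    both z standard deviations above its own earlier days and at least `min_ratio`
    times that baseline. Averaging a week catches a slow dribble as well as a
    one-day spike. daily_bytes: {host: [bytes per day, oldest first]}."""
    alerts = []
    for host, series in daily_bytes.items():
        if len(series) < recent_days + 2:
            continue                      # not enough history for a baseline
        base, recent = series[:-recent_days], series[-recent_days:]
        mu, sd, r = mean(base), pstdev(base), mean(recent)
        if r > mu + z * sd and r > min_ratio * max(mu, 1.0):
            alerts.append({"rule": "outbound_volume", "host": host,
                           "baseline_mb": round(mu / 1e6, 1),
                           "recent_mb": round(r / 1e6, 1)})
    return alerts


def _constructed_file_events():
    evs = []
    for i in range(60):   # placeholder malicious process rewriting 60 files in 30 s
        p = f"C:\\Users\\a\\Documents\\doc{i}.docx"
        evs.append((1000 + i * 0.5, "WS-01", "update.exe", "read", p))
        evs.append((1000 + i * 0.5 + 0.1, "WS-01", "update.exe", "write", p))
    for i in range(3):    # normal editing: three files over ten minutes
        p = f"C:\\Users\\b\\Documents\\memo{i}.docx"
        evs.append((1000 + i * 200, "WS-02", "winword.exe", "read", p))
        evs.append((1000 + i * 200 + 5, "WS-02", "winword.exe", "write", p))
    return evs


SAMPLE_FILE_EVENTS = _constructed_file_events()
MB = 1_000_000
SAMPLE_DAILY_OUTBOUND = {   # constructed: 14 baseline days followed by 7 recent days
    "WS-01": [48 * MB, 52 * MB] * 7 + [400 * MB] * 7,   # sudden bulk transfer
    "WS-02": [50 * MB] * 21,                            # flat, nothing to see
    "WS-03": [48 * MB, 52 * MB] * 7 + [120 * MB] * 7,   # slow, sustained dribble
}

if __name__ == "__main__":
    for a in file_burst_alerts(SAMPLE_FILE_EVENTS) + outbound_volume_alerts(SAMPLE_DAILY_OUTBOUND):
        print(a)
```

The file rule keys on the same path being both read and written by one process, not on raw write count, so a backup job (reads only) or a log writer (writes only) does not trip it; the volume rule compares each host to itself, which is what lets a modest but sustained daily increase stand out even though it would never cross a fleet-wide threshold.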

As with all endpoint based attacks (all attacks for that matter?) time is of the essence. The time-to-detection will continue to determine the magnitude of losses for victims and profits for criminals.

SIEMphonic and the Cyber Kill Chain

Cyber Kill Chain by Lockheed Martin

The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take the kill chain life cycle into account; this is one reason attackers continue to be so successful. Defending against persistent and advanced threats requires methods that detect and deny threats at each stage of the kill chain.

Focusing on perimeter defenses gives the appearance of concentrating resources on the most exposed assets and attack vectors. It also encourages the familiar claim that the attacker needs to succeed only once, out of an unlimited number of attempts, while defenders must be right every time. That claim is not only wrong but also untenable as a basis for defense. Just because there has been a successful malware infection or SQL injection attack against your network, it does not follow that the attacker has won and you have lost. The kill chain highlights that the attacker wins only when all phases have been executed successfully. A successful attack is an end-to-end process, described as a “chain” because an interruption at any stage breaks the entire attack. This shifts the burden onto the attacker, who must now succeed at each and every step, whereas the defender needs to succeed at only one.

The EventTracker SIEMphonic solution is a mix of technology, skilled experts and process discipline designed to address defense across the entire cyber kill chain. Here’s how SIEMphonic maps to the Cyber Kill Chain.

Recon – Defined as identification, target selection, gathering of organization details and information on technology choices. SIEMphonic detects attempts by receiving and analyzing web server logs, performing vulnerability scans and external penetration testing, all integrated with local, global and community threat intelligence. Our new EventTracker Honeynet offering is designed to deceive attackers and expose them by their actions rather than by reputation (which is too often neutral).

Deliver – Transmission of the malware is initiated either by the target (users browse to a malicious web site, leading to the dropping of malware, or they open a malicious PDF file) or by the attacker (SQL injection or network service exploitation). SIEMphonic provides security analytics and network behavioral analysis integrated with threat intelligence to detect such attempts.

Exploit – After delivery to the user or endpoint, malware gains a foothold by exploiting a known vulnerability. Sadly, it is most likely that a patch has been available for months or years but was never applied. The SIEMphonic vulnerability assessment service systematically discovers vulnerabilities and makes them easier to remediate, thereby reducing the attack surface.

Install – Usually this is a remote-access trojan (RAT), stealthy in its operation, that allows persistence or “dwell time” to be achieved. The attacker seeks to keep control without alerting the defenders. SIEMphonic technology includes Endpoint Threat Detection features that catch threats that evade signature-based antivirus. The Change Audit (aka FIM) feature tracks file changes at endpoints and is a robust technique for detecting unwanted installation.

C&C – Now that the attacker controls assets inside the network, he uses covert channels such as DNS, Internet Control Message Protocol (ICMP) or web sites to tell the controlled “asset” what to do next and what information to gather. A staging host is identified to which all internal data is copied, then compressed and/or encrypted and made ready for exfiltration. SIEMphonic can detect such activity through analysis of DNS activity, file integrity monitoring and network traffic analysis, all integrated with IP reputation intelligence.

Exfiltrate – In this final phase the attacker exfiltrates data, maintains dwell time in the network and then takes measures to identify more targets and expand their footprint. After the compromise, subsequent attack activity is performed as an internal user. The SIEMphonic activity monitoring function performs continuous monitoring to identify out-of-the-ordinary user access to data, including unusual frequency, times of day and previously unseen locations. Network behavioral analysis highlights devices moving data that is not part of their role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, protocols in active use that are against policy, or a trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.

Defending a network in today’s threat landscape requires a blend of technology, expertise and process discipline. SIEMphonic can help at an attractive price point.

Spending too much or too little on IT Security?

A common assumption is that security expenditure is a proxy for security maturity. This may make sense at first blush but paradoxically, a low relative level of information security spending compared to peers can be equally indicative of a very well-run or a poorly run security program. Spending analysis is, therefore, imprecise and a potentially misleading indicator of program success. In fact, it is necessary to ensure that the right risks are being adequately managed, and understand that spending may fluctuate accordingly.

According to Gartner’s most recent IT Key Metrics Data, respondents spent between 4% and 7% of their overall IT budget on IT security and risk management. Note that IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT within organizations. They simply provide an indicative view of average costs in general, without regard to complexity or demand.

The compliance hyperbole of previous years that drove information security spending has abated, having matured with organizations moving from planning to productive activities to address the requirements. Compliance remains a relevant internal selling point for justifying security and risk management budgets, but other factors — such as the series of high profile attacks played out in global media in recent years — have now become strong drivers. The visibility of information security spending in the boardroom is at an all-time high.

It is quite possible to constrain spending without compromising your security posture. One way is to consider managed detection and response. This is an effective outcome based combination of expertise and tools to detect threats, especially targeted advanced threats and insider threats. Our SIEMphonic service offering is a premier example of this type of service. The figure above, as described in this research note, can be the result.