WannaCry: Fraud follows fear

After the global pandemic of the WannaCry ransomware attack this past weekend, it’s entirely predictable that fraudsters would follow. After every major attack or vulnerability disclosure, criminals are quick to take advantage of the attendant fear by pitching phony schemes to “protect” those that are worried they may be, or may become, victims.

This has indeed occurred already in the wake of WannaCrypt. Various third-party mobile app stores are offering protection from the ransomware, but those protective apps are for the most part bogus, and commonly infested with adware. So, steer clear of apps promising protection, and instead patch and update your systems.

Spam emails notifying you that your machine is infected with WannaCry (see picture below) are also making the rounds.

WannaCry Ransomware

Here’s some guidance to be safe from these attempts:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out-of-ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.

WannaCry: What it is and what to do about it

What happened

For those of us in the IT Security profession, Friday May 12 was Black Friday. Networks in healthcare and critical infrastructure across at least 99 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry. The bulk of infections were reported in Russia, Taiwan and Spain.

First observed targeting UK hospitals and Spanish banks, big companies like Telefónica, Vodafone and FedEx had some of their systems infected with the threat that also hit rail stations and universities. The Spanish CERT issued an alert warning the organizations and confirming that the malware was rapidly spreading.

Is it over? Will it happen again?

A sample of malware was reverse engineered and found to contain a “kill switch“. The malware tries to resolve a particular domain name and if it exists, it self destructs. This domain has been registered and so, if you are infected and this particular strain is able to successfully resolve that domain name using your internet connection and DNS settings, then it will apparently terminate itself. Obviously hope is not a strategy and assuming that we don’t have to do anything now is a big mistake. It is inevitable that a new strain which won’t have any such kill switch will emerge. Accordingly, it is imperative to strengthen defenses.

How it spreads

Initial infection is possibly via phishing email. CERT also reported that the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise. Once the infection has taken root, it spreads across the network looking for new victims using the Server Message Block (SMB) protocol. The ransomware uses the Microsoft vulnerability MS17-10[1]. This vulnerability was used by ETERNALBLUE, an exploit that was developed by the NSA and released to the public by the Shadow Brokers, a hacker group on April 14, 2017. Microsoft released a patch for this vulnerability on March 14, one month before the release of the exploit.

What it does

Once the infection is on the machine, it encrypts files and shows a ransom note asking for $300 or $600 worth of bitcoin.

Technical details

As described by CERT, the WannaCry ransomware is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.

The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.

This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

What steps has EventTracker SIEMphonic taken?

  1. Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
  2. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.
  3. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of WannaCry C&C servers and domain names used by the malware
  4. Added an alert if we see any logs containing the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which is used by WannaCry
  5. Watching Change Audit snapshots in your network for changes to registry (RunOnce) and for files with extension .wncry
  6. Updated ETIDS with snort signatures as described by the SANS Internet Storm Center
  7. Performing log searches using known IOCs

Recommended steps for prevention

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out of ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.

How EventTracker protected customers

See the details in the Catch of the Day

Challenges with Threat Intelligence or why a Honeynet is a good idea

Shared threat intelligence is an attractive concept. The good guys share experiences about what the bad guys are doing thereby blunting attacks. This includes public-private partnerships like InfraGard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the U.S.

The analogy can be made to casinos that share information with each other about cheaters and their characteristics via the Gaming Board or the Griffin Book. If you share the intelligence then everybody but the cheater wins. So why not the same for cyber security?

For one thing, you are dealing with anonymous adversaries capable of rapid change, unlike the casino analogy where facial recognition can identify an individual even if their appearance is modified. Also, the behavior of the casino cheat tends to be similar (for example sit at the craps table or counting cards at blackjack as in Rain Man). In the cybersecurity world, all the defender has to go on is the type of attack (malware, phishing, ransomware), an IP range, and possibly a domain name. So the indicators of compromise (IOCs) that can be shared are file hashes, domain names, and sender email domains-all multiplying and morphing at digital speed. The IOCs are very hard to share globally at the scale and speed of the internet.

In addition, when the good guys share the IOCs, they do so in ways that are visible to bad guys as well (e.g., upload suspect files to Virus Total). This is leveraged by the bad guys to know the progress of the defenders and therefore adapt their attack.

So what now?

One solution is to implement local threat intelligence with a honeynet, a cyber-defense product that thwarts attempts by attackers to gain information about a private network. Comprised of
multiple virtualized decoys strategically scattered throughout the network to lure bad actors, honeynets can provide intelligence about malicious activity against the network. This solution is effective in identify bad actors including insiders, by their behavior, in your neighborhood. This blog describes the how they differ from Threat Intelligence.

When a SIEM is Like an Exercise Machine Stuck Behind the Junk in Your Garage

By Randy Franklin Smith

I’m a big believer in security analytics and detective controls in general.  At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes. Better yet, going on the offensive with threat hunting approaches the concept of taking the battle to enemy instead of passively waiting.

But a SIEM is like an exercise machine.  If no one’s using it – regularly and intensely – it can be the best exercise machine in the world, but you aren’t going to get stronger or lose weight.

And the exercise machine analogy only gets you so far because doesn’t highlight the need for highly skilled specialists.  Perhaps a better analogy is to compare the myriad sensors, passive and active monitoring systems on an aircraft carrier.  All that technology isn’t much use if there’s no 24/7 team of specialists interpreting the data and funneling the threat situation up to the officer on duty.  It’s just a bunch pretty flashing lights and screens.

Likewise, a SIEM needs a SOC.  But how many small- to medium-sized enterprises really have the team, resources and skills it takes to monitor, analyze and investigate what your SIEM is telling you – when it’s telling you? If you are like me, you may have the skill, but certainly don’t have time to look at a SIEM a few minutes each day, and we aren’t big enough to run a 24/7 SOC either.

So perhaps you settle for turning up the squelch and letting the SIEM only alert you to the most suspicious events and try to take a look at its dashboard every day.  At least you are collecting logs in case something happens – right?

But that approach is unlikely to catch incidents in time to limit the damage.  It’s frustrating because small businesses are just as much at risk to cyber threats as large enterprises, but we can’t leverage the economies of scale to do security right.

Or can we?  The solution for SMBs is the same as large enterprises – leverage economy of scale – but what’s different is the way that scale is achieved.  Large enterprises have the scale in-house.  The organization is large enough to justify funding and running an in-house SOC.

But small businesses can combine to get that economies of scale.  We aren’t talking about some kind of security co-op – although that’s interesting idea.  What we are talking about is security monitoring as a service.  Instead of, or in addition to, implementing an on-prem SIEM, some organizations are working with service providers to get the benefits of a SOC.  It’s almost like a corporate jet fractional ownership plan, but better.  The jet may or may not be available when you need it.

But with SIEM-as-a-Service you still get all the power, flexibility and security of an on-premise SIEM.  You can use and take advantage of the SIEM as much as you have time and resources for – to do your own monitoring and threat-hunting informed by your intimate knowledge of your organization and network.  But in addition to your efforts you are backed up by a 24/7 SOC operation watching your SIEM and providing for its care and feeding.  When you get busy on other projects, incidents and investigation you don’t have to worry that no-ones at the controls.

This is important because security monitoring and your SIEM is only a fraction of everything else small or event 1-person security team needs to be working on.

Event Tracker for example provides this in their SIEM as a Service solution, SIEMphonic. Their offering includes SIEM, intrusion detection, vulnerability scanning, threat intelligence, and HoneyNet deception technology, implemented either on-premises or in the cloud.  Experts at the company’s 24/7 intelligence-driven SOC provide remote administration and analytics.

Essential soft skills for cybersecurity success

IT workers in general, but more so IT Security professionals, pride themselves on their technical skills. Keeping abreast of the latest threats and the newest tactics to demonstrate to management and peers that one is “worthy.” The long alphabet soup in the signature, CISSP, CISA, MCSE, CCNA and so on, is all very necessary and impressive. However, cybersecurity puzzles are not solved by technical skills alone. In fact, the case can be made that soft skills are just as important, especially because everyone in the organization needs to cooperate. Security is everyone’s job.


Security is everyone’s job, so a critical success factor for the cybersecurity leader is what you communicate and how you communicate to various stakeholders to gain support, buy-in and behavior change. The soft skills to partner with various individuals and departments throughout your organization will drive the success of any cybersecurity program.


Too often, IT security leaders speak in the technical jargon of their area of expertise. Not surprisingly, this makes no impact on business leaders nor on others in the organization whose participation is critical to success. After all, a behavior change is only possible if the employee recognizes risk and internalizes the change. This skill, like many others, can be learned and improved with practice. It’s unusual to see a technically capable person want to learn and hone such a skill, but it’s incredibly valuable, and when encountered, its value is readily recognized.


Culture in this context includes the perceptions, attitudes and beliefs people in the organization have toward cybersecurity. The process of incorporating emotion is often difficult for technical people to comprehend, but plays a central role in communication and collaboration, and therefore success in changing behavior or adoption of new procedures. Old economy companies, such as financial or government organizations, may have a “professional” culture that requires formality and procedure in communication and content. Technology companies with relatively younger employees may react better to communications with humor or animation, and a more informal style. Learning company culture will make collaboration and communication, and therefore cybersecurity, much more effective.

Ultimately, technical skills are necessary for success, but absent these soft skills, a successful cybersecurity program cannot be achieved. As an industry, we tend to emphasize and value technical skills; the same is needed for soft skills.

Who suffers more — cybercrime victims or cybersecurity professionals?

So you got hit by a data breach, an all too common occurrence in today’s security environment. Who gets hit? Odds are you will say the customer. After all it’s their Personally Identifiable Information (PII) that was lost. Maybe their credit card or social security number or patient records were compromised. But pause a moment and consider the hit on the company itself. The hit includes attorney fees, lost business, reputational damage, and system remediation costs.

They deserve it, you say? They were negligent and must suffer the consequences. But spare a thought for the individuals on the “front line,” defending their organizations against the entire world of cyber criminals. They are victims, too. And it may not be a lack of diligence or due care on their part either. In the meantime they may experience the same disappointment and grief as a customer whose data is compromised. They are confused. They may feel a lack of focus and confidence in themselves. They may have sleepless nights and an increased level of anxiety. Not very different than a caregiver to a sick patient.

As in the patient/caregiver scenario, all the attention is focused on the patient. Consider this excerpt from American Nurse that says, “While nurses may not suffer the same way patients do, we experience pain, frustration, lack of resources, and many other forms of suffering when delivering care to patients and their families. In our highly regulated healthcare environment, administrators commonly view nursing as the highest cost center instead of a revenue generator. Typically, nursing is factored into room and board on the patient’s bill.”

This will sound eerily familiar to the IT staff on the front line of responding to a data breach.

How can you help?

  • Acknowledge their pain and anxiety; show that you understand
  • Coordinate care; be there for them in a continuous way
  • Get them help; outside experts who deal in incident management
  • Conduct a lessons learned; an excellent way to beef up skills on the team is to consider co-sourcing certain responsibilities

The next time you hear of a data breach, spare a thought for the IT Security team at the front line; after all they are victims, too.

Top three high risk behaviors that compromise IT Security

By A.N. Ananth

The insider threat is typically much more infrequent than external attacks, but they usually pose a much higher severity of risk for organizations when they do happen. While they can be perpetrated by malicious actors, it is more common the result of negligence. In addition to investing in new security tools and technology to protect against external threats, companies should place higher priority on identifying and fixing internal risks. Here are the top 3 high risk behaviors that compromise IT security:

1) Sharing login credentials: Convenience is the enemy of security. It is far too often more convenient to share credentials than create a unique login for each user. However, by doing so they leave the company vulnerable to data breach. While it may not be practical to completely eliminate shared credentials, a password manager that is accessible to multiple persons who need common access can shield the actual password from the user but still make it available.

2) Shadow IT or installing web applications: Users download unauthorized applications to their work computers or mobile devices. It also can occur when they subscribe to Software as a Service (SaaS) applications without IT approval. As employees spend large amounts of time at their desktop or laptop, it’s inevitable that they consider the device personal. The intention may be harmless–streaming music, looking for travel deals, shopping for personal items–but the danger is very real. Malvertising on such popular sites is frequently the reason for compromise.

3) Uploading of files to personal storage: Dropbox, Google Drive, etc. are often convenient ways of sharing company documents either between employees for collaboration or for use at home and work. The dedication is commendable, the behavior is still a risky one. Popular services were created for convenience and not necessarily for security.

What’s the remedy? Frequent updates and reminders. It’s so different than the procedures used in manufacturing facilities to minimize accidents. One single training session during onboarding isn’t enough. Regular IT and security updates are essential.

How did we decide on these particular behaviors, you ask? It’s based on observations by our SIEMphonic team; we review more than 1 billion logs every day to keep our customers safe. While training is a must, monitoring is also necessary. Many of these behaviors can be observed and appropriate measures such as training can be taken as a result.

As President Reagan observed, Doveryai, no proveryai.

Man Bites Dog!

Made you look!

It’s a clickbait headline, a popular tactic with the press to get people to click on their article.

Cyber criminals, the ones after the gold in your network, are at heart, capitalists. In other words, they seek efficiency. How to get maximum returns for the minimum possible work. This tendency reveals itself in multiple ways.

For example:

  • They scan networks, looking for the less well guarded ones; default passwords, unpatched systems, minimal defenses; easy pickings. After all why bother with hard work if the same results can be had easily?
  • The rise of Ransomware-as-a-service; essentially a franchise model for ransomware, such that criminals with little technical expertise can run ransomware attacks without having to build anything from scratch. As you can imagine, this has led to a sharp increase in ransomware attacks.

In order to get the bad guys to move along to the next target, your job then is to push them up the pyramid of pain — make it that much harder so as to decrease their ROI.

But, wait a minute, you’re thinking. What about that screaming headline? Anthem, Target, the beat goes on. Remember, headlines are always screaming. That’s what gets eyeballs and what sells. The mundane, common, low-level, ho-hum attacks simply don’t make the headlines but cause more damage on a sustained basis than the latest zero day.

The analogy in the healthcare world is that Bird Flu and Ebola garner screaming headlines while the common cold is responsible for more days missed at work and school by orders of magnitude. When was the last headline you saw about little Johnny missing school because of the flu?

How now, brown cow? The approach is well known but bears repeating:

  • Identify your crown jewels (know you assets)
  • Do a gap analysis to determine vulnerabilities
  • Address these vulnerabilities
  • Monitor for breaches

Sound like a plan? Check out our SIEMphonic service. It’s the easy button for sensible security.

Ransomware is only getting started

By Randy Franklin Smith

Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude create sufficient motivation for the victim to pay. Magnitude of the denial is a factor –

  • Value of the encrypted copy of the data, which is a function of:
    • Intrinsic value of the data (irrespective of how many copies exist)
    • The number of copies of the data and their availability
  • Extent of operations interrupted

If the motivation-to-pay is about the value of the data, remember that the data doesn’t need to be private. It just needs to be valuable. The intrinsic value of data (irrespective of copies) is only the first factor in determining the value of the criminally encrypted copy of the data. The number copies of the data and their level of availability exert upward or downward pressure on the value of the encrypted data. If the victim has a copy of the data online and immediately accessible, the ransomware encrypted copies have little to know value. On the other hand, if there are no backups of the data, the value of the encrypted copy skyrockets.

But ransomware criminals frequently succeed in getting paid even if the value of the encrypted copy of data is very low. And that’s because of the operations interruption. An organization may be hit by ransomware that doesn’t encrypt a single file containing data that is intrinsically valuable. For instance, the bytes in msword.exe or outlook.exe are not valuable. You can find those bytes on billions of PCs and download them at any time from the Internet.

But if a criminal encrypts those files, you suddenly can’t work with documents or process emails. That user is out of business. Do that to all the users and the business is out of business.

Sure, you can just re-install Office, but how long will that take? And surely the criminal didn’t stop with those two programs.

Criminals are already figuring this out. In an ironic twist, criminals have co-opted a white-hat encryption program for malicious scrambling of entire volumes. Such system-level ransomware accomplishes complete denial of service for the entire system and all business operations that depend on it.

Do that to enough end-user PCs or some critical servers and you are into serious dollar losses no matter how well prepared the organization.

So we are certainly going to see more system-level ransomware.

But encrypting large amounts of data is a very noisy operation that you can detect if you are watching security logs and other file i/o patterns which just can’t be hidden.

So why bother with encrypting data in the first place. Here’s 2 alternatives that criminals will increasingly turn to:

  • Storage device level ransomware
  • Threat of release

Storage device level ransomware

I use the broader term storage device because of course mechanical hard drives are on the way out.  Also, although I still use the term ransomware, storage device level ransomware may or may not include encryption. The fact is that storage devices have various security built-in to them that can be “turned.”  As a non-encryption but effective example, take disk drive passwords. Some drives support optional passwords that must be entered at the keyboard prior to the operating system booting. Sure the data isn’t encrypted and you could recover the data, but at what cost in terms of interrupted operations?

But many drives, flash or magnetic, also support hardware level encryption. Turning on either of these options will require some privilege or exploitation of low integrity systems but storage level ransomware will be much quieter, almost silent, in comparison to application or driver level encryption of present-day malware.

Threat of release

I’m surprised we haven’t heard of this more already. Forget about encrypting data or denying service to it. Instead exfiltrate a copy of any kind of information that would be damaging if it were released publicly or to another interested party. That’s a lot of information — not just trade secrets. HR information. Consumer private data. Data about customers. The list goes on and on and on.

There’s already a burgeoning trade in information that can be sold – like credit card information. But why bother with data that is only valuable if you can sell it to someone else and/or overcome all the fraud detection and lost limiting technology that credit card companies are constantly improving?

The data doesn’t need to be intrinsically valuable. It only needs to be toxic in the wrong hands.

Time will tell how successful this will be it will happen. The combination of high read/write I/O on the same files is what makes ransomware standout right now. And unless you are doing transparent encryption at the driver level, you have to accomplish it in bulk as quickly as possible. But threat-of-release attacks won’t cause any file system output. Threat-of-release also doesn’t need to process bulk amounts of information as fast as possible. Criminals can take their time and let it dribble out of the victim’s network and their command and control systems. On the other hand, the volume of outbound bandwidth with threat of release is orders of magnitude higher than encryption-based ransomware where all the criminal needs to send is encryption keys.

As with all endpoint based attacks (all attacks for that matter?) time is of the essence. The time-to-detection will continue to determine the magnitude of losses for victims and profits for criminals.

SIEMphonic and the Cyber Kill Chain

Cyber Kill Chain by Lockheed Martin

The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and ex filtration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take into account the kill chain life cycle approach; this is a reason why attackers are continuing to be so successful. Defending against persistent and advanced threats requires methods that detect and deny threats at each stage of the kill chain.

Focusing on perimeter defenses gives the appearance of concentrating resources on the most exposed assets and attack vectors. This thinking means the attacker needs to be successful only once out of an unlimited number of attempts. Defenders, conversely, must be right every time. This is not only wrong but also untenable. Just because there has been a successful malware infection or SQL injection attack against your network, it does not follow that the attacker has won and you have lost. The kill chain highlights that this is clearly not the case, because the attacker wins only when all phases of the Cyber Kill Chain have been executed successfully. A successful attack is an end-to-end process and described as a “chain” because an interruption at any stage can interrupt the entire attack. This turns the burden on the attacker who must now succeed at each and every step whereas a defender must succeed at only on step.

The EventTracker SIEMphonic solution is a mix of technology, skilled experts and process discipline designed to address defense across the entire cyber kill chain. Here’s how SIEMphonic maps to the Cyber Kill Chain.

Recon  Defined as identification, target selection, organization details, information on technology choices. SIEMphonic detects attempts by receiving and analyzing Web server logs, performing vulnerability scan, external penetration testing, all integrated with local, global and community threat intelligence. Our new EventTracker Honeynet offering is designed to deceive attackers and expose them by their actions rather than by reputation (which is too often neutral).

Deliver  Transmission of the malware is initiated by either the target (users browse to a malicious Web presence, leading to the dropping of malware, or they open a malicious PDF file) or by the attacker (SQL injection or network service exploitation). SIEMphonic provides security analytics and network behavioral analysis integrated with threat intelligence to detect such attempts.

Exploit  After delivery to the user or endpoint, malware will gain a foothold by exploiting a known vulnerability. Sadly it is most likely that a patch has been available for months or years but not implemented. The SIEMphonic vulnerability assessment service provides a managed service to systematically discover vulnerabilities and make it easier to remediate them thereby reducing the attack surface.

Install  Usually this is a remote-access trojan (RAT), stealthy in its operation, allowing persistence or “dwell time” to be achieved. The attacker seeks to control this without alerting the defenders. SIEMphonic technology includes Endpoint Threat Detection features which catches threats that evade the signature based anti virus. The Change Audit (aka FIM) feature tracks file changes at endpoints and is a robust technique to detect unwanted installation.

C&C  Now that the attacker has control of assets inside the network, using methods such as DNS, Internet Control Message Protocol (ICMP), websites he tells the controlled “asset” what to do next and what information to gather. A staging host is identified to which all internal data is copied, and then compressed and/or encrypted and made ready for exfiltration. SIEMphonic can detect such activities by analysis of DNS activity, file integrity monitoring and network traffic analysis all integrated with IP reputation intelligence.

Exfiltrate – In this final phase the attacker exfiltrates data and maintains dwell time in the network and then takes measures to identify more targets, expand their footprint. After the compromise, subsequent attack activity is performed as internal user. SIEMphonic activity monitoring function performs continuous monitoring to identify out of ordinary user access to data, including frequency, times of day and from locations previously unseen. Network behavioral analysis highlight devices that are moving data around that is not part of its role (traffic to hosts that stand out), an exceedingly high volume of DNS traffic to an external DNS server that is not defined for external host name resolution, traffic protocols being actively used that are against policy or trusted user attempting clearly malicious activity such as an FTP session to an unexpected destination.

Defending a network in today’s threat landscape requires a blend of technology, expertise and process discipline. SIEMphonic can help at an attractive price point.

Spending too much or too little on IT Security?

A common assumption is that security expenditure is a proxy for security maturity. This may make sense at first blush but paradoxically, a low relative level of information security spending compared to peers can be equally indicative of a very well-run or a poorly run security program. Spending analysis is, therefore, imprecise and a potentially misleading indicator of program success. In fact, it is necessary to ensure that the right risks are being adequately managed, and understand that spending may fluctuate accordingly.

According to Gartner’s most recent IT Key Metrics Data, respondents spent between 4-7% on IT security and risk management as a percentage of the overall IT budget. Note that IT spending statistics alone do not measure IT effectiveness and are not a gauge of successful IT within organizations. They simply provide an indicative view of average costs in general, without regard to complexity or demand.

The compliance hyperbole of previous years that drove information security spending has abated, having matured with organizations moving from planning to productive activities to address the requirements. Compliance remains a relevant internal selling point for justifying security and risk management budgets, but other factors — such as the series of high profile attacks played out in global media in recent years — have now become strong drivers. The visibility of information security spending in the boardroom is at an all-time high.

It is quite possible to constrain spending without compromising your security posture. One way is to consider managed detection and response. This is an effective outcome based combination of expertise and tools to detect threats, especially targeted advanced threats and insider threats. Our SIEMphonic service offering is a premier example of this type of service. The figure above, as described in this research note, can be the result.

Compliance is not a proxy for due care

Regulatory compliance is a necessary step for IT leaders, but it’s not sufficient enough to reduce residual IT security risk to tolerable levels. This is not news. But why is this the case? Here are three reasons:

  • Compliance regulations are focused on “good enough,” but the threat environment mutates rapidly. Therefore, any definition of “good enough” is temporary. The lack of specificity in most regulations is deliberate to accommodate these factors.
  • IT technologies change rapidly. An adequate technology solution today will be obsolete within a few years.
  • Circumstances and IT networks are so varied, that no single regulation can address them all. Prescribing a common set of solutions for all cases is not possible.

The key point to understand is that the compliance guidance documents are just that — guidance. Getting certification for the standard, while necessary, is not sufficient. If your network becomes the victim of a security breach and a third party suffers harm, then compliance to the guidelines alone will not be an adequate defense, although it may help mitigate certain regulatory penalties. All reasonable steps to mitigate the potential for harm to others must have been implemented, regardless of whether those steps are listed within the guidance.

A strong security program is based on effective management of the organization’s security risks. A process to do this effectively is what regulators and auditors look for.

‘Twas the Night Before Christmas – an EventTracker Story

Christmas Tree

‘Twas the night before Christmas and all through HQ

Not a creature was stirring, except greedy Lou –

An insider thief who had planned with great care

A breach to occur while no one was there.

Lou began his attack without trepidation,

For all his co-workers were on their vacations.

He logged into Payroll and then in a flash

Transferred to his account a large sum of cash.

But Lou didn’t realize that what he was doing

Had sent an alert that something was brewing.

And who was receiving this urgent alert?

Why EventTracker’s staff, who are always at work.

While monitoring all of their client locations

EventTracker’s team received notifications.

Their software had noticed some behavior changes

That seemed to fall outside of the normal ranges.

Immediately, they picked up the phone

And rang for Lou’s boss, but no one was home.

But EventTracker’s staff had more than one number.

And Lou’s boss heard his cell, despite being mid-slumber.

During the call, they exchanged information.

And while Lou’s boss called the police station,

EventTracker immediately got to work

Shutting down Lou’s access to HQ’s network.

Lou is now spending his Christmas in jail.

And the money he stole was returned without fail.

As for EventTracker, what else can I say?

This story will be one more Catch of the Day.

Work Smarter – Not Harder: Use Internal Honeynets to Detect Bad Guys Instead of Just Chasing False Positives

Log collection, SIEM and security monitoring are the journey not the destination.  Unfortunately, the destination is often a false positive.  This is because we’ve gotten very good at collecting logs and other information from production systems, then filtering that data and presenting it on a dashboard.  But we haven’t gotten that good at distinguishing events triggered by bad guys from those triggered by normal everyday activity.

A honeynet changes that completely.

At the risk of perpetuating a bad analogy, I’m going to refer to the signal-to-noise ratio often thrown around when you talk about security monitoring.  If you like that noise/signal concept then the difference is like putting an egg timer in the middle of Times Square at rush hour.  Trying to hear it is like trying to pick out bad guy activity in logs collected from production systems.  Now put that egg timer in a quiet room.  That’s the sound of a bad guy hitting an internal honeynet.

Honeynets on your internal network are normally very quiet.  The only legitimate stuff that’s going to hit them are things like vulnerability scanners, network mapping tools and… what else?  What else on your network routinely goes out and touches IP addresses that it’s not specifically configured to communicate with?

So you either configure those few scanners to skip your honeynet IP ranges, or else you leverage them as positive confirmation that your honeynet is working and reporting when it’s touched.  You just de-prioritize that expected traffic to an “honorable mention” pane on your dashboard.

On the other hand, (unless someone foolishly publishes it) the bad guy isn’t going to know the existence of your honeynet or its coordinates.  So as he routinely scans your network, he’s inevitably going to trip over your honeynet — if you’ve done it right.  But let’s talk about some of these points.

First, how would a bad guy find out about your honeynet?

  • Once he gets control of IT admin user accounts and reads their email, has access to your network and security documentation, etc. But if you have good privileged access controls this should be fairly late stage.  Honeynets are intended to catch intrusions at early to mid-stage.
  • By lurking on support forums and searching the Internet (e.g. Stackoverflow, honeynet vendor support sites). It goes without saying — don’t reveal your name, company or company email address in your postings.
  • By scanning your network. It’s pretty easy to identity honeynets when you come across them – especially low-interaction honeynets, which are most common.  But guess what?  Who cares?  They’ve already set off the alarm.  So this one doesn’t count.

So, honeynets are definitely a matter of security through obscurity.  But you know what?  We rely on security through obscurity a lot more than we think.  Encryption keys are fundamentally security through obscurity.  Just really, really, really, good obscurity.  And security through obscurity is only a problem when you are relying on it as a preventive control – like using a “secret” port number instead of requiring an authenticated connection.  Honeynets are detective controls.

But what if you are up against not just a persistent threat actor but a patient, professional and cautious one who assumes you have a honeynet and you’re listening to it?  He’s going to tiptoe around much more carefully.  If I were him, I would only touch systems out there that I had reason to believe were legitimate production servers.  Where would I collect such information?  Places like DNS, browser history, netstat output, links on intranet pages and so on.

At this time, most attackers aren’t bothering to do that.  It really slows them down and they know it just isn’t necessary in most environments.  But this is a constant arms race, so it’s good to think about the future.  First, a bad guy who assumes you have a honeynet is a good thing because of what I just mentioned.  It slows them down, giving more time for your other layers of defense to do their job.

But are there ways you to optimize your honeynet implementation for catching the honeynet-conscious, patient attacker?   One thing you can do is go through the extra effort and coordination with your network team to reserve more and smaller sub-ranges of IP addresses for your honeynet so that it’s widely and granularly dispersed throughout address space.  This makes it harder to make a move without hitting your honeynet, and further reduces the assumption that attackers usually find it safe to make — that all your servers are in range for static addresses, workstations in another discreet range for DHCP, and then another big block devoted to your honeynet.

The bottom line though is honeynets are awesome.  You get very high detection with a comparatively small investment.  Checkout my recent webinar on Honeynets sponsored by EventTracker, who now offers Honeynet-as-a-Service that is fully integrated with your SIEM.  Deploying a honeynet and keeping it running is one thing, but integrating it with your SIEM is another.  EventTracker nails both.

Top three reasons SIEM solutions fail

We have been implementing Security Information and Event Management (SIEM) solutions for more than 10 years. We serve hundreds of active SIEM users and implementations. We have had many awesome, celebratory, cork-popping successes. Unfortunately, we’ve also had our share of sad, tearful, profanity-filled failures. Why? Why do some companies succeed with SIEM while others fail? Here is a secret for you: the product doesn’t matter. The size of the company doesn’t matter. It’s something else. SIEM can deliver great results but it can soak up budget, time and leave you frustrated with the outcome. Here are the (all too) common reasons why SIEM implementations fail.

Reason 1: You don’t have an administrator in charge.

We call this the RUN function. A person in charge of platform administration. A Sys Admin who:

  • Keeps the solution up-to-date with upgrades and new versions
  • Performs system health checks, storage projections and log volume/performance analysis
  • Analyzes changes in log collection for new systems and non-reporting systems
  • Adds and configures users, standardized reports, dashboards and alerts
  • Generates Weekly System Status Report
  • Confirms external/third party integration’s are functioning normally: threat intel feeds, IDS, VAS

Reason 2: The boss isn’t committed.

For the SIEM solution to deliver value, the executive in charge must be fully committed to it, providing emotional, financial and educational support to the administrator. You tell your team that this is the company’s system and everyone’s going to use it. You invest in outside help to get it up and running, and use it the right way with the proper training and service. You don’t cave in when people complain because they don’t like the color of the screen or the font, or that things take extra clicks, or that it’s not “user friendly.” For this system to work, your people will need to do more work. You provide resources to help them, but you stand firm because this is your network. You realize that using this product the right way will help you make your company safer…and more valuable. Stand firm. Commit. Or you will fail.

Reason 3: You’re not using the data.

Our best implementations have 2-3 key objectives satisfied by the SIEM systems each day. Managers read these reports and rely on the data to help them secure their network. Have a few key objectives or you will fail. We call this the WATCH function for obvious reasons.

We are a premier provider of SIEM solutions and services, but with all due respect we would advise against buying a SIEM solution if a client is not prepared to invest in an administrator or reports, or shows little interest in adopting the system into their company culture.

How the EventTracker/Netsurion merger will bring you more powerful cybersecurity solutions

We are delighted that EventTracker is now part of the Netsurion family.

On October 13, 2016 we announced our merger with managed security services Netsurion. As part of the agreement, Netsurion’s majority shareholder, Providence Strategic Growth, the equity affiliate of Providence Equity Partners, made an investment in EventTracker to accelerate growth for our combined company. Netsurion’s managed security services protect multi-location businesses’ information, payment systems, and on-premise public and private Wi-Fi networks from data breaches, data loss, and other risks posed by hackers.

We are thrilled to join with a dynamic and leading security organization to provide a managed network security service that couples our cutting-edge managed SIEM offering with a state-of-the-art managed firewall.

As the threat landscape evolves rapidly and hackers become more sophisticated, it’s become clear that comprehensive security solutions, like SIEM, are necessary to protect organizations from current and emerging threats and ensuring your brand is safe. However, many small and multi-location businesses cannot afford, and do not have the knowledge to manage such complex systems. Combining our cloud-based SIEM capabilities with Netsurion’s expertise in managed security services allows us to deliver SIEM to a class of businesses that previously was unable to afford and manage such sophisticated security measures. Now any sized branch or remote office, franchise, or sole proprietor operation can use Netsurion’s managed network security service or EventTracker’s SIEM services without the costs and complexity of full-time dedicated resources.

This transaction is only the beginning of a series of amazing new offerings we will be announcing in the coming months. We will soon be introducing a new product offering that will bring enterprise-level SIEM security down to the multi-location environment, as well as enhanced PCI-DSS compliance services, including a new FIM solution and PCI QSA consulting services.

Tracking Physical Presence with the Windows Security Log

How do you figure out when someone was actually logged onto their PC?  By “logged onto” I mean, physically present and interacting with their computer. The data is there in the security log, but it’s so much harder than you’d think.

First of all, while I said it’s in the security log, I didn’t say which one. The bad news is, it isn’t in the domain controller log.  Domain controllers know when you logon, but they don’t know when you logoff. This is because domain controllers just handle initial authentication to the domain and subsequent authentications to each computer on the network. These are reflected as Kerberos events for Ticket-Granting Tickets and Service Tickets, respectively. But domain controllers are not contacted and have no knowledge of when you logoff – at all.  In fact, look at the events under the Account Logon audit policy subcategory. These are the key domain controller events that are generated when a user logs on with a domain account. As you can see, there is no logoff event. That event it only logged by the Logoff subcategory.

And really, the whole concept of a discreet session with a logon and logoff has disappeared.  You may remain “logged on” to your PC for days, if not weeks.  So the real question is not, “Was Bob logged in?” It’s more about, “Was Bob physically present, interacting with the PC?”  To answer this, you have to look at much more than simple logon/logoff events, which may be separated by long periods of time during which Bob is anywhere but at his computer.

Physical presence auditing requires looking at all the events between logon and logoff, such as when the console locks, the computer sleeps and screen saver events.

Logon session auditing isn’t just a curious technical challenge. At every tradeshow and conference I go to, people come to me with various security and compliance requirements where they need this capability. In fact, one of the cases that I was consulted as an expert witness centered around the interpretation of logon events for session auditing.

The absolute only way to track actual logon sessions is to go to the workstation’s security log. There you need to enable 3 audit subcategories:

  1. Logon
  2. Logoff
  3. Other Logon/Logoff

Together, these 3 categories log 9 different events relevant to our topic:

  • 4624 – An account was successfully logged on
  • 4634 – An account was logged off
  • 4647 – User initiated logoff
  • 4800 – The workstation was locked
  • 4801 – The workstation was unlocked
  • 4802 – The screen saver was invoked
  • 4803 – The screen saver was dismissed

But how do you correlate these events? Because that’s what it’s all about when it comes to figuring out logon sessions. It is by no means a cakewalk.  Matching these events is like sequencing DNA, but the information is there.  The best thing to do is experiment for yourself.  Enable the 3 audit policies above and then logon, wait for your screen saver to kick in, dismiss the screen saver, lock the console as though you are walking away and then unlock it.  Allow the computer to sleep. Wake it back up.

As you can see, there is some overlap among the above events. What you have to do is –between a given logon/logoff event pair (linked by Logon ID) — identity the time periods within that session where the user was not present as a result of:

  • Sleep (that of the computer)
  • Hibernation
  • Screen saver
  • Console locked

And count any session as ending if you see:

  • Event ID 4647 for that session’s Logon ID (User initiated logoff)
  • Event ID 4354 for that session’s Logon ID (Logoff)
  • Event ID 4608 – System startup

As you can see, the information is there. But you have to collect it, and that is a challenge for most organization because of the sheer number of workstations. SIEM solutions like EventTracker automate this for you whether by remote event collection, which can be practical in some cases, or with the more feasible end-point agent.

What is privilege escalation and why should you care?

A common hacking method is to steal information by first gaining lower-level access to your network. This can happen in a variety of ways: through a print server, via a phished email, or taking advantage of a remote control program with poor security. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts. That is where the real damage and data theft starts. Given the number of Internet-available servers and reused passwords, this rough outline of attack happens more often than anyone wants to admit, and it can be a very big threat. The good news is that fixing this isn’t very difficult, just requiring diligence and vigilance. It also helps if you have the right protective software, such as what you can purchase from EventTracker, to stop these sorts of “privilege escalation” attacks.

The first thing is in understanding how prevalent this really is, and not bury your hand in the virtual sandbox. Consider the Black Hat 2015 Hacker Survey Report, which was done on behalf of Thycotic last December. The results showed 20% of those surveyed were able to steal privileged account credentials “all the time”. Wow. And what is worse is that three fourths of those surveyed during the conference saw no recent improvements in the security of privileged accounts too. Finally, to be more depressing, only six percent of those surveyed could never find any account information when they penetrated a network

Granted, the survey is somewhat self-serving, since Thycotic (like EventTracker) sells security tools to track and prevent privilege escalation events.

Next, you should understand how the hackers work and what methods they use to penetrate your network. A great play-by-play article can be found here in Admin magazine. The author shows you how a typical hacker can move through your network, gathering information and trying to open various files and find unprotected accounts.  In the sample system used for the article, the author “found a very old kernel, 28 ports open for incoming connections, and 441 packages installed and not updated for a while.” This is certainly very typical.

So what can do you to be more pro-active in this arena? First, if you aren’t using one of these tools start checking them out today. You should certainly have one in your arsenal, and I am not just saying this because I am writing this blog here. They are essential security tools for any enterprise.

Second, clean up your server password portfolio. You want to strengthen privileged accounts and shared administrative access to critical local Windows and Linux servers (Lieberman Software has something called Enterprise Random Password Manager that will do this quite nicely). Any product you use should discover and strengthen all server passwords and then encrypt them and store them in an electronic vault, and will change them as often as your password policies dictate. These types of tools will also report on those resources that are still using their default passwords: a definite no-no and one of the easiest ways that a hacker can gain entry to your network.

An alternative, or an addition to the password cleanup is to use a single sign-on tool that can automate sign ons and strengthen passwords at the same time. There are more than a dozen different tools for this purpose: I reviewed a bunch of them for Network World about a year ago here.

Next, regularly audit your account and access logs to see if anyone has recently become a privileged user. Many security tools will provide this information: the trick is to use them on a regular basis, not once when you first purchase them. Send yourself a reminder if you need the added incentive.

Finally, start thinking like a hacker. Become familiar with tools such as Metasploit and BackTrack that can be used to pry your way into a remote network and see any weaknesses. Know thy enemy!

Monitoring DNS Traffic for Security Threats

Cyber criminals are constantly developing increasingly sophisticated and dangerous malware programs. Statistics for the first quarter of 2016 compared to 2015 shows that malware attacks have quadrupled.

Why DNS traffic is important

DNS has an important role in how end users in your enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Inspecting DNS traffic between client devices and your local recursive resolver could reveal a wealth of information for forensic analysis.

DNS queries can reveal:

  • Botnets/Malware connecting to C&C servers
  • What websites visited by an employee
  • Which malicious and DGA domains were accessed
  • Which dynamic domains (DynDNS) accessed
  • DDOS attack detection like NXDomain, phantom domain. random subdomain

Identifying the threats using EventTracker

While parsing each DNS log, we verify each domain accessed against:

  • Malicious domain database (updated on regular basis)
  • Domain Generation Algorithm (DGA)

Any domain which matches any of the above mentioned criteria warrants attention and an alert is generated along with the client which accessed it, and the geological information of the domain (IP, Country).

Using behavior analysis, EventTracker tracks the volume of connections to each domain accessed in the enterprise. If the volume of traffic to a specific domain is more than average, alert conditions are triggered. When a domain is accessed for the first time, we check the following:

  • Is this a dynamic domain?
  • Is the domain registered recently or expiring soon?
  • Does the domain have a known malicious TLD?

Recent trends show that cyber criminals may create dynamic domains as command and control centers. These domains are activated for a very short duration and then discarded, which makes the above checks even more important.

EventTracker does statistical/threshold monitoring of query, client, record type and error. This helps in detecting many DDOS attacks like NXDOMAIN attack, Phantom domain attack, random sub-domain attack, etc. EventTracker’s monitoring of client DNS settings will help to detect DNS hijacking and generate an alert for anything suspicious, including information about the client as well as its DNS setting. The EventTracker flex dashboard helps in correlating attack detection data and client details, making attack detection simpler.

Monitoring the DNS logs is a powerful way to identify security attacks as they happen in the enterprise, enabling successful blocking of attacks and fixing vulnerabilities.

Idea to retire: Do more with less

Ideas to Retire is a TechTank series of blog posts that identify outdated practices in public sector IT management and suggest new ideas for improved outcomes.

Dr. John Leslie King is W.W. Bishop Professor in the School of Information at the University of Michigan and contributed a blog hammering the idea of “do more with less” calling it a “well-intentioned but ultimately ridiculous suggestion.”

King writes: “Doing more with less flies in the face of what everyone already knows: we do less with less. This is not our preference, of course. Most of us would like to do less, especially if we could have more. People are smart: they do not volunteer to do more if they will get less. Doing more with less turns incentive upside down. Eliminating truly wasteful practices and genuine productivity gains sometimes allows us to do more with less, but these cases are rare. The systemic problems with HealthCare.gov were not solved by spending less, but by spending more. Deep wisdom lies in matching inputs with outputs.”

IT managers should respond to suggestions of doing more with less by assessing what really needs to be done…what can reasonably be discarded or added that enables the IT staff to go about their responsibilities without exceeding their limits?

Considering these ideas as they relate to IT Security, a way to optimize input with outputs may be by considering a co-managed solution focused on outcome. Rather than merely acquiring technology and then watching it gather dust as you struggle to build process and train (non-existent) staff to utilize it properly, start with the end in mind – the desired outcome. If this is a well managed SIEM solution, (and associated technology) then perhaps a co-managed SIEM approach may provide the way to match output with input.

How to control and detect users logging onto unauthorized computers

Windows gives you several ways to control which computers can be logged onto with a given account.  Leveraging these features is a critical way to defend against persistent attackers.  By limiting accounts to appropriate computers you can:

  • Enforce written policies based on best practice
  • Slow down or stop lateral movement by attackers
  • Protect against pass-the-hash and related credential harvesting attacks

The first place to start using this mitigation technique is with privileged accounts.  And the easiest way to restrict accounts to specified computers is with the allow and deny logon rights.  In Group Policy, under User Rights, you will find an “allow” and “deny” right for each of Windows’ five types of logon sessions:

  • Local logon (i.e. interactive logon at the console)
  • Network logon (e.g. accessing remote computer’s file system via shared folder)
  • Remote Desktop (i.e. Terminal Services)
  • Service (when a service is started in the background, its service account is logged on in this type of session)
  • Batch (i.e. Scheduled Task)

Of course, if an account has both “Logon locally” and “Deny logon locally,” the deny right will take precedence. By careful architecture of OUs, group policy objects and user groups, you can assign these rights to the desired combinations of computers and users.

But because of the indirect nature of group policy and the many objects involved it, can be complicated to configure the rights correctly.  It’s easy to leave gaps in your controls or inadvertently prevent appropriate logon scenarios.

In Windows Server 2012 R2, Microsoft introduced Authentication Policy Silos.  Whereas logon rights are enforced at the member computer level, silos are enforced centrally by the domain controller.  Basically, you create an Authentication Policy Silo container and assign the desired user accounts and computers to that silo.  Now those user accounts can only be used for logging on to computers in that silo.  Domain controllers only enforce silo restrictions when processing Kerberos authentication requests – not NTLM.  To prevent users accounts from bypassing silo restrictions by authenticating via NTLM, silo’d accounts must also be members of the new Protected Users group.  Membership in Protected Users triggers a number of different controls designed to prevent pass-the-hash and related credential attacks – including disabling NTLM for member accounts.

ADAdmin Silo

For what it’s worth, Active Directory has one other way to configure logon restrictions, and that’s with the Logon Workstations setting on domain user accounts.  However, this setting only applies to interactive logons and offers no control over the other logon session types.

Detecting Logon Violation Attempts

You can monitor failed attempts to violate both types of logon restrictions.  When you attempt to logon but fail because you have not been granted or are explicitly denied a given logon right, here’s what to expect in the security log.

Which Security Log Event ID Notes
Local computer being attempted for logon 4625

Logon Failure

Failure reason: The user has not been granted the requested logon type at this machine.

Status: 0xC000015B

Domain Controller 4768

Successful Kerberos TGT Request

Note that this is a successful event.  To the domain controller this was as a successful authentication.

As you can see there is no centralized audit log record of logon failures due to logon right restrictions.  You must collect and monitor the logs of each computer on the network.

On the other hand, here are the events logged when you attempt to violate an authentication silo boundary.

Which Security Log Event ID Notes
Local computer being attempted for logon 4625

Logon Failure

Failure reason: User not allowed to logon at this computer

Status: 0xC000006E

Domain Controller 4820 Failure A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

The silo is identified

4768 Failed Kerberos TGT Request Result Code: 0xC

An obvious advantage of Authentication Silos is the central control and monitoring.  Just monitor your domain controllers for event ID 4820 and you’ll know about all attempts to bypass your logon controls across the entire network.  Additionally, event ID 4820 reports the name of the silo which makes policy identification instant.

Restricting privileged accounts is a key control in mitigating the risk of pass-the-hash and fighting modern attackers.  Whether you enforce logon restrictions with user rights on local systems or centrally with Authentication Silos make sure you don’t just use a “fire and forget” approach in which you configure but neglect monitoring these valuable controls.  You need to know when an admin is attempting to circumvent controls or when an attacker is attempting to move laterally across your network using harvested credentials.

Detect Persistent Threats on a Budget


There’s a wealth of intelligence available in your DNS logs that can help you detect persistent threats.

So how can you use them to see if your network has been hacked, or check for unauthorized access to sensitive intellectual property after business hours?

All intruders in your network must re-connect with their “central command” in order to manage or update the malware they’ve installed on your system. As a result, your infected network devices will repeatedly resolve to the domain names that the attackers use. By mining your DNS logs, you can determine if known bad domain names and/or IP addresses have affected your systems. Depending on the most current “blacklist” of criminal domains is, and how rigid your network rules are regarding IP destinations that the domain names resolve to, DNS logs can help you spot these anomalies.

It’s not a a comprehensive technique for detecting persistent threats, but a good, budget friendly start.

Here is recent webinar we did on the subject of mining DNS logs.

Dirty truths your SIEM vendor won’t tell you

Analytics is an essential component of a modern SIEM solution. The ability to crunch large volumes of log and security data in order to extract meaningful insight can lead to improvements in security posture. Vendors love to tell you all about features and how their particular product is so much better than the competition.

Yeah, right!

The fact is, many products are available and most of them have comparable features. While software is a necessary part of the analytics process, it’s less critical than product marketing hype would have you believe.

As Meta Brown noted in Forbes, “Your own thought processes – the effort you put in to understand the business problem, investigate the data available, and plan a methodical approach to analysis – can do much more to simplify your work and maximize your chance for success than any product could.”

Techies just love to show off their tech macho. They can’t get together without arguing about the power of their code, speed of their response or the size of their clusters.

The reality? Once you invested in any of the comparable products, it’s the person behind the wheel that makes all the difference.

If you suffer from skill shortage, our remote managed SIEM Simplified solution may be for you.

Should I be doing EDR? Why isn’t anti-virus enough anymore?

Detecting virus signatures is so last year. Creating a virus with a unique signature or hash is quite literally child’s play, and most anti-virus products catch just a few percent of the malware that is active these days. You need better tools, called endpoint detection and response (EDR), such as those that integrate with SIEMs, that can recognize errant behavior and remediate endpoints quickly.

The issue is that hackers are getting better at covering their tracks, and leaving very few footprints of their dastardly deeds.

I like to think about EDR products in terms of hunting and gathering. Most traditional endpoint products that come from the anti-malware heritage are gatherers: they are used to collect malware that they can identify, based on some known patterns. That works well in the era when writing malware was a black art that had specialized skills and tools. Now there are ready-made exploit kits, such as Angler and tools called packers and crypters. These have made it so easy to produce custom malware that the average teen can do it with a Web browser and little programming knowledge.

But gathering is just one part of the ideal EDR product: they also need to be hunters too. They should be able to find that proverbial needle in the haystack, especially when you don’t even know what a needle looks like, except that it is sharp and can hurt you. The ideal hunter should be able to track down malware based on a series of unfortunate events, by observing behaviors such as making changes to the Windows registry, dropping a command shell remotely or from within a browser session, or by inserting an infected PDF document. While some “normal” apps exhibit these activities, most don’t. For example, some EDR products can track privilege escalation and credential spoofing, common activities of many hackers today that like to gain access to your network from a formerly trusted endpoint and use it as a base of operations to collect and export confidential data. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.

Part of the hunting experience is also being able to record what is happening to your network so you can go to the “videotape” playback function and see when something entered your environment and what endpoints it has infected. From there you should be able to isolate and remediate your PCs and return them to an uninfected state. Some EDR products offer a special kind of isolation feature that basically turns their network connection off, except for communicating back to the central monitoring console. That is a pretty nifty feature.

Finally, an EDR product should be able to use big data techniques to visualize trends and block potential attacks. Another aspect of this is to integrate with a variety of security event feeds and intelligence from Internet sources such as VirusTotal.com. You might as well leverage what researchers around the world already know and have already seen in the wild. Microsoft has jumped into this arena with their Windows Defender Advanced Threat Protection. Announced at the RSA show in March, it will be slowly rolled out to all Windows 10 users (whether they want it or not) thanks to Windows Update.  Basically what Microsoft is doing is turning every Windows 10 endpoint into a sensor with this tool, and sending this information to its cloud-based detection service called Security Graph. Other EDR vendors do similar things with their endpoint agents.

When you go shopping for an EDR product, ask your vendor these questions:

  • Do you need agents or agentless? There are advantages to both methods, depending on the mix of endpoint OS’s and what you are trying to accomplish and protect.
  • What does the user see on their protected desktop? Some tools will obscure any listing in the Control Panel Programs or toolbar icons to make them stealthier.
  • Does the product offer real-time protection? This may be important, depending on your needs. Some products aren’t designed for this kind of response time and need to take a longer view of trends and behaviors.
  • How is the product configured, managed and priced? Some install quickly, some take consulting contracts to set up. Some are priced per endpoint or per server, others by purchasing a physical appliance.

EventTracker offers EDR functionality within its SIEM platform. You can learn more about it here.

Uncover C&C traffic to nip malware

In a recent webinar, we demonstrated techniques by which EventTracker monitors DNS logs to uncover attempts by malware to communicate with Command and Control (C&C) servers. Modern malware uses DNS to resolve algorithm generated domain names to find and communicate with C&C servers. These algorithms have improved by leaps and bounds since they were first see in Conficker.C. Early attempts were based on a fixed seed and so once the malware was caught, it could be decompiled to predict the domain names it would generate. The next improvement was to use the current time as a seed. Here again, once the malware is reverse engineered it’s possible to predict the domain names it will generate. Nowadays, the algorithms may use things like the current trending twitter topic as a seed to make prediction harder.

But hold on a second, you say – we don’t allow free access, we have installed a proxy with configuration and it will stop these attempts. Possibly. However, a study conducted between Sep 2015-Jan 2016 showed that less than 34% of outbound connection attempts to C&C infrastructure were blocked by firewalls or proxy servers. Said differently, more than 60% of the time an infected device successfully called out to a criminal operator.

Prevention technologies look for known threats. They examine inbound files and look for malware signatures. It’s more or less a one-time chance to stop the attacker from getting inside the network. Attackers have learned that time is their friend. Evasive malware attacks develop over time, allowing them to bypass prevention altogether. When no one is watching, the attack unfolds. Ultimately, an infected device will ‘phone home’ to a C&C server to receive instructions from the attacker.

DNS logs are a rich source of intelligence and bear close monitoring.

Maximize your SIEM ROI

Aristotle put forth the idea in his Poetics that a drama has three parts — a beginning or protasis, middle or epitasis, and end or catastrophe. Far too many SIEM implementations are considered to be catastrophes. Having implemented hundreds of such projects, here are the three parts of a SIEM implementation which if followed will in fact minimize the drama but maximize the ROI. If you prefer the video version of this, click here.

The beginning or protasis

  • Identify log sources and use cases.
  • Establish retention period for the data set and who gets access to which parts.
  • Nominate a SIEM owner and a sponsor for the project.

The middle or epitasis

  • Install the SIEM Console
  • Push out and configure sensors or the log sources to send data
  • Enable alerting and required reporting schedules
  • Take log volume measurements and compare against project disk space requirements
  • Perform preliminary tuning to eliminate most noisy and less useful log sources and type
  • Train the product owner and users on features and how-to use

The end or catastrophe

  • Review log volume and tune as needed
  • Review alerts for correctness and establish notification methods, if appropriate
  • Establish escalation policy – when and to whom
  • Establish report review process to generate artifacts for audit review
  • Establish platform maintenance cycle (platform and SIEM updates)

Detecting Ransomware: The Same as Detecting Any Kind of Malware?

Ransomware burst onto the scene with high profile attacks against hospitals, law firms and other organizations.  What is it and how can you detect it?  Ransomware is just another type of malware; there’s nothing particularly advanced about ransomware compared to other malware.

Ransomware uses the same methods to initially infect an endpoint such as drive-by-downloads, phishing emails, etc.  Then it generates necessary encryption keys, communicates with command and control servers and gets down to business encrypting every file on the compromised endpoint. Once that’s done it displays the ransom message and waits for the user to enter an unlock code purchased from the criminals.  So at the initial stages of attack, trying to detect ransomware is like any other end-point based malware.  You look for new EXEs and DLLs and other executable content-like scripts.  For this level of detection check out my earlier webinars with EventTracker:

As criminals begin to move from consumer attacks to targeting the enterprise, we are going to see more lateral movement between systems as the attackers try to either encrypt enough endpoints or work their way across the network to one or more critical servers.  In either case their attacks will take a little longer before they pull the trigger and display the ransom message because they need to encrypt enough end-user endpoints or at least one critical server to bring the organization to its knees.  These attacks begin to look similar to a persistent data theft (aka APT) attack.

Detecting lateral movement requires watching for unusual connections between systems that typically don’t communicate with each other.  You also want to watch for user accounts attempting to logon to systems they normally never access.  Pass-the-Hash indicators tie in closely with later movement and that one of the things discussed in “Spotting the Adversary with Windows Event Log Monitoring: An Analysis of NSA Guidance”.

So much of monitoring for ransomware is covered by the monitoring you do for any kind of malware as well as persistent data theft attacks.  But what is different about ransomware?

  1. Detonation: The actually detonation of ransomware (file encryption) is a very loud and bright signal. There’s no way to miss it if you are watching.
  2. Speed: Enterprise ransomware attacks can potentially proceed much faster than data theft attacks.


When ransomware begins encrypting files, it’s going to generate a massive amount of file i/o – both read and write.  It has to read every file and write every file back out in encrypted format.  The write activity may occur on the same file if directly being re-written, the ransomware can delete the original file after writing out an encrypted copy.  In addition, if you watch which files ransomware is opening you’ll see every file in each folder being opened one file after another for at least read access.  You will also see that read activity in bytes should be matched by write activity.

Of course there are potential ways ransomware could cloak this activity by either going low and slow, encrypting files over many days or by scattering its file access between many different folders instead of following an orderly process of all files in one folder after another.  But I think it will a long time before enough attacks are getting foiled by such detection techniques that the attackers go to this extra effort.

How prone to false positives is this tactic?  Well, what other legitimate applications have a similar file i/o signature? Backup and indexing programs would have a nearly identical file read signature but would lack the equal amount of write activity.

The downside to ransomware detonation monitoring is that detection means a ransomware attack is well underway.  This is late stage notification.


Ransomware attacks against an enterprise may proceed much faster than persistent data theft attacks because data thieves have to find and gain access to the data that is not just confidential but also re-saleable or otherwise valuable to the attacker.  That may take months.  On the other hand, ransomware criminals just need to do either of the following:

  1. Lockdown at least one critical server – without which the organization can’t function. The server doesn’t necessarily need any confidential data nor need it be re-saleable.  On a typical network there’s many more such critical servers than there are servers with data that’s valuable to the bad guy for re-sale or other exploitation.
  2. Forget servers and just spread to as many end-user endpoints as possible. If you encrypt enough endpoints and render them useless you can ransom the organization without compromising and servers at all.  Endpoints are typically much easier to compromise because of their intimate exposure and processing of untrusted content and usage by less security savvy end-users among other reasons.

So beefing up your ransomware monitoring means continue with what you are (hopefully) already doing: monitoring for indicators of any type of malware on your network and watching for signs of lateral movement between systems.  But for ransomware you can also possibly detect late stage ransomware attacks by watching for signature file i/o by unusual processes.  So you need to be fast in responding.

And that’s the other way that ransomware differentiates itself from data theft attacks: the need for speed.  Ransomware attacks can potentially reach detonation much faster than data thieves can find, gain access and exfiltrate data worth stealing.  So, while the indicators of compromise might be the same for most of a ransomware or persistent data theft attack, reducing your time-to-response is even more important with ransomware.

Research points to SIEM-as-a-Service

SC Magazine released the results of a research survey focused on the rising acceptance of SIEM-as-a-Service for the small and medium sized enterprise.

The survey, conducted in April 2016, found that SMEs and companies with $1 billion or more in revenue or 5,000-plus employees faced similar challenges:

  • 64 percent of respondents agreed that they “lack the time to manage all the security activities.”
  • 49 percent reported a lack of internal staff to address IT security challenges
  • 48 percent said they lacked the IT security budget needed to meet those challenges

This come as no surprise to us. We’ve been seeing these trends rise over the past several years. Gartner reports that by 2019, total enterprise spending on security outsourcing services will be 75 percent of the spending on security software and hardware products, and that by 2020, 40 percent of all security technology acquisitions will be directly influenced by managed security service provider (MSSP) and on-premises security outsourcing providers, up from less than 15% today.

It used to be that firewalls and antivirus were sufficient enough stop gaps; but in today’s complex threatscape, the cyber criminals are more sophisticated. The weak point of any security approach is usually the unwitting victim of a phishing scam or the person who plugs in the infected USB; but “securing the human” requires the expertise of other humans, trained staff with the certification and expertise to monitor the network and analyze the anomalies. An already busy IT staff can become even more overburdened; identifying, training and keeping security expertise is hard. So is keeping up with the alerts that come in on a daily basis, and being current on the SIEM technology.

Thus, the increasing movement towards a co-managed SIEM which allows the enterprise to have access to the expertise and resources they need to run an effective security program without ceding control. SIEM-as-a-Service: saving time and money.

You can download the SC Magazine report here.

Is it all about zero-day attacks?

The popular press makes much of zero-day attacks. These are attacks based on vulnerabilities in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.

However, the reality is 99.99% of exploits are based on vulnerabilities already known for at least one year. Hardly zero-day.

What does this mean to you? It means you should prioritize vulnerability scanning to first identify and then patch and manage these vulnerabilities in your defense strategy. What is the point in obsessing over zero-day vulnerabilities when unpatched systems exist within your perimeter?

What’s so hard about this? Well, for many organizations, it’s the process and expertise that is needed to accomplish the related tasks. Procuring the technology is easy but that represents, at most, 20% of the challenges to obtain a successful outcome.

The people and process to leverage the technology are 80% of the challenge. The bulk of the iceberg below the waterline, which can sink your otherwise massive ship.

Welcome to the New Security World of SMB Partners

Yet another recent report confirms the obvious, that SMBs in general do not take security seriously enough. The truth is a bit more nuanced than that, of course—SMB execs generally take security very seriously, but they don’t have the dollars to do enough about it—although it amounts to the same thing.

This year, though, SMBs are going to have to look at security differently. Why? That is because enterprise execs are repeatedly seeing their own networks hurt because of less-than-terrific security from SMB partners that do distribution, providing supplies or handling anything from backup to bookkeeping. Faced with their own security mandates—whether from PCI, HIPAA, European Union or any other external body—they are going to crack down on SMB partners.

Hence, unless you want those enterprise-level contracts to take a walk, your security return-on-investment (ROI) calculation just got a lot messier.

What new actions can SMBs expect from their enterprise-level partners in 2016? Until now, most have satisfied their obligations and kept their corporate counsels at bay through contractual agreements. In short, they put in their partner contracts that the partner is obligated to comply with a laundry list of security measures. Write it down, make SMB partners sign it and they’re all done.

The problem with enterprises going solely with the contractual obligation route is that the proverbial stick (as in carrot and stick) is limited to reactive situations. If something bad happens with the enterprise operation’s security and a forensic investigation eventually points the finger at the SMB partner and that probe specifically concludes that the SMB had violated the contract’s obligations, that SMB partner doesn’t merely lose the contract. They will also certainly be sued for the resultant damages, which could easily bankrupt some SMBs. That’s sufficient incentive/deterrent, right?

Not anymore. From the enterprise’s perspective, that stick only kicks in after a breach and only if enough evidence exists to tie it back to the SMB partner. Given the ever-increasing talent of many cyberthieves to hide and delete their trails, it’s a gamble that many cash-strapped SMBs are willing to take. What are the odds of both of those things happening, those SMB execs think, given the vast security arsenal deployed by their multi-billion-dollar enterprise partner?

Therefore, to up the real—as opposed to merely pledged—compliance with its SMB-partner security rules, enterprises are going to start surprise snap inspections and demanding access to sensitive IT systems. Some might even go so far as to try and entrap partners by creating fake sub-suppliers to respond to the SMB partner’s RFPs and see if they follow the rules and demand what they are supposed to demand.

Why would enterprises go through this effort, seemingly to hurt partners? Because that’s what will be required. If XYZ enterprise doesn’t loudly and publicly expose and punish a couple of SMB partners, a sufficient deterrence won’t exist.

The whole point here is to change that SMB exec’s ROI calculation. By increasing the number of ways an SMB partner’s lack of security compliance can be caught/detected, they want that ROI to force those partners to invest the security dollars. The rationale is essentially: “If you won’t invest in security because you need to for your own company’s protection, or because you have signed a contract that you will, then do so because we need to make an example of somebody and you don’t want that to be you.”

Next Step: how to deliver the most cost-effective security. Once you have conceded to the new ROI calculations and have decided that you must increase your security budget, the natural inclination—especially in an SMB environment—is to calculate the absolute minimum dollars to comply.

This is also known as checklist security, which is frowned upon. That said, it’s a step-up from rolling the dice that you won’t get caught. Here’s a trick: Guarantee your safety by having your people work with the enterprise partner’s IT security people on what your options are.

You may be surprised at how reasonable they can be. The best part is that by doing so—in e-mail as much as possible, to create a powerful paper trail—you are protected. Despite the bogus reputation of enterprise IT that they don’t sweat pricing details, they do. No one is better at squeezing a contractor nickel than a Fortune 500 IT security manager.

Not only will they steer you to the most cost-effective options, but they might even make a referral for you, so that you can benefit from a small taste of your partner’s volume-purchasing pricing. They might even help you out by participating directly in those vendor calls. After all, you are a partner.

And because you are working with them—and don’t forget that paper trail—you can’t be blamed for choosing whoever the enterprise IT people suggested.

OK, in reality, you can be blamed for anything.