Monitoring DNS Traffic for Security Threats


Cyber criminals are constantly developing increasingly sophisticated and dangerous malware programs. Statistics for the first quarter of 2016 compared to 2015 shows that malware attacks have quadrupled.

Idea to retire: Do more with less


Ideas to Retire is a TechTank series of blog posts that identify outdated practices in public sector IT management and suggest new ideas for improved outcomes. Dr. John Leslie King is W.W. Bishop Professor in the School of Information at the University of Michigan and contributed a blog hammering the idea of “do more with less” calling it a “well-intentioned but ultimately ridiculous suggestion.”

How to control and detect users logging onto unauthorized computers


Windows gives you several ways to control which computers can be logged onto with a given account.  Leveraging these features is a critical way to defend against persistent attackers.  By limiting accounts to appropriate computers you can

Detect Persistent Threats on a Budget


There’s a wealth of intelligence available in your DNS logs that can help you detect persistent threats. So how can you use them to see if your network has been hacked, or check for unauthorized access to sensitive intellectual property after business hours?

Dirty truths your SIEM vendor won’t tell you


Analytics is an essential component of a modern SIEM solution. The ability to crunch large volumes of log and security data in order to extract meaningful insight can lead to improvements in security posture. Vendors love to tell you all about features and how their particular product is so much better than the competition.

Should I be doing EDR? Why isn’t anti-virus enough anymore?


Detecting virus signatures is so last year. Creating a virus with a unique signature or hash is quite literally child’s play, and most anti-virus products catch just a few percent of the malware that is active these days. You need better tools, called endpoint detection and response (EDR), such as those that integrate with SIEMs, that can recognize errant behavior and remediate endpoints quickly.

Uncover C&C traffic to nip malware


In a recent webinar, we demonstrated techniques by which EventTracker monitors DNS logs to uncover attempts by malware to communicate with Command and Control (C&C) servers. Modern malware uses DNS to resolve algorithm generated domain names to find and communicate with C&C servers. These algorithms have improved by leaps and bounds since they were first see in Conficker.C. Early attempts were based on a fixed seed and so once the malware was caught, it could be decompiled to predict the domain names it would generate.

Maximize your SIEM ROI


Aristotle put forth the idea in his Poetics that a drama has three parts — a beginning or protasis, middle or epitasis, and end or catastrophe. Far too many SIEM implementations are considered to be catastrophes. Having implemented hundreds of such projects, here are the three parts of a SIEM implementation which if followed will in fact minimize the drama but maximize the ROI.

Detecting Ransomware: The Same as Detecting Any Kind of Malware?


Ransomware burst onto the scene with high profile attacks against hospitals, law firms and other organizations.  What is it and how can you detect it?  Ransomware is just another type of malware; there’s nothing particularly advanced about ransomware compared to other malware.

Research points to SIEM-as-a-Service


SC Magazine released the results of a research survey focused on the rising acceptance of SIEM-as-a-Service for the small and medium sized enterprise. The survey, conducted in April 2016, found that SMEs and companies with $1 billion or more in revenue or 5,000-plus employees faced similar challenges:

Is it all about zero-day attacks?


The popular press makes much of zero-day attacks. These are attacks based on vulnerabilities in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.

Welcome to the New Security World of SMB Partners


Yet another recent report confirms the obvious, that SMBs in general do not take security seriously enough. The truth is a bit more nuanced than that, of course—SMB execs generally take security very seriously, but they don’t have the dollars to do enough about it—although it amounts to the same thing. This year, though, SMBs are going to have to look at security differently. Why? That is because enterprise execs are repeatedly seeing their own networks hurt because of less-than-terrific security from SMB partners tha

Top 3 traits of a successful Security Operations Center


Traditional areas of risk — financial risk, operational risk, geopolitical risk, risk of natural disasters — have been part of organizations’ risk management for a long time. Recently, information security has bubbled to the top, and now companies are starting to put weight behind IT security and Security Operations Centers (SOC).

Is the IT Organizational Matrix an IT Security Problem?


Do you embrace the matrix? Not this one, but the IT Organizational Matrix, or org chart. The fact is, once networks get to a certain size, IT organizations begin to specialize and small kingdoms emerge. For example, endpoint management (aka Desktop) may be handled by one team, whereas the data center is handled by another (Server team).  Vulnerability scanning may be handled by a dedicated team but identity management (Active Directory? RSA tokens?) is handled by another. 

Cloud Security Starts at Home


Cloud security is getting attention and that’s as it should be.  But before you get hung up on techie security details, like whether SAML is more secure than OpenID Connect and the like, it’s good to take a step back.  One of the tenets of information security is to follow the risk.  Risk is largely a measure of damage and likelihood.  When you are looking at different threats to the same cloud-based data then it becomes a function of the likelihood of those risks.

2015 Cyber Attack Trends — 2016 Implications


The range of threats included trojans, worms, trojan downloaders and droppers, exploits and bots (backdoor trojans), among others. When untargeted (more common), the goal was profit via theft. When targeted, they were often driven by ideology.

Your SIEM relationship status: It’s complicated


On Facebook, when two parties are sort-of-kind-of together but also sort-of, well, not, their relationship status reads, “It’s complicated.” Oftentimes, Party A really wants to like Party B, but Party B keeps doing and saying dumb stuff that prevents Party A from making a commitment.

Certificates and Digitally Signed Applications: A Double Edged Sword


Windows supports the digitally signing of EXEs and other application files so that you can verify the provenance of software before it executes on your system.  This is an important element in the defense against malware.  When a software publisher like Adobe signs their application they use the private key associated with a certificate they’ve obtained from one of the major certification authorities like Verisign.

Top 5 SIEM complaints


Here’s our list of the Top 5 SIEM complaints:1) We bought a security information and event management (SIEM) system, but it’s too complicated and time-consuming, so we’re:

The Cost of False IT Security Alarms


Think about the burglar alarm systems that are common in residential neighborhoods. In the eye of the passive observer, an alarm system makes a lot of sense. They watch your home while you’re asleep or away, and call the police or fire department if anything happens. So for a small monthly fee you feel secure. Unfortunately, there are a few things that the alarm companies don’t tell you.

SIEM: Sprint or Marathon?


Winning a marathon requires dedication and preparation. Over long periods of time. A sprint requires intense energy but for a short period of time. While some tasks in IT Security are closer to a sprint (e.g., configuring a firewall), many, like deploying and using a Security Information and Event Management (SIEM) solution, are closer to a marathon.

The Assume Breach Paradigm


Given today’s threat landscape, let’s acknowledge that a breach has either already occurred within our network or that it’s only a matter of time until it will. Security prevention strategies and technologies cannot guarantee safety from every attack. It is more likely that an organization has already been compromised, but just hasn’t discovered it yet. Operating with this assumption reshapes detection and response strategies in a way that pushes the limits of any organization’s infrastructure, people, processes and technologies.

5 IT Security resolutions


Ho hum. Another new year, time for some more New Year’s resolutions. Did you keep the ones you made last year? Meant to but somehow did not get around to it? This time how about making it easy on yourself?

SIEM and Return on Security Investment (RoSI)


The traditional method for calculating standard Return on Investment (RoI) is that it equals the gain minus the cost, divided by the cost. The higher the resulting value, the greater the RoI. The difficulty in calculating a return on security investment (RoSI), however, is that security tends not to increase profits (gain), but to decrease loss – meaning that the amount of loss avoided rather than the amount of gain achieved is the important element.

Following the standard RoI approach, RoSI can be calculated by the sum of the loss reduction minus the cost of the solution, divided by the cost of the solution. In short, a high result is better for RoI, and a low result is better for RoSI.

This is where it gets difficult: how do you measure the ‘loss reduction’? To a large extent it is based on guesswork and surveys. Bruce Schneier in The Data Imperative concluded, “Depending on how you answer those two questions, and any answer is really just a guess — you can justify spending anywhere from $10 to $100,000 annually to mitigate that risk.”

What we find as a practical outcome of delivering our SIEM-as-a-service offering (SIEM Simplified) is that many customers value the anecdotes and statistics that are provided in the daily reports and monthly reviews to demonstrate RoSI to management. Things such as how many attacks were repulsed by the firewalls, how many incidents were addressed by criticality, anecdotal evidence of an attack disrupted or misconfiguration detected. We publish some of these anonymously as Catch of the Day.

It’s a practical way to demonstrate RoSI which is easier to understand and does not involve any guesses.

Stuff the turkey, not the SIEM


Did you know that SIEM and Log Management are different?

The latter (log management) is all about collecting logs first and worrying about why you need them second (if at all). The objective is “let’s collect it all and have it indexed for possible review. Why? Because we can.”

The former (SIEM) is about specific security use cases. SIEM is a use-case driven technology. Use cases are implementation specific, unlike antivirus or firewalls.
Treating SIEM like Log Management, is a lot like a turducken.

Don’t want that bloated feeling like Aunt Mildred explains here? Then don’t stuff your SIEM with logs absent a use case.

Need help doing this effectively? A co-managed SIEM may be your best bet.

Effective cyber security by empowering people


You have, no doubt, heard that cyber security is everyone’s job. So then, as the prime defender of your network, what specifically are you doing to empower people so they can all act as sentries? After all, security cannot be automated as much as you’d like. Human adversaries will always be smarter than automated tools and will leverage human ingenuity to skirt around your protections.

But, marketing departments in overdrive are busy selling the notion of “magic” boxes that can envelope you in a protective shell against Voldemort and his minions. But isn’t that really just fantasy? The reality is that you can’t replace well-trained security professionals exercising judgment with computers.

So what does an effective security buyer do?

Answer: Empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.

When we were designing EventTracker 8, an oft repeated observation from users was the shortage of senior analysts. If they existed at all in the organization, they were busy with higher level tasks such as policy creation, architecture updates and sometimes critical incident response. The last task on their plates was the bread-and-butter of log review and threat monitoring. Such tasks are often the purview of junior analysts (if they exist). In response, many of the features of EventTracker 8 are designed specifically to enable junior administrators to make effective contributions to cyber security.

Still feeling overwhelmed by the daily tasks that need doing, consoles that need watching, alerts that need triaging? Don’t fret – that is precisely what our SIEM Simplified service (SIEMaas) is designed to provide – as much, or as little help as you need. Become empowered, be effective.

Diagnosing Account Lockout in Active Directory


Symptom

Account Lockouts in Active Directory

Additional Information

“User X” is getting locked out and Security Event ID 4740 are logged on respective servers with detailed information.

Reason

The common causes for account lockouts are:

  • End-user mistake (typing a wrong username or password)
  • Programs with cached credentials or active threads that retain old credentials
  • Service accounts passwords cached by the service control manager
  • User is logged in on multiple computers or disconnected remote terminal server sessions
  • Scheduled tasks
  • Persistent drive mappings
  • Active Directory delayed replication

Troubleshooting Steps Using EventTracker

Here we are going to look for Event ID 4740. This is the security event that is logged whenever an account gets locked.

  1. Login to EventTracker console:

2. Select search on the menu bar

3. Click on advanced search

4. On the Advanced Log Search Window fill in the following details:

  • Enter the result limit in numbers, here 0 means unlimited.
  • Select the date, time range for the logs to be searched.
  • Select all the domain controllers in the required domain.
  • Click on the inverted triangle, make the search for Event ID: 4740 as shown below.

Once done hit search at the bottom.

You can see the details below. If you want to get more information about a particular log, click on the + sign

Below shows more information about this event.

Now, let’s take a closer look at 4740 event. This can help us troubleshoot this issue.

Log Name Security
Source Microsoft-Windows-Security-Auditing
Date MM/DD/YYYY HH:MM:SS PM
Event ID 4740
Task Category User Account Management
Level Information
Keywords Audit Success
User N/A
Computer COMPANY-SVRDC1
Description A user account was locked out.
Subject:
Security ID NT AUTHORITY\SYSTEM
Account Name COMPANY-SVRDC1$
Account Domain TOONS
Logon ID 0x3E7
Account That Was Locked Out:
Security ID S-1-5-21-1135150828-2109348461-2108243693-1608
Account Name demouser
Additional Information:
Caller Computer Name DEMOSERVER1
Field My Description
DateTime This shows Date/Time of event origination in GMT format.
Source This shows the Name of an Application or System Service originating the event.
Type This shows Warning, Information, Error, Success, Failure, etc.
User This is the user/service/computer initiating event. (Name with a $ means it’s a computer/system initiated event.
Computer This shows the name of server workstation where event was logged.
EventID Numerical ID of event.
Description This contains the entire unparsed event message.
Log Name The name of the event log (e.g. Application, Security, System, etc.)
Task Category A name for a subclass of events within the same Event Source.
Level Warning, Information, Error, etc.
Keywords Audit Success, Audit Failure, Classic, Connection etc.
Category This shows the name for an aggregative event class, corresponding to the similar ones present in Windows 2003 version.
Subject: Account Name Name of the account that initiated the action.
Subject: Account Domain Name of the domain that account initiating the action belongs to.
Subject: Logon ID A number that uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.
Subject: Security ID SID of the locked out user
Account Name Account That Was Locked Out
Caller Computer Name This is the computer where the logon attempts occurred

Resolution

Logon into the computer mentioned on “Caller Computer Name”  (DEMOSERVER1) and look for one of the aforementioned reasons that produces the problem.

To understand further on how to resolve issues present on “Caller Computer Name”  (DEMOSERVER1) let us look into the different logon types.

LogonType Code 0
LogonType Value System
LogonType Meaning Used only by the System account.
Resolution No evidence so far seen that can contribute towards account lock out
LogonType Code 2
LogonType Value Interactive
LogonType Meaning A user logged on to this computer.
Resolution User has typed wrong password on the console
LogonType Code 3
LogonType Value Network
LogonType Meaning A user or computer logged on to this computer from the network.
Resolution User has typed wrong password from the network. It can be a connection from Mobile Phone/ Network Shares etc.
LogonType Code 4
LogonType Value Batch
LogonType Meaning Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
Resolution Batch file has an expired or wrong password
LogonType Code 5
LogonType Value Service
LogonType Meaning A service was started by the Service Control Manager.
Resolution Service is configured with a wrong password
LogonType Code 6
LogonType Value Proxy
LogonType Meaning Indicates a proxy-type logon.
Resolution No evidence so far seen that can contribute towards account lock out
LogonType Code 7
LogonType Value Unlock
LogonType Meaning This workstation was unlocked.
Resolution User has typed a wrong password on a password protected screen saver
LogonType Code 8
LogonType Value NetworkCleartext
LogonType Meaning A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
Resolution No evidence so far seen that can contribute towards account lock out
LogonType Code 9
LogonType Value NewCredentials
LogonType Meaning A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
Resolution User initiated an application using the RunAs command, but with wrong password.
LogonType Code 10
LogonType Value RemoteInteractive
LogonType Meaning A user logged on to this computer remotely using Terminal Services or Remote Desktop.
Resolution User has typed wrong password while logging in to this computer remotely using Terminal Services or Remote Desktop
LogonType Code 11
LogonType Value CachedInteractive
LogonType Meaning A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Resolution No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.
LogonType Code 12
LogonType Value CachedRemoteInteractive
LogonType Meaning Same as RemoteInteractive. This is used for internal auditing.
Resolution No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.
LogonType Code 13
LogonType Value CachedUnlock
LogonType Meaning This workstation was unlocked with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Resolution No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.

How to identify the logon type for this locked out account?

Just like how it is shown earlier for Event ID 4740, do a log search for Event ID 4625 using EventTracker, and check the details.

Log Name Security
Source Microsoft-Windows-Security-Auditing
Date date
Event ID 4625
Task Category Logon
Level Information
Keywords Audit Failure
User N/A
Computer COMPANY-SVRDC1
Description An account failed to log on.
Subject:
Security ID SYSTEM
Account Name COMPANY-SVRDC1$
Account Domain TOONS
Logon ID ID
Logon Type 7
Account For Which Logon Failed:
Security ID NULL SID

Account Name demouser
Account Domain TOONS

Failure Information:
Failure Reason An Error occurred during Logon.
Status 0xc000006d
Sub Status 0xc0000380
Process Information:
Caller Process ID 0x384
Caller Process Name C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name computer name
Source Network Address IP address
Source Port 0
Detailed Authentication Information:
Logon Process User32
Authentication Package Negotiate
Transited Services
Package Name (NTLM only)
Key Length 0

Logon Type 7 says User has typed a wrong password on a password protected screen saver.

Now we understand what reason to target and how to target the same.

Applies to

Microsoft Windows Servers
Microsoft Windows Desktops

Contributors

Ashwin Venugopal, Subject Matter Expert at EventTracker
Satheesh Balaji, Security Analyst at EventTracker

Index now, understand later


Late binding is a computer programming mechanism in which the method being called upon an object or the function being called with arguments is looked up by name at runtime. This contrasts with early binding, where everything must be known in advance. This method is favored in object-oriented languages and is efficient but incredibly restrictive. After all, how can everything be known in advance?

In EventTracker, late binding allows us to continue learning and leveraging new understanding instead of getting stuck in whatever was sensible at the time of indexing. The upside is that it is very easy to ingest data into EventTracker without knowing much (or anything) about its meaning or organization. Use any one of several common formats/protocols, and voila, data is indexed and available for searching/reporting.

As understanding improves, users can create a “Knowledge Pack” to describe the indexed data in reports, search output, dashboards, co-relation rules, behavior rules, etc. There is no single, forced “normalized” schema and thus no connectors to transform incoming data to the fixed schema.

As your understanding improves, the knowledge pack improves and so does the resulting output. And oh by the way, since the same data can be viewed by two different roles in very different ways, this is easily accommodated in the Knowledge Pack. Thus the same data (e.g., Login failures) can be viewed in one way by the Security team (in real time, as an alert, with trends) and in an entirely different way by the Compliance team (as a report covering a time-span with annotation to show due care).

Focus on assets, not threats


As defenders, it is our job to make the attackers’ lot in life harder. Push them up the “pyramid of pain“. Be a hard target so they move on to a softer/easier one.

Hallmarks of a successful security monitoring team


Over the years, we have seen many approaches to implementing a security monitoring capability.

The “checkbox mentality” is common—when the team uses the out-of-the-box functionality, including perhaps rules/reports, to meet a specific regulation.

The “big hero” approach is found in chaotic environments where tools are implemented with no planning or oversight, in a very “just do it” approach. The results may be fine, but are lost when the “big hero” moves on or loses interest.

The “strict process” organizations that implement a waterfall model and have rigid processes for change management and the like frequently lack the agility and dynamics required by today’s constantly evolving threats.

So what then are the hallmarks of a successful approach? Augusto Barrios described these factors here. Three factors are common:

  • Good people: Team members who know the environment and can create good use cases. Members who know the selected technology and can weave the rules, configuration and customize to suit.
  • Lightweight, but clear processes: Recognize that it’s very hard to move from good ideas to real (and deployed) use cases without processes. Absent this, things go to a slow death.
  • Top down and lateral support: The security team may have good people and processes to put together the use cases, but they are not an island. They will need continuous support to bring in new log sources, context data and the knowledge about the business and the environment required for implementation and optimization. They will need other people’s (IT ops, business applications specialists) time and commitment, and that’s only possible with top down support and empowerment.

Since it’s quite hard to get all of it right, an increasingly popular approach is to split the problem between the SIEM vendor and the buyer. Each has strengths critical to success. The SIEM vendor is expert with the technology, likely has well defined processes for implementation and operational success, whereas the buyer knows the environment intimately. Together, good use cases can be crafted. Escalation from the SIEM vendor who performs the monitoring is passed to the buyer team to provide lateral support. This approach has the potential to ramp up very quickly, since each team plays to their existing strengths.

The Gartner term for this approach is “co-managed SIEM.”

Want to get started quickly? Here is a link for you.