Attackers use common tools to hide among network activity

Free webinar highlights strategies to stop them before they damage your network, steal sensitive data

After attackers hit the Democratic National Committee this summer, several information security teams concluded they used a variety of persistent methods and several PowerShell exploits to pull off the attack and steal documents.

PowerShell is part of the Windows operating system. Exploits allow attackers to execute commands on remote computers. The malware is often disseminated through clickbait or spam emails, and most endpoint security programs don’t detect malicious PowerShell intrusions.

“Today’s attackers use advanced techniques and tools to compromise systems and hide among normal activity,” Dave Low, director of Technology Solutions for GuidePoint Security, said. “PowerShell-based attacks are very difficult to detect using a logs-only approach. This can lead to theft of sensitive information, disruption of business operations, or destruction of assets and damage to your business’ reputation.”

Learn more about the PowerShell exploit and other ways attackers try to compromise your systems during a free webinar 1:30 p.m. Eastern Wednesday, Dec. 14.

While most computer users today know it’s risky to click on links and download files from unknown sources, malicious links and downloads continue to be a challenge for information security teams, analysts, and incident responders, Low said.

The challenges are often exacerbated by security teams’ limited time and resources, and further complicated by a growing number of devices connected to the internet.

Unsecured Internet of Things (IoT) devices are increasingly used for malicious purposes, like the October Distributed Denial of Service (DDoS) attack against domain registration company Dyn. That attack enlisted up to 100,000 malicious endpoints to slow down connections to popular websites like Amazon, Twitter, Spotify, and more.

Attackers used Mirai-based botnets on IoT devices for the large-scale Dyn network disruptions. Recently, a new Mirai worm knocked nearly a million German Deutsche Telekom customers offline, and affected customers for Post Office broadband and TalkTalk in the United Kingdom.

PowerShell exploits, phishing, ransomware, and the Mirai worm are just a few of the many ways attackers try to gain access to your environment. At 1:30 p.m. Eastern Wednesday, Dec. 14, Low and Michael Godin, senior systems engineer for RSA, will talk about these tactics during a free interactive webinar, “Threat Hunting Lessons: Adversary Tools, Tactics, and Procedures.”

They’ll share real-world examples of attackers’ tactics, and will highlight tools and strategies analysts and incident responders can use to hunt for attacks before they cause damage. Register here now.

They’ll also explain how a Security Operations Center (SOC) can protect your organization by increasing your security team’s efficiency and encouraging active hunting. Low and Godin will explain how an effective information security plan and the right technology can help your team stop, think, and respond to threats quickly and calmly.

For more information, check out the webinar details here. Can’t make it? No worries. Go ahead and register and you’ll receive a recording after the webinar.

About GuidePoint Security
Headquartered in Herndon, Virginia, GuidePoint provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. GuidePoint Security is a small business, and its classification is registered with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

Hack to the Basics: Patch Vulnerabilities Before Attackers Exploit Them


White hat hacker illustrates how vulnerabilities can give unwanted access into your environment

While patching vulnerabilities may seem like a basic component of any organization’s information security plan, many often overlook this important step.

Hackers know this and are quick to search for exploits not long after vulnerabilities are discovered. Did you know that while it takes an average organization almost 200 days to patch a vulnerability, nearly half of all exploits happen 10 to 100 days after a vulnerability is published?

A recent co-presentation between GuidePoint Security and BMC takes a look at challenges vulnerabilities create for operations and security teams, explores how attackers use these vulnerabilities to exploit their way into environments, and discusses tools to quickly prioritize remediation and build a defense.

In “Hack to the Basics,” Brian Brush, regional partner with GuidePoint, says operations and security teams must do more work to bridge the gap between them.

“Most organizations still struggle with this,” he said.

Among the challenges are manual processes teams often use to find vulnerabilities.

“Hackers are already automated,” Brian said.

Seth Corder, automation specialist with BMC, emphasized Brian’s point by saying known vulnerabilities are often how attackers get into environments.

“They are looking for the easy stuff,” Seth said, adding that 80 percent of the potential attack surface is known vulnerabilities, even though 99.9 percent of the time there is a solution to fix it.

Automation tools like BMC’s BladeLogic Threat Detector can do just that.

Brian and Seth encourage operations and security teams to remember the value of fundamentals. Patch both internal and external vulnerabilities and focus on remediation. With a solid strategy for vulnerability hunting and patching, teams can direct their attention to making it harder for attackers to enter an environment and cause damage.

To see the full presentation and learn more about how vulnerabilities are a risk to your organization’s overall security, check out the video on BMC’s YouTube channel.

When an attacker breaches the perimeter

Victor Wieczorek, GuidePoint managing security consultant, is a white hat hacker who knows firsthand how easy it is to exploit systems where vulnerabilities are not patched and remediated.

In the same presentation with BMC, Victor demonstrates how quickly attackers can gain access to vulnerable systems.

“Hackers look for openings,” he said, clarifying they go after the easy things, like known vulnerabilities, first.

In a hands-on demonstration, Victor explains how, with a few scripts and automated tools, he can access a system where a vulnerability remains unpatched, long after a fix is available.

Attackers use the same vulnerability and automated scanning tools as security teams, Neil Parisi, BMC principal software consultant, said. Playing the role of the “good guy” in the demonstration, Neil says it’s a race to the finish line between security/operations teams and attackers.

“Can you patch before they penetrate?”

In part two of the video series, “Hacker Breaches the Perimeter,” Victor uses easily downloadable and free tools to successfully access the demo environment, while Neil shows how BladeLogic can quickly patch and repair the vulnerability.

But, like most tenacious hackers, Victor doesn’t give up. Using information obtained before detection of the vulnerability, he moves on to secure a username and credentials for part three, “Breached! Hacker Moves on to Exploit the Center.”

In the fourth and final part of the video series, “Hacker Goes for Admin Rights,” Victor continues to move around in the environment undetected. How does he do it? By using the username he detected in the previous exploit and rolling the dice on his gamble the user had the same password for multiple systems. The result? Victor gains admin credentials and masks his malicious activities like an approved user. Watch the full video to find out how much access Victor gets as he exposes vulnerabilities and how the BMC team uses BladeLogic to stop the attack.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About BMC

BMC is a global leader in innovative software solutions that enable businesses to transform into digital enterprises for the ultimate competitive advantage. Its digital enterprise management solutions make digital business fast, seamless, and optimized from mainframe to mobile to cloud and beyond. BMC digital IT transforms 82 percent of the Fortune 500 and serves more than 10,000 customers worldwide. For more information, visit www.bmc.com.

Securing People and Assets Via Mobile Security


GuidePoint Security is adding another partner to its portfolio of technologies. In an effort to provide its clients with best-of-breed solutions, GuidePoint Security has expanded its list of partners to include Bluebox Security™. Bluebox was chosen as a new partner for its unique ability to deliver enterprise visibility, security, and control of mobile data, while simultaneously enabling mobile productivity for employees, without compromising their privacy.

GuidePoint Security understands the importance of mobile security and how it plays a significant role for the people and businesses it protects. By adding another mobile security vendor, GuidePoint Security has expanded its reach to provide the best service possible to its existing and future customers.

“Mobile Security has been redefined, and Bring Your Own Device is here to stay,” said Justin Morehouse, Founder and Principal at GuidePoint Security.  “This partnership expands our offerings to confirm us as a leader in Information Security.”

“GuidePoint Security was founded by Information Security veterans who understand the importance of a data-first security strategy, and we are thrilled to have their endorsement both as a customer, and a partner,” said Caleb Sima, CEO, Bluebox Security. “The combination of GuidePoint Security’s deep domain expertise with Bluebox’s next-generation solution will allow companies to rethink their mobile security approach to reduce risk in today’s rapidly changing mobile landscape.”

In order to further solidify the relationship between the two companies, GuidePoint Security and Bluebox are co-hosting a live webinar: 10 Questions CISOs Should Ask About Mobile Security. The webinar will be an interactive conversation about factors CISOs should be considering when implementing a mobile security solution.

The mobile landscape is changing rapidly, creating new challenges and opportunities for CISOs tasked with balancing business enablement and risk. This webinar provides a great opportunity for people to get in-depth information about how the partnership works and how it can benefit their business.  Click here to register.

Read additional news about this partnership: GuidePoint Security Secures Mobile Data With Bluebox Security.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. GuidePoint Security is a small business. Classification can be found with the System for Award Management (SAM).  For more information visit  www.guidepointsecurity.com.

About Bluebox Security

Founded in 2012 by a team of security experts, Bluebox Security offers the first mobile data security solution to safeguard corporate data across the device, application, and network. The cloud-based solution provides complete visibility and security of corporate data, while providing employees the freedom, ease of use, and privacy that ensures widespread adoption. Bluebox Security has received a total of $27.5 million in funding from Andreessen Horowitz, Tenaya Capital, Sun Microsystems co-founder, Andreas Bechtolsheim, SV Angel, and Google Board member Ram Shriram. The company is headquartered in San Francisco. For more information visit  www.bluebox.com.


Security Visibility in the Cloud – Logging and Monitoring in AWS

By now we’re all well aware that there is a virtually limitless number of logging and monitoring solutions available on the market. Visit the Amazon Web Services (“AWS”) Marketplace, and you’ll find plenty of options. In fact, it gets really crazy when you start examining security monitoring versus application performance monitoring, often with solutions performing one role better than the other, or even just one of the roles altogether. What’s interesting to me is the lack of common Enterprise logging and monitoring solutions available in the AWS Marketplace. Obviously you can deploy instances to handle implementations of solutions like ArcSight, McAfee, LogRhythm, or NetIQ, but Splunk is the only well-known commercial provider with solutions available in the marketplace.

Now, that’s just the commercial side… what about open source?  Let’s cover a few terms first, for those new to centralized logging.

Shipper – a system agent that collects and forwards, or ships, system and application logs to a centralized server.

Collector / Broker – a message broker is a system that collects and queues logs as an intermediary step to indexing the logs centrally for analysis, monitoring, and alerting. Its primary purpose is to ensure you don’t lose messages when or if your indexer falls behind, crashes, or otherwise becomes unavailable to receive logs.

Collector / Indexer – a system used to collect, parse, and store logs for searching, analysis, monitoring, and alerting.

Dashboard / Visualizer – the dashboard is used to aid in log analysis by providing a search interface, and in some solutions alerting.

Open source logging and monitoring solutions abound, and, like the well-known solutions missing from the AWS Marketplace, are typically implemented on purpose-built instances within your AWS Virtual Private Cloud (you are using a VPC, right?). So what comprises an open source, centralized logging and monitoring solution?

Log shippers like Nxlog, Logstash, Lumberjack, and Fluentd. Brokers like Redis, RabbitMQ, and ZeroMQ. Indexers like Elasticsearch and… well, Elasticsearch seems to be the industry standard as far as open source goes, but there are also a lot of folks using centralized syslog-ng or Rsyslog. Dashboards, such as Graylog2 and Kibana (for Elasticsearch visibility, I like ElasticHQ), and security agents like OSSEC complete the architecture.
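To make the shipper / broker / indexer roles defined above concrete, here is a small, self-contained model of that pipeline in Python. It is an added illustration, not code from this post or from Logstash, Redis or Elasticsearch: `ship()` parses raw syslog lines into structured events the way a shipper filter would, `Broker` is a bounded queue standing in for Redis or RabbitMQ, and `Indexer` is a toy stand-in for Elasticsearch with a switch that simulates the crash the broker exists to absorb. The sample log lines, the field names and the `ssh_auth_failure` tag are all constructed for the example. The same block also covers the broker point raised later in the component list: events shipped while the indexer is down are held and delivered once it recovers, rather than lost.

```python
import json
import re
from collections import deque

# Constructed sample lines in Linux syslog format (not captured from a real host).
SAMPLE_SYSLOG = [
    "Apr 23 14:49:08 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Apr 23 14:49:10 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Apr 23 14:50:01 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# "timestamp host program[pid]: message" -- the classic BSD syslog layout.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def ship(line):
    """Shipper stage: turn one raw line into a structured event (dict).
    Field names are this example's own choice, not Logstash's."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Keep unparseable lines tagged rather than dropping them silently.
        return {"raw": line, "tags": ["_parse_failure"]}
    event = m.groupdict()
    event["pid"] = int(event["pid"]) if event["pid"] else None
    # Tag SSH authentication failures so a dashboard can filter on them.
    event["tags"] = ["ssh_auth_failure"] if "Failed password" in event["message"] else []
    return event


class Broker:
    """Broker stage: a bounded FIFO between shippers and the indexer, so events
    survive while the indexer is behind or down (Redis/RabbitMQ stand-in)."""

    def __init__(self, capacity=1000):
        self.queue = deque()
        self.capacity = capacity
        self.dropped = 0  # counts back-pressure instead of failing silently

    def publish(self, event):
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return False
        self.queue.append(json.dumps(event))  # serialize at the boundary, like a wire format
        return True

    def consume(self, n):
        batch = []
        while self.queue and len(batch) < n:
            batch.append(self.queue.popleft())
        return batch

    def requeue(self, batch):
        # Return an undelivered batch to the head so ordering is preserved.
        self.queue.extendleft(reversed(batch))


class Indexer:
    """Indexer stage: stores documents and answers a simple tag query
    (toy Elasticsearch stand-in with a switch that simulates an outage)."""

    def __init__(self):
        self.docs = []
        self.available = True

    def index(self, batch):
        if not self.available:
            raise ConnectionError("indexer unavailable")
        self.docs.extend(json.loads(doc) for doc in batch)
        return len(batch)

    def search(self, tag):
        return [d for d in self.docs if tag in d.get("tags", [])]


def drain(broker, indexer, batch_size=2):
    """Deliver queued events to the indexer. On failure the batch goes back to
    the broker and draining stops; the next call resumes from the same point."""
    delivered = 0
    while broker.queue:
        batch = broker.consume(batch_size)
        try:
            delivered += indexer.index(batch)
        except ConnectionError:
            broker.requeue(batch)
            break
    return delivered


def demo():
    """Ship the samples, crash the indexer, recover, and show nothing was lost."""
    broker, indexer = Broker(), Indexer()
    for line in SAMPLE_SYSLOG:
        broker.publish(ship(line))
    indexer.available = False        # simulated crash; the broker keeps accepting
    during = drain(broker, indexer)  # nothing delivered, everything still queued
    indexer.available = True
    after = drain(broker, indexer)   # backlog delivered in order
    return {
        "delivered_during_outage": during,
        "delivered_after_recovery": after,
        "left_in_broker": len(broker.queue),
        "ssh_auth_failures_indexed": len(indexer.search("ssh_auth_failure")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the counts; the interesting part is `drain()`, which never discards a batch the indexer refused. A real broker adds persistence and a bounded disk-backed queue on top of this, which is why the post insists on one for production.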

So, with all of these solutions available, why do I run into so many clients already in AWS, or moving to AWS, that have insufficient logging and monitoring, or worse, no logging and monitoring at all in their Cloud environment? Because Logging and Monitoring is Hard. Don’t get me wrong, it doesn’t require a rocket scientist on staff to get one or more of these commercial or open source solutions deployed. There’s preparation, communication, research, and other steps that have to be taken to properly implement logging and monitoring. I spent over a week researching available solutions, and building out proofs-of-concept in my virtualized lab to determine which solutions met my needs. That is the most critical point one should take away from this article; there is no right or wrong way to implement logging and monitoring in your AWS Cloud. As with all things IT, there is more than one way to accomplish your technical and business objectives. The trick is to find the right way for your organization.

Let’s look at some of the decision criteria that will come into play; this is not an exhaustive list:

People

  1. What expertise is available from my current staff – network engineering, development (if so, which languages), information security, incident handling, etc.?
  2. Do we have experience with a particular commercial solution?  A particular open source solution?
  3. Should I train existing staff, or hire staff with the relevant experience?
  4. Should I forget about managing this myself altogether and go with a Managed Services Provider?

Process

  1. Have we defined and documented the metrics we care about, and established a policy and process around ensuring this data is available and utilized?
  2. Have we defined and documented our business objectives behind logging and monitoring?
  3. Have we defined and documented regulatory mandates related to logging and monitoring? How do we keep our requirements and this documentation current?
  4. Have we determined roles and responsibilities involved in supporting the logging and monitoring initiative?

Technology

  1. Have we defined and documented technical requirements for our logging and monitoring solution? How do we architect our solution?
  2. Have we researched available options, and documented their strengths and weaknesses with regard to operating in our environment or culture?
  3. How do we facilitate a demonstration, proof-of-concept, or evaluation of the targeted solution?
  4. What do we log?  Where do we store logs?
  5. How do we alert appropriate personnel a problem has been detected?


After extensive research, and comparison of features and functionality, I decided upon a hybrid ELK Stack for this case study. The ELK Stack is comprised of Elasticsearch, Logstash, and Kibana. I also added Graylog2 to support alerting, and OSSEC for file integrity and host intrusion prevention. There are numerous guides on the Interwebs to assist with deploying these solutions, so I will not go into installation and configuration in this post. I may write another article later to cover installation and configuration, but I’ve included links to all of the resources I used to get up and running at the bottom of this post. Note that, although this entire process covered a full week, the bulk of the final deployment was completed in about 12 hours. I built the final environment on AWS’ Free Tier, but didn’t even complete rolling out the dashboards before the Logstash Shipper/Logstash Collector/Elasticsearch Indexer combination on the central server decimated the t1.micro instance (Ubuntu 12.04) I deployed it on (Java consumed all available memory). Rather than tune the overwhelmed box in an attempt to stabilize it, I took advantage of being in AWS and scaled up to an m1.small instance – problem solved. In total, I spent less than $5 on my, admittedly limited, proof-of-concept.


Figure 1: Kibana 3… Dead Sexy!

Take a look at the components I selected:

  1. Log Shipper – Logstash on Linux servers, Nxlog on Windows servers. Although Logstash is cross-platform, and is perfectly capable of shipping Windows Event Logs, IIS and MSSQL logs, the author of Nxlog convinced me with his post, Why Nxlog is better for Windows.
  2. Broker – This case study doesn’t incorporate the use of a Broker. I was originally going to include RabbitMQ in the architecture, but version dependencies led me down a path that was in danger of kludging up the whole study. In a production environment, you definitely need to use a broker to provide scalability and resiliency, but I pushed onward without including it.
  3. Indexer – Elasticsearch. Ridiculously easy decision for me, since Windows servers are in my test environment, and I was interested in testing something other than syslog.
  4. Dashboard / Visualization – Kibana 3 is dead sexy, and I’m an eye-candy kind of guy. I’d gone into this planning to just use Graylog2, since it is a great visualization tool itself, plus includes alerting capability, but after seeing screenshots of the new and improved Kibana 3.x, I couldn’t help deploying it, too. Regarding alerting, Nagios is often used in concert with Graylog2 for its ability to “roll up” alerts. If you’re interested in configuring email alerting/alarms for your Graylog2 deployment, Larry Smith has a great blog post to get you started here. Last, I also installed the ElasticHQ plugin to monitor my cluster of one’s health.
  5. As an aside, I also deployed OSSEC to the Linux and Windows servers for file integrity monitoring and intrusion prevention.

Figure 2: ElasticHQ… Elasticsearch cluster health, and a whole lot more!

A note about the final deployment: ultimately the redesigned, recently released Graylog2 v0.20.1 didn’t work out like I’d hoped. Everything was running smoothly, and based on configuration guidance and the absence of error output, it seemed I was set up properly, but I never saw the data from Elasticsearch in Graylog2. I spent the last few moments I had allocated to this project experimenting with some alternate configurations, and finally strayed so far from my working example that I had to give up. So, after a week of research and implementation time, a diagram of what we have can be seen in Figure 3.


Figure 3: AWS Logging and Monitoring PoC Architecture

This was a trivial setup – I’m using a single box for a local Logstash shipper, an Elasticsearch index, MongoDB for Graylog2, and three different web interfaces. In a production system, ensure you use a more appropriate architecture: separate each component, use multiple availability zones, insert a broker to receive messages from log shippers, use SSL between components, and so on.

Although I didn’t have enough time to sort out Graylog2, and get some alerting configured, I’m pleased with the overall outcome of my Security Visibility experiment. I found OSSEC to be an excellent “partner” in my quest for visibility, despite only utilizing and documenting the file integrity portion of its functionality.


Figure 4: OSSEC Web UI

Nxlog works perfectly for shipping Windows event logs, and of course, the lovely Kibana ties everything together and puts a nice bow on the concept of visualization.


Figure 4: Analyzing events with Kibana 3


Although this was not a terribly difficult experiment, from a technical perspective, I still wondered, “Is there another | quicker | better way to gain security visibility in AWS?” Well, yes, and no. Yes, there’s an easy way to get security visibility, plus AWS automation to boot – no, because despite this gem of AWS security visibility, I will still recommend a centralized logging and monitoring platform in AWS. So, what’s this solution, you ask? CloudPassage Halo. But wait, there’s more! Halo has an API that’s made it possible for several SIEM solutions to integrate with it, sharing the Halo security visibility love in a centralized way within your existing, or planned, logging and monitoring deployment.

Halo has enough features and functionality to warrant its own blog post, so I won’t go into those here. Suffice it to say, anyone looking for security visibility, automation, or both in AWS should definitely have a look at what CloudPassage has to offer.


Figure 5: Windows security events captured by Halo

Conclusion

Logging and monitoring is hard, but there are more than enough commercial and open source tools available to fit any size organization, with any size of budget. Attaining security visibility and appropriate incident handling isn’t just the right thing to do from a best practice perspective; many standards, regulations, and laws mandate them. So, regardless of the type of solution or solutions you select, choose and implement something, and gain insight into security incidents you may not have any idea are happening. After all, inadequate visibility is better than no visibility at all.

For additional information on this subject and the opportunity to ask questions, please click here to register for our Webinar titled:  Security Visibility in the Cloud – Logging and Monitoring in AWS occurring on May 1st, 2pm (EST).


GuidePoint’s David Bressler Presenting on Data Visualization at RSA’s Security Analytics Summit

David Bressler, Senior Security Consultant at GuidePoint, will be presenting on data visualization at RSA’s Security Analytics Summit on Wednesday, September 11, 2013 at the Hilton Alexandria Mark Center in Alexandria, Virginia. His presentation, entitled Using Maltego to Pimp Big Data from NetWitness, will discuss using Maltego, primarily an offensive OSINT tool, to help defenders visualize data within NetWitness. The presentation, which David will give together with Rich Popson, has the following abstract:

Imagine what it would be like to utilize an OSINT tool that can use the NetWitness API to visualize the data being captured. Rich and David are going to show you how they turned what is known primarily as an offensive OSINT tool into a tool to help defenders visualize data within NetWitness.

The presentation will take place from 9:00 AM to 9:45 AM in the Arbors room. For more information on this presentation and the RSA Security Analytics Summit, visit https://blogs.rsa.com/th_event/rsa-security-analytics-summit-formerly-known-as-the-netwitness-user-conference/.

GuidePoint Security Presents Encore to Defending Attacks and Securing Applications

Based on the success of GuidePoint’s presentation to Federal agencies last month, Matt Darlage, VP of Technology Integration, will present an encore presentation open to all government agencies on Tuesday, December 11 from 11AM to 1PM at The Caucus Room in Northwest Washington, DC.

Presentation Abstract

Organizations targeted by hacktivist groups need to be able to detect and proactively apply countermeasures that are not only part of their tactical incident response capability, but are also enforced by their operational security architecture. These advanced solutions help defend targeted organizations with common-sense, practical approaches, avoiding unnecessary complexity. As a result, GuidePoint Security and F5 are hosting a technical discussion for Federal agencies that focuses on the realities of defending and securely delivering their applications.

During this discussion, attendees will learn about:

  • Layered and protocol centric approaches for resource exhaustion-based attacks
  • Web application delivery applications that create explicit access paths and leverage diverse inline content inspection mechanisms
  • Why encryption is your best friend, but can also be your worst enemy
  • Leveraging advanced security technologies and methodologies against modern web application attacks
  • Making security an enabler, not a disabler

Click here to register for this free event.

GuidePoint Security Presents to Federal Agencies on Defending Attacks and Securing Applications

Organizations targeted by hacktivist groups need to be able to detect and proactively apply countermeasures that are not only part of their tactical incident response capability, but are also enforced by their operational security architecture. These advanced solutions help defend targeted organizations with common-sense, practical approaches, avoiding unnecessary complexity.  As a result, GuidePoint Security and F5 are hosting a technical discussion for Federal agencies that focuses on the realities of defending and securely delivering their applications.

During this discussion, attendees will learn about:

  • Layered and protocol centric approaches for resource exhaustion-based attacks
  • Web application delivery applications that create explicit access paths and leverage diverse inline content inspection mechanisms
  • Why encryption is your best friend, but can also be your worst enemy
  • Leveraging advanced security technologies and methodologies against modern web application attacks
  • Making security an enabler, not a disabler

Click here to register for this free event.


GuidePoint Security Presents on Mobile Security Abroad at AppSec DC

Heading to AppSec DC next week? Be sure to catch GuidePoint Security’s Co-Founder and Principal, Justin Morehouse, present Behind Enemy Lines: Practical Triage Approaches to Mobile Security Abroad, 2012 Edition on Thursday, April 5 at 11 a.m.

If you are unable to make it to the conference, we will post Justin’s slides after the presentation. If you would like more information about the presentation, leave a comment below.

Abstract: Having traveled over 100K miles internationally during the past 9 months, the topic of mobile security while abroad was on my radar. I took some precautions myself and jotted down some ideas to discuss with my peers. Then one of my clients asked me to come up with a solution for their executives while traveling to locations that would benefit greatly from their intellectual property. This presentation covers the lessons learned while securing mobile devices for both the enterprise and consumer while outside the 50 states. Areas of particular interest will be common threats and attacks and the REALISTIC steps you can take to reduce your attack surface and return your IP home safely. We’ll also cover what to do when your primary safeguards fail or end up in a toilet somewhere…