You may feel you don’t have the resources for a cyber hunt team, but you are certainly under threat from hard-to-find adversaries! Ultimately, cyber hunting is a mindset more than a job title!
Start with the assumption that the bad guys are already on your network and they have the intent, capability, and opportunity to do harm at any time. They are also watching what you are doing, and changing their game, as you react to them.
Your job is to take on the cyber hunter mindset and find adversaries before they do harm.
Get in the mind of the attacker
It is important to acknowledge that behind every attack is a human, which means you are not up against a computer but a person or a group of creative thinkers. As in the children’s game Clue, you have to use deductive reasoning to narrow down the list of suspects, the possible locations, and the possible weapons.
As you take on the mindset of the attacker, you begin to understand how sabotage or espionage in your network might take place:
Knowing your network, utilizing your toolset and your creative thinking, you can effectively plan work to raise the bar, forcing the intelligent adversary out in the open.
Assume they have control over more than you know about
It takes on average about 197 days to detect a breach on a corporate network and identify an entrenched hacker. By a similar token, it is very likely that when you do discover a compromise you are not seeing the full extent. This means the adversary likely already has more assets under his or her control than you are aware of.
By taking immediate action, you will show your hand, and force the intruder to be more careful. Although the battle is won, the war is lost. The intruder is still there, and aware you may be watching. Instead, change your technique and begin by learning as much as you possibly can about the intruder. Find out how the intruder is controlling the compromised asset, and search the network for additional evidence and footholds. Then take action all at once, and eradicate the intruder completely.
By learning what the bad guys know about you, you will know more about your adversary than they know about you, and you are subsequently in a stronger position to “win”.
Expect your attacker to change based on what you do.
Network defense is a game of cat and mouse. It is not a one-shot attack and cleanup cycle, but instead an ongoing battle between you and the cybercriminals. As you change your defensive posture with additional access controls, firewalls, and detection technology, the intruder evolves to avoid tripping the tripwire.
In addition to these traditional fortifications, you must observe patterns of connections, patterns in logs, or connection behaviors that are not expected in your normal course of business. By knowing your environment, you may detect anomalies that betray the intruder.
The essence of anomaly detection is discovering deviations from what is normal, but this is hard: most malicious activity is actually quite “normal” from a mathematical perspective. However, the human mind is fantastically able to combine many pieces of diverse evidence, even if they are not anomalies per se. You have to be observant and curious to detect stealthy anomalous actors on your network.
Ready To Change Your Mindset?
The best cyber hunters are curious, passionate and proactive. They know how to leverage multiple tools. They understand their threat landscape and their organization well enough to ask the right questions and find the answers and they change their mindset by:
With the right framework and tools, you can learn the art of actively seeking out, tracking, and disabling the most skilled and dangerous network intruders. Are you ready to become a cyber hunter?
Self Proclaimed Foodie ・Outdoor Enthusiast ・ FlowTraq’s Newest Team Member
We are excited to introduce you to our newest team member Richard Larkin, we call him Rick! He joins our team as a Solution Architect and works at our headquarters in Manchester, NH which has become a hub for technology startups and great local grub.
Rick fuels his day with ice cold nitro brew coffee on tap and fills his day with FlowTraq product demonstrations and customer trainings. Rick is constantly uncovering the changing needs, challenges and requirements of FlowTraq users. He shares that he is “looking forward to traveling to meet customers and attend industry trade shows and conferences.” When we asked him what he likes most about working at FlowTraq he said “I’ve enjoyed learning a new technology and going on a journey with each customer, as well as working with some of the sharpest minds and thought leaders in the cyber security field”.
Formerly a network engineer turned cyber security engineer, Rick brings over 30 years of experience to FlowTraq. Rick attended the University of Massachusetts Dartmouth for undergrad and pursued his graduate degree in Electrical Engineering from Boston University. He has also worked for impressive organizations throughout his career like Raytheon, Fidelity Investments and Massachusetts Institute of Technology. His career has taken him all over the world to places like Germany and Kwajalein, Marshall Islands, but we learned his favorite spot to visit is Hawaii.
Rick explains: “FlowTraq fills a need in the industry by providing deep visibility into the security of a network, both in the building and the cloud.” What surprised him most so far was our brag-worthy customer list.
If he had to pick only one feature of FlowTraq, he would pick exploring the workspace. “The FlowTraq workspace allows you to look at the data with limitless options, you can quickly dig deep and investigate an anomaly on your network, it’s like finding a needle in a haystack”.
When he disconnects from technology, he prefers being outdoors with his family or enjoying a nice meal with his wife. There is a local rail trail he frequents. He also keeps busy by staying connected to his four daughters and two grandchildren and one on the way!
Looking to connect with Rick?
Also, for more company updates, follow us on LinkedIn!
The days of perimeter defense-based security are now behind us. And they have been for awhile. With the ubiquitous proliferation of smartphones, laptops, and employees working from the road, the traditional concept of a “network border” has evaporated. Yet, even before this started to take place, the black-hats-turned-white-hats and other front-line operators would scream for defense-in-depth.
Anyone who’s ever done a thorough investigation of a widespread network intrusion generally discovers these three facts:
1) The bad guy got in and moved around a lot inside
2) The bad guy has been inside for a while, on average 99 days*
3) There was no way to have pro-actively closed all holes
The conclusion is that even a network with a solidly defined border cannot rely on border defenses alone. Eventually, someone gets in. And it is the moving around on the inside where the bad guys spend most of their time.
As a system is compromised it becomes a stepping stone.
Intel gathered on the system allows the intruder to move laterally in the network. This intel could be a network layout, common applications, services that the organization uses, or even credentials for other accounts and resources in the organization that allows the attacker to penetrate further.
With each step, more of the network is mapped out and more data is discovered. By understanding what applications are commonly used, the attacker might perform limited scans of the resources, and attempt exploits in a targeted fashion. The days of widespread network scanning are over, as such behavior is way too loud and easily picked up by sensors.
As some attackers become more stealthy and methodical, it has become much harder to successfully and quickly detect them. That is likely the leading reason that time-to-detection has not gone down, despite an explosive growth in the security technology industry. Because of this, the security operator has been forced to adopt a more active role, instead of detect-only.
Good cyber hunters search for patterns of connections, patterns in logs, or connection behaviors that are not expected in the normal course of business. And instead of acting on alerts (which are “positive indicators of compromise”) they take time to map out the extent of the threat in their network. This is borne from the realization that an intruder may have penetrated the network much deeper than the current evidence may support. In other words: if the bad guy is deep inside your network and has their hands in many resources, shutting the attacker down in only one of them tips your hand. The attacker now knows they are being watched and will change tactics.
Cyber hunting is all about understanding the full extent of the compromise before any action is taken. And this is hard. Because there are many ways in which someone may move laterally through the network. For this, widespread visibility is the key. To stack the deck in the favor of the hunter, we turn to a technique that has been around for decades: decoys.
A decoy can be as simple as an email account without a real user, and as complicated as a server full of resources that are out there “to be discovered”. The latter is also called a “honeypot”.
By leading the attacker astray, you accomplish two important goals:
1) The mere act of an attacker touching these decoys is a red flag
2) The attacker now is chasing fake leads on your network, which takes time, and makes more noise that can be observed
The downsides of decoys are myriad, and a commitment must be made to watch them carefully. They are hard to put together realistically, taking significant operator time. And they must be monitored carefully, as they can in themselves become stepping stones or platforms for launching attacks into the world. When placing decoys, it is also very important to ensure your visibility is “out-of-band”. It should not be trivial for the attacker to understand you are closely watching the decoy, or even to disable your visibility. In general, it must be hard for an attacker to understand they have hit upon a decoy.
Security remains a cat & mouse game, and it goes without saying that a perfectly secure network does not exist. Using decoys as a trap for the advanced intruder can pay off in spades, but the investment must be carefully and deliberately made. More important still, a comprehensive network of visibility and data gathering must be in place before even attempting the deployment of traps in your network. After all: what good is a tripwire, if you aren’t listening!
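To illustrate the first goal above (any touch of a decoy is a red flag), here is an added example that is not from the post or from FlowTraq: it scans sshd-style authentication lines as collected out-of-band on a central syslog host and groups every touch of a decoy account or decoy host by source address. The decoy inventory and the log lines are constructed.

```python
"""Group touches of decoy accounts and decoy hosts by source address, from sshd-style auth logs.

Assumptions (constructed for this example): the decoy names below and the log lines,
which are taken to come from a central syslog collector rather than from the decoys themselves.
"""
import re
from collections import defaultdict

DECOY_ACCOUNTS = {"svc_backup_old", "jsmith-admin"}   # accounts with no real user behind them
DECOY_HOSTS = {"fileserv-old", "hr-db2"}              # honeypot servers, by their syslog hostname

# Matches OpenSSH "Accepted ... for USER from ADDR" and "Failed ... for [invalid user] USER from ADDR".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_auth_line(line):
    """Return the timestamp, host, result, user and source address of one sshd line, or None."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def decoy_touches(lines):
    """Map each source address to the list of decoy touches it produced.

    A failed login counts as much as a successful one: the decoy should never be
    contacted at all, so the attempt itself is the signal.
    """
    touches = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy account " + ev["user"])
        if ev["host"] in DECOY_HOSTS:
            reasons.append("decoy host " + ev["host"])
        if reasons:
            touches[ev["src"]].append((ev["ts"], ev["host"], ev["result"], "; ".join(reasons)))
    return dict(touches)

# Constructed sample log lines: one legitimate deploy host and one host probing decoys.
SAMPLE_LINES = [
    "May 12 10:01:02 web01 sshd[2201]: Accepted publickey for deploy from 10.0.1.20 port 50112 ssh2",
    "May 12 10:03:15 fileserv-old sshd[311]: Failed password for invalid user admin from 10.0.1.77 port 41002 ssh2",
    "May 12 10:03:19 fileserv-old sshd[311]: Failed password for svc_backup_old from 10.0.1.77 port 41003 ssh2",
    "May 12 10:07:44 web01 sshd[2260]: Failed password for jsmith-admin from 10.0.1.77 port 41990 ssh2",
    "May 12 10:09:00 hr-db2 sshd[98]: Accepted password for svc_backup_old from 10.0.1.77 port 42110 ssh2",
    "May 12 10:10:30 web01 sshd[2270]: Accepted publickey for deploy from 10.0.1.20 port 50120 ssh2",
]

if __name__ == "__main__":
    for src, events in decoy_touches(SAMPLE_LINES).items():
        print(f"ALERT source {src} touched decoys {len(events)} times:")
        for ts, host, result, why in events:
            print(f"  {ts} {host} {result}: {why}")
```

The per-source grouping is what shows the second goal: a source that keeps hitting one decoy after another is chasing fake leads and making noise you can observe.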
Look for next week’s blog on tips on how to successfully build and watch a decoy.
*Source: Gartner, June 2017
We recently examined achieving PCI compliance in a public cloud environment. In that article, I gave a high-level overview of the steps you need to perform. In this article, I would like to dive a bit deeper and discuss some of the unique challenges you can run into, and your options for resolving them. As I hinted in the last article, the biggest challenges can revolve around meeting the network specific controls within the PCI DSS framework.
Cloud providers can receive a PCI DSS attestation as a Service Provider. This permits them to offer services to customers that need to process credit cards as part of their business model. It also permits them to offer services to other cloud providers that expect to have an impact on credit card transactions. For example, Amazon maintains an attestation as a PCI DSS Level 1 Service Provider. This means any third party company could build a Software as a Service (SaaS) offering capable of achieving PCI DSS compliance on top of that infrastructure. This is sometimes referred to as “nested vendors.”
One of the required documents a cloud provider must maintain is a Report on Compliance (ROC). This defines the level of responsibility assumed by both the cloud provider and their customers for each PCI DSS control. In some cases, the provider may assume full responsibility (example: data center physical security). In some cases, the vendor may assume no responsibility (example: checking customer code for security vulnerabilities). In others, implementation of the control is considered a shared responsibility (example: vendor supplies a firewall but customer must properly configure it). You need to review the ROC and provide coverage for all controls for which the provider does not accept full responsibility.
Let’s look at an example of a PCI DSS control that can be extremely challenging to put in place if your provider does not accept full responsibility. Figure 1 shows the control requirements included in control 11.4:
The control requires that a network-based Intrusion Detection or Prevention System (NIDS or NIPS) be installed and maintained. While the description does not specify a network- or host-based system, the bullet items specify that it be installed at the “perimeter” and “at critical points,” which implies a network deployment rather than host-based. In a cloud environment, the provider includes networking services. However, they typically do not accept responsibility for this control. This leaves you in a position of having to implement a control within an infrastructure that you do not administer.
One possibility is to attempt to implement a compensating control. This is permitted when there is a legitimate hindrance to implementing the control exactly as described. Since you don’t control the network layer, you could argue that you are technically unable to implement the control as it is described. You could further argue that a compensating control would be to run Snort, or similar NIDS software, on either every host within the provider’s environment or on a dual-homed server acting as a gateway in front of all other servers (assuming the provider supports this type of connectivity). You could then argue that this creates a similar level of security to that which is described by the PCI DSS control.
However, pursuing this path brings its own set of challenges. You are deviating from the control as it is described. Your Qualified Security Assessor (QSA) may or may not agree with your assessment, and thus may or may not consider this control to be in place. You may put a lot of work into implementing a compensating control, only to find out that you need to identify another solution. Further, just because a QSA accepts a compensating control once, does not guarantee they will do so in future assessments. It is entirely possible that a compensating control can get accepted one year but rejected the next. Since the acceptance of a compensating control is a subjective evaluation, final judgment can vary between assessments.
Finally, both of the described possibilities create additional administration challenges. In the case of running Snort on every box, you have to administer the overhead of having Snort running on every system. A centralized infrastructure must be created, and Snort will take processor and disk read/write time from whatever production processes are also running on each system. While running a gateway setup solves many of these challenges, the configuration is not supported by all cloud vendors and even if it is, you can end up with a single point of network failure. So while compensating controls are possible, they should be considered an option of last resort.
A common mistake I hear is that NetFlow or IPFIX data cannot be used to meet PCI DSS control 11.4. The assumption is that since this data does not include payload information, it does not qualify. Let’s carefully reread control 11.4 and extract all listed requirements:
Note that the defined purpose is to alert personnel when a system acts suspiciously and is potentially compromised. A NIDS that analyzes payloads is not going to give you this information. For example, let’s assume an attacker launches an inbound injection attack, which is the top listed OWASP vulnerability. Most likely the attack will take place over HTTPS. HTTPS provides data privacy, which will prevent the NIDS from being able to eavesdrop on the session. Thus the attack will go undetected. Further, even if HTTPS is not used and the attack is detected, this does not guarantee that the target system is actually vulnerable. All we know for sure is that someone attempted the attack. Triggering a response when the success of the attack is not confirmed is going to generate a large number of false positive alerts.
So how do we detect suspect compromises? By identifying when the system acts suspiciously. For example, assume we have a publicly accessible Web server. What type of outbound session establishment is required by this system? Here is a common list:
This is a pretty short list. We could easily define a set of rules that ignores all traffic that meets the above-defined criteria. We then trigger an alert whenever an unexpected traffic pattern is detected leaving the system. We could do this with a classic signature-based NIDS, or we could do this with IPFIX flow data. We do not need to analyze payloads to detect this type of suspect activity. The benefit of using flow data is that we do not need to deploy an entirely new security system.
We have established that NetFlow or IPFIX data can be used to meet PCI DSS control 11.4. This leads us to our next challenge, which is that as of the time of this writing, no public cloud vendor supports IPFIX. However, all is not lost: if you have instances running in Amazon, you can convert their VPC flow logs to IPFIX format.
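As an added example (not from the article, FlowTraq or Amazon), here is the baseline-and-alert logic described above applied directly to VPC flow log records rather than to converted IPFIX; the server address, the list of expected outbound sessions and the log lines are all constructed. Because the default flow log format carries no TCP flags to say which side opened a connection, the code treats records whose source port is one the server listens on as the reply half of an inbound session and skips them.

```python
"""Flag unexpected outbound sessions from a web server using VPC flow log records.

Assumptions (not from the article): the server's private address, the expected
outbound sessions and the log lines below are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SERVER = "10.0.1.10"    # constructed: the public web server's private address
SERVED_PORTS = {80, 443}    # ports it listens on; records with these as srcport are replies, not new sessions
TCP, UDP = 6, 17

# Baseline of expected outbound session establishment: (destination network, protocol, destination port).
EXPECTED_OUTBOUND = [
    (ip_network("10.0.0.2/32"), UDP, 53),     # VPC DNS resolver
    (ip_network("10.0.2.0/24"), TCP, 5432),   # database tier
    (ip_network("10.0.3.5/32"), TCP, 443),    # package/patch mirror
    (ip_network("0.0.0.0/0"), UDP, 123),      # NTP
]

@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    nbytes: int
    action: str

def parse_vpc_flow_line(line):
    """Parse one default-format VPC flow log line (14 space-separated fields).
    Returns None for NODATA/SKIPDATA records, which carry no addresses."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), int(f[9]), f[12])

def is_expected(flow):
    """True if the flow's destination, protocol and port are on the baseline."""
    dst = ip_address(flow.dstaddr)
    return any(dst in net and flow.protocol == proto and flow.dstport == port
               for net, proto, port in EXPECTED_OUTBOUND)

def unexpected_outbound(lines, server=WEB_SERVER):
    """Return flows the server initiated that are not on the baseline.
    Rejected flows are kept: a blocked attempt to reach an unexpected destination is still a signal."""
    hits = []
    for line in lines:
        flow = parse_vpc_flow_line(line)
        if flow is None or flow.srcaddr != server:
            continue
        if flow.srcport in SERVED_PORTS:   # the server-side half of an inbound client session
            continue
        if not is_expected(flow):
            hits.append(flow)
    return hits

# Constructed sample records: version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 50123 53 17 2 180 1494590400 1494590460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.45 443 51022 6 20 18000 1494590400 1494590460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 44210 5432 6 40 9000 1494590400 1494590460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 49877 4444 6 12 2400 1494590400 1494590460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.55 49901 445 6 3 200 1494590400 1494590460 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1494590400 1494590460 - NODATA",
]

if __name__ == "__main__":
    for flow in unexpected_outbound(SAMPLE_LINES):
        print(f"ALERT {flow.srcaddr} -> {flow.dstaddr}:{flow.dstport}/{flow.protocol} {flow.action} {flow.nbytes}B")
```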
I’ve written an article called Working With VPC Flow Logs. If you are new to Amazon flow logs, this may be a good place to start. Once you’ve read that, you can move on to Alex Barsamian’s great article on the configuration as well as importing flow logs into Flowtraq. This can help you get up to speed quickly in meeting this control.
Leveraging public clouds that are PCI DSS compliant is a great way to reduce the number of controls for which you are responsible. This can create new challenges, as you need to satisfy controls within an infrastructure you do not administer. Combining tools such as Amazon’s flow logs with FlowTraq can help you meet this control quickly and effectively.
On May 12th, 2017, a widespread global ransomware attack began traveling through vulnerabilities in the Windows operating system. It has struck over 150 countries and a broad range of industries. More than 45,000 attacks have been recorded so far, ranging from UK National Health Service to FedEx.
It has yet to be discovered who is behind the attack. However, a twenty-two-year-old cyber security researcher registered a domain name hidden in the malware, which has currently stopped the spread of the attack. This has given organizations in the US more time to develop immunity to the attack. The attack is likely not over. Cyber criminals often change the code and start again. Microsoft released a patch (a software update that fixes the problem) for this Windows operating system flaw in March 2017, but pirated programs and computers that have not installed the security update continue to remain vulnerable.
Since it’s random, scattered and broad, it’s hard to know where it may hit next. It’s important that all organizations patch their Microsoft operating systems before they are infected.
After a security weakness, or a malicious link clicked from your email, the ransomware installs itself, and encrypts some or all of the files on your computer with a secret key, so you can no longer open them.
In order for you to decrypt your files so you can use them again, you must pay an amount of money to the attacker. This is usually paid in bitcoin. Once you have paid, the attacker gives you a key with which to decrypt your files. Keys are typically specific to your computer, so a different key must be used on each system that has been infected with ransomware.
If you’ve been hit by WannaCry Ransomware, you’ll see the following on your screen: “Oops, your files have been encrypted!”
1.) Ransomware is a real threat, much like credit card theft, electronic banking hacks, and electronic espionage.
2.) If you haven’t already, patch your Microsoft Windows systems immediately, or disable the affected component. More information can be found here.
Your organization can protect itself by following the golden mantra of update, educate, and separate:
You may not always care about minor bug fixes or features, but you should always keep major apps, programs and operating systems like Windows, browsers and PDF readers up to date. Set up automatic updates and/or calendar reminders.
49% of data breaches are caused by malicious or criminal attacks, and 19% are related to employee negligence (Source: Cost of Data Breach Study by the Ponemon Institute.)
A lot of ransomware is simply emailed to people, and requires them to click on a link in order for the computer to be infected. This is commonly called “phishing”. Once users know how to recognize links and attachments, and to be distrustful of them, the chances of ransomware taking hold of your environment quickly diminish.
Gain support from your senior leadership by knowing the business risks and consequences to the company in regards to data breach. Ensure your employees are not using pirated software and that all software is up to date. Educate and train your employees on how to handle confidential information and email safely. Commit to security best practices as an organization.
A strong firewall on the perimeter is worthless once the attacker and his/her ransomware are in the door and have free rein inside. So build a network of levees, so security breaches don’t spill over from one segment to the next.
When your daily defenses are in decent shape, hunt for compromises daily. It is important to realize you are fighting a human attacker, who is smart about the defenses that you could have in place.
Collect flow data from all routers and switches in your network, and let a behavior anomaly detector do its work. Collect logs from all servers, access points, and workstations. Hunt for obvious malicious activity, investigate each anomaly, and watch for movement of large amounts of data on your network.
There is no such thing as a 100% secure network, but by just doing the legwork you are a long way on your way to keeping ransomware off your network.
Gain visibility on your network around the clock and set up alerts. Learn more about FlowTraq Cyber Threat Hunting.