Feed aggregator

All the sessions of @ElevenPaths' Security Innovation Day 2018 on video

Un informático en el lado del mal - 4 hours 35 min ago
Last week we held the sixth edition of our ElevenPaths Security Innovation Day 2018, where we presented some of the things we have been working on this year so that our clients could learn about them first hand and try them out at the booths we set up during the break.

Figure 1: All the sessions of the ElevenPaths Security Innovation Day 2018 on video
All of them are now available to watch online: we have uploaded them to YouTube so you can watch them at your leisure, from wherever you want and whenever you can. This is the complete event.
01.- Opening Session
The first talk was given by Pedro Pablo Pérez, CEO of ElevenPaths, and Julia Perea, Director of Digital Security at Telefónica de España. It covered the main news of the year, with a focus on the announcement that our services are now available in Self-Service Online mode, such as mASSAP Online, Faast For WordPress or Latch.

Figure 2: Opening Session
It also explained how our Security Operation Centers work, the work within the Telco Security Alliance, and the vulnerabilities discovered by our research teams this year, such as the latest one we published concerning CISCO.
02.- On the path towards an Intelligent MSSP
The second session showed in detail everything we are doing to build the best network of Security Operations Centers and, with it, the best MSSP service. Right now our services are recognized as among the best by industry analysts, as you will see in the presentation, but we are still innovating in that service to improve it.
Figure 3: On the path towards an Intelligent MSSP
Alberto Sempere, Product Director at ElevenPaths, and Ester Tejedor [X] were in charge of explaining all this work in detail.
03.- Our princess is "always" in other castle. Chasing innovation.
A session for the innovation team, in which Sergio de los Santos and Gonzalo Álvarez Marañón told us about some of the technologies and patents we have been working on. This talk is worth watching to see some of the projects we have patented, such as Capacicard or SmartPattern.

Figure 4: Our princess is "always" in other castle
04.- Beyond innovation
In this talk Rames Sarwat and Yaiza Rubio (together with Antonio Bordón) gave us more details about our flagship product of the year: Stela Filetrack, the solution for managing the Shadow Data Lake made up of all the personal computers and services your users rely on to handle documents.
Figure 5: Beyond innovation
It is a product that lets any IT, Security or CDO department manage the documents that live beyond the central repositories. In this technology we have integrated all our document technologies, such as SealSign, MetaShield Protector, SealPath and Shadow, to build an "Enterprise Ready" solution that lets you work "magic" with the company's documents.
05.- Corporate APT using FakeNews
In this talk, given by Martina Matarí (from Telefónica's Digital Security team and winner of the latest Cybersecurity challenge at Defcon) and me, we discussed attacks against a company's employees. We started with attacks on identities, then on users, and finished with attacks on employees' reputation using FakeNews.
Figure 6: Corporate APT using FakeNews
As I have already told you, I did a demo with a FakeNews item that used DeepFakes to produce a fake video of me delivering a fake story that could damage an employee's reputation. You can find more information about this in the post "How to Face Swapping Chema Alonso & Axl Rose using DeepFakes".
Saludos Malignos!
Categories: Security Posts

The Open Source Conundrum

Zero in a bit - Thu, 2018/11/15 - 21:33
If you’ve read or watched the news at all in the last five years, you know that securing software is challenging. And in today’s world, developers are shouldering a big part of this challenge. Here lies the conundrum. Developers are in the best position to secure code, but security is often not one of their priorities. With the shift to DevOps in recent years, development is all about speed of delivery, which means moving quickly and relying on open source code, and which often comes into conflict with the goals of security. In many cases, this has led to a “patch and pray” model – where organizations patch vulnerabilities when they hear about them, and then pray it wasn’t exploited in the window between discovery and patching.

But this doesn’t have to be the case. We can take advantage of open source libraries and move at the speed of DevOps without relying solely on a reactive security model. However, we do need to acknowledge that open source has changed the security game. Just the sheer numbers are landscape-altering. At SourceClear, we’ve found that most companies have more open source code than internally developed code – in many instances, in fact, the open source share is up to 90 percent. In terms of security, this means that the attack surface has changed dramatically.

In this environment, it becomes critical to ask four questions:
  1. What open source code are you using? (Hint: It’s more than you think.)
  2. Where did it come from? Should I trust it?
  3. What does it do?
  4. What vulnerabilities are present?

Ultimately, control over what is in your code has changed. Today, you need new security solutions to reduce risk in this new environment. Join me in person this month to dig further into this problem, and its solutions. I’m hitting the road for our “Open Source Conundrum” roadshow beginning November 27. Find out when I’ll be in a city near you, and stop by to network with peers and get some solid advice on this challenging security issue.
Categories: Security Posts

Defending Against Zero-Day Attacks with AlienVault USM Anywhere

AlienVault Blogs - Thu, 2018/11/15 - 19:12
Introduction
Recently, an AlienVault customer reached out to ask how AlienVault handles the detection of zero-day attacks, which are exploits against previously unknown vulnerabilities. In this blog, I shed light on how we approach this.

Modern security products rely on some definition of threats, whether that definition is as specific as a signature that identifies a unique strain of malware or as general as a behavior pattern that threat actors employ broadly across different strains of malware. The challenge of security is keeping those definitions up to date as attacks emerge and evolve in the wild every single day. Most organizations outside of the Fortune 500 do not have the resources to tackle this challenge on their own.

There are a few approaches to this challenge of staying ahead of the always-shifting threat landscape and new zero-day attacks. One is to discover vulnerabilities before threat actors discover them and figure out how to exploit them. Another is to identify the active exploit in the wild early and to quickly update your defenses immediately to detect and respond to it. AlienVault uses both of these approaches to keep our customer environments secure in the face of zero-day attacks. Let’s take a deeper look at how.

Early Access to New Vulnerability Information
One way to stay ahead of emerging threats is to know about the vulnerability before threat actors have an opportunity to exploit it. As soon as a new software vulnerability or security flaw becomes public knowledge, threat actors go to work, taking advantage of the time it takes for security vendors to update their tools and for security teams to then identify and patch their vulnerabilities. That’s why it’s a security best practice for software researchers to inform security vendors of new threats and vulnerabilities before they announce them to the general public. For example, AlienVault participates in Microsoft’s Microsoft Active Protections Program (MAPP).

Through this program, AlienVault Labs receives early access to new vulnerability information for Microsoft and Adobe products before Microsoft publishes it in its monthly security update. This allows us to update the defenses in USM Anywhere ahead of a public announcement, giving our customers a headstart in identifying and remediating the vulnerabilities in their environments.

Discovering Zero-Day Attacks as they Emerge in the Wild
Of course, the “good guys” are not always the first to discover new vulnerabilities. All too often, threat actors find and exploit vulnerabilities before vendors have the opportunity to discover and release patches for them. Thus, zero-day vulnerabilities are often discovered after they’ve been exploited in a successful zero-day attack. That’s why it’s important to have a constant watchful eye on the global threat landscape as well as the ability to operationalize new threat information as soon as it becomes available.

The Power of the Global Threat Intelligence Community
AlienVault has a couple of strategies here. First, AlienVault USM Anywhere is unique in its ability to detect zero-day attacks thanks to its direct integration with the Open Threat Exchange (OTX), the world’s largest open threat intelligence sharing community. The global OTX community of over 100,000 security researchers and practitioners contribute 19 million pieces of threat data daily, and they often alert the community within the initial minutes or hours of discovering an attack in the wild. This threat data is available to any OTX user to consume in their security tools. For AlienVault USM Anywhere users, OTX threat data is integrated and ready to use in the platform. Users can subscribe to any OTX Pulse to enable security alerting on the indicators of compromise (IOCs) published within that pulse. Users can also subscribe to email notifications to stay aware of specific attacks, threat actors, or malware families as they evolve.

AlienVault Labs Security Research Team
In addition to the community-powered threat data shared in OTX, USM Anywhere receives continuous and automatic threat intelligence from the AlienVault Labs Security Research Team. This team works on behalf of all USM Anywhere customers, monitoring the global threat landscape daily, analyzing threats with a combination of human and machine intelligence, and curating the threat intelligence that is delivered continuously and automatically to USM Anywhere. AlienVault Threat Intelligence is ready to use and is written to proactively detect higher-level activities, patterns, and behaviors to effectively automate threat hunting activities across customer environments.

Behavioral-Based Detection
Detecting threats based on IOCs like file hashes and IP addresses enables security teams to identify emerging attacks quickly and with higher confidence. Yet, alone, IOCs are fairly volatile as threat actors can alter them very quickly, easily, and even automatically. Less volatile are the tactics, techniques, and procedures (TTPs) that threat actors use (and reuse) to carry out attacks. Think of these as the recipe for the attack - it’s the high level tasks they perform at each stage of attack. These steps are often the same for different malware or campaigns, so identifying them is more effective than focusing on other methods of detection.

For example, consider a network attack. The initial network intrusion may be done using a brand new, unidentified vulnerability. But, once the threat actor gains access to the system she attacked, her recipe calls for downloading tools needed to move laterally in the network and extract data. These tools can be identified when they are downloaded or when they communicate on the network. These tools are independent of the initial zero-day vulnerability that was exploited in order to gain access, so we can still detect the threat by detecting other tools used in the attack.

To do this, AlienVault Labs uses machine learning algorithms to extract threat characteristics and clusters to identify known and unknown threats. These "clusters" are based on observed network behavior, OS interactions, and more. The algorithms further analyze these clusters to identify anomalous behavior. The AlienVault Labs team uses this information to codify the tactics, techniques, and procedures, which are packaged as correlation rules and delivered continuously to USM Anywhere as part of the threat intelligence subscription.

Using this strategy, AlienVault was able to detect and block the "ALPC zero day" months before it was actually identified in the wild and an IOC was written for it. This exploit is designed to take advantage of an API vulnerability in the Windows task “SchRpcSetSecurity” that controls the ALPC (Advanced Local Procedure Call) interface, allowing local users to obtain SYSTEM privileges. AlienVault Labs detected this privilege escalation technique with generic detection mechanisms that are resilient to a changing attack vector. In other words, they came up with a way to detect this type of privilege escalation that is independent of the exploit it is wrapped in. So any attack, even a zero day, that uses this technique is effectively identified by AlienVault.

Another example is the well-known Apache Struts vulnerability. When it was first released, there was no defense against the attack. However, once it got onto a system, it leveraged a Webshell to communicate back to its masters. AlienVault USM Anywhere was already able to detect this Webshell because it was used by other attackers in previous campaigns as part of their TTPs.

Summary
In this blog post, I’ve outlined a few of the techniques that AlienVault leverages to detect emerging and evolving threats, including zero-day attacks. To quickly summarize:
  • Early access to new vulnerability information allows us to update the vulnerability signatures in USM Anywhere ahead of public release.
  • OTX acts as an early warning system of experts around the world, and they are bolstered by our internal threat team to quickly find and analyze new attacks.
  • Advanced detection techniques like identification of behaviors and TTPs means AlienVault can detect many zero-day attacks even if the IOCs change frequently.
See the table below for some examples of how these efforts have resulted in early detection of several different recent threats by USM Anywhere.
Table: Vulnerabilities and Zero-day Attack Examples that USM Anywhere Defends Against
Categories: Security Posts

IDA 7.2: Qt 5.6.3 configure options & patch

Hex blog - Tue, 2018/11/06 - 12:29
A handful of our users have already requested information regarding the Qt 5.6.3 build, that is shipped with IDA 7.2. Configure options Here are the options that were used to build the libraries on: Windows: ...\5.6.3\configure.bat "-nomake" "tests" "-qtnamespace" "QT" "-confirm-license" "-accessibility" "-opensource" "-force-debug-info" "-platform" "win32-msvc2015" "-opengl" "desktop" "-prefix" "C:/Qt/5.6.3-x64" Note that you will have … Continue reading IDA 7.2: Qt 5.6.3 configure options & patch
Categories: Security Posts

Pattern Welding Explained as Wearable Art

Niels Provos - Tue, 2018/08/28 - 06:37

Pattern-Welding was used throughout the Viking age to imbue swords with intricate patterns that were associated with mystical qualities. This visualization shows the pattern progression in a twisted rod with increasing removal of material. It took me two years of intermittent work to get to this image. I liked this image so much that I ordered it for myself as a t-shirt and am looking forward to people asking me what the image is all about. If you want to get a t-shirt yourself, you can order this design via RedBubble. If you end up ordering a t-shirt, let me know if it ends up getting you into any interesting conversations!

Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts


Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review the installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g dockerhub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you: if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address of your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml. This will ensure rich data returns from Sysmon, when using adversary emulation services from APTSimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executes nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
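As an added example (not code from Russ McRee's diary, from HELK or from APTSimulator), here is the same hunt the Kibana searches below perform, written as rules over Sysmon events of the kind HELK ingests from Winlogbeat; it also shows the TTP-based detection, independent of any single hash or IP, that the AlienVault post above argues for. The field names (event_id, image, command_line, target_filename, target_object) and the sample events are constructed assumptions, not HELK's actual index schema.

```python
import json
import re

# Sysmon event IDs the rules key on: ProcessCreate, FileCreate, RegistryValueSet.
PROCESS_CREATE, FILE_CREATE, REG_VALUE_SET = 1, 11, 13
# Windows system binary names APTSimulator plants outside their normal home.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def _base(path):
    # File name component of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rule_masquerading_system_binary(e):
    # A system binary name running from anywhere but C:\Windows (list item 3).
    img = e.get("image", "")
    return (e.get("event_id") == PROCESS_CREATE
            and _base(img).lower() in SYSTEM_BINARIES
            and not img.lower().startswith("c:\\windows\\"))


def rule_guest_to_admins(e):
    # Guest account added to the local Administrators group (list item 2).
    return bool(re.search(r"localgroup\s+administrators\s+guest\s+/add",
                          e.get("command_line", ""), re.I))


def rule_hosts_file_written(e):
    # hosts file (re)written, e.g. to redirect update.microsoft.com (list item 4).
    return (e.get("event_id") == FILE_CREATE and
            e.get("target_filename", "").lower().endswith("\\drivers\\etc\\hosts"))


def rule_sethc_debugger(e):
    # Image File Execution Options debugger registered for sethc.exe (list item 14).
    return (e.get("event_id") == REG_VALUE_SET and
            "image file execution options\\sethc.exe" in e.get("target_object", "").lower())


def rule_task_from_tmp(e):
    # schtasks / At job whose action lives in the C:\TMP working dir (items 9, 11).
    return (e.get("event_id") == PROCESS_CREATE
            and _base(e.get("image", "")).lower() in {"schtasks.exe", "at.exe"}
            and "c:\\tmp" in e.get("command_line", "").lower())


RULES = [
    ("system binary name outside C:\\Windows", rule_masquerading_system_binary),
    ("guest added to local Administrators", rule_guest_to_admins),
    ("hosts file written", rule_hosts_file_written),
    ("IFEO debugger set for sethc.exe", rule_sethc_debugger),
    ("scheduled task or At job pointing into C:\\TMP", rule_task_from_tmp),
]


def hunt(events):
    """Run every rule over every event; return one hit dict per (event, rule) match."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES:
            if rule(e):
                hits.append({"event": i, "rule": name, "image": e.get("image", "")})
    return hits


def hunt_ndjson(text):
    """Same over newline-delimited JSON, the shape Winlogbeat ships to Kafka."""
    return hunt([json.loads(ln) for ln in text.splitlines() if ln.strip()])


# Constructed sample events (not a real capture): a minimal field subset, plus one
# benign svchost.exe from System32 to show the masquerading rule stays quiet.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Users\\Public\\svchost.exe", "command_line": "svchost.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\net.exe", "command_line": "net localgroup administrators guest /add"},
    {"event_id": 11, "image": "C:\\Windows\\System32\\cmd.exe", "target_filename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"event_id": 13, "image": "C:\\Windows\\regedit.exe", "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks /create /tn mimikatz /tr C:\\TMP\\mimikatz.exe"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]
```

Each rule mirrors one Discover query; the point of keeping them as code is that they can be replayed against an APTSimulator run after every ruleset change, which is the "tested and validated" bar the diary sets.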
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop in the correct version of 7-Zip for your system architecture: I'm assuming the default bits are 64-bit, and I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option, looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That was not useful enough on its own, so I added a sub-bucket to include the process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts