Security Posts

RSAC Panel Discussion: How can we protect our digital society?

Zero in a bit - 52 min 15 sec ago
During the RSA conference, Sam King, general manager of CA Veracode, led an engaging discussion with Art Coviello, former CEO of RSA, and Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations and senior research scientist at Northwestern University’s Global Resilience Institute. While the conversation touched on a variety of topics, the prevailing theme was the need for a public and private partnership and how much we can depend on the government for cybersecurity assistance. According to the panelists, the main thing holding the government back from improving the overall cybersecurity of our country is a lack of technologists in government. As the questions posed to Mark Zuckerberg during his congressional hearing demonstrated, our government officials are not entirely sure how this Internet thing works. This is exactly why we need a partnership between government and the private sector. Companies know what is needed but do not have the authority or reach to get it done. While government has the authority, it requires the expertise of the private sector to determine what should be done. How to respond to state-sponsored cyberattacks also came up during the conversation. Should we respond in kind with our own cyberattacks? In our increasingly connected world, what is to say those counterattacks don’t end up impacting our own citizens and critical systems? Questions about the effectiveness of economic sanctions also came up. This seemed to be preferred to the concept of mutually assured digital destruction that escalation would create. During the Q+A with the audience, one particularly poignant question arose. After years of deadly shootings we’ve seen a group of individuals come together and protest. Regardless of which side of the gun control debate you fall on, you cannot deny that this grassroots effort has been effective at creating change. Private industries are responding to their calls.
Do we need a similar grassroots movement to entice the private sector and government to respond to the cyber threats facing our modern world? What will it take to spur citizen activists into action around this issue? It’s a question that keeps going around in my head after leaving this panel. The panelists left the discussion on a positive note, talking about the progress they’ve seen and how protecting our digital society is possible with cooperation between the private sector and government. As this issue becomes more and more relevant, I look forward to seeing how this debate evolves.
Categories: Security Posts

Happy fifth birthday, ElevenPaths!

Un informático en el lado del mal - 4 hours 46 min ago
On a day like today, around twenty of us gathered on the 3rd floor of Oeste 3 in Distrito Telefónica to start a new journey. The day before, Rodol and I had signed the sale contract so that our Informática 64 project would become what is today ElevenPaths.
Figure 1: Happy fifth birthday, ElevenPaths!
In fact, it was not even ElevenPaths yet, since it would take us a while to choose the name, a story I told you in a post not long ago. Our official name back then was Telefónica Digital Identity & Privacy, and we did not tell anyone about our existence until June, but the journalist Santiago Millán, who always pays attention to everything we do, discovered us in May.
Today with my great friend Rodol, rehearsing for the MWC. 27 years together }:) (Instagram post by Chema Alonso (@chemaalonso), Feb 16, 2017)
As fate would have it, the date we chose for signing the contract also coincided with Telefónica's 89th birthday, since, as you saw yesterday, 19 April 1924 is when Compañía Telefónica Nacional de España was incorporated. The project seemed impossible at first, and I even heard many doomsayers telling us how we were going to fail with ElevenPaths. But that only added more fun to the whole process. I wanted to make that clear in one of the ElevenPaths rooms. The Danger Room!
This is another ElevenPaths work room. Specifically, it is "La Sala de Peligro" (the Danger Room) }:) (Instagram post by Chema Alonso (@chemaalonso), Jan 19, 2016)
Those days of being a small group of about twenty colleagues are far behind us. Today ElevenPaths is an international team, with colleagues across half the world, with a portfolio of products and services we are more than proud of, with a patent portfolio, with an ecosystem of partners, innovation and customers, and with SOC operations in a large number of countries.
ElevenPaths team photo. A great team has been built. #proud @elevenpaths (Instagram post by Chema Alonso (@chemaalonso), Mar 12, 2017)
Of course, the magic of all this has been achieving a perfect understanding between a group of people who came eager to do, as our always beloved David Barroso used to say, "Radical Innovation", and a wonderful, unique and special company like Telefónica.
With the great ElevenPaths team from Argentina. Great people! }:) (Instagram post by Chema Alonso (@chemaalonso), Sep 8, 2017)
Of course we had to learn a lot from each other, but the goodwill of the teams, and having a staff of professionals with the soft skills to work as a team, solve problems, face complicated situations and always try to improve, made that communion possible. There, the HR teams did unique work in always being empathetic, helping us live with constant change and evolution, and being a support along the way at every moment.
With the great Yaiza Rubio giving the keynote at Security Innovation Day 2017: Security Rocks!

Components: Increasing Speed and Risk

Zero in a bit - Thu, 2018/04/19 - 20:05
Open source component vulnerabilities have been a hot topic in the security industry as well as in the media. It used to be that the main concern in software development was making sure you tested throughout the SDLC. While this is still a crucial part of making sure your software is secure, component security has grown in importance. As Tim Jarrett, Director of product management at CA Veracode, explained, “Software development has changed a lot over the past 10 years.” Software today is mostly assembled rather than composed. CA Veracode’s data shows that between 80 and 90 percent of an application is made up of someone else’s code. And when there is a vulnerability in one of these components, it ends up spreading to all the applications which contain that component. No wonder we are seeing such widespread proliferation of vulnerabilities and seeing major breaches. During his talk at the RSA Conference, Tim Jarrett focused on the core reasons for open source component risk and where it comes from. He said that when we talk about open source components, the discussion generally centers on time to value as the reason developers integrate components into their code. Jarrett pointed out that this point is valid but disregards the other main reason developers use open source components: to create high quality code. If someone else has already thought of the problem you are trying to solve, and found a functional way to solve it, why would you start from scratch? Why then, do developers integrate vulnerable components into their code if quality is such an important consideration? Often it is not a conscious decision. For example, they may use one of the thousands of components that contain the vulnerable Apache Commons Collections component without even knowing that component is part of the code. We need more visibility into the bill of materials, not just for our own software, but for the components we are using as well.
Jarrett closed out his presentation by pointing out that everyone’s code has vulnerabilities. If the code we are producing ourselves can have security defects, what makes us think the code we get from others is any better, or more secure? It is a great question that all developers should ask as they integrate components. It shouldn’t stop them from using components; there are many positive reasons to use an open source component. He does advise developers to make sure they are using the most recent version of a component, and for security professionals to keep a bill of materials so they can patch when new vulnerabilities are found.
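The bill-of-materials point above is easiest to see in code. The following is an added example, not code from CA Veracode or from the talk: it flattens a dependency tree into a bill of materials that records whether each component is a direct or a transitive dependency, then matches it against an advisory list. All component names, versions and advisory identifiers are constructed placeholders, not real packages or CVEs; the point is that the vulnerable component the application never declared is still found and traced back to the dependency that pulled it in.

```python
"""Added example (not CA Veracode code): build a bill of materials from a
dependency tree and match it against advisories. Every component, version
and advisory below is constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str
    version: str
    deps: List["Component"] = field(default_factory=list)


@dataclass
class Advisory:
    component: str
    fixed_in: str    # first version that is no longer affected (constructed)
    summary: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def build_bom(app: Component) -> Dict[Tuple[str, str], List[str]]:
    """Walk the tree and record, for each (name, version), the shortest path
    by which the application pulls it in. A path of length 2 is a direct
    dependency; anything longer is transitive."""
    bom: Dict[Tuple[str, str], List[str]] = {}
    stack = [(dep, [app.name, dep.name]) for dep in app.deps]
    while stack:
        comp, path = stack.pop()
        key = (comp.name, comp.version)
        # Relax: only descend again when this path is shorter than the known one.
        if key not in bom or len(path) < len(bom[key]):
            bom[key] = path
            for child in comp.deps:
                stack.append((child, path + [child.name]))
    return bom


def find_vulnerable(bom: Dict[Tuple[str, str], List[str]],
                    advisories: List[Advisory]) -> List[dict]:
    """Flag every BOM entry whose version is below an advisory's fixed version."""
    findings = []
    for (name, version), path in sorted(bom.items()):
        for adv in advisories:
            if adv.component == name and parse_version(version) < parse_version(adv.fixed_in):
                findings.append({
                    "component": name,
                    "version": version,
                    "fixed_in": adv.fixed_in,
                    "transitive": len(path) > 2,
                    "path": " -> ".join(path),
                    "summary": adv.summary,
                })
    return findings


# Constructed dependency tree: the application declares two components, but
# web-framework drags in collections-lib, which the developer never chose.
APP = Component("order-service", "1.0.0", deps=[
    Component("web-framework", "2.0.0", deps=[Component("collections-lib", "3.2.1")]),
    Component("json-lib", "1.4.0"),
])

# Constructed advisories with placeholder identifiers (not real CVEs).
ADVISORIES = [
    Advisory("collections-lib", "3.2.2", "ADV-PLACEHOLDER-1: unsafe deserialization"),
    Advisory("json-lib", "1.3.0", "ADV-PLACEHOLDER-2: fixed before the version in use"),
]


def report() -> List[dict]:
    return find_vulnerable(build_bom(APP), ADVISORIES)


if __name__ == "__main__":
    for f in report():
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['component']} {f['version']} ({kind}, via {f['path']}): "
              f"upgrade to {f['fixed_in']}; {f['summary']}")
```

The shortest-path bookkeeping is what turns a flat inventory into something a developer can act on: the finding names the direct dependency (`web-framework`) whose upgrade or replacement actually removes the vulnerable component.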
Categories: Security Posts

Building a Security Awareness Ambassador

Zero in a bit - Thu, 2018/04/19 - 20:04
Lance Spitzner, Director, SANS Institute
The security skills gap is well documented. There just aren’t enough security professionals in the workforce to help secure our digital economy. Even if there were, scaling to the number of security professionals needed to create a comprehensive security program alone would not solve the security problem, especially in AppSec. During this talk, Lance Spitzner, Director at SANS Institute, talked about the need to create security ambassadors at your organization. These ambassadors would help champion the security initiatives across your entire employee base. At Veracode we talk about the need to foster AppSec champions in development teams. These champions have a strong understanding of application security best practices and work with their teams to implement them. Security champions also help bring security from theoretical concept to practical application for their development team, bridging the gap that exists between security and development. Much like security champions, security ambassadors bring the theoretical principles of security to the entire organization, helping promote secure behavior. Why is this valuable? Because we know the two most common ways cybercriminals get into an organization are through insecure applications and through gaining privileged access. The security industry has helped companies implement security training programs, but we all know those can be ineffective. They focus on compliance and helping employees gain just enough security knowledge to pass a multiple choice quiz. But when you have security ambassadors on the team you go further than compliance. These people have deeper security training about secure behavior and can then spread that information to their peers. Spitzner described the many benefits of using security ambassadors to improve overall security at an organization.
Given the success we’ve seen at CA Veracode with our own security champion program, I’d have to agree that creating a mini army of security-focused people throughout an organization is an effective way to improve security and behavior.
Categories: Security Posts

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Cisco Talos - Thu, 2018/04/19 - 19:05
Overview

Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available. Update to the current version of Foxit PDF Reader.

Details

Vulnerabilities discovered by Aleksandar Nikolic

TALOS-2017-0506

TALOS-2017-0506 / CVE-2017-14458 is an exploitable use-after-free vulnerability that exists specifically in the JavaScript engine of Foxit PDF Reader. When executing embedded JavaScript code, a document can be closed, which essentially frees up a lot of used objects, but the JavaScript can continue to execute. Taking advantage of this, a specially crafted PDF document can trigger a previously freed object in memory to be reused, which results in arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF. Or, if the browser plugin is enabled, simply viewing the document on the Internet could result in exploitation. Full details of the vulnerability can be found here.

TALOS-2018-0525

TALOS-2018-0525 / CVE-2018-3842 results from an exploitable use of an uninitialized pointer in the JavaScript engine of Foxit PDF Reader that can result in remote code execution. A specially crafted PDF file could trigger this vulnerability. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet. Full details of the vulnerability can be found here.

TALOS-2018-0526

TALOS-2018-0526 / CVE-2018-3843 results from a type confusion vulnerability in the way Foxit PDF Reader parses files with associated extensions. A specially crafted PDF file could trigger this vulnerability, resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet. Full details of the vulnerability can be found here.

TALOS-2018-0532

TALOS-2018-0532 / CVE-2018-3850 is a use-after-free vulnerability that exists in the JavaScript engine of Foxit PDF Reader. This specific vulnerability lies in the 'this.xfa.clone()' method, which results in a use-after-free condition. A specially crafted PDF file could trigger this vulnerability, resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet. Full details of the vulnerability can be found here.

TALOS-2018-0536

TALOS-2018-0536 / CVE-2018-3853 is a use-after-free vulnerability that exists in the JavaScript engine of Foxit PDF Reader. The specific vulnerability lies in combinations of the 'createTemplate' and 'closeDoc' methods related to the JavaScript functionality of Foxit PDF Reader. A specially crafted PDF file could trigger this vulnerability, resulting in sensitive memory disclosure or, potentially, arbitrary code execution. There are a couple of different ways an adversary could leverage this attack, including tricking a user into opening a malicious PDF or, if the browser plugin is enabled, simply viewing the document on the Internet. Full details of the vulnerability can be found here.
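All five issues are reached through embedded JavaScript, and three of them go through the named methods closeDoc, createTemplate and xfa.clone. The script below is an added triage aid, not Talos or Foxit code and not a substitute for the Snort coverage: it flags PDFs that carry JavaScript, auto-run actions, or those method names, after inflating FlateDecode streams and decoding the PDF '#xx' name escapes so a file cannot hide the tokens from a naive string search. The sample PDFs are constructed inline.

```python
"""Added example (not Talos or Foxit code): flag PDFs that embed JavaScript,
auto-run it on open, or reference the methods named in the advisories.
Sample documents are constructed inline."""
import re
import zlib
from typing import Dict, List, Tuple

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/XFA", b"/OpenAction", b"/AA"]
SUSPICIOUS_CALLS = [b"closeDoc", b"createTemplate", b"xfa.clone"]   # from the advisories


def normalize_pdf_names(text: bytes) -> bytes:
    """PDF names may use #xx hex escapes: /J#61vaScript is the same name as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text)


def split_pdf(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Separate stream bodies (inflated when zlib succeeds) from the rest of the
    file, so that name normalization never touches binary stream data."""
    streams = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            streams.append(zlib.decompress(raw))
        except zlib.error:
            streams.append(raw)    # uncompressed or an unsupported filter: scan as-is
    return STREAM_RE.sub(b"", data), streams


def triage_pdf(data: bytes) -> Dict[str, object]:
    text, streams = split_pdf(data)
    haystack = normalize_pdf_names(text) + b"\n" + b"\n".join(streams)
    # A name ends at a delimiter, so /JS must not match inside a longer name.
    names = [n.decode() for n in SUSPICIOUS_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9_])", haystack)]
    calls = [c.decode() for c in SUSPICIOUS_CALLS if c in haystack]
    has_js = "/JavaScript" in names or "/JS" in names
    auto_run = "/OpenAction" in names or "/AA" in names
    if has_js and (auto_run or calls):
        verdict = "review"        # script runs on open or touches the flagged methods
    elif has_js:
        verdict = "javascript"
    else:
        verdict = "no-javascript"
    return {"names": names, "calls": calls, "verdict": verdict}


# Constructed sample: JavaScript hidden behind a hex-escaped name and a
# FlateDecode stream, run automatically through /OpenAction.
JS_BODY = b"var doc = this; doc.closeDoc(); doc.getField('f').value = 1;"
JS_STREAM = zlib.compress(JS_BODY)
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Length " + str(len(JS_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + JS_STREAM + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(doc))
```

A "review" verdict only means the document deserves a look before it is opened in a reader with JavaScript enabled; plenty of legitimate forms use JavaScript, which is why the script distinguishes "javascript" from "review" rather than treating every script-bearing file as hostile.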
Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rule: 45158-45159, 45608-45609, 45652-45653, 45715-45716, 45823-45824

Categories: Security Posts

Updates for BASS

Cisco Talos - Thu, 2018/04/19 - 17:35
This blog post was authored by Jonas Zaddach and Mariano Graziano.

Cisco Talos has rolled out a series of improvements to the BASS open-source framework aimed at speeding up its ability to provide coverage for new malware families. Talos released BASS (pronounced "bæs"), an open-source framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters, last June. It is meant to reduce the amount of resources required to run ClamAV by producing more pattern-based signatures, as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker, an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.

We have received excellent feedback from the community on this project, which inspired us to make several improvements to the BASS framework. It's clear that there is an interest in automatic signature generation: during the past 10 months, BASS has been forked by 22 researchers from all over the world. The principal motivation is the overwhelming number of samples collected every day, a large percentage of which are composed of portable executable (PE) files, many of which are malicious. There is a constant race to provide quick and effective coverage for these new malware families.

The first release of BASS was very experimental and, like all alpha software, had room to improve. We have worked on the framework, and below, we will walk through the committed changes and new features of BASS. For a more in-depth analysis of BASS, please review the video of our talk and this presentation from the REcon security conference, as well as the Talos blog.

The first set of modifications for BASS ensures that the programs involved in the detection process are properly updated. BASS is based on the interactive disassembler IDA Pro. Periodically, Hex-Rays, the company behind IDA Pro, releases a new version of their disassembler. In September 2017, IDA 7.0 was released, which was significant because IDA is now a native 64-bit application. The first public release of BASS was based on IDA 6.95; the new release officially supports IDA 7.0, which is successfully installed in a Docker container. BinExport is another key component of BASS. BinExport is an IDA Pro plugin that is fundamental to exporting the information BinDiff and BinNavi need from IDA. Given the massive change in IDA 7.0, BinExport's authors released BinExport 10, which supports that update. BASS has integrated BinExport 10 into a working Docker environment with IDA Pro 7.0. This container is under the ida7 directory.

Regarding the analysis and the automatic signature generation, the following changes have been pushed:

  • Filtering out functions with less than 10 basic blocks.
  • Filtering out functions that are automatically recognized by IDA (e.g., FLIRT)
  • Function whitelisting support
  • Improved code in charge of the function weight computation
  • More weight to functions containing anti-debug and interesting APIs
  • Less weight to functions containing msvcrt functions
  • Client able to find the optimal signature for a given cluster
  • Experimental ELF support for x86_64 binaries
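To make the filtering and weighting rules in that list concrete, here is an added example, not BASS's own code: a stand-alone Python script that applies the same rules to constructed function metadata of the kind IDA provides (basic-block counts, FLIRT recognition, called APIs) and ranks the survivors as signature candidates. The API lists, the numeric weights and the whitelist semantics (whitelisted functions are skipped) are my own choices for illustration, not the values BASS uses.

```python
"""Added example (not BASS code): function filtering and weighting rules of the
kind listed above, applied to constructed IDA-style function metadata."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MIN_BASIC_BLOCKS = 10   # functions below this are too small to be distinctive

# Constructed API lists for the weighting rules (illustrative, not BASS's lists).
ANTI_DEBUG_APIS: Set[str] = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                             "NtQueryInformationProcess", "OutputDebugStringA"}
INTERESTING_APIS: Set[str] = {"CreateRemoteThread", "WriteProcessMemory",
                              "VirtualAllocEx", "CreateProcessA", "URLDownloadToFileA"}
MSVCRT_APIS: Set[str] = {"strlen", "memcpy", "malloc", "free", "printf", "sprintf", "strcpy"}


@dataclass
class Function:
    name: str
    basic_blocks: int
    flirt_recognized: bool = False        # IDA matched a library signature
    calls: List[str] = field(default_factory=list)


def weight(fn: Function) -> float:
    """Higher weight = better signature candidate (weights are illustrative)."""
    w = 1.0 + 0.1 * fn.basic_blocks           # larger functions carry more distinctive code
    w += 2.0 * sum(c in ANTI_DEBUG_APIS for c in fn.calls)
    w += 1.0 * sum(c in INTERESTING_APIS for c in fn.calls)
    w -= 0.5 * sum(c in MSVCRT_APIS for c in fn.calls)   # CRT-heavy code is generic
    return max(w, 0.0)


def select_candidates(functions: List[Function],
                      whitelist: Set[str]) -> Tuple[List[Tuple[str, float]], Dict[str, str]]:
    """Apply the filters, then rank the remaining functions by weight.
    Returns (ranked candidates, rejected name -> reason)."""
    ranked: List[Tuple[str, float]] = []
    rejected: Dict[str, str] = {}
    for fn in functions:
        if fn.basic_blocks < MIN_BASIC_BLOCKS:
            rejected[fn.name] = "too small"
        elif fn.flirt_recognized:
            rejected[fn.name] = "library function (FLIRT)"
        elif fn.name in whitelist:
            rejected[fn.name] = "whitelisted"
        else:
            ranked.append((fn.name, weight(fn)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, rejected


# Constructed metadata standing in for what IDA would report for one sample.
SAMPLE_FUNCTIONS = [
    Function("tiny_stub", 4),
    Function("strncpy_impl", 30, flirt_recognized=True),
    Function("sub_401000", 20),
    Function("format_log", 12, calls=["strlen", "memcpy", "printf"]),
    Function("anti_debug_check", 15, calls=["IsDebuggerPresent", "CreateRemoteThread"]),
    Function("sub_402200", 25),
]
WHITELIST = {"sub_401000"}   # e.g. code shared with benign software


def run() -> Tuple[List[Tuple[str, float]], Dict[str, str]]:
    return select_candidates(SAMPLE_FUNCTIONS, WHITELIST)


if __name__ == "__main__":
    ranked, rejected = run()
    for name, w in ranked:
        print(f"candidate {name}: weight {w:.1f}")
    for name, why in rejected.items():
        print(f"rejected  {name}: {why}")
```

Across a cluster, the candidates would then be intersected sample by sample, which is why the filters run first: a CRT wrapper or a FLIRT-recognized library routine would otherwise be common to every sample and win the ranking while matching half the benign software on the planet.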

All these improvements have been extensively tested internally, where BASS is used on a regular basis, which has also led to many other minor bug fixes.

BASS will continue to be updated to support any changes from dependent software updates. The framework's performance when handling clusters with a significant number of samples has been enhanced and will continue to be improved upon. We will also continue to research an optimal solution to filter out library functions. For the moment, you can investigate and test our current solutions implemented in the funcdb container.

The code is available on GitHub:

Categories: Security Posts

Let’s be Fools

AlienVault Blogs - Thu, 2018/04/19 - 15:00
The Roman poet Lucretius once wrote: “A fool believes that the tallest mountain in the world will be equal to the tallest one he has observed.” Translation? He’s essentially saying that our lived experiences define our perspectives. They warp our sense of scale like a bit of plastic in the microwave, moulding what we consider to be large and small. As someone with years of experience in the security industry, and the cynicism and grey hair to prove it, I’ve got a lot of appreciation for this. Remember in 2010 when the hacker group Goatse Security (please don’t google the first word in that name) penetrated the heart of AT&T’s servers and acquired the email addresses of over 100,000 iPad users? Man, 2010 was a different time. The AT&T iPad hack was a major news story, and rightfully so. I distinctly remember thinking that 100,000 victims was pretty big. Now, in light of the Ashley Madison and Equifax hacks, it almost seems quaint. What I’m saying is that my perspective of what constitutes a major incident has shifted. I noticed that earlier this week when a jewelry retailer in the US accidentally leaked the details of 1.3 million customers. This happened because it committed one of the most basic of security schoolboy errors, and failed to secure the Amazon S3 bucket where it kept its database backups. 1.3 million? Yawn. I don’t get out of bed for less than 100 million. And while I struggle to imagine a data breach greater in size than the 2016 release of over 300 million MySpace users, or more damaging than the 2017 Equifax hack, I know this is inevitable, even if I can’t actually visualize it in my mind’s eye. But, like, what if it’s better to be fools? We live in interesting times. Security breaches are no longer measured in the millions, but in the hundreds of millions of records. It’s only a matter of time until the first billion-victim data leak happens.
The smaller leaks (and apparently anything less than 10 million constitutes a “smaller leak”) barely warrant a mention. But what about the big ones? After every major incident there’s the trifecta of outrage, blame, and calls for consequences, but that eventually settles down into apathetic acceptance.

Remember when everyone was really upset about the Ashley Madison hack, and then forgot about it? Remember when everyone was really upset about the LinkedIn hack, and then forgot about it? Remember when everyone was really upset about the Equifax hack, and then forgot about it? And let me ask one last question: are we any better for having done so? Are companies still making silly security mistakes? Has there been any change at the government level? Any new laws passed? Has anyone gone to jail for having screwed up in such an egregious manner? Perhaps it’s time to treat all security breaches -- all security breaches, but especially the big ones -- as the biggest mountains we’ve ever seen, because change isn’t going to happen any other way. I, for one, think it’s better to be a fool. Who’s with me?       
Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

What do you wish osquery could do?

Welcome to the third post in our series about osquery. So far, we’ve described how five enterprise security teams use osquery and reviewed the issues they’ve encountered. For our third post, we focus on the future of osquery. We asked users, “What do you wish osquery could do?” The answers we received ranged from small requests to huge advancements that could disrupt the incident-response tool market. Let’s dive into those ‘super features’ first.

osquery super features

Some users’ suggestions could fundamentally expand osquery’s role from an incident detection tool, potentially allowing it to steal significant market share from commercial tools in doing prevention and response (we listed a few of these in our first blog post). This would be a big deal. A free and open source tool that gives security teams access to incident response abilities normally reserved for customers of expensive paid services would be a windfall for the community. It could democratize fleet security and enhance the entire community’s defence against attackers. Here are the features that could take osquery to the next level:

Writable access to endpoints

What it is: Currently, osquery is limited to read-only access on endpoints. Such access allows the program to detect and report changes in the operating systems it monitors. Write-access via an osquery extension would allow it to edit registries in the operating system and change the way endpoints perform. It could use this access to enforce security policies throughout the fleet.

Why it would be amazing: Write-access would elevate osquery from a detection tool to the domain of prevention. Rather than simply observing system issues with osquery, write-access would afford you the ability to harden the system right from the SQL interface. Application whitelisting and enforcement, managing licenses, partitioning firewall settings, and more could all be available.

How we could build it: If not built correctly, write-access in osquery could cause more harm than good. Write-access goes beyond the scope of osquery core. Some current users are only permitted to deploy osquery throughout their fleet because of its limited read-only permissions. Granting write-access through osquery core would bring heightened security risks as well as potential for system disruption. The right way to implement this would be to make it available to extensions that request the functionality during initialization and minimize the impact this feature has on the core.

IRL Proof: In fact, we have a pull request waiting on approval that would support write-access through extensions! The code enables write-permissions for extensions but also blocks write-permissions for tables built into core. We built this feature in support of a client who wanted to block malicious IP addresses, domains and ports for both preventative and reactive use-cases. Once this code is committed, our clients will be able to download our osquery firewall extension to use osquery to partition firewall settings throughout their fleets.

Event-triggered responses

What it is: If osquery reads a log entry that indicates an attack, it could automatically respond with an action such as quarantining the affected endpoint(s). This super feature would add automated prevention and incident response to osquery’s capabilities.

Why it would be amazing: This would elevate osquery’s capabilities to those of commercial vulnerability detection/response tools, but it would be transparent and customizable. Defense teams could evaluate, customize, and match osquery’s incident-response capabilities to their companies’ needs, as a stand-alone solution or as a complement to another more generic response suite.

How we could build it: Automated event response for osquery could be built flexibly to allow security teams to define their own indicators of incidents and their preferred reactions. Users could select from known updated databases: URL reputation via VirusTotal, file reputation via ReversingLabs, IP reputation of the remote addresses of active connections via OpenDNS, etc. The user could pick the type of matching criteria (e.g., exact, partial, particular patterns, etc.), and prescribe a response such as ramping up logging frequency, adding an associated malicious ID to a firewall block list, or calling an external program to take an action. As an additional option, event triggering that sends logs to an external analysis tool could provide more sophisticated response without damaging endpoint performance.

IRL Proof: Not only did multiple interviewees long for this feature; some teams have started to build rudimentary versions of it. As discussed in “How are teams currently using osquery?”, we spoke with one team who built incident alerting with osquery by piping log data into ElasticSearch and auto-generating Jira tickets through ElastAlert upon anomaly detection. This example doesn’t demonstrate full response capability, but it illustrates that useful, just-in-time business-process reactions to incidents are possible with osquery. If osquery can monitor event-driven logs (FIM, process auditing, etc.), trigger an action based on detection of a certain pattern, and administer a protective response, it can provide an effective endpoint protection platform.

Technical debt overhaul

What it is: Many open source projects carry ‘technical debt.’ That is, some of the code engineering is built to be effective for short-term goals but isn’t suitable for long-term program architecture. A distributed developer community, each member enhancing the technology for slightly different requirements, exacerbates this problem. Solving this problem requires costly coordination and effort from multiple community members to rebuild and standardize the system.

Why it would be amazing: Decreasing osquery’s technical debt would upgrade the program to a standard that’s adoptable by a significantly wider range of security teams. Users in our osquery pain points research cited performance effects and reliability among organizational leadership’s top concerns for adopting osquery. Ultimately, the teams we interviewed won the argument, but there are likely many teams who didn’t get the green light on using osquery.

How we could build it: Tackling technical debt is hard enough within an organization. It’s liable to be even harder in a distributed community. Unless developers have a specific motivation for tackling very difficult high-value inefficiencies, the natural reward for closing an issue biases developers toward smaller efforts. To combat this, leaders in the community could dump and sort all technical debt issues along a matrix of value and time, leave all high-value/low-time issues for individual open source developers, and pool community resources to resolve harder problems as full-fledged development projects.

IRL Proof: We know that pooling community resources to tackle technical debt works. We’ve been doing it for over a year. Trail of Bits has been commissioned by multiple companies to build features and fixes too big for the open source community. We’ve leveraged this model to port osquery to Windows, enhance FIM and process auditing, and much more that we’re excited to share with the public over the coming months. Often, multiple clients are interested in building the same things. We’re able to pool resources to make the project less expensive for everyone involved while the entire community benefits.

Other features users want

osquery shows considerable potential to grow beyond endpoint monitoring. However, the enterprise security teams and developers whom we interviewed say that the open source tool has room for improvement. Here are some of the other requests we heard from users:
  • Guardrails & rules for queries: Right now, a malformed query or practice can hamper the user’s workflow. Interviewees wanted guidance on targeting the correct data, querying at correct intervals, gathering from recommended tables, and customized recommendations for different environments.
  • Enhance Deployment Options: Users sought better tools for deploying throughout fleets and keeping these implementations updated. Beyond recommended QueryPacks, administrators wanted to be able to define and select platform-specific configurations of osquery across multi-platform endpoints. Automatically detecting and deploying configurations for unique systems and software was another desired feature.
  • Integrated Testing, Debugging, and Diagnostics: In addition to the current debugging tools, users wanted more resources for testing and diagnosing issues. New tools should help improve reliability and predictability, avoid performance issues, and make osquery easier to use.
  • Enhanced Event-Driven Data Collection: osquery has support for event-based data collection through FIM, Process Auditing, and other tables. However, these data sources suffer from logging implementation issues and are not supported on all platforms. Better event-handling configurations, published best practices, and guardrails for gathering data would be a great help.
  • Enhanced Performance Features: Users want osquery to do more with fewer resources. This would either lead to overall performance enhancements, or allow osquery to operate on endpoints with low resource profiles or mission-critical performance requirements.
  • Better Configuration Management: Enhancements such as custom tables and osqueryd scheduled queries for differing endpoint environments would make osquery easier to deploy and maintain on a growing fleet.
  • Support for Offline Endpoint Logging: Users reported a desire for forensic data availability to support remote endpoints. This would require offline endpoints to store data locally, including storage of failed queries, and push to the server upon reconnection.
  • Support for Common Platforms: Facebook built osquery for its fleet of macOS- and Linux-based endpoints. PC sysadmins were out of luck until our Windows port last year. Support for other operating systems has been growing steadily thanks to the development community’s efforts. Nevertheless, there are still limitations. Think of this as one umbrella feature request: support for all features on all operating systems.
The list keeps growing
Unfortunately for current and prospective osquery users, Facebook can’t satisfy all of these requests. They’ve shared a tremendous gift by open sourcing osquery. Now it’s up to the community to move the platform forward. Good news: none of these feature requests are unfeasible. The custom engineering is just uneconomical for individual organizations to invest in. In the final post in this series, we’ll propose a strategy for osquery users to share the cost of development. Companies that would benefit could pool resources and collectively target specific features. This would accelerate the rate at which companies could deprecate other full-suite tools that are more expensive, less flexible and less transparent. If any of these items resonate with your team’s needs, or if you use osquery currently and have another request to add to the list, please let us know.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018

ISC Stormcast For Friday, April 6th 2018, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone
cd HELK/
sudo ./ 
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g's Docker Hub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you; if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case
For my test Windows system I created a Windows 7 x86 virtual machine with VirtualBox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["","",""]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml. This will ensure rich data returns from Sysmon, whether using adversary emulation services from APTSimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2:
  • Dropping a Powershell netcat alternative into the APT dir
  • Executing nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7-Zip for your system architecture. I'm assuming the default binaries are 64-bit; I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline,, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point; there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines; use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. That wasn't useful enough on its own, so I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well; there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec

Support my videos on Patreon!

Niels Provos - Sun, 2017/05/28 - 01:18

Add your support on Patreon to help me create more videos. Your support will help with materials, rent as well as other equipment, e.g. cameras, lights, software, etc. It is not required but appreciated. Due to time constraints I can make no promises on how often I will be able to publish new videos but my plan is to continue producing videos as long as people find them interesting.