Security Posts

What Is Inline Security?

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
People talk about inline security a lot. But what is it? I thought I would take a moment to explain…
Categories: Security Posts

Want to avoid another Black Friday outage? Let’s enter the metrics.

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
As Black Friday and Cyber Monday ring in the holiday shopping season, consumers ever-increasingly…
Categories: Security Posts

10,000 downloads in 1 year! BreakingPoint customers bolster cybersecurity testing with daily malware service.

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
When we launched our daily malware service, there was some level of doubt. Before the daily…
Categories: Security Posts

What Security Use Cases Are You Using?

BreakingPoint Labs Blog - Sat, 2020/01/25 - 22:46
I hear this comment all the time, “Yeah, I have enough security defenses deployed.” However, when I…
Categories: Security Posts

Dates for your agenda this week: @h_c0n, @MorterueloCON & LEIA

Un informático en el lado del mal - Sat, 2020/01/25 - 21:28
The week ahead has a couple of very special dates for me, and the truth is that I am going to be quite busy with a lot of work and personal matters, so I am taking advantage of the weekend to work quietly on many things I had pending and get the most I can out of the week that is coming at me.
Figure 1: Dates for your agenda this week: H-C0N, @MorterueloCON & LEIA
Among other things, tomorrow, Sunday, is the anniversary of El lado del mal, so I will have to think about whether I write and renew my vows with the blog, or take a sabbatical. On Tuesday I have a very important day in my life with the Saint Thomas Aquinas ceremony at the Universidad Rey Juan Carlos in Móstoles. On Thursday the 30th I have a meeting scheduled with my team - all of it - and on Friday I am visiting the Cybersecurity Engineering degree at the URJC to see the future "hackers".

Figure 2: Cybersecurity Engineering degree at the URJC
But I will still have some time left to take part in the Más allá de la Innovación podcast next Wednesday the 29th to talk about MyPublicInbox and 0xWord. In short, I am not going to be bored on any day this week, I guarantee it.

Figure 3: Contact the "Más allá de la Innovación" podcast on MyPublicInbox
But besides my own things, there are other activities worth having on your radar, which can surely encourage you, teach you, or make you think.

28 January: Challenge 2020, teaching AI to speak correct Spanish [Online][G]
In this webinar, given by Dr. Richard Benjamins, AI & Data Ambassador at Telefónica, we will talk about the LEIA project, an acronym for Lengua Española en Inteligencia Artificial.
Figure 4: LUCA Talk on LEIA
An ambitious project that tries to bring humans and machines together, and the humanities with the sciences, taking shape in three interrelated objectives: teaching machines to speak correct Spanish, using Artificial Intelligence to help people speak correct Spanish, and creating a certificate of good use of Spanish.

28 and 29 February: MorterueloCON [Cuenca] [Update: it is in February]
Our ElevenPaths CSE, Carlos Rodríguez, takes part, with a talk on Blockchain and cybersecurity, in the sixth edition of Cuenca's cybersecurity event par excellence.
Figure 5: MorterueloCON in Cuenca

31 January and 1 February: H-Con [Madrid]
This Friday and Saturday, H-CON takes place in Madrid (La Nave), the conference organised by our friends at HackPlayers, in which we from 0xWord will be collaborating. They have already published the final agenda, and the list of speakers is more than interesting.
Figure 6: H-Con in Madrid
Among them are David Meléndez - author of the book "Hacking con Drones: Love is in the Air" - and Alfonso Muñoz - author of the book "Criptografía: De la cifra clásica a RSA 2ª Edición" and co-author of "Esteganografía y Estegoanálisis". If my agenda allows it, I will try to drop by this conference for a while on Saturday; it promises to be more than interesting.

31 January and 1 February: Despistaos [León and Gijón]
The band Despistaos continues its tour of venues next weekend, in León and Gijón. A unique opportunity to see them in concert in an intimate setting and sing their songs. You can get tickets for these concerts at these links:
- Buy tickets for the Despistaos concert on 31 January in León.
- Buy tickets for the Despistaos concert on 1 February in Gijón.


The Sneaky Simple Malware That Hits Millions of Macs

Wired: Security - Sat, 2020/01/25 - 19:10
How the Shlayer Trojan topped the macOS malware charts—despite its “rather ordinary” methods.
Categories: Security Posts

Visibility Gap of Your Security Tools, (Sat, Jan 25th)

SANS Internet Storm Center, InfoCON: green - Sat, 2020/01/25 - 18:31
I have been focusing on visibility lately, and often specifically on gaps. Visibility gaps demand the attention of every cybersecurity professional. Success often hinges on how quickly these gaps get closed, and the very act of closing them helps us achieve what we need the most: greater visibility. Solving for these gaps will equip us by catalyzing transformation. No need for Artificial Intelligence or Machine Learning, just an advanced persistent drive to close these visibility gaps!

I introduced this idea in a previous Diary, Is Your SOC Flying Blind? This time, I want to focus on your security agents. Are they working and providing their intended value? How do you know? What would it look like to have an Agent Health Dashboard that answered two fundamental questions all day long:

- Is the agent installed?
- Is the agent performing its expected role?

I like to include practical ideas when I am the Handler. To that end, I developed several ideas across several diverse dimensions for you to consider. Perhaps next week, you will use this as a checklist to complete or perform a spot check.

Visibility for your developers and DBAs
- Number of active sessions
- Number of runaway sessions
- Application performance metrics

Visibility for your physical security
- Camera feeds
- Badges that show to be both inside and outside of the building at the same time

Visibility for your networks
- Netflow volume
- Traffic volume
- New ports and services
- Trends over time for each

Visibility for your servers and workstations
- Daily log volume
- Communication patterns
- Lateral movement detection
- Trends over time for each
- Alert when devices stop sending their logs
- Activity performed by administrators

Application question - What visibility gaps exist, and what can you do next week on purpose to close one of them? Please leave your ideas and suggestions in our comments box!

Russell Eubanks
ISC Handler
@russelleubanks

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts
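As an added example (not part of the diary above), a small agent health dashboard in Python that answers the two questions the diary poses, installed? reporting?, and flags hosts whose daily log volume dropped against their own recent median, which is the "alert when devices stop sending their logs" item. The inventory, check-in times, volumes and thresholds are all constructed for the example.

```python
"""Agent Health Dashboard over constructed inventory and log-volume data."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not from the diary): asset inventory, last agent
# check-in per host, and daily log volume per host for the last five days.
INVENTORY = ["ws-01", "ws-02", "srv-db-01", "srv-web-01", "srv-ad-01"]
CHECKINS = {
    "ws-01": "2020-01-25 17:55",
    "ws-02": "2020-01-23 09:10",      # agent present but has gone quiet
    "srv-db-01": "2020-01-25 18:20",
    "srv-web-01": "2020-01-25 18:25",
    # srv-ad-01 is in the inventory but has never checked in
}
DAILY_LOG_VOLUME = {
    "ws-01": [410, 395, 420, 405, 398],
    "ws-02": [380, 390, 370, 385, 0],         # stopped sending logs
    "srv-db-01": [9100, 8800, 9300, 9050, 2100],  # still alive, but far fewer events
    "srv-web-01": [15200, 14900, 15500, 15100, 15300],
}
NOW = datetime(2020, 1, 25, 18, 31)


def agent_status(inventory, checkins, now, max_silence=timedelta(hours=1)):
    """Question 1: is the agent installed (has it ever checked in), and if so,
    has it checked in recently enough to count as alive?"""
    status = {}
    for host in inventory:
        last = checkins.get(host)
        if last is None:
            status[host] = "missing"
        elif now - datetime.strptime(last, "%Y-%m-%d %H:%M") > max_silence:
            status[host] = "silent"
        else:
            status[host] = "ok"
    return status


def volume_drops(daily_volume, min_ratio=0.5):
    """Question 2: is the agent doing its job? Flag hosts whose latest daily
    log volume fell below min_ratio of the median of the preceding days.
    Returns {host: latest/baseline} for the flagged hosts."""
    flagged = {}
    for host, counts in daily_volume.items():
        *history, latest = counts
        baseline = median(history)
        if baseline > 0 and latest < min_ratio * baseline:
            flagged[host] = round(latest / baseline, 2)
    return flagged


def dashboard(inventory=INVENTORY, checkins=CHECKINS,
              volumes=DAILY_LOG_VOLUME, now=NOW):
    """The two dashboard panels, computed from the constructed data."""
    return {
        "status": agent_status(inventory, checkins, now),
        "volume_drops": volume_drops(volumes),
    }


if __name__ == "__main__":
    for panel, rows in dashboard().items():
        print(panel)
        for host, value in rows.items():
            print(f"  {host:12} {value}")
```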

Google Calls Out Safari for Privacy Flaws

Wired: Security - Sat, 2020/01/25 - 16:00
Facial recognition, iCloud encryption, and the rest of this week's top security news.
Categories: Security Posts

The Doomsday Clock Moves Closer Than Ever to Midnight

Wired: Security - Sat, 2020/01/25 - 15:00
Since the advent of the clock—even during the peak years of the Cold War—the minute hand has never advanced past the 11:58 mark.
Categories: Security Posts

Scraping the Web Is a Powerful Tool. Clearview AI Abused It

Wired: Security - Sat, 2020/01/25 - 14:00
The facial recognition startup claims it collected billions of photos from sites like Facebook and Twitter. What does the practice mean for the open web?
Categories: Security Posts

Healthcare security: How can blockchain help?

AlienVault Blogs - Thu, 2020/01/23 - 16:00
This is part 2 of a blog on healthcare security. For more info, check out part 1. An independent guest blogger wrote this blog.

When it comes to data security, there is no more important place than the healthcare industry. When people go to the doctor, they provide all of their most sensitive information, from their health issues to their phone number, to a doctor they trust. When a medical office or database is hacked or damaged, and that information is released, it can be catastrophic to everyone involved. Patient security is not only good practice, but it is also the law. Guidelines are in place to protect patient data, and it is up to health professionals and administrators to ensure that proper protections are in place. Here are some best practices for now and advanced security platforms to look forward to in the future.

The rise of blockchain technology

While the possibility of losing business and patient data through a system breakdown or employee error is a serious concern, the potential for cybercrime is perhaps the bigger threat. As technology advances, so do the methods that hackers use to infiltrate our systems. The result is a combination of threats, from computer viruses to phishing attacks, which trick employees into clicking a link or attachment that opens a door into their computer's infrastructure. From there, a hacker can sell the personal info that they obtain on the black market or use it to extort money from the unsuspecting patient. Since criminals have the ability to hack into health systems, an extra layer of security is needed: enter the blockchain. Instead of having patient information listed on an Excel spreadsheet or an unsecured platform, this type of technology has information that is encrypted and entered into a chain that cannot be changed, deleted, or tampered with. All new information is verified against a ledger of previous events and cannot be modified unless it is deemed accurate.

In addition to creating better security, blockchain also creates additional transparency for those receiving care. Since a patient would be one of the owners of the blockchain, they are able to monitor when new data is added or changed within their records and have a say in the decision. Blockchain also prevents the leakage of data when emailing or shipping patient records to a new provider, as the new office would need only an access key to view and add their own content. While this is a relatively new technology, it could prove to be a necessary one in the future.

Safeguarding medical data

Regardless of how data can be lost, it is essential that your medical office is proactive instead of reactive when it comes to a potential breakdown. The first step should always be to create an extensive risk analysis that not only assumes potential risks but also lists a plan of action if the unthinkable were to occur. Start by taking all potential scenarios, from a hacker to a terrorist attack, then list them in order of likelihood. Finally, have steps in writing that each associate needs to carry out to ensure that the data is restored and the damage is minimal.

Part of every disaster recovery plan should be backup servers that store data as soon as it is acquired. These servers should be separate from your main computing system, so if your local office suffers a breach, your backup data will remain intact. Backups can be physical or based in the cloud, but in any case, they should be maintained regularly. Medical centers should also be equipped with the best data breach insurance. When a breach occurs, the fallout can be devastating, as there is not only a cost involved with restoring your company but also a trust that is broken with the customers. This is why you must act swiftly when an incident occurs, and insurance can provide experts to help repair your company and assist with accrued costs.

HIPAA compliance

While all businesses should have security as a top priority, health organizations need to be extra diligent, as they have their own laws that must be followed. The Health Insurance Portability and Accountability Act, or HIPAA, protects patient rights while also working to protect their personal information. Paired with that is the HIPAA security rule, which requires that the proper procedures are in place to keep this information protected when it is stored and transferred. It is the responsibility of the health practice to follow these guidelines. For instance, HIPAA requirements state that medical records must be kept for a minimum of six years from the date they were created. These records must be retained with backup systems and functioning firewalls. Once a practice decides to close down the records, they must be disposed of properly. For physical paperwork, old documents should be shredded so they cannot be reproduced. Once they are shredded, an outside vendor should take these records away so the shreds can also be disposed of properly.

Patient information should never be shared with anyone who isn't authorized, so precautions must be taken at all times. While working in the office, never use a customer's full first and last name within close proximity of other patients, and ensure that your printer prints face down so passersby cannot sneak a peek at a name or social security number. When faxing information to other offices, use a cover sheet, so the content is not visible for all to see. Finally, all staff members should use complicated passwords that include letters, numbers, and special characters.

When it comes to the security of personal data in healthcare, due diligence is not only an ethical responsibility, but a legal one as well. The doctor-patient relationship is built on trust, and these proactive actions can honor that bond.
Categories: Security Posts

Themes from Real World Crypto 2020

Over 642 brilliant cryptographic minds gathered for Real World Crypto 2020, an annual conference that brings together cryptographic researchers with developers implementing cryptography in the wild. Overall, RWC 2020 was an impressive conference that demonstrated some amazing work. Here we explore three major themes that emerged:
  1. Crypto bugs are everywhere... Whether it's a somewhat unsurprising Bleichenbacher attack on TLS, or cryptographic side-channel attacks on (supposedly) secure hardware, there are a lot of cryptographic vulnerabilities out there. This became abundantly clear this past week.
  2. …so we need more cryptographers on projects… When designing, implementing, and reviewing cryptographic systems, the more cryptographers involved, the better. RWC 2020 featured big examples of how well collaboration can work, and how badly important systems can fail without it.
  3. …but cryptographic capabilities are growing fast! Advanced cryptography is becoming more practical, as shown by new multi-party computation frameworks and improvements to ZK-proofs. Plus we saw exciting new applications in Apple's Find My protocol for finding offline devices, message authentication for satellites to prevent spoofing, and more.
Let's dig in!

1. Crypto bugs are everywhere

Traditional attacks

Yet another Bleichenbacher attack was presented: The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations. (Which brings us to a fourth theme: cryptographers still love using tortured puns and silly acronyms.) The attack leverages Bleichenbacher's attack on PKCS#1 v1.5 padding for RSA key exchanges. Specifically, the attack takes advantage of the fact that many companies reuse certificates across multiple servers, so the Bleichenbacher attack can be parallelized and thus completed before the 30-second session timeout occurs. Unfortunately, this insecure padding scheme is still supported by ~6% of the internet; further, a man-in-the-middle downgrade attack can be performed, so any server that supports a vulnerable implementation can be broken 100% of the time (and this works even if the client does not support RSA key exchange).

Another talk, SHA-1 is a Shambles, discussed a chosen-prefix collision on SHA-1 and showed that SHA-1 can now be attacked in practice with affordable hardware. The authors used this vulnerability to perform an impersonation attack on PGP. This project was the culmination of several years of work, with theoretical attacks discovered in the early 2000s and the first practical attack found in the 2017 paper, SHAttered. In other words, SHA-1 shall never be used again (ok, coming up with puns is harder than it looks).

Other attacks

Two different attacks on secure hardware were presented at RWC: one on a hardware security module (HSM) and another on a trusted platform module (TPM). The first attack targeted a specific HSM model and was able to (among other things) perform arbitrary code execution and decrypt all secrets. Although the attack itself was not heavily cryptographic, the talk demonstrated (yet again) that we cannot necessarily trust that our cryptographic secrets will be safe on HSMs.

The second talk combined a timing side-channel attack with a lattice attack on ECDSA to recover the private signing key, demonstrating that TPMs are unfortunately not side-channel resistant. Meanwhile, "Pseudorandom Black Swans: Cache Attacks on CTR DRBG" demonstrated that random number generators are also vulnerable to side-channel attacks. The cache attack leverages two problems with CTR_DRBG: keys are not rotated fast enough, and adding more entropy is optional (and chosen by the API caller). This means keys can be compromised, and if inadequate entropy is used, an attacker can then obtain all future states. These attacks were not a part of the previous standard's threat model; fortunately, FIPS 140-3 updates this threat model.

2. The case for more cryptographers

From all of these attacks, the lesson is to involve more cryptographers and think about a variety of threat scenarios when designing your system (and in the case of the last talk, use Hash_DRBG). Several RWC 2020 presentations confirmed this. For instance, we saw how CRLite, a scalable system for TLS revocations, was achieved through academic and industrial collaboration. On the other hand, two different cryptographic reviews of e-voting systems and an analysis of the handshake protocol in WPA3 showed the dangers of too few cryptographic cooks.

The good

CRLite, the system for TLS revocations, started as an academic design and Firefox extension proof of concept; from there industry improved on the scheme, taking into account infrastructure that exceeded the means of academia alone. Now there is a working prototype and development is progressing while academia continues to refine the protocol.

More promising news came from model-checking 5G security: our tools are sufficiently advanced that standardization now can and should be accompanied by formal models and analysis. This idea was pioneered by the symbolic analysis of TLS 1.3, and it's great to see the trend continuing. These types of analysis are very powerful for protocols and standards, as they ensure that security goals are clearly stated and achieved by the protocol. In the case of 5G, the security goals were not clearly stated in the initial conception of the protocol. The RWC 2020 presentation, "A Formal Analysis of 5G Authentication," specified the security goals more clearly, which led to the discovery that 5G does not achieve untraceability (perhaps this is bad after all!). Nevertheless, this work serves as an important demonstration and should be replicated for future standardization efforts.

The bad

"Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" makes a pretty compelling case for involving cryptographers in protocol design. WPA2 is vulnerable to offline dictionary attacks, and WPA3 was proposed as the improvement. However, Dragonblood found that WPA3 is vulnerable to side-channels, and, according to the authors of the paper, "WPA3 does not meet the standards of a modern security protocol." To make matters worse, the countermeasures are costly and may not be adopted. Worst of all, as the authors state, these issues could have been avoided if the protocol design process had been open to more cryptographers.

The ugly

There's plenty of ugliness in the world of e-voting, as the talks at RWC 2020 confirmed. In one analysis of the Moscow internet voting system, two significant breaks to the encryption scheme were found within a somewhat constrained time frame. For example, the first break resulted from an insecure variant of ElGamal dubbed "Triple ElGamal," which attempted to achieve 768-bit security but actually achieved three separate instances of 256-bit security, which can be broken in under 10 minutes using CADO-NFS. Both breaks cited were fixed; however, the fixes to the second break were published only two days before the election, and the technology was still deployed. The general impression of the presenter was that the voting scheme achieved no privacy, very partial verifiability, no coercion resistance, and no protection against vote-buying. Although the Russian government should be commended for opening their source code, it is clear that more cryptographers should have been involved in this entire process.

Similar work on the Switzerland internet voting system led to the discovery of some significant cryptographic bugs. The protocol uses a zero-knowledge proof system to achieve both privacy and verifiability; however, due to a flaw in their Fiat-Shamir transformation, none of the zero-knowledge proofs were sound. Further, parameters were generated incorrectly in a way that could allow votes to be modified. Even worse, statements were malformed for their zero-knowledge proofs, which broke their security proofs. This result is not ideal. However, to be fair, it is great to see cryptographers involved, as critical issues were spotted before deployment in Switzerland (and revealed similar issues in non-public systems in other countries).

3. New growth and cryptography applications

It's not all bad; our cryptographic capabilities are growing quickly! And RWC 2020 displayed some fascinating efforts to apply cryptography to real world problems.

"Find My" cryptography

Earlier this year, Apple released a new "Find My" feature in iOS 13 that allows offline devices to be located while protecting the privacy of both the owner and the finder of the device. Previously, similar features like "Find My Phone" required the device to be online, a serious limitation, particularly for devices like MacBooks which are typically offline. The cryptography behind this feature was presented at RWC 2020. Apple sought a protocol that achieved the following goals:
  • Only the owner of the device can track the device and access location reports remotely
  • Previous locations of the device are protected if the device is compromised 
  • Owners only receive anonymous information from the finder  
  • The finder’s location is never revealed to others (including the server) 
To achieve this, the protocol calls for offline devices to broadcast public keys via Bluetooth. Active devices become "finders," and when other offline devices are discovered via Bluetooth, the finder encrypts its location using the offline device's public key and sends it to the cloud. This way, even the server does not know the location; however, IP-based information does leak to the server, and Apple's only promise is that they do not store logs of this information. The owner can then access the time and location of their offline device whenever there is an active device in its vicinity. (There are more subtleties to the protocol to achieve the remaining security goals, such as key rotation.) In summary, Apple specified rigorous security and privacy goals, and constructed a novel design in their attempt to achieve them.

Private detection of compromised credentials

"Protocols for Checking Compromised Credentials" presented a formal security analysis of two protocols for checking compromised credentials: HaveIBeenPwned (HIBP) and Google Password Checkup (GPC). These protocols aim to alert users if their credentials have been breached and shared across the web. GPC maintains an active database of username and password pairs for users to query. HIBP, on the other hand, only maintains passwords. Since these databases contain hundreds of millions of records, both protocols implement a bucketization strategy, where hash values corresponding to records are sorted into buckets based on their hash prefix. This allows users to query the database with a hash prefix, receive a bucket of hash values, and check if their credentials have been compromised, without revealing the entire hash of their secret to the server. The study presented at RWC 2020 demonstrated that each protocol leaks noticeable information about user secrets due to their bucketization strategies; both protocols leak information, for different, subtle reasons. Luckily, the study also produced mitigation strategies for both protocols.

Out of this world cryptography

RWC even included some cryptographic applications that are out of this world. Galileo is a global navigation satellite system (like GPS) used by the European Union. As discussed at RWC, these navigation systems are a critical part of our infrastructure, and spoofing location is actually fairly easy. Luckily, so far, this spoofing is mostly used for playing Pokemon Go; however, spoofing attacks on these satellite systems are real. To protect against potential future attacks, Galileo will offer a public navigation message authentication service.

Banking on collaboration

The final talk at RWC discussed using multi-party computation to detect money laundering. Financial regulators impose large fines on banks if they allow money laundering activities, so these banks are incentivized to detect illegal activities. However, collaboration between banks is difficult because transaction data is private. Fortunately, multi-party computation can facilitate this collaboration without violating privacy. Overall, this effort achieved promising results by applying a graph-based approach for modeling transactions and algorithms specialized for multi-party computation for efficient, collaborative analysis between various banks.

Conclusion

RWC 2020 made it clear that involving cryptographers in the design and implementation of your novel protocols will save you both time and money, as well as keeping everyone safer. If you're involved in this type of work, encourage everyone involved to open-source your code, publish your protocols for review, and hey, talk to the Trail of Bits cryptography team!
Categories: Security Posts
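As an added example for the "Private detection of compromised credentials" section (not code from the talk or from HIBP), a local model in Python of the HIBP-style range query with both sides: the server buckets breached password hashes by prefix, the client sends only the prefix and matches its suffix locally. The breach list is constructed; the 5-hex-character SHA-1 prefix is the convention HIBP's public range API uses, and the `prefix_bits_revealed` helper makes explicit what the server still learns per query.

```python
"""HIBP-style k-anonymity range query, modelled locally with both sides."""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # HIBP's range API keys buckets by the first 5 hex chars of SHA-1


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachServer:
    """Server side. Built from a constructed breach list, not HIBP's real data.
    Each breached password is stored under the bucket named by its hash prefix."""

    def __init__(self, breached_passwords):
        self.buckets = defaultdict(lambda: defaultdict(int))  # prefix -> {suffix: count}
        self.queried_prefixes = []  # everything the server ever learns from clients
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self.buckets[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1

    def range_query(self, prefix):
        """Return the whole bucket for a prefix; the full hash never arrives."""
        self.queried_prefixes.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def check_password(server, password):
    """Client side. Returns (times seen in breaches, size of the bucket that was
    downloaded); the bucket size is the client's anonymity set for this query."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = server.range_query(prefix)
    return bucket.get(suffix, 0), len(bucket)


def prefix_bits_revealed():
    """The leakage the RWC talk is about in its simplest form: the prefix places
    the secret's hash in one of 16**PREFIX_LEN buckets, i.e. reveals 4*PREFIX_LEN
    bits of it to the server on every query."""
    return PREFIX_LEN * 4


if __name__ == "__main__":
    # Constructed breach corpus for the demo.
    server = BreachServer(["password", "123456", "letmein", "password"])
    for candidate in ("password", "correct horse battery staple"):
        seen, bucket_size = check_password(server, candidate)
        print(f"{candidate!r}: seen {seen} times, bucket size {bucket_size}")
    print(f"server learned prefixes {server.queried_prefixes}, "
          f"{prefix_bits_revealed()} bits of each hash")
```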

Hunting for beacons

Fox-IT - Wed, 2020/01/15 - 13:29
Author: Ruud van Luijk

Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection, or of connecting to the victim machine directly. However, it is convenient to have the victim machine connect to you. In other words: it has to communicate back. This blog describes a method to detect one technique utilized by many popular attack frameworks, based solely on connection metadata and statistics, which in turn enables the technique to be used on multiple log sources.

Many attack frameworks use beaconing

Frameworks like Cobalt Strike, PoshC2, and Empire, but also some run-of-the-mill malware, frequently check in at the C2 server to retrieve commands or to communicate results back. In Cobalt Strike this is called a beacon, but the concept is similar for many contemporary frameworks. In this blog the term 'beaconing' is used as a general term for the call-backs of malware. Previous fingerprinting techniques [2] show that there are more than a thousand Cobalt Strike servers online in a month that are actively used by several threat actors, making this an important point to focus on.

While the underlying code differs slightly from tool to tool, they often consist of two components that set up a pattern for a connection: a sleep and a jitter. The sleep component indicates how long the beacon has to sleep before checking in again, and the jitter modifies the sleep time so that a random pattern emerges. For example: 60 seconds of sleep with 10% jitter results in a uniformly random sleep between 54 and 66 seconds (PoshC2 [3], Empire [4]) or a uniformly random sleep between 54 and 60 seconds (Cobalt Strike [5]). Note the slight difference in calculation. This jitter weakens the pattern but will not dissolve the pattern entirely. Moreover, due to the uniform distribution used for the sleep function, the jitter is symmetrical. This is to our advantage when detecting this behaviour!

Detecting the beacon

While static signatures are often sufficient for detecting attacks, this is not the case for beaconing. Most frameworks are very customizable to your needs and preferences, which makes it hard to write correct and reliable signatures. Yet the pattern itself does not change that much. Therefore, our objective is to find a beaconing pattern in seemingly patternless connections, in real time, using a more anomaly-based method. We encourage other blue teams/defenders to do the same.

Since the average and median of the time between the connections are more or less constant, we can look for connections where the times between consecutive connections constantly stay within a certain range. Regular traffic should not follow such a pattern: for example, it makes a few fast consecutive connections, then pauses for a longer time, and then again has some interaction. Using a wider range will detect beacons with a lot of jitter, but more legitimate traffic will also fall in the wider range. There is a clear trade-off between false positives and accounting for more jitter.

In order to track the pattern of connections, we create connection pairs. For example, an IP that connects to a certain host can be expressed as '10.0.0.1 -> somerandomhost.com'. This is done for all connection pairs in the network. We will deep dive into one connection pair.

The image above illustrates a simulated beacon for the pair '10.0.0.1 -> somerandomhost.com' with a sleep of 1 second and a jitter of 20%, i.e. a range between 0.8 and 1.2 seconds, while the model is set to detect a maximum of 25% jitter. Our model follows the expected timing of the beacon, as all connections remain within the lower and upper bound. In general, the more connections reside within this bandwidth, the more likely it is that there is some sort of beaconing. When a beacon has a jitter of 50% and our model has a bandwidth of 25%, it is still expected that half of the beacons will fall within the specified bandwidth.

Even when the configuration of the beacon changes, this method will catch up. The figure above illustrates a change from one to two seconds of sleep whilst maintaining a 10% jitter. There is a small period after the change where the connections break through the bandwidth, but after several connections the model catches up.

This method can work with any connection pair you want to track. Possibilities include IPs, HTTP(S) hosts, DNS requests, etc. Since it works on metadata only, this will also help you hunt for domain-fronted beacons (keeping in mind your baseline).

Keep in mind the false positives

Although most regular traffic will not follow a constant pattern, this method will most likely result in several false positives. Every connection that runs on a timer will result in the exact same pattern as beaconing. Examples of such connections are Windows telemetry, software updates, and custom update scripts. Therefore, some baselining is necessary before using this method for alerting. Still, hunting will always be possible without baselining!

Conclusion

Hunting for C2 beacons proves to be a worthwhile exercise. Real-world scenarios confirm the effectiveness of this approach. Depending on the size of the network logs, this method can plow through a month of logs within an hour, due to the simplicity of the method. Even when the hunting exercise did not yield malicious results, there are often other applications that act on specific time intervals and are also worth investigating, removing, or altering. While this method will not work when an adversary uses 100% jitter, keep in mind that this will probably annoy your adversary, so it is still a win!

References:
[1] https://attack.mitre.org/tactics/TA0011/
[2] https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
[3] https://github.com/nettitude/PoshC2/blob/master/C2-Server.ps1
    https://github.com/nettitude/PoshC2_Python/blob/4aea6f957f4aec00ba1f766b5ecc6f3d015da506/Files/Implant-Core.ps1
[4] https://github.com/EmpireProject/Empire/blob/master/data/agent/agent.ps1
[5] https://www.cobaltstrike.com/help-beacon
Categories: Security Posts
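As an added example (not Fox-IT's own tooling), a Python implementation of the bandwidth check described in the post: for every 'src -> dst' pair it keeps the recent inter-connection intervals, uses their median as the expected sleep, and counts how many new intervals stay within plus or minus 25% of it. The demo feeds it constructed 'timestamp src dst' log lines from a simulated PoshC2/Empire-style beacon (sleep 1 s, 20% jitter, then a configuration change to 2 s and 10% jitter, so the reference has to catch up) and from bursty user-like traffic; the pair names, log format, window size and scoring are all assumptions of this example.

```python
"""Beacon hunting over connection metadata: the sleep-plus-jitter bandwidth check."""
import random
import statistics
from collections import defaultdict, deque

TOLERANCE = 0.25   # model bandwidth: accept intervals within +/-25% of the reference
WINDOW = 10        # number of recent intervals whose median is the reference


class PairTracker:
    """Tracks one 'src -> dst' pair: how many of its inter-connection intervals
    stay inside the bandwidth around the recent median interval."""

    def __init__(self, tolerance=TOLERANCE, window=WINDOW):
        self.tolerance = tolerance
        self.recent = deque(maxlen=window)  # adapts when the beacon's sleep changes
        self.last_ts = None
        self.inside = 0
        self.scored = 0

    def observe(self, ts):
        if self.last_ts is not None:
            interval = ts - self.last_ts
            if len(self.recent) >= 3:  # need a reference before judging
                ref = statistics.median(self.recent)
                lo, hi = ref * (1 - self.tolerance), ref * (1 + self.tolerance)
                self.scored += 1
                if lo <= interval <= hi:
                    self.inside += 1
            self.recent.append(interval)
        self.last_ts = ts

    def score(self):
        """Fraction of judged intervals inside the bandwidth (1.0 = perfect beacon)."""
        return self.inside / self.scored if self.scored else 0.0


def score_pairs(lines, min_connections=20):
    """Parse constructed 'timestamp src dst' lines; return {pair: (score, count)}."""
    trackers = defaultdict(PairTracker)
    counts = defaultdict(int)
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, dst = line.split()
        pair = f"{src} -> {dst}"
        trackers[pair].observe(float(ts))
        counts[pair] += 1
    return {p: (t.score(), counts[p]) for p, t in trackers.items()
            if counts[p] >= min_connections}


def beacon_events(rng, pair, n, sleep, jitter, start=0.0):
    """PoshC2/Empire-style beacon: sleep uniformly in [sleep*(1-j), sleep*(1+j)]."""
    ts, out = start, []
    for _ in range(n):
        out.append(f"{ts:.3f} {pair[0]} {pair[1]}")
        ts += rng.uniform(sleep * (1 - jitter), sleep * (1 + jitter))
    return out, ts


def bursty_events(rng, pair, bursts, start=0.0):
    """User-like traffic: a few quick connections, then a longer pause."""
    ts, out = start, []
    for _ in range(bursts):
        for _ in range(rng.randint(3, 8)):
            out.append(f"{ts:.3f} {pair[0]} {pair[1]}")
            ts += rng.uniform(0.05, 0.5)
        ts += rng.uniform(5, 60)
    return out, ts


def run_demo(seed=7):
    """Constructed traffic: one beacon pair (with a mid-stream config change)
    and one bursty pair, scored with the 25% bandwidth model."""
    rng = random.Random(seed)
    beacon = ("10.0.0.1", "somerandomhost.com")
    first, t = beacon_events(rng, beacon, 60, sleep=1.0, jitter=0.20)
    second, _ = beacon_events(rng, beacon, 60, sleep=2.0, jitter=0.10, start=t)
    noise, _ = bursty_events(rng, ("10.0.0.2", "news.example"), 15)
    return score_pairs(first + second + noise)


if __name__ == "__main__":
    for pair, (score, count) in sorted(run_demo().items()):
        print(f"{pair:32} connections={count:4d} in-bandwidth={score:.2f}")
```

The beacon pair scores well above 0.9 despite the sleep change (only the handful of intervals until the median window refills fall outside), while the bursty pair stays far below; a timer-driven updater would score like the beacon, which is the baselining caveat the post makes.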

Forging A Viking Broad Sword: from start to finish

Niels Provos - Fri, 2019/11/15 - 02:16

This is a video completing about two years of work in creating a single-edged pattern-welded sword or seax that could plausibly have been created during Viking times. It shows all steps from assembling pieces of steel, twisting and forging until the sword blade is complete and tested with a simple cutting test.

It’s about 30 minutes long and shot on a Sony FS7. It’s 4K and color graded for high-dynamic range (HDR).
Categories: Security Posts

Lumina certificate expiration on October 10th, 2010: workaround

Hex blog - Tue, 2019/10/08 - 17:29
We invite our Lumina users to read this short announcement
Categories: Security Posts
