Category Archives: Generals

DFIR Problems in the Cloud

More and more companies are adopting the cloud because of its ease of deployment, its integration with business needs and its scalability, and the pandemic and changing business models have pushed usage even further.

From an IT perspective, cloud usage provides a lot of convenience. With the cloud, companies pay only for the resources they need and can easily scale up or down to meet demand. With this scalability, they do not need to guess future usage and budget for it. Additionally, while it takes days or weeks to implement a new server on premises, it only takes a few minutes to get a new one in the cloud, and it saves on expenses like cabling, staff, broad network access and data center space. The cloud also provides a global infrastructure and high availability for systems with little effort.

For the reasons above and more, it is very understandable why the cloud market will keep growing in the coming years; the expectation is that the market will be worth more than $800 billion in 2025. However, this convenience brings different problems and challenges on the security, incident response and digital forensics side.

Separation of Responsibilities in the Cloud

Security is difficult in the cloud for customers because the cloud customer does not have access to, or responsibility for, all the systems that need to be secured. So, it is crucial to know the shared responsibility models of the cloud.

Within the scope of this article, we do not describe what these cloud services are one by one.

Challenges of Security

The shared responsibility model shown above makes security, incident response and digital forensics more difficult. It is not enough to know only the organization's assets; security teams need to work together with the cloud service provider's (CSP) security teams. In all service models, the organization's teams will not have access to and control over some of the data, OS, storage, network traffic, etc. These are not the only difficulties. Most organizations use hybrid clouds and more than one CSP. This means systems are distributed between different data centers and locations, and teams need data from these different systems in different CSPs and structures.

The distributed multi-CSP structure makes it difficult to collect data during an incident, so investigating real-time incidents in the cloud becomes harder. One reason is access rights: in all cloud service models, the incident handler and forensic analyst have limited access to and control over data. Another is the differences in operational details and procedures between CSPs. Also, when different CSPs are used, and depending on each CSP's structure, logs may be stored distributed across different servers and locations, which also makes investigating an incident difficult. Correlating an activity between different CSPs is challenging due to the lack of interoperability, and log timestamps and time correlation add to this challenge.

Many more items can be added to this list of technical challenges. However, there is also a legal side to using the cloud. As CSPs distribute their infrastructure across locations all over the world, customers can face legal issues. Data collection, protection and governance laws change according to the region the servers are located in, which makes it challenging to standardize processes. These differences can also be reflected in SLAs.

The list of items challenging security teams in the cloud can easily be extended: admins' experience in handling cloud environments, gathering and knowing cloud investigation and forensics tools, international communication, privacy concerns, unknown location of data, data volatility, time and timestamp synchronization, log format differences, etc.

Virtual Machines Roles in Growing Number of Ransomware Attacks

The Symantec Threat Hunter Team published a post about evidence that an increasing number of ransomware attackers are using virtual machines (VMs) to run their ransomware payloads on compromised computers. The purpose of using VMs in ransomware attacks is thought to be hiding the malicious activity. It is stated that this method is used to bypass security solutions and to ensure that the malicious code stays hidden inside the virtual machine.

In the past, a similar attack was seen on Windows XP machines by the RagnarLocker ransomware. The same method is now used on Windows 7 machines.

It is important to prevent the installation of unauthorized virtual machines in corporate networks and to implement NDR solutions to capture anomalies in the network. In addition, Symantec published these IoCs for detection:

  • 2eae8e1c2e59527b8b4bb454a51b65f0ea1b0b7476e1c80b385f579328752836 – Installer
  • 9f801a8d6b4801b8f120be9e5a157b0d1fc3bbf6ba11a7d202a9060e60b707d8 – runner.exe
  • e5291bae18b0fa3239503ab676cacb12f58a69eb2ec1fd3d0c0702b5a29246cb – VirtualBox
  • d89bd47fb457908e8d65f705f091372251bae3603f5ff59afb2436abfcf976d8 – Mountlocker
  • 8f247e4149742532b8a0258afd31466f968af7b5ac01fdb7960ac8c0643d2499 – Mountlocker

Carbon Black Critical Bug

VMware Carbon Black has published an update to resolve a critical authentication bypass vulnerability in the Carbon Black App Control product. App Control is a solution to lock down critical systems and servers, prevent unwanted changes and ensure continuous compliance with regulatory mandates.

This authentication bypass vulnerability is tracked as CVE-2021-21998. VMware Carbon Black App Control versions 8.6.x, 8.5.x, 8.1.x, and 8.0.x are affected.

With this auth bypass vulnerability, threat actors who can reach the management server of the App Control application can bypass authentication and obtain admin privileges. With these privileges, attackers can seize critical information on the system and deactivate EPP and EDR features on the target systems.

VMware announced that the vulnerability is fixed in versions 8.6.2 and 8.5.8. It is critical to upgrade so that the system is not affected by attacks.

Threat Hunting I – Understanding Threat Hunting

Although Threat Hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and a SIEM for collecting and correlating their logs, waiting for incidents to come is not a good approach. Without Threat Hunting, dwell time rises to more than 150 days, and this is not acceptable anymore. While attackers work proactively and develop new techniques day by day, security teams need to be more proactive too. Threat Hunting is the most proactive approach in an organization's security structure and improves its security posture.

Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering.
Source: Extrahop

In its simplest definition, Threat Hunting is detecting abnormal activities on endpoints and the network. But what should a hunter look for?

What to Hunt?

Threat Hunting is a continuous process. Hunters should check anything that could be evidence of an incident.

  • Processes: Processes are important components of OSs. Adversaries may inject malicious code into hijacked processes. Therefore, hunters should check processes and their child processes regularly.
  • Binaries: Hunters should check binaries by their checksum, name and other attributes.
  • Network: Network activity to specific destinations and anomalies in the network should be checked.
  • Registry: Hunters should check registry key additions and modifications.

The Team

For continuous hunting, organizations need to have threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach, as mentioned before. In smaller organizations, SOC analysts may also work on threat hunting, but a threat hunter actually needs more specialized skills than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should have detailed knowledge about:

  • OSs: The Threat Hunting team should have knowledge of the OSs the organization is using. This knowledge must include process structures, files, permissions and the registry, depending on the OS. This is important because malicious files and attackers make their changes in the OS. A threat hunter needs to understand what is normal and what is not; something that is not normal could be a sign of an intrusion. To gain this knowledge, baselines could be created for all critical systems. These baselines will help to know the normal and the anomalies.
  • Apps: Threat hunters should have knowledge of the applications used in the organization. It is also important to know the perimeter and endpoint security devices and applications used by the organization.
  • Business: The Threat Hunting team should have knowledge of the organization's business, so they need to follow adversaries working against the organization's sector and geographical location. It is also important to know the third-party companies the organization works with and the communication channels with them.
  • Network: In a big and segmented network structure, it is important to know where the critical assets are.
  • The Lockheed Martin Cyber Kill Chain: Also known as the APT phases, it represents the phases of an advanced attack.
  • TTPs: IoCs are important components of hunting, but they only detect "known knowns". TTPs are at the top of the Pyramid of Pain (defined by David Bianco), and especially the tactics and techniques of the adversaries threatening the organization's sector and location should be known.
  • Threat Hunting Tools: The CSIRT plan needs to include which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
  • IR&H Plan: Threat hunting is only one step of the proactive approach. If threat hunters successfully find an intrusion or anomaly in systems, they need to know the next step. Who should they inform? What should be done? etc.
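The "Processes" item above and the OS baselines described in this list can be combined into one check: record which parent image normally starts each process on a clean host, then flag processes on a later snapshot whose parent is not in that baseline. The following is an added example, not code from the original post; the process snapshots and the image names in them are constructed, and the check only looks at parent/child image names.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed snapshot of a known-good Windows host (not captured from a real system)
CLEAN_SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(600, 4, "smss.exe"),
    Proc(700, 600, "csrss.exe"),
    Proc(900, 600, "wininit.exe"),
    Proc(950, 600, "winlogon.exe"),
    Proc(1000, 900, "services.exe"),
    Proc(1100, 1000, "svchost.exe"),
    Proc(1500, 950, "userinit.exe"),
    Proc(2000, 1500, "explorer.exe"),
    Proc(2500, 2000, "winword.exe"),
]

# Constructed later snapshot of the same host containing two deviations
HUNT_SNAPSHOT = CLEAN_SNAPSHOT + [
    Proc(2600, 2500, "powershell.exe"),  # an Office process spawning a shell
    Proc(2800, 2000, "svchost.exe"),     # svchost.exe not started by services.exe
]


def parent_name(proc, by_pid):
    """Image name of proc's parent, or "<none>" for the root of the tree."""
    parent = by_pid.get(proc.ppid)
    return parent.name.lower() if parent else "<none>"


def build_baseline(snapshot):
    """Map each image name to the set of parent image names seen on a clean host."""
    by_pid = {p.pid: p for p in snapshot}
    baseline = {}
    for p in snapshot:
        baseline.setdefault(p.name.lower(), set()).add(parent_name(p, by_pid))
    return baseline


def find_anomalies(snapshot, baseline):
    """Return (pid, name, parent, reason) for every process that deviates from the baseline."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        parent = parent_name(p, by_pid)
        expected = baseline.get(p.name.lower())
        if expected is None:
            findings.append((p.pid, p.name, parent, "image not in baseline"))
        elif parent not in expected:
            findings.append((p.pid, p.name, parent, "unexpected parent"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(HUNT_SNAPSHOT, build_baseline(CLEAN_SNAPSHOT)):
        print(finding)
```

In production the same comparison runs over process-creation events (for example Sysmon Event ID 1 or Windows Security event 4688) rather than point-in-time snapshots, which also avoids confusion from PID reuse between snapshots.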

Requirements

  • Threat Intelligence: Threat intelligence is one of the most important feeds for threat hunting. Threat hunters need to have the most recent intelligence and IoCs so they can hunt for the latest threats.
  • EDR: Threat hunters need IoCs but also need to know how to use them. After gathering the most recent IoCs from TI platforms, an IoC sweep must be made on endpoints.
  • NDR: Just like endpoints, network traffic also needs to be checked against the latest IoCs. To do this, the CSIRT needs to collect all east-west and north-south network traffic. NDR devices with AI capabilities also detect anomalies in the network.
  • SIEM: Depending on the hunt's scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or other tools' logs. Because logs come from different sources, the CSIRT needs to collect and correlate these logs in the SIEM; feeding the SIEM with the latest IoCs makes these logs more meaningful.
  • FIM: We said that baselines must be created for critical systems. FIM solutions will help the CSIRT create baselines for OSs and alert analysts when an unauthorized change is made.
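The "Binaries" hunt item, the EDR IoC sweep and the FIM baseline above all rest on the same operation: hashing files and comparing the hashes against a list. The following added example (not the post's own code, and not a real EDR or FIM product) builds a SHA-256 baseline of a directory, diffs a later state against it, and sweeps the current hashes against an IoC set; the directory contents and the IoC entry are constructed inside the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (as a POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def ioc_sweep(hashes, iocs):
    """EDR-style sweep: files whose hash appears in the IoC set, mapped to the IoC label."""
    return {path: iocs[h] for path, h in hashes.items() if h in iocs}


def baseline_diff(baseline, current):
    """FIM-style comparison of two hash maps: added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def save_baseline(hashes, path):
    Path(path).write_text(json.dumps(hashes, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Constructed scenario: baseline a directory, change it, then diff and sweep."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "bin"
        target.mkdir()
        (target / "svc.exe").write_bytes(b"constructed clean binary v1")
        (target / "helper.dll").write_bytes(b"constructed helper library")
        save_baseline(hash_tree(target), root / "baseline.json")

        # Changes between two hunts: a patched binary, a deleted library and a dropped file
        (target / "svc.exe").write_bytes(b"constructed clean binary v2 (patched)")
        (target / "helper.dll").unlink()
        dropped = b"constructed dropped file contents"
        (target / "runner.exe").write_bytes(dropped)

        # Constructed IoC feed, hash -> label; a real feed comes from the TI platform
        iocs = {hashlib.sha256(dropped).hexdigest(): "constructed-ioc"}

        current = hash_tree(target)
        return {"diff": baseline_diff(load_baseline(root / "baseline.json"), current),
                "hits": ioc_sweep(current, iocs)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A baseline is only as trustworthy as the host it was taken from, so take it right after a clean build and store it off the monitored system.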

New Tools of Kali

Kali Linux 2021.2 has been released with some new tools, Kaboxer and Kali-Tweaks, and some cosmetic changes.

Kaboxer provides containers to run applications that no longer work on newer OSs or need isolation.

Kali-Tweaks is a tool that makes it easy for users to configure their OS. Users can customize their Kali easily with Kali-Tweaks.

There are also some more differences in the new Kali release. Some of the changes in Kali Linux 2021.2 are:

  • Opening a listener on TCP and UDP ports 0-1023 no longer requires super-user access
  • More Kali Docker images
  • New packages for Raspberry Pi
  • Pacu, an AWS exploitation framework
  • Peirates for Kubernetes penetration testing
  • Dirsearch for brute-forcing directories and files on web servers
  • Quark-Engine for Android malware scoring

FireEye Announces Sale of FireEye Products

FireEye, one of the most important security companies, announced an agreement to sell the FireEye products business, including the FireEye name, to Symphony Technology Group (STG) in an all-cash transaction for $1.2 billion.

A few months ago, FireEye repositioned some products under the Mandiant name. iSight Threat Intelligence and Verodin were positioned under the Mandiant name, and thus the reason for this change was revealed. “We believe this separation will unlock our high-growth Mandiant Solutions business and allow both organizations to better serve customers,” said FireEye Chief Executive Officer Kevin Mandia.

FireEye announced this on their investors page; you can see the details here.

Incident Handling and Response to Insider Threats

Because an insider is an employee, a trusted person with access to various data, insider threats are major risks for organizations. Organizations invest in protecting the perimeter against external threats but focus less on internal threats. This is the other factor that makes insider threats riskier.

Attacks may come from different types of employees. These attackers may be system admins or managers who have authorized access to critical data, unhappy or terminated employees, users who lost a device containing sensitive data or sent an e-mail to incorrect recipients, or personnel untrained in security policies and best practices who are subjected to social engineering attacks.

All types of incidents require similar response steps. Here, we will try to explain the stages incident responders, and actually the whole organization, must carry out against an insider attack.

IH&R Steps for Insider Threats

EFFECTIVENESS OF INSIDER THREAT

Insider threats are a major risk because these kinds of attacks are very effective. They are difficult to detect and can go undetected for years. It is very easy to attack from inside since users have authorization to some data and systems, and they can easily cover their actions by reaching the logs and deleting or modifying them. This also makes these types of attacks difficult to detect. Organizations need to monitor users' behavior to detect and respond quickly.

As against all types of attacks, organizations need well-planned and regularly tested incident response plans to contain and eradicate insider attacks.

PREPARATION

Organizations must always be ready for an insider attack. The preparation stage is important to detect and respond to these attacks.

  • Conduct security awareness trainings regularly to inform users about social engineering techniques. Insider attacks are not only carried out by malicious employees. Regular security awareness trainings will prevent your users with access to sensitive data from being used by malicious people.
  • Train users on how to report any policy violation.
  • Classify the organization's data, identify the critical data and apply a need-to-know approach to accessing it.
  • Be sure all necessary logs are collected in the SIEM.
  • Use privileged access management tools for storing the passwords of all types of accounts that reach critical data or the production environment.
  • Make sure that terminated employees' access rights are immediately removed from both logical and physical systems.
  • Deploy data loss prevention tools, but never trust that DLP will fully protect you. It is important to know the gaps of DLP tools to protect data better. Make sure you read our post about DLP 🙂
  • Install NDR to detect abnormal user behavior. You can access our article explaining the importance of NDR against insider threats.
  • Install honeypots and honeytokens to lure attackers.
  • Segregate the backup network from production or test networks and implement secure access methods for backup files.
  • Device control should be applied across all systems of the organization. Users should not be allowed to use external storage.
  • Employees should sign a confidentiality and non-disclosure agreement with the Human Resources department.
  • Regular and objective interviews and feedback from employees will help the organization keep employees more content.

DETECT AND ANALYZE

Indicators of insider threats are mostly abnormal user behaviors. So, NDR with artificial intelligence technologies to detect anomalies in the network, UEBA, and honeypot tools are critical to detect these types of attacks. Changes in network usage patterns may be an indicator of an insider threat.

It is important to collect logs in the SIEM, but in most cases we have seen in real life that a huge amount of log data causes malicious activity to be missed. Collecting valuable logs and correlating them is more important than collecting everything. Also, missing or modified logs may be an indicator of insider threats. All log sources must be checked regularly to detect such an incident.

Accessing resources at unusual times and from unusual locations may be an indicator of insider threats. Multiple failed login attempts may also be used together with this time and location information to cover unauthorized access attempts.

Users' social media activity should be monitored. Unhappy and unmotivated users may try to post unnecessary information about the organization.

Incident responders must analyze different logs from different sources after a suspicious activity has been reported. These logs may include IDS/IPS, proxy, NDR, EDR, DLP and e-mail logs. They should check for suspicious network connections and data transfers outside the network.
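The three indicators named above (unusual time, unusual location, and failed attempts around a login) can be checked together over authentication logs. The following added example is not from the original post or any product: the log lines and their key=value format are constructed, and the per-user location baseline stands in for what a UEBA or SIEM history would provide.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN/authentication log lines in an assumed key=value format (not from a real system)
LOG_LINES = """\
2021-06-01T09:02:11Z user=alice src=10.20.1.15 geo=TR result=success
2021-06-01T09:05:40Z user=bob src=10.20.1.22 geo=TR result=success
2021-06-01T23:41:05Z user=alice src=203.0.113.7 geo=DE result=failure
2021-06-01T23:41:19Z user=alice src=203.0.113.7 geo=DE result=failure
2021-06-01T23:41:33Z user=alice src=203.0.113.7 geo=DE result=failure
2021-06-01T23:41:50Z user=alice src=203.0.113.7 geo=DE result=failure
2021-06-01T23:42:02Z user=alice src=203.0.113.7 geo=DE result=success
2021-06-02T08:58:00Z user=bob src=10.20.1.22 geo=TR result=success
"""

# Constructed per-user baseline of locations seen during normal work
KNOWN_GEO = {"alice": {"TR"}, "bob": {"TR"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_indicators(lines, known_geo, work_hours=(8, 19),
                    fail_threshold=3, window=timedelta(minutes=5)):
    """Flag successful logins that are off-hours, from an unseen location,
    or preceded by a burst of failures from the same user and source."""
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    findings = []
    for e in parse(lines):
        key = (e["user"], e["src"])
        if e["result"] != "success":
            recent_failures[key].append(e["ts"])
            continue
        reasons = []
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            reasons.append("off-hours login")
        if e["geo"] not in known_geo.get(e["user"], set()):
            reasons.append(f"unseen location {e['geo']}")
        fails = [t for t in recent_failures.pop(key, []) if e["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failed attempts before success")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_indicators(LOG_LINES, KNOWN_GEO):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

Work hours are compared in UTC here because the constructed timestamps are UTC; with real logs, convert to the user's local time zone first or the off-hours rule will misfire for remote staff.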

CONTAINMENT

For all types of attacks, containment is an indispensable stage for incident responders. It is vitally important to contain the source in question to prevent bad actors' actions both laterally and outbound. Containment minimizes the damage. Advanced EDR tools allow containment of such sources without having to be physically present near them, and incident handlers can keep analyzing these sources while the threat cannot spread.

After detecting and containing the malicious insider, all privileges and credentials of this actor should be blocked, including e-mail and domain accounts and physical access cards.

ERADICATION

The organization should have an incident response plan and procedures to be able to move fast after an incident occurs. Eradication is also an important stage of incident handling, and incident handlers should know in advance what to do in case of an insider attack by checking the policies and procedures. However, eradication is not just the CSIRT's job. These are processes all departments and employees must be involved in. The malicious actor's behavior should be determined step by step, and the missing preventive or detective controls that allowed her to act must be corrected. New security controls should be added and the preparation stage should be reviewed again.

RECOVERY

The recovery stage must begin immediately after detecting, containing and eradicating the insider threat incident. If data is stolen and exfiltrated, incident responders should contact the threat actor immediately, before the data is sold or disclosed publicly.

Incident responders must be sure to gather enough evidence for legal proceedings. This evidence will also help with insurance processes.

In case the attacker placed malware or a backdoor inside the network, all systems should be checked carefully and all outbound connections should be checked for C&C communication. A threat hunting activity may be required.

If information is stolen and the stolen data includes user credentials, passwords should be changed across the whole organization.

POST-INCIDENT ACTIVITIES

This is one of the most important steps in incident response. The CSIRT should create a lessons learned document after every incident, and this goes for insider threat incidents too. These lessons learned documents will help the organization prepare more effectively for possible future incidents. In this stage, all the confusion caused by the incident will be gone, and the teams and responsible people can identify what needs to be done for future readiness. Also, policies and procedures should be reviewed and changed if needed after the lessons learned work.

Also, all incidents and evidence should be documented properly for future use.

CSA Announced Their 50 Trusted Providers

The Cloud Security Alliance (CSA) announced the selection of a first round of “trusted providers” for cloud security. CSA, an organization dedicated to defining best practices for cloud security, expects that these trustmarks (which will be displayed on each organization's Security, Trust, Assurance and Risk (STAR) registry entry) will assist customers in identifying cloud providers that demonstrate their commitment.

There are some criteria that companies must meet to become a CSA Trusted Cloud Provider:

CSA's co-founder and CEO, Jim Reavis, said: “This new CSA Trusted Cloud Provider program builds upon CSA cloud provider certification to also quantify the credentialing of provider personnel and their contributions to industry projects. This is intended to offer transparent B2B marketplace intelligence so business can better evaluate the security commitment and accomplishments of cloud providers.”

It was noteworthy that there are not many important security vendors already working on cloud security in the list. We will see how these trustmarks will change the game in the infosec world.

Passwordstate Password Manager Supply Chain Attack

Click Studios has notified customers to reset the passwords stored in the Passwordstate password management application. They state that the reason for this is a supply chain attack: bad actors used sophisticated techniques to compromise the software's update mechanism and used it to drop malware on user computers.

According to the company’s announcement, “any in-place upgrades performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC have the potential to download a malformed Passwordstate_upgrade.zip. This .zip file was sourced from a download network not controlled by Click Studios.”

The company published an Incident Management Advisory on 24th April 2021, 12:38 PM (Australian CDT), about the process the company will follow, explaining to customers that this platform is the only authorized channel for updates on the improvements.

Passwordstate is an on-prem web-based solution used for enterprise password management, with about 29,000 customers. Several Fortune 500 companies are also customers of Passwordstate.

Product Review: Cyber AI Analyst

SCMagazine announced the finalists for best enterprise security solution. Darktrace's Cyber AI Analyst is one of these solutions, and since I like its approach, I want to write something about it.

For most organizations, one of the biggest problems today is finding and keeping qualified analysts. Because of attacks developing day by day, newly established and growing SOCs and growing teams, it has become more difficult to find qualified analysts and/or keep them. Mostly, organizations try to train young people as analysts, but mostly they cannot keep them.

So, unfortunately, most organizations live without a sufficient number of analysts. Cyber AI Analyst is a solution that focuses on this problem. SCMagazine wrote:

Detected and contained the spread of a state-sponsored campaign across several organizations globally in March 2020, generating detailed reports of the incidents in real time — weeks before the attack was publicly attributed to APT41.

According to Darktrace, it took 3 years to develop Cyber AI Analyst. It was developed by observing real, human analysts' behavior during investigation and triage. The AI can react to an incident like an expert analyst. It can analyze and prioritize incidents and report what you need in an incident report, such as the malicious files that caused the incident, C&C connections, domains and all infected endpoints. Normally, it takes hours to check all related logs to find this information about an incident.

Thus, even if the organization has a small number of analysts, the security team can have a valuable incident report, and team members can focus on other tasks instead of spending hours in the SIEM.