Category Archives: Architectural

Network Detection and Response

As organizations, and security teams, we purchased many security devices for providing both network and endpoint security. However, attacks continue at the same pace, even we faced bigger attacks last year, and they are getting more sophisticated. So, what is the next step for organizations?

NDR market guide was shared last year by Gartner. As the idea, NDR uses (or must use) artifical intelligence to detect malicious behaviors, both from external threat actors and insider threats.  This means, we will no longer just store the huge network traffic data via full packet capture products, but also detect the anomalies in these captured traffic. So, NDR will play a major role in helping security team to response quicker.

Unfortunately, the only obstacle to the teams last year was not the more sophisticated attacks, but also the “new normal” made security teams so hard. Now, more users are reaching to organization’s sources, getting e-mails and downloading files out of office. Control over users’ behaviors is less and less. When that happens, the need for more sophisticated technologies is also increasing.


Even if we implement many security technologies to our structure, attacks are still going on. Now it is necessary to detect whether there is anyone inside as much as protecting the border. Honeypot technologies and EDRs have been used for this for years but these are not enough to decrease the dwell time. If you failed to prevent and detect an attacker inside your network, or an insider threat, it is always difficult to prevent data exfiltration, or your file from being encrypted.

Machine learning is the key here. The main idea is anomaly detection inside the network. The first step is to profile entire organization’s network and users’ and computers’ traffic. After having such a profiling, it will be easier to detect anomalies inside the network. Anomalies can be in different forms like data exfiltration to some rare destinations, uploading files to IP addresses without hostnames, login attempt from strange destinations (for cloud or vpn), and copying in large number of files from an smb share. We expect the NDR to catch all of that, of course more.


More otganizations are using cloud infrastructure more and more. Public, private, or hybrid, cloud infrasturctures are also a part of us. Critical files are stored and applications work there, and the responsibles are the customers for the data’s security.

Think of a scenerio like that; you have users storing files in cloud and they are working with a few of these files during their work. A user, has a permission to reach these files, downloading most of the files in a very short time, then resigns from work. Or, this user’s credentials have been compromised, and someone connected to your cloud from a country that non of your users normally connect and made anomalous behaviors. NDR must cover also cloud and detect these incidents. It is hard to implement a UEBA solution, thus, NDR can be implemented to detect insider threat.


Most of the organizations were caught unprepared for Covid situation. Users had to work at home and connected to organizations’ network or cloud from home. That means, users can connect to internet less controlled. An NDR with endpoint capabilities will also cover users at home, corralate users behaviors with your network traffic and can detect threats.

A Sad Story: Don’t Invest, Just Prodigalize

Last week, a friend called me, gave some bad news about a company. The company was looking for help since they became a victim of Egregor ransomware and trying to learn what to do against attacker since the attacker got their all data, encrypted it and gave three days to be paid 500k dollars. The attacker threatened them to publish their data in public in three days. Meanwhile, the only problem was not that all data would be published publicly, but also they lost all their private data. But, how can it be possible?

Ransomware is the biggest problem of the cyber world for some years. We heard about it, work on it and have seen paid bitcoins too much in these years. There are tens (or maybe hundreds) of webinars, talks and articles about it, trying to help about being safe against ransomware. It is ok while the weakest link is human, it is possible to be exposed a ransomware but it is not too difficult to confine it to a small area. 

The company I told about above was a chemical company and of course has too many private data like formulas. I mean they also lost their backups while I am saying they lost all their data. Since, they did not isolate their backup network, their backups was also being encrypted. Meanwhile, they have some backup tapes but cannot use them because they have never tested whether the backup tapes working, and of course they did not when the company need them. 

There are some basic prevention steps against ransomware. If we mention briefly, we can say user awareness, regular phishing tests, not only an anti-spam product but also a sandbox or another technology against malicious emails, EDR to response faster against a malicious behavior, NDR to determine the anomaly in the network, to backup data and test these backups regularly, to isolate backup network so infiltrated attackers cannot harm backups, to isolate private data and apply need to know, to limit users’ internet access, and more. the list seems too long but most of them do not require much expenditure. But it if you do not invest to professionals and to any technology, then you just prodigalize your money. However, you can never count lost reputation and also secret formulas and data. 

All these measures can take too much. I can understand if a company cannot invest all of them for security. But as I said above, this company’s backup network is not isolated and can be accessed from all other networks. And, as I learnt, they only use an antivirus software but it is not up to date, and I am sure they do not track whether all PCs or servers have this antivirus. So, like these measures, most of them are not expensive. To have these measures at least, every company needs to invest talented security professionals to save money. However, I think, any of these measures cost more than 500k$ + reputation + publicly published private data. To invest security is not wasting money. It is directly saving money. Everyone needs to understand this without living. 

Third Party Connections’ Security

Do you want your partners trust you directly? Well, do you trust your third party partners directly? When adversaries  are in, they always check different ways to reach more places. So, if one of your trusted third party connection got hacked, it means that there is just a short time they find your connection, and get inside if you did not make your connection secure.

Since 2018, we saw that attacks against third party connections increased. Most of them happened because of the small organizations that are giving support in any subject to larger organizations. Because of these small organizations’ low security budget, it is very difficult to secure the network and PCs for them. Most of these organizations do not have a domain structure, security devices for networks and even endpoint protection tools. What I saw while I am working with them that these type of organizations’ users are local admin in their laptops, and only using an antivirus agent to secure the rarely patched laptop. These laptops are being used to connect to other organizations, and sometimes to keep some sensitive data about of these organizations. They are very close to get hacked, but you must not get this risk while working with them.

Third Party Connection Management in Organizations

Especially in large organizations, since policies not working properly; and maybe since there is no any policy for third party connections, circulation of staff and sudden and fast developing projets, teams can create third party connections how it is easy at that time for them. This creates an unmanaged third party connections structure and so, it becomes worse day by day.

I remember we spent at least four months to fix the third party connections in a large organization. Dozens of leased lines reaching directly to different networks inside, hundereds of S2S VPNs established years ego, has certificates with low key sizes, and etc. Lack of a basic policy like third party connections policy causes a huge waste of time and effort to fix it.

What to Do?

Whoever you are connecting, or connecting to you, you should minimize threats. Because, all organizations are the target for hackers and they all can be hacked. You should not trust anybody else about security. You should understand what security controls they apply in the organization. If they have some weaknesses to determine the attacks made to themselves, it will put you at risk.

Create a 3rd party DMZ network. This is important because these 3rd party PCs should not connect to your network directly from any zone in your firewall. These PCs are something you cannot trust directly. So, at least, a 3rd party DMZ should be created to connect and control these type of connections. If there is no any 3rd party zone and policy, in a long period of time, with some of the activities explained at the beginning, you can see many different 3rd party organizations are connecting to your network from many different zones. And it will be something unmanagable day by day. For the beginning, I suggest to create a different zone for leased line connections to the internet facing firewall, and control these connections policies there. Also, a different firewall should be implemented for S2S VPN connections. It is important to receive these connections in a different firewall and control their connections.

You should use a vendor management program. It helps you to reduce the risk, by collecting more and more information about your third party connection and should be sure they comply with standards and regulations.

You should know what security controls, endpoint security (antivirus, EDR, encryption, etc.) and data leakage prevention methods do your third party connection imply to its users. Mostly, if you do not give a laptop to users that will connect to your network, third party organiztions’ staff uses their own or that company’s PCs. That means, these computer will be connected to your network most of the time, and these PCs will contain your some sensitive information. So, it is important to know whether they are protecting these PCs while working with you.

Screen recording is also a very useful tool. It is impossible to watch directly every consultant’s actions on your network. Most of the time they work on your test servers on test zones, and unfortunately, sometimes they can work directly on production zone or can reach to production zone because of the lack of controls. A screen recording tool will be an important deterrent action for you.

MFA is must. Multi-factor authentication should be used to connect your network. Mostly I suggest time based MFA tools to use. Any time a security incident occurs in 3rd party’s network, MFA will be important to secure you.

Host-Based Firewalls – A Possible Nightmare for IT Pros

With increasing remote workforce process during Covid-19, clients are now more independent with their laptops and mobile phones that also being used for personal usage besides organizational usage. Not only workers, but also computers and data are now outside the organization and most of the protection layers such as firewall and IPS. Vulnerabilities and attacks continue to surface but remote users’ connection and VPN also create troubles for IT teams to patch  and protect the clients.

Host-based firewalls help security professionals in many subject. Firstly, it controls the incoming and outgoing traffic, so becomes a very critical defense layers. For example, security pros may want to block all inbound connection to the client host initiated from outside. This is a very basic protection on some kinds of malwares.

Some sensitive applications like Swift, should be isolated from the network in the organization. But sometimes it is not an effective solution to create vlans for a few PCs or servers. For the situations like that, host-based firewalls are true saviors. These sensitive PCs and servers can be isolated with host-based firewalls. Since most of the antivirus agents also includes host-based firewall feature, this solution becomes easier and more logical. 

Meanwhile, organizations should not make it a habit. In large organizations having thousands of PCs and servers, this isolations on host-based firewalls can easily turn into a nightmare, since hundreds of rules have to be written. If these rules are not followed properly, also with the circulation in the administration team, a possible mixed rules can harm PCs and network more than they protect. It is inevitable that every rule for each small groups makes the rule list more complex, and it becomes more possible to make a mistake while adding new rules.

So, even if host-based firewalls are important and valuable solutions, they should be used as needed, and should not be a regular solution for isolation situations. 

“MUST” Practices for AntiVirus

Last week, I hearth that an organization did not add antivirus agent to their PC image. They are formatting the PC with their image, then connecting to the network and waiting for the sccm installing the antivirus software to the PC. Also, for remote users working on the field, some contracted partners are formatting the PCs since these users cannot come to the company, they then join to the network via VPN after formatting and keeps working. Meanwhile, the IT team is waiting for the sccm install the antivirus software, but because of the VPN network, most of the time it fails. PC keeps working on the network for days. 

While I was sharing this situation with some friends in the industry, some of them also said that it is a normal process for the organizations. So, I wanted to write this article. 

A few months ago, I shared a post about falling of the AV. It is true that AV softwares are not very efficient in recent years. There are many other measures need to be taken to protect the endpoints. However, most of these measures are for APT attacks. As everyone says, and also I touch in the article, attackers’ profile and techniques has changed a lot, since the times AV was popular and successful. But, despite all these situations, nobody can say that AVs are not necessary anymore. Organizations does not face attackers that using highly advanced techniques and tools only. There are still many script kiddies and those trying to learn hacking. These people are always looking for easy vulnerabilities to hack. It is very great possibility they find you. 

Another subject about AV, because of the hash databases downloaded, they can protect users for many of the malicious events, also while they are offline, or while they are not connected to the office. 

Even, most of the AV softwares are improving themselves with behavioral and AI capabilities. So, these can also detect and stop some of the APT attack phases. 

I am also curious your comments, but my opinion is an AV is still indispensable for all organizations. So, I want to some best (must) practices for using AV in an organization;

– An AV software should be installed on all devices. Clients should be periodically followed whether has AV on it or not. If it is possible, a NAC solution should be positioned and PCs that does not have AV should be blocked.

– AV solution should be centrally managed. So, updates can be managed centrally and out of date clients can be followed. 

 – Administrators should make sure all clients are sending logs properly. It is very important to response a suspicious situation quickly. 

– AV software should be updated periodically. Meanwhile, administrators also should be sure that all clients are getting the latest updates properly.

– AV software should be included into the PC and servers’ regular images. When a PC formatted and re-installed, it should include AV before connecting the network. 

– Users should not be able to disable the AV services and agent. Tamper protection and an uninstall password should be used and should be stored in a password management system. 

– Malicious files should be blocked and quarantined to be analyzed by the administrators.

 – Audit logs should be collected properly. Administrators should login to the software only by their own usernames. Generic usernames should not be used. 

– Too many exceptions should not be given. If needed, exceptions should be given only as stated by the vendors. 

– If including, host-based IDS should be enabled on the AV agent. 

A Guide to Choose EDR

As spoken in all security events in last decade, the attacker’s purposes and methods have changed greatly and become more complex. As if this is not enough, increase in the number of the mobile devices used in the organizations and moving some (or most of the) services to cloud made endpoints’ protection more difficult. With the expanded cloud usage and development of the mobile technologies, more users are coming less to the Office. This situation makes management, monitoring and protecting more difficult for the endpoints.

As said at the beginning, with the new advanced techniques of the attackers (like advanced malwares, fileless malwares or exploits), it is very difficult to protect endpoints with only traditional endpoint security solutions. Neverthless, as the subject of another discussion, this does not mean that signature based antivirus, host IPS, host firewall or other conventional endpoint security solutions meaningless anymore.
Meanwhile, while talking about traditional security solutions, we have to touch what endpoint is. Because, attack surface increased against today’s organizations, since IoT and OT are parts of the endpoints’ of them. Now, we need to expand endpoint security solutions as covering mobile phones, POS, wearable devices, sensors, cameras, HVAC, and cars, since they can access both to internet – even if confined with the cloud – and organization’s network, wherever they are and whenever they want.
According to this traditional endpoint security solutions, EDR solutions have malicious activity detection, containment of the endpoint, investigation of the incident and remediation capabilities fort he endpoint. With this capabilities, they can reduce the impact of an incident in the organization and provides intelligence for responding faster.
EDR systems use an agent on each endpoint system. EDR vendors feed these agents with their intelligence services, global customer data, firewalls, network and/or e-mail based APT devices, etc. With these intelligence data, the agent provides deep and real-time monitoring on the endpoint, discovery and response.
An EDR system must use at least a few monitoring methods such;
IOC Detection, means that the agent is comparing the system changes with its Indicator of Compromises. This IOCs can be feed from other devices of the vendor in the same network, or global customers and intelligence services.
Anolmaly Detection, means checking the system for anormal states.
Behavior Detection, means checking the system for bad or malicious behaviours.
Machine Learning and AI, means that the solution has the ability to determine the malicious activities without being explicitly programmed.
For an effective tussle against threats, time is the most important thing. Your EDR solution should help you detect, investigate and response  as quickly as possible. For doing this, first, your EDR should detect the threat as soon as possible. Right here, the power of the tools mentioned above shows the importance of their capabilities.
Power of the intelligence services of your EDR solution’s vendor, shows the power of the IOCs. A vendor should feed customers’ EDR with fast and effective intelligences. Also, as community data, vendors can feed their customers with other customers’ known bad data. This means, bigger community helps you better.
Also, integration with other security tools in the network is a key point. If an EDR solution can be fed with the other network tools, endpoints can be ready for the threats seen elsewhere, like in network traffic or in an e-mail. When we think that the malicious software reaches to the endpoint via e-mail or network channel, this feature becomes very important. With the integration and the advanced search capabilities in the EDR solution, a threat that seen in network anywhere can be catch quickly in the endpoint. From here, we also must see that an EDR solution must include an advanced search feature, searching the endpoint by many different options. These advanced searching options helps admin searching his clients against possible threats.
An EDR solution must provides clear and meaningful explanations about the threats. Only determining a threat is not enough for admins. The solutions must help them responding to these threats. For responding quickly and correctly, admins must understand the content of the threat. Also, containment is an important feature fort he EDR solutions, a time-saving feature for the admins, while they are working on the threat. An endpoint has a malicious content should be contained during the analysis, so other endpoints prevented against spreading of this malicious content.

Also, for investigation, EDR solution must provide a full state output of the endpoint, for the timezone that the malicious thing happen. A full or specific memory dump information, states of the services, etc. An automatic creation of these information is critical during the investigation processes.
From the experiences, I know that the endpoint is the most boring and difficult part of the security. Distribution problems, slowing machines after distributing, user complaints, etc. Most of the security admins don’t like to deal with the endpoint security. But as shown in most studies, thousands of threats are produced every day. Just protecting the network and a-mail channel is not enough for these new threats. We have to give the necessary importance to the endpoints. So, with all these problems of endpoints, choosing the right vendor becomes the most important thing. An endpoint security solution must not obstruct end users’ business. Even for security, business must go on. At this point, vendor’s experience is very important to choose. Also, getting a quick answer during a problem must be evaluated, during the selection process of the EDR solution.