Security Kaizen Magazine, Issue 21
Vol. 5, Issue 21, July - Aug. 2015, www.bluekaizen.org

Cover: Interview with Mr. Ahmed Riad, Middle East Business Continuity Leader. Bluekaizen kicks off 6th annual Cairo Security Camp conference in Egypt.


DESCRIPTION

The Security Kaizen Magazine provides information on industry advancements and professional development to those working in the cyber security domain, who in turn educate their partners about issues and trends in the industry. Issue 21 includes an interview with Mr. Ahmed Riad, a pentesting article, "CAM Table Overflow Attack & How to prevent it", cyber security news, the Dyre Wolf attack, malware analysis and a cyber defence strategy.


Page 1: Security Kaizen Magazine, Issue 21


Contents

Issue 21 | Securitykaizen Magazine | 4

Interviews
  6   Mr. Ahmed Riad: Middle East Business Continuity Leader

Grey Hat
  12  Pentesting on Non-Jailbroken iOS Devices!! PART 2

Network Security
  18  CAM Table Overflow Attack & How to prevent it

New & News
  21  Bluekaizen News

Malware Review
  24  Dyre Wolf Attack
  27  Wapomi Worm: Behavior and code analysis

Cyber Defence
  32  Protecting the Perimeter: A Cyber Defense Strategy

Best Practice
  36  Prospects of SIEM


For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website: [email protected], or phone +2 0100 267 5570 / +971 5695 40127

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

Magazine Team
Chairman & Editor-in-Chief: Moataz Salah
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Sonal Gawand, Ahmed Haytham, Ahmed M. Hammad, Harris Schwartz, Doaa Wael, Vijay Lalwani
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Design: Medhat A. Albaky
Bluekaizen Founder: Moataz Salah

Bluekaizen kicks off 6th annual Cairo Security Camp conference in Egypt

Cairo, Egypt, 2015 – Celebrating its 6th year, Cairo Security Camp is taking place at the Intercontinental City Stars hotel from the 19th to the 20th of September 2015.

This unique security conference brings a mix of security professionals, law enforcement and hackers together in one place, with the focus of discussing attacks and defense methods.

Attendees will have the unique opportunity to mingle with security gurus, professionals and decision makers in one place, and to sharpen a skill or two in the technical sessions.

Cairo Security Camp 2015 will be a two-day event featuring different sessions and technical talks. Alongside the conference proceedings there will be an exhibition where major companies can showcase their products and new technologies in the field.

The event will start on Saturday, 19th of September, with Major Mustafa Khidr keynoting the first day, followed by informative sessions from renowned speakers in the field. The talks will cover the major information security vulnerabilities faced every day.

The CSCAMP2015 experience is further enhanced with a technology showcase and exhibition area; this area is open to the public and home to many renowned companies in the field such as Cisco, Star Link, ISACA and others.

For more information about Cairo Security Camp 2015 and registration please follow the link http://www.cairosecuritycamp.com

Interviews

Interview with Mr. Ahmed Riad, Middle East Business Continuity Leader

By BK Team, www.bluekaizen.org

Can you please introduce yourself to security Kaizen magazine readers (bio, experience, history)?

Thanks for your question. I am Ahmed Riad, an expert in Business Continuity Management, Information Security Management, IT Disaster Recovery and IT Risk Management with over 12 years of industry experience, both locally and internationally, within the banking and financial sector, telecommunications and consultancy, with cross-functional experience in delivering optimal value in high-growth environments.

I am considered one of the leading business continuity practice owners in the Middle East and worldwide, promoting the practice among clients, peers and even other practitioners through voluntary events, seminars and published papers.


What is the meaning of Business Continuity and Organizational resilience from your point of view?

Great question. Simply, Business Continuity is a discipline. It exists to avoid any interruption that could lead to significant losses or to failure to achieve any of the organization's objectives.

Business Continuity is all about preparing for and managing the response to loss of technology, loss of a building, denial of access to a building, loss of staff, loss of a supplier, etc.

An organization is an entity that offers services and products, whether it is profitable or not. Business Continuity helps the organization to continue its production of services or products in emergency and crisis situations. Let me also describe how it works: an organization provides services or products through multiple resources such as human power, equipment, techniques and processes, according to a certain framework in line with the organization's governance. We define the potential risks that can threaten the organization, and also analyze the importance of every element inside the organization (personnel, technique, processes, services). Then we implement the necessary business continuity strategies for the organization to guarantee recovery from any disaster or emergency situation. In the next step we start preparing the Business Continuity Plans. We also run drills based on imaginary scenarios of emergencies and disasters that could happen, in order to be ready for every possible risk and help the whole organization to be resilient when dealing with any crisis situation.

From my point of view, I see organizational resilience as the future, because it integrates several aspects such as crisis management, business continuity, information security, etc.

So far we don't have a clear implementation model for organizational resilience; there is only a guideline, the British guideline 65000 released in 2014, which explains organizational resilience.

“I innovated and implemented a model for how to implement Business Continuity in the Middle East and North Africa with an Arabic flavor, considering the organization’s culture in the Middle East.”

I am a dedicated ambassador of Business Continuity and have earned the following recognitions:
• WINNER of the BCI Middle East Awards 2015 as “Continuity and Resilience Consultant of the Year”
• WINNER of the BCI Middle East Awards 2014 as “Business Continuity Personality of the Year”
• Member of the Global Membership Council, Business Continuity Institute (BCI), elected as Middle East Region Representative
• Shortlisted for Business Continuity Consultant of the Year, DRI 2015 Awards of Excellence
• Shortlisted for Business Continuity Consultant of the Year, BCI Global Award 2014

As we see in your short biography you have achieved tremendous success as a Middle East Business Continuity Practice Leader which is a rare thing. readers would like to know what brought you to this Industry?

I have been working in the information security field since 2007, including implementing standards like ISO 27001 and IT Disaster Recovery plans, and as you all know business continuity is a part of the ISO 27001 requirements. Information security standards and techniques are designed and implemented to secure any organization from any possible information loss. From that point the Business Continuity field fascinated me; I felt that I could work on embedding business continuity across an entire organization for dealing with any future potential risks, and I started focusing on it more in order to apply it on a large scale in the Middle East in different business sectors.

You have implemented a model for how to implement Business Continuity in Middle East and North Africa. Could you please give us an overview?

In the last four years I have noticed a sharp interest in the Middle East regarding business continuity and organizational resilience. From there I started thinking of an integrated model for implementing business continuity:

1. An integrated methodology consisting of five basic stages, 22 processes and 120 sub-actions (available in Arabic and English versions).
2. The first document toolkit that includes an integrated implementation.
3. A dictionary that includes 100+ Arabic terminologies.
4. An integrated methodology, in Arabic and English, for the implementation of ISO 22301 (business continuity) and ISO 27001 (information security) combined in one project.
5. An integrated methodology, in Arabic and English, for the implementation of ISO 22301 (business continuity) together with the UAE business continuity standard.

I use this model for all my clients and it provides positive results and very good feedback across the region.


What are the kinds of industries and clients that you have dealt with to provide consulting services regarding Business Continuity and Resilience? Can you tell us about one of your best projects that you're proud of?

In the last 7 years I have worked on many business continuity and IT Disaster Recovery projects in several sectors (financial, health, communication, the service sector and government). One of my best projects is in the financial sector in a country of the Gulf region, and it is one of the most important projects for me because it was the first project where I was able to apply my model, and this project was recognized many times by institutes and by field experts.

Can you tell us more details about the Business Continuity Institute and your role within the Global Membership Council as Middle East representative?

The Business Continuity Institute is a non-profit institution founded in 1994; it works to increase awareness of business continuity and to provide the best practices that help organizations and individuals implement Business Continuity more effectively. It also provides membership for more than 9000 members around the world, graded according to level of experience, and it offers regional forums to raise awareness of business continuity around the world. The Global Membership Council contains 21 experts from all over the world, chosen by election, and I have been elected as the ambassador for the Middle East for the next three years (2014-2017). The role of the Global Membership Council (GMC) is to provide professional expertise to enable the implementation of the BCI Strategy as defined by the Board, including the development, growth and standing of the BCI Membership as a whole. The GMC advises the Board on any membership issues and therefore plays a critical role within the Institute as the representative voice of the members.

As a Middle East practice Leader in Business Continuity and Resilience, How do you see the future of this Industry for Egyptian Society? What challenges this Industry is facing?

From my point of view, the implementation of business continuity and organizational resilience within the Egyptian government's entities must be embraced by the Egyptian state in the coming period, in line with Egypt's 2030 strategy.

Business Continuity has been applied in Egypt on a small scale in certain sectors such as banks; there must be an integrated vision of implementation at the Egyptian state level, which would contribute to raising the resilience of the Egyptian state in dealing with crises and disasters.

The main difficulties for a global implementation of BCM and organizational resilience in Egypt are due to a lack of:
1. Egyptian expertise in this field.
2. An overall vision for implementation in Egypt.
3. Books and references on business continuity in Arabic.
4. Enforcement and regulations.

As an Egyptian, how can you help Egyptian society to be more resilient, and what initiative can you provide for a better future?

• Build local Egyptian expertise: During the previous period, in cooperation with BlueKaizen, I tried to raise awareness of business continuity and to qualify specialists in business continuity by holding training courses in partnership with the best international entities such as BCI and PECB, but I think this step is not sufficient, and therefore in the upcoming period I will be conducting voluntary seminars and workshops, with the help of Blue Kaizen and the BCI Egypt forum, in different places such as universities and the financial sector, in order to raise awareness of business continuity and organizational resilience.

• Absence of a comprehensive vision for implementation at the state level: As a leader of business continuity at the world level, and out of love for my country, I have already started developing a comprehensive vision for the implementation of business continuity within Egyptian society, and I will provide it to the responsible authorities in Egypt; I hope there will be interest in business continuity for the benefit of the country.

• Raise awareness of aligning IT Disaster Recovery with Business Continuity Management: In collaboration with Blue Kaizen and the BCI Egypt Forum I will hold several seminars and workshops dedicated to IT professionals in order to raise awareness of business continuity, correct misconceptions and develop clear strategies to implement business continuity in the institution.

• Lack of available books and references about business continuity in the Arabic language: During the last period it became clear to me that there is a lack of Arabic content on business continuity and organizational resilience. During this period, as an individual effort, I attempted to develop Arabic content in collaboration with the Business Continuity Institute (BCI) as well as the Disaster Recovery Institute International (DRII), which produced the Good Practice Guidelines in Arabic (LI) (BCI) and a business continuity and organizational resilience dictionary in Arabic (Disaster Recovery Institute, USA). But I think this is not enough as Arabic content in this important discipline, therefore I am currently working on creating a web portal which should be an Arabic guideline for business continuity and organizational resilience across the Middle East and North Africa.

What are the books, best practices or websites for business continuity and organizational resilience you'd recommend, and why?

With respect to all the existing books, training courses and websites in business continuity, I highly recommend the BCI Good Practice Guidelines (GPG 2013) from the Business Continuity Institute. The real value of the GPG to BC professionals lies in the fact that it considers not just the 'what' to do but also the 'why', 'how' and 'when' of practices, written by BC world experts, in line with ISO 22301, offered in different languages; it explains the life cycle of business continuity and how it can be implemented.

Why do you think there is an increase of interest in business continuity? What has been the impact of ISO 22301?

Because of what happened in the Arab world over the past five years, the Arab world found it interesting to implement business continuity at government level to keep providing and producing services and products.

There are several pilot initiatives in the Arab world, such as the initiative in the United Arab Emirates to apply business continuity at government level and in the private sector, following the issuance of the first Arabic standard in business continuity management by NCEMA. There is also an initiative in the State of Qatar, through the issuance of a business continuity guide, and I hope Egypt will follow the example of these countries to ensure continuity of delivery of basic services to the state and create mechanisms and a clear methodology to deal with disasters and crises.

In 2007 the British Standard BS 25999 was issued. From that date until 2012 there was no international standard supporting business continuity, until the ISO standards body issued ISO 22301, which has become a clear framework of business continuity requirements that organizations must abide by to obtain a certificate of international accreditation in business continuity; the importance of this standard attracted the attention of several institutions around the world to apply business continuity to improve their readiness and willingness to deal with disasters and crises.

Also during the last five years the BCI worked to develop GPG 2010 and GPG 2013, which contribute to clarifying the mechanics and life cycle of the implementation of business continuity in alignment with the requirements of ISO 22301; there are also the DRII Professional Practices, which provide a life cycle for the implementation of BCM.

Looking out 3 to 5 years, beyond the trends, what do you think will be the next big change in the business continuity industry?

Integration is the answer to this question, in the sense that the world is on the way to implementing an integrated approach to maintain organizational resilience and to ensure the integration of several departments into a single entity (risk management, business administration, continuity and emergency response, etc.), which will increase the readiness of the organization to deal with disasters, crises and emergencies and to handle them easily.

During the past four months I have formulated an integrated methodology for implementing organizational resilience within institutions, and I will present it at the upcoming Security Kaizen Conference; I hope it will be beneficial to the recipients and to the Middle East region.

Grey Hat

Pentesting on Non-Jailbroken iOS Devices!! PART 2

Sonal Gawand, Information security consultant at Indusface

Hello again! In the previous article we went through the basics of application installation and application traffic analysis; in this part we will look into reverse engineering and memory analysis.

• Reverse engineering – As we have a non-jailbroken iOS device, we face certain limitations in reverse engineering and decrypting the iOS application code, but we can still perform app cracking and the traditional reversing approach.

Application cracking here simply means extracting the .ipa package of the application from the device. If you have installed the application from the App Store, this is the technique to use.

To crack the application we use the iTools tool. It is a simple desktop application that helps you install iPhone applications, back up an application and, more importantly for us, crack (extract) the application.

Observe in Figure 19 that iTools shows a list of all applications with Backup and Browse functions. iTools and iFunbox are almost identical tools, but the major difference is that with iTools we can take a .ipa backup (app cracking) and read runtime system logs and crash reports.

Figure 19

When we click on the Backup button the tool gives two options:

1. Backup program (.ipa package), and
2. Backup program and document.

We choose the first option, as we need to test app cracking and then reverse with the traditional approach.

Figure 20

Observe in the snapshot below that we have cracked the application into a .ipa package.

Figure 21

So far we have only cracked the .ipa package; now we need to proceed with reversing it.

We use the traditional approach for this: rename application.ipa to application.zip and extract the .zip file. The snapshot below shows the content of the Payload/*.app folder.

Now that we have the content of the .app folder inside Payload, what should be the next step? Go through the different files: plist files (starting with Info.plist), NIB files, localizable strings, the embedded.mobileprovision file, app resource files, license and package info, and last but not least the app binary itself. Keep one caveat in mind: the binary of an App Store app is FairPlay-encrypted, so until it is decrypted (which needs a jailbroken device to dump it from memory) strings, class names and disassembly of the binary will not be readable; the metadata files around it are still fully readable.
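As an added example (not code from the article or its author), the script below performs the same unzip-and-look step programmatically and adds the check that tells you up front whether static reversing can proceed: it reads the cryptid field of the LC_ENCRYPTION_INFO load command in the app's Mach-O header (1 = FairPlay-encrypted, 0 = clear) and pulls the entitlements out of embedded.mobileprovision. Python is used because the article's own tooling (BinaryCookieReader) is Python. The .ipa it runs on is constructed in memory around a minimal fake Mach-O; the bundle identifier, executable name and device UDID are invented. On a real extraction, pass the bytes of application.ipa instead.

```python
"""Triage a .ipa the 'traditional' way: unzip, read Info.plist, check whether the binary is encrypted.

Added example, not code from the article. The .ipa is constructed in memory around a
minimal fake Mach-O so the script runs offline; bundle id, executable name and UDID are invented.
"""
import io
import plistlib
import struct
import zipfile

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def mach_o_cryptid(blob):
    """cryptid of the first LC_ENCRYPTION_INFO(_64) command: 1 = FairPlay-encrypted, 0 = clear, None = absent."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        # fat binary: fat_header(magic, nfat_arch) then fat_arch(cputype, cpusubtype, offset, size, align)
        off, size = struct.unpack(">II", blob[16:24])
        blob = blob[off:off + size]
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC_64:
        pos = 32                      # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        pos = 28                      # sizeof(mach_header)
    else:
        raise ValueError("not a Mach-O image")
    ncmds = struct.unpack("<I", blob[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid
            return struct.unpack("<I", blob[pos + 16:pos + 20])[0]
        pos += cmdsize
    return None


def triage_ipa(ipa_bytes):
    """Summarise an .ipa: bundle id, executable, encryption state, provisioning-profile hints, file list."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        first = next(n for n in names if n.startswith("Payload/") and ".app/" in n)
        app_dir = first[:first.index(".app/") + 5]
        info = plistlib.loads(z.read(app_dir + "Info.plist"))
        exe = info.get("CFBundleExecutable")
        report = {
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": exe,
            "cryptid": mach_o_cryptid(z.read(app_dir + exe)),
            "files": sorted(n[len(app_dir):] for n in names if n.startswith(app_dir) and n != app_dir),
        }
        prov = app_dir + "embedded.mobileprovision"
        if prov in names:
            raw = z.read(prov)
            # the profile is a CMS (PKCS#7) envelope around an XML plist; cut the plist out by its markers
            start, end = raw.index(b"<?xml"), raw.index(b"</plist>") + len(b"</plist>")
            profile = plistlib.loads(raw[start:end])
            ents = profile.get("Entitlements", {})
            report["get_task_allow"] = bool(ents.get("get-task-allow", False))
            report["provisioned_devices"] = len(profile.get("ProvisionedDevices", []))
    return report


def verdict(report):
    """What the cryptid means for the next step of the reversing."""
    if report["cryptid"] == 1:
        return "binary is FairPlay-encrypted: strings/class names unreadable until decrypted on a jailbroken device"
    return "binary is in the clear: static reversing can proceed"


def build_sample_ipa(encrypted=True):
    """Constructed .ipa: Info.plist, a Mach-O stub with one LC_ENCRYPTION_INFO_64, and a fake dev profile."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1 if encrypted else 0) + b"\x00" * 4
    macho = struct.pack("<IiiIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0) + b"\x00" * 4 + lc
    info = {"CFBundleIdentifier": "com.example.demo", "CFBundleExecutable": "Demo", "CFBundleShortVersionString": "1.0"}
    profile = plistlib.dumps({"Entitlements": {"get-task-allow": True, "application-identifier": "TEAMID.com.example.demo"},
                              "ProvisionedDevices": ["00008030-000000000000002E"]})
    profile = b"\x30\x82FAKE-CMS-HEADER" + profile + b"FAKE-CMS-TRAILER"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/Demo", macho)
        z.writestr("Payload/Demo.app/embedded.mobileprovision", profile)
        z.writestr("Payload/Demo.app/Assets.car", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_ipa(build_sample_ipa())
    for k, v in rep.items():
        print(f"{k}: {v}")
    print(verdict(rep))
```

A cryptid of 1 is the normal case for anything pulled from an App Store install, which is exactly why the article's "traditional" reversing stops at the metadata files; a 0 (typical of enterprise or ad-hoc builds) means strings and class-dump style tools will work on the binary straight away. The get-task-allow entitlement is worth reporting too: a production app that still carries it can be attached to with a debugger.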

• Memory Analysis – The iOS application stores data at various locations: plist files, caches, Core Data and SQLite files, the Keychain, the keyboard cache, logs, cache snapshots, etc.

Even though we are working with a non-jailbroken iPhone, we can still analyse plist files, Core Data and SQLite files, logs and cache snapshots. We are not able to view Keychain and keyboard-cache data from a non-jailbroken device, though.

1. SQLite storage: SQLite is a cross-platform C library that ships with iOS; it is a lightweight and powerful relational database engine that can be easily embedded into an application. Unencrypted sensitive information stored in a SQLite file can be stolen easily by gaining physical access to the device or from the device backup. You can view SQLite files in SQLite Manager.

Figure 22

Figure 23

2. Plist files: A property list file is a structured file that stores configuration details and preferences as key-value pairs; Info.plist inside the .ipa bundle is one, and apps write their own under Library/Preferences. Plist files can be in binary or XML format and can be viewed easily in a plist editor. Also look for sensitive values stored with weak encoding (base64, for example) rather than real encryption.

Figure 24

Figure 25

3. Cookies.binarycookies: This file contains the persistent cookies of applications that do not prompt the user to log in every time. Cookies.binarycookies is located in the Library folder of the application, inside Library/Cookies.

The file is not in a readable format, so to read it use the steps below. You must have Python installed on your workstation. Download 'BinaryCookieReader' and copy it into your Python folder. Similarly extract the application's Cookies.binarycookies file and copy it into the Python folder too. Open a command prompt, change into the Python folder and run the following command:

python.exe BinaryCookieReader.py Cookies.binarycookies

4. Cache snapshot: When the application goes into the background, a screenshot is taken of the last state of the application. An attacker can exploit this feature if sensitive information can be recovered from the snapshot storage. You will find the snapshot inside the Library/Caches/Snapshots folder.

5. Error logs: In general an iOS application writes data and exceptions to logs for diagnostics and troubleshooting. On iOS these logs are written to the system log outside the application sandbox, which means that one application can read the logs of another application. Logs can also be viewed with the Console app available on the App Store.

The logs are stored on the device; to view them go to Settings – Privacy – Diagnostics & Usage – Diagnostics & Usage Data. Below is a snapshot of the logs stored on the device.
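For item 3 above, the following is an added example (not code from the article, and not the BinaryCookieReader script itself) that reads the same binarycookies layout that script decodes, in plain Python with no external download: a "cook" magic and big-endian page table, then per page a little-endian cookie count and offsets, and per cookie a flag word (bit 1 = Secure, bit 4 = HttpOnly), four string offsets and two doubles counting seconds since 2001-01-01. It then lists the cookies that were persisted without Secure and HttpOnly, which is the finding you would actually write up. The sample file is constructed by build_binarycookies(); domains, names and values are invented.

```python
"""Read Cookies.binarycookies in plain Python and flag cookies stored without Secure/HttpOnly.

Added example, not code from the article and not the BinaryCookieReader script; it follows the
same file layout that script decodes. The sample file is constructed by build_binarycookies();
domains, names and values are invented.
"""
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # cookie timestamps are seconds since this instant
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4


def _cstr(buf, off):
    """NUL-terminated string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Return one dict per cookie from a .binarycookies blob."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    num_pages = struct.unpack(">I", data[4:8])[0]              # header fields are big-endian
    sizes = struct.unpack(f">{num_pages}I", data[8:8 + 4 * num_pages])
    pos = 8 + 4 * num_pages
    cookies = []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        n = struct.unpack("<I", page[4:8])[0]                 # page: 00 00 01 00, count, offsets, 00000000
        offsets = struct.unpack(f"<{n}I", page[8:8 + 4 * n])
        for off in offsets:
            c = page[off:]
            # cookie: size, ?, flags, ?, domain/name/path/value offsets (little-endian), 8 zero bytes, 2 doubles
            _size, _, flags, _, d_off, n_off, p_off, v_off = struct.unpack("<8I", c[:32])
            expiry, created = struct.unpack("<2d", c[40:56])
            cookies.append({
                "domain": _cstr(c, d_off), "name": _cstr(c, n_off),
                "path": _cstr(c, p_off), "value": _cstr(c, v_off),
                "secure": bool(flags & FLAG_SECURE),
                "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": MAC_EPOCH + timedelta(seconds=expiry),
                "created": MAC_EPOCH + timedelta(seconds=created),
            })
    return cookies


def weak_cookies(cookies):
    """Names of cookies that may travel over plain HTTP or be read by script (missing Secure or HttpOnly)."""
    return [c["name"] for c in cookies if not (c["secure"] and c["httponly"])]


def build_binarycookies(spec):
    """Writer used only to produce sample input. spec: [(domain, name, path, value, flags, expiry_seconds)]."""
    blobs = []
    for domain, name, path, value, flags, expiry in spec:
        fields = [s.encode() + b"\x00" for s in (domain, name, path, value)]
        offs, cur = [], 56                                     # strings start right after the fixed header
        for f in fields:
            offs.append(cur)
            cur += len(f)
        blobs.append(struct.pack("<8I", cur, 0, flags, 0, *offs) + b"\x00" * 8
                     + struct.pack("<2d", expiry, expiry - 86400) + b"".join(fields))
    offsets, cur = [], 4 + 4 + 4 * len(blobs) + 4
    for b in blobs:
        offsets.append(cur)
        cur += len(b)
    page = (b"\x00\x00\x01\x00" + struct.pack(f"<I{len(blobs)}I", len(blobs), *offsets)
            + b"\x00\x00\x00\x00" + b"".join(blobs))
    return b"cook" + struct.pack(">II", 1, len(page)) + page + b"\x00" * 8   # trailing checksum is not parsed


# Constructed sample: a properly flagged session cookie and a "remember me" cookie stored with no flags.
SAMPLE = build_binarycookies([
    ("api.example.com", "session", "/", "deadbeef", FLAG_SECURE | FLAG_HTTPONLY, 5e8),
    ("example.com", "remember_me", "/", "alice", 0, 5e8),
])

if __name__ == "__main__":
    found = parse_binarycookies(SAMPLE)
    for c in found:
        print(f'{c["domain"]:16} {c["name"]:12} {c["value"]:10} secure={c["secure"]} '
              f'httponly={c["httponly"]} expires={c["expires"].date()}')
    print("report:", weak_cookies(found))
```

Run it against a real file with parse_binarycookies(open("Cookies.binarycookies", "rb").read()). The value column is what matters for the report: a long-lived authentication cookie sitting in this file, in clear text, on a device backup is the insecure-storage finding the article is hunting for, and a missing Secure flag on it means it would also be replayed over plain HTTP.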

Figure 26

Figure 27

With the help of iTools we can also see the runtime system logs.

Figure 28

To extract and browse the application data we can use iFunbox or iTools. Here I have used iTools to extract the application's folders: open iTools on your workstation and connect the iPhone over USB.

As shown in the snapshot below, we can browse through the application folder. To analyse the storage we copy these folders to our workstation.

Figure 29

Select the folders to copy and right-click on the selection. iTools gives multiple options; choose "Copy to local" and provide a proper path.

Figure 30

Observe in the snapshot below that the Documents folder contains different files, including a database and a JSON file. You can use Notepad++ or WordPad to open JSON files.

Figure 31

To view the database file, use SQLite Manager, which is a Firefox add-on.

Figure 32

Observe in the snapshot below that the Library folder contains multiple files and folders, including Caches, Application Support files, Cookies.binarycookies, the cache snapshot and a database folder. Go through each folder and pull out the sensitive application data. For more information, refer to 'Insecure data storage' on https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet

Figure 33
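Once the Documents and Library folders are on the workstation, the pass over SQLite and plist files described under items 1 and 2 can be scripted rather than done by hand in plistEditor and SQLite Manager. The script below is an added example (not code from the article): it walks the copied-out tree, opens every plist (XML or binary, via plistlib) and every file carrying the SQLite header, and reports keys and columns whose names suggest credentials or session material. The sandbox it builds in a temporary directory is constructed (key names, table, values and the com.example.app bundle id are invented); point scan_sandbox() at the folder you copied out with iTools to run it for real.

```python
"""Scan an extracted iOS app sandbox for secrets in plist and SQLite files.

Added example, not code from the article. The sample sandbox is constructed
in a temp directory; bundle id, keys, tables and values are invented.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually hold material an app should not persist in clear text.
SENSITIVE = re.compile(r"(pass(word|wd)?|secret|token|session|api[_-]?key|auth|pin|card)", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"


def _flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs from nested plist dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def scan_plist(path):
    """Findings for keys with sensitive-looking names; plistlib autodetects XML vs binary."""
    findings = []
    with open(path, "rb") as fh:
        try:
            data = plistlib.load(fh)
        except Exception:           # not actually a plist, or corrupt
            return findings
    for key, value in _flatten(data):
        if SENSITIVE.search(key):
            findings.append(("plist", path, key, str(value)[:40]))
    return findings


def scan_sqlite(path):
    """Findings for tables whose columns look like credentials, with the row count as evidence."""
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # read-only: never modify evidence
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if SENSITIVE.search(c)]
            if hits:
                rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                findings.append(("sqlite", path, f"{table}({','.join(hits)})", f"rows={rows}"))
    finally:
        con.close()
    return findings


def is_sqlite(path):
    """SQLite files are recognised by header, not extension (.db, .sqlite, .sqlite3 all occur)."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def scan_sandbox(root):
    """Walk an extracted Documents/Library tree and collect all findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif is_sqlite(path):
                findings.extend(scan_sqlite(path))
    return findings


def build_sample_sandbox():
    """Constructed stand-in for a copied-out app sandbox (not real app data)."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    prefs = {"username": "alice", "auth": {"sessionToken": "abc123"}, "theme": "dark"}
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as fh:
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_BINARY)      # binary plist, as NSUserDefaults writes
    con = sqlite3.connect(os.path.join(root, "Documents", "app.sqlite"))
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")
    con.execute("CREATE TABLE notes (id INTEGER, body TEXT)")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for kind, path, what, detail in scan_sandbox(build_sample_sandbox()):
        print(f"[{kind}] {path}: {what} -> {detail}")
```

The scan is deliberately name-based: it tells you where to look, not whether the value is actually protected, so each hit still has to be opened (SQLite Manager, plistEditor) to confirm that the stored value is clear text rather than a hash or ciphertext. Extend SENSITIVE with the application's own vocabulary once you have seen its Info.plist and traffic.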

And yes, here we have successfully performed iPhone application testing on a non-jailbroken device. It is true that for pentesting you should have a jailbroken device, but if you do not have one you can still perform most of the task :)

And that makes our life easier.

References:
• https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• iTools - http://itools.en.uptodown.com/
• iFunbox - http://dl.i-funbox.com/
• Fiddler - http://www.telerik.com/download/fiddler1
• Burp - http://portswigger.net/burp/download.html
• plistEditor - http://www.icopybot.com/plist-editor.htm
• Notepad++ - http://notepad-plus-plus.org/download/v6.7.4.html
• BinaryCookieReader - http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py
• SQLite Manager - https://addons.mozilla.org/en-us/firefox/addon/sqlite-manager/

Network Security

CAM Table Overflow Attack & How to prevent it

Ahmed Haytham, Cyber Security Trainee at ITI

Before we start, there is a basic concept in the network field: "switch vs. hub". The main difference is how frames are transmitted from one device, the source (A), to another, the destination (B).

Hubs always flood: a frame received from the source (A) is repeated out to all connected devices, and every device except the destination (B) normally drops it (unless it is listening on purpose).

Switches on the other hand have a table called the Content Addressable Memory (CAM) table, a dynamic table that maps the MAC addresses of connected devices to the ports on the switch. When a frame is sent from A to B, the switch searches its CAM table for the port that corresponds to the MAC address of B and sends the frame only to that port, which is more secure than the hub's flooding.

BUT the question is: what if this CAM table is full? In this article we will see how to perform the attack to test the security of our own virtual network, and we will also learn how to secure it.

Let's establish our virtual environment using GNS3 (network virtualization) and VirtualBox, or a virtual machine host, with two operating systems (Kali Linux and Windows XP). As shown here, we have a network administrator running Windows XP (victim) trying to manage their own router (R1) and a Kali Linux machine (attacker) connected to the same switch (S1).

If we issue the command "show mac-address-table" on our switch we will see the CAM table of the switch, which lists the port and MAC address of every device connected to it.

We can also type "show mac-address-table count" to show the maximum number of entries this table can hold. In this case we have 8192 entries available.

From the Kali Linux machine the "macof" command (part of the dsniff package) is used to send frames with random source MAC addresses from the NIC (Network Interface Card) connected to the switch. We issue "macof -h" to show the help, then "macof -i eth1" to choose our NIC interface.

After pressing Enter a huge number of frames with fake random MAC addresses will be generated, as seen below.

The switch dynamically learns these MAC addresses into its CAM table. Now we issue our first two commands on the switch again to see the changes made to the CAM table.

Here the total number of MAC addresses stored increases each time we issue the same command, because the attacker's machine keeps generating a huge number of fake MAC addresses. The new CAM table entries look like the following; notice the large number of MAC addresses assigned to the same port (interface FastEthernet 1/0).

After a couple of minutes our humble switch is forwarding frames like a hub!!

Once the table is full the switch can no longer learn the MAC address of a legitimate host, so frames to that host are treated as unknown unicast and flooded out of every port, including the attacker's. The attacker receives a copy of each frame sent from the administrator (victim) or any other machine to the router (R1) or to any other device connected to this switch. The attacker's NIC would normally discard frames not addressed to it, so a sniffer such as Ettercap (or any packet-capture tool) puts the NIC into promiscuous mode, in which the controller passes all received traffic up to the host rather than only the frames addressed to it. Note that this is passive sniffing: the attacker sees copies of the traffic but is not in the path and does not modify it, so it is not a man-in-the-middle attack in the strict sense, although Ettercap can also be used for active attacks.

To recover from this attack we first bounce the attacked port on the switch using the two commands "shutdown" and "no shutdown" on that interface, which clears the entries learned on it.

To prevent this type of attack we configure the port as an access port by issuing "switchport mode access", then enable port security with "switchport port-security". After that we set the maximum number of MAC addresses that may be learned on this interface with "switchport port-security maximum 5". Finally we choose the violation action applied when the user (attacker) tries to source frames from more than 5 MAC addresses on the same port; we choose to shut the port down with "switchport port-security violation shutdown".

Now if the attacker attempts this attack again on this switch, their port will be shut down automatically (placed in the err-disabled state) and a log message will be generated on the switch informing the administrator that a MAC address on this port violated port security and that the port is now down.
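Spotting the attack from the switch side is easy to automate. The script below is an added example, not from the article: it parses the output of "show mac-address-table" in the Cisco IOS format the article works with (VLAN, MAC, type, port), counts dynamically learned addresses per port and flags any port above the limit the article's port-security configuration enforces (5); remediation() returns the article's interface commands for the flagged port. The switch output it runs on is constructed: Fa1/0 plays the macof'd port, Fa1/1 the router R1, Fa1/2 the administrator's machine, and the MAC addresses are random and made up. Paste the real command output into a file and pass its text to flooded_ports() to use it on a lab switch.

```python
"""Spot a CAM-table flood from 'show mac address-table' output.

Added example, not code from the article. The switch output is constructed
(Cisco IOS layout); Fa1/0 plays the flooded port and all MACs are invented.
"""
import random
import re
from collections import Counter

# Matches entry lines such as "   1    0011.2233.4455    DYNAMIC     Fa1/0"
ROW = re.compile(r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Yield (vlan, mac, type, port) for every entry line; headers and rulers are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).upper(), m.group(4)


def macs_per_port(text, dynamic_only=True):
    """Count learned MAC addresses on each port; the switch's own CPU entries are ignored."""
    counts = Counter()
    for _, mac, typ, port in parse_mac_table(text):
        if port == "CPU":
            continue
        if dynamic_only and typ != "DYNAMIC":
            continue
        counts[port] += 1
    return counts


def flooded_ports(text, limit=5):
    """Ports whose dynamic MAC count exceeds what an access port should ever need."""
    return {p: n for p, n in macs_per_port(text).items() if n > limit}


def remediation(port, limit=5):
    """Cisco IOS commands from the article: bounce the port, then enforce port security on it."""
    return "\n".join([
        f"interface {port}",
        " shutdown",
        " no shutdown",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {limit}",
        " switchport port-security violation shutdown",
    ])


def _rand_mac(rng):
    return "{:04x}.{:04x}.{:04x}".format(*(rng.randrange(1 << 16) for _ in range(3)))


def build_sample(flood_port="Fa1/0", flood_count=300, seed=1):
    """Constructed 'show mac address-table' output: two normal ports and one macof'd port."""
    rng = random.Random(seed)
    rows = ["          Mac Address Table",
            "-------------------------------------------",
            "",
            "Vlan    Mac Address       Type        Ports",
            "----    -----------       --------    -----",
            " All    0100.0ccc.cccc    STATIC      CPU",
            "   1    c201.1234.0000    DYNAMIC     Fa1/1",   # router R1
            "   1    0800.2711.aa01    DYNAMIC     Fa1/2",   # administrator's Windows XP box
            "   1    0800.2711.aa02    STATIC      Fa1/2"]   # a pinned entry, not counted as learned
    rows += [f"   1    {_rand_mac(rng)}    DYNAMIC     {flood_port}" for _ in range(flood_count)]
    rows.append(f"Total Mac Addresses for this criterion: {flood_count + 4}")
    return "\n".join(rows)


if __name__ == "__main__":
    table = build_sample()
    print("learned per port:", dict(macs_per_port(table)))
    for port, n in flooded_ports(table).items():
        print(f"{port}: {n} MAC addresses learned, likely CAM flood")
        print(remediation(port))
```

The threshold is the same number the article configures as the port-security maximum, so a port that trips this check is exactly one that port security would have shut down; running the check periodically (or on the switch's syslog output) gives you the detection before the prevention is in place.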


Page 21: Security Kaizen Magazine, Issue 21

New

& N

ews

ww

w.b

luek

aize

n.or

g

News: A peek under the hood of the recent security breaches
By the BK Team

A Company Called Alphabet Now Owns Google

The tech company announced on Monday that it would rebrand itself as Alphabet, a new holding company whose largest wholly owned subsidiary will be Google.

"Our company is operating well today, but we think we can make it cleaner and more accountable. So we are creating a new company, called Alphabet," CEO Larry Page announced in a blog post on Monday.

"What is Alphabet? Alphabet is mostly a collection of companies. The largest of which, of course, is Google," he explained. The move will essentially separate Google's web companies that generate the bulk of its revenue (YouTube and its eponymous search engine) from its research divisions, such as the health products Calico and Life Sciences. According to Page, Google made the decision to clearly differentiate between the business's different parts.

"Fundamentally, we believe this allows us more management scale, as we can run things independently that aren't very related," he wrote. Going forward, Sundar Pichai, formerly the senior vice president in charge of products, will be Google's chief executive, in charge of the search engine.


Kali Linux 2.0 Released

Kali Linux, a specialized distribution designed for penetration testing, has released a new and massively updated version. Kali Linux 2.0 offers a redesigned user interface for a streamlined work experience, along with new multi-level menus and tool categories. The new Kali Sana (Kali Linux v2.0) comprises many new features, including:
• Redesigned user interface for a streamlined work experience
• Reconstructed menus and tool categories
• Weekly updates of the core tool sets
• Native Ruby 2.0 for faster Metasploit load times
• Built-in desktop notifications as well as built-in screencasting
• Cutting-edge wireless penetration testing tools, and many more

Hacker's Device That Unlocks Almost Any Car and Opens Garages

At the DefCon hacker conference in Las Vegas, Samy Kamkar presented the details of a gadget he has developed called "RollJam". The $32 radio device, smaller than a cell phone, is designed to defeat the "rolling codes" security used not only in most modern cars' and trucks' keyless entry systems, but also in their alarm systems and in modern garage door openers. RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that the key fob does not work on the first try. But after a second, successful button press locks or unlocks the car or garage door, the RollJam attacker can return at any time, retrieve the device, press a small button on it, and replay an intercepted code from the victim's fob to open that car or garage again at will. "Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into," says Kamkar.

RollJam defeats rolling codes because a code is invalidated only once the receiver sees that code or a later one: the device jams the fob's transmission while recording it, so the receiver never sees the first code and it remains valid for later replay. Devices like the RSA SecurID, by contrast, make their codes expire after a fixed amount of time; the researcher suggested that rolling codes in cars should likewise be bound to a time window. Another suggested mitigation for attacks like RollJam is using a unique chip for every different car.


Anti-Virus Firm BitDefender Is Hacked

BitDefender, an award-winning internet security software company based in Romania, has fallen victim to a data breach that leaked customer data, including usernames and passwords, to an anonymous hacker.

The hacker, using the online alias "DetoxRansome", told Forbes that all of the stolen information, including usernames and passwords, was unencrypted and stored in plain text. Had the data been encrypted (and the passwords properly hashed), it would have been far harder to exploit. Fortunately, the stolen data amounts to "less than 1% of the company's customer data," said a BitDefender spokesman. On Twitter, the hacker demanded US$15,000 in exchange for the stolen data. The security firm refused to pay the ransom and is working with law enforcement to investigate the issue.

Hacking Team Gets Hacked

Hacking Team is an Italian company selling surveillance software to all sorts of authoritarian governments around the world. The Hacking Team's Twitter name was changed to "Hacked Team" as unknown attackers took control of the company's Twitter account. The first tweet said, "Since we have nothing to hide, we're publishing all our e-mails, files and source code." From there on out, the tweets included internal company information supplied by the unknown attackers, and the stolen information went viral via a 400GB torrent. "It's a huge trove of data, including a spreadsheet listing every government client, when they first bought the surveillance software, and how much money they have paid the company to date," Bruce Schneier said. A 2014 report by the Citizen Lab at the University of Toronto found indications that Hacking Team's products were used in Ethiopia, Sudan, Oman, Egypt and elsewhere. Meanwhile, Hacking Team has told all of its customers to shut down all uses of its software. They are in "full on emergency mode," which is completely understandable.

Dyre Wolf Attack

Banking Trojans, malware designed to leech money from compromised accounts, are nothing new to the world of cyber security. Traditionally, the targeted accounts are personal checking or savings accounts belonging to individuals who happen to fall prey to the malware. Hundreds, even thousands, of dollars can be transferred out of an individual's account and directly to the attackers, earning them quick money.

In the Dyre Wolf campaign the victim calls the attacker's number and is greeted by a very professional-sounding person with an American accent who states he works for the relevant bank. After a brief conversation, this individual prompts the victim to give the username and password for the account in question, and "verifies" them several times. The attacker may also ask for a token code. During this verification stage the attacker might ask to speak with a co-worker who has similar access to the account and may be one of the authorized persons on it, and ask them to verify information as well and read a token code over the phone.

Malware Review
By Ahmed Hammad, Information Security Engineer at Security Meter

What is the Dyre Wolf? Dyre Wolf is a new campaign that uses the now-popular Dyre (or Dyreza) malware to target corporate banking accounts directly, and it has successfully stolen upwards of a million dollars from unsuspecting companies (the Dyre wolf wants money). In Q1 of 2015, the Dyre Trojan was the top offender among the malware families attacking globally.

How does Dyre Wolf work? The following figure shows the Dyre Wolf attack sequence.

Step 1, Spear phishing: The mail the employee receives contains a zip file named "invoice", "fax" or "doc" with a random number appended (for example file147357x.zip). The file inside the zip carries an embedded PDF icon, but it is actually an EXE or SCR file. Observed phishing mail subjects and attachments:
• Subject: Unpaid invoice
• Subject: Your FED TAX payment was rejected
• Subject: Invoice #1006501
• Subject: New Bank Details
• Attachment: Invoice [6 random numbers].pdf
• Attachment: ADP-invoice.pptx

Step 2, the first-stage malware (Upatre) is executed:
• Upatre uses checkip.dyndns.org to determine the public IP address of the infected machine. The site replies with a simple message, "Current IP Address: X.X.X.X", and the malware uses this information to tell its operators who has been infected.
• Next a STUN (Session Traversal Utilities for NAT) server is contacted to determine the public IP address and the type of NAT (Network Address Translation) in use.
• Internet connectivity is checked, and whether a proxy is in use, by contacting google.com.
• Upatre makes its initial contact with the command and control (C&C) server. The following are known C2 servers: 109.228.17.152, 109.228.17.155, 109.228.17.158, 166.78.103.85, 176.114.0.58, 193.203.50.17, 193.203.50.69, 202.153.35.133, 203.183.172.196, 212.56.214.130, 212.56.214.154, 213.239.209.196, 217.172.179.9, 217.172.181.164, 217.172.184.75, 217.23.8.68, 80.248.224.75, 85.25.134.53, 85.25.138.12, 85.25.145.179, 93.190.139.178, 94.23.196.90, 94.23.61.172
• Upatre downloads the Dyre payload from a varied list of domains, with changing filenames.

Step 3, the second-stage malware (Dyre) is executed:
• Establishing persistence: As part of installation, Dyre creates a service named "Google Update Service" (googleupdaterr.exe) or "User Data Update" (userdata.dat), set to start automatically each time the system restarts. Once the system has started, the service injects malicious code into the legitimate SVCHOST.EXE process, after which the malicious "Google Update Service" stops.
• Establishing a darknet: During this stage Dyre makes connections to several nodes in order to establish a peer-to-peer tunneling network.
• Web browser hooking: Once Dyre has installed itself and established a solid network connection, it hooks the victim's browser (Internet Explorer, Firefox and Chrome) in order to intercept the credentials the user enters when visiting any of the targeted bank sites.
• Email spreading: If Dyre detects that the Outlook email client is installed, it attempts to send email messages to various recipients with Dyre payloads attached as a zip file. The body of the mail is deliberately vague, for example "Please remit BACS before date DD/MM/YYYY".


Step 4, the victim logs into the targeted bank account: Dyre alters the bank's page, presenting a fake support number, 1-XXX-XXX-XXX, for the victim to call.

Step 5, the phone call (advanced social engineering): Dyre has a number of different ways to operate its social engineering schemes:

• The classic injection: Dyre monitors the victim's online activity. The moment the victim browses to one of Dyre's targeted web pages [Bank of America, NatWest, Citibank, RBS (Royal Bank of Scotland), Ulster Bank], the malware injects new fillable data fields into the page, all while collecting the victim's login credentials. This is the classic injection mechanism of banking Trojans: it happens on the legitimate original page, and is commonly implemented by malware like ZeuS and all its offspring, SpyEye, GootKit, Bugat, etc.

• The proxy and web fakes: Dyre monitors the victim's online activity. The moment the victim browses to one of Dyre's targeted web pages, the malware redirects the request through a proxy server to Dyre's server. In response, the C&C sends back a replica of the bank's web page adapted to the original page the victim was supposed to reach. This replica is completely fake and contains extra data fields for the victim to fill out.

• On-the-fly, server-side injection: Dyre again monitors the victim's online activity. The moment the victim browses to one of Dyre's targeted web pages, the malware intercepts the response from the bank's servers. It reaches out to its operators' PHP server, presenting it with the bank's original page response. The PHP server takes over and sends the response on to the victim's browser, only this time with adapted code injections inserted into the bank's response before it is served back to the victim. This on-the-fly mechanism lets Dyre avoid coding its injections into the configuration file. It also allows the attacker to communicate with victims in real time, presenting them with carefully selected social engineering designed to complete a fraudulent transaction.

Step 6, the wire transfer: After obtaining the credentials from the victim, the attacker logs into the account and transfers money out. There have been several reports of compromise resulting in losses of $500,000 to over $1,000,000 USD. It is important to note that these attackers target organizations that typically make large transfers of this size on a regular basis, to avoid triggering the fraud detection mechanisms in place.

Step 7, the DDoS: Immediately after the wire transfer, the attacker launches a DDoS attack against the victim. The DDoS appears to be volumetric in nature: using reflection attacks with NTP and DNS, the Dyre Wolf operators are able to overwhelm any resource downstream.

Recommended countermeasures: There are several steps an organization can take in order to stop or limit the risk of the Upatre and Dyre malware:
1. Strip executables from email attachments (configure the mail server to strip any executable files, including executables carried inside zip archives, as in Step 1).
2. Keep antivirus and/or endpoint protection current.
3. Restrict execution of programs from temp folders.
4. Use two-factor authentication with banking sites (and enable the maximum security features the bank offers). Note that the phone call in Step 5 is designed to obtain the token code as well, so 2FA alone does not stop this campaign; staff must know never to read a token code over the phone.
5. End-user awareness (be proactive with end-user education and security awareness).

Dyre statistics: The Dyre/Dyreza Trojan started out as a seemingly simple RAT (Remote Access Trojan) project around mid-2014.

North America is the most affected geography seeing highest infection rates of Dyre. This falls in line with the majority of the banks targeted by Dyre.
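The first recommendation above, stripping executables from mail attachments, is harder than an extension blacklist suggests: Step 1 showed the payload arriving as an EXE or SCR inside a zip, wearing a PDF icon and a misleading name. The following Python is an added example, not code from the article or from the IBM report it draws on. It opens a zip attachment in memory and flags members with executable extensions (including the disguised `name.pdf.scr` form) and members whose content starts with the PE `MZ` header regardless of what they are called. The zip archives and the two-byte `MZ` stub are constructed for the example; they are not real Dyre or Upatre droppers.

```python
import io
import posixpath
import zipfile

# Extensions a mail gateway should never deliver, even inside an archive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1", ".msi",
}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def attachment_verdict(zip_bytes):
    """Return a list of (member name, reason) findings for a zip attachment.

    Two independent checks per member: the name (catching a double extension
    such as invoice.pdf.scr) and the first bytes of the content (a renamed
    EXE still starts with 'MZ'). An empty list means nothing executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = posixpath.basename(info.filename).lower()
            ext = posixpath.splitext(lower)[1]
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable extension " + ext
                # Look at the extension hiding in front of the real one.
                inner = posixpath.splitext(lower[: -len(ext)])[1]
                if inner and inner not in EXECUTABLE_EXTENSIONS:
                    reason += f" disguised behind {inner}"
                findings.append((info.filename, reason))
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, "PE header with non-executable name"))
    return findings


def build_sample_zip(members):
    """Build an in-memory zip from {name: bytes}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real malware: a fake PE stub with the PDF-icon
# trick, a PE renamed to .pdf, and a harmless text file.
FAKE_PE = PE_MAGIC + b"\x00" * 62
PHISHING_ZIP = build_sample_zip({
    "invoice147357x.pdf.scr": FAKE_PE,
    "fax.pdf": FAKE_PE,
    "readme.txt": b"Please remit payment.",
})
CLEAN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 ..."})

if __name__ == "__main__":
    for name, reason in attachment_verdict(PHISHING_ZIP):
        print(f"BLOCK {name}: {reason}")
    print("clean sample findings:", attachment_verdict(CLEAN_ZIP))
```

A gateway would run `attachment_verdict` over each archive before delivery and quarantine the message on any finding. One caveat the article's recommendation does not mention: a password-protected zip defeats the content check, so encrypted archives from unknown senders should be quarantined as well rather than passed through unread.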

References
https://securityintelligence.com/dyre-wolf/#.VcIKN8Cqqkq

Wapomi Worm: Behavior and Code Analysis
Malware Review
By Doaa Wael, Malware Analyst

Executive Summary:
• By performing behavior and code analysis on this executable sample, it has been identified as the Wapomi worm.
• A computer worm is standalone malware that replicates itself in order to spread to other computers. Wapomi spreads by infecting removable devices attached to the victim machine. It was first detected a number of years ago, but it is still active.
• Wapomi tries to connect to a number of C&C domains and IP addresses to download files from them; during this analysis every attempt failed. It also installs a rootkit on the victim machine in order to hide itself.

Sample Identification:
File name: e9c7822615cc7af044f5b144d902821a.exe
File size: 300.0 KB (307200 bytes)
MD5: e9c7822615cc7af044f5b144d902821a
SHA1: e337650d4567604282a578565996a4451476e7a3
SHA256: c8a7cab2af54707ba722445ec4b208690219595d31b1add756b142b3ed4d7f9f
Type: Win32 EXE
Packers: - (none detected on the outer sample; the dropped file is ASPack-packed, as described below)


Anti-Debugging techniques:
• A huge run of NOP instructions followed by a jump to 402e91: At address 401092 the malware reserves a region of pages in the virtual address space of the calling process using VirtualAlloc with size 40000000 (hex) and protection PAGE_EXECUTE_READWRITE. Then, using memset, it fills the region with the byte 90 (NOP) for 4000000 (hex) bytes, so that execution slides through the large run of NOP instructions and finally jumps to address 402e91. Single-stepping through a sled of this size in a debugger is impractical.
• GetTickCount timing check: Single-stepping an executable is far slower than running it at full speed. The malware calls GetTickCount, which returns the number of milliseconds the OS has been running, before a section of code, calls it again after that section, and compares the two values. If the difference is too large, it assumes the code is being stepped through in a debugger.

Main Findings:
1. The malware starts by dropping a new file, "c:\44ba068f.exe", using CreateFile and executes it with WinExec, creating a new process called 44ba068f.exe that is responsible for all the malicious activity from this point on.

2. Examining the new file at "c:\44ba068f.exe" shows that it is packed, as shown below.

3. According to PEiD the sample is packed with "ASPack 2.12", an advanced Win32 executable compressor that also protects programs against reverse engineering. Programs compressed with ASPack are self-contained and run exactly as before, with no runtime performance penalty.

4. To unpack the sample, step through the first instructions until reaching the PUSHAD instruction, which pushes all general-purpose registers onto the stack. Packers use it to back up the original register state before running the unpacking code; once unpacking has finished, the register contents are restored (POPAD). So by placing a hardware breakpoint on the address ESP points to after PUSHAD has executed, we catch the moment the sample restores the registers, which means the unpacking code has finished and control is about to pass to the original code.

5. The unpacked code starts by retrieving the path of the directory designated for temporary files and the path of the system directory. It then goes through a decryption routine to retrieve a number of addresses, and transfers control to the code at each of them by pushing the target address and executing a RET instruction.

6. It creates a new file named "C:\Documents and Settings\infotmp.txt".

7. The malware obtains a list of running processes by calling CreateToolhelp32Snapshot and cycling through the PROCESSENTRY32 structures with Process32First and Process32Next. It then compares the list of running processes with the strings RavMonD.exe, 360tray.exe, MPSVC.exe, KSafeTray.exe, RsAgent.exe and explorer.exe.

8. It uses a pseudorandom generator (shown below) to produce random DWORD values such as 0x36630570 many times in the code. Here the random value is used to build the random file name "36630570.tmp" through wsprintf with the format "%.8x.tmp". The generator is then used again to produce another value, "645d087e", which is passed to wsprintf with the format "%.8x.log" at address 402705 to create the random file name "645d087e.log".

9. It determines the version of the operating system using GetVersionEx, then writes the operating system version to the file "C:\Documents and Settings\infotmp.txt", as shown below.


10. The malware opens the "HKEY_CURRENT_USER\Keyboard Layout\Preload" registry key (the Preload subkey values 1 to 15 represent the available input locales; each value identifies a country and keyboard layout, and Preload\1 becomes the default keyboard) and queries the values "1" and "2". Value "1" is "00000409"; value "2" does not exist.

11. It uses SHSetValue to set the values "Layout File" and "Layout Text" to "KBDUS.DLL" and "386A6504" respectively under the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010409" (a keyboard layout code subkey represents a particular keyboard layout; its entries store information about the installed keyboard layout or Input Method Editor (IME)).

12. It opens the malicious file "c:\44ba068f.exe", retrieves its size, which is "00037600", and reads that many bytes from the file. It then opens "C:\WINDOWS\system32\36630570.tmp" and writes the malicious code section read from "c:\44ba068f.exe" into it.

13. The malware loads "imm32.dll" into the address space of the calling process and retrieves the address of ImmLoadLibrary, which is "76398739". It then hooks ImmLoadLibrary: it changes the protection of the committed pages at "76398739" to PAGE_EXECUTE_READWRITE, uses memcpy to save the original 5 bytes at "76398739" (which begin with the instruction MOV EDI,EDI) to "00414fe0", and overwrites "76398739" with the instruction "JMP 62C4DD3D".

14. It also retrieves a module handle for ntdll.dll and the address of ZwQueryValueKey, which is "7c90e1fe". It then hooks ZwQueryValueKey in the same way: it changes the protection of the committed pages at "7c90e1fe" (ntdll.ZwQueryValueKey) to PAGE_EXECUTE_READWRITE, uses memcpy to save the original 5 bytes at "7c90e1fe" (the instruction "MOV EAX,0B1") to "414f54", and overwrites "7c90e1fe" with the instruction "JMP 00405e3a".

15. After that it uses LoadKeyboardLayout to load the new input locale identifier (formerly called the keyboard layout) "E0010409" into the system. Inside USER32.LoadKeyboardLayoutW there is a call to ZwQueryValueKey, which has just been patched, so the malware's hook runs.

16. The malware uses OpenSCManager to establish a connection to the service control manager and open the service control manager database. It then opens the "AppMgmt" (Application Management) service and retrieves its current status. If the service is running it searches for another service (BITS, FastUserSwitchingCompatibility, WmdmPmSN, and so on) until it reaches one that is stopped. It then replaces the corresponding DLL file and starts the service with the modified DLL. In this case the AppMgmt service was not running, so it was chosen.

17. It loads "sfc_os.dll" into the address space of the calling process. sfc_os.dll is a Microsoft Windows DLL containing the functions used to monitor system files for validity. The malware retrieves the address of the exported function "#5"; ordinal #5 of sfc_os.dll corresponds to the undocumented SetFileException routine, used to disable Windows File Protection (WFP) for a given file, which is what allows the next step to overwrite a protected system DLL.

18. It opens "C:\WINDOWS\system32\appmgmts.dll" and writes the malicious code section into it, with the same size as the malicious file "c:\44ba068f.exe". It then starts the "AppMgmt" service and terminates its own process. Examining the malicious DLL in the OllyDbg debugger shows that:
• It is also packed with "ASPack 2.12".
• It deletes "C:\Documents and Settings\infotmp.txt" and "c:\44ba068f.exe".
• It uses SHGetValue to retrieve the value "services" under the registry key "Machine\system\CurrentControlSet\Enum\SW\{eec12db-ad9c-4168-b03daef417fe}\{ABD61E00-9350-47e2-a632-4438B90CC6641}", which was "drmaud", compares it with the string "drmaud", and finally uses SHSetValue to change the data of the value "services" to "52ac5050".

• The malware uses SHSetValue to set the values "Start", "Type" and "ImagePath" of the registry key "Machine\system\CurrentControlSet\services\52ac5050" to 0x03, 0x01 and "system32\52ac5050.sys" respectively, registering its driver as a kernel-mode service (Type 0x01) that can be loaded on demand (Start 0x03) so that it survives reboots.


• It uses FindResource to locate the resource that holds the driver "C:\WINDOWS\system32\52ac5050.sys" and retrieves its size in bytes, "0x30B0". It then obtains a handle with LoadResource that gives a pointer to the first byte of the resource in memory, reserves a region of pages in the virtual address space of the calling process of the same size ("0x30B0"), copies the resource bytes to the newly allocated buffer at "00910000", opens "C:\WINDOWS\system32\52ac5050.sys" and writes the buffer "00910000" to it.

• It then uses wsprintf to build the string "\Device\00000000" and tries to create the file with ZwCreateFile. If that fails it jumps back to wsprintf, builds the next device name ("\Device\00000001", and so on) and retries. When it succeeds it passes the handle to DeviceIoControl at address 003545a5 in order to send a control code directly to the device driver; if that fails it again jumps back to wsprintf and tries the next device name, until it succeeds. After that, at address 354320, it uses CreateFile with "OPEN_EXISTING" to open the device named \\.\Guntior, which returns the file handle "0xf0". This is the interface to the rootkit driver written in the previous step.

• The malware uses wsprintf to build a large list of strings which it passes to DeviceIoControl in order to create registry entries under the key "Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\". These are used to block popular security products and anti-virus programs from running: for each product the worm creates a subkey named after the product's executable and sets its "Debugger" value, which forces Windows to launch the named "debugger" instead of the program, no matter how the program is started.

• It uses FindResource to locate the resource that holds "C:\WINDOWS\system32\dmlocalsvc.dll" and retrieves its size in bytes, "0x2100". It then obtains a handle with LoadResource that gives a pointer to the first byte of the resource in memory, reserves a region of pages in the virtual address space of the calling process of the same size, copies the resource bytes to the newly allocated buffer at "00950000", opens "C:\WINDOWS\system32\dmlocalsvc.dll" and writes the buffer "00950000" to it.

• It opens the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt" and uses RegSaveKey to save this key with all of its subkeys and values to a new file named "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s159b1d87.txt". It also uses CreateProcess to run the command line "reg export HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r72823129.txt".

• Once more the malware obtains a list of running processes and compares it, using lstrcmpi, with a list of common security products and anti-virus programs in order to terminate them.

• After that the malware deletes and closes the "AppMgmt" service, deletes the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters", opens the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\", creates the subkey "AppMgmt", and, using RegRestoreKey, reads the registry information from the file "s2bd14ff1.txt" and copies it over the specified key, restoring the original service definition it saved earlier.

• It deletes "C:\WINDOWS\system32\36630570.tmp", "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r72823129.txt" and "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s159b1d87.txt".

• It opens the file "C:\WINDOWS\system32\drivers\etc\hosts" and overwrites it with the buffer contents "127.0.0.1 localhost", removing any entries that were there before.


• It retrieves the currently available disk drives and determines whether each is a removable, fixed, CD-ROM, RAM disk or network drive (GetDriveType). For removable drives the return value is 2 (DRIVE_REMOVABLE), so when the return value equals 2 it calls the function at address 35e597 in order to infect the removable drive, as described next.

• In the function at 35e597 the malware creates the file "E:\autorun.inf" and a directory "E:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}" containing a newly created "E:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\uninstall.exe". The GUID is the CLSID of the Recycle Bin, so Explorer displays the folder as a Recycle Bin and hides its real contents from a casual look.

• It uses the function at address 35603f to generate domain names made of combinations of letters and digits, passes each to wsprintf with the format "www.%s.info" to form a full domain name such as "www.vn3704.info", and tries to resolve it with gethostbyname, but this fails.

• It uses the function at address 35940f to generate C&C IP addresses. At address 35944c it pushes a C&C IP address, the name of the file it is trying to download and the path where the downloaded file will be saved, then calls the function at address 358255, which connects to the C&C address (for example 60.191.186.243) and tries to download the file "msdownload/update/v5/redir/wuredirtu.rar" to the path "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8ac5ccb.rar". This fails because no response is received from that IP address, so it loops, pushing a different address each time, but none of them responds.

• At address 35e4fb the malware uses CreateProcess to run the command line "C:\Program Files\Internet Explorer\iexplorer.exe http://72.8.141.240/htm/mac.htm?48", but this page cannot be displayed.

• It uses FindFirstFile with "*" as the wildcard to enumerate the files and subdirectories under "C:\", and compares each file's extension with "exe, rar, htm, html, asp, aspx" using lstrcmpi in order to infect the matching files with the malicious code section.

• It uses SHGetSpecialFolderPath to retrieve the path of the special folder "C:\Program Files", builds the string "C:\Program Files\WINRAR\Rar.exe", and copies the existing file "C:\Program Files\WINRAR\Rar.exe" to a new file "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\06645eff.exe".
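The Image File Execution Options trick described above is easy to hunt for once a registry export is in hand. The following Python is an added example and is not part of the original analysis. It parses a `.reg` export of the IFEO key (the text here is constructed; a real one comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, which reg.exe writes as UTF-16, so open it with `encoding="utf-16"`), lists every subkey that carries a `Debugger` value, and prints the `reg delete` commands that remove them. The image names in the sample are the security products the worm looks for in finding 7; the debugger values themselves are made up.

```python
import re

# Root of the IFEO key as it appears in a .reg export.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEBUGGER = re.compile(r'^"Debugger"="(?P<value>.*)"\s*$', re.IGNORECASE)


def ifeo_debuggers(reg_text):
    """Map image name -> Debugger value for every IFEO subkey in a .reg export.

    A Debugger value on a security product's executable is a hijack: Windows
    launches the named 'debugger' instead of the product whenever the product
    is started, which is exactly how the worm blocks anti-virus tools.
    """
    found = {}
    image = None  # image name of the IFEO subkey we are currently inside
    for line in reg_text.splitlines():
        sec = SECTION.match(line)
        if sec:
            key = sec["key"]
            image = None
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                image = key[len(IFEO_PREFIX) + 1:]
            continue
        dbg = DEBUGGER.match(line)
        if dbg and image is not None:
            # .reg files escape backslashes and double quotes inside strings.
            found[image] = dbg["value"].replace("\\\\", "\\").replace('\\"', '"')
    return found


def remediation_commands(hijacks):
    """reg.exe commands that delete each hijacking Debugger value."""
    return [f'reg delete "{IFEO_PREFIX}\\{image}" /v Debugger /f'
            for image in sorted(hijacks)]


# Constructed export: two hijacked security products (names from finding 7)
# and one benign IFEO entry (GlobalFlag, no Debugger) that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
"""

if __name__ == "__main__":
    hijacks = ifeo_debuggers(SAMPLE_REG)
    for image, debugger in hijacks.items():
        print(f"{image} is redirected to: {debugger}")
    print("\n".join(remediation_commands(hijacks)))
```

Run it against the export taken from a suspect machine; any Debugger value you did not put there yourself deserves a look, and on a machine infected with this worm the list will also tell you which security products it was configured to suppress. The same pattern, a subkey per image name with a Debugger value, is used legitimately by developers, so compare against a known-good baseline before deleting.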

Protecting the Perimeter: A Cyber Defense Strategy
Cyber Defence
By Harris Schwartz, Cyber Security Expert

If you have read my past articles you will know that I am a big fan of proactive defense strategies when it comes to protecting your company's network and infrastructure and, bottom line, your "IP", aka intellectual property, whatever that consists of (customer data, medical data, strategic plans, etc.). The strategy, and a smart one, comes down to keeping the bad guy as far away from the inside of your network as possible.

Your Cyber Defense Strategy should include solutions (process, technology, 3rd party vendor, etc.) to cover both everyday “events” and “incidents” as they occur. A good cyber defense strategy will include the “3” solutions that I mentioned above, and among the 3 solutions, could involve 1 or more of each type. I have been protecting company networks and “defending” them as well for the last 20+ years, and I believe my approach has been quite successful. Of course, depending on the particular network and topology, solutions can be different from the next. Some of the solution providers (3rd parties) would likely be different, because in some cases where I was not the original InfoSec Leader, existing solutions were already in place, and I had to work with those existing programs to be successful.

PERIMETER MONITORINGIt is common that your company may have a network operations center (NOC) and they may offer monitoring of your network. Its likely and possible with larger companies. It is not recommended to only rely on your NOC staff. They are more interested in ensuring network appliances are running, have enough memory and CPU and other operational metrics. They are less interested in the traffic and behaviors of users that might be targeting your company. Sure, your NOC staff will be a partner that you will work with to implement router changes, firewall blocks and other infrastructure needs. BUT, it is vital that your information security team conduct its own perimeter monitoring.

Your monitoring can be accomplished several ways, internal, external and/or both. Most companies and organizations have a SIEM or log aggregator that they collect their logs with (firewalls, IDS, IPS, VPN, etc.) but in many cases lack the necessary resources to properly manage their SIEM. This can be time consuming and frustrating if you lack the necessary staff to accomplish this. Some companies utilize MSSP’s (Managed Security Service) to address the first level of log analysis and event monitoring (SOC - Security Operation Center) and then escalate to an internal team that addresses the next stage of research and investigation. In these scenarios, the MSSP may offer their own SIEM solution and in addition will manage the solution completely. I have worked in numerous environments that included both scenarios - internal teams 100% managed SIEM and monitoring and a combination of internal and external teams accomplishing the task. There are many pros and cons as well to both. First and foremost, most MSSP providers are 24x7, while your internal teams may not be. This can be a challenge, depending on your environment and the need for continuous coverage, or not. In some environments this scenario works out well.

In choosing an MSSP, there are many to choose from. I will say from my experience that there are two I really enjoy working with, and they have proven to be very flexible in their offerings to their clients. What I mean is that many of the large, well-known MSSPs (Dell, Symantec, HP) are all stuck on one solution that fits all, with no room for flexibility. For an enterprise that requires a fully managed solution, these MSSPs are the way to go: fully outsourced. This is not my recommendation, as I believe there needs to be a partnership and collaboration between the MSSP and your internal information security staff, because only you know your business best. The two MSSPs I really like are CSC and Solutionary. (If you have questions offline, email me and I can provide greater detail.)

In addition to the partnership between your MSSP and the internal staff handling escalations of events and incidents, there is your team engaged in a proactive monitoring strategy. I wrote a whole other article on proactive monitoring and investigation, and this is a concept that works really well. It requires understanding your network traffic: what is normal versus abnormal, and what is authorized versus anomalous activity. Together, with all of these strategies, your perimeter will be well monitored and watched.

TECHNOLOGY

Obviously, there need to be perimeter devices, and these are often chosen by your network security or infrastructure teams, or possibly your information security team. Your part in protecting your perimeter is working with the appropriate teams to ensure that your network perimeter devices are tuned and configured properly to meet your cyber security and risk needs. Much of this tuning, and the decisions on configuration, will come from an assessment, a review of industry trends, and a review of your own network’s traffic and activity.

Most network perimeter devices can be tuned and configured in various ways to prevent, block, drop and/or notify your teams of different types of network traffic. These “rules” or “signatures” are part of the device offering, but in many cases they are subscriptions or additional offerings purchased for in-depth threat prevention. It is also important to decide, between your team and your network teams, how to address router blocks, firewall blocking and other blocking needs at the intrusion detection level as well. You should also investigate whether infrastructure changes will require a change management process. Then there is also the need for “emergency” changes, as during a DDOS or other attack.


DDOS Mitigation

This is another area of perimeter defense that is forgotten about far too often, until the moment you require a solution and it is too late. This is why careful preparation and planning are important; after all, all of these actions and plans will (or should) be covered in your strategy.

DDOS mitigation can be accomplished in several ways as well, and typically most companies will use a combination of internal devices (e.g. Arbor) and an external 3rd-party provider that can take over when necessary. Many of the available 3rd-party providers can absorb bad traffic in the 300-500 Gbps range, much higher than most networks can handle themselves. I always like to recommend Neustar as a 3rd-party provider, as my experiences have been very successful when engaged in the past. There are some newcomers to the arena as well, and they are always worth examining. It is always good to ask for references.

E-COMMERCE

This is another area that gets missed by information security teams when thinking about perimeter protection. How much it matters depends on how large a part e-commerce plays in your business; if you are a retail company, e-commerce will play a major role. Industry trends tell us that web application attacks are among the top three types of attacks targeting e-commerce, through SQL injection attacks and XSS (Cross-Site Scripting) attacks. It is the vulnerabilities in system OSes and applications that bad actors are constantly looking for and exploiting. Hopefully, your team already has a vulnerability management program in place as well.

There may be a need to maintain a higher level of perimeter protection around e-commerce systems and servers. This can be coupled with a 3rd-party service as well, typically provided through your outsourced CDN (Content Delivery Network); these providers offer varying levels of protection, including countermeasures when necessary.

PEOPLE

We must remember that technology and solutions alone cannot achieve proper levels of perimeter defense. The third aspect is people: not only those required to maintain the “care and feeding” of the technology in use, but also the team responsible for handling escalations and conducting proactive monitoring and investigations.


Prospects of SIEM

Best Practice

As we all know, SIEM technology is growing day by day, and many organizations have adopted it for monitoring and compliance purposes. SIEM (Security Information and Event Management) is a technology that can collect logs, analyze them, store them, correlate them, and produce meaningful output.

Some of us have illusions about SIEM’s effectiveness, and we may have heard that SIEM can detect attacks. Here I want to make a clarification: SIEM does not have the capability to detect attacks themselves, but it has the capability to detect the behavior of attacks.

Note: The terms used in this article relate to ArcSight SIEM (for other SIEMs the terms may change, but the concepts remain almost the same).

Vijay Lalwani, Security Analyst at Paladion Network


How does SIEM detect the behavior of an attack, and what can it do when it detects such behavior?

SIEM has a correlation engine that processes events and looks for events of interest. If such events are detected, it generates a new correlation event and performs actions such as notifying users through SMS or email, along with any other actions that have been defined.

What are events of interest?

For the correlation engine, events of interest are the events for which rules have been created. What is a rule? A rule is nothing but a set of building blocks with conditions that, if met, detect the behavior of an attack, any other security incident, unauthorized access, or compliance and/or operational events. If events of interest are observed, SIEM can notify the users defined in the rule action (through email or SMS), along with many other capabilities: generating a new event, adding or removing data from resources (such as active lists and session lists, which are used to store data), or creating a new case (similar to a ticketing tool, used to track an incident).

Let me explain the whole thing with a simple example, and we will see how SIEM detects the behavior of attacks at different stages.

If I want to divide attacks into different stages, I will divide them into three:
1. Reconnaissance (scanning)
2. Exploitation (exploiting the discovered vulnerability)
3. Communication to the Command and Control (CC) server (data exfiltration)

Here I will explain how SIEM can detect the attack at each stage. In the first stage, the attacker aims to gather information about the target network infrastructure (live hosts, open ports, running services, OS, etc.). Let us take an example: attackers have started reconnaissance with a ping sweep and port scanning. To detect the ping sweep, we create a rule that generates an alert in SIEM if the firewall observes ping requests to multiple destinations from the same source (the number of destinations depends on the organization’s definition of a ping sweep). We can also add the source/attacker address and the destination/target addresses to active lists (a SIEM resource used to store data), and the active list data can be referenced in other rules.

For port scanning, we can create a rule that generates an alert if the firewall observes traffic from the same source to the same destination on multiple destination ports. Here we can reference the active list by adding to it the destinations that replied to the ping request, i.e. the rule fires when the attacker is port scanning a live host that was detected in the ping sweep.

If the attacker succeeds in identifying open ports and running services, the attacker will list the vulnerabilities present in them and exploit one. An IPS has the capability to detect the exploit. A rule can be created for when the IPS observes an exploit used against a vulnerable destination (here too we can reference the active list holding the vulnerable hosts, or the hosts detected by the attacker during scanning).

Now, if the attacker succeeds in exploiting the vulnerability and is able to execute malicious code or install malware, the infected host will communicate with the CC server. A rule can be created to detect traffic from the infected host to the CC server, or any abnormal traffic from the infected host to an unknown destination or CC server.
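As an added illustration of the three rules just described (ping sweep, port scan against hosts that answered the sweep, and an exploit followed by CC traffic), here is a small correlation engine in Python. It is example code written for this article, not ArcSight or any vendor's product: the event field names, the thresholds, the sets that stand in for active lists, the "internal" address prefix and the sample firewall/IPS events are all constructed assumptions.

```python
"""Toy SIEM-style correlation over constructed firewall/IPS events (example code).

Each rule is a method run over every event in time order.  Three sets play the
role of the article's active lists: state written by one rule and consulted by
later rules, so a port scan only alerts against a host that answered a sweep,
and outbound traffic only alerts from a host the IPS saw an exploit land on.
"""
from collections import defaultdict

INTERNAL_PREFIX = "192.0.2."  # assumption: the monitored network (RFC 5737 documentation range)


def ev(ts, dev, proto, src, dst, dport, action, signature=None):
    """Build one normalised event record (helper for the constructed sample)."""
    return {"ts": ts, "dev": dev, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "action": action, "signature": signature}


# Constructed sample events: ICMP sweep of four hosts, one host answers, that
# host is probed on five ports, the IPS flags an exploit, the host calls out.
EVENTS = [
    ev(1, "fw", "icmp", "203.0.113.5", "192.0.2.10", 0, "allow"),
    ev(2, "fw", "icmp", "203.0.113.5", "192.0.2.11", 0, "allow"),
    ev(3, "fw", "icmp", "203.0.113.5", "192.0.2.12", 0, "allow"),
    ev(4, "fw", "icmp", "203.0.113.5", "192.0.2.13", 0, "allow"),
    ev(5, "fw", "icmp-reply", "192.0.2.11", "203.0.113.5", 0, "allow"),
    ev(6, "fw", "tcp", "203.0.113.5", "192.0.2.11", 22, "deny"),
    ev(7, "fw", "tcp", "203.0.113.5", "192.0.2.11", 80, "deny"),
    ev(8, "fw", "tcp", "203.0.113.5", "192.0.2.11", 443, "deny"),
    ev(9, "fw", "tcp", "203.0.113.5", "192.0.2.11", 445, "allow"),
    ev(10, "fw", "tcp", "203.0.113.5", "192.0.2.11", 3389, "deny"),
    ev(11, "ips", "tcp", "203.0.113.5", "192.0.2.11", 445, "alert", "SMB exploit attempt"),
    ev(12, "fw", "tcp", "192.0.2.11", "198.51.100.77", 4444, "allow"),
]


class CorrelationEngine:
    def __init__(self, sweep_threshold=3, scan_threshold=5):
        self.sweep_threshold = sweep_threshold   # distinct ICMP destinations per source
        self.scan_threshold = scan_threshold     # distinct ports per source/destination pair
        self.attackers = set()      # active list: sources seen sweeping
        self.live_targets = set()   # active list: internal hosts that answered a sweeper
        self.infected = set()       # active list: hosts the IPS saw an exploit land on
        self._sweep_dsts = defaultdict(set)   # src -> distinct ICMP destinations
        self._scan_ports = defaultdict(set)   # (src, dst) -> distinct destination ports
        self.alerts = []            # correlation events generated by the rules

    def _alert(self, rule, e, detail):
        self.alerts.append({"ts": e["ts"], "rule": rule, "detail": detail})

    def rule_ping_sweep(self, e):
        if e["dev"] != "fw" or e["proto"] != "icmp":
            return
        dsts = self._sweep_dsts[e["src"]]
        dsts.add(e["dst"])
        if len(dsts) == self.sweep_threshold:   # fire once, when the threshold is reached
            self.attackers.add(e["src"])
            self._alert("ping_sweep", e, f"{e['src']} probed {len(dsts)} hosts")

    def rule_sweep_reply(self, e):
        # Bookkeeping rule: record internal hosts that replied to a known sweeper.
        if e["proto"] == "icmp-reply" and e["dst"] in self.attackers:
            self.live_targets.add(e["src"])

    def rule_port_scan(self, e):
        if e["dev"] != "fw" or e["proto"] != "tcp":
            return
        if e["src"] not in self.attackers or e["dst"] not in self.live_targets:
            return
        ports = self._scan_ports[(e["src"], e["dst"])]
        ports.add(e["dport"])
        if len(ports) == self.scan_threshold:
            self._alert("port_scan", e, f"{e['src']} scanned {len(ports)} ports on {e['dst']}")

    def rule_exploit(self, e):
        if e["dev"] != "ips" or e["action"] != "alert":
            return
        if e["dst"] in self.live_targets or e["src"] in self.attackers:
            self.infected.add(e["dst"])
            self._alert("exploit_on_scanned_host", e, f"{e['signature']} -> {e['dst']}")

    def rule_c2(self, e):
        if e["dev"] != "fw" or e["action"] != "allow":
            return
        if e["src"] in self.infected and not e["dst"].startswith(INTERNAL_PREFIX):
            self._alert("possible_c2", e, f"{e['src']} -> {e['dst']}:{e['dport']}")

    def process(self, e):
        for rule in (self.rule_ping_sweep, self.rule_sweep_reply,
                     self.rule_port_scan, self.rule_exploit, self.rule_c2):
            rule(e)

    def run(self, events):
        """Feed events in timestamp order and return the generated correlation events."""
        for e in sorted(events, key=lambda x: x["ts"]):
            self.process(e)
        return self.alerts


if __name__ == "__main__":
    for a in CorrelationEngine().run(EVENTS):
        print(f"t={a['ts']:>2} {a['rule']:<24} {a['detail']}")
```

Running the sample produces four correlation events, one per stage plus the port scan. The dependency on the active lists is the point: feed the engine only the TCP and IPS events, with no sweep in front of them, and none of the later rules match, which is exactly the false-positive reduction the article gets from referencing the live-host list instead of alerting on every burst of connections.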

The above example is only an overview of how SIEM can detect attacks at different stages. We can also create rules more specific to monitoring abnormal activity, internal and external threats, compliance-related events, device audit events, and many others.

SIEM is not limited to this: it can also collect data from vulnerability assessment tools, import it into the asset data, and prioritize events to and from the assets accordingly. It can be integrated with a third-party ticketing tool to send event data to it and track the incident. It can also be integrated with pattern discovery, which generates the pattern of events/traffic received from different assets on a per-minute, hourly, daily or weekly basis and compares it with the normal pattern to detect any abnormal pattern. Pattern discovery helps detect slow attacks, smart attacks and zero-day attacks.
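As an added example of the baseline-comparison idea behind pattern discovery (not code from ArcSight or from the author), the Python below learns a per-hour event-volume baseline for one asset from seven constructed days and flags hours of the current day that deviate strongly in either direction. The daily profile, the z-score threshold, the minimum spread and the two injected anomalies are assumptions for illustration.

```python
"""Hourly event-volume baseline for one asset (example code, constructed data).

A drop is flagged as well as a spike: a log source that suddenly goes quiet
is as worth a look as a host that suddenly gets busy at 02:00.
"""
from statistics import mean, pstdev


def build_baseline(history):
    """history: list of past days, each a list of 24 hourly event counts.
    Returns 24 (mean, stdev) pairs describing the normal volume per hour."""
    baseline = []
    for hour in range(24):
        samples = [day[hour] for day in history]
        baseline.append((mean(samples), pstdev(samples)))
    return baseline


def find_anomalies(today, baseline, z=3.0, min_spread=5.0):
    """Return (hour, count, z_score) for hours more than z standard deviations
    from the baseline.  min_spread stops flat, quiet hours from being flagged
    on a jitter of a few events."""
    out = []
    for hour, count in enumerate(today):
        mu, sigma = baseline[hour]
        score = (count - mu) / max(sigma, min_spread)
        if abs(score) > z:
            out.append((hour, count, round(score, 1)))
    return out


def profile(hour):
    """Assumed normal shape: quiet at night, busy in business hours."""
    if 8 <= hour < 18:
        return 200
    return 20 if hour < 8 else 40


def synthetic_day(seed):
    """Deterministic jitter of -5..+5 around the profile, so the example
    runs identically every time without random numbers (constructed data)."""
    return [profile(h) + ((seed * 7 + h * 3) % 11 - 5) for h in range(24)]


HISTORY = [synthetic_day(s) for s in range(7)]   # seven baseline days
TODAY = synthetic_day(7)
TODAY[2] += 140    # constructed anomaly: burst at 02:00 from a normally quiet host
TODAY[14] -= 140   # constructed anomaly: the asset's log source goes silent mid-afternoon


if __name__ == "__main__":
    for hour, count, score in find_anomalies(TODAY, build_baseline(HISTORY)):
        print(f"{hour:02d}:00 count={count} z={score:+.1f}")
```

The rest of the day stays within the learnt band and is not reported; only the night-time burst and the afternoon drop come back, with the sign of the score telling the analyst which direction the deviation went.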
