NetFort Blog

Crypto Mining Malware Spreading Via SMBv1 Vulnerability

Crypto Mining Malware

Ransomware Cryptocurrency Link

During 2017 security tooling improved, so IT and network security managers are now better equipped to deal with ransomware. In addition, independent researchers have released many standalone programs that decrypt files for specific ransomware families. This increased awareness of ransomware prevention (backing up files) and of ransomware detection tools has helped reduce the ransomware problem.

Bitcoin is frequently associated with ransomware because it is the payment type most often demanded by ransomware authors. Many cryptocurrencies are available today; you can acquire them with money or goods, or you can mine them using one or more computers.

The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.

Icarus Bitcoin Mining rig

One of the newer trends in malware is the move away from data encryption to a stealthier cryptocurrency-mining strategy. Mining runs in the background: no splash screens, no data destruction, and no need to persuade the victim to pay.

Crypto Mining Malware & Association With SMBv1

Many attackers now favour privacy-focused cryptocurrencies, with Monero being the most prominent. Monero transactions are hard to trace (Bitcoin, by contrast, has a fully public ledger) and Monero can be mined profitably on ordinary CPUs, which is why it suits infected servers. Servers are often targeted because they run continuously, and since many of them are not updated or patched on a regular basis, attackers have a better chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, were infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144), which targets the SMBv1 protocol.

Crypto mining malware like this covertly mines coins using the victim’s CPU or GPU cycles, and the longer it stays unnoticed the more it earns, so it has potential for longer-term gains than a one-off ransom. When a computer is infected many people fail to notice fans spinning up, higher load, or a machine that just stops responding. A lot of those people will pass it off as “one of those things my computer does.”

How to Detect SMBv1 Use on Your Network

As I mentioned earlier, the EternalBlue exploit is being used by many attackers to install ransomware or crypto miners on victims’ machines. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. No credentials are needed, so any host reachable on TCP port 445 with SMBv1 enabled is a target.

Because of this, you need to make sure you can detect SMBv1 use on your network and switch the protocol off on any system that has it enabled. SMBv1 has been superseded by SMBv2 and SMBv3, which are more efficient and more secure. Patching (MS17-010) closes this particular hole; disabling SMBv1 altogether removes the attack surface of a protocol that also lacks the encryption SMBv3 offers.

However, reality is sometimes harder than the theory. I met with some of our LANGuardian customers this week, and they said that when they disabled SMBv1 on some servers they lost connectivity to some printers. I also had issues in my home lab, where certain Android devices lost connectivity to a NAS when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1, but that increases the attack surface of your network; the better fix is to update or replace the few devices that cannot speak SMBv2 or later.
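Whether you use LANGuardian or a packet capture, the tell-tale on the wire is the SMB Negotiate request: a client with SMBv1 enabled opens every session with an SMB1 Negotiate (header starts 0xFF "SMB", command 0x72) listing dialect strings such as "NT LM 0.12", and advertises SMB2 only via the "SMB 2.???" string inside that SMB1 message; a client with SMBv1 disabled opens directly with an SMB2 Negotiate (header 0xFE "SMB"). The following Python is an added example written for this post, not LANGuardian code or anything from Microsoft; the packet layouts follow the public MS-CIFS and MS-SMB2 specifications, and the sample packets and IP addresses are constructed here, not captured.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_COM_NEGOTIATE = 0x0000


def parse_negotiate(tcp_payload):
    """Classify an SMB Negotiate request carried in a TCP/445 payload.

    Returns ("SMB1", [dialect strings]) or ("SMB2", [hex dialect codes]);
    other SMB commands give (version, []) and non-SMB data gives None.
    """
    # Direct-hosted SMB on TCP/445 starts with a 4-byte NetBIOS session
    # header: message type 0x00 followed by a 3-byte big-endian length.
    if len(tcp_payload) < 4 + 32 or tcp_payload[0] != 0x00:
        return None
    length = int.from_bytes(tcp_payload[1:4], "big")
    smb = tcp_payload[4:4 + length]
    if len(smb) < 32:
        return None

    if smb[:4] == SMB1_MAGIC:
        if smb[4] != SMB1_COM_NEGOTIATE:
            return ("SMB1", [])
        # After the 32-byte header: WordCount(1), parameter words, ByteCount(2),
        # then the dialect buffer: entries of 0x02 + NUL-terminated ASCII.
        word_count = smb[32]
        bc_off = 33 + 2 * word_count
        if len(smb) < bc_off + 2:
            return ("SMB1", [])
        byte_count = struct.unpack_from("<H", smb, bc_off)[0]
        buf = smb[bc_off + 2:bc_off + 2 + byte_count]
        dialects = [e.rstrip(b"\x00").decode("ascii", "replace")
                    for e in buf.split(b"\x02")[1:]]
        return ("SMB1", dialects)

    if smb[:4] == SMB2_MAGIC:
        # SMB2 header is 64 bytes; Command is a little-endian u16 at offset 12.
        if len(smb) < 64 or struct.unpack_from("<H", smb, 12)[0] != SMB2_COM_NEGOTIATE:
            return ("SMB2", [])
        body = smb[64:]
        # NEGOTIATE body: StructureSize(2)=36, DialectCount(2), SecurityMode(2),
        # Reserved(2), Capabilities(4), ClientGuid(16), 8 bytes of context
        # offset/count (or ClientStartTime), then the u16 dialect array at 36.
        count = struct.unpack_from("<H", body, 2)[0] if len(body) >= 36 else 0
        if len(body) < 36 + 2 * count:
            return ("SMB2", [])
        codes = struct.unpack_from("<%dH" % count, body, 36)
        return ("SMB2", ["0x%04x" % c for c in codes])

    return None


def smb1_talkers(flows):
    """flows: (client_ip, server_ip, payload). Returns the client IPs that sent
    an SMBv1 Negotiate, i.e. hosts that still have SMBv1 enabled."""
    found = set()
    for client, _server, payload in flows:
        parsed = parse_negotiate(payload)
        if parsed and parsed[0] == "SMB1" and parsed[1]:
            found.add(client)
    return found


# --- constructed sample packets (built here, not captured traffic) -----------

def _nb(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb1_negotiate(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27  # 32 bytes
    buf = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nb(header + b"\x00" + struct.pack("<H", len(buf)) + buf)


def build_smb2_negotiate(codes):
    header = SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, SMB2_COM_NEGOTIATE, 0)
    header += b"\x00" * 48  # flags, next command, message id, ids, signature
    body = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 24
    body += struct.pack("<%dH" % len(codes), *codes)
    return _nb(header + body)


LEGACY_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
MODERN_CLIENT = build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])

if __name__ == "__main__":
    flows = [("10.0.0.12", "10.0.0.5", LEGACY_CLIENT),
             ("10.0.0.40", "10.0.0.5", MODERN_CLIENT)]
    print(parse_negotiate(LEGACY_CLIENT))
    print(parse_negotiate(MODERN_CLIENT))
    print("SMBv1 clients:", sorted(smb1_talkers(flows)))
```

The same check applied to the server’s Negotiate Response tells you which servers still accept SMBv1: an SMB1-framed response that selects the "NT LM 0.12" dialect means the server has SMBv1 enabled, whereas a server with it disabled answers an SMB1 Negotiate with an SMB2 response (or not at all).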

Using LANGuardian to Detect SMBv1 Use

The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMBv1 clients and servers on your network. Make sure you can detect this activity, either by monitoring the communication between clients and servers or by checking each device to see whether SMBv1 is enabled.

Find Out What Systems Are Using SMBv1 on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or Username. Real time and historical reports available. No need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.

How To Detect Unauthorised DNS Servers On Your Network

Detecting unauthorized DNS servers to prevent DNS poisoning

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul Mockapetris, then at the University of Southern California, in the days of ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a secure protocol and it is a popular target for attackers. There are two ways DNS can be attacked: protocol attacks (attacks based on how DNS actually works) and server attacks (attacks exploiting bugs or flaws in the programs or machines running DNS services).

One of the more recent protocol attacks was the

In both of these cases the attackers change your DNS server, for example from 8.8.8.8 (Google), to one of their own. Most of your DNS queries will be answered correctly and you will get the right IP addresses. However, for certain sites, such as banking, the attackers direct you to a mocked-up website that looks like the real one. Your login details are captured as soon as you interact with the site and are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and a number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian builds up an inventory of all DNS servers and the client queries sent to them.

A LANGuardian report showing unauthorised DNS server use

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if clients try to access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

  • 192.168.127.22 (hosted internally on network)
  • 8.8.8.8 (google1)
  • 8.8.4.4 (google2)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.

Unauthorised DNS servers alert configuration

Once the rule is saved it will look like this on the LANGuardian alerts list.

LANGuardian DNS Alert Rule

Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata like source and destination IP addresses, country where DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

A list of unauthorised servers detected on the network using network traffic analysis

These alerts can also be exported via syslog so that they can be processed by a blocking device such as a firewall or a NAC (Network Access Control) system.
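The whitelist rule above boils down to: for every DNS query seen on the wire, check whether the destination is an approved resolver and, if not, record the source, the rogue server and the name that was queried. The following Python is an added example of that logic written for this post, not LANGuardian’s engine; the allowlist reuses the three servers listed above, and the sample query packets and client addresses are constructed here rather than captured.

```python
import ipaddress
import struct

# The three approved resolvers from the whitelist above.
ALLOWED_RESOLVERS = [ipaddress.ip_network(n) for n in
                     ("192.168.127.22/32", "8.8.8.8/32", "8.8.4.4/32")]


def parse_dns_question(payload):
    """Return (is_query, qname) for a DNS message, or None if malformed."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    is_query = (flags & 0x8000) == 0          # QR bit clear means query
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:                          # compression pointers do not belong in a question name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return is_query, ".".join(labels).lower()


def dns_alerts(records, allowed=ALLOWED_RESOLVERS):
    """records: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    Returns one alert per query sent to a resolver outside the allowlist,
    carrying the metadata the alert above shows: source, server, queried name."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != 53:
            continue
        parsed = parse_dns_question(payload)
        if not parsed or not parsed[0]:
            continue                          # responses and junk are ignored
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in allowed):
            continue
        alerts.append({"src": src, "dst": dst, "qname": parsed[1]})
    return alerts


# --- constructed sample traffic (not captured) --------------------------------

def build_query(qname, txid=0x1234):
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in qname.split(".")) + b"\x00"
    # flags 0x0100 = standard query, recursion desired; one A/IN question
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + name + struct.pack("!HH", 1, 1))


SAMPLE = [
    ("10.1.1.20", "192.168.127.22", 53, build_query("intranet.example.com")),
    ("10.1.1.20", "8.8.8.8", 53, build_query("www.example.com")),
    ("10.1.1.57", "203.0.113.9", 53, build_query("onlinebank.example")),  # rogue resolver
    ("10.1.1.57", "203.0.113.9", 53, build_query("mail.example.com")),
    # a response back to the client's ephemeral port: wrong direction, ignored
    ("203.0.113.9", "10.1.1.57", 51234, struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)),
]

if __name__ == "__main__":
    for a in dns_alerts(SAMPLE):
        print("ALERT unauthorised DNS server: %(src)s -> %(dst)s (%(qname)s)" % a)
```

Feeding the alert list to syslog (or straight to a firewall block list) is then a one-line loop; what matters for the investigation is keeping the queried name alongside the server address, since a rogue resolver that only answers banking domains differently will look perfectly healthy in bandwidth graphs.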

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port-mirror the traffic going to and from your local DNS servers as well as all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up devices using external DNS servers. Most managed switches support SPAN or mirror ports; if yours has no traffic monitoring option, a network TAP is the usual alternative. Bear in mind that DNS over TLS (TCP port 853) and DNS over HTTPS (TCP port 443) do not show up as port 53 traffic, so a port-53 rule alone will miss clients configured that way. The video below shows the steps needed to monitor Internet traffic; extend this to also monitor your local DNS servers.

Find Out What DNS Servers Are In Use On Your Network

Use the deep packet inspection engine of LANGuardian to report on what DNS servers are in use on your network. Real time and historical reports available. No need to install any agents or client software.

  • See what DNS servers are in use
  • Generate alerts if a network device uses an unauthorised DNS server
  • Capture DNS metadata so you can troubleshoot DNS issues and perform forensics on past events.

All analysis is done passively using network traffic analysis and you will see results within minutes.

Announcing NetFort LANGuardian 14.4

Span port monitoring with NetFort

LANGuardian 14.4

NetFort are delighted to announce the availability of the latest major LANGuardian release, V14.4. It includes a number of major enhancements including GeoIP traffic reporting, improvements to the alerting engine and the ability to capture network traffic and generate a PCAP via any LANGuardian sensor on the network.

The main themes of this release are improved traffic analysis, better alerting, and enhancements that help the product address compliance standards such as CSC and GDPR. LANGuardian 14.4 includes:

  • New GeoIP filtering and displays.
  • New MetaData alerting GUI and rules support.
  • New user credentials from SMB sessions.
  • New Windows Services (DCERPC) decoder.
  • New full packet capture mechanism to save PCAPs from any LANGuardian sensor.
  • Improved accuracy of Google QUIC fingerprinting.
  • New PDF format option for scheduled reports.

New GeoIP filtering and displays

GeoIP is a feature where IP addresses are automatically matched with the country where they are registered. This is very useful if you want to track which countries are connecting to your network or what countries clients on your network are connecting to. Use this for improving your network security or to meet data export compliance regulations, such as GDPR.

We have included two new reports which can be found under the Traffic Analysis report category.

  • Top Countries by Client Location. This report shows the total bandwidth, displayed by the country location of the client.
  • Top Countries by Server Location. This report shows the total bandwidth, displayed by the country location of the server.

The image below shows an example of the report output.

Top Countries by Server Location

New MetaData alerting GUI and rules support

We regularly host customer days where users of our products can review our roadmap or try out beta versions of our software. One of the most common recent requests was a need for better alerting. Customers want an easy way to configure alerts so that they are automatically notified of security or operational events that matter to them.

LANGuardian 14.4 has an updated metadata alerting GUI and rules support, so you can alert on a wide range of conditions and events that LANGuardian monitors, such as unauthorised applications, unknown DNS servers, inter-subnet access attempts and much more. Use this to implement network usage policy alerting for security and compliance. This is an upgrade on the previous version, and further enhancements are planned for the next LANGuardian release.

The image below shows an example of how an alert is configured. This alert will trigger if any user deletes a file called budget2018.xlsx off the network.

network traffic metadata rule

New user credentials from SMB sessions

One of the unique selling points of LANGuardian is its ability to associate network activity with actual usernames. It does this by working out which users are assigned which IP addresses on the network. However, it is possible to log on to the network with one username and then use another username to connect to a Windows file share.

LANGuardian 14.4 can now passively capture the usernames being used to connect to Windows file shares. This is very useful for reporting on which users are connecting to file shares with administrator accounts. It is also useful for compliance standards such as GDPR, where you may have to identify credential sharing as part of Identity and Access Management (IAM).

The following image shows an example of domain user association with network file share activity. The user logged on to the workstation that accessed the Profit & Loss file was darragh.delaney.

Domain user accessing file

The next image shows an example of the new passive username capture from SMB sessions. The actual user that was used to connect to the file server was darragh.

network user accessing SMB file share

Windows Services (DCERPC) decoder

DCE/RPC, short for “Distributed Computing Environment / Remote Procedure Calls”, is the remote procedure call system developed for the Distributed Computing Environment (DCE). It allows programmers to write distributed software as if it were all running on the same computer, without having to worry about the underlying network code.

A lot of Windows applications use DCERPC to communicate between clients and servers; examples include network printing and some Microsoft Exchange services. Previous versions of LANGuardian could detect DCERPC but could not drill down to see which applications were in use. LANGuardian 14.4 now includes a DCERPC decoder so you can drill down and see what applications are in use.

The screenshot below shows an example of the drilldown. Here we can see how DCERPC is being used mostly for printing and Exchange on my network.

Distributed Computing Environment / Remote Procedure Calls

New full packet capture mechanism

We introduced a full packet capture feature in LANGuardian last year. Customers wanted the ability to capture unprocessed network traffic so that they could take a look at it outside of LANGuardian. The first version only allowed you to take packet captures off local network interface cards.

LANGuardian 14.4 now allows you to save PCAPs from any LANGuardian sensor on your network from a centralized GUI. Leverage your LANGuardian installation to get complete coverage for troubleshooting or forensics. The image below shows the packet capture option in use. Clicking on the network interface dropdown now allows you to select any sensor.

Packet capture

Improved accuracy of Google QUIC fingerprinting

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol.

LANGuardian 14.4 includes improved detection capabilities for this protocol. The screenshot below shows a typical drilldown. The majority of the traffic will be associated with YouTube, but you will also see QUIC associated with other Google services.

Google QUIC Protocol

New PDF format option for scheduled reports

Automated email reports are popular with our customers. Many will choose to get reports like Top Network Events, Top Users or Top Applications delivered to their mailboxes every day. For some time these reports were delivered in HTML format. LANGuardian 14.4 now includes a new option where you can get your reports delivered as PDF attachments.

PDF email attachments

Video: A quick tour of the new features in LANGuardian 14.4

You can download a 30 day trial of LANGuardian from here.

Tracking Down New Devices After The Holiday Season

Tracking wireless devices on network

New Devices = New Year Challenges

As 2017 draws to a close I would like to take this opportunity to wish all my business and Infosec contacts a Happy Christmas and best wishes for the new year. It is also the season for exchanging gifts, and at the top of many people’s lists is a new phone, tablet or some other IoT gadget. It is amazing what you can get for so little now. I just watched a video about an Android powered smartwatch that comes with a SIM slot, camera, touchscreen, access to the Play Store plus many other features, and you get all this for $12.

The challenge these devices bring is that they may end up on corporate networks. No big deal, you may say, but all it takes is one compromised system to bring down your network with a malware infection. Portability is the problem: users walk past your firewall with their shiny new device and suddenly you have a problem inside your network.

Another issue is the potential bandwidth grab that new devices bring. Many will need updates, and as soon as they get onto a network with lots of bandwidth they start downloading them. Some of these updates can be over 2GB in size, which can swamp WAN or Internet connections.

How can you detect new devices on your network?

One of the best ways to detect new devices on your network is to monitor network traffic going to and from a number of key points including:

  1. Internet gateway
  2. Internal interfaces of proxy servers
  3. DHCP queries
  4. DNS queries
  5. Network interfaces going to WAN routers

One of the easiest ways to monitor network traffic is to use a SPAN, mirror port or TAP. These allow you to get a full copy of network traffic as it passes through a switch. The main thing to remember is that you don’t need to monitor every port on your network, just focus on the ones I have listed above.

Once you have a traffic source in place you then need to extract certain information from the network packets which will allow you to report on new network devices. For the purposes of this blog I am going to use our own LANGuardian system, which can extract device metadata from the packets. The video below details the steps necessary to monitor Internet traffic, and you can extend this to include other network points.

Monitoring Internet Traffic. Proxy & Direct

One of the richest sources of data when it comes to monitoring new devices is Internet traffic. Most wired and wireless devices try to access external services to download updates or to send and receive data to cloud services. Buried within this data are pieces of metadata which can reveal what devices are on your network.

The image below shows an example of metadata captured from Internet traffic which is then used to build up an inventory of what devices are connecting to your network.

Monitoring DHCP Requests

New devices connecting to your network will normally send out a DHCP request so that they can get an IP address, which they then use to communicate. If you monitor these DHCP requests you can start to build up an inventory of what devices are connecting to your network. The screenshot below shows an example of what you should be capturing. Here you can see the device MAC addresses with associated hostname and IP address. An alert can be triggered on LANGuardian if the MAC address is new, so you know when a new device connects to your network.

DHCP Requests
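The DHCP inventory described above comes from a handful of fields in the client’s DHCPDISCOVER and DHCPREQUEST messages: the hardware address (chaddr), the hostname option (12), the vendor class option (60), and the requested address option (50). The Python below is an added example that decodes those fields and flags a MAC address the first time it is seen; it was written for this post and is not LANGuardian’s decoder. The packet layout follows RFC 2131 and the sample packets, hostnames and vendor strings are constructed here, not captured.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPREQUEST = 1, 3
OPT_MSG_TYPE, OPT_HOSTNAME, OPT_VENDOR_CLASS, OPT_REQ_IP, OPT_END = 53, 12, 60, 50, 255


def parse_dhcp(payload):
    """Return a dict for a client DHCPDISCOVER/DHCPREQUEST, otherwise None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen = payload[0], payload[1], payload[2]
    if op != 1 or hlen != 6:                       # BOOTREQUEST with a 6-byte MAC
        return None
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])
    opts, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_END:
            break
        if code == 0:                               # pad byte
            pos += 1
            continue
        if pos + 1 >= len(payload):
            return None
        length = payload[pos + 1]
        opts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCPDISCOVER, DHCPREQUEST):
        return None
    req_ip = opts.get(OPT_REQ_IP)
    return {
        "mac": mac,
        "type": "DISCOVER" if msg_type == DHCPDISCOVER else "REQUEST",
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("utf-8", "replace"),
        "vendor": opts.get(OPT_VENDOR_CLASS, b"").decode("utf-8", "replace"),
        "requested_ip": ".".join(str(b) for b in req_ip) if req_ip and len(req_ip) == 4 else None,
    }


class DeviceInventory:
    """Keeps the last-seen details per MAC and reports first-time sightings."""

    def __init__(self, known_macs=()):
        self.devices = {}
        self.known = set(known_macs)                # MACs already in your asset list

    def observe(self, payload):
        info = parse_dhcp(payload)
        if info is None:
            return None
        new = info["mac"] not in self.known and info["mac"] not in self.devices
        self.devices[info["mac"]] = info
        return {"new_device": new, **info}


# --- constructed sample packets (not captured) --------------------------------

def build_dhcp(mac_hex, msg_type, hostname=None, vendor=None, requested_ip=None):
    mac = bytes.fromhex(mac_hex.replace(":", ""))
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0xDEADBEEF, 0, 0x8000)  # op..flags
    fixed += b"\x00" * 16                            # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac + b"\x00" * 10 + b"\x00" * 192      # chaddr(16), sname(64), file(128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if hostname:
        opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    if vendor:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor.encode()
    if requested_ip:
        opts += bytes([OPT_REQ_IP, 4]) + bytes(int(x) for x in requested_ip.split("."))
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


SAMPLE = [
    build_dhcp("a4:5e:60:11:22:33", DHCPDISCOVER, hostname="alice-iphone"),
    build_dhcp("a4:5e:60:11:22:33", DHCPREQUEST, hostname="alice-iphone", requested_ip="10.0.0.150"),
    build_dhcp("00:11:22:aa:bb:cc", DHCPREQUEST, hostname="android-watch", vendor="android-dhcp-7.1"),
]

if __name__ == "__main__":
    inv = DeviceInventory(known_macs={"00:11:22:aa:bb:cc"})
    for pkt in SAMPLE:
        print(inv.observe(pkt))
```

The vendor class and hostname are what turn a bare MAC into something a human can act on (a smartwatch announcing itself as an Android DHCP client, for instance); the MAC prefix alone is less reliable now that many phones randomise it per network.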

Monitoring DNS Queries

Once you start to build an inventory of what is connecting to your network, you should also try and capture some associated data. A good example would be to capture all DNS queries that devices on your network are sending. These queries can reveal a lot about what the devices are doing and what sort of applications they are running. In the example below we can see that there is a device active on our network and it is running cloud apps like WhatsApp and GMail and it is running the Township game.

Monitoring network interfaces going to WAN routers

As I mentioned previously, wireless\IoT devices can consume large volumes of bandwidth. Businesses can be impacted if users in remote sites start complaining that the “network is slow” and all it takes is for one device update to swamp a link. Make sure you are monitoring what applications are using your bandwidth.

An easy way to do this is to monitor the network interfaces on your WAN routers with a product like LANGuardian. It can also associate network activity with usernames, so you know who is doing what on your network. A sample of this username integration is shown in the image below.

Top network users

Find Out What Devices Are Connecting To Your Network

Use the deep packet inspection engine of LANGuardian to report on what devices are connecting to your network. Real time and historical reports available. No need to install any agents or client software.

  • See what devices are connecting to your network
  • Generate alerts if a new device connects
  • Capture associated metadata for forensics

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to Passively Detect VPN Clients on Your Network

How to detect the presence of VPN clients

Why worry about VPN clients?

VPNs have been around for a long time. A VPN extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

If you use public WiFi networks such as those found in airports and cafes then it is recommended that you use a VPN service. A VPN ensures that all of your communication between your device and the VPN server is encrypted, so nobody on the local network can read it.

However, there are times when VPN activity is suspicious and/or bad. I see an increasing amount of VPN activity on college\school networks. In most cases end users are using a VPN to get around a web filter or to use a blocked application such as BitTorrent. A VPN also punches a hole in your firewall and may become a route for nasties such as ransomware.

“A VPN client will punch a hole through your firewall”

Common uses for VPN clients

Good

  1. Site to site connectivity where a branch office can connect to HQ via the Internet
  2. Allows remote workers to connect to HQ
  3. Encrypts your data when you are on a public WiFi network

Bad

  1. Bypass web filters (some may not see this as bad)
  2. Allows you to run applications which are blocked
  3. Create a hole in a Firewall which may become the source of a Malware infection
  4. Can be used for data exfiltration

How to detect VPN clients on your network

VPN clients can be difficult to detect as they typically use a port such as 443 over UDP or TCP which is normally open on a firewall. However, there are a number of things to watch out for. First we need to understand how the most common VPN clients work.

Most VPN clients come as a software package which includes the actual VPN software and a database of VPN servers. The idea is that everything you need is included when you install, so you don’t need to access a specific website to connect to anything. If you did, it would be easy to block access to those websites. This makes it hard to detect VPN clients if you are only looking at reports from something like a web filter.

Once you select a VPN server, an encrypted connection is created between your client and the VPN server. All of your Internet bound activity is then routed through this VPN connection. If you want to browse a website for example, the VPN server connects to the website and sends the text\images\media back to you via your encrypted connection. This is what makes them secure, someone ‘sniffing’ your local traffic can’t see what you are accessing.

How VPN works

In summary, a VPN client makes a direct connection to a VPN server and this server then does the job of accessing whatever service\application you requested. This differs from users connecting to websites or applications directly. For example, I may visit YouTube using a web browser. When I type in YouTube.com my computer first resolves this name to an IP address using DNS. Computers use IP addresses to connect, not human-readable names.

In order to detect VPN clients on a network, we need to watch out for any client sessions where there is client to server connections with no DNS resolutions. To do this you need to monitor network traffic going to and from your Internet gateway and you also need to monitor DNS traffic hitting your DNS servers if you host them locally.

Detecting VPN Clients

  1. Monitor Internet traffic
  2. Monitor DNS queries
  3. Watch out for client connections to external hosts with no name resolution

What you need to watch out for is any session to an external IP address which has no hostname associated with the server. If the connection is over TCP or UDP port 443 then you are probably looking at VPN client activity. Also watch the other well-known VPN ports, such as UDP 1194 (OpenVPN), UDP 500/4500 (IKE/IPsec) and UDP 51820 (WireGuard). Expect some false positives: a client may have resolved the name before your capture started, and some applications connect to hard-coded IP addresses. The image below shows an example of what to watch out for. The first client listed is connecting directly to an IP address as no hostname is shown. The other connections are to Googlevideo, which is part of the YouTube service.
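The three-step check above (monitor Internet traffic, monitor DNS, flag connections to external hosts that were never resolved) is a correlation job: index every DNS answer by client and resolved address, then look each outbound connection up in that index. The Python below is an added example of that correlation written for this post, not LANGuardian’s logic; it assumes DNS answers and flows have already been decoded into tuples (the decoding of raw packets is not repeated here), and the DNS answers, flow records, addresses and port list are constructed for illustration.

```python
from collections import defaultdict

# Ports commonly used by VPN clients when they are not hiding on 443:
# OpenVPN 1194, IKE/IPsec 500 and 4500, PPTP 1723, WireGuard 51820.
VPN_PORTS = {(443, "tcp"), (443, "udp"), (1194, "udp"), (1194, "tcp"),
             (500, "udp"), (4500, "udp"), (1723, "tcp"), (51820, "udp")}


def build_resolution_index(dns_answers):
    """dns_answers: (ts, client_ip, qname, answer_ip).
    Index (client, answer_ip) -> [(ts, qname)] so a later connection from the
    same client to that address can be tied back to a name."""
    idx = defaultdict(list)
    for ts, client, qname, ip in dns_answers:
        idx[(client, ip)].append((ts, qname))
    return idx


def name_for(idx, client, dst_ip, ts, ttl_window=3600):
    """Most recent name this client resolved to dst_ip within ttl_window
    seconds before ts, or None if it never resolved that address."""
    candidates = [(t, q) for t, q in idx.get((client, dst_ip), [])
                  if 0 <= ts - t <= ttl_window]
    return max(candidates)[1] if candidates else None


def suspect_vpn_flows(dns_answers, flows, internal_prefix="10."):
    """flows: (ts, client_ip, dst_ip, dst_port, proto). Returns the flows to
    external hosts with no preceding DNS resolution, tagged with whether the
    destination port is a common VPN port."""
    idx = build_resolution_index(dns_answers)
    out = []
    for ts, client, dst, dport, proto in flows:
        if dst.startswith(internal_prefix):
            continue                                 # internal traffic is out of scope
        if name_for(idx, client, dst, ts) is None:
            out.append({"client": client, "dst": dst, "port": dport, "proto": proto,
                        "vpn_port": (dport, proto) in VPN_PORTS})
    return out


# --- constructed sample data (not captured) -----------------------------------
DNS_ANSWERS = [
    (100, "10.1.1.20", "www.youtube.com", "142.250.1.1"),
    (101, "10.1.1.20", "r3---sn-example.googlevideo.com", "142.250.2.2"),
    (105, "10.1.1.33", "www.example.com", "93.184.216.34"),
]
FLOWS = [
    (102, "10.1.1.20", "142.250.1.1", 443, "tcp"),    # resolved: normal browsing
    (103, "10.1.1.20", "142.250.2.2", 443, "udp"),    # resolved: QUIC to googlevideo
    (110, "10.1.1.33", "93.184.216.34", 443, "tcp"),  # resolved
    (120, "10.1.1.33", "198.51.100.7", 443, "udp"),   # never resolved: VPN suspect
    (121, "10.1.1.33", "198.51.100.7", 1194, "udp"),  # OpenVPN default port
    (130, "10.1.1.20", "10.1.1.5", 445, "tcp"),       # internal, skipped
    (140, "10.1.1.44", "203.0.113.80", 80, "tcp"),    # unresolved, but not a VPN port
]

if __name__ == "__main__":
    for s in suspect_vpn_flows(DNS_ANSWERS, FLOWS):
        print(s)
```

Note that the index is keyed per client: a name resolved by one workstation does not explain a connection from another, which is exactly the case when a VPN client carries its own server list and never asks your resolver at all.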

Report showing a VPN client connecting to an external VPN server

Check out the video below to learn more about how you can use our LANGuardian product to detect VPN clients.

How to Detect Scarab Ransomware by Monitoring Network Traffic

Along comes another one. Scarab Ransomware

Scarab Ransomware is just another in a series of Ransomware variants that appeared in 2017. It falls into the crypto Ransomware category which typically go after user data on hard drives and network shares and encrypts it. Scarab Ransomware has the typical three stage infection process:

  1. Get a user to click on a link or open an attachment infected with Malware
  2. Connect to external websites to download the actual Ransomware
  3. Encrypt the users data and leave a ransom note

The name Scarab is also associated with a family of beetles. Scarabs are stout-bodied beetles, many with bright metallic colours, measuring between 1.5 and 160 mm. They are also known as a dung beetle.

Detecting the presence of Scarab Ransomware

First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by co.uk inboxes. It was sent to millions of email addresses in the first four hours alone, according to Forcepoint. The emails are originating from hosts within the Necurs Botnet.

The unsolicited emails in question come with the well-worn “Scanned from {printer company name}” subject line and contain a 7zip attachment with a VBScript downloader. Use SMTP traffic monitoring or check the logs on your email server for any subject lines which start with “Scanned from”.

Another key indicator of Scarab Ransomware is the presence of these types of files on network shares:

  • Files with the extension “.[suupport@protonmail.com].scarab”
  • Ransom notes which are saved as text files with the name “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT”

The image below shows how our LANGuardian product detected suspicious activity on a network share by monitoring network traffic going to and from the file servers. When you monitor network traffic like this you can passively generate a list of all file and folder activity without the need for logging or agents.

Scarab Ransomware detected on a network

Watch out for an increase in file renames. A sure sign of Scarab Ransomware activity

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Scarab Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behaviour to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can setup a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can setup a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware. You just need to change the file extensions to the ones mentioned earlier in this blog post.
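The two detections described above, the rename-rate threshold and the extension match, can be expressed as a small stream monitor over file-activity events. The Python below is an added example written for this post, not LANGuardian’s alerting engine; it uses the 4-renames-per-second threshold, the file extension and the ransom note name given above, and the file-activity events, usernames and paths are constructed here rather than taken from a real share.

```python
from collections import deque

RENAME_THRESHOLD = 4          # renames per second, as recommended above
RANSOM_EXTENSIONS = (".[suupport@protonmail.com].scarab",)
RANSOM_NOTES = ("IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",)


class RenameRateMonitor:
    """Sliding one-second window of rename events per (user, server)."""

    def __init__(self, threshold=RENAME_THRESHOLD, window=1.0):
        self.threshold = threshold
        self.window = window
        self.windows = {}      # (user, server) -> deque of rename timestamps
        self.alerted = set()   # keys already reported, so one burst = one alert

    def feed(self, event):
        """event: dict with ts, user, server, action, path[, new_path].
        Returns the alert strings raised by this event (usually none)."""
        alerts = []
        name = (event.get("new_path") or event["path"]).rsplit("/", 1)[-1]
        if name.lower().endswith(tuple(e.lower() for e in RANSOM_EXTENSIONS)):
            alerts.append("ransomware extension: %s wrote %s" % (event["user"], name))
        if name in RANSOM_NOTES:
            alerts.append("ransom note dropped: %s wrote %s" % (event["user"], name))
        if event["action"] == "rename":
            key = (event["user"], event["server"])
            q = self.windows.setdefault(key, deque())
            q.append(event["ts"])
            while q and event["ts"] - q[0] > self.window:
                q.popleft()                   # drop renames older than the window
            if len(q) >= self.threshold and key not in self.alerted:
                self.alerted.add(key)
                alerts.append("rename burst: %s renamed %d files in %.1fs on %s"
                              % (event["user"], len(q), self.window, event["server"]))
        return alerts


def scan(events):
    """Replay events in time order and collect every alert."""
    mon = RenameRateMonitor()
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        out.extend(mon.feed(e))
    return out


# --- constructed file-activity events (not from a real share) ------------------
EVENTS = [
    {"ts": 1.0, "user": "bob", "server": "fs1", "action": "read", "path": "/finance/q3.xlsx"},
    {"ts": 1.5, "user": "bob", "server": "fs1", "action": "rename",
     "path": "/finance/draft.docx", "new_path": "/finance/final.docx"},
] + [
    {"ts": 10.0 + i * 0.1, "user": "alice", "server": "fs1", "action": "rename",
     "path": "/hr/doc%d.docx" % i,
     "new_path": "/hr/doc%d.docx.[suupport@protonmail.com].scarab" % i}
    for i in range(6)
] + [
    {"ts": 10.9, "user": "alice", "server": "fs1", "action": "write",
     "path": "/hr/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"},
]

if __name__ == "__main__":
    for line in scan(EVENTS):
        print("ALERT", line)
```

Bob’s single rename never troubles the threshold, while alice crosses it on the fourth rename inside one second; the burst alert fires once per user and server, which is the signal to disable that account’s share access before the rest of the tree is encrypted.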

Firewall Reporting Excessive SYN Packets? Check Rate of Connections

TCP handshake showing SYN packets

What are SYN packets?

Last week I was on the road in Scotland visiting some of our university customers. During a meeting with a Network Security Specialist, a network issue popped up and he said to me, “our firewall is triggering SYN packet alerts, is there anything you can do to help?”

SYN packets are generated when a client attempts to start a TCP connection to a server; the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and it is the foundation of every connection established using TCP. In the past attackers could bring down a firewall with a SYN flood: lots of SYN packets sent without ever completing the handshake. Each half-open connection consumed state on the firewall until it stopped accepting new connections. This is a serious business problem now that so many applications are cloud based and need fast and reliable Internet access.

A SYN alert could be the sign of attacker reconnaissance

Modern firewalls deal with SYN attacks better by rate-limiting SYN requests, amongst other things. However, they still retain their alerting features, so if something unusual is spotted they will trigger an alarm.

Not all SYN alerts are attacks designed to bring down your firewall. This was the case with the customer I mentioned earlier. In summary, they were getting a lot of connections from a host in China which was trying to find any systems running SSH services. This is very common: attackers seek out SSH servers and, once found, run a dictionary attack against root or other accounts. If they succeed they have a foothold on the LAN segment that the SSH server sits on.

The image below shows a sample of the events from our LANGuardian system. Each one of these is triggered when a host tries to connect to more than 300 other systems in 25 seconds or less. At the same time the firewall on the same network was triggering excessive SYN packets alerts. The fix in this case was to get the ISP to block the Chinese host.

SYN alerts generated by lots of connections from a single host

How to get visibility at the network edge

If you want to see what is hitting your firewall then you need to monitor network traffic hitting the outside network interfaces. Typically this is done by setting up a SPAN or mirror port on the network switch which connects to the external interfaces.

The image below shows a typical setup. Network packets destined for the LAN or DMZ are analysed by a traffic analysis tool connected to the network switch which joins the devices together outside the LAN firewall. Most servers located here have public IP addresses and so are exposed to network scanning. You can also measure SYN packet rates at this point and see what is hitting your main firewall.

DMZ network with traffic monitoring tool in place

One of the main things I watch out for in the DMZ is the rate of connection attempts. This is similar to detecting SYN attacks, but as I mentioned, most of this activity is reconnaissance: attackers trying to find a way into your network. Some of the firewalls I looked at trigger SYN attack alerts when they start receiving around 10,000 connection attempts per second, but this varies.

The image below is from one of our LANGuardian systems. It is reporting the level of what we call netscans: a netscan is triggered when one host tries to connect to more than 300 others in less than 25 seconds. An alert is triggered when this goes over 20 events per second. Our testing has shown that some firewalls start triggering their own alerts when this rate is reached and may start dropping or refusing connections.

Network scan levels
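To make the netscan rule concrete, here is an added example in Python (not LANGuardian code, and not a description of how its engine is implemented) that applies the same two thresholds to a constructed list of connection attempts: a sliding 25-second window of distinct destinations per source host, and a per-second count of the resulting events against the 20-per-second alert level.

```python
"""Netscan detection over a stream of connection attempts.

Added example, not LANGuardian code. The two thresholds follow the post:
a netscan event is raised when one source tries to reach more than 300
distinct hosts within 25 seconds, and an alert is raised when more than
20 netscan events occur in one second. Input records are constructed.
"""
from collections import defaultdict, deque

NETSCAN_HOSTS = 300        # distinct destinations that trigger one event
NETSCAN_WINDOW = 25.0      # seconds
ALERT_EVENTS_PER_SEC = 20  # netscan events per second that trigger an alert


def detect_netscans(conns, hosts=NETSCAN_HOSTS, window=NETSCAN_WINDOW):
    """conns: iterable of (timestamp, src_ip, dst_ip), sorted by timestamp.

    Returns a list of (timestamp, src_ip, distinct_destinations) netscan
    events. A sliding window per source keeps the distinct destinations seen
    in the last `window` seconds; once an event fires the source's window is
    reset, so a long scan produces a stream of events rather than one per packet.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    seen = defaultdict(dict)      # src -> {dst: occurrences inside the window}
    events = []
    for ts, src, dst in conns:
        queue, counts = recent[src], seen[src]
        queue.append((ts, dst))
        counts[dst] = counts.get(dst, 0) + 1
        # Expire attempts that have fallen out of the window.
        while queue and ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if len(counts) > hosts:
            events.append((ts, src, len(counts)))
            queue.clear()
            counts.clear()
    return events


def netscan_rate_alerts(events, threshold=ALERT_EVENTS_PER_SEC):
    """Bucket netscan events per whole second; return (second, count) pairs
    where the count exceeds the threshold, the rate at which the post says
    some firewalls begin dropping or refusing connections."""
    per_second = defaultdict(int)
    for ts, _, _ in events:
        per_second[int(ts)] += 1
    return sorted((s, n) for s, n in per_second.items() if n > threshold)


def sample_connections():
    """Constructed sample: one external host sweeps 350 addresses in 10 seconds
    while a workstation talks to the same five servers throughout."""
    conns = []
    for i in range(350):
        conns.append((100.0 + i * 10 / 350, "203.0.113.9", f"10.0.{1 + i // 250}.{1 + i % 250}"))
    for i in range(200):
        conns.append((100.0 + i * 0.05, "10.0.1.20", f"10.0.5.{1 + i % 5}"))
    conns.sort()
    return conns


if __name__ == "__main__":
    found = detect_netscans(sample_connections())
    for ts, src, n in found:
        print(f"{ts:8.2f}  netscan from {src}: {n} distinct hosts in window")
    print("rate alerts:", netscan_rate_alerts(found))
```

On the constructed input the sweep from 203.0.113.9 produces exactly one event (301 distinct hosts about 8.6 seconds in) and the workstation produces none; a single event per second is well under the 20-per-second alert level, so the alert list is empty. Feeding real connection records into `detect_netscans` in timestamp order is all that is needed to reproduce the graph in the post.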

We have seen instances, for example DDoS attacks, where the organisation’s firewall is under so much pressure trying to handle the attack that it cannot be accessed and used as a reporting or forensics tool. Another advantage of a continuous but passive system such as the LANGuardian is that it can always be accessed when required and, as it is not inline, can never have any impact on network availability or performance.

The video below goes through the steps needed to set up a SPAN or mirror port to monitor network traffic. The example covered looks at monitoring the internal LAN interfaces of a firewall, but you can apply a similar approach when it comes to monitoring the external interfaces.

Do you really need ‘Artificial Intelligence’ for actionable alerts?

Alert image

Using Traffic Analysis as a Data Source

As we have mentioned numerous times in our blogs, Network Traffic Analysis, or Deep Packet Inspection (DPI), is a very flexible technology. It can be used for many use cases including continuous monitoring of user and device activity, reporting, forensics, analytics and of course troubleshooting of everyday problems. One of the benefits of using a DPI engine to analyse network traffic flows is the rich, application-specific detail and context: metadata that can be extracted and presented in real time or stored for forensics, and which is ideal for many IT security and operational use cases.

DPI can sometimes be seen as a ‘complex and expensive technology’ only suitable for large enterprises, but not with the latest engines such as the one found in the NetFort LANGuardian. The basic principle of the LANGuardian engine is to have the engine do all the ‘heavy lifting’ (reassembly, analysis, alerting), making it very easy to use and read: ideal for all skill levels across organisations of all sizes with minimal training.

Actionable Alerts That Our Customers Requested

Recently we have been asked by our customers to generate real time alerts on various network and user activities that are critical to them. Examples, in the customers’ own words, include:

  • US Manufacturing company
    • ‘Alert if a user or device generates more than x GB of data over a given time?’
    • ‘Alert if certain file types are detected (e.g. mkv files)? ‘
  • Large EU University
    • ‘Alert when a machine on our network is maliciously scanning 100,000’s of IP addresses across the globe.’
  • EU Online retail company
    • ‘Any internal ip address making a connection to an external ip where the connection (TCP/UDP) was not preceded by a DNS query that returned the external ip’
  • EU Government organisation
    • ‘Alert on any web accesses not via the proxy server’
  • US City Council
    • ‘I’m trying to figure out the syntax for a rule to detect when the BitTorrent protocol is detected’
    • Oct 2016: ‘Detect SMB1 traffic. Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.’
  • US Law firm
    • ‘Alert if a lawyer uploads huge files to our shared server within a short period of time using up all our space’

Some seem very obvious and simple, but on closer examination most make sense. It is also interesting to note that most customers do not request many alerts, perhaps because they are already flooded with false positives and find it almost impossible to spot the real, actionable ones.

Machine Learning

I had a chat with a customer last week who purchased a pretty well known ‘machine learning’ based network security product 6 months ago. When he mentioned the product name, I was very curious and asked how it was going. ‘Nothing yet, 6 months of false positives, but you know, it is still learning’. So now not only have they invested a lot of time and money in purchasing and implementing a product, but it is also costing them time every day, as it is giving them even more false positives to investigate!

Actually, a small number of our customers who requested the alerts included in the list above have recently implemented some expensive ‘Machine learning’ based security products. We started discussing it here internally and it got us wondering about the massive hype by vendors, analysts etc. around machine learning with respect to security. What is really driving it? The lack of skilled security analysts is definitely one factor, big data another, but another one is surely the current set of overly complex and expensive security products? And maybe the venture capitalists who have invested huge amounts of money in companies developing this technology, many of whom are struggling with sales?

Developing Our Own Alerting Engine

We are putting a huge focus on the usability of our alert engine, making sure it is as easy as possible to define the rules that generate real, actionable alerts rather than false positives: the alerts that are important to the user, the organisation and the business.

Of course, sometimes the simplest and best ones are not that easy to implement. For example, the ‘connection without a preceding DNS query’ case requires context and state, and some understanding of the protocol in use, before an alert can be generated. As mentioned by one of our engineers, some are also somewhat vague and require more detail. It may also be that some do not require an instant alert; a simple email sent to the administrator each morning may suffice.
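As an added illustration of the state the DNS case needs, the Python below (example code, not LANGuardian’s own rule engine) keeps, per client, the addresses returned by observed DNS answers until their TTL expires, and flags any internal-to-external connection whose destination was never returned to that client. The internal address ranges, the exemption for traffic to port 53 and every record in the sample are assumptions made for the example.

```python
"""Flag internal-to-external connections that were not preceded by a DNS
answer returning the destination address (the online retailer's request).

Added example, not LANGuardian code. It assumes you see both the client's
DNS responses and its connections and can key them per client; the records
below are constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal ranges (RFC 1918); adjust to the site's addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports that legitimately have no preceding DNS answer (the resolver itself).
EXEMPT_PORTS = {53}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unresolved_connections(events, grace=0.0):
    """events: list of dicts sorted by 'ts'. DNS records look like
    {'type': 'dns', 'ts', 'client', 'qname', 'answers': [ip, ...], 'ttl'};
    connection records look like {'type': 'conn', 'ts', 'src', 'dst', 'proto', 'dport'}.

    A DNS answer makes its addresses 'resolved' for that client until the TTL
    (plus an optional grace period for cached entries) expires; an internal
    to external connection whose destination is not currently resolved for
    that client is returned.
    """
    resolved = defaultdict(dict)   # client -> {ip: expiry timestamp}
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            expires = ev["ts"] + ev["ttl"] + grace
            for ip in ev["answers"]:
                resolved[ev["client"]][ip] = expires
        elif ev["type"] == "conn":
            src, dst = ev["src"], ev["dst"]
            if not is_internal(src) or is_internal(dst) or ev["dport"] in EXEMPT_PORTS:
                continue   # only internal clients reaching out, and not to the resolver
            expiry = resolved[src].get(dst)
            if expiry is None or expiry < ev["ts"]:
                hits.append(ev)
    return hits


def sample_events():
    """Constructed: one resolved HTTPS session, one connection with no lookup,
    a second client reusing another client's answer, the resolver itself,
    and a connection made after the TTL expired."""
    return [
        {"type": "dns", "ts": 1, "client": "10.0.0.5", "qname": "example.com", "answers": ["93.184.216.34"], "ttl": 300},
        {"type": "conn", "ts": 2, "src": "10.0.0.5", "dst": "93.184.216.34", "proto": "tcp", "dport": 443},
        {"type": "conn", "ts": 3, "src": "10.0.0.5", "dst": "203.0.113.77", "proto": "tcp", "dport": 4444},
        {"type": "conn", "ts": 4, "src": "10.0.0.6", "dst": "93.184.216.34", "proto": "tcp", "dport": 443},
        {"type": "conn", "ts": 5, "src": "10.0.0.5", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
        {"type": "conn", "ts": 400, "src": "10.0.0.5", "dst": "93.184.216.34", "proto": "tcp", "dport": 443},
    ]


if __name__ == "__main__":
    for hit in find_unresolved_connections(sample_events()):
        print(f"t={hit['ts']}: {hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']} with no preceding DNS answer")
```

The `grace` parameter is the tuning knob the post alludes to: browsers and operating systems cache answers, sometimes beyond the TTL, so a strict expiry produces noise on long-lived sessions, while a generous grace period hides a host that has simply stopped resolving names. Shared proxies and a central resolver that answers on behalf of clients both need the per-client keying relaxed.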

It will take time to get right: some tuning, knowledge of the network etc. Ease of use and readable data are a must, otherwise it will never work. These are basics some security vendors simply do not pay enough attention to; instead they spend a lot of time and money on graphics and web interfaces designed by gamers, dark constellations which look fantastic but, when you start to look at the detail for actionable intelligence, leave you thinking ‘what is this really telling me?’

There are many common and critical threats or ‘bad’ network and user activities that do not require sophisticated artificial intelligence or machine learning. Most organisations do not have the resources to monitor various dashboards to actually try and detect suspicious activity in real time, but simply want a real alert with some readable context and data to understand what the alert is actually telling them.

Where to Start

Is it not common sense? Start small and work the basics. Use network traffic analysis, for example, to monitor internal activity and get the visibility you need to understand what is happening on your network. Modify your ‘active’ systems, for example your firewall, to get rid of everything that could widen your attack surface and then add alerts, one by one, to ensure you are immediately notified the next time. Use forums, blogs and your own network to keep in touch and build and update your own alert set. Add them one by one; you will be amazed at the size of your list after a few months and the lack of false positives.

Did Any Zombie Creep Into Your Network During Halloween?

zombie on network

Network Zombies

Now that Halloween is behind us we can put away the scary decorations and funny costumes. It may also be a good time to check our networks for zombie hosts or users. They can take many forms:

  1. Clients infected with Malware which form part of an external botnet
  2. Faulty equipment which may be generating excessive broadcast traffic
  3. Rogue IoT devices eating bandwidth
  4. External clients scanning your network perimeter and exploiting firewall holes
  5. Misuse of network resources by one or more users

Infected Clients

Many networks have lots of security devices at the network edge. From Firewalls to IPS type systems, securing the perimeter has been a priority for many IT managers. The trouble is that while this is a good thing to do, malware can still get in and unless you are monitoring what is going on inside your network you may be at risk. A user may bring in a USB stick laden with Malware for example and walk past your firewall.

I recently read about this network breach where unauthorized software was found on a server and it may have led to data loss. Some time ago I installed a trial version of our LANGuardian product onto a network and we found a client sending over 10,000 SPAM emails per hour. The interesting thing here was that the user of the computer was not complaining and an antivirus scan did not find anything. In the end the IT manager had to get the system reinstalled.

One way to find out what is happening on your internal network is to monitor network traffic moving through your core switch by setting up a SPAN or mirror port. Network traffic is an excellent source of user and application information. Once you have your data source in place a combination of network based intrusion detection and metadata analysis will root out any suspicious activity.

The image below taken from our own LANGuardian system shows an example of what to look out for. Events such as ET MALWARE Win32/InstallCore Initial Install Activity 1 or ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 need to be investigated and the associated clients need to be removed from the network.

Network based IDS

Faulty Network Equipment

Technology can be wonderful when it works but when something goes bad it can be a nightmare to figure out what went wrong. A few years back there was massive disruption to air traffic at Dublin airport when a network card went faulty and caused the breakdown of a radar system. Our support team here worked with one of our own customers a while back when a faulty IP phone brought down an entire network segment by sending out large volumes of broadcast traffic.

Make sure you have some sort of internal traffic monitoring in place and watch out for which systems are sending large volumes of broadcast or multicast traffic. In other cases you may need to look at switch interface counters such as collisions or CRC error rates. The image below is from our LANGuardian product and shows a sample report of the top clients associated with broadcast traffic. Any device associated with hundreds of megabytes of broadcast traffic would need to be investigated.

Rogue IoT devices

Almost everything in today’s world is connected. From light bulbs to fridges, many devices now want to share data and metrics. However, this IoT world is not without its challenges. Recently security researchers uncovered a botnet called Reaper which may have infected over 1 million networks.

IoT Botnets are Internet connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements.

You need to be aware of what is connecting to your network. One way to do this is to monitor all traffic going to and from your DHCP and DNS servers. This can reveal a lot about what is connecting to your network and what it is trying to reach. The images below from our LANGuardian product show how metadata captured from DHCP and DNS traffic can be used to get an inventory of what is on your network.

If you do have IoT devices on your network, you need to make sure they are fully patched and not using any default passwords.

External Clients Targeting Your Network

As I mentioned previously, there are large botnets out there ready to target unsuspecting businesses and organizations. If you’re unlucky enough to be targeted you could be on the receiving end of a large DDoS attack. Typically NTP or DNS traffic is used to overload your Internet gateways, resulting in a loss of connectivity for internal and external clients. Make sure you are monitoring all traffic at your network edge, especially the levels of UDP based protocols such as NTP or DNS.

Also watch out for any external clients scanning your network looking for open ports on firewalls. Common scans would be for RDP (TCP 3389), SSH (TCP 22) or SQL (TCP 1433). You need to take action if you see any connections on your internal network from clients which are outside the network. Either block the external IP address or shut down the port they are using on your firewall. Don’t forget to carry out a forensic investigation on any incidents and see if any other client was targeted inside your network.

The image below from our LANGuardian product shows an example of what to watch out for. Here we can see an external IP which is registered in Russia connecting to servers on the local network over TCP port 445.

Rogue Network Users

Sometimes a network user can go bad. Maybe they install an application such as Bittorrent and hog all of the Internet bandwidth or maybe someone accidentally or deliberately deletes data. Can you track down all activity by username? One way to do this is to capture user logon information from Active Directory and use this to match it to IP addresses so you can see who is doing what.

The image below from our LANGuardian product shows a sample user report which lists the top users active on the network based on data downloaded or uploaded. You may want to consider getting alerts if users go above certain levels.
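An added example of the logon-to-IP matching described above, written in Python rather than using LANGuardian’s own Active Directory integration. The input is a constructed list in the shape of the fields a Windows 4624 logon event carries (TargetUserName, IpAddress, LogonType, TimeGenerated); the rules for discarding machine accounts and local logons, and the flow records, are assumptions for the example.

```python
"""Associate IP addresses with usernames from Windows logon events.

Added example, not LANGuardian code. Input is a constructed list in the
shape of the fields a 4624 logon event carries (TargetUserName, IpAddress,
LogonType, TimeGenerated); any collector that reads the Security log can
supply these. Machine accounts and anonymous logons are dropped as noise.
"""
import bisect
from collections import defaultdict


def build_ip_user_timeline(logons):
    """Return {ip: (sorted_timestamps, users)} so that the user on an address
    at any instant is the most recent logon at or before that instant. A later
    logon from a different user (a DHCP lease moving on) simply takes over."""
    by_ip = defaultdict(list)
    for ev in logons:
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        if ip in ("-", "::1", "127.0.0.1"):
            continue                      # local logon, no network address to map
        if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
            continue                      # computer accounts and anonymous noise
        by_ip[ip].append((ev["TimeGenerated"], user))
    timeline = {}
    for ip, entries in by_ip.items():
        entries.sort()
        timeline[ip] = ([t for t, _ in entries], [u for _, u in entries])
    return timeline


def user_for(timeline, ip, ts):
    """Username active on `ip` at time `ts`, or None if no logon precedes it."""
    if ip not in timeline:
        return None
    times, users = timeline[ip]
    i = bisect.bisect_right(times, ts) - 1
    return users[i] if i >= 0 else None


def bytes_per_user(timeline, flows):
    """flows: (ts, src_ip, bytes). Totals traffic by username; addresses with
    no matching logon are reported as 'unknown:<ip>' so they are not hidden."""
    totals = defaultdict(int)
    for ts, ip, nbytes in flows:
        user = user_for(timeline, ip, ts) or f"unknown:{ip}"
        totals[user] += nbytes
    return dict(totals)


def sample_logons():
    """Constructed 4624-style events: alice on 10.0.0.5, the workstation's own
    machine account on the same address, bob taking 10.0.0.5 over later, carol via RDP."""
    return [
        {"TimeGenerated": 100, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 2},
        {"TimeGenerated": 100, "TargetUserName": "WKS01$", "IpAddress": "10.0.0.5", "LogonType": 3},
        {"TimeGenerated": 500, "TargetUserName": "bob", "IpAddress": "10.0.0.5", "LogonType": 2},
        {"TimeGenerated": 200, "TargetUserName": "carol", "IpAddress": "10.0.0.9", "LogonType": 10},
    ]


def sample_flows():
    """Constructed flow records: (timestamp, source ip, bytes)."""
    return [(150, "10.0.0.5", 1000), (600, "10.0.0.5", 5000), (250, "10.0.0.9", 700),
            (50, "10.0.0.5", 10), (300, "10.0.0.77", 20)]


if __name__ == "__main__":
    tl = build_ip_user_timeline(sample_logons())
    for user, total in sorted(bytes_per_user(tl, sample_flows()).items(), key=lambda kv: -kv[1]):
        print(f"{user:20s} {total:>8d} bytes")
```

The unattributed rows are the ones worth keeping visible: traffic from an address with no logon before it is exactly the printer, IoT device or unmanaged laptop that a per-user report would otherwise quietly leave out.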

Root Out Zombies on Your Network

Use the deep packet inspection engine of LANGuardian to continuously monitor user and device activity and root out any zombies on your network. Real time and historical reports are available. No need to install any agents or client software.

  • Built in intrusion detection system
  • GeoIP reports allow you to see what countries are connecting to your network
  • AD integration associates usernames with network activity

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to Detect Badrabbit Ransomware on Your Network

Badrabbit Ransomware

What is Badrabbit Ransomware?

A new strain of ransomware nicknamed “Bad Rabbit” has been found spreading in Russia, Ukraine and Germany. The outbreak bears similarities to the WannaCry and Petya ransomware outbreaks that spread around the world causing widespread disruption earlier this year. This Ransomware encrypts data on infected machines or on network file shares before demanding a payment of 0.05 bitcoin (£250) for the decryption key.

The main way Bad Rabbit spreads has been identified as drive-by downloads on hacked websites. No exploits are used; rather, visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

Once a user facilitates the initial infection, the malware leverages existing methods to propagate around a network without user interaction. This involves leveraging an exploit in the SMB protocol and a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect Ransomware like Badrabbit active on your network. One of the easiest ways to do this is to monitor the network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes things like filenames, actions and usernames. As well as monitoring traffic associated with your file servers we also recommend that you monitor all traffic at your network perimeter. Ransomware needs to communicate with the outside world so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like Badrabbit. There are specific domains that you need to watch out for which are listed below.

How to detect the presence of Badrabbit Ransomware

  1. Check your IDS for specific Badrabbit events
  2. Generate a list of clients accessing suspicious web domains
  3. An increase in file renames is a sure sign of Ransomware

Checking your IDS

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Most look for certain data strings within network packets which will then trigger an alert. In the case of Badrabbit you need to be watching out for the following Emerging Threats rules.

  • emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (cscc)
  • emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (infpub)
  • emerging-trojan ET TROJAN BadRabbit Ransomware Payment Onion Domain

If you are using our LANGuardian product, check the report Top Network Events. This is also available in the trial version.

Suspicious Domains

Badrabbit uses a number of domains for command and control services. Check your DNS traffic and/or your web activity logs for any activity associated with these domains. If you detect any activity, remove the client which issued the DNS query or tried to access the domain from your network.

1dnscontrol.com
an-crimea.ru
ankerch-crimea.ru
argumenti.ru
fastmonitor1.net
caforssztxqzf2nm.onion

If you are using our LANGuardian product, check the report Network Events (DNS Lookups). This is also available in the trial version.

Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like Badrabbit strikes, it will result in a massive increase in file renames as your data gets encrypted. Note that Badrabbit will use the same file names so there are no file extensions to watch out for.

You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity; download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.

How to Detect Magniber Ransomware on Your Network

22 October 2017 NetFort Blog By: Darragh Delaney
Magniber Ransomware Splash Screen

What is Magniber Ransomware?

Magniber Ransomware was first discovered by security researcher Michael Gillespie. It is a crypto ransomware, which aims to encrypt personal data and files. At the moment it is only targeting users in South Korea and the Asia-Pacific regions. The Ransomware is primarily being distributed by the Magnitude exploit kit, a primary distribution vehicle in the past for Cerber Ransomware.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect any variant of Ransomware on your network. One of the easiest ways to do this is to monitor the network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes things like filenames, actions and usernames. As well as monitoring traffic associated with your file servers we also recommend that you monitor all traffic at your network perimeter. Ransomware needs to communicate with the outside world so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware activity.

How to detect the presence of Magniber Ransomware

  1. Watch for any files with .ihsdj & .kgpvwnr extensions
  2. Ransom notes associated with Magniber will contain the text READ_ME_FOR_DECRYPT
  3. An increase in file renames is a sure sign of Ransomware.
  4. Check for the presence of any TOR clients on your network

.ihsdj and .kgpvwnr file extensions

Magniber Ransomware targets certain file extensions. When it encounters a targeted file type, it will encrypt the file and append the extension .ihsdj or .kgpvwnr to the encrypted file’s name. Watch out for any files with extensions like these on network file shares. If you spot any you need to take the client that created them off the network.

The image below shows an example of what to look out for. It was generated by using the LANGuardian Windows File Shares :: Filenames by Actions report to focus on any files with the extension .ihsdj or .kgpvwnr

Ransom note filename will contain the text READ_ME_FOR_DECRYPT

While encrypting your data, Magniber will create a ransom note named READ_ME_FOR_DECRYPT_[id].txt in each folder in which a file is encrypted. The ID will be unique to you. Any clients creating these text files need to be removed from your network and blocked permanently or reinstalled.

The image below shows an example of what to look out for. It was generated by using the LANGuardian Windows File Shares :: Filenames by Actions report to focus on any files with this text string in the name.

Magniber Ransomware Ransom Note

Watch out for an increase in file renames. A sure sign of Ransomware activity

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.
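The three file-share checks from the Badrabbit and Magniber posts (the 4-renames-per-second rule, the .ihsdj and .kgpvwnr extensions, and the READ_ME_FOR_DECRYPT note name) fit in one small detector. The Python below is an added example, not LANGuardian’s own alerting engine; the record layout (timestamp, client IP, username, action, path) and the sample activity are constructed for the illustration.

```python
"""Ransomware indicators from file-share activity metadata.

Added example, not LANGuardian code. Three checks from the Badrabbit and
Magniber posts: the rename-rate rule (4 or more renames per second from one
client), the Magniber extensions .ihsdj/.kgpvwnr, and the READ_ME_FOR_DECRYPT
ransom-note name. Records are constructed in the shape a file-activity
monitor would emit: timestamp, client IP, username, action, path.
"""
import re
from collections import defaultdict

RENAME_THRESHOLD = 4                          # renames per second, per client
RANSOM_EXTENSIONS = {".ihsdj", ".kgpvwnr"}    # Magniber, from the post
RANSOM_NOTE = re.compile(r"READ_ME_FOR_DECRYPT", re.IGNORECASE)


def basename(path):
    """Last path component for both SMB-style (\\) and POSIX (/) separators."""
    return re.split(r"[\\/]", path)[-1]


def rename_rate_alerts(records, threshold=RENAME_THRESHOLD):
    """Count renames per client per whole second. Returns sorted
    (client, second, renames) triples at or above the threshold. This is the
    check that catches Badrabbit, which keeps the original file names, so an
    extension watch-list alone would miss it."""
    per_second = defaultdict(int)
    for rec in records:
        if rec["action"] == "rename":
            per_second[(rec["client"], int(rec["ts"]))] += 1
    return sorted((c, s, n) for (c, s), n in per_second.items() if n >= threshold)


def indicator_alerts(records):
    """Name-based indicators: known ransomware extensions and ransom-note names.
    Returns (ts, client, user, indicator, path) tuples."""
    hits = []
    for rec in records:
        name = basename(rec["path"])
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RANSOM_EXTENSIONS:
            hits.append((rec["ts"], rec["client"], rec["user"], "extension " + ext, rec["path"]))
        elif RANSOM_NOTE.search(name):
            hits.append((rec["ts"], rec["client"], rec["user"], "ransom note", rec["path"]))
    return hits


def sample_records():
    """Constructed: one client renaming six files within a second (Badrabbit-like,
    names unchanged), ordinary users doing ordinary work, and one client
    writing Magniber artefacts."""
    recs = [{"ts": 1000 + i * 0.1, "client": "10.0.0.5", "user": "alice", "action": "rename",
             "path": f"\\\\fs01\\finance\\q3\\report{i}.xlsx"} for i in range(6)]
    recs += [
        {"ts": 1000.2, "client": "10.0.0.9", "user": "bob", "action": "write", "path": "\\\\fs01\\docs\\notes.txt"},
        {"ts": 1000.7, "client": "10.0.0.9", "user": "bob", "action": "rename", "path": "\\\\fs01\\docs\\draft.docx"},
        {"ts": 1003.0, "client": "10.0.0.12", "user": "carol", "action": "create", "path": "\\\\fs01\\docs\\plan.docx.ihsdj"},
        {"ts": 1003.1, "client": "10.0.0.12", "user": "carol", "action": "create", "path": "\\\\fs01\\docs\\READ_ME_FOR_DECRYPT_ab12.txt"},
    ]
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for client, second, n in rename_rate_alerts(recs):
        print(f"rename burst: {client} renamed {n} files in second {second}")
    for ts, client, user, what, path in indicator_alerts(recs):
        print(f"{ts}: {client} ({user}) {what}: {path}")
```

Bob’s single rename in the same second stays below the threshold, which is the point of keying the count per client rather than per share: one infected workstation stands out even on a busy file server. Keying by client also tells you immediately which machine to pull off the network.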

Watch out for TOR clients on your network

Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Router”. Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.

Magniber Ransomware uses a TOR-based payment system called My Decryptor, located at the TOR URL [victim_id].ofotqrmsrdc6c3rz.onion. This site provides information on the ransom amount, the bitcoin address to which payment must be made, and how to purchase bitcoins.

An IDS can detect the presence of TOR clients on your network. While a TOR client is not in itself an indication of Ransomware activity, you should look at removing them from your network or find out why users need such a service. The image below shows an example of what to watch out for.

TOR IDS Signatures

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity; download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.

QUIC Protocol Detection Now Available in LANGuardian

QUIC Protocol

What is the QUIC Protocol?

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC aims to be nearly equivalent to an independent TCP connection, but with much reduced latency.

The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol. Some reports suggest that QUIC now accounts for more than 5% of Internet Traffic. Other browsers such as Opera version 16 and above also support the QUIC protocol but don’t have it enabled by default.
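How LANGuardian’s DPI engine recognises QUIC is not described in the post, so the Python below is an added example of a payload-level heuristic, not NetFort code. It recognises two header shapes: the Google QUIC public header of the time, whose first client packet carries a four-byte "Qxxx" version tag after the 8-byte connection ID, and the IETF long header with its 32-bit version field. The flag bits and the sample packets are assumptions made for the example.

```python
"""Heuristic QUIC classification of UDP payloads.

Added example, not LANGuardian code. Two header shapes are recognised: the
Google QUIC public header of the time, whose first packet carries a "Qxxx"
version tag after the 8-byte connection ID, and the IETF long header with
its 32-bit version field. Packets below are constructed.
"""
import re

GQUIC_VERSION_TAG = re.compile(rb"Q[0-9]{3}")      # e.g. Q043
GQUIC_FLAG_VERSION = 0x01                          # public flags: version field present
GQUIC_FLAG_CID = 0x08                              # public flags: 8-byte connection ID present
IETF_LONG_HEADER = 0xC0                            # form bit + fixed bit


def classify_quic(payload):
    """Return 'gquic', 'ietf-quic' or None for one UDP payload."""
    if len(payload) < 5:
        return None
    first = payload[0]
    if (first & IETF_LONG_HEADER) == IETF_LONG_HEADER:
        version = int.from_bytes(payload[1:5], "big")
        # QUIC v1, a version negotiation packet (0) or a draft version (0xff0000xx)
        if version in (0, 1) or (version & 0xFFFFFF00) == 0xFF000000:
            return "ietf-quic"
    gquic_flags = GQUIC_FLAG_VERSION | GQUIC_FLAG_CID
    if (first & gquic_flags) == gquic_flags and len(payload) >= 13 \
            and GQUIC_VERSION_TAG.fullmatch(payload[9:13]):
        return "gquic"
    return None


def quic_byte_totals(payloads):
    """(quic_bytes, total_bytes) over a list of UDP payloads, the figure a
    'Top Protocols' style report expresses as a percentage."""
    quic = total = 0
    for p in payloads:
        total += len(p)
        if classify_quic(p):
            quic += len(p)
    return quic, total


def sample_payloads():
    """Constructed UDP payloads: a Google QUIC client hello, an IETF QUIC
    Initial, a plain DNS query and a look-alike with the right flags but no
    version tag."""
    gquic_hello = bytes([GQUIC_FLAG_VERSION | GQUIC_FLAG_CID]) + bytes(8) + b"Q043" + b"\x01" + bytes(20)
    ietf_initial = bytes([0xC3]) + (1).to_bytes(4, "big") + bytes(20)
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    lookalike = bytes([0x09]) + bytes(8) + b"ABCD"
    return [gquic_hello, ietf_initial, dns_query, lookalike]


if __name__ == "__main__":
    for p in sample_payloads():
        print(f"{len(p):3d} bytes -> {classify_quic(p)}")
    quic, total = quic_byte_totals(sample_payloads())
    print(f"QUIC share of sampled UDP bytes: {100 * quic / total:.1f}%")
```

Only the first packet of a Google QUIC session carries the version tag, so a byte-share figure built this way has to remember the 5-tuple once it has been classified; a real engine keys on the connection ID for the rest of the flow. The port is deliberately not used as evidence, since QUIC on UDP 443 looks no different to the heuristic than QUIC on any other port.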

How to detect QUIC protocol use on your network

The most reliable way to detect QUIC protocol use on your network is to monitor network traffic at your network edge. Our LANGuardian product can use this data source to look at packet payloads and identify what protocols are in use. The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge.

Once you have your LANGuardian in place you need to click on Reports \ Top Protocols. In my case the QUIC protocol accounts for 78% of bandwidth use.

Drilling down on this we can then see the Googlevideo domain and the usernames associated with this activity. Googlevideo is the domain Google use for streaming YouTube content.

Drilling down on QUIC traffic

Upgrade your LANGuardian to enable QUIC detection

QUIC detection was added to LANGuardian version 14.3.2. If you are a customer you must upgrade to this or higher version. Click on the gear symbol top right, then settings \ LANGuardian software upgrade. Your LANGuardian must have Internet access to check for and download the latest version.

If you are not a LANGuardian customer then you can download a 30 day trial and see within minutes how much bandwidth the QUIC protocol is using on your network.

How to Detect BitTorrent Traffic on your Network

Monitor Bittorrent Traffic

What is BitTorrent Traffic?

BitTorrent is a communication protocol for peer-to-peer file sharing (“P2P”) which is used to distribute data and electronic files over the Internet. It is most famous as a method for downloading copyrighted material such as movies and music. However, it can be used for software delivery and Microsoft have some P2P capabilities built into Windows 10 for distributing Windows updates.

When it comes to monitoring BitTorrent traffic you need to understand how the protocol works. It is not like a traditional download, where you download everything from a single link or IP address. Instead, you download pieces from other clients (peers) and the management is looked after by trackers or more commonly Distributed Hash Tables. Every download has an associated INFO-HASH value which is unique to it and this is an important piece of data when it comes to identifying BitTorrent traffic.

Capturing BitTorrent Traffic

There are multiple potential data sources if you want to monitor BitTorrent traffic on your network.

  • Monitor network traffic at your network edge using a SPAN, mirror port or TAP
  • Flow records such as NetFlow or IPFIX
  • Firewall logs

The most reliable source is network traffic as “packets don’t lie”. Flow records will not capture metadata such as INFO-HASH values, so you will never know for definite that traffic is associated with BitTorrent activity. Firewall logs may indicate the presence of BitTorrent, but they are not designed as a forensics tool to store long-term records of all traffic and application information.

The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge. With a tool like LANGuardian connected to this, you can identify BitTorrent traffic and capture important metadata such as INFO-HASH, IP addresses, external clients and file names.

Analyzing BitTorrent Traffic

When it comes to analyzing BitTorrent traffic you need to be watching out for these applications:

  • BitTorrent DHT Tracker
  • BitTorrent Peer Traffic

Once you detect these applications on your network, you need to capture certain metadata so you don’t need to store every packet which can be expensive. The image below shows the output of a LANGuardian BitTorrent analysis report. Note how you can see the network user, IP address, INFO-HASH and file name.

Bittorrent Traffic With Usernames
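The INFO-HASH is the piece of metadata the post keeps coming back to, so here is an added example in Python (not LANGuardian code) that pulls it out of the two places it appears on the wire: the peer-wire handshake that opens every TCP peer connection, and the bencoded DHT get_peers and announce_peer messages sent over UDP. The bencode decoder is a minimal one written for the example, and the sample payloads are constructed.

```python
"""Extract INFO-HASH values from BitTorrent peer handshakes and DHT messages.

Added example, not LANGuardian code. It parses the two things the post
says to watch for: the peer-wire handshake (TCP) and bencoded DHT queries
(UDP), returning the info_hash so a flow can be tied to a specific torrent.
Sample payloads are constructed.
"""

PEER_PROTOCOL = b"BitTorrent protocol"


def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, next_offset). Raises ValueError
    on anything that is not bencode, which is how non-DHT payloads are rejected."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        i, items = i + 1, {}
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            value, i = bdecode(data, i)
            items[key] = value
        return items, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length, start = int(data[i:colon]), colon + 1
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError(f"not bencode at offset {i}")


def parse_peer_handshake(payload):
    """Peer-wire handshake: <19><'BitTorrent protocol'><8 reserved><20 info_hash><20 peer_id>."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != PEER_PROTOCOL:
        return None
    return {"kind": "peer", "info_hash": payload[28:48].hex(), "peer_id": payload[48:68]}


def parse_dht_message(payload):
    """DHT (KRPC) query or response; info_hash is carried by get_peers and announce_peer."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or msg.get(b"y") not in (b"q", b"r"):
        return None
    query = msg.get(b"q", b"")
    out = {"kind": "dht", "type": msg[b"y"].decode(),
           "query": query.decode("ascii", "replace") if isinstance(query, bytes) else ""}
    args = msg.get(b"a")
    if isinstance(args, dict) and isinstance(args.get(b"info_hash"), bytes):
        out["info_hash"] = args[b"info_hash"].hex()
    return out


def classify_payload(payload):
    """Try the TCP handshake first, then DHT; None when it is neither."""
    return parse_peer_handshake(payload) or parse_dht_message(payload)


def sample_payloads():
    """Constructed: a peer handshake and a DHT get_peers query for the same
    (made-up) torrent, plus the start of a TLS record that must not match."""
    info_hash = bytes(range(20))                    # constructed torrent identifier
    handshake = b"\x13" + PEER_PROTOCOL + bytes(8) + info_hash + b"-UT3550-" + bytes(12)
    get_peers = (b"d1:ad2:id20:" + b"\xaa" * 20 + b"9:info_hash20:" + info_hash
                 + b"e1:q9:get_peers1:t2:aa1:y1:qe")
    tls_hello = b"\x16\x03\x01\x00\x05hello"
    return {"handshake": handshake, "get_peers": get_peers, "tls": tls_hello}


if __name__ == "__main__":
    for name, payload in sample_payloads().items():
        print(f"{name:10s} -> {classify_payload(payload)}")
```

The peer_id prefix (here the constructed "-UT3550-", in the convention uTorrent uses) is what lets you name the client application even when a private tracker hides the file name, which is the situation the next paragraph describes. Flow records never carry any of these bytes, which is why the post says they cannot confirm BitTorrent for definite.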

If the download is associated with a private tracker you may not see any filenames. In that case you should look at the destination IP addresses as they can reveal a lot about the applications associated with the Bittorrent traffic. In the image below we can see that there is some Bittorrent activity associated with a client and looking at the destination IP addresses it would appear that the user has the uTorrent application installed.

Private Bittorrent Tracker

Tracking BitTorrent Traffic on Your Network

Download a free trial of LANGuardian today, if you would like to check for any BitTorrent activity on your network. It comes with a fully featured BitTorrent reporting engine together with Active Directory integration, so you can associate network activity with usernames.

Integrating LANGuardian with Active Directory using WMI

3 October 2017 NetFort Blog By: Darragh Delaney
Active Directory Integration

Integrating LANGuardian with Active Directory allows you to search network activity by user name as well as IP address. It is ideal for environments where DHCP is used. You need to complete these five steps to enable the integration.

  1. Create an AD account which your LANGuardian will use for logging onto domain
  2. Assign WMI permissions to this user
  3. Add user to Performance Log Users and Event Log Readers groups
  4. Check access rights using wbemtest application
  5. Configure AD integration on LANGuardian

1. Create a standard user logon for LANGuardian

You can use an existing account for AD integration, but for the purposes of this guide, we are going to create a new one called LANGuardian. This account does not need to be an administrator or in the domain admins group but it does need extra permissions which are described below.

We recommend that the account is set with a password which does not expire as there is no facility within the LANGuardian GUI to set AD passwords.

2. Assign WMI permissions

You need to logon to each domain controller and grant specific WMI permissions to the new user.

Click on start\run and type in wmimgmt.msc. In the WMI Management window, right click on the WMI Control sub menu and select Properties. Under Security Tab select CIMV2 and click on the Security button in the bottom right corner.

Add the LANGuardian AD account and verify that Enable Account, Remote Enable and Read Security is Allowed, if not, enable those permissions and apply your settings.

wmimgmt

3. Add user to Performance Log Users and Event Log Readers groups

Use the Active Directory Users and Computers application to add the LANGuardian AD account to the groups Performance Log Users and Event Log Readers.

Active Directory Groups

4. Check configuration and permission using the wbemtest application

Test the WMI configuration and permissions using the native Windows tool wbemtest from your desktop:

  1. Click on Start \ Run and type in wbemtest on a Windows 7 or 10 system
  2. Click on Connect and type \\x.x.x.x\root\cimv2 into the Namespace field, where x.x.x.x is the IP address of a domain controller
  3. Enter the LANGuardian AD account and password and click on Connect
  4. If the account has permission to connect via WMI you should not see any error messages

If the connection fails, confirm that the LANGuardian account is in the Performance Log Users group and run the test again. If it still fails, repeat the test with a domain administrator account to see whether the server is blocking all remote WMI connections. An Access denied (0x80070005) result for the LANGuardian account alone usually means the account lacks DCOM remote launch and activation rights, which membership of the built-in Distributed COM Users group provides.

Optionally click on Query and type in:

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = '4624'

This query verifies that the account can run a query and read user logon events (event ID 4624). If you do not get any data back, you may not be auditing logon events, or the LANGuardian AD account is not in the Event Log Readers group.

wbemtest

5. Configure AD integration on LANGuardian

Log on to the LANGuardian GUI and click on the gear symbol at top left, then Settings \ Identity \ Active Directory. Click on Add Domain and enter the IP address of one domain controller together with the LANGuardian AD account and its password.
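As an added example, not code from the NetFort post or LANGuardian, here is the step 4 check done from PowerShell instead of wbemtest. It connects over DCOM (the transport wbemtest uses, rather than WinRM) as the LANGuardian account, reads one class from root\cimv2 and then runs the 4624 query, reporting which prerequisite is most likely missing when a step fails. The domain controller address 10.0.0.10 and the account name EXAMPLE\LANGuardian are placeholders; run it from a domain-joined workstation that can reach the DC on the DCOM ports.

```powershell
# Added example (not from the NetFort post): check the LANGuardian AD account's remote
# WMI access to a domain controller the way wbemtest does, over DCOM.
# Assumptions: DC at 10.0.0.10 and account EXAMPLE\LANGuardian are placeholders.
param(
    [string]$DomainController = '10.0.0.10',
    [string]$Account = 'EXAMPLE\LANGuardian'
)

$cred = Get-Credential -UserName $Account -Message 'LANGuardian AD account password'

# wbemtest connects over DCOM; the CIM default (WSMan) is a different transport with
# its own permissions, so test the same path the integration will use.
$opt = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $DomainController -Credential $cred `
                              -SessionOption $opt -ErrorAction Stop
} catch {
    Write-Warning "Connect to \\$DomainController\root\cimv2 failed: $($_.Exception.Message)"
    Write-Warning 'Check Enable Account / Remote Enable / Read Security on root\cimv2 and DCOM remote access (Distributed COM Users).'
    return
}

# Step 1: the namespace is reachable at all (a bare wbemtest Connect).
$os = Get-CimInstance -CimSession $session -Namespace 'root/cimv2' -ClassName Win32_OperatingSystem
"Connected to $($os.CSName) ($($os.Caption))"

# Step 2: the query LANGuardian needs, logon events from the Security log.
$query = "SELECT TimeGenerated, Message FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 4624"
$events = Get-CimInstance -CimSession $session -Namespace 'root/cimv2' -Query $query `
                          -ErrorAction SilentlyContinue | Select-Object -First 5

if (-not $events) {
    Write-Warning 'No 4624 events returned: logon auditing is off, or the account is not in Event Log Readers.'
} else {
    # The last "Account Name:" line in a 4624 message is the account that logged on.
    $events | Select-Object TimeGenerated, @{ n = 'Account'; e = {
        $line = @($_.Message -split "`n" | Where-Object { $_ -match 'Account Name:' })[-1]
        if ($line) { $line.Trim() }
    } }
}

Remove-CimSession $session
```

If the first Get-CimInstance succeeds but the 4624 query returns nothing, the WMI permissions are correct and the problem is on the event log side, which is exactly the split the two wbemtest steps above are meant to give you.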

Video Guide: How to setup Active Directory integration using WMI

How to detect the presence of Gryphon Ransomware on your network

Gryphon Ransomware Screenshot

Gryphon Ransomware

Gryphon Ransomware is a variant of the BTCWare ransomware family. This family typically spreads by brute-forcing RDP (Remote Desktop Protocol) logons. Once the attacker gains access to a computer, they install the ransomware and encrypt the victim’s files.

What you need to watch out for

1. Inbound RDP connections

RDP can be a useful IT tool for managing user systems remotely. However, it is not a protocol that you should leave open at your network edge: this ransomware family gets in by guessing RDP passwords, so anything reachable on TCP port 3389 from the internet is a target. Watch out for inbound RDP connections from external clients. If remote administration is needed, reach it through a VPN or gateway rather than exposing port 3389 directly, and make sure the accounts that can log on over RDP have a lockout policy. The screenshot below shows an example of what you should be capturing with your network traffic monitoring tool. In my case, the connections are local to my LAN.

2. Increase in file renames on network shares

When Ransomware strikes it often seeks out network file shares as that is where the most valuable data is. One way to detect if Ransomware has become active on your network is to monitor the rate of file renames. When Ransomware encrypts data it renames files with a new extension.

File rename rates can be captured by monitoring the network traffic going to and from your network file servers. A tool such as our own LANGuardian can then use this data source to create an audit trail of file and folder activity.

The image below is an example of what you should be watching out for. The graph shows an increase in file renames and the client responsible for this is also shown. An alert can also be triggered when this activity is detected.

file renames

3. Crypton file extensions

When Gryphon Ransomware strikes a network it appends the .Crypton extension to encrypted files. Any client that is renaming files with this extension needs to be taken off the network immediately. The image below shows an example of what you should be watching out for; in this example, a database file was renamed with the .Crypton file extension.

Crypton file extension

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity; download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.

How to monitor for BEC Scams: Common Subject Lines

13 September 2017 NetFort Blog By: Aisling Brennan
BEC Scams

BEC Scams

Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The spear phishing campaign is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

BEC scam example

Google and Facebook both fell victim to a BEC scam that swindled around $100 million from the two tech firms. Read more here.

According to Symantec’s 2017 Internet Security Threat Report, “Request” was the most popular keyword used in subject lines for BEC scam emails; followed by “Payment” (15%) and “Urgent” (10%).

BEC scam subject lines

A number of NetFort’s customers are finding the LANGuardian SMTP Email Decoder pretty useful for detecting BEC spammers, as it allows you to search by subject, along with more detailed information such as sender, recipient, attachment name, mime type, attachment description, timestamps and the IP address of sender and recipient.

Checking for specific Email subject lines

Emails by Subject

The steps to create this report are as follows:

1. Click on All Reports in the LANGuardian menu bar. In the Inventory section, click on E-mail.
2. In the E-mail section, click on Emails by Subject.
3. Enter transfer|payment|urgent in the Subject field with “matches regexp” selected. Click Run Report.
4. When LANGuardian displays the report, click Actions on the report menu bar and select Save As. Enter a name and description for the report, then click Save. The new report will be listed in the My Reports section.
5. In this post, we look at setting up an alert when certain traffic is found on the network. You can apply the same principles to this situation.

According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes”. Read more here

The key takeaway here is to carefully scrutinize all emails. Be wary of irregular emails that appear to come from C-suite executives, as attackers impersonate them to trick employees into acting with urgency. Carefully review and verify fund transfer requests through a second channel before money moves.

Why a CCTV type system is a necessity for Monitoring Network Traffic

CCTV for computer networks

Why monitor network traffic?

The recent Equifax security breach resulted in hackers getting their hands on the sensitive personal information of 143 million American consumers. The breach lasted from mid-May 2017 through July 2017. The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information from about 182,000 people; they also grabbed personal information of people in the UK and Canada.

This information was not carried in briefcases. It left the organization as a payload in network traffic, mixed in with the massive amounts of legitimate traffic that would have left Equifax during the hacking period. While it is good practice to have firewalls and threat detection systems, many of them rely on known signatures of exploit attempts. This approach fails if you are targeted with something new, or if your security applications are missing detection capabilities for a specific type of attack. This is one of the main reasons why you need to constantly monitor network traffic leaving and entering your network.

What is a CCTV system for monitoring network traffic?

When I talk about a CCTV type system for monitoring network traffic, I usually give this analogy. When we want to protect physical buildings, we invest in locks, gates, walls and other physical barriers to protect our property and physical assets.

We also invest in CCTV systems so that if there is a break in, we can see what is happening in real time and get recordings so we can look back over events. If you have a breach, it is important to know what happened so that we can make changes to prevent further breaches happening in the future. CCTV systems can also alert if someone enters a premises outside of normal working hours.

Monitoring network edge

Too often in the digital world, we forget about monitoring tools. Senior management often sees them as a ‘nice to have’ as there is no obvious payback. It is easy to get seduced into spending IT budgets on fancy firewalls and threat prevention systems as they can take an action. However, the Equifax hack has reminded us that we need eyes on our networks 24/7 and we need to keep historical records of who is connecting to what so that we can go back and see how someone hacked into our network.

network flows

A CCTV system for network traffic can be based on flow or packet analysis. If you use managed switches with a SPAN or mirror port, or a router that exports flows, you already have a data source. From this analysis, you need to be capturing information such as:

  • True application names as you cannot rely on port labels
  • Resource (URI) names
  • HTTP header fields
  • Web client information
  • DHCP data such as IP addresses, MAC and host-names
  • SMTP metadata such as email addresses and subject lines
  • BitTorrent Hash values
  • DNS SPAM detection
  • SMB and NFS metadata
  • Ingress and egress IP flows including IP addresses and port numbers
  • Associated GeoIP details
  • Packet counts
  • IP flow counts
  • Detect application layer attacks
  • Associated usernames
  • Accurate web domain names from DNS, HTTP or HTTPS traffic analysis

One of the most important things is that you get both a real-time and historical view of this data. Most network monitoring applications do real-time monitoring. Some do historical reporting but may age and compress data to cut down on disk usage. This is not ideal, as you will want to store as much detail as possible so that you can investigate historical events. Make sure you choose a forensics or monitoring application that retains all information captured.

Integrating IDS (Intrusion Detection System) and traffic analysis is also beneficial. This allows you to detect known attacks as well as providing extra context, such as what connections were made and whether the attackers targeted any other systems on your network. You will only get good threat detection with packet analysis; flow-based tools (NetFlow, IPFIX, etc.) will struggle, as they do not look at packet payloads.

Your monitoring tool needs to be independent of edge equipment

Many firewalls now come with advanced logging and reporting capabilities. On paper, they tick boxes for both prevention and reporting. However, if your network is under attack you may find that these logs become inaccessible.

Some time ago I attended a JANET conference in the UK. A number of universities had been targeted with DDoS attacks. Many network managers spoke about how they struggled to understand what was happening, as their firewall logs were inaccessible or were filling up so quickly it was difficult to get an overall view of where the DDoS traffic was coming from. One of the recommendations from the conference was to ensure your monitoring tools were independent of edge devices such as firewalls or routers.

Don’t wait for a breach before investing in monitoring tools

The worst way to implement monitoring tools is to do so in the middle of an attack. You will never capture all the information you need and you may be rushed into buying tools that don’t address your requirements. Get something in place ASAP and use the CCTV analogy when discussing with senior management.  In today’s world, you need to be watching over your network 24/7.

How to deal with the Locky Ransomware Email Campaign

Locky Ransomware Screenshot

Locky Ransomware

Ransomware has been the number one cyber-security threat in 2017. Outbreaks such as WannaCry have caused massive amounts of damage worldwide. If you want to detect Ransomware such as WannaCry you should watch out for an increase in file renames and deploy technologies such as IDS to identify outbreaks on your network.

Recently there has been an increase in activity associated with the Locky variant of Ransomware. Locky was first detected in 2016 and one of its first victims was the Hollywood Presbyterian Medical Center in Los Angeles, California. The infection encrypted systems throughout the medical center, locking staff out of computers and electronic records.

5 Locky Fingerprints that you need to watch out for

If you want to detect Locky activity on your network, you need to watch out for this activity. Some are directly associated with Locky, others would be suspicious and would need to be checked.

  • Dodgy subject lines which are known to be associated with Locky distribution
  • Clients trying to access the domain greatesthits.mygoldmusic.com
  • Lukitus file extensions on network drives
  • Increase in file renames
  • ZIP file attachments

Further information below on each of these.

Search inbound email for specific subject lines

The email campaign associated with the latest outbreak of Locky uses this list of subject lines:

  • please print
  • documents
  • photo
  • images
  • scans
  • pictures

If you host your own email servers, you should monitor all SMTP servers and alert if any emails using these subject lines are detected. One way to do this is to use our own LANGuardian product to extract the email metadata from network traffic which can be sourced from a SPAN or a mirror port. The image below shows an example of what you should be watching out for.

Locky Ransomware email

Monitor DNS or Web Traffic for activity associated with Locky domains

This Locky outbreak uses Visual Basic Script (VBS) files embedded in zip email attachments. The emails do not contain the Ransomware code. When a user opens the attachment, the VBS script attempts to connect to the domain greatesthits.mygoldmusic.com. From here, it pulls down the Locky Ransomware and then goes about encrypting files. You can check for activity associated with this domain by monitoring web or DNS traffic. It may also be possible to do this with firewall or proxy logging, but check your device to see if it captures domain names.

The image below shows an example of what you should be watching out for. Here, we can see that a client attempted to access a suspicious domain and would need to be taken off the network and checked.

Locky Ransomware Domain

Watch out for Lukitus file extensions

Once this variant of Locky is active on a network, it will seek out local folders and network based file shares. Files are encrypted and a Lukitus file extension is appended to each file. Make sure you are monitoring all activity to your important network shares. One way to do this is to monitor network traffic to and from the file servers.

The image below shows an example of what you need to watch out for. The client associated with this event would need to be removed from the network and checked for Ransomware infection.

lukitus file extension

A sudden increase in file renames is a sign of Ransomware

All variants of Ransomware which target end-user data share the same pattern: read the user’s data, encrypt it, and write it back under a new name, usually with a new file extension. In some cases the files keep their original names, but the rename action still occurs.

We recommend that you constantly monitor the rate of file renames on all of your network shares. A good starting point would be to alert on any instances, where the number of file renames goes above 4 per second. Our lab analysis shows that this is a good indicator of mass renaming which is typically associated with Ransomware. Make sure your alerts also contain the client IP address associated with the renaming as they need to be removed from the network immediately.

File renames associated with Ransomware
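The two checks described in this post and in the Gryphon post above (the rename rate per client, and renames to a known ransomware extension such as .Crypton or .lukitus) are shown here as an added example run over constructed file-activity records of the kind a file-server traffic monitor emits. This is not code from the NetFort posts or from LANGuardian; the record format, the 4-per-second threshold (taken from the text) and the extension list are assumptions.

```powershell
# Added example, not code from the NetFort posts or LANGuardian. Flags (1) any client
# doing more than N renames inside one second and (2) any rename to a known
# ransomware extension. The records below are constructed for the example.
$sampleCsv = @'
Time,Client,Server,Action,OldPath,NewPath
2017-09-12T10:00:00.10,10.1.1.23,10.1.1.5,RENAME,\finance\budget.xlsx,\finance\budget.xlsx.Crypton
2017-09-12T10:00:00.25,10.1.1.23,10.1.1.5,RENAME,\finance\ledger.mdb,\finance\ledger.mdb.Crypton
2017-09-12T10:00:00.40,10.1.1.23,10.1.1.5,RENAME,\finance\notes.txt,\finance\notes.txt.Crypton
2017-09-12T10:00:00.55,10.1.1.23,10.1.1.5,RENAME,\finance\q3.pptx,\finance\q3.pptx.Crypton
2017-09-12T10:00:00.70,10.1.1.23,10.1.1.5,RENAME,\finance\q4.pptx,\finance\q4.pptx.Crypton
2017-09-12T10:00:01.00,10.1.1.44,10.1.1.5,RENAME,\hr\draft.docx,\hr\final.docx
2017-09-12T10:00:03.00,10.1.1.44,10.1.1.5,READ,\hr\final.docx,
2017-09-12T10:00:05.00,10.1.1.61,10.1.1.5,RENAME,\sales\pipeline.xlsx,\sales\pipeline.xlsx.lukitus
'@

function Find-RansomwareRenames {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$RenamesPerSecond = 4,                        # threshold from the post
        [string[]]$BadExtensions = @('.crypton', '.lukitus')
    )
    $alerts  = New-Object System.Collections.Generic.List[object]
    $renames = @($Records | Where-Object { $_.Action -eq 'RENAME' })

    # Check 1: more than N renames from one client inside any one-second bucket.
    foreach ($byClient in ($renames | Group-Object Client)) {
        $bySecond = $byClient.Group | Group-Object { ([datetime]$_.Time).ToString('s') }
        foreach ($bucket in $bySecond) {
            if ($bucket.Count -gt $RenamesPerSecond) {
                $alerts.Add([pscustomobject]@{
                    Client = $byClient.Name; Check = 'RenameRate'
                    Detail = "$($bucket.Count) renames at $($bucket.Name)"
                })
            }
        }
    }

    # Check 2: a single rename to a known ransomware extension is an alert on its own.
    foreach ($r in $renames) {
        $ext = [System.IO.Path]::GetExtension($r.NewPath).ToLowerInvariant()
        if ($BadExtensions -contains $ext) {
            $alerts.Add([pscustomobject]@{
                Client = $r.Client; Check = 'Extension'
                Detail = "$($r.OldPath) -> $($r.NewPath)"
            })
        }
    }
    return $alerts
}

$records = $sampleCsv | ConvertFrom-Csv
Find-RansomwareRenames -Records $records | Format-Table -AutoSize
```

On the sample, 10.1.1.23 is reported twice over (five renames in one second, and every rename carries .Crypton), 10.1.1.61 is caught by the extension check alone, and 10.1.1.44, which renamed one document, is not reported. Bucketing by whole second undercounts a burst that straddles a second boundary; a sliding window is the stricter version of check 1 if you tune it for production.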

Get an inventory of what ZIP files are coming into your network

Compressed files (ZIP and others) are often used to deliver malware via email. Many email servers block attachments if they have unusual file extensions. However, if the malware is embedded within a ZIP file, it can get through some filters. Almost every endpoint can open ZIP files, which is why attackers use them.

If you host your own email servers, we recommend that you monitor all attachments that are inbound into your network. One way to do this is to monitor network traffic going to and from your email servers. A system such as our own LANGuardian can extract attachment names from this traffic and provide reports and alerts on suspicious activity.
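The subject-line searches from this post and from the BEC post above (the exact Locky subjects, and the transfer|payment|urgent regular expression), together with the ZIP attachment inventory, are combined here into one added example run over constructed SMTP metadata. This is not code from the NetFort posts or LANGuardian. One point the posts do not mention: subjects on the wire are frequently RFC 2047 encoded-words (=?charset?B?...?= or =?charset?Q?...?=), and a regular expression applied to the raw header misses them, so the example decodes subjects before matching. Addresses and records are made up.

```powershell
# Added example, not code from the NetFort posts or LANGuardian: decode RFC 2047
# encoded-word subjects, then apply the BEC regex, the Locky subject list and a ZIP
# attachment check to constructed SMTP metadata records.
function ConvertFrom-EncodedWord {
    param([string]$Header)
    $pattern = '=\?([^?]+)\?([BbQq])\?([^?]*)\?='
    [regex]::Replace($Header, $pattern, {
        param($m)
        $charset = [System.Text.Encoding]::GetEncoding($m.Groups[1].Value)
        $text    = $m.Groups[3].Value
        if ($m.Groups[2].Value -in 'B', 'b') {
            $bytes = [Convert]::FromBase64String($text)
        } else {
            # Q encoding: '_' is a space, =XX is one hex byte, anything else is literal.
            $bytes = New-Object System.Collections.Generic.List[byte]
            $i = 0
            while ($i -lt $text.Length) {
                $c = $text[$i]
                if ($c -eq '=' -and $i + 2 -lt $text.Length) {
                    $bytes.Add([Convert]::ToByte($text.Substring($i + 1, 2), 16)); $i += 3
                } elseif ($c -eq '_') { $bytes.Add(0x20); $i++ }
                else { $bytes.Add([byte][char]$c); $i++ }
            }
        }
        $charset.GetString([byte[]]$bytes)
    })
}

$BecSubjectRegex = 'transfer|payment|urgent'                 # from the BEC post
$LockySubjects   = 'please print', 'documents', 'photo', 'images', 'scans', 'pictures'

function Find-SuspiciousEmail {
    param([Parameter(Mandatory)] [object[]]$Records)
    foreach ($r in $Records) {
        $subject = ConvertFrom-EncodedWord $r.Subject
        $reasons = @()
        if ($subject -match $BecSubjectRegex) { $reasons += "BEC keyword '$($Matches[0])'" }   # -match is case-insensitive
        if ($LockySubjects -contains $subject.Trim().ToLowerInvariant()) { $reasons += 'Locky campaign subject' }
        if ($r.Attachment -match '\.zip$') { $reasons += "ZIP attachment $($r.Attachment)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $r.Time; Sender = $r.Sender; Recipient = $r.Recipient
                Subject = $subject; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample: row 2 carries a Q-encoded subject that decodes to "Payment - invoice 4471".
$sampleCsv = @'
Time,Sender,Recipient,Subject,Attachment
2017-09-13T08:01:00,ceo@example-corp.co,finance@example.com,Urgent wire TRANSFER needed today,
2017-09-13T08:05:00,vendor@supplier.example,ap@example.com,=?UTF-8?Q?Payment_=E2=80=93_invoice_4471?=,invoice.pdf
2017-09-13T08:09:00,scanner@example.com,bob@example.com,scans,scan_0001.zip
2017-09-13T08:12:00,alice@example.com,bob@example.com,lunch?,
'@

$records = $sampleCsv | ConvertFrom-Csv
Find-SuspiciousEmail -Records $records | Format-Table -AutoSize
```

The first three sample rows are reported (BEC keyword, BEC keyword after decoding, and Locky subject plus ZIP attachment respectively) and the fourth is not. Because the BEC pattern is a bare keyword match it will also catch legitimate payment traffic; the value is in feeding the hits to someone who verifies the request out of band, as the BEC post advises, not in blocking on the match.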

For more information, take a read of this blog post which looks at 5 Methods For Detecting Ransomware Activity. If you need to put monitoring in place today; download a 30 day trial of our LANGuardian product, which includes a Ransomware monitoring dashboard out of the box.

23 NYCRR 500 – How LANGuardian can help with Compliance

23 NYCRR 500

The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Governor Andrew Cuomo

23 NYCRR 500: What it means for you

NYCRR 500 is a regulatory compliance standard that regulates the Financial Services Industry (FSI) in New York. This regulation mandates each institution have a cyber security program, Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of their compliance, and more.

NYCRR 500 requires that banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The key date to keep in mind is August 28, 2017: that date marks the end of the 180-day transitional period, counted from the regulation’s effective date of March 1, 2017, to comply with the guidelines set forth in 23 NYCRR 500.

The key elements of the regulation are as follows, and a summary of these elements can be found here:

  1. Establishment of a Cybersecurity Program to include:
    • Adoption of a written Cybersecurity Policy
    • Identify and assess internal and external Cybersecurity risks that may threaten the security or integrity of data stored in an organization’s IT systems.
    • Use defensive infrastructure and implementation of policies and procedures to protect the IT systems from unauthorized access or malicious acts.
    • Detect cybersecurity events.
    • Respond to identified or detected Cybersecurity events to mitigate any negative effects.
    • Recover from Cybersecurity Events and restore normal operations and services.
    • Fulfill applicable regulatory reporting requirements.
  2. Mandatory Chief Information Security Officer
  3. Cybersecurity Training for Employees
  4. Third-Party Service Providers Risk
  5. Incident Monitoring and Reporting
  6. Information Security Audits

How LANGuardian can help with 23 NYCRR 500

While no one system can provide the full range of compliance across all of the regulatory requirements, a forensic threat investigation solution and incident response plan will be the most important tools for demonstrating compliance.

Written policies (as defined in section 500.3) are an important first step, but compliance requires the demonstration of consistent policy enforcement. Forensic data and reporting are needed to demonstrate consistent enforcement of these new rules, and there are four sections in particular where LANGuardian provides many benefits.

Section 500.02 Cybersecurity Program (1) (3)

Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems.

LANGuardian includes both an intrusion detection system (IDS) and an advanced network traffic analysis engine. This allows you to spot rogue devices on the network as well as providing the ability to generate alerts when cybersecurity events are detected.

Information Security—500.3 (a)

Being able to protect the sensitive and confidential information hosted on systems is critical in the financial industry. You must have a policy in place that allows you to identify who should have access to sensitive information. When a security breach takes place, you need to see what the bad actors gained access to and what they saw. Finally, you need to be able to prove whether somebody outside of your authorized list accessed the sensitive information.

LANGuardian can monitor network activity both inside the network and at the network edge. No agent or client software is needed, and because it is not inline it will not impact the performance of your network. The image below shows a sample LANGuardian report listing which users accessed certain files on a network share.

Systems and Network Security—500.3 (g)

When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections that they offer. What tools do you have in place, and how do you know what security functions they provide? Regardless of the tools, you need to define a policy outlining how the tools protect your sensitive information.

The image below shows how LANGuardian highlighted a suspicious network scan originating from an external IP address. In this case we would use LANGuardian to first identify when the scanning started and whether the external client accessed any other systems on the network. Based on this forensic analysis we would then take an appropriate action, such as blocking certain ports on the firewall.

Network Security Events

Systems and Network Monitoring—500.3 (h)

To enforce the policies of systems and network security, active surveillance and analysis of network systems are required. Without baselining user and traffic behavior, network and security teams are blind to network activity. You need to have an exhaustive record of normal traffic patterns, and you must set up a system that alerts when traffic deviates.

LANGuardian uses a combination of metadata capture and network based intrusion detection to monitor network traffic on a network. It does not age data, so you can look back at historical data in the event of a security breach. The image below shows a LANGuardian report which lists what clients were making outbound connections from a network.

monitor network traffic

Incident Response—500.3 (n)

The main goal in any incident response and forensic threat investigation solution is to provide teams with the ability to respond quickly to incidents. With that in mind, using such a solution provides organizations with the ability to respond quickly to threats and discover where they’ve gone.

LANGuardian can generate email alerts, or export alerts as SYSLOG events, which can be picked up by SIEM systems. The image below shows a sample of event types that can be triggered by LANGuardian.

network events triggered by IDS

How to Prevent Attacks Associated with the SMBLoris Vulnerability

1 August 2017 NetFort Blog By: Darragh Delaney
SlowLoris Server Crash

What is SMBLoris?

SMBLoris is a memory-handling bug which was revealed last week at DEF CON. Infosec researcher Jenna Magius provided more details about the bug on her Twitter feed. The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. Initial reports suggested that SMBLoris was only associated with SMBv1, but this is not the case.

The SMBLoris attack is able to consume all of the memory a server has, to the point where it does not even blue screen; the operating system simply stops functioning. It can also prevent you from logging on to the server, because there is no memory available to do so. If you have to reboot the server, its local log files will be of little use in working out which clients targeted it, which is one reason to capture this activity from the network rather than on the host.

What you need to do to prevent SMBLoris attacks?

Microsoft has not released a patch for this vulnerability, and its advice is to block access from the internet to SMB servers. SMB runs over TCP port 445 (direct hosting) and TCP port 139 (NetBIOS session service).

It is possible to launch an internal attack, so you should also watch out for any network scanning on your network over TCP ports 445 or 139. It could be a sign of a compromised client seeking out active SMB servers.

Using LANGuardian to check for suspicious SMB activity

Our LANGuardian product passively captures network traffic via SPAN or mirror ports or TAPs. It then analyzes this traffic and captures metadata such as IP addresses, application protocols and versions, user names, file and folder names, web domains and URIs. When it comes to spotting SMBLoris activity, there are two things to watch out for:

Identify Inbound traffic on TCP port 445 or 139

Use the LANGuardian Top Clients report to focus on network traffic where the client IP address is outside your network, and the destination port is TCP 445 or 139. If you get results in the report, then you should block the clients shown if you are not familiar with them or block all inbound access on these SMB ports.

The screenshot below shows an example where a client with an IP address registered in Russia has established connections to servers inside the perimeter firewalls.

Clients connecting inbound on TCP ports 445 or 139

Check for any network scanning on TCP ports 445 or 139

The greatest risk with SMBLoris is with external clients targeting SMB servers hosted locally on your network. However, there is still a risk that a compromised client on your network could bring down your SMB servers. Watch out for any scanning activity associated with TCP ports 445 or 139. It can be a sign of a client generating an inventory of what SMB servers exist on a network.

Use the LANGuardian Network Scanners by Port report to focus in on any scanning activity locally on your network. The screenshot below shows an example of the output of this report. In this case, we do not see any suspicious SMB scanning activity.

SMB Network Scans
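The two checks above (inbound connections to SMB ports from outside the network, and one source touching many SMB hosts, which is what an SMB inventory scan looks like) are shown here as an added example run over constructed flow records. This is not code from the NetFort post or LANGuardian. Because the port list is a parameter, the same function with -Ports 3389 gives the inbound RDP check from the Gryphon post, and it covers the 445/139 watch items in the Petya post further down. The internal address ranges, the use of 203.0.113.0/24 (TEST-NET-3) as the "external" source, the thresholds and the flows themselves are all assumptions.

```powershell
# Added example, not code from the NetFort post or LANGuardian: inbound-SMB and
# SMB-scan detection over constructed flow records (Time,SrcIP,DstIP,DstPort,Proto).
$sampleFlows = @'
Time,SrcIP,DstIP,DstPort,Proto
2017-07-31T09:00:01,203.0.113.77,10.1.1.5,445,TCP
2017-07-31T09:00:02,203.0.113.77,10.1.1.6,139,TCP
2017-07-31T09:00:02,10.1.1.23,10.1.1.5,445,TCP
2017-07-31T09:00:11,10.1.1.90,10.1.1.1,445,TCP
2017-07-31T09:00:11,10.1.1.90,10.1.1.2,445,TCP
2017-07-31T09:00:12,10.1.1.90,10.1.1.3,445,TCP
2017-07-31T09:00:12,10.1.1.90,10.1.1.4,445,TCP
2017-07-31T09:00:13,10.1.1.90,10.1.1.5,445,TCP
2017-07-31T09:00:13,10.1.1.90,10.1.1.6,139,TCP
2017-07-31T09:00:14,10.1.1.90,10.1.1.7,445,TCP
2017-07-31T09:00:14,10.1.1.90,10.1.1.8,445,TCP
2017-07-31T09:00:30,10.1.1.23,10.1.1.40,443,TCP
'@

$InternalPrefixes = '10.', '192.168.'      # RFC 1918 space in use on the sample LAN (assumption)

function Test-InternalAddress([string]$Ip) {
    foreach ($p in $InternalPrefixes) { if ($Ip.StartsWith($p)) { return $true } }
    return $false
}

function Find-SuspiciousSmbFlows {
    param(
        [Parameter(Mandatory)] [object[]]$Flows,
        [string[]]$Ports = @('445', '139'),   # use 3389 for the RDP check
        [int]$ScanHostThreshold = 8,          # distinct targets before we call it a scan
        [int]$WindowSeconds = 60
    )
    $hits = @($Flows | Where-Object { $_.Proto -eq 'TCP' -and $Ports -contains $_.DstPort })

    # Check 1: a source outside the network reaching an internal SMB port.
    foreach ($f in $hits) {
        if (-not (Test-InternalAddress $f.SrcIP) -and (Test-InternalAddress $f.DstIP)) {
            [pscustomobject]@{ Check = 'InboundSMB'; Client = $f.SrcIP
                               Detail = "$($f.DstIP):$($f.DstPort) at $($f.Time)" }
        }
    }

    # Check 2: one source contacting many distinct hosts on SMB ports inside a sliding window.
    foreach ($g in ($hits | Group-Object SrcIP)) {
        $sorted = @($g.Group | Sort-Object { [datetime]$_.Time })
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start   = [datetime]$sorted[$i].Time
            $targets = @($sorted[$i..($sorted.Count - 1)] |
                Where-Object { (([datetime]$_.Time) - $start).TotalSeconds -le $WindowSeconds } |
                Select-Object -ExpandProperty DstIP | Sort-Object -Unique)
            if ($targets.Count -ge $ScanHostThreshold) {
                [pscustomobject]@{ Check = 'SMBScan'; Client = $g.Name
                                   Detail = "$($targets.Count) hosts within $WindowSeconds s from $($sorted[$i].Time)" }
                break    # one alert per scanning client is enough
            }
        }
    }
}

$flows = $sampleFlows | ConvertFrom-Csv
Find-SuspiciousSmbFlows -Flows $flows | Format-Table -AutoSize
```

On the sample, 203.0.113.77 produces two InboundSMB alerts and 10.1.1.90 one SMBScan alert (eight distinct hosts in four seconds); 10.1.1.23, which spoke to one file server and one HTTPS host, is not reported. Keep the external check in place even after you block 445 and 139 at the firewall: a hit after the block is a sign the rule is not doing what you think.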

The video below shows how you can check your network traffic for any suspicious SMBLoris activity.

If you would like to audit your network, then go ahead and download a 30 day free trial of LANGuardian today.  You have the option to deploy it as a physical or virtual machine, and there are no changes required on your files servers.

NetFort celebrate a successful Customer Event

NetFort Customer Event London

A few weeks ago, we held yet another successful customer event, this time in Central London, on Fenchurch Street – which by the way is a terrific location for an event! This event brought together a community of our customers to network and collaborate on our latest LANGuardian release.

The event kicked off with welcoming comments from myself, followed by a number of dynamic presentations which were jointly delivered by our Technical Director, Darragh Delaney and myself. Throughout the half-day event, we presented the latest features in LANGuardian, shared our road map and gave an overview of our technical integrations along with several product demonstrations.

We love to host such customer events, as it gives us the opportunity to share our recent announcements, meet our customers face-to-face and listen to their feedback on what they would like to see in future product developments. Additionally, we were on hand to answer any critical issues from novice and experienced users alike.

A wide range of training topics were delivered throughout the morning, including:

• Creating a Ransomware Monitoring Dashboard
• How to detect SMBv1 use on your network
• How to use the Direct Packet Capture option on LANGuardian, so that it saves packets from a flow when a particular trigger is asserted
• How to use our DNS Traffic Decoding feature to collect DNS queries for all running sensors

NetFort Customer Event London

We were thrilled with the post-event feedback, so I thought I would share a small sample of this here:

• “It was all good, very informative” – Infrastructure Support Specialist, Financial & Insurance Services
• “I thought it was great overall, although it could be a whole-day training session with more hands-on” – R&D and Infrastructure Engineer, Managed IT Outsourcing
• “The most useful part of this training for me was the demos, especially for Ransomware + DDoS” – Infrastructure Operations Manager, Housing Association
• “Very useful, would be good to have it on an annual basis. We were very impressed with the communications on the WannaCry outbreak; it was very useful” – Network Technician, UK University

Are you a NetFort customer who would like to attend our next event?
Watch out for our upcoming events on our website, community forum or email aisling.brennan@netfort.com to register your interest.

Thanks!

Prevent Petya Ransomware by disabling SMBv1 on your Network

NotPetya Petya Petna Ransomware

Last Updated: July 3rd, 2017

Petya \ GoldenEye encrypts entire disks

A new variant of Petya ransomware, also known as Petrwrap, NotPetya or GoldenEye, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours. Petya ransomware has also been delivered via phishing emails pretending to provide a résumé which is, in fact, a malicious dropper. Make sure your users are aware of the risks of opening attachments from unknown sources.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another that encrypts NTFS structures. This approach prevents victims’ computers from being booted into a live OS environment to retrieve their data.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. It encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, locking the user out of the whole system by seizing the information about file names, sizes and locations on the physical disk.

What you should do right now to prevent a Petya \ NotPetya outbreak

  1. Deploy the Microsoft Security Bulletin MS17-010 patch
  2. Add a read-only file called C:\Windows\perfc to all Windows clients
  3. Avoid giving users administrator access to their local machines
  4. Watch out for any inbound or outbound activity associated with TCP ports 445 or 139
  5. Use traffic analysis to identify any systems connecting, or trying to connect, using SMBv1
  6. Root out any clients or servers scanning your network over TCP ports 445 or 139

Further details below

Patch your Windows systems to remove one attack vector for Petya Ransomware

It is critical that you address Microsoft Security Bulletin MS17-010 and patch all Windows clients and servers on your network. Microsoft has published a good post at this link which gives more background on this and also includes some information on what they are doing to prevent the spread of this Ransomware.

Petya or Petrwrap spreads by exploiting the NSA-built Windows exploit known as “EternalBlue”, which targets the SMBv1 protocol. SMBv1 is a legacy protocol, but it is still shipped with, and usually still enabled in, current Windows releases, and MS17-010 applies to everything from Vista up to Windows 10 and Server 2016. Patch every Windows system, not just those below, which are the versions the public EternalBlue exploit is known to target:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

In parallel to applying the patch, you should disable SMBv1 use on your network. You can do this by running these commands in PowerShell on each system. Further information on how to disable SMBv1 on other systems is available here.

  • Check for SMBv1:
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server:
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Create a read only file called C:\Windows\perfc

A researcher called Amit Serper discovered that NotPetya/Petya/Petna would search for a local file and would exit its encryption routine if that file already existed on disk.

To vaccinate your computer so that you are unable to get infected with the current strain of this Ransomware simply create a file called perfc in the C:\Windows folder and make it read only. If you are unsure how to do this, follow this guide or follow the steps in the video below.

Avoid giving users administrator access

Petya \ GoldenEye first encrypts the files on the computer and then tries to install the MBR bootkit to encrypt the drive’s MFT. The GoldenEye variant starts by encrypting the user’s files, just like regular ransomware. For each file it encrypts, GoldenEye appends a random 8-character extension at the end.

The ransomware then modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader. Petya \ GoldenEye ransomware must obtain administrative permissions to overwrite a computer’s MBR. Make sure you limit which users have administrator access to the network and to local PCs. You can use the Microsoft Local Administrator Password Solution (LAPS) to manage the local account passwords of domain-joined computers.

Once it gains administrator access on a machine, it then leverages that power to commandeer other computers on the network or sniff domain admin credentials present in memory to take control over the entire Windows network.

Check for suspicious traffic flows on your network

You should also review your network traffic flows for any activity associated with Microsoft SMB ports and external addresses. SMB typically uses TCP port 445 and this is one of the main attack vectors used in recent Ransomware attacks. You can monitor network traffic by using SPAN or mirror ports off your core switches.

The image below is an example of what to watch out for. I used a Top Clients report from our LANGuardian product to show all connections over TCP port 445 where the client IP address was external. Based on this data I need to make sure the target machines are not running SMBv1 and I will also block TCP 445 access on my firewall.

Petya activity over TCP port 445

Infected machines may also scan the network looking for other Microsoft clients. Watch out for the following behaviour:

  • Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
  • Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes

How to passively detect SMBv1 use on your network

Even if you think you have patched all systems on your network, you should still run an audit to check for any activity associated with SMBv1. Some network devices may have embedded operating systems which could easily be missed. One method to do this is to use network traffic analysis to detect the presence of clients attempting to connect to other systems using SMBv1.

Our own LANGuardian product can be used to report on SMBv1 use and an example of this is shown in the video below.

We will continue to update this post as we learn more about this Ransomware variant.

Other indicators of Petya \ NotPetya

Watch out for any activity on your network associated with these IP addresses. Check whether any local systems on your network are trying to connect to them, and whether you have any inbound activity through your firewall(s) associated with them.

  • 95.141.115.108
  • 185.165.29.78
  • 84.200.16.242
  • 111.90.139.247

Monitoring Network Traffic Going In and Out of Your Network

Why you need to watch out for traffic going in and out of your network

One of the most common requests from customers at the moment is the need to create LANGuardian reports which show what network traffic is entering and leaving their network. The recent WannaCry Ransomware outbreak has really made this type of reporting vital for all Network and Security Managers. WannaCry actively scanned for networks which had TCP port 445 open and then used a vulnerability in SMBv1 to access network file shares.

Leaving Ransomware to one side, it is always good practice to keep a very close eye on your network perimeter. Even if you have a very good Firewall, mistakes can happen and rogue traffic will get through or users will use various methods including tunneling, external anonymizers and VPNs to get around firewall rules.

Defining what is your network edge

Typically, your network edge separates the local subnets on your network from all the external subnets beyond it. Many of you will use private addresses internally, but it is not uncommon to find public IP blocks in use as well. In order to report on what is entering and leaving your network, you need to define what subnets are in use. If you only use private address ranges then your internal networks could be represented as this list of subnets.

10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Creating subnet variables for use with LANGuardian reports

While you can use subnets directly within LANGuardian reports, you can save some time in the long run by using report variables. Click on the gear symbol top right and select Customization. From here, click on Report Variables and then Add New Report Variable.

  • Create a variable called External by using the subnet filter !10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
  • Create a variable called Internal by using the subnet filter 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Note that you will need to change the subnet lists above if you use public IP blocks inside your network. Just add them to the list using comma separators.
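The same Internal/External split can be applied outside LANGuardian. The following is an added example (not LANGuardian code) that runs the post's subnet variables over constructed flow records and produces the three findings the posts above ask for: external clients connecting inbound to TCP 445/139, internal hosts reaching external addresses on SMB ports, and hosts sweeping TCP 445/139 across their own /24 or across several /24 scopes. The flow-record tuple shape and the scan thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# The post's "Internal" report variable; "External" is simply its negation.
# Extend this list with any public blocks you route internally.
INTERNAL = [ipaddress.ip_network(n) for n in
            "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12".split(",")]
SMB_PORTS = {445, 139}


def is_internal(ip):
    """True when ip falls inside one of the Internal subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


# Constructed flow records (src_ip, dst_ip, proto, dst_port); sample data only.
FLOWS = (
    [("198.51.100.7", "192.168.1.10", "tcp", 445),   # external -> internal SMB
     ("198.51.100.7", "192.168.1.11", "tcp", 445),
     ("203.0.113.9", "192.168.1.10", "tcp", 139),
     ("192.168.1.20", "203.0.113.5", "tcp", 445),    # internal -> external SMB
     ("192.168.1.20", "203.0.113.5", "tcp", 443)]    # ordinary HTTPS, ignored
    # a workstation sweeping its own /24 on 445
    + [("192.168.1.50", f"192.168.1.{h}", "tcp", 445) for h in range(100, 120)]
    # a server probing 445/139 across eight different /24 scopes
    + [("10.0.0.5", f"10.0.{s}.1", "tcp", p) for s in range(1, 9) for p in (445, 139)]
)


def inbound_external_smb(flows):
    """External clients connecting inbound to internal SMB ports (report 1)."""
    hits = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport in SMB_PORTS and not is_internal(src) and is_internal(dst):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def outbound_smb(flows):
    """Internal hosts talking SMB to external addresses (report 2); block these at the edge."""
    return sorted({(src, dst) for src, dst, proto, dport in flows
                   if proto == "tcp" and dport in SMB_PORTS
                   and is_internal(src) and not is_internal(dst)})


def smb_scanners(flows, min_targets=10, min_scopes=3):
    """Internal hosts sweeping SMB ports.

    local_sweep: at least min_targets distinct hosts inside the scanner's own /24
    cross_sweep: targets spread over at least min_scopes different /24 scopes
    The thresholds are illustrative assumptions; tune them to your network.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport in SMB_PORTS and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    findings = {}
    for src, dsts in targets.items():
        own = ipaddress.ip_network(f"{src}/24", strict=False)
        local = {d for d in dsts if ipaddress.ip_address(d) in own}
        scopes = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
        if len(local) >= min_targets:
            findings[src] = "local_sweep"
        elif len(scopes) >= min_scopes:
            findings[src] = "cross_sweep"
    return findings


if __name__ == "__main__":
    print("inbound external SMB:", inbound_external_smb(FLOWS))
    print("outbound SMB:", outbound_smb(FLOWS))
    print("scanners:", smb_scanners(FLOWS))
```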

Top Tip: Add all of your remote sites and VLAN subnets as report variables to speed up troubleshooting. You can quickly see what applications are hogging bandwidth on WAN links by using LANGuardian to focus on traffic associated with the relevant subnet ranges.

Network edge report variables

Creating custom LANGuardian reports to focus on network edge activity

There are two reports I recommend you look at when it comes to network edge activity.

  1. Top external clients connecting inbound to my network
  2. Internal to External traffic flows

The steps to create a custom Top Clients report are as follows:

  1. Use the search box to locate the Bandwidth :: Top Clients report
  2. Click on the Source IP/Subnet box and select External
  3. Click Run Report
  4. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  5. Enter a name and description, then click Save

The new report will be listed in the My Reports section

The steps to create a custom Internal to External report are as follows:

  1. Use the Search box to locate the Bandwidth :: Sessions report.
  2. Click on the Source IP/Subnet field and select Internal
  3. Click on the Destination IP/Subnet field and select External
  4. Click Run Report
  5. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  6. Enter a Name and Description, then click Save.

The new report will be listed in the My Reports section.

network sessions

Take a read of this blog post, if you would like to learn more on how to monitor network traffic on your network. It contains some handy tips on how to get visibility as to what is happening inside your network.

How to detect SMBv1 use on your Network

SMBv1 file sharing

How can I find out if SMBv1 is being used on my network?

Even if you disable SMBv1 on all clients and servers, it is still good practice to check if any systems on your network are using this protocol. You may have un-managed systems like personal laptops or embedded operating systems within other network connected devices. These are the most common ways to find out if SMB1 is in use on your network:

  1. Run Get-SmbConnection on a client
  2. Scan your network using a vulnerability scanner
  3. Take a packet capture off the network and use Wireshark to identify what version of server message block you are running
  4. Use a network traffic analysis system connected to a SPAN/mirror port or network TAP

What is SMBv1?

Server message block (SMB) is an application layer network protocol typically used to provide shared access to files and printers. It is also known as Common Internet File System (CIFS). Most data is transferred via TCP port 445, although it also uses TCP ports 137 and 139.

SMB was first used in Windows operating systems around 1992. Windows Server 2003, and older NAS devices use SMBv1 natively. It is a very inefficient protocol; Microsoft have advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016.

Find Out What Systems Are Using SMBv1 on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or Username. Real time and historical reports available. No need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.

Customer Use Case – Is there a way to detect SMB1 traffic?

Way back in October 2016 a US public sector customer sent us this query

“Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.

IT Manager”

At that time our LANGuardian product could detect SMB traffic and extract metadata such as filenames and actions, but it did not capture and store the SMB version. Our product management team looked at this and we decided to modify our SMB decoder to capture the following information:

  1. Capture and store the SMB version of all SMB traffic.
  2. Generate an alert if a client or server establishes a connection using SMBv1
  3. Generate an alert if a client tries to connect to another network device using SMBv1

This use case also highlights the flexibility and power of using wire traffic data, as opposed to logs, to get visibility into the critical detail, in this case the SMB version. Some critical details like the SMB version may not be available from logs, but are available via network traffic analysis.

It is worth noting that at the time our customer did not have a Ransomware problem. They were being proactive by dealing with the SMBv1 problem before it could be exploited on their network. This is still very relevant today. Too many networks are still using SMBv1 and IT managers have no visibility into what protocols are being used on their internal networks.

Why all the attention about SMBv1?

In May 2017, the WannaCry Ransomware started to infect computer networks around the world. It was the first in the family of WannaCrypt Ransomware which targeted both locally stored data and network based file shares. It has become a huge problem, and most IT and Security Managers have made detecting WannaCry Ransomware their top priority.

There are three known attack vectors for WannaCry. Some computers were accessed directly, some people opened email attachments and some were redirected to websites where they downloaded the malware. Direct access is an unusual attack vector and occurred if a network allowed NetBIOS packets from external networks.

Data from antivirus provider Kaspersky Lab showed that 98% of the victims were actually running Windows 7. When the Ransomware first came out it was suggested that it was targeting Windows XP systems but the number of affected Windows XP systems looks to be insignificant.

This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware. All the more reason why you need to know what is going in and out of your network, not just in real time but also historically, so you can look back and see what happened.

Once downloaded the malicious code in the zip file infects the local computer, which then does two things:

  • Encrypts the local filesystem
  • Attempts to infect other systems by exploiting a vulnerability in SMBv1 (EternalBlue)

A further exploit known as DoublePulsar is then used to create a backdoor and inject malicious DLLs into the target system’s kernel. The EternalBlue and DoublePulsar exploits are linked to tools originally developed by the NSA which were recently exposed by the Shadow Brokers group.

What systems are at risk?

Any Windows system that supports SMBv1 and does not have patch MS17-010 applied is potentially at risk. This is not limited to just Windows Server 2003 and Windows XP clients. As far back as September 2016 Microsoft recommended the removal of SMBv1 from networks. Potentially all Windows clients on your network need to be checked and patched. Publicly available exploit code lists targets as:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

Windows XP and Windows Server 2003 can only support SMBv1. Aim to cease use of these systems on your network, as they are end-of-life and Microsoft does not provide regular updates. The latest Windows 10 Insider build removes the SMBv1 server software. The SMB1 client remains, so that users can connect to devices still using the protocol, but the server side is gone.

What should I do?

Make sure you apply patch MS17-010. Disable SMBv1 on systems that can support SMBv2 and SMBv3. SMBv2 and SMBv3 are much more efficient and will use fewer network resources. Check your backups: are they running, and have you tested restoring data?

To disable SMBv1 you need to run these commands in PowerShell on each system.

  • Check for SMBv1:
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server:
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Further information on how to disable SMBv1 on other systems is available here. You can also disable SMBv1 via Group Policy preferences. This approach will allow you to configure and enforce the registry settings related to disabling the SMBv1 client and server components for Windows Vista and Server 2008 and later.

Checking SMB version on a client

The version of SMB used between a client and the server will be the highest dialect supported by both the client and server.

This means if a Windows 10 machine is talking to a Windows Server 2012 machine, it will use SMB 3.0. If a Windows 8 machine is talking to Windows Server 2008 R2, then the highest common level is SMB 2.1.

To check which dialect version you are using, run the PowerShell cmdlet: Get-SmbConnection

Scan your network using a vulnerability scanner

Various vulnerability scanners may help with this, but they need to know which systems to query. Microsoft have released Desired State Configuration Environment Analyzer, a PowerShell module which can be used to scan a Windows Server 2012 R2 environment to see if any of the systems have SMB1 installed. Further reading in this post, which also contains a sample script.

Using packet capture and analysis to detect SMBv1 activity

One of the easiest ways to detect what versions of server message block you are using is to use network traffic capture. You can do this locally on a client or server or use a SPAN\Mirror port. Once you have a source of network packets you need to process them using a network traffic monitoring application.

Microsoft have some guides on how to use their Message Analyzer application to audit active SMB1 usage. Further reading on this page, which includes some screenshots of what to look out for. As per the image below, Wireshark can also be used to check for SMB1 connections from live traffic or from a PCAP file. However, Wireshark and Microsoft Message Analyzer do not monitor continuously and do not alert.

Should I worry about non Windows operating systems?

The main target for Ransomware is Windows based file shares. However, variants such as KeRanger are designed to target macOS systems. In recent days, on May 24, the Samba team released a patch (CVE-2017-7494) for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

There is a high probability that this could be the target of a Linux specific Ransomware variant. It is even trending as SambaCry on Twitter at the moment. According to the Shodan computer search engine, more than 485,000 Samba-enabled computers exposed port 445 on the Internet. The main advice you can take from this is to make sure you patch vulnerable Linux systems and close access to TCP port 445 on your firewall if it is not needed.

What does LANGuardian do and how can it monitor SMBv1 traffic?

Deep Packet Inspection Software can monitor all client network connections and if equipped with sufficiently sophisticated application layer decoders, can determine the version of SMB protocol that is being used. All you need is a data source which is typically a SPAN\Mirror port or network TAP. Our own LANGuardian product includes a deep packet inspection engine which can be used to monitor network traffic on any network that has a managed switch.

LANGuardian can detect, report and alert on the following scenarios:

  • A client connection request to any server, using SMBv1 protocol
  • A successful connection response from a server using SMBv1
  • Any file share actions (file write, rename, read etc) transacted using the SMBv1 protocol
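The dialect rule explained above (the connection uses the highest dialect both sides support) and the first two scenarios in this list can be checked from the wire without any product. The following is an added example, not LANGuardian's decoder or Microsoft's code: a small parser for the SMBv1 Negotiate Protocol request and for the SMBv1 and SMB2 Negotiate responses that reports whether a client offered only SMBv1 dialects and whether the server accepted SMBv1. The sample packets at the end are constructed from the published header layouts, not real captures.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMBv1 header starts with 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header starts with 0xFE 'S' 'M' 'B'
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000


def smb_message(tcp_payload):
    """Strip the 4-byte NetBIOS session header (type 0x00, 3-byte big-endian length)."""
    if len(tcp_payload) < 4 or tcp_payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(tcp_payload[1:4], "big")
    return tcp_payload[4:4 + length]


def parse_smb1_negotiate_request(msg):
    """Return the dialect strings a client offered in an SMBv1 Negotiate request."""
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMBv1 negotiate request")
    word_count = msg[32]                      # 32-byte header, then WordCount
    byte_count = struct.unpack_from("<H", msg, 33 + 2 * word_count)[0]
    start = 35 + 2 * word_count
    data = msg[start:start + byte_count]
    # Each dialect is 0x02 followed by a NUL-terminated ASCII string.
    return [e[1:].decode("ascii") for e in data.split(b"\x00") if e.startswith(b"\x02")]


def negotiated_dialect(response_msg, offered):
    """Dialect the server picked, or None if it accepted nothing.

    An SMBv1 response carries an index into the client's list (0xFFFF = none).
    A server that supports SMB2+ answers an 'SMB 2.???' offer with an SMB2 header
    whose NEGOTIATE body carries DialectRevision (0x0202 ... 0x0311).
    """
    if response_msg[:4] == SMB1_MAGIC and response_msg[4] == SMB1_COM_NEGOTIATE:
        if response_msg[32] == 0:             # WordCount 0: nothing to read
            return None
        index = struct.unpack_from("<H", response_msg, 33)[0]
        if index == 0xFFFF or index >= len(offered):
            return None
        return offered[index]                 # e.g. "NT LM 0.12" means SMBv1 is in use
    if response_msg[:4] == SMB2_MAGIC:
        if struct.unpack_from("<H", response_msg, 12)[0] != SMB2_NEGOTIATE:
            return None
        # 64-byte SMB2 header; body = StructureSize(2) SecurityMode(2) DialectRevision(2)
        revision = struct.unpack_from("<H", response_msg, 64 + 4)[0]
        return f"SMB2 0x{revision:04X}"
    return None


def classify_negotiation(request_payload, response_payload):
    """The two findings described above: client offering SMBv1 only, server accepting it."""
    offered = parse_smb1_negotiate_request(smb_message(request_payload))
    chosen = negotiated_dialect(smb_message(response_payload), offered)
    return {
        "offered": offered,
        "negotiated": chosen,
        "client_smb1_only": not any(d.startswith("SMB 2.") for d in offered),
        "server_accepted_smb1": chosen is not None and not chosen.startswith("SMB2"),
    }


# --- constructed sample packets (built from the header layouts, not captures) ---
def _nbss(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _smb1_header(command):
    # Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
    # SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2) = 32 bytes
    return SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + b"\x53\xc8" + b"\x00" * 20


def build_negotiate_request(dialects):
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(_smb1_header(SMB1_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(data)) + data)


def build_smb1_negotiate_response(dialect_index):
    # WordCount 17 as in an NT LM 0.12 response; only word 0 (DialectIndex) is populated.
    words = struct.pack("<H", dialect_index) + b"\x00" * 32
    return _nbss(_smb1_header(SMB1_COM_NEGOTIATE) + b"\x11" + words + b"\x00\x00")


def build_smb2_negotiate_response(dialect_revision):
    header = (SMB2_MAGIC + struct.pack("<HH", 64, 0) + b"\x00" * 4
              + struct.pack("<HH", SMB2_NEGOTIATE, 1) + b"\x00" * 48)
    body = struct.pack("<HHH", 65, 1, dialect_revision) + b"\x00" * 58
    return _nbss(header + body)


if __name__ == "__main__":
    legacy = build_negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
    print(classify_negotiation(legacy, build_smb1_negotiate_response(2)))
    modern = build_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
    print(classify_negotiation(modern, build_smb2_negotiate_response(0x0311)))
```

On a real capture, feed the first client-to-server and server-to-client TCP payloads of each port 445 session into classify_negotiation; a True in server_accepted_smb1 is the "successful connection response using SMBv1" case, and client_smb1_only flags the legacy clients to chase down.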

The advantages of this continuous monitoring are:

  • Any attempt by an infected client to infect any other system on the network (lateral movement) via SMBv1 can be detected. It is not possible for a client to hide its “network traffic trail”
  • Clients do not have to be known by the monitoring system beforehand (so monitors managed and unmanaged devices)
  • Detects embedded systems that may not be patched
  • No endpoint software is needed such as agents or client software
  • Very easy to deploy, simply SPAN or mirror the traffic to and from the file share servers (usually on the same VLAN) to get instant visibility
  • No logs are required, no configuration changes or extra load on servers

The video below shows LANGuardian in action and how it can be used to root out SMB1 clients and servers on your network.

Creating a Ransomware Monitoring Dashboard

Ransomware Monitoring Dashboard

Creating a Ransomware Monitoring Dashboard with LANGuardian

Ransomware has really hit the headlines since WannaCry was first detected. If you want to learn more about this variant, check out our latest blog post which takes a look at how to detect the presence of WannaCry Ransomware and SMBv1 servers on your network.

We regularly send security bulletins to customers and one of the most common questions when it came to Ransomware was what would be a good set of reports to add to a Ransomware Monitoring dashboard. As WannaCrypt and its variants are very prominent at the moment, the focus is on it. However, as you can see from the video below, the dashboard can be used to monitor many other Ransomware variants.

Ransomware Monitoring Elements

This list shows the 8 elements that make up our basic Ransomware monitoring dashboard. We will publish more information at a later date as we learn more about WanaCrypt0r 2.0 and other variants. The video below explains more about how to set up each element and how to interpret the data returned.

  1. Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
  2. Any activity associated with WannaCry web domains.
  3. A list of Windows XP clients; as these use SMBv1, they are seen as vulnerable.
  4. A list of servers running SMBv1.
  5. Graph showing the rate of file renames on network shares. High numbers of file renames are a sure sign of Ransomware.
  6. Top clients (you can also get usernames) renaming files on your network
  7. Any outbound activity on your network using TCP port 445
  8. Any instances of ransom note text files associated with WannaCry

The video references these variables which you can copy\paste when needed.

  • WannaCry file extensions: \.wnry$|\.wcry$|\.wncry|\.wncryt$
  • WannaCry web domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • WannaCry ransom note text file: @Please_Read_Me@.txt

If you want to add elements for detecting XData Ransomware, use these variables:

  1. Search for any file containing the text string XData
  2. Search for any file names matching HOW_CAN_I_DECRYPT_MY_FILES.txt.

We are also working on an update to LANGuardian which can trigger an alert whenever an SMB1 protocol request or response is seen. This will then enable you to use the Ransomware Monitoring dashboard and get alerts, if required.

Video Guide: Setting up a Ransomware Monitoring dashboard

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

Wannacry Ransomware

How to detect the presence of WannaCry Ransomware and SMBv1 servers

WannaCry Ransomware has become very active in May 2017. It looks to be targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. One of the big lessons from this Ransomware outbreak is that it is vital that you have monitoring in place on your network. You need to be able to quickly identify suspicious activity.

Passively monitor network and user activity using network traffic analysis

One of the easiest ways to monitor what is happening on your network is to setup a SPAN\Mirror port or use a network TAP. This will give you access to flows and packet payloads, so you can see who is connecting to what and if there is anything suspicious moving around.

Check out this blog post if you use Cisco switches, as it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to setup monitoring on other switches.

Network traffic monitoring is an ideal way of monitoring what is happening on your network, as you don’t need to install agents or client software on your network devices. It is also a very useful option for continuously checking your network for vulnerable legacy systems like Windows XP or systems that can use SMB1 which is deemed to be insecure.

Detecting Ransomware – Setup a data source

As I mention above, you can monitor what is happening on your network by monitoring network traffic. However, you do need an application that can process network packets to get meaningful information. Tools like Wireshark may struggle if you are dealing with large volumes of traffic.

Our own product LANGuardian can be used to monitor network traffic. It does not store every packet; instead it captures metadata which can be used to spot security or operational issues on networks. It includes an SMB and NFS decoder as well as a built in Intrusion Detection System (IDS). When it comes to Ransomware, these metadata values are useful for spotting problems:

  • File names, specifically those hosted on Windows file shares
  • File actions like rename or create
  • File sharing protocol versions like SMBv1
  • Capturing specific packets associated with known Ransomware variants
  • Flow records of clients connecting to external IP addresses

Even if you don’t plan on using LANGuardian, check if your existing network monitoring tools have the ability to capture this data. Flow based tools are not good at detecting Ransomware, as they do not see the packet payloads which are required to tell if your file shares are under attack.

Focusing on WannaCry Ransomware

There are six things to watch out for when it comes to detecting WannaCry Ransomware:

  1. Check for SMBv1 use. This Ransomware is not limited to just Windows Server 2003 and XP clients. A large number of WannaCry victims were running Windows 7. SMBv1 can run on all Windows versions so check your network for any activity.
  2. Check your web and DNS traffic for any attempts to connect to these domains:
    • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
    • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com
  3. Check for an increase in the rate of file renames on your network
  4. Look out for any outbound traffic on TCP 445. This really should be blocked
  5. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  6. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt
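The dashboard variables quoted earlier (the extension regex, the ransom note name and the XData note) and checks 3, 5 and 6 above can be run as one piece of detection logic over the file-activity metadata a passive SMB decoder produces. The following is an added example, not LANGuardian code; the record layout, the rename-rate threshold and the sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Dashboard variables exactly as listed in the post, plus the XData note name.
WANNACRY_EXT = re.compile(r"\.wnry$|\.wcry$|\.wncry|\.wncryt$", re.IGNORECASE)
RANSOM_NOTES = {"@Please_Read_Me@.txt", "HOW_CAN_I_DECRYPT_MY_FILES.txt"}

# Constructed file-activity records (epoch_seconds, client_ip, username, action, path),
# the shape of metadata a passive SMB decoder would emit. Sample data only.
EVENTS = (
    [(1000, "192.168.1.20", "alice", "read", r"\\fs01\finance\q2.xlsx"),
     (1001, "192.168.1.20", "alice", "rename", r"\\fs01\finance\q2.xlsx.WNCRY"),
     (1030, "192.168.1.44", "carol", "rename", r"\\fs01\hr\policy_v2.docx"),
     (1100, "192.168.1.55", "dave", "create", r"\\fs01\eng\HOW_CAN_I_DECRYPT_MY_FILES.txt")]
    # one client renaming 25 files in 25 seconds, then dropping the ransom note
    + [(1010 + i, "192.168.1.33", "bob", "rename", rf"\\fs01\shared\doc{i}.docx.WNCRY")
       for i in range(25)]
    + [(1036, "192.168.1.33", "bob", "create", r"\\fs01\shared\@Please_Read_Me@.txt")]
)


def rename_rate(events, window=60):
    """Peak number of renames per client within any sliding window of `window` seconds."""
    per_client = defaultdict(list)
    for ts, client, _user, action, _path in events:
        if action == "rename":
            per_client[client].append(ts)
    peaks = {}
    for client, stamps in per_client.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks


def indicator_hits(events):
    """Filenames matching the WannaCry extension list or a known ransom note name."""
    hits = defaultdict(list)
    for _ts, client, user, _action, path in events:
        name = path.rsplit("\\", 1)[-1]
        if WANNACRY_EXT.search(name):
            hits["wannacry_extension"].append((client, user, name))
        if name in RANSOM_NOTES:
            hits["ransom_note"].append((client, user, name))
    return dict(hits)


def triage(events, rename_threshold=20, window=60):
    """Clients worth investigating, with the dashboard element(s) that fired."""
    reasons = defaultdict(set)
    for client, peak in rename_rate(events, window).items():
        if peak >= rename_threshold:
            reasons[client].add("rename_rate")
    for kind, rows in indicator_hits(events).items():
        for client, _user, _name in rows:
            reasons[client].add(kind)
    return {client: sorted(kinds) for client, kinds in reasons.items()}


if __name__ == "__main__":
    for client, why in triage(EVENTS).items():
        print(client, why)
```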

SMBv1 is deprecated and should be removed from your network. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. At a minimum, you should be patching your systems as per Microsoft Security Bulletin MS17-010. In the video below, I cover off more on how you can use LANGuardian to detect SMBv1 and suspicious file activity.

Top Tips for preventing Ransomware on your Network

  1. Backup your files regularly and make sure to keep a copy off site. This may be stating the obvious, but a lot of people get caught out when they go to restore files. Build a test server and see if you can restore onto it.
  2. Limit the use of Microsoft Office Macros: A lot of Ransomware is spread using Office attachments.  Microsoft recently published an add-on which can stop you from enabling macros in documents downloaded from the Internet. Some more reading here.
  3. Be careful of opening attachments from unknown sources: This is especially true for employees who may receive CVs or financial documents. It may seem normal for them to open attachments from strangers. I have seen targeted attacks where a company advertised a job on the Internet. The HR department received applications with attachments which contained malware associated with Ransomware. Make sure you tell applicants to only send PDF type attachments.
  4. Keep your systems patched: WannaCry and other WannaCrypt variants targeted systems running SMBv1. Microsoft had published Security Bulletin MS17-010 which addressed issues with SMBv1. At a minimum, you should disable SMBv1 and patch all relevant systems on your network. However, the advice is to stay on top of installing updates; you just never know what will be targeted next.
  5. Know what is happening on your network: When Ransomware strikes it can be difficult to figure out what data was encrypted. Users will report that they cannot access certain files or folders, but they won’t know what exactly was targeted.  Get an audit trail of all file and folder activity. You can implement file activity monitoring passively using network traffic analysis.
  6. Know what is happening at the edge of your network: When it comes to keeping your network safe, it is vital that you know what is going in and out of the network edge. Don’t rely on firewall logs as they may become inaccessible when your network is under attack. Look at deploying a combination of intrusion detection (IDS) and flow analysis with metadata capture. Information captured at this point can be crucial if your network is attacked. Look at capturing:
    • IP addresses with associated GeoIP details
    • Flow information such as source and destination TCP or UDP ports. WannaCry targeted networks where TCP port 445 was open so you should block this type of activity at the edge.
    • DNS traffic details like hostnames and DNS server addresses
    • Attachments inbound and outbound via SMTP
    • Web domain names – HTTP and HTTPS
    • IDS events associated with suspicious packet payloads
    • Associated usernames so you can track who is doing what
    • Web client information such as operating system type and browser type
  7. Don’t rely on log files alone for investigating issues. Log management tools have their uses but they can be compromised if a network is attacked. Recently a number of school districts were targeted with a Ransomware attack in the US and the hacking group turned off the logs recording who accessed their systems.

How to disable SMBv1

Server Message Block (SMB) is a protocol mainly used for providing shared access to files and printers on computer networks. Microsoft is recommending that SMBv1 is disabled on all server and client Windows installs as it is insecure and has been replaced. If you detect any SMB1 activity on your network, these steps for shutting down the protocol should apply to the most popular Windows versions. Take a read of this article on how to enable and disable SMBv1 in Windows and Windows Server.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system.

There is some additional reading in this Microsoft post which includes some customer guidance for WannaCrypt attacks.

I don’t have Ransomware on my network; should I worry?

If you have good update procedures and network users are cautious when it comes to clicking on attachments and strange links, you should be able to keep the WannaCry Ransomware away from your network. However, now is the time to get an inventory of what SMB versions you are running on your file servers and take action if you find SMBv1.

Now is also the ideal time to get a good network monitoring system in place. Don’t wait for Ransomware to strike, it is much easier to get something in place when your network is not under attack.

Looking back on CoSN 2017 – ABCDE approach to digital transformation

27 April 2017 NetFort Blog By: Darragh Delaney
CoSN 2017

I am just back from a couple of weeks in the US. The early part of my trip revolved around the 2017 CoSN event in Chicago. CoSN (the Consortium for School Networking) is a professional association for school system technology leaders. We have a number of K12 school district customers in the US so having a presence at events like this is important.

One thing that struck me on this trip is the way everything has gone cloud\app based. You can now book everything online and travel around without ever speaking to anyone. All the airlines have good mobile apps now which include electronic boarding passes, Airbnb delivers excellent value when it comes to accommodation and you may never meet your host, as I normally collect the keys through a lockbox. Uber gets you where you need to go when you arrive and because your destination is preset you don’t need to go through the hassle of explaining exactly where you want to go. Even the restaurants have iPads instead of menus where you can pick exactly what you want without ever needing to speak to a waiter. Convenient yes, but it’s a bit robotic and cold sometimes.

One would have to question where this technology is leading us. Both Mark Zuckerberg and Elon Musk have announced plans to develop technology to bridge the gap between humans and machines. Musk’s project, called Neuralink, is aimed at helping humans keep pace with the rapid advances in AI. This would be achieved by basically integrating AI with human consciousness.

It may seem like something from the movies, but you can see the drivers of this in today’s world. Last week, as I was waiting for someone just outside Penn Station in New York, I observed hundreds of people going about their business, and a significant percentage were using their phones. The problem is that phones are fast and our brains are fast, but the bits in between, like our fingers or even speech, are slow to transmit our thoughts\data. We need something to increase the bandwidth between our brains and cloud-based AI computing.

CoSN 2017 was held in the Sheraton Grand Chicago in Chicago. In my opinion, the main theme of this year’s conference was the ABCDE approach to digital transformation.

  • A: Applications
  • B: Bandwidth
  • C: Connectivity
  • D: Device
  • E: Educate the educator

Many of the speakers at this year’s CoSN event spoke about how technology within schools is more about selecting the right applications and ensuring that students and teachers have access to a robust network to reach them.


The opening session at CoSN 2017 was delivered by Alberto Carvalho, Superintendent of Miami-Dade County Public Schools, the fourth-largest district in the country. He also spoke about how some school districts put too much focus on trying to reach a 1:1 ratio of students to devices. Instead, he recommended that districts focus on delivering robust digital tools by looking at what applications need to be rolled out, whether the network bandwidth is available, and whether there is connectivity, not just to schools, but also to homes and libraries when students need to work outside of school hours. When it came to connectivity, some schools even parked buses with WiFi access at the weekend so that students had somewhere to go to complete their assignments.

Alberto definitely has a point. I work with a lot of school districts in the US, and in a lot of cases we are trying to get to the root cause of bandwidth congestion problems. Staff and student devices can easily fill up bandwidth capacity on school WAN links if they pull down Windows\Apple updates or watch YouTube videos in HD. Assigning a device to every student is like giving every student a car. In most cases, the school infrastructure cannot deal with this: car parks will fill up and roads to the school will be congested. What you need to do is monitor how these electronic devices use resources on the network and make changes if necessary. In some cases, this may mean upgraded links, but for others it may mean putting cache servers at schools so that devices can download Apple\Windows updates locally.

Another interesting topic that seemed to come up at multiple sessions was the diversity of devices that are brought into schools. Some years ago, all the talk was about iPads. Now you have anything from Android-based tablets to Windows devices and Chromebooks. Chromebooks appear to get a mixed reception from K12 technology leaders. They are cheap, but they have a proper keyboard as well as providing for the touchscreen tablet experience. However, they are reliant on cloud services and are difficult to integrate with authentication systems like Active Directory. I am not sure if it was a sign of the times, but I called into two Walmarts and both stores were sold out of Chromebooks, but had any amount of tablets available.

If you want to learn more about how K12 school districts are using network traffic analysis to address operational issues and security issues, you can download a case study from this link which looks at how Aiken County Public Schools used LANGuardian to get to the root of its bandwidth problems.

Comparing Network Analysis and Visibility (NAV) Tools to SIEM Systems

22 February 2017 NetFort Blog By: Darragh Delaney

What is a Network Analysis and Visibility Tool?

A Network Analysis and Visibility (NAV) tool is an application or appliance which captures user and application data by analyzing network traffic as it flows around a network. This information, sometimes referred to as metadata, is then stored in a database so that it can be used for real-time or historical analysis of security or operational problems. Our own LANGuardian is a typical example of what a NAV tool looks like. Customers use it for many use cases, such as network operations monitoring, security, governance and user monitoring.

It is designed to be deployed quickly and to provide information immediately. The generation and presentation of NetFort metadata is designed to provide high-level overviews, with drill-down to detail, for users of various levels of expertise (you don’t have to be a network or packet analysis expert to use LANGuardian). It is very easy to see what is on the network and what is happening on it. Some of the use cases LANGuardian is used for include:

  • Detection of ransomware activity
  • Monitoring of data exfiltration and internet activity
  • Monitoring of access to files on file servers or MSSQL databases
  • Tracking of a user’s activity on the network, through User Forensics reporting
  • An inventory of what devices, servers and services are running on the network
  • Highlighting and identifying the root cause of bandwidth peaks on the network

LANGuardian can be installed onto a physical or virtual server in approx. 20 minutes. Once it is connected to a SPAN port, it starts collecting information. It does not require any agents, reconfiguration of audit logs or any additional software. LANGuardian can monitor any device that generates network traffic. It doesn’t need any prior information about the device, so for example, BYOD devices are automatically monitored.

Comparing SIEM to Network Analysis and Visibility solution based on LANGuardian platform

In summary, a network analysis and visibility tool like LANGuardian provides simple deployment and easy access to overview and drill down detail for operations, security, governance and user monitoring.

What are SIEM systems?

The term SIEM is used to describe two different types of system:

(1) Basic log managers

(2) Log managers with built-in rules and a correlation engine

Basic Log Manager: The first and most basic is a log manager, quite often referred to as a log collector. This system collects event logs generated by various systems on the network (firewalls, proxies, file servers, database servers) and stores them in one central location.

Log managers simply collect logs and save them in a single, central location. Log systems generally don’t do any analysis on the logs and do not provide much in the way of reporting. They are generally used to comply with data retention policies. Every device whose logs need to be saved has to be configured to send its logs to the log manager, and log managers will not automatically detect new servers as they are added to the network. Hence, log files are not always the answer when it comes to finding out what is happening on your network.

A log manager with built-in rules and a correlation engine is better known as a true SIEM system. The SIEM system is designed to analyse logs from various different sources and to generate an alert if certain conditions are met. The image below shows a typical example of what firewall log files look like.

log file sample

The rule and correlation engine allows the administrator to create (or import) simple or complex rules that look for patterns in the log entries, match log entries from different systems and determine if an alert should be raised. Some SIEM systems (Splunk, LogRhythm) also have traffic analysis add-ons that generate log entries from network traffic. Most SIEMs come with some prepackaged rules. The SIEM system does not typically provide any overall view of the network, but only an “event list” type output. The focus is primarily on security events.
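As an added illustration of what such a rule looks like (example code written for this post, not a rule from any SIEM product), the Python below normalises a handful of constructed firewall log lines and raises an alert when one source opens SMB (TCP/445) connections to many distinct hosts within a short window, the fan-out pattern produced by the SMBv1 worms discussed earlier; the log layout, field names and threshold are assumptions:

```python
"""Minimal SIEM-style correlation rule over constructed firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed firewall log lines in a simple syslog-like layout (not real device output):
# one internal host fans out to six different hosts on TCP/445 within a few seconds.
FIREWALL_LOG = """\
2017-05-12T09:00:01 fw1 ALLOW TCP 10.1.1.50:49321 -> 10.1.2.10:445
2017-05-12T09:00:02 fw1 ALLOW TCP 10.1.1.50:49322 -> 10.1.2.11:445
2017-05-12T09:00:02 fw1 ALLOW TCP 10.1.1.50:49323 -> 10.1.2.12:445
2017-05-12T09:00:03 fw1 ALLOW TCP 10.1.1.50:49324 -> 10.1.2.13:445
2017-05-12T09:00:03 fw1 ALLOW TCP 10.1.1.50:49325 -> 10.1.2.14:445
2017-05-12T09:00:04 fw1 ALLOW TCP 10.1.1.50:49326 -> 10.1.2.15:445
2017-05-12T09:00:05 fw1 ALLOW TCP 10.1.1.77:51000 -> 10.1.2.10:445
2017-05-12T09:01:30 fw1 ALLOW TCP 10.1.1.77:51001 -> 10.1.2.11:445
2017-05-12T09:02:00 fw1 ALLOW TCP 10.1.1.60:52000 -> 198.51.100.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log_text):
    """Normalise raw lines into (timestamp, src, dst, dport, action) events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the layout are dropped, as a SIEM normaliser would
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                           int(m["dport"]), m["action"]))
    return events

def smb_fanout_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: one source reaching >= threshold distinct hosts on TCP/445 within the window.
    Returns {source: number of distinct targets} for sources that trip the rule."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, action in events:
        if dport == 445 and action == "ALLOW":
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so each hit can open a sliding window
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = len(targets)
                break
    return alerts
```

The two SMB connections from 10.1.1.77 fall outside the 60-second window and so do not alert, which is the kind of tuning decision a real rule set has to make explicit.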

SIEM deployment and management is typically a significant project, requiring external consultants to configure the SIEM, along with all the servers that need to send logs, and to create the correlation rules. As new servers and services are added to the network, the SIEM configuration has to be updated. The cost associated with SIEM deployment and maintenance can often be significant, and without the correct expertise SIEM projects frequently return little value (and become little more than expensive log managers).

If you are in the market for a log manager\collector or a SIEM system, watch out for these pitfalls:

  • Log files can be easily removed or overwritten
  • When you enable logs on some servers\devices it can impact system performance
  • Log files are not always available. Some systems, like NetApp servers, do not come with native logging
  • If a system is under load or attack, the log files may not be accessible; hence you will struggle to troubleshoot issues at critical times.
  • Cost – some SIEMs charge based on the amount of data logged and can end up being very expensive

What should you choose?

If you just want to collect some very specific log files for compliance or other reasons, a log manager may be your best option. If you need a real time and historical view of what is happening on your network then you should look towards SIEM or Network Analysis and Visibility tools.

Remember, the installation of a SIEM tool is only a small part of the solution; the difficult part is getting actionable alerts from the mountain of data that it collects. A network analysis and visibility tool can collect user and application information directly from network traffic. However, ensure you are familiar with SPAN, mirror ports and TAPs before you make that purchase decision!

Providing for more Visibility of Threats in your Network


Visibility of Threats. A must-have for all Network Managers

One of the most common requirements Network Managers have at the moment is for tools which can provide more visibility of threats on their networks. For a lot of managers, a majority of the devices on their networks aren’t theirs, and so endpoint security can only go so far. Network users can also use the network to access blocked or copyrighted material through small media devices running Kodi and a number of plugins.

With the rise in mobile devices, IoT devices, smart TVs, etc., they need something with a little more intelligence than just the logs from firewalls. Firewall logs are also problematic when a network is under attack, as you may find that they are inaccessible due to resource load on the firewall, or they get overwritten very quickly and you end up losing vital forensic information.

Diagnostic tools such as Wireshark can provide excellent low-level information, but they have issues with scale. If you try to look at traffic from a SPAN, mirror port or TAP, they can get overloaded. Commercial packet recorders are very expensive, and many of them need dedicated security personnel to maintain them. Many Network Managers do not have the luxury of having separate network operations and security specialists.

Network Security Analytics

The website NetworkWorld recently published an interesting article to coincide with RSA Conference 2017. In it, they look at how DDoS protection, network security analytics and cloud solutions will take center stage at this year’s conference. Network security analytics is moving from just capturing flow data to capturing metadata from layer 3 through layer 7, using network packet information as a data source.

Actionable events can be generated by aligning external threat intelligence with network traffic telemetry. External threat intelligence sources can include things like:

An example of GeoIP integration is shown below. Simply associating IP addresses with the countries where they are registered makes it much easier to spot suspicious activity.

GeoIP traffic report to get Visibility of Threats

Visibility of Threats: Next Steps

Capturing logs from firewalls is still recommended. However, you should include network traffic analysis as part of your operational and security tool set. This will allow you to capture threats which may have been carried into your network such as malware laden user devices. It will also give you a secondary source of data if your firewall logs are not available. Applications which use a SPAN, mirror port or TAP to monitor network traffic are vendor agnostic so you can use them to monitor IoT type devices.

Monitoring OneDrive Traffic


How to monitor OneDrive traffic

OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. Presently, the basic free OneDrive package allows for 5GB of storage, and you can upgrade to a premium offering which allows for 1TB of storage. This can result in high bandwidth use associated with OneDrive traffic.

A common question asked by our customers is how to provide reports about flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers which can make it tricky to get a top level view of bandwidth use.

From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to say definitively that it was OneDrive traffic using IP lookup alone.

Firstly, all of the traffic is encrypted; ignore the HTTP part, as that was me browsing other sites. This would be standard practice for all cloud storage services; I would be very surprised to find one that was not using encryption, and if so, I would refuse to use it.

Drilling down on the HTTPS traffic, it revealed that the data was associated with the live.com domain. This would make perfect sense as OneDrive is included in the suite of online services formerly known as Windows Live.

onedrive domains

Further analysis highlights that this activity is associated with storage sub-domains within live.com. LANGuardian captures this by dissecting the server’s SSL certificate (which must always be presented to the client), from which it can extract the server\domain name. By filtering on this sub-domain information, it is then possible to show how much data is associated with OneDrive.

associated onedrive traffic domains

Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.

onedrive geoip information
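As an added example (not LANGuardian code) tying the certificate-name filtering above to the GeoIP check, the Python below classifies constructed HTTPS flow records by the server name and sums bytes per service; the OneDrive hostnames, the documentation-range addresses and the countries are assumptions, and the server name could equally come from the SNI extension rather than the certificate:

```python
"""Attribute HTTPS flows to OneDrive from the TLS server name (added example, not LANGuardian code)."""
from collections import defaultdict

# Constructed flow records: (client, server_ip, server_name, bytes, geoip_country).
# server_name stands for the name read from the server certificate (or the SNI); the
# hostnames, documentation-range addresses and countries are illustrative, not observed.
FLOWS = [
    ("10.0.0.12", "192.0.2.10", "storage.live.com", 48_200_000, "US"),
    ("10.0.0.12", "192.0.2.11", "skyapi.onedrive.live.com", 120_000, "US"),
    ("10.0.0.19", "192.0.2.12", "login.live.com", 9_500, "US"),
    ("10.0.0.19", "192.0.2.13", "d.docs.live.net", 3_100_000, "US"),
    # a certificate name claiming OneDrive but an address registered outside the US: worth a second look
    ("10.0.0.30", "203.0.113.9", "storage.live.com", 2_000_000, "XX"),
    # a look-alike name: must not be counted as live.com traffic
    ("10.0.0.31", "198.51.100.7", "storage.live.com.example", 700_000, "XX"),
    ("10.0.0.31", "198.51.100.8", "www.example.org", 15_000, "IE"),
]

# Ordered rules: the first matching suffix wins. The OneDrive names below are assumed.
SERVICE_RULES = [
    ("OneDrive", ("storage.live.com", "onedrive.live.com", "docs.live.net")),
    ("Microsoft account", ("login.live.com",)),
]

def hostname_matches(name, suffix):
    """Label-boundary match: name equals suffix or ends with '.' + suffix."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def classify(server_name):
    """Map a server name to a service label, 'Other' when no rule matches."""
    for service, suffixes in SERVICE_RULES:
        if any(hostname_matches(server_name, s) for s in suffixes):
            return service
    return "Other"

def bytes_by_service(flows):
    """Sum bytes per service so the OneDrive volume can be read off directly."""
    totals = defaultdict(int)
    for _client, _ip, name, nbytes, _country in flows:
        totals[classify(name)] += nbytes
    return dict(totals)

def unexpected_countries(flows, service, expected=("US",)):
    """GeoIP cross-check: (name, country) pairs for `service` outside the expected countries."""
    return sorted({(name, country) for _c, _ip, name, _b, country in flows
                   if classify(name) == service and country not in expected})
```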

If you want to check OneDrive traffic volumes on your network, download a 30-day trial of LANGuardian, install it on a standard server, VMware or Hyper-V, and simply connect it to a SPAN port or port mirror to find out what is happening on your network within minutes.