Users Leaving? How to get an audit trail

Network users come and go. When new employees start we create sign on accounts and assign any relevant permissions. When employees leave we typically transfer their data over to someone else and disable any logon accounts.

During this transition period, an audit trail can be an invaluable resource. Sometimes users think they are doing everyone a favor by deleting what they think is old data or they move data around without telling anyone. In other cases, users may copy large volumes of data from the network with the intention of using it in their new job.

There are two main ways of getting an audit trail of user activity on your network. You can either install client\agent software on every network device or you can monitor network traffic inside your network. Client or agent software can be problematic as users can disable it or it may not be feasible to install it on personal devices.

Network traffic analysis is the most independent with no requirement for any client software or server logs. You just need to capture network traffic at the correct points and extract the relevant metadata. It is an ideal data source for network visibility, security, and compliance.

Monitoring Network Traffic

Network traffic analysis tools use deep packet inspection technologies to extract certain metadata from network traffic. Traffic is typically captured at the core of a network using a SPAN, mirror port, TAP or packet broker. Metadata can be something like a filename or a SQL query. When captured and stored this metadata can be then used to build an audit trail of user activity.

Focusing on an individual user for a specific time period

Recently we heard from a customer who had an issue when an employee was leaving. This employee moved, renamed and deleted some files off network shares. Using their LANGuardian, the network manager was able to get an audit trail of file and folder activity to find out what had been changed. It was then just a matter of putting everything back in its original location which saved the IT department a lot of time trying to figure out what files needed to be restored.

The image below shows a sample of the LANGuardian file activity monitoring reports. Data in this report is acquired by analyzing the network traffic associated with the SMB or NFS protocols.  Here we can see where user Leo deleted a profit and loss database together with the exact date and time when this action was seen.

It may also be worth looking at other user metadata when suspicious file activity is observed. The image below from a LANGuardian system shows that this user accessed some customer and sales data (1) and at the same time, data transfers were associated with Dropbox (2).

Cloud-based storage systems like Dropbox can be used to copy data out of a network and you may want to set up alerts if activity like this is detected on your network. We will follow up with another post showing how you can set this up with LANGuardian, just subscribe to our blog to get updates.

Click on the image below to access the user forensics section of our online demo.

What is RDP? (Remote Desktop Protocol)

RDP is a proprietary protocol developed by Microsoft. It provides a user with a graphical interface to connect to another computer over a network connection. It has been a native OS feature since Windows XP.

Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a server or a network users machine, they most commonly use RDP to connect to it.

Risks Associated With RDP

One of the main risks associated with RDP comes when you allow external clients access to your network. The RDP protocol typically uses TCP port 3389. Attackers often find instances of this port open by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.

Once on a system attackers can disable endpoint protection, establish a foothold in the organization and more. Once this happens, no endpoint security solution can save you. They might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. RDP connections can also be used to transfer data out of a network.

Recently I spoke to a network manager who was running a trial of our LANGuardian product. Their business need was around getting visibility inside their network and not for RDP specifically. Shortly after they started to monitor network traffic they noticed a lot of inbound RDP connections from many different countries.

When their firewall was checked they found what they described as a legacy rule to allow third party vendor access. Nobody checked this and as they had no visibility inside their network they had no idea systems running RDP were exposed to external clients. They implemented a quick fix which was to block inbound RDP connection attempts.

In July this year, the SamSam group infected some 7,000 Windows PCs and 1,900 servers at LabCorp with ransomware via a brute force attack on an RDP server. In another incident this year, Hancock Health was forced to pay over $50,000 in ransom to regain access to critical data that criminals had encrypted after breaking into its network via a hospital server running RDP services.

How to Detect RDP Activity

One quick check you can do to check for RDP activity is to see if TCP port 3389 is open on your firewall. While this is not an indication of activity you should consider shutting it down for all external clients. It is also possible to run RDP over a different port number so focusing on TCP port 3389 alone is not enough.

A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to detect if RDP is in use on your network. You will need a system which is application aware as RDP can run over any network port so looking for activity on TCP port 3389 alone is not sufficient.

The image below shows an example of what to look out for. In this case we can see evidence of RDP activity.  Clicking on the traffic total allows us to drill down to investigate further.

Further drilldown reveals that the RDP activity is originating from a client in China and it is connecting to a host located inside the network. An immediate action would be to block that IP address on the firewall if a connection to the network from China is not expected. Blocking port 3389 would also be recommended in this case.

Getting an alert if an external client connects to your network using RDP

While running reports are useful when it comes to forensics on a past event, most network and security managers want to be notified immediately if someone external connects to their network using RDP. Follow these steps to get alerting setup on your LANGuardian:

1. Select the report Applications in Use and enter all subnets in use on your network preceded with the ! symbol into the source report filter.
2. Select Remote Desktop Protocol from the Protocol drop down
3. Run report and then click on the Actions option and choose Save As. Enter a report name and then save.

The final step is to use this custom report to trigger an alert if RDP is detected. Click on gear symbol top right then Settings / Email and alerts configuration.

Select Add New List and then give it a name, add email addresses, select custom report and tick the last 3 boxes as per the image below.

What Should You do About RDP?

1. Limit access: Consider changing the default port of TCP 3389, using virtual networking/VLANs/etc. to limit access to critical systems via RDP. Block inbound RDP access from the Internet, it is far too risky to leave open.
2. Make sure systems that have RDP enabled use network level authentication with complex passwords and all activity is monitored closely.
3. Monitor endpoints. Make sure you have visibility on your network and you know who is connection to what. This is especially true for inbound connections from hosts on the Internet.
4. If you have a requirement for remote desktop access from outside your network, consider using a commercial product with encryption and more advanced user account options.

What is Hostname Annotation?

In computer networking hostname annotation is typically referred to the way a text based name is assigned to an IP address. This makes it easier for users to remember what they need to connect to. This concept is nothing new, we use a similar approach when it comes to phone numbers. Our phone contains a database of names and their corresponding numbers and most of us just remember the name part.

A hostname may be a domain name like www.netfort.com or it could be the name assigned to your laptop. In corporate environments computer names usually follow a naming convention so when you see the hostname you will also instantly know who the computer was assigned to.

Hostnames are also very useful when it comes to network incident response. Many logs on devices such as firewalls and servers will have IP address information but then you are left with the question “what hostname does this IP address represent?” Knowing this usually speeds up the process to get to the root cause of the problem.

How to capture hostnames

Gathering a comprehensive database of hostnames requires multiple data sources. Local machine names could be gathered from DHCP logs and Internet hostnames can sometimes be gathered by doing a reverse DNS lookup.

Away from logs there is a rich data source for hostnames on all networks. If you monitor network traffic at strategic locations you can use deep packet inspection to extract the hostnames. Network traffic can be captured using a SPAN, mirror port or network TAP. Capturing hostnames this way is passive and you don’t need to enable any logging on any network device. Strategic locations to capture network traffic would include

• Local DNS servers
• DHCP servers
• Internet gateways

A look at hostnames captured from network traffic

The following screenshots were taken from a LANGuardian system that I have in my lab. It uses network traffic as a data source and captures the hostname information using a series of application aware analysis engines. While you can capture hostname information manually from traffic using tools like Wireshark, LANGuardian delivers automatic hostname annotation capture which is always on.

1. DNS Traffic

In this first example we can see the output of the LANGuardian DNS lookup report. As you can see DNS traffic contains a wealth of hostname information. Click on the image to access the report in our online demo.

2. DHCP Requests

Hostnames are transmitted when a client (wired or wireless) requests an IP address from a DHCP server. In my example I am using LANGuardian to build an inventory of all wired and wireless devices that connect. Click on the image to access the report in our online demo.

3. HTTP Headers

HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. When users want to browse a website the hostname of the site can be found in the HTTP header generated by their browser. The image below shows how this information can then be used to build an Internet domain style report. Click on the image to access the report in our online demo.

4. SSL/TLS Certificates

An SSL/TLS certificate is like a driver’s license, it serves two functions. It grants permissions to use encrypted communication via Public Key Infrastructure, and also authenticates the identity of the certificate’s holder. This identity information will contain a hostname and it is transmitted in clear text during the cert negotiation process.

The image below shows an example of this hostname annotation which LANGuardian extracted from network traffic captured at the perimeter of a network. Click on the image to access the report in our online demo.

For more information on how LANGuardian works, check out this page. You can also download a trial version of LANGuardian if you want to test how hostname annotations can be quickly captures from network traffic.

What is Apache Struts and vulnerability CVE-2018-11776

Apache Struts is a free and open-source framework used to build Java web applications. On Wednesday, August 22, 2018, the Apache Foundation released a security bulletin for a critical vulnerability in the Apache Struts framework. Applications developed using Apache Struts are potentially vulnerable.

The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software. This is not the first remote code execution vulnerability discovered on Apache Struts. Previously the framework was targeted with vulnerabilities CVE-2017-9793, CVE-2017-9804, and CVE-2017-9805

Cryptocurrency miners have begun using these vulnerabilities to compromise servers to mine the Monero digital currency. Tools such as Apache Struts Version 3 can also be used to exploit vulnerabilities on ApacheStruts. The reality is that unpatched Apache Struts installations can leave organizations open to significant risks.

How to detect if attackers are targeting the CVE-2018-11776 vulnerability on your network

When in comes to monitoring, there are certain packet payloads and DNS requests that you should watch out for. Suspicious payloads can be detected by using an Intrusion Detection System (IDS) and DNS lookups can be tracked down by using a traffic analysis application like our own LANGuardian.

There are two IDS signatures in our current LANGuardian ruleset which focus on the Apache Struts Vulnerability CVE-2018-11776:

• ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1′  sid 2026025
• ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2′  sid 2026026

Constant monitoring of DNS queries is a good way to keep an inventory of what types of services clients on your network are trying to connect to. At the moment attackers who are successfully exploiting Apache Struts deployments via CVE-2018-11776 are using them to mine Cryptocurrency. One of the indicators of this is any DNS lookups to the domain:

• us-east.cryptonight-hub.miningpoolhub.com

Running LANGuardian reports associated with CVE-2018-1177

Conclusion

The Apache Struts framework continues to be targeted by attackers due to a steady stream of vulnerabilities. It is important that organizations remain diligent, ensuring this software is updated quickly when new patches are released or otherwise limiting external access to websites leveraging it.

Although the main payload for Apache Struts exploits at the moment appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining.

Make sure you monitor network traffic going to and from any Apache servers that you host on your network. This is especially true of the servers that can be accessed by external hosts. Also, make sure that your traffic monitoring application is updated with the latest IDS or DNS malware lists so that you can quickly spot problems.

What is SMBv1?

SMB operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. Microsoft has implemented three versions of SMB over the years; SMBv2 and SMBv3 are much more secure than SMBv1.

Many Ransomware and Cryptocurrency mining malware variants spread from computer to computer by exploiting critical vulnerabilities in Microsoft’s implementation of SMB version 1. Microsoft recently announced that their security visualization tool (VAST) can report on SMBv1 activity. This is in a response to demand from network and security managers who want to find out if SMBv1 is still active on their networks. However, before you download VAST let’s take a look at the alternatives.

How to root out SMBv1 from your network. Should you download VAST or use an alternative?

There are two primary ways to detect SMBv1 activity on your network. You can either use log files or you can analyze the network traffic going to and from your file servers. Log files will require changes on your file servers, you will need to increase the logging to capture SMBv1 events. Traffic analysis is passive and will not have any performance or storage impact on your servers but you do need to setup a SPAN or mirror port.

Using log files to detect SMBv1

At the end of March 2018 , Microsoft unveiled Project VAST or the Visual Auditing Security Tool (VAST). It uses Windows event logs as a data source and Azure Log Analytics to filter on EventID 3000 for each and every time that a client attempts to access the server using SMB1. You do need to enable auditing on every file server using the command below and this approach does not work for non Windows devices like NAS units.

“$computers = Get-Content “c:\SMB_computers.txt” foreach ($computer in $computers) {Invoke-Command -ComputerName $computer -ScriptBlock {set-smbserverconfiguration -auditsmb1Access $true -Force}}”

The image below shows an example of these events. You could manually check for these events if you only have a single file server but you will be better off to use a separate application to do this job if you have multiple servers.

Using network traffic analysis to detect SMBv1

A more passive approach to detecting SMBv1 involves the use of network traffic analysis. To get a data source you need to monitor network traffic going to and from any file server or network attached storage device. This is easy to setup as all managed switches have a feature called SPAN ports or port mirroring.

The image below shows a typical setup. A copy of the traffic passing through the core switch is sent to the monitoring port. You need to connect your traffic analysis application\device to this port and it checks the file share traffic for SMBv1 activity.

If you host your file servers on virtual platforms such as VMWare ESX you don’t need the SPAN or mirror port, you can monitor the traffic within the virtual environment by setting up a special virtual port group. We have a couple of videos on this page which describe the setup process.

The image below shows a sample report from our LANGuardian system which can be used to detect SMBv1 activity. It also integrates with Active Directory so you can also see the associated username.

Make sure you look at alternatives before you download VAST or similar log analysis tools. Will it be easier to monitor the traffic than make changes on your servers? Do you have any file sharing devices that don’t have logging capabilities?

Our LANGuardian product is available as a 30 day trial. You can download it from here and it will give you an idea as to the scale of your SMBv1 problem in less than an hour. Make sure you check this out before you download VAST.

Using MSP services? Make sure you have independent monitoring in place

A third party such as a managed services provider (MSP) is most often an information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to its clients either proactively or as the MSP (not the client) determines that services are needed. The main drivers for the adoption of MSPs is the desire to improve operations and cut expenses.

Even years ago before the term MSP was popular, many organizations used external contractors and services to install and configure critical security equipment like firewalls.  Firewalls configurations and rules can be very complex, how do you check them? Make sure they are correct? One option is to look at the traffic and activity inside the firewall.

Recently I worked on an interesting problem with a client who was using a MSP to manage their firewall. They were happy with this arrangement as the MSP did not report any problems and they had nothing independent to highlight any issues.

Case study: Unreported hole in firewall

One thing this client needed outside of the MSP services was a tool to monitor network traffic . They needed a high level view of bandwidth use at their network edge and they contacted us. A trial of our LANGuardian product was deployed, the ability to monitor web traffic and capture associated metadata is one of its many features.

When we started to look at the data captured we noticed something very strange with inbound traffic patterns. We define inbound traffic as a connection were the source IP address is outside the network perimeter (outside the firewall). Over 98% of traffic was associated with LDAP traffic over UDP 389 to one of their domain controllers. Traffic over UDP 389 is typically connection-less LDAP (CLDAP), a variant of LDAP that uses the User Datagram Protocol (UDP) for transport.

Our LANGuardian product has an application recognition engine and so it reported the activity correctly as LDAP. If you are using a tool which uses port numbers (port 80, etc…) to report on activity you may miss things like LDAP.

Drilling down on this traffic we could see connections from China, Russia and many other countries. Our determination was that the domain controller was been used as part of an amplification based DDoS botnet. Infosec attackers are now abusing exposed LDAP servers to amplify DDoS attacks.

We immediately put in a change request to the MSP to block UDP port 389 on the firewall. As you can see from the image below the inbound traffic dropped significantly once the firewall change was implemented.

The big lesson here was the need to have something in place to provide visibility of what was happening on the network. The hole in their firewall was an old NAT rule that was long since outdated. However, their MSP did not pick up on this activity. It needed an independent monitoring tool which could show what was happening on their network.

Finding out what is going in and out of your network with LANGuardian.

LANGuardian comes with a selection of reports which can be customized to filter on certain activity. For this use case we selected the Applications in Use report and we used a specific source and destination IP address filter. You can also use the Report Variables feature to define what subnets are in use inside your network. Follow these steps to get these custom reports setup on your LANGuardian.

1. Create report variables to define what subnets exist on your LAN. If you use private address ranges then you can use the exact same setup as the image below. The only difference between the External and Internal variable is the use of the ! character. This character denotes NOT so any subnet outside of this is not on your LAN.

2. Click on All Reports and select the Applications in Use report. Click the drop down next to Source IP / Subnet on the left and select the External report variable. Click the drop down next to Destination IP / Subnet on the left and select the Internal report variable.

Click on Run Report. You should get an output like the one shown below. In my case I will need to drill down on that SMB activity as I would not expect to see file sharing traffic where the client (source) is outside my network.

3. You can then save this as a custom report by clicking on Actions \ Save As or create a line graph by selecting the Trend Report option.

4. Finally, repeat the steps to show what applications clients are using on the Internet by selecting Internal as a source and External as the destination within the Applications in Use report.

Why do we need to track MAC addresses?

A media access control address (MAC address) of a device is a unique identifier assigned to a network interface controller (NIC) for communications at the data link layer of a network segment. As they are unique, they are used by network devices such as switches to maintain an inventory of what is connected to what switch port.

The concept of a network inventory has been around for a long time, it is one of the fundamentals of networking. Devices cannot exchange data unless they know who to share it with. However, a lot of this inventory information is hidden behind the scenes, buried in MAC tables on switches and distributed across multiple devices.

Many compliance standards such as GDPR now require network managers to maintain a list of what is active on their networks. However, it is good practice to maintain a list of what is connected to your network. If you get hit with something like Ransomware, you will need to act fast and track down what is connected to your network quickly.

Where can you capture MAC address information?

The easiest way to capture MAC addresses is to monitor network traffic via a SPAN, mirror port or TAP. This will give you access to network packets and each packet will contain MAC addresses. You need to be careful about where you capture this information. If you monitor traffic on the wrong side of a routing device like a firewall or network router, you may find that all traffic is associated with the firewall\router MAC address.

An ideal location for capturing MAC addresses is the network core where traffic from clients and servers converges. The image below shows a sample output from our own LANGuardian system which captures metadata like MAC addresses from network traffic.

Server logs and flow data are not good data sources when it comes to capturing data for a MAC address tracker. Logs and flow records focus more on IP addresses which can move from device to device on networks that use DHCP. The image below shows a typical flow record with date, time, IP and port information.

Common use cases for a MAC address tracker

In the past MAC address capturing was typically done using packet analysis tools such as Wireshark. While this is useful for troubleshooting isolated issues, it is not very scalable when it comes to tracking all network device activity.

Recently one of our customers had an issue during a very busy and critical time of the day, the switches were reporting ‘Broadcast storm detected’ and had applied filters as a defense mechanism. This resulted in connectivity issues on their network. As they had an inventory of MAC addresses and associated broadcast traffic, they located the rogue network device quickly. In their case it was a faulty IP phone and normal network operations resumed after it was shutdown.

A use case like the one above shows that the need to track devices on network is important. Common use cases that we come across include:

1. Generating a list of network devices for compliance standards such as GDPR
2. Detect faulty network equipment which may be responsible for broadcast traffic storms
3. Quickly locate problematic devices in the event of a malware outbreak such as Ransomware
4. See the corresponding MAC address associated with copyright violations where clients are using applications like BitTorrent
5. Capture additional metadata for your existing network monitor or SIEM application
6. Track specific application like web traffic by MAC address

The video below shows how you can use a network traffic analysis application to find the host-name or MAC addresses of devices connected to your network.

Most popular LANGuardian reports with links to our demo

Here we have compiled a list of the top 20 LANGuardian based on customer feedback. They are a mix of operational and security reports. If you click on the report name it will link to our online demo and you can check-out the report and output yourself.

1. Traffic & Protocol Analysis : Applications in Use
2. Security : Top Network Events
3. Security : Network Scanners
4. Web : Top Website Domains
5. Windows File Shares : Top File Share Actions
6. Bandwidth : Top Users
7. Encryption Protocols in Use (SSL/TLS)
8. SQL Server : Top MS SQL Statement Type
9. Ethernet : DHCP Lease Assignments
10. Ethernet : Top Broadcasters
11. Services : DNS Servers
12. BitTorrent : Search by Info Hash
13. E-mail : SMTP Emails Sent with Attachments
14. Identity : Directory Logins
15. Traffic Analysis : Countries by Client Location
16. Bandwidth : Inbound TCP Connections
17. Bandwidth : Top AD Departments
18. Ransomware : Top Clients Renaming Files
19. Top Proxy Client IPs
20. Web : Top Website Categories

Detect SMBv1 scanning and active or established connections

Detecting SMBv1 activity is a subject we have covered previously. It has been used as an attack vector for Ransomware and Cryptocurrency Mining. Microsoft has advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. At a minimum, you should make sure that all Windows systems on your network have the MS17-010 patch applied.

One of the easiest ways to detect SMBv1 activity on your network is to monitor network traffic going to and from your file servers. You can do this by setting up a SPAN, mirror port or use a network TAP. This will give you a copy of all activity going to and from the servers.

Once you have your data source which is sometimes referred to as wire data, you can use a network traffic analysis application like our own LANGuardian to extract the file and folder information from the network packets.

SMBv1 scanning vs established connections

There are two types of activity to watch out for when it comes to SMBv1 activity. Clients which are trying to use SMBv1 and clients which are successfully connecting to servers using the SMBv1 protocol. The latter is more serious as you actually have servers on your network supporting and using SMBv1. Microsoft recommends immediately removing this old and vulnerable file sharing protocol from all networks. The recent WannaCry and Petya ransomware attacks for example actually used the same SMBv1 exploit to replicate through networks.

1. SMBv1 connection attempts or SMBv1 scanning. This is where a client sends an SMB request to a server and the version flag is set to v1. The server may or may not accept the connection request.
2. SMBv1 connections. This is where a client and server have established a connection using SMBv1. You need to root out these first. At a minimum make sure the client and server are fully patched.

The video below shows an example of what to look out for once you get network traffic monitoring in place. A trial version of LANGuardian can be used to perform a quick audit if you do not have something in place already.

Video: Detect SMBv1 scanning & established connections

Reporting on traffic between network devices

Recently one of our customers got in contact with this simple query.

“I am looking to find out if it’s possible to get traffic between a certain source IP and destination IP along with the time of the connections.”

They needed a historical report so there was no point in launching a tool like Wireshark as it would not report on the historical activity. As they have LANGuardian installed they have 24/7 visibility throughout their network. By utilizing a SPAN, mirror port or network TAP at strategic locations you can monitor network traffic you can spot abnormal behavioral patterns as they occur. But, critically for this use case, the LANGuardian retains rich network traffic metadata very cost effectively for long periods.

Network traffic reports

The image below shows a sample output from a LANGuardian IP search. Click on the image to access our demo where you can drill down on sample data. The element (1) shows the traffic between a certain source IP and destination IP which is what the customer was looking for. LANGuardian also shows what applications (2) were in use by this network device, suspicious events (3) triggered by the IP. In this case we can see that there was a Malware infection as well as some BitTorrent activity.

Other uses for network traffic analysis

Network traffic analysis was traditionally seen as an operational tool. Something to report bandwidth usage on WAN and Internet links. However, it is an excellent data source for network security use cases including:

• Internal and east-west traffic analysis
• Ransomware detection
• Automated threat hunting
• Passive detection of weak ciphers and vulnerable SSL certificates
• Report on insecure protocol use such as FTP and Telnet
• Root out network devices scanning your internal networks

By monitoring network traffic on your network you can get visibility as to what is happening without the need for agents or log files. Agents can be difficult to deploy and scale and they become one other thing to update and manage. Log files do not always have the answer as they only report about local server issues. Wire data which can be extracted from network traffic, is instant and way more flexible than log data. It can provide high-fidelity user and application evidence to enhance your evolving security operations center (SOC).

Just over 2 weeks ago, we received an inquiry from a large US multinational in the financial sector. They had a very specific requirement, ‘we want to know how much SMBv1 is still in use on our network and start the cleanup’. They had tried just turning it off and waiting for the calls to see who complained but they came and that didn’t work. So basically, they want to get a list of all file share servers accepting SMBV1 connection requests and ‘root it out’.

Makes sense, it is an old vulnerable protocol and recent attacks like Wannacry have demonstrated that it is common sense to ensure it is not in use. It also critical to prep and get as much visibility as possible into the servers still supporting it, and the clients using or depending on it before just disabling it and potentially have a serious impact on the business.

This organisation has a large and complex network, over 50k users and 12 data centres. As they have also acquired several other companies in their space which is not unusual, the network, software and applications are complex and diverse. Making any global change, even a simple upgrade across such a complex network of this size is not a trivial task, and of course, if it is not broken, still supporting the business, why risk it?

We arranged a webex and our demo focussed on this very specific use case. Every device, user and application on the network automatically leaves a trail, a traffic trail. There is no need to turn it ON, to enable logging or install a client. If they are active on the network they leave a trail. LANGuardian ‘sniffs’ this trail, usually via a tap, SPAN or port mirror and using its deep packet inspection engine, extracts application specific metadata for the most critical applications. It also enriches the metadata with usernames extracted using WMI from the logs of the domain controllers. We support a number of ‘critical’ applications, web, SQL, SMTP, BitTorrent, DNS, DHCP and SMB.  With SMB, for example, we extract information such as the client and server IP address, file and folder names and action.

One of the advantages of capturing data ‘off the wire’ is that one has the option or flexibility on selecting the specific details or data to look out for and store and report on demand. The initial SMB client-server negotiation, for example, includes the actual version the client requests and is looking for the server to support and communicate over. So, in the case of SMBV1 the client sends an SMBV1 connection attempt and then if the server supports it, it sends back an SMBV1 connection established. Luckily for us, we supported analysis down to this level, and could instantly show during the demo, all clients on the network initiating a SMBV1 connection request and the servers responding:

Using our report filters to query the database, one can get very specific and list only the servers on any part of the network responding to SMB1 connection requests with success and establishing a SMBV1 connection:

All good so far, this covers the use case required, we have the level of granular detail. The final and most critical step is implementation, critical for such a large network. The system is very easy to use and requires minimum training, so we are good there. LANGuardian can be downloaded and deployed on standard server hardware or VMware. The download and installation, the configuration on the physical or virtual device requires less than 30 minutes, not bad.

The final and crucial step, especially for the network of this size and complexity is sensor placement, how do I see the ‘SMB traffic trail’ or all traffic to and from all file share servers on the network with the minimum number of sensors? Are all the servers in one VLAN and can I just mirror that VLAN for example? Or can I approach it from the client perspective and mirror the point or points in that data centre all clients connect in from? Where are all my file shares? I need to see all traffic to/from all file share servers in order to extract the SMB version information required.

To be investigated….to be continued.

What is Cryptocurrency Mining?

Bitcoin or Cryptocurrency mining is the process by which Cryptocurrency transactions are verified and added to the public ledger, known as the block chain, and also the means through which new bitcoin are released. Anyone with access to the internet and suitable hardware can participate in mining.

The mining process involves compiling recent transactions into blocks and trying to solve a computationally difficult puzzle.  The participant who first solves the puzzle gets to place the next block on the block chain and claim the rewards.  The rewards, which incentivize mining, are both the transaction fees associated with the transactions compiled in the block as well as newly released bitcoin.

Cryptocurrency mining is painstaking, expensive, and only sporadically rewarding. Mining is competitive and today can only be done profitably with the latest ASICs.  When using CPUs, GPUs, or even the older ASICs, the cost of energy consumption is greater than the revenue generated.

Away from using specialized hardware, the most common way to mine cryptocurrency on standard hardware is to install Crypto mining client software and leave it running in the background. Cyber criminals can also use your computer to mine Cryptocurrencies by hosting Cryptocurrency mining hijacker on websites. If you visit the site without adequate virus protection your browser and CPU will be hijacked by the website operators.

Recently a piece of Malware called PowerGhost Malware has been spreading across corporate networks infecting both servers and workstations to illegally mining the crypt-currency and Perform DDoS Attacks.

In this case, attackers using file-less malware techniques to maintain the persistence which is then used to bypass the antivirus detection and leverage the corporate vulnerabilities using known exploits such as Eternalblue.

PowerGhost is unique for two reasons: firstly, it focuses on attacking corporate networks and secondly, it is file-less. This permits the miner to be able to cling to the servers and workstations of victims without being noticed. PowerGhost’s reign of terror has just began, and so far, reports of attacks have been seen Turkey, India, Brazil, and Colombia.

What are the risks associated with Cryptocurrency Mining?

Only those with specialized, high-powered machinery are able to profitably extract bitcoins nowadays. While mining is still technically possible for anyone, those with under-powered setups will find more money is spent on electricity than is generated through mining. If you have clients on your network running crypto mining software then it is costing your business money.

Many cyber criminals now favor anonymous Cryptocurrencies, with Monero being the most prominent. Cryptocurrencies are popular as they are both secure, private and difficult to trace. Servers are often targeted and since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144) which targeted the SMBv1 protocol.

Cryptocurrency mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”

How to detect Cryptocurrency mining activity on your network

When it comes to detecting Cryptocurrency mining, you need to be looking at multiple data sources.

1. Analysis of all DNS client traffic
2. Use IDS (Intrusion detection software) to detect specific text strings\patterns in network packets
3. Monitor all IRC communications on your network

DNS query logs can be very useful when it comes to detecting suspicious activity or for use in follow up forensics. Searching DNS queries for text strings like bitcoin or crypto can be used to identify clients running crypto mining software. You can get DNS query information from DNS server logs or if you monitor network traffic going to and from your DNS servers.

Intrusion detection software typically uses pattern matching techniques to spot suspicious activity on a network. Applications such as Snort can be used to detect Crypto mining activity. You just need to make sure you install a well maintained IDS signature set such as those provided by EmergingThreats.

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in the form of text. Some Crypto miners use IRC but can be detected if they try an use IRC on a nonstandard port, IRC typically uses TCP port 6667.

Using LANGuardian to detect Cryptocurrency mining activity

Our own LANGuardian product uses a combination of network traffic analysis and IDS to provide visibility, context and alerts as to what is happening on a network. The following set of screen shots show how LANGuardian can be used to detect Crypto mining activity on a network. The primary data source would be a SPAN or mirror port which is monitoring all traffic going to or from the Internet. It is also advisable to monitor network traffic going to and from your DNS servers as this can also be used to detect Crypto mining activity. The video below shows how to use LANGuardian to detect Cryptocurrency mining on a network.

The follow image shows the output of a LANGuardian Network Events report which shows Crypto mining activity. The first event is associated with a Windows based (W32) Crypto mining client.  The second event is associated with a client visiting a compromised website that is hosting a Cryptocurrency mining hijacker. The third event in the report is reporting that something is using IRC on a non standard port. This may not be associated with Crypto mining but it is worth investigating.

The next image shows what IP addresses are associated with this activity. LANGuardian also includes an Active Directory module so you can drill-down to see what users are associated with this activity. In this example we can see that the Crypto mining is associated with a single client within the network and it is communicating with external systems hosted in the Netherlands and France.

Next we take a look at the DNS activity associated with this client. If we filter on any domains containing the word coin we find that this client is also looking up numerous Bitcoin related sites. You can configure alerts on LANGuardian if you want to be notified about this activity. Alerts can be delivered as an email or as SYSLOG which can be then used to block the client via a firewall or NAC device.

As I mentioned previously, you need to continuously monitor network traffic to have a reliable way to detect Crypto mining activity on your network. You can quickly get a data source in place by setting up a SPAN or mirror port to get a copy of all network traffic going to or from your Internet gateway. Once this is in place you can extend the monitoring to include traffic associated with your DNS servers. The video below goes through the process of getting network traffic monitoring in place.

How to monitor Internet traffic using a SPAN or mirror port

Telnet. One of the oldest network protocols

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. Telnet was developed in 1969 and it is still widely used today for configuring network devices.

Why worry about Telnet?

Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc…

A recent cyber briefing from the UK based National Cyber Security Centre (NCSC) recommends that you check your network for any devices running unencrypted management protocols such as:

• Telnet
• Hypertext Transport Protocol (HTTP, port 80)
• Simple Network Management Protocol (SNMP, ports 161/162)
• Cisco Smart Install (SMI port 4786)

If these services are in use the NCSC recommends the following:

• Do not allow unencrypted (i.e. plaintext) management protocols (e.g. Telnet) to enter an organisation from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organisation should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
• Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed, and deny all others.
• Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMPv3. Harden the encrypted protocols based on current best security practice. The NCSC and Department of Homeland Security (DHS) strongly advise owners and operators to retire and replace legacy devices that cannot be configured to use SNMP V3.
• Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys.

Using network traffic analysis to detect Telnet activity

As I mentioned previously, Telnet normally runs over TCP port 23. However, you can configure Telnet to run over any port and so you cannot just watch out for network traffic running on TCP port 23. You must be able to monitor all traffic and pick out the Telnet traffic by using some form of application detection.

Wireshark is one of the most popular traffic analysis tools and has the capability to detect Telnet traffic as it has access to packet payloads which can be used for application identification. Flow based tools (NetFlow, SFlow) are not suitable for detecting Telnet activity as they are not application aware. Wireshark is fine for low network traffic volumes or if you have a PCAP file that you want to analyze.

If you want to get continous monitoring in place then you need to look at setting up a data source such as a SPAN, mirror port or network TAP. Once you have a data source then you need a commercial network traffic analysis system in place like our own LANGuardian. It has an application recognition engine which can report on any Telnet activity no matter what port it is running over.

Using LANGuardian to detect Telnet activity on your network

LANGuardian uses Content-Based Application Recognition (CBAR) to identify what applications are running on your network. With support for hundreds of the most common applications and protocols, and a unique deep packet inspection algorithm, CBAR delivers greater accuracy and fewer false positives than other approaches to application recognition.

A sample output of this Applications in Use report is shown below. Here we can see that some Telnet activity has been detected.

Drilling down on this Telnet traffic then reveals that Telnet services are active on two seperate ports on a single server as you can see in the image below. LANGuardian can also alert you if a new server port becomes active which is useful for watching out for new activations of Telnet services on your network.

You can download a 30 day trial of LANGuardian from here and use it to detect any device running Telnet services on your network. You do not need any logs or client software. Just setup a SPAN or mirror port and you can passively monitor activity at your network edge and east west traffic moving within your network.

Weak SSL/TLS encryption. Why worry?

A Google search for “GDPR countdown clock” yielded 18,900 results for me this morning so probably the last thing we need to consider is another countdown clock, but here is one for PCI compliance anyway.

The clock highlights 30 June 2018,  an important deadline for online security and network Administrators; a date from which older versions of TLS and all SSL should be confined to history for PCI compliant networks. From 30 June 2018, to be compliant with PCI DSS 3.2, SSL and “early versions” of TLS protocol should be eliminated from use (with some exceptions for POS terminals). This is because PCI requires the use of “strong encryption” and known weakness in all SSL, some TLS versions and some cipher suites mean they fail the ‘strong encryption’ standard.

“Early TLS” is defined as anything before TLS 1.1; however TLS 1.1 is also vulnerable as it allows use of bad ciphers; so TLS 1.2 is a better choice. Along with this version change, the ciphers that are used by SSL/TLS need to be carefully managed too. The ciphers and the SSL/TLS protocol versions are separate, but not completely independent of each other.

Even if you don’t care about PCI compliance, this is important for all networks running SSL/TLS; that includes your own networks, partner or client networks, that interact with your infrastructure. GDPR regulations (article 31) require use of “state of the art” technical and organisational measures to ensure security. While the GDPR language lacks specifics, we can look to PCI 3.2 and NIST guidelines (800-52 Rev 1) which strongly recommend use of TLS1.2 only, to know that SSL, TLS1.0 and TLS1.1 are not state of the art, and so fail the GDPR test. The NIST draft for 800-52 Rev 2 explicitly prohibits use of TLS 1.1.

What’s the problem, SSL provides encryption doesn’t it?

Since the mid 1990’s, SSL/TLS encryption has underpinned much of online security and is the defacto choice for encrypting our web based online shopping and payment transactions. SSL/TLS keeps our transactions private and unaltered. However, researchers and attackers have identified and published weaknesses in the aging versions of the protocols, from SSL2.0, SSL3.0, TLS1.0 and TLS1.1. and in the ciphers that they use. There are three sources of weakness here to be aware of:

1. Some weaknesses are in the protocol implementation itself, for example Heartbleed exploited a read buffer overflow in OpenSSL’s implementation of in the heartbeat extension. This allowed attacking clients to read private key information from the server.
2. Other weaknesses are in the ciphers supported SSL/TLS. For example, increased computation along with the increased volumes of data being transferred, mean that 3DES cipher can be compromised in about 1 hour, using the Sweet 32 attacks. RC4 can also be compromised by brute force attacks. These weaker ciphers are supported by all versions of SSL/TLS up to version 1.2. However, newer. stronger ciphers such as AES are only supported by newer versions of SSL/TLS. So, use new version of TLS to enable use of stronger ciphers.
3. Weakness in the protocol itself

Even if properly implemented, according to the spec, with good ciphers, TLS1.1 is still vulnerable. The PRF (pseudorandom function) is based on broken cryptographic hashes MD5 or SHA1 and its use of ciphers in CBC mode is insecure.

There are no available fixes for these weakness, so the only avenue to remain secure is to use the newer more robust versions.

TLS1.3, the newest, most secure version of TLS resolves the known weakness with the protocol, prohibits use of weak ciphers and has a much shorter setup time. TLS1.3 was in draft form when PCI 3.2 was adopted, so it isn’t mentioned in the PCI 3.2 document (TLS1.3 was formally adopted in March 2018. Mandating use of TLS1.3 at this stage could lead to interoperability problems).

Using Network Monitoring for SSL/TLS analysis

There are various techniques for identifying the SSL/TLS versions and ciphers that servers will support, such as nmap or just running Openssl from the command line. However, this requires that periodic checks are carried, the full inventory is always known, and you have access to scan the network. The PCI Security Standards Council emphasise the important of ensuring adherence to standards at all times and not just once per year to close audit requirements!

Continuous adherence is just good business and security practice and essentially points to continuous monitoring, rather than scheduled pen testing efforts. If you monitor network traffic within your network and perform packet analysis at session startup time, it’s possible to view the SSl/TLS versions and cipher used, as well as the certificates used on encrypted protocols (excluding TLS 1.3) .

You can do this without any access to the servers (i.e you can do it from the client or partner network) and without terminating any of the SSL/TLS sessions (i.e you don’t have to use man in the middle devices). This is possible as the opening salvos in SSL/TLS session establishment happen in the clear. The protocol negotiation, cipher choice and certificate exchange are all readable. Add to this the Server Name Indication (SNI) extension and a packet monitoring application can extract a lot of useful information about the nature of encrypted sessions on the network.

LANGuardian 14.4.1 includes features that are useful for monitoring the status of SSL/TLS on your network.

NetFort LANGuardian is deep-packet inspection software that monitors network and user activity passively via a SPAN\Mirror port or TAP. Here are a couple of use cases which cover how it can be used to detect the use of weak SSL/TLS encryption on your network.

The first is an inventory of SSL/TLS servers. Built from passive traffic analysis, this shows every SSL/TLS server, that has generated traffic on the network. The server can be internal or external (e.g a HTTPS website). The inventory report for each server shows some details of the server certificate, with expiry date and signature algorithm. It also shows the SSL/TLS protocol versions that the server has used to communicate with clients. Issues are highlighted in red, such as expired certificates or weak certificate signature algorithms, such as SHA1. A set of filters help identify conditions, such as use of SHA1 and help identify servers that need configuration or updates.

Filters for reporting on SSL/TLS Sever Inventory

Report on a single SSL server, showing expired certificate, weak protocol used, weak SHA1 algorithm

The other feature is a report on all the SSL/TLS sessions that have occurred on the network. This report (and its drilldowns), identifies all clients and servers that use SSL/TLS encryption, identifying the version of SSL/TLS used and the cipher that is used. Filters can be used to focus on versions of SSL/TLS, identify where SSL3.0 is used for example, or identify where any communication occurs that does not use TLS1.2.

Report showing use of weak SSL/TLS versions

Report drilldown showing cipher used by weak SSL3.0 session

A filter is also provided for the ciphers that are used. Ciphers suites have a specific naming scheme, which identity various attributes of the cipher used, viz:

TLS_KeyExchangeAlg_WITH_EncryptionAlg_MessageAuthenticationAlg.

For example, the cipher TLS_RSA_WITH_AES_128_CBC_SHA

is for use with TLS, using RSA for key exchange, AES 128 bit encryption, with SHA digests.

Report showing use of 3DES cipher

Filter support for SSL/TLS Versions and Ciphers

The list of supported ciphers for various versions of SSL/TLS is extensive (many hundreds) and there’s a balance between security and interoperability to consider when choosing which ciphers should be supported. Recommendations generally are to avoid RC4 and 3DES.

Continuous Network Monitoring is a useful tool for ensuring your network is operating to whatever standards or compliance regulations the you are required to adhere. Without using man in the middle decryption devices, it is possible to learn about the activity on your network.

Video Guide: How to detect weak SSL/TLS encryption on your network

Here are some links for further reading.

https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

https://tools.ietf.org/html/rfc7540#appendix-A

You can download a 30 day trial of LANGuardian from here and use it to detect the use of weak SSL/TLS encryption on your network. You do not need any logs or client software. Just setup a SPAN or mirror port and you can passively monitor activity at your network edge and horizontal traffic moving within your network.

LANGuardian 14.4.1

NetFort are delighted to announce the availability of the latest major LANGuardian release, V14.4.1. This release introduces some changes and new features to help with compliance monitoring, including a new compliance section presents reports for monitoring technical security compliance with CIS CSC 20 and GDPR. Highlights of this release include:

• SMB fileshare alerts on failed attempts to map network shares, create or read files and folders.
• Encrypted sessions analysis of SSL/TLS/QUIC versions and ciphers used
• Detect new server ports in use on your network
• New Applications in use black/whitelist.
• Allign report names more with compliance standards.

SMB fileshare alerts on failed attempts to map network shares, create or read files and folders

For some time now we have included a file activity monitoring feature in our LANGuardian product. It passively generates an audit trail of file and folder activity using network traffic as a data source. LANGuardian 14.4.1 extends this monitoring to now include the capture of failed access attempts. Many compliance standards require this so that you can detect anomalous activity where a user or device is attempting to access sensitive data.

You can read more about this feature in this blog post which looks at why is it important to monitor for failed access attempts. The screen shot below shows an example of the report output.

Encrypted sessions analysis of SSL/TLS/QUIC versions and ciphers used.

Since the mid 1990’s, SSL/TLS encryption has underpinned much of online security and is the defacto choice for encrypting our web based online shopping and payment transactions. SSL/TLS keeps our transactions private and unaltered. However, researchers and attackers have identified and published weaknesses in the aging versions of the protocols, from SSL2.0, SSL3.0, TLS1.0 and TLS1.1. and in the ciphers that they use.

LANGuardian 14.4.1 includes features that are useful for monitoring the status of SSL/TLS on your network. They include:

• Inventory of SSL/TLS servers
• Report on all the SSL/TLS sessions that have occurred on the network
• A filter is also provided for the ciphers that are used

Learn more in this blog post which looks at how to detect weak SSL/TLS encryption on your network. The sample report below shows how LANGuardian can be used to show use of weak SSL/TLS versions.

Detect new server ports in use on your network

Opening new ports on a server increases that servers attack surface. Keeping the attack surface as small as possible is a basic security measure. New ports become active if you install new software or if you enable a new service on the server. For important servers on your network you should have an inventory of what applications or services are running so that changes can be detected.

If compliance standards such as GDPR are a concern then server monitoring is not just a nice to have, it becomes mandatory. You must maintain an inventory of who is connecting to what if you store sensitive or personal data. LANGuardian 14.4.1 now logs certain information when a port becomes active on a server for the first time. Read more in this blog post which looks at how to detect new server ports in use on your network using LANGuardian. The screen shot below shows an example of the report output.

Applications in use. Build white or black lists

LANGuardian uses an advanced application recognition engine to report on network activity. Instead of matching up port numbers with application names, it analyzes packet payloads to work out what applications are in use. LANGuardian 14.4.1 now includes new report filters which allow you to build lists of white or blacklists. You can then use these lists to detect new applications in critical areas such as your server VLAN.

You can access these new filters in the Applications in Use report. Click on the Protocol dropdown to start to build application lists.

Align report names more with compliance standards.

LANGuardian 14.4.1 includes a new compliance section which groups reports for monitoring technical security compliance with CIS CSC 20 and GDPR standards. Many reports have been renamed so that they are more aligned with compliance standards. For example Top DNS Servers was renamed to DNS Servers. A full list of reports which were renamed can be found within the 14.4.1 release notes.

Video Guide: LANGuardian 14.4.1

Why is it important to monitor for failed access attempts?

For some time now we have included a file activity monitoring feature in our LANGuardian product. It passively generates an audit trail of file and folder activity using network traffic as a data source. All you need to do is monitor network traffic going to and from your file servers and you can easily see who is doing what with your files and folders. The image below shows an output of a sample report.

With the release of LANGuardian 14.4.1 we can now report on successful and failed access attempts to network file shares. The failed access attempts can be viewed in report format or they can also trigger alerts via email or SYSLOG.

For many compliance standards such as GDPR and CIS CSC 20 you also need to monitor for failed access attempts.  This is useful for generating alerts on anomalous activity where a user or device is attempting to access sensitive data. When it comes to GDPR and failed access attempts, this is what you need to focus on and how LANGuardian can help:

A closer look at the LANGuardian failed access reports

The image below shows a sample output. Here can see some failed file open attempts originating from client 192.168.127.237. Drilling down further will show the date and time that this event was triggered and you can also get associated usernames if you have configured the Active Directory integration.

Video Guide: Generating an Audit Trail of Failed Access Attempts to Files or Folders

You can download a 30 day trial of LANGuardian from here and use it to monitor, track file and folder activity on your network. You do not need any logs or client software. Just setup a SPAN or mirror port and you can passively monitor activity to and from your file servers.

What is a server?

In client-server processes that use Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol (UDP), the client initiates communication with a server through one of the many well-known ports. In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for physical devices, in software it is a logical construct that identifies a specific process or a type of network service. For example, HTTP traffic typically uses TCP port 80.

What makes a server is that it is the one that accepts a connection from a client. Typically, this port is left open or running so that clients can connect at any time. It is good security policy to restrict the number of ports which are open on a server. Each open port is a way to gain access to that server. In recent times several Ransomware variants spread around networks by exploiting a vulnerability in SMBv1. Infected clients searched for any host with TCP port 445 active and then tried to communicate using the SMBv1 protocol. The image below shows the handshake that makes up a TCP connection request.

Why worry about new server ports?

As I mentioned previously, opening new ports on a server increases that servers attack surface. Keeping the attack surface as small as possible is a basic security measure. New ports become active if you install new software or if you enable a new service on the server. Enabling something such as RDP (remote desktop protocol) can compromise the entire server and provides a way for data to be transferred off.

For important servers on your network you should have an inventory of what applications or services are running so that changes can be detected. You can do this by constantly polling the server on every port number or monitor network traffic going to and from the server. The polling method can be problematic as you will need to constantly bombard the server with connection requests and you may miss something if the application or service was only active for a short time.

If compliance standards such as GDPR are a concern then server monitoring is not just a nice to have, it becomes mandatory. You must maintain an inventory of who is connecting to what if you store sensitive or personal data.

Detecting new server ports by monitoring network traffic

If you monitor network traffic going to and from your important servers you can build up an inventory of what ports are open without the need to interact with the servers. One way to do this is to use a SPAN or mirror port to get a copy of the network traffic going to and from your servers. You would then need a network traffic analysis tool such as LANGuardian to process this data and extract the relevant metadata from the network packets. The image below shows an example of what would be required. The four servers can be monitored via a single SPAN or mirror port.

Detecting new server ports with LANGuardian

Once you have your SPAN or mirror port in place and you have a LANGuardian installed monitoring the network traffic you can start to build up an inventory of new server ports. Type “server ports” into the search field at the top of the LANGuardian web interface and select “Network Events (New Server Ports)“. Pick a date range and then see if any new server ports became active during the selected time period. The image below shows a sample of the report output.

The report contains a number of fields

1. Sensor: LANGuardian can process traffic from multiple network points via remote sensors. The sensor field shows which sensor detected activity on the new server port.
2. Server address: The network device which is accepting client requests.
3. Port: Which port the server is listening on. Some ports will be labelled.
4. When detected: The date and time when communication was first detected.
5. Server reply: This is section of the servers reply to a client. In some cases it is human readable in others it is just a binary string of random characters.

The video below shows an example of this report in action.

It is back to work and school this week, following the most severe blizzard in years to hit Ireland, storm Emma (Emma, who decides the name?). The country was under the highest weather warning, a red alert, as the worst snow in 35 years swept north across the island. All shops were closed because of the weather and because they had no fresh meat, bread or milk left!  There seemed to be more talk regarding the lack of bread on shelves than the weather which is really unusual for the Irish. I saw some students walking home from the stores with cases of beer, pizza, beer, movies, no mortgage to pay, no worries, happy days, good for them!

Anyway, this storm has reminded me of another one that is on the way, and will also have a severe impact, the ‘GDPR’ storm.  GDPR is a hot topic for many people and organizations all over the world at the moment, not just across the EU but for also for ‘non-EU’ companies, even if they are not based in the EU. It is such an important market and as a result, they have EU ‘data’ and they are impacted.

It is such an important market and as a result, many organizations have EU ‘data’ and they are impacted. The port in this storm for many companies may be the CIS CSC 20.

Obviously, there is also a lot of hype and companies jumping on the bandwagon. Some of our customers have mentioned that they are sick of receiving sales calls from vendors, consultants, etc at this stage on the subject.

We in NetFort have been contacted by our customers, mostly our Irish and UK ones to date, asking us how we can help. ‘We have already purchased a LANGuardian, have been a good customer for years, we want to buy as few tools as possible, how can you help?’ Makes sense, most companies already have too many point security solutions and are trying to consolidate, NOT buy more.

We have also secured some new EU customers in central Europe. One for example, when asked why they purchased, came back with the following interesting information:

“On our side, our GDPR” requirements are (so far):

• Who is doing what on any shared file?
• Who is sending or receiving a file on the Internet?
• What is done on a database (SQL query is fine)?
• What rights are given to some user?
• What Admin are doing (reading CEO files or mail for example)?
• What email is sent, to whom, with an attachment- for SMTP’
• Some kind of IDS (have we been attacked) from either the internal network and the outside’

The image below shows a section from our CIS CSC 20 reports which we built using customer feedback like that shown above.

So we have taken the approach of firstly trying to work with and help our current customers and taking it from there.

Our LANGuardian  analyses raw network traffic or wire data, extracts application specific metadata and integrates with Active Directory to enrich the traffic metadata and add usernames. It enables visibility, drill down, context into both Internet and internal network user and device activity including shared Data (file shares and SQL databases)  Inventory, Users, and Applications.  The LANGuardian is ideal for continuous monitoring, troubleshooting, forensics and as result an ideal data source or tool to help demonstrate visibility, control, and compliance. It retains an audit trail of network activity very cost effectively for long periods but we needed to convince ourselves first of the compliance and GDPR usefulness, then discuss it with our customers and get their reaction.

Our or my first piece of learning was that GDPR is very vague, time-consuming and difficult to read and understand. I’m an engineer, I want hard facts, the detail I can read and believe in. I understand GDPR is still in its infancy but at the moment it is almost so vague it is frightening a lot of organizations and as a result, they are waiting to see what will happen. Risky approach.

From a security perspective, Article 32 specifically compels companies to look at existing best practices. For example, The UK’s National Cyber Security Centre “10 Steps to Cyber Security’ or ISO 27001 or the CIS CSC 20 Security Controls.  In our opinion, one very practical and detailed option is the CIS Critical Security Controls, originally the SANS Top 20.  Lot of good information here: https://www.cisecurity.org/controls/

So we have studied them and tried to understand the detail. There is a lot of good practical information, readable which is critical but also realistic. GDPR aside, organizations should use these or an equivalent as guidelines, a good checklist. Recently I have met a number of our customers face to face and made a presentation on the CIS CSC 20 and how they can help. I wasn’t trying to sell to them, they are already customers. Just trying to have a discussion and get their reaction.

I was surprised to discover that about 50% of them to date had been studying the CIS CSC 20 and the current goal was to target the top 5 and be able to demonstrate compliance with these by May:

1. CSC 1, Inventory of Authorized and Unauthorized Devices
2. CSC 2, Inventory of Authorized and Unauthorized Software
3. CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. CSC 4, Continuous Vulnerability Assessment and Remediation
5. CSC 5, Controlled Use of Administrative Privileges

Seems like a good approach to us, take it step by step, be realistic. Be able to demonstrate that you are trying, taking it seriously, doing your best to be compliant. The goal is not just a checklist, it is to improve security and AVOID a breach. Everybody wins.

So now we ARE on a mission, on the CIS CSC 20 bandwagon because they are a very good practical set of security guidelines and realistic for organizations of all sizes.  We are trying to leverage them and show how our LANGuardian internal visibility and continuous monitoring of network and user activity can try and help our customers.

We now have a GDPR and CIS CSC 20 tab on our LANGuardian system, access it directly here.

Stay tuned to this blog for more and more practical information and learnings.

John Brosnan

CEO, NetFort

HTTP Background

Designed in the early 1990s, HTTP is an application layer protocol that is sent over TCP, though any reliable transport protocol could theoretically be used. Typically it uses TCP port 80 but this can be changed. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.

Google are promoting a move away from HTTP

For the past several years, Google have moved towards a more secure web by strongly advocating that sites adopt HTTPS encryption. It started back in 2014 when they announced that they were using HTTPS as a ranking signal. If you moved your site away from HTTP and onto HTTPS you would receive a tiny boost in the Google search rankings.

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. If you host your own web servers it could mean that users will be less likely to interact with them if their browsers are marking them as insecure. Now is the time to move your websites from HTTP to HTTPS.

Generating an inventory of HTTP servers using network traffic analysis.

HTTP servers normally run over TCP port 80.However, you can configure HTTP servers to run over any port so generating a list of web servers running over TCP port 80 may not result in the complete list. Another method to detect webservers would be to use a network scanning too that would check for anything listening on port 80 or other ports.

One thing to watch with the scanning approach is to make sure all servers are powered up when you run the network scan. Another issue with this approach is that you won’t be able to find out if users from outside your network are accessing these servers, you will just know that they are active.

Our recommended appoach is to monitor network traffic going to and from your web servers. You can do this by setting up a SPAN\Mirror port or by using a TAP device. If you are only concerned about users outside of your network, you just need to monitor your Internet gateway points. The video below goes through the process of getting network monitoring in place at your network edge.

Once you have a data source in place (SPAN\Mirror\TAP) you can then check for web server activity by searching for specific metadata such as a HTTP GET. For small networks you can manually do this using tools like Wireshark. For larger networks you can automate this with an application such as our own LANGuardian. It has built in web traffic decoders which can automatically build a HTTP server inventory 24/7.

Using LANGuardian to passively detect HTTP servers on your network

LANGuardian comes with an application recognition engine which can report on what applications are in use on your network. If you combine these reports with filters you can quickly find out what web servers are on your network and also which are being accessed by clients and their countries outside your network.

The image below shows an example of the output. Here we can see that we had 6 HTTP servers active on our network for the past 1 hour sample time period. Also worth noting is that some of these web servers are running on non standard ports; 8080 and 5357.

If you have a LANGuardian on your network you need to select the “Top Website Domains” report and use these filters

1. Source = External
2. Destination = Internal
3. Protocol = HTTP

Click on the image above to access this report directly on our live demo system and drill down.

Ransomware Cryptocurrency Link

During 2017 we saw advances in security tools which have meant IT and network security managers have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files) and Ransomware detection tools has really helped to reduce the Ransomware problem.

Bitcoin is frequently associated with Ransomware as it is a popular payment type demanded by ransomware authors. There are many types of crypto currency available today which you can acquire with money or goods or you can mine them using one or more computers.

The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.

One of the new trends with Malware is the move away from data encryption to a more stealthy bitcoin mining strategy. Bitcoin mining can happen in the background. No need for any splash screens or data destruction.

Crypto Mining Malware & Association With SMBv1

Many attackers now favor anonymous cryptocurrencies, with Monero being the most prominent. Crypto currencies are popular as they are both secure, private and difficult to trace. Servers are often targeted and since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144) which targeted the SMBv1 protocol.

Crypto mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”

How to Detect SMBv1 Use on Your Network

As I mentioned earlier, the ExternalBlue exploit is being used by a lot of attackers to install Ransomware or Crypto Miners on victims PC’s. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server

Because of this, you need to make sure you detect SMBv1 use on your network and switch off the protocol on any systems which has it enabled. SMBv1 has been superceeded by SMBv2 and SMBv3 which are far more efficient and secure.

However, sometimes reality is more difficult than the theory. I met with some of our LANGuardian customers this week. They said that when they disabled SMBv1 on some servers they had issues with a loss in connectivity to some printers. I also had issues in my home lab where certain Android devices lost connectivity to a NAS system when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1 but that will increase the attack vector of your network.

Using LANGuardian to Detect SMBv1 Use

The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMB1 clients and servers on your network. Make sure you can detect this activity by monitoring communication between clients and servers or check each network device to see if SMBv1 is enabled.

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul ­Mockapetris, then at the University of Southern California, in the days of ­ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a very secure protocol and it is popular target for attackers. There are two ways DNS can be hacked: by using protocol attacks (attacks based on how DNS is actually working) or by using server attacks (attacks based on the bugs or flaws of the programs or machines running DNS services).

One of the more recent protocol attacks was the DNSChanger malware. It typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information. There is also a similar variant targeting Apple Mac computers dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable.

In both of these cases the attackers change your DNS server from 8.8.8.8 (Google) for example to one of their own DNS servers. Most of your DNS queries will be handled correctly and you will get correct IP addresses. However, for certain site like banking the attackers will direct you to a mocked up website which looks like a valid banking one. You logon details are captured once you start to interact with the site and these are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and an number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian can build up an inventory of all DNS servers and client queries to them.

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try an access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

• 192.168.127.22 (hosted internally on network)
• 8.8.8.8 (google1)
• 8.8.4.4 (google2)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.

Once the rule is saved it will look like this on the LANGuardian alerts list.

Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata like source and destination IP addresses, country where DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

These alerts can also be exported as SYSLOG so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers and all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up on devices using external DNS servers so it is really easy to monitor network traffic on your network. Most managed switches support SPAN or mirror ports. If you have a switch that does not have any traffic monitoring options there are many alternatives for SPAN ports. The video below shows the steps needed to monitor Internet traffic and you should extend this to also monitor local DNS servers.

LANGuardian 14.4

NetFort are delighted to announce the availability of the latest major LANGuardian release, V14.4. It includes a number of major enhancements including GeoIP traffic reporting, improvements to the alerting engine and the ability to capture network traffic and generate a PCAP via any LANGuardian sensor on the network.

The main themes of this release are to improve traffic analysis, better alerting and to enhance the product so that it is better able to address compliance standards such as a CSC and GDPR. LANGuardian 14.4 includes:

• New GeoIP filtering and displays.
• New MetaData alerting GUI and rules support.
• New user credentials from SMB sessions.
• New Windows Services (DCERPC) decoder.
• New full packet capture mechanism to save PCAPs from any LANGuardian sensor.
• Improved accuracy of Google QUIC fingerprinting.
• New PDF format option for scheduled reports.

New GeoIP filtering and displays

GeoIP is a feature where IP addresses are automatically matched with the country where they are registered. This is very useful if you want to track which countries are connecting to your network or what countries clients on your network are connecting to. Use this for improving your network security or to meet data export compliance regulations, such as GDPR.

We have included two new reports which can be found under the Traffic Analysis report category.

• Top Countries by Client Location. This report shows the total bandwidth, displayed by the country location of the client.
• Top Countries by Server Location. This report shows the total bandwidth, displayed by the country location of the server.

The image below shows an example of the report output.

New MetaData alerting GUI and rules support

We regularly host customer days where users of our products can review our roadmap or try out beta versions of our software. One of the most common recent requests was a need for better alerting. Customers want an easy way to configure alerts so that they are automatically notified of security or operational events that matter to them.

LANGuardian 14.4 has an updated metaData alerting GUI and rules support, to alert on a wide range of conditions and events that LANGuardian monitors for, such as authorized applications, unknown DNS servers, inter-subnet access attempts and much more. Use this to implement network usage policy alerting for security and compliance. This is a upgrade on the previous version and further enhancements are planned in the next LANGuardian version.

The image below shows an example of how an alert is configured. This alert will trigger if any user deletes a file called budget2018.xlsx off the network.

New user credentials from SMB sessions

One of the unique selling points of LANGuardian is its ability to associate network activity with actual usernames. It does this by working out what users are assigned what IP addresses on the network. However, it is possible to logon to the network with one username and then use another username to connect to a Windows file share.

LANGuardian 14.4 can now passively capture what usernames and being used to connect to Windows files shares. This is very useful for reporting on what users are connecting to file shares using administrator accounts. It is also very useful when it comes to compliance standards such as GDPR where you may have to identify sharing of credentials to comply with Identity and Access Management (IAM).

The following image shows an example of domain user association with network file share activity. The user logged onto the workstation that accessed the Profit & Loss file was darragh.delaney

The next image shows an example of the new passive username capture from SMB sessions. The actual user that was used to connect to the file server was darragh.

Windows Services (DCERPC) decoder

New New DCE/RPC, short for “Distributed Computing Environment / Remote Procedure Calls”, is the remote procedure call system developed for the Distributed Computing Environment (DCE). This system allows programmers to write distributed software as if it were all working on the same computer, without having to worry about the underlying network code.

A lot of Windows applications use DCERPC to communicate between clients and servers. Examples of this would be network based printing or some Microsoft Exchange services. Previous versions of LANGuardian were able to detect DCERPC but could not drilldown to see what applications were in use. LANGuardian 14.4 now includes a DCERPC decoder so you can drilldown and see what applications are in use.

The screenshot below shows an example of the drilldown. Here we can see how DCERPC is being used mostly for printing and Exchange on my network.

New full packet capture mechanism

We introduced a full packet capture feature in LANGuardian last year. Customers wanted the ability to capture unprocessed network traffic so that they could take a look at it outside of LANGuardian. The first version only allowed you to take packet captures off local network interface cards.

LANGuardian 14.4 now allows you to save PCAPs from any LANGuardian sensor on your network from a centralized GUI. Leverage your LANGuardian installation to get complete coverage for troubleshooting or forensics. The image below shows the packet capture option in use. Clicking on the network interface dropdown now allows you to select any sensor.

Improved accuracy of Google QUIC fingerprinting

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol.

LANGuardian 14.4 includes improved detection capabilities for this protocol. The screenshot below shows a typical drilldown. Majority of traffic will be associated with YouTube but you will see QUIC associated with other Google services.

New PDF format option for scheduled reports

Automated email reports are popular with our customers. Many will choose to get reports like Top Network Events, Top Users or Top Applications delivered to their mailboxes every day. For some time these reports were delivered in HTML format. LANGuardian 14.4 now includes a new option where you can get your reports delivered as PDF attachments.

Video: A quick tour of the new features in LANGuardian 14.4

You can download a 30 day trial of LANGuardian from here.

New Devices = New Year Challenges

As 2017 draws to a close I would like to take this opportunity to wish all my business and Infosec contacts a Happy Christmas and best wishes for the new year. It is also the season for exchanging gifts and the top of many peoples list is a new phone, tablet or some other IoT gadget. It is amazing what you can get for so little now. I just watched a video about an Android powered smartwatch that comes with a SIM slot, camera, touchscreen, access to Play Store plus many other features and you get all this for $12.

The challenge that these devices brings is that they may end up on corporate networks. No big deal you may say but all it takes is for one compromised system to bring down your network with a malware infection. The portability is the problem, users walk past your firewall with their shiny new device and suddenly you have a problem inside your network.

Another issue is the potential bandwith grab that new devices bring. Many will need updates and as soon as they get on a network with lots of bandwidth they start downloading updates. Some of these can be over 2GB in size which can swamp WAN or Internet connections.

How can you detect new devices on your network?

One of the best ways to detect new devices on your network is to monitor network traffic going to and from a number of key points including:

1. Internet gateway
2. Internal interfaces of proxy servers
3. DHCP queries
4. DNS queries
5. Network interfaces going to WAN routers

One of the easiest ways to monitor network traffic is to use a SPAN, mirror port or TAP. These allow you to get a full copy of network traffic as it passes through a switch. The main thing to remember is that you don’t need to monitor every port on your network, just focus on the ones I have listed above.

Once you have a traffic source in place you then need to extract certain information from the network packets which will allow you to report on new network devices. For the purposes of this blog I am going to use our own LANGuardian system and it can extract device metadata from the packets. The video below details the steps neccessary to monitor Internet traffic and you can extend this to include other network points.

Monitoring Internet Traffic. Proxy & Direct

One of the richest sources of data when it comes to monitoring new devices is Internet traffic. Most wired and wireless devices try an access external services to download updates or to send and receive data to cloud services. Buried within this data will be certain pieces of metadata which can reveal what devices are on your network.

The image below shows an example of metadata captured from Internet traffic which is then used to build up an inventory of what devices are connecting to your network.

Monitoring DHCP Requests

New devices connecting to your network will normally send out a DHCP request so that it can get an IP address which it then uses to communicate. If you monitor these DHCP requests you can start to build up an inventory of what devices are connecting to your network. The screen shot below shows an example of what you should be capturing. Here you can see the device MAC addresses with associated hostname and IP address. An alert can be triggered on LANGuardian if the MAC address is new so you know when a new device connects to your network.

Monitoring DNS Queries

Once you start to build an inventory of what is connecting to your network, you should also try and capture some associated data. A good example would be to capture all DNS queries that devices on your network are sending. These queries can reveal a lot about what the devices are doing and what sort of applications they are running. In the example below we can see that there is a device active on our network and it is running cloud apps like WhatsApp and GMail and it is running the Township game.

Monitoring network interfaces going to WAN routers

As I mentioned previously, wireless\IoT devices can consume large volumes of bandwidth. Businesses can be impacted if users in remote sites start complaining that the “network is slow” and all it takes is for one device update to swamp a link. Make sure you are monitoring what applications are using your bandwidth.

An easy way to do this is to monitor the network interfaces on your WAN routers with a product like LANGuardian. It can also associated network activity with usernames so you know who is doing what on your network. A sample of this username integration is shown in the image below.

Why worry about VPN clients?

VPNs have been around for a long time. A VPN extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

If you use public WiFi networks such as those found in airports and cafes then it is recommended that you use a VPN service. A VPN will ensure that all of your communication is encrypted.

Common uses for VPN clients

Good

1. Site to site connectivity where a branch office can connect to HQ via the Internet
2. Allows remote workers to connect to HQ
3. Encrypts your data when you are on a public WiFi network

Bad

1. Bypass web filters (some may not see this as bad)
2. Allows you to run applications which are blocked
3. Create a hole in a Firewall which may become the source of a Malware infection
4. Can be used for data exfiltration

How to detect VPN clients on your network

VPN clients can be difficult to detect as they typically use a port such as 443 over UDP or TCP which is normally open on a firewall. However, there are a number of things to watch out for. First we need to understand how the most common VPN clients work.

Most VPN clients come as a software pack which include the actual VPN software and a database of VPN servers. The idea is that everything you need is included when you install so you don’t need to access a specifc website to connect to anything. If you did it would be easy to block access to these websites. This makes it hard to detect VPN clients if you are looking at reports from something like a web filter.

Once you select a VPN server, an encrypted connection is created between your client and the VPN server. All of your Internet bound activity is then routed through this VPN connection. If you want to browse a website for example, the VPN server connects to the website and sends the text\images\media back to you via your encrypted connection. This is what makes them secure, someone ‘sniffing’ your local traffic can’t see what you are accessing.

In summary, a VPN client makes a direct connection to a VPN server and this server then does the job of accessing what service\application your requested. This differs from users connecting to websites or applications directly. For example I may go and visit YouTube using a web browser. When I type in YouTube.com my computer will go and resolve this name to an IP address using DNS. Computers use IP addresses to connect, not human readable names.

What you need to watch out for is any sessions to external IP addresses which have no hostnames associated with the server. If the connection is over TCP or UDP port 443 then you are probably looking at VPN client activity. The image below shows an example of what to watch out for if you want to detect VPN clients. The first client listed is connecting directly to an IP address as no hostname is shown. The other connections are to Googlevideo which are part of the YouTube service.

Check out the video below to learn more about how you can use our LANGuardian product to detect VPN clients.

Along comes another one. Scarab Ransomware

Scarab Ransomware is just another in a series of Ransomware variants that appeared in 2017. It falls into the crypto Ransomware category which typically go after user data on hard drives and network shares and encrypts it. Scarab Ransomware has the typical three stage infection process:

1. Get a user to click on a link or open an attachment infected with Malware
2. Connect to external websites to download the actual Ransomware
3. Encrypt the users data and leave a ransom note

The name Scarab is also associated with a family of beetles. Scarabs are stout-bodied beetles, many with bright metallic colours, measuring between 1.5 and 160 mm. They are also known as a dung beetle.

Detecting the presence of Scarab Ransomware

First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by co.uk inboxes. It was sent to millions of email addresses in the first four hours alone, according to Forcepoint. The emails are originating from hosts within the Necurs Botnet.

The unsolicited emails in question come with the well-worn “Scanned from {printer company name}” subject line and contain a 7zip attachment with a VBScript downloader. Use SMTP traffic monitoring or check the logs on your email server for any subject lines which start with “Scanned from”.

Another key indicator of Scarab Ransomware is the presence of these types of files on network shares:

• Files with the extension “.[suupport@protonmail.com].scarab”
• Ransom notes which are saved as text files with the name “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT”

The image below shows how our LANGuardian product detected suspicious activity on a network share by monitoring network traffic going to and from the file servers. When you monitor network traffic like this you can passively generate a list of all file and folder activity without the need for logging or agents.

Watch out for an increase in file renames. A sure sign of Scarab Ransomware activity

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Scarab Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames go above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can setup a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can setup a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware. You just need to change the file extensions to the ones mentioned earlier in this blog post.

What are SYN packets?

Last week I was on the road in Scotland visiting some of our university customers. During a meeting with a Network Security Specialist, a network issue popped up and he said to me “our firewall is triggering SYN packet alerts, is there anything you can do to help?”

SYN packets are normally generated when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. In the past attackers could bring down a firewall by sending lots of SYN packets. Each SYN packet would use up firewall resources and eventually it would stop accepting new connections. This can result in a massive business problem now that so many applications are cloud based and need fast and reliable Internet access.

A SYN alert could be the sign of attacker reconnaissance

Modern firewalls are able to deal with SYN attacks better by limiting the rate of SYN requests amoungst other things. However, they still retain their alerting features so if something usual is spotted they will trigger an alarm.

Not all SYN alerts are attacks designed to bring down your firewall. This was the case with the customer I mentioned earlier. In summary they were getting a lot of connections from a host in China which was trying to find any systems running SSH services. This is very common, attackers often seek out SSH servers, once found they try and do a dictionary attack against the root or other accounts. If they are successful then they have full access to the LAN segment that the SSH server sits on.

The image below shows a sample of the events from our LANGuardian system. Each one of these is triggered when a host tries to connect to more than 300 other systems in 25 seconds or less. At the same time the firewall on the same network was triggering excessive SYN packets alerts. The fix in this case was to get the ISP to block the Chinese host.

How to get visibility at the network edge

If you want to see what is hitting your firewall then you need to monitor network traffic hitting the outside network interfaces. Typically this is done by setting up a SPAN or mirror port on the network switch which connects to the external interfaces.

The image below shows a typical setup. Network packets destined for the LAN or DMZ are analyzied by a traffic analysis tool connnected to the network switch which connects devices together outside the LAN firewall. Most servers located here will have a public IP address and so would be open to network scanning activity. You can also detect SYN packet rates at this point, see what is hitting your main firewall.

One of the main things I watch out for in the DMZ is the rate of connection attempts. This is similar to detecting SYN attacks but as I mentioned, most of this activity is associated with reconnaissance, attackers trying to find a backdoor into your network. Some of the firewalls I looked at will trigger SYN attack alerts when they start received around 10,000 connection attempts per second but this can vary.

The image below is from one of our LANGuardian systems. It is reporting the level of what we call netscans, a netscan is triggered when one host tries to connect to more than 300 others in less than 25 seconds. An alert is triggered when this goes over 20 events per second. Our testing has shown that some firewalls start triggering their own alerts when this rate is reached and may start dropping  or refusing connections.

We have seen instances, for example DDOS attacks, where the organisation’s firewall is under some much pressure trying to handle the attack, it cannot be accessed and used as a reporting or forensics tool. Another advantage of using a continuous but passive system such as the LANGuardian, it can always be accessed when required and as it is not inline, can never have any impact on network availability or performance.

The video below goes through the steps needed to setup a SPAN or mirror port to monitor network traffic. The example covered looks at monitoring the internal LAN interfaces of a firewall but you can apply a similar approach when it comes to monitoring the external interfaces.

Using Traffic Analysis as a Data Source

As we have mentioned numerous times in our blogs, Network Traffic Analysis or (DPI) Deep Packet Inspection is a very flexible technology. It can be used for many use cases including continuous monitoring of user and device activity, reporting, forensics, analytics and of course troubleshooting of everyday  problems. One of the benefits of using a DPI engine to analyse network traffic flows, is the rich application specific detail and context, metadata that can be extracted and presented in real time or stored for forensics. Data ideal for many IT security and operational use cases.

DPI can sometimes be seen as a ‘complex and expensive technology’ only suitable for large enterprise, but not with the latest engines as found in the NetFort LANGuardian. The basic principle of the LANGuardian engine is to get the engine to do all the ‘heavy lifting’, reassembly, analysis, alerting thus making it very easy to use and read, ideal for all skill levels across organisations of all sizes with minimum training.

Actionable Alerts That Our Customers Requested

Recently we have been asked by our customers to generate real time alerts on various network and user activities that are critical to them. Examples, in the customers own words include:

• US Manufacturing company
  • ‘Alert if a user or device generates more than x GB of data over a given time?’
  • ‘Alert if certain file types are detected (e.g. mkv files)? ‘
• Large EU University
  • ‘Alert when a machine on our network is maliciously scanning 100,000’s of IP addresses across
    the globe. ‘
• EU Online retail company
  • ‘Any internal ip address making a connection to an external ip where the connection (TCP/UDP) was not preceded by a DNS query that returned the external ip’
• EU Government organisation
  • ‘Alert on any web accesses not via the proxy server’
• US City Council
  • ‘I’m trying to figure out the syntax for a rule to detect when the BitTorrent protocol is detected’
  • Oct 2016 ‘ Detect SMB1 traffic Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.’
• US Law firm
  • ‘Alert if a lawyer uploads huge files to our shared server within a short period of time using up all our space’

Some seem very obvious, simple but on closer examination, most make sense. Also, it is interesting to note that most customers do not request that many, maybe because they are already flooded with false positives and find it almost impossible to actually spot the real actionable alerts.

Machine Learning

I had a chat with a customer last week who purchased a pretty well known ‘machine learning’  based network security products 6 months ago, when he mentioned the product name, I was very curious and asked how it was going. ‘Nothing yet, 6 months of false positives, but you know, it is still learning’. So now not alone have they invested a lot of time and money in purchasing and implementing a product but it is also costing them time wise every day, as it giving them even more false positives to investigate!

Actually, a small number of our customers who requested the alerts included in the list above have recently implemented some expensive ‘Machine learning’ based security products. We started discussing it here internally and it got us wondering about the massive hype by vendors, analysts etc, around machine learning with respect to security. What is really driving it ? The lack of skilled security analysts is definitely one factor, big data another, but another one is surely the current set of overly complex and expensive security products ? And maybe he venture capitalists who have invested huge amounts of money in companies developing this technology, many of whom are struggling with sales ?

Developing Our Own Alerting Engine

We are putting huge focus on the usability of our alert engine, make sure it is as easy as possible to define the rules that generate real actionable alerts, not false positives, the alerts important to the user, the organisation, the business.

Of course, sometimes the simple and best ones are not that easy to implement. For example, as in the case of a lack of a DNS query require context/state and some understanding of the protocol in use in order to generate an alert. As mentioned by one of our engineers, some are also somewhat vague and require more detail. It may also be that some do not require an instant alerts, a simple email sent to the administrator each morning may suffice.

It will take time to get right, some tuning, knowledge of the network etc. Ease of use, readable data, is a must otherwise it will never work. These are basics some security vendors simply do not pay enough attention to but instead spend a lot of time and money on graphics and web interfaces designed by gamers, dark constellations which look fantastic but when you start to look at the detail, looking for actionable intelligence, you start thinking what is this really telling me ?

There are many common and critical threats or ‘bad’ network and user activities that do not require sophisticated artificial intelligence or machine learning.  Most organisations do not have the resources to monitor various dashboards to actually try and detect suspicious activity in real time,  but simply want a real alert with some readable context and data to understand what the alert is actually telling them.

Where to Start

Is it not common sense, start small, work the basics. Use a network traffic analysis for example to monitor internal activity and get the visibility you need to understand what is happening on your network. Modify your ‘active’ systems for example your firewall, to get rid of everything that could widen your attack surface and then add alerts, one by one, to ensure you are immediately notified the next time.  Use forums, blogs, your own network to keep in touch and build and update your own alert set. Add them one by one, you will be amazed with the size of your list after a few months and the lack of false positives.

Network Zombies

Now that Halloween is behind us we can put away the scary decorations and funny costumes. It may also be a good time to check our networks for zombie hosts or users. They can take many forms

1. Clients infected with Malware which form part of an external botnet
2. Faulty equipment which may be generating excessive broadcast traffic
3. Rouge IoT devices eating bandwidth
4. External clients scanning your network perimeter and exploiting firewall holes
5. Misuse of network resources by one or more users

Infected Clients

Many networks have lots of security devices at the network edge. From Firewalls to IPS type systems, securing the perimeter has been a priority for many IT managers. The trouble is that while this is a good thing to do, malware can still get in and unless you are monitoring what is going on inside your network you may be at risk. A user may bring in a USB stick laden with Malware for example and walk past your firewall.

I recently read about this network breach where unauthorized software was found on a server and it may have led to data loss. Some time ago I installed a trial version of our LANGuardian product onto a network and we found a client sending over 10,000 SPAM emails per hour. The interesting thing here was that the user of the computer was not complaining and an antivirus scan did not find anything. In the end the IT manager had to get the system reinstalled.

One way to find out what is happening on your internal network is to monitor network traffic moving through your core switch by setting up a SPAN or mirror port. Network traffic is an excellent source of user and application information. Once you have your data source in place a combination of network based intrusion detection and metadata analysis will root out any suspicious activity.

The image below taken from our own LANGuardian system shows an example of what to look out for. Events such as ET MALWARE Win32/InstallCore Initial Install Activity 1 or ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 need to be investigated and the associated clients need to be removed from the network.

Faulty Network Equipment

Technology can be wonderful when it works but when something goes bad it can be a nightmare to figure out what went wrong. A few years back there was massive disruption to air traffic at Dublin airport when a network card went faulty and caused the breakdown of a radar system. Our support team here worked with one of our own customers a while back when a faulty IP phone brought down an entire network segment by sending out large volumes of broadcast traffic.

Make sure you have some sort of internal traffic monitoring in place and watch out for what systems are sending large volumes of broadcast or multicast traffic. In other cases you may need to look at switch interface counters such as collisions or CRC rates. The image below is from our LANGuardian product and show a sample report which is the top clients associated with broadcast traffic. Any devices associated with hundreds of megabytes of broadcast traffic would need to be investigated.

Rogue IoT devices

Almost everything in today’s world is connected. From light bulbs to fridges, many devices now want to share data and metrics. However, this IoT world is not without its challenges. Recently security researches uncovered a botnet called Reaper which may have infected over 1 million networks.

IoT Botnets are Internet connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements.

You need to be aware of what is connecting to your network. One way to do this is to monitor all traffic going to and from your DHCP and DNS servers. This can reveal a lot about what is connecting to your network and what they are trying to get to. The images below from our LANGuardian product show how metadata captured from DHCP and DNS traffic can used to get an inventory of what is on your network.

If you do have IoT devices on your network, you need to make sure they are fully patched and not using any default passwords.

External Clients Targeting Your Network

As I mentioned previously there are large botnets out there ready to target unsuspecting businesses and organizations. If you re unlucky enough to be targeted you could be on the receiving end of large DDoS attack. Typically NTP or DNS traffic is used to overload your Internet gateways resulting in a loss of connectivity for internal and external clients. Make sure you are monitoring all traffic at your network edge especially the levels of UDP based protocols such as NTP or DNS.

Also watch out for any external clients scanning your network looking for open ports on firewalls. Common scans would be on RDP (TCP 3389), SSH (TCP 22) or SQL (1433). You need to take action if you see any connections on your internal network from clients which are outside the network. Either block the external IP address or shutdown the port they are using on your firewall. Don’t forget to carry out a forensic investigation on any incidents and see if any other client was targeted inside your network.

The image below from our LANGuardian product shows and example of what to watch out for. Here we can see an external IP which is registered in Russia connecting to servers on the local network over TCP port 445.

Rogue Network Users

Sometimes a network user can go bad. Maybe they install an application such as Bittorrent and hog all of the Internet bandwidth or maybe someone accidentally or deliberately deletes data. Can you track down all activity by username? One way to do this is to capture user logon information from Active Directory and use this to match it to IP addresses so you can see who is doing what.

The image below from our LANGuardian product shows a sample user report which lists the top users active on the network based on data downloaded or uploaded. You may want to consider getting alerts if users go above certain levels.

What is Badrabbit Ransomware?

A new strain of ransomware nicknamed “Bad Rabbit” has been found spreading in Russia, Ukraine and Germany. The outbreak bears similarities to the WannaCry and Petya ransomware outbreaks that spread around the world causing widespread disruption earlier this year. This Ransomware encrypts data on infected machines or on network file shares before demanding a payment of 0.05 bitcoin (£250) for the decryption key.

They main way Bad Rabbit spreads has been identified as drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

Once a user facilitates the initial infection the malware leverages existing methods to propagate around a network without user interaction. This involves leveraging an exploit in the SMB protocol and a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system,

Checking your IDS

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Most look for certain data strings within network packets which will then trigger an alert. In the case of Badrabbit you need to be watching out for the following emerging treats rules.

• emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (cscc)
• emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (infpub)
• emerging-trojan ET TROJAN BadRabbit Ransomware Payment Onion Domain

If you are using our LANGuardian product, check the report Top Network Events. This is also available in the trial version.

Suspicious Domains

Badrabbit uses a number of domains for command and control services. Check your DNS traffic and/or your web activity logs for any activity associated with these domains. If you detect any activity, remove the client which issued the DNS query or tried to access the domain from your network.

1dnscontrol.com
an-crimea.ru
ankerch-crimea.ru
argumenti.ru
fastmonitor1.net
caforssztxqzf2nm.onion

If you are using our LANGuardian product, check the report Network Events (DNS Lookups). This is also available in the trial version.

Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like Badrabbit strikes, it will result in a massive increase in file renames as your data gets encrypted. Note that Badrabbit will use the same file names so there are no file extensions to watch out for.

You can use this behavior to trigger an alert. If the number of renames go above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can setup a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can setup a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.