
Network Security Monitoring

Just as network security monitoring is important for detecting threats originating from outside the network, it can also be used to detect threats originating from within. The 2015 Intel Security Report “Grand Theft Data” revealed that 43% of all security breaches are attributable to internal actors. Although half of data breaches are unintentional, the loss of data and financial cost of an internal breach can be significant because, in many cases, the perpetrator knows where to look.

Without intending to diminish the threat from ransomware, effective network security monitoring with LANGuardian can prevent many insider thefts. Historical data can be analyzed to identify unusual or suspicious fileshare access, and alerts can be set up to warn of specific network activity. Network security monitoring in this manner is far more effective than individual user logging, as it helps prevent unintentional data breaches as well as those conducted for malicious purposes.

To find out more about how you can detect and prevent threats from both outside and within your network, read our network security monitor blog posts. If, after reading about how LANGuardian can be used as an effective network security monitoring solution, you have any questions, do not hesitate to contact us. Alternatively, you can download your free trial of LANGuardian and start monitoring your network security effectively today.

Crypto Mining Malware Spreading Via SMBv1 Vulnerability

Crypto Mining Malware

Ransomware Cryptocurrency Link

During 2017 we saw advances in security tools which have meant IT and network security managers have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files) and of ransomware detection tools has really helped to reduce the ransomware problem.

Bitcoin is frequently associated with Ransomware as it is a popular payment type demanded by ransomware authors. There are many types of crypto currency available today which you can acquire with money or goods or you can mine them using one or more computers.

The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.

Icarus Bitcoin Mining rig

One of the new trends with Malware is the move away from data encryption to a more stealthy bitcoin mining strategy. Bitcoin mining can happen in the background. No need for any splash screens or data destruction.

Crypto Mining Malware & Association With SMBv1

Many attackers now favor anonymous cryptocurrencies, with Monero being the most prominent. Cryptocurrencies are popular as they are secure, private and difficult to trace. Servers are often targeted and, since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144) which targeted the SMBv1 protocol.

Crypto mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”

How to Detect SMBv1 Use on Your Network

As I mentioned earlier, the EternalBlue exploit is being used by a lot of attackers to install ransomware or crypto miners on victims’ PCs. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Because of this, you need to make sure you detect SMBv1 use on your network and switch off the protocol on any systems which have it enabled. SMBv1 has been superseded by SMBv2 and SMBv3, which are far more efficient and secure.

However, sometimes reality is more difficult than the theory. I met with some of our LANGuardian customers this week. They said that when they disabled SMBv1 on some servers they had issues with a loss in connectivity to some printers. I also had issues in my home lab where certain Android devices lost connectivity to a NAS system when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1, but that will increase the attack surface of your network.

Using LANGuardian to Detect SMBv1 Use

The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMB1 clients and servers on your network. Make sure you can detect this activity by monitoring communication between clients and servers or check each network device to see if SMBv1 is enabled.
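One way to do the traffic-side check described above, as an added example (not LANGuardian's implementation): it labels each SMB message seen on TCP 445 by its protocol identifier and separates clients that still offer SMBv1 from servers that accept it. The packet tuples, helper names and sample addresses are constructed for illustration.

```python
# Added example: classify SMB messages on TCP 445 by protocol ID (constructed data).
SMB1_MAGIC = b"\xffSMB"      # SMB1/CIFS protocol identifier
SMB2_MAGIC = b"\xfeSMB"      # SMB2 and SMB3 protocol identifier
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80      # Flags bit set on server-to-client messages


def classify_smb(payload):
    """Label one direct-TCP SMB message, or return None if it is not SMB."""
    if len(payload) < 8 or payload[0] != 0x00:
        return None                          # not a session message
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if msg[:4] != SMB1_MAGIC or len(msg) < 10:
        return None
    command, flags = msg[4], msg[9]
    if command == SMB1_COM_NEGOTIATE:
        return "smb1-negotiate-reply" if flags & SMB1_FLAGS_REPLY else "smb1-negotiate-offer"
    return "smb1-session"


def smb1_report(packets):
    """packets: (client_ip, server_ip, direction, payload), direction 'c2s' or 's2c'."""
    offering, accepting, active = set(), set(), set()
    for client, server, direction, payload in packets:
        label = classify_smb(payload)
        if label is None or label == "smb2":
            continue
        if direction == "c2s":
            offering.add(client)             # client still sends SMB1-framed requests
        else:
            accepting.add(server)            # server answered in SMB1, so it accepts SMBv1
        if label == "smb1-session":
            active.add((client, server))     # past negotiation: SMBv1 is really in use
    return {"clients_offering_smb1": sorted(offering),
            "servers_accepting_smb1": sorted(accepting),
            "active_smb1_sessions": sorted(active)}


def smb1_msg(command, reply=False):
    """Constructed 32-byte SMB1 header wrapped in the 4-byte session header."""
    hdr = (SMB1_MAGIC + bytes([command]) + b"\x00" * 4
           + bytes([SMB1_FLAGS_REPLY if reply else 0]) + b"\x00" * 22)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


def smb2_msg():
    """Constructed 64-byte SMB2 header wrapped in the 4-byte session header."""
    hdr = SMB2_MAGIC + b"\x00" * 60
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


# Constructed sample traffic: one modern pair, one legacy pair, one SMB2-only pair.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", "c2s", smb1_msg(0x72)),              # SMB1-framed negotiate
    ("10.0.0.5", "10.0.0.20", "s2c", smb2_msg()),                  # server answers in SMB2
    ("10.0.0.6", "10.0.0.30", "c2s", smb1_msg(0x72)),
    ("10.0.0.6", "10.0.0.30", "s2c", smb1_msg(0x72, reply=True)),  # server accepts SMB1
    ("10.0.0.6", "10.0.0.30", "c2s", smb1_msg(0x73)),              # session setup over SMB1
    ("10.0.0.7", "10.0.0.20", "c2s", smb2_msg()),
    ("10.0.0.7", "10.0.0.20", "s2c", smb2_msg()),
]

if __name__ == "__main__":
    for key, value in smb1_report(SAMPLE_PACKETS).items():
        print(key, value)
```

The distinction matters when planning the switch-off: hosts in the first list only need the client side disabled, while pairs in the last list will lose connectivity, as with the printers and NAS mentioned above.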

Find Out What Systems Are Using SMBv1 on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or Username. Real time and historical reports available. No need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.

How To Detect Unauthorised DNS Servers On Your Network

Detecting unauthorized DNS servers to prevent DNS poisoning

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul Mockapetris, then at the University of Southern California, in the days of ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a very secure protocol and it is a popular target for attackers. There are two ways DNS can be hacked: by using protocol attacks (attacks based on how DNS is actually working) or by using server attacks (attacks based on the bugs or flaws of the programs or machines running DNS services).

One of the more recent protocol attacks was the

In both of these cases the attackers change your DNS server from (Google) for example to one of their own DNS servers. Most of your DNS queries will be handled correctly and you will get correct IP addresses. However, for certain sites, such as banking, the attackers will direct you to a mocked-up website which looks like a valid banking one. Your logon details are captured once you start to interact with the site and these are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and a number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian can build up an inventory of all DNS servers and client queries to them.

A LANGuardian report showing unauthorised DNS server use

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try to access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

  • (hosted internally on network)
  • (google1)
  • (google2)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.

Unauthorised DNS servers alert configuration

Once the rule is saved it will look like this on the LANGuardian alerts list.

LANGuardian DNS Alert Rule

Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata like source and destination IP addresses, country where DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

A list of unauthorised servers detected on the network using network traffic analysis

These alerts can also be exported as SYSLOG so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.
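The whitelist rule and DNS inventory described in this section, sketched as an added example (not LANGuardian's rule engine or alert format): it decodes the queried name from each DNS query, builds a per-server inventory, and emits a syslog-style line for every server outside the whitelist. The server addresses are constructed placeholders from documentation ranges, since the page's own values are not shown; the packet tuple layout and the `dns-monitor` tag are assumptions.

```python
# Added example: inventory DNS servers in use and alert on ones outside a whitelist.
ALLOWED_DNS = {"192.0.2.53", "198.51.100.8", "198.51.100.4"}   # constructed placeholders


def parse_query_name(payload):
    """Return the name asked for in a DNS query message, or None if not a usable query."""
    if len(payload) < 12:
        return None
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    if flags & 0x8000 or qdcount < 1:          # QR bit set means response, not query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                        # ran off the end: truncated question
        n = payload[pos]
        if n == 0:
            break
        if n > 63 or pos + 1 + n > len(payload):
            return None                        # not a plain label, or truncated
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or "."


def dns_inventory(packets, allowed=ALLOWED_DNS):
    """packets: (ts, client_ip, server_ip, dst_port, payload) seen on the mirror port."""
    inventory = {}
    for _ts, client, server, dport, payload in packets:
        if dport != 53:
            continue
        name = parse_query_name(payload) or "<unparsed>"
        entry = inventory.setdefault(
            server, {"authorised": server in allowed, "clients": set(), "names": set()})
        entry["clients"].add(client)
        entry["names"].add(name)
    return inventory


def unauthorised_dns_alerts(packets, allowed=ALLOWED_DNS):
    """One syslog-style line (priority local0.warning = 132) per unauthorised server."""
    alerts = []
    for server, entry in sorted(dns_inventory(packets, allowed).items()):
        if entry["authorised"]:
            continue
        alerts.append("<132>dns-monitor: unauthorised DNS server=%s clients=%s queries=%s" % (
            server, ",".join(sorted(entry["clients"])), ",".join(sorted(entry["names"]))))
    return alerts


def dns_query(name, txid=0x1234):
    """Build a constructed DNS query (type A, class IN) for the sample data."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    (1000, "10.0.0.11", "192.0.2.53", 53, dns_query("intranet.example")),
    (1001, "10.0.0.12", "203.0.113.66", 53, dns_query("bank.example")),
    (1002, "10.0.0.12", "203.0.113.66", 53, dns_query("mail.example")),
    (1003, "10.0.0.13", "203.0.113.99", 53, b"\x00\x01"),     # too short to decode
    (1004, "10.0.0.11", "203.0.113.66", 443, b""),            # not DNS, ignored
]

if __name__ == "__main__":
    for line in unauthorised_dns_alerts(SAMPLE_PACKETS):
        print(line)
```

Traffic to port 53 on an unlisted server is reported even when the payload cannot be decoded, because the destination alone breaks the whitelist.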

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers, along with all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up on devices using external DNS servers, and it is easy to set up: most managed switches support SPAN or mirror ports. If you have a switch that does not have any traffic monitoring options there are many alternatives for SPAN ports. The video below shows the steps needed to monitor Internet traffic and you should extend this to also monitor local DNS servers.

Find Out What DNS Servers Are In Use On Your Network

Use the deep packet inspection engine of LANGuardian to report on what DNS servers are in use on your network. Real time and historical reports available. No need to install any agents or client software.

  • See what DNS servers are in use
  • Generate alerts if a network device uses an unauthorised DNS server
  • Capture DNS metadata so you can troubleshoot DNS issues and perform forensics on past events.

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to Passively Detect VPN Clients on Your Network

How to detect the presence of VPN clients

Why worry about VPN clients?

VPNs have been around for a long time. A VPN extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

If you use public WiFi networks such as those found in airports and cafes then it is recommended that you use a VPN service. A VPN will ensure that all of your communication is encrypted.

However, there are times when VPN activity is suspicious and/or bad. I see an increasing amount of VPN activity on college\school networks. In most cases end users are using a VPN to get around a web filter or use a blocked application such as BitTorrent. A VPN will also punch a hole in your firewall and it may become a route for nasties such as ransomware.

“A VPN client will punch a hole through your firewall”

Common uses for VPN clients


  1. Site to site connectivity where a branch office can connect to HQ via the Internet
  2. Allows remote workers to connect to HQ
  3. Encrypts your data when you are on a public WiFi network


  1. Bypass web filters (some may not see this as bad)
  2. Allows you to run applications which are blocked
  3. Create a hole in a Firewall which may become the source of a Malware infection
  4. Can be used for data exfiltration

How to detect VPN clients on your network

VPN clients can be difficult to detect as they typically use a port such as 443 over UDP or TCP which is normally open on a firewall. However, there are a number of things to watch out for. First we need to understand how the most common VPN clients work.

Most VPN clients come as a software pack which includes the actual VPN software and a database of VPN servers. The idea is that everything you need is included when you install, so you don’t need to access a specific website to connect to anything. If you did, it would be easy to block access to these websites. This makes it hard to detect VPN clients if you are looking at reports from something like a web filter.

Once you select a VPN server, an encrypted connection is created between your client and the VPN server. All of your Internet bound activity is then routed through this VPN connection. If you want to browse a website for example, the VPN server connects to the website and sends the text\images\media back to you via your encrypted connection. This is what makes them secure, someone ‘sniffing’ your local traffic can’t see what you are accessing.

How VPN works

In summary, a VPN client makes a direct connection to a VPN server and this server then does the job of accessing what service\application you requested. This differs from users connecting to websites or applications directly. For example I may go and visit YouTube using a web browser. When I type in my computer will go and resolve this name to an IP address using DNS. Computers use IP addresses to connect, not human readable names.

In order to detect VPN clients on a network, we need to watch out for any client sessions where there are client-to-server connections with no DNS resolutions. To do this you need to monitor network traffic going to and from your Internet gateway and you also need to monitor DNS traffic hitting your DNS servers if you host them locally.

Detecting VPN Clients

  1. Monitor Internet traffic
  2. Monitor DNS queries
  3. Watch out for client connections to external hosts with no name resolution

What you need to watch out for is any sessions to external IP addresses which have no hostnames associated with the server. If the connection is over TCP or UDP port 443 then you are probably looking at VPN client activity. The image below shows an example of what to watch out for if you want to detect VPN clients. The first client listed is connecting directly to an IP address as no hostname is shown. The other connections are to Googlevideo which are part of the YouTube service.
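The three detection steps above, combined in an added example (not LANGuardian's report logic): it joins observed DNS answers to outbound flows per client and lists sessions to external IP addresses that the client never resolved, marking those on port 443 as likely VPN activity. The record layouts, the internal network range, the one-hour lookback and all sample hosts are assumptions constructed for illustration.

```python
# Added example: find outbound sessions to external IPs with no preceding DNS answer.
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the monitored LAN


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unresolved_sessions(dns_answers, flows, lookback=3600):
    """Return external sessions whose server IP the client did not get from DNS.

    dns_answers: (ts, client_ip, queried_name, [resolved_ips])
    flows:       (ts, client_ip, server_ip, proto, port, byte_count)
    lookback:    how long (seconds) a DNS answer is taken to explain later flows
    """
    resolved = defaultdict(list)                 # (client, server_ip) -> [answer ts]
    for ts, client, _name, ips in dns_answers:
        for ip in ips:
            resolved[(client, ip)].append(ts)

    sessions = {}
    for ts, client, server, proto, port, nbytes in flows:
        if is_internal(server):
            continue                             # only Internet-bound traffic matters here
        seen = resolved.get((client, server), ())
        if any(0 <= ts - answered <= lookback for answered in seen):
            continue                             # the client looked this server up by name
        key = (client, server, proto, port)
        entry = sessions.setdefault(key, {"flows": 0, "bytes": 0})
        entry["flows"] += 1
        entry["bytes"] += nbytes

    return [
        {"client": c, "server": s, "proto": proto, "port": port,
         "flows": v["flows"], "bytes": v["bytes"], "likely_vpn": port == 443}
        for (c, s, proto, port), v in sorted(sessions.items())
    ]


# Constructed sample data: one normal web session, one VPN-like session, one other.
SAMPLE_DNS = [
    (100, "10.1.1.20", "r3.googlevideo.example", ["203.0.113.10"]),
]
SAMPLE_FLOWS = [
    (101, "10.1.1.20", "203.0.113.10", "tcp", 443, 5_000_000),     # resolved by name
    (105, "10.1.1.21", "198.51.100.77", "udp", 443, 40_000_000),   # no lookup at all
    (165, "10.1.1.21", "198.51.100.77", "udp", 443, 38_000_000),
    (110, "10.1.1.21", "10.1.1.5", "tcp", 445, 1_000),             # internal, ignored
    (120, "10.1.1.22", "192.0.2.200", "tcp", 22, 20_000),          # unresolved, not 443
]

if __name__ == "__main__":
    for row in unresolved_sessions(SAMPLE_DNS, SAMPLE_FLOWS):
        print(row)
```

Matching is per client, so the DNS feed has to cover every resolver the clients can reach; otherwise ordinary sessions will show up without names.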

Report showing a VPN client connecting to an external VPN server

Check out the video below to learn more about how you can use our LANGuardian product to detect VPN clients.

Firewall Reporting Excessive SYN Packets? Check Rate of Connections

TCP handshake showing SYN packets

What are SYN packets?

Last week I was on the road in Scotland visiting some of our university customers. During a meeting with a Network Security Specialist, a network issue popped up and he said to me “our firewall is triggering SYN packet alerts, is there anything you can do to help?”

SYN packets are normally generated when a client attempts to start a TCP connection to a server. The client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. In the past attackers could bring down a firewall by sending lots of SYN packets. Each SYN packet would use up firewall resources and eventually it would stop accepting new connections. This can result in a massive business problem now that so many applications are cloud based and need fast and reliable Internet access.

A SYN alert could be the sign of attacker reconnaissance

Modern firewalls are able to deal with SYN attacks better by limiting the rate of SYN requests, amongst other things. However, they still retain their alerting features, so if something unusual is spotted they will trigger an alarm.

Not all SYN alerts are attacks designed to bring down your firewall. This was the case with the customer I mentioned earlier. In summary they were getting a lot of connections from a host in China which was trying to find any systems running SSH services. This is very common: attackers often seek out SSH servers and, once found, they try a dictionary attack against the root or other accounts. If they are successful then they have full access to the LAN segment that the SSH server sits on.

The image below shows a sample of the events from our LANGuardian system. Each one of these is triggered when a host tries to connect to more than 300 other systems in 25 seconds or less. At the same time the firewall on the same network was triggering excessive SYN packets alerts. The fix in this case was to get the ISP to block the Chinese host.

SYN alerts generated by lots of connections from a single host

How to get visibility at the network edge

If you want to see what is hitting your firewall then you need to monitor network traffic hitting the outside network interfaces. Typically this is done by setting up a SPAN or mirror port on the network switch which connects to the external interfaces.

The image below shows a typical setup. Network packets destined for the LAN or DMZ are analyzed by a traffic analysis tool connected to the network switch which connects devices together outside the LAN firewall. Most servers located here will have a public IP address and so would be open to network scanning activity. You can also detect SYN packet rates at this point and see what is hitting your main firewall.

DMZ network with traffic monitoring tool in place

One of the main things I watch out for in the DMZ is the rate of connection attempts. This is similar to detecting SYN attacks but, as I mentioned, most of this activity is associated with reconnaissance: attackers trying to find a backdoor into your network. Some of the firewalls I looked at will trigger SYN attack alerts when they start receiving around 10,000 connection attempts per second, but this can vary.

The image below is from one of our LANGuardian systems. It is reporting the level of what we call netscans. A netscan is triggered when one host tries to connect to more than 300 others in less than 25 seconds. An alert is triggered when this goes over 20 events per second. Our testing has shown that some firewalls start triggering their own alerts when this rate is reached and may start dropping or refusing connections.
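The netscan rule quoted here and in the SSH scanning case earlier (one host contacting more than 300 others within 25 seconds, with an alert above 20 such events per second), written out as an added example rather than LANGuardian's own code. The input is assumed to be time-ordered connection attempts as `(timestamp, source, destination)` tuples; all addresses are constructed.

```python
# Added example: sliding-window netscan detection over connection attempts.
from collections import Counter, defaultdict, deque


def detect_netscans(conn_attempts, max_hosts=300, window=25.0):
    """Return (ts, source, distinct_hosts) each time a source exceeds the threshold.

    conn_attempts must be sorted by timestamp. After an event fires, the source's
    window is reset so that one sweep does not fire on every following packet.
    """
    state = defaultdict(lambda: {"queue": deque(), "last_seen": {}})
    events = []
    for ts, src, dst in conn_attempts:
        st = state[src]
        st["queue"].append((ts, dst))
        st["last_seen"][dst] = ts
        # Drop attempts that have fallen out of the time window.
        while st["queue"] and ts - st["queue"][0][0] > window:
            old_ts, old_dst = st["queue"].popleft()
            if st["last_seen"].get(old_dst) == old_ts:
                del st["last_seen"][old_dst]     # host not contacted again since
        if len(st["last_seen"]) > max_hosts:
            events.append((ts, src, len(st["last_seen"])))
            st["queue"].clear()
            st["last_seen"].clear()
    return events


def seconds_over_rate(events, max_events_per_second=20):
    """Return the whole seconds in which more netscan events fired than allowed."""
    per_second = Counter(int(ts) for ts, _src, _count in events)
    return sorted(sec for sec, n in per_second.items() if n > max_events_per_second)


def target(i):
    """Constructed destination address number i."""
    return "10.20.%d.%d" % (i // 250, i % 250 + 1)


def sample_attempts():
    """Constructed traffic: a fast scanner, a slow scanner and a normal client."""
    fast = [(i / 20, "203.0.113.9", target(i)) for i in range(400)]    # 20 hosts/s
    slow = [(i / 10, "203.0.113.77", target(i)) for i in range(400)]   # 10 hosts/s
    normal = [(float(i), "10.0.0.5", target(i)) for i in range(5)]
    return sorted(fast + slow + normal)


if __name__ == "__main__":
    found = detect_netscans(sample_attempts())
    print(found)
    print(seconds_over_rate(found))
```

The slow scanner touches as many hosts as the fast one but never has more than about 250 of them inside any 25 second window, so it stays under the rule; that is the trade-off of a fixed window and a reason to keep historical data for review.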

Network scan levels

We have seen instances, for example DDoS attacks, where the organisation’s firewall is under so much pressure trying to handle the attack that it cannot be accessed and used as a reporting or forensics tool. Another advantage of a continuous but passive system such as LANGuardian is that it can always be accessed when required and, as it is not inline, can never have any impact on network availability or performance.

The video below goes through the steps needed to set up a SPAN or mirror port to monitor network traffic. The example covered looks at monitoring the internal LAN interfaces of a firewall but you can apply a similar approach when it comes to monitoring the external interfaces.

Why a CCTV type system is a necessity for Monitoring Network Traffic

CCTV for computer networks

Why monitor network traffic?

The recent Equifax security breach resulted in hackers getting their hands on the sensitive personal information of 143 million American consumers. The breach lasted from mid-May 2017 through July 2017. The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information from about 182,000 people; they also grabbed personal information of people in the UK and Canada.

This information was not carried in briefcases. It left the organization as a payload in network traffic, mixed in with the massive amounts of legitimate traffic that would have left Equifax during the hacking period. While it is good practice to have firewalls and threat detection systems, many of them rely on known signatures of exploit attempts. This approach fails if you are targeted with something new, or if your security applications are missing detection capabilities for a specific type of attack. This is one of the main reasons why you need to constantly monitor network traffic leaving and entering your network.

What is a CCTV system for monitoring network traffic?

When I talk about a CCTV type system for monitoring network traffic, I usually give this analogy. When we want to protect physical buildings, we invest in locks, gates, walls and other physical barriers to protect our property and physical assets.

We also invest in CCTV systems so that if there is a break in, we can see what is happening in real time and get recordings so we can look back over events. If you have a breach, it is important to know what happened so that we can make changes to prevent further breaches happening in the future. CCTV systems can also alert if someone enters a premises outside of normal working hours.

Monitoring network edge

Too often in the digital world, we forget about monitoring tools. Senior management often sees them as a ‘nice to have’ as there is no obvious payback. It is easy to get seduced into spending IT budgets on fancy firewalls and threat prevention systems as they can take an action. However, the Equifax hack has reminded us that we need eyes on our networks 24/7 and we need to keep historical records of who is connecting to what so that we can go back and see how someone hacked into our network.

network flows

A CCTV system for network traffic can be based on flow or packet analysis. If you use managed switches or if you have a router, you will have a data source. From this analysis, you need to be capturing information such as:

  • True application names as you cannot rely on port labels
  • Resource (URI) names
  • HTTP header fields
  • Web client information
  • DHCP data such as IP addresses, MAC and host-names
  • SMTP metadata such as email addresses and subject lines
  • BitTorrent Hash values
  • DNS SPAM detection
  • SMB and NFS metadata
  • Ingress and egress IP flows including IP addresses and port numbers
  • Associated GeoIP details
  • Packets counts
  • IP flow counts
  • Detect application layer attacks
  • Associated usernames
  • Accurate web domain names from DNS, HTTP or HTTPS traffic analysis

One of the most important things is that you get both a real-time and historical view of this data. Most network monitoring applications do real-time monitoring. Some do historical reporting but may age and compress data to cut down on disk usage. This is not ideal, as you will want to store as much detail as possible so that you can investigate historical events. Make sure you choose a forensics or monitoring application that retains all information captured.

Integrating IDS (Intrusion Detection System) and traffic analysis is also beneficial. This allows you to detect known attacks as well as providing extra context, such as what connections were made and whether the attackers targeted any other systems on your network. You will only get good threat detection with packet analysis; flow-based tools (NetFlow, IPFIX, etc.) will struggle as they don’t look at packet payloads.

Your monitoring tool needs to be independent of edge equipment

Many firewalls now come with advanced logging and reporting capabilities. On paper, they tick boxes for both prevention and reporting. However, if your network is under attack you may find that these logs become inaccessible.

Some time ago I attended a JANET conference in the UK. A number of universities had been targeted with DDoS attacks. Many network managers spoke about how they struggled to understand what was happening, as their firewall logs were inaccessible or were filling up so quickly it was difficult to get an overall view of where the DDoS traffic was coming from. One of the recommendations from the conference was to ensure your monitoring tools were independent of edge devices such as firewalls or routers.

Don’t wait for a breach before investing in monitoring tools

The worst way to implement monitoring tools is to do so in the middle of an attack. You will never capture all the information you need and you may be rushed into buying tools that don’t address your requirements. Get something in place ASAP and use the CCTV analogy when discussing with senior management. In today’s world, you need to be watching over your network 24/7.

23 NYCRR 500 – How LANGuardian can help with Compliance

23 NYCRR 500

The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Governor Andrew Cuomo

23 NYCRR 500: What it means for you

NYCRR 500 is a regulatory compliance standard that regulates the Financial Services Industry (FSI) in New York. This regulation mandates each institution have a cyber security program, Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of their compliance, and more.

NYCRR 500 requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The key date to keep in mind is September 1, 2017: that date marks the end of the 180 day period to comply with the guidelines set forth in 23 NYCRR 500.

The key elements of the proposal are as follows, and a summary of these elements can be found here:

  1. Establishment of a Cybersecurity Program to include:
    • Adoption of a written Cybersecurity Policy
    • Identify and assess internal and external Cybersecurity risks that may threaten the security or integrity of data stored in an organization’s IT systems.
    • Use defensive infrastructure and implementation of policies and procedures to protect the IT systems from unauthorized access or malicious acts.
    • Detect cybersecurity events.
    • Respond to identified or detected Cybersecurity events to mitigate any negative effects.
    • Recover from Cybersecurity Events and restore normal operations and services.
    • Fulfill applicable regulatory reporting requirements.
  2. Mandatory Chief Information Security Officer
  3. Cybersecurity Training for Employees
  4. Third-Party Service Providers Risk
  5. Incident Monitoring and Reporting
  6. Information Security Audits

How LANGuardian can help with 23 NYCRR 500

While no one system can provide the full range of compliance across all of the regulatory requirements, a forensic threat investigation solution and incident response plan will be the most important tools for demonstrating compliance.

Written policies (as defined in section 500.3) are an important first step, but compliance requires the demonstration of consistent policy enforcement. Forensic data and reporting are needed to demonstrate consistent enforcement of these new rules, and there are four sections in particular where LANGuardian provides many benefits.

Section 500.02 Cybersecurity Program (1) (3)

Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems.

LANGuardian includes both an intrusion detection system (IDS) and an advanced network traffic analysis engine. This allows you to spot rogue devices on the network as well as providing the ability to generate alerts when cybersecurity events are detected.

Information Security—500.3 (a)

Being able to protect the sensitive and confidential information hosted on systems is critical in the financial industry. You must have a policy in place that allows you to identify who should have access to sensitive information. When a security breach takes place, you need to see what the bad actors have gained access to and what they saw. Finally, you need to be able to prove if somebody outside of your authorized list accessed the sensitive information.

LANGuardian can monitor network activity both inside and at the network edge. There is no need for agent or client software and, because it is not inline, it will not impact the performance of your network. The image below shows a sample LANGuardian report which lists which users accessed certain files on a network share.

Systems and Network Security—500.3 (g)

When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections that they offer. What tools do you have in place, and how do you know what security functions they provide? Regardless of the tools, you need to define a policy outlining how the tools protect your sensitive information.

The image below shows how LANGuardian highlighted a suspicious network scan originating from an external IP address. In this case we would use LANGuardian to firstly identify when the scanning started and if the external clients accessed any other systems on the network. Based on this forensic analysis we would then take an appropriate action, like blocking certain ports on the firewall.

Network Security Events

Systems and Network Monitoring—500.3 (h)

To enforce the policies of systems and network security, active surveillance and analysis of network systems are required. Without baselining user and traffic behavior, network and security teams are blind to network activity. You need to have an exhaustive record of normal traffic patterns, and you must set up a system that alerts when traffic deviates.

LANGuardian uses a combination of metadata capture and network based intrusion detection to monitor network traffic on a network. It does not age data, so you can look back at historical data in the event of a security breach. The image below shows a LANGuardian report which lists what clients were making outbound connections from a network.

monitor network traffic

Incident Response—500.3 (n)

The main goal in any incident response and forensic threat investigation solution is to provide teams with the ability to respond quickly to incidents. With that in mind, using such a solution provides organizations with the ability to respond quickly to threats and discover where they’ve gone.

LANGuardian can generate email alerts, or export alerts as SYSLOG events, which can be picked up by SIEM systems. The image below shows a sample of event types that can be triggered by LANGuardian.

network events triggered by IDS

Creating a Ransomware Monitoring Dashboard

Ransomware Monitoring Dashboard

Creating a Ransomware Monitoring Dashboard with LANGuardian

Ransomware has really hit the headlines since WannaCry was first detected. If you want to learn more about this variant, check out our latest blog post which takes a look at how to detect the presence of WannaCry Ransomware and SMBv1 servers on your network.

We regularly send security bulletins to customers and one of the most common questions when it came to Ransomware was what would be a good set of reports to add to a Ransomware Monitoring dashboard. As WannaCrypt and its variants are very prominent at the moment, the focus is on it. However, as you can see from the video below, the dashboard can be used to monitor many other Ransomware variants.

Ransomware Monitoring Elements

This list shows the 8 elements that make up our basic Ransomware monitoring dashboard. We will publish more information at a later date as we learn more about WanaCrypt0r 2.0 and other variants. The video below explains more about how to set up each element and how to interpret the data returned.

  1. Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
  2. Any activity associated with WannaCry web domains.
  3. A list of Windows XP clients; as these use SMBv1, they are seen as vulnerable.
  4. A list of servers running SMBv1.
  5. Graphic showing the rate of file renames on network shares. A high number of file renames is a sure sign of Ransomware.
  6. Top clients (you can also get usernames) renaming files on your network
  7. Any outbound activity on your network using TCP port 445
  8. Any instances of ransom note text files associated with WannaCry

The video references these variables which you can copy\paste when needed.

  • WannaCry file extensions: \.wnry$|\.wcry$|\.wncry$|\.wncryt$
  • WannaCry web domain:
  • WannaCry ransom note text file: @Please_Read_Me@.txt

If you want to add elements for detecting XData Ransomware, use these variables

  1. Search for any file containing the text string XData
  2. Search for any file names matching HOW_CAN_I_DECRYPT_MY_FILES.txt.

We are also working on an update to LANGuardian which can trigger an alert whenever an SMB1 protocol request or response is seen. This will then enable you to use the Ransomware Monitoring dashboard and get alerts, if required.

Video Guide: Setting up a Ransomware Monitoring dashboard

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

Wannacry Ransomware

How to detect the presence of WannaCry Ransomware and SMBv1 servers

WannaCry Ransomware has become very active in May 2017. It looks to be targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. One of the big lessons from this Ransomware outbreak is that it is vital that you have monitoring in place on your network. You need to be able to quickly identify suspicious activity.

Passively monitor network and user activity using network traffic analysis

One of the easiest ways to monitor what is happening on your network is to set up a SPAN\Mirror port or use a network TAP. This will give you access to flows and packet payloads, so you can see who is connecting to what and if there is anything suspicious moving around.

Check out this blog post if you use Cisco switches, as it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to setup monitoring on other switches.

Network traffic monitoring is an ideal way of monitoring what is happening on your network, as you don’t need to install agents or client software on your network devices. It is also a very useful option for continuously checking your network for vulnerable legacy systems like Windows XP or systems that can use SMB1 which is deemed to be insecure.

Detecting Ransomware – Setup a data source

As I mentioned above, you can monitor what is happening on your network by monitoring network traffic. However, you do need an application that can process network packets to get meaningful information. Tools like Wireshark may struggle if you are dealing with large volumes of traffic.

Our own product LANGuardian can be used to monitor network traffic. It does not store every packet; instead it captures metadata which can be used to spot security or operational issues on networks. It includes an SMB and NFS decoder as well as a built-in Intrusion Detection System (IDS). When it comes to Ransomware, these metadata values are useful for spotting problems:

  • File names, specifically those hosted on Windows file shares
  • File actions like rename or create
  • File sharing protocol versions like SMBv1
  • Capturing specific packets associated with known Ransomware variants
  • Flow records of clients connecting to external IP addresses

Even if you don’t plan on using LANGuardian, check if your existing network monitoring tools have the ability to capture this data. Flow based tools are not good at detecting Ransomware, as they do not see the packet payloads which are required to see if your file shares are under attack.

Focusing on WannaCry Ransomware

There are six things to watch out for when it comes to detecting WannaCry Ransomware:

  1. Check for SMBv1 use. This Ransomware is not limited to just Windows server 2003 and XP clients. A large number of WannaCry victims were running Windows 7. SMBv1 can run on all Windows versions so check your network for any activity.
  2. Check your web and DNS traffic for any attempts to connect to these domains:
  3. Check for an increase in the rate of file renames on your network
  4. Look out for any outbound traffic on TCP 445. This really should be blocked
  5. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  6. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt
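
The dashboard elements and the checks listed above can be expressed as detection logic over captured metadata. The following is an added example, not LANGuardian code or code from the original post: it applies the page's extension pattern (with every alternative anchored at the end of the name), the ransom note name, a file-rename rate check, an outbound TCP 445 check and an SMBv1 check to records. The record layout, the local address range, the rename limit and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Indicators listed on the page.
WANNACRY_EXT = re.compile(r"\.wnry$|\.wcry$|\.wncry$|\.wncryt$", re.IGNORECASE)
RANSOM_NOTE = "@please_read_me@.txt"          # compared case-insensitively

# Assumptions made for this example only (not from the page).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RENAMES_PER_MINUTE_LIMIT = 5


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def smb_dialect(payload):
    """Classify a TCP 445 payload by the protocol id that follows the
    4-byte transport header: 0xFF 'SMB' is SMB1, 0xFE 'SMB' is SMB2 or later."""
    magic = payload[4:8]
    if magic == b"\xffSMB":
        return "SMB1"
    if magic == b"\xfeSMB":
        return "SMB2+"
    return None


def analyse(file_events, flows):
    """Return a list of (indicator, client, detail) tuples."""
    findings = []
    renames = Counter()                        # (client, minute) -> rename count
    for ev in file_events:
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if WANNACRY_EXT.search(name):
            findings.append(("wannacry_extension", ev["client"], ev["path"]))
        if name.lower() == RANSOM_NOTE:
            findings.append(("ransom_note", ev["client"], ev["path"]))
        if ev["action"] == "rename":
            renames[(ev["client"], ev["ts"] // 60)] += 1
    for (client, _minute), count in sorted(renames.items()):
        if count > RENAMES_PER_MINUTE_LIMIT:
            findings.append(("rename_burst", client, count))
    for fl in flows:
        if fl["dport"] != 445:
            continue
        if is_local(fl["src"]) and not is_local(fl["dst"]):
            findings.append(("outbound_445", fl["src"], fl["dst"]))
        if smb_dialect(fl["payload"]) == "SMB1":
            findings.append(("smbv1_in_use", fl["src"], fl["dst"]))
    return findings


# Constructed sample data: one client renaming files to .wncry and dropping
# the ransom note, one client doing ordinary work.
SAMPLE_FILE_EVENTS = [
    {"ts": 1000 + i, "client": "10.1.1.20", "action": "rename",
     "path": rf"\\fs01\finance\q{i}.xlsx.wncry"} for i in range(7)
] + [
    {"ts": 1010, "client": "10.1.1.20", "action": "create",
     "path": r"\\fs01\finance\@Please_Read_Me@.txt"},
    {"ts": 1015, "client": "10.1.1.30", "action": "rename",
     "path": r"\\fs01\hr\report-final.docx"},
]

# Constructed flows; payloads are only the first bytes of a TCP 445 segment.
SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": "203.0.113.9", "dport": 445,
     "payload": b"\x00\x00\x00\x2f\xffSMB\x72"},
    {"src": "10.1.1.30", "dst": "10.1.1.5", "dport": 445,
     "payload": b"\x00\x00\x00\x66\xfeSMB\x40\x00"},
    {"src": "10.1.1.30", "dst": "198.51.100.7", "dport": 443, "payload": b""},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FILE_EVENTS, SAMPLE_FLOWS):
        print(finding)
```

The per-minute rename limit needs tuning against a baseline of normal file-share activity, since bulk operations such as archive extraction also rename many files.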

SMBv1 is deprecated and should be removed from your network. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. At a minimum, you should be patching your systems as per Microsoft Security Bulletin MS17-010. In the video below, I cover off more on how you can use LANGuardian to detect SMBv1 and suspicious file activity.

Top Tips for preventing Ransomware on your Network

  1. Backup your files regularly and make sure to keep a copy off site. This may be stating the obvious, but a lot of people get caught out when they go to restore files. Build a test server and see if you can restore onto it.
  2. Limit the use of Microsoft Office Macros: A lot of Ransomware is spread using Office attachments.  Microsoft recently published an add-on which can stop you from enabling macros in documents downloaded from the Internet. Some more reading here.
  3. Be careful of opening attachments from unknown sources: This is especially true for employees who may receive CVs or financial documents. It may seem normal for them to open attachments from strangers. I have seen targeted attacks where a company advertised a job on the Internet. The HR department received applications with attachments which contained malware associated with Ransomware. Make sure you tell applicants to only send PDF type attachments.
  4. Keep your systems patched: WannaCry and other WannaCrypt variants targeted systems running SMBv1. Microsoft had published Security Bulletin MS17-010 which addressed issues with SMBv1. At a minimum, you should disable SMBv1 and patch all relevant systems on your network. However, the advice is to stay on top of installing updates; you just never know what will be targeted next.
  5. Know what is happening on your network: When Ransomware strikes it can be difficult to figure out what data was encrypted. Users will report that they cannot access certain files or folders, but they won’t know what exactly was targeted.  Get an audit trail of all file and folder activity. You can implement file activity monitoring passively using network traffic analysis.
  6. Know what is happening at the edge of your network: When it comes to keeping your network safe, it is vital that you know what is going in and out of the network edge. Don’t rely on firewall logs as they may become inaccessible when your network is under attack. Look at deploying a combination of intrusion detection (IDS) and flow analysis with metadata capture. Information captured at this point can be crucial if your network is attacked. Look at capturing:
    • IP addresses with associated GeoIP details
    • Flow information such as source and destination TCP or UDP ports. WannaCry targeted networks where TCP port 445 was open so you should block this type of activity at the edge.
    • DNS traffic details like hostnames and DNS server addresses
    • Attachments inbound and outbound via SMTP
    • Web domain names – HTTP and HTTPS
    • IDS events associated with suspicious packet payloads
    • Associated usernames so you can track who is doing what
    • Web client information such as operating type and browser type
  7. Don’t rely on log files alone for investigating issues. Log management tools have their uses but they can be compromised if a network is attacked. Recently a number of school districts were targeted with a Ransomware attack in the US and the hacking group turned off the logs recording who accessed their systems.

How to disable SMBv1

Server Message Block (SMB) is a protocol mainly used for providing shared access to files and printers on computer networks. Microsoft is recommending that SMBv1 is disabled on all server and client Windows installs as it is insecure and has been replaced. If you detect any SMB1 activity on your network, these steps for shutting down the protocol should apply to the most popular Windows versions. Take a read of this article on how to enable and disable SMBv1 in Windows and Windows Server.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system

There is some additional reading in this Microsoft post which includes some customer guidance for WannaCrypt attacks.

I don’t have Ransomware on my network; should I worry?

If you have good update procedures and network users are cautious when it comes to clicking on attachments and strange links, you should be able to keep the WannaCry Ransomware away from your network. However, now is the time to get an inventory of what SMB versions you are running on your file servers and take action if you find SMBv1.

Now is also the ideal time to get a good network monitoring system in place. Don’t wait for Ransomware to strike, it is much easier to get something in place when your network is not under attack.

Providing for more Visibility of Threats in your Network

Visibility of Threats on your network

 Visibility of Threats. A must have for all Network Managers

One of the most common requirements Network Managers have at the moment, is for tools which can provide more visibility of threats on their networks. For a lot of Managers, a majority of the devices on their networks aren’t theirs and so endpoint security can only go so far. Network users can also use the network to access blocked or copyrighted material through small media devices running Kodi and a number of plugins.

With the rise in mobile devices, IoT devices, smart TVs, etc., they need something with a little more intelligence than just the logs from firewalls. Firewall logs are also problematic when a network is under attack as you may find that they are inaccessible due to resource load on the firewall, or they get overwritten very quickly and you end up losing vital forensic information.

Diagnostics tools such as Wireshark can provide for some excellent low level information but this has issues with scale. If you try and look at traffic from a SPAN, mirror port or TAP it can get overloaded. Commercial packet recorders are very expensive, and many of them need dedicated security personnel to maintain them. Many Network Managers do not have the luxury of having separate network operations and security specialists.

Network Security Analytics

The website NetworkWorld recently published an interesting article to coincide with RSA Conference 2017.  In it, they look at how DDoS protection, network security analytics and cloud solutions will take center stage at this year’s conference. Network security analytics is moving from just capturing flow data to the capture of  metadata from layer 3 through 7 by using network packet information as a data source.

Actionable events can be generated by aligning external threat intelligence with network traffic telemetry. External threat intelligence sources can include things like:

An example of GeoIP integration is shown below. Simply associating IP addresses with the countries where they are registered makes it much easier to spot suspicious activity.

GeoIP traffic report to get Visibility of Threats

Visibility of Threats: Next Steps

Capturing logs from firewalls is still recommended. However, you should include network traffic analysis as part of your operational and security tool set. This will allow you to capture threats which may have been carried into your network such as malware laden user devices. It will also give you a secondary source of data if your firewall logs are not available. Applications which use a SPAN, mirror port or TAP to monitor network traffic are vendor agnostic so you can use them to monitor IoT type devices.

Looking back at our 2016 Top Blog Posts

2016 Top Blog Posts


As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

 1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So, you don’t miss any of our blogs in 2017, subscribe here!

Detecting BlackNurse attacks using Snort IDS

Blacknurse Attack

BlackNurse attack

Recently, Danish researchers at the Security Operations Center of telecom operator TDC uncovered a security vulnerability associated with many well-known firewalls. All it takes is for one computer to bring vulnerable Cisco, SonicWall, Palo Alto and Zyxel firewalls to their knees. More information can be found in the document they published on the BlackNurse attack.

This attack uses ICMP Type 3 “unreachable” messages, specifically ICMP Type 3 Code 3 “port unreachable” messages. Those ICMP messages can overload a firewall CPU and result in a DoS state.

Detecting BlackNurse attacks using Snort IDS

Snort is an open-source network intrusion detection system (NIDS) and is typically used to detect new and legacy threats. It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. In intrusion detection mode, Snort can monitor network traffic and analyze it against a rule set. The rules shown below can be used to detect BlackNurse attacks from internal and external sources.

Snort IDS Rules to detect signs of the BlackNurse Attack.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC - Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
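
To show what the two rules match and when their rate condition is met, here is an added example (not Snort's code and not part of the original post) that replays constructed ICMP packet records through the same conditions: Type 3 Code 3, direction relative to HOME_NET, and more than 250 matches per second tracked by destination. It approximates detection_filter as a fixed one-second window per destination that restarts once the interval has passed; the HOME_NET ranges and every address are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed HOME_NET for this example; in Snort it comes from the configuration.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# Values taken from the rules on the page.
COUNT, SECONDS = 250, 1.0
SID_EXTERNAL, SID_INTERNAL = 88000012, 88000013


def in_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matching_sid(src, dst, itype, icode):
    """Return the sid of the rule whose header and itype/icode options match."""
    if (itype, icode) != (3, 3):               # only "port unreachable"
        return None
    if not in_home(src) and in_home(dst):
        return SID_EXTERNAL
    if in_home(src) and not in_home(dst):
        return SID_INTERNAL
    return None                                 # internal-to-internal: neither rule


def run_rules(packets):
    """packets: iterable of (ts, src, dst, itype, icode), ordered by time.
    Returns one (sid, src, dst, ts) per packet that exceeds the rate."""
    windows = {}                                # (sid, dst) -> [window_start, matches]
    alerts = []
    for ts, src, dst, itype, icode in packets:
        sid = matching_sid(src, dst, itype, icode)
        if sid is None:
            continue
        win = windows.get((sid, dst))
        if win is None or ts - win[0] >= SECONDS:
            win = windows[(sid, dst)] = [ts, 0]
        win[1] += 1
        if win[1] > COUNT:                      # the first COUNT matches stay silent
            alerts.append((sid, src, dst, ts))
    return alerts


def top_sources(alerts):
    """Events per (sid, source), the drill-down an analyst needs next."""
    return Counter((sid, src) for sid, src, _dst, _ts in alerts)


def burst(src, dst, n, itype=3, icode=3, start=0.0):
    """Constructed traffic: n packets spread evenly over one second."""
    return [(start + i / n, src, dst, itype, icode) for i in range(n)]


SAMPLE_PACKETS = sorted(
    burst("198.51.100.50", "203.0.113.1", 400)                  # external flood
    + burst("10.1.1.7", "198.51.100.80", 300)                   # internal source
    + burst("10.1.1.8", "10.1.1.9", 100)                        # internal only
    + burst("198.51.100.60", "203.0.113.1", 1000, 8, 0)         # echo requests
    + burst("198.51.100.70", "203.0.113.1", 200, start=5.0)     # below the rate
)

if __name__ == "__main__":
    for (sid, src), events in top_sources(run_rules(SAMPLE_PACKETS)).items():
        print(sid, src, events)
```

Because the filter tracks by destination, several sources that each stay under 250 packets per second can still trigger the rule together, so the per-source breakdown matters when deciding what to block.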

Detect BlackNurse Attacks On Your Network

Use the IDS and deep packet inspection engines of LANGuardian to detect the presence of BlackNurse attacks on your network. Real time and historical reports available.

Manually adding Snort Rules to LANGuardian

The LANGuardian security module includes the Snort IDS engine which enables real-time detection and alerting of malicious events that occur on your network. LANGuardian seamlessly integrates data from the IDS with traffic analysis data to provide an unprecedented level of visibility into activity on your network. While the LANGuardian IDS rule set is updated automatically, you can still manually add the BlackNurse signatures.

  1. Click on the gear symbol at the top right of the LANGuardian and select Settings.
  2. Within Settings, click on Local IDS Signatures.
  3. Click on Add new signature and paste in one of the Snort rules shown above in this post.
  4. Repeat the Add new signature step for the second Snort rule.

BlackNurse Snort IDS Signatures

Once added to LANGuardian, you can detect the presence of BlackNurse attacks via the Top Network Events report. An event triggered by the internal rule reports that one or more clients on your network are generating ICMP Type 3 Code 3 “port unreachable” messages which could be used to take down a firewall. You can click on the value within the total column to get the IP address and associated username of the problematic client(s).

Snort IDS detecting BlackNurse attack

Events triggered by the external rule report that one or more clients outside of your network are generating ICMP Type 3 Code 3 “port unreachable” messages, which could be used to take down a firewall. You can click on the value within the total column to get the IP address of the problematic client(s) and block them if necessary.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics to packet capture.

Monitoring IP Spoofing activity on your network

In my opinion, network traffic analysis and bandwidth monitoring solutions are a must have. You can closely monitor bandwidth and traffic patterns to identify any anomalies that can be addressed before they become threats. The trick is to capture usernames and other metadata as well as the usual IP addresses and flow information, so that you can fully understand what is happening on your network and spot suspicious traffic like IP spoofing.

Last week, I worked on an interesting network issue which involved IP Spoofing. One of our LANGuardian customers reported that they were seeing a lot of network scans from IP addresses that were not part of their local address schemes. Network scans are typically triggered when a single IP address attempts to connect to hundreds of other clients in a short time period.

Network Scans

The customer was using addressing but the scans were originating from addresses. For a 24 hour period, we detected over 5.5 million connection attempts. What was unusual here is the source address range: it is private, so it should not be routing in from the Internet.

The customer wanted to know if this was IP Spoofing or if the traffic from this network had somehow made its way into their main corporate network. IP Spoofing involves the creation of IP packets with a false source IP address for the purpose of hiding the identity of the sender or impersonating another computing system.

IP Spoofing is also widely used in DDoS amplification attacks. In most DNS and NTP amplification attacks, the IP address of the destination (the victim) is the one that is spoofed, which floods it with unsolicited responses. DDoS attacks like this can overwhelm networks; a recent attack on the Krebs on Security blog resulted in 665Gbs of traffic.

If you do spot suspicious traffic or IP addresses on your network, you first must work out if it is spoofed or if actual connections were established. Many traffic analysis or IDS systems can trigger alerts when a single source attempts to connect to many other devices on a network. In most cases, they are watching out for SYN packets which try to initiate a connection. If the target host responds then a connection may be possible.

Your first priority will be to look at flow reports associated with the source addresses. For the purposes of this demonstration, I am going to use our own product LANGuardian. However, you can use a similar approach with other network traffic monitoring applications. I am also going to focus on the network which is the source of the scans in my case.

As can be seen from the image below, we do not detect any flows or connections associated with this subnet. This would suggest that the source device(s) of these packets are spoofing the IP addresses.

Ip Spoofing Dashboard

The next step of your investigation would be to determine what are the MAC addresses associated with these addresses. Again I am using the built in inventory reports of LANGuardian to resolve the MAC address of the suspicious IP addresses. In my case, I narrowed the search down to a single Dell system.

MAC Address

My next step would be to check the MAC tables on my switches so that I can find what port the device is connected to and shut it down. Going back to the customer issue I worked on, we traced the problem back to one of their firewalls. It had a known issue where it would send out random IP packets associated with the network. An upgrade sorted the issue resulting in the disappearance of the spoofed packets.
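
The triage steps described above (find scan sources outside the local address scheme, check whether any connection was actually established, then resolve the MAC address behind them) can be sketched as follows. This is an added example, not LANGuardian code or part of the original post; the record layout, the local address scheme, the scan threshold and every address and MAC are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_SCHEME = [ipaddress.ip_network("10.20.0.0/16")]   # assumed local addressing
SCAN_THRESHOLD = 100     # assumed: distinct targets that count as a network scan


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_SCHEME)


def triage(packets):
    """packets: dicts with src, dst, flags ('S', 'SA' or 'A') and src_mac.
    Returns a verdict for every SYN source outside the local scheme."""
    stats = defaultdict(lambda: {"targets": set(), "macs": set(), "established": set()})
    answered = set()                 # (client, server) pairs that got a SYN-ACK
    for p in packets:
        src, dst, flags = p["src"], p["dst"], p["flags"]
        if flags == "S":
            stats[src]["targets"].add(dst)
            stats[src]["macs"].add(p["src_mac"])
        elif flags == "SA":
            answered.add((dst, src))
        elif flags == "A" and (src, dst) in answered:
            # The claimed source completed the handshake, so it really exists.
            stats[src]["established"].add(dst)
    report = {}
    for src, s in stats.items():
        if is_local(src):
            continue
        if s["established"]:
            verdict = "real-connections"   # traffic is routed in, not spoofed
        elif len(s["targets"]) >= SCAN_THRESHOLD:
            verdict = "spoofed-scan"       # many SYNs, no completed handshake
        else:
            verdict = "unanswered"
        report[src] = {"verdict": verdict, "targets": len(s["targets"]),
                       "macs": sorted(s["macs"])}
    return report


def macs_to_trace(report):
    """Group spoofed sources by the MAC they were seen from. This is the MAC of
    the last layer-2 hop before the capture point, which may be a router."""
    by_mac = defaultdict(list)
    for src, r in report.items():
        if r["verdict"] == "spoofed-scan":
            for mac in r["macs"]:
                by_mac[mac].append(src)
    return {mac: sorted(srcs) for mac, srcs in by_mac.items()}


def handshake(client, client_mac, server, server_mac):
    return [
        {"src": client, "dst": server, "flags": "S", "src_mac": client_mac},
        {"src": server, "dst": client, "flags": "SA", "src_mac": server_mac},
        {"src": client, "dst": server, "flags": "A", "src_mac": client_mac},
    ]


def build_sample():
    """Constructed capture: five off-scheme sources scanning 120 hosts each
    from one MAC, plus one local and one off-scheme client that connect."""
    pkts = []
    for n in range(1, 6):
        spoofed = f"192.168.77.{n}"
        for host in range(1, 121):
            target = f"10.20.1.{host}"
            pkts.append({"src": spoofed, "dst": target, "flags": "S",
                         "src_mac": "02:00:00:00:00:01"})
            if host % 10 == 0:       # some targets answer; no ACK ever follows
                pkts.append({"src": target, "dst": spoofed, "flags": "SA",
                             "src_mac": "02:00:00:00:10:%02x" % host})
    pkts += handshake("10.20.5.5", "02:00:00:00:00:05", "10.20.1.10", "02:00:00:00:10:0a")
    pkts += handshake("172.16.9.9", "02:00:00:00:00:fe", "10.20.1.10", "02:00:00:00:10:0a")
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    result = triage(SAMPLE_PACKETS)
    for src, row in sorted(result.items()):
        print(src, row)
    print(macs_to_trace(result))
```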

For additional information on IP Spoofing, take a moment to watch this short video.


How to Generate a SHA-1 Certificate Inventory

how to generate a SHA-1 inventory with NetFort LANGuardian

Background to the SHA-1 changes

The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.

It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:

What you need to do right now

If you are running public facing web services, then this problem may seem obvious. However, many network devices such as printers run web engines so the SHA-1 issue will impact on nearly all computer networks. The advice is to spend some time looking at the problem now, rather than wait for user complaints in 2017. At a minimum, we recommend the following:

  1. Inventory your existing certificates. This can be tricky if you do not have network monitoring tools in place. If you don’t have anything at present, you can download a trial version of our LANGuardian product which has SHA-1 reporting built-in.
  2. Replace SHA-1 certificates that expire after 2015. This may require a new server platform as operating systems such as Windows Server 2003 are not able to support SHA256 certificates.
  3. Ensure new certificates and their chains are based on SHA-2.

Generating a SHA-1 inventory using network traffic analysis

LANGuardian 14.1 includes a new feature that allows you to generate a list of all servers on your network running SSL services. Those devices that need to be updated are highlighted within the report. LANGuardian uses network traffic as a data source, so you just need to set up a SPAN or mirror port on your core switch to get started. We have a couple of video guides on this subject within the resources section of this website which explain things in more detail.

To access the SSL reports, you need to click on All Reports from within the LANGuardian GUI and navigate to the Inventory section. If you don’t have an inventory section, you will need to upgrade your LANGuardian to the latest release. Please contact our support team if you have any questions about this.

You can filter based on variables like IP addresses, subnets and specific time ranges. Servers running expired or outdated protocol versions will be highlighted in red.

The IP address link within the report allows you to drill down and see what clients are connecting to this server. This can be very useful data, if you are planning to shut down any outdated systems. In my example, the device is actually a printer running an insecure SHA-1 certificate.

Outdated SHA-1 certificate

In some cases, you may need to replace certificates running on servers, whereas in other situations, you may need to do firmware updates. Whatever the remedy, you can use LANGuardian to check if the device or server is updated. Just run the Servers Running SSL report again and change the date\time filter so you are looking at data which was captured after the time of upgrade.


When it comes to Infosec, don’t forget about the old stuff

INFOSEC issues on today's networks

When it comes to INFOSEC you need to focus on the new and the old!

Last week, I worked with a client who needed some help with an INFOSEC issue associated with Ransomware. To summarize, they needed to put an early warning system in place should one or more clients start to rename large numbers of files on network shares. Ransomware continues to be a very hot topic with some recent reports highlighting that 63% of UK Universities have been hit with Ransomware and a retooled Locky Ransomware has started to pummel networks in the healthcare sector.

If you include other topical security issues like DDoS and advanced phishing attacks, it may indicate that people lose interest in older threats and vulnerabilities. If Network Managers just focus on recent security issues, there is more than enough work there to keep them busy. However, this is a dangerous approach, as you need to keep a watchful eye on the old security issues as well as being able to deal with the new.

Our LANGuardian product includes both an IDS and advanced traffic analysis capabilities, so it is an excellent tool for forensic type use cases. A good example of this materialized a few days ago, while I was working on another client's network. I was reviewing their Network Events report and I noticed Conficker activity.

INFOSEC Issue - Conficker Worm

Conficker is old Malware which was first detected back in 2008; but there it was, trying to connect outbound to Chinese, Mexican and German IP addresses over port 80, as well as scanning the internal network trying to infect other hosts. From what I understand, the infected host was a piece of equipment with an embedded Windows OS which made it difficult to patch.

I also picked up on suspicious inbound traffic over port 22 to a client which in turn was sending SPAM type emails. These are issues that we all worked on years ago, but here they are once again and still causing problems in 2016. This can be easy to detect, but only if you are monitoring what is happening inside your network.

It really served as a reminder that while it is important to watch out for the new threats, neither should you forget about the old stuff. Indeed, you may well have an INFOSEC dinosaur lurking in the corner of your network trying to cause damage. So, ensure everything is patched and back this up with good monitoring tools to spot the bad stuff.


5 Methods For Detecting Ransomware Activity

Ransomware attacks on the rise

See Also:

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network


According to a new report from McAfee Labs, Ransomware will remain a major and rapidly growing threat in 2016. New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. This includes:

  • Ransomware-Locky removes the volume shadow copies from the compromised system, thereby preventing the user from restoring the encrypted files.
  • Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim’s computer.
  • Latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
  • Master boot record killers like Petya have the ability to install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get your data back without paying the ransom.
  • The authors of the CryptMix Ransomware are offering to donate ransom fees to a children’s charity, but this is believed to be another scam to dupe victims into paying the ransom.
  • Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer due to an expired license key.

Previously, we have looked at many ways of preventing Ransomware attacks on our blog. The #1 tip is to back up your data and make sure you do a test restore. However, even with the latest generation firewalls and antivirus on all desktops, Ransomware can still get into a network. The most common attacks use email phishing with dodgy attachments, but we have also seen attacks using remote desktop services and infected data storage devices.

How you can detect the presence of Ransomware on your network

The first variants of Ransomware used a small number of very specific file extensions like .crypt. However, each new variant seems to use different extensions and some even keep the file name intact. Because of this, you need to watch out for multiple symptoms of an attack; here, we take a look at 5 of them:

1. Watch out for known file extensions

Even though the list of known Ransomware file extensions is growing rapidly, it is still a useful method for detecting suspicious activity. Before you do anything you need to get file activity monitoring in place so that you have both a real time and historical record of all file and folder activity on your network file shares.

There is an interesting discussion on this Reddit post which has a link to a number of resources including this spreadsheet which has a comprehensive list of all known Ransomware variants. We currently work off this list and you can use this on your LANGuardian to create a custom report. As the list is in Regex format, you may be able to use it on other monitoring systems. The video further down in this blog post shows you how you can use this list on LANGuardian.

\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.{CRYPTENDBLACKDC}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.crypt|\.ctbl|\.html|\.locked|\.ha3|\.enigma|\.html|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware.LeChiffre|\.crime|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr|\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.encrypted|\.cry|\.AES256|\.enc|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.enc|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.vault|\.PORNO

2. Watch out for an increase in file renames

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert: if the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on anything above 4 renames per second.

Our video (opposite) shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.
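The rename-rate alert described above can be reproduced on any file-activity feed. The following is an added example, not LANGuardian code: the one-line record format (timestamp, client IP, action, path) and the sample events are constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RENAMES_PER_SECOND = 4            # the post's suggested alert threshold
WINDOW = timedelta(seconds=1)


def parse_event(line):
    """Split one 'timestamp client action path' record (constructed format)."""
    stamp, client, action, path = line.split(" ", 3)
    return datetime.fromisoformat(stamp), client, action.lower(), path


def rename_bursts(lines, threshold=RENAMES_PER_SECOND, window=WINDOW):
    """Map client -> (peak renames in one window, time the threshold was first crossed)."""
    recent = defaultdict(deque)   # client -> rename timestamps still inside the window
    alerts = {}
    for stamp, client, action, _path in sorted(parse_event(l) for l in lines):
        if action != "rename":
            continue
        queue = recent[client]
        queue.append(stamp)
        while stamp - queue[0] >= window:      # drop renames older than the window
            queue.popleft()
        if len(queue) > threshold:
            peak, first = alerts.get(client, (0, stamp))
            alerts[client] = (max(peak, len(queue)), first)
    return alerts


def top_renamers(lines):
    """Rename totals per client, highest first."""
    counts = Counter(c for _, c, action, _ in map(parse_event, lines) if action == "rename")
    return counts.most_common()


def sample_events():
    """Constructed file-share activity: two normal users and one client encrypting a share."""
    start = datetime(2016, 5, 10, 9, 0, 0)
    lines = []
    for i in range(3):            # a handful of renames spread over a minute
        stamp = start + timedelta(seconds=20 * i)
        lines.append(f"{stamp.isoformat()} 10.0.0.21 rename \\\\fs1\\docs\\draft {i}.docx")
        lines.append(f"{stamp.isoformat()} 10.0.0.22 read \\\\fs1\\docs\\budget.xls")
    for i in range(10):           # ten renames inside one second
        stamp = start + timedelta(minutes=5, milliseconds=100 * i)
        lines.append(f"{stamp.isoformat()} 10.0.0.57 rename \\\\fs1\\finance\\file{i}.xls.locky")
    return lines


if __name__ == "__main__":
    events = sample_events()
    for client, (peak, first) in rename_bursts(events).items():
        print(f"ALERT {client}: {peak} renames within one second, first seen {first}")
    print(top_renamers(events))
```

The sliding window is kept per client, so one busy user cannot hide behind, or be blamed for, the combined rename rate of the whole share.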

3. Create a sacrificial network share

When Ransomware strikes, it typically looks for local files first and then moves onto network shares. Most of the variants that I have looked at go through the network shares in alphabetical order: G: drive, then H: drive, etc.

A sacrificial network share can act as an early warning system and also delay the Ransomware from getting to your critical data. Use an early drive letter like E:, something that comes before your proper drive mappings. The network share should be set up on old slow disks and contain thousands of small random files.

With thousands of small random files, there is no easy way for the Ransomware to get the list of files in the right order to avoid lots of seeking around the disk. Depending on how it is implemented, the cipher might also need to be re-initialized for each file, slowing down the encryption process.

The slower the disk the better. You could go to the extreme and put it behind a router and limit data throughput to this network share. It may add a slight delay to the logon process but this honeypot may give you enough time to shut client machines down if they get infected with Ransomware.

You could also set up an alert which would trigger if a specific file was accessed somewhere within the network share. This would be a sure sign that something was going through your file shares. You just need to educate your users to stay away from this network share.

Sacrificial network share

4. Update your IDS systems with exploit kit detection rules

Many IDS, IPS and firewall systems come with exploit detection features. Exploit kits are used as a way to get Ransomware onto a client through malspam or via compromised websites.

The two most common exploit kits (EK) associated with Ransomware are the Neutrino EK and the Angler EK. Check if your network security monitoring systems are up to date and see if they have the capability to detect exploit kits.

LANGuardian includes the Snort IDS system which supports the detection of exploit kits. Watch out for any activity in the Top Network Events report.

5. Use client based anti-ransomware agents

Over the past few months companies like Malwarebytes have released anti-ransomware software applications. These are designed to run in the background and block attempts by Ransomware to encrypt data. They also monitor the Windows registry for text strings known to be associated with Ransomware. The problem with this approach is that you will need to install client software on every network device.

Researchers are also looking at ways to ‘crash’ computer systems when droppers are detected. Droppers are small applications that first infect target machines in preparation for downloading the main malware payloads. This will likely mean that the system is sent to IT where the attack should be discovered.

You should also inform your network users to avoid installing agents themselves. There is too much of a risk that they will install the wrong agent or end up installing more malware on their systems.

If you are dealing with a Ransomware attack you can download our LANGuardian product trial to find the source of the infection. Trial version has all relevant reports available.

Will Ransomware go away?

The simple answer to this is no! All of the indicators suggest that Ransomware will remain a major and rapidly growing threat, fueled by anonymizing networks and payment methods.

Expect to see an increase in Ransomware variants which target websites instead of file stores. Linux.Encoder.1 is an example of this threat. When a website is attacked the Ransomware will hold the site’s files, pages and images for ransom.

There are two key lessons here:

  1. Ensure you are backing up your website
  2. Keep the website operating system and CMS fully patched

Ransomware is also a growing problem for users of mobile devices. There are lock-screen types and file-encrypting variants: lock-screen Ransomware will stop you from accessing anything on your mobile device, and file-encrypting variants will encrypt data stored on the device. You can decrease your chances of an attack by avoiding unofficial app stores and by keeping your mobile device and apps updated.

I’ll finish by repeating the advice: ensure you back up all of your personal and work data. Educate users on the risks and disconnect problematic users from sensitive data.

Building Your Own Cryptolocker Monitoring Dashboard

CryptoWall Monitoring Dashboard

Cryptolocker Monitoring – How to Build Your Own Dashboard

Last Friday, one of our public sector customers got hit by Cryptolocker Ransomware. Because their LANGuardian is continuously monitoring the network, it proved to be a crucial ‘go to system’ for quickly investigating the attack, for forensics. It had all the detail to really understand what happened. Within a very short time frame they were able to track down infected hosts and get the associated username so that the outbreak was contained very quickly.

This blog post looks at what you need to do to set up your own Cryptolocker Monitoring Dashboard. The examples shown here use the LANGuardian system but you can adopt a similar approach if you are collecting file and network activity through other means.

A sample of this Cryptolocker monitoring dashboard is shown below. This is from a network which is not under Ransomware attack. Most reports are not showing results and only small numbers of file renames are being reported which would be seen as normal network activity.

Cryptolocker Monitoring Dashboard

Step 1 – Watch out for .micro file extensions

The first report we created checks for any files with the .micro extension. These are known to be associated with TeslaCrypt Ransomware and thousands of these will appear on your network when you get hit with this Malware. The report should remain blank. If results are shown then you should check any client machines listed for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files with the .micro extension.

micro file extensions

Step 2 – Track down clients renaming large numbers of files.

When Cryptolocker strikes it encrypts files and at the same time it renames the files so that they have different file extensions.

You should create a report to focus in on top clients based on the number of file renames. In normal operation you should not see thousands of renames over a 1 hour period. The report will normally show results, but you are watching out for clients associated with hundreds or thousands of renames.

LANGuardian Report – Use Top Clients :: by Num of Events from the Windows File Shares report section. Use the action filter to only show renames.

Step 3 – Cryptolocker Canary.

Ransomware infections can result in the creation of files like INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt.  TOR (the onion router) is free software for enabling anonymous communication and is used by the cyber criminals to communicate with you.

A Cryptolocker Canary can be created by alerting if any of these files are detected on network shares. You just need to create a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called INSTALL_TOR.txt or DECRYPT_INSTRUCTION.txt. 

Step 4 – Root out filenames associated with other Crypto variants.

New Cryptolocker variants are appearing on a daily basis. Applications like Tox require very little technical skills to use and are designed to let almost anyone deploy Ransomware in three easy steps.

File types known to be associated with other Crypto variants include restore_Files*.*, *djqfu*.* or *.aaa

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called restore_Files*.*, *djqfu*.* or ones ending with *.aaa

The report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

Cryptolocker variants

Step 5 – Focus in on Cryptowall 4.0 infections.

Cryptowall 4.0 infections can result in the creation of files like help_your_files*.* or help_decrypt

Look at setting up alerting if any of these files are detected on network shares. You can start by setting up a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called help_your_files*.* or help_decrypt
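If your file activity comes from another source, the four filename reports (steps 1, 3, 4 and 5) can be run as one pass over the events. This is an added example, not part of the LANGuardian product: the event tuples (client IP, user, action, path) and all sample data are constructed, and matching is done case-insensitively on the file name only.

```python
import ntpath
from collections import defaultdict
from fnmatch import fnmatchcase

# Filename filters from the dashboard steps, lower-cased for matching.
REPORTS = {
    "Step 1: TeslaCrypt .micro": ["*.micro"],
    "Step 3: Cryptolocker canary": ["install_tor.txt", "decrypt_instruction.txt"],
    "Step 4: other Crypto variants": ["restore_files*.*", "*djqfu*.*", "*.aaa"],
    # The trailing * on help_decrypt is an assumption so .txt/.html notes also match.
    "Step 5: Cryptowall 4.0": ["help_your_files*.*", "help_decrypt*"],
}


def run_reports(events, reports=REPORTS):
    """Return {report: {(client_ip, user): [paths]}}; a report with no hits is absent."""
    hits = defaultdict(lambda: defaultdict(set))
    for client, user, _action, path in events:
        name = ntpath.basename(path).lower()   # handles UNC and drive-letter paths
        for report, patterns in reports.items():
            if any(fnmatchcase(name, pattern) for pattern in patterns):
                hits[report][(client, user)].add(path)
    return {report: {who: sorted(paths) for who, paths in by_client.items()}
            for report, by_client in hits.items()}


def clients_to_check(events):
    """Clients (with user names) that appear in any report, most hits first."""
    totals = defaultdict(int)
    for by_client in run_reports(events).values():
        for who, paths in by_client.items():
            totals[who] += len(paths)
    return sorted(totals, key=lambda who: (-totals[who], who))


# Constructed events: normal activity whose names only resemble the indicators.
NORMAL = [
    ("10.0.0.21", "asmith", "read", r"\\fs1\docs\microbiology notes.docx"),
    ("10.0.0.22", "bjones", "rename", r"\\fs1\docs\aaa_meeting.txt"),
    ("10.0.0.22", "bjones", "write", r"\\fs1\docs\help.txt"),
]
# Constructed events: the same network with two infected clients.
INFECTED = NORMAL + [
    ("10.0.0.57", "cdoe", "rename", r"\\fs1\finance\Q3.xlsx.micro"),
    ("10.0.0.57", "cdoe", "create", r"\\fs1\finance\DECRYPT_INSTRUCTION.txt"),
    ("10.0.0.57", "cdoe", "create", r"\\fs1\finance\HELP_YOUR_FILES.PNG"),
    ("10.0.0.64", "dlee", "create", r"\\fs1\hr\restore_files_kbwsx.txt"),
]

if __name__ == "__main__":
    print("normal network:", run_reports(NORMAL))          # every report stays blank
    for report, by_client in run_reports(INFECTED).items():
        print(report, by_client)
    print("check these clients first:", clients_to_check(INFECTED))
```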

LANGuardian Online Demo
Download LANGuardian Trial

Forensic Analysis of a DDoS Attack

forensic analysis of a DDoS attack

In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

  1. The majority of the traffic is IPv4.
  2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
  3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS would be the most active UDP protocol. Exceptions to this would be on networks where applications like Bittorrent are allowed.

DDoS monitoring dashboard

The next screen shot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is the UDP traffic is now the majority. This is the classic fingerprint of a UDP based amplification attack. You can read more about amplification attacks here and here.

UDP Traffic associated with DDoS attack

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses so basic firewall rules are useless.

These attacks are composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities, which make it virtually impossible to identify and block these malicious flows.

UDP Protocol Analysis

Drilling down further reveals that the traffic appears to originate from 4700 different servers.  We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine this is occurring, because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent) as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers to return a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known as amplification, where a small request generates big responses.

DDoS packet numbers
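The three checks used in this analysis (UDP share of traffic, servers that reply without having been asked, and oversized NTP replies) can be applied to any flow export. This is an added example, not taken from LANGuardian: the flow record layout, the 192.0.2.0/24 local range, the factor of two used for "oversized" and all sample numbers are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto packets bytes")

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local range (documentation prefix)
NTP_PORT = 123
NORMAL_NTP_REPLY = 90                              # bytes, the figure quoted in the post


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def protocol_share(flows):
    """Fraction of total bytes carried by each IP protocol."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.proto] += f.bytes
    grand = sum(totals.values()) or 1
    return {proto: count / grand for proto, count in totals.items()}


def reflection_suspects(flows, port=NTP_PORT, normal_reply=NORMAL_NTP_REPLY):
    """Remote servers sending replies from `port` that the local network never queried."""
    received = defaultdict(lambda: [0, 0])   # remote -> [packets, bytes] from its service port
    sent = defaultdict(int)                  # remote -> packets we sent to its service port
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == port and is_local(f.dst) and not is_local(f.src):
            received[f.src][0] += f.packets
            received[f.src][1] += f.bytes
        elif f.dport == port and is_local(f.src) and not is_local(f.dst):
            sent[f.dst] += f.packets
    suspects = []
    for remote, (packets, size) in received.items():
        if packets and sent.get(remote, 0) == 0:       # zero packets sent, yet replies arrive
            average = size / packets
            suspects.append({"server": remote, "packets": packets, "avg_size": average,
                             "oversized": average > 2 * normal_reply})
    return sorted(suspects, key=lambda s: (-s["packets"], s["server"]))


def sample_flows():
    """Constructed flow records for a network edge during an NTP reflection attack."""
    flows = [
        Flow("192.0.2.20", 51000, "198.51.100.80", 443, "tcp", 400, 60000),
        Flow("198.51.100.80", 443, "192.0.2.20", 51000, "tcp", 600, 300000),
        Flow("192.0.2.20", 53001, "198.51.100.53", 53, "udp", 10, 700),
        Flow("198.51.100.53", 53, "192.0.2.20", 53001, "udp", 10, 1500),
        # a time sync the local network actually asked for
        Flow("192.0.2.10", 123, "198.51.100.123", 123, "udp", 4, 360),
        Flow("198.51.100.123", 123, "192.0.2.10", 123, "udp", 4, 360),
    ]
    for last_octet in (5, 6, 7):             # unsolicited 440-byte replies
        flows.append(Flow(f"203.0.113.{last_octet}", 123, "192.0.2.80", 40000, "udp", 1000, 440000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print({proto: round(share, 2) for proto, share in protocol_share(flows).items()})
    for suspect in reflection_suspects(flows):
        print(suspect)
```

The server the local network really queried is not reported, because the zero-packets-sent test is what separates reflected traffic from ordinary replies.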

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.

The scenario is shown in the diagram below: a single C&C controls many zombie clients, which generate malformed NTP requests to many servers, which in turn send amplified responses to the target network.

DDoS Amplification Traffic

Any local servers shown in the reports would need to be checked for malware activity. They could end up as zombie hosts in a botnet or they may also be serving up Malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rushed decisions. Blocking traffic, for example, may only introduce other problems and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

  1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
  2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
  3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
  4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target, so the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.


CryptoWall infection – Verifying that there are no other infected PC’s active

CryptoWall infection screenshot

Using LANGuardian to manage a CryptoWall infection

One of the most important tasks when dealing with a CryptoWall infection is to locate the PC(s) on your network that introduced the malware. If you don’t locate this system your files will keep getting encrypted after you restore them or pay the ransom.

In a recent blog post I looked at Auditing File Access on File Servers. One method for auditing file activity involves deep packet inspection and this is ideal for cleaning up after a CryptoWall infection. Malware like CryptoWall leaves certain traces behind and you just need to watch out for these to trace the clients responsible.

Check file share activity for certain text strings

When CryptoWall infections target file shares, they create text and/or HTML files within folders where data has been encrypted. Typically the file names are HOWDECRYPT.txt and HOWDECRYPT.html. These files contain instructions on how to get the data decrypted. What you need to do is find the clients which created the files, as they are the ones infected with the Ransomware.

You need to check for the presence of these files through network traffic analysis or log files. There is no point in searching for them through applications like Windows explorer. You may find the files but you won’t be able to see what clients created them.

Manage CryptoWall infections on YOUR network

Use the advanced deep packet inspection features in LANGuardian to track down hosts encrypting data on your network file shares. Active Directory integration also lets you see the associated username.

You can use the LANGuardian search feature to track activity associated with suspicious file names. It uses deep packet inspection to capture file names, IP addresses, actions and user names from network packets. You just need to set up a SPAN\mirror port or use a network TAP to get a copy of the network traffic going to and from your file servers. Once you have LANGuardian installed you need to follow these steps to track down CryptoWall infections.

  1. Click on the down arrow beside the search field
  2. Enter DECRYPT into the File Name
  3. Modify the time range so that it includes the date and time of when the CryptoWall infection was reported

CryptoWall infection file search

Once you click on the search option you should see a report like the one below. This reveals what IP address is associated with the CryptoWall infection. In my case the suspicious IP address is

HOWDECRYPT files in Windows file shares

Find out what users are responsible for CryptoWall infections

Tracking down the network clients associated with CryptoWall infections may be all you need. However, if you use DHCP you may need to find out what usernames are associated with the Ransomware.

Once you have an IP address you can either cross reference your Windows domain controller security log files or use the LANGuardian user reports to identify the usernames. You do need to make sure you are auditing domain logons to get this data.

To reveal usernames in LANGuardian you should click on the arrow symbol in the top right panel of either of the reports shown above. This will return all results. Then click on the View by: User Name option in the top right hand side and you will see what user names are associated with the file share activity.

Users accessing files on network shares

Auditing File Access on File Servers


See what is happening on your Windows file shares with LANGuardian.

LANGuardian monitors and records every access to file shares, recording details of user name, client IP address, server name, event type, file name, and data volume. Just set up a SPAN or mirror port to sniff the traffic. No agents or client software required and no need to enable auditing on your file servers.

Why you should consider auditing file access activity

File activity monitoring solutions are designed to monitor the patterns of users accessing file shares. From a network operations point of view there are a few important reasons why you should look at file activity logging:

  • Quickly track down when a file was deleted and by whom.
  • Find the source of Ransomware or other Malware which targets file stores.
  • Identify who accessed a specific file or folder for a given time period.

Compliance standards which mandate some form of file access logging include:

  • PCI (Payment Card Industry) DSS 10.5.5, 11.5, 12.9.5
  • SOX (Sarbanes-Oxley) DS5.5
  • GLBA 16 CFR Part 314.4(b) and (3)
  • HIPAA 164.312(b)
  • FISMA AC-19, CP-9, SI-1, SI-7
  • ISO 27001/27002 12.3, 12.5.1, 12.5.3, 15.3

How to enable file access logging

There are two main approaches when it comes to file access logging. You can install an agent or enable file auditing on the file servers. The other approach is to passively capture the activity from network traffic using deep packet inspection.

If you install an agent or enable auditing on your file servers you also need a log file collector. A SIEM would be the most popular choice for storing the events.

Using log files on servers

In order to track file and folder access on a Windows Server using log files you need to enable file and folder auditing and then identify the files and folders that are to be audited. Once correctly configured, the server security logs will then contain information about attempts to access, delete or change the designated files and folders.

The image below shows a typical deployment. File access logs are generated when (1) a user logged onto wired or wireless devices accesses file shares across the network. The server (2) will log this activity in a database or in the Windows event log. The log collector (3) will read these records at regular intervals and store them within its own database. A log collector is required as server event logs can fill up very quickly.

Auditing File Access activity using log files

A sample event is shown below. Hundreds of these are created when a user accesses a single file which is why log files can fill up very quickly.

Log Name:                    Security
Source:                         Microsoft-Windows-Security-Auditing
Date:                             8/14/2015 5:51:48 AM
Event ID:                       4663
Task Category:              File System
Level:                            Information
Keywords:                     Audit Success
User:                             N/A

An attempt was made to access an object.
Security ID:           GLOBAL1\jjbloggs
Account Name:      jjbloggs
Account Domain:  GLOBAL1

Logon ID:              0x17235b
Object Server:      Security
Object Type:         File
Object Name:       C:\Shares\Finance\Budgets\BusinessBudget2016.xls
Handle ID:            0x1b4
Process Information:
Process ID:          0x2f8
Process Name:    C:\Windows\System32\dllhost.exe
Access Request Information:
Accesses:            READ_CONTROL
Access Mask:      0x20000
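Because one file access produces many 4663 events, a log collector usually collapses them into one row per user and file. This is an added example, not code from the post or from any product: it parses the rendered event text shown above, decodes the Access Mask with the standard Windows file access-right bits, and uses a shortened event template plus three constructed events alongside the one from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Standard Windows file access-right bits (subset, names abbreviated).
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
    0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")   # "Key:   value" lines


def parse_events(text):
    """Split rendered Security log text into one field dict per 4663 event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Log Name:)", text):
        fields = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        if fields.get("Event ID") == "4663":
            events.append(fields)
    return events


def decode_mask(mask_hex):
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def account(event):
    return f'{event["Account Domain"]}\\{event["Account Name"]}'


def when(event):
    return datetime.strptime(event["Date"], "%m/%d/%Y %I:%M:%S %p")


def summarise(events):
    """Collapse events into {(account, file): {events, rights, first, last}}."""
    rows = defaultdict(lambda: {"events": 0, "rights": set(), "first": None, "last": None})
    for e in events:
        row = rows[(account(e), e["Object Name"])]
        row["events"] += 1
        row["rights"].update(decode_mask(e["Access Mask"]))
        row["first"] = when(e) if row["first"] is None else min(row["first"], when(e))
        row["last"] = when(e) if row["last"] is None else max(row["last"], when(e))
    return dict(rows)


def deletions(events):
    """(time, account, file) for every event where the DELETE right was exercised."""
    return sorted((when(e), account(e), e["Object Name"])
                  for e in events if int(e["Access Mask"], 16) & 0x10000)


# Shortened rendering of the event layout shown above (only the fields used here).
EVENT_TEMPLATE = r"""Log Name:        Security
Source:          Microsoft-Windows-Security-Auditing
Date:            {date}
Event ID:        4663
Account Name:    {user}
Account Domain:  GLOBAL1
Object Type:     File
Object Name:     {path}
Access Mask:     {mask}
"""


def sample_log():
    budget = r"C:\Shares\Finance\Budgets\BusinessBudget2016.xls"
    old = r"C:\Shares\Finance\Budgets\Old.xls"                   # constructed file name
    rows = [
        ("8/14/2015 5:51:48 AM", "jjbloggs", budget, "0x20000"),   # the event from the post
        ("8/14/2015 5:51:48 AM", "jjbloggs", budget, "0x1"),       # constructed
        ("8/14/2015 5:51:49 AM", "jjbloggs", budget, "0x80"),      # constructed
        ("8/14/2015 6:02:10 AM", "asmith", old, "0x10000"),        # constructed
    ]
    return "\n".join(EVENT_TEMPLATE.format(date=d, user=u, path=p, mask=m)
                     for d, u, p, m in rows)


if __name__ == "__main__":
    parsed = parse_events(sample_log())
    for key, row in summarise(parsed).items():
        print(key, row["events"], sorted(row["rights"]), row["first"], row["last"])
    print(deletions(parsed))
```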

Using network traffic to monitor file share activity

The most popular file sharing protocols are SMB (Windows file shares) and NFS (UNIX file shares). These protocols handle the file and folder transactions between the clients and servers. What you need to do is capture this traffic as it flows around the network and extract the file activity data from the packet payloads.

The image below shows a typical way this can be done. Users (1) connect to file servers (2) using wired or wireless devices. This traffic flows through a network switch where a SPAN or mirror port is configured. This SPAN port sends a copy of the traffic to the network traffic analyzer where the file names and actions (metadata) are extracted from the packet payloads.

Auditing File Access activity using network traffic

Other information like IP addresses, usernames and data volume associated with the file transfer can also be extracted so that you end up with a proper audit trail of file access activity.

capturing file activity information from network traffic

Should you choose traffic or logs?

Both methods mentioned for auditing file access have their advantages and disadvantages. Log files may be fine for monitoring specific folders on certain servers. You can also monitor activity if administrators log onto the server directly.

Network traffic monitoring is ideal if you don’t want to make any changes to the configuration of the file servers or if logging is not available. Traffic monitoring will passively capture the file access activity as users access the file shares across the network.

Traffic monitoring won’t include activity where administrators log directly onto servers. In this case you may want to consider a hybrid approach where you capture most of the audit information from network traffic and use local auditing for really sensitive data. This hybrid approach will avoid over loading log files with millions of entries for less sensitive data.

Tunnelling Bittorrent Over Port 80 – How to Detect Activity on Your Network

Bittorrent Over TCP Port 80

Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie\music pirates as it does not require a central server for the storage of data. A downloader (peer) can contact other peers and download pieces of content and that peer will automatically share any content it has downloaded. It does have many other uses such as a platform for distributing software updates.

When it comes to network management, most administrators try to block Bittorrent use. The main reason behind this is that it can use up massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size so all it takes is for a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers which can overload some firewalls.

Blocking access to sites like ThePirateBay may work in the short term but the introduction of magnet links makes site blocking more difficult. If you are successful in blocking the torrent sites, users can still access them at home and use your network to download the content.

How to detect Bittorrent tunnelling activity on your network

Traditional firewalls which use port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel\transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.

In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application, HTTP, Skype, Bittorrent, etc…. You need to take a look inside the network packets and work out what application it is based on what the packet payload or content is.

This all sounds very complicated and it is if you have to sort through packets using something like Wireshark. It is not impossible but you will find it is very time consuming. The other issue is scale, Wireshark works fine for analyzing a single client but it will get overloaded if you are monitoring hundreds of clients.

Find Out Who is Tunneling Bittorrent on YOUR Network

Use the power of LANGuardian deep packet inspection to find out who is tunneling Bittorrent traffic on your network. No need for client or agent software, just set up a SPAN or mirror port. Active Directory integration allows you to associate Bittorrent activity with usernames too.

What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection.  Aim to capture these fields at a minimum:

  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Info_hash: urlencoded 20-byte SHA1 hash
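The payload-based identification described above can be sketched as follows. This is an added example, not LANGuardian code: it recognises only cleartext BitTorrent (the peer handshake and HTTP tracker announces), and every address, port and hash in the sample flows is constructed.

```python
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Peer handshake layout: 1-byte length (19) + "BitTorrent protocol",
# 8 reserved bytes, 20-byte info_hash, 20-byte peer_id.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
REQUEST_LINE = re.compile(rb"^GET\s+(\S+)\s+HTTP/1\.[01]\r\n")


def parse_handshake(payload):
    """Return the info_hash (hex) if the payload opens with a peer handshake."""
    if not payload.startswith(HANDSHAKE_PREFIX):
        return None
    start = len(HANDSHAKE_PREFIX) + 8
    info_hash = payload[start:start + 20]
    # A truncated first segment does not carry the full 20 bytes.
    return info_hash.hex() if len(info_hash) == 20 else None


def parse_tracker_announce(payload):
    """Return the info_hash (hex) from an HTTP tracker announce request."""
    match = REQUEST_LINE.match(payload)
    if not match:
        return None
    _, _, query = match.group(1).partition(b"?")
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == b"info_hash":
            raw = unquote_to_bytes(value)  # urlencoded 20-byte SHA1
            return raw.hex() if len(raw) == 20 else None
    return None


def extract_metadata(flows):
    """Classify each flow by payload, never by port, and keep only the
    minimum fields for the flows that turn out to be BitTorrent."""
    records = []
    for src_ip, src_port, dst_ip, dst_port, payload in flows:
        for kind, parser in (("peer-handshake", parse_handshake),
                             ("tracker-announce", parse_tracker_announce)):
            info_hash = parser(payload)
            if info_hash:
                records.append({
                    "src_ip": src_ip, "src_port": src_port,
                    "dst_ip": dst_ip, "dst_port": dst_port,
                    "kind": kind, "info_hash": info_hash,
                })
                break
    return records


# Constructed sample data: first payload of four flows, three on port 80.
SAMPLE_HASH = bytes(range(1, 21))
ENCODED_HASH = quote_from_bytes(SAMPLE_HASH, safe="").encode("ascii")
SAMPLE_FLOWS = [
    # Ordinary web request on port 80.
    ("192.0.2.15", 51000, "198.51.100.7", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # BitTorrent peer handshake tunnelled over port 80.
    ("192.0.2.23", 51001, "203.0.113.9", 80,
     HANDSHAKE_PREFIX + bytes(8) + SAMPLE_HASH + b"-XX0000-abcdefghijkl"),
    # Tracker announce, which looks like HTTP until the query is read.
    ("192.0.2.23", 51002, "203.0.113.20", 80,
     b"GET /announce?info_hash=" + ENCODED_HASH
     + b"&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    # Handshake cut short: identified as incomplete, so no hash is recorded.
    ("192.0.2.31", 51003, "203.0.113.9", 443,
     HANDSHAKE_PREFIX + bytes(8) + b"cut"),
]

if __name__ == "__main__":
    for record in extract_metadata(SAMPLE_FLOWS):
        print(record)
```

Encrypted peer connections carry no recognisable handshake, so a check like this under-counts; it shows why port numbers alone cannot separate the first three flows.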

A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection connects to your network switch infrastructure, then configure the switch to send a copy of traffic going to and from the Internet to a switch port of your choice. This switch port is known as a SPAN or mirror port. It’s just a regular port but you configure it to be the destination for the SPAN traffic. See video below which covers this in more detail.

Tracking down Bittorrent activity with deep packet inspection

Once you have your SPAN port set up, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunneling. LANGuardian has the advantage of being able to report on real-time and historical activity.

Step 1 – Run a Top Applications Report

In my case I am going to take a look at activity over the past 4 hours and I also want to focus in on applications using port 80.

Top Network Applications

Step 2 – Drill Down on the Bittorrent Traffic

Most traffic on my network using port 80 is HTTP but I have a small amount of Bittorrent traffic using this port. To drill down I click on the traffic volumes.

Bittorrent Tunneling activity on network

Here I can clearly see the client IP address, host-name and info-hash values associated with this Bittorrent activity. Further details like other associated port numbers and external IP addresses can be got by drilling down further.

5 Tips for Dealing with Unusual Traffic Detected Notifications

Unusual traffic detected screenshot

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop/PC/device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like this to see if your IP address is on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Darragh Delaney

5 Quick Tips To Hunt Down Ransomware With LANGuardian

CryptoWall 3.0 Ransomware

How To Hunt Down Ransomware With LANGuardian

A Ransomware infection usually starts with an initial infection vector: a user clicking on an attachment in an email, an infected advertisement on a site, or something pushing the Angler Exploit kit, for example, which then pulls down the Cryptowall payload to the machine.

If you have been infected by Ransomware, use the search page at the top left in order to either:

  1. Enter the IP of the infected machine in the forensic search https://x.x.x.x/main.cgi
  2. Enter the name of the file into the ‘Filename’ field that has been modified on your machine e.g. HELP_DECRYPT.txt to see if it has spread and to where, also located on the search page https://x.x.x.x/main.cgi
  3. Run the All Events::By Signature report – https://x.x.x.x/netmon/view.cgi?id=&rid=52
  4. Run the All Events::By Destination report https://x.x.x.x/netmon/view.cgi?id=&rid=106 putting the infected machine IP in the destination filter field.
  5. Check for any websites or IP addresses visited during the time period of the initial infection and you should see communication with the C&C. Confirm the website or IP is malicious by checking it with Virustotal’s URL adviser. Running a website search for the specific domain over the last 24 hours, for example, is also a good way to see if anybody else has been infected.

Following the steps above you should be able to hunt down Ransomware and find out when and where the initial infection came from.

NetFort 12.4 – Network Traffic and Security Monitoring

LANGuardian 12.4

New Version of NetFort LANGuardian Provides Customers with a Single Point of Reference for Network Traffic and Security Monitoring.

NetFort, a leading provider of network traffic and security monitoring (NTSM) solutions, today unveiled version 12.4 of the LANGuardian application. The new version ensures network teams today have the visibility required to collaborate and work with their security colleagues and manage the daily security issues prevalent in today’s world.

Version 12.4 includes a number of significant changes:

  • SMTP Email Decoder Enhancements
  • HTTPS Website Use Reporting
  • Updated BitTorrent Decoder
  • Snort 2.9
  • SYSLOG Forwarding Feature

SMTP Email Decoder Enhancements

The SMTP decoder is a great feature from a network security monitoring point of view. It is a powerful tool if you want to monitor email for phishing type network attacks. Malicious attachments have made a comeback as top attack vector. An interesting post on this here. The SMTP decoder has been upgraded to record the following information:

  • Attachments to SMTP emails, including attachment name, MIME type and description. A sample report is shown below, some information is blurred as it came from a live network.
  • Embedded hyperlink detection in emails. This is a beta release for evaluation. Where an SMTP email contains a hyperlink, but the link target doesn’t seem to match the description, LANGuardian will log the link target and the description.
SMTP Decoder

HTTPS Website Use Reporting

The Website monitoring module has been upgraded to now report on HTTPS domains. Domain information (such as and traffic volumes are recorded. As packet payloads are encrypted, individual URIs cannot be reported.

SSL Traffic Reports

Updated BitTorrent Decoder

BitTorrent continues to be a popular protocol for downloading and uploading media from the Internet. LANGuardian has the ability to detect BitTorrent use and record metadata such as Infohash values and IP addresses. In 12.4 the BitTorrent decoder has been upgraded to record Peer Exchange messages (PEX). This increases the detection rate for BitTorrent activity and will record media titles, if included in the PEX message.

Bittorrent Protocol Decoder

Snort 2.9

Snort is a network-based intrusion detection system (NIDS) that has the ability to perform real-time traffic analysis and packet logging. Snort performs protocol analysis, content searching and matching. LANGuardian 12.4 now includes Snort version 2.9.7. This allows LANGuardian to take advantage of new keywords supported in IDS signatures for Snort 2.9, distributed from the ET Open project.

Snort 2.9

SYSLOG Forwarding Feature

Many customers choose LANGuardian as it can integrate with existing tools like SolarWinds, McAfee or WhatsUp. Version 12.4 extends this functionality with the addition of a new configuration page to manage the forwarding of events to external syslog collector (SIEM) systems.

This means you end up with a centralized dashboard for all network activity or, as one customer described it, a “single point of reference for network and user activity monitoring and first stop in troubleshooting any issues”.

LANGuardian SYSLOG Support

Version 12.4 is available from our download page and it can be deployed on physical or virtual platforms.

How Hiring Employees Increases Your Chance of a Ransomware Attack

Tips For Avoiding Ransomware Attacks

It seems like a strange combination, employee hiring and Ransomware but there is a connection. Ransomware is one of the biggest network security issues in today’s world and businesses have paid out tens of millions in ransoms this year. Thankfully a lot more people are aware of the problems it can cause and how it can get into a network. This is making things more difficult for the virus writers but they are a resourceful bunch with a lot of time on their hands.

Most people avoid opening attachments in emails from strangers. However, there are ways to trick people into opening attachments with virus payloads.

One such way which I observed recently is where companies advertise for new job positions. A common approach is to advertise jobs on websites and make a bit of noise about it on social media. Contact details are usually published and people submit their applications.

What we now have is strangers sending their CVs as attachments and this introduces a new attack vector as it is not seen as unusual activity. Malicious attachments really have made a comeback as top attack vector.

Ransomware bandits know that sending email to a generic human resources email address may not be successful as HR teams will be used to dealing with attachments. They will employ social engineering tactics and send their ‘CV’ to other email addresses within the company. The helpful recipient will probably forward it on and may even open it. As soon as they do they will find their files are encrypted.

Attack Surface

Advertisements for jobs and other services within a company increase that company’s attack surface.

These social engineering attacks are getting more and more advanced. Not that long ago you could spot the suspicious emails easily as they contained lots of spelling mistakes or started off with something like “Dear Firstname”. This is no longer the case; one-off emails are written for specific attacks and they can look legitimate at first glance. You should also be on guard for unsolicited messages in LinkedIn and other social networks.

Anatomy of a Ransomware Attack

  1. Attacker spots company activity. Job announcements, corporate events, etc…
  2. Email created to match company activity
  3. Email sent to unsuspecting employees with attachment
  4. Attachments opened, files encrypted locally and on shared drives

Tips For Preventing Ransomware Attacks

The lessons here of course are to continue to educate employees on the dangers of opening emails from strangers. Perform spot checks by creating a new Gmail address and send emails to see if employees open them or forward them on to others.

Email attachment with virus
Do we really need email attachments in the era of cloud based applications?

As well as sending in bogus CVs you will see tactics such as sending bogus purchase orders, software licenses, delivery notices and banking statements. In most cases the email will be tailored to match the recipient’s role or to coincide with specific company events.

I am beginning to wonder in the age of cloud applications, do we really need to be sending attachments in emails? They have been the source of countless virus outbreaks over the years. For example, the ILOVEYOU virus from a few years ago affected over 45 million computers.

Employee training and security awareness is the number one way you will prevent Ransomware attacks. In parallel to this you should make sure you have some sort of network monitoring tool in place that can track who is accessing file shares and give you warnings when something suspicious is happening. Also consider:

  • Block attachments on emails or restrict them to specific accounts.
  • Use contact forms on your website instead of publishing email addresses.
  • If you use Google Apps check out the attachment filtering feature. It lets you block specific attachment types or quarantine them for review later.

The image below shows a sample SMTP email report from NetFort LANGuardian which shows suspicious looking attachments that were detected moving around on a network. This information was captured using Wire Data Analytics. Two things look strange from this. Firstly the same email was sent to two people and secondly the compressed attachment (zip) is a tactic used to try and get past email filters.

New variants of Ransomware are appearing on a daily basis. Do not rely on host based antivirus as they struggle to keep up. Training and constant monitoring are the most vital activities and don’t forget about your backups.

Dealing With A Ransomware Attack

I would recommend that you create an incident response document before you get hit by Ransomware. Just something basic like backup information, support contact details, what tools to use for forensics etc… Also include notes on shutdown steps for key servers and applications.

If you do get hit, don’t just pay the ransom. As soon as you have it paid you will be dealing with another outbreak. Watch out for infected files on cloud storage services such as DropBox; files encrypted or infected with malware could be synchronized with a cloud service within seconds. It is a good example of why you should really know what applications your users are running on your network. We have a few other blog posts which you may find useful in the event of a Ransomware outbreak.

The following video also shows how you can use file activity logs to track down the source of Ransomware on a network

I cannot stress how important training is for the prevention of network security attacks. If you make noise about something within your company like job postings, financial updates or corporate events, be prepared for advanced social engineering attacks.

Do you have any experiences with Ransomware attacks? Comments welcome

Darragh Delaney

Top 5 Alternatives For SPAN or Mirror Ports

Network Security Monitoring Software

Looking for an alternative for SPAN ports?

SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. With them you can monitor single or multiple ports or VLANs and they give you access to packet payloads rather than just header information that you get with flow data.

What if you don’t want to use SPAN ports but you still need a source of network packets? Maybe you have used up your SPAN ports or maybe you don’t have access to your switch infrastructure. The good news is there are alternatives and here are the top 5 that you will get on most networks.

Top 5 Alternatives For SPAN or Mirror Ports

  1. Network TAP
  2. Port aggregator
  3. Network visibility solutions
  4. Virtual switches
  5. Use a spare switch to create more SPAN sessions

Network TAP

A network TAP (Test Access Point) is a hardware device that enables network and security personnel to access packet data passing through a network. Taps are passive devices.

Not so long ago, when TAPs were expensive, there was a cheaper option, a simple network hub! It is actually quite difficult to purchase a hub these days!

Most taps pass all seven layers of OSI network traffic (including layer 1 and layer 2 errors) and do not interfere with the performance of the network or the data stream of the network traffic.

They are a low cost option if you want to monitor single ports but more advanced versions are available which allow for many to one port mirroring. The following diagram shows a typical use case. A TAP is used to take a copy of traffic going to/from a firewall and it sends a copy to a network monitoring tool.

Garland TAP

Port Aggregation TAP

A port aggregation TAP is a hardware device which allows you to aggregate the data from multiple source or destination ports. It is not to be confused with the port aggregation protocol which is Cisco proprietary. The most common use case for port aggregators is where you have multiple source ports that you want to monitor with a single network monitoring tool.

Port Aggregation TAP

Network Visibility Solutions

Network visibility appliances include dedicated application processors pre-loaded with packet analyzers, network performance, and security/performance applications on a KVM software environment. Network engineers select traffic to stream or capture for diagnostics and on board storage is included for traffic analysis software and data files. Vendors such as Apcon develop solutions in this space.

Virtual Switch Monitoring

Most data centers now host one or more hypervisor platforms. VMware ESX and Microsoft Hyper-V are the most popular and both come with options for virtual packet capture.

VMware uses VLAN 4095 for monitoring purposes. You need to create a virtual switch for monitoring purposes and assign VLAN 4095 to this. Once the virtual switch is in place you can connect your network monitoring tools to this.

Hyper-V monitoring is very similar in that you create a virtual switch for monitoring purposes. Instead of VLAN 4095 you set ports as destinations for monitored traffic. Microsoft have more information on this blog post. We recently published a video which looks at how you can deploy LANGuardian on Microsoft Hyper-V servers. The steps shown can be used to deploy any type of monitoring tool which uses network packets as a data source.

Use a Spare Switch To Create More SPAN Sessions

If you have a shortage of SPAN ports, network switches can be used to double the number available. You need to connect the SPAN port from one switch to another spare one. Create a new VLAN on the new switch which is used for network monitoring purposes. There is no need to replicate this VLAN on other switches on your network. Once the VLAN is configured you can create two SPAN sessions which use this VLAN as a data source.

Do you have any other ways for capturing network packets off a network? Suggestions welcome in the comments section below.


Darragh Delaney

Can one have too much visibility?

Looking deeper into what is happening on a network

An interesting problem cropped up during our company huddle this morning. Our head of development had the floor and was giving us an update on some recent modifications to our Bittorrent decoder.

Our LANGuardian Bittorrent decoder is used heavily, especially by some of our University customers, to track DMCA notices. For example one can enter the info hash into a search field and get back information such as the IP address, user name, etc.

Bittorrent is a complex protocol; tracking it and extracting/storing the critical detail is not that easy. We have to issue regular updates to ensure accuracy and coverage. Bit of a pain for our development team, I feel for them!

A nice side effect of our latest update is that for some downloads we can also report the actual file, movie and video names in plain, readable text. But, as mentioned by the developer, is that maybe too much visibility for some customers? The movie and video names can be very explicit and even upsetting for some people. So do we report the name or not?

Bittorrent file names

But, I also remember back to a meeting years ago in Dublin, where the network admin had investigated one user for continuous bandwidth abuse causing the other users to complain ‘the Internet is slow today’ on that site.  HR got involved, a meeting was called, and the user asked to explain.  User explained he was downloading research papers and doing nothing wrong.

The admin was able to instantly produce a report listing the movie names (including the complete Harry Potter box set) dates, times, the user had downloaded. The smoking gun, proof to eliminate guesswork and save time, stress for everybody. User owned up immediately and the issue was resolved.

And just last week, we had the following feedback from a new customer in the UK, food company.

This product is amazing… I’m getting an insight into the network that I have never had before and seeing activity that I just did know was going on!

This guy, Simon, was definitely not complaining about having too much visibility.

I guess it may be useful to have the information at your fingertips IF and WHEN you need it, the last step of a drill down, but, not in your face all the time? Back to the customer, let’s get their opinion, listen to them.

John Brosnan
NetFort CEO

Google has detected unusual traffic from your network

How to deal with “Google has detected unusual traffic from your network” notifications

Malware on PCs and other devices can lead to all sorts of serious issues, from Ransomware to DDoS activity. Another symptom of malware that I come across a lot is when Google displays the message “Google has detected unusual traffic from your network” when users search for something. One of the reasons behind this is that Google are probably receiving loads of automated searches from your IP addresses. Typically these searches are automated by malware installed on one or more systems inside your network.

Unusual outbound connections

Your options are very limited when this happens. One thing would be to ignore it but each time you want to search for something you will have to solve a CAPTCHA (a squiggly word with a box below it). The recommended approach would be to find out what is causing the problem in the first place.

Find the Root Cause of Unusual Traffic on Your Network

Use the deep packet inspection features of LANGuardian to find the source of unusual traffic on your network. Reports based on MAC, IP address and Username. No need to install client or agent software. Just set up a SPAN or mirror port.

The Google notification will give you very little to go on so the main priority is to get visibility as to what is happening on your network. Forget about SNMP or NetFlow, you will need lots of detail to get to the root cause and neither of these protocols will do this.

An ideal data source is a SPAN or mirror port. This will give you access to network packets or wire data as I hear some people describe it. A SPAN port will give you access to crucial information like IP addresses, host-names, web domain names, email addresses, application payloads, or MAC addresses.

Once you have your SPAN port set up you just need to install LANGuardian and take a look at what is happening.

Watch out for systems connecting to external IP addresses or hosts associated with lots of traffic to the Google domains. LANGuardian will also associate this network activity with usernames so you know who is causing the problem.

See below for a recent quote from a customer. In this case they did not use LANGuardian to investigate a Google issue. However, it does go to show how customers are really happy using LANGuardian to find out what is happening on their networks.

LANGuardian is a crucial part of our investigation tools within the network, gets right into what’s happening

James Barnes, ICT Team Leader, Ayrshire College, Scotland.

Please don’t hesitate to get in contact with our support team if you are having an issue with a Google notification. You can also download a free trial of LANGuardian which can help you get to the root cause of any issues fast.

Darragh Delaney

Wire data – more flexible than log data?

Wire Data Analytics

Is Wire Data More Flexible Than Log Data?

Just after finishing a pretty long road trip around the US, New York, New Jersey, Washington DC, Chicago, Austin and San Francisco. Travelling around the US this time of year can be very ‘challenging’ for sure, some airports can handle the snow and some like Newark do an OK job. Although sitting in an airplane at the gate for over 3 hours in Newark Saturday night, waiting for my flight to Shannon to leave and one of the pilots to arrive was not an act of God. Imagine he was the one guy who got caught in traffic, all the other people on the flight knew bad weather was on the way and adjusted travel plans accordingly!

Anyway, it was a great trip, I met some partners and customers, really enjoyed and appreciate their time and feedback. One interesting term that was mentioned a lot was ‘wire data analytics’. Why? What are the use cases? How does ‘wire data’ add value?

A lot of the use cases seem to be security, data related. Comes down to the detail one can get from looking inside the packets and is not available from flow technologies like NetFlow.  Looking inside the packet, deep packet inspection does not always have to be about timings, latency QoE, etc. It can help provide the proof, that final piece of detail to really understand what happened, the domain name and URI for example and amount of data uploaded or downloaded. Critical pieces of information for security forensics.

Learn more about wire data analytics

For example, Ransomware is still very common. One user in a company got hit by cryptolocker, had no backup and were considering paying the ransom. These bad guys are targeting the file shares, creating files with strange file names, like ‘howdecrypt.txt’, encrypting, etc. Boy, do you miss your data when you can’t access it, like when your Windows laptop gets corrupted and will not boot, you will try anything to get your data back.

File Activity Monitoring

So, how does wire data help with Ransomware, for example? Well, if you can capture the right level of detail ‘off the wire’, like the file name, the user name, the source IP address, the action (say ‘create file’) and the server IP address, then one can alert or block the source IP and prevent further infection. Also use the information to see if other hosts or servers have been infected. Comparing wire data and log data in this case is also very interesting.

Log data can also be very useful when troubleshooting, but crucially in this particular use case, if logging is enabled on the Windows file share server, the logged detail does not include the source or client IP address. It includes an awful lot of other detail, sometimes adding huge overhead to the server, but not the source IP, which is usually pretty useful!

But this also demonstrates the flexibility of ‘wire data’: you can of course capture it at any point across the network, SPAN multiple VLANs for example. Also, if you have an SMB dissector available (as in our NetFort LANGuardian) and it is intelligent and fast enough, the dissector can decide which data to identify, extract, and keep.

You do not want to keep every single packet because then you will have a Big Data problem and you will not be able to see anything useful unless you are an expert. In the case above you can decide to extract and store the client IP address, easier than going back to Microsoft and telling them to also log this in a future version!

Wire data is not dependent on the format or content of the log and can be a very flexible and independent option.

John Brosnan
NetFort CEO

Support Team Stories – Detecting the Source of Ransomware


Locating the source of Ransomware on a network

The following case study is from an actual client network and as such some information is masked in the screen shots. The methods used to locate the source of Ransomware can be used on networks of any size.

Incident Background

We were contacted by a client to help with their incident response in tracking down an infection on a client’s machine with the new CTB-Locker ransomware (Curve-Tor-Bitcoin Locker), aka Critroni, which had no signatures available at the time of infection for this variant.

LANGuardian includes a file share activity monitoring module which provided a very detailed forensic analysis of the ransomware and the paths it had taken in order to encrypt the client’s system and also the fileserver to which it was connected. The initial infection came from the opening of an attachment in an e-mail.

CTB-Locker Ransomware

What type of Ransomware were we dealing with?

CTB-Locker is usually delivered through SPAM e-mail. There is no way to get the data back except by restoring from backup or paying the ransom as per this analysis.

CTB Locker and Network Shares

CTB Locker will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CTB Locker will not encrypt any files on a network share.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CTB Locker.

How we found the source of the Ransomware

Using the LANGuardian forensic dashboard to focus on the specific IP address given (X.X.81.61) for investigation we detected some strange fileshare traffic. If you have a LANGuardian you can do this yourself by following these steps:

Go to the LANGuardian search page (search button top left in GUI). Enter the IP address (X.X.81.61) in the Forensics search panel.

LANGuardian Forensics

Once the next page has loaded change the time and date to the correct date and time of the incident.

Forensics Date Selection

You are then presented with the forensics page which contains a lot of useful information, most notably during this time period the SMB traffic spiked which was spotted by the IDS, Content Based Application Recognition (CBAR) and the Windows File Shares :: Top Fileservers reports:

Forensics Drilldown

Looking a bit closer, random files can be seen named “laaaaaaa.tmp”, so we decided to dive a bit further and see what was lurking beneath the surface. We discovered that it was then contacting X.X.1.182, which was the fileserver; this can also be seen on the dashboard above.

  • Looking up “laaaaa.tmp” online at the time led to 1 hit on Google in Russian.
  • The infection name is “Win32/Filecoder.DA.Gen”

A bit of a closer look at what is happening shows us that the files on the fileshare have been infected and are then encrypted:

Ransomware Encryption

In order to check on the network for any other systems that may have been infected we went back to the search page again and used the file search to track down any further infections on the network.

Search for Ransomware

Looking closer and using the search field for specific file names, it appeared that only the machine in question, “X.X.81.61”, was infected. However, it also infected a high number of files on the fileserver, which had to be restored from a backup taken prior to the infection and encryption process.


It is critical to continuously monitor and alert on suspicious fileshare activity, for example the creation of filenames associated with malware or the renaming of large numbers of files in a short time. If something gets into your network you need a fast way of locating and disconnecting the source, or it will continue to encrypt files as you restore them.
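The two alert conditions named above can be expressed as a small detector over file-share events. This is an added example, not LANGuardian's own logic: the event format, IP addresses, share paths, thresholds and the filename pattern (modelled on the “.tmp” names seen in this incident) are all assumptions.

```python
import re
from collections import defaultdict, deque

# Assumption: pattern modelled on the "laaaaaaa.tmp" files seen in this incident.
SUSPICIOUS_NAME = re.compile(r"^la{4,}\.tmp$", re.IGNORECASE)
RENAME_LIMIT = 5        # assumed threshold: renames allowed per client ...
WINDOW_SECONDS = 60     # ... within this sliding window

# Constructed sample events: (epoch seconds, client IP, SMB action, path)
SAMPLE_EVENTS = (
    [(1000 + i * 2, "10.0.0.61", "rename", f"\\\\fs01\\finance\\report{i}.docx") for i in range(8)]
    + [(1003, "10.0.0.61", "create", "\\\\fs01\\finance\\laaaaaaa.tmp"),
       (1005, "10.0.0.22", "rename", "\\\\fs01\\hr\\plan.xlsx"),
       (1400, "10.0.0.22", "create", "\\\\fs01\\hr\\notes.tmp")]
)

def detect(events):
    """Return a list of (time, client, reason) alerts for file-share events."""
    alerts = []
    recent_renames = defaultdict(deque)   # client -> timestamps of recent renames
    flagged = set()                       # clients already alerted for mass rename
    for ts, client, action, path in sorted(events):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if action == "create" and SUSPICIOUS_NAME.match(name):
            alerts.append((ts, client, f"suspicious filename {name}"))
        if action == "rename":
            window = recent_renames[client]
            window.append(ts)
            # Drop renames that have aged out of the sliding window.
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) > RENAME_LIMIT and client not in flagged:
                flagged.add(client)
                alerts.append((ts, client, f"{len(window)} renames in {WINDOW_SECONDS}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the client address, which is what is needed to locate and disconnect the source before restoring files.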

If you need any help with detecting Ransomware on your network, please don’t hesitate to contact us.

NetFort Support Team

Open SNMP service used for an attack


Customer Use Case

At NetFort we keep talking about having unified network visibility for both security and operations. The rationale for us is pretty simple: our already stressed customers have a reference point, a single pane of glass to monitor and troubleshoot any suspicious activity. It does not matter whether the activity is security or performance related. If users are reporting the ‘network is slow’ or an ISP notifies you of suspicious activity, you need that single reference point to see what is going on or, for network forensics, to see what happened, and fast.

This visibility is especially important for organizations such as universities, stadiums and airports that, due to the nature of their business, need to operate open, high speed networks.

In a recent case, one of our customers was running a server that was hijacked and participating in an attack, generating large UDP responses to spoofed SNMP queries.

This ‘SNMP speaking’ device was configured with the default SNMP community string ‘public’, easily guessed by a third party. It is a really good example of the risks associated with SNMP and why some organizations disable it entirely. The server was accessible from the public internet.

The attacker identified the server and guessed the SNMP community string. SNMP normally runs over UDP (and did in this case). UDP doesn’t require a session, so IP addresses and port numbers in a packet can be faked. The attacker fabricated a UDP SNMP query packet (a getbulk request) and used the victim’s IP address as the source IP address. All that was required was to edit the address, recompute the header checksum and transmit the packet.

The server duly received the packet, verified the checksum, generated the SNMP response and sent it to the victim’s IP address. Further, the attacker fabricated the source port number and inserted port 80, instead of the usual ephemeral port number. This meant that responses were targeted at the victim’s web services. As responses were large, this constituted a DoS attack on the victim. Our customer appeared to be the source of the attack. This type of attack is known as an amplification attack.

In this case, the customer was immediately alerted because LANGuardian monitoring had been installed and configured and had detected large amounts of egress SNMP traffic on a non-standard port number.

SNMP Attack
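The condition that raised the alert, large SNMP responses leaving the network towards a port that is not a normal ephemeral client port, can be checked against flow records as follows. This is an added example, not LANGuardian's own logic: the flow record layout, the 10.0.0.0/8 internal range, the byte threshold and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored site's address space
SNMP_PORT = 161
BYTES_LIMIT = 100_000                            # assumed per-destination egress threshold

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, "10.1.2.3", 161, "udp", 8_200),      # queries with a forged source
    ("10.1.2.3", 161, "203.0.113.10", 80, "udp", 410_000),    # large responses to port 80
    ("10.9.9.9", 40112, "10.1.2.3", 161, "udp", 900),         # internal management polling
    ("10.1.2.3", 161, "10.9.9.9", 40112, "udp", 5_400),
    ("10.1.2.4", 53122, "198.51.100.7", 443, "tcp", 90_000),  # unrelated web traffic
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_snmp_reflection(flows):
    """Return findings for SNMP responses that leave the network."""
    sent = defaultdict(int)       # (server, remote, remote_port) -> response bytes
    received = defaultdict(int)   # same key -> bytes of the queries that triggered them
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == SNMP_PORT and is_internal(src) and not is_internal(dst):
            sent[(src, dst, dport)] += nbytes
        elif dport == SNMP_PORT and is_internal(dst) and not is_internal(src):
            received[(dst, src, sport)] += nbytes
    findings = []
    for key, out_bytes in sent.items():
        reasons = []
        if key[2] < 1024:
            reasons.append("responses sent to a well-known port")
        if out_bytes > BYTES_LIMIT:
            reasons.append("egress volume above threshold")
        if reasons:
            in_bytes = received.get(key, 0)
            factor = round(out_bytes / in_bytes, 1) if in_bytes else None
            findings.append({"server": key[0], "victim": key[1], "port": key[2],
                             "bytes": out_bytes, "amplification": factor, "reasons": reasons})
    return findings
```

The amplification figure is the ratio of response bytes to query bytes for the same address and port pair, which shows how much larger the reflected traffic is than what was sent to the server.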

Recently we’ve all been hearing a lot about APTs (Advanced Persistent Threats), but a recent survey reports that 90% of successful attacks are a result of the basics not being covered off: upgrade, patch, validate configurations, replace unsupported software, training and continuous monitoring.

If you do not continuously monitor so you can clearly see what is actually happening on your network, you will get that phone call or email soon... and it could be at the worst possible time.

John Brosnan
NetFort CEO