NetFort Advertising

Network Security Monitoring

Why network security monitoring?

Just as network security monitoring is important for detecting threats originating from outside the network, it can also be used to detect threats originating from within.

The Intel Security Report “Grand Theft Data” revealed that 43% of all security breaches are attributable to internal actors. Although half of data breaches are unintentional, the loss of data and financial cost of an internal breach can be significant because, in many cases, the perpetrator knows where to look.

Network security monitoring using LANGuardian

Effective network security monitoring with LANGuardian can prevent many insider thefts. Historical data can be analyzed to identify unusual or suspicious fileshare access, and alerts can be set up to warn of specific network activity.

LANGuardian includes both a traffic analysis and an IDS engine to root out suspicious activity on your on-premises or cloud networks.

Network security monitoring in this manner is far more effective than individual user logging, as it helps prevent unintentional data breaches as well as those conducted for malicious purposes.

To find out more about how you can detect and prevent threats from both outside and within your network, read our network security monitoring blog posts. If you have any questions after reading about how LANGuardian can be used as an effective network security monitoring solution, do not hesitate to contact us.

Alternatively, you can download a free trial of LANGuardian and start monitoring your network security effectively today.

Beware of Exposed Ports at Your Networks Edge

More reasons to check inbound traffic on your network

Looking through the latest infosec news this week I spotted two exploits which use similar attack methods.

  • Printers targeted via TCP port 9100 by external clients
  • Poorly configured Ethereum nodes targeted over port 8545

In both cases hosts located outside your network try to connect to devices hosted inside your LAN or cloud environments. The printer exploit is an unusual one. Its main purpose is to deliver PewDiePie propaganda around the world. PewDiePie is currently the most subscribed channel on YouTube. Recently it has been in a battle for this position with an Indian company called T-Series.

Over the last couple of days, Twitter users have been posting screenshots of unsolicited printouts from internet-connected printers that say that PewDiePie needs their help. A Twitter user called TheHackerGiraffe has claimed responsibility, saying they did this to raise awareness of printers and printer security.

pewdiepie hack

The second inbound exploit attempt has a more sinister background. A cybercriminal group has managed to steal a total of 38,642 Ethereum, worth more than $20,500,000, from clients exposing the unsecured interface on port 8545. The process behind this is simple. External clients scan your network on port 8545, looking for geth clients and stealing their cryptocurrency. Geth is a multipurpose command line tool that runs a full Ethereum node implemented in Go.

How to monitor inbound traffic on your LAN

One quick check for port 9100 or 8545 activity is to see whether these ports are open on your firewall. While an open port is not in itself an indication of activity, you should consider closing them to all external clients.

A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to report on what ports and applications are being used.

The image below shows an example of what to look out for. In this case we can see evidence of SMB activity. Ports like 9100, or 445 which SMB uses, should not be open to unknown clients. Click on the image below to access this report on our online demo.

Inbound traffic on ports 9100 or 8545

In the next example we are looking at what ports are accepting connections from external clients. Again we can see the activity on TCP port 445. Looking through the results, I also need to check the activity on port 49158. Click on this image to access the report on our online demo.

Inbound TCP ports which are open on firewall

In order to check your firewall configuration and get visibility of traffic at an application level allowed in through your firewall, simply deploy a traffic analysis system such as LANGuardian and configure the sensor SPAN or mirror port correctly.

You can, for example, use a SPAN port to monitor traffic from your internal network to and from the firewall. This is a very useful and simple way to validate firewall rules, which are sometimes configured by an external consultant. The video below goes through what is needed to get network traffic analysis in place at your network edge, together with the steps to get LANGuardian monitoring this traffic.

How to monitor inbound traffic in the cloud

When an infosec alert like the ones mentioned above goes out, the obvious thing to do is check your on-premises data centers for suspicious activity. This is certainly a good starting point. However, don't forget about your cloud-based networks. They may be targeted even more than your on-premises networks. Getting visibility in the cloud is not as straightforward as with a more traditional on-premises network.

Recently we announced support for AWS VPC Flow Log Analysis and we will also have an option for Azure monitoring shortly. I took a look at reports associated with our AWS estate and sure enough there is evidence of inbound activity on port 9100, see image below. In our case this was blocked. I observed similar activity for inbound connections on 8545.

AWS flow logs showing activity on ports 9100 and 8545
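The flow-log check described above, as an added example that is not NetFort or LANGuardian code: it parses the default (version 2) AWS VPC Flow Log record format and flags records whose source is outside the VPC and whose destination port is one of the ports discussed in this post (9100, 8545, 445). The internal address ranges and the sample records are constructed assumptions.

```python
"""Flag inbound hits on watch-listed ports in AWS VPC Flow Logs (added example)."""
import ipaddress
from collections import Counter

# Ports discussed in the post; an ACCEPT here means the security group let it in.
WATCHED_PORTS = {
    9100: "raw printing (JetDirect)",
    8545: "Ethereum geth JSON-RPC",
    445: "SMB",
}

# Assumption: address ranges that count as "inside" this VPC. Adjust to your estate.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.31.0.0/16"),
]

# Default version-2 VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not a real capture). Documentation-range IPs are used
# for the external sources; the fifth line is a NODATA record that must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 172.31.16.21 51234 9100 6 1 60 1544000000 1544000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 172.31.16.22 40211 8545 6 3 180 1544000100 1544000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.16.5 172.31.16.22 50000 8545 6 10 900 1544000200 1544000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 172.31.16.22 40212 445 6 2 120 1544000300 1544000360 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1544000400 1544000460 - NODATA
2 123456789012 eni-0a1b2c3d 172.31.16.21 93.184.216.34 44444 443 6 20 4000 1544000500 1544000560 ACCEPT OK
"""


def is_internal(addr):
    """True when addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_records(text):
    """Yield one dict per usable record; NODATA/SKIPDATA and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["srcaddr"] == "-":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def find_inbound_hits(text):
    """Return records with an external source, internal destination and watched dst port."""
    hits = []
    for rec in parse_records(text):
        if rec["dstport"] not in WATCHED_PORTS:
            continue
        if is_internal(rec["srcaddr"]) or not is_internal(rec["dstaddr"]):
            continue  # internal-to-internal or outbound traffic is not what we are after
        hits.append({
            "src": rec["srcaddr"],
            "dst": rec["dstaddr"],
            "port": rec["dstport"],
            "proto": "tcp" if rec["protocol"] == 6 else ("udp" if rec["protocol"] == 17 else str(rec["protocol"])),
            "action": rec["action"],
            "service": WATCHED_PORTS[rec["dstport"]],
        })
    return hits


def summarize(hits):
    """Count hits per (port, action). REJECTs show scanning; ACCEPTs need a rule review."""
    return Counter((h["port"], h["action"]) for h in hits)


if __name__ == "__main__":
    found = find_inbound_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["action"]:6} {h["src"]} -> {h["dst"]}:{h["port"]}/{h["proto"]} ({h["service"]})')
    print(dict(summarize(found)))
```

Point the script at a downloaded flow-log file instead of SAMPLE_LOG to run it over your own VPC; any ACCEPT row in the summary is a security-group rule worth checking.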

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization's requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

What Traffic Reports To Focus on if You Are Dealing With Google Unusual Traffic Notifications

Why does Google sometimes show unusual traffic messages?

Recently I worked with a number of network managers who downloaded our LANGuardian software to try and find the source of malware on their networks. The issue they faced was that clients were being presented with the message “Our systems have detected unusual traffic – possibly Malware from your computer network” when they tried to access Google services.

You then get a reCAPTCHA. To continue using Google, you have to solve the reCAPTCHA. It’s how Google knows you’re a human, not a robot. After you solve the reCAPTCHA, the message will go away and you can use Google again. The image below shows an example of what is displayed.

Google reCAPTCHA which is displayed if Google has detected unusual traffic coming from your network

Google closely monitors what network traffic is directed at their infrastructure. If devices on your network seem to be sending automated traffic to Google, you might see “Our systems have detected unusual traffic from your computer network.” Google considers automated traffic to be:

  • Searches from a robot, computer program, automated service, malware (true?) or search scraper
  • Software that sends searches to Google to see how a website or webpage ranks on Google

The main reason behind all of this is that Google does not want any automated traffic which is designed to influence search results.

How can I monitor Google traffic on my network?

All Google traffic will flow in and out of your Internet gateways so this is where you need to capture traffic. Use a SPAN or mirror port to capture a copy of traffic going to and from your firewall. Make sure you capture the data inside your network so you can identify what client is sending unusual traffic.

The image below shows a typical setup if you want to detect any unusual traffic on your network. In this we use our LANGuardian traffic analysis tool to monitor traffic coming from a SPAN/mirror port on our core switch. LANGuardian is deep-packet inspection software that monitors network and user activity. The core switch is configured to send a copy of all traffic going to and from the firewall to the monitoring port, which is also known as a SPAN or mirror port.

Monitoring network traffic using a SPAN or mirror port

What traffic reports do I need to look at?

Our LANGuardian product is available as a 30 day trial. This should give you enough time to get to the root of the problem. Once you have the trial installed there are two key reports to focus on. Use the search bar at the top of the LANGuardian GUI to search for these reports:

  • Top Website Domains with Client IPs (Page Hits)
  • Top Website Domains with Client IPs

In both cases enter Google into the Website Domain report filter on the left. The first report will show the top clients connecting to Google services based on the number of connections. The second report shows the top clients on your network connecting to Google services based on traffic volumes. Unusual traffic would be seen as a client which is establishing thousands of connections in a short time period like one hour. Unusual traffic volumes can be seen as multiple gigabyte levels to Google search or Google API services.

Click on the image below to access our online demo and see what the reports look like.

Two traffic reports to look at if you want to find the source of unusual traffic on your network
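The two thresholds the post describes (thousands of connections to Google in an hour, and multi-gigabyte volumes) applied to a constructed set of connection records, as an added example that is not NetFort or LANGuardian code. It assumes records of the form (unix timestamp, client IP, website domain, bytes), which is the kind of metadata a SPAN-port capture yields; the thresholds and sample clients are assumptions.

```python
"""Find clients whose Google traffic looks automated (added example)."""
from collections import defaultdict, deque

# Domains the post treats as "Google services".
GOOGLE_SUFFIXES = ("google.com", "googleapis.com")


def is_google(domain):
    """True for google.com / googleapis.com and any subdomain of them."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in GOOGLE_SUFFIXES)


def find_unusual_clients(records, conn_limit=2000, window=3600, volume_limit=2 * 1024 ** 3):
    """records: iterable of (ts_seconds, client_ip, domain, bytes).

    Returns {client: {"peak_hourly_connections": n, "bytes": b, "reasons": [...]}}
    for clients that exceed conn_limit connections inside any `window` seconds
    (the "Page Hits" report) or volume_limit bytes in total (the volume report).
    """
    by_client = defaultdict(list)
    for ts, client, domain, nbytes in records:
        if is_google(domain):
            by_client[client].append((ts, nbytes))

    findings = {}
    for client, events in by_client.items():
        events.sort()
        recent = deque()      # timestamps inside the sliding window
        peak = total = 0
        for ts, nbytes in events:
            total += nbytes
            recent.append(ts)
            while recent and ts - recent[0] >= window:
                recent.popleft()
            peak = max(peak, len(recent))
        reasons = []
        if peak >= conn_limit:
            reasons.append(f"{peak} connections within {window}s (limit {conn_limit})")
        if total >= volume_limit:
            reasons.append(f"{total / 1024 ** 3:.1f} GiB to Google services (limit {volume_limit / 1024 ** 3:.1f} GiB)")
        if reasons:
            findings[client] = {"peak_hourly_connections": peak, "bytes": total, "reasons": reasons}
    return findings


def constructed_records():
    """Constructed sample data: one normal client, one scraper, one bulk uploader."""
    base = 1_544_000_000
    recs = []
    # Normal browsing: 40 page hits spread over roughly a day.
    recs += [(base + i * 2000, "10.1.1.20", "www.google.com", 30_000) for i in range(40)]
    # Search scraper: 2500 hits in about 40 minutes.
    recs += [(base + i, "10.1.1.77", "www.google.com", 12_000) for i in range(2500)]
    # Bulk uploader: 3 GiB to a Google API endpoint in six long connections.
    recs += [(base + i * 600, "10.1.1.90", "storage.googleapis.com", 512 * 1024 ** 2) for i in range(6)]
    # Non-Google traffic must be ignored even when large.
    recs.append((base, "10.1.1.20", "example.com", 5 * 1024 ** 3))
    return recs


if __name__ == "__main__":
    for client, info in sorted(find_unusual_clients(constructed_records()).items()):
        print(client, "->", "; ".join(info["reasons"]))
```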


5 Tips For Monitoring Network Traffic on Your Network

Monitor Network Traffic

Monitoring traffic on your network is important if you want to keep it secure and running efficiently. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network. These 5 tips should help you get the most out of your network traffic monitoring application.

1. Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

  1. Flow data: which can be acquired from layer 3 devices like routers
  2. Packet data: which can be sourced from SPAN, mirror ports or via TAPs

Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and optimize network resource use and performance. However, flow-based tools for monitoring network traffic lack the detailed data needed to detect many network security issues or perform true root cause analysis.

Packet data extracted from network packets can help network managers understand how users are implementing/operating applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. Deep packet inspection tools provide 100% visibility over the network by transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail.

2. Pick the correct points on the network to monitor

Naturally, with agent-based software you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic, but it creates a significant implementation and maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some states illegal) to monitor activity on users' personal devices.

Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they include too many data sources at the start. There is no need to monitor every network point. Instead you need to pick points where data converges. Examples of this would be Internet gateways, Ethernet ports on WAN routers or VLANs associated with critical servers.

If you are new to getting tools in place to monitor network traffic, I would suggest you start by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. The short video below explains how you can do this with Cisco switches – a similar approach can be applied to other switch vendors.

The image below shows a good approach when it comes to network traffic monitoring for most networks. A SPAN or mirror port is configured at the network core which allows for the capture of any traffic passing through. In my example this would allow me to capture traffic going to and from the Internet as well as traffic associated with important servers.

network diagram showing how you can monitor network traffic

3. Sometimes real-time data is not enough

The ability to monitor network traffic in real-time is sufficient to achieve many objectives of network traffic monitoring, but sometimes real-time data is not enough. Historical traffic metadata is ideal for network forensics and is just as important if you want to analyze past events, identify trends or compare current network activity with the previous week. For these objectives, it is best to use tools for monitoring network traffic with deep packet inspection.

Some tools for monitoring network traffic choose to age data. This means the further back you go historically, the less detail you get. While this can save on disk space, it is not an ideal solution if you are trying to determine how an intruder managed to overcome your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.

It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Other appliance-based tools are limited based on the specifications of the system you buy, and an upgrade becomes a replacement appliance which can be expensive. The most flexible option is a network traffic monitoring tool that is software-based and allows you to allocate whatever disk space you think is appropriate.

4. Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments if you are trying to find a problematic device. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.

user network traffic

5. Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the edge but very few have this type of technology monitoring internal traffic. All it takes is one rogue mobile or IoT device to compromise a network. Another issue I often see is firewalls allowing suspicious traffic through where a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China, and connections from this country would not be expected on this network.

Detecting IoT devices with network traffic monitoring

Summary

Not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don't use software agents, tools that store/don't store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as at the network edge.

  • Choose flow based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links
  • Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

Detect Hosts Targeting Apache Struts Vulnerability CVE-2018-11776

Apache Struts Vulnerability

What is Apache Struts and vulnerability CVE-2018-11776

Apache Struts is a free and open-source framework used to build Java web applications. On Wednesday, August 22, 2018, the Apache Foundation released a security bulletin for a critical vulnerability in the Apache Struts framework. Applications developed using Apache Struts are potentially vulnerable.

The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software. This is not the first remote code execution vulnerability discovered in Apache Struts. Previously the framework was targeted with vulnerabilities CVE-2017-9793, CVE-2017-9804, and CVE-2017-9805.

Cryptocurrency miners have begun using these vulnerabilities to compromise servers to mine the Monero digital currency. Tools such as Apache Struts Version 3 can also be used to exploit vulnerabilities in Apache Struts. The reality is that unpatched Apache Struts installations can leave organizations open to significant risks.

How to detect if attackers are targeting the CVE-2018-11776 vulnerability on your network

When it comes to monitoring, there are certain packet payloads and DNS requests that you should watch out for. Suspicious payloads can be detected by using an Intrusion Detection System (IDS), and DNS lookups can be tracked down by using a traffic analysis application like our own LANGuardian.

There are two IDS signatures in our current LANGuardian ruleset which focus on the Apache Struts Vulnerability CVE-2018-11776:

  • ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1 (sid 2026025)
  • ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2 (sid 2026026)

Constant monitoring of DNS queries is a good way to keep an inventory of what types of services clients on your network are trying to connect to. At the moment attackers who are successfully exploiting Apache Struts deployments via CVE-2018-11776 are using them to mine cryptocurrency. One of the indicators of this is any DNS lookup for the domain:

  • us-east.cryptonight-hub.miningpoolhub.com

Running LANGuardian reports associated with CVE-2018-11776

DNS Lookups

  1. Enter DNS lookups into the LANGuardian search bar
  2. Select the report Security :: DNS Lookups Associated with Malware Domains by User
  3. Enter us-east.cryptonight-hub.miningpoolhub.com into the Host Name report filter
  4. Select a time period and run report
  5. Save as custom report if necessary by clicking on Actions / Save As

CVE-2018-11776 DNS Lookup

IDS Signatures

  1. Enter All Events into the LANGuardian search bar
  2. Select the report All Events :: Events by Signature
  3. Enter CVE-2018-11776 into the Signature Name report filter
  4. Select a time period and run report
  5. Save as custom report if necessary by clicking on Actions / Save As

CVE-2018-11776 Snort IDS events

Conclusion

The Apache Struts framework continues to be targeted by attackers due to a steady stream of vulnerabilities. It is important that organizations remain diligent, ensuring this software is updated quickly when new patches are released or otherwise limiting external access to websites leveraging it.

Although the main payload for Apache Struts exploits at the moment appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining.

Make sure you monitor network traffic going to and from any Apache servers that you host on your network. This is especially true of the servers that can be accessed by external hosts. Also, make sure that your traffic monitoring application is updated with the latest IDS or DNS malware lists so that you can quickly spot problems.

Looking to Download VAST to Root Out SMBv1? Try This Alternative

What is SMBv1?

SMB operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. Microsoft has implemented three versions of SMB over the years; SMBv2 and SMBv3 are much more secure than SMBv1.

Many ransomware and cryptocurrency mining malware variants spread from computer to computer by exploiting critical vulnerabilities in Microsoft's implementation of SMB version 1. Microsoft recently announced that their security visualization tool (VAST) can report on SMBv1 activity. This is a response to demand from network and security managers who want to find out if SMBv1 is still active on their networks. However, before you download VAST let's take a look at the alternatives.

How to root out SMBv1 from your network. Should you download VAST or use an alternative?

There are two primary ways to detect SMBv1 activity on your network. You can either use log files or you can analyze the network traffic going to and from your file servers. Log files require changes on your file servers: you will need to increase logging to capture SMBv1 events. Traffic analysis is passive and has no performance or storage impact on your servers, but you do need to set up a SPAN or mirror port.

Using log files to detect SMBv1

At the end of March 2018, Microsoft unveiled Project VAST, or the Visual Auditing Security Tool (VAST). It uses Windows event logs as a data source and Azure Log Analytics to filter on EventID 3000, which is logged each and every time a client attempts to access the server using SMB1. You do need to enable auditing on every file server using the command below, and this approach does not work for non-Windows devices like NAS units.

    # Read one file server name per line, then turn on SMB1 access auditing on each
    # of them remotely (requires PowerShell remoting and admin rights on the targets).
    $computers = Get-Content "c:\SMB_computers.txt"
    foreach ($computer in $computers) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            # Once enabled, every SMB1 client access is logged as EventID 3000
            Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        }
    }

The image below shows an example of these events. You could manually check for these events if you only have a single file server but you will be better off to use a separate application to do this job if you have multiple servers.

SMBv1 EventID 3000. Download VAST if you need a tool to filter these events in a report

Using network traffic analysis to detect SMBv1

A more passive approach to detecting SMBv1 involves the use of network traffic analysis. To get a data source you need to monitor network traffic going to and from any file server or network attached storage device. This is easy to set up, as all managed switches have a feature called SPAN ports or port mirroring.

The image below shows a typical setup. A copy of the traffic passing through the core switch is sent to the monitoring port. You need to connect your traffic analysis application/device to this port, and it checks the file share traffic for SMBv1 activity.

Capturing SMBv1 activity from network traffic

If you host your file servers on virtual platforms such as VMware ESX you don't need the SPAN or mirror port; you can monitor the traffic within the virtual environment by setting up a special virtual port group. We have a couple of videos on this page which describe the setup process.

The image below shows a sample report from our LANGuardian system which can be used to detect SMBv1 activity. It also integrates with Active Directory so you can also see the associated username.

Make sure you look at alternatives before you download VAST or similar log analysis tools. Will it be easier to monitor the traffic than make changes on your servers? Do you have any file sharing devices that don’t have logging capabilities?

Our LANGuardian product is available as a 30 day trial. You can download it from here and it will give you an idea as to the scale of your SMBv1 problem in less than an hour. Make sure you check this out before you download VAST.

MSP Managing Your Network? Make Sure You Have Independent Visibility

MSP did not identify hole in firewall

Using MSP services? Make sure you have independent monitoring in place

A third party such as a managed services provider (MSP) is most often an information technology (IT) services provider that manages and assumes responsibility for providing a defined set of services to its clients, either proactively or as the MSP (not the client) determines that services are needed. The main drivers for the adoption of MSPs are the desire to improve operations and cut expenses.

Even years ago, before the term MSP was popular, many organizations used external contractors and services to install and configure critical security equipment like firewalls. Firewall configurations and rules can be very complex; how do you check them and make sure they are correct? One option is to look at the traffic and activity inside the firewall.

Recently I worked on an interesting problem with a client who was using an MSP to manage their firewall. They were happy with this arrangement as the MSP did not report any problems, and they had nothing independent to highlight any issues.

Case study: Unreported hole in firewall

One thing this client needed outside of the MSP services was a tool to monitor network traffic. They needed a high level view of bandwidth use at their network edge and they contacted us. A trial of our LANGuardian product was deployed; the ability to monitor web traffic and capture associated metadata is one of its many features.

When we started to look at the data captured we noticed something very strange with inbound traffic patterns. We define inbound traffic as a connection where the source IP address is outside the network perimeter (outside the firewall). Over 98% of traffic was associated with LDAP traffic over UDP 389 to one of their domain controllers. Traffic over UDP 389 is typically connection-less LDAP (CLDAP), a variant of LDAP that uses the User Datagram Protocol (UDP) for transport.

Our LANGuardian product has an application recognition engine and so it reported the activity correctly as LDAP. If you are using a tool which uses port numbers (port 80, etc…) to report on activity you may miss things like LDAP.

Drilling down on this traffic we could see connections from China, Russia and many other countries. Our determination was that the domain controller was being used as part of an amplification-based DDoS botnet. Attackers are now abusing exposed LDAP servers to amplify DDoS attacks.

We immediately put in a change request to the MSP to block UDP port 389 on the firewall. As you can see from the image below the inbound traffic dropped significantly once the firewall change was implemented.

Connectionless LDAP (CLDAP), a variant of LDAP that uses the User Datagram Protocol (UDP) for transport

The big lesson here was the need to have something in place to provide visibility of what was happening on the network. The hole in their firewall was an old NAT rule that was long since outdated. However, their MSP did not pick up on this activity. It needed an independent monitoring tool which could show what was happening on their network.

Finding out what is going in and out of your network with LANGuardian

LANGuardian comes with a selection of reports which can be customized to filter on certain activity. For this use case we selected the Applications in Use report and we used a specific source and destination IP address filter. You can also use the Report Variables feature to define what subnets are in use inside your network. Follow these steps to get these custom reports setup on your LANGuardian.

1. Create report variables to define what subnets exist on your LAN. If you use private address ranges then you can use the exact same setup as the image below. The only difference between the External and Internal variable is the use of the ! character. This character denotes NOT so any subnet outside of this is not on your LAN.

2. Click on All Reports and select the Applications in Use report. Click the drop down next to Source IP / Subnet on the left and select the External report variable. Click the drop down next to Destination IP / Subnet on the left and select the Internal report variable.

Click on Run Report. You should get an output like the one shown below. In my case I will need to drill down on that SMB activity as I would not expect to see file sharing traffic where the client (source) is outside my network.

3. You can then save this as a custom report by clicking on Actions \ Save As or create a line graph by selecting the Trend Report option.

4. Finally, repeat the steps to show what applications clients are using on the Internet by selecting Internal as a source and External as the destination within the Applications in Use report.

Detecting Emotet Trojan Malware

Emotet Trojan Malware threat

A banking malware threat called Emotet has been affecting organizations around the world for the past four years. More recently, the Emotet trojan has been used as the carrier for a family of trojans which collect everything from banking to email credentials, browser information (e.g. history and saved passwords), Outlook email addresses (potentially to send phishing emails from that account later) and network credentials.

Emotet’s method of self-propagation—brute forcing passwords—has additional potential to cause major headaches for organizations as it may result in multiple failed login attempts, which can lead to users becoming locked out of their network accounts.

The data collected from infected machines is then sent back to a central server and the threat moves quickly to infect other machines on the network.

The initial infection will typically come from an email which purports to be from a legitimate organization e.g. PayPal, and contains subjects related to invoices or shipping details. Once that first email is opened, the spread of the trojan does not require any user interaction and Emotet uses a number of strategies to remain undetected and so, the threat can be difficult to catch before real damage is done.

Emotet can also spread to additional computers using a spam module that it installs on infected victim machines. This module generates emails that use standard social engineering techniques and typically contain subject lines including words such as “Invoice”. Some subject lines include the name of the person whose email account has been compromised, to make it seem less like a spam email. The emails typically contain a malicious link or attachment which, if launched, will result in the recipient's machine becoming infected with the malware.

Detecting Emotet With LANGuardian

You can look for instances of Emotet on your network if you monitor network traffic using a SPAN, mirror port, or TAP. Our own LANGuardian product uses this data source and receives regular IDS ruleset updates from multiple threat intelligence providers. These rulesets include Emotet signatures, which monitor your incoming traffic for known Emotet characteristics.

You can view these signatures by clicking Settings > Alert List > Add New Marked Signature. Here you will be able to search by signature ID or name, priority or ruleset, as seen below:

Emotet IDS Ruleset

To be notified of a possible Emotet trojan threat, click ‘mark’ on the signature and choose whether to receive an email or forward the event to a syslog collector, as seen below:

Alert on Emotet activity

It’s also possible to create a report specifically for Emotet threats, to be displayed on your dashboards.

To do this, run an All Events :: Events by Signature name report, choose your time frame, type ‘emotet’ into the Signature name field, apply any other relevant filters and click Run Report.

  • To save the report after it has run, click on Actions > Save As and give your new custom report a name e.g. Emotet Threats and Save.
  • To find this new report, go to All Reports and you will find it under My Reports.

You can also generate alerts by clicking on the signature and setting it to send SMTP email and/or syslog events.

Watch out for any new sources of email on your network. Malware like Emotet uses its own email engine to send malware-laden emails, so an ordinary workstation suddenly talking SMTP directly to the Internet is a red flag. Check the sources of email on your network using the report E-mail :: Emails by source.

Aside from this, ensure your machines are patched, that users are aware of social engineering tactics so they do not open unsolicited attachments, and, if the network is infected, that nobody logs in to an infected machine with administrator credentials, which can make the threat spread faster because Emotet harvests credentials from the machines it compromises.


The easiest way to root out SMBV1 on an Enterprise network

Root out SMBV1 from network

Just over 2 weeks ago, we received an inquiry from a large US multinational in the financial sector with a very specific requirement: ‘we want to know how much SMBv1 is still in use on our network and start the cleanup’. They had tried simply turning it off and waiting to see who complained; the calls came, and that approach did not work. So they wanted a list of all file share servers still accepting SMBv1 connection requests, so that they could ‘root it out’.

That makes sense: SMBv1 is an old, vulnerable protocol, and recent attacks like WannaCry have demonstrated that it should not be in use. It is also critical to get as much visibility as possible into the servers still supporting it, and the clients using or depending on it, before disabling it and potentially having a serious impact on the business.

This organisation has a large and complex network, with over 50k users and 12 data centres. As it has also acquired several other companies in its space, which is not unusual, the network, software and applications are complex and diverse. Making any global change, even a simple upgrade, across a network of this size is not a trivial task, and of course if it is not broken and still supports the business, why risk it?

We arranged a webex and our demo focused on this specific use case. Every device, user and application on the network automatically leaves a traffic trail. There is no need to turn anything on, enable logging or install a client; if they are active on the network they leave a trail. LANGuardian ‘sniffs’ this trail, usually via a TAP, SPAN or port mirror, and uses its deep packet inspection engine to extract application-specific metadata for the most critical applications. It also enriches the metadata with usernames extracted via WMI from the logs of the domain controllers. We support a number of ‘critical’ applications: web, SQL, SMTP, BitTorrent, DNS, DHCP and SMB. With SMB, for example, we extract information such as the client and server IP address, file and folder names and the action performed.

One of the advantages of capturing data ‘off the wire’ is the flexibility to select the specific details to look out for, store and report on demand. The initial SMB client-server negotiation, for example, carries the list of dialects the client is willing to speak, and the server’s reply selects one of them. A client that only offers SMBv1 dialects (such as ‘NT LM 0.12’) and a server that answers with an SMBv1 Negotiate response have established an SMBv1 session. Note that an SMBv2-capable client also opens with an SMBv1-framed negotiate that lists ‘SMB 2.???’ (a client with SMBv1 disabled opens directly with an SMBv2 negotiate), so the client’s opening request alone is not proof of SMBv1 use; what matters is the server’s answer. Luckily for us, we supported analysis down to this level, and could instantly show during the demo all clients on the network initiating an SMBv1 connection request and the servers responding:

Network user SMBv1 actions

Using our report filters to query the database, one can get very specific and list only the servers, on any part of the network, that respond to SMBv1 connection requests with success and establish an SMBv1 session:

An example of SMBv1 connections on a network

All good so far; this covers the use case required, as we have the level of granular detail. The final and most critical step is implementation, especially for such a large network. The system is very easy to use and requires minimal training, so we are good there. LANGuardian can be downloaded and deployed on standard server hardware or VMware. The download, installation and configuration on the physical or virtual device take less than 30 minutes, not bad.

The final and crucial step, especially for a network of this size and complexity, is sensor placement: how do I see the ‘SMB traffic trail’, i.e. all traffic to and from all file share servers on the network, with the minimum number of sensors? Are all the servers in one VLAN, so that I can just mirror that VLAN? Or can I approach it from the client perspective and mirror the point or points in each data centre where all clients connect in? Where are all my file shares? I need to see all traffic to and from all file share servers in order to extract the SMB version information required.

To be investigated….to be continued.

Crypto Mining Malware Spreading Via SMBv1 Vulnerability

Crypto Mining Malware

Ransomware Cryptocurrency Link

During 2017 we saw advances in security tools which have meant IT and network security managers are better equipped to deal with ransomware threats. In addition, many standalone decryption tools have been released by independent researchers. This increased awareness of ransomware prevention (backing up files) and of ransomware detection tools has really helped to reduce the ransomware problem.

Bitcoin is frequently associated with ransomware as it is a popular payment type demanded by ransomware authors. There are many types of cryptocurrency available today, which you can acquire with money or goods, or mine using one or more computers.

The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.

Icarus Bitcoin Mining rig

One of the newer trends in malware is the move away from data encryption towards a stealthier cryptocurrency mining strategy. Mining can happen in the background, with no need for splash screens or data destruction.

Crypto Mining Malware & Association With SMBv1

Many attackers now favor anonymous cryptocurrencies, with Monero being the most prominent. These currencies are popular because they are private and difficult to trace. Servers are often targeted and, since many of them are not updated or patched on a regular basis, attackers have a better chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, were infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144), which targets the SMBv1 protocol.

Crypto mining malware like this covertly mines coins using the victim’s CPU or GPU horsepower without their knowledge, which offers the attacker longer-term gains than a one-off ransom. When a computer is infected many people will fail to notice fans spinning up, higher load or a machine that has simply stopped responding, and will pass it off as “one of those things my computer does.”

How to Detect SMBv1 Use on Your Network

As mentioned earlier, the EternalBlue exploit is being used by many attackers to install ransomware or crypto miners on victims’ PCs. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Because of this, you need to make sure you detect SMBv1 use on your network and switch off the protocol on any system that has it enabled. SMBv1 has been superseded by SMBv2 and SMBv3, which are far more efficient and secure.

However, reality is sometimes more difficult than theory. I met with some of our LANGuardian customers this week. They said that when they disabled SMBv1 on some servers they lost connectivity to some printers. I also had issues in my home lab where certain Android devices lost connectivity to a NAS when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1, but that increases the attack surface of your network.

Using LANGuardian to Detect SMBv1 Use

The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMBv1 clients and servers on your network. You can detect this activity either by monitoring communication between clients and servers or by checking each network device to see whether SMBv1 is enabled.

Find Out What Systems Are Using SMBv1 on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or username. Real-time and historical reports are available, with no need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.
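The negotiation described in the earlier SMBv1 post, and the SMBv1 detection this post calls for, can both be checked from the first two packets of a session. The following is an added example, not LANGuardian code: it parses the SMB Negotiate Protocol request and response and reports which dialect the server actually selected, which is the fact that matters when deciding whether a server still speaks SMBv1. The packet builders and the sample dialect lists are constructed for this example.

```python
"""Decide which SMB dialect a session actually negotiated.

Added example, not LANGuardian code. It parses the Negotiate Protocol
request/response that opens every SMB session (TCP/445, after a 4-byte
NetBIOS session header) and reports the dialect the *server* selected.
The packet builders below exist only to produce constructed sample traffic.
"""
import struct
from typing import List

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x02FF: "SMB 2.???",
                 0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_nbss(data: bytes) -> bytes:
    """Remove the NetBIOS Session Service header (0x00 + 3-byte length) if present."""
    if len(data) >= 4 and data[0] == 0x00:
        return data[4:4 + int.from_bytes(data[1:4], "big")]
    return data


def smb1_dialects_offered(pkt: bytes) -> List[str]:
    """Dialect strings from an SMB1 Negotiate request: each is 0x02 + NUL-terminated name."""
    if pkt[:4] != SMB1_MAGIC or pkt[4] != SMB1_COM_NEGOTIATE:
        return []
    word_count = pkt[32]                               # 32-byte SMB1 header, then WordCount
    body = pkt[33 + 2 * word_count:]
    byte_count = struct.unpack_from("<H", body, 0)[0]
    raw = body[2:2 + byte_count]
    return [d[1:].decode("ascii", "replace") for d in raw.split(b"\x00") if d.startswith(b"\x02")]


def negotiated_dialect(request: bytes, response: bytes) -> str:
    """Dialect the server selected; 'none' if it rejected every dialect the client offered."""
    req, rsp = strip_nbss(request), strip_nbss(response)
    if rsp[:4] == SMB2_MAGIC:
        # SMB2 NEGOTIATE response: 64-byte header, then StructureSize, SecurityMode, DialectRevision
        revision = struct.unpack_from("<H", rsp, 64 + 4)[0]
        return SMB2_DIALECTS.get(revision, f"SMB2 dialect 0x{revision:04x}")
    if rsp[:4] == SMB1_MAGIC and rsp[4] == SMB1_COM_NEGOTIATE:
        index = struct.unpack_from("<H", rsp, 33)[0]   # DialectIndex is the first parameter word
        if index == 0xFFFF:                            # server accepted none of the offered dialects
            return "none"
        offered = smb1_dialects_offered(req)
        return f"SMB1: {offered[index]}" if index < len(offered) else f"SMB1: index {index}"
    return "unknown"


# --- constructed sample packets (builders are assumptions made for this example) ---
def _nbss(pkt: bytes) -> bytes:
    return b"\x00" + len(pkt).to_bytes(3, "big") + pkt


def smb1_negotiate_request(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27
    payload = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(header + b"\x00" + struct.pack("<H", len(payload)) + payload)


def smb1_negotiate_response(dialect_index: int) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27
    if dialect_index == 0xFFFF:                        # no acceptable dialect: WordCount 1
        return _nbss(header + b"\x01" + struct.pack("<H", 0xFFFF) + b"\x00\x00")
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # NT LM 0.12 layout, 17 words
    return _nbss(header + b"\x11" + words + b"\x00\x00")


def smb2_negotiate_response(dialect_revision: int) -> bytes:
    header = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58
    body = struct.pack("<HHH", 65, 1, dialect_revision) + b"\x00" * 59
    return _nbss(header + body)


LEGACY_CLIENT = smb1_negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN_CLIENT = smb1_negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12",
                                        "SMB 2.002", "SMB 2.???"])


def demo() -> dict:
    return {
        "legacy client -> server still on SMBv1": negotiated_dialect(LEGACY_CLIENT, smb1_negotiate_response(2)),
        "modern client -> server still on SMBv1": negotiated_dialect(MODERN_CLIENT, smb1_negotiate_response(2)),
        "modern client -> SMB2 server": negotiated_dialect(MODERN_CLIENT, smb2_negotiate_response(0x02FF)),
        "legacy client -> SMBv1 disabled": negotiated_dialect(LEGACY_CLIENT, smb1_negotiate_response(0xFFFF)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The `demo()` scenarios make the point from the text: a modern client still opens with an SMBv1-framed Negotiate listing “SMB 2.???”, so a server answering with an SMB2 Negotiate response has not used SMBv1 at all, whereas an SMBv1-only server selecting “NT LM 0.12” has. A response with DialectIndex 0xFFFF is what you see once SMBv1 has been disabled on the server.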

How To Detect Unauthorised DNS Servers On Your Network

Detecting unauthorized DNS servers to prevent DNS poisoning

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul Mockapetris, then at the University of Southern California, in the days of ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a secure protocol and it is a popular target for attackers. There are two broad ways DNS can be attacked: protocol attacks (attacks that abuse how DNS itself works) and server attacks (attacks on bugs or flaws in the software or machines running DNS services).

One of the more recent protocol attacks was the

In both of these cases the attackers change your configured DNS server from, for example, 8.8.8.8 (Google) to one of their own. Most of your DNS queries will be answered correctly and you will get the right IP addresses. However, for certain sites, such as banking, the attackers direct you to a mocked-up website which looks like the real one. Your logon details are captured once you start to interact with the site and are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and a number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder, where LANGuardian builds up an inventory of all DNS servers seen and the client queries sent to them.

A LANGuardian report showing unauthorised DNS server use

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try to access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

  • 192.168.127.22 (hosted internally on network)
  • 8.8.8.8 (Google public DNS, primary)
  • 8.8.4.4 (Google public DNS, secondary)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule that triggers if queries to any other server are detected. The screenshot below shows an example of this.

Unauthorised DNS servers alert configuration

Once the rule is saved it will look like this on the LANGuardian alerts list.

LANGuardian DNS Alert Rule

Once the unauthorised DNS server alert is triggered, LANGuardian captures DNS metadata such as the source and destination IP addresses, the country where the DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

A list of unauthorised servers detected on the network using network traffic analysis

These alerts can also be exported as syslog so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.
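Here is the same check done directly on captured traffic, as an added example rather than LANGuardian’s own code: it parses the question section of each UDP/53 datagram and reports any query sent to a resolver outside the whitelist above (192.168.127.22, 8.8.8.8, 8.8.4.4). The sample datagrams and the `build_query` helper are constructed for this example. Only plain DNS on port 53 is visible this way; a client using DNS over HTTPS or TLS shows up as a 443 or 853 session instead, which is why the traffic sample includes one such entry that the audit deliberately ignores.

```python
"""Audit DNS queries seen on the wire against a resolver whitelist.

Added example, not LANGuardian code. Each UDP/53 datagram's question section
is parsed and any query sent to a resolver outside the whitelist is reported.
The sample datagrams are constructed with build_query() for this demo.
"""
import ipaddress
import struct

# Whitelist from the text
ALLOWED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.168.127.22", "8.8.8.8", "8.8.4.4")}
QTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_qname(name):
    """hostname -> DNS wire-format labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query with one question; used only to build sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: query, RD set
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def parse_question(payload):
    """(name, qtype) from the first question of a DNS query, or None for responses/malformed data."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if flags & 0x8000 or qdcount < 1:      # QR bit set means this is a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):   # compression pointers never appear in a query's QNAME
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack_from(">HH", payload, pos)
    return ".".join(labels), qtype


def audit_dns(datagrams, allowed=ALLOWED_RESOLVERS):
    """datagrams: (src_ip, dst_ip, dst_port, payload). One alert per query to a non-whitelisted resolver."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != 53:                     # DoH/DoT traffic is not visible to a port-53 decoder
            continue
        question = parse_question(payload)
        if question is None or ipaddress.ip_address(dst) in allowed:
            continue
        name, qtype = question
        alerts.append({"client": src, "resolver": dst, "name": name,
                       "qtype": QTYPE_NAMES.get(qtype, str(qtype))})
    return alerts


# Constructed traffic sample: (src_ip, dst_ip, dst_port, payload)
SAMPLE = [
    ("192.168.127.50", "192.168.127.22", 53, build_query("www.bank.example")),
    ("192.168.127.51", "8.8.8.8", 53, build_query("www.example.com")),
    ("192.168.127.52", "203.0.113.9", 53, build_query("www.bank.example")),      # unauthorised resolver
    ("192.168.127.52", "203.0.113.9", 53, build_query("mail.example.net", 15)),
    ("192.168.127.53", "203.0.113.9", 53, b"\x12\x34\x01"),                       # truncated datagram
    ("192.168.127.54", "203.0.113.9", 443, b"POST /dns-query HTTP/1.1\r\n"),    # DoH, invisible here
]

if __name__ == "__main__":
    for alert in audit_dns(SAMPLE):
        print(f"{alert['client']} queried {alert['name']} ({alert['qtype']}) "
              f"via unauthorised resolver {alert['resolver']}")
```

The alerts carry the same fields the text says LANGuardian records (client, resolver, queried name), so they can be fed to syslog in the same way.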

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers as well as all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up devices using external DNS servers. Most managed switches support SPAN or mirror ports; if your switch does not have any traffic monitoring options, there are many alternatives to SPAN ports. The video below shows the steps needed to monitor Internet traffic, and you should extend this to also cover your local DNS servers.

Find Out What DNS Servers Are In Use On Your Network

Use the deep packet inspection engine of LANGuardian to report on what DNS servers are in use on your network. Real-time and historical reports are available, with no need to install any agents or client software.

  • See what DNS servers are in use
  • Generate alerts if a network device uses an unauthorised DNS server
  • Capture DNS metadata so you can troubleshoot DNS issues and perform forensics on past events.

All analysis is done passively using network traffic analysis and you will see results within minutes.

How to Passively Detect VPN Clients on Your Network

How to detect the presence of VPN clients

Why worry about VPN clients?

VPNs have been around for a long time. A VPN extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

If you use public WiFi networks such as those found in airports and cafes, then using a VPN service is recommended. A VPN encrypts all of your traffic between your device and the VPN server, so nobody on the local network can read it.

However, there are times when VPN activity is suspicious and/or bad. I see an increasing amount of VPN activity on college/school networks. In most cases end users are using a VPN to get around a web filter or to use a blocked application such as BitTorrent. A VPN also punches a hole in your firewall and may become a route for nasties such as ransomware.

“A VPN client will punch a hole through your firewall”

Common uses for VPN clients

Good

  1. Site to site connectivity where a branch office can connect to HQ via the Internet
  2. Allows remote workers to connect to HQ
  3. Encrypts your data when you are on a public WiFi network

Bad

  1. Bypass web filters (some may not see this as bad)
  2. Allows you to run applications which are blocked
  3. Create a hole in a Firewall which may become the source of a Malware infection
  4. Can be used for data exfiltration

How to detect VPN clients on your network

VPN clients can be difficult to detect as they typically use a port such as 443, over UDP or TCP, which is normally open on a firewall. However, there are a number of things to watch out for. First we need to understand how the most common VPN clients work.

Most VPN clients come as a software package which includes the VPN software itself and a database of VPN servers. The idea is that everything you need is included at install time, so the client never needs to visit a specific website to connect; if it did, it would be easy to block access to those websites. This is what makes VPN clients hard to detect if you are only looking at reports from something like a web filter.

Once you select a VPN server, an encrypted tunnel is created between your client and that server, and all of your Internet-bound activity is routed through it. If you browse a website, for example, the VPN server connects to the website and sends the text, images and media back to you through the encrypted tunnel. This is what makes them private: someone ‘sniffing’ your local traffic cannot see what you are accessing.

How VPN works

In summary, a VPN client makes a direct connection to a VPN server, and that server then does the job of accessing whatever service or application you requested. This differs from users connecting to websites or applications directly. For example, when I visit YouTube in a web browser and type in YouTube.com, my computer first resolves this name to an IP address using DNS, because computers connect using IP addresses, not human-readable names.

To detect VPN clients on a network, therefore, we need to watch out for client-to-server sessions with no preceding DNS resolution. To do this you need to monitor network traffic going to and from your Internet gateway, and you also need to monitor DNS traffic hitting your DNS servers if you host them locally.

Detecting VPN Clients

  1. Monitor Internet traffic
  2. Monitor DNS queries
  3. Watch out for client connections to external hosts with no name resolution

What you need to watch out for is any session to an external IP address for which no hostname was resolved. If the connection is over TCP or UDP port 443 then you are probably looking at VPN client activity. Bear in mind that not every such session is a VPN: some applications connect to hard-coded IP addresses, and a client that resolves names over DNS over HTTPS will also show no port 53 lookups, so treat a hit as a lead to investigate rather than proof. The image below shows an example of what to watch out for if you want to detect VPN clients. The first client listed is connecting directly to an IP address, as no hostname is shown. The other connections are to googlevideo.com, which is part of the YouTube service.

Report showing a VPN client connecting to an external VPN server

Check out the video below to learn more about how you can use our LANGuardian product to detect VPN clients.
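The detection rule above, correlating outbound sessions against the DNS answers seen earlier, written out as an added example that is not LANGuardian code. It replays a constructed DNS answer log and a constructed connection log, skips internal destinations, and reports 443 sessions to external hosts for which no name was ever resolved. The grace window for how long a DNS answer is taken to explain a later connection is an assumption.

```python
"""Report outbound sessions whose destination was never resolved via DNS.

Added example, not LANGuardian code. A VPN client ships with its own server
list and connects to IP addresses directly, so its sessions are not preceded
by a DNS answer for that address. The two logs below are constructed for
this example; the DNS grace window is an assumption.
"""
import ipaddress
from collections import defaultdict

DNS_GRACE_SECONDS = 3600.0   # how long an answer is taken to explain a later connection (assumption)

# Constructed DNS answer log: (timestamp, queried name, answered IP)
DNS_ANSWERS = [
    (100.0, "youtube.com", "142.250.74.78"),
    (100.1, "r3---sn-abc.googlevideo.com", "74.125.98.137"),
    (101.0, "www.example.com", "93.184.216.34"),
]

# Constructed connection log: (timestamp, src, dst, proto, dst port)
CONNECTIONS = [
    (100.2, "10.0.0.15", "142.250.74.78", "tcp", 443),
    (100.3, "10.0.0.15", "74.125.98.137", "tcp", 443),
    (100.4, "10.0.0.23", "185.159.157.12", "udp", 443),   # no DNS answer seen: VPN-like
    (100.5, "10.0.0.23", "185.159.157.12", "tcp", 443),
    (101.2, "10.0.0.31", "93.184.216.34", "tcp", 443),
    (101.3, "10.0.0.31", "10.0.0.5", "tcp", 443),          # internal destination, ignored
    (101.4, "10.0.0.42", "203.0.113.7", "tcp", 80),        # not a 443 session, ignored
]


def build_resolution_index(dns_answers):
    """Map answered IP -> [(timestamp, name)] so a connection can be tied to an earlier answer."""
    index = defaultdict(list)
    for ts, name, ip in dns_answers:
        index[ip].append((ts, name))
    return index


def name_for(index, ip, at_time, grace=DNS_GRACE_SECONDS):
    """Most recent name answered for ip before at_time and within the grace window, else None."""
    best = None
    for ts, name in index.get(ip, []):
        if ts <= at_time <= ts + grace and (best is None or ts > best[0]):
            best = (ts, name)
    return best[1] if best else None


def is_external(ip):
    """True for globally routable addresses; private, loopback and documentation ranges count as internal."""
    return ipaddress.ip_address(ip).is_global


def find_unresolved_sessions(connections, dns_answers, ports=(443,)):
    """Sessions to external hosts on the given ports that had no preceding DNS answer."""
    index = build_resolution_index(dns_answers)
    suspects = []
    for ts, src, dst, proto, port in connections:
        if port not in ports or not is_external(dst):
            continue
        if name_for(index, dst, ts) is None:
            suspects.append({"time": ts, "src": src, "dst": dst, "proto": proto, "port": port})
    return suspects


def summarise_by_client(suspects):
    """Collapse to one entry per (client, server) so one VPN tunnel is reported once."""
    seen = {}
    for s in suspects:
        seen.setdefault((s["src"], s["dst"]), set()).add(s["proto"])
    return {pair: sorted(protos) for pair, protos in seen.items()}


if __name__ == "__main__":
    report = summarise_by_client(find_unresolved_sessions(CONNECTIONS, DNS_ANSWERS))
    for (src, dst), protos in report.items():
        print(f"{src} -> {dst}:443 over {'/'.join(protos)}, no DNS resolution seen")
```

In production the DNS answer index has to be fed from the same vantage point as the connection log; if the monitor cannot see the resolver traffic, every session looks unresolved and the rule produces nothing but noise.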

Firewall Reporting Excessive SYN Packets? Check Rate of Connections

TCP handshake showing SYN packets

What are SYN packets?

Last week I was on the road in Scotland visiting some of our university customers. During a meeting with a Network Security Specialist, a network issue popped up and he said to me “our firewall is triggering SYN packet alerts, is there anything you can do to help?”

SYN packets are generated when a client attempts to start a TCP connection to a server; the client and server then exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and it is the foundation for every connection established using TCP. In the past attackers could bring down a firewall by sending lots of SYN packets (a SYN flood): every half-open connection consumed an entry in the firewall’s state table until it stopped accepting new connections. This can be a massive business problem now that so many applications are cloud based and need fast and reliable Internet access.

A SYN alert could be the sign of attacker reconnaissance

Modern firewalls deal with SYN floods better, by rate limiting SYN requests and using SYN cookies amongst other things. However, they still retain their alerting features, so if something unusual is spotted they will trigger an alarm.

Not all SYN alerts are attacks designed to bring down your firewall. This was the case with the customer I mentioned earlier: they were getting a lot of connections from a host in China which was scanning for systems running SSH services. This is very common; attackers often seek out SSH servers and, once found, run a dictionary attack against root or other accounts. If successful, they have a foothold on the LAN segment that the SSH server sits on.

The image below shows a sample of the events from our LANGuardian system. Each one of these is triggered when a host tries to connect to more than 300 other systems in 25 seconds or less. At the same time the firewall on the same network was triggering excessive SYN packets alerts. The fix in this case was to get the ISP to block the Chinese host.

SYN alerts generated by lots of connections from a single host

How to get visibility at the network edge

If you want to see what is hitting your firewall then you need to monitor network traffic hitting the outside network interfaces. Typically this is done by setting up a SPAN or mirror port on the network switch which connects to the external interfaces.

The image below shows a typical setup. Network packets destined for the LAN or DMZ are analysed by a traffic analysis tool connected to the network switch which joins devices together outside the LAN firewall. Most servers located here will have a public IP address and so will be exposed to network scanning activity. You can also measure SYN packet rates at this point and see what is hitting your main firewall.

DMZ network with traffic monitoring tool in place

One of the main things I watch out for in the DMZ is the rate of connection attempts. This is similar to detecting SYN attacks but, as I mentioned, most of this activity is reconnaissance: attackers trying to find a way into your network. Some of the firewalls I looked at trigger SYN attack alerts when they start receiving around 10,000 connection attempts per second, but this varies.

The image below is from one of our LANGuardian systems. It is reporting the level of what we call netscans: a netscan is triggered when one host tries to connect to more than 300 others in less than 25 seconds. An alert is triggered when this goes over 20 events per second. Our testing has shown that some firewalls start triggering their own alerts when this rate is reached and may start dropping or refusing connections.

Network scan levels
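The netscan rule described above can be written as a sliding-window count of distinct destinations per source. The following is an added example (not LANGuardian’s detection code) that applies the thresholds from the text, more than 300 destinations within 25 seconds for one event and more than 20 events per second for an alert, to a constructed SYN log; the log layout and the sample addresses are assumptions.

```python
"""Sliding-window netscan detector over a constructed TCP SYN log.

Added example, not LANGuardian's detection code. Thresholds are the ones
from the text: a source reaching more than 300 distinct destinations within
25 seconds is one netscan event, and more than 20 events in a second is the
alert level. The log layout and sample addresses are assumptions.
"""
from collections import defaultdict, deque

SCAN_TARGETS = 300          # distinct destinations ...
SCAN_WINDOW = 25.0          # ... within this many seconds = one netscan event
ALERT_EVENTS_PER_SEC = 20   # netscan events per second that should raise an alert


def detect_netscans(syns, targets=SCAN_TARGETS, window=SCAN_WINDOW):
    """syns: time-ordered (timestamp, src_ip, dst_ip, dst_port) tuples, one per SYN.
    Returns (timestamp, src_ip, distinct_destinations) for every netscan event.
    After an event the source's window is reset, so a long scan yields one event per
    threshold crossing rather than one per packet."""
    recent = defaultdict(deque)                       # src -> deque of (ts, dst) inside the window
    counts = defaultdict(lambda: defaultdict(int))    # src -> dst -> occurrences inside the window
    events = []
    for ts, src, dst, _port in syns:
        recent[src].append((ts, dst))
        counts[src][dst] += 1
        while recent[src] and ts - recent[src][0][0] > window:   # expire SYNs older than the window
            _, old = recent[src].popleft()
            counts[src][old] -= 1
            if counts[src][old] == 0:
                del counts[src][old]
        if len(counts[src]) > targets:
            events.append((ts, src, len(counts[src])))
            recent[src].clear()
            counts[src].clear()
    return events


def events_per_second_peak(events):
    """Highest number of netscan events landing in any single one-second bucket."""
    buckets = defaultdict(int)
    for ts, _src, _n in events:
        buckets[int(ts)] += 1
    return max(buckets.values(), default=0)


def alert_level_reached(events, threshold=ALERT_EVENTS_PER_SEC):
    return events_per_second_peak(events) > threshold


def make_sample_log():
    """One external host sweeping 10.20.0.0/16 for SSH at 100 SYNs/s, plus a normal web client."""
    log = [(1000.0 + i * 0.01, "203.0.113.50", f"10.20.{i // 256}.{i % 256}", 22) for i in range(1, 701)]
    log += [(1000.55 + i, "10.20.5.5", dst, 443) for i, dst in enumerate(["10.20.0.8", "10.20.0.9", "10.20.0.8"])]
    return sorted(log)


def make_flood_log():
    """25 sources each hitting 301 hosts inside the same second: the kind of burst a firewall chokes on."""
    return sorted((2000.0 + i * 0.003 + s * 0.0001, f"198.18.{s}.1", f"10.20.{i // 256}.{i % 256}", 22)
                  for s in range(25) for i in range(1, 302))


if __name__ == "__main__":
    for name, log in (("single scanner", make_sample_log()), ("burst", make_flood_log())):
        ev = detect_netscans(log)
        print(f"{name}: {len(ev)} netscan events, peak {events_per_second_peak(ev)}/s, "
              f"alert={alert_level_reached(ev)}")
```

The single scanner produces netscan events but never reaches the 20-per-second alert level, which matches the text: one SSH sweep is reconnaissance worth reporting, while the alert threshold is there for the kind of burst that also makes the firewall start dropping connections.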

We have seen instances, for example DDoS attacks, where the organisation’s firewall is under so much pressure trying to handle the attack that it cannot be accessed and used as a reporting or forensics tool. Another advantage of a continuous but passive system such as LANGuardian is that it can always be accessed when required and, as it is not inline, it can never impact network availability or performance.

The video below goes through the steps needed to setup a SPAN or mirror port to monitor network traffic. The example covered looks at monitoring the internal LAN interfaces of a firewall but you can apply a similar approach when it comes to monitoring the external interfaces.

Why a CCTV type system is a necessity for Monitoring Network Traffic

CCTV for computer networks

Why monitor network traffic?

The recent Equifax security breach resulted in hackers getting their hands on the sensitive personal information of 143 million American consumers. The breach lasted from mid-May 2017 through July 2017. The hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers from about 209,000 people and dispute documents with personal identifying information from about 182,000 people; they also grabbed personal information of people in the UK and Canada.

This information was not carried in briefcases. It left the organization as a payload in network traffic, mixed in with the massive amounts of legitimate traffic that would have left Equifax during the hacking period. While it is good practice to have firewalls and threat detection systems, many of them rely on known signatures of exploit attempts. This approach fails if you are targeted with something new, or if your security applications are missing detection capabilities for a specific type of attack. This is one of the main reasons why you need to constantly monitor network traffic leaving and entering your network.

What is a CCTV system for monitoring network traffic?

When I talk about a CCTV type system for monitoring network traffic, I usually give this analogy. When we want to protect physical buildings, we invest in locks, gates, walls and other physical barriers to protect our property and physical assets.

We also invest in CCTV systems so that if there is a break in, we can see what is happening in real time and get recordings so we can look back over events. If you have a breach, it is important to know what happened so that we can make changes to prevent further breaches happening in the future. CCTV systems can also alert if someone enters a premises outside of normal working hours.

Monitoring network edge

Too often in the digital world, we forget about monitoring tools. Senior management often sees them as a ‘nice to have’ as there is no obvious payback. It is easy to get seduced into spending IT budgets on fancy firewalls and threat prevention systems as they can take an action. However, the Equifax hack has reminded us that we need eyes on our networks 24/7 and we need to keep historical records of who is connecting to what so that we can go back and see how someone hacked into our network.

network flows

A CCTV system for network traffic can be based on flow or packet analysis. If you use managed switches or have a router, you already have a data source: a SPAN or mirror port for packets, or flow export from the router. From this analysis you need to be capturing information such as:

  • True application names as you cannot rely on port labels
  • Resource (URI) names
  • HTTP header fields
  • Web client information
  • DHCP data such as IP addresses, MAC and host-names
  • SMTP metadata such as email addresses and subject lines
  • BitTorrent Hash values
  • DNS SPAM detection
  • SMB and NFS metadata
  • Ingress and egress IP flows including IP addresses and port numbers
  • Associated GeoIP details
  • Packet counts
  • IP flow counts
  • Detect application layer attacks
  • Associated usernames
  • Accurate web domain names from DNS, HTTP or HTTPS traffic analysis

One of the most important things is that you get both a real-time and historical view of this data. Most network monitoring applications do real-time monitoring. Some do historical reporting but may age and compress data to cut down on disk usage. This is not ideal, as you will want to store as much detail as possible so that you can investigate historical events. Make sure you choose a forensics or monitoring application that retains all information captured.

Integrating IDS (Intrusion Detection System) and traffic analysis is also beneficial. This allows you to detect known attacks as well as providing extra context, like what connections were made and whether the attackers targeted any other systems on your network. You will only get good threat detection with packet analysis; flow data (NetFlow, IPFIX, etc.) will struggle because it does not include packet payloads.

Your monitoring tool needs to be independent of edge equipment

Many firewalls now come with advanced logging and reporting capabilities. On paper, they tick boxes for both prevention and reporting. However, if your network is under attack you may find that these logs become inaccessible.

Some time ago I attended a JANET conference in the UK. A number of universities had been targeted with DDoS attacks. Many network managers spoke about how they struggled to understand what was happening, as their firewall logs were inaccessible or were filling up so quickly it was difficult to get an overall view of where the DDoS traffic was coming from. One of the recommendations from the conference was to ensure your monitoring tools were independent of edge devices such as firewalls or routers.

Don’t wait for a breach before investing in monitoring tools

The worst way to implement monitoring tools is to do so in the middle of an attack. You will never capture all the information you need and you may be rushed into buying tools that don’t address your requirements. Get something in place ASAP and use the CCTV analogy when discussing it with senior management. In today’s world, you need to be watching over your network 24/7.

23 NYCRR 500 – How LANGuardian can help with Compliance

23 NYCRR 500

The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Governor Andrew Cuomo

23 NYCRR 500: What it means for you

NYCRR 500 is a regulatory compliance standard that regulates the Financial Services Industry (FSI) in New York. This regulation mandates each institution have a cyber security program, Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of their compliance, and more.

NYCRR 500 requires that banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The key date to keep in mind is August 28, 2017: the regulation took effect on March 1, 2017, and that date marks the end of the 180-day transitional period to comply with the requirements set forth in 23 NYCRR 500.

The key elements of the proposal are as follows, and a summary of these elements can be found here:

  1. Establishment of a Cybersecurity Program to include:
    • Adoption of a written Cybersecurity Policy
    • Identify and assess internal and external Cybersecurity risks that may threaten the security or integrity of data stored in an organization’s IT systems.
    • Use defensive infrastructure and implementation of policies and procedures to protect the IT systems from unauthorized access or malicious acts.
    • Detect cybersecurity events.
    • Respond to identified or detected Cybersecurity events to mitigate any negative effects.
    • Recover from Cybersecurity Events and restore normal operations and services.
    • Fulfill applicable regulatory reporting requirements.
  2. Mandatory Chief Information Security Officer
  3. Cybersecurity Training for Employees
  4. Third-Party Service Providers Risk
  5. Incident Monitoring and Reporting
  6. Information Security Audits

How LANGuardian can help with 23 NYCRR 500

While no one system can provide the full range of compliance across all of the regulatory requirements, a forensic threat investigation solution and incident response plan will be the most important tools for demonstrating compliance.

Written policies (as defined in section 500.3) are an important first step, but compliance requires the demonstration of consistent policy enforcement. Forensic data and reporting are needed to demonstrate consistent enforcement of these new rules, and there are four sections in particular where LANGuardian provides many benefits.

Section 500.02 Cybersecurity Program (1) (3)

Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems.

LANGuardian includes both an intrusion detection system (IDS) and an advanced network traffic analysis engine. This allows you to spot rogue devices on the network as well as to generate alerts when cybersecurity events are detected.

Information Security—500.3 (a)

Being able to protect the sensitive and confidential information hosted on systems is critical in the financial industry. You must have a policy in place that allows you to identify who should have access to sensitive information. When a security breach takes place, you need to see what the bad actors gained access to and what they saw. Finally, you need to be able to prove whether somebody outside of your authorized list accessed the sensitive information.

LANGuardian can monitor network activity both inside and at the network edge. There is no need for agent or client software, and because it is not inline it will not impact the performance of your network. The image below shows a sample LANGuardian report listing which users accessed certain files on a network share.

Systems and Network Security—500.3 (g)

When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections that they offer. What tools do you have in place, and how do you know what security functions they provide? Regardless of the tools, you need to define a policy outlining how the tools protect your sensitive information.

The image below shows how LANGuardian highlighted a suspicious network scan originating from an external IP address. In this case we would use LANGuardian to first identify when the scanning started and whether the external clients accessed any other systems on the network. Based on this forensic analysis we would then take an appropriate action, such as blocking certain ports on the firewall.

Network Security Events

Systems and Network Monitoring—500.3 (h)

To enforce the policies of systems and network security, active surveillance and analysis of network systems are required. Without baselining user and traffic behavior, network and security teams are blind to network activity. You need to have an exhaustive record of normal traffic patterns, and you must set up a system that alerts when traffic deviates.

LANGuardian uses a combination of metadata capture and network based intrusion detection to monitor network traffic on a network. It does not age data, so you can look back at historical data in the event of a security breach. The image below shows a LANGuardian report which lists what clients were making outbound connections from a network.

monitor network traffic

Incident Response—500.3 (n)

The main goal in any incident response and forensic threat investigation solution is to provide teams with the ability to respond quickly to incidents. With that in mind, using such a solution provides organizations with the ability to respond quickly to threats and discover where they’ve gone.

LANGuardian can generate email alerts, or export alerts as SYSLOG events, which can be picked up by SIEM systems. The image below shows a sample of event types that can be triggered by LANGuardian.

network events triggered by IDS

Creating a Ransomware Monitoring Dashboard

Ransomware Monitoring Dashboard

Creating a Ransomware Monitoring Dashboard with LANGuardian

Ransomware has really hit the headlines since WannaCry was first detected. If you want to learn more about this variant, check out our latest blog post which takes a look at how to detect the presence of WannaCry Ransomware and SMBv1 servers on your network.

We regularly send security bulletins to customers and one of the most common questions when it came to Ransomware was what would be a good set of reports to add to a Ransomware Monitoring dashboard. As WannaCrypt and its variants are very prominent at the moment, the focus is on it. However, as you can see from the video below, the dashboard can be used to monitor many other Ransomware variants.

Ransomware Monitoring Elements

This list shows the 8 elements that make up our basic Ransomware monitoring dashboard. We will publish more information at a later date as we learn more about WanaCrypt0r 2.0 and other variants. The video below explains more about how to set up each element and how to interpret the data returned.

  1. Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
  2. Any activity associated with WannaCry web domains.
  3. A list of Windows XP clients; as these use SMBv1, they are seen as vulnerable.
  4. A list of servers running SMBv1.
  5. Graphic showing the rate of file renames on network shares. A high number of file renames is a sure sign of Ransomware.
  6. Top clients (you can also get usernames) renaming files on your network
  7. Any outbound activity on your network using TCP port 445
  8. Any instances of ransom note text files associated with WannaCry

The video references these variables which you can copy\paste when needed.

  • WannaCry file extensions: \.wnry$|\.wcry$|\.wncry|\.wncryt$
  • WannaCry web domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • WannaCry ransom note text file: @Please_Read_Me@.txt

If you want to add elements for detecting XData Ransomware, use these variables

  1. Search for any file containing the text string XData
  2. Search for any file names matching HOW_CAN_I_DECRYPT_MY_FILES.txt.

We are also working on an update to LANGuardian which can trigger an alert whenever an SMB1 protocol request or response is seen. This will then enable you to use the Ransomware Monitoring dashboard and get alerts, if required.
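The dashboard elements above are all derived from file-activity metadata: which client renamed or created which file, and when. As an added illustration (this is not LANGuardian code or a NetFort script), the following Python applies the same indicators to a constructed set of SMB file-activity records: the WannaCry extension regex and ransom-note name from the variables above, the two XData indicators, and a per-client sliding-window rename rate for elements 5 and 6. The record layout, the 20-renames-per-60-seconds threshold and the IGNORECASE flag on the extension regex (the extension is often seen as `.WNCRY`) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Dashboard variables quoted in the post. IGNORECASE is an addition so that .WNCRY is also caught.
WANNACRY_EXTENSIONS = re.compile(r"\.wnry$|\.wcry$|\.wncry|\.wncryt$", re.IGNORECASE)
WANNACRY_RANSOM_NOTE = "@Please_Read_Me@.txt"
# XData indicators from the post.
XDATA_NOTE = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
XDATA_MARKER = "XData"

# Constructed sample of file-activity metadata: (epoch seconds, client IP, username, action, UNC path).
SAMPLE_EVENTS = (
    # 25 renames in 25 seconds by one client, every target carrying a WannaCry extension
    [(1000 + i, "10.1.1.20", "alice", "rename", rf"\\fs01\finance\report{i}.xlsx.WNCRY") for i in range(25)]
    # a user renaming three files over an hour: normal behaviour
    + [(2000 + 1200 * i, "10.1.1.30", "bob", "rename", rf"\\fs01\hr\draft{i}.docx") for i in range(3)]
    # ransom notes being dropped on shares
    + [(1030, "10.1.1.20", "alice", "create", r"\\fs01\finance\@Please_Read_Me@.txt"),
       (3000, "10.1.1.50", "dave", "create", r"\\fs02\share\HOW_CAN_I_DECRYPT_MY_FILES.txt"),
       (3001, "10.1.1.50", "dave", "create", r"\\fs02\share\XData_decrypt_info.txt")]
)


def basename(unc_path):
    """Last component of a Windows UNC path."""
    return unc_path.rsplit("\\", 1)[-1]


def wannacry_file_hits(events):
    """Elements 1 and 8: files with a WannaCry extension or the WannaCry ransom note name."""
    return [e for e in events
            if WANNACRY_EXTENSIONS.search(e[4]) or basename(e[4]) == WANNACRY_RANSOM_NOTE]


def xdata_file_hits(events):
    """XData indicators: file name containing 'XData' or equal to the XData ransom note."""
    return [e for e in events
            if XDATA_MARKER in basename(e[4]) or basename(e[4]) == XDATA_NOTE]


def peak_rename_rate(events, window=60):
    """Elements 5 and 6: for each client, the highest number of renames seen in any `window`-second span."""
    per_client = defaultdict(list)
    for ts, client, _user, action, _path in events:
        if action == "rename":
            per_client[client].append(ts)
    peaks = {}
    for client, times in per_client.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] < start + window:   # grow window from times[i]
                j += 1
            best = max(best, j - i)
        peaks[client] = best
    return peaks


def ransomware_dashboard(events, rename_threshold=20, window=60):
    """Assemble the dashboard panels; `rename_threshold` is an assumed alerting level."""
    peaks = peak_rename_rate(events, window)
    return {
        "wannacry_files": wannacry_file_hits(events),
        "xdata_files": xdata_file_hits(events),
        "rename_peaks": peaks,
        "suspect_clients": sorted(c for c, n in peaks.items() if n >= rename_threshold),
    }


if __name__ == "__main__":
    board = ransomware_dashboard(SAMPLE_EVENTS)
    print("suspect clients:", board["suspect_clients"])
    print("rename peaks:", board["rename_peaks"])
    print("WannaCry file hits:", len(board["wannacry_files"]), "XData file hits:", len(board["xdata_files"]))
```

Note that the post's regex leaves `\.wncry` unanchored, so it also matches `.wncryt`; the code keeps the expression exactly as published rather than tightening it.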

Video Guide: Setting up a Ransomware Monitoring dashboard

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

Wannacry Ransomware

How to detect the presence of WannaCry Ransomware and SMBv1 servers

WannaCry Ransomware has become very active in May 2017. It looks to be targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. One of the big lessons from this Ransomware outbreak is that it is vital that you have monitoring in place on your network. You need to be able to quickly identify suspicious activity. When it comes to detecting Ransomware there are three key things to watch out for

  1. An increase in file renaming on your network shares.
  2. SMBv1 activity
  3. Inbound SMB activity if TCP port 445 is open on your Firewall

Passively Detect Ransomware Using Network Traffic Analysis

Network traffic monitoring is an ideal way of monitoring what is happening on your network, as you don’t need to install agents or client software on your network devices. It is also a very useful option for continuously checking your network for vulnerable legacy systems like Windows XP or systems that can use SMB1 which is deemed to be insecure.

Detecting Ransomware Step 1 – Setup a Data Source

One of the easiest ways to monitor what is happening on your network is to set up a SPAN/mirror port or use a network TAP. This gives you access to flows and packet payloads, so you can see who is connecting to what and whether there is anything suspicious moving around.

Check out this blog post if you use Cisco switches, as it explains how you can monitor multiple network segments without needing to remember what is connected to which switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to set up monitoring on other switches.

As I mention above, you can monitor what is happening on your network by monitoring network traffic. However, you do need an application that can process network packets to get meaningful information. Tools like Wireshark may struggle if you are dealing with large volumes of traffic.

Our own product LANGuardian can be used to monitor network traffic. It does not store every packet; instead it captures metadata which can be used to spot security or operational issues on networks. It includes an SMB and NFS decoder as well as a built-in Intrusion Detection System (IDS). When it comes to Ransomware, these metadata values are useful for spotting problems:

  • File names, specifically those hosted on Windows file shares
  • File actions like rename or create
  • File sharing protocol versions like SMBv1
  • Capturing specific packets associated with known Ransomware variants
  • Flow records of clients connecting to external IP addresses

Even if you don’t plan on using LANGuardian, check if your existing network monitoring tools have the ability to capture this data. Flow-based tools are not good at detecting Ransomware, as they do not see the packet payloads which are required to tell whether your file shares are under attack.

Step 2. How to Focus on WannaCry Ransomware

There are six things to watch out for when it comes to detecting WannaCry Ransomware:

  1. Check for SMBv1 use. This Ransomware is not limited to just Windows server 2003 and XP clients. A large number of WannaCry victims were running Windows 7. SMBv1 can run on all Windows versions so check your network for any activity.
  2. Check your web and DNS traffic for any attempts to connect to these domains:
    • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
    • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
    • iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com
  3. Check for an increase in the rate of file renames on your network
  4. Look out for any outbound traffic on TCP 445. This really should be blocked.
  5. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  6. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt

SMBv1 is deprecated and should be removed from your network. SMBv1 isn’t safe, and you lose key protections offered by later SMB protocol versions. At a minimum, you should be patching your systems as per Microsoft Security Bulletin MS17-010. In the video below, I cover more about how you can use LANGuardian to detect SMBv1 and suspicious file activity.
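Items 1, 2 and 4 of the checklist above can be evaluated directly against captured traffic. The Python below is an added example, not LANGuardian's decoder, showing how each is done on constructed telemetry: an SMB message is classified as SMB1 or SMB2/3 by the 4-byte signature that follows the NetBIOS session header, and an SMB1 NEGOTIATE request is parsed for the dialect strings it offers (a client that offers no `SMB 2.xxx` dialect can only ever speak SMBv1, which is how legacy clients stand out); DNS query names are matched against the five domains listed above, tolerating the trailing dot DNS uses; and flows are checked for outbound TCP 445. The dialect lists in the fixtures, the `10.0.0.0/8` internal range and the flow tuple layout are assumptions for the example.

```python
import ipaddress
import struct

# Domains listed in the post.
WANNACRY_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com",
}

SMB1_SIGNATURE = b"\xffSMB"   # SMB1 header starts 0xFF 'S' 'M' 'B'
SMB2_SIGNATURE = b"\xfeSMB"   # SMB2/3 header starts 0xFE 'S' 'M' 'B'
SMB1_NEGOTIATE = 0x72         # SMB1 command code for NEGOTIATE


def netbios_frame(smb_message):
    """Prefix an SMB message with the 4-byte NetBIOS session service header used on TCP 445/139."""
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


def build_smb1_negotiate(dialects):
    """Constructed fixture: an SMB1 NEGOTIATE request advertising the given dialect strings."""
    header = SMB1_SIGNATURE + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27      # 32-byte header, rest zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)  # BufferFormat + ASCIIZ
    body = b"\x00" + struct.pack("<H", len(data)) + data                  # WordCount=0, ByteCount, dialects
    return netbios_frame(header + body)


def smb_family(payload):
    """Return 'SMB1', 'SMB2/3' or None based on the signature after the NetBIOS header."""
    if len(payload) < 8 or payload[0] != 0x00:
        return None
    return {SMB1_SIGNATURE: "SMB1", SMB2_SIGNATURE: "SMB2/3"}.get(payload[4:8])


def smb1_negotiate_dialects(payload):
    """Dialect strings offered in an SMB1 NEGOTIATE request; [] for anything else."""
    if smb_family(payload) != "SMB1" or payload[8] != SMB1_NEGOTIATE:
        return []
    word_count = payload[36]                      # parameter words follow the 32-byte header
    pos = 37 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", payload, pos)
    data = payload[pos + 2 : pos + 2 + byte_count]
    return [chunk[1:].decode("ascii", "replace") for chunk in data.split(b"\x00") if chunk[:1] == b"\x02"]


def classify_smb_client(payload):
    """An SMB1-only client offers no 'SMB 2.' dialect; modern clients offer it inside the SMB1 NEGOTIATE."""
    dialects = smb1_negotiate_dialects(payload)
    if not dialects:
        return smb_family(payload)
    return "SMB1-negotiate-offers-SMB2" if any(d.startswith("SMB 2.") for d in dialects) else "SMB1-only"


def check_dns_queries(qnames):
    """Queried names that match the WannaCry list, normalised for case and trailing dot."""
    return sorted({q.lower().rstrip(".") for q in qnames} & WANNACRY_DOMAINS)


def outbound_smb(flows, internal="10.0.0.0/8"):
    """(src, dst) pairs for TCP 445 flows leaving the internal range: traffic that should be blocked at the edge."""
    net = ipaddress.ip_network(internal)
    return [(src, dst) for src, dst, dport in flows
            if dport == 445 and ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net]


# Constructed fixtures. The dialect lists are illustrative of a legacy and a modern Windows client.
XP_NEGOTIATE = build_smb1_negotiate(
    ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"])
WIN7_NEGOTIATE = build_smb1_negotiate(
    ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1",
     "NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SMB2_MESSAGE = netbios_frame(SMB2_SIGNATURE + b"\x00" * 60)
SAMPLE_QUERIES = ["www.example.com", "IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM."]
SAMPLE_FLOWS = [("10.1.1.20", "203.0.113.7", 445), ("10.1.1.20", "10.1.1.5", 445), ("10.1.1.21", "203.0.113.8", 443)]

if __name__ == "__main__":
    for name, frame in (("XP", XP_NEGOTIATE), ("Win7", WIN7_NEGOTIATE), ("SMB2", SMB2_MESSAGE)):
        print(name, classify_smb_client(frame))
    print("WannaCry domain lookups:", check_dns_queries(SAMPLE_QUERIES))
    print("outbound 445:", outbound_smb(SAMPLE_FLOWS))
```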

Top Tips for preventing Ransomware on your Network

  1. Backup your files regularly and make sure to keep a copy off site. This may be stating the obvious, but a lot of people get caught out when they go to restore files. Build a test server and see if you can restore onto it.
  2. Limit the use of Microsoft Office Macros: A lot of Ransomware is spread using Office attachments. Microsoft recently published an add-on which can stop you from enabling macros in documents downloaded from the Internet. Some more reading here.
  3. Be careful of opening attachments from unknown sources: This is especially true for employees who may receive CVs or financial documents. It may seem normal for them to open attachments from strangers. I have seen targeted attacks where a company advertised a job on the Internet. The HR department received applications with attachments which contained malware associated with Ransomware. Make sure you tell applicants to only send PDF type attachments.
  4. Keep your systems patched: WannaCry and other WannaCrypt variants targeted systems running SMBv1. Microsoft has published Security Bulletin MS17-010, which addresses issues with SMBv1. At a minimum, you should disable SMBv1 and patch all relevant systems on your network. More generally, the advice is to stay on top of installing updates; you just never know what will be targeted next.
  5. Know what is happening on your network: When Ransomware strikes it can be difficult to figure out what data was encrypted. Users will report that they cannot access certain files or folders, but they won’t know exactly what was targeted. Get an audit trail of all file and folder activity. You can implement file activity monitoring passively using network traffic analysis.
  6. Know what is happening at the edge of your network: When it comes to keeping your network safe, it is vital that you know what is going in and out of the network edge. Don’t rely on firewall logs as they may become inaccessible when your network is under attack. Look at deploying a combination of intrusion detection (IDS) and flow analysis with metadata capture. Information captured at this point can be crucial if your network is attacked. Look at capturing:
    • IP addresses with associated GeoIP details
    • Flow information such as source and destination TCP or UDP ports. WannaCry targeted networks where TCP port 445 was open so you should block this type of activity at the edge.
    • DNS traffic details like hostnames and DNS server addresses
    • Attachments inbound and outbound via SMTP
    • Web domain names – HTTP and HTTPS
    • IDS events associated with suspicious packet payloads
    • Associated usernames so you can track who is doing what
    • Web client information such as operating type and browser type
  7. Don’t rely on log files alone for investigating issues. Log management tools have their uses but they can be compromised if a network is attacked. Recently a number of school districts were targeted with a Ransomware attack in the US and the hacking group turned off the logs recording who accessed their systems.

How to disable SMBv1

Server Message Block (SMB) is a protocol mainly used for providing shared access to files and printers on computer networks. Microsoft recommends that SMBv1 be disabled on all Windows server and client installs, as it is insecure and has been replaced. If you detect any SMB1 activity on your network, these steps for shutting down the protocol should apply to the most popular Windows versions. Take a read of this article on how to enable and disable SMBv1 in Windows and Windows Server.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system.

There is some additional reading in this Microsoft post which includes some customer guidance for WannaCrypt attacks.

I don’t have Ransomware on my network; should I worry?

If you have good update procedures and network users are cautious when it comes to clicking on attachments and strange links, you should be able to keep the WannaCry Ransomware away from your network. However, now is the time to get an inventory of what SMB versions you are running on your file servers and take action if you find SMBv1.

Now is also the ideal time to get a good network monitoring system in place. Don’t wait for Ransomware to strike, it is much easier to get something in place when your network is not under attack.

Providing for more Visibility of Threats in your Network

Visibility of Threats on your network

Visibility of Threats. A must have for all Network Managers

One of the most common requirements Network Managers have at the moment is for tools which can provide more visibility of threats on their networks. For a lot of Managers, a majority of the devices on their networks aren’t theirs, and so endpoint security can only go so far. Network users can also use the network to access blocked or copyrighted material through small media devices running Kodi and a number of plugins.

With the rise in mobile devices, IoT devices, smart TVs, etc., they need something with a little more intelligence than just the logs from firewalls. Firewall logs are also problematic when a network is under attack: you may find that they are inaccessible due to resource load on the firewall, or they get overwritten very quickly and you end up losing vital forensic information.

Diagnostics tools such as Wireshark can provide for some excellent low level information but this has issues with scale. If you try and look at traffic from a SPAN, mirror port or TAP it can get overloaded. Commercial packet recorders are very expensive, and many of them need dedicated security personnel to maintain them. Many Network Managers do not have the luxury of having separate network operations and security specialists.

Network Security Analytics

The website NetworkWorld recently published an interesting article to coincide with RSA Conference 2017. In it, they look at how DDoS protection, network security analytics and cloud solutions will take center stage at this year’s conference. Network security analytics is moving from just capturing flow data to the capture of metadata from layer 3 through 7, using network packet information as a data source.

Actionable events can be generated by aligning external threat intelligence with network traffic telemetry. External threat intelligence sources can include things like:

An example of GeoIP integration is shown below. Simply associating IP addresses with the countries where they are registered makes it much easier to spot suspicious activity.

GeoIP traffic report to get Visibility of Threats

Visibility of Threats: Next Steps

Capturing logs from firewalls is still recommended. However, you should include network traffic analysis as part of your operational and security tool set. This will allow you to capture threats which may have been carried into your network such as malware laden user devices. It will also give you a secondary source of data if your firewall logs are not available. Applications which use a SPAN, mirror port or TAP to monitor network traffic are vendor agnostic so you can use them to monitor IoT type devices.

Looking back at our 2016 Top Blog Posts

2016 Top Blog Posts

2016 Top Blog Posts

As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So, you don’t miss any of our blogs in 2017, subscribe here!

Detecting BlackNurse attacks using Snort IDS

Blacknurse Attack

BlackNurse attack

Recently, Danish researchers at the Security Operations Center of telecom operator TDC uncovered a security vulnerability associated with many well-known firewalls. All it takes is for one computer to bring vulnerable Cisco, SonicWall, Palo Alto and Zyxel firewalls to their knees. More information can be found in the document they published on the BlackNurse attack.

This attack uses ICMP Type 3 “unreachable” messages, specifically ICMP Type 3 Code 3 “port unreachable” messages. Those ICMP messages can overload a firewall CPU and result in a DoS state.

Detecting BlackNurse attacks using Snort IDS

Snort is an open-source network intrusion detection system (NIDS) and is typically used to detect new and legacy threats. It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. In intrusion detection mode, Snort can monitor network traffic and analyze it against a rule set. The rules shown below can be used to detect BlackNurse attacks from internal and external sources.

Snort IDS Rules to detect signs of the BlackNurse Attack.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurse attack from external source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;)

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC - Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)
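The important part of both rules is the `detection_filter: track by_dst, count 250, seconds 1` option: a single ICMP type 3 code 3 message is normal, and the rule only fires once 250 of them have hit the same destination within one second. To make that logic concrete, here is an added Python model of the two rules (this is example code, not Snort or LANGuardian): it keeps a one-second sliding window of port-unreachable messages per destination, fires on the 250th and each subsequent packet while the window stays full, and labels the alert by whether the source is inside the assumed `$HOME_NET` of `10.0.0.0/8`. The packet stream is a constructed fixture.

```python
import ipaddress
from collections import defaultdict, deque

ICMP_DEST_UNREACHABLE = 3   # itype:3
ICMP_PORT_UNREACHABLE = 3   # icode:3


class BlackNurseDetector:
    """Model of the TDC rules' detection_filter: track by_dst, count 250, seconds 1."""

    def __init__(self, home_net="10.0.0.0/8", count=250, seconds=1.0):
        self.home = ipaddress.ip_network(home_net)   # stands in for $HOME_NET (assumed value)
        self.count = count
        self.seconds = seconds
        self.windows = defaultdict(deque)            # destination -> timestamps inside the window

    def observe(self, ts, src, dst, itype, icode):
        """Feed one ICMP packet; return an alert dict when the destination's rate is reached, else None."""
        if (itype, icode) != (ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE):
            return None                              # rule only matches type 3 / code 3
        window = self.windows[dst]
        window.append(ts)
        while window and ts - window[0] >= self.seconds:   # drop packets older than the window
            window.popleft()
        if len(window) < self.count:
            return None
        origin = "internal source" if ipaddress.ip_address(src) in self.home else "external source"
        return {"ts": ts, "src": src, "dst": dst, "rate": len(window),
                "msg": f"Possible BlackNurse attack from {origin}"}


def sample_packets():
    """Constructed capture: (ts, src, dst, itype, icode) tuples, sorted by time."""
    pkts = [(i * 0.5 / 300, "198.51.100.9", "10.0.0.1", 3, 3) for i in range(300)]   # 300 port-unreachables in 0.5 s
    pkts += [(i * 0.2, "10.2.3.4", "203.0.113.5", 3, 3) for i in range(5)]            # a few legitimate unreachables
    pkts += [(i * 0.001, "198.51.100.10", "10.0.0.1", 8, 0) for i in range(300)]      # echo requests: never matched
    return sorted(pkts)


def run(packets, **detector_args):
    """Replay packets through a fresh detector and collect the alerts it raises."""
    detector = BlackNurseDetector(**detector_args)
    return [alert for alert in (detector.observe(*p) for p in packets) if alert]


if __name__ == "__main__":
    alerts = run(sample_packets())
    print(len(alerts), "alerts; first:", alerts[0])
```

A consequence worth knowing when tuning: because the filter counts per destination regardless of how many sources contribute, a distributed flood from many senders toward one firewall interface still trips the rule, while the same total volume spread across many destinations does not.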

Detect BlackNurse Attacks On Your Network

Use the IDS and deep packet inspection engines of LANGuardian to detect the presence of BlackNurse attacks on your network. Real time and historical reports available.

Manually adding Snort Rules to LANGuardian

The LANGuardian security module includes the Snort IDS engine which enables real-time detection and alerting of malicious events that occur on your network. LANGuardian seamlessly integrates data from the IDS with traffic analysis data to provide an unprecedented level of visibility into activity on your network. While the LANGuardian IDS rule set is updated automatically, you can still manually add the BlackNurse signatures.

  1. Click on the gear symbol at the top right of the LANGuardian GUI and select Settings.
  2. Within Settings, click on Local IDS Signatures.
  3. Click on Add new signature and paste in one of the Snort rules shown above in this post.
  4. Repeat the Add new signature step for the second Snort rule.

BlackNurse Snort IDS Signatures

Once added to LANGuardian, you can detect the presence of BlackNurse attacks via the Top Network Events report. An event triggered by the internal rule reports that one or more clients on your network are generating ICMP Type 3 Code 3 “port unreachable” messages which could be used to take down a firewall. You can click on the value within the total column to get the IP address and associated username of the problematic client(s).

Snort IDS detecting BlackNurse attack

Events triggered by the external rule report that one or more clients outside of your network are generating ICMP Type 3 Code 3 “port unreachable” messages, which could be used to take down a firewall. You can click on the value within the total column to get the IP address of the problematic client(s) and block them if necessary.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.

Monitoring IP Spoofing activity on your network

In my opinion, network traffic analysis and bandwidth monitoring solutions are a must have. You can closely monitor bandwidth and traffic patterns to identify any anomalies that can be addressed before they become threats. The trick is to capture usernames and other metadata as well as the usual IP addresses and flow information, so that you can fully understand what is happening on your network and spot suspicious traffic like IP spoofing.

Last week, I worked on an interesting network issue which involved IP Spoofing. One of our LANGuardian customers reported that they were seeing a lot of network scans from IP addresses that were not part of their local address schemes. Network scans are typically triggered when a single IP address attempts to connect to hundreds of other clients in a short time period.

Network Scans

The customer was using 10.0.0.0/8 addressing, but the scans were originating from 172.16.0.0/12 addresses. Over a 24 hour period, we detected over 5.5 million connection attempts. What was unusual here was the source address range: it is private, so it should not be routed in from the Internet.

The customer wanted to know if this was IP Spoofing or if the traffic from this network had somehow made its way into their main corporate network. IP Spoofing involves the creation of IP packets with a false source IP address for the purpose of hiding the identity of the sender or impersonating another computing system.

IP Spoofing is also widely used in DDoS amplification attacks. In most DNS and NTP amplification attacks, the source IP is spoofed to that of the victim, which is then flooded with unsolicited responses. DDoS attacks like this can overwhelm networks; a recent attack on the Krebs on Security blog resulted in 665 Gbps of traffic.

If you do spot suspicious traffic or IP addresses on your network, you first must work out whether it is spoofed or whether actual connections were established. Many traffic analysis or IDS systems can trigger alerts when a single source attempts to connect to many other devices on a network. In most cases, they are watching out for SYN packets which try to initiate a connection. If the target host responds, then a connection may be possible.

Your first priority will be to look at flow reports associated with the source addresses. For the purposes of this demonstration, I am going to use our own product LANGuardian. However, you can use a similar approach with other network traffic monitoring applications. I am also going to focus on the 10.11.0.0/16 network which is the source of the scans in my case.

As can be seen from the image below, we do not detect any flows or connections associated with this subnet. This would suggest that the source device(s) of these packets is spoofing these IP addresses.

Ip Spoofing Dashboard

The next step of your investigation would be to determine the MAC addresses associated with these IP addresses. Again I am using the built-in inventory reports of LANGuardian to resolve the MAC address of the suspicious IP addresses. In my case, I narrowed the search down to a single Dell system.

MAC Address

My next step would be to check the MAC tables on my switches so that I can find what port the device is connected to and shut it down. Going back to the customer issue I worked on, we traced the problem back to one of their firewalls. It had a known issue where it would send out random IP packets associated with the 172.16.0.0/12 network. An upgrade sorted the issue resulting in the disappearance of the spoofed packets.
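The triage above follows a fixed sequence: find sources that fan out to many destinations, check whether they sit outside the site's address plan, check whether any of their connections were ever answered, and finally resolve the source MAC address so the physical sender can be found. The Python below is an added example (not a LANGuardian report or NetFort code) that performs that sequence on constructed flow records which carry the source MAC seen on the frame. The record layout, the `10.0.0.0/8` address plan and the 50-destination scan threshold are assumptions for the example; the point it adds is that when one MAC address sends as several off-plan IP addresses and none of them is ever answered, the MAC, not the IP, identifies the misbehaving device.

```python
import ipaddress
from collections import defaultdict

# The customer's address plan from the post; anything else is "off plan".
SITE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
SCAN_THRESHOLD = 50   # assumed: distinct destinations before a source counts as scanning


def sample_flows():
    """Constructed flow records: (src_mac, src_ip, dst_ip, dst_port, reply_seen)."""
    flows = []
    spoofer = "00:1a:2b:3c:4d:5e"                      # one device sending as four 172.16.x.x addresses
    for k in range(1, 5):
        flows += [(spoofer, f"172.16.1.{k}", f"10.1.{k}.{n}", 445, False) for n in range(1, 61)]
    # an on-plan host sweeping SSH on a subnet and getting answers (e.g. an authorised scanner)
    flows += [("00:aa:bb:cc:dd:01", "10.1.1.9", f"10.1.9.{n}", 22, n % 4 == 0) for n in range(1, 121)]
    # an ordinary client
    flows += [("00:aa:bb:cc:dd:02", "10.1.1.10", d, 443, True) for d in ("10.1.2.5", "10.1.2.6", "10.1.2.7")]
    return flows


def is_off_plan(ip):
    """True when the address is outside every prefix the site actually uses."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_PREFIXES)


def destinations_per_source(flows):
    """Map each source IP to the set of distinct destinations it tried to reach."""
    fanout = defaultdict(set)
    for _mac, src, dst, _port, _reply in flows:
        fanout[src].add(dst)
    return fanout


def scan_sources(flows, threshold=SCAN_THRESHOLD):
    """Sources whose destination fan-out reaches the scan threshold."""
    return sorted(src for src, dsts in destinations_per_source(flows).items() if len(dsts) >= threshold)


def triage(flows, threshold=SCAN_THRESHOLD):
    """Apply the post's checks to each scanning source and attach a verdict and the MACs it was seen from."""
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[1]].append(flow)
    results = []
    for src in scan_sources(flows, threshold):
        established = any(reply for _m, _s, _d, _p, reply in by_src[src])
        macs = sorted({mac for mac, *_ in by_src[src]})
        if established:
            verdict = "real host: established connections seen"
        elif is_off_plan(src):
            verdict = "likely spoofed: off-plan source, no replies; trace by MAC"
        else:
            verdict = "unanswered SYNs from on-plan address: check host"
        results.append({"src": src, "targets": len(destinations_per_source(flows)[src]),
                        "off_plan": is_off_plan(src), "established": established,
                        "macs": macs, "verdict": verdict})
    return results


def spoofing_devices(flows):
    """MAC addresses that transmitted with off-plan source IPs, and which IPs each one used."""
    seen = defaultdict(set)
    for mac, src, *_ in flows:
        if is_off_plan(src):
            seen[mac].add(src)
    return {mac: sorted(ips) for mac, ips in seen.items()}


if __name__ == "__main__":
    for row in triage(sample_flows()):
        print(row["src"], row["targets"], row["macs"], row["verdict"])
    print("devices sending off-plan addresses:", spoofing_devices(sample_flows()))
```

In the post's case the sender turned out to be a firewall with a known defect rather than a malicious host, which is exactly why the MAC-level step matters: the verdict only tells you that the IP addresses are not real, and the physical source still has to be located on the switch before deciding on an upgrade, a port shutdown or an incident.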

For additional information on IP Spoofing; take a moment to watch this short video 


How to Generate a SHA-1 Certificate Inventory

How to generate a SHA-1 inventory with NetFort LANGuardian

Background to the SHA-1 changes

The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.

It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:

What you need to do right now

If you are running public facing web services, then this problem may seem obvious. However, many network devices such as printers run web engines so the SHA-1 issue will impact on nearly all computer networks. The advice is to spend some time looking at the problem now, rather than wait for user complaints in 2017. At a minimum, we recommend the following:

  1. Inventory your existing certificates. This can be tricky if you do not have network monitoring tools in place. If you don’t have anything at present, you can download a trial version of our LANGuardian product which has SHA-1 reporting built-in.
  2. Replace SHA-1 certificates that expire after 2015. This may require a new server platform as operating systems such as Windows Server 2003 are not able to support SHA256 certificates.
  3. Ensure new certificates and their chains are based on SHA-2.

Generating a SHA-1 inventory using network traffic analysis

LANGuardian 14.1 includes a new feature that allows you to generate a list of all servers on your network running SSL services. Those devices that need to be updated are highlighted within the report. LANGuardian uses network traffic as a data source, so you just need to set up a SPAN or mirror port on your core switch to get started. We have a couple of video guides on this subject within the resources section of this website which explain things in more detail.

To access the SSL reports, you need to click on All Reports from within the LANGuardian GUI and navigate to the Inventory section. If you don’t have an inventory section, you will need to upgrade your LANGuardian to the latest release. Please contact our support team if you have any questions about this.

You can filter based on variables like IP addresses, subnets and specific time ranges. Servers running expired or outdated protocol versions will be highlighted in red.

The IP address link within the report allows you to drill down and see what clients are connecting to this server. This can be very useful data, if you are planning to shut down any outdated systems. In my example, the device is actually a printer running an insecure SHA-1 certificate.


In some cases, you may need to replace certificates running on servers, while in other situations you may need to do firmware updates. Whatever the remedy, you can use LANGuardian to check if the device or server has been updated. Just run the Servers Running SSL report again and change the date/time filter so you are looking at data captured after the time of the upgrade.

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth troubleshooting, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

When it comes to Infosec, don’t forget about the old stuff

INFOSEC issues on today's networks

When it comes to INFOSEC you need to focus on the new and the old!

Last week, I worked with a client who needed some help with an INFOSEC issue associated with Ransomware. To summarize, they needed to put an early warning system in place should one or more clients start to rename large numbers of files on network shares. Ransomware continues to be a very hot topic with some recent reports highlighting that 63% of UK Universities have been hit with Ransomware and a retooled Locky Ransomware has started to pummel networks in the healthcare sector.

With other topical security issues such as DDoS and advanced phishing attacks competing for attention, it is easy for people to lose interest in older threats and vulnerabilities. If Network Managers just focus on recent security issues, there is more than enough work there to keep them busy. However, this is a dangerous approach, as you need to keep a watchful eye on the old security issues as well as being able to deal with the new.

Our LANGuardian product includes both an IDS and advanced traffic analysis capabilities, so it is an excellent tool for forensic-type use cases. A good example of this materialized a few days ago, while I was working on another client's network. I was reviewing their Network Events report and I noticed Conficker activity.


Conficker is old malware, first detected back in 2008, but there it was, trying to connect outbound to Chinese, Mexican and German IP addresses over port 80, as well as scanning the internal network trying to infect other hosts. From what I understand, the infected host was a piece of equipment with an embedded Windows OS, which made it difficult to patch.

I also picked up on suspicious inbound traffic over port 22 to a client which, in turn, was sending spam-type emails. These are issues that we all worked on years ago, but here they are once again, still causing problems in 2016. They can be easy to detect, but only if you are monitoring what is happening inside your network.

It really served as a reminder that while it is important to watch out for new threats, you should not forget about the old stuff either. Indeed, you may well have an INFOSEC dinosaur lurking in the corner of your network trying to cause damage. So, ensure everything is patched and back this up with good monitoring tools to spot the bad stuff.
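Both of the cases above, a host sweeping its neighbours and a client sending mail directly, show up as simple fan-out patterns in connection records. As an added example, not code from the original post or from LANGuardian, here is a Python detector over constructed flow records (timestamp, source, destination, destination port, protocol) that flags any internal host reaching an unusually large number of distinct internal addresses on one port within a short window, and any internal host other than the known mail relay that opens outbound TCP/25 connections. The address ranges, the relay address, the thresholds and the sample traffic are assumptions made for the illustration.

```python
"""Fan-out detectors over connection records (added example).

Each record is (timestamp_seconds, src_ip, dst_ip, dst_port, proto), the kind of
tuple you can export from a flow collector or a traffic monitor.
"""
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed site layout for the illustration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_MAIL_RELAYS = {"10.0.0.25"}        # the only hosts that should speak SMTP outbound


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internal_scan_sources(records, window=60, min_peers=20):
    """Hosts that reached >= `min_peers` distinct internal addresses on one port
    within `window` seconds (a worm sweeping the LAN). Returns {(src, port): peak}."""
    by_key = defaultdict(list)
    for ts, src, dst, port, _ in records:
        if is_internal(src) and is_internal(dst) and src != dst:
            by_key[(src, port)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        recent, in_window = deque(), Counter()
        for ts, dst in sorted(events):
            recent.append((ts, dst))
            in_window[dst] += 1
            while ts - recent[0][0] > window:      # expire connections outside the window
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            if len(in_window) >= min_peers:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


def rogue_smtp_clients(records):
    """Internal hosts, other than the known relays, opening outbound TCP/25 connections."""
    counts = Counter()
    for _, src, dst, port, proto in records:
        if (proto == "tcp" and port == 25 and is_internal(src)
                and not is_internal(dst) and src not in KNOWN_MAIL_RELAYS):
            counts[src] += 1
    return dict(counts)


def build_sample_records():
    """Constructed traffic: normal browsing and relay mail, plus two infected hosts."""
    recs = [(t, "10.0.0.25", "203.0.113.10", 25, "tcp") for t in range(0, 600, 60)]
    recs += [(t, "10.0.1.5", "198.51.100.7", 443, "tcp") for t in range(0, 600, 30)]
    # Host sweeping its own /24 on one port: 40 neighbours in 40 seconds.
    recs += [(1000 + i, "10.0.1.77", f"10.0.1.{i + 1}", 445, "tcp") for i in range(40)]
    recs += [(1100, "10.0.1.77", "203.0.113.99", 80, "tcp")]   # its outbound beacon
    # Desktop sending mail directly to many external mail servers (spam bot).
    recs += [(2000 + 2 * i, "10.0.2.33", f"198.51.100.{10 + i}", 25, "tcp") for i in range(15)]
    return recs


SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    print("internal sweeps:", internal_scan_sources(SAMPLE_RECORDS))
    print("rogue SMTP senders:", rogue_smtp_clients(SAMPLE_RECORDS))
```

Neither check needs signatures or packet payloads, which is the point: an embedded device that cannot be patched still has to open connections, and a sweep of the subnet or a burst of direct SMTP is visible in plain flow data long after the antivirus signatures for the malware have been retired.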


5 Methods For Detecting Ransomware Activity

Ransomware attacks on the rise

See also: How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

According to a new report from McAfee Labs, Ransomware will remain a major and rapidly growing threat in 2016. New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. This includes:

  • Ransomware-Locky removes the volume shadow copies from the compromised system, thereby preventing the user from restoring the encrypted files.
  • Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim’s computer.
  • The latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
  • Master boot record killers like Petya have the ability to install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get your data back without paying the ransom.
  • The authors of the CryptMix Ransomware are offering to donate ransom fees to a children’s charity, but this is believed to be another scam to dupe victims into paying the ransom.
  • Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer due to an expired license key.

Previously, we have looked at many ways of preventing Ransomware attacks on our blog. The #1 tip is to backup your data and make sure you do a test restore. However, even with the latest generation firewalls and antivirus on all desktops, Ransomware can still get into a network. The most common attacks use email phishing with dodgy attachments but we have also seen attacks using remote desktop services and infected data storage devices.

How you can detect the presence of Ransomware on your network

The first variants of Ransomware used a small number of very specific file extensions like .crypt. However, each new variant seems to use different extensions and some even keep the file name intact. Because of this, you need to watch out for multiple symptoms of an attack; here, we take a look at 5 of them:

1. Watch out for known file extensions

Even though the list of known Ransomware file extensions is growing rapidly, it is still a useful method for detecting suspicious activity. Before you do anything you need to get file activity monitoring in place so that you have both a real time and historical record of all file and folder activity on your network file shares.

There is an interesting discussion on this Reddit post which has a link to a number of resources including this spreadsheet which has a comprehensive list of all known Ransomware variants. We currently work off this list and you can use this on your LANGuardian to create a custom report. As the list is in Regex format, you may be able to use it on other monitoring systems. The video further down in this blog post shows you how you can use this list on LANGuardian.

\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.{CRYPTENDBLACKDC}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.crypt|\.ctbl|\.html|\.locked|\.ha3|\.enigma|\.html|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware.LeChiffre|\.crime|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr|\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.encrypted|\.cry|\.AES256|\.enc|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.enc|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.vault|\.PORNO

2. Watch out for an increase in file renames

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert: if the number of renames goes above a certain threshold, you have a potential Ransomware issue. Our recommendation is to base your alert on anything above 4 renames per second.

Our video (opposite) shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.
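Methods 1 and 2 can be implemented directly against a stream of file-activity records, and the published extension list needs one adjustment before it is usable: it contains entries such as .txt, .html, .EXE and .mp3 that ordinary users create all day long. The following Python script is an added example, not code from the original post or from LANGuardian. It takes an alternation list in the same format as the one above (a shortened copy is embedded), drops the overly generic entries, anchors the pattern to the end of the filename, and runs two checks over constructed SMB activity records: known-extension hits, and any client exceeding 4 renames per second in a sliding one-second window. The record format, client addresses, user names and timestamps are assumptions for the illustration.

```python
"""Ransomware indicators in file-share activity records (added example)."""
import re
from collections import defaultdict, deque

# Shortened copy of the published extension list, in the same "\.ext|\.ext" format.
EXTENSION_LIST = (r"\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.cerber|\.crypt|\.txt|\.coverton|"
                  r"\.encrypted|\.html|\.locked|\.EXE|\.crypted|\.vvv|\.ecc|\.exx|\.ezz|\.abc|"
                  r"\.aaa|\.zzz|\.xyz|\.micro|\.xxx|\.ttt|\.mp3|\.xtbl|\.vault|\.CrySiS")

# Entries in the published list that everyday files use; matching on them would
# bury the real hits in false positives.
TOO_GENERIC = {".txt", ".html", ".exe", ".mp3"}


def compile_extension_pattern(alternation, drop=TOO_GENERIC):
    r"""Turn a '\.a|\.b' alternation into one regex anchored at the end of the filename."""
    exts = []
    for token in alternation.split("|"):
        token = token.strip().replace(r"\.", ".")
        if token and token.lower() not in drop:
            exts.append(re.escape(token))
    return re.compile("(?:" + "|".join(exts) + ")$", re.IGNORECASE)


KNOWN_EXT_RE = compile_extension_pattern(EXTENSION_LIST)


# Assumed record format: "timestamp_seconds,client_ip,user,action,path"
def parse_record(line):
    ts, client, user, action, path = line.split(",", 4)
    return float(ts), client, user, action, path


def known_extension_hits(records):
    """Created or renamed files whose name ends in a listed extension."""
    return [(client, user, path) for _, client, user, action, path in records
            if action in ("create", "rename") and KNOWN_EXT_RE.search(path)]


def rename_rate_alerts(records, threshold=4, window=1.0):
    """Clients that exceed `threshold` renames inside any `window`-second span.
    Returns {client: peak number of renames seen in one window}."""
    per_client = defaultdict(list)
    for ts, client, _, action, _ in records:
        if action == "rename":
            per_client[client].append(ts)
    alerts = {}
    for client, times in per_client.items():
        recent = deque()                     # rename timestamps inside the sliding window
        for ts in sorted(times):
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) > threshold:
                alerts[client] = max(alerts.get(client, 0), len(recent))
    return alerts


def build_sample_lines():
    """Constructed SMB activity: a normal user, then a client encrypting a share."""
    lines = [
        r"1000.0,10.0.1.5,alice,read,\\fs1\finance\budget2016.xlsx",
        r"1001.0,10.0.1.5,alice,rename,\\fs1\finance\budget2016_v2.xlsx",
        r"1002.0,10.0.1.5,alice,create,\\fs1\finance\notes.txt",
        r"1003.0,10.0.1.5,alice,rename,\\fs1\finance\invoice_final.txt",
    ]
    for i in range(12):                      # 12 renames to .locky in under two seconds
        lines.append(f"{2000 + i * 0.15:.2f},10.0.1.77,bob,rename,"
                     rf"\\fs1\shared\doc{i}.docx.locky")
    return lines


SAMPLE_RECORDS = [parse_record(line) for line in build_sample_lines()]

if __name__ == "__main__":
    for hit in known_extension_hits(SAMPLE_RECORDS):
        print("known extension:", hit)
    print("rename-rate alerts:", rename_rate_alerts(SAMPLE_RECORDS))
```

The two checks are complementary: the extension match catches variants that announce themselves, while the rename rate catches the ones that keep file names intact or use an extension nobody has listed yet. Alice's two renames in the sample never trip the rate check, and her .txt files never trip the extension check once the generic entries are dropped.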

3. Create a sacrificial network share

When Ransomware strikes, it typically looks for local files first and then moves on to network shares. Most of the variants that I have looked at go through the network shares in alphabetical order: the G: drive, then the H: drive, and so on.

A sacrificial network share can act as an early warning system and also delay the Ransomware from getting to your critical data. Use an early drive letter like E:, something that comes before your proper drive mappings. The network share should be set up on old, slow disks and contain thousands of small random files.

With many small random files, there is no easy way for the Ransomware to process the files in an order that avoids lots of seeking around the disk. Depending on how it is implemented, the cipher might also need to be re-initialized for each file, which slows down the encryption process further.

The slower the disk the better. You could go to the extreme and put it behind a router and limit data throughput to this network share. It may add a slight delay to the logon process but this honeypot may give you enough time to shut client machines down if they get infected with Ransomware.

You could also set up an alert which would trigger if a specific file was accessed somewhere within the network share. This would be a sure sign that something was going through your file shares. You just need to educate your users to stay away from this network share.
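As an added example, not from the original post, the Python script below builds the kind of decoy tree described in this section in a local directory that you would then export as the early-letter share: thousands of small files with random names, sizes and contents spread over many subfolders, plus a short list of canary files whose access you alert on. The directory layout, file counts, extensions and canary names are assumptions; the script writes nothing outside the directory you give it (or a fresh temporary directory when you give none).

```python
"""Populate a sacrificial (decoy) share with random small files (added example)."""
import os
import random
import secrets
import tempfile

# Constructed canary names: sort early, look valuable, and are never used legitimately.
CANARY_NAMES = ["00_accounts_master.xlsx", "00_passwords.docx", "zz_archive_index.pdf"]
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".pptx"]


def build_decoy_share(root=None, file_count=2000, subdirs=40,
                      min_bytes=512, max_bytes=16 * 1024, seed=None):
    """Create `file_count` random files spread over `subdirs` folders under `root`
    (a fresh temporary directory when None), plus the canary files at the top level.
    Returns {"root": path, "files": total files written, "canaries": canary paths}."""
    root = root or tempfile.mkdtemp(prefix="decoy_share_")
    rng = random.Random(seed)
    dirs = []
    for i in range(subdirs):
        d = os.path.join(root, f"dept{i:02d}", f"project{rng.randint(1, 99)}")
        os.makedirs(d, exist_ok=True)
        dirs.append(d)
    for _ in range(file_count):
        # Random names and sizes: nothing for the malware to sort or skip efficiently.
        name = secrets.token_hex(rng.randint(4, 8)) + rng.choice(EXTENSIONS)
        with open(os.path.join(rng.choice(dirs), name), "wb") as fh:
            fh.write(os.urandom(rng.randint(min_bytes, max_bytes)))   # no real data inside
    canaries = []
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(4096))
        canaries.append(path)
    return {"root": root, "files": file_count + len(canaries), "canaries": canaries}


def count_files(root):
    """Number of regular files below `root`, to verify the share was populated."""
    return sum(len(files) for _, _, files in os.walk(root))


def is_canary_access(path):
    """True for an access to one of the canary files; wire this to your alerting."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] in CANARY_NAMES


if __name__ == "__main__":
    info = build_decoy_share(file_count=200, subdirs=8, seed=42)
    print(info["root"], count_files(info["root"]), "files")
```

The random file contents are incompressible and carry no real data, so nothing is lost if the share is encrypted, and the canary names sit first and last in a sorted listing so that either traversal order reaches one quickly. Feed the file-activity records from your monitoring into is_canary_access() and treat any hit as the alert the text describes.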


4. Update your IDS systems with exploit kit detection rules

Many IDS, IPS and firewall systems come with exploit detection features. Exploit kits are used as a way to get Ransomware onto a client through malspam or via compromised websites.

The two most common exploit kits (EK) associated with Ransomware are the Neutrino EK and the Angler EK. Check if your network security monitoring systems are up to date and see if they have the capability to detect exploit kits.

LANGuardian includes the Snort IDS system which supports the detection of exploit kits. Watch out for any activity in the Top Network Events report.

5. Use client based anti-ransomware agents

Over the past few months companies like Malwarebytes have released anti-ransomware software applications. These are designed to run in the background and block attempts by Ransomware to encrypt data. They also monitor the Windows registry for text strings known to be associated with Ransomware. The problem with this approach is that you will need to install client software on every network device.

Researchers are also looking at ways to ‘crash’ computer systems when droppers are detected. Droppers are small applications that first infect target machines in preparation for downloading the main malware payloads. This will likely mean that the system is sent to IT where the attack should be discovered.

You should also tell your network users to avoid installing agents themselves. There is too much of a risk that they will install the wrong agent, or end up installing more malware on their systems.

If you are dealing with a Ransomware attack, you can download our LANGuardian product trial to find the source of the infection. The trial version has all of the relevant reports available.

Will Ransomware go away?

The simple answer to this is no! All of the indicators suggest that Ransomware will remain a major and rapidly growing threat, fueled by anonymizing networks and payment methods.

Expect to see an increase in Ransomware variants which target websites instead of file stores. Linux.Encoder.1 is an example of this threat. When a website is attacked the Ransomware will hold the site’s files, pages and images for ransom.

There are two key lessons here:

  1. Ensure you are backing up your website
  2. Keep the website operating system and CMS fully patched

Ransomware is also a growing problem for users of mobile devices. There are two main types, lock-screen and file-encrypting: lock-screen Ransomware stops you from accessing anything on your mobile device, while file-encrypting variants encrypt the data stored on the device. You can decrease your chances of an attack by avoiding unofficial app stores and by keeping your mobile device and apps updated.

I’ll finish by repeating the advice: ensure you backup all of your personal and work data. Educate users on the risks and disconnect problematic users from sensitive data.

Building Your Own Cryptolocker Monitoring Dashboard


Cryptolocker Monitoring – How to Build Your Own Dashboard

Last Friday, one of our public sector customers got hit by Cryptolocker Ransomware. Because their LANGuardian is continuously monitoring the network, it proved to be a crucial ‘go to’ system for quickly investigating the attack and for forensics. It had all the detail needed to really understand what happened. Within a very short time frame they were able to track down infected hosts and get the associated username, so the outbreak was contained very quickly.

This blog post looks at what you need to do to set up your own Cryptolocker Monitoring Dashboard. The examples shown here use the LANGuardian system, but you can adopt a similar approach if you are collecting file and network activity through other means.

A sample of this Cryptolocker monitoring dashboard is shown below. This is from a network which is not under Ransomware attack. Most reports are not showing results and only small numbers of file renames are being reported which would be seen as normal network activity.

Cryptolocker Monitoring Dashboard

Step 1 – Watch out for .micro file extensions

The first report we created checks for any files with the .micro extension. These are known to be associated with TeslaCrypt Ransomware, and thousands of them will appear on your network when you get hit with this malware. The report should remain blank. If results are shown, then you should check any client machines listed for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files with the .micro extension.


Step 2 – Track down clients renaming large numbers of files.

When Cryptolocker strikes it encrypts files and at the same time it renames the files so that they have different file extensions.

You should create a report to focus in on top clients based on the number of file renames. In normal operation you should not see thousands of renames over a 1 hour period. The report will normally show results, but you are watching out for clients associated with hundreds or thousands of renames.

LANGuardian Report – Use Top Clients :: by Num of Events from the Windows File Shares report section. Use the action filter to only show renames.

Step 3 – Cryptolocker Canary.

Ransomware infections can result in the creation of files like INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt. TOR (the onion router) is free software for enabling anonymous communication and is used by the cyber criminals to communicate with you.

A Cryptolocker Canary can be created by alerting if any of these files are detected on network shares. You just need to create a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called INSTALL_TOR.txt or DECRYPT_INSTRUCTION.txt. 

Step 4 – Root out filenames associated with other Crypto variants.

New Cryptolocker variants are appearing on a daily basis. Applications like Tox require very little technical skills to use and are designed to let almost anyone deploy Ransomware in three easy steps.

File names known to be associated with other Crypto variants include restore_Files*.*, *djqfu*.* or *.aaa.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called restore_Files*.*, *djqfu*.* or ones ending with *.aaa

The report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.


Step 5 – Focus in on Cryptowall 4.0 infections.

Cryptowall 4.0 infections can result in the creation of files like help_your_files*.* or help_decrypt.

Look at setting up alerting if any of these files are detected on network shares. You can start by setting up a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called help_your_files*.* or help_decrypt


Forensic Analysis of a DDoS Attack


In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

  1. The majority of the traffic is IPv4.
  2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
  3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS would be the most active UDP protocol. Exceptions to this would be networks where applications like Bittorrent are allowed.
DDoS monitoring dashboard

The next screenshot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is that UDP traffic is now the majority. This is the classic fingerprint of a UDP-based amplification attack. You can read more about amplification attacks here and here.

UDP Traffic associated with DDoS attack

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses so basic firewall rules are useless.

These attacks are composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities, which together make it virtually impossible to identify and block the malicious flows.

UDP Protocol Analysis

Drilling down further reveals that the traffic appears to originate from 4700 different servers. We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine that this is occurring because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent), as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers that returns a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known as amplification, where a small request generates big responses.

DDoS packet numbers

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.
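The reasoning in this section (UDP overtaking TCP, thousands of NTP peers to which the monitored network sent nothing, and an average inbound packet size far above a normal NTP reply) can be turned into an automatic check. As an added example, not code from the original post or from LANGuardian, the Python below computes the protocol mix and flags reflection sources from per-peer flow counters of the kind a traffic monitor exports (peer address, transport, remote port, packets and bytes in each direction). The peer addresses and counters are constructed for the illustration; the 440-byte average and the roughly 90-byte normal reply are the figures from the analysis above.

```python
"""Reflection/amplification fingerprinting from per-peer flow counters (added example)."""
from dataclasses import dataclass


@dataclass
class PeerFlow:
    peer: str
    proto: str          # "tcp" or "udp"
    port: int           # remote port
    pkts_sent: int      # packets our network sent to the peer
    bytes_sent: int
    pkts_recv: int      # packets our network received from the peer
    bytes_recv: int


def protocol_mix(flows):
    """Share of total bytes (both directions) per transport protocol."""
    totals = {}
    for f in flows:
        totals[f.proto] = totals.get(f.proto, 0) + f.bytes_sent + f.bytes_recv
    grand = sum(totals.values()) or 1
    return {p: round(b / grand, 3) for p, b in totals.items()}


def reflection_sources(flows, port=123, normal_reply=90, min_avg=400, min_pkts=10):
    """UDP peers on `port` that sent us traffic we never solicited, using oversized
    packets. Returns [(peer, average bytes per packet, amplification vs normal_reply)]."""
    hits = []
    for f in flows:
        if f.proto != "udp" or f.port != port or f.pkts_recv < min_pkts:
            continue
        avg = f.bytes_recv / f.pkts_recv
        if f.pkts_sent == 0 and avg >= min_avg:      # unsolicited and large: reflected
            hits.append((f.peer, round(avg, 1), round(avg / normal_reply, 1)))
    return hits


def udp_amplification_suspected(flows, udp_share_threshold=0.5):
    """The two-part fingerprint: UDP is the majority and reflection sources exist."""
    mix = protocol_mix(flows)
    return mix.get("udp", 0) > udp_share_threshold and len(reflection_sources(flows)) > 0


def build_sample_flows(reflectors=50):
    """Constructed counters: normal web, DNS and NTP, plus `reflectors` abused NTP servers."""
    flows = [
        PeerFlow("198.51.100.10", "tcp", 443, 1200, 180_000, 1500, 1_900_000),
        PeerFlow("198.51.100.11", "tcp", 80, 800, 90_000, 900, 1_100_000),
        PeerFlow("203.0.113.53", "udp", 53, 300, 21_000, 300, 36_000),   # ordinary DNS
        PeerFlow("203.0.113.123", "udp", 123, 20, 1_800, 20, 1_800),     # our own NTP sync
    ]
    for i in range(reflectors):   # replies we never asked for, 440 bytes per packet
        flows.append(PeerFlow(f"192.0.2.{i + 1}", "udp", 123, 0, 0, 5_000, 2_200_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("protocol mix:", protocol_mix(SAMPLE_FLOWS))
    print("reflection sources:", len(reflection_sources(SAMPLE_FLOWS)))
    print("amplification suspected:", udp_amplification_suspected(SAMPLE_FLOWS))
```

The legitimate NTP peer in the sample is never flagged because the monitored network did send it packets and its replies are normal-sized; the zero-sent condition is what separates a reflector from a server you actually talk to, and it is the same test the WHOIS step above cannot give you.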

The scenario is shown in the diagram below: a single C&C controls many zombie clients, which generate forged NTP requests to many servers, which in turn send amplified responses to the target network.

DDoS Amplification Traffic

Any local servers shown in the reports would need to be checked for malware activity. Such a server could be acting as a zombie host in a botnet, or it may also be serving up malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rushed decisions. Blocking traffic, for example, may only introduce other problems, and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

  1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
  2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
  3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
  4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target, so the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.


CryptoWall infection – Verifying that there are no other infected PC’s active


Using LANGuardian to manage a CryptoWall infection

One of the most important tasks when dealing with a CryptoWall infection is to locate the PC(s) on your network that introduced the malware. If you don’t locate this system your files will keep getting encrypted after you restore them or pay the ransom.

In a recent blog post I looked at Auditing File Access on File Servers. One method for auditing file activity involves deep packet inspection, and this is ideal for cleaning up after a CryptoWall infection. Malware like CryptoWall leaves certain traces behind, and you just need to watch out for these to trace the clients responsible.

Check file share activity for certain text strings

When a CryptoWall infection targets file shares, it creates text and/or HTML files within the folders where data has been encrypted. Typically the file names are HOWDECRYPT.txt and HOWDECRYPT.html. These files contain instructions on how to get the data decrypted. What you need to do is find the clients which created the files, as they are the ones infected with the Ransomware.

You need to check for the presence of these files through network traffic analysis or log files. There is no point in searching for them through applications like Windows explorer. You may find the files but you won’t be able to see what clients created them.

Manage CryptoWall infections on YOUR network

Use the advanced deep packet inspection features in LANGuardian to track down hosts encrypting data on your network file shares. Active Directory integration also lets you see the associated username.

You can use the LANGuardian search feature to track activity associated with suspicious file names. It uses deep packet inspection to capture file names, IP addresses, actions and user names from network packets. You just need to set up a SPAN/mirror port or use a network TAP to get a copy of the network traffic going to and from your file servers. Once you have LANGuardian installed, follow these steps to track down CryptoWall infections.

  1. Click on the down arrow beside the search field
  2. Enter DECRYPT into the File Name field
  3. Modify the time range so that it includes the date and time when the CryptoWall infection was reported
CryptoWall infection file search

Once you click on the search option you should see a report like the one below. This reveals what IP address is associated with the CryptoWall infection. In my case the suspicious IP address is 10.1.1.151.

HOWDECRYPT files in Windows file shares

Find out what users are responsible for CryptoWall infections

Tracking down the network clients associated with CryptoWall infections may be all you need. However, if you use DHCP you may need to find out what usernames are associated with the Ransomware.

Once you have an IP address you can either cross reference your Windows domain controller security log files or use the LANGuardian user reports to identify the usernames. You do need to make sure you are auditing domain logons to get this data.

To reveal usernames in LANGuardian, click on the arrow symbol in the top right panel of either of the reports shown above. This will return all results. Then click on the View by: User Name option in the top right hand side and you will see which user names are associated with the file share activity.

Users accessing files on network shares

Auditing File Access on File Servers


See what is happening on your Windows file shares with LANGuardian.

LANGuardian monitors and records every access to file shares, recording details of user name, client IP address, server name, event type, file name, and data volume. Just set up a SPAN or mirror port to sniff the traffic. No agents or client software are required and there is no need to enable auditing on your file servers.

Why you should consider auditing file access activity

File activity monitoring solutions are designed to monitor the patterns of users accessing file shares. From a network operations point of view there are a few important reasons why you should look at file activity logging:

  • Quickly track down when a file was deleted and by whom.
  • Find the source of Ransomware or other Malware which targets file stores.
  • Identify who accessed a specific file or folder for a given time period.

Compliance standards which mandate some form of file access logging include:

  • PCI (Payment Card Industry) DSS 10.5.5, 11.5, 12.9.5
  • SOX (Sarbanes-Oxley) DS5.5
  • GLBA 16 CFR Part 314.4(b) and (3)
  • HIPAA 164.312(b)
  • FISMA AC-19, CP-9, SI-1, SI-7
  • ISO 27001/27002 12.3, 12.5.1, 12.5.3, 15.3

How to enable file access logging

There are two main approaches when it comes to file access logging. You can install an agent or enable file auditing on the file servers. The other approach is to passively capture the activity from network traffic using deep packet inspection.

If you install an agent or enable auditing on your file servers you also need a log file collector. A SIEM would be the most popular choice for storing the events.

Using log files on servers

In order to track file and folder access on a Windows Server using log files you need to enable file and folder auditing and then identify the files and folders that are to be audited. Once correctly configured, the server security logs will then contain information about attempts to access, delete or change the designated files and folders.

The image below shows a typical deployment. File access logs are generated when (1) a user logged onto wired or wireless devices accesses file shares across the network. The server (2) will log this activity in a database or in the Windows event log. The log collector (3) will read these records at regular intervals and store them within its own database. A log collector is required as server event logs can fill up very quickly.

Auditing File Access activity using log files

A sample event is shown below. Hundreds of these are created when a user accesses a single file which is why log files can fill up very quickly.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2015 5:51:48 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      FileServer1.acme.com
Description:
An attempt was made to access an object.

Subject:
    Security ID:     GLOBAL1\jjbloggs
    Account Name:    jjbloggs
    Account Domain:  GLOBAL1
    Logon ID:        0x17235b

Object:
    Object Server:   Security
    Object Type:     File
    Object Name:     C:\Shares\Finance\Budgets\BusinessBudget2016.xls
    Handle ID:       0x1b4

Process Information:
    Process ID:      0x2f8
    Process Name:    C:\Windows\System32\dllhost.exe

Access Request Information:
    Accesses:        READ_CONTROL
    Access Mask:     0x20000
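As an added example (not from the original post and not LANGuardian code), the Python below parses the 4663 event shown above into the fields an audit trail needs, decodes the Access Mask into named rights, and collapses the burst of events a single file open produces into one row per user and file, which is the reduction a log collector has to perform. The template, the second and third events and the 0x1 and 0x10000 masks are constructed; the access-mask bit values are the standard Windows ones.

```python
from collections import OrderedDict
from datetime import datetime
# Subset of the Windows file access-mask bits (values from winnt.h).
ACCESS_BITS = {
    0x00001: "READ_DATA", 0x00002: "WRITE_DATA", 0x00004: "APPEND_DATA",
    0x00080: "READ_ATTRIBUTES", 0x00100: "WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
def decode_access_mask(mask):
    """Expand an access-mask integer into the named rights it contains."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_4663(text):
    """Reduce one 4663 event to the fields an audit trail actually needs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("Event ID") != "4663":
        return None
    return {
        "time": datetime.strptime(fields["Date"], "%m/%d/%Y %I:%M:%S %p"),
        "user": fields["Account Domain"] + "\\" + fields["Account Name"],
        "object": fields["Object Name"],
        "accesses": decode_access_mask(int(fields["Access Mask"], 16)),
    }

def collapse(events):
    """Merge the burst of 4663 events one file open produces into a single
    row per (user, object), keeping the union of rights exercised."""
    rows = OrderedDict()
    for ev in events:
        row = rows.setdefault((ev["user"], ev["object"]),
                              {"first": ev["time"], "count": 0, "accesses": set()})
        row["count"] += 1
        row["accesses"] |= set(ev["accesses"])
    return rows

# Constructed events: the fields of the event above, with mask and file varied.
TEMPLATE = ("Event ID: 4663\nDate: {date}\nAccount Name: jjbloggs\n"
            "Account Domain: GLOBAL1\nObject Name: {obj}\nAccess Mask: {mask}\n")
BUDGET = r"C:\Shares\Finance\Budgets\BusinessBudget2016.xls"
SAMPLE_EVENTS = [TEMPLATE.format(date="8/14/2015 5:51:48 AM", obj=BUDGET, mask="0x20000"),
                 TEMPLATE.format(date="8/14/2015 5:51:48 AM", obj=BUDGET, mask="0x1"),
                 TEMPLATE.format(date="8/14/2015 5:52:10 AM", obj=BUDGET + ".bak", mask="0x10000")]
def audit_rows(texts=SAMPLE_EVENTS):
    """Parse and collapse raw 4663 events into audit-trail rows."""
    return collapse(ev for ev in map(parse_4663, texts) if ev)
```

Three raw events become two audit rows; on a real server the ratio is far higher, which is why the collector is needed.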

Using network traffic to monitor file share activity

The most popular file sharing protocols are SMB (Windows file shares) and NFS (UNIX file shares). These protocols handle the file and folder transactions between the clients and servers. What you need to do is capture this traffic as it flows around the network and extract the file activity data from the packet payloads.

The image below shows a typical way this can be done. Users (1) connect to file servers (2) using wired or wireless devices. This traffic flows through a network switch where a SPAN or mirror port is configured. This SPAN port sends a copy of the traffic to the network traffic analyzer where the file names and actions (metadata) are extracted from the packet payloads.

Auditing File Access activity using network traffic

Other information like IP addresses, usernames and data volume associated with the file transfer can also be extracted so that you end up with a proper audit trail of file access activity.

capturing file activity information from network traffic

Should you choose traffic or logs?

Both methods mentioned for auditing file access have their advantages and disadvantages. Log files may be fine for monitoring specific folders on certain servers. You can also monitor activity if administrators log onto the server directly.

Network traffic monitoring is ideal if you don’t want to make any changes to the configuration of the file servers or if logging is not available. Traffic monitoring will passively capture the file access activity as users access the file shares across the network.

Traffic monitoring won’t include activity where administrators log directly onto servers. In this case you may want to consider a hybrid approach where you capture most of the audit information from network traffic and use local auditing for really sensitive data. This hybrid approach avoids overloading log files with millions of entries for less sensitive data.

Tunnelling Bittorrent Over Port 80 – How to Detect Activity on Your Network

Bittorrent Over TCP Port 80

Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie/music pirates as it does not require a central server for the storage of data. A downloader (peer) can contact other peers and download pieces of content, and that peer will automatically share any content it has downloaded. It does have many other uses, such as a platform for distributing software updates.

When it comes to network management, most administrators try to block Bittorrent use. The main reason behind this is that it can use up massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size so all it takes is for a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers which can overload some firewalls.

Blocking access to sites like ThePirateBay may work in the short term but the introduction of magnet links makes site blocking more difficult. If you are successful in blocking the torrent sites, users can still access them at home and use your network to download the content.

How to detect Bittorrent tunnelling activity on your network

Traditional firewalls which use port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel/transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.

In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application: HTTP, Skype, Bittorrent, etc. You need to look inside the network packets and work out what the application is based on the packet payload or content.

This all sounds very complicated, and it is if you have to sort through packets using something like Wireshark. It is not impossible, but you will find it very time consuming. The other issue is scale: Wireshark works fine for analyzing a single client, but it will get overloaded if you are monitoring hundreds of clients.

Find Out Who is Tunneling Bittorrent on YOUR Network

Use the power of LANGuardian deep packet inspection to find out who is tunneling Bittorrent traffic on your network. No need for client or agent software, just setup a SPAN or mirror port. Active Directory integration allows you to associate Bittorrent activity with usernames too.

What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection. Aim to capture these fields at a minimum:

  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Info_hash: urlencoded 20-byte SHA1 hash
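An added example, not code from the post or from LANGuardian, of pulling those fields out of the packet payload without trusting the port number: the Python below recognises the BitTorrent peer-wire handshake and the HTTP tracker announce (the two places the 20-byte info_hash appears in clear text) and flags the flows that carry them on TCP port 80. The addresses, ports, peer_id and info_hash in the sample flows are constructed.

```python
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

BT_PSTR = b"\x13BitTorrent protocol"  # pstrlen (19) followed by the protocol string

def bt_info_hash(payload):
    """Return the info_hash (hex) if the payload is BitTorrent, else None.
    Port is ignored: the hash travels in clear text in the peer-wire handshake
    (pstr + 8 reserved bytes + info_hash + peer_id) and in the HTTP tracker
    announce (GET /announce?info_hash=<urlencoded 20 bytes>&...)."""
    if payload.startswith(BT_PSTR) and len(payload) >= 48:
        return payload[28:48].hex()
    m = re.match(rb"GET (\S+) HTTP/1\.[01]\r\n", payload)
    if m:
        _, _, query = m.group(1).partition(b"?")
        for param in query.split(b"&"):
            key, _, value = param.partition(b"=")
            if key == b"info_hash":
                raw = unquote_to_bytes(value)
                if len(raw) == 20:  # SHA1 length; anything else is not a torrent
                    return raw.hex()
    return None

def classify(records):
    """Label (src, sport, dst, dport, payload) records by what the payload carries,
    not by port, and keep the fields the post lists for a BitTorrent audit trail."""
    for src, sport, dst, dport, payload in records:
        info_hash = bt_info_hash(payload)
        if info_hash:
            app = "bittorrent"
        elif re.match(rb"(GET|POST|HEAD) /", payload):
            app = "http"
        else:
            app = "unknown"
        yield {"src": src, "sport": sport, "dst": dst, "dport": dport,
               "app": app, "info_hash": info_hash}

def tunnelled_on_port_80(records):
    return [r for r in classify(records) if r["dport"] == 80 and r["app"] == "bittorrent"]

# Constructed sample flows (addresses, ports, peer_id and info_hash are made up).
INFO_HASH = bytes(range(20))
HANDSHAKE = BT_PSTR + b"\x00" * 8 + INFO_HASH + b"-XX0001-constructed!"
ANNOUNCE = (b"GET /announce?info_hash=" + quote_from_bytes(INFO_HASH, safe="").encode()
            + b"&peer_id=-XX0001-constructed!&port=6881&left=0 HTTP/1.1\r\nHost: t.example\r\n\r\n")
SAMPLE_FLOWS = [
    ("192.168.1.20", 51234, "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.168.1.33", 60001, "198.51.100.7", 80, HANDSHAKE),
    ("192.168.1.33", 60002, "198.51.100.9", 80, ANNOUNCE),
    ("192.168.1.40", 6881, "198.51.100.20", 6881, HANDSHAKE),
]
```

The last flow shows the same client-side logic catching Bittorrent on its usual port, so one classifier covers both tunnelled and plain traffic.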

A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection meets your network switch infrastructure, then configure the switch to send a copy of the traffic going to and from the Internet to a switch port of your choice. This switch port is known as a SPAN or mirror port: it is just a regular port that you configure to be the destination for the SPAN traffic. See the video below, which covers this in more detail.

Tracking down Bittorrent activity with deep packet inspection

Once you have your SPAN port set up, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian, but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunneling. LANGuardian has the advantage of being able to report on real-time and historical activity.

Step 1 – Run a Top Applications Report

In my case I am going to take a look at activity over the past 4 hours and I also want to focus in on applications using port 80.

Top Network Applications

Step 2 – Drill Down on the Bittorrent Traffic

Most traffic on my network using port 80 is HTTP, but I have a small amount of Bittorrent traffic using this port. To drill down I click on the traffic volumes.

Bittorrent Tunneling activity on network

Here I can clearly see the client IP address, host name and info-hash values associated with this Bittorrent activity. Further details like other associated port numbers and external IP addresses can be obtained by drilling down further.

5 Tips for Dealing with Unusual Traffic Detected Notifications

Unusual traffic detected screenshot

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers and Tor traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like http://www.ipvoid.com/ to see if your IP address appears on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

Further reading

In a previous blog post I also looked at how you can use LANGuardian to track down the source of unusual traffic on your network.

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Darragh Delaney

5 Quick Tips To Hunt Down Ransomware With LANGuardian

CryptoWall 3.0 Ransomware

How To Hunt Down Ransomware With LANGuardian

A Ransomware infection usually starts with an initial infection vector such as a user clicking on an attachment in an email, an infected advertisement on a site, or something pushing the Angler Exploit Kit, which then pulls down the CryptoWall payload to the machine.

If you have been infected by Ransomware, use the search page at the top left to:

  1. Enter the IP of the infected machine in the forensic search https://x.x.x.x/main.cgi
  2. Enter the name of the file into the ‘Filename’ field that has been modified on your machine e.g. HELP_DECRYPT.txt to see if it has spread and to where, also located on the search page https://x.x.x.x/main.cgi
  3. Run the All Events::By Signature report – https://x.x.x.x/netmon/view.cgi?id=&rid=52
  4. Run the All Events::By Destination report https://x.x.x.x/netmon/view.cgi?id=&rid=106 putting the infected machine IP in the destination filter field.
  5. Check for any websites or IP addresses visited during the time period of the initial infection; you should see communication with the C&C server. Confirm the website or IP is malicious by checking it with Virustotal’s URL adviser. It’s also a good way to see if anybody else has been infected, by running a website search for the specific domain over the last 24 hours for example.

Following the steps above you should be able to hunt down Ransomware and find out when and where the initial infection came from.