Uncovering True Positives

MetaFlows is now using our sandbox results as an intelligence feed for ranking events. This method of using the sandbox as an intelligence source for ranking signatures allows us to catch infections or high-risk behavior, even if we only see one piece of the traditional malware life cycle. The picture below illustrates a sandbox report that shows where the signature was first observed in association with malware.

[Image: sandbox report showing where the signature was first observed in association with malware]

How It Works

Individual IDS signatures can now be ranked as a priority threat if they have been triggering inside the MetaFlows sandbox in association with malware. These signatures are only considered for special ranking if they are statistically rare among events across all MetaFlows monitored networks. Given their nature, these events are likely to be missed by an analyst among the many other events that are normally ranked low. The image below displays a ranked event on the user’s dashboard showing an alert identified with the new threat category.

[Image: ranked event on the user’s dashboard with the new threat category]

You can see what kinds of events are triggering in the MetaFlows sandbox by visiting our statistics page.

FireEye Foibles

On February 15th, Blue Frost Security released a statement regarding an analysis engine evasion identified in FireEye’s virtualization-based dynamic analysis. Their statement reads, “An analysis engine evasion was identified which allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and whitelist arbitrary malicious binaries.”

We now have a signature to detect this method of evading FireEye:

2022554 || ET EXPLOIT FireEye Detection Evasion %temp% attempt – Inbound ||

Any customers who also use the FireEye system may want to set up additional rank or email classes for this rule so that they are alerted to malware that may be attempting to bypass their FireEye appliance. FireEye has released an update for this issue that users should apply immediately, if they have not done so already. However, even once the issue has been patched, seeing this bypass attempted is a valuable indicator of malicious activity on its own, and the same trick may be tried alongside future evasion attempts.

Predictive Global Correlation Feed

After months of data gathering, we turned on a new global correlation feature that complements the existing local multi-session correlation. The aim is to further tighten the net and catch more bad stuff while also decreasing false positives.

We now show the ranking as total/global when we display an alert. When the global ranking is missing, it is because that event is only ranked locally and the global portion is unknown. When the total and global rank are the same (like 187/187 in the example below), it means that an event was ranked exclusively using global relevance and it would have been missed by the local analysis.

You can see the global ranks by going to the IDS rule management interface. IDS rules listed there will have the current global rank assigned to them for that day (if any).

[Image: alert display showing a 187/187 total/global rank]

This additional information complements the local multi-session correlation analysis by looking at things from a global, multi-domain perspective:

If a domain similar to yours has experienced a significant number of high-priority network security incidents involving a particular IDS signature, that signature will receive a positive global rank in your domain.

The key here is the word “similar”. The events each customer generates are used to compute a similarity matrix that tells us how similar each network is to the others. Using this information, rather than recommending all high-priority signatures to all domains (we call this simple prediction), we only recommend what is most likely relevant to your domain (we call it predictive correlation).
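The similarity-matrix idea above, worked through as an added example (this is not MetaFlows code). It assumes cosine similarity over per-domain counts of confirmed high-priority incidents, a "hot signature" threshold and a minimum similarity, all chosen here for illustration; the signature ids 9000001 and 9000002 are constructed placeholders, while 2022547 and 2022554 are the ones mentioned on this page.

```python
"""Predictive global correlation: rank an IDS signature in a domain only when
domains *similar* to it have confirmed high-priority incidents for it.

Added example, not MetaFlows code. The incident counts, the cosine similarity
measure and the thresholds are assumptions made here for illustration."""
import math

# Constructed sample: domain -> {signature id: confirmed high-priority incidents}.
# 9000001/9000002 are placeholder ids; 2022547/2022554 appear on this page.
INCIDENTS = {
    "univ-a":  {9000001: 30, 9000002: 2,  2022547: 12, 2022554: 0},
    "univ-b":  {9000001: 25, 9000002: 0,  2022547: 9,  2022554: 1},
    "retail":  {9000001: 1,  9000002: 40, 2022547: 0,  2022554: 8},
    "hosting": {9000001: 0,  9000002: 35, 2022547: 1,  2022554: 7},
}


def cosine(u, v):
    """Cosine similarity of two event-count vectors (0.0 when either is all zero)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def similarity_matrix(incidents):
    """Pairwise similarity of each domain's incident profile to every other domain."""
    sids = sorted({s for counts in incidents.values() for s in counts})
    vec = {d: [incidents[d].get(s, 0) for s in sids] for d in incidents}
    return {a: {b: cosine(vec[a], vec[b]) for b in incidents} for a in incidents}


def simple_prediction(incidents, threshold):
    """Baseline ("simple prediction"): every signature that is hot anywhere is
    recommended to every domain, regardless of how alike the domains are."""
    hot = {s for counts in incidents.values()
           for s, n in counts.items() if n >= threshold}
    return {d: set(hot) for d in incidents}


def predictive_correlation(incidents, threshold, min_similarity):
    """Global rank per domain: similarity-weighted count of hot incidents seen
    in *other* domains that are at least min_similarity similar to it."""
    sim = similarity_matrix(incidents)
    ranks = {d: {} for d in incidents}
    for me in incidents:
        for other, s in sim[me].items():
            if other == me or s < min_similarity:
                continue
            for sid, n in incidents[other].items():
                if n >= threshold:
                    ranks[me][sid] = ranks[me].get(sid, 0.0) + s * n
    return ranks


if __name__ == "__main__":
    simple = simple_prediction(INCIDENTS, threshold=5)
    predictive = predictive_correlation(INCIDENTS, threshold=5, min_similarity=0.5)
    for domain in INCIDENTS:
        print(domain, "simple:", sorted(simple[domain]),
              "predictive:", sorted(predictive[domain]))
```

With these numbers the two university networks only receive each other's hot signatures, and the retail and hosting networks only receive theirs, whereas simple prediction pushes all four signatures to everyone.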


Let us know how this works for you and if you have any questions.

Thanks!

The Skinny on CVE-2015-7547

While the DNS exploit CVE-2015-7547 was discovered a week ago, the code containing the flaw has been in use since May 2008. CVE-2015-7547 allows arbitrary code to execute on any system that relies on glibc, by way of a malformed query response. As discovered by Red Hat and Google, there are flaws in the GNU C Library, which connects to DNS to resolve names. The problematic code affects all versions of glibc since 2.9 and allows remote code execution.

We have seven signatures, the first of which was released the day after the exploit was discovered. We were able to push the beta version of the rule to our research partners immediately, and to all sensors during the normal daily signature update.

2022531 || ET EXPLOIT Possible 2015-7547 Malformed Server response || cve,2015-7547

2022542 || ET EXPLOIT Possible 2015-7547 PoC Server Response || cve,2015-7547

2022543 || ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup || cve,2015-7547

2022544 || ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup || cve,2015-7547

2022545 || ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA || cve,2015-7547

2022546 || ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set) || cve,2015-7547

2022547 || ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query || cve,2015-7547

Signature 2022547 is currently triggering on multiple customer sites, but at least for now it is in low volume. However, according to Dan Kaminsky, this is a threat that could swiftly escalate as more and more adversaries improve their attack strategies to increase the damage made possible by CVE-2015-7547. Patching this particular bug is paramount, as well as continually monitoring your system for the exploit.
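A defender-side check for the traffic pattern that the names of signatures 2022543, 2022544 and 2022547 describe (a long response to an A/AAAA lookup), as an added example; it is not an Emerging Threats rule or MetaFlows code. It parses only the DNS header and first question of a raw message, and uses 2048 bytes as the default threshold because that is the size of the stack buffer glibc's resolver overflowed; the threshold is a parameter and should be tuned to match your rules.

```python
"""Flag oversized DNS responses to A/AAAA questions (CVE-2015-7547 pattern).

Added example, not an IDS rule. Input is a raw DNS message: a UDP payload, or
a TCP payload after the 2-byte length prefix has been stripped."""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
QR_BIT = 0x8000           # flags bit set on responses
GLIBC_STACK_BUF = 2048    # bytes; size of glibc's fixed resolver buffer


def parse_question(msg):
    """Return (is_response, qname, qtype) from the first question, or None
    when the message is too short or malformed to parse safely."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:          # end of name
            break
        if length & 0xC0:        # compression pointer in a question: treat as malformed
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & QR_BIT), ".".join(labels), qtype


def is_suspicious_response(msg, threshold=GLIBC_STACK_BUF):
    """True when msg is a response to an A or AAAA question and its total
    size exceeds threshold, the condition a long-response rule keys on."""
    parsed = parse_question(msg)
    if parsed is None:
        return False
    is_response, _qname, qtype = parsed
    return is_response and qtype in (QTYPE_A, QTYPE_AAAA) and len(msg) > threshold


def build_response(qname, qtype, total_size):
    """Constructed test message: a valid header and question, zero-padded to
    total_size. The padding merely stands in for a large answer section."""
    header = struct.pack("!6H", 0x1234, QR_BIT | 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    body = header + name + struct.pack("!HH", qtype, 1)
    return body + b"\x00" * max(0, total_size - len(body))


if __name__ == "__main__":
    for size in (512, 2048, 3000):
        msg = build_response("example.com", QTYPE_AAAA, size)
        print(size, "bytes ->", "suspicious" if is_suspicious_response(msg) else "ok")
```

A real sensor would apply this only to traffic from port 53 toward resolver clients and would pair it with the query that preceded the response; a single large but legitimate response (DNSSEC, many records) will match, which is why the rule volume noted above matters.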


Measured Antivirus Effectiveness

I wanted to share with you some insight from the data that originated from our customers’ networks last week. This time, we wanted to provide some information on how different antivirus vendors perform on the .exe, .dll, .pdf, and .zip files seen around the world.

The table below shows the relative hit ratio of all the antivirus vendors hosted by VirusTotal on 697 confirmed bad files. You will notice that 43% of the time none of the antivirus products detected anything. The top performer is McAfee-GW-Edition with a 37% detection rate.

Looking at the types of samples detected, one can also consider which antivirus vendors were able to catch the worst malicious code. We assigned an Average Priority of 1 to spyware or unwanted software and an Average Priority of 100 to known Trojans or unclassified malware. Then we multiplied the Average Priority by the Detection Rate, giving rise to the Severity column. This column shows which antivirus vendors found the most dangerous code. This week Arcabit wins with a Detection Rate of 29%, an Average Priority of 30.17, and a Severity of 8.96.

Antivirus Vendor    True Positives  Average Priority  Detection Rate  Severity
None                           300                          0.430416     (mss)
Arcabit                        207             30.17        0.296987      8.96
F-Secure                       192             28.84        0.275466      7.95
ESET-NOD32                     205             24.18        0.294118      7.11
AVG                            129             37.07        0.185079      6.86
Avast                          200             23.77        0.286944      6.82
Qihoo-360                      207             22.52        0.296987      6.69
GData                          223             20.09        0.319943      6.43
McAfee-GW-Edition              264             16.75        0.378766      6.34
CAT-QuickHeal                  162             27.28        0.232425      6.34
VIPRE                          172             23.45        0.246772      5.79
Cyren                          201             19.72        0.288379      5.69
Panda                           85             46.42        0.121951      5.66
F-Prot                         160             24.51        0.229555      5.63
ClamAV                          62             63.27        0.088953      5.63
Fortinet                       105             29.29        0.150646      4.41
McAfee                         117             25.54        0.167862      4.29
Avira                          210             12.79        0.301291      3.85
Bkav                            83             30.82        0.119082      3.67
MicroWorld-eScan               162             15.06        0.232425      3.50
BitDefender                    161             15.14        0.230990      3.50
Emsisoft                       160             15.23        0.229555      3.50
CMC                             24            100.00        0.034433      3.44
Kaspersky                       86             27.48        0.123386      3.39
TrendMicro                      63             37.14        0.090387      3.36
Ad-Aware                       140             16.56        0.200861      3.33
Ikarus                         209             10.95        0.299857      3.28
AVware                          95             23.93        0.136298      3.26
Comodo                          69             26.83        0.098996      2.66
Sophos                          77             20.29        0.110473      2.24
Rising                         195              7.09        0.279770      1.98
Tencent                         50             24.76        0.071736      1.78
ALYac                          108              9.25        0.154950      1.43
Microsoft                       25             36.64        0.035868      1.31
K7AntiVirus                    109              5.54        0.156385      0.87
DrWeb                          134              3.96        0.192253      0.76
Malwarebytes                   222              1.89        0.318508      0.60
K7GW                           120              3.48        0.172166      0.60
Antiy-AVL                       74              5.01        0.106169      0.53
Symantec                       161              1.61        0.230990      0.37
VBA32                           53              4.74        0.076040      0.36
nProtect                        16             13.38        0.022956      0.31
NANO-Antivirus                  76              2.30        0.109039      0.25
SUPERAntiSpyware                38              3.61        0.054519      0.20
Jiangmin                        38              3.61        0.054519      0.20
Zillya                         131              1.00        0.187948      0.19
ByteHero                         4             25.75        0.005739      0.15
Baidu-International             83              1.00        0.119082      0.12
AhnLab-V3                       80              1.00        0.114778      0.11
Agnitum                         57              1.00        0.081779      0.08
ViRobot                         12              1.00        0.017217      0.02
AegisLab                         9              1.00        0.012912      0.01
TotalDefense                     2              1.00        0.002869      0.00
Zoner                            1              1.00        0.001435      0.00
Alibaba                          1              1.00        0.001435      0.00

Our sandbox was able to detect the remaining samples (the missing 43%).

[Image: bubble graph of Severity versus Prevalence per antivirus vendor]

The bubble graph above illustrates the Severity (Detection Rate * Average Priority) versus the Prevalence (Detection Rate * Total Priority). The detection rate is encoded in color, and the size of the bubble is proportional to how many customers saw the malware.


If you are curious about more statistics like this, you can visit https://www.metaflows.com/stats/ (best viewed on a desktop) for a ton of additional information. If you want a quick fix, watch some of our videos at https://www.metaflows.com/saas/.

The Raw Data

We wanted to share with you some insight from the 50M+ security events that originated from our customers’ networks last week. We reported different security event invariants that were confirmed to be true positives and how they fit within a global, multi-domain context. The data and several interesting graphs can be obtained at https://www.metaflows.com/stats (best viewed on a desktop).

[Image 1 (12.14.15)]

For example, the top OpenAppIDs that were the best predictors of a compromise last week are shown below. Interestingly, we also detected that the google_update OpenAppID predicts with fifty percent (50%) accuracy malware activity designed to evade application firewalls. Remember, these are actual measurements across 50M+ records. As a result, they should be relevant to any network.


[Image: table of the top OpenAppIDs predicting compromise last week]

Below is a visualization of the IDS rules with greater than 95% accuracy last week. Please visit our stats page at https://www.metaflows.com/stats/ for more detailed information.

[Image 2 (12.14.15): IDS rules with greater than 95% accuracy]

MetaFlows offers a compelling product that will provide an unprecedented level of protection to any network. If you decide to run a trial, in addition to automated incident reports with extremely low false positive rates, you will also get a personalized multi-domain report for the events found on your network.

User to IP Address Mapping Through Active Directory

We have added support for extracting successful user logins through MS Active Directory for Silver and Gold subscriptions. You can now install a MetaFlows agent (nsm_logc) on your Active Directory servers to export Windows logs to your sensor(s). The agent will also export other critical Windows events to the sensor so that you can record that information and perhaps correlate it with other security events. Although we recommend installing the MetaFlows agent nsm_logc, this mechanism will also work if you install Snare (commercial) or eventlog-to-syslog (open source) instead of nsm_logc. One advantage of nsm_logc is that the logs are exported through an encrypted channel rather than being sent in clear text.

In any case, the end result will be that any time a user logs in from a specific IP address, (1) a real-time service discovery alert is generated and logged, and (2) his/her identity is associated with any alert which involves that IP address. The user identity is appended to the alert messages and is therefore searchable like any other string. Information on how to install the AD agents and some screenshots are here.
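The two outcomes described above (a discovery alert on each new user/IP pair, and the identity appended to later alerts for that address), as an added example that is not the MetaFlows nsm_logc agent. It assumes the forwarded Security-log lines use the key=value layout of the constructed sample below; real Snare or eventlog-to-syslog exports carry the same event IDs (4624 logon, 4634 logoff) but different field names and order.

```python
"""Map users to IP addresses from forwarded Windows logon events and append
the identity to IDS alerts involving that address.

Added example, not MetaFlows code. Line layout below is an assumption."""
import re

# Constructed sample of forwarded Windows Security events (not real exports).
WINDOWS_LOG = """\
2015-10-01T08:02:11 DC01 EventID=4624 LogonType=3 Account=alice Source=10.1.5.23
2015-10-01T08:05:40 DC01 EventID=4624 LogonType=2 Account=bob Source=10.1.5.40
2015-10-01T08:06:00 DC01 EventID=4624 LogonType=3 Account=WS-17$ Source=10.1.5.40
2015-10-01T09:15:02 DC01 EventID=4634 Account=alice Source=10.1.5.23
2015-10-01T09:20:30 DC01 EventID=4624 LogonType=3 Account=carol Source=10.1.5.23
2015-10-01T09:21:00 DC01 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON Source=10.1.5.99
"""

EVENT = re.compile(r"^(?P<ts>\S+) \S+ EventID=(?P<eid>\d+)(?: LogonType=\d+)? "
                   r"Account=(?P<user>.+?) Source=(?P<ip>\S+)$")


def is_human_account(user):
    """Skip machine accounts (trailing $) and anonymous/null sessions; they
    would otherwise overwrite a real user's mapping for the same address."""
    return not user.endswith("$") and user.upper() != "ANONYMOUS LOGON"


def build_ip_user_map(log_text):
    """Return (ip -> user mapping, service-discovery alerts). Last logon wins;
    a logoff for the currently mapped user clears that address."""
    mapping, alerts, seen = {}, [], set()
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts, eid, user, ip = m["ts"], m["eid"], m["user"], m["ip"]
        if eid == "4624" and is_human_account(user):
            if (ip, user) not in seen:   # first time this pair is observed
                seen.add((ip, user))
                alerts.append(f"{ts} DISCOVERY user {user} logged in from {ip}")
            mapping[ip] = user
        elif eid == "4634" and mapping.get(ip) == user:
            del mapping[ip]
    return mapping, alerts


def enrich_alert(message, src_ip, dst_ip, mapping):
    """Append the known identity for either address so it is searchable as text."""
    users = [f"user={mapping[ip]}" for ip in (src_ip, dst_ip) if ip in mapping]
    return message if not users else f"{message} [{' '.join(users)}]"


if __name__ == "__main__":
    ip_user, discovery = build_ip_user_map(WINDOWS_LOG)
    print("\n".join(discovery))
    print(enrich_alert("ET TROJAN example alert", "10.1.5.40", "203.0.113.9", ip_user))
```

On a real network the mapping must also age out with DHCP lease churn and cope with shared addresses (terminal servers, NAT), otherwise an alert is attributed to whoever logged in last.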

As always, do not hesitate to contact us if you have any questions or if you encounter any problems implementing this exciting new feature.

Happy Hunting!

The MetaFlows Team

Command Line Interface Is Here!

As a new feature of the MetaFlows MSS, we have added the ability to query the MSS for both historical flow data (with payload coming from the sensor) and historical event data (coming from our database). The flow data text output can be formatted to look like what Argus provides (-f -X) or what Bro provides (-c), depending on the options that are selected. We have also added JSON output (-J) for those of you that use Splunk and want to do some integration work. The MetaFlows Wiki has been deeply revamped and the CLI documentation is at:

https://docs.metaflows.com/Command_Line_Interface

[Image: screenshot of the CLI, 2015-09-14]

The CLI client is written in Perl and can be copied to any system after initialization – so you may execute the CLI queries from any host. Also, if you dare, you can modify the Perl code to change the output formats or to add your own command line switches.

To whet your appetite, the following query will return all the latest malicious content from your sensors:

getflows.pl -u api1:xxxx -B

This query, for example, shows all of the clients on your network attacking Chinese Web Servers:

getflows.pl -E -u api1:xxxx -w 360000 -Q modsec_out | grep CRITICAL | grep :CN

We encourage you to invest some time in looking at this CLI interface. As always, do not hesitate to drop us a line at support@metaflows.com.

Thanks!

The MetaFlows Team

Taking Care of Business: The FTC Guidelines Part Two

This post is a follow-up to Part 1 of Taking Care of Business: Information Retention & Responsibility. Here, we will be covering items six through ten, with a wrap-up of what this document means and what we can do to help you stay secure, ethically responsible, and on the right side of the FTC’s standards.

Item six on their list is, “Secure Remote Access to Your Network.” Their bullet points under this heading are Ensure End Point Security, meaning that you must control who can log on remotely and determine that they are doing it safely. One way is to require two-factor authentication for logins. This demands that each user have the ability to generate a token on a separate device (a cell phone) and use that in combination with a token created by a key fob. Biometrics and PINs are also considered types of two-factor authentication.

The FTC would also prefer that businesses limit the amount of access that users have when away from the office. This is the part where it is useful to discuss third-party access. Restricting the amount and type of data that a third party or an off-site worker can get to means that the truly important data has a better chance of staying safe. Offering limited, one-time access is a great way to approach giving accessibility to a third-party user.

Item seven on the list is, “Apply Sound Security Practices When Developing New Products” and the first subheading asks that you “train your engineers in secure coding.” This is something tackled at the pre-design stage. It is up to your software developers to create code that is secure and will not unnecessarily put your business and clients at risk. For that to happen, they must be trained effectively on how to do so. A lack of education and foresight at this stage could be fatal before your product or service even launches.

The FTC’s second sub-heading involves following platform guidelines for security. Secure development practice guidelines are out there and available for use. Failing to follow them can open your business up to man-in-the-middle attacks through mobile applications and other dangers. It is not a requirement that one reinvent the wheel; instead, use the resources that are already available for creating secure software.

The last two bullet points are closely linked, “Verify that privacy and security features work” and “Test for common vulnerabilities.” This is something that even the big guys miss, much less the smaller companies out there. Often, it is smart to invest in an individual or company that provides penetration testing (pen testing). It is their job to try to get into your network in as many ways as possible. They will evaluate any weaknesses that exist within your code and review the results with you. Large companies such as Microsoft and others offer Bug Bounties, meaning that if a hacker (with their permission and under their conditions) finds a bug or security issue with their software, that hacker is rewarded and the bug can be fixed. Adobe, after some major security gaffes, has enlisted the help of the Bug Bounty program to help tighten up their software.

Issue eight of the last ten states, “Make Sure Your Service Providers Implement Reasonable Security Measures.” Since points six and seven warn you to get your software and users in line, the natural progression leads to the idea that you should evaluate anyone that you do business with. They advise that you “put it in writing” and “verify compliance.” Your security measures matter as much as the security measures of the individuals that provide you with valuable services such as connectivity and cloud computing, just to name a few. Taking someone’s word or accepting a handshake with the assumption that any promises they make outside of writing will be upheld is inadvisable at best. Any company’s website should list their regulatory compliance information, which is easy to verify. This is ours.

In point nine, “Put Your Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise,” they put their focus not only on how you go about maintaining your security practices, but also on those of any third-party vendors you may work with. This is where documentation is essential, to prove, should you be summoned to court, that you have been maintaining a good-faith relationship in regards to your security. Also, even after the pen-test phase, it is vital to keep on top of any perforations in your company’s defense against adversaries. Whether it is six months or nine years after a product you are responsible for is released, you must act upon any reports warning of a security risk with your product. Put together a way of collecting these issues and a mechanism to address them. Do not let them get lost in the shuffle; ignore them at your peril. This, of course, also requires that you stay on top of any third-party services or vendors you may use to make sure that they are making good on their promise of security to you.

Last but not least, the FTC advises that you, “Secure Paper, Physical Media, and Devices.” Everything that was already recommended in regards to your network and digital data also applies to any hard copies. The FTC asks that you “securely store sensitive files,” “protect devices that process personal information,” “keep safety standards in place when data is en route,” and “dispose of sensitive data securely.” All of this may seem like common sense and somewhat of a no-brainer, but it is worth remembering that if enterprises, both small and large, did these things, the FTC would never have had to address gaffes in data containment by Rite Aid, CVS Caremark, and many unfortunate others.

We decided to use this precious blog space to bring these ten items to your attention, as it is our goal to keep you and your data safe. The MetaFlows MSS is continually evolving to help you better protect your enterprise from adversaries and from the potential legal fallout of any success they might otherwise have had. A tired truth is that the best defense is actually a good offense, and in the world of business and information security, having the right service in place can make all the difference.

InfoSec and the Great Gender Gap: The Revolving Ten Percent

[Image: love2d beginner game programming workshop at the Berlin Google office in August 2015 as part of Women Techmakers]

That there is a dearth of women in the Information Security (InfoSec) community is not news. The news would be if that number were to ratchet up to fifteen or twenty percent, in keeping with the growth that other STEM positions are close to hitting. Women make up only 27% of the population in Science, Technology, Engineering and Math (STEM) careers; 12% of computer science degree holders were women according to a census in 2011. The number of women currently holding positions in Information Security is a marginal 10-12%. Even as other areas of STEM show an improvement in numbers, the Information Security field remains stagnant.

It is easy to look at these numbers and agree with InfoSec professionals’ retort that women just are not suited to this kind of work. They cite a lack of women in university courses, training events, and conferences as a sign that women are not interested in and/or are incapable of producing the kind of results that the job requires. Sure, women might start in the industry, and if they disappear, the reasoning falls along the lines of imagining they left to start a family or something similar. Looking inward, to assign blame, is often quite difficult and not the most natural first reaction.

“The shortage of women in the field creates a vicious cycle. The profession is seen as unwelcoming by women first choosing a career. And women who are already in the profession can find themselves singled out and stereotyped. That, in turn, makes women feel devalued and passed over for promotions, and means that they are more likely to leave their companies”, according to a recent report from the Anita Borg Institute.

The misogyny is not necessarily entirely mean-spirited and the perpetrators may firmly believe that there is nothing wrong with their behavior. However, after attending Beyond The Gender Gap: Empowering Women In Security at Black Hat 2015, and talking to the four women at my table, it became clear that this is an ongoing/recurring issue. The offenses listed by my table companions, women employed at such companies as Microsoft and IGX, range from what some call passive misogyny which includes:

  • companies sponsoring competitions offering prizes that are only suitable for male contestants,
  • assuming that if a woman is present at an interview/meeting she must be the project manager, or human resources liaison or quite possibly even the secretary duty bound to fetch refreshments,
  • not addressing sexist language/objectionable materials in the work place,
  • and using gendered language in their job proposals.

They also cited more active forms of misogyny that include but are not limited to:

  • being passed over for advancement,
  • and actively denied mentorship.

All of these issues seem to occur as a default to former societal norms with outdated expectations, and a focus on exclusivity rather than inclusivity. Why bother promoting or investing in a woman, as she will doubtless leave to start a family and default on the investment of on-boarding her in the first place?

If a woman does manage to brave the obstacles against her, the path does not become easier, but presents only new difficulties. Recently, the #ILookLikeAnEngineer campaign highlighted some of the key issues of women in tech. When Isis Wenger started the Twitter hashtag, it was because she fell under heavy criticism for an advertisement campaign run by her employer. “People generating discussions about whether or not I really was a platform engineer for OneLogin were also rather shocking,” she said. The reason behind questioning the legitimacy of the ad is simple yet profoundly disturbing; Wenger was considered too attractive to be an actual platform engineer.

She is an engineer.

One who openly acknowledges being a minority comes to the startling conclusion that if she is not willing to plow the way ahead for the next one, well, no one will. However, the acceptance of this path comes at a steep personal cost, and the numbers reveal that women, when it comes to working in the InfoSec profession, have decided that it is not worth it. As more women enter STEM, one would imagine that the number of female InfoSec professionals would grow, but that is not the case. Women entering the profession are only doing so at a rate that replaces the number of women leaving the profession. The reasons for this can be intensely personal, as well as professional.

According to Marsha Wilson in her article, A Woman’s Journey to Cyber Security, “Being a woman in infosec requires you re-demonstrate your chops with every new IS dude gang. It gets exhausting but I find it is just part of the culture. If you don’t like it, you better build a thick skin or go elsewhere.” In short, a woman in the InfoSec community had best accommodate herself to an environment created exclusively by men, for men. This environment certainly does not come across as an inviting atmosphere; her use of the words “exhausting” and “dude gang,” indicates exactly what is likely preventing women from staying in the field once they gain employment.

While the answers to the quandary regarding women in the InfoSec community will likely not be solved tomorrow, all statistics prove that the sooner the gender gap is closed, the better. This blog post barely scratches the surface of what appears to be a complex and ever-evolving problem. However, it behooves us to conclude on a positive note. There are people who have made it their goal to help women join the InfoSec community and their visibility on the web is growing. All of the groups and communities listed below contain inspirational articles, information on classes/workshops, and links to even more resources. The InfoSec community is one of growth and in truth, it needs more women.

Double Union

Executive Women’s Forum (EWF)

Girl Develop It (GDI)

Girls Who Code (GWC)

Women in Cyber Security (WiCyS)

Women in Technology MeetUp

Women Who Code (WWC)