Taking Care of Business: Information Retention & Responsibility


Every business accrues data about its current patrons and prospective clients. What information do you collect about your customers? Do you collect only what is relevant, or pursue all of the data you can possibly accumulate? Whatever your approach to data collection, and whatever the reasons behind it, the FTC thinks it is time you reviewed those policies. The Federal Trade Commission (FTC) recently released a document entitled “Start with Security: A Guide for Business.” This may initially seem both dry and somewhat irrelevant. However, choosing to ignore or dismiss these guidelines out of hand will ultimately prove expensive. On Monday, the United States Court of Appeals for the Third Circuit ruled that the FTC has the authority to take action on behalf of consumers against companies that do not follow these guidelines. Established within this document are “10 practical lessons businesses can learn from the FTC’s 50+ data security settlements,” and for the purpose of this blog post we will take a look at the first five points on the list.

The first of these asks that you start with security in mind. Until security is breached, companies are often quite confident in their in-house or SaaS security solutions. The issue with this, of course, is that it is a reactive strategy, not a proactive one. If an in-house security team is not given the tools it needs to do the job properly, expecting it to stay ahead of cyber threats is more than a bit unrealistic; it is irresponsible.

The FTC also advocates that companies do not collect personal data that they do not need or retain data longer than necessary. In translation, you are in charge of making decisions regarding exactly what and how much data that you acquire from your customer base and how long you hang on to it. It is worth keeping in mind that whatever you do choose to collect and store, you are responsible for it. The more data you have, the stronger the security solution you will need, so as not to be found liable should that data become compromised.

When considering stored data, one must also consider who within the company has access to what, and how much. The FTC recommends creating user accounts for employees on a need-to-know basis. (This also covers paper data as well as copies stored on external memory hardware, including drives and disks.) Companies should not only restrict access to sensitive data but also limit the administrative access of each user. Much of cyberterrorism is part pure code hacking and part social engineering. If an employee is tricked into opening a compromised document or visiting a hijacked web page, they may unleash any number of terrors upon your network. Certainly, every business should invest in backups, but beyond that, by controlling employee access one also controls the amount of potential employee damage.

The third point the FTC has chosen to make revolves around passwords. It is the responsibility of every business to safeguard its data so that only the right people can access only the information they need. The FTC recommends that businesses “insist on complex and unique passwords,” “store passwords securely,” “guard against brute force attacks,” and “protect against authentication bypass.” When considering password safety, creating and enforcing password protocols is an absolute necessity. Criminals should not be able to guess their way into your system through weak passwords, read unencrypted documents that contain sensitive information, take down your network through the use of automated programs that guess at passwords, or discover back doors that allow access.

Information travels, and transferring sensitive data securely is an absolute requirement. This can be accomplished through cryptography, such as Transport Layer Security/Secure Sockets Layer (TLS/SSL), and other methods. If data is not resting securely, or being transferred securely, throughout its life in a business, then that business can be held liable should predators acquire that data. By using “industry-tested and accepted methods” business owners can take advantage of all the security research that has come before and has been confirmed as functional and safe. Of course, without proper configuration of all of these elements, businesses become vulnerable to the man-in-the-middle attacks that are rather infamous in the world of information security: priceless data slips through because the business poorly executed the standards it put in place.

The fifth and final point we will cover is the requirement to “segment your network and monitor who’s trying to get in and out.” This, by far, is one of the most vital items on the list. Firewalls are a very effective tool for regulating access to information by segmenting your network. While it is tempting to connect everything, doing so puts your data and your reputation at risk. You are also required to monitor the activity on your network. This may seem like a daunting task, with all of those hackers trying to get into your system so they can get out with sensitive materials. However, there are products available to help you perform this necessary task.

The best way to address the first five points is to use a multi-part IDS, such as MetaFlows MSS. Providing your security team with the best software on the market is the only way to make sure that you are in compliance with the most vital of the FTC’s requirements. If a business’s network is compromised because it did not follow these guidelines to the best of its ability, the FTC can and will take action. In just the first five bullet points of the PDF, businesses such as Twitter, DSW, Fandango, and Credit Karma were all publicly revealed as companies with insecure systems and networks. It should never be anyone’s goal to join them.

Common Threads in Black Hat 2015

When discussing the need for tighter and better cyber-security, one of the common themes discussed at Black Hat centered around the lack of research and preparation on the part of software developers. Katie Moussouris, speaking at the special event “Beyond the Gender Gap: Empowering Women in Security,” mentioned that her career revolved around encouraging software developers in major corporations to address security at the design stage, or as early as possible in the development phase. The issue with this, of course, is that if a potential exploit is discovered, the individual responsible for that discovery would receive no credit for it. The fix would simply exist as an afterthought, thus encouraging the habit of sitting still, waiting for the problem to become evident, and then offering a security patch. When internal efforts fail, it would behoove developers to seek outside assistance. However, this solution is one that is not readily accepted. In the panel, Moussouris cited Microsoft’s initial commitment not to pay individuals to hack its products, and the challenges she faces in encouraging software developers to create Bug Bounty programs on sites such as Moussouris’ HackerOne.

Where companies like Adobe do institute Bug Bounty programs, they range in effectiveness, as participants can be awarded everything from cash to a high-five for their efforts. However, when one considers how many vulnerabilities continue to crop up in Adobe’s software, a high-five may not be enough. Given the compromises that their Flash updates have caused, it is clear that Adobe’s approach is failing. The gravity of this issue is especially evident as Cisco’s most recent Midyear Security Report and resulting blog entry call upon companies, “To reduce the occurrence of these common code errors, software developers should participate in regular security training to build awareness of current vulnerabilities, trends, and threats.” Although the ball for creating, publishing, and updating secure software lies in the hands of software developers, only a naïve or irresponsible user would sit back and wait for the developers to handle it.

The proactive approach, on the user end, is to assume that every software system is inherently flawed and problematic, and to have a security solution already in place that can detect when employing a new software system has unintended and quite possibly disastrous consequences. Defensive security systems must be flexible enough and powerful enough to meet evolving threats coming from an onslaught of flawed software systems and web user interfaces riddled with flaws, which can catch users unaware but, ideally, not unprepared.

As the Internet of Everything becomes more of a reality, it is the onus of the user to make sure that they are meeting the challenges that come with it. Conferences like Black Hat open up the dialogue by asking important questions, the most resounding being, “What do you plan to do to keep your information secure?” In a room full of options, this question may seem both overwhelming and considerably difficult. No one can afford to spend money on services that are not comprehensive and will not work with others, to accidentally duplicate coverage, or to invest in a system that simply does not meet the demands of a connected world.

Finding solutions and making connections are why security professionals attend Black Hat. At the MetaFlows kiosk, our engineers were able to explain to professional after professional why the SaaS model works and how the MetaFlows MSS is a cooperative solution that pulls from a variety of sources, partnering with Emerging Threats, Cyber-TA, and VirusTotal, to name a few. As Microsoft plans to release Windows 10 and Adobe continues to update its products, it is imperative that every user have a security plan in place to protect the integrity of their data.

MetaFlows Announces Virtual Sandboxing in Amazon Cloud: Advanced Feature in MSS Delivers Unlimited Scalability for Sandboxes


Las Vegas, NV, August 4, 2015 — MetaFlows, Inc., a leader in advanced, behavioral network security monitoring, announced today that MetaFlows Security System (MSS) users can now deploy a distributed virtual sandbox using the Amazon EC2 cloud. MetaFlows’ virtual sandbox spawns Amazon EC2 instances. Once the EC2 instance detonates the sample, it is simply wiped out and recycled. This new MSS feature enables users to run exploits exclusively in a virtual environment thus providing unlimited, on-demand sandbox resources.

Exploit samples can be submitted to the sandbox in two ways: discretely by the user, or automatically by the network-level monitoring performed by the MSS. The MSS can extract content from the network stream by either monitoring physical networks, or by performing deep packet inspection in the Amazon EC2 cloud (without requiring access to the networking layer).

“Sandboxing is a key weapon against malware, and users need flexibility and scale to use it properly,” said Frank Dickson, Research Director at Frost & Sullivan. “By initiating sandboxes on the Amazon EC2 cloud, MetaFlows offers sandbox resources on the fly without the expense of local servers.”

Advanced Features Driving MSS Sales

Virtual sandboxing and other exclusive, groundbreaking features (such as advanced multi-session IDS analysis, real-time correlation of collaborative intelligence, and Soft IPS) are driving increasing adoption and sales of MSS; the customer base has increased 400% since 2013. Recently, a cabinet-level department of the US government requisitioned MSS. Other commercial, educational, and government organizations have also acquired MSS. MetaFlows’ products are today enjoying considerable traction with virtually no marketing support because they demonstrably provide an unprecedented combination of cost-effectiveness and sophistication in the detection and prevention of malware and other network-based attacks.

MetaFlows’ MSS product will be on display at Black Hat USA at Paris/Bally’s in Las Vegas on August 5-6 at kiosk I-7. MetaFlows’ engineers will be available for live product demonstrations and deep technical discussions about the numerous innovations unveiled at the conference.

Escaping the Jurassic: Getting Technical at Black Hat

The cyber security world can feel like a competitive scenario: eat or be eaten. However, within our own community the truth is quite a bit different. MetaFlows belongs to a cyber security community, and Black Hat is a conference about that community. In their own words, “For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment.” It is a place to meet with the nation’s top security teams about the most cutting-edge security issues and solutions.

As a company, attendance at conferences like Black Hat gives us an opportunity to contribute in a very concrete way to the intelligence community. Survival has very little to do with being the biggest and the strongest, and everything to do with adaptability. By continually communicating with the security community, our service remains flexible enough to meet emerging threats. The MetaFlows Security System is a multi-faceted approach to enterprise security, and that means, of course, staying relevant.

Black Hat allows the MetaFlows team not only to present our unique security solution, but also to connect with fellow security professionals, current customers, and future customers. Our kiosk will have an interactive display, and our engineers will be available to explain what it is we do and why it is effective. We look forward to the opportunity to actively participate in the ongoing security dialog. Our continually evolving product is fully scalable to meet the needs of everything from modest businesses to massive enterprises.

Adobe’s Continuing Affair with Angler and Cryptowall

The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit disseminating Cryptowall. A customer’s host was compromised following Angler Exploit redirects dated June 1, 2015, June 16, 2015, and June 30, 2015, showing that as new adaptations of the kit are added, the older ones remain in use. The latest, June 30, is more recent than the most up-to-date patch for Adobe Flash Player 17, version 17.0.0.19. “Customers that are enrolled in ‘Allow Adobe to Install Updates (recommended)’ but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours.”

MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit rules (https://nsm.metaflows.com/sid_priority.map), or to create specific block rules to match Angler EK events.

The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.


Adobe, Angler, and CryptoWall

Adobe Flash is an extremely severe vulnerability when it comes to Crypto-locker/CryptoWall. It seems that every time Adobe comes up with a new patch, the Crypto hackers are quick to discover how to break it. The latest CryptoWall bonanza was the security vulnerability discovered in an Adobe update that was released on May 18th. This is not a singular occurrence, but rather part of a larger trend of exploiting security holes in Adobe software.

Just this week, Adobe’s last round of updates for Flash Player has proven problematic. These new vulnerabilities are being used by the Angler exploit kit, a kit that has been around for some time and has now found fresh ground. These exploits are used to distribute Cryptowall, as well as other forms of malware. The intent is to encrypt (steal or take data hostage), take over (rootkit or remote access tools), or recruit (make the host part of a botnet).

MetaFlows catches these types of fresh exploits better than any other security tool (according to many of our customers). Several analysts using our system praise us: while they are running several other security products, MetaFlows was the only one to identify these threats. We were able to identify the behavior patterns that were triggered when this exploit was seen on a live network:

[Figure: IDS events triggered during the Angler exploit attempt and the resulting Cryptowall infection, as shown by the correlation engine.]

As you can see, the IDS events identify the individual behaviors, and our correlation engine recognizes the use of the Angler toolkit to infect the target with the intended payload. In this case, it is Cryptowall, a ransomware program that has cost U.S. users alone an estimated $18 million or more. In other cases, odd behavior left undetected can cost a brand its reputation and cause irreparable loss of intellectual property.

Criminals are swift to take advantage of any emerging opportunity to penetrate the perimeter (it has become BIG money). You need to start monitoring the behavior of your internal hosts, not only the perimeter. Our behavioral analysis and correlation engine are able to identify these threats, even when they occur across multiple sessions and employ zero-day techniques that make it through your perimeter defenses.

Our security professionals have identified the issue and are working to keep our subscribers’ networks and systems safe, while Adobe has updated its Security Bulletin site with the appropriate information. Users are advised to download the newest Adobe Flash update immediately. As evidenced by our findings, criminals are swift to take advantage of any opportunity, so employing new advanced detection technologies like the one offered by MetaFlows is key to preventing expensive and sometimes irreparable IT disasters.

Which IDS System is Right for You?

There are so many IDS Systems out there, but how do you pick the right one? Here are some tips to help you get started!

How Do You Pick the Right IDS System?

If you’re a company CEO then you’re probably scared of malware, and if you aren’t, then you should be. The last thing you want is a virus leaking all of your company’s charts, data, and business plans everywhere on the internet or worse, stealing from your company. So in order to protect your company’s computers from viruses and malware you’ll need an IDS system. An IDS system is an Intrusion Detection System, which is a device or software that monitors your network for malicious activity or policy violations – or in other words, a virtual watchdog. So out of all the choices out there which IDS system do you choose? Here are some tips to help you decide:

  • First, perform a risk assessment of your company or organization. This will help you determine potential risks and gain an understanding of the IT environment. Understanding what risks you are vulnerable to will help with choosing which IDS system to use.
  • Have a thorough understanding of your technical environment. This will ensure that you know what your organization needs in terms of protection.
  • Do a cost-benefit analysis. Know what is worth your budget and what is not. Once you know which risks threaten your company, you will be able to better determine what your company can afford.
  • Now choose an IDS system that will protect your company from risks and that will also fit your budget.

MetaFlows is a great option for those who want to be protected from hidden malware. MetaFlows analyzes the behavior and content of your internet traffic to find and stop malware from infecting your network. Sometimes malware security systems are not enough and lack flow analysis, but observing network communication patterns is important for better security. MetaFlows embeds security event information within IDS, Log, and Service events for real-time event information. This allows you to gain better visibility into your network. The comprehensive protection and security MetaFlows offers is something that no company can afford to pass up.

Make sure your company is protected from malware. Act today and find your IDS system and malware security system. MetaFlows offers a free of charge, fourteen-day trial in which you can actively use the system on your network. It comes complete with security updates, a web interface, as well as tech support to assist you in getting it up and running on your network.

Real Time Email Alerts

We have developed a feature that minimizes the delay in generating email notifications. The emails are generated within seconds of the event occurrence to catch extremely time-sensitive incidents such as crypto-locker infections. To enable this new feature, simply define a shell variable near the top of the startup script mss.sh, such as:

export emailaddress="user@mydomain.com"

Also make sure the sensor can send emails by executing the command:

netstat -tapn | grep 127.0.0.1:25

A line similar to the one below should appear:

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

If you do not see it, please enable your email daemon on the sensor by executing:

/etc/init.d/postfix start
chkconfig postfix on

Then restart the sensor with the command:

/nsm/etc/mss.sh restart

The sensor will now send real time email alerts matching any of the email notification policies you have defined. Note that:

  • This will not replace the email reports you are receiving already but it will provide advance notifications of the alerts contained in those same reports.
  • The email alerts will originate from the sensor, which does not have an MX record; therefore your spam filters will most likely block them. Please whitelist the sensor IP address to bypass the spam filter.
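As an added example (not part of the MetaFlows sensor scripts), the following POSIX shell helpers automate the steps above: they sanity-check the address, add or replace the export line in mss.sh without ever duplicating it, and recognize the local SMTP listener in a netstat -tapn listing. The script path is passed in as an argument, and the netstat output format is assumed to match the line quoted above.

```shell
#!/bin/sh
# Added example, not MetaFlows' own code. Assumptions: the start-up script
# path is passed in; netstat -tapn prints lines like the one quoted on the page.

# Minimal sanity check: one "@", no whitespace or quotes, a dot in the domain.
valid_email() {
    printf '%s' "$1" | grep -Eq '^[^[:space:]@"]+@[^[:space:]@"]+\.[^[:space:]@"]+$'
}

# Succeeds when the given netstat -tapn listing shows a listener on 127.0.0.1:25.
has_local_smtp_listener() {
    printf '%s\n' "$1" | grep -Eq '^tcp6? +[0-9]+ +[0-9]+ +127\.0\.0\.1:25 +[^ ]+ +LISTEN'
}

# Put exactly one 'export emailaddress="..."' line near the top of the script:
# right after the shebang if there is one, replacing any earlier definition.
set_alert_email() {
    script="$1"
    addr="$2"
    valid_email "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    tmp="$script.tmp.$$"
    awk -v line="export emailaddress=\"$addr\"" '
        NR == 1 && /^#!/        { print; print line; done = 1; next }
        NR == 1                 { print line; done = 1 }
        /^export emailaddress=/ { next }           # drop any old definition
                                { print }
        END                     { if (!done) print line }
    ' "$script" > "$tmp" && mv "$tmp" "$script"
}

# Ties the checks together on a live sensor (needs netstat, postfix and root);
# the paths and commands are the ones given in the post.
enable_realtime_alerts() {
    set_alert_email /nsm/etc/mss.sh "$1" || return 1
    if ! has_local_smtp_listener "$(netstat -tapn 2>/dev/null)"; then
        /etc/init.d/postfix start && chkconfig postfix on
    fi
    /nsm/etc/mss.sh restart
}
```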

As always, thank you for your feedback,

The MetaFlows Team.

Cyber Attacks Global Incident Report Statistics

We are now generating weekly Global Incident Reports that provide statistics of the invariants present in our global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of Institutions ranging from small commercial enterprises to very large multinational corporations.

The statistics below are from three main detection components.

The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:

  • The true positive rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are true positives or not). The true positive rate implicitly also measures the false positive rate (1-tpr). For clarity, the tpr is called detection rate in the Network Anti-virus tables.
  • Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The severity is scaled down by the tpr: it is calculated by multiplying the average priority (0-100) of the invariant by its tpr (which is always less than 1). A low severity score (0-10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example, detecting an adware plug-in in your browser). Higher severity scores imply that the cyber threat becomes increasingly important.
  • Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted by the tpr of the given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
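To make the three measures concrete, here is an added example (not MetaFlows' reporting code) that computes them with awk from a constructed event log. Each record carries the invariant, the reporting network, the rule priority and whether the hit was confirmed; severity follows the definition above (mean priority times tpr), while prevalence is assumed here to be the number of distinct networks reporting the invariant, weighted by tpr.

```shell
#!/bin/sh
# Added example, not MetaFlows' code. Input format (constructed sample):
#   invariant,network,priority,confirmed   with confirmed = 1 for a verified hit.
SAMPLE_EVENTS='invariant,network,priority,confirmed
ET_MALWARE_FakeUA,netA,80,1
ET_MALWARE_FakeUA,netA,80,0
ET_MALWARE_FakeUA,netB,80,1
ET_MALWARE_FakeUA,netC,80,1
ADWARE_Plugin,netA,10,1
ADWARE_Plugin,netB,10,0
ADWARE_Plugin,netB,10,0
ADWARE_Plugin,netB,10,0'

# Reads CSV events on stdin; prints "invariant tpr severity prevalence", sorted.
#   tpr        = confirmed hits / all occurrences of the invariant
#   severity   = mean priority * tpr        (as defined in the post)
#   prevalence = distinct networks * tpr    (assumed definition, see lead-in)
invariant_stats() {
    awk -F, '
        NR == 1 { next }                          # skip the header line
        {
            inv = $1; net = $2
            occ[inv]++
            hits[inv] += $4
            prio[inv] += $3
            if (!((inv, net) in seen)) { seen[inv, net] = 1; nets[inv]++ }
        }
        END {
            for (inv in occ) {
                tpr = hits[inv] / occ[inv]
                sev = (prio[inv] / occ[inv]) * tpr
                printf "%s %.2f %.2f %.2f\n", inv, tpr, sev, nets[inv] * tpr
            }
        }
    ' | sort
}

# Returns the statistics line for one invariant from the sample log.
stats_for() {
    printf '%s\n' "$SAMPLE_EVENTS" | invariant_stats | grep "^$1 "
}
```

Running `printf '%s\n' "$SAMPLE_EVENTS" | invariant_stats` prints the whole table; the adware rule ends up with a severity around 2.5 because its low priority is scaled down further by its 0.25 tpr.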

Here is an example bubble graph which visually represents the statistics of the top IDS rules that triggered a true positive.

Mousing over the bubbles reveals the actual invariant and its associated statistics.


How to access the statistics

  • The anonymized global report across all of our networks is at https://www.metaflows.com/stats/. From this report there are hyperlinks that query your own database (if you are a MetaFlows customer) to see if any of the invariants are present in your event data.
  • If you are a MetaFlows customer, you can also access a specific report for your own domain which has both (1) links to the invariants found on your own domain and (2) links to the incident reports used to derive the invariants.

Note that both types of reports compare the invariants to the global counts; so, they both should help you understand how widespread and how serious the associated cyber-threats are.

MetaFlows New Packet Data Viewer

Since our first public release, MetaFlows users have been able to use the MetaFlows Real Time and Historical interfaces to download and view raw packet data from their MetaFlows sensors. Today, we are excited to release a major upgrade to the Packet Data page.

New Features:

  1. Packets are now parsed, separated, and colored red or blue depending on which host sent the data. No more digging through raw tcpdump output to find where one packet ends and another begins! Packets are now visibly separated. Server packets use red text. Client packets have blue text.
  2. Packet Data now includes the content of any IDS rules triggered by the flow. Ever opened the Packet Data for a flow and forgotten which alert you were investigating? We now include the full content of all IDS rules that triggered, along with the packet data for the flow.
  3. Packet Data Matcher! This was the most exciting feature to add! The new Packet Data page can highlight the specific content in a packet that caused an IDS alert to trigger. Matching packet data is highlighted in red or blue (depending on whether the packet was sent by the server or client) and includes numbered markers for each condition in the triggered rule. You can even hover your mouse over these markers to see the specific content or pcre condition that matched, along with the condition’s modifiers. For example, the screenshot below shows the packet data for an event matching 1.2003492: ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0). [Screenshot: Example of Packet Data Viewer with Packet Data Matcher results.] The Packet Data Matcher works best for text flows, such as HTTP requests and responses. For encrypted or binary flows, we will still attempt to match against non-printable characters by using other conditions and context, but some matches might be inaccurate.

This feature is available to all MetaFlows customers starting today. We look forward to your feedback. Happy hunting!