Adobe’s Continuing Affair with Angler and Cryptowall

The latest Adobe Flash Player update has once again proven problematic. We have discovered yet another revision of a pre-existing Angler Exploit Kit disseminating Cryptowall. A customer’s host was compromised following Angler Exploit redirects, dated June 1, 2015, June 16, 2015, and June 30th, 2015, showing that as new adaptations of the kit are added, the older ones are still in use. The latest, June 30th, is more recent than the most up-to-date patch for Adobe Flash Player 17, version “Customers that are enrolled in “Allow Adobe to Install Updates (recommended)” but have not updated to Flash Player version 18 will receive a new and secure version of Flash Player 17 over the next 24 hours. ”

MetaFlows customers are encouraged to enable automatic blocking for Level 1 Events, which currently include the Angler Exploit rules (, or to create specific block rules to match Angler EK events.

The figure shows an example of the events that are triggered during an Angler Exploit attempt and infection with Cryptowall.


MetaFlows in the Top-20 Security Companies for 2015

CIOReview Magazine has selected MetaFlows as one of the Top 20 Most Promising Enterprise Security Companies in 2015. In the article Cost Effectively Tackling Advanced Security Threats, we outline our approach to the security challenges for the upcoming decade. The internet is shifting from a client/server paradigm to a peer-to-peer, mobile environment.

Your Network Perimeter is Dissolving

Heuristic-based network perimeter defenses will become less and less effective because it is like applying medical diagnosis in an environment where new pathogens are created on a daily basis. So, heuristically determining what is bad and what is good may work initially, but it becomes a losing battle unless the network security operators are constantly updating their heuristics. Also, protecting the perimeter is not enough; once something makes it on the inside, the perimeter becomes irrelevant. We have seen that companies adopting this approach can be hacked no matter how much money they spend.

Share Intelligence

Single-vendor network security intelligence feeds have become ineffective due to the sophisticated global cooperation of hackers. Vendors that provide a single box and a single source of network intelligence are selling an inherently flawed promise. Products should be based upon integrating multiple collaborative intelligence feeds. The complexity and interconnectivity of the attacking adversaries require a similar defense strategy.

MetaFlows has been innovating in these two important dimensions for the past seven years, drawing on thirty years of government-sponsored network security and intrusion detection research. The technical founders of MetaFlows (Livio Ricciulli and Phillip Porras) cut their teeth at the Computer Science Laboratory of SRI International, where intrusion detection was first developed back in 1983.

The best part is that these innovations are now commercially available through MetaFlows. The company is improving the security of a large number of networks (big and small) around the world.

MetaFlows at BlackHat 2015

MetaFlows is pleased to announce that we will be an exhibitor at BlackHat USA 2015, August 5th-6th. Please visit our kiosk IC7 to see one of the best IDS/Malware detection systems in the world in action. We will be showing an ongoing, live demonstration of our system in action on a university network processing around 200,000 packets per second. You can witness how malware is caught and stopped in real time as if you were running on your own network. We might even be able to let you drive for a while! Do not miss this opportunity to see the secrets of our success.

MetaFlows Inc. develops SaaS-based, network security software appliances that can reliably find and stop malware hidden in your network. False positives are virtually eliminated by correlating multiple independent flows. False negatives are lowered by combining feeds from Emerging Threats, Cuckoo, VirusTotal, SRI, OSSEC, Trustwave, YARA, ClamAV and Web of Trust.

OpenAppID Support



Cisco released OpenAppID, their answer to Palo Alto Networks’ AppID feature, which allows administrators to know exactly what applications are running in the network.
It has been released as a plugin of the Snort distribution. We have recently upgraded our sensor software to support this feature. OpenAppID results appear as an additional field in the IDS alerts to give better context for the alerts. We also gather this information to associate it with the internal host IP addresses, whether or not they generate an IDS event.

For example, when a user accesses Facebook, it will trigger one or more of these:

Facebook Apps
Facebook Chat
Facebook Comment
Facebook Read Email
Facebook Send Email
Facebook Status Update
Facebook search
Facebook event
Facebook post
Facebook video chat
Facebook message
Facebook video

If your software has been upgraded, the file /nsm/bin/snort/src/.version should contain If it does not, you can upgrade by executing this command: /nsm/etc/ restart (Note: MetaFlows UTM appliances do not support OpenAppID yet).

To turn on this feature, check the OpenAppID checkbox in your sensor configuration page and reload or restart the sensor.

Once this feature is turned on, you can look at the daily reports and see the top AppID summary or look at the AppIDs in your IDS events. You can now create user-defined policies that match specific AppIDs!

This new feature requires 40% more memory, and in some cases, even though we install it, the system automatically turns it off if you do not have enough memory. You need at least 2 GB RAM per core. For example, if your subscription is for 16 cores (32 GB required) and your sensor has 24 GB RAM, the system would disable OpenAppID automatically.

If you do not process a lot of data and have a low memory system, you can force the loading of OpenAppID by adding the line export forceappid=1 at the top of the /nsm/etc/ script. Note that because it uses about 40% more memory, your sensor might slow down if you do not have enough RAM. Please monitor your drop rate closely if you force the OpenAppID functionality.

We highly recommend using this feature. If you have any questions, please do not hesitate to contact our engineers at for more information.

MetaFlows: SC Magazine Innovators Hall of Fame

Our friends at SC Magazine have inducted us into the SC Magazine Innovators Hall of Fame. It is nice to be recognized for our innovations. Importantly, this is purely based on their journalistic curiosity; we give them props for performing their reviews based on sound technical knowledge. We refuse to pay money for recognition. You might think we are old-fashioned but this is how we roll at MetaFlows.

Their article also points out the importance of monitoring beyond the network perimeter using multi-session correlation. If you are not sure what multi-session correlation can do for you, it is best for you to put it to the test. You will be amazed at what you can find out about your network.

Read the article at SC Magazine’s Website

What We Caught at Supercomputing 2014

  1. Scanners (DNS, MYSQL, SSH, Shodan Indexing, portmap)
    DNS and MYSQL scanning from China, SSH brute force from everywhere, Shodan vulnerability indexing, and one very persistent portmap scanner.
  2. Lots of BitTorrent users kicked off the wireless network for illegal file sharing.
    In previous years torrent users have been mostly ignored since there were no good ways to determine which uses of the torrent software were legitimate and which were not. This year, however, these were not hard to find at all. MetaFlows software automatically decodes the torrent and magnet information to determine exactly which files a user is trying to download as well as which files they are seeding to other users. At first we were very picky about only disabling heavy abusers seeding outbound shares of recent movies and current TV shows. As the conference went on we got a bit more aggressive at reporting on and banning downloaders as well. When the user was not on the wireless, they were sometimes a little hard to pin down:

    “…it was from someone who gave a talk for them and plugged into their network. This person will not be presenting again, so they expect we will not see this activity again. Please let them know if we do.”

  3. Spyware on the show floor.
    We saw the return of some MarketScore spyware that we had seen at the Denver conference in 2013. Unfortunately we could not always track down adware/spyware cases on the show floor or the wireless since they were a lower priority.
    snort-policy-violation/malware:1.2001564:ET MALWARE Spyware Proxied Traffic
  4. Inbound telnet scanning and the default IPMI port
    A couple of cases of telnet port 23 being accessible by the outside world were discovered before they could be exploited. One of them appeared to be an IPMI port that someone had accidentally plugged in; it was still configured to the default admin/admin password.

    “We chatted with the two booths that have these machines. The one with the admin/admin account has disconnected that interface. The second booth has disabled telnet. Both booths were very happy that we let them know. Thanks!”

  5. Linux Trojans – default/weak passwords led to boxes being added to a DDoS botnet.
    snort-trojan-activity/trojan:1.2018808:ET TROJAN DoS.Linux/Elknot.G Checkin

    Unfortunately the first of these that we reported was left unresolved and its status as a bot was confirmed when it began sending SYN flood attacks overnight. The host did get attended to the next day, and future cases of this infection were taken much more seriously. Once we got the behavior pattern down we found that the infected host downloads a binary payload from a command and control server.

    After adding the binary source to the blackhole list these infections stopped. Generally the cases that remained were resolved by talking to the user and letting them take care of it:

    “The technical guy said that that IP was just a VM and he will shut it down. We are no longer seeing traffic.”

    “I chatted with the guy in booth WXYZ and he is in the process of cleaning up his Linux box. He was thankful for the information, and commented that he had the default username and password for root on the Linux box.”

  6. Suspicious signs of WireLurker on OS X systems.
    We want to research these a bit more; it looked like there were maybe three OS X machines on the network that were triggering alerts to this “evil” domain.

    snort-trojan-activity/trojan:1.2019667:ET TROJAN OSX/WireLurker DNS Query Domain

    This alert was sometimes also seen with weird DNS alerts:

    snort-policy-violation/dns:1.2014703:ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
  7. Large scale SIP Scanning.
    There was a massive DDoS-style scan of the network on port 5060 on the second day of the conference. We suspect it may have contributed to some infrastructure issues, and we recommended temporarily blocking that inbound port at the border if there were no known legitimate services running on it. Hundreds of external scanners to thousands of internal hosts? This one stood out to us right away.

Dissolving Perimeter Defense

New internet trends are inexorably dissolving your network perimeter defense.

  1. Peer-to-peer applications are client-based and therefore poke through your firewalls.
  2. Personal end-to-end VPNs allow bypassing of your perimeter by establishing encrypted channels invisible to your network systems.
  3. Mobile devices freely roam different access points downloading content and then running a myriad of applications within your organization.

These are just a few examples of how your perimeter is becoming irrelevant.

If you think of your enterprise network as your home, perimeter defense is a bit like placing good locks on your doors and windows, and then hoping that no thief can get inside. Unfortunately, as we all know, this is hardly enough. It is conventional wisdom: “If thieves want to get in your house, they will”.


It is becoming exceedingly apparent that this is true for your enterprise perimeter as well. No matter how sophisticated your perimeter is, there is always a way in. The increasing rate of data breaches involving large US corporations is good supporting evidence for this. The damages to brand reputation – and the actual costs associated with a data breach – grow exponentially with the size of the enterprise. Any improvement to the old perimeter defense paradigm is financially valuable.

So what is missing from this equation?

Let’s explore some options by comparison to your home’s physical security.

Option 1: “Keep all your valuables in a bank so that even if they break in, they cannot steal anything.”

This approach is very effective, but it undermines your productivity. Keeping your data somewhere else (where it is more secure) works, but the problem is that you cannot really use it now. If you need quick access to your data for your business operations, you are shooting yourself in the foot. Also, the mechanisms to access your remote data are themselves a problem. If you went to your bank every day to check on your valuables, you would expose yourself to attacks as soon as you came out of the bank, so you are back to square one. Likewise, if you have to transmit your data from a more secure location, you then become vulnerable through the transmission mechanism.

Option 2: “Keep a low profile.”

This approach helps, but it often goes against your business objectives and revenue potential. If no one knows about your enterprise, you will not be a target, but you also will not be attracting customers.



Option 3: “Build even more perimeter defenses.”

Building barriers on the outside of your network naturally discourages communications, but additional barriers can constantly get in the way of getting your job done. You are limiting access, or making it more difficult to access your network. The other issue is that you are adding more of what was already ineffective. So, does it make sense to invest more in the same thing?

Option 4: “Invest in your internal defenses.”


If you install motion detectors in your house, you can improve your security. Even if someone makes it inside, they will trip the alarms. Sounds too good to be true? Well, it is. The cyber counterparts of motion detectors are prone to false positives (an alert is generated even though there is no nefarious activity). If you have motion detectors in your house and also own a dog/cat, you will know what I am talking about. Fido will almost certainly make your motion detectors useless. Likewise, demanding and inquisitive users in your network will constantly trip your internal monitoring tools.

Fortunately, in cyberspace we deal with digital information rather than analog images. Refining motion detection in cyberspace is easier than in the physical world. Imagine if a motion detector in your house could detect the motion of an individual coming through your living room, and subsequently also detect that the person opened a drawer in your bedroom. That would be interesting, right? A dog would not trip your house alarm, but someone breaking your perimeter and going straight for your possessions would be caught.

Motion detection alone is not very useful. However, if it is paired with some behavioral analysis, it becomes extremely effective. This is what MetaFlows does: motion detection (in the cyberspace sense) plus behavioral analysis.

Diagram of behavioral analysis with MetaFlows

Our behavioral analysis requires that the internal alerts indicate more than one symptom, therefore greatly reducing false alarms. We monitor the behavior of every internal asset (even the ones that “walk in”, like smart phones) and wait to see if they exhibit at least two alerts typical of nefarious activity.

Some Simple Examples:

Successful Password Guessing

  1. We detect that host X performs brute-force password guessing on host A.
  2. We detect that host X receives more than 10 kilobytes from host B (another internal host).

Taken separately, neither alert would be very interesting, but taken together they become very interesting. Likewise, someone trying several keys in your lock would not constitute an interesting event. Someone opening a drawer in your bedroom also would not be an interesting event. However, someone trying several keys and then opening your drawer a minute later is very interesting.

Malware Installation Through Browser Drive-By

  1. An internal host A is detected downloading an unsigned, unknown executable file.
  2. After a few minutes, host A is now communicating with a known malware controller host Y.

Notice again that separately these events are not useful, but together they are. Likewise, if you see a guest at a party carrying a screwdriver you would not think much of it. If a guest stumbles in a bedroom looking for a bathroom you also would not think much of it. However, if you saw a guest handling a screwdriver in one of your bedrooms, you would ask questions, right?


From the examples above, it is evident that behavioral correlation is useful. We have compiled a number of typical behavioral profiles that catch bad internal behavior. Every day, MetaFlows is helping enterprises of all sizes to catch what traditional perimeter systems can’t. To be clear, we do not advocate removing perimeter defense systems (in fact we also provide some of that ourselves), but we believe that it is futile to invest in products that are exclusively focused on securing the perimeter. Instead, we suggest that you try behavioral correlation and see what you can find hidden in your network. Register at for a free trial!

What’s Wrong with NG Firewalls?

Next generation (NG) firewalls allow administrators to efficiently enforce network use policies to prevent infections. These firewalls (Palo Alto Networks is the most notable example) secure your enterprise by blocking everything that is not explicitly allowed by your network administrator. They clamp down on anything unknown: unknown users, unknown applications, unknown ports, etc. NG firewalls also provide some traditional IPS features that can be used to shape traffic coming into the network.



So what is wrong with locking everything down as a primary defense mechanism? This approach has two major drawbacks.

Problem 1: It’s Not Scalable

NG firewalls are basically a heuristics-based approach to security. Some networks and some operators might be a good fit for this, but many are not. This approach works in small, simple networks where the operator is omnipotent and has complete visibility into the network use policies. Unfortunately, most networks are not simple and most operators are not omnipotent.

As new uses for networks evolve and new applications are used, these heuristics need to be constantly updated and evolved as well. After a few months of complaining from their users, operators will start relaxing the policies and therefore leave the network as exposed as it once was with a traditional firewall.


Problem 2: It Can’t Actually Stop Active Intrusions

Once something bad makes it inside the network, NG firewalls are no better than a traditional IDS system. They flood network operators with thousands of alerts which can be used as audit trails, but are otherwise useless for detecting active intrusions. This poses a significant risk: most data breaches today happen through legitimate network channels (browser drive-by, spear-phishing, social engineering, etc.). Think about your house: you can put bars on the windows, but if your teenager invites a thief inside the house, the bars and the locks are useless.



Don’t Put All Your Eggs In One Basket

There is a saying in security: “Hard on the outside and soft and chewy on the inside.” If you are serious about security, you need to lock the gate. But you also need a way to look for anomalies on the inside. That is what MetaFlows does well: we complement your firewall, traditional or next generation. We don’t claim to be able to replace everything in one magical box like most of our competitors, and you shouldn’t put all of your eggs in one basket. Your firewall should do what it does best: lock your door. But firewalls must also be complemented by a security solution that can actively detect and respond to network intrusions. 20 years of cyber-security research helped us to create a product that detects threats, no matter how they got in. Try MetaFlows today to see what your firewall is missing!

What’s Wrong with Sandboxing?

How Sand-Boxing Works

The latest and hottest trend in cyber-security is sand-boxing. Sand-boxing is virus detection on steroids. Instead of relying on prior knowledge about particular viruses, this technique emulates a user’s workstation with a sandbox and tracks anything that attempts to go out of the box or attempts to infect other machines. The process is straightforward:

  1. Get all potentially infectious content coming into your organization, and
  2. Emulate each piece of content as if it was executing on your hosts.

Limitations of Sand-Boxing

Sand-boxing has low false positive rates, but causes a lot of false negatives. In other words, when it tells you that something is bad, it is almost certainly bad. But it has the potential to miss a lot of bad things.

Architectural Limitations

This limitation has to do with step 1 above (get all dangerous content coming into your organization). Your defense perimeter is dissolving because of new network trends and applications:

  1. Mobile devices continuously come into and go out from your network.
  2. Peer-to-peer protocols (which go right through sand-boxing and firewall appliances) are becoming mainstream (Skype, BitTorrent, B2B applications).
  3. Services are being pushed to the cloud, out of the grasp of your sandbox.
  4. Virtual machines move around at the speed of light from one host to another.
  5. IPv6 and other emerging trends are facilitating end-to-end encrypted tunneling right through your perimeter.

So, if you do not have a perimeter, how do you know what is coming in? Well, you don’t! That is why sand-boxing (or pure virus detection) is limited in scope and cannot survive the evolution of malware.

Another architectural limitation has to do with cost. If you run a large network, executing and/or opening every piece of content before it is delivered requires a lot of CPU and will slow down your network. Sand-boxing can only scale to a certain size; beyond that it becomes unrealistic and expensive.

Algorithmic Limitations

This limitation has to do with step 2 above (emulate each piece of content as if it was executing on your hosts). Evasion is an information security term that refers to the ability of the bad guys to:

  1. Know how you are detecting them and
  2. Add subterfuges to defeat your specific security measures.

A sandbox can be detected. Once malware realizes that it is in a sandbox, the malware will switch to its best behavior so that the sandbox is happy. Only when the malware gets out of the sandbox and onto the actual target device will it do its damage.

A second algorithmic limitation is that not every system is the same. Sandboxing a particular version of Microsoft Windows (which is what commercial sandbox solutions do) leaves all your other devices (Linux, Apple, Android, etc.) completely open to attack.

How is MetaFlows Better?

MetaFlows is not an antivirus. We detect the attempts to introduce a virus in your network AND/OR detect the presence of a virus. Think of it as a network-level sandbox that not only inspects individual pieces of content, but also keeps track of the behavior of all your devices over time. There is one thing a malicious host cannot evade: being malicious!

If it looks like a duck, swims like a duck, and quacks like a duck… it is a duck.

How does it work?

MetaFlows looks for classes of odd behavior from hosts on your network:

  1. Scanning behavior
  2. Being attacked on vulnerable ports
  3. Downloading dangerous content
  4. Communication with questionable sites or sites that are already known to be bad
  5. Scanning outward or doing a lot of DNS lookups

If we detect behavior from multiple event classes over a time period (ranging from minutes to hours), MetaFlows triggers an alert.

Here is a simple example:

  1. External host B performs a brute force attack to guess your password on port 22 on server A.
  2. One hour later there is a large transfer of data from server B to another server C (on your network).

Bang! That’s a hit for us. But a sandbox has no clue! By itself, a sandbox would not detect this behavior. The malware could “play nice” once it realizes that it is in a sandbox. The sandbox would then allow the malware to leave and get inside your network, where it could do substantial damage. But MetaFlows can keep an eye on software even after it leaves the sandbox.
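The multi-symptom rule behind the password-guessing and drive-by examples above, and behind the five event classes listed under “How does it work?”, as an added example (not MetaFlows’ code): a host is flagged only when it shows at least two distinct behavior classes inside a time window, so a single noisy class never fires on its own. The class names, window length and the log lines are constructed for the example.

```python
"""Multi-symptom behavioral correlation over constructed IDS-style events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: a one-hour window (the page's range is minutes
# to hours) and at least two distinct classes before a host is flagged.
WINDOW = timedelta(hours=1)
MIN_CLASSES = 2

# Constructed sample log, one event per line: "<ISO time> <host> <class> <detail>".
# Class names loosely follow the page's event classes; they are not real rule ids.
SAMPLE_LOG = """\
2015-07-01T09:00:00 10.0.0.5 brute_force ssh guessing against 10.0.0.3
2015-07-01T09:05:00 10.0.0.5 brute_force ssh guessing against 10.0.0.3
2015-07-01T09:10:00 10.0.0.5 brute_force ssh guessing against 10.0.0.3
2015-07-01T09:40:00 10.0.0.5 large_transfer 2.1MB received from 10.0.0.7
2015-07-01T10:00:00 10.0.0.8 dangerous_download unsigned .exe via HTTP
2015-07-01T10:03:00 10.0.0.8 known_bad_contact traffic to known controller
2015-07-01T11:00:00 10.0.0.9 dangerous_download unsigned .exe via HTTP
2015-07-01T14:30:00 10.0.0.9 known_bad_contact traffic to known controller
2015-07-01T12:00:00 10.0.0.12 outbound_scan 200 SYNs to port 445
2015-07-01T12:01:00 10.0.0.12 outbound_scan 200 SYNs to port 445
2015-07-01T12:02:00 10.0.0.12 outbound_scan 200 SYNs to port 445
"""


def parse_events(text):
    """Parse log lines into (timestamp, host, class, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, cls, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, cls, detail))
    return sorted(events)


def correlate(events, window=WINDOW, min_classes=MIN_CLASSES):
    """Return {host: set of classes} for every host that exhibits at least
    `min_classes` distinct behavior classes within any `window`-long span.

    Repeated alerts of one class (the "Fido" false positive) never qualify,
    and two classes separated by more than the window do not either.
    """
    per_host = defaultdict(list)
    for ts, host, cls, _ in events:
        per_host[host].append((ts, cls))

    alerts = {}
    for host, evs in per_host.items():
        for i, (t0, _) in enumerate(evs):
            # Classes seen from this event forward, while still inside the window.
            seen = {c for t, c in evs[i:] if t - t0 <= window}
            if len(seen) >= min_classes:
                alerts[host] = seen
                break
    return alerts


if __name__ == "__main__":
    for host, classes in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {sorted(classes)}")
```

Running it flags only 10.0.0.5 (brute force followed by a large inbound transfer) and 10.0.0.8 (download followed by controller contact); the repeated scanner and the host whose two symptoms are hours apart stay quiet.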

The main advantage of a network level sand-box is that it does NOT solely rely on inspecting content (like an antivirus) but instead detects malware in the act of being bad. So, if someone walks in through your front gate with an infected laptop, as soon as that laptop misbehaves, it will be flagged down.


The best part is that MetaFlows works regardless of what devices are on your network – it solves the algorithmic limitations of sandboxes. Our behavioral event classes do not depend on the type of system: if an internal host is performing outbound scanning, we do not care if it is a Microsoft device or an Apple device. All we need to know is that it has engaged in malicious behavior.


Finally, our approach is much more scalable than a content sandbox. MetaFlows mitigates the architectural limitations of sandboxes by scaling to 10 Gbps links with standard off-the-shelf quad-CPU systems. The cost and power consumption are orders of magnitude lower.