Anomaly Detection and Cyber Discovery

Utilizing signature-based detection, such as traditional Antivirus or Intrusion Detection Systems, is obviously an important best practice for any information security operation. However, for detection of advanced threats, static signatures will simply not be effective — even without their techniques being publicly disclosed, advanced malicious actors will constantly change their infrastructure and malicious code to easily avoid these countermeasures.

To find new, previously unknown malicious activity (a process known as ‘cyber discovery’), anomalous behavior detection is the most effective method. Being able to perform cyber discovery is the vital step that separates an active security operation team capable of finding novel, targeted attacks from a reactive one, only capable of implementing signatures after they or another organization have already been compromised. Monitoring suspicious behaviors is one of the first steps that allows the security operations team to actively hunt down advanced threats within their network.

Although there’s no widely accepted taxonomy, the two primary methodologies used to detect security-related anomalous activity are statistical and heuristic:

  • Statistical anomalies – if a measured, important value crosses a threshold or deviates from any type of mathematical norm, this can be used as an indicator of malicious activity. For example, if a user typically sends 2GB of data a day, but is sending 2TB, this might be a sign of data exfiltration.
  • Heuristic anomalies – general, suspicious behaviors that are related to actions a malicious actor takes during an attack cycle. For example, if an organization is seeing many open connections to a country where it doesn’t conduct business, this should be a warning sign. Likewise, if a point of sale system only ever runs a known group of processes, but then suddenly a new one appears, it should be treated as highly suspect.
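Both methodologies above, as a small added example written for this post (not LogRhythm code): a statistical check of per-user egress against each user’s own baseline, and two heuristic checks, one for connections to countries where no business is conducted and one for a previously unseen process on a point-of-sale host. All users, hosts, countries, process names and thresholds are constructed assumptions.

```python
"""Statistical and heuristic anomaly checks run over constructed sample data.
Added example for this post (not LogRhythm code): the users, hosts, countries,
process names and thresholds below are all constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day history of per-user daily egress, in bytes.
EGRESS_HISTORY = {
    "alice": [2.1e9, 1.9e9, 2.0e9, 2.2e9, 1.8e9, 2.0e9, 2.1e9],  # ~2 GB/day
    "bob":   [5.0e8, 4.0e8, 6.0e8, 5.0e8, 5.0e8, 4.0e8, 6.0e8],
}
# Constructed totals for today: alice is suddenly sending ~2 TB.
EGRESS_TODAY = {"alice": 2.0e12, "bob": 5.0e8, "carol": 9.0e9}


def statistical_egress_anomalies(history, today, ratio=10.0, sigmas=3.0):
    """Statistical anomaly: flag a user whose egress today exceeds both a fixed
    multiple of their own mean and mean + sigmas * stddev. Requiring both keeps a
    nearly flat baseline (stddev close to 0) from firing on a minor increase.
    Users with no baseline are skipped; a norm needs history before it exists."""
    findings = []
    for user, bytes_today in sorted(today.items()):
        past = history.get(user)
        if not past:
            continue
        mu, sd = mean(past), pstdev(past)
        if bytes_today > max(ratio * mu, mu + sigmas * sd):
            findings.append({"user": user, "today": bytes_today, "baseline": mu})
    return findings


# Heuristic 1: connections to countries where the organization does no business.
BUSINESS_COUNTRIES = {"US", "GB", "DE"}
CONNECTIONS = [  # constructed (source host, destination country) pairs
    ("ws-01", "US"), ("ws-02", "DE"), ("ws-03", "KP"),
    ("ws-03", "KP"), ("ws-04", "GB"), ("ws-03", "RU"),
]


def heuristic_foreign_connections(connections, allowed):
    """Count connections per (host, country) for countries outside the allowed set."""
    counts = defaultdict(int)
    for host, country in connections:
        if country not in allowed:
            counts[(host, country)] += 1
    return dict(counts)


# Heuristic 2: a point-of-sale host that only ever runs a known set of processes.
POS_BASELINE = {"pos-01": {"posapp.exe", "svchost.exe", "explorer.exe"}}
PROCESS_EVENTS = [  # constructed (host, process) start events
    ("pos-01", "posapp.exe"), ("pos-01", "unknown.exe"), ("pos-01", "svchost.exe"),
]


def heuristic_new_processes(events, baseline):
    """Return (host, process) pairs not in that host's known-process baseline."""
    return [(h, p) for h, p in events if p not in baseline.get(h, set())]


if __name__ == "__main__":
    print(statistical_egress_anomalies(EGRESS_HISTORY, EGRESS_TODAY))
    print(heuristic_foreign_connections(CONNECTIONS, BUSINESS_COUNTRIES))
    print(heuristic_new_processes(PROCESS_EVENTS, POS_BASELINE))
```

Each finding is only a lead: a user copying a backup, a host talking to a new CDN edge, or a freshly patched POS binary all trip these checks, which is the false-positive cost discussed below.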

Although a vital step for high levels of security, anomaly detection also involves a great deal of time, effort, and expertise. By definition, anomalies are not necessarily proof of malicious activity, only a clue that something strange is happening. If a signature is considered a ‘strong’ indicator, only firing when the detected behavior exactly matches known malicious activity (e.g., a string or URL), then heuristics would be ‘weak’ indicators, firing when something may be malicious. As a result, they will generate many false positive alerts and require more in-depth investigation of those alerts.

Additionally, specialized tools will be needed across a multitude of data sources — network traffic monitoring, host-based monitoring, user activity tracking, etc. Any tools that hope to perform anomaly detection must be both extremely flexible and extremely powerful — storing data and calculating statistical and heuristic anomalies for a multi-Gbps network with thousands of users is incredibly complex and resource intensive. Implementing an interface that easily allows for both the creation of anomaly rules and their investigation is also quite challenging.

Fortunately, SIEMs with advanced rule engines (like LogRhythm) can bring together all of the important data across the network, implement anomaly detection rules, and allow analysts to drill down into the results. Just keep in mind that the software itself will never perform cyber discovery — this can only be accomplished when it is used alongside a trained security operations team capable of analyzing its output. But when used together, an organization has equipped itself with the means of defending against the most advanced adversaries.



Colorado Tough Mudder 2014

This past weekend, I joined 7 other LogRhythm employees and participated in an event called the Tough Mudder, in Snowmass, Colorado.  Tough Mudder events are held around the world, throughout the year, to raise money for veterans’ organizations based in various countries, including Wounded Warrior Project (USA), Help for Heroes (UK) and Legacy (AU).  The event was an 11 mile race that began at 8,200 ft. above sea level and climbed an additional 2,500 ft., and included 25 military-style obstacles designed by British Special Forces.

The LogRhythm team consisted of Jay Strickland and Keith Willowhawk from our IT/IS group, Nama Illo from our Customer Care team, JoJo Brotamonte and Eric Howell from Sales, and Katie Herrmann, Colby Schwartz and myself from Marketing.  Despite the heat, the elevation, the electric shock treatments, the “arctic enema” (yes that’s actually the name of an obstacle that is an industrial sized dumpster filled with ice water into which participants are required to plunge), and massive walls of mud and rock, we completed the course with the team intact and with wide, albeit muddy, smiles.

Shock Therapy

We all felt the joy and satisfaction that comes from finishing an event like the Tough Mudder.  Coming together as a team in a spirit of camaraderie, support and collaboration made it even sweeter.  But the peak of our day was toasting the generosity of our supporters and sponsors who collectively donated over $5,300 to the Wounded Warrior Project.  As LogRhythm employees, we get to come to work every day knowing that we’re helping to protect the world from dangerous cyber threats, and that’s pretty cool.  But knowing that spending an afternoon with my coworkers for an adventure in the mud and frigid waters of Snowmass, supported by extremely generous sponsors, will help some true heroes breathe a little easier, walk a little straighter or hug their loved ones a little tighter, takes the joy and satisfaction to a whole new level.

Many thanks to my team members, our generous sponsors, the Tough Mudder organization and the Wounded Warrior Project for making this event so successful.  But most of all, thanks to all of the men and women of our armed services for sacrificing themselves every day to protect and preserve our very way of life.

LogRhythm Tough Mudders



Weak Celebrity Passwords

Last weekend, a significant number of celebrities had their private photos and videos exposed to the internet in the largest celebrity data leak to date. Initial speculation led people to believe that their iCloud accounts were the primary targets. If this is indeed the case, there is a popular theory behind this ‘hack’.

This may have been the result of a brute-force attack against each account using select passwords from the ever popular rockyou password list in conjunction with the ibrute script written by @hackappcom. This Python script essentially bypasses the AppleID lock feature of the Find My iPhone application. According to an article published by Wired, once the password was successfully brute-forced, the Elcomsoft Phone Password Breaker (EPPB) tool was used to download this data from iCloud backups. This is possible because EPPB allows anyone holding the credentials to impersonate the victim’s iPhone and download the full backup.

If this was indeed the source, it resulted from a combination of three factors: Find My iPhone did not implement adequate brute-force protection, these celebrities picked some really weak passwords, and they did not enable Apple’s two-factor authentication.
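The first of those factors, shown as an added example written for this post (not Apple’s or the ibrute author’s code): a per-account attempt limiter beside the unthrottled behaviour, fed the same constructed stream of wrong guesses followed by the right password. The policy numbers, the account name and the attempt stream are assumptions.

```python
"""Added example (not from the post, Apple, or ibrute): the kind of per-account
brute-force protection the post says the Find My iPhone endpoint lacked, beside
an unthrottled baseline. Policy numbers and the attempt stream are constructed."""
from collections import defaultdict


class AttemptLimiter:
    """Lock an account after max_failures failed logins within window seconds.
    max_failures=None disables the limit entirely (the weak configuration)."""

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # account -> recent failure timestamps
        self.locked_until = {}             # account -> time the lock expires

    def check(self, account, ts, credential_ok):
        """Outcome of one attempt at time ts: 'locked', 'allowed' or 'failed'.
        A locked account rejects even a correct credential until the lock expires,
        which is what keeps a guessed-right password from being usable mid-attack
        (the trade-off is that a flood of bad guesses can lock a legitimate user out)."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"
        if credential_ok:
            self.failures.pop(account, None)
            return "allowed"
        recent = [t for t in self.failures[account] if ts - t <= self.window]
        recent.append(ts)
        self.failures[account] = recent
        if self.max_failures is not None and len(recent) >= self.max_failures:
            self.locked_until[account] = ts + self.lockout
            self.failures.pop(account, None)
            return "locked"
        return "failed"


# Constructed attempt stream: eight wrong guesses one second apart, then the
# correct password on the ninth try, the wordlist-style pattern the post describes.
ATTEMPTS = [(t, False) for t in range(8)] + [(8, True)]


def run_stream(limiter, account="victim@example.com", attempts=ATTEMPTS):
    """Feed the constructed stream through a limiter and return each outcome."""
    return [limiter.check(account, ts, ok) for ts, ok in attempts]


if __name__ == "__main__":
    print("unthrottled:", run_stream(AttemptLimiter(max_failures=None)))
    print("throttled:  ", run_stream(AttemptLimiter(max_failures=5)))
```

Every 'failed' and 'locked' outcome is also an authentication event worth logging, which is what lets a SIEM see a guessing campaign against one account even when the lockout is in place.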

Another aspect to consider is that the culprits gained access to much more than pictures and videos, such as address books and other sensitive data that is all available via iCloud. More importantly, with many organizations adopting iPhones and Androids in the workplace, attacks such as this increase the ever expanding possibility of corporate data loss. One obvious risk with the release of these pictures is that location data included in the image Exif metadata gives away the locations where the pictures were taken (warning: NSFW link).


All things considered, it is unlikely that only one avenue was taken to obtain all of this data. More importantly, just because everything was dumped on the internet at the same time and that a majority of the photos were taken with an iPhone does not at all mean that it was all stolen at the same time or even by the same person. I assume a team with a common goal was behind this, and they used many different means to obtain this data.

Apple released a statement on the leak:

“When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source,” they said. “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

Granted, Apple did fix the Find My iPhone specific vulnerability shortly after discovery, which is very good, but a glaring hole like this should not have made it past QA. The funny thing is, this could have been avoided entirely if the vulnerability had been disclosed to Apple prior to its public release. Researchers may have been more encouraged to share this information with Apple had it instituted a bug bounty program. Could all this stolen data be from iCloud? Maybe. Could it have been extracted in the same manner? Certainly, but not likely in my opinion. My guess is that good old fashioned social engineering played a part in obtaining access to some accounts.

In the wake of this recent leak, there are a few lessons that we can all take away from this to help better protect our own cloud data, taking into account the many methods by which it can be obtained:

  1. Whenever possible, implement multifactor authentication. Apple has a two-step verification feature which will assist with this.
    1. Nick DePetrillo put together a great step-by-step guide to walk people through configuring this feature and explaining the benefits of two factor authentication.
  2. If multifactor authentication is not an option, question the sensitivity of the data you are storing on the service and do not store it in the cloud if you are worried about someone else getting ahold of it.
  3. Use strong and unique passwords for every site.
  4. Use pass phrases instead of passwords.
  5. Use a password manager to store, manage, and create strong + unique passwords for each site that you use.

None of these security recommendations are in any way new or at all difficult to implement. The problem is that too few people follow these basic guidelines and continue to use the same weak passwords for all of their online activities, resulting in the theft of sensitive data. Do not rely on companies to protect your information, take your own precautions and educate yourself on the risks.



Adding Items to a LogRhythm List via SmartResponse Plugins

SmartResponse Plugins allow LogRhythm alarm and AI Engine rules to launch nearly any scriptable action. The most widely-used SmartResponse Plugin is Add Item to List. This plugin makes additions to LogRhythm lists — for example, adding a benign IP or URL that triggered an alarm to a Whitelist so that false positives aren’t generated in the future. The default version of this plugin runs in PowerShell, but along with some performance issues, the script has a limited scope. For faster writes and additional functions, I am introducing a Python variant.

In addition to being faster than the default version, v2 adds three new actions. First, the Add Item to File action will allow alarms to write a metadata value directly to a text file. Unlike Lists in LogRhythm, this text file can be accessed by other programs. For example, this is useful when an administrator wants to track every user that logs into a particular system and keep that list of accounts indefinitely. With a few modifications, the action can also add a timestamp alongside each entry in the file.

The second action, Add Unique Items to File, will add an item to a file, but will only do so once for each item. This has come in handy while debugging AI Engine rules. For example, while creating a rule that uses regex to match suspicious values in a URL, unique URLs can be written to a text file to do further regex testing.

The last new addition is Add New Items to File. Unique values are also written to a text file, but in this case, each entry is dated. This is useful for tracking the first time that a value was seen. One use for this is helping to identify malicious domains. Most common domains are visited on a regular basis. On a large network and given enough time, there shouldn’t be too many URLs that haven’t been observed before. This rule then acts as a Discovery analytic — after a period of time, most legitimate domains should be in the list. New ones may be considered suspicious, and further investigation can make this determination.

In all of these cases, the text files can be imported into LogRhythm as new Lists.
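The three actions described above, implemented as an added example written for this post rather than taken from the plugin’s own source: Add Item to File, Add Unique Items to File and Add New Items to File, the last recording a first-seen timestamp per value. The function names, the tab-separated ‘timestamp<TAB>item’ layout of the dated file and the date format are assumptions, and the alarm values in demo() are constructed.

```python
"""Added example, not the plugin's own source: file-backed versions of the
three actions (Add Item to File, Add Unique Items to File, Add New Items to
File). Function names, the tab-separated 'timestamp<TAB>item' layout of the
dated file and the date format are assumptions; demo() uses constructed values."""
import os
import tempfile
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format for the first-seen timestamp


def _clean(item):
    """Alarm fields come from logs an attacker may influence, so a value carrying
    a newline or tab must not be allowed to forge extra entries in the file."""
    item = str(item).replace("\r", " ").replace("\n", " ").replace("\t", " ").strip()
    if not item:
        raise ValueError("refusing to write an empty item")
    return item


def _existing_items(path):
    """Items already in the file; dated lines are 'timestamp<TAB>item'."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {ln.rstrip("\n").split("\t", 1)[-1] for ln in fh if ln.strip()}


def add_item(path, item):
    """Add Item to File: always append; duplicates are kept. Returns True."""
    with open(path, "a") as fh:
        fh.write(_clean(item) + "\n")
    return True


def add_unique_item(path, item):
    """Add Unique Items to File: append only the first time a value appears."""
    item = _clean(item)
    if item in _existing_items(path):
        return False
    return add_item(path, item)


def add_new_item(path, item, now=None):
    """Add New Items to File: like the unique action, but each entry is dated
    with the time the value was first seen (the 'Discovery' use)."""
    item = _clean(item)
    if item in _existing_items(path):
        return False
    stamp = (now or datetime.now()).strftime(DATE_FMT)
    with open(path, "a") as fh:
        fh.write("%s\t%s\n" % (stamp, item))
    return True


def demo():
    """Run all three actions over constructed IDN alarm values in a temp dir
    and return (per-call results, resulting file lines) for each action."""
    workdir = tempfile.mkdtemp()
    paths = [os.path.join(workdir, n) for n in ("all.txt", "unique.txt", "new.txt")]
    items = ["xn--bcher-kva.example", "example.com", "xn--bcher-kva.example"]
    first_seen = datetime(2014, 9, 1, 12, 0, 0)  # fixed so the output is repeatable
    results = {
        "all": [add_item(paths[0], i) for i in items],
        "unique": [add_unique_item(paths[1], i) for i in items],
        "new": [add_new_item(paths[2], i, now=first_seen) for i in items],
    }
    with open(paths[0]) as a, open(paths[1]) as u, open(paths[2]) as n:
        return {
            "all": (results["all"], a.read().splitlines()),
            "unique": (results["unique"], u.read().splitlines()),
            "new": (results["new"], n.read().splitlines()),
        }


if __name__ == "__main__":
    for name, (calls, lines) in sorted(demo().items()):
        print(name, calls, lines)
```

The file path an action writes to should be one the ARM service account can reach but ordinary users cannot edit, since the file is what later becomes a List.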

In my last post, I discussed configuring the Alarm and Response Manager on the Event Manager to work with Python and Wireshark. Because it doesn’t require Wireshark, the Add Item to List v2 Plugin is slightly simpler to implement.

Although not officially supported, this plugin is relatively easy to configure and use. This blog post will go through each process, step by step. The plugin can be downloaded here: Add Item to List v2 Plugin

Setting up the ARM to run Python scripts

1 Determine which LogRhythm appliance is hosting the Alarming and Response Manager service — in the LogRhythm Console Deployment Manager, the host will be listed under the ‘Event Manager’ tab. To double check, the service will be listed under ‘services.msc’ on that machine.


2 Install Python 2.7 on the Event Manager.

3 On the Event Manager, hit the Windows key + Pause/Break. This will bring up the System Window. ‘Select Advanced System Settings’, and then ‘Environment Variables’.



4 In the Environment Variables window, scroll to ‘Path’ under the ‘System Variables’ subsection.



5 Click ‘Edit’ and append the string:


– or the appropriate directory for the Python installation. Then close the window.

6 Open ‘services.msc’ and restart the ARM service. Python will now be ready to launch, and Python plugins that use the standard library can be used. This can be tested by opening a new PowerShell or Cmd prompt and entering ‘python’.

7 Optional: install PIP, a tool that will allow for one-line installation of non-standard Python libraries. Follow this guide to install PIP.

Importing a Plugin

1 From the LogRhythm Console, open Deployment Manager and then open the Smart Response Plugin Manager via Tools -> Administration -> Smart Response Plugin Manager.


2 Select Actions -> Import


3 Navigate to the directory containing the Smart Response Plugin, then select the file (of type AR Plugin File, .lpi) and click Open.


4 The Smart Response Plugin should now be visible in the list of plugins in the Smart Response Plugin Manager and the Actions tab for Alarms and AI Engine rules.


Configuring the SmartResponse Action

1 Find an alarm or AI Engine Rule that should trigger the Add Item to List action. For example, the AI Engine Rule ‘Network Anomaly: Internationalized Domain’ would be useful, because analysts can use a text list to determine which IDNs are observed, and then can conduct a quick analysis to determine which are acceptable to be whitelisted. Open the rule and go to the ‘Actions’ tab.


2 From the Actions tab, open the ‘Action’ dropdown at the top, find the ‘Add Item to List – Python: Add New Items to File’ action and select it.


3 The Parameters section will then be populated. There are two values that need to be specified by the user:

  • File Name: This will be the path to the file where the items will be added. For example, ‘c:\tmp\idns.txt’. Remember that this path is resolved on the Event Manager, so network paths are also acceptable.
  • Item: This is the value that will be added to the file. Typically, the Type should be Alarm Field so that a dynamic metadata value can be used. For domain name, select Group at in the Value column.


4 If the action should not be automatic, use the ‘Approvals’ section to set the Person or Group that needs to authorize the action to run. The approval will need to be done through the Dashboard or Alarm Viewer. If using a new Rule, it’s recommended to require an approver so that the Action doesn’t fire too often or pull down very large amounts of data unintentionally. Leave this section blank to run the action automatically.


5 When finished, hit ‘Ok’. The Plugin should now be working.

The LogRhythm Labs team will continue to release similar unofficial plugins as they are developed. We are also releasing revamped, official plugins, including plugins for integration with LogRhythm partner devices. For questions about this guide, please use the How To section of the Support Forum. This is also where the latest editions of the Threat Detection Cookbook can be found.

Again, the Retrieve NetMon PCAP SmartResponse Plugin can be downloaded here. The guide can be found here.




Hacker Summer Camp

This past week, I had the privilege of attending Black Hat, DEF CON, and BSides Las Vegas. I had a great time, met some incredibly talented people, gave a talk, learned a ton, and reconnected with old friends. I’m already looking forward to what next year will bring if I’m fortunate enough to return. For those who weren’t able to join in the mischief, I’d like to break down some highlights.


Conference Badges

The general theme for all three conferences was vast but mainly centered around the internet of things, privacy and general disobedience…

Zoz - Discussing Counter Surveillance

There were multiple talks centered around covering our tracks, improving Tor anonymity, enabling the security community, supporting the EFF, and much more. There were some excellent discussions around these topics, and BSidesLV even held an open session with the EFF which was very enlightening.

Hacks

It’s been a while since so many neat hacks emerged during these conferences; in particular, it was rather enticing to see Zero Day exploits launched publicly against conference goers and newly released security products alike. Among the standard packet sniffing, USB dropping, social engineering, and device rooting, there was one attack that really stood out among the rest…

In my opinion, the most prominent attack was launched by a fellow who goes by the Twitter handle @ihuntpineapples. He showed up to DEF CON with a clever Zero Day exploit (as many conference attendees do) that takes advantage of insecure code within the Hak5 WiFi Pineapple and turns the device into a paper-weight. Word on the street says that well over 1,000 pineapples were owned by this exploit during the conference…


‘Pineappled’ at DEF CON

This is a good lesson learned for folks new to the security industry… If you don’t know what you’re doing, have not researched how ‘hacking tools’ work underneath the hood, and are planning to mess with people at the largest hacker convention on the planet, you better be prepared for the consequences of those actions. I am rather familiar with the Pineapple myself and like to demonstrate basic wireless attacks using this tool-set; however I am glad I kept it at home this year and would never consider using this or similar script kiddie technology in this setting.

Hak5 Pineapple Van

Note: Hak5 has since released updates to remediate this vulnerability.

Conferences


The general atmosphere at BSidesLV is reminiscent of the early days of hacker conferences. They provide top-notch content with the advantage of a more personal venue, allowing attendees to approach speakers in a relaxed atmosphere, fostering collaboration and community. It is a free event that is supported by donations, releasing all presentation recordings (with the exception of Underground tracks) to the community following the event.

Pros vs. Joes CTF

I tried to attend a majority of the underground sessions since I wouldn’t be able to watch them later, and was very impressed with what I saw. One of my favorite tracks was by Dave Kennedy, who presented on ‘secret pentesting techniques part deux’. This session covered at a high level many of the ways his team gets around almost all security tools: the malware they generate never touches the disk, leaving little for Security Analysts to go off of.

A unique aspect of BSidesLV that I personally have never seen at any other conference is the speaker development program, dubbed the Proving Ground track. This is a fascinating opportunity for folks new to speaking publicly (such as myself) to get their work out there, present it to a larger audience, and get better at public speaking in general. Once proving ground speakers are selected, they are paired with a mentor, someone who has spoken at many conferences and has significant experience doing so. They guide their protege and give them advice to help tune their talk and get it ready for the public. I was more than happy to take advantage of this opportunity.

BSidesLV and DEF CON 22 Speaker Parade at theSummit (from

I was paired with Kevin Riggins, an InfoSec pro with a long history of producing and presenting top-notch talks. He helped guide me and tune my talk in preparation for the conference. I think I did all right, but you can be the judge of that. :-)

Following my talk I received this neat Challenge Coin.

Challenge Accepted


Black Hat is a very large and impressive conference that is geared primarily towards security vendors and their customers. If you were there, you probably saw me holding down the booth with my awesome co-workers or wandering the halls in search of the next session.

LogRhythm Booth

I sat in on some excellent talks at this conference, and was incredibly impressed by Dan Geer’s Keynote speech. He covered many topics during his talk, but I was most interested in his thoughts on responsibility. More specifically, the responsibility that organizations owe to their customers and the general public in regards to security best practices.

“Either software houses deliver quality and back it up with liability, or allow users to help themselves [...] You’d better do it well, or be responsible if it goes poorly.” – Dan Geer

What a great way to kick off the conference, if you ask me. The statements he made are exactly in line with what the security community needs right now. It is astonishing the number of companies that are not handling the security of their systems and customer data properly, which puts everyone at risk for identity theft or worse. Having someone of Dan Geer’s status drive these points home in a large setting like Black Hat is key for ensuring progress on these fronts.

Keynote Address Preparation

If you didn’t make it out to Black Hat this year, you can watch many of the sessions on the official Black Hat YouTube channel here. If you don’t ever want to trust the devices that you plug into your computer, I highly recommend the BadUSB talk by Karsten Nohl and Jakob Lell. Their research is an absolutely fascinating take on USB attacks that will drastically affect the security industry going forward.


DEF CON, the mother of all Hacker conferences… If you work in the security industry, you owe it to yourself to get to DEF CON at least once. Many folks have been attending the con for years, and it is constantly gaining in popularity. It’s obvious that it is quickly outgrowing the Rio, and there’s a rumor going around that it will be moving to a different venue next year in an attempt to hold the massive crowd that this conference brings to Las Vegas.

Welcome to DEF CON 22

Since I gave a talk at BSidesLV this year, I was invited to theSummit, an annual party which supports the EFF. This was a really neat event as I had the chance to speak with quite a few of the influential people in the industry whom I’ve looked up to over the years.

Vegas 2.0 Summit Badge and EFF Challenge Coin

There were so many great sessions this year, it’s hard to focus on just one that left the biggest impression. As much as I enjoyed the various NSA Playset talks, the discussions around privacy, and the cavalry; the very last talk I attended actually ended up being one of my favorites – Elevator Hacking, by Deviant Ollam and Howard Payne. This was surprisingly informative and very entertaining as they presented a ton of information in a short amount of time and did it very well, complete with embedded videos and entertaining commentary. If you can, you should watch the live talk as the slides simply won’t do it justice.

From the Pit to the Penthouse

What I found most intriguing about this talk is the fact that they discussed using event correlation to trigger on physical activities observed within the environment. This hits home for us at LogRhythm as correlation is what we do.

Lately the Labs team has been focused heavily on physical + cyber event correlation use cases such as this. It’s relatively easy to detect physical events using a SIEM, as almost everything is networked these days and everything generates log data; the trick is capturing that data, analyzing it, and triggering on the anomalies. One of the examples they demonstrated was exploiting a service elevator that ‘was not supposed to open from the outside on the service floor.’ They utilized cloned keys and opened the elevator, riding it up to gain access to the secure facility. Had the company been alerted to the outside door lock bypass followed by the elevator being triggered, the intruders would have been caught prior to gaining entry.

Community

If there’s one thing that people should come away from these conferences with, it’s a better understanding of the security community.

#303MoshPit – AKA best time I’ve had at a con party in years

The folks at these conferences are some of the most intelligent folks in the IT industry and most are very friendly and open to talking with just about anyone. If you use your time wisely and approach the right people, I guarantee you will learn something new and have a great time in the process. Heck, even John McAfee made guest appearances at BSidesLV and DEF CON this year and stuck around to chat with folks in the audience! Plus, Dual Core, Dale Chase, DJ Jackalope, YTCracker, and many more were not only up on the big stage, but did shows for private parties and hung out with the crowd afterwards.

Dual Core and Dale Chase at theSummit

Just be careful with what technology you decide to bring with you; it will most likely get pwned.


