Google Project Zero

Google has revealed that it plans to recruit experienced hackers to a new team known as ‘Project Zero’.  The new recruits will be employed to find serious weaknesses in internet security in order to prevent cyber attacks.   The main focus for the team will be finding ‘zero-day’ vulnerabilities and, importantly, to widely share the information they find – something others have been criticized for failing to do.  Among other internet security assignments, the team will also be tasked with conducting research into how attacks are carried out and how best to stop them.

As an organization at the forefront of online innovation, Google is certainly well placed to be exploring the web for trouble and should be highly commended for doing so.  Too many organizations have a ‘finders keepers’ attitude towards sharing information, which is both unhelpful and dangerous.  By searching for and revealing bugs, vulnerabilities and, I imagine, a whole host of other online ‘nasties’, Google will likely save many organizations from disastrous attacks.

Of course, Google may recruit the best team possible, but the nature of zero-day attacks, and today’s connected world in general, means that, inevitably, things will fall through the cracks.  While many of us may rely solely on Google to answer our day-to-day search queries, it would be an error to rely on them to protect our networks in equal measure.

Every business needs to be monitoring its own IT systems for unusual activity – whether that’s files moving in a suspicious fashion, or users logging on at odd times.  Understanding ‘normal’ network activity is key to noticing abnormal events – and who is going to be better placed than the business itself to separate the routine from the abnormal? The utopia of cyber security would see constant monitoring and collaborative intelligence, and hopefully Google’s Project Zero team will move us one step closer to this idyll.  We’re all building a similar jigsaw and working together could just help us find a crucial missing piece.



Tube to Work Day: The Most Exhilarating Commute Ever

Last week, when Ajay sent an email to the company about the upcoming Tube to Work Day in Boulder, my first reaction was, “Is this for real?”  This was quickly followed by “What a crazy, unique, yet awesome idea that I actually could do and, for some reason, really want to do.”  I was all in.  Having made it past 50 and my first root canal, it was time for my first tube to work day.  The water was running fast after a heavy year of snow and rain, which would make for an exciting ride and a fast “commute.” But it wasn’t sky diving or bungee jumping from a skyscraper. So, it felt like the right level of adventure on the calculated risk continuum.

I soon had 15 LogRhythm teammates willing to join me on this wacky adventure.  In the end, we had 11 actually do it on Tuesday. I got a little concerned when I realized I was the only one over 30 in the group, but I was committed at that point. The LogRhythm contingent, some wearing ties and others in full suits, started at Eben Fine Park at the mouth of Boulder Canyon with about 30 other comrades in loony-ness. It almost felt like a tube to work flash mob. There was an instant camaraderie with our fellow tube to workers as we navigated rapids and frigid water and made our way hooting, hollering and high-fiving down Boulder Creek. There were some dicey spots and a few of us flipped into the water, but nothing too bad, and we helped each other get out of some jams. So, yeah, we were on an official company team building exercise. Unfortunately, our team in the UK wasn’t able to participate, but sent pictures of commuters crowding into the London subway/”Tube”, lamenting that their tube to work day was not quite as interesting.

Ready for work

I have to say that it was an absolute, unqualified awesome time…pure fun and truly exhilarating.  I was on a natural Colorado high the rest of the day.  Major kudos to Jeff Kagen for originating this in 2008.  It is truly an “only in Boulder event” and the only one in the world as far as I can tell. So I contemplated after the fact why we did it and what was the appeal? I realize there is an alternative transportation angle to it and there is some small awareness element there, but this is not bike to work day. There you have a realistic commuting option, exercise, environmental benefits and time to think.  In reality, the creek is not a realistic commuting option for 99.9 percent of folks for 80 percent of the year.   For “tube to work day,” we all drove to work and then took a van and truck to the launch point.   So, we didn’t really help the environment.  In the end, we did it because a) we could and b) it was such a unique and fun thing to try and do together.

I’m actually surprised it hasn’t gained even more traction in Boulder. Maybe we did our part today to help it accelerate. LogRhythm represented about 20 percent of the “tube to workers” Tuesday and we went the farthest, going almost 3 miles from Eben Fine park to our offices east of Foothills Parkway.  Most did only about half our distance.

So, I’m thinking we must have set two world records…one for number of employees from the same company tubing to work and one for total distance tubed to work.  Congrats to Ariel, Brian, Tyler, Robbie, Chad, Colby, Kyle, Alex, Riley and Jimmy for helping set these world records.  Not surprising, of course, from the company that has managed to also take Security Intelligence to a whole new level and win several awards in the process. I knew I’d somehow be able to tie this back to the business :). My natural competitive drive and world record fever aside, Tube to Work day is not about competition.  It seems all about fun, wackiness, actively enjoying nature and bonding with your co-workers and fellow Boulderites. This is the kind of thing that highlights how great a place Boulder (and Colorado) is to live and work.   We have a thriving business community and a very healthy and innovative technology sector that is producing many great products and services.  We work hard and are passionate about what we do, but we also value work/life balance and don’t take ourselves too seriously. And there is a level of collaboration and community that you don’t see in other technology business hubs.

I can see Tube to Work day growing in popularity. I can certainly see the LogRhythm contingent growing and I encourage others to take the splash. Why, you ask? Well, why not?  I guarantee you won’t find a more interesting and exhilarating commute anywhere.

3 miles. 11 employees. World Record.



The Rise of Cyber Extortion

Malicious software must be becoming more difficult to monetize. While in the past malware was written to display adware, perform clickjacking to make ad revenue, or build botnets to perform more complex tasks, the recent trend has been toward direct monetization through cyber extortion. The CryptoLocker ransomware came onto the scene in September of last year, and many variants and similar pieces of malware have been seen since then. Ericka Chickowski at Dark Reading has put together an interesting piece that describes a number of extortion attempts, past and present. See number 6 (the Durham Police Department) for an example of an organization prepared to respond to this situation.



Hunting Retail Cyber Crime with LogRhythm

Recently I was on site with a customer we were working with to provide an extra level of support configuring LogRhythm to target and detect attacks specific to the retail industry.

This includes activity such as deviant behavior in the point of sale environment, potential theft of customer data from corporate IT resources, etc…

We began the process by looking for the malicious activity this module is designed to detect in order to identify anything that had taken place prior to implementation.

During the course of this investigation, we identified a set of activity that indicated there was communication on a known bad channel. This prompted an immediate investigation into the activity to identify all the relevant details surrounding this event so that we could provide forensic evidence of a data breach if necessary. Over the next few days, I will be explaining this process in greater detail.

Step 1.  Identifying a potential breach.

In this first installment, I’ll explain how we initially identified the activity that immediately raised concerns that a breach might have taken place.  It started with an alarm that indicated some entity was utilizing a known malicious command shell port within this network.

LogRhythm Alert Metasploit detected

The destination port number 4444 is the default Metasploit “Command Shell” communication port. To a hacker using Metasploit for this type of attack the command shell might display communication from the attacker to the target host like this:

Figure 1: Sample Metasploit command shell session

In this particular instance we used LogRhythm to quickly drill down and locate the specific log messages which identified this attack. It seems as though a connection was made to a few internal customer servers. Then something more alarming was revealed when we saw that the last connection was made to a server in Japan.

The FTP server seen making connections 2 and 3 (see image below) is a prime target for malicious activity. This server frequently receives remote retail store inventory in the form of PDF files via FTP. This makes it a prime target for a Metasploit Trojan packaged as a PDF file that waits dormant until someone mistakenly executes it.

Metasploit Log Detail

Note: This retail store chain only does business in the United States. It seems that whoever created this connection was somewhat deliberate in their attempts to mask this traffic.

The origin source ports for connections one and two are found in the second to last column. They do not originate from a random high-numbered port as one would expect. Instead, those connections are masking themselves as the service ports for their respective hosts’ jobs.

After the forensic investigation was complete, LogRhythm learned there was a corporate relationship between the customer and the offending entity, and has chosen to mask the public destination IP.

Since we needed more information, we performed a quick, right click correlation within LogRhythm:

Right Click -> Correlate on OHost = FTP(MaskedData)

This quickly brought back an hour’s worth of log data detailing the origin host’s recent activity.
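The three steps described so far (the alarm on the default command-shell port, the observation that the origin ports are service ports rather than ephemeral ones, and the one-hour pivot on the origin host) can be expressed as simple detection logic. The following is an added example written for this post, not LogRhythm’s own code; the log format, host addresses and timestamps are constructed, and only port 4444 comes from the text above.

```python
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not from the post):
# time, origin host, origin port, destination host, destination port, action.
SAMPLE_LOGS = """\
2014-06-10T09:12:03 10.1.20.15 21 10.1.30.7 4444 allow
2014-06-10T09:12:09 10.1.20.15 21 203.0.113.45 4444 allow
2014-06-10T09:13:44 10.1.20.15 49872 10.1.30.9 443 allow
2014-06-10T08:05:00 10.1.20.15 21 10.1.30.8 4444 allow
2014-06-10T09:20:11 10.1.40.2 51022 198.51.100.8 80 allow
""".splitlines()

METASPLOIT_DEFAULT_PORT = 4444  # default Metasploit command-shell port (from the post)
EPHEMERAL_FLOOR = 1024          # origin ports below this are service ports, not client ports

def parse(line):
    ts, ohost, oport, dhost, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "ohost": ohost, "oport": int(oport),
            "dhost": dhost, "dport": int(dport), "action": action}

def alarm_on_shell_port(events):
    """Step 1, the alarm: any session to the default command-shell port."""
    return [e for e in events if e["dport"] == METASPLOIT_DEFAULT_PORT]

def masked_source_ports(events):
    """Connections whose origin port is a service port instead of an ephemeral
    one, i.e. traffic disguised as the origin host's own service."""
    return [e for e in events if e["oport"] < EPHEMERAL_FLOOR]

def correlate_on_ohost(events, ohost, anchor, window=timedelta(hours=1)):
    """The 'Correlate on OHost' pivot: everything the origin host did in the
    hour leading up to the anchor event."""
    return [e for e in events
            if e["ohost"] == ohost and anchor - window <= e["ts"] <= anchor]

def investigate(lines):
    """Raise the alarm, then pivot on the most recent alarm's origin host."""
    events = [parse(line) for line in lines]
    alarms = alarm_on_shell_port(events)
    if not alarms:
        return {}
    latest = max(alarms, key=lambda e: e["ts"])
    pivot = correlate_on_ohost(events, latest["ohost"], latest["ts"])
    return {"alarms": len(alarms),
            "masked_origin_ports": len(masked_source_ports(alarms)),
            "pivot_ohost": latest["ohost"], "pivot_events": len(pivot),
            "destinations": sorted({e["dhost"] for e in alarms})}
```

On the constructed sample, three sessions to port 4444 fire the alarm, all three carry the FTP service port as their origin port, and the pivot on 10.1.20.15 returns only the two events inside the hour before the latest alarm.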

A visual baseline clearly identified that one host communicating with the corporate network was geographically distinct from typical network traffic.

Another right click correlation pulled up the destination coordinates for the communication path.


Additional questions arose. What is this server? Who owns it? What is that IP address doing? The investigation led us to open a browser to see if the server had a publicly facing website, which it did.


This is an externally facing default Apache Tomcat server that is doing nothing. Often, in this line of work, unconfigured servers mean that someone was in a hurry to stand something up that can receive data quickly and with little configuration. For example: a cyber attacker needing a place to upload a whole bunch of your corporate data quickly.

In addition to searching for the originating IP address, we had started a virus scan on the FTP server. Zero results were returned.

If this were an attack, you would think we’d see something on the server from the AV scan, so this was initially confusing. However, a quick investigation showed that a process was running tied to a legitimate Windows executable (Metasploit) being used to perform suspicious activity, which may not be picked up by an AV scan.


Based on our research we were able to provide the customer with the following options going forward: continue the investigation with an endpoint forensics tool, block the attack from happening in the future via firewall rules, or add a packet capture device and keep the investigation going.



The Diamond Model of Intrusion Analysis

Although every organization is a potential victim of cyber attacks and espionage, those in certain critical sectors — such as the Federal Government, energy, defense, and finance — face daily attacks from highly sophisticated, highly motivated adversaries. Dealing with this threat on a daily basis requires a structured method for analysis. Having spent years on the front lines against such threats, a former colleague developed such a methodology: The Diamond Model of Intrusion Analysis. After we put it into practice, the Diamond Model became the primary criterion for organizing and verifying advanced persistent threats in our Security Operations Center. In this task, it was extremely effective. For organizations with dedicated SOC teams, implementing a proven intrusion analysis framework is a vital step toward being able to first understand and then thwart malicious actors.

Fortunately, the model is freely available for unlimited distribution from the Center for Cyber Security and Intelligence Studies at the University of Maryland.

The first axiom of the model is its foundation: “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.” To paraphrase, all active intrusions start from an adversary. The adversary has aims against a particular victim, and uses Tools, Techniques, and Procedures (TTPs) along with technical infrastructure to launch their attacks. Putting this together defines the intrusion event. This can be represented visually through the Diamond Model:


From the SOC level, this should be the basis for grouping and organizing intrusions. Even though, in practice, a typical organization does not have the means to make a precise attribution of the malicious actor, grouping intrusion events can be accomplished using the other axes of the diamond. This metadata, which should be readily available to competent SOCs — TTPs, infrastructure, and the target — can be connected. For example, if a shared Command and Control (C2) protocol is used after successful spearphishing in two attacks that occurred months apart, it’s likely that they can be grouped together under the same adversary, or Activity Group (as they are known without attribution). If a third attack uses a similar domain name to host exploits and is attempting to access the same information, it would also join the Activity Group. Using this technique, known as Analytic Pivoting, an adversary’s portfolio — their goals and methods — can be understood, and thus mitigations can be more effectively targeted.

Is a particular adversary targeting senior staff through spearphishing? Implement a training regimen. Does the adversary attempt to gain access through a compromised contractor? Make sure those accounts are heavily monitored. The organization is now actively profiling its adversaries.

This is the foundation of the Diamond Model, but there are many more details available in the paper, including the mathematical basis for the theory, attack graph analysis, in-depth definitions, and more examples. Although relatively simple, incorporating the model’s mindset is amazingly effective at understanding threats that are posed against an organization.
