
Finding Security Issues in the HTTP Request Headers, and the Mac OSX Flashback Botnet

LogRhythm Labs has recently initiated a research project into HTTP Request Header analysis, including User Agent strings, in both proxy logs and web server logs. A few recent events have validated our interest in this topic.

The recently identified botnet targeting Mac OSX machines, reportedly with more than 600,000 hosts compromised (Conficker-sized!), uses the bot’s MAC address as the User Agent when phoning home to C&C. Hosts infected with the Backdoor.Flashback.39 trojan can be identified with a simple regex looking for MAC address patterns in an organization’s proxy logs (see below for example regexes).

We’ve also gotten our hands on some IIS log data from a recent high-profile breach. What we found was very interesting. The attackers didn’t bother to change the User Agent of the SQLi tools they used; both Havij and sqlmap were identified. Some simple whitelisting or blacklisting against the UA in the IIS logs would easily have caught this low-hanging fruit.

Stay tuned for more in-depth analysis of User Agent strings and HTTP Request Headers, as well as out-of-the-box content to help secure web applications using SIEM.


Example MAC Address Regexes:

No dashes, colons, or spaces: [a-fA-F0-9]{12}

With dashes, colons, or spaces: ([a-fA-F0-9]{2}(:|-|\s)){5}[a-fA-F0-9]{2}

UPDATE:

Kaspersky Labs gives an example User Agent string for the Flashback malware. Here’s a regex that will match it in proxy logs: id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}
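As an added example (not code from the original post), the following Python scans constructed combined-format proxy log lines with the three regexes above, restricting the match to the User-Agent field so that hex session tokens in the URL do not trigger the bare twelve-digit pattern; the sqlmap/Havij substring blacklist and the sample log lines are assumptions.

```python
import re

# Regexes from the post, anchored on \b so the bare-hex form does not fire on
# a 12-hex-digit run inside a longer token such as a session id.
PATTERNS = [  # most specific first; the first pattern that matches wins
    ("flashback_id", re.compile(r"id:[a-fA-F0-9]{8}-\w{4}-[a-fA-F0-9]{4}-\w{4}-[a-fA-F0-9]{12}")),
    ("mac_with_sep", re.compile(r"\b(?:[a-fA-F0-9]{2}[:\-\s]){5}[a-fA-F0-9]{2}\b")),
    ("mac_no_sep", re.compile(r"\b[a-fA-F0-9]{12}\b")),
]
# UA substrings for the SQLi tools named in the post (assumed values, case-insensitive).
TOOL_UA_MARKERS = ("sqlmap", "havij")

def extract_user_agent(line):
    """Return the last double-quoted field, which is the UA in combined-style lines."""
    fields = re.findall(r'"([^"]*)"', line)
    return fields[-1] if fields else ""

def classify_user_agent(ua):
    """Return (rule_name, matched_text) for a suspicious UA, else None."""
    low = ua.lower()
    for marker in TOOL_UA_MARKERS:
        if marker in low:
            return ("sqli_tool", marker)
    for name, pat in PATTERNS:
        m = pat.search(ua)
        if m:
            return (name, m.group(0))
    return None

def scan_log(lines):
    """Return [(line_no, rule_name, matched_text)] for lines whose UA is suspicious."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hit = classify_user_agent(extract_user_agent(line))
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits

# Constructed sample proxy log lines (combined-log style); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2012:14:02:11 +0000] "GET http://example.invalid/?s=deadbeefcafe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0"',
    '10.0.0.6 - - [10/Apr/2012:14:02:12 +0000] "GET http://example.invalid/p.php HTTP/1.1" 200 64 "-" "00:1c:b3:09:85:15"',
    '10.0.0.7 - - [10/Apr/2012:14:02:13 +0000] "GET http://example.invalid/p.php HTTP/1.1" 200 64 "-" "001cb3098515"',
    '10.0.0.8 - - [10/Apr/2012:14:02:14 +0000] "GET http://example.invalid/ HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (id:0d1e2f3a-4b5c-6d7e-8f90-a1b2c3d4e5f6)"',
    '10.0.0.9 - - [10/Apr/2012:14:02:15 +0000] "GET http://example.invalid/?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The first sample line carries a twelve-digit hex token in its URL but a normal browser UA, and produces no hit because only the UA field is examined.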


Continuous Monitoring: How a SIEM Platform Can Help with this Daunting Requirement

(3rd in a series of 3)

Today’s blog entry is the third and final blog in the series on SIEM features which support continuous monitoring requirements. The past two blog entries covered situational awareness, threats, assessing security controls, and collecting, correlating, and analyzing security information. In today’s entry I will cover security status communication and risk management requirements for continuous monitoring.

The FIFTH requirement is “providing actionable communication of security status across all tiers of the organization.” This requirement concerns the organization’s capability to communicate the current security status accurately at all levels of the organization and to provide recommended action when needed. It is focused on defining, providing, and communicating security status and metrics. A SIEM should be capable of notifying the owners of particular systems of security-related issues, allowing them to take remediation action as necessary. The more advanced SIEMs can even take automated remediation actions when specific issues are identified. The metric portion of the requirement quantifies the current status of information security at all levels of the organization. At a minimum, the SIEM should be able to provide an audit trail of its own use as part of a metric: it should audit alerts generated by critical events, the analyst’s acknowledgment of the alert, investigations initiated by the analyst in response to the event, actions taken to remediate the threat, and review of the event by management.

The SIXTH and final requirement is “active management of risk by organizational officials.” This requirement indicates that management must actively manage organizational risks. It is really an extension of the risk assessment process, which ensures all risks are identified, mitigated, and acknowledged by management. A SIEM should extend management’s view of the organization’s risk landscape by providing a view of critical risks such as threats and vulnerabilities, and provide visibility into the effectiveness of mitigating controls such as anti-malware, firewalls, IDS, patch management, vulnerability scanners, etc.

A SIEM can be a powerful tool for meeting continuous monitoring requirements through automated means. Keep in mind that not all SIEMs are created equal, and some provide limited functionality at a premium price. Ensure the organization performs an in-depth review of the regulatory requirements along with the functional requirements before a SIEM is selected. Robust SIEMs often provide mappings of key features directly to the regulatory control requirements they meet or supplement. Advanced SIEMs that provide capabilities such as built-in alerts, threat advisories, and automated remediation can help organizations stay informed and be better prepared to quickly remediate security risks.


Continuous Monitoring: How a SIEM Platform Can Help with this Daunting Requirement

Blog 1 of 3

Continuous monitoring is one area where most organizations often experience audit-related issues during their regulatory review. The most typical issues relate to analyzing security-related information and assessing security controls. Many of my clients would enable logging on the majority of their systems but would not actually analyze any of their logs because of the large volume. I can certainly empathize with them, having been in their shoes myself. However, it is not acceptable to stop monitoring critical system logs because the task seems too daunting; there is a better way. A robust SIEM (Security Information and Event Management) solution can centrally collect millions of logs, correlate information across the organizational infrastructure, and alarm on user-defined critical conditions, resulting in a manageable subset of security-related events. There are many different players in the SIEM market and a wide range of functionality offered; over the next three days my blog entries will describe specific features to look for in a SIEM to help meet continuous monitoring requirements.

FIRST, it is important to understand the six main continuous monitoring requirements outlined in NIST (National Institute of Standards and Technology) 800-137 before seeking a SIEM solution. The first requirement is “maintaining situational awareness of all systems across the organization.” This describes the need for the organization to maintain awareness of all systems in its environment. Organizations should have an asset management program that actively maintains inventories of systems, software, and network diagrams. A SIEM should supplement the asset management program by providing details of all known assets (hosts, network devices, physical devices, security devices, etc.) within the organization’s infrastructure. It is also best practice to implement technologies such as NAC (Network Access Control) systems, which can detect unidentified systems and deny them access to the infrastructure. A SIEM should also collect logs from these types of devices and generate alarms when unidentified systems are detected.

The SECOND requirement is “maintaining an understanding of threats and threat activities.” To meet this requirement, organizations must stay up to date on current threats and have the capacity to identify specific threats to their organization. They are expected to keep their knowledge of threats current by researching in-scope threats to their systems on a regular basis. A variety of content providers focus on delivering threat advisories via RSS feeds. Organizational threats should be identified and assessed through the risk assessment process. However, a SIEM should provide continuous threat assessment by collecting, correlating, and identifying threats from network and host anti-malware systems, firewalls, and IDSs (Intrusion Detection Systems). The more advanced SIEMs can give additional information about an identified threat through knowledge bases or third-party advisories.

Tune in for tomorrow’s blog entry where I will continue the discussion by covering requirements for assessing security controls and collecting, correlating, and analyzing security information.


Just The Facts – It’s When, Not If

Following the significant shift in the cyber threat landscape, the mindset of information security professionals has changed substantially. Eighteen months ago, most reasonably funded information security groups felt that the tools, processes and people they had in place were fairly strong relative to the risks and threats they were designed to address. As such, most felt that, while by no means bullet-proof, their defenses were likely to keep the bad guys at bay and targeting more vulnerable organizations. Oh, what a difference a year and a half makes.

The rapidly maturing cyber crime economy and supporting supply chain have led information security professionals to realize that the bad guys are getting more sophisticated and more numerous at an accelerating pace. Since this time last year, most InfoSec pros have accepted the idea that “It’s when, not if” their organization will experience a breach. While this mentality seemed to be pervasive as we approached the end of 2011, we wanted to put some hard numbers to it: just how exposed do organizations believe they are? To answer that question, we conducted a survey of over 200 information security professionals on their organizations’ Cyber Threat Readiness. The results, while not surprising, are alarming and reflect the need for better detection and response capabilities: to know sooner when breaches occur and to be empowered to respond faster and more effectively when they happen.

82% of respondents stated they have firewalls in place and use anti-malware/anti-virus solutions, but 75% said they lack confidence in their ability to detect activity commonly tied to breaches and cyber crime (e.g., to know when credentials or hosts are compromised). The bright spot in the survey results is that organizations taking steps to deploy technology such as NGFW and SIEM to improve their visibility and response capability were twice as likely to be confident in their ability to detect cyber attacks and breaches.

You can check out the Cyber Threat Readiness survey results for yourself in today’s press release. And as you read the results and consider the scenarios to which most organizations are blind, answer the question “Would you know if…”.


Security Not a Top Priority for Many Small Businesses

I recently found an article that outlined a study about cyber security and small businesses. In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…” I found this to be a relatively shocking number, but one that is believable in today’s tough economy. It would seem that most small organizations are watching every penny, and during that type of number crunching, Information Technology and IT Security budgets are often the first to be cut. Security has always been one of those items that, to most organizations, is a hard sell to upper management, particularly if the organization has never experienced any sort of security or data breach. Security budgets are often looked upon as, “Why are we spending so much money on something that may happen?” Until an organization is hit, it is often tough to get a decent security budget approved.

This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.” Another interesting finding in this report was the number of respondents that have “confidence” in their plans. “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.” This figure, in my opinion, shows that even large organizations, as prepared as they may feel, are not very confident in their security preparations.

Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day. Behind these breaches are some sobering numbers. Another study, from the Ponemon Institute and sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2 million in 2010, with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.” In addition, the study calculated that “the average data breach cost per individual compromised record is $214.” This is a staggering figure when you consider that many of the reported breaches involve hundreds of thousands of records lost each time. Multiply these numbers by $214 and the fines and associated fees per breach climb quickly.

With these numbers in mind, this brings me back to my original point: only 27 percent of small business owners value security enough to have an outside company come in and test their security. Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also begs the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2 million in 2010)?”
