Monday, May 26, 2014

Language does not matter


It has been years since I made time to write in this blog. I plan to start writing again about interesting things I read or experience from now on. Here is what I found interesting this month.

I was searching for reports on security attacks and found the following interesting sites –

Data losses - http://datalossdb.org/

Reading the information on all the above sites, the one thing that clearly stands out is “LANGUAGE DOES NOT MATTER”. No matter what language or script is used to develop an application, it is prone to one type of attack or another. Companies are aware of the importance of writing secure code, use static code analysis tools to detect code flaws, try to focus on security in every layer of the application development architecture, and secure their infrastructure by deploying the best security products, all of which aim to protect the company from attack. But is it really helping? Why is there such exponential growth in cyber-attacks and data breaches every year? What more needs to be done to avoid attacks and protect data? It looks like the ground reality is different: though there is a lot of talk about security, not everything is actually functional or operational on the ground. Unless the security measures are ensured to be functional at every layer in the enterprise, cyber-attacks and data breaches will continue to grow and take advantage of every small vulnerable flaw in IT setups.

Thursday, October 27, 2011

Common Attacks 1 - Password Guessing

Password guessing is an incessant activity against applications and services that face the public Internet. It is also done on the internal network by malicious insiders. Dictionary and brute force attacks are the most common mechanisms used in password guessing. One possible means of investigating remote password attacks is to analyse the logs from enterprise applications as collected by SIEM products (Security Incident and Event Management). The investigation to be carried out for this type of attack is discussed briefly here.

SIEM should collect logs from all systems in the enterprise that can be targeted by password guessing attacks.
• Log events with a high count of invalid credentials on a single application or across systems indicate an attempt to guess user names on that application or across systems.
• Log events with common/standard user names across many systems indicate an attempt to perform a password guessing attack.
• Log events with simple combinations of invalid credentials also indicate an attempt to perform this attack. Hence a successful login after many failed login attempts from the same source, from an unusual IP and/or at unusual hours, or for passive users are the situations to investigate and focus on during log analysis from the SIEM products. These can be easily detected by applying correlation rules from SIEM products. A rule to check for invalid authentication attempts followed by a successful authentication will automate the investigation and attack confirmation.
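As an added illustration of the correlation rule just described (example code, not from the original post), this Python script parses constructed sshd-style log lines and raises an alert when several failures from one source are followed by a success from the same source, also flagging off-hours logins; the log format, the threshold and the work-hours window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-style sshd events), not real data.
SAMPLE_LOGS = """\
2011-10-27T02:14:01 app1 sshd: Failed password for invalid user admin from 203.0.113.7
2011-10-27T02:14:03 app1 sshd: Failed password for invalid user root from 203.0.113.7
2011-10-27T02:14:05 app1 sshd: Failed password for bob from 203.0.113.7
2011-10-27T02:14:06 app1 sshd: Failed password for bob from 203.0.113.7
2011-10-27T02:14:08 app1 sshd: Failed password for bob from 203.0.113.7
2011-10-27T02:14:10 app1 sshd: Accepted password for bob from 203.0.113.7
2011-10-27T09:00:00 app2 sshd: Failed password for alice from 198.51.100.4
2011-10-27T09:00:20 app2 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=10), work_hours=(7, 19)):
    """Correlation rule: at least `threshold` failed logins from one source
    inside `window`, followed by a successful login from that same source.
    Each alert also records whether the success happened outside work hours."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        recent[:] = [t for t in recent if ev["ts"] - t <= window]  # expire old ones
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            off_hours = not (work_hours[0] <= ev["ts"].hour < work_hours[1])
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "time": ev["ts"],
                           "off_hours": off_hours})
            recent.clear()
    return alerts
```

Running `correlate(parse(SAMPLE_LOGS))` on the constructed lines yields one alert for bob from 203.0.113.7 (five failures, then success at 02:14, outside work hours), while alice's single failure stays below the threshold.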

Once the attack is confirmed, the further steps would be to perform extended analysis on the results derived from the investigation. I would call this 'SIT' analysis; it stands for Source analysis, Impact analysis and Target analysis.
• The Source analysis helps in understanding the party performing the attack, and in matching that with other activities from the same IP address or the same network range.
• The Impact analysis helps in understanding the overall impact of these activities on the IT environment.
• The Target analysis helps in figuring out whether the attack targets were affected by the attack in any material way.

All investigations, even minor ones, lead to action items. Confirmed authentication attacks should always trigger an immediate response, even for non-privileged accounts. Response actions can be to enforce a password change for all enterprise users, de-provision or terminate the compromised account, block the external source IP and increase the monitoring of the target systems and network. Enterprises can keep their network secure by ensuring continuous investigation of attacks on the network and taking the right actions in response to those investigations.

Monday, February 28, 2011

Detecting Malware on systems before AV finds it!

I was looking for options to detect malware before antivirus signatures find it. Here is what I read about using SCAP standards.

As written earlier, MAEC from MITRE provides a schema for malware characterization. OVAL from MITRE has defined a language schema to represent system characteristics and machine state, and to provide the results of an assessment in a standard format. OVAL also has a reference implementation, an interpreter which can scan a system and provide results in the OVAL results format. This interpreter can be used to execute test cases derived from the MAEC schema to find system characteristics. Once the system has been scanned and assessed, the results are available in OVAL format and can be used to identify malware even before AV signatures are available. This would only require some code/script to convert MAEC definitions into OVAL definitions or test cases. This seemed a cool idea and I wanted to share it on my blog. Please check maec.mitre.org and oval.mitre.org for more details.

Monday, January 31, 2011

Asset Identification and Asset Identification Specification

An asset is anything that has value to an organization. It can be a person, an information technology (IT) system, a network, a virtual machine or software. Asset Identification provides the method and format to identify and represent an asset. There are many specifications available for identifying assets automatically in an enterprise. Automated security specifications use varying mechanisms to identify assets, which produce incompatible, inconsistent and incomplete information. To address this issue, NIST has an Asset Identification specification which describes how assets may be identified by using a combination of zero or more canonical identifiers and some set of identifying information. Canonical identifiers are nothing but the identifiers assigned by the many tools that manage assets; they are interpreted in the context of a namespace. If an assigned identifier is not available, information that can be collected or discovered about the asset can be used for accurate identification. For example, hostname, IPv4 address and MAC address for devices; full name, location and organization for people; and name and type attributes for organizations are some of the information which can be used to uniquely identify assets. This provides complete and accurate information about each asset, which can be used for reporting on metrics and for automatic compatibility of identification with other specifications. Check out the asset identification document at http://csrc.nist.gov/publications/drafts/ir7693/draft-NISTIR-7693-AI_20101204.pdf for further details on asset identification.
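As an added example (not from the original post or the NIST draft), here is a Python sketch of the identification mechanism described above: two records are the same asset when they share a canonical identifier in a namespace, otherwise when their collected identifying information matches; the record layout, the rule for which attributes suffice and the sample records are assumptions.

```python
# Illustration of "canonical identifier first, identifying information second".
# Record layout and matching policy are this example's own, not the NISTIR 7693 schema.

# Which identifying attributes are sufficient, on their own, to say two records
# of a kind are the same asset (any one tuple matching in full is enough).
IDENTIFYING_RULES = {
    "device": [("mac",), ("hostname", "ipv4")],
    "person": [("fullname", "organization", "location")],
    "organization": [("name", "type")],
}

def same_asset(a, b):
    """Return True if records a and b describe the same asset."""
    if a["kind"] != b["kind"]:
        return False
    # 1. A canonical (namespace, identifier) pair shared by both settles it.
    if a.get("ids", set()) & b.get("ids", set()):
        return True
    # 2. Otherwise rely on collected/discovered identifying information.
    for attrs in IDENTIFYING_RULES[a["kind"]]:
        if all(a.get(k) is not None and a.get(k) == b.get(k) for k in attrs):
            return True
    return False

def merge_inventory(records):
    """Collapse records reported by several tools into one list of unique
    assets, accumulating canonical ids and filling in missing attributes."""
    assets = []
    for rec in records:
        for asset in assets:
            if same_asset(asset, rec):
                asset["ids"] |= rec.get("ids", set())
                for key, value in rec.items():
                    if key != "ids" and value is not None and asset.get(key) is None:
                        asset[key] = value
                break
        else:
            assets.append({**rec, "ids": set(rec.get("ids", set()))})
    return assets

# Constructed records from three hypothetical tools (a scanner, DHCP, HR).
SAMPLE_RECORDS = [
    {"kind": "device", "ids": {("scanner", "h-1001")}, "hostname": "web01", "ipv4": "10.0.0.5"},
    {"kind": "device", "ids": set(), "hostname": "web01", "ipv4": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    {"kind": "device", "ids": {("scanner", "h-1001")}, "hostname": "web01.corp.example", "ipv4": "10.0.0.5"},
    {"kind": "device", "ids": set(), "hostname": "web02", "ipv4": "10.0.0.6", "mac": "00:11:22:33:44:66"},
    {"kind": "person", "ids": set(), "fullname": "Jane Doe", "organization": "Example Corp", "location": "Chennai"},
]
```

`merge_inventory(SAMPLE_RECORDS)` collapses the five constructed records into three assets: the first three device records merge (the second through hostname plus IPv4, the third through the shared scanner identifier) and the merged asset picks up the MAC address that only the DHCP record knew.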

Sunday, December 19, 2010

Malware Threats

Found this excellent flow chart which shows the financial motivations and the technical paths by which malware threats are implemented.

http://computerschool.org/computers/malware/

Tuesday, November 30, 2010

MAEC and sample tools used to detect malware

Malware Attribute Enumeration and Characterization (MAEC) is the standard for representing malware by its attributes. MAEC provides a schema which can be used as a basis for creating malware repositories. It can also be used as the format to share malware information between applications. Basically, either static or dynamic analysis techniques are used to discover the attributes of malware. Static analysis is performed by looking at the code, and dynamic analysis by tracking the behaviour of the system. Once the attributes are discovered with either technique, applications can adopt MAEC to report on the discovered attributes of the malware.

CWSandbox is one of the tools which uses the dynamic analysis technique to report on detected malware. It is available for Windows and is yet to adopt MAEC.

ThreatExpert has tools for detecting malware on Windows and does it by looking at changes in the file system, memory, registry, and outbound and SMTP traffic data. Here is a sample report from a ThreatExpert memory scan on my system -

Full Scan Summary:
Scan details:
Scan started: Tuesday, November 30, 2010 20:15:23
Scan time: 01 minutes, 53 seconds
Number of memory objects scanned: 9356
processes: 60
modules: 3085
heap pages: 6211
Number of suspicious memory objects detected: 0
Number of malicious memory objects detected: 0
Overall Risk Level: Safe
Summary of the detected threat characteristics:
No suspicious characteristics detected.
Summary of the detected memory objects:
No suspicious memory objects detected.

For now, I could use the above tools and am looking for other free tools which can be used to detect malware. Also looking out for tools which can report using the MAEC schema format. Will keep this blog updated on my findings. Adios till then.

Sources -
http://maec.mitre.org
http://mwanalysis.org
http://www.threatexpert.com

Thursday, September 30, 2010

Vulnerability Assessment and Management

A vulnerability is a weakness in a system which can be exploited. To find all the weaknesses in a system, vulnerability scanning is performed. It involves running a program on one machine and then connecting via a network to the machines that you choose to check.
This helps to find and fix weaknesses in systems before someone else finds them and decides to break in.

Vulnerability scanning is a part of a defense in depth strategy and
• Leads to asset discovery.
• Provides the information needed to ensure that hosts within the enterprise are safe from known attacks.
• Provides enough data for tracking internal security posture over time.

Hence it is a key part of managing risk: it identifies the risk of every system, not just the ones we know about.

To know the state of our systems, we need to understand the weaknesses we are trying to defend against and, where possible, remove those weaknesses. For this we need a source of all known vulnerabilities and of the patches available to address them. This can be done by monitoring individual software manufacturers or by getting consolidated notifications from a provider such as http://securitytracker.com.

The scanning can be performed either by deploying a vulnerability scanning application in the enterprise or by using SaaS services from VAM service providers such as http://securityspace.com or http://www.qualys.com.

Whenever a new update is released, the system administrator should evaluate it, determine its applicability to the organization and then install it.

NIST has defined various SCAP (Security Content Automation Protocol) standards which provide a standard format for collecting application/system attributes, performing assessments using specific tests and displaying results. When vendors follow these standards for their output, the results can be easily consumed by other products.

Some of the standards that can be used with VAM are:
CPE - Common Platform Enumeration, the format to follow for providing platform-specific details such as the attributes of an OS.
CVE - Common Vulnerabilities and Exposures, a way for product vendors to provide vulnerability and exposure information.
OVAL - Open Vulnerability and Assessment Language, an open standard from MITRE. It enables automated assessment and compliance checking.
It provides a standard schema for the entire assessment process:
1. Data collection
Collect data about the system under test. This is captured as OVAL system characteristics; OVAL definitions are available for this.
2. Analysis
Collect and organize results from the assessment. OVAL definitions are available for this.
3. Results
Arrange the detected data against the defined machine states. The OVAL results schema is available for this.
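As an added example (not from the original post or MITRE's OVAL implementation), the following Python models the three stages above in simplified form: a definition built from tests, objects and states; collection of system characteristics; and a results record. All data structures, the sample definition and the host data are constructed for illustration, not the OVAL XML schemas.

```python
import re
# Simplified model of the OVAL assessment flow. The element names (definition,
# test, object, state, system characteristics, results) follow OVAL, but the
# Python data structures here are this example's own.

def version_key(v):
    """Numeric comparison of dotted versions, e.g. '5.3p1' -> (5, 3, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# Operations a state may use when compared against a collected item.
OPS = {
    "equals": lambda actual, expected: actual == expected,
    "less than": lambda actual, expected: version_key(actual) < version_key(expected),
}

# Constructed definition: "vulnerable if openssh is older than 5.8 AND sshd is running".
OBJECTS = {"obj:1": "package:openssh", "obj:2": "service:sshd"}            # what to look at
STATES = {"ste:1": ("less than", "5.8"), "ste:2": ("equals", "running")}  # expected values
TESTS = {"tst:1": ("obj:1", "ste:1"), "tst:2": ("obj:2", "ste:2")}        # object + state
DEFINITION = {"id": "def:1", "class": "vulnerability",
              "criteria": {"operator": "AND", "tests": ["tst:1", "tst:2"]}}

def collect(system_characteristics, objects):
    """Stage 1, data collection: the collected item for each object."""
    return {oid: system_characteristics.get(key) for oid, key in objects.items()}

def evaluate_test(tid, collected):
    """Stage 2, analysis: compare a collected item against the test's state."""
    oid, sid = TESTS[tid]
    op, expected = STATES[sid]
    actual = collected.get(oid)
    if actual is None:
        return "not applicable"   # the object does not exist on this system
    return "true" if OPS[op](actual, expected) else "false"

def assess(definition, system_characteristics):
    """Stage 3, results: evaluate the criteria and emit a results record."""
    collected = collect(system_characteristics, OBJECTS)
    crit = definition["criteria"]
    test_results = {tid: evaluate_test(tid, collected) for tid in crit["tests"]}
    combine = all if crit["operator"] == "AND" else any
    outcome = combine(r == "true" for r in test_results.values())
    return {"definition": definition["id"], "class": definition["class"],
            "result": "true" if outcome else "false", "tests": test_results}

# Constructed system characteristics, as a collector would report them.
HOST_A = {"package:openssh": "5.3p1", "service:sshd": "running"}
HOST_B = {"package:openssh": "5.9p1", "service:sshd": "running"}
HOST_C = {"service:sshd": "stopped"}   # no openssh package at all
```

`assess(DEFINITION, HOST_A)` reports the definition as true (old openssh and sshd running), HOST_B as false on the version test, and HOST_C as false with the package test marked not applicable because the object was never collected.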

Once the scanning is performed, useful metrics should be derived and reported on. Metrics such as the percentage of vulnerable systems and the time from discovery to remediation will benefit custodians and drive the updates to enterprise policy required to improve compliance.

Vulnerability scanning on a regular basis generates a lot of data. Only by demonstrating that the data collected is of real benefit will the enterprise come forward to deploy a Vulnerability and Asset Management (VAM) application. New deployments of VAM should use security products which are certified against the NIST standards.

References:
http://oval.mitre.org
Articles/papers from SANS reading room http://www.sans.org/