Thursday, October 27, 2011

Common Attacks 1 - Password Guessing

Password guessing is a constant activity against applications and services that face the public Internet, and it is also carried out on internal networks by malicious insiders. Dictionary and brute-force attacks are the most common mechanisms used in password guessing. One way to investigate remote password attacks is to analyse the logs from enterprise applications that are collected by SIEM (Security Information and Event Management) products. The investigation to be carried out for this type of attack is discussed briefly here.

The SIEM should collect logs from every system in the enterprise that can be targeted by password guessing attacks.
• Log events showing a high count of invalid credentials against a single application, or across many systems, indicate an attempt to guess user names on that application or across the systems.
• Log events showing common/standard user names (such as administrator, root or guest) tried across many systems indicate a password guessing attack: the same few names are sprayed at every host.
• Log events in which simple combinations of invalid credentials are tried also indicate this attack. Hence a successful login after many failed attempts from the same source, logins from an unusual IP and/or at unusual hours, and logins to dormant ('passive') accounts are the situations to investigate and to focus on during log analysis in the SIEM. These can be detected easily with correlation rules in SIEM products: a rule that flags a run of invalid authentication attempts followed by a successful authentication from the same source automates the investigation and confirms the attack.
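The two correlation rules described above, failed-then-successful logins from one source and one user name tried across many hosts, as an added example run over constructed log lines (this is illustrative code, not a rule from any SIEM product; the simplified syslog-like line format and the thresholds are my own assumptions, and a real SIEM feed needs its own parser):

```python
"""Correlate constructed authentication log lines the way a SIEM rule would.

Two patterns are implemented:
  * brute force: `threshold` or more failures from one source against one
    host, followed by a success from the same source on that host within
    `window_s` seconds;
  * spraying: the same user name failing on `min_hosts` or more hosts from
    the same source.
The line format is a constructed, simplified syslog-like format (assumption:
real SIEM feeds differ per product and need their own parser).
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data, not real logs.
SAMPLE_LOGS = """\
2011-10-27T02:10:01 web01 auth: FAILED user=alice src=203.0.113.7
2011-10-27T02:10:02 web01 auth: FAILED user=alice src=203.0.113.7
2011-10-27T02:10:03 web01 auth: FAILED user=alice src=203.0.113.7
2011-10-27T02:10:04 web01 auth: FAILED user=alice src=203.0.113.7
2011-10-27T02:10:05 web01 auth: FAILED user=alice src=203.0.113.7
2011-10-27T02:10:06 web01 auth: SUCCESS user=alice src=203.0.113.7
2011-10-27T02:11:00 web02 auth: FAILED user=administrator src=198.51.100.9
2011-10-27T02:11:01 db01 auth: FAILED user=administrator src=198.51.100.9
2011-10-27T02:11:02 mail01 auth: FAILED user=administrator src=198.51.100.9
2011-10-27T09:00:00 web01 auth: FAILED user=bob src=10.0.0.5
2011-10-27T09:00:30 web01 auth: SUCCESS user=bob src=10.0.0.5
"""


def parse(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def detect_bruteforce(events, threshold=5, window_s=300):
    """Alerts for (src, host) pairs where >= threshold failures precede a success."""
    failures = defaultdict(list)  # (src, host) -> timestamps of failed attempts
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["result"] == "FAILED":
            failures[key].append(ev["ts"])
            continue
        # A success: count only failures inside the window before it.
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append({"src": ev["src"], "host": ev["host"],
                         "user": ev["user"], "failures": len(recent)})
        failures[key].clear()  # a success resets the counter for this pair
    return hits


def detect_spray(events, min_hosts=3):
    """Alerts for (src, user) pairs whose failed attempts span >= min_hosts hosts."""
    hosts = defaultdict(set)  # (src, user) -> hosts where the name failed
    for ev in events:
        if ev["result"] == "FAILED":
            hosts[(ev["src"], ev["user"])].add(ev["host"])
    return [{"src": s, "user": u, "hosts": sorted(h)}
            for (s, u), h in hosts.items() if len(h) >= min_hosts]


def analyse(text):
    """Run both rules over a block of log text and return the alerts per rule."""
    events = list(parse(text))
    return {"bruteforce": detect_bruteforce(events), "spray": detect_spray(events)}


if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_LOGS).items():
        for alert in alerts:
            print(kind, alert)
```

On the sample data the alice login is flagged as a brute force (five failures then a success from 203.0.113.7), the administrator attempts from 198.51.100.9 are flagged as a spray across three hosts, and bob's single typo before a successful login is ignored; the success resetting the failure counter is what keeps ordinary users from paging the on-call analyst.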

Once the attack is confirmed, the next step is extended analysis of the results of the investigation. I call this 'SIT' analysis, which stands for Source analysis, Impact analysis and Target analysis.
• Source analysis helps in understanding who is performing the attack, by matching the activity with other events from the same IP address or the same network range.
• Impact analysis helps in understanding the overall impact of these activities on the IT environment.
• Target analysis helps in figuring out whether the targets of the attack were affected in any material way.

Every investigation, even a minor one, leads to action items. Confirmed authentication attacks should always trigger an immediate response, even for non-privileged accounts. Response actions can include enforcing a password change for all enterprise users, de-provisioning or disabling the compromised account, blocking the external source IP, and increasing the monitoring of the target systems and network. An enterprise keeps its network secure by continuously investigating the attacks against it and taking the right actions in response to those investigations.

Monday, February 28, 2011

Detecting malware on systems before AV finds it!

I was looking for options to detect malware before antivirus signatures catch it. Here is what I read about using SCAP standards.

As written earlier, MAEC (Malware Attribute Enumeration and Characterization) from MITRE provides a schema for malware characterization. OVAL (Open Vulnerability and Assessment Language) from MITRE defines a language schema to represent system characteristics and machine state, and to report assessment results in a standard format. OVAL also has a reference implementation, the OVAL Interpreter, which can scan a system and produce results in the OVAL Results format. This interpreter can be used to execute test cases derived from the characteristics defined in the MAEC schema to find the corresponding system characteristics. Once the system has been scanned and assessed, the results are available in OVAL format and can be used to identify malware even before the AV signatures are available. This would only require some code or script to convert MAEC-defined definitions into OVAL definitions or test cases. This seemed a cool idea and I wanted to share it on my blog. Please check maec.mitre.org and oval.mitre.org for more details.
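The "MAEC to OVAL" conversion step, as an added example that is not part of the original post and not MITRE's code: it takes a constructed, simplified malware indicator (file name, path and SHA-256; parsing real MAEC XML is assumed out of scope here) and emits an OVAL definition built on the independent-schema filehash58 test, which the OVAL Interpreter can evaluate against a host. The element and attribute names follow the OVAL 5.10 independent component schema as I recall it and are an assumption to be validated against the official XSDs before use.

```python
"""Emit an OVAL definition from a simplified malware indicator.

Added example. The input is a plain dict, not real MAEC XML (assumption:
converting MAEC itself is left out). The OVAL element and attribute names
are taken from the OVAL 5.10 independent schema as I remember it
(filehash58_test/_object/_state) and should be checked against the XSDs.
"""
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"

# Constructed indicator; the hash is a placeholder, not from a real sample.
INDICATOR = {
    "name": "Example dropper",
    "path": r"C:\Windows\Temp",
    "filename": "svch0st.exe",
    "hash_type": "SHA-256",
    "hash": "a" * 64,
}


def oval_id(kind, n, ns="example"):
    """OVAL ids look like oval:<namespace>:<def|tst|obj|ste>:<number>."""
    return f"oval:{ns}:{kind}:{n}"


def build_definition(ind, n=1):
    """Return the <oval_definitions> tree for one file-hash indicator."""
    ET.register_namespace("", DEF_NS)
    ET.register_namespace("oval", COMMON_NS)
    ET.register_namespace("ind-def", IND_NS)

    root = ET.Element(f"{{{DEF_NS}}}oval_definitions")
    gen = ET.SubElement(root, f"{{{DEF_NS}}}generator")
    ET.SubElement(gen, f"{{{COMMON_NS}}}product_name").text = "maec2oval-example"
    ET.SubElement(gen, f"{{{COMMON_NS}}}schema_version").text = "5.10"
    ET.SubElement(gen, f"{{{COMMON_NS}}}timestamp").text = "2011-02-28T00:00:00"

    # Definition: the logical statement "this malware's file is present".
    defs = ET.SubElement(root, f"{{{DEF_NS}}}definitions")
    d = ET.SubElement(defs, f"{{{DEF_NS}}}definition",
                      attrib={"id": oval_id("def", n), "version": "1",
                              "class": "miscellaneous"})  # 'class' is a keyword, so attrib=
    md = ET.SubElement(d, f"{{{DEF_NS}}}metadata")
    ET.SubElement(md, f"{{{DEF_NS}}}title").text = ind["name"]
    ET.SubElement(md, f"{{{DEF_NS}}}description").text = (
        f"Presence of {ind['filename']} with a known {ind['hash_type']} hash")
    crit = ET.SubElement(d, f"{{{DEF_NS}}}criteria", operator="AND")
    ET.SubElement(crit, f"{{{DEF_NS}}}criterion",
                  test_ref=oval_id("tst", n), comment="file hash matches indicator")

    # Test: ties an object (what to collect) to a state (what it should look like).
    tests = ET.SubElement(root, f"{{{DEF_NS}}}tests")
    t = ET.SubElement(tests, f"{{{IND_NS}}}filehash58_test",
                      id=oval_id("tst", n), version="1",
                      check="at least one", comment="hash of the dropped file")
    ET.SubElement(t, f"{{{IND_NS}}}object", object_ref=oval_id("obj", n))
    ET.SubElement(t, f"{{{IND_NS}}}state", state_ref=oval_id("ste", n))

    # Object: which file to hash, and with which algorithm.
    objs = ET.SubElement(root, f"{{{DEF_NS}}}objects")
    o = ET.SubElement(objs, f"{{{IND_NS}}}filehash58_object",
                      id=oval_id("obj", n), version="1")
    ET.SubElement(o, f"{{{IND_NS}}}path").text = ind["path"]
    ET.SubElement(o, f"{{{IND_NS}}}filename").text = ind["filename"]
    ET.SubElement(o, f"{{{IND_NS}}}hash_type").text = ind["hash_type"]

    # State: the hash value the collected file must have.
    states = ET.SubElement(root, f"{{{DEF_NS}}}states")
    s = ET.SubElement(states, f"{{{IND_NS}}}filehash58_state",
                      id=oval_id("ste", n), version="1")
    ET.SubElement(s, f"{{{IND_NS}}}hash").text = ind["hash"]
    return root


def to_xml(ind):
    """Serialise the definition document as a string."""
    return ET.tostring(build_definition(ind), encoding="unicode")


def refs_resolve(root):
    """Sanity check: every test_ref/object_ref/state_ref points at an existing id."""
    ids = {e.get("id") for e in root.iter() if e.get("id")}
    refs = [e.get(a) for e in root.iter()
            for a in ("test_ref", "object_ref", "state_ref") if e.get(a)]
    return bool(refs) and all(r in ids for r in refs)


if __name__ == "__main__":
    print(to_xml(INDICATOR))
```

Each indicator in a malware characterization would become one definition (or one criterion under a shared definition), and registry keys, mutexes or processes named in the characterization would map to the corresponding OVAL tests in the Windows component schema the same way. Run the output through the OVAL Interpreter and the results document tells you whether the file with that hash exists on the host, with no antivirus signature involved.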

Monday, January 31, 2011

Asset Identification and Asset Identification Specification

An asset is anything that has value to an organization: a person, an information technology (IT) system, a network, a virtual machine or a piece of software. Asset identification provides the method and format to identify and represent assets. Many specifications exist for identifying assets automatically in an enterprise, but these automated security specifications use varying mechanisms to identify assets, which yields incompatible, inconsistent and incomplete information. To address this, NIST's Asset Identification specification describes how assets may be identified by a combination of zero or more canonical identifiers and some set of identifying information. Canonical identifiers are simply the identifiers that the various tools assign to the assets they manage, interpreted in the context of a namespace (the same identifier can mean different things in different tools). If no assigned identifier is available, information that can be collected or discovered about the asset can be used for accurate identification: for example the hostname, IPv4 address and MAC address of a device, the full name, location and organization of a person, and the name and type attributes of an organization. This gives complete and accurate information about each asset, which can be used for reporting on metrics and makes identification automatically compatible across specifications. See the asset identification document at http://csrc.nist.gov/publications/drafts/ir7693/draft-NISTIR-7693-AI_20101204.pdf for further details.
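The identification approach described above, canonical identifier first and identifying information as the fallback, as an added example that reconciles device records from several tools (my own illustrative code, not NIST's and not the NISTIR 7693 XML format; the record layout, the attribute weights and the sample records are constructed assumptions):

```python
"""Decide whether asset records from different tools describe the same asset.

Added example of the identification approach in the text. Matching order:
  1. a canonical identifier, compared only within its own namespace (tool);
     equal ids in a shared namespace mean the same asset, different ids in a
     shared namespace mean different assets, no shared namespace is undecided;
  2. otherwise, identifying information collected from the device, weighted
     so that a MAC address alone is enough, hostname plus IPv4 is enough, but
     an IPv4 address alone (reused under DHCP) is not.
Records are plain dicts; field names and weights are my own assumption.
"""
import ipaddress
import re


def norm_mac(mac):
    """Normalise 00-1A-2B-.. / 001a.2b3c.4d5e / 00:1a:.. to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    return digits.lower() if len(digits) == 12 else None


def norm_host(name):
    """Hostnames are case-insensitive; a trailing dot is an FQDN artefact."""
    return name.lower().rstrip(".") if name else None


def norm_ip(addr):
    """Canonical textual form, or None for anything that is not an IP address."""
    try:
        return str(ipaddress.ip_address(addr))
    except (ValueError, TypeError):
        return None


def same_canonical(a, b):
    """True/False when the records share an id namespace, None when they do not."""
    for ns, id_a in a.get("ids", {}).items():
        id_b = b.get("ids", {}).get(ns)
        if id_b is not None:
            return id_a == id_b
    return None


def same_device_by_info(a, b, min_evidence=2):
    """Sum the weights of agreeing attributes; any disagreeing attribute vetoes."""
    checks = [  # (value from a, value from b, weight)
        (norm_mac(a.get("mac")), norm_mac(b.get("mac")), 2),
        (norm_host(a.get("hostname")), norm_host(b.get("hostname")), 1),
        (norm_ip(a.get("ipv4")), norm_ip(b.get("ipv4")), 1),
    ]
    score = 0
    for x, y, weight in checks:
        if x is None or y is None:
            continue  # attribute not known on one side: no evidence either way
        if x != y:
            return False  # a known, conflicting attribute rules the match out
        score += weight
    return score >= min_evidence


def same_asset(a, b):
    """Canonical identifiers decide when they can; otherwise fall back on info."""
    verdict = same_canonical(a, b)
    if verdict is not None:
        return verdict
    return same_device_by_info(a, b)


def reconcile(records):
    """Group records into clusters, one cluster per distinct asset."""
    clusters = []
    for rec in records:
        for cluster in clusters:
            if any(same_asset(rec, other) for other in cluster):
                cluster.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


# Constructed records from three hypothetical tools.
RECORDS = [
    {"tool": "scanner", "ids": {"scanner": "S-100"}, "hostname": "WEB01.example.com",
     "ipv4": "10.0.0.5", "mac": "00:1A:2B:3C:4D:5E"},
    {"tool": "cmdb", "ids": {"cmdb": "CI0042"}, "hostname": "web01.example.com",
     "mac": "00-1a-2b-3c-4d-5e"},
    {"tool": "dhcp", "ids": {"cmdb": "CI0042"}, "ipv4": "10.0.0.5"},  # reuses the CMDB id
    {"tool": "scanner", "ids": {"scanner": "S-101"}, "hostname": "web02.example.com",
     "ipv4": "10.0.0.6", "mac": "00:1a:2b:3c:4d:5f"},
    {"tool": "cmdb", "ids": {"cmdb": "CI0099"}, "ipv4": "10.0.0.6"},  # only the IP agrees
]

if __name__ == "__main__":
    for i, cluster in enumerate(reconcile(RECORDS), 1):
        print(f"asset {i}:", [r["tool"] for r in cluster])
```

With the sample records the scanner, CMDB and DHCP entries for web01 collapse into one asset (the first two via hostname plus MAC, the third via the shared CMDB identifier), while the last CMDB entry stays separate from web02 because an IPv4 address on its own is not enough evidence. The veto on conflicting attributes is what keeps a reused DHCP lease from merging two different machines.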