Sled Meta Blog


Using PacketSled to detect Golden Ticket Attacks

in Network Visibility, Threat Detection by Patrick Kelley
2016 was a year of exciting news in Information Security, and unfortunately one of many breaches. As I write this, I’m reading news about continuing leaks from Yahoo and new SCADA attacks.

With over 20 years as a professional in Information Technology, I'm always looking at new methodologies. However, I'm also looking at the ways things haven't changed.

For as long as I can remember, privileged account exploitation has been at the center of targeted cyber attacks. This gives InfoSec professionals a constant pattern of events to look for on their networks.

In typical fashion, attackers penetrate the network perimeter using phishing attacks or attacks on mobile devices, hijack credentials and use them to move laterally throughout the network, taking additional credentials and escalating privileges along the way.

During my time as a Penetration Tester, combining privileged accounts with attacks on Kerberos authentication in Windows domains was a method I always employed, in hopes of compromising the entire network. In fact, my team used to joke that lunch wouldn't be served until we had "Domain Admin". During such attacks, my team would target domain administrator privileges, which provide unrestricted access and control of the IT landscape. Armed with these privileges, my team could manipulate Domain Controllers (and Active Directory) and generate Kerberos tickets to obtain unauthorized access. Our ultimate goal was the "Golden Ticket"! That is a forged ticket-granting ticket, signed with the krbtgt account's key, that tools such as mimikatz issue with a ten-year lifetime by default; it stays valid until the krbtgt password has been changed twice, so it gives us years of unfettered access.

To forge one of these tickets, an attacker needs four things:

· the name of an account to impersonate (a domain administrator is the usual choice)

· the fully qualified domain name

· the SID of the domain

· the password hash of the krbtgt account (its NTLM hash or AES key), taken from a Domain Controller

The good news is that the hard part of a Golden Ticket attack is noisy, both in system logs and on the network. The first three ingredients can be gathered by any domain user, and forging the ticket itself happens offline, so the KDC never sees a request for it. The krbtgt secret, however, has to be pulled from a Domain Controller first, and when that is done remotely, as it usually is, the request crosses the wire. With deep packet inspection of Kerberos and DCE-RPC traffic, PacketSled users can look for the indicators of that step across their entire network, instead of searching through system logs that are often dispersed and not centrally stored while trying to piece the pattern together themselves.

In particular, the most common way to extract the krbtgt hash remotely (the technique known as DCSync) uses a DCE-RPC call from the Directory Replication Service interface (drsuapi) named DRSGetNCChanges. This call asks a Domain Controller for the updates to a specified naming context (NC = partition of the AD database) and is normally exchanged only between Domain Controllers; it requires replication rights that Domain Admins hold by default, which is why the attack is paired with a privileged account. That makes it a strong indicator: a DRSGetNCChanges request from a workstation or member server to a Domain Controller should never happen, and it is exactly the request an attacker issues to replicate the krbtgt secret.
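As an added example that is not part of the original post or of PacketSled's product, the following Python runs two checks on constructed Bro/Zeek-style log excerpts: DRSGetNCChanges calls in dce_rpc.log whose source is not a known Domain Controller, and TGS requests in kerberos.log with no preceding AS request from the same host and principal (a forged TGT is never issued by the KDC, so its first use skips that step). The IP addresses, principals, Domain Controller inventory and the reduced field set in the kerberos excerpt are assumptions for the example.

```python
"""Added example (not PacketSled code): two network-side checks for the
Golden Ticket kill chain, run over Bro/Zeek-style tab-separated logs.
The log excerpts are constructed; IPs, principals and the Domain
Controller inventory are assumptions."""
from collections import defaultdict

# Assumed inventory: the only hosts that may legitimately replicate AD.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}

# Constructed dce_rpc.log excerpt; real logs carry the same #fields header.
DCE_RPC_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1481800000.1\tC1\t10.0.0.11\t49200\t10.0.0.10\t49155\t0.001\t-\tdrsuapi\tDRSGetNCChanges
1481800001.2\tC2\t10.0.1.55\t50122\t10.0.0.10\t49155\t0.002\t-\tdrsuapi\tDRSBind
1481800001.3\tC2\t10.0.1.55\t50122\t10.0.0.10\t49155\t0.003\t-\tdrsuapi\tDRSGetNCChanges
1481800002.0\tC3\t10.0.1.56\t50200\t10.0.0.10\t445\t0.001\t\\pipe\\srvsvc\tsrvsvc\tNetrShareEnum
"""

# Constructed kerberos.log excerpt, reduced to the fields the check needs.
KRB_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type\tclient\tservice\tsuccess
1481800100.0\tC4\t10.0.1.20\t51000\t10.0.0.10\t88\tAS\tjdoe/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT
1481800101.0\tC5\t10.0.1.20\t51001\t10.0.0.10\t88\tTGS\tjdoe/CORP.LOCAL\tcifs/fs01.corp.local\tT
1481800150.0\tC6\t10.0.1.55\t51500\t10.0.0.10\t88\tTGS\tAdministrator/CORP.LOCAL\tcifs/dc01.corp.local\tT
"""


def parse_zeek(text):
    """Turn a Zeek/Bro ASCII log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_dcsync(rows, dcs=DOMAIN_CONTROLLERS):
    """(orig_h, resp_h, uid) for every DRSGetNCChanges call not sent by a DC.

    Replication between DCs is normal; the same call from any other host is
    the network footprint of DCSync pulling the krbtgt secret."""
    return [
        (r["id.orig_h"], r["id.resp_h"], r["uid"])
        for r in rows
        if r["endpoint"] == "drsuapi"
        and r["operation"] == "DRSGetNCChanges"
        and r["id.orig_h"] not in dcs
    ]


def tgs_without_as(rows, window=86400.0):
    """TGS requests whose (host, principal) sent no AS request in the prior window.

    The KDC never issues a forged TGT, so the first thing seen from a golden
    ticket is a TGS-REQ with no AS-REQ before it. A TGT obtained before the
    capture started looks the same, so treat hits as leads, not proof."""
    as_times = defaultdict(list)
    for r in rows:
        if r["request_type"] == "AS":
            as_times[(r["id.orig_h"], r["client"])].append(float(r["ts"]))
    hits = []
    for r in rows:
        if r["request_type"] != "TGS":
            continue
        t = float(r["ts"])
        if not any(0 <= t - a <= window for a in as_times[(r["id.orig_h"], r["client"])]):
            hits.append((r["id.orig_h"], r["client"], r["service"], r["uid"]))
    return hits


if __name__ == "__main__":
    for src, dc, uid in find_dcsync(parse_zeek(DCE_RPC_LOG)):
        print(f"DCSync-style replication from non-DC {src} to {dc} (uid {uid})")
    for host, client, svc, uid in tgs_without_as(parse_zeek(KRB_LOG)):
        print(f"TGS for {client} -> {svc} from {host} with no prior AS-REQ (uid {uid})")
```

The DCSync check is the higher-confidence one of the two, but its allow-list has to track every host that legitimately replicates the directory, such as a password-synchronization service account's server, or it will alert on routine traffic; the TGS-without-AS check is a lead to pivot on, not a verdict.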

Now, how do you get visibility into these attacks from a central point? Deploying a PacketSled sensor to establish a perimeter has never been easier. We have an IR deployment package that can have you up and running in minutes. Provide a SPAN/TAP feed to our sensor(s) and you have perimeter network visibility when you need it most.

Building detections this way moves the security controls away from decisions based on isolated, atomic indicators and towards decisions made in context, such as which host issued a replication request and whether it is a Domain Controller. This can greatly reduce the false-positive rate and make notifications more actionable.

At PacketSled, our researchers are continually pushing the boundaries of using our IRES-based security platform to provide greater value in security notifications. We do so by not just notifying InfoSec Professionals with alarms of potentially malicious behavior, but putting the context of those events in their hands as quickly as possible. 

Let us show you the value of PacketSled network visibility tools. To arrange a product demonstration or talk IR strategies give us a call.

Attacks On Routers and IoT

in Incident Response, Malware, Network Visibility, Security Research by Patrick Kelley
Here at PacketSled, we live at the forefront of technological innovation. Our deployed platform captures multitudes of attacks each day against devices that have only just reached the market. Keeping up with attacks against "bleeding edge" IoT devices is no small feat.

To understand how to best protect these new assets, it's best to understand what brought them here. The adoption of IoT and BYOD has increased with the intent of streamlining technology for the user and easing adoption in the marketplace. Apps in IoT can become seamless, removing the barrier a user used to have in determining whether they were sharing information with a co-worker or with the Internet. The more covert we make these transactions, the more risk we are accepting (think tap to pay, passwords transferred over NFC, and "magic links", as Slack likes to call them).

Without a clear understanding of standards and services, it’s a challenge to determine how to best approach securing them. In fact, it’s such a challenge that Gartner has claimed that nearly all security vendors will fail at this task. 

Personally, I agree.  

Security budgets are rarely earmarked for efforts around IoT, and business scenarios require a delivery mechanism that can grow and keep pace with security requirements in monitoring, detection, and access control. Despite this, users continually add more devices to the enterprise network, simply because it is easy to do so.

Fortunately, PacketSled has been thinking about IoT for quite some time.  Our team has spent many years of focused research on the most common IoT attacks.

One of the most common attacks we witness is authentication bypass. This could be due to poor session handling with predictable IDs or backdoors using hardcoded credentials. Regardless of the means, the outcome is the same – unauthorized access to sensitive information.

A quick search of Shodan will likely turn up nearly any Internet-exposed device an attacker would be interested in, including devices in your own infrastructure. In fact, we need not look further than the recent IoT attacks carried out with Mirai. It worked by scanning the Internet for devices with Telnet exposed and factory-default credentials, logging in, and enrolling them into its command and control platform. Once done, all of these devices could be remotely controlled and used to perform nearly any action conceivable. These attacks occurred across a wide spectrum of devices, from smart TVs to routers to really anything with the "smart" moniker attached.

PacketSled is here to help by proactively building detections into our platform to look for these behaviors, but our recommendation is to make sure your organization is covering the basics.

Where should you begin? 

Start with the CIS Critical Security Controls, with emphasis on the first six:
  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile and IoT Devices
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative or Root Privileges
  6. Maintenance, Monitoring, and Analysis of Audit Logs

With these basics addressed, you will have a more clear understanding of what devices and accounts are in use on your network and how you should expect them to behave.  

Among the many detections that PacketSled provides, you should look for unencrypted credentials present on the network, by issuing the following query in the investigator:

last 24 hours cluster password on [password]

This simple query returns every password observed in the clear on the network in the last day. The list is exportable and can be used to drive remediation: every hit names a device or service still accepting unencrypted logins and an account whose password should be treated as exposed.
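Behind a query like the one above sits a simple idea: credentials travel in the clear in a handful of well-known shapes. As an added example, and not PacketSled code or the product's query engine, the Python below pulls them out of constructed payloads for three of those shapes: FTP USER/PASS, HTTP Basic authentication, and URL-encoded login forms. The sample flows, the form-field names treated as user and password fields, and the device roles named in the comments are assumptions.

```python
"""Added example (not PacketSled code): extract credentials sent in the
clear from reassembled TCP payloads. The flows below are constructed; the
form-field names and the device roles in the comments are assumptions."""
import base64
import re
from urllib.parse import parse_qs

PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")  # assumption
USER_FIELDS = ("username", "user", "login", "email")      # assumption

# Constructed flows: (src, dst, dst_port, payload as text)
FLOWS = [
    # IP camera web UI using HTTP Basic auth with factory-default credentials
    ("10.0.2.31", "10.0.2.200", 80,
     "GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: 10.0.2.200\r\n"
     "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    # Scheduled FTP backup to a NAS
    ("10.0.2.40", "10.0.2.201", 21, "USER backup\r\nPASS Summer2016!\r\n"),
    # Form login to a building-automation controller
    ("10.0.2.40", "10.0.2.202", 8080,
     "POST /login HTTP/1.1\r\nHost: 10.0.2.202:8080\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     "username=operator&password=1234"),
    # Start of a TLS handshake on 443: nothing readable, must not match
    ("10.0.2.40", "10.0.2.203", 443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def _ftp(payload):
    """FTP sends USER and PASS as separate plaintext commands."""
    user = re.search(r"^USER (\S+)", payload, re.M)
    pw = re.search(r"^PASS (\S+)", payload, re.M)
    return ("ftp", user.group(1), pw.group(1)) if user and pw else None


def _http_basic(payload):
    """HTTP Basic is only base64, not encryption: decode and split on the first colon."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    user, sep, pw = decoded.partition(":")
    return ("http-basic", user, pw) if sep else None


def _http_form(payload):
    """URL-encoded login forms carry the password as an ordinary body field."""
    head, sep, body = payload.partition("\r\n\r\n")
    if not sep or "application/x-www-form-urlencoded" not in head.lower():
        return None
    fields = parse_qs(body)
    pw = next((fields[k][0] for k in PASSWORD_FIELDS if k in fields), None)
    if pw is None:
        return None
    user = next((fields[k][0] for k in USER_FIELDS if k in fields), "")
    return ("http-form", user, pw)


def find_cleartext_credentials(flows):
    """Run each extractor over each flow; first match per flow wins."""
    hits = []
    for src, dst, port, payload in flows:
        for extractor in (_ftp, _http_basic, _http_form):
            found = extractor(payload)
            if found:
                proto, user, pw = found
                hits.append({"src": src, "dst": dst, "port": port,
                             "protocol": proto, "user": user, "password": pw})
                break
    return hits


if __name__ == "__main__":
    for h in find_cleartext_credentials(FLOWS):
        # Mask the secret in console output; the export itself is sensitive data.
        print(f"{h['src']} -> {h['dst']}:{h['port']} {h['protocol']} "
              f"user={h['user']} password={h['password'][0]}{'*' * (len(h['password']) - 1)}")
```

Anything this finds is, by definition, already exposed to whoever can see the same traffic, so the export should be handled as a list of compromised credentials: rotate them and move the service to an encrypted transport, rather than just filing the report.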

We also provide extensive support for newer IoT protocols, along with our raw TCP and UDP analyzers, which will allow you to see inside network flows, even when a specific protocol analyzer isn’t available. 

Along with our security platform and the recommendations outlined above, we suggest signing up with each vendor for updates related to security patches, firmware updates and any available alerts provided from the devices, themselves.

Written by Patrick Kelley and Chris Mitzlaff 

Analyzing Unknown Protocols – Finding a Piece of Hay in a Hay Stack

in Network Visibility, Threat Detection by Patrick Kelley
Over the years, I’ve had the fortune of performing in several differing capacities in the Information Security community.  Some positions have been on “blue teams”, whereas others have been performed more “red team” roles.  One thing that always rings true is the importance of visibility. 

You can’t make decisions around data that you can’t see. 

When PacketSled chose to build our sensors on Bro, we knew that significant effort would be necessary if we were going to meet our own high expectations. Bro provides analyzers for around 60 protocols at this time. Unfortunately, there are literally thousands of protocols in use. That is a lot of network traffic that goes unparsed.

For those who aren't aware, WinRM is Microsoft's implementation of WS-Management, a remote management service that was available as an add-on for Windows XP and Server 2003 and has been built into Windows since Vista and Server 2008. The service is an authenticated SOAP listener over HTTP (TCP/5985 by default on current versions) or HTTPS (TCP/5986) and supports Kerberos and NTLM authentication by default. It's important to note that many attacks start with NTLM authentication, since it's already supported in Metasploit.

As our security team began launching live attacks in networks observed by Bro sensors, we realized that many of the Metasploit attacks weren’t being properly observed and tagged.  WinRM traffic is based on HTTP and HTTPS, but isn’t formatted in a manner that is properly recognized and analyzed by Bro. As a company focused on security solutions, we realized that something had to be done to permit our clients to see actionable data in this attack, as well as attacks on other protocols.

Therefore, we built raw TCP and UDP analyzers.  With these analyzers, it’s now possible to build IRES rules or bro-formatted detection scripts to alert on attacks in protocols that aren’t yet supported by the Bro framework.  So, how do you do it? 

By collecting a packet capture (pcap) of the attack traffic using our raw analyzers, we were able to extract the User-Agent and URI strings associated with these attacks.

In our case, these were defined as:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
URI and Action: POST /wsman HTTP/1.1
Host: 192.168.1.3:5985

Though this was an authenticated session that later became encrypted, we were still able to see some interesting indicators as the session was established. The most important was a Mozilla User-Agent connecting to a service that legitimate clients address with a User-Agent beginning with WinRM. We also noticed that the listening port was TCP/5985, the WinRM HTTP listener rather than a standard web port, and that the same client produced repeated failed authentication attempts. A single 401 response is normal here, because Negotiate authentication opens with a challenge; a string of them from one client with no successful response afterwards is not. Knowing this was anomalous and potentially malicious, our team was able to create a simple IRES rule to pull these indicators from our raw TCP analyzed traffic. By doing so, we were immediately able to recognize a large number of attacks from Metasploit against WinRM services in our extracted TCP payloads.
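To make those indicators concrete, here is an added Python example, not PacketSled's IRES rule or any code from the original post, that applies them to constructed WS-Management request/response pairs reassembled from raw TCP payloads: a User-Agent that does not look like the WinRM client, and repeated 401 responses with no eventual success against the WinRM listener port. The sample flows, the User-Agent prefixes accepted as legitimate, and the failure threshold are assumptions.

```python
"""Added example (not PacketSled code): score WinRM sessions reassembled
from raw TCP payloads using the indicators described in the post. The flows,
the accepted WinRM client User-Agent prefixes and the failure threshold are
assumptions."""
from collections import defaultdict

WINRM_PORTS = {5985, 5986}
# Assumption: legitimate Windows WinRM clients identify themselves this way.
WINRM_UA_PREFIXES = ("WinRM", "Microsoft WinRM Client")
FAILURE_THRESHOLD = 3  # assumption: 401s with no success before we call it a guess attack

# Constructed flows: (src, dst, dst_port, request payload, response status)
ATTACK_REQ = ("POST /wsman HTTP/1.1\r\nHost: 192.168.1.3:5985\r\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
              "Authorization: Negotiate TlRMTVNTUAABAAAA\r\nContent-Length: 0\r\n\r\n")
LEGIT_REQ = ("POST /wsman HTTP/1.1\r\nHost: 192.168.1.3:5985\r\n"
             "User-Agent: Microsoft WinRM Client\r\nContent-Type: application/soap+xml\r\n\r\n")
FLOWS = [
    # Scanner-style login attempts: browser User-Agent, three 401s, never a 200
    ("192.168.1.50", "192.168.1.3", 5985, ATTACK_REQ, 401),
    ("192.168.1.50", "192.168.1.3", 5985, ATTACK_REQ, 401),
    ("192.168.1.50", "192.168.1.3", 5985, ATTACK_REQ, 401),
    # Legitimate winrs session: one Negotiate challenge (401), then success (200)
    ("192.168.1.20", "192.168.1.3", 5985, LEGIT_REQ, 401),
    ("192.168.1.20", "192.168.1.3", 5985, LEGIT_REQ, 200),
    # Ordinary web traffic on port 80 is out of scope for this rule
    ("192.168.1.50", "192.168.1.7", 80,
     "GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Mozilla/5.0\r\n\r\n", 200),
]


def parse_http_request(payload):
    """Split a raw HTTP request into (method, uri, lower-cased header dict)."""
    head, _, _body = payload.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def assess_winrm(flows):
    """Return {(src, dst): [indicators]} for client/server pairs talking to /wsman
    on a WinRM port that show a non-WinRM User-Agent and/or repeated failures."""
    stats = defaultdict(lambda: {"user_agents": set(), "failures": 0, "success": False})
    for src, dst, port, request, status in flows:
        if port not in WINRM_PORTS:
            continue
        method, uri, headers = parse_http_request(request)
        if method != "POST" or not uri.startswith("/wsman"):
            continue
        pair = stats[(src, dst)]
        pair["user_agents"].add(headers.get("user-agent", ""))
        if status == 401:
            pair["failures"] += 1
        elif 200 <= status < 300:
            pair["success"] = True

    findings = {}
    for pair, s in stats.items():
        indicators = []
        if any(not ua.startswith(WINRM_UA_PREFIXES) for ua in s["user_agents"]):
            indicators.append("non-winrm-user-agent")
        # One 401 is the normal Negotiate challenge; many with no 200 is guessing.
        if s["failures"] >= FAILURE_THRESHOLD and not s["success"]:
            indicators.append("repeated-auth-failures")
        if indicators:
            findings[pair] = indicators
    return findings


if __name__ == "__main__":
    for (src, dst), indicators in assess_winrm(FLOWS).items():
        print(f"{src} -> {dst}: {', '.join(indicators)}")
```

Scoping the rule to POST /wsman on the WinRM ports first, and only then looking at the User-Agent and the 401 pattern, is what keeps the legitimate winrs session (one challenge, then success) out of the results while still catching a client that never authenticates successfully.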

The single piece of hay was found in the haystack and what would normally be unrecognizable by standard installations of Bro was quickly brought to the surface.  That is the unmatched power of the PacketSled platform. 

At PacketSled, we're always striving to provide the greatest visibility with our award-winning platform by continually developing additional protocol analyzers, allowing you to continuously monitor for advanced threats and policy violations missed by other defenses, and to analyze and remediate in record time. Don't settle for being an Analyst. Be a Hero!


PacketSled Partners with Lyrical Security to Provide Advanced Security Solutions

in Partners by Christina Patten
PacketSled is thrilled to announce a new partnership with Lyrical Security, one of North America's fastest-growing cyber risk management firms, providing integrated solutions that elevate operations from struggle to success story.
”We’re excited to take our strategic partnership to the next level,” said Sheldon Malm, Chief Executive Officer of Lyrical Security.  “Packetsled’s innovative platform has become the cornerstone of our Risk Operations Center, enabling our staff to detect threats earlier, accelerate investigations, and manage clients’ risk faster than we could have imagined.  Customer response to the solution has been overwhelmingly positive.”

It’s 10 PM. Do you know where your data is?

in Security Research by Patrick Kelley

I've had the fortune of working in Information Technology for over 20 years. In that time, I've realized that this industry is constantly evolving. However, the recent and rapid adoption of cloud-based services has caused a disruption of a magnitude I had not yet seen. Unfortunately, it is also happening at a rate that does not allow Information Security groups to properly gauge the security ramifications.

When I first entered this industry, networks were far easier to secure. We had differing operational goals, but what we secured were largely single, flat, and enormous networks with only a handful of entry points. All data and assets lived within one or two physical environments with their own dedicated controls. When we built our enterprise networks, we built them to support the maximum resources needed for the assets within that single environment. It was very linear and, in comparison, far easier to scope and manage than the networks we support today. Much like today, our worst enemy was downtime, but the rules of engagement have changed, as have the margins for error.

What do users want?  Everything right here. Right now. Oh yeah, we want it to be as cost-effective as possible.

With the benefits of cloud computing including quicker market entry, flexible costs and capacity, larger and more robust network fabric, allowing greater uptime, improved mobility and collaboration, and more fluid merger and acquisitions, it’s easy to understand why there has been such a major push into the IaaS and SaaS space. 

This also means that the "Crown Jewels" live in many new places around the globe. Some are within the corporation's complete control; many are not. Currently, AWS operates in 13 distinct regions around the world. That is a lot of entry and exit points for your data to move through. With the rate of migration and architectural change, most Information Security groups haven't had the time or resources to ensure that proper monitoring is taking place in these new realms.

Let’s face it… It’s a pretty rough day when you experience a breach or network outage in your own network, but it becomes far more complicated when it occurs in your partner’s network.  In reality, the headlines read largely the same. 

Additionally, as compliance oversight and governance won't go away with the introduction of cloud services, neither will the requirements for monitoring, reporting, and coordinated incident response and resolution. Our research also shows that firewall configuration complexity is leaving companies exposed: the technology to keep your networks safe exists, but it's nearly impossible to manage properly. This is where PacketSled comes in. We build feature-rich security platforms that make it easy to aggregate packet-level network analysis from multiple IRES sensors deployable around the globe.

Specifically, PacketSled sensors can live at multiple points throughout your core network, but also live within your cloud-environments. To ease management, we provide a centralized user interface that works for your team, wherever they are in the world.  With an increasing amount of technology partnerships and APIs being developed by Packetsled staff, we also play well with others. 

We understand that innovation is happening and at a rapid pace. With the ease of deploying Packetsled sensors, you can rollout new network coverage in a defined, lockstep approach to make sure you don’t miss an attack on your new infrastructure or initiative.  Best of all, you can launch new sensors when you need the coverage, not months or years beforehand. 

With our service, you always have the most recent detections, protocol analysis, and sensor technology, located in a Data Centre that will adhere to your governance and regulatory compliances.  We perform all of the research and development; you reap all of the benefits.

Wherever your business is today, and wherever it is headed tomorrow, let us reduce your worries about moving into the cloud. With the PacketSled platform, we're here to help.

-Patrick Kelley, Sr. Security Researcher

PacketSled is Recognized for the Second Year in a Row as SC Magazine’s Industry Innovator in Next-Generation Security Monitoring and Analytics

in Articles, News, PacketSled by Christina Patten
SC Magazine’s 2016 Industry Innovator names PacketSled one of only five who have defined what it really means to be “next-generation.”    
“Applying advanced analytics to threat hunting and evolving an analyst’s tool into an analyst’s tool that also has very strong monitoring, detection, case management and alerting functions.”
The article comes after technology editor Peter Stephenson conducted a second review of the product. In the review, he quickly arrives at yet another of PacketSled's key tenets:
"We never have seen that level of support response in any of the products we have reviewed and it provides a real benefit both to new users and experienced users with a difficult problem."

Secrutiny and PacketSled- Expanding Incident Response and Automated Network Insight Internationally

in Partners by Christina Patten

PacketSled is excited to announce a new partnership with Secrutiny. This partnership allows Secrutiny to resell PacketSled’s cloud-based network security tool, expanding PacketSled’s market internationally. 


“We’re absolutely thrilled to be able to help bring PacketSled’s unique detection, forensics and incident response capabilities to our customers in the UK,” said Founder of Secrutiny, Simon Crumplin. “In today’s threat landscape, attackers are continuously evolving their strategy, which is why we believe that PacketSled’s combination of real-time visibility with full fidelity network history will provide a massive leap forward in information security.” 


Secrutiny offers a quick, cost-effective Security Posture Audit to help organizations reveal whether cyber adversaries are present and active in their network. The company selects only the best technologies and methodologies to offer a next-generation cyber strategy.


Incident Response Strategy – Establish a Perimeter via Network Visibility

in Incident Response by Mike Spohn

As a seasoned incident response practitioner, I am always looking for better ways to manage serious security breaches. Over the last decade, the cyber-security community has refined many strategies and best-practices to help organizations identify, investigate, contain, and remediate advanced threat attacks. This has been enormously helpful.

I have also found it useful to look beyond our own realm in cyber-space and observe how other industries manage large security incidents. A few years ago, I spent some time researching and interviewing public safety, fire, and military professionals. My goal was to determine if there are patterns of behavior in their response tactics that might apply to our IR space. 

Establish a Perimeter

It did not take long to realize that the foundation of most public safety incident handling practices is to, “Establish and secure a perimeter.” This may seem obvious to you, but it is important to realize the safety of human lives is often at stake if this is not done right. When you think about it, almost all public safety, search-and-rescue, and military operations begin with this strategy.

The most obvious example is the fighting of a wildfire. A large percentage of the effort is spent on surrounding the fire and creating a “Dozer line” free of debris to starve the fire. Granted, the firefighters are usually at the mercy of temperature, wind, and humidity. Regardless of the weather, the containment strategy is to surround the fire and work inward to contain it.

Cutting a fire line – Image courtesy of FEMA

You see the same behavior when law enforcement agencies are faced with an act of terrorism. From the Boston Marathon attack to the bombing of the Brussels airport, the response was identical. Establish and secure a perimeter and work inward to determine the scope of the incident and look for suspects.

Sometimes this is really difficult. Consider the disappearance of Malaysia Air Flight MH370 on March 8, 2014. Lacking any reliable telemetry to determine where to search for the aircraft, a primary search area (perimeter) of 23,000 square miles was established. Folks, that is a big perimeter. Regardless, the same rule applied: establish a perimeter and search inward.

 

I immediately realized the value of this strategy in cyber-attack incident response investigations. In a cyber-attack response, the “perimeter” is almost always network boundaries. Why? If the source of the attack is not an insider, and the attacker(s) do not have physical access to your computing resources, the source of their attack will be an external network. This dynamic is obvious and compelling.

This makes it easy for incident responders to determine where to ‘establish’ a perimeter. It will always be where any external network has a route to your internal network. The first place to look is where your Internet points-of-presence (POP) are located.

Once you know the “scope” of your perimeter, you have to make some quick decisions on whether or not you “secure” it.

In the case of PCI, HIPAA, or other regulated data loss, you really have no choice but to secure the perimeter by shutting down the network segment. In other cases you need to make a hard decision. Do you lock out the intruders by securing the perimeter, or do you monitor it to learn more about the attacker TTP’s?

Tough choice.

If you secure the perimeter you tip off the attackers you know of their presence, and you lose the ability to collect additional, often critical, evidence. If you monitor the perimeter you run the risk of watching your precious data head to the Far East.

Here at PacketSled, we are all believers in the “Establish/Secure the perimeter and work inward” strategy when dealing with advanced threat actors. In fact, many of our customers rely on PacketSled network sensors to monitor their network perimeters during high-profile incidents.

Network Visibility is the Key to Establishing a Perimeter

Deploying a PacketSled sensor to establish a perimeter is painless. We have an IR deployment package that can have you up and running in minutes. Provide a SPAN/TAP feed to our sensor(s) and you have perimeter network visibility when you need it most.


PacketSled Dashboard


Let us show you the value of PacketSled network visibility tools. To arrange a product demonstration or talk IR strategies give us a call.

PacketSled at BlackHat 2016 Innovation City Booth #IC29

in Events by rrhyne

PacketSled will be at BlackHat 2016 in the Innovation City, booth IC29. Stop by for a demo of IRES, the Incident Response Expert System. Or Schedule a Meeting to take a deeper dive.


Data Connectors Anaheim – June 2nd 2016

in Events by rrhyne
Join PacketSled June 2nd, 2016 at the Doubletree Anaheim Orange County in Anaheim for Data Connectors Anaheim.

We’ll have a giveaway and T-Shirts so be sure to drop by the booth.


© 2017 PacketSled, Inc.