This blog contains some immediate guidance on using Snare agents and Snare Central to detect activity on your network from the Sunburst Backdoor malware delivered by SolarWinds Orion Software.

Background on Sunburst Backdoor

Several advisories have been provided by FireEye and CISA over the malware backdoor used in the SolarWinds compromise. FireEye provided a great white paper on the topic here. The US CISA also provided good detail here.

Import Information

As mentioned in the FireEye report, it reveals that this attack was perpetrated by an advanced adversary who carefully selected targets and changed their attacking infrastructure to match geographical location and even named attacking hosts to match their victims to disguise their traffic better. By using a trusted software partner like SolarWinds Orion, they could utilize SolarWinds’ position in the network to spread laterally across on-premises systems and cloud infrastructure to capture and exfiltrate data.

While the Sunburst Backdoor is a sophisticated attack vector, it is still just a trojan on a network with lateral movement. Many of your typical network defense techniques and incident response techniques can be utilized immediately. If you happen to know which hosts on your network are running SolarWinds Orion, start your hunting with those hosts as this is where the adversary gains a foothold. The Sunburst Backdoor should only be effective on those hosts. Still, the added threat here is any lateral movement out from the Orion hosts, using common techniques or credentials harvested from Orion.

Detection using Snare Agents and Snare Central

Some IOCs that FireEye kindly released in their GitHub report covers hashes, snort rules and IP address details. After the initial compromise its important to understand what was done on the corporate network and what the bad guys were up to. Things needed to help detect the malicious activity:

  • Install the Snare Agents to collect system event logs, enable FIM and RIM on key software and operating system locations to generate the required hashes. If the Snare agent was already installed having FAM and RAM configured for the same operating systems and application locations would help provide details on what accounts were used, programs used to make changes to the host files. Having Snare agents on other systems to collect the system logs would also assist with detecting lateral movement of users and potential account breaches on other host systems.
  • Use Snare agents to collect DNS log activity. We have good FAQ guide here.
  • Other logs like proxy logs can also be useful for determining internet access paths, source and destination systems. These can be collected using the Snare Windows or Linux agents.
  • Performing Database Activity Monitoring with the Snare MS SQL agent. This allows tracking of the users into Microsoft SQL Server databases to see if user accounts are compromised, data was changed or being exfiltrated.
  • Install Snare Central to collect logs from Snare Agents and other syslog devices like firewalls, routers, switches, and software like Snort or other IDS/IPS systems.

You can create reports in Snare Central to search the logs for for malicious activity as detected from the Snare Agents and network devices from the SolarWinds servers covering the syslog logins, malicious DLL thats been trojanized, DNS lookups, Firewall and proxy log traffic profiles,  The Snare Dynamic Search can be used to hunt for threats in an ad hoc fashion, you can also save the queries for later use or as templates to make new queries. The dynamic search allows for searching multiple log types at once to look for key words, IP addresses, Domain names to find the access paths the malicious software is performing.

Searching Logs

Searching for netsetupsvc.dll in dynamic search can be done either using the basic search by entering netsetupsve.dll in the search field or advanced search and paste the search options below.

DATE=’TODAY’ AND ALLFIELDS REGEXI ‘netsetupsvc\.dll’ – the time period can be adjusted to review larger ranged as required.

searching for the last 30 days would be as follows

DATE>=’30’ AND ALLFIELDS REGEXI ‘netsetupsvc\.dll’

Search DNS logs for the following string for the Command and Control (C2)  domains

DATE>=’30’ AND ALLFIELDS REGEXI ‘avsvmcloud|appsync-api’

Proxy Logs

Proxy logs can be searched using the standard reports where the logs were collected using the Snare agents. the proxy logs maybe a path to the Internet to access malicious content, or used to exfiltrate data. By reviewing the top sites or users it may highlight who and where the activity was coming from for compromised users and systems. The standard reports are located here:

Reports\Application Audit\Proxy Servers

User Lateral Movement

Logins to other systems can be detected using the standard login reports to show which systems users are logging into. The report can be cloned as many times as needed with each of them having additional filters applied for specific users or groups of users to filter down to specific user account logging in to multiple systems. This could be an indication of account compromise if the user access was not legitimate. Out of hours login reports can also be run to see which accounts are being used in non standard working hours when the accounts would not normally be used. Location for user login activity is found here for Windows and other operating systems.

Reports\Operating Systems\Login Activity

User and group changes can also be tracked and reported on. One of the changes the malware does is to change or add users to have privileged access. Tracking if users have been added or removed, system policy changes occurring, audit logs being cleared can be a sign of malicious activity with the attacker trying to hide their tracks, group and group member changes as well as specific user changes for additional access. Snare Central has reports for tracking administrative user activity located here:

Reports\Operating Systems\Administrative Activity

Process Execution

Reviewing process execution can be complicated in understanding what are normal applications used on the corporate network what is not. However getting context of what is run then seeing what is abnormal can be done with reviewing the activities of the key systems then expand to review other systems as needed. Where application white listing has been implemented the risk maybe lower, but not all organisations have been able to white list all application usage. Snare Central has some base reports that allow the user to show what commands are being run on the systems. If the customer has sysmon also installed then it will provide additional information and parameters used in commands that are run including PowerShell commands. The reports can be cloned as many times as needed and adjusted with additional filters to search for specific applications or exclude known whitelisted applications and then report on other unknown applications. Location for process Monitoring can be found here:

Reports\Operating Systems\Process Monitoring

Network Activity Monitoring

Where Snare Central is collecting firewall, router, switch and other logs from snort or other IDS/IPS systems it can help correlate actions performed by systems and/or users to show where downloads of malicious content or where data is being exfiltrated to. Reports can be created for a variety of network devices with filters being created to look for specific IP addresses of interest from either internal or external sites. In the case of this malware using the source address of the SolarWinds server and any other compromised server may help narrow down what the actions were and how they were performed on the corporate network. Some of the standard Network activity monitoring reports can be found here:

Reports\Network

Database Activity Monitoring

Database Activity Monitoring as provided using our Snare MS SQL agent can help provide additional information on what corporate data was accessed inside the MS SQL Server databases. By tracking the access to the databases and reviewing the contents of the SQL commands and who was running them it can provide additional forensics combined with the other user activity performed on the systems. There are several standard reports in Snare Central that provide details on Admin and DBA activity, Database Activity and usage for specific commands. Users can report on login activity, use of user rights, review specific SQL events, report on objects accessed by using custom reports and tune them based on the customers specific naming conventions. Some of the standard reports can be found here:

Reports\Application Audit\MSSQL Server

 

For additional information please contact our sales team via the email contacts on here.

Why did you buy a SIEM?

Of course, you take cyber security seriously and have spent a lot of money on tech to help you detect threats and protect your business from ransomware, IP theft, data theft and loss of PII. You also need to be compliant to regulations that are specific to your industry and boy are you paying for it. Cyber security is one of the biggest spend categories in IT still and shows no signs of slowing.

Of course you have SIEM. Everyone has SIEM. SIEM has always promised much, but has it really delivered? What promises are you paying for and have those promises been kept? Maybe there are a few things that you really need from SIEM but are you still paying extra for the undelivered promises?

Every vendor telling you they have the magic bullet that can solve all your cyber problems just compounds the issue and adds to the fatigue of managing risk with too few resources and not enough money.

So, let’s look at core SIEM capability and see what we really need.

  • Log collection and correlation – secure and complete collection of logs, normalisation and parsing of log data for analysis
  • Alerting – customisable thresholds for real time alerts.
  • Drill down into events – threat hunting through a combination or drill down and query based searching
  • Log storage, retention and forensics – ability to efficiently store (data compression, filtration and truncation) of log data for compliance and forensics
  • User monitoring – who’s doing what, with what systems and with what privileges?
  • Reporting and compliance – out of the box compliance reports for a range of use cases
  • Dashboards & Analytics – visualisation of areas of concern and policy management

The Cost of Your SIEM + A SIEM Alternative

Ultimately for most it is about finding indicators of compromise and eliminating false positives and avoiding “alert fatigue”.

This is probably what you are getting from your SIEM, but are you also paying for “AI” or “Machine Learning”, “anomaly detection”, “advanced UEBA” or other advanced functionality even its it’s not mature and is still of questionable value, or if you don’t have the team available to take advantage of it?

That’s another thing, many of these SIEM systems are large, complex, technically difficult to deploy and manage, policy is hard to apply and you need someone “driving it” constantly. Probably a team of people.

Many customers are not even sure that they are collecting all the logs they should be, as there is no mechanism to check the log collection capability to ensure collection, or the secure encryption of those logs in transit. Or worse still, they simply can’t afford to collect all the logs because the SIEM vendor charges by the GB.

The other major issue I see in the market is that many companies don’t have a SIEM – they have three! Consolidating these systems, sending the same logs to multiple destinations (including their MSSP partner) is almost impossible. Migration from one platform to another is hard and the vendor has locked you in because you are using their tool to collect the logs. Dammit!

Maybe your company is mid-size, growing, but not yet on the Fortune 2000 list. You still need to comply with regulation but cant afford the bells, whistles and promises of the big SIEM vendors or the expensive and skilled staff to manage these systems.  What do you do then? You need a SIEM alternative.

And so this brings us back to the original question. Why do you need (another) SIEM?

Maybe you don’t.

A very good Centralized Log Management platform (CLM) like Snare can give you all the core capability you need from SIEM at a fraction of the price and use a fraction of the resources. A good CLM can also add extra advanced functionality like File and Registry Monitoring (FIM & RIM) and Database Activity Monitoring (DAM) as well. You might even be able to rationalise some vendors with a good CLM like Snare and avoid vendor lock-in if you ever want to change.

So before you read the next “buyers guide” to selecting a SIEM – brought to you by “insert vendor here” have a look at a really good CLM platform like Snare as a SIEM alternative.

Snare’s Commitment to Security

 

In light of recent malicious activities by foreign actors, we seek to ensure our Snare customers, partners, and prospects that we are are committed to providing the most secure platform we can based on the primary pillars of cybersecurity:

 

C. Confidentiality.

I. Integrity.

A. Availability.

 

Our customers must authenticate to get their software and license downloads – we do not issue software. The software is downloaded over encrypted channels after the customer has authenticated to the customer portal.

 

We harden the software stack for the Snare Agents and Snare Central software so they do what they need to and nothing else.

 

We do not use third party software such as .Net or Java in the agent software to minimize its footprint to potential vulnerabilities.

 

We contain our own micro web server in the agents that only does what it needs to do, as they don’t need a full stack web server.

 

We use separation of duties – The Security admin can control the agent and Snare Central policy, not the SysAdmin, to ensure that policies are set and logs are collected.

 

We watch the watcher – Snare Agents audit and log local user changes and activity to customers’ systems and the Snare software itself.

 

We have independent third party verification being Veracode Verified status for our Snare Windows Agent and Snare Agent Manager.

 

We mask sensitive data via the Snare reflector and our Snare Database Activity Monitoring (DAM) solutions to ensure that the logging system is not storing sensitive data when there are regional PII related compliance needs.

 

We provide over the wire encryption using TLS for web access, for sending logs, and mutual authentication options when both ends need to be validated to ensure that the log data is kept private on the network.

 

We provide destination failover using options like DNS updates to change the destination logs are being sent to.

 

We are committed to providing you the most secure platform possible. Share with us your ideas.

 

 

Big Retail = A Honey Pot of Data

The retail industry is a high value target for cyber attacks, simply due to the transactional nature of the business. The large numbers of financial transactions means that there is a honey pot of data and countless opportunities for cyber criminals to steal sensitive customer information.

Online transactions, Point of Sale (POS) systems, and retail environments where there are transient workforces and high staff turnover simply equals increased risk. And far too often, POS systems run on old systems with no Malware protection and sometimes unpatched operating systems. Big retailers with operations that include a large numbers of stores, hundreds of POS systems, fragmented procurement, and multiple distribution centers are attractive environments for a cyber criminal or criminals planning an attack.

To further the risk of an attack or breach, many retailers also outsource their IT or cyber security capabilities to third parties – which means retail organizations need to (seriously) consider supply chain security as well.

Review our other blog on this topic here.

Preventing eCommerce Cyber Attacks – It’s all about the Benjamins

The threats of cyber attacks for retail companies are very clear and unfortunately abundant, from the introduction of Malware to steal financial data, unauthorized insiders gaining access to private systems and databases, to the creation of fraudulent transactions and routing money to other destinations. It’s all about the Benjamins baby.

A high profile example of the risks in retail comes from Forever 21 in 2017. A large number of the company’s POS systems were infected with Malware for nearly seven months, enabling cyber criminals to steal credit card data that had been stored in the logs of completed transactions. Forever 21 reported that the Malware obtained the shoppers’ card number, expiration date, internal verification code – and in some cases also cardholders’ names.

Another well known name that has fallen foul of cyber attack(s) is Macy’s. An investigation into the 2019 breach of Macys.com found that the attack was linked to a website that stole customer payment data on the “Checkout” and “My Wallet” pages. Macy’s was also attacked in 2018. That breach allowed criminals access to sensitive credit and debit card information, names, and birthdays of “a small number” of Macys.com and Bloomingdales.com customers.

Right now, as business across the globe becomes increasingly more digital and as eCommerce continues to expand – particularly as COVID-19 has kept consumers at home and driven them to shop almost exclusively online – the reality is that digital retailers simply cannot operate without prioritizing cyber security.

Protecting Credit Card Transactions

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any company that handles credit card payments.

Among the requirements for achieving PCI compliance is the ability to monitor access to systems and any activity on the network, ensuring that encryption and perimeter security is active, restricting access to data and systems, and requiring the use of strong passwords. Monitoring and reporting are key requirements for PCI DSS.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. 

Examples of system components include, but are not limited to the following:

  • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
  • Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
  • Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
  • Any other component or device located within or connected to the CDE.

Reference Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 May 2018

Log Management & Cyber Security

Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

Effective log collection & management will allow you to:

  • Implement audit trails to link all access to system components to each individual user.
  • Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms (including creation of new accounts, elevation of privileges), and all changes, additions, deletions to accounts with root or administrative privileges; initialization, stopping or pausing of the audit logs; creation and deletion of system-level objects.
  • Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.
  • Use time synchronization technology, synchronize all critical system clocks and times, and implement controls for acquiring, distributing, and storing time.
  • Secure audit trails so they cannot be altered.
  • Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily.
  • Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis

One of the key requirements is not just collecting log data on these activities but also having the ability to review it daily as required by the regulation. Snare makes this easy by providing out-of-the-box capability to generate the appropriate reports needed to be compliance for PCI DSS.

Further to this capability Snare can also provide Database Activity Monitoring (DAM) to ensure that application level controls are not bypassed and direct database access is used instead, and both File Integrity Monitoring (FIM) and Registry Integrity Monitoring (RIM) to ensure that changes made to key files or suspicious registry activity (including the installation of malicious applications) is detected.

Make sure you also check out our best practices white paper for PCI DSS here.

Need to get your log management solution in place?

Reach out to our team. We work with over 4,000 customers across the world to help manage logs and prevent the types of costly and damaging cyber security breaches referenced in this article.