Tag Archives: logging

Malware Archaeology Updates Windows Logging Cheat-Sheets

The ‘Windows Logging Cheat Sheet’, ‘Windows File Auditing Cheat Sheet’ and ‘Registry Auditing Cheat Sheet’ have been updated for 2016. The cheat sheets have been updated in part due to auditing improvments[sic] added by the ‘Windows 10 Anniversary Update’ released earlier this year. We also took the opportunity to do some cleanup and add more autorun keys to the registry auditing cheat sheet. Updates are easy to spot, just look for ‘new’.

Go get ’em and watch for the updated Log-MD!

http://hackerhurricane.blogspot.com/2016/10/the-windows-logging-file-and-registry.html

InfoSec Handlers Diary Blog – Egress Filtering? What – do we have a bird problem?

Via InfoSec Handlers Diary Blog – Egress Filtering? What – do we have a bird problem?, a very good article on getting started in egress filtering.

One of the major tools that we have in our arsenal to control malware is outbound filtering at firewalls and other network “choke points”. Over the years, it’s become obvious that “enumerating badness” on the internet is next to impossible; it’s generally much easier to enumerate “known good” traffic, and simply deny the rest as bad or at least suspect. Often the management response is “we trust our people”, but that’s not really the point. While maybe you can trust all of your people, you can’t trust the malware they may have, or all the links they might click. But let’s be honest, it’s likely that you can’t trust all of your people to never install a bittorrent client or other higher-risk program.

When you know what legitimate traffic is leaving your organization, you can watch for the bad stuff.

And even beyond that, you want to know what legitimate traffic is leaving your organization, right?
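One way to put the “enumerate known good, deny the rest” idea into practice, as an added example that is not from the Diary post or this blog: a Python check that runs an egress allowlist over firewall log lines. The key=value log format, the addresses, and the policy (only the proxy browses the web, only the mail relay sends SMTP, everyone resolves DNS via the internal server) are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

net = ipaddress.ip_network

# Constructed sample firewall log lines (generic key=value format, not from any real device).
SAMPLE_LOG = """\
2016-10-12T09:14:02Z src=10.1.5.23 dst=10.1.0.5 proto=udp dport=53 action=allow
2016-10-12T09:14:03Z src=10.1.5.23 dst=203.0.113.10 proto=tcp dport=443 action=allow
2016-10-12T09:14:05Z src=10.1.0.9 dst=198.51.100.7 proto=tcp dport=443 action=allow
2016-10-12T09:14:09Z src=10.1.5.40 dst=198.51.100.200 proto=tcp dport=6881 action=allow
2016-10-12T09:14:11Z src=10.1.0.20 dst=192.0.2.25 proto=tcp dport=25 action=allow
2016-10-12T09:14:13Z src=10.1.5.23 dst=192.0.2.53 proto=udp dport=53 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # which internal hosts may talk
    dst: ipaddress.IPv4Network   # to which destinations (0.0.0.0/0 = anywhere)
    proto: str
    dport: int


# The "known good" egress policy (constructed): anything not matched here is suspect.
POLICY = [
    Rule(net("10.1.0.0/16"), net("10.1.0.5/32"), "udp", 53),    # all hosts -> internal DNS only
    Rule(net("10.1.0.9/32"), net("0.0.0.0/0"), "tcp", 443),     # web proxy -> HTTPS anywhere
    Rule(net("10.1.0.9/32"), net("0.0.0.0/0"), "tcp", 80),      # web proxy -> HTTP anywhere
    Rule(net("10.1.0.20/32"), net("0.0.0.0/0"), "tcp", 25),     # mail relay -> SMTP anywhere
]


def is_permitted(src, dst, proto, dport, policy=POLICY):
    """True if some allowlist rule covers this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and r.proto == proto and r.dport == dport for r in policy)


def find_egress_violations(log_text, policy=POLICY):
    """Return (src, dst, proto, dport) for every logged flow the allowlist does not cover."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if not is_permitted(src, dst, proto, dport, policy):
            violations.append((src, dst, proto, dport))
    return violations


if __name__ == "__main__":
    for v in find_egress_violations(SAMPLE_LOG):
        print("egress not in allowlist:", v)
```

On the sample, the workstation going straight to an HTTPS site (bypassing the proxy), the workstation using an external DNS resolver, and the host talking on port 6881 are flagged; the proxy, mail relay and internal DNS flows pass.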

Citigroup Credit Card Portal Breach Compromises 200,000 Customers

Here’s an exciting story: Citigroup Credit Card Portal Breach Compromises 200,000 Customers – Security – News & Reviews – eWeek.com.

Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.

The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.

Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.

While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such as Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.

Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.

I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.

Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.

Watch those logs!

Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”

Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.

Coincidentally, Martin covered this very idea in a recent post: Fundamental flaw in thinking: We’re responsible.

Facebook, Google Chat Used as Control Sites for Malware Attackers

While it isn’t exactly groundbreaking news that malware attackers are using social media to control their botnets, certain aspects are notable:

In each of these cases, the attackers’ remote activity looked like normal SSL-encrypted traffic to popular Internet sites, making it nearly impossible for packet inspection and netflow anomaly analysis tools to differentiate the malicious from benign activity.

If you can’t read the packet because it’s encrypted, it is very difficult to detect what it is doing.

Prevention efforts will typically not work against APT, Mandiant said. Instead of trying to stop APT intruders from using legitimate sites to compromise their networks, organizations should make it difficult for the APT intruders to stay in the breached network, ultimately making them “too expensive” to attack, according to Mandiant.

This is achieved when the security team can determine what the attacker is doing and to anticipate what the attacker will do next, Mandiant said. Organizations need to increase visibility across the enterprise by incorporating specialized monitoring systems that provide host- and network-based visibility, increased logging, and log aggregation, Mandiant said.

Host-based detection tools look for indicators that the host had been compromised as well as signs of the tools, tactics and procedures used by the attacker. These tools can find unknown malware because they aren’t looking for actual signatures like a traditional anti-virus, the researchers said. Network-based tools do the same search on network traffic. Mandiant researchers listed nine different logs security managers should be looking at regularly, including internal DNS server logs, DHCP logs, internal Web proxy logs, firewall logs with ingress/egress TCP header information, and external Webmail access logs. Log aggregation tools help managers correlate information from numerous sources, highlight critical information and index all information for easy searching. The security team can use all the information to effectively detect and remove the compromised host, repeatedly forcing the attacker to start over to regain control, Mandiant said.

Anton Chuvakin was right about logs all along!

via Facebook, Google Chat Used as Control Sites for Malware Attackers – Security – News & Reviews – eWeek.com.