Latest Cyber Security information

Here at Graylog, we have recently had an increase in conversations with security teams from leading companies and were inspired by Rob Joyce’s presentation at the USENIX Enigma 2016 conference. We want to share our key findings with the Graylog community!

This will be a 3 part series covering specific ways log management can be used to tighten security. To kick off Part 1, we have an overview of the 5 phases of intrusion and how to best combat attackers that are trying to infiltrate your networks and computer systems.

In order to stay protected, one must think like an infiltrator. The good thing is that cyber criminals use a methodical approach when planning an attack. By understanding their process and knowing your network, you will be better prepared and able to stay one step ahead.

STAGE 1 OF INTRUSION: RECONNAISSANCE

ATTACKER’S FOCUS: ANALYZING THE TARGET

In this stage, attackers act like detectives, gathering information to truly understand their target. Detail is everything! From examining email lists to open source information, their goal is to know the network better than the people who run and maintain it. They hone in on the security aspect of the technology, study the weaknesses, and use any vulnerability to their advantage.

The reconnaissance stage can be viewed as the most important because it takes patience and time, from weeks to several months. Any information the infiltrator can gather on the company, such as employee names, phone numbers, and email addresses, will be vital. Attackers will also start to poke the network to analyze what systems and hosts are there. They will note any changes in the system that can be used as an entrance point. For example, leaving your network open for a vendor to fix an issue can also allow the cyber criminal to plant himself inside.

By the end of this pre-attack phase, attackers will have created a detailed map of the network, highlighted the system’s weaknesses, and then continue on with their mission. Another point of focus during the reconnaissance stage is understanding the network’s trust boundaries. With an increase in employees working from home or using their personal devices for work, there is an increase in areas of data breaches.

HOW TO COMBAT: KNOW YOUR NETWORK

It is important to fully inspect your network, know the technologies inside, and any possible cracks in your system. The best way to fully understand the network and have information readily available for research is to centrally collect the log messages from your network hardware. A tool like Graylog provides a visual of your network communications and path of connections using the one source of truth: log messages about established or rejected connections. In addition, hiring a red team is a great way to put your security to the test. The red team will test your system to identify vulnerabilities in the infrastructure. If they successfully breach your network, they’ll show you which areas need more protection and how to correct the errors.

STAGE 2: INITIAL EXPLOITATION

ATTACKER’S FOCUS: INTRUSION

Persistence is key and infiltrators use numerous methods in exploitation. Water-holing is used by an attacker to compromise a popular website that is visited by company employees. Once the employee visits the infected site, the cyber criminal can attack their computer in hopes of gaining credentials and access to the company network. Other examples of vectors used by attackers is by spear phishing, SQL injection, infecting emails, and tainting removable media.

HOW TO COMBAT: LOGS AND PROCEDURES

In order to protect your system, you need to focus on the most detailed information about the network, the logs! Logs are the key to spotting any anomalies or breaches in your system. Having an enterprise-ready log management system, such as Graylog, will make it more difficult for cyber criminals. You need to be constantly monitoring your network traffic and looking for anomalies and signs of attacks. Also, to make intrusion harder, among other measures, add two factor authentication to the services your users use or implement the principle of least privilege as extra security methods.

STAGE 3: ESTABLISH PERSISTENCE

ATTACKER’S FOCUS: DIGGING INTO THE SYSTEM

At this point, cyber criminals are in your system and focused on gaining additional access to build up presence. In order to take over the network, they will need to obtain more control and dive deeper into the system. One method is through privilege escalation in which the attacker uses any error or flaw in the system to either vertically or horizontally obtain extra privileges or ones that were not intended for the user. Other points of entry could be through too open systems or finding SSH keys.

HOW TO COMBAT: MONITOR CONNECTION PATHWAYS

With the infiltrator in your network, most likely there will be a command and control channel from the outside into your infrastructure. Your task is to detect and disarm the control channel before the attacker can start to move laterally inside your network, causing more harm. You can use network and operating system logs to find connections from the outside that should not be there. Just like the detection of attackers who are poking on your perimeter security measures, this is also a constant task that should be partly automated or managed with an easy to access dashboard.

STAGE 4: MOVE LATERALLY

ATTACKER’S FOCUS: FINDING KEY PIECES

Cyber criminals usually do not land in the exact spot of their target, thus, they need to move laterally in order to find their key pieces to complete their mission.

HOW TO COMBAT: PROTECTION THROUGHOUT NETWORK

If an attacker has made it inside your system, it is imperative to halt their movement. The amount of protection around your network needs to have the same strength as inside. You can strengthen your defense through network segmentation, monitoring your logs, and limiting administrator privilege.

STAGE 5: COLLECT, EXFIL, AND EXPLOIT

ATTACKER’S FOCUS: GET IN, GET OUT

The attackers have succeeded. They compromised your network and your sensitive data is moved out. The attackers can now leak this information and the ultimate goal of their mission is complete.  

HOW TO COMBAT: ALWAYS BE IMPROVING!

You need to be continually improving your defense systems, implementing policies and procedures, and always be analyzing your logs, because it is the first place to detect malicious activity.

HOW TO MONITOR YOUR NETWORK LOGS WITH GRAYLOG

Our Graylog engineers are always helping the community with using log management to detect anomalies and hardening their infrastructure. Check back next Tuesday for Part 2 where we will discuss the use of log management for network security using Graylog examples.

 

Introduction to Penetration Testing and Web Applications 

CISO and CTO have been spending a huge amount of money on web applications and general IT security without getting the benefits, and they are living with a false sense of security. Although IT security has been a top priority for organizations, there have been some big security breaches in the last few years. The attack on the Target Corp, one of the biggest retailers in the US, exposed around 40 million debitand credit card details and the CEO and CIO were forced to step down. The attack on the Sony PlayStation network was a result of a SQL injection attack—one of the most common web application attacks—and the network was down for 24 days. This exposed personal information of 77 million accounts. These personal details and financial records then end up in underground markets and are used for malicious activities. There have been many more attacks that have not reported in the news with much vigor. Web applications may not be the sole reason for such huge security breaches, but they have always played an assisting role that has helped the attacker to achieve their main goal of planting malware for exposing private data. It’s not only the web server or the website that is responsible for such attacks; the vulnerabilities in the client web browser are equally responsible. A fine example would be the Aurora attack that was aimed at a dozen of high-profile organizations, including Google, Adobe, Yahoo!, and a few others. The attackers exploited a zero-day heap spray vulnerability in Internet Explorer to gain access to corporate systems through end user devices; in this case, a vulnerability in the web browser was a contributing factor.

Another reason why web applications are so prone to attacks is because the typical IT security policies and investments are reactive and not proactive. Although we are moving ahead in the right direction, we are still far away from our goal. Adisgruntled employee or a hacker would not read your network and access control policy before stealing data or think twice before kicking the server off the network, so creating documents would not really help. Application layer firewalls and IPS devices are not keeping up with the pace of evolving attacks. The embracing of BYOD by many companies has increased the attack surface for attackers and has also created additional problems for IT security teams. However, they are here to stay and we need to adapt. Internet-facing websites have been a favorite of attackers and script kiddies. Over-the-counter developed websites and web solutions have mounted more problems. No or little investment in code reviews and a lack of understanding of the importance of encrypting data on a network and on a disk makes the jo of your adversaries far easier. If we take a look at the two of most common types of attack on web applications, that is, SQL injection and Cross-site scripting attack (XSS) (more on this in the coming chapters), both of these attacks are caused because the application did not handle the input from the user properly. You can test your applications in a more proactive way. During the testing phase, you can use different inputs that an attacker would use to exploit the input field in the web form and test it from a perspectiv of the attacker, rather than waiting for the attacker to exploit it and then remediat it. The network firewalls and proxy devices were never designed to block such intrusions; you need to test your applications just how the attacker would do it and this is exactly what we will be covering in the coming chapters. Proactive security testing Penetration testing or ethical hacking is a proactive way of testing your web applications by simulating an attack that’s similar to a real attack that could occur on any given day. We will use the tools provided in Kali Linux to accomplish it. Kali Linux is a re-branded version of Backtrack and is now based on Debian-derived Linux distribution. It is used by security professionals to perform offensive security tasks and is maintained by a company known as Offensive Security Ltd. The predecessor of Kali Linux was Backtrack, which was one of the primary tools used by hackers for more than 6 years until 2013 when it was replaced by Kali Linux. In August 2015 the second version of Kali Linux was released with code name Kali Sana. This version includes new tools and comes with a rebranded GUI based on GNOME3. Kali Linux comes with a large set of popular hacking tools that are ready to use with all the prerequisites installed. We will dive deep into the tools and use them to test web applications which are vulnerable to major flaws found in real-world web applications

Who is a hacker?

A hacker is a person who loves to dig deep into a system out of curiosity in order to

understand the internal working of that particular system and to find vulnerabilities

in it. A hacker is often misunderstood as a person who uses the information acquired

with malicious intent. A cracker is the one who intends to break into a system with

malicious intent.

Hacking into a system that is owned by someone else should always be done after

the consent of the owner. Many organizations have started to hire professional

hackers who point out flaws in in their systems. Getting a written consent from the

client before you start the engagement should always be at the top of your to-do

list. Hacking is also a hotly debated topic in the media; a research paper detailing a

vulnerability that you discovered and released without the consent of the owner of

the product could drag you into a lot of legal trouble even if you had no malicious

intent of using that information.

Crackers are often known as Black Hat hackers.

Hacking has played a major role in improving the security of the computers.

Hackers have been involved in almost all the technologies, be it mobile phones,

SCADA systems, robotics, or airplanes. For example, Windows XP (released in the

year 2001) had far too many vulnerabilities and exploits were released on a daily

basis; in contrast, Windows 8, that was released in the year 2012, was much more

secure and had many mitigation features that could thwart any malicious attempt.

This would have not been possible without the large community of hackers who

regularly exposed security holes in the operating system and helped make it more

secure. IT security is a journey. Although security of computer systems has improved

drastically over the past few years, it needs constant attention as new features are

added and new technologies are developed, and hackers play a major in it.

The Heartbleed, Shellshock, Poodle, GHOST, and Drupal vulnerabilities discovered

over the past 12 months have again emphasized the importance of constantly testing

your systems for vulnerabilities. These vulnerabilities also punch a hole in the

argument that open source software are more secure since the source code is open; a

proper investment of time, money, and qualified resources are the need of the hour.

Different testing methodologies

Often people get confused with the following terms and use them interchangeably

without understanding that although there are some aspects that overlap within

these, there are also subtle differences that needs attention:

Ethical hacking

Penetration testing

Vulnerability assessment

Security audits

Ethical hacking

Very few people know that hacking is a misunderstood term; it means different

things to different people and more often a hacker is thought of as a person sitting

in a closed enclosure with no social life and with a malicious intent. Thus, the word

ethical was prefixed to the term hacking. The term ethical hacking is used to refer to

professionals who work to identify loopholes and vulnerabilities on systems, report

it to the vendor or owner of the system, and also, at times, help them fix it. The tools

and techniques used by an ethical hacker are similar to the ones used by a cracker or

a Black Hat hacker, but the aim is different as it is used in a more professional way.

Ethical hackers are also known as security researchers.

Penetration testing

This is a term that we will use very often in this book and it is a subset of ethical

hacking. Penetration testing is a more professional term used to describe what an

ethical hacker does. If you are planning for a career in hacking, then you would

often see job posting with the title penetration tester. Although penetration testing

is a subset of ethical hacking, it differs in multiple ways. It’s a more streamlined

way of identifying vulnerabilities in the systems and finding if the vulnerability is

exploitable or not. Penetration testing is bound by a contract between the tester and

owner of the systems to be tested. You need to define the scope of the test to identify

the systems to be tested. The rules of engagement need to be defined, which decide

the way in which the testing is to be done.

Vulnerability assessment

At times organizations might want to only identify the vulnerabilities that exist

in their systems without actually exploiting it and gaining access. Vulnerability

assessments are broader than penetration tests. The end result of vulnerability

assessment is a report prioritizing the vulnerabilities found, with the most severe

ones on the top and the ones posing lesser risk lower in the report. This report is

really helpful for clients who know that they have security issues but need to

identify and prioritize the most critical ones.

Security audits

Auditing is systematic procedure that is used to measure the state of a system against

a predetermined set of standards. These standards could be industry best practices or

an in-house checklist. The primary objective of an audit is to measure and report on

conformance. If you are auditing a web server, some of the initial things to look out

for are the ports open on the server, harmful HTTP methods such as TRACE enabled

on the server, the encryption standard used, and the key length.

Rules of engagement

Rules of engagement (RoE) deals with the manner in which the penetration test is to

be conducted. Some of the directives that should be clearly mentioned in the rules of

engagement before you kick start the penetration test are as follows:

Black box testing or Gray box testing

Client contact details

Client IT team notifications

Sensitive data handling

Status meeting

Black box testing or Gray box testing

There are do’s and don’ts of both the ways of testing. With Black box testing, you get

an exact view of an attacker as the penetration tester starts from scratch and tries to

identify the network map, the types of firewalls you use, what are the internet facing

website that you have, and so on. But you need to understand that at times this

information might be easily obtained by the attacker. For example, to identify the

firewall or the web server that you are using, a quick scan through the job postings

on job portals by your company could reveal that information, so why waste your

precious dollars in it? In order to get maximum value out of your penetration test,

you need to choose your tests wisely.