WannaCry Response

WannaCry hit. There are a million excellent write-ups on the malware. How about one about how to respond if it isn’t via a help desk ticket notifying you of the malware?

Initial reports started coming out in the morning of Friday May 12th that NHS was experiencing a significant outage due to ransomware. I didn’t think anything of it. Ransomware is common enough. It wasn’t until it was specifically given a name and a mention that the method of spread was via MS17-010.

  • In previous incidents, email was the attack vector. Everyone seemed to initially assume there was an email.
  • Windows XP was assumed to be the weakness, instead it is looking like Windows 7 was the weak link for most organizations.
  • Given SMB was the attack vector, how does an organization respond? Most rapid responses for WannaCry seem high risk.
    • I suspect an organization with SMB open at the edge could block it with minimal impact. Throwing up ACL blocks to segment the network or disabling SMBv1 under stress seems like an extremely high risk change.
    • Endpoint vendors (ex: McAfeeSymantec, and Trend Micro) released guides for customers. These seem like lower risk mitigations.
    • Given the attack was on a Friday, ‘malware Monday’ was my real concern. A device leaves a secure network missing a patch, spends the weekend on the open internet, then comes back. Even one device is an issue, let alone any file system it can access or internal movement as it spreads. ACL blocks are high risk, private VLAN’ing would be an absurd to implement as an emergency change.

PS: Splunk finally started releasing dashboards around major security incidents. I’ve been asking for dashboards from them for years. The dashboard seems really well done. It has use cases and an export (with the Splunk logo) suitable for leadership. If I weren’t sure what to do, this is a great start and a great advertisement for the benefit of Splunk come renewal time.

DerbyCon Review / SIEM Management

DerbyCon was amazing as usual.  I can’t recommend the conference enough.

The most useful talk for me was Ryan Voloch’s talk on SIEM management.  I have experience deploying Splunk as a security monitoring solution.  Ryan’s talk focused on managing use cases / searched.  Prior to the talk, I had a note pad for my ideas and used my employer’s ticket system for external requests.  It worked but wasn’t elegant.  I’m in the process of deploying a larger Splunk monitoring solution.  I’m testing the template.

Splunk’ing IBM Domino

[Update: I never succeeded in integrating Domino with Splunk. I encountered license issues and never moved beyond some test data before moving on from an environment containing Lotus Domino. Sorry folks.]

I’ve started integrating IBM Domino logs in to Splunk.  I am blogging about it because I can’t find anyone who has ever Splunk’ed (or SIEM’ed) Lotus Notes logs.  I suspect part of that issue may be that I rarely find people who admit to using Lotus Notes.

Are the logs any good?  We will find out.  Right now I’ve got a Universal Forwarder installed on two IBM Domino servers.  One is a mail server and one is an IMC / IBM Mobile Connect server.

My plan is to build a security focused Dashboard in Splunk.

State Of My Splunking

I love Splunk.  I run it at work and I run it at home.  For the most part, Splunk just works.  This post will serve as a warning  for others looking to deploy Splunk professionally.

I was initially running it at home prior to running it at work.  Offering 500MB / day for home users is awesome.  Between free Splunk, free Nessus, Bro, and DD-WRT, I feel like I’ve got a pretty nice setup at home.  This blog post will continue to be updated as my Splunk instances are updated.

Issues / Observations

  • The Splunkbase Apps are mostly garbage.  I use the Technology-Addons a bunch, but most of the dashboards provide me little value.  I was warned that I’ll likely be building all my own Dashboards and Views, but I didn’t believe anyone.  I should have listened.
  • If you don’t already have logs going to a syslog server or some sort of log aggregation system, you are doomed.  No one seems to be able to estimate their log volume, myself included.
  • Some systems have really terrible logs.  Cisco’s logs are all over the place.  Each module in the ASA has a wildly different logging format.  You’d think Cisco would try to implement uniform logging across their platform.  Microsoft DNS logs are another example.
  • If you are integrating multiple instances of a system, but each owned by someone else, expect pain.  I’ve got some admins that prefer an agent while others prefer WMI.  I’ve got some Linux admins that would prefer to FTP me logs while others like syslog.  I’ve got some admins that prefer log format A while others prefer format B.

Updated Home Network

I’ve updated my home network security posture.  I’m pleased with it.  Prior to the update, I was monitoring my traffic using a span from my internal router to Security Onion.  My home network is an external router (from my ISP), my DMZ equipment (Set Top Box), an internal router (DD-WRT), and then my internal network.

The span was giving me performance issues on my router.  I disabled it.  I’m back to using a physical tap on the external interface of the DD-WRT interface.  I’m losing visibility due to the NAT, but my environment is limited enough that I should be able to infer who is doing what.

My sensor is now a CentOS box with Bro, Splunk, and Nessus.  Bro is monitoring the tap.  I’m in the process of configuring Nessus to scan my hosts.  Splunk is Splunk’ing all the data.  I decided to leave Security Onion since I found the full packet capture to be unnecessary for my environment and I strongly prefer Splunk over Elsa.

2013 Year In Review

Quartz had an excellent article summarizing the year in technology as being lackluster.  It is pretty comprehensive for the industry in general.
Short of any significant technology or process breakthroughs, I suspect 2014 will be the same as 2013 which was the same as 2012.

  • PCI/PHI will be leaked, likely in larger and larger quantities.
  • There will continue to be a fear of ICS attacks, no one will fix anything.
  • Hacktivists will continuing hacking and getting arrested.  Overzealous prosecutors will continue to think the law is the solution.  I don’t see Chelsea Manning, Edward Snowden, Jeremy Hammond, or John Kirikou having any legal luck in 2014.
  • I am optimistic that two-factor authentication and default SSL in the personal space will increase in popularity.

As far as a review of my year:

  • I bought a Fitbit.  It is interesting.  I think it has caused me to increase my physical activity.  I wish it could track more than just walking though.
  • DerbyCon was my favorite conference for the second year in a row.  DEF CON was great, but DerbyCon is the best.
  • For personal development, I am trying to learn Python.  I can modify existing code, but I really want to be able to write new code.
  • Professionally, my Splunk deployment is a massive failure.  I’m not blaming the product.  I didn’t get the appropriate level of support to successfully implement the product.  Hopefully the deployment can be recovered in 2014.  I’ve also got a Nessus deployment on my plate for 2014.

Gift Ideas

These are both pretty cool gift ideas.

A seller named GiantEye offers Lock Pick Earrings on Etsy for $40.  They seem like a good gift idea.  I’m unfamiliar with GiantEye, but the site is advertising the picks can be used.  I don’t know if I’d ever try using them though given their decorative purpose.

Rift Recon is offering a set of small picks called a Bogota.  I was unfamiliar with the term.  It is used to reference smaller lock picks that can be discretely hidden.  These smaller picks are also $40.  I was introduced to Rift Recon at DefCon.  They were demonstrating their Red Team Kit at the Security Sociability party.

I’m considering abandoning Security Onion.  I can’t justify the full packet capture.  I don’t have the hardware resources.  I’m thinking about using a standard Linux install with just Bro and Splunk.  I can’t get in to ELSA and Bro is my favorite part of Security Onion.