Using Lancope to identify Putter Panda, Heartbleed and other attacks

what-is-forensic-locksmithing Lancope is a NetFlow based tool that can turn your network into a gigantic sensor grid. This includes routers, switches, wireless access points, virtual systems aka servers in your data center and so on. So rather than having a handful of security tools looking for threats, your entire network takes part in your security defense against cyber attacks. I’ve wrote about Lancope HERE as well as how to build your own Lancope lab HERE. Lancope-Infographic-option2 The Lancope team runs a blog found HERE that has provided posts about using their solution to identify the latest cyber attacks. Some interesting articles recently posted focus on threats like Heartbleed, Putter Panda and Saffron Rose. Continue reading

VN:F [1.9.22_1171]
Rating: 3.8/5 (6 votes cast)

Five Myths about NetFlow

Alicia Butler from Lancope wrote a interesting post about the 5th Myths about NetFlow. You can find the original post HERE


NetFlow is an important tool for incident responders, providing valuable insight into the activities that take place on organizations networks. NetFlow is capable of summarizing information about network traffic into brief records that may be maintained indefinitely, providing a running history of network connections that may be referenced during incident response.

With all the good NetFlow brings, there are still some misconceptions about NetFlow that need to be dispelled. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Visual Investigations of Botnet Command and Control Behavior Infographic

Here is a really cool infographic developed by the director of researcher at Lancope. The original post can be found HERE.

In October, Tom Cross, Lancope’s Director of Research, presented a poster at Visualization for Cyber Security (VizSec) 2013 in Atlanta, GA . The poster included visualizations of the command-and-control channels of nearly two million botnet samples in an effort to help foster a better understanding of how botnets operate, and more effectively differentiate them from legitimate network traffic. The poster was created as a result of data analysis conducted by Lancope’s StealthWatch Labs research team. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Controlling who and what access your network is a critical element to keep your resources safe from malicious threats. Network Admission Control (NAC) solutions like the Cisco Identity Services Engine (ISE) can police who and what is permitted network access as well as enforce policy for those devices. Examples would be permitting an administrator with a government furnished Windows 7 laptop access to VLAN 10, which holds internal servers, while provisioning a marketing professional’s iPad with VLAN 20 access, which is limited to Internet and email through the use of ACLs. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Breaking WPA2-PSK with Kali Linux : wireless.

Great post by Aamir Lakhani on breaking WPA2_PSK. The original can be found HERE 

WPA2-PSK may not be as safe as you think. There are a few attacks against WAP2-PSK. One of the most common attacks is against WPA2 is exploiting a weak passphrase.

Below you will find a few easy steps on how to break WPA2 with a weak passphrase.

Breaking the wireless Lab Home Network: Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (10 votes cast)

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote a overview of how to perform a ssl strip attack. The original post can be found HERE


Before beginning the lab, make sure you have Backtrack 5 R3 VM imported into VMWare Player/Workstation/Server/Fusion, or what ever Virtual machine environment you have chosen to utilize.

The following is an excerpt from the VMWare “Getting started with VMWare Player” VMWare Player 4.0 user guide. Continue reading

VN:F [1.9.22_1171]
Rating: 3.3/5 (3 votes cast)

How Hackers Crack Weak Passwords

People use weak password practices to secure critical information. Weak password practices include using the same password for multiple systems regardless of the value of the asset, dictionary words, short phases and keeping the same passwords for extended periods of time. For example, it’s common to find a password on a non-critical asset such as a PlayStation 3 be the same as a person’s bank account login.

The more information an attack knows about your password profile, the more likely they will crack your password. For example, a policy of “6-10 characters with one upper case letter and special character” actually helps an attacker reduce the target space meaning passwords are weaker with the policy. If an hacker captures a password for another system and notices a formula such as ‘<dictionary word>’ followed by ‘<3 numbers>’, it helps the attacker prepare a dictionary attack (utilities such as Crunch makes this easy). Any password shorter than 10 characters is an easy target to brute force attack based on today’s system process power. Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)

Verizon’s 2013 Data Breach Investigations Report

VerizonCover1Verizon recently released their annual Data Breach Report (download HERE). This report is based on statics from 19 organizations and showcases 621 security breaches and 47,000 security incidents with the goal of educating the public of the current risks from cyber threats. All results are built from first-hand evidence collected during paid external forensic investigations and related intelligence operations conducted by Verizon from 2004 through 2012.

There are a lot of interesting findings that range from most common attacks to popular targets. According to the report, everybody is a target. The report states, “from pubs to public agencies, mom-and-ops to multi-nations, nobody was immune”. Some attacks had as high as 95% success rates such as phishing meaning “most attackers would be able to slap a “guaranteed” sticker on getting a click”. They even call out that most agencies should mentally be thinking they are already compromised.

To break things down, here are some highlights:

  • Who are the targets? – Everybody
  • Who is perpetrating breaches? The majority of attacks are outsiders (92%) however insider is on the rise (14%).
  • How do breaches occur? 76% was based on weak or stolen credentials followed by hacking (52%) and Malware (40%).
  • How sophisticated are the attacks? From a range of High to Very Low, the majority of first breaches were done leveraging Low level attacks. I like how they put it by saying “Would you fire a guided missile at an unlocked screen door”.
  • Who are the Criminals? Organized Crime made up the majority of external attacks (over 50%) while others fell around 20% or less.
  • The leader for espionage was China while Romania followed by the USA lead for financial crimes. Spyware (including keyloggers) is the common method for financial crimes while multiple forms of malware are typical for espionage.
  • Social Engineering took a dip the last two years but is now up according to 2012 (29%)
  • Installing Malware to compromised systems is still the most common vector to be breached.
  • ATM hacking was top of the list for physical crimes. I wonder if this was triggered by Barnaby Jack’s Blackhat.
  • 2/3 of data compromised was data at rest meaning on an asset like a database or file server. 1/3 of the data was compromised when the data was being processed such as Ramp scrapers, skimmers and key loggers. No data was compromised while in transit (IE compromising a backbone router).

Screen Shot 2013-05-06 at 3.40.18 PM

The Verizon report is another confirmation that cyber threats are very real and probably active insider your network. The reports calls out that the most common attacks are easy to execute and have very high success rates (such as phishing campaigns). Standard security products that leverage signatures will not catch many threats called out in this report. The best way to identify these threats is monitoring behavior inside the network and utilize a layered approach to building your security strategy.

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)