Integrating HPSS With Your Existing IDS/IPS

In response to a couple of emails I got from readers regarding the post about HPSS detecting malicious activity earlier than most NIDS/NIPS, I wanted to take a moment and clarify a couple of things.

First, HoneyPoint Security Server (HPSS) is not a panacea. It is one component of a network defense. MSI does not suggest you replace your existing defenses with HPSS; we suggest that you integrate HPSS into your existing environment and use it as a tool to identify malicious traffic in a new way. Quite frankly, using HPSS and a system & log monitoring tool like OSSEC, you can quickly, easily and cheaply create a pretty effective defensive posture for your internal systems and evolve to using NIDS/NIPS as forensic tools, where they are much more effective in terms of ROI.

HPSS is designed to integrate into existing security architectures. Our console can simply drop our security alerts to syslog/event logs and hand them off to any existing tools, aggregators or SIM products you may have in place. Our plugin interface allows you to use third party tools to do things like send SNMP alerts, communicate with other network devices and facilitate IPS-style responses such as quarantine, automated port shutdowns and the like.

By leveraging HPSS and the new capabilities it brings for detecting malicious behaviors, you can make your IDS/IPS postures that much more effective. In the port-scanning model from the previous post, our HoneyPoint detected a single connection. That connection, depending on your environment, could be grounds enough to warrant IPS-style responses. So, HPSS could send an alert to your IPS or SIM that could then take the action you deem appropriate – whether that is an email alert to an admin or an automatic port shutdown by your IPS on the network switch of the offender. The point is, you make the decision, as always, on how to handle issues, but HPSS gives you a faster, more reliable way to identify the bad stuff and can communicate with whatever your existing security infrastructure is to facilitate the responses.

This is just another way that HPSS achieves such a high ROI. You gain new capabilities without throwing away the investments you have already made. Add to that the fact that HPSS runs on your existing hardware, lowers your false positive rate to near zero and helps you focus on the real security issues instead of chasing ghosts and you can pretty easily see why people get so excited about it.

I hope that answers the questions about HPSS integration and strategy. Feel free to email me or give me a call to discuss any other questions you may have!

Unusual Metrics or How HoneyPoint Catches Attacks Faster Than NIDS

I had an interesting and odd conversation with some folks today who were trying to determine how fast NIDS would identify potential attacker traffic that was innocent appearing. When I entered the debate, they were deep in conversation that centered around threshold settings in various IDS/IPS products and their recognition of port scanning. They seemed to be engrossed in how many connection attempts in a second should be considered malicious.

Eventually, they asked me about HoneyPoint and how many connections it takes for it to decide that traffic is malicious. I simply responded “One.” Finally, I explained that since HoneyPoints are pseudo-services and have no real reason for any traffic at all – that ANY CONNECTION to a HoneyPoint was by nature suspicious and we would alert. After about 15 minutes of discussion and further debate, I think I made believers out of them and they have all requested to demo the product for 90 days in their environment.

This is simply another way that HoneyPoint changes the IDS/IPS paradigm. It doesn’t really matter how MANY connections an attacker makes per second unless they are causing DoS on the network. IT REALLY MATTERS WHAT THEY ARE CONNECTING TO!

HoneyPoint can help you determine the criticality of even a single connection to a pseudo-service. You could take action then, or wait to see how things develop. If the attacker hits multiple HoneyPoints on a single host or multiple HoneyPoints on multiple hosts, you can determine what to do based on the risk of the behavior you see. If they begin to probe the HoneyPoints, you can likely very quickly determine what tools they are using, what they seem to be focusing on, etc. All of that helps you make better decisions and to craft smarter, more effective responses.

So, the bottom line is this: As weird a metric for comparison as port scanning thresholding may be, HoneyPoint can help you drop that number to 1. Using HoneyPoint smartly and effectively – you can secure your environment more rapidly, easily and with greater insight than other technologies. How is that for an unusual metric?
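The two posts above make a pair of points that are easier to see in code: a pseudo-service needs a threshold of one connection rather than a connections-per-second count, severity can escalate with how many HoneyPoints and hosts a single source touches, and each alert can be handed to existing tooling as a syslog line. The following is an added example written for this page, not MSI's code and not HPSS's real alert format or plugin interface; the severity labels, the action names, the log line layout and the sample traffic are all constructed here.

```python
"""
Added example (not MSI's code, and not HPSS's real alert format): an event
processor contrasting a threshold-based port-scan detector with the
one-connection rule for pseudo-services, escalating severity by how many
HoneyPoints and hosts a source touches, and rendering each alert as a
syslog line for a SIM. Severity labels, action names and the log format
are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Connection:
    ts: float         # epoch seconds
    src: str          # source address
    dst_host: str     # host that accepted the connection
    dst_port: int
    honeypoint: bool  # True when dst_host:dst_port is a deployed pseudo-service


def nids_scan_alerts(events, threshold=5, window=1.0):
    """NIDS-style rule: flag a source that opens `threshold` or more
    connections inside any `window`-second span. Returns flagged sources."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent[e.src]
        q.append(e.ts)
        while e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e.src)
    return flagged


def honeypoint_alerts(events):
    """Pseudo-service rule: a single connection is enough to alert.
    Returns {src: (severity, distinct_honeypoints, distinct_hosts)}."""
    touched = defaultdict(set)
    for e in events:
        if e.honeypoint:
            touched[e.src].add((e.dst_host, e.dst_port))
    alerts = {}
    for src, points in touched.items():
        hosts = {h for h, _ in points}
        if len(hosts) > 1:        # walking across hosts
            sev = "critical"
        elif len(points) > 1:     # probing several services on one host
            sev = "high"
        else:                     # one touch: still suspicious, not yet a sweep
            sev = "medium"
        alerts[src] = (sev, len(points), len(hosts))
    return alerts


# Constructed policy: what the operator wants downstream tooling to do.
ACTIONS = {"medium": "email-admin", "high": "email-admin", "critical": "ips-port-shutdown"}
# syslog PRI = facility*8 + severity; facility 1 (user) with warning/error/critical.
PRI = {"medium": 12, "high": 11, "critical": 10}


def syslog_line(src, sev, n_points, n_hosts, ts, hostname="hp-console"):
    """Render one alert as an RFC 3164-style line a syslog collector can ingest."""
    t = datetime.fromtimestamp(ts, tz=timezone.utc)
    stamp = f"{t.strftime('%b')} {t.day:2d} {t.strftime('%H:%M:%S')}"
    return (f"<{PRI[sev]}>{stamp} {hostname} honeypoint: src={src} severity={sev} "
            f"honeypoints={n_points} hosts={n_hosts} action={ACTIONS[sev]}")


def process(events):
    """Run the HoneyPoint rule and emit one syslog line per offending source."""
    alerts = honeypoint_alerts(events)
    last_seen = {}
    for e in events:
        if e.honeypoint:
            last_seen[e.src] = max(last_seen.get(e.src, 0.0), e.ts)
    return [syslog_line(src, *alerts[src], last_seen[src]) for src in sorted(alerts)]


# Constructed traffic: one single-touch scanner, one chatty legitimate client,
# one multi-service prober and one cross-host sweep.
SAMPLE = [
    Connection(0.0, "10.0.0.5", "srv-a", 23, True),
] + [
    Connection(10.0 + i / 10, "10.0.0.7", "srv-a", 80, False) for i in range(8)
] + [
    Connection(5.0, "10.0.0.9", "srv-a", 23, True),
    Connection(30.0, "10.0.0.9", "srv-a", 1433, True),
    Connection(40.0, "10.0.0.11", "srv-a", 23, True),
    Connection(41.5, "10.0.0.11", "srv-b", 23, True),
]

if __name__ == "__main__":
    print("NIDS threshold rule flagged:", sorted(nids_scan_alerts(SAMPLE)))
    for line in process(SAMPLE):
        print(line)
```

Run as-is, the threshold rule flags only the chatty legitimate client on port 80 and misses the single-touch scanner entirely, while the HoneyPoint rule raises the scanner at medium, the multi-service prober at high and the cross-host sweep at critical. The action field is the hand-off point: whatever consumes the syslog line decides whether that means an email or a port shutdown.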

HoneyPoint Swag and Community Links

Please pardon the overt marketing interruption.

You can now get your very own HoneyPoint Swag from Cafe Press. If you are interested in showing the world you are helping to change the way Intrusion Detection is done, please feel free to order your merchandise from here.

Also, while we are overtly promoting this morning, please don’t forget to use the HoneyPoint forum if you have interest in learning more about HoneyPoint, strategies or the like. Real users, a real community. Up and coming – for sure! But check it out if you are a fan of HoneyPoint or honeypots in general. Registration is required. 

Sorry for the overt marketing interruption and we now return you to your regularly scheduled blog.

Keeping The Security Team Engaged

After a discussion today, I wanted to post about a couple of ideas for helping managers keep their security teams engaged in the process.

Burnout is a very common thing in infosec, as it is in a lot of IT – especially in organizations today, when there is so much going on and so few resources to aim at the problems. Here are 3 quick ideas to help you fight burnout amongst the security team.

1. Training or Cross Training – Few things engage people more than learning a new skill, especially one that is new and interesting or that can really help them solve their work problems. Consider teaching a new skill like Perl scripting (or any other language) that might help them automate some of their tasks. If they embrace it, it can mean less work for them and more quality, repeatable results for the team. That is a pretty cool win/win. You might also consider swapping your team around and rotating their responsibilities where possible. Encourage large scale cross-training as a way to keep things fresh and to keep new eyes on your common duties. Oftentimes, this plays out well and can lead to some big new ideas or mechanisms that can have huge paybacks!

2. Engage in some branding – Create a team image that exudes confidence. Brand the team members with special events, shirts or other items. Let them name the team and encourage a few group events that establish trust and reinforce rapport. If appropriate, let them build an image around themselves as being “elite” or such. Those images are good for morale and good for building the internal image of you and your group – just make sure it stays realistic and doesn’t go too far.

3. Let some of your team rotate on pet projects – Has your team been bugging you about a new tool or process they need? Have they been asking to build a wiki to maintain their documentation or a new Intranet site for communication with other teams? If so, add it as a project, but communicate that they must rotate who works on it and set a maximum of 2 hours per week. Let them choose a project leader and have that person schedule the work on the pet project and report monthly status updates to the whole team. You just might be surprised how much they get done, and how much such a simple indulgence might re-energize some or all of them!

Leverage these 3 quick ideas to keep your team engaged and running on all cylinders. Got some other ideas you might have had success with? Post them as a comment and I will make sure they get added!

The Value of Threat Intelligence

How much is it worth to know that a new vulnerability has been found in your organization’s favorite application or operating system? Would you pay $50,000.00 a year for alerts to new exploits or attacker trends? Does knowing that these issues exist give your organization a measurable heads up to prevent damages that you don’t have from your regular scanning and assessments? Would that knowledge actually spark action that reduced your risks?

Many other security firms are hoping you say “Yes!” to the above. And, with prices for those alerting mechanisms ranging from that 50K to nearly 200K per year, you had better be pretty sure of the value of those alerts.

At MSI, we believe that such knowledge is valuable. We believe that properly acted upon, such data could help many organizations prepare for security issues, tune their protective postures and increase vigilance around possible weaknesses. However, we just don’t believe that most organizations are willing to spend that 50K per year for such insights, nor do we believe they should. For several years now, we have offered such a service, called WatchDog, for FREE. That’s right, FREE per year.

Our organization does this to give back to the community. We do this because we already have to do the major work anyway to stay current and serve our clients at the level of excellence we are committed to, so why not aggregate that knowledge and give back to the world?

If you are not a WatchDog user yet, or you are considering how you might integrate an intelligence product into your security posture, feel free to give us a try. You can download the product here.

Oh, and if you like it, or the data we provide, please feel free to donate $50,000 or more to your favorite charity. They will thank you and the world will be a better place, just as it should be.

Coming Soon To A State Near You – PCI As Law

We are hearing more and more rumblings these days about making PCI the default standard for infosec, and a lot more legal rumblings of making their standards enforceable as state laws. Already Minnesota has passed the standards into law and Texas seems to be next.

While I see the PCI standards as a step forward for credit card companies, I am not so sure that enforcing it as law is a good thing. Over-legislation has done little to secure the Internet thus far (remember the “Can Spam Act”) and in some cases has caused so much legal confusion that small rebellions have broken out (see the DMCA for this one!). I am not sure that organizations will become compliant just because it is law, as opposed to just being a rule from their card processors. After all, does the amount of “large fines and penalties” really matter? Does it really change behavior? I just don’t believe it does.

Nonetheless, PCI has certainly gained momentum and public recognition. Many of our clients who don’t even process credit cards have begun asking about it, citing it as a standard and asking for gap analysis between their processes and the DSS standards. Many of them believe that in the not too distant future, courts may see PCI DSS as the de facto security baseline that helps them determine the difference between liability and negligence for just about all organizations, not just credit card dependent ones. One thing is certain: now would likely be a good time to become familiar with the PCI rules, because your management may be asking you sooner rather than later.

LoansCandy Not So Sweet

Our HoneyPoint sensors have been picking up quite a large number of scans for open proxies lately. As usual, much of this traffic is originating in China, where open proxies are used for a number of reasons from spam to political activity to simple uncensored Internet access.

Interestingly, we are seeing a pretty decent increase in the number of probes for open web proxies using a site called as the target. This site, owned by a person in China and hosted in the US, seems to be a front site with the main purpose of simply hosting a set of PHP scripts used to verify open proxies and other connections.

Quick Google searches about LoansCandy reveal a short history of scans, probes and semi-malicious activity. Likely, the site is used simply as a collection point for the data and offers little else in real terms. However, it might be wise for organizations to consider blocking any connections to the site, just in case open relays or proxies might be present in their environment.
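The open-proxy probes described above are recognisable on the wire: a client that wants a forward proxy sends either a CONNECT tunnel request or a request line carrying an absolute URI for some other host, and the host named there is the "verification site" the scanner is collecting results through. The classifier below is an added example written for this page, not MSI's code and not how HoneyPoint itself parses traffic; every host name and request in it is a constructed placeholder, and the site discussed in the post is deliberately not used.

```python
"""
Added example, not MSI's or HoneyPoint's code: classify captured HTTP
request lines from a web pseudo-service as open-proxy probes versus
ordinary origin requests, and summarise which external hosts the probes
try to reach. All host names and captures below are constructed.
"""
from collections import Counter
import re
from urllib.parse import urlsplit

# Request-line grammar from RFC 7230: method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def classify_request(raw, own_hosts=frozenset()):
    """Return (kind, detail) where kind is 'proxy_probe', 'origin_request'
    or 'malformed'; detail is the probed host, the requested path, or None.

    A request counts as a proxy probe when it only makes sense to a forward
    proxy: a CONNECT tunnel, or an absolute-URI target naming a host other
    than this sensor (HTTP/1.1 clients may legitimately send absolute-form
    for the server itself, hence the own_hosts exemption).
    """
    first = raw.split("\r\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if not m:
        return ("malformed", None)
    method, target = m.group(1), m.group(2)
    if method == "CONNECT":
        # authority-form target: host:port
        host, _, port = target.rpartition(":")
        if host and port.isdigit():
            return ("proxy_probe", host)
        return ("malformed", None)
    if "://" in target:
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.hostname:
            if parts.hostname in own_hosts:
                return ("origin_request", parts.path or "/")
            return ("proxy_probe", parts.hostname)
        return ("malformed", None)
    if target.startswith("/") or target == "*":
        return ("origin_request", target)
    return ("malformed", None)


def probe_targets(captures, own_hosts=frozenset()):
    """Count the hosts that proxy probes tried to reach through the sensor;
    these are the candidate collection sites an operator may decide to block."""
    hits = Counter()
    for _src, raw in captures:
        kind, detail = classify_request(raw, own_hosts)
        if kind == "proxy_probe":
            hits[detail] += 1
    return hits


def summarise(captures, own_hosts=frozenset()):
    """Per-source breakdown of request kinds, for the analyst's report."""
    per_src = {}
    for src, raw in captures:
        kind, _ = classify_request(raw, own_hosts)
        per_src.setdefault(src, Counter())[kind] += 1
    return per_src


# Constructed captures (src, raw bytes as text) as a web HoneyPoint might log them.
SAMPLE_CAPTURES = [
    ("203.0.113.10", "GET http://proxy-check.example/ping.php HTTP/1.1\r\nHost: proxy-check.example\r\n\r\n"),
    ("203.0.113.10", "GET http://proxy-check.example/verify.php?ip=203.0.113.10 HTTP/1.0\r\n\r\n"),
    ("203.0.113.44", "CONNECT smtp.example:25 HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", "GET /index.html HTTP/1.1\r\nHost: sensor\r\n\r\n"),
    ("198.51.100.9", "\x16\x03\x01 not http at all"),
]

if __name__ == "__main__":
    for host, n in probe_targets(SAMPLE_CAPTURES).most_common():
        print(f"proxy probes aimed at {host}: {n}")
    for src, kinds in summarise(SAMPLE_CAPTURES).items():
        print(src, dict(kinds))
```

The `probe_targets` count is the useful output for the blocking decision the post raises: it names the hosts the probers are trying to reach through you, which is where a block rule belongs, rather than the ever-changing scanner source addresses.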

HoneyPoint has been an essential part of MSI’s infosec intelligence program and continues to prove itself an amazing tool for threat analysis on Internet or internal networks. We continually monitor several HoneyPoint deployments around the world for interesting activity and attacker trends. Look for us to share more data from our captures in the future.

Final ITWorld Weekly Column

As I write this, I am sending my final weekly column over to ITWorld.

After more than six years, ITWorld and I decided to make some changes to the column and site and as a part of those changes, I will be moving my writing over to the blog and focusing on it more in the future.

ITWorld and MSI will continue to work together, and I will likely pop in on the security site from time to time with an occasional article, whitepaper or multi-media presentation. We will also continue to work together on other items as well. They are a great team, and we truly enjoy working with them on a regular basis.

Part of these changes are based on a new direction for the ITWorld site, and part of it is to allow me to focus more on new media work, like blogging and creating richer materials and content to further evangelize MSI and HoneyPoint technologies.

Look for more content here on the blog, more coverage and maybe even some site enhancements as I switch my focal point to be more centered on In the meantime, thanks for your patience, and if you are just coming over from the traditional column, please let me extend a big WELCOME and to point you to the archives. There are a lot of good topics there, and I can assure you a lot more to come.

As always, thanks for reading, in the past and in all of the days to come! You folks really make all of this possible, so Thank You!!!

Trusting Users

I recently came back across a prank that was pulled some years ago against a local news station. Some college students had found out that the school and business tickers that you are probably familiar with accepted input directly from the news website. All that was required was to sign up, and put in your business, contact, and hours opened/closed. Now one might think that somebody would check these before they go on live TV, but that’s exactly what didn’t happen in this case. The students proceeded to sign up humorous businesses, and have them displayed on live TV. This happened numerous times before someone at the station caught on and disabled the feature.

What I’m getting at here is that this could have easily been turned into an attack to harm a company’s reputation. They could have easily posted that Joe Shmoe Inc. was doing something illegal, and potentially caused an HR and legal nightmare for that company. It might even be possible to “Denial of Service” the company! Word spreads that there was no work today, nobody shows up, and no work gets done.

The lesson this shows is that user input should never be trusted. When “user input” is described, usually we think about bad characters in input fields, SQL injections, or cross site scripting. But this example goes to show that those issues are not the only things to be considered.

Social Engineering the Troops

On my way in to work this morning I heard a fairly disturbing news report about criminals using basic social engineering techniques to get family members of US military members who are deployed to Iraq and Afghanistan to divulge the servicemen and women’s personal information. Here’s how the attack played out:

Criminal obtains a list of members of a specific unit or command and tracks down the phone numbers of family members of those soldiers. Criminal then calls the family member and states that they are calling from the Red Cross and that their son/daughter/spouse has been injured in the course of performing their duties. Then the criminal states that in order for the Red Cross to be able to transport the service member to a military hospital in Germany, the Red Cross needs to verify the Social Security Number and date of birth of the injured soldier. While the family member is upset, they quickly give out the information to ensure that their loved one gets the medical attention they need. At this point, the criminal now has all the information they need to begin the identity theft that we hear so much about.

This type of attack, while completely abhorrent, has worked numerous times. I have not been able to find any conclusive data that speaks to how many people have been affected, nor do I think it is important for the purposes of this blog. What is important though, is to consider a couple of things.

1.) The Red Cross would never contact a military member’s family directly, without going through military channels.

2.) The Red Cross or military would never need to verify that type of information in order to proceed with medical attention.

3.) No person should ever give out that type of information over the phone, especially if you did not initiate the call.

What really interests me though, is the creativeness of the attack. It plays on emotion to be successful. Whether you are for the war or against doesn’t matter, everyone should be able to agree that it is an emotional subject, especially when talking about a loved one. The lesson to learn from this is simple. Guard your personal identity very closely. This example only strengthens the notion that criminals will do very nasty things to get access to your information. This is a business to them…a very profitable business at that.

We know that the average consumer will always choose the metaphorical “Dancing Bear” when confronted with these types of attacks. At MSI, we have refined our services to include rigorous social engineering exercises for our clients. While we have seen improvement in the security posture of our clients’ user base (at least the ones who have taken advantage of the service offerings), there is a part of me that believes that those users aren’t taking the knowledge we are giving them and applying it to their personal lives. For the ones that are, we commend you and hope you continue to interact with the masses in a secure way. We would love to not hear any more of these types of stories. Unfortunately, we truly believe that this current trend of identity theft is only going to continue. At least until “average Joe” begins to understand the threat.