Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

3 Tools Security Teams Need to Look at Today

Posted on by
8

I would urge most security teams to hit pause for an hour and take a moment to look at these three tools that may add leverage to the work you are doing.

1. Python LogTools – This is an excellent python library that makes parsing web logs, primarily Apache logs, easy and useful. The capability also can be trivially expanded to analyze other types of logs and system outputs with a little bit of text hacking. Seriously, we know you aren’t reading the logs – find a way to use programatic tools – even if that just means you are parsing for specific issues. I know, I know – you have the SEIM – but honestly, parse the logs. You’ll likely be amazed what you find…

2. Open Source Web Task Manager – Taskfreak – Nearly every team we talk to asks about coordinating task and resource management on other security teams. Here is a free tool set that you can you can use, apart from the more difficult enterprise tools and bloatware. Get a team server or instance and share tasks and resources. Done! 

3. Nmap – yeah, we said it – NMAP! – Oh, I know – you’ve used it. It comes on Kali and nearly every distro – but forget using it for pen-testing and auditing. Now, with a clear mind – begin to think about how you can use nmap to know what’s out there. Inventory of systems and services, done. Ongoing runs to detect new devices, done. Ongoing runs to find new services on known network segments, done. Periodic runs to test network speeds and connectivity for routing issues, done. Gateway checks, done. Detection of new devices by parsing DHCP logs and launching runs – a poor man’s NAC tool, done. There are so many things you can do with nmap other than pen-testing that I am thinking of just becoming an nmap consultant. C’mon – learn the basics and then use the basic tool in new ways to solve problems you already have. Nmap and some simple scripting can up your security team’s game. Give it a shot… 

Got other ideas? Let us know on Twitter (@microsolved). See you there! 

The Dark Net Seems to be Changing

Posted on by
6

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Great Article on Spotting Skimmers

Posted on by
3

I ran across this great article with tips on spotting credit card skimmers. Check it out for some pretty good info.

Ever wondered about the prices that criminals pay for skimmers? We recently studied this and found that the average price for magnetic stripe skimmers was between $100 – $300 US. Kits that include cameras and other techniques for also capturing PIN data (ATM & Chip/PIN transactions) were around 10x that amount on the black market. Home grown solutions are significantly cheaper to build, but often lack the subtlety and camouflage of the more “commercial” offerings.

By the way, note that even where Chip and PIN transactions have become the norm (outside the US), capturing the magnetic track data is still useful for attackers to focus on e-commerce and other card holder not present transactions.

Just a few things to think about… While the credit card theft underground is robust, interesting and dynamic, companies and issuers are working hard to stay on top of things. Unfortunately, the economics involved is complex, and attackers are continually refining all phases of their operations.  

Emulating SIP with HoneyPoint

Posted on by
6

Last week, Hos and I worked on identifying how to emulate a SIP endpoint with HoneyPoint Security Server. We identified an easy way to do it using the BasicTCP capability. This emulation component emulates a basic TCP service and performs in the following manner:

  • Listens for connections
  • Upon connection, logs the connection details
  • Sends the banner file and awaits a response
  • Upon response, logs the response data
  • Sends the response, repeating the wait and log loop, resending the response to every request
  • When the connection limit is reached, it closes the connection
It has two associated files for the emulation:
  • The banner file – “banner”
  • The response file – “response”

In our testing, we were able to closely emulate a SIP connection by creating a banner file that was blank or contained only a CR/LF. Then we added the appropriate SIP messaging into the response file. This emulates a service where thew connection is completed and logged, and the system appears to wait on input. Once input is received, then a SIP message is delivered to the client. In our testing, the SIP tools we worked with accepted the emulation as SIP server and did not flag any anomalies.

I’ll leave the actual SIP messaging as a research project for the reader, to preserve some anonymity for HPSS users. But, if you are an HPSS user and would like to do this, contact support and we will provide you with the specific messaging that we used in our testing.

As always, thanks for reading and especially thanks for being interested in HoneyPoint. We are prepping the next release, and I think you will be blown away by some of the new features and the updates to the documentation. We have been hard at work on this for a while, and I can’t wait to share it with you shortly!

MSI’s Targeted Threat Intelligence is Adding Huge Value to M&A Due Diligence

Posted on by
5

Many of our clients have been using our Targeted Threat Intelligence service offerings to assist them with due diligence efforts around mergers and acquisitions activities. For many years, clients have leveraged MSI services during and after an acquisition, usually to perform security assessments, identify control gaps and validate remediations. Our network discovery and mapping tools, including MachineTruth, have been an excellent fit for helping them understand exactly what their new architectures look like and where it makes sense for interconnections and network hardening.

Now, with TigerTrax™ and MSI’s passive assessment platform, our threat intelligence and passive assessment capabilities are aiding clients in the due diligence process, making us an excellent partner throughout the M&A lifecycle! These new offerings allow us to add brand/trend data and cyber-security analysis to potential M&A targets, before they are even aware that they are prospects and without their knowledge or contractual engagement. It allows organizations more flexibility in identifying potential Intellectual Property leaks, poor security practices or other IT risks before approaching an acquisition target. The brand/trend reputational data is blended in, providing a new lens to look for potential issues around customer service, activism, impacts from poor online or data hygiene, etc.

While these same techniques have proven to be a boon for vendor supply chain security, they have been leveraged in M&A activity for a year longer. MSI has a strong history in this space and continues to innovate with new data sources, optimized processes and bleeding edge tools for making M&A safer, more efficient and more profitable. To learn more about our M&A offerings, hear about our work and research in the M&A space or discuss how we can assist your organization with M&A services, please drop us a line at info@microsolved.com, or give us a call at (614) 351-1237 today. We look forward to working with you! 

Join the MSI Team and Take Your Python Skills to the Edge

Posted on by
14

MSI is currently seeking a full time Python programmer to join our team at HQ in Columbus!

If you more than “know your way around Python”, like to build web front ends and bleeding-edge cool machine learning/NLP back ends, get in touch.

We are seeking someone to assist with ongoing development of our current product line and to help in developing new products and capabilities to extend our concepts even further.

Must be located in Columbus, OH – sadly, no relocation or remote working for this position. But, Columbus is an amazing place to live and has an awesome tech community, so we love it here! 

To join our team, you must be an excellent Python problem solver, be willing to tackle tough technical issues, be self motivated, enjoy working with Linux, Windows and OS X and be a good fit for a close group of highly technical team members who are also close friends. Our team has a 24 year history of excellence, so bring your A game…

If you’d like to talk to us about becoming a part of MSI, drop us a line – info@microsolved.com with your resume, a couple of paragraphs about why you would like to join us and some links to code or projects online that you have created. We look forward to hearing from you!

Hosting Providers Matter as Business Partners

Posted on by
1

Hosting providers seem to be an often overlooked exposure area for many small and mid-size organizations. In the last several weeks, as we have been growing the use of our passive assessment platform for supply chain assessments, we have identified several instances where the web site hosting company (or design/development company) is among the weakest links. Likely, this is due to the idea that these services are commodities and they are among the first areas where organizations look to lower costs.

The fall out of that issue, though, can be problematic. In some cases, organizations are finding themselves doing business with hosting providers who reduce their operational costs by failing to invest in information security.* Here are just a few of the most significant issues that we have seen in this space:
  • “PCI accredited” checkout pages hosted on the same server as other sites that are clearly under the control of an attacker
  • Exposed applications and services with default credentials on the same systems used to host web sites belonging to critical infrastructure organizations
  • Dangerous service exposures on hosted systems
  • Malware infested hosting provider ad pages, linked to hundreds or thousands of their client sites hosted with them
  • Poorly managed encryption that impacts hundreds or thousands of their hosted customer sites
  • An interesting correlation of blacklisted host density to geographic location and the targeted verticals that some hosting providers sell to
  • Pornography being distributed from the same physical and logical servers as traditional businesses and critical infrastructure organizations
  • A clear lack of DoS protection or monitoring
  • A clear lack of detection, investigation, incident response and recovery maturity on the part of many of the vendors 
It is very important that organizations realize that today, much of your risk extends well beyond the network and architectures under your direct control. Partners, and especially hosting companies and cloud providers, are part of your data footprint. They can represent significant portions of your risk, and yet, are areas where you may have very limited control. 
 
If you would like to learn more about using our passive assessment platform and our vendor supply chain security services to help you identify, manage and reduce your risk – please give us a call (614-351-1237) or drop us a line (info /at/ MicroSolved /dot/ com). We’d love to walk you through some of the findings we have identified and share some of the insights we have gleaned from our analysis.
 
Until next time, thanks for reading and stay safe out there!
 
*Caveat: This should not be taken that information security is correlated with cost. We have seen plenty of “high end”, high cost hosting companies with very poor security practices. The inverse is also true. Validation is the key…

Bonus from March: Supply Chain Security Model

Posted on by
3

Thanks for reading our supply chain security content throughout the month of March. We just wanted to sneak this one in, despite the calendar… 🙂 

If you click here, you can download a PDF version of a nice maturity model for assessing your vendor supply chain security maturity. We added passive assessments in to it to make it easy to show where you can leverage this powerful new approach. 

Check it out, and let us know if you would like help building, improving or auditing your program. In addition, if you would like to retain MSI for your third party oversight needs, please get in touch with your account executive or call us at (614) 351-1237. We have a strong history of program oversight across disciplines and would be happy to help keep your initiative on track!

Have a great April!

How to Engage MSI for Supply Chain Security Help

Posted on by
2

The month of March is about to wrap up and come to a close. I hope it was a great month for you and your security initiatives. I also hope you took advantage of our focused content this month on Supply Chain Security. If you want to go back and read through some of the articles, here are quick links:

3 Reasons Your Supply Chain Security Stinks

Ideas for Vendor Discovery

Sorting Vendors into Tiers

Mapping Control Requirements to Vendor Tiers

An Example Control Matrix for Supply Chain Security

What is MSI’s Passive Assessment & How Does it Empower Supply Chain Security?

Many folks have asked us about how to engage with MSI around the Supply Chain. I wanted to add this bit of information in order to make it easier for folks to know how we can assist them.

You can engage with MSI around Supply Chain Security in three primary models:

  • Focused Mission Consulting Model – This model is when you have a specific set of tasks and deliverables in mind that you would like MSI to create/review/audit or test. We scope the work effort up front and provide a flat rate engagement price. The work is then completed, usually offsite, and the deliverables are worked through until completed. This is fantastic for organizations looking to build a program, create their tiers and control matrices and document the processes involved. Basically, you hire us to do the heavy lifting…
  • Retainer-Based Consulting Model – This model lets you hire MSI resources for a specific time frame (usually 1 year) for periodic oversight, design, review or operational tasks. Our team supplements your team, providing experience and assistance to your process. Basically, you do the heavy lifting – and we make sure you build an efficient, effective and safe program for supply chain security. This is a flat rate, billed monthly, for a set number of resource hours.
  • Virtual CISO Model – In this model, you can hire MSI to manage and provide oversight for security needs across the enterprise. You get an assigned MSI resource who is responsible for ensuring your initiatives get completed and performed in accordance with best practices. This resource can draw from other MSI subject matter experts and our services, as needed, to build out/supplement or support your security initiative. This is a great offering for small and mid-size organizations who need deep expertise, but who might not have the budget or capability to retain world class talent across multiple security domains. Basically, in this type of engagement – you hire us to solve your security problems and build/manage your security program. We do that with attention to cost/efficiency/effectiveness and safety. Pricing for this service type varies based on the maturity and requirements of the security program.

You can also retain MSI to leverage our passive assessment platform to assess your vendors passively, “en masse”. For information about how to engage with us to serve as a fulcrum for your security program, arrange for a free, no pressure, exploration call with your account executive. If you don’t have an account executive, give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com and let us know of your interest. We would love to share some demo information with you and walk you through how we can help.

If you have any other questions about Supply Chain Security or other issues, please get in touch, as above. You can also reach out to me on Twitter. As always, thanks for reading and until next time, stay safe out there!

What is MSI Passive Assessment & How Does it Empower Supply Chain Security

Posted on by
2
MSI’s passive assessment represents a new approach to understanding the security risks associated with an organization, be it yours or a vendor, prospect or business partner’s. MSI’s passive assessment leverages the unique power of the MSI TigerTrax™ analytics platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of an organization.
 
The engine is able to combine the power of hundreds of existing tools to build the definitive profile of an organization’s security posture –  such as:
  • open source intelligence
  • corporate data analytics
  • honeypot sources
  • deep & dark net search engines
  • other data mining tools 
 
MSI’s passive assessment gives you current and historical information about the security posture of the target, such as:
  • Current IOCs associated with them or their hosted applications/systems (perfect for cloud environments!)
  • Historic campaigns, breaches or outbreaks that have been identified or reported in public and in our proprietary intelligence sources
  • Leaked credentials, account information or intellectual property associated with the target
  • Underground and dark net data associated with the target
  • Misconfigurations or risky exposures of systems and services that could empower attackers
  • Public vulnerabilities
  • Other relevant intelligence about their risks, threats and vulnerabilities – new sources added weekly…
 
Best of all, it gathers and correlates that data without touching the target’s network or systems directly in any way. That means you do not need the organization’s permission or knowledge of your research, so you can keep your interest private!
 
In the supply chain security use case, the tool can be run against organizations as a replacement for full risk assessment processes and used as an initial layer to identify and focus on vendors with identified security issues. You can find more information about it used in the following posts about creating a process for supply chain security initiatives:
 
Clients are currently using this service for M&A, vendor supply chain security management, risk assessment and to get an attacker’s eye view of their own networks or cloud deployments/hosted solutions.
 
To learn more about MSI’s passive assessment, please talk with your MSI account executive today!