Category Archives: HoneyPoint

HoneyPoint Wasp Now Monitors Domain User and Admin Accounts

Posted on by
Reply


Do you:

  • Need a quick and easy way to provide monitoring of when new user accounts are created in your AD forest and domains?

    •  

  • Need an easy way to know when a user becomes a member of the administrator groups?

    •  

  • Want a powerful, flexible and effective tool for knowing what is running on your AD servers and when new code gets executed on these critical devices?

    •  

If you answered yes to any of these questions, read on.

HoneyPoint Wasp, a bleeding edge tool for anomaly detection on Windows Desktops and Servers has just been enhanced with the current release to extend these types of coverage (and more) to Windows 2003 & 2008 servers running an AD context of Primary Domain Controller & Backup Domain Controller. Yes, our customers have been asking for it, and we listened. Now, with a simple, no signature/no tuning/0-interface deployment, you can get centralized monitoring and visibility over your critical AD identity store. You can know what is running on these essential servers all of the time and when new users are created or promoted to administrative status.

Attackers commonly infect AD components as they move through the enterprise, often adding and promoting users as they go. In most incidents we have worked over the last several years, these changes have usually gone unnoticed until it was too late. That’s exactly why we built HoneyPoint in general and Wasp in particular, to answer this dire need and to help turn the tide against malware-based compromises.

Want to discuss how Wasp fits in your organization? Simply drop us a line at: (1info2@3microsolved4.5com6) (remove the numbers/spam protection), or give us a call at 614-351-1237 to discuss it with your account rep. Wasp is powerful, yet easy to use, detection and with it in your corner, “Attackers Get Stung, Instead of YOU.”

Thanks for reading and stay safe out there!

Massachusetts Getting Tough On Data Breach Law

Posted on by
Reply

From Slashdot:

“A Massachusetts restaurant chain was the first company fined under the state’s toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons’ personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley.”

Full Story

This is exactly why we developed our latest addition to our HoneyPoint family of products: HoneyPoint Wasp. It is a great way to monitor Windows-based desktops with minimal fuss, decreasing help desk calls while allowing the IT department to quickly take action when malware is detected. Learn more about HoneyPoint Wasp.

Learning USB Lessons the Hard Way

Posted on by
Reply


I worked an incident recently that was a pretty interesting one.
The company involved has an application running on a set of Windows kiosks on a hardened, private network that though geographically diverse, is architected in such a way that no Internet access is possible at any machine or point. The kiosk machines are completely tied to a centralized web-based application at a central datacenter and that’s all the kiosk machines can talk to. Pretty common for such installs and generally, a pretty secure architecture.

The client had just chosen to install HoneyPoint and Wasp into this closed network the previous week to give them a new layer of detection and visibility into the kiosk systems since they are so far apart and physical access to them is quite difficult in some locations. The Wasp installs went fine and the product had reached the point where it was learning the baselines and humming along well. That’s when the trouble began. On Saturday, at around 5am Eastern time, Wasp identified a new application running on about 6 of the kiosk machines. The piece of code was flagged by Wasp and reported to the console. The path, name and MD5 hash did not match any of the applications the client had installed and only these 6 machines were running it, with all of them being within about 20 miles of each other. This piqued our curiosity as they brought us in, especially given that no Internet access is possible on these machines and users are locked into the specific web application the environment was designed for.

Our team quickly isolated the 6 hosts and began log reviews, which sure enough showed outbound attempts on port 80 to a host in China known to host malware and bots. The 6 machines were inspected and revealed a job in the scheduler, set to kick off on Saturdays at 5am. The scheduler launched this particular malware component which appeared to be designed to grab the cookies from the browser and some credentials from the system and users and throw them out to the host in China. In this case, the closed network stopped the egress, so little harm was done. Anti-virus installed on the kiosk machines showed clean, completely missing the code installed. A later scan of the components on virustotal.com also showed no detections, though the sample has now been shared with the appropriate vendors so they can work on detections.

In the end, the 6 machines were blown away and re-installed from scratch, which is the response we highly suggest against today’s malware. The big question was how did it get there? It turned out that a bit of digging uncovered a single technician that had visited all 6 sites the previous week. This technician had just had a baby and he was doing as all proud fathers do and showing off pictures of his child. He was doing so by carrying a USB key with him holding the pictures. Since he was a maintenance tech, he had access to drop out of the kiosk and perform system management, including browsing USB devices, which he did to show his pictures to his friends. This completely human, innocent act of love, though much understandable, had dire results. It exposed the business, the users, the customers and his career to potential danger. Fortunately, thanks to a secure architecture, excellent detection with Wasp, good incident planning and a very understanding boss, no harm was done. The young man got his lesson taught to him and the errors of his ways explained to him in “deep detail”. Close call, but excellent lessons and payoff on hard work done BEFORE the security issue ever happened.

Wasp brought excellent visibility to this company and let them quickly identify activity outside the norm. It did so with very little effort in deployment and management, but with HUGE payoff when things went wrong. Hopefully this story helps folks understand where Wasp can prove useful for them. After all, not all networks are closed to the Internet. Is yours? If you had infected hosts like this and AV didn’t catch it, would you know? If not, give us a call or drop us a line and let’s talk about how it might fit for your team. As always, thanks for reading!

MicroSolved, Inc. Releases New Malware Protection for MS Windows

Posted on by
Reply

Our HoneyPoint Wasp 1.50 is cleaner, faster, and more flexible than ever!

COLUMBUS, Ohio March 14, 2011 — MicroSolved, Inc. is pleased to announce their new version of HoneyPoint Wasp 1.50. The new Wasp gives more capability to the security team to easily gain visibility into Windows systems and more power to their efforts to secure them against intrusion.

HoneyPoint Wasp, a tool used to monitor the security of user workstations, has been upgraded with several new features. New behavior-based detections are now included to help extend your existing AV investment. This will provide an extra layer of detection for malware that slips past the AV shield.

Wasp detects infections frequently missed by other malware tools in laboratory testing and real world environments.

“We’re proud of Wasp’s ability to identify compromised systems that other tools and techniques would have shown to be OK, leaving systems online and under attacker control for a longer period than needed,” said Brent Huston, CEO and Security Visionary for MicroSolved. “With HoneyPoint Wasp, you can more quickly and easily take compromised machines away from the attacker and significantly raise the bar in what they have to do to compromise your environment, avoid detection and steal your data.”

To learn more about HoneyPoint Wasp and how it can help an organization protect their desktop network, please visit our HoneyPoint Wasp page!

More Tales From the Tweetstream: HoneyPoint Wasp Detects Trojan Attack

Posted on by
Reply

A very interesting discovery!

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44751049545879552″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44751709305708544″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44752439404011520″]

We’re pretty proud of HoneyPoint Wasp, our newest addition to our HoneyPoint family; for exactly this reason. It is able to detecti attacks earlier, automatically disrupting attacker activity and by giving you intelligence about the source, intent and capability of attackers.

Want to learn more? Check out our HoneyPoint Wasp page!

InfoSec Insights: Getting Indexed Via Twitter – Good & Bad

Posted on by
1

Earlier this week, I did a quick experiment in the MSI Threat Lab. I wanted to see what happened when someone mentioned a URL on Twitter. I took a HoneyPoint Agent and stood it up exposed it to the Internet on port 80.

I then mapped the HoneyPoint to a URL using a dynamic IP service and tweeted the URL via a test account.

Interestingly, for the good, within about 30 seconds, the HoneyPoint had been touched by 9 different source IP addresses. The search engines, it seems, quickly picked the URL out of the stream, did some basic traffic and I assume queued the site for crawling and indexing in the near future. A few actually indexed the sites immediately. The HoneyPoint cataloged touches from 4 different Amazon hosts, Yahoo, Twitter itself, Google, PSINet/Cogent and NTT America. It took less than an hour for the site to be searchable in many of the engines. It seems that this might be an easier approach to getting a site indexed then the old visit each engine and register approach, or even using a basic register tool. Simply tweet the URL and get the ball rolling for the major engines. 🙂

On the bummer side, it only took about 10 minutes for the HoneyPoint to be probed by attacker scanning tools. We can’t tie cause to the tweeting, but it did target that specific URL and did not touch other HoneyPoints deployed in the range which certainly seems correlative. Clearly, search engines aren’t the only types of automated applications watching the Twitter stream. My guess is that scanning engines watch it too, to some extent, and queue up hosts in a similar manner. Just like all things, there are good and bad nuances to the tweet to get indexed approach.

Further research is needed in what happens when a URL is tweeted, but I thought this was an interesting enough topic to share. Perhaps you’ll find it useful, or perhaps it will explain where some of that index traffic (and scanner probes) come from. As always, your mileage and paranoia may vary. Thanks for reading!

Jumphosts Are a Great Place For HoneyPoint Wasp

Posted on by
Reply

As the idea of network segmentation, or enclaving, becomes more and more popular, many organizations are also implementing so called “jumphosts” for their critical systems. Typically, a jumphost is a terminal server or Citrix host that users and admins connect to, then ride a terminal server or Citrix connection into the segmented critical hosts. This connection is usually filtered by a firewall, screening router or other access control method which segments the critical hosts from other parts of the infrastructure. Given the critical role these jumphosts play in the operations, it is essential that they be highly protected and monitored.

This is where HoneyPoint Wasp comes in. One of the strongest use cases for Wasp in the field has been to help protect these critical jumphosts from compromise and give the security team deeper visibility into their operation. Wasp lends itself well to this task, especially given the static nature of the systems, by extending normal anti-virus to include deeper, more accurate behavior-based anomaly detection. For example, Wasp maintains a white-list of known applications on the jumphost. If a user or attacker starts a new process that Wasp has never seen before, an alert is generated for the security team to investigate.

This white-listing approach is not reliant on signatures or heuristics to determine if a process is malware or the like, it just learns what is known on the jumphost and when something new is observed, it alerts. In addition, with Wasp in place, the jumphosts are continually monitored for other common signs of infection and intrusion, like newly opened listening IP ports, changes to critical files in the file system, new accounts being created locally or changes to the population of the local administrators group, etc. This new vision into changes on the jumphost can give the security team a heads up when an attack against the critical core is in process. Further, it does so without false positives or noise to degrade their performance over time.

Pricing for HoneyPoint Wasp is comparable to anti-virus pricing. Wasp is designed to work in conjunction with normal anti-virus and is available for Windows systems. Other components of the HoneyPoint product suite are also being used heavily in enclaved environments to bring detection to areas of the network defined as being of the highest priority. Deployments of these tools are in place in government systems, financial organizations, telecomm, manufacturing and critical infrastructure, including SCADA networks. For more information about what HoneyPoint Wasp can bring to your IT environment, give us a call or drop us a line.

InfoWorld Reviews Honey Pots and HoneyPoint

Posted on by
Reply

MicroSolved, Inc. was recently featured in InfoWorld’s article, “Intrusion detection honeypots simplify network security,” by Roger A. Grimes.

It’s a great review of MSI’s HoneyPoint technology, along with two other honey pot software solutions. The article is very thorough, testing everything from features and logging capability to ease-of-use and value. As Roger stated, intrusion detection is a complicated business, which is why we continue to strive to increase the visibility of the security team within an ever-increasingly insecure world. His use cases are very specific and the article presents a powerful argument for honey pots and their role in modern information security. We commend the author for his work and very much appreciate HoneyPoint’s inclusion in the solution set.

Some of HoneyPoint’s features, namely defensive fuzzing (HornetPoint behavior) and port mining appear to have been misunderstood by the reviewer. He mistakenly compares it to “tarpitting”, which is a technique used to slow down scans by tampering with the TCP packets in the 3 way handshake to delay connections. HornetPoints do not perform any actions at the packet layer, but instead, apply fuzzing routines within the specific emulated protocol (HTTP, SMTP, etc.) to attempt to cause the scanner or worm to fault on the attacking system, a form of self-defense. Port mining simply shoves a large binary file at attacker tools, again with the intent of crashing them, not simply slowing them down. These differences did not seem to be communicated well in the review when we read it.

We completely agree with the author that HoneyPoint has a large feature set and that our reporting and event tracking make it a powerful enterprise tool. We also appreciate his coverage of the plugin capability that allows users to extend and automate their alerting and response capabilities with HoneyPoint. We designed the product to be easy to use and most customers learn to install, configure and manage the product in a simple 2-4 hour virtual session included in every purchase. Our customer’s experience and rating for ease of use varies from what is presented in the review. Customers continually praise HoneyPoint as being one of the easiest enterprise products they have deployed and used.

Lastly, the author’s review makes the point that honey pot tools cannot bind to ports already in use, making them essentially blind to attack traffic on those services already installed on the hosts on which the tool is running. This is a valid truth and represents one of the core reasons why we felt it was important to design HoneyPoint to run across platforms. If a honey pot product can only run in Windows, it cannot bind to ports like 135-139 and 445, which are the common ports used for Windows CIFS. It also cannot bind to ports, and thus provide detection on Windows RPC ports that are in use. As such, a low interaction honey pot deployed only on a stock Windows workstation cannot perform detection of threats like Conficker and other traditional Windows-centric attacks. This leaves an organization using a Windows-constrained detection tool unable to emulate these services and detect these attacks. HoneyPoint, on the other hand, can just as easily be deployed on Linux as on Windows. Using a simple liveCD install (such as Puppy, DSL or the Ubuntu, etc.) you can deploy HoneyPoint on these ports, emulating Windows and thus gaining detection and visibility not available with a Windows-constrained product. We feel, as do many of our clients, that this is a powerful difference between our product and others and that it gives our clients the ability to stud their environment with detection decoys, even at the Windows protocol level, where others are blind.

We designed HoneyPoint not as an academic tool for laboratory use or for those folks wishing to capture packets of the attack tools and write papers about them, but as a real-life, deploy and forget, enterprise threat management system for businesses interested in breaking the attacker life cycle. We are quite proud that the tool is functional, flexible and simplistic. That was the goal from the beginning. We are as proud of the things that our product DOESN’T do to maintain that core focus as we are of the things it DOES do and how it accomplishes them.

Overall, we are in full agreement with InfoWorld: the impact of honey pots in the corporate environment is best understood by serving as an early-warning system. When honey pots are utilized in this way, they are economical and efficient, yet meet the need to identify threats in the network environment. We extend kudos to Roger for his review and for the hard and complex work he did reviewing and comparing the three products.

MSI welcomes this type of review, because our quest to make you safer is what drives us. Clients tell us that we’re good listeners and we love to hear feedback from the community. We will not stop improving our efforts to protect our clients because frankly, the attackers will not stop searching for vulnerabilities. As always, thanks for reading and stay safe out there!

OpenSSL Vulnerability

Posted on by
Reply

A new security issue in OpenSSL should be on the radar of your security team. While Stunnel and Apache are NOT affected, many many other packages appear to be. The issue allows denial of service and possibly remote code execution.

Patches for OpenSSL and many packages that use it are starting to roll in. Check with your favorite vendor on the issue for more information. The CVE is: CVE-2010-3864

HoneyPoint users who leverage black hole defenses should ensure that they have exposed port 443/tcp honeypoints and have dilated other common ports for their applications that might be vulnerable. Internal HoneyPoint users should already have these ports deployed, but if not, now is a good time to ensure that you have HoneyPoint coverage for any internal applications that might be using OpenSSL. Detecting scans and probes across the environment for this issue is highly suggested given the high number of impacted applications and platforms.

If you have any questions about this issue or the proper HoneyPoint deployment to detect probes and scans for it, please give us a call or drop us a line. We will be happy to discuss it and assist you.