Category Archives: General InfoSec

What is HPSS? :: HoneyPoint Agent

Posted on by
Reply

This post builds on the What is HPSS? Series. Previous posts are here and here


HoneyPoint Agent is the original detection capability of the HoneyPoint Security Server suite. Basically, it allows a system to offer up a variety of “fake services” to the network for the purpose of detection. These services can either be simple port listeners or can be complex, deeper emulations of protocols like SMTP, HTTP, Telnet, FTP, etc. These ports have no real users and no legitimate traffic flows to them. This means that anytime these ports are tampered with, the interactions are “suspicious at best and malicious at worst”. 


HPAgentOverview

Because the Agent is designed to be extremely light weight in terms of computing power needed, the Agents can be sprinkled throughout the network environment easily. Many organizations simply add Agent into default server and workstation builds, turning most of the systems in their network into sensors for detection. 

 

Other organizations deploy Agent more sporadically, either using virtual or physical appliances dedicated to HoneyPoint hosting. These organizations often assign multiple physical or virtual interfaces to the devices, allowing them to have a presence on many network segments at the same time.

 

Still other users leverage an approach called “scattersensing” by deploying HoneyPoint on systems that they move periodically around their environment. This makes for a less dependable detection mechanism, but gives them the capability to get more vision into “hotspots” where targeting is expected or where malware is more likely to pop-up. 

 

The most successful HoneyPoint Agent deployments use a combination of these tactics, along with including strategies like DNS redirection of known command and control sites and other more active forms of getting bad traffic into the HoneyPoint systems.

 

HoneyPoint Agent has proven to be very useful in identifying scanning and malware outbreaks. Customers with supposedly secure networks have found malware that had been missed for years by their traditional internal security tools. These were detected when the ongoing slow and low scanning triggered HoneyPoint deployments, particularly for SQL, Terminal Server and other commonly targeted ports.

 

HoneyPoint Agent can be configured through the command line or via a GUI application, making it easy to manage and deploy. Once installed, it is a “deploy and forget” style tool which doesn’t require ongoing tuning or signature updates. Generally speaking, customers deploy Agent and it runs for years without feeding and care.

 

HoneyPoint Agent also features MSI’s patented “defensive fuzzing” capabilities (previously known as HornetPoint mode), which can create self-defending services that attempt to take down attacker tools during their probing to interfere with propagation. Still other users automate defense with Agent using it as a means for black holing hosts that probe their environment. In these optional, more active roles, Agent can help organizations strengthen their posture with a “one strike and you’re out” kind of approach. 

 

HoneyPoint Agent runs in Linux, Windows and OS X. It communicates securely with the HoneyPoint Console. It also features user configurable services, a known scanning host ignore list (for ongoing vulnerability assessment clients) and a wide variety of common service emulation templates (available through support). 

 

To learn more about HoneyPoint Security Server or to get a demo, please contact us. We would be happy to walk you through the product and discuss how it might fit into your environment. There is even a free for personal use “Community Edition” available to get you started or to let you experience the power, ease and flexibility of the platform yourself. Just give us a call to learn more about HoneyPoint Security Server and HoneyPoint Agent. You’ll be glad you did! 


Malware in Many Places

Posted on by
Reply

 

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives. 

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it. 

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Java 0-Days are Changing Corporate Use Patterns

Posted on by
Reply

With all of the attention to the last few Java 0-days and the market value for them falling them (which many folks believe indicate there are more out there and more coming), we are starting to hear some organizations change their policies around Java, in general. 

It seems some clients have removed it from their default workstation images, restricting it to the pile of as-needed installs. A few have reported requiring more frequent Java update settings and a couple have talked about switching in-house development away from Java to different languages. 

Is your organization changing the way you view Java? How are things changing around the IT shops you work with? 

Drop us a line in the comments or via Twitter (@microsolved or @lbhuston) and let us know what YOU think!

CMHSecLunch is TODAY

Posted on by
Reply

Don’t forget, the #CMHSecLunch is TODAY, January 14th, 2013. The time is 11:30 and the location this month is at the Easton Mall food court inside the indoor portion of the mall.

We hope to see you there and bring a friend! No admission, no cost (you can buy food if you want) and open to the public. December had a great turn out and some fantastic conversations!

SANS SCADA Security Conference & a DISCOUNT

Posted on by
Reply

SANS has allowed us to offer a 10% discount to our readers who attend their SCADA Security Summit. The event is being held in Orlando this year, February 12-13, with optional training courses wrapped around on both sides. We think this is a great event and we are proud to be able to help SANS promote it.

You can get your discount using the discount code: MicroSolvedSCADA

More information about the event follows below (Overview provided by SANS): 

More than 1,200 security analysts and process control engineers, from government and industry, have attended the SCADA Security Summits. That’s because Summits are the one place where the people shaping the future of control systems security come together to share the lessons they have learned and because the Summits give attendees unique, early access to important new information. This year’s program will be no different. If you have any responsibility for security of control systems – policy, engineering, governance or operations you won’t want to miss the 2013 Summit in Orlando, Florida.

 At the Summit you will:

  • Learn why control systems are so difficult to protect and arm yourself with clear case studies showing what’s been done and what can be done to protect SCADA and other control systems.
  • Learn the language of control systems so you can be of more help to the engineers who plan and deploy such systems.
  • Understand the requirements and constraints faced by owners and operators of automation systems. Determine the state of the art in control system security as a benchmark for your own future planning.
  • How to build an ICS security program and develop your team.
  • Better understand what government can and can’t do by learning the requirements, constraints and current capabilities available to secure critical control systems.

 For more information and to register click here  http://www.sans.org/event/north-american-scada-2013

Gameframe Follow Up

Posted on by
Reply

This is a follow up to the original Gameframe scan post here. (**Note I have defanged the urls, edit them manually if you copy and paste)

Throughout the end of December, we saw just a few more probes in the public HITME that contained the Gameframe pattern. The ports shifted between port 80 and port 3128. The initial bursts of probes we observed were on port 3131, but they seem to now be occurring across the port spectrum.

The only host the public HITME caught these probes from was: 96.254.171.2 – WHOIS – US, Verizon

A Twitter user, (@benediktkr), also pointed out probes on port 8080 from a small batch of source IPs. He also observed the same source IP, which means the scanning is likely pretty wide, given that we have seen it from several of the HITME end points. 

Here is a quick dump of the log for the few we saw at the end of December (Output from a HoneyPoint plugin): 

2012-12-19 08:12:57|96.254.171.2|80|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-19 12:30:38|96.254.171.2|3128|GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n
2012-12-28 12:46:42|96.254.171.2|3128GET hxxp://gameframe.net/headers HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

We also picked up this probe, which is quite different from the others, which is interesting in general, note that the source host is also different – this time from 92.240.68.153 – WHOIS – Latvia

2012-12-27 10:29:27|92.240.68.153|80|GET hxxp://thumbs.ifood.tv/files/Salmonella_in_Vegetables.jpg HTTP/1.1 User-Agent: webcollage/1.135a Host: thumbs.ifood.tv headers HTTP/1.1\nUser-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.10\nHost: gameframe.net\nAccept-Encoding: deflate, gzip\nProxy-Connection: Keep-Alive\nAccept-Language: en-gb,en;q=0.5\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nPragma: no-cache\nCache-Control: no-cache\n\n

It is likely that others are simply using the headers output of this page for other types of probes and scans, likely to identify open proxies and alternate paths to avoid censorship or to use in proxy chains to help hide their origins for other purposes.

If you run a black list of IPs as a part of your defense, or redirect bad IPs to a HoneyPoint, you should likely add these two sources to the list if you aren’t using the automated approach.

We will continue to observe these probes and let you know what else we see. Thanks for reading.

Watching the Watchers…

Posted on by
Reply

“Who watches the watchers?” is an often overheard question when we assess the information security program of clients. Way too often, the answer is either, “Huh?” or “No one, really.”. That’s a LOT of trust for an organization to place in an individual or small team.

At least in a small team, you hopefully have peers checking each other’s work. You do that right? You either rotate duties, have a peer review process or otherwise make sure that a second set of eyes from the team double checks critical work in a peer review methodology. That’s what mature teams do, and they do it both often and formally. This is a great control and an effective means to build cooperation between team members.

The problem gets harder when your security team (and/or IT team) is one person. Then it absolutely REQUIRES that someone, be it a manager, another department peer, an auditor or even a consultant checks their work periodically. After all, if they manage the servers, the firewall, the network, the intrusion detection and the logging, they essentially have complete control over the data and can do as they please without fear of getting caught. Now, that is not to say that folks in this role aren’t trustworthy. They usually are. The problem is that some are not and to further complicate the matter – it is often quite difficult to tell the difference between the honest and the dishonest humans. So, as we always say, “Trust, but verify…”. Implement an ongoing process for peer review, even if that peer is an auditor or consultant. Have them come in and double check the progress for this quarter. Ask them to spot check reports, logs and configurations. It’s not comprehensive, but it at least sends a message that someone is checking and just having someone checking different items often leads to interesting discoveries, usually not of a malicious nature, but often times something missed in the day to day.

How does your organization use peer review? What works and what hasn’t worked for you? Leave us a comment or drop us a line on Twitter (@lbhuston) and let us know.

Ensuring Security Team Coverage During the Holidays

Posted on by
Reply

Just a quick note to remind you that now is a good time to double check the on-call, vacation and coverage schedules for your infosec team members, all of the key members of your incident response team and the critical managers and department liaisons. It’s a good time to review and update your contact lists for these folks and to identify anyone who might be unavailable during the holidays double check that you have a secondary contact.

While we certainly hope that your team doesn’t have to respond to an incident during the holidays, it is not unheard of. So, a few moments of careful attention now, may save you some stress during an already stressful period.

Thanks for reading, have a great holiday season and stay safe out there!

What is HPSS? :: The Console

Posted on by
Reply

This article builds on the What is HPSS? Series. The original overview article is here

The HoneyPoint Security Server Console is the “brain” of the HoneyPoint product platform. It is the central component responsible for getting alert data from the sensors, tracking and maintaining the alert data, presenting it to the user and safely passing the essential alert data on to the automated plugins or other systems in the security event chain.


HoneyPointConsoleRole

The Console is a GUI application that includes a built-in database engine for tracking Alert Data state and to empower reporting and analysis over time. Alert Data from the sensors are sent to the Console over TCP and the data is encrypted. The Console application runs on Windows, Linux and OS X. 

 

Once the Console receives Alert Data from the sensors, it parses it to validate that the data is good and checks to see what actions it should take based on the alerting configuration, assigned admins list, ignored hosts lists, and other trust rules in place. 

It then presents the alert data to the appropriate mechanisms, alerting users, passing the desired elements of the alert data to syslog/event log on the Console system for upstream processing by SEIMs or other event tools. The Console also passes certain event data as determined by the configuration into the “plugins mechanism”. 

 

The plugins then execute the desired operations on the data, easily allowing the security team to further extend reporting to custom event handlers or perform automated responses. This flexible solution empowers the security team to integrate HoneyPoint Security Server fully into whatever technology platform/response process they desire or have in place.

 

Reporting from the Console is very simple. The included reporting engine can create a wide variety of canned reports in either CSV or HTML format, ensuing that the data in the HoneyPoint system is easy to use. Additionally, other reporting tools like Crystal Reports or the like, or even languages like PERL, Python or Ruby, can easily attach to the Console database to create whatever types of custom reports you desire.

 

All in all, HoneyPoint Security Server was designed to make it easy to use and yet flexible enough for the most demanding and mature infosec teams. The console interface is friendly, functional and easily understandable. Most teams require less than a 30 minute walk through before they are off and running with the basic detection power HoneyPoint provides. When they get comfortable with the system, they quickly master the plugins meta-language and are soon automating large groups of detection and response tasks.

 

To learn more about HoneyPoint Security Server or to get a demo, please contact us. We would be happy to walk you through the product and discuss how it might fit into your environment. There is even a free for personal use “Community Edition” available to get you started or to let you experience the power, ease and flexibility of the platform yourself. Just give us a call to learn more about HoneyPoint Security Server Console. You’ll be glad you did! 


What is this HoneyPoint Thing Anyway?

Posted on by
6

Launched in 2006, initially as a distributed honey pot product, HoneyPoint Security Server (HPSS) has grown well beyond the initial concept. Today HPSS is a platform of components woven into a tightly integrated, fully capable, extremely flexible threat detection product. Organizations around the world are using it as a means of early detection of internal and external attackers, malware outbreaks and signs of users poking around where they shouldn’t be. Mature organizations have leveraged the product as a means of deterring attacks through automated black holing of scanning hosts on their perimeter, embedded detective controls inside their web applications to cut off users violating their terms of service and gather real world threat metrics to feed back into their mature risk management initiatives.

 

In the world of ICS/SCADA, HoneyPoint has found a quickly growing set of fans. HPSS can be deployed in a completely passive way that has no chance of interfering with critical operations, yet still brings incredible detection capability and vision into even the most sensitive of networks. ICS/SCADA environments have traditionally embraced the honeypot ideal, coining the term “canary” for these tools, but never before have they had such an easy to use, distributable, centrally monitored honeypot capability like HoneyPoint brings to the table.

 

Over the next few months, we will be deep diving into each of the HPSS components, but for now, as a high-level overview, here is a quick and dirty explanation of each of them:

 

  • HPSS Console – This is the central “brain” of the product. Designed as an easy to use GUI application, it receives the alerts detected by the sensor components and presents them to the user for analysis. It includes the “plugin” capability which allows for additional reporting and security automation based on the event data detected. The Console provides for “point and click” easy integration with SEIM products for clients who have deeper back-end data aggregation systems in place.
  • HoneyPoint Agent – This is the original HoneyPoint detection capability. Agent creates “fake services” on the network that have no real use other than detection. Since the services aren’t real, any interaction with them is “suspicious at best and malicious at worst”. Agent is capable of emulating a great variety of services and is completely user configurable. Agent runs on Windows, Linux and OS X. 
  • Wasp – Wasp is HoneyPoint’s hybrid client for Windows systems. It offers many of the port dilation features of Agent, but layers on top of that a whitelisting detection mechanism, file change detection for key files and some simple heuristics to identify the most common signs of intrusion. Tiny footprint, immense flexibility, self tuning whitelisting and no interference with operations make it an excellent choice for critical infrastructure use.
  • HoneyPoint Web – This is a completely emulated web environment with a mock up of applications that the organization uses. The entire environment is “fake” and studded with detection mechanisms that capture and measure attacker behavior, intent and capability. It might seem to be a new version of a banking application “accidentally” exposed to the Internet, or a replica of an HMI or maybe a login portal for Sharepoint/VPN or some other mechanism. What it really is is a detection mechanism for the good guys. Completely customized, able to detect the difference between a human attacker and most malware, it offers organizations a deeper, sneakier way to detect illicit behavior and measure the attacker attention various attack surfaces receive.
  • HoneyElements – Embeddable HTML and Javascript objects that can be added to new or existing real web applications, these HoneyPoints extend detection into the layers of the application itself. Integrates well with automated response and attacker black holing defenses to stop attackers and those engaging in undesired behaviors in real time.
  • HoneyBees – These work with Agent to simulate users authenticating to emulated services with plain text credentials. Organizations use this combination of tools to detect sniffing attacks and other attempts to harvest credentials off the wire or from network monitoring systems. 
  • HoneyPoint Trojans – Trojans are “fake” documents, applications or archives that appear to be real, but are actually detection mechanisms. For example, they might appear to be a PDF of some acquisition plans, while in reality they are armed with code to alert the security team when they have been opened or tampered with. Trojans use many of the same tactics as attackers, but instead of infection as a goal, they provide for detection and alerting.
  • HoneyPoint Handler – The Handler is a mechanism for getting external events into the HoneyPoint data ecosystem. Organizations often use the handler to receive events generated by custom nuance detection scripts. For example, a script might routinely check for new files in a directory or new files that contain the call base64decode(). When the script identifies a new file, the script can send an alert to the Handler, which will create a standard HoneyPoint alert from the script’s data and send it to the Console for easy and standardized security event management.
  • HoneyPoint Decoy Appliances – This is a set of hardened Linux powered devices that serve as an appliance for other components, usually Agent and Web. The appliances are available in three physical form factors (a rack mountable server, a mini-desktop, and a field deployable power substation solid state system) and/or a set of virtual appliances for most common virtualization platforms.
  • HoneyPoint Proxy – Lastly, this component is designed to act as an alerting data aggregator to simplify firewall ACLs that might be deployed between DMZ segments, enclaves or other network segments. The proxy can receive events from HoneyPoints and send them on to the Console without the need to expose the Console to each individual HoneyPoint. This makes managing global and highly distributed deployments significantly easier.

 

To learn more about these components and how they can be leveraged to give your organization new, flexible and deep detection capabilities, give us a call. Our engineers would be glad to discuss the technical capabilities and an account executive would be happy to work with you to create a HoneyPoint deployment that meets your needs AND your budget. At MicroSolved, we are passionate about information security and HoneyPoint Security Server is just another that way it shows!