HoneyPoint Tales: Conficker Still Out There

Posted on February 22, 2012 by Brent Huston

I had an interesting conversation this week over email with a security admin still fighting Conficker.

If you haven’t recalled Conficker in a while, take a moment and read the wikipedia entry here: (http://en.wikipedia.org/wiki/Conficker). Back in 2008, this nasty bugger spread across the net like wild fire. It was and is, quite persistent.

Back in those days, we even put out a free version of HoneyPoint called HPConficker to act as a scatter sensor for detecting infected hosts on networks around the world. That tool expired eventually, and to be honest, we stopped really tracking Conficker back in 2010 to move on to studying other vectors and exploits. I hadn’t even thought about the HPConficker tool since then, until this week.

In order to help this admin out as they battled the worm, I came in on a vacation day, dug the old code out of the source vault and updated it to run through the end of 2012. I then built a quick compile, zipped it (in my hurry forgetting to remove the OS X file noise) and sent it on to the sales person who was helping the client directly. When I heard that the zip file with OS X noise was a problem, I quickly cleaned the zip and sent it back up to the server for them to re-download, install and use. Sadly, I haven’t yet had time to build a readme file or the like, but the tool is pretty easy to use. Unzip it with folder extraction enabled, execute it and follow the GUI instructions. I haven’t heard back from my new security admin friend, but I hoped it helped them fight the good fight.

I took a couple of key points from this: 1) Conficker is still around and causing trouble; and 2) Helping people with HoneyPoint is still one of the core reasons I do what I do.

I may not say it often enough, but, thanks to all of you for playing with my toys. Since 2006, the knowledge gained, the insights and the outright chance to help people with my software has been a great joy. I look forward to pursuing it for many years to come.

Keep playing with HoneyPoint. Keep talking to us. We want to engage, and we want to help YOU solve YOUR problems. At the core, that’s what MSI is all about. As always, thanks for reading and stay safe out there!

PS – We haven’t decided if we are going to release the tool again. If you want it and it can help you, drop me a line in the comments, send me a tweet (@lbhuston) or get in touch. Even if we don’t push it out in public on the site, it’s here if you need it…

MSI Strategy & Tactics Talk Ep. 24: When Outsourcing Security Tasks Goes Wrong

Posted on February 17, 2012 by Mary Rose Maguire

Outsourcing security tasks can be beneficial to a busy organization. But is there a possible downside? What questions should that organization ask when outsourcing part of their information security tasks? In this episode of MSI Strategy & Tactics, the techs discuss an incident that happened when an organization outsourced a part of their system administration tasks to an outside consulting firm. If you are considering outsourcing part of your security tasks, you’ll want to listen! Discussion questions include:

How important is it for vendors to vet employees before sending them into the field?
How important is it for organizations to be able to see that the vendors have thoroughly done this?

Panelists:

Brent Huston, CEO and Security Evangelist

Phil Grimes, Security Analyst

John Davis, Risk Management Engineer

Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Know Who’s Out to Hack Your Credit Union

Posted on February 1, 2012 by Brent Huston

One of the biggest questions we get when we talk to Credit Unions is about threats. They often want to know who might be targeting Credit Unions and how they might get attacked. Based on these questions and how often we hear them, we have come up with a way for you to actually get some metrics and intelligence around your own threat postures.

I am proud to introduce a new short-term service for Credit Unions that leverages our patent-pending HoneyPoint technology in a useful, powerful, easy and affordable way. The MSI Threat Posture Analysis is a new service that does just that. The service is comprised of the following phases:

1. Initial consultation – our teams work together to plan for a quick, safe and easy deployment of our HoneyPoint technology; this initial discussion helps us decide if we are going to leverage a HoneyPoint hardware, software or combined deployment and exactly what we want to emulate for metrics gathering; the length of the metrics gathering mission is also determined (usually 90 days).

2. Pricing and contracts – based on our work together, fixed bid pricing is provided for the analysis and monitoring.

3. Delivery of technology – our teams work together to deliver and install the technology; MSI monitors the deployment remotely back at our NOC.

4. Analysis – MSI performs analysis of the data gathered; generating a set of reports that details sources of attacks, general estimated capabilities, attack frequency and other metrics designed to feed real world threat data into the Credit Union’s information security program.

5. Decommission and return of the technology – our teams work together to uninstall the technology and return any hardware to MSI.

6. Follow on Q&A – for 3 months, MSI will continue to be available to answer questions or discuss the data and metrics identified in the analysis.

It’s that easy. You can quickly, easily, safely and affordably, move from blunt estimations of threats to real world data and intelligence. If you would like that intelligence as an ongoing basis, give us a call and we can discuss our managed services with you as well.

So, if you’re tired of doing risk assessments without real numbers to back up your data or if your team has hit the maturity point where they can use real world metrics and threat source data to create firewall rules, black holes and other dynamic defenses, this approach can give them the data they are hungry for.

If you would like to discuss the analysis or hear more about it, give your account executive a call or reach out to me on Twitter (@lbhuston). I look forward to talking with you about the successes we are seeing.

As always, thanks for reading and stay safe out there!

Quick Use Case for HoneyPoint in ICS/SCADA Locations

Posted on January 11, 2012 by Brent Huston

This quick diagram shows a couple of ways that many organizations use HoneyPoint as a nuance detection platform inside ICS/SCADA deployments today.

Basically, they use HoneyPoint Agent/Decoy to pick up scans and probes, configuring it to emulate an endpoint or PLC. This is particularly useful for picking up wider area scans, probes and malware propagations.

Additionally, many organizations are finding value in HoneyPoint Wasp, using its white list detection capabilities to identify new code running on HMIs, Historian or other Windows telemetry data systems. In many cases, Wasp can quickly and easily identify malware, worms or even unauthorized updates to the ICS/SCADA components.

HoneyPoint Maturity Model

Posted on September 22, 2011 by Brent Huston

Many folks have asked for a quick review of the way HoneyPoint users progress as they grow their confidence in the product suite and in their capability to manage threat data. To help answer those questions and to give folks a quick way to check out how some folks use HoneyPoint beyond simple scan/probe detection, we put together this quick maturity model to act as a roadmap.

If you are interested in hearing more about a specific set of functions or capabilities, give us a call or drop us a line. We would be happy to walk you through the model or any of the specific items. HoneyPoint users, feel free to engage with support if some of this sparks a new idea for how your organization can deepen your own HoneyPoint use cases. Thanks for reading and stay safe out there!

MicroSolved Releases HoneyPoint Special Edition: Morto

Posted on August 29, 2011 by Brent Huston

We are pleased to announce the immediate availability of a special edition of HoneyPoint that is designed to help organizations identify hosts infected with the Morto worm that is currently circulating.

HPMorto works like this: It opens a TCP listener HoneyPoint on port 3389/TCP (check to make sure that port is NOT in use before running HPMorto). Once in place, the tool will report the source IP of any systems who attempt to connect to it. Identified sources should be investigated as possible infected hosts.

This version will only listen for 3389 connections and will only function through February 28, 2012.

Versions of HPMorto are available for FREE download for:
Windows
Linux
Mac OSX

Give it a try and we hope that this tool help folks manage the problems being caused by Morto around the world.

McAfee: 65 Million Malware Samples — And That’s Just the Tip of the Iceberg

Posted on August 24, 2011 by Brent Huston

I was fascinated by this article that came across my newsfeed earlier this week. In it, McAfee says that they have hit 65 million malware samples in the 2nd quarter of 2011. I have heard similar stories in my frequent conversations with other AV vendors this year. It seems, that the malware cat, truly is out of the bag. I don’t know about you, but it seems like someone forgot to warn the crimeware world about opening Pandora’s box.

One of the things that I think is still interesting about the number of signatures that AV vendors are creating are that they are still hitting only a small portion of the overall mountain of malware. For example, many of the AV vendors do not cover very many of the current PHP and ASP malware that is making the rounds. If you follow me on twitter (@LBHuston), then you have likely seen some of the examples I have been posting for the last year or so about this missing coverage. In addition, in many of the public talks I have been giving, many folks have had wide discussions about whether or not AV vendors should be including such coverage. Many people continue to be amazed at just how difficult the role of the AV vendor has become. With so much malware available, and so many kits on the market, the problem just continues to get worse and worse. Additionally, many vendors are still dealing with even the most simple evasion techniques. With all of that in mind, the role and work of AV vendors is truly becoming a nightmare.

Hopefully, this report will give some folks insight into the challenges that the AV teams are facing. AV is a good baseline solution. However, it is critical that administrators and network security teams understand the limitations of this solution. Simple heuristics will not do in a malware world where code entropy, encoding and new evasion techniques are running wild. AV vendors and the rest of us must begin to embrace the idea of anomaly detection. We must find new ways to identify code, and its behavior mechanisms that are potentially damaging. In our case, we have tried to take such steps forward in our HoneyPoint line of products and our WASP product in particular. While not a panacea, it is a new way of looking at the problem and it brings new visibility and new capability to security teams.

I enjoyed this article and I really hope it creates a new level of discussion around the complexities of malware and the controls that are required by most organizations to manage malware threats. If you still believe that simple AV or no malware controls at all are any kind of a solution, quite frankly, you’re simply doing it wrong. As always, thanks for reading and stay safe out there.

MSI Strategies & Tactics Talk Episode 5: Is Compliance-centric Security The Way To Go?

Posted on June 23, 2011 by Mary Rose Maguire

“Compliance-centric security is bleeding us dry.” – Brent Huston, CEO and Security Evangelist for MSI

Listen in as our tech team discusses compliance-centric security, including:

What is compliance-centric security?
Why is it a problem?
How it creates a “do-the-minimum mentality”
What is the alternative to compliance-centric security?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Audio Blog Post: What Apple’s iCloud Means For The Enterprise

Posted on June 20, 2011 by Brent Huston

Brent Huston shares his thoughts on the upcoming iOS5 and Apple’s iCloud.
Click here to listen

Meet Our New Information Security Account Exec: Chris Lay

Posted on June 17, 2011 by Mary Rose Maguire

Chris talks about MicroSolved, Inc. and shares his excitement about our ability to help companies create a threat-centric information security strategy.

Welcome, Chris!

MSI :: State of Security

Insight from the Information Security Experts

Tag Archives: HoneyPoint