A Day in the Life of Guardicore’s CISO – Part II

					<div>
						<div>
				<div>
		<div>
						<div>
					
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>In my <a href="https://www.guardicore.com/blog/ciso-a-day-in-the-life/" rel="noreferrer" target="_blank">previous blog</a> I shared some of the complex tasks I have to deal with as the CISO of a developing startup company. A quick reminder: most of the services we consume come from cloud providers, both SaaS and IaaS. At the same time, most of the services we provide to our customers are delivered in the cloud as SaaS. The environment is subject to regulatory requirements and to the ongoing scrutiny of our customers, who do not tolerate any security issue that may put their assets at risk.</p><p>The day-to-day work of a CISO in a cybersecurity company is pretty challenging. Employees often know information security better than you do. Customers are the cyber security experts of the largest organizations, people who breathe information security on a daily basis. There is no room for mistakes. You have to be focused and clear on your tasks, provide quick answers and allow enterprise information systems to function uninterrupted and with a high level of security.</p><p>For that, the CISO needs a good team and decent security tools that he can trust: tools that give him good visibility into what is going on in the network and let him drive security policies and security measures end to end within the organization. And usually all of this under human resource constraints.</p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
		<h2>Swiss Army Knife</h2>		</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>In my case it was quite simple. Along with other information security products, I am using our own flagship product, <a href="https://www.guardicore.com/cyber-security-platform/" rel="noreferrer" target="_blank">Centra</a>: a security tool that allows me, with minimal resources, to get clear visibility of all traffic and processes and, at the same time, to make smart decisions based on application roles, vulnerability level and more, and to push the policy throughout the organization no matter where the assets reside: locally in the datacenter, in the cloud, or on a shadow IT box behind the developer's desk.</p><p>I know, I'm biased. I'm using and promoting here my own company's product, Centra, but truly, you can use any product of your own that gives you similar functionality. In the past I have used other products. But it is Centra that now gives me a much broader picture of the organization's traffic, up to applications, users and command lines, and much more.</p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
		<h2>Automating the process</h2>		</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>As part of the daily compliance tasks, we also have to go through a large amount of logs for early detection of security events and malfunctioning processes that may impact the organization's information security. The main goal is to detect and identify, as soon as possible, indicators of compromise within the logs, to reduce the time an attacker or malicious code can move freely within the network.</p><p>At Guardicore we have a team for that, the <a href="https://www.guardicore.com/services/#cyber_security" rel="noreferrer" target="_blank">Cyber Security Analysts (CSA)</a>, who regularly provide discovery and threat hunting services to our customers. With a set of tools they developed, we are able to digest a large amount of logs, correlate the results with a number of sources and cross-reference them with external intelligence to obtain a correct and reliable picture of the traffic within the organization.</p><p>We are now able to add many security measures which in the past we had to ignore due to the amount of time and resources they consumed.</p><p>For example, on a couple of risk assessments we noticed that a large number of commands are encoded, which makes them difficult to analyze and detect. Data encoding is a known technique (MITRE ATT&amp;CK <a href="https://attack.mitre.org/techniques/T1132/" rel="noreferrer" target="_blank">T1132</a> &amp; <a href="https://attack.mitre.org/techniques/T1140/" rel="noreferrer" target="_blank">T1140</a>) in which adversaries encode data to make the content of C2 traffic, commands and artifacts of an intrusion more difficult to detect.</p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
		<h2>It's all about Traffic Analysis</h2>		</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>With the CSA team's tools, we are able to collect and locate command lines that contain base64 and decode them in near real time. Analysis of the decoded data is also done on the fly, and suspected commands are sent for human investigation.</p>					</div>
					</div>
			</div>
			<div>
			<div>
				<div>
		<pre>
			<code>
				C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe -secure -javaws -jre C:\Program Files\Java\jre1.8.0_291 -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURqbmxweC5vcmlnRmlsZW5hbWVBcmc9QzpcVXNlcnNcYmFyLmNhc3RlbFxEb3dubG9hZHNcdmlld2VyICgzKS5qbmxwAC1Eam5scHgucmVtb3ZlPXRydWUALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yOTFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzI5MVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGxpYlxwbHVnaW4uamFyAC1Eam5scHguc3BsYXNocG9ydD01MzY5MQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjkxXGJpblxqYXZhdy5leGU= -ma QzpcVXNlcnNcWFhYWFhcRG93bmxvYWRzXHZpZXdlciAoMykuam5scA==
			</code>
		</pre>
	</div>
			</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p><strong>Base64 encoded data</strong></p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
				<div>
		<pre>
			<code>
				C:\Program Files\Java\jre1.8.0_291\bin\jp2launcher.exe -secure -javaws -jre C:\Program Files\Java\jre1.8.0_291 -vma -classpath\x00C:\\Program Files\\Java\\jre1.8.0_291\\lib\\deploy.jar\x00-Djava.security.policy=file:C:\\Program Files\\Java\\jre1.8.0_291\\lib\\security\\javaws.policy\x00-DtrustProxy=true\x00-Xverify:remote\x00-Djnlpx.home=C:\\Program Files\\Java\\jre1.8.0_291\\bin\x00-Djava.security.manager\x00-Djnlpx.origFilenameArg=C:\\Users\\XXXXX\\Downloads\\viewer (3).jnlp\x00-Djnlpx.remove=true\x00-Dsun.awt.warmup=true\x00-Xbootclasspath/a:C:\\Program Files\\Java\\jre1.8.0_291\\lib\\javaws.jar;C:\\Program Files\\Java\\jre1.8.0_291\\lib\\deploy.jar;C:\\Program Files\\Java\\jre1.8.0_291\\lib\\plugin.jar\x00-Djnlpx.splashport=53691\x00-Djnlpx.jvm=C:\\Program Files\\Java\\jre1.8.0_291\\bin\\javaw.exe -ma C:\Users\XXXXX\Downloads\viewer (3).jnlp
			</code>
		</pre>
	</div>
			</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p><strong>Decoded data</strong></p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
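The decode step described above, as an added example rather than the CSA team's own tooling: it locates base64-looking tokens in a command line, rejects anything that is not valid base64 or does not decode to readable text, and splits the NUL-separated argument blobs that jp2launcher.exe passes via -vma. The -ma token is the one from the sample above; the -vma token and the rest of the sample command line are constructed here, and the 20-character minimum token length is an assumption chosen to skip GUIDs and short hashes.

```python
import base64
import binascii
import re
import string

# Runs of 20+ base64 characters with optional padding; the look-arounds stop
# the pattern matching the inside of a longer word. Shorter runs (GUIDs,
# short hashes) are skipped to keep false positives down (assumed cutoff).
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable)


def decode_token(token):
    """Decode one token; return its arguments as a list, or None when the
    token is not valid base64 or does not decode to readable text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # jp2launcher.exe packs several JVM arguments into one blob separated by
    # NUL bytes (the \x00 in the decoded sample above); split them apart.
    parts = [p for p in text.split("\x00") if p]
    if not parts or not all(set(p) <= PRINTABLE for p in parts):
        return None
    return parts


def decode_cmdline(cmdline):
    """Find every base64 token in a command line and decode it.
    Returns a list of (token, decoded_args) pairs in order of appearance."""
    results = []
    for m in B64_TOKEN.finditer(cmdline):
        decoded = decode_token(m.group(0))
        if decoded is not None:
            results.append((m.group(0), decoded))
    return results


# Constructed sample: the -ma token is the one from the post; the -vma token
# is built here from a short NUL-separated argument list for illustration.
VMA = base64.b64encode(
    b"-classpath\x00C:\\Java\\deploy.jar\x00-DtrustProxy=true").decode()
SAMPLE = ("C:\\Program Files\\Java\\jre1.8.0_291\\bin\\jp2launcher.exe "
          "-secure -javaws -vma " + VMA +
          " -ma QzpcVXNlcnNcWFhYWFhcRG93bmxvYWRzXHZpZXdlciAoMykuam5scA==")

if __name__ == "__main__":
    for token, args in decode_cmdline(SAMPLE):
        print(token[:12] + "...", "->", args)
```

The decoded arguments are what the on-the-fly analysis then inspects; a token that decodes to binary junk is dropped rather than forwarded.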
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>While analyzing large amounts of command lines we also noticed that many automated processes, part of CI/CD tools and scripts, contain cleartext credentials that can easily be dumped by adversaries to gain access to the network (MITRE ATT&amp;CK <a href="https://attack.mitre.org/tactics/TA0006/" rel="noreferrer" target="_blank">TA0006</a>, <a href="https://attack.mitre.org/techniques/T1552/" rel="noreferrer" target="_blank">T1552</a>). Passwords in command lines are visible in many tools that collect logs from the system, but also to anyone sharing the same system. This is a bad security practice that we tend to ignore because of technical constraints raised by network administrators.</p><p>With Centra we are now able to filter out all those command lines containing cleartext credentials and build, together with the network administrator, a strategy that replaces those cleartext credentials with a secure solution.</p>					</div>
					</div>
			</div>
			<div>
			<div>
				<div>
		<pre>
			<code>
				'cmdline': 'C:\\Program Files (x86)\\mRemoteNG\\PuTTYNG.exe -load management -ssh -2 -l root -pw XXXXX -P 222 10.0.2.192 -hwndparent 3017890'
			</code>
		</pre>
	</div>
			</div>
			</div>
			<div>
			<div>
							<div>
				<p><strong>Cleartext credentials in CMDline</strong></p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
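A filter for command lines that carry cleartext credentials, as an added example (not Centra's or the CSA team's code): it matches the flag and key=value forms that commonly carry a password, reports each hit once, and redacts the secret so the command line can be stored in a log or ticket. The PuTTYNG sample is the one shown above with its password already masked; the set of flags is an assumption and deliberately excludes ambiguous short flags such as -p.

```python
import re

# Flag and key=value forms that commonly carry a secret on the command line.
# Each pattern names a 'flag' group and a 'secret' group. Ambiguous short
# flags such as -p (port for ssh, password for mysql) are deliberately left
# out: handle those per tool rather than guessing.
CREDENTIAL_PATTERNS = [
    # PuTTY / plink / PuTTYNG: -pw <password>  (the case from the post)
    re.compile(r"(?P<flag>(?<!\S)-pw)\s+(?P<secret>\S+)", re.IGNORECASE),
    # long flags: --password <pw>, --password=<pw>, --pass <pw>, --passwd <pw>
    re.compile(r"(?P<flag>(?<!\S)--?(?:password|passwd|pass|pwd))(?:\s+|=)"
               r"(?P<secret>\S+)", re.IGNORECASE),
    # key=value forms: DB_PASSWORD=..., password=..., token=... in URLs/env
    re.compile(r"(?P<flag>\w*(?:password|passwd|pwd|secret|token)\s*=\s*)"
               r"(?P<secret>[^\s;&]+)", re.IGNORECASE),
]


def find_credentials(cmdline):
    """Return [(flag, start, end)] for every secret found. A secret span that
    overlaps one already reported (e.g. --password=x hits two patterns) is
    reported once."""
    found, taken = [], []
    for pat in CREDENTIAL_PATTERNS:
        for m in pat.finditer(cmdline):
            start, end = m.start("secret"), m.end("secret")
            if any(s < end and start < e for s, e in taken):
                continue
            taken.append((start, end))
            found.append((m.group("flag").strip(" ="), start, end))
    return found


def redact(cmdline):
    """Replace each detected secret with a placeholder so the command line can
    be logged or shared safely. Replacements run right-to-left so earlier
    offsets stay valid."""
    out = cmdline
    for _, start, end in sorted(find_credentials(cmdline), key=lambda t: -t[1]):
        out = out[:start] + "<REDACTED>" + out[end:]
    return out


# Constructed sample based on the PuTTYNG command line shown above.
SAMPLE = ("C:\\Program Files (x86)\\mRemoteNG\\PuTTYNG.exe -load management "
          "-ssh -2 -l root -pw XXXXX -P 222 10.0.2.192 -hwndparent 3017890")

if __name__ == "__main__":
    print(find_credentials(SAMPLE))
    print(redact(SAMPLE))
```

Hits from find_credentials are what you hand to the network administrator when building the replacement plan; redact is what the log pipeline should apply before anything is written to disk.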
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>Another MITRE Persistence technique that we capture with Centra is Local Accounts (MITRE ATT&amp;CK <a href="https://attack.mitre.org/techniques/T1136/" rel="noreferrer" target="_blank">T1136</a>). With this technique, adversaries may create local accounts to maintain access to victim systems. Local accounts are also configured by users, administrators and services for many reasons, such as remote support or service accounts. Local accounts are normally not governed by the domain security policies and are less monitored, which makes them favored by adversaries.</p><p>It is not only the local account that we are able to identify with the automated tools, but also the process that was run by this user. This information makes the investigation shorter and simpler, and dramatically reduces the time it takes to identify malicious activity.</p>					</div>
					</div>
			</div>
			<div>
			<div>
				<div>
		<pre>
			<code>
				Process: nc64
IP: 10.0.1.183
User: win2019tmp\administrator
Process_path: c:\users\administrator\desktop\netcat-win32-1.12\nc64.exe
Asset_ID: e10130d8-3833-487b-b7e1-c0cfdf9e7dc2
			</code>
		</pre>
	</div>
			</div>
			</div>
			<div>
			<div>
							<div>
				<p><strong>Local Account with a suspected process</strong></p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
					</div>
				</div>
	</div>
							</div>
				</div>
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>A simple attack technique whose detection we are also automating is masquerading (MITRE ATT&amp;CK <a href="https://attack.mitre.org/techniques/T1036/" rel="noreferrer" target="_blank">T1036</a>). With this technique, adversaries rename their malicious programs to look like a legitimate system program. That simple technique tries to evade many security tools that check the running process with a simple regex query on its name.</p><p>What we do is collect the disk and resource filenames of binaries together with their locations, compare them with where the legitimate program should reside, and then check the hashes of suspected files against external intelligence, like VirusTotal.</p>					</div>
					</div>
			</div>
			<div>
			<div>
				<div>
		<pre>
			<code>
				'file_path': 'C:\\System\\spoolsv.exe',
'file_hash': '8ed45e6605802ec66f0ef83f1c593811039de1be147881560b43a060b65eb560',
'request_time': datetime.datetime(2021, 5, 1, 23, 24, 58, 909000),
'client_id': '5a12f7d1-bbe3-445d-8f71-f6236b82cbc4'
			</code>
		</pre>
	</div>
			</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
			<div>
			<div>
							<div>
				<p><strong>ncat.exe masquerading as the legitimate system file spoolsv.exe</strong></p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
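The two checks described in the last two sections, masquerading and local accounts, as an added example that is not Centra's or the CSA team's code: the masquerade check compares a binary's name and on-disk location with where the genuine system binary should live, then consults a hash reputation table; the local-account check reads the authority part of a reported user. The expected-directory table and the hash reputation table are constructed stand-ins (the latter for the VirusTotal lookup), the file record is the spoolsv.exe one shown above, and its hash is treated as unknown, not as a verdict.

```python
import ntpath

# Where each well-known Windows system binary should live (lower-case,
# no trailing separator). Assumption: a short illustrative table; a real
# deployment would cover every core binary it cares about.
EXPECTED_DIRS = {
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Stand-in for the external reputation lookup (VirusTotal in the post). The
# entries are constructed placeholders, not real file hashes.
HASH_REPUTATION = {
    "0" * 64: "good",   # pretend: a genuine spoolsv.exe build
    "f" * 64: "bad",    # pretend: a known offensive/dual-use tool
}


def check_masquerade(record):
    """Flag a binary whose name is that of a system binary but whose location
    or hash does not match. Returns a list of reasons; empty means clean."""
    path = ntpath.normpath(record["file_path"]).lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and folder not in expected:
        reasons.append(f"{name} runs from {folder}, expected {sorted(expected)}")
    verdict = HASH_REPUTATION.get(record["file_hash"].lower(), "unknown")
    if verdict == "bad":
        reasons.append("hash matches a known malicious or dual-use tool")
    elif verdict == "unknown" and reasons:
        reasons.append("hash is not a known-good build; send it for lookup")
    return reasons


def is_local_account(user, hostname):
    """Users are reported as AUTHORITY\\name. When the authority is the host's
    own name (win2019tmp\\administrator on host win2019tmp) the account is
    local, i.e. outside domain policy, and worth a closer look."""
    authority, _, _ = user.partition("\\")
    return bool(authority) and authority.lower() == hostname.lower()


# Record from the post (path and hash as shown there); its verdict comes out
# 'unknown' because the reputation table above is constructed.
RECORD = {"file_path": r"C:\System\spoolsv.exe",
          "file_hash": "8ed45e6605802ec66f0ef83f1c593811039de1be147881560b43a060b65eb560"}

if __name__ == "__main__":
    print(check_masquerade(RECORD))
    print(is_local_account(r"win2019tmp\administrator", "win2019tmp"))
```

A path mismatch alone is enough to escalate; the hash lookup only decides how urgently, which is why an unknown hash in the wrong folder still produces a reason.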
	
			
					<div>
						<div>
				<div>
		<div>
						<div>
					
					<div>
						<div>
				<div>
		<div>
						<div>
					<div>
			<div>
							<div>
				<p>These are a few of many examples that show how we are automating traffic forensics, so we can free the security and IT teams for other tasks while decreasing the dwell time of malware and attackers in the network. It creates a solid visibility architecture and practice that strengthens our security posture and leaves us well prepared if an attack takes place.</p>					</div>
					</div>
			</div>
					</div>
				</div>
	</div>
							</div>
				</div>
	
					</div>
				</div>
	</div>
							</div>
				</div>
	
					</div>
					</div>
				</div>

Article Link: A Day in the Life of Guardicore’s CISO - Part II - Guardicore