Network Visualization &
Vulnerability Detection

07.

Vulnerability detection tools allows the administrator to view hidden vulnerabilities on the network. The automation of the detection tool saves time for personnel on researching CVE's and secure configurations for most nodes and services currently running.

Sample Documents

Creating a Home Security Lab

Step by step instruction to build a home security lab

Example Training Listing for a New Network Security Tool

New network tools require learning before and after use

Understanding TLS with Wireshark

An introduction of using Wireshark to see TLS traffic

TLS Protocol Implementation Table

Summary table from RFC5256, a look on secure TLS setup

Topic Examples

Thoughts how discovering vulnerabilities on the changing network boundary

Step by step instruction to build a home security lab

Thoughts on training requirements for a new security tool

Introduction to Network Visualization & Vulnerability Detection

Network visualization tools allows the security professional to map out the network and depict the enterprise's environment. The business can add more devices, departments, floors, or other branches, and the visualization tool can monitor the new connections and identify any problems. For managing nodes in a large geographic area, the visualization tool will automatically place nodes or group nodes to a map with geolocation.
 

Vulnerability detection tools allows the administrator to view hidden vulnerabilities on all nodes connected on the network. The automation of the detection tool saves time for personnel on researching CVE's and secure configurations for all devices and services currently running.  Good detection tools will offer remediation information on how to patch the vulnerability of the device or service.
 

Boundary protection tools and data security tools are equally important. Boundary protection tools like firewalls, ACLs, and multifactor authentication provide access to the correct users to the data according to need. Data security tools like encryption modules and data loss prevention (DLP) help protect the data when those boundaries are crossed.
 
Many of today’s networks include BYOD and mobile policies that may contain sensitive data when email and other applications are accessed. It’s important for the organization to have a plan to protect that data when the device is lost or stolen. The first industry that comes to mind are the fines placed on HIPAA regulated environments when unencrypted data is exposed. Using technologies to encrypt information in storage and in transit keep customers information secure.
 
Boundary protection is not 100% secure against a determine adversary. The tools used for boundary protection need to be patched, updated, upgraded, configured, and implemented correctly. One misconfiguration, botched update, or late patch will open the doors for intrusion. Encryption, DLP, and network monitoring tools are crucial barrier to hacks using 0-days that may involve the boundary protection mechanisms. Executives may hesitate to include encryption or DLP tools due to the cost, maintenance of keys, and increased processing time for customers.  Therefore, the data protection plan must be customized to the organizations unique architecture and use best practices when planning.

 
Spider Web

Building a Home Security Lab

Develop a security lab using Oracle's virtual box

 

Training a Team for IoT

The new training features for a security team are dependent on the technology challenges that IoT present and the features provided by the solutions.  To better illustrate these challenges and security features, I selected the DoD’s example of selecting ForeScout CounterACT for its IoT management solution (ForeScout, 2018a).  The C2C requirements for the DoD were the following:
 

  • Network-based discovery and classification of devices

  • Redundant manageability and control of devices

  • Orchestration with other mandated security technologies, such as the DoD’s Host Based Security System (HBSS) and Assured Compliance Assessment Solution (ACAS) – confirming these third-party tools are configured and functioning properly

  • Continuous monitoring of connected devices

  • Helps the DoD enforce its policies prohibiting personal and/or wearable devices or applications on DoD workstations and networks
    (ForeScout, 2018a)
     

Using the ForeScout CounterACT datasheets and guides, we can get a sense of the diverse types of trainings features to be learned by the team. Using the ForeScout IoT Solutions Brief, we see what needs to be learned by a security team by analyzing the “technical challenges”:
 

  • Discover unknown devices on the network in real time that do not include management agents

  • Validate device identities

  • Classify devices and determine their owners

  • Discover and fix IoT devices with weak or factory-default passwords

  • Continuously assess and monitor devices to determine anomalous behavior

  • Prevent infected or non-compliant devices from spreading malware across the network
    (ForeScout, 2017)


This list clearly shows the training that will be needed (with special attention to devices and protocols to nodes specialized to a particular industry).

discussion-pic-1_orig.png

(ForeScout, 2016a)

See this document for matching up tool capability to training requirements.

For further ideas on how to train for IoT in a Defense environment, one can look up a variety of STIGS for vendors used for IoT management. Appendix D of the Cloud Alliance Future-proofing the “Connected World: 13 Steps to Developing Secure IoT Products”

“The Defense Information Systems Agency (DISA) has a long history of providing Security Technical Implementation Guides (STIGs) for development teams to use in securing their products. One in particular that IoT product developers may find useful is the Application Security and Development STIG. This STIG provides guidance on development, design, testing, maintenance, configuration management and training” (CSA, 2016).

The online trust alliance have provided the following checklist for IoT devices:

discussion-pic-2_orig.png

(Otalliance.org, 2018)

The above checklist can be cross references with ForeScout’s CounterACT capabilities or device settings to develop an SOP for various IOT devices. The training would include a comprehensive understanding on how to navigate device settings and policy creation in the SIEM.
 

References
CSA. (2016). Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products.  Retrieved from https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
 

ForeScout. (2016a). ForeScout CounterACT Datasheet. Retrieved from https://www.forescout.com/wp-content/uploads/2015/12/ForeScout-CounterACT-Datasheet.pdf
 

ForeScout. (2016b). ForeScout ControlFabric® Architecture. Retrieved from https://www.forescout.com/wp-content/uploads/2015/12/ForeScout-ControlFabric-Architecture-Brochure-1.pdf
 

ForeScout. (2018a, March 12). U.S. Department of Defense Validates ForeScout for IoT Security. Retrieved from https://www.forescout.com/company/news/press-release/u-s-department-defense-validates-forescout-iot-security/

ForeScout. (2018b, April 10). ForeScout CounterACT® Administration Guide. Retrieved from https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_Administration_Guide_8.0.pdf
 

ForeScout. (2018c, May 7). ForeScout CounterACT® Installation Guide. Retrieved from https://www.forescout.com/wp-content/uploads/2018/05/CounterACT_Installation_Guide_8.0_050718.pdf
 

Otalliance.org. (2018c). THE ENTERPRISE IOT SECURITY CHECKLIST. Retrieved from https://otalliance.org/system/files/files/initiative/documents/enterprise_iot_checklist.pdf
 

 

Understanding and Implementing TLS

We can use the open source application WireShark to analyze TLS connections to a website.



 

The TLS protocol implementation recommendations are listed in RFC 5256, specifically “Appendix D: Implementation Notes”. Below is a summary table:

 

Understanding Botnet Command & Control (C&C)

The Spamhaus Botnet Threat Report of 2018 provides a great summary of emerging botnet trends. It appears they don’t rely on any unique methods other than using fraudulent sign-ups, using protected servers overseas, or compromising legitimate sites with vulnerability scanning software. According to the report, C&C listings increased by 32% in 2017 and more than a 90% increase since 2014.

“The statistics exclude botnet controllers that are hosted on the dark web (like Tor). The use of such anonymization networks by botnet operators became more popular starting in 2016 because the location of the botnet controller can’t be identified and hence a takedown of the server is almost impossible”

Solution: White list approach, block access to service except for users who need it (Spamhaus, 2018). Below are the common domains used for C&C comparing 2016 and 2017 totals:

discussionpic_orig.png

“It can be quite difficult for an ISP or hosting provider to prevent the compromise of a customer’s server or website, since these are often fully under the control of the customer. In fact, many servers and websites are running outdated software, which makes them vulnerable to many attacks from the internet. It is an easy task for a cyber criminal to scan the internet for servers or websites that are running outdated or vulnerable software. Some of the most popular open source content management systems (CMS) like WordPress, Joomla, Typo3 or Drupal are especially popular targets, due the high number of poorly maintained installations of these packages.”
 

Solution: Proactive ISPs and hosting providers to use newer tools and methods to track down outdated software and monitor C&C traffic (Spamhaus, 2018).
 

The most interesting Botnet found during the research was the Hide ‘N Seek IOT Botnet reported by Bitdefender:
 

“The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it. The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities against networking equipment).”
 

“The bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It then initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the request on specific destination ports (23 2323, 80, 8080).”
 

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”
 

“The discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion” (Botezatu, 2018).
 

How do you think we can prevent C&C in general? Also, on the topic of anonymity, do you think a new method can be produced in order to track down Botmasters?
 

In that Spamhaus report I mentioned they suggested:
 

  • “hope that cloud hosting providers will speed up and increase their abuse desks to not only respond to abuse problems in time but also to take preventive measures to battle fraudulent sign ups.”
     

  • “we recommend network owners to block traffic to anonymization services like Tor by default and provide users who want or need to access to services the possibility to ‘Opt-In’“
     

  • “we would like to see Registries and Registrars taking their responsibility by implementing appropriate mechanisms to prevent fraudulent domain registrations. For example, it is embarrassing that botnet operators are able to register DGA botnet controller domains under their account again and again while the sponsoring domain name registrar is not taking action against the offensive account.”
     

Additionally, from the nature of botnets, an international coalition will be needed to track and trace the botnets in a timely fashion. This is important as botnets often grow exponentially in a very short period of time. It wouldn’t be any more different than tracking international hackers.
 

It appears if we look at the rise of crypto currency and botnets there is a strong correlation.  Do you agree?


Coindesk reported a large botnet for Monero coins:
 

“More than half a million machines have been hijacked by a cryptocurrency miner botnet, forcing them to mine nearly 9,000 monero tokens (worth roughly $3.6 million), according to a new report” (Milano, 2018).
 

In another crypto related botnet, Duo security found the following botnet on twitter:
 

Using knowledge of how Twitter generates user IDs, we gathered a dataset of 88 million public Twitter profiles consisting of standard account information represented in the Twitter API, such as screen name, tweet count, followers/following counts, avatar and description.
 

  • As API limits allow, this dataset was enriched with both the tweets posted by accounts, as well as with targeted social network information (follower/following) information.
     

  • Practical data science techniques can be applied to create a classifier that is effective at finding automated Twitter accounts, also known as “bots.”
     

  • A case study detailing a large botnet of at least 15,000 bots spreading a cryptocurrency scam. By monitoring the botnet over time, we discover ways the bots evolve to evade detection.
     

  • Our cryptobot scam case study demonstrates that, after finding initial bots using the tools and techniques described in this paper, a thread can be followed that can result in the discovery and unraveling of an entire botnet. For this botnet, we use targeted social network analysis to reveal a unique three-tiered hierarchical structure.


References
 

Botezatu, B. (2018, January 24). New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild. Retrieved from https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/
 

Milano, A. (2018, February 2). Botnet Infects Half a Million Servers to Mine Thousands of Monero. Retrieved from https://www.coindesk.com/botnet-infects-half-million-servers-mine-thousands-monero/
 

Wright, J., Anise, O. (2018, August 6). Don't @ Me: Hunting Twitter Bots at Scale. Retrieved from https://duo.com/blog/dont-me-hunting-twitter-bots-at-scale
 

Spamhaus. (2018). Spamhaus Botnet Threat Report 2018. Retrieved from https://spamhaus-cdn.s3.amazonaws.com/uploads/2018/07/REPORT-Botnet-Threat-2018.pdf