Threat Intelligence Archives

Learn how Adlumin’s Threat Research Team is dissecting emerging threats and providing invaluable insights that empower organizations to proactively defend against ever-evolving cyberattacks.

The Science of Cybersecurity and The Human Element

July 12, 2022/in Blog Post Kevin O’Connor/by Adlumin Staff

By Kevin O’Connor, Director of Threat Research at Adlumin, Inc.

The “Human Element” of cybersecurity is often one of the most challenging aspects to manage when considering the defense of a network. At Adlumin’s Threat Research group, we work to merge the science of cybersecurity with the mindset of how users and threats engage with Information Technology (IT) systems. Let’s dive deeper into how the human element manages both the defense of networks and the threat against them.

Defense

The most evident area where the Human Element plays into the defense of IT systems is anywhere there’s user interaction with the system, which has a security-relevant context. Users need not only to be trained on how to use their system – but also on the basics of end-user cybersecurity to prevent simple attacks like drive-by-downloads and attachment-based malware.

Phishing

One of the biggest threats facing the human-machine interface is phishing. The U.S. Department of Homeland Security’s Computer Information Security Agency (CISA) says that “phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization [or source].” While true, what’s missing in this definition is that phishing attacks are one of the most popular ways attackers will gain access to a user’s system through malicious attachments, such as macro-enabled malware or malicious links, to gain a foothold in a targeted network.

Defending Against Phishing

Technical controls exist which can help mitigate the threat of phishing-related attacks. Email filtering appliances/applications can automate the heavy lifting of denying known-bad actors that have engaged in more extensive and previously seen campaigns. The further application of machine learning in the message content is also promising. From there, security administrators can implement controls to scan or block attachments or mitigate specific technical vulnerabilities like macro-based malware by disabling macros or denying permissions to run downloaded attachments or other ‘online’ sourced software.

Getting closer to the human element controls that require users to participate in opening links actively can help. To avoid users accidentally clicking on a malicious link, applications like Outlook can disable links in emails requiring the user to manually copy and paste links from their email into their browser to visit sites ($LINK). This extra step can go a long way in getting the human behind the keyboard to think about the site they’re going to.

But these controls are either; incomplete, limiting, or require some level of user participation. Without proper training on identifying phishing and malicious emails, users can still fall prey to craftily composed messages or spoofed or compromised accounts from legitimate senders. The risk stemming from this human element-based threat must be mitigated through training, monitoring, continual awareness, and testing. Adlumin partners with KnowBe4, which offers user training, and we’ve integrated KnowBe4 phishing capabilities into our platform ($LINK).

Credential & Business Email Compromise

Another human element in cybersecurity that needs consideration is the Credential and Business Email Compromise (BEC). The FBI says Business Email Compromise is

“One of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.”
FBI, 2020

The risks BEC and other account compromises have to a business are potentially devastating. The FBI’s Internet Crime Complaint Center (IC3) reported $43 billion in cost between June 2016 and December 2021 (IC3, 2022 Business Email Compromise).

Credential and Business Email Compromise can be costly and is an evolving threat, with IC3 also reporting that there’s been an introduction and then an increase in the use of Virtual Meeting Platforms in conducting the attack (IC3, 2022 Business Email Compromise: Virtual)

These are often fundamentally human-centric attacks relying on combinations of social engineering or stolen credentials to bypass the need for in-depth technical exploitation or gain an initial foothold against a target network or business.

Defending Against Credential & Business Account Compromise

Technical controls can help mitigate credential compromise or BEC, including implementing 2-Factor Authentication wherever possible. Mandatory password expiration can also limit the time an exposed account or credential can be used for malicious purposes.

Logging, monitoring, and Auditing user accesses can help identify potential cases of account compromise by looking at the user’s typical activity and alerting or taking Security Orchestration Automation and Response (SOAR) action when there’s abnormal or suspicious activity. Adlumin is an example of a Managed Detection and Response (MDR) platform that can help identify and act on such malicious activity. Adlumin uses machine learning algorithms for User & Entity Behavior Analytics (UEBA) to help detect and respond to illicitly used credentials and accounts. Adlumin will monitor, track, and alert on expired credentials and accounts.

Another vector for credential compromise and BAC is through Darknet and other public data breaches and account/credential dumps. As a Human Element, users often reuse passwords across multiple accounts or will use business emails (and possibly shared passwords) on platforms that are then compromised. These compromised credentials can be a great source of intelligence for attackers, potentially giving them validly credentialed access to the compromised account. Defending against this, tools like Adlumin’s Darknet Exposure Module can monitor for exposed credentials on the Darkweb and alert or take immediate SOAR action before attackers can exploit them.

Sources:

Computer Information Security Agency, CISA (2022, August 25). Security tip (ST04-014). CISA. Retrieved June 10, 2022, from https://www.cisa.gov/uscert/ncas/tips/ST04-014

FBI, Federal Bureau of Investigation (2020, April 17). Business email compromise. FBI. Retrieved June 10, 2022, from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise

Internet Crime Complaint Center, IC3 (2022, February 16). Business email compromise: Virtual meeting platforms. Business Email Compromise: Virtual Meeting Platforms. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220216

Internet Crime Complaint Center, IC3 (2022, May 4). Business email compromise: The $43 billion scam. Business Email Compromise: The $43 Billion Scam. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220504

What is Cisco Duo? Here's What You Need to Know

June 29, 2022/in Blog Post Massie Hussaini/by Adlumin Staff

Adlumin is pleased to announce an integration with Cisco Duo. Duo is the leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo’s solution verifies the identity of users and the health of their devices before granting them access to applications, helping prevent cybersecurity breaches.

Duo provides secure access to your applications and data, no matter where your users are – on any device, from anywhere. Duo’s adaptive Multi-Factor Authentication (MFA) creates trust in users, devices, and the applications they access. Cisco, one of the largest networking and communications suite of security products, provides a different suite of protection that is being added to the Adlumin product. Below is a view of a sample alert from Cisco Duo:

Adlumin’s integration with Duo allows users with a Duo account to import their authentication events into Adlumin’s centralized security system. This automatically provides machine learning-based threat analysis, incident management, custom threat detection filters, geolocation reports, and more. Our integration queries the public Duo API endpoint every 15 minutes for authentication logs, pulling data such as usernames, hostnames, IP addresses, authentication devices, and more.

Continuous Vulnerability Management - Complexities of the Remediation Process

June 14, 2022/in Blog Post Miguel Hablutzel/by Adlumin Staff

The Center for Internet Security (CIS) describes Continuous Vulnerability Management as “a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.”

Cyber defenders must have timely threat information about software updates, patches, security advisories, threat bulletins, etc. They should consistently review their IT environment to look for these vulnerabilities before cybercriminals do.

Managing and understanding vulnerabilities is a continuous activity, requiring the focus of time, attention, and dedicated resources.

Organizations face challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, while not impacting the enterprise’s business or mission.

Often, remediating vulnerabilities requires expertise beyond the deployment of a simple patch.

For example, a configuration change and deploying a patch to remediate the Spectre/Meltdown vulnerability are required. Also, vulnerabilities need different types of patches- for example, some need an update to a customer software or a registry key change without a patch.

Researching, understanding, and mapping the vulnerabilities to the remediation actions are complex and time-consuming tasks. Many organizations fail to complete this process quickly and efficiently because they don’t have an expert and dedicated team that can map the vulnerabilities to the proper remediation and, at the same time, evaluate the potential operational risk introduced by changes to the environment.

Organizations can minimize operational risk by moving towards a proactive remediation approach. This approach demands selecting the right vulnerability management solution that will deliver the capability to streamline the remediation process by automatically mapping the vulnerability to the correct patch(es) required in your specific environment.

Additionally, the solution should also streamline the application of patches for compliance by creating a zero-touch patch job to automate vulnerability remediation based on criteria that apply uniquely to your organization. This should reduce operational risk and remediation time, helping security teams align with regulatory and internal security policies.

Finally, the solution must make sure that endpoints are quickly and consistently patched, via the cloud, regardless of their location or connection to an organization’s network, which reduces the cost of securing a primary vector of attack. Eliminating the need to go over VPN for patching can save time and significantly reduce costs.

Threat Intelligence: The Human Element of Cybersecurity

June 9, 2022/in Blog Post Brittany Demendi/by Adlumin Staff

In today’s cyber world, full of uncertainty and constantly evolving threats and data obligations, have you ever wondered, “how can my organization protect itself against the unknown?” The quick answer to that question is threat intelligence, the human element that leverages cyber intuition and honed investigation skills to pre-empt attacks. Threat intelligence is actionable, timely, and provides context to threats. Let’s delve into the details and better understand all that threat intelligence has to offer the industry.

What is Threat Intelligence?

Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This cyber modus operandi helps analysts understand the tactics used by adversaries and identify signs or signals of their unauthorized presence in a target environment. In fact, it helps cyber analysts identify likely future targets by understanding their motivation, transferrable phishing campaigns, and other tools that could be applied from one target to another. For example, a campaign that uses stolen lawsuit information to target law firms could be modified to target healthcare organizations by using stolen malpractice litigation documents.

This knowledge and understanding of the adversary can prevent future attacks by helping organizations to develop defenses based on likely attack scenarios. In essence, threat intelligence is a way to proactively defend your organization and remain a few steps ahead of cybercriminals. It’s not a crystal ball, but it could be a money ball approach to cybersecurity.

Threat intelligence professionals threat hunt by proactively searching for suspicious activity indicating malicious or network compromise. It is often a manual process backed by automated searches and existing collected network data correlation. Other prevention and detection methods can only detect known and categorized threats. Below are some requirements for a threat hunting tool:

Practical Threat Hunting Tool Requirements:

Proactive threat hunting quickly establishes itself as a critical pillar in security strategies and ensures situational awareness that other methods do not offer. This approach requires the expertise of cybersecurity professionals who can draw from the knowledge of a system’s specific functionality and connectivity. In addition, they understand the attacker’s tactics, techniques, and procedures (TTPs) and capabilities to expose potential attacks and compromises. For additional context, below are a few threat intelligence challenges and benefits:

Threat Intelligence Challenges

Threat Intelligence Benefits

Who Should Invest in Threat Intelligence?

Threat intelligence adds value across security functions for companies of all sizes. When threat intelligence is integrated into an organization’s IT team, it can assist with adequately prioritizing and helping with incoming threats. Threat intelligence provides external insights and context when accurately prioritizing essential vulnerabilities. It also provides context around threat actors’ TTPs. Fraud protection, risk analysis, and high-level security processes become enriched by understanding threat intelligence’s high-level security knowledge.

Proactive threat intelligence and hunting require 24/7 continuous scanning, which is typically a challenge for organizations that struggle to source the right talent or have a low budget. A standard cost-effective solution can be to outsource the skill and expertise needed.

Move Beyond Automation: Take Charge

In today’s world, adding threat intelligence to your cybersecurity strategy is no longer a luxury; it is a necessity. It’s said to be the way of the future for detecting and responding to advanced threats. Threat intelligence assists with lowering cybercrime and data breach costs. There is a significant cybersecurity transformation, and organizations can’t be waiting around to be attacked anymore. The key is adding elements that strengthen your organization for battle— the human element within threat intelligence. Taking charge is more than a suggestion; it’s a critical move that, if not made correctly, will result in irreversible damages to pay.

The Ransomware Threat and Trends

June 8, 2022/in Blog Post Kevin O’Connor/by Adlumin Staff

At Adlumin, we are constantly monitoring trends in malware and the capabilities used by threat actors to attack customer networks. Ransomware poses a unique threat to customer environments and businesses as attackers’ use of the technique continually evolves and spreads while payouts increase.

The Threat

Ransomware is a popular method of computer network exploitation, extortion, and a potentially big payday for cybercriminals. In a ransomware attack, malware specializes in detecting local and network-shared user files and then encrypting the victims’ data implanted on a device. Once encrypted, unless there are unaffected backups, the user’s documents and data are rendered inaccessible and unreadable. That is until the victim pays up. Ransomware attackers set up payment portals through the clear, dark web and the bridges between them so that victims can ‘conveniently’ make an online payment to decrypt their files and access their data.

Foundations

While the widespread use of ransomware targeting businesses for financial gain is relatively new, modern examples started to trend in the mid-2000s and picked up in 2013– the first examples can trace their roots back to the 80s – decades before modern times, payment methods like cryptocurrencies existed. In 1989 Joseph Popp authored and deployed the “AIDS Trojan”. This first-of-its-kind malware hid the user’s files, encrypted their names, then displayed a message demanding a $189 payment to “PC Cyborg Corporation” to receive a repair tool under an expired software license. It’s worth noting that this early ransomware sample was vulnerable to extracting the decryption keys from the sample as it used symmetric encryption to encrypt the files. This meant that the same key was used to encrypt and decrypt data which had to be handled by the malware to encrypt the files.

By the mid-90s, researchers had introduced the idea of using public-key cryptography to enable ransomware’s encryption of data without the need to store the decryption keys in the malware, leaving it vulnerable to reverse engineering and key-recovery-based remediation. This was a critical step in the attacker’s ability to ensure decryption keys couldn’t be recovered reliably, and ransomware remained a profitable problem.

In 2006, multiple public-key enabled ransomware families caused trouble in networks worldwide. These attacks weren’t typically pointed at individual targets and often spread through file-sharing platforms. By 2009 ransomware variants had shifted to using secure 1024-bit RSA-driven encryption implementations, which essentially prevented the ability to recover decryption keys through static analysis.

In 2013 ransomware began its modern popularity with the explosion of the CryptoLocker malware. CryptoLocker propagated through a botnet or as an attachment to an email message which appeared to be sourced from a legitimate company. The ZIP file attached to the message contained a Window’s executable disguised as a PDF by changing the executable’s icon. CryptoLocker used public-key encryption to ensure the decryption key was only hosted on the malware command and control server. When paired with strong key strength and algorithms, decryption by means other than payment is impossible. The malware would encrypt files across the local and mapped network drives targeting only specific file extensions such as those associated with Microsoft Office Suite, documents, and images.

Since CryptoLocker, hundreds of ransomware families and variants have been introduced to networks worldwide. Locky followed as a spiritual successor to Crypto lockers; WannaCry affected networks globally and leveraged a zero-day to spread relentlessly across a network, bringing organizations like the British NHS to their knees. Ryuk appeared in 2018 and targeted specific organizations and industries for their deep pockets and ability to pay. Ryuk led to Conti, which recently announced its support of Russia and threatened to deploy “retaliatory measures” if cyberattacks were launched against the country in response to the 2022 Russian invasion of Ukraine. As these attacks grow, we’ve seen considerable impacts on business and industry, such as in the 2021 Colonial Pipeline attack, which led to the shutting down of control systems and oil delivery pipelines, leading to increased prices and limited availability, and panic-buying.

Trends

Adlumin’s Threat Research group has identified two primary trends in ransomware that increase the risk associated with ransomware attacks: the continued shift to ransomware-as-a-service (RaaS) and the growth of data-exposure driven double-extorsion models. These trends represent a widening in ransomware capabilities and prevalence and a decrease in an organization’s ability to control a breach.

Ransomware-as-a-Service (RaaS)

Ransomware as an attacker methodology has grown from initial custom development of tools for individual exploitation campaigns to large-scale availability as a commodity product with the sale of ransomware capabilities taking place on clear and darknet markets. Ransomware capabilities are now available for sale or lease, decreasing the technical capability required to conduct these attacks and lowering the barrier to entry for would-be attackers.

These capabilities can range from costing as little as $20 to thousands depending on the ransomware’s; capabilities, the scope of allowed usage, detection mitigations, automation, exclusivity rights, and inclusion of management or victim portals.

Ransomware has moved from a tailored and unique exploitation method to a pay-for-play access model.

Data Breach & Double-Extortion

Globally, ransomware groups and attacks have started to incorporate more direct extorsion methods – shifting from pay-for-decryption to a combination methodology involving the potential release of stolen, often sensitive, data. To ensure payout from victims, attackers have had to mitigate the impact increased defenses and updated cyber best practices have had on ransomware.

A defensive shift in segmenting devices and services to prevent lateral infection and the ability to restore from otherwise unaffected backups on non-critical systems have lessened businesses’ potential need to pay ransom to recover from an attack. To ensure their operations remain profitable, attackers have begun stealing data from companies and ransoming the possible public release of the stolen data. Such data might include customer PII, payment information, or business secrets – and public release of that data may have severe reputational, business, financial, and regulatory impacts on the affected business, further increasing the cost of a single breach.

This data exposure or “Double Extorsion” tactic means the attackers can choose to require two ransoms – one to decrypt the data and another to delete the data stolen before encryption. The potential release of data is an intense pressure to pay for victims who may not even know what information was stolen.

Explosive Growth

Ransomware as an attacker capability and exploitation method has experienced explosive growth since the introduction of cryptocurrency payments and continued profitable attacks. According to the FBI’s Internet Crime Complaint Center (IC3), CISA reported, ransomware incidents continue to rise, with 2,474 incidents reported for all of 2020 and 2,084 complaints between January and July of 2021 alone, a doubling of reported incidents. The cost and ransom amount have also grown with a 225 increase in ransom demands, and victims are on track to hit over $40M in losses.

What You Can Do

Your business or organization isn’t helpless in preventing ransomware attacks and limiting their impact when they make it past defenses. In a joint 2022 release by cybersecurity authorities in the United States, Australia, and the United Kingdom which included the FBI, the Cybersecurity and Infrastructure Agency (CISA), and the National Security Agency (NSA) – authorities recommended multiple best practices for protecting your network:

Keep all operating systems and software up to date If you use RDP or other potentially risky services, secure and monitor them closely. Implement a user training program and phishing exercises Require MFA Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth. Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud. Segment Networks help prevent the spread of ransomware by controlling traffic flows between – and access to – various subnetworks by restricting adversary lateral movement. Implement end-to-end encryption, which can prevent eavesdropping on communications, which, in turn, can prevent cyber threat actors from gaining insights needed to advance a ransomware attack. A network-monitoring tool identifies, detects, and investigates abnormal activity and potential traversal of the indicated ransomware. Document external remote connections. Enforce the principle of least privilege through authorization policies. Reduce credential exposure. Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage. Maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure Collect telemetry from cloud environments

Follina: A New Microsoft Office and Windows Zero-Day Vulnerability

June 7, 2022/in Blog Post Kevin O’Connor/by Adlumin Staff

On Friday, May 27, 2022, a new zero-day remote code execution vulnerability was reported by security researcher “nao_sec” on Twitter. Validated by the community and given the Common Vulnerabilities and Exposure (CVE) designation CVE-2022-30190, the vulnerability dubbed Follina, takes advantage of a flaw in Microsoft Office. It allows attackers to call the Microsoft Support Diagnostics Tool (msdt.exe) to launch malicious executions, including PowerShell commands.

The vulnerability has been confirmed as present and effective against Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 and affects the following operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It leaves most combinations of Office and Windows susceptible to exploitation and should be assumed that all versions of Office are vulnerable.

Technical Details

Follina was first observed as active in the wild and took advantage of a flaw in Microsoft Office and Windows, which allows for arbitrary remote code execution giving attackers potential control of the victim’s machine. Unlike traditional Microsoft Office-based attacks, which typically leverage document macro functionality to gain execution—a generally mitigated strategy—Follina takes advantage of Office’s remote template feature to gain initial execution.

The office template feature allows the infected file to retrieve a remote HTML file containing JavaScript code that executes malicious code in the command line using the Microsoft Support Diagnostics Tool (MSDT / msdt.exe). As a result, PowerShell scripts are typically run at the opening user’s privilege level, allowing the attacker to modify, view, or destroy data and install additional programs and malware.

Detection, Defenses, and Mitigations with Adlumin

Adlumin allows security administrators to collect and query security-relevant logs from multiple sources, including network endpoints and process executions. Using this capability, we can develop a query to look for potential instances of exploitation of this vulnerability.

The exploitation of Follina / CVE-2022-30190 should create multiple recorded artifacts, which can be searched to see if the vulnerability has been used in a network. To query for these instances, we can search for endpoint process executions where the parent process is a Microsoft Office product and the child process launched by it is the process msdt.exe or sdiagnhost.exe.

Adlumin stores historical customer data to identify if this vulnerability was leveraged months before the exploit was publicly released. Searching the data set, Adlumin’s Threat Research team could not find any examples of exploitation among our customers.

Defenses

At the time of the vulnerability’s disclosure to the public, there was not, and still is no, official patch from Microsoft to address the vulnerability. Microsoft has come forward recommending disabling the MSDT URL protocol as potential mitigation to the vulnerability.

Disabling the MSDT URL Protocol

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links through the operation system. The following steps will disable the MSDT URL protocol protecting systems from the Follina vulnerability:

Run Command Prompt as Administrator
Backup the registry key:
- reg export HKEY_CLASSES_ROOTms-msdt backup
Delete the following registry key:
- reg delete HKEY_CLASSES_ROOTms-msdt /f

Additionally, Microsoft recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission to help quickly identify and stop new unknown threats. Microsoft Defender for Endpoint customers can enable attack surface reduction by setting the rule for “Block All Office applications from creating child processes” (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a).

Continuous Monitoring

Adlumin recommends using a Continuous Vulnerability Management product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. The Continuous Vulnerability Management software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place.

Adlumin also recommends leveraging our managed security services product to continually search and alert for suspicious executions, which may result from the exploitation of the vulnerability.

Dive deeper into the Follina vulnerability – read Adlumin’s latest customer use case here.

Look Out for Golden Tickets

May 26, 2022/in Blog Post Josh Beach/by Adlumin Staff

In the book Charlie and the Chocolate Factory, a young boy receives a “golden ticket” that provides him access to Willy Wonka’s chocolate factory. In a cybersecurity context, a Golden Ticket attack means a cybercriminal has gained access to an organization’s entire Active Directory (AD) domain for up to 10 years. As the name and description suggest, these attacks can be devastatingly invasive and leave a network at the attacker’s mercy for long periods of time.

A core concept in the mechanism of these attacks is the Kerberos Key Distribution Center (KDC). The KDC functions as a trusted third-party authentication service as part of every domain controller within an AD. Kerberos grants a Ticket Granting Ticket (TGT) to prove recent authentication, allowing users to access resources without constantly reauthenticating.

Kerberos

The user requests a TGT from the Authentication Server encrypted with the user’s password to access a resource.
Kerberos checks for user access rights and prepares a TGT and session key, including a timestamp to dictate the duration of a session is valid. Before being sent, the TGT is encrypted with the KRBTGT password hash (this is shared amongst all the domain controllers in the AD).
The user then requests a service granting ticket with the TGT they received.
The Ticket Granting Service (TGS) then verifies this request using the TGT and returns a service ticket and session key for the requested Resource Server.
The user sends a request with this ticket and session key to the Resource Server.
The Resource Server verifies the ticket and session key match and then grants access, thus providing mutual authentication.

The Attack

During a Golden Ticket incident, attackers bypass steps 1 and 2 in the above example and forge the TGTs themselves. Forging TGTs can be done manually but is commonly done using an exploitation software called mimikatz, which needs four information parameters to forge a TGT convincingly:

Domain name
Domain Security Identifier (SID)
An account with ‘Replicating Directory Changes All’ and ‘Replicating Directory Changes’ privileges enabled (typically admins)
The KRBTGT Password hash

Assuming parameter 3 is met, the other parameters can be gathered by simple PowerShell commands and mimikatz. Running the whoami /user command, using the account provides an attacker with the domain name and domain SID. Running a DCSync attack with mimikatz will lead to the KRBTGT password hash. Mimikatz can then use this information to generate a Golden Ticket. An attacker can then access network resources as a domain administrator on any account within the domain.

Adlumin Defense

Golden Ticket Attacks are hard to detect because there are many ways to gather the above parameters beyond the standard technique. Adlumin Data Science takes a practical approach to build a defense – instead of tracking an attacker’s journey to obtaining fake credentials, parsing Windows event logs for end-result signatures of a Golden Ticket attack can be more fruitful. For example, attackers will look to obfuscate their activity by reusing an existing SID with an account that may or may not have an account name similar to that of the original SID owner. Thus, evidence of SID duplication can be a warning sign.

Adlumin Data Science is developing a suite of alerts based on attack signatures like the one mentioned above—being holistically deployed as a comprehensive defense against Windows authentication exploits. Watch our announcement forums for more on this soon.

Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.

Remote Work in 2022: Cybersecurity Risks and Challenges

May 12, 2022/in Blog Post Kevin O’Connor/by Adlumin Staff

An increasingly remote workforce spurred by the COVID-19 pandemic has brought changes to the information security landscape. Users have shifted from working in carefully constructed walled gardens to café hotspots and home networks with no security assurances. Adlumin’s Threat Research group outlines some of the new and rising challenges of increased Remote Work adoption in the security landscape.

Increased Attack Surface

Every additional web application or service introduced to an environment increases businesses’ risk and attack surface. The increased risk and potential threat of any added service should be tied to the service’s permissions and role in the network. Many applications introduced to support remote work requirements would be categorized as high-risk introductions to a typical network. Virtual Desktop Interface (VDI) solutions, Remote Desktops, Virtual Private Networks (VPNs), and other remote access solutions are critical to many Remote Work architectures. Typically, they are associated as high risk due to their attractive accesses, permissions, and location in data’s lifecycle.

Administrators and security staff must ensure that all internet-facing devices are patched promptly. They should regularly monitor the systems logs, accesses, connections, and behavior to ensure its security. Additionally, it is essential to continually monitor the organization’s web exposure to ensure that only documented and secured services, not malicious backdoors, or outdated products, are associated. (Note: Adlumin offers Adlumin Perimeter Defense, which gives you insight into your network from an attacker’s perspective.)

User Origin Tracking

Gone are the days of employees working out of a single central office with a sprinkling of branch offices and remote sites diversifying the network’s architecture. Modern remote work requirements include supporting remote employees on a state, country, or globally diverse level.

The mentioned techniques are the processes of monitoring for suspicious traffic by geolocating access and login requests. Requests are compared to a baseline or set of rules which can alert to potentially malicious access indicated by a remote endpoint connecting or acting from outside the business’s pre-defined operating area. The expansion of the security domain complicates but does not prohibit user origination tracking and access origination monitoring and alerting.

To overcome the challenge of manually creating alerting mechanisms for logins outside a central office or branch location, more complex machine learning algorithms are required to learn about a user’s access behavior over time. This includes continually analyzing a user’s current and historical access location, behavior, and relationships in the network to draw conclusions beyond an endpoint’s origination. (Note: Adlumin User & Entity Behavior Analytics (UEBA) – Adlumin uses proprietary UEBA data science to identify, detect, analyze, and prioritize anomalous behavior—without any input from your cybersecurity team—that will likely present a risk to your network’s security in real-time)

Crossing Security Domains – Split Tunneling and Introduction of Remote Endpoints

Removing endpoints into your business network can bring additional risk through added surface area and exposure. The usage of split tunneling in Virtual Private Networks (VPNs) and the abstracted idea of letting a device live in two security domains or jump between them is an added risk. Split tunneling is an example concerning just network traffic related to VPN access, whereby some traffic is routed securely to the business network. In contrast, other traffic routes to the local network or internet. This creates a potential vulnerability where a device is bridging a trusted and untrusted network, potentially linking the security domains. This same potential vulnerability can be abstracted to any device or user access to a business application from networks or sources that cannot always be trusted.

Administrators and security staff must ensure that any systems matching this pattern, such as business-owned and issued laptops used in remote work situations by connecting to the business through an employee’s local home intranet, are secured. This involves strong log management and analysis, aggressive patching, endpoint protection products, and security-oriented architectures.

Data in Transit

With a partially or fully remote workforce accessing business assets from locations distant to hosted infrastructure, businesses are forced to send data that was once transiting dedicated ethernet connects and leased fiber MPLS circuits over untrusted infrastructure. From coffee shops or home wireless networks to cellular-based-access and remote data centers, modern remote access requirements are diverse and may change for users regularly.

Nearly all remote services supporting remote work require sending sensitive data across unmonitored, unmanaged, and potentially hostile networks. Rooted in applications requiring high reliability, network routes that traffic takes from the remote user to the business are dynamic, difficult, or impossible to predict or manage. They are often subject to interception by arbitrary service providers and attackers.

In a recent February 2022 attack suspected to be of Chinese origin, the routing protocol used to direct traffic over the internet was abused. As a result, traffic was validly routed to transit locations thought friendly to attacker intercept and inspection¹. This technique isn’t new and has been used by multiple nation-state attackers and e-crime organizations alike since at least 2004.²In addition to threats from APTs and eCrime actors, ISPs along the transit route, which can’t be controlled, also can inspect, or inject network traffic.³

To help mitigate the risks of sending business data over untrusted infrastructure, a business should consider at least one layer of encryption mandatory for all business traffic. This can be provided at the application level, commonly through TLS/SSL, or at the transport layer through IPsec and TLS VPNs. Businesses should also consider layering encryption to provide a double-wrapping of sensitive traffic. Such as requiring remote web applications to only be accessible over an IPsec-backed VPN connection layered with an HTTPS TLS/SSL back connection to the remote resource. When possible, businesses should diversify the encryption algorithms and supporting libraries and implementations to ensure that a single vulnerability or compromise does not expose data. (Note: Adlumin supports ingestion of security logs from VPN appliances and firewalls)

Data At Rest

Even when paying careful attention to implementing secure remote access, some critical business data related to IT or other sensitive operations is left locally stored on the device. Outside of the most stringent thin-client solutions and implementations, users will typically have locally stored data on their business device and, at a minimum, will typically have some sensitive data stored in its internet, application, and memory caches. Data could include sensitive business information, customer, or employee PII, chats, emails, credentials, and accounts.

To ensure data at rest remains protected, organizations should adopt Full Disk Encryption (FDE) policies backed by secure implementations and encryption algorithms. Most operating systems now support native full disk encryption solutions, including Windows through BitLocker, MacOS through FileVault 2, and Linux through dm-crypt with LUKS (Note: Adlumin supports ingestion and alerting of logs related to FDE features)

What happened?

Bob is an employee of Business Bank who recently shifted many of its onsite staff to a work-from-home setup with a company-owned laptop. Bob has a home computer with an out-of-date antivirus and several update cycles behind.

His home computer gets infected with malware, and an attacker leverages his home machine to stage an attack against the Business Bank laptop over an SMB vulnerability. The next time he connects his laptop to Business Bank’s internal network through the VPN connection, a ransomware attack is launched against the domain.

Future Prevention Method

In this case, Business Bank could have saved itself by implementing tighter security controls and monitoring. In addition to modifying its host-based access policies to restrict inbound traffic not required to establish the VPN connection, it should have implemented a monitoring solution and SIEM to identify the abnormal connection from Bob’s home computer.

Ransomware Protection Suite: Adlumin’s Method to Combatting Madness

April 29, 2022/in Blog Post Massie Hussaini/by Adlumin Staff

Ransomware attacks are increasing by the day, and they’re wreaking havoc across a range of industries. Adlumin has launched the beginning of its Ransomware Protection Suite of products: The Ransomware Self-Assessment Tool (R-SAT). During the early days of COVID-19, which provided new opportunities for attackers, ransomware attacks surged. According to Statista, “ransomware attacks experienced annually by organizations have been on the rise since 2018, peaking at 68.5% in 2021.”

Ransomware is a type of malware designed to encrypt files on a device, making any files and systems that rely on them unusable. When a cybercriminal maliciously encrypts confidential files within an organization’s system, a subsequent monetary demand and payment must ensue before the perpetrator releases the information back to the organization.

R-SAT helps institutions, regardless of size, assess their level of information security, recognize gaps in that security and measure their ability to mitigate the possibility of a ransomware attack. Understanding the vulnerabilities in your institution’s security processes and procedures is imperative to aid in your protection from ransomware. R-SAT is a solid place to start to help identify gaps in your protection strategy and validate effective security practices.

To protect yourself from ransomware, it is critical to recognize the vulnerabilities in your security practices regardless of whether your data is held on-premise or third party. If your organization is victimized by ransomware, many questions may immediately come to mind: If you provide the money, are you certain the information will be released? Will the data be released to the public if you refuse to pay? R-SAT can assist and better prepare you to respond.

Adlumin looks to continue to add to its suite of Ransomware tools such as greater reporting, automated alerts, and more. Below are just a few cost and payment trends for ransomware:

“The total cost of a ransomware breach was an average of $4.62 million in 2021, not including a ransom.” (IBM)
“The average cost for education institutions to rectify the impacts of a ransomware attack, including the ransom itself, was $2.73 million in 2021 — 48% higher than the global average for all sectors.” (EdScoop)
“The 2,084 ransomware complaints received by the IC3 in the first half of 2021 amounted to over $16.8 million in losses.” (FBI and CISA)

Log Parsing for Network Security Threat Detection

September 1, 2021/in Blog Post Mahkah Wu/by Adlumin Staff

Firewall, VPN, and network security device logs can provide insight into a wide variety of malicious activities, including remote code executions, port scanning, denial of service attacks, and network intrusions. However, analyzing these logs presents several challenges.

These data streams are high velocity; even small and medium networks can produce thousands of logs per second with significant fluctuations throughout the day. A network comprises several different devices manufactured by different companies, so manually defining rules for parsing log data is unfeasible and would break as devices are updated. Preventive measures against malicious activity must be taken quickly, meaning that we need an online process to deliver insights that are useful for more than forensics.

At Adlumin, we’ve designed around these challenges and built a fast, parallelizable system capable of handling new log formats and deployable on streaming data. We own a patent that covers this method for ascertaining whether log data is anomalous and indicative of threats, malfunctions, and IT operations failures

Malicious activity nearly always produces unusual log data, so our system focuses first on finding anomalous data. Focusing on anomalous logs drastically decreases the volume of data that must be analyzed for malicious activity without running the risk of ignoring pertinent data. In this discussion, we’ll focus on how we determine whether log data is anomalous, as doing so enables a wide variety of techniques for searching for malicious activity.

As an overview, our system trains itself on-device log data that we’ve recently received. Based on the data, the system builds a set of templates that correspond to commonly seen log content and structure. The system also computes a measure of how rare each template is and builds an anomalous scoring threshold. When new data is received, it’s checked against this template set and assigned a score based on the template that best matches the data. If new data that does not directly correspond to a template arrives, then a measure of the difference is added to the score. Data with a score above the anomalous scoring threshold is considered anomalous.

Training

We begin by training our system in a batch process on recently ingested log data. We create a set of templates by grouping similar logs together. Automated systems generate logs, so they contain a mix of parameters (e.g., an IP address, a timestamp, or a username) and fixed messages (e.g., “connection opened” or “user logged in”). Our system uses a token-based parser tree to associate logs that have the same fixed messages, but that may have differing parameters.

Before applying the parser tree, logs are preprocessed. Logs are tokenized according to common delimiters. Then, they are preprocessed by applying pre-defined regex patterns that replace well-known parameters (e.g., r’ [0-9a-fA-F]{12}’ for a 12-digit hexadecimal value) with specialized parameter tokens. Typically, any token that contains a number is also treated as a parameter and replaced with a parameter token. Once preprocessed, the parser tree can determine log associations.

Thus, the intuition is that logs said to be similar in the content will have similar sequences of messages and parameters that can be represented as tokens for easy comparison. The first layer of the parser tree is assigned based on the total number of tokens in the preprocessed log. This step is utilized because parameters are typically a fixed number of tokens, meaning this step quickly groups associated logs. Subsequent layers of the parser tree are fit according to the token in the nth position of the preprocessed log, where n comes from a pre-defined set of token positions. To prevent parser tree explosion, if the number of branches at any given layer exceeds a threshold, then a wild card token is used for all new tokens.

Once the bottom of the parser tree is reached, if there are no other logs already at this position of the parser tree, then the incoming log is used as a new log format. Otherwise, the incoming log is compared to the log formats at this position using token edit distance.

If the incoming log is sufficiently similar to an existing log format, then the log is associated with that format. In addition, the log format is updated such that any dissimilar tokens between the log format and the incoming log are replaced with wildcard tokens. If the incoming log is insufficiently similar to all existing log formats, then the incoming log is used as a new log format.

Once all training logs have been processed, all the log formats generated by the parser tree are returned. Particularly rare log formats are dropped. For each log format, we generate a log template which includes: a regular expression pattern capable of matching logs associated with the template, a set of the tokens contained in the log template, and a log template score based on the frequency that the log template appeared in the training set.

Another set of recent log data is used to generate a score threshold. Logs in this dataset are scored using the log templates. To score, an incoming log is preprocessed and checked to see if it matches any log templates’ regular expression pattern. If the incoming log matches a regular expression pattern, then it is assigned the score associated with the log template that it matches.

Otherwise, the incoming log’s tokens are compared to each of the log templates’ token sets using Jaccard similarity. The incoming log is associated with the log template that has the most similar token set and assigned a score based on the log template’s score and the similarity between the token sets. This matching process allows previously unseen log formats to be assigned appropriate rarity scores.

Once all the score threshold dataset has been processed, all scores assigned to logs are considered. Based on these scores, a global score threshold is determined using the percentile score and standard deviation of the set of all scores.

Inference

In contrast to the training process, inference occurs in a streaming environment and finds anomalous records in near real-time.

As in the score threshold process, incoming logs are preprocessed and either matched to log templates using regular expression patterns or token set similarity. The incoming log is assigned a score of the matched log template or the matched log template and a similarity measure, respectively. If the incoming log’s score is greater than the score threshold, then the log is considered anomalous.

To facilitate real-time analysis, we utilize AWS Lambda for conducting inference and a DynamoDB table for template storage. We’re able to spin up additional Lambda instances automatically and adjust DynamoDB read capacity as needs demand them.

Classifying logs and assigning rarity scores opens a wide variety of analysis opportunities: keyword lists that would otherwise generate numerous false positives are more effective when applied to the anomalous dataset. Log template associations enable time series analysis of specific log messages. By determining the location of parameters, specific information can be extracted and analyzed, even in unseen log formats. At Adlumin, we utilize a variety of these techniques to provide preventative alerts of specific threats, malfunctions, and IT operations failures.