Archive for the "Malware" Category

Webinar wrap up: “Safeguarding your network from Data Exfiltration attacks”



Read a recent news article about a data breach and it will likely mention data exfiltration. It’s usually the last event of a string of seemingly preventable mishaps that result in a lot of people getting free credit reporting (or, as of late, uncomfortable conversations with your spouse). The exfiltration bit can usually be found right before a “I-told-you-so” quote from a vendor:

“OMG you guys, we all need to start dealing with these attacks! We can help, please Google us.” Capt. Obvious, Chief Quote Officer, Security Vendor, Inc.

But what exactly is data exfiltration and what solutions exist to prevent it? Exfiltration is a nebulous concept that doesn’t have its own Gartner Magic Quadrant. It’s also not something many organizations are focusing on. We find that the typical response to data exfiltration is to stitch together a bunch of different security technologies and controls – IDS/IPS, firewalls, DLP, endpoint agents, etc. – and hope that the combination covers the final stage of an attack.

Then what does the industry do to test the racks of gear blinking away in the data center? A penetration test. Penetration testing serves an important role within your security program: it gives the customer a snapshot-in-time view of their security posture, which is critical validation (or negation) of that posture, and it is something every organization should be doing. However, a penetration test usually ignores exfiltration testing. Historically the focus of penetration tests has been on the “tip of the iceberg”, from the outside in, and they don’t take the overall environment and processes into account. It’s a very perimeter-intrusion-centric approach.

Organizations spend a lot of money on security. But does it work?  

Ask yourself: “Do our penetration tests cover all layers of our security budget?”

Last week our CTO, Trevor Hawthorn, presented on “Safeguarding your network from Data Exfiltration attacks”. During the talk, Trevor discussed recent data breaches, how attackers typically transmit data out of the victim’s network during a data breach, and why victim organizations are usually unaware of data being exfiltrated.

Testing for data exfiltration is very important, as it is part of the final steps taken by an attacker and the last chance to prevent a breach.

We believe the symphony of exfiltration requires an orchestrated approach, which is exactly why we developed XFIL.

XFIL is a patented data exfiltration testing platform that simulates the final stages of an attack: lateral movement and data exfiltration out of your network. The platform can help an organization test and validate existing security controls, network visibility, and identify weaknesses that could be exploited to circumvent those controls. XFIL simulates 260+ methods that are used to sneak data out of your network.

During our webinars, we try to save a lot of time for Q&A as it’s often the most informative part of the talk. Below are answers to some great questions about XFIL that were asked by attendees, for those who were unable to attend.

Q&A Recap:

Can we run XFIL from multiple networks? Yes, that is one of the intended use cases. Everyone has networks of differing levels of trust, so XFIL is meant to be run from those different networks and to test the layers of your defense.

What is a tactful way to address “we just had a pen test and they found nothing so are we certified and good to go?” (client has no IPS or SIEM so the findings are not accurate) You don’t want the absence of a really bad finding to be interpreted as a clean bill of health. An assessment of your network/system/application by a third party is typically a time-boxed test that might not cover all the possible factors and situations. It is good that (at this particular moment) the test did not find any issues with your “fill in the blank”; however, you still need to ensure you have the appropriate levels of controls in place, as well as the people, processes and visibility to protect it.

Do customers use this (XFIL) to test their MSSP? Absolutely, your Managed Security Service Provider is part of your overall “system” and security monitoring processes. It is always recommended to test and validate that all of the different components of your security program are working in an orchestrated manner.

Will organizations be allowed to use XFIL to test their third parties? The short answer is yes. Part of XFIL’s functionality helps you answer some of the difficult questions regarding your security, such as how porous a network is, what the internal network controls look like, and how mature the security program is. Your third party vendors can be seen as an extension of your organization and, if you have the contract language to do so, you could quickly understand the maturity of a third party’s security posture by running XFIL in their environment.

Does this help at all with PCI and/or gaining PCI compliance? PCI DSS Requirement 1.2 requires firewall and router configurations that restrict connections between untrusted networks and the cardholder data environment, and Requirement 1.2.1 specifically requires that inbound and outbound traffic be limited to what is necessary, with all other traffic denied (default deny). XFIL performs outbound port scanning that identifies which egress services are actually allowed, for easy comparison with the approved business requirements.
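As an added illustration of the comparison described in that answer (this is not XFIL and not code from the post or webinar), here is a minimal outbound port scan in Python that records which TCP ports reach a target from the network you run it on and splits the result into approved, unexpected and blocked egress. The approved port list, the probe list and the target hostname egress-target.example are assumptions; the target must be a host you control.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed "approved business requirements": the only egress ports the policy allows.
APPROVED_EGRESS = {53, 80, 443}

# Ports worth probing in an egress test: web, DNS, mail, remote access, file sharing,
# IRC and the "alternate" web ports that proxies and C2 frameworks fall back to.
PROBE_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389, 6667, 8080, 8443]


def port_reaches_out(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from this network position.

    False means either the egress path is filtered or the target is not listening,
    so the target must listen on every probed port for a False to be attributable
    to the firewall.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_egress(host, ports=PROBE_PORTS, workers=8, timeout=3.0):
    """Probe each port in parallel and return the set of ports that reached the target."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_reaches_out(host, p, timeout)), ports))
    return {port for port, reached in results if reached}


def compare_to_policy(open_ports, approved):
    """Reduce scan results to the three answers an auditor asks for."""
    open_ports, approved = set(open_ports), set(approved)
    return {
        # egress the firewall allows but the policy does not: default deny is not in place
        "unexpected_open": sorted(open_ports - approved),
        # egress that is both allowed and approved
        "approved_open": sorted(open_ports & approved),
        # approved egress that is blocked: a business function may be broken, or the
        # target was not listening on that port
        "approved_blocked": sorted(approved - open_ports),
    }


if __name__ == "__main__":
    # HYPOTHETICAL target: a listener you control that answers on every probed port.
    target = "egress-target.example"
    report = compare_to_policy(scan_egress(target), APPROVED_EGRESS)
    for key, ports in report.items():
        print(f"{key}: {ports}")
```

Run it from each network segment of differing trust and keep the reports side by side; the unexpected_open list is the gap between what the firewall rules say and what the policy says. The caveat that matters in practice: a closed port on the target looks identical to a firewall block, so the listener should accept connections on every probed port (on a Linux host, an iptables nat-table REDIRECT of all TCP destination ports to one listening service does this) before you treat an approved_blocked entry as a firewall finding.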

How do we go back and correlate alerts and events with what XFIL does? We have two answers to this question: how things work today and what we plan to implement in the near future. Right now you can review the results of the XFIL assessment in the XFIL console as well as in whatever log management/SIEM solution(s) you have in place. We hope to have an updated answer (or solution), such as a custom Splunk application, to assist with correlation in a more efficient manner in the near future.

Can XFIL simulate malware indicators? Yes, there are several ways we do this today, such as, from a network standpoint, beaconing out to known bad DNS names. As part of our product roadmap, we plan to build out various malware modules for clients so they can simulate recent malware indicators or command and control activities.

We appreciate all the questions and feedback from our webinar. If you have any additional thoughts and/or questions, please feel free to send an email to the Stratum/XFIL team, which can be reached via or you can learn more about XFIL here:

Slides from the webinar can be downloaded from here.

Analyzing DNS Logs Using Splunk


Back in December of 2011 I wrote a post on the ThreatSim blog called “Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now“. One of the controls we recommended that folks implement was to log all DNS queries and the client that requested it:

Log DNS queries and the client that requested it: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and under appreciated human-to-technology interface. It’s no different for malware. When you suspect that a device has been compromised on your network, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.

Telling people to log DNS requests is super easy. Logging DNS queries is pretty easy too. Understanding how to ingest, analyze, and process the data is where you need to bring in some tools. We love Splunk (as do many of our customers). Splunk is the perfect tool for the job of figuring out what your clients are up to and who they are talking to. You can also set up real-time alerts if Splunk sees a DNS lookup for a known bad domain name.
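Since the post’s own walk-through sits behind the Read More link, here is an added example (not the post’s code and not Splunk) that shows the two things the recommendation is for: alerting on a lookup of a known bad name, and pivoting from that name to every other client that resolved it. The log lines, client addresses and blocklist domains are constructed, and BIND 9’s default query-log format is assumed.

```python
import re
from collections import defaultdict

# BIND 9 query-log record, e.g.
#   18-Jun-2012 09:15:07.440 client 10.1.4.22#52120: query: update.malware-c2.example IN A + (10.1.0.53)
# Newer BIND versions insert "@0x<addr> " and "(<name>)" after "client"; both are optional here.
BIND_QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two hosts resolve the same C2 name, a third hits a drop zone,
# and the last line is not a query record at all.
SAMPLE_LOG = """\
18-Jun-2012 09:15:02.118 client 10.1.4.22#52113: query: www.example.com IN A + (10.1.0.53)
18-Jun-2012 09:15:07.440 client 10.1.4.22#52120: query: update.malware-c2.example IN A + (10.1.0.53)
18-Jun-2012 09:15:07.901 client 10.1.4.22#52121: query: update.malware-c2.example IN AAAA + (10.1.0.53)
18-Jun-2012 09:16:11.003 client 10.1.7.9#49311: query: mail.example.com IN MX + (10.1.0.53)
18-Jun-2012 09:16:15.722 client 10.1.7.9#49315: query: update.malware-c2.example IN A + (10.1.0.53)
18-Jun-2012 09:17:30.555 client 10.1.9.14#61002: query: cdn.dropzone.example IN A + (10.1.0.53)
18-Jun-2012 09:17:31.000 client @0x7f3a1c0 10.1.9.15#61003 (www.example.com): query: www.example.com IN A + (10.1.0.53)
named[1234]: zone example.com/IN: loaded serial 2012061801
"""

# Constructed blocklist; .example is a reserved TLD, so these names never resolve for real.
BLOCKLIST = {"malware-c2.example", "dropzone.example"}


def parse_query_log(lines):
    """Yield (client_ip, queried_name, qtype) for every query record; skip other log lines."""
    for line in lines:
        m = BIND_QUERY.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def matches_blocklist(name, blocklist):
    """True if name equals a blocked domain or sits under one: cdn.dropzone.example
    matches dropzone.example, but dropzone.example.com and notdropzone.example do not."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(lines, blocklist):
    """Every query for a blocked name: the rows you would alert on in real time."""
    return [(ip, name, qtype) for ip, name, qtype in parse_query_log(lines)
            if matches_blocklist(name, blocklist)]


def hosts_by_indicator(lines, blocklist):
    """Pivot from indicator to hosts: which clients resolved each blocked name.
    Any host beyond the one you started from is a candidate for the same infection."""
    seen = defaultdict(set)
    for ip, name, _ in find_hits(lines, blocklist):
        seen[name].add(ip)
    return {name: sorted(ips) for name, ips in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, name, qtype in find_hits(lines, BLOCKLIST):
        print(f"ALERT {ip} looked up {name} ({qtype})")
    for name, ips in hosts_by_indicator(lines, BLOCKLIST).items():
        print(f"{name}: {', '.join(ips)}")
```

Two points carry over to whatever tool does this for real. The suffix match is deliberate: malware rotates hostnames under a domain it controls, so an exact-match lookup against a list of FQDNs misses most of the beacons. And the client address is only useful if it is the endpoint’s: if clients sit behind a caching resolver, the upstream server’s log shows the resolver as the client for every query, so the logging has to happen on the resolver the clients actually talk to.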

Let’s implement our recommendation in real life. Here is what we did:

Read More

Fake MS Word 2012 in the Apple App Store right now


A user on Hacker News pointed out that there is an app in the Apple App Store right now that claims to be MS Word 2012. I found it literally seconds after we had been chatting about this ThreatPost post regarding a fake Android app that is actually Zeus.

I’m not sure how long the app will stay in the App Store, but I’m thinking not very long. Screenshot below:

Update: And it’s gone as of 21:00 6/18/2012 EDT.


Follow us: @stratumsecurity

22 Interesting Confessions of A Botmaster


A few weeks ago there was an IAMA on Reddit from a malware author and botnet operator. An IAMA is a Q&A session that allows Reddit users to ask the poster questions.

It was a very interesting read into the mind, methods, and tools of the botnet community. The person spent a long time answering questions and providing insight into malware, botnets, attacker motivations, and the underground economy. We scoured the large thread for the salient points and have distilled the most interesting questions and answers here.

He provided the following screen capture as proof (opens in a new window since it’s rather large):

Botnet Proof

Read more