Monthly Archives: December 2017

Why I Do, What I Do

Folks,

I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.


Here are the answers to the Top-5 questions I am frequently asked -

  1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

    Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

    In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

    As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.




  2. Speaking of which, how big is Paramount Defenses?

    At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.

    If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.




  3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

    The simple answer to this question - For Security Reasons.

    At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

    As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

    Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.




  4. What do you intend to accomplish by blogging?

    The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

    That's because this impacts global security today, and here's why -




    You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

    It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

    Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

    This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

    In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

    What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

    On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

    To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

    Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

    Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.




  5. Why have you been a little hard on Microsoft lately?

    Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

    In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

    You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.

    It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.

    Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

    As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.

    Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

    Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.


Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.

Best wishes,

DEMANDS ON ETHICAL HACKERS ARE RAPIDLY GROWING

SINGAPORE: The Ministry of Interior and Defence (Mindef) will be inviting about 300 international and local hackers to hunt for vulnerabilities in its Internet-connected systems next year (2018), in a bid to guard against ever-evolving cyber threats.

From Jan 15 to Feb 4, these selected experts will try to penetrate eight of Mindef's Internet-facing systems, such as the Mindef website, the NS Portal and LearNet 2 Portal, a learning resource portal for trainees.

--------------------------------------------
RELATED POSTS
--------------------------------------------

These registered hackers can earn cash rewards - or bounties - between $150 and $20,000, based on how critical the flaws discovered are. Called the Mindef Bug Bounty Programme, it will be the Government's first crowdsourced hacking programme.


This follows an incident earlier this year when Mindef discovered that hackers had stolen the NRIC numbers, telephone numbers and birth dates of 854 personnel through a breach of its I-Net system.

One of the systems being tested, Defence Mail, uses the I-Net system for Mindef and SAF personnel to connect to the Internet.

On Tuesday (Dec 12), defence cyber chief David Koh announced the new programme after a visit to the Cyber Defence Test and Evaluation Centre (CyTEC) - a cyber "live-firing range" where servicemen train against simulated cyber-attacks - at Stagmont Camp in Choa Chu Kang.

--------------------------------------------
UPDATES: “Ransomware assaults seem to be getting increasingly dangerous,” said Marty P. Kamden, CMO of NordVPN. “Besides, system administrators are not ready to protect their networks from more sophisticated breaches. We believe that attacks will only keep getting worse.”
--------------------------------------------

On the significance of the "Hack Mindef" initiative, he told reporters: "The SAF is a highly networked force. How we conduct our military operations depends on networking across the army, navy, air force and the joint staff.

"Every day, we see new cyber attacks launched by malicious actors who are constantly seeking new ways to breach our systems... Clearly, this is a fast-evolving environment and increasingly, you see that it is one that is of relevance to the defence and security domain."

The bigger picture is that cyberspace is emerging as the next battlefield, said Mr Koh, who is also deputy secretary for special projects at Mindef.

"Some countries have begun to recognise cyber as a domain similar to air, land and sea. Some have even gone so far as to say that the next major conflict will see cyber activity as the first activity of a major conflict," he added.



While there will be some risks in inviting hackers to test the systems, such as an increase in website traffic and the chance that these "white hat" hackers will turn over discovered vulnerabilities to the dark Web, measures will be put in place.

"(If) we can't even manage the increase in traffic, that in itself would be a vulnerability that we would need to address," said Mr Koh.

White-hat hackers are those who break into protected systems to improve security, while black-hat hackers are malicious ones who aim to exploit flaws.

The programme conducted by US-based bug bounty company HackerOne is expected to cost about $100,000, depending on the bugs found. But Mr Koh noted that this would be less than hiring a dedicated vulnerability assessment team, which might cost up to a million dollars.

Mr Teo Chin Hock, deputy chief executive for development at the Cyber Security Agency (CSA), said: "By embarking on a bug bounty programme, companies have the advantage of uncovering security vulnerabilities on their own by harnessing the collective intelligence and capabilities of these experts and addressing these vulnerabilities before the black hats do."


In a statement, he added that the CSA is currently in discussions with some of Singapore's 11 designated critical information infrastructure sectors which have expressed interest in exploring a similar programme for their public-facing systems.

Large organisations, such as Facebook and the United States Department of Defence, have embarked on similar initiatives with some success.

For instance, a similar Hack the Pentagon programme, also conducted by HackerOne, was launched by the US defence department in 2016. A total of 138 bugs were found by more than a thousand individuals within three weeks.

The initiative caps a year in which Singapore has been gearing up for the battlefront in cyberspace.


In March, it was announced that the Defence Cyber Organisation will be set up to bolster Singapore's cyber defence, with a force of cyber defenders trained to help in this fight.

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

Introduction

Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

Malware Family

Main Modules

Description

TRITON

trilog.exe

Main executable leveraging libraries.zip

library.zip

Custom communication library for interaction with Triconex controllers.

Table 1: Description of TRITON Malware

Incident Summary

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shutdown operations while developing the ability to cause physical damage for the following reasons:

  • Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
  • TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
  • The failure occurred during the time period when TRITON was used.
  • It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.

Attribution

FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.  Specifically, the following facts support this assessment:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol.

The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.

Background on Process Control and Safety Instrumented Systems


Figure 1: ICS Reference Architecture

Modern industrial process control and automation systems rely on a variety of sophisticated control systems and safety functions. These systems and functions are often referred to as Industrial Control Systems (ICS) or Operational Technology (OT).

A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an industrial process. It is a computerized control system consisting of computers, software applications and controllers. An Engineering Workstation is a computer used for configuration, maintenance and diagnostics of the control system applications and other control system equipment.

A SIS is an autonomous control system that independently monitors the status of the process under control. If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.

Asset owners employ varied approaches to interface their plant's DCS with the SIS. The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. For at least the past decade, there has been a trend towards integrating DCS and SIS designs for various reasons including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS. We believe TRITON acutely demonstrates the risk associated with integrated designs that allow bi-directional communication between DCS and SIS network hosts.

Safety Instrumented Systems Threat Model and Attack Scenarios


Figure 2: Temporal Relationship Between Cyber Security and Safety

The attack lifecycle for disruptive attacks against ICS is similar to other types of cyber attacks, with a few key distinctions. First, the attacker’s mission is to disrupt an operational process rather than steal data. Second, the attacker must have performed OT reconnaissance and have sufficient specialized engineering knowledge to understand the industrial process being controlled and successfully manipulate it.

Figure 2 represents the relationship between cyber security and safety controls in a process control environment. Even if cyber security measures fail, safety controls are designed to prevent physical damage. To maximize physical impact, a cyber attacker would also need to bypass safety controls.

The SIS threat model below highlights some of the options available to an attacker who has successfully compromised an SIS.

Attack Option 1: Use the SIS to shutdown the process

  • The attacker can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive.
  • Implication: Financial losses due to process downtime and complex plant start up procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state

  • The attacker can reprogram the SIS logic to allow unsafe conditions to persist.
  • Implication: Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

  • The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.
  • Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

Analysis of Attacker Intent

We assess with moderate confidence that the attacker’s long-term objective was to develop the capability to cause a physical consequence. We base this on the fact that the attacker initially obtained a reliable foothold on the DCS and could have developed the capability to manipulate the process or shutdown the plant, but instead proceeded to compromise the SIS system. Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

Of note, on several occasions, we have observed evidence of long term intrusions into ICS which were not ultimately used to disrupt or disable operations. For instance, Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption.

Summary of Malware Capabilities

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.

Recommendations

Asset owners who wish to defend against the capabilities demonstrated in the incident, should consider the following controls:

  • Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
  • Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
  • Implement change management procedures for changes to key position. Audit current key state regularly.
  • Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
  • Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
  • Monitor ICS network traffic for unexpected communication flows and other anomalous activity.


Figure 3: Triconex Key Switch (source)

Appendix: Technical Analysis


Figure 4: TRITON Architecture and Attack Scenario

TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite. The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.

Trilog.exe took one option from the command line, which was a single IP address of the target Triconex device. It did not leverage the underlying TRITON library’s capability for Triconex device discovery, instead an instance of trilog.exe had to be invoked separately for each target controller in the environment. Once invoked, trilog.exe checked the status of the controller, then read the configuration information exposed by the TriStation protocol. If the controller was in a running state, trilog.exe encoded the two payload files inject.bin and imain.bin and passed them to the communication libraries to be appended to the controller’s program memory and execution table.

After payload files were inserted into memory on the Triconex controller, the script initiated a countdown, periodically checking the status of the controller. If an error was detected, the communication library’s method SafeAppendProgramMod attempted to reset the controller to the previous state using a TriStation protocol command. If this failed, trilog.exe attempted to write a small ‘dummy’ program to memory. We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller.

Working with the asset owner, Mandiant ran trilog.exe in a lab environment with a valid Triconex controller and discovered a conditional check in the malware that prevented the payload binary from persisting in the environment. Mandiant confirmed that, after correcting patching the attack script to remove this check, the payload binary would persist in controller memory, and the controller would continue to run.

TRITON implements the TriStation protocol, which is the protocol used by the legitimate TriStation application, to configure controllers.

TsHi is the high-level interface created by the malware’s authors that allows the threat actor’s operators to implement attack scripts using the TRITON framework. It exposes functions for both reconnaissance and attack. The functions generally accept binary data from the user, and handle the code ‘signing’ and check sums prior to passing the data to lower level libraries for serialization on to the network.

TsBase, another attacker-written module, contains the functions called by TsHi, which translate the attacker’s intended action to the appropriate TriStation protocol function code. For certain functions, it also packs and pads the data in to the appropriate format.

TsLow is an additional attacker module that implements the TriStation UDP wire protocol. The TsBase library primarily depends on the ts_exec method. This method takes the function code and expected response code, and serializes the commands payload over UDP. It checks the response from the controller against the expected value and returns a result data structure indicating success or a False object representing failure.

TsLow also exposes the connect method used to check connectivity to the target controller. If invoked with no targets, it runs the device discovery function detect_ip. This leverages a "ping" message over the TriStation protocol using IP broadcast to find controllers that are reachable via a router from where the script is invoked.

Indicators

Filename

Hash

trilog.exe

MD5: 6c39c3f4a08d3d78f2eb973a94bd7718
SHA-256:
e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230

imain.bin

MD5: 437f135ba179959a580412e564d3107f
SHA-256:
08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949

inject.bin

MD5: 0544d425c7555dc4e9d76b571f31f500
SHA-256:
5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14

library.zip

MD5: 0face841f7b2953e7c29c064d6886523
SHA-256:
bef59b9a3e00a14956e0cd4a1f3e7524448cbe5d3cc1295d95a15b83a3579c59

TS_cnames.pyc

MD5: e98f4f3505f05bf90e17554fbc97bba9
SHA-256:
2c1d3d0a9c6f76726994b88589219cb8d9c39dd9924bc8d2d02bf41d955fe326

TsBase.pyc

MD5: 288166952f934146be172f6353e9a1f5
SHA-256:
1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42

TsHi.pyc

MD5: 27c69aa39024d21ea109cc9c9d944a04
SHA-256:
758598370c3b84c6fbb452e3d7119f700f970ed566171e879d3cb41102154272

TsLow.pyc

MD5: f6b3a73c8c87506acda430671360ce15
SHA-256:
5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32

sh.pyc

MD5: 8b675db417cc8b23f4c43f3de5c83438
SHA-256:
c96ed56bf7ee85a4398cc43a98b4db86d3da311c619f17c8540ae424ca6546e1

Detection

rule TRITON_ICS_FRAMEWORK
{
      meta:
          author = "nicholas.carr @itsreallynick"
          md5 = "0face841f7b2953e7c29c064d6886523"
          description = "TRITON framework recovered during Mandiant ICS incident response"
      strings:
          $python_compiled = ".pyc" nocase ascii wide
          $python_module_01 = "__module__" nocase ascii wide
          $python_module_02 = "<module>" nocase ascii wide
          $python_script_01 = "import Ts" nocase ascii wide
          $python_script_02 = "def ts_" nocase ascii wide  

          $py_cnames_01 = "TS_cnames.py" nocase ascii wide
          $py_cnames_02 = "TRICON" nocase ascii wide
          $py_cnames_03 = "TriStation " nocase ascii wide
          $py_cnames_04 = " chassis " nocase ascii wide  

          $py_tslibs_01 = "GetCpStatus" nocase ascii wide
          $py_tslibs_02 = "ts_" ascii wide
          $py_tslibs_03 = " sequence" nocase ascii wide
          $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
          $py_tslibs_05 = /module\s?version/ nocase ascii wide
          $py_tslibs_06 = "bad " nocase ascii wide
          $py_tslibs_07 = "prog_cnt" nocase ascii wide  

          $py_tsbase_01 = "TsBase.py" nocase ascii wide
          $py_tsbase_02 = ".TsBase(" nocase ascii wide 
         
          $py_tshi_01 = "TsHi.py" nocase ascii wide
          $py_tshi_02 = "keystate" nocase ascii wide
          $py_tshi_03 = "GetProjectInfo" nocase ascii wide
          $py_tshi_04 = "GetProgramTable" nocase ascii wide
          $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
          $py_tshi_06 = ".TsHi(" ascii nocase wide  

          $py_tslow_01 = "TsLow.py" nocase ascii wide
          $py_tslow_02 = "print_last_error" ascii nocase wide
          $py_tslow_03 = ".TsLow(" ascii nocase wide
          $py_tslow_04 = "tcm_" ascii wide
          $py_tslow_05 = " TCM found" nocase ascii wide  

          $py_crc_01 = "crc.pyc" nocase ascii wide
          $py_crc_02 = "CRC16_MODBUS" ascii wide
          $py_crc_03 = "Kotov Alaxander" nocase ascii wide
          $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
          $py_crc_05 = "crc16ret" ascii wide
          $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
          $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide  

          $py_sh_01 = "sh.pyc" nocase ascii wide  

          $py_keyword_01 = " FAILURE" ascii wide
          $py_keyword_02 = "symbol table" nocase ascii wide  

          $py_TRIDENT_01 = "inject.bin" ascii nocase wide
          $py_TRIDENT_02 = "imain.bin" ascii nocase wide  

      condition:
          2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}

Time to DEMONSTRATE Thought Leadership in the Cyber Security Space

Folks,

Hope you're all well. Last year I had said that it was time for us to provide Thought Leadership to the Cyber Security space.


Since then, I've penned over 50 blog posts, on numerous important topics,
and helped 1000s of organizations worldwide better understand -

  1. The Importance of Active Directory Security

  2. Insight into Active Directory ACLs - Attack and Defense

  3. How to Defend Active Directory Against Cyber Attacks

  4. How to Mitigate the Risk Posed by Mimikatz DCSync

  5. How to Thwart Sneaky Persistence in Active Directory

  1. How to Identify Stealthy Admins in Active Directory

  2. Understand Windows Elevation of Privilege Vulnerability

  3. Illustrate Active Directory Privilege Escalation

  4. Correctly Identify Privileged Users in Active Directory

  5. Importance of Active Directory Effective Permissions
There's so much more to share, and I will continue to do so.





A Paramount Global Cyber Security Need

Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.

Folks, I am talking about empowering organizations worldwide identify exactly who holds the proverbial "Keys to the Kingdom" i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.


The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.

Since we've been silently working on this 2006, we've a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance to this subject.

Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.





Thought Leadership

There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.

So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.


In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (, whose work possibly impacts everybody.) This is about a desire to help.

So, that post should be out right here on this blog next week, possibly as early as Monday morning.

Best wishes,
Sanjay

KUELEKEA MWISHO WA MWAKA TUNATEGEMEA MASHAMBULIZI MTANDAO ZAIDI

Nikizungumza na kundi maalum katika vikao vinavyoendelea nimewasilisha ujumbe wa Tahadhari ambapo Uma umetahadharishwa juu ya mashambulizi takriban Milioni hamsini (50 Milioni) duniani kote katika kipindi cha sikukuu yatakayo gharimu kati ya Dola 50 – Dola 5’000 kwa kila shambulizi.

Matarajio hayo ni kutokana na matumizi makubwa ya mtandao katika kufanya miamala mbali mbali ya manunuzi ya bidhaa katika kipindi hiki cha sikukuu ambapo watu wengi duniani kote wamekua wakinunua vitu mbali mbali kwa wingi kwa njia ya mitandao.

------------------------------
RELATED POST:
------------------------------

Kwa mujibu wa ripoti ya kitelijensia ya matishio mtandao, iliyo wasilishwa na NTT Security – Imeeleza uwepo wa takriban utengenezwaji wa tovutiMilioni moja na nusu zenye mlengo wa kurubuni  kila mwezi ambazo baadhi yao zinadumu kati ya masaa ma nne had inane na kutoweka. Hili niongezeko la asilimia 74 (74%) kulinganisha na takwimu za miezi sita iliyopita.




Maangalizo kadhaa ya muhimu ambayo watumia mitandao wanatakiwa kuzingatia ili walau kupunguza wimbi hili la uhalifu mtandao ni kama ifuatavyo:-

Jiepushe kutumia Wi-Fi za bure unapofanya miamala kwa njia ya mtandao.

Kua makini na program tumishi unazopakua mtandaoni – hakikisha zinatoka katika vyanzo vyenye sifa njema na kuaminika.

Usisambaze mtandaoni taarifa zako binafsi ikiwa ni pamoja na Nywila (neon siri)
Hakikisha unatumia neon siri (Nywila) madhubuti ili kujiepusha na udukuzi unaoweza kukukuta.

Upokeapo jumbe mtandaoni zenye mlengo wa ushawishi wa kukupatia zawadi na kukutaka ufungue viambatanishi, Usifungue viambatanishi hivyo kwani wahalifu mtandao wanatumia fursa hii kusambaza virusi vinavyoweza kukuletea athari mbali mbali ikiwemo kupelekea wizi mtandao.

------------------------------------
NEWS BRIEF:
"In the first half of 2017, 1.9 billion data records were either lost or stolen through 918 cyber-attacks. Most of the attacks used ransomware, a malware that infects computers and restricts access to files in exchange for a ransom"
------------------------------------

Kakikisha vifaa vyako unavyotumia kwa ajili ya mtandao (Simu, Tableti , Komputa yako na vinginevyo) vimewekwa Ant-Virus iliyo ndani ya wakati na pia una sakinisha (Install patches) mara tu zinapo tolewa.

 Jijengee tabia ya kupitia taarifa fupi za miamala (Bank statement) na unapo ona kuna muamala usio utambua utoe taarifa mara moja kwa hatua Zaidi.

------------------------------------
UPDATES:
" We have seen many incidents using anti-forensics tools and methods in an effort to erase signs of their presence and increase the time they are able to explore the network before they are detected, commonly known as “dwell time”.
------------------------------------

Aidha, Kwa Upande Mwingine - Baroness Shields (Mshauri wa waziri mkuu wa uingereza) ametoa wito kwa wabunge wa nchini humo kuacha mara moja tabia ya kuweka wazi maneno yao ya siri (Nywila) au kuwapatia wasaidizi wao.



Akizungumza nao, Aliwaeleza wakiona kuna umuhimu basi wasaidizi wao watapatiwa maneno siri yao (Nywila) pale wanapo wahudumia katika kazi zao.