Daily Archives: May 11, 2018

Syn/Ack Unique Proactive Protection Technique

McAfee’s Advanced Threat Research team has analyzed samples of Syn/Ack ransomware that implement Process Doppelgänging.  For those who are concerned about the potential impact of this ransomware but are currently unable to deploy McAfee product protections, we have found a simple but interesting alternative.  Before encrypting files and demanding a ransom, the malware checks whether one of several hardcoded keyboard layouts or languages is installed on the target machine; if one is found, the malicious code terminates.  Installing one of those layouts therefore acts as an extremely simple “patch” of sorts.  We have tested the following steps and found them effective on several versions of Windows 7; they should in theory work on Windows 10 as well, preventing the malware from encrypting files and demanding ransom.  These steps can be taken proactively.  Because testing has been limited so far, this technique may not work on all systems, release versions, and configurations.

Windows 7 – Adding Keyboard Layout:

Control Panel > Clock, Language, and Region > Region and Language > Keyboards and Languages

Click the “Change keyboards...” button

In the Installed Services section click “add”

Select Keyboard – For example: Russian (Russia) > Keyboard > Russian

Click “Ok”

Click “Apply”

Click “Ok”

Here is the list of keyboard layouts you can add – any one of them will suffice:

  • Armenian
  • Azeri (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik

Windows 10 – Adding Language Support:

Control Panel > Language > Add a language

  • Armenian
  • Azeri (Cyrillic, Azerbaijan)
  • Belarusian
  • Georgian
  • Kazakh
  • Ukrainian
  • Uzbek (Cyrillic, Uzbekistan)
  • Uzbek (Latin, Uzbekistan)
  • Russian
  • Tajik
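The same change scripted, as an added example that is not part of the McAfee post: it runs on Windows 8.1 and Windows 10, where the International module's Get-WinUserLanguageList and Set-WinUserLanguageList cmdlets exist (they are not available on Windows 7, so the Control Panel steps above apply there). It adds Russian (ru-RU, keyboard layout ID 00000419) if it is missing and then checks both the user language list and the per-user Preload registry key. The choice of Russian and the function names are this example's own; any layout from the list above works.

```powershell
# Added example (not from the McAfee post): script the keyboard-layout
# "patch" on Windows 8.1/10 and verify that it took effect.
# Assumptions: the International module (Get-/Set-WinUserLanguageList) is
# present, and Russian (ru-RU, KLID 00000419) is the layout chosen from the
# list in the post. Function names are this example's own.

function Add-LayoutIfMissing {
    param([string]$LanguageTag = 'ru-RU')

    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains $LanguageTag) {
        Write-Host "$LanguageTag is already in the user language list"
        return
    }
    # Adding the language tag pulls in its default keyboard layout; -Force
    # skips the confirmation prompt so this can run unattended.
    $list.Add($LanguageTag)
    Set-WinUserLanguageList -LanguageList $list -Force
    Write-Host "$LanguageTag added"
}

function Test-LayoutPresent {
    param(
        [string]$LanguageTag = 'ru-RU',
        [string]$Klid        = '00000419'   # keyboard layout ID for Russian
    )

    # 1. The per-user language list (what Settings / Control Panel shows).
    $inList = (Get-WinUserLanguageList).LanguageTag -contains $LanguageTag

    # 2. The Preload key, which holds the layout IDs Windows loads for this
    #    user at sign-in. Value names are "1", "2", ...; values are KLIDs.
    $preload   = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload'
    $inPreload = [bool]($preload.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' -and $_.Value -eq $Klid })

    [pscustomobject]@{
        LanguageTag    = $LanguageTag
        InLanguageList = $inList
        InPreload      = $inPreload
    }
}

Add-LayoutIfMissing
Test-LayoutPresent
```

If InPreload is still False immediately after the change, sign out and back in and run Test-LayoutPresent again, since the Preload key is what Windows reads at sign-in. The post does not say exactly how the malware enumerates installed layouts, so checking both places is the safer verification.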

That’s all it takes!  Please note – this should not be considered a fully effective or long-term strategy.  It is highly likely the malware will change based on this finding; thus, we recommend the McAfee product protections described in the “McAfee Protects Against Doppelgänging Technique” post for best effect.

The post Syn/Ack Unique Proactive Protection Technique appeared first on McAfee Blogs.

ThreatConnect and the Rise of the Security Developer

Taking Your Team & Career to the Next Level with ThreatConnect's GitHub Repositories


When I walk the show floors at RSA or Black Hat, I'm always struck by the number of new products that pop up every year. The "hot topic" varies - this year it was AI - but new booths springing up from the expo center carpet like magic is a constant. It can be a bit overwhelming: like showing up at a bar with an outrageously huge beer selection. But it can also be exciting, like (responsibly) trying all of those beers.


We get it. There's finally a hot new EDR or UEBA tool that does everything that you want, but you're nervous: will it work in your environment? Can your existing tools talk to it? Will your team understand how to use it? At ThreatConnect, our vision is to ensure that your answer is consistently "yes": if you're excited about new software, you should be able to integrate it into your team, your processes, and your tech stack. We've written at length about our platform strategy, but that "yes" is what it really comes down to.

The Rise of the Security Developer

One trend that makes this strategy possible is the rise of the Security Developer - security analysts who are dangerous enough with Python to take advantage of all of these new tools. If you're able to get that new EDR or UEBA or AMA or vulnerability scanner to work with your existing SIEM, ticketing system, whatever... you'll be a hero. Honing your skills with Python (or another security-friendly scripting language) and becoming familiar with APIs are big parts of becoming a Security Developer. To really take advantage of those skills, though, you need a "partner in crime": an extensible security platform that can bring all those APIs and exciting tools into a central location where all of your data and teammates can take advantage. Like ThreatConnect.

To enable new and mature Security Developers, we've created robust SDKs that can help you write apps, build automations, and more. A great place to get started is in our documentation.



No One is an Island

Our Security Developer customers make extensive use of these tools in their own ThreatConnect environments: integrating systems, automating common tasks, and flexing their developer muscles. But part of growing as a Security Developer is collaborating with other Security Developers.

We provide an exclusive Slack workspace¹ for our customers to exchange best practices about threat intelligence, security, and ThreatConnect. One day, something exciting happened: customers started sharing ThreatConnect software they'd built on Slack. This was amazing! Security Developers were collaborating!

Of course, while we love Slack, it's not the best tool for sharing software.

To more effectively enable our Security Developer users, we're excited to announce the launch of four GitHub repositories (repos) that they can use to share and collaborate. Our hope is that these repos not only help our users share successes and get more value out of ThreatConnect, but also help them hone their skills and make themselves and their teams more effective defenders.


¹ If you're a current customer and are interested in joining our Slack community, please contact your customer success manager.

Announcing: ThreatConnect GitHub Repositories


Let's go over the four repositories:

Spaces Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-spaces

"Spaces" are applications that run in the ThreatConnect UI. Using Spaces, you can extend the abilities of ThreatConnect in a way that benefits other analysts. Enrich indicators in VirusTotal or DomainTools, visualize relationships between intelligence, do some quick static analysis: these are all tools that users have built using Spaces and that run inside ThreatConnect.

Jobs Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-jobs

"Jobs" are apps that run in the background: collecting data from external feeds, enriching indicators in bulk, deploying indicators to a SIEM based on rules, etc.

Tools Repository

Available here: https://GitHub.com/ThreatConnect-Inc/threatconnect-tools

Unlike the other repos, this one is intended for software that doesn't run in ThreatConnect, but instead is designed to enable developers in other ways: a tool that makes it easier to develop other ThreatConnect apps, a Chrome extension, etc.

Playbooks Repository

Available here: https://github.com/ThreatConnect-Inc/threatconnect-playbooks

Playbooks are custom, intelligence-driven automated or partially automated processes that users can build in ThreatConnect. The Playbooks Repository allows users to collaborate on a variety of Playbooks resources: one of these is obviously Playbooks themselves, but the two most important are Components and Apps.

Integrations between security products today are more and more commonplace, but they are largely point solutions. It's nearly impossible for them on their own to incorporate logic based on what your team is doing or what all other products across your security technology stack are seeing. Furthermore, these integrations often lack some desired functionality that is unique to your needs. That's part of why your role as a Security Developer is so valuable: you can tune integrations to your needs and automate the processes that make them and your teams work together. What makes your job easier isn't a silver bullet, it's having the right building blocks. Components and Playbook Apps are those building blocks.

Playbook Components

Components allow users to combine any Playbook Apps: the HTTP Client for REST API calls, the Email and Slack apps for notification, JSON Path for JSON queries, and the Regex App for data extraction, to name just a few. A Component is a reusable building block that can be dropped into any Playbook (it's like writing a Python function). For example, we've been able to build enrichment Components that call an API with authorization, extract data using JSON Path, and expose the results as variables for other apps in a Playbook. Components can be reused in multiple Playbooks and look just like apps. It's a good way to create basic integrations with Playbooks that can then be incorporated into other processes.

Playbook Apps

For when you need to build or modify an app, we provide an SDK and app framework so you can build any Playbook App in Python or Java. While you need to be comfortable in Python (...or Java), this gives you full control over the functionality. Your apps behave just like any other app in Playbooks, with inputs and outputs.

Ready to Start or Learn More?

The next time you're at a show like RSA and are overwhelmed by all the new tools you know your CISO is going to buy, just remind yourself: I have ThreatConnect. I have the support of the entire ThreatConnect Security Developer community. I can make this work.

If you're ready to start contributing or leveraging what others are doing, go ahead and check out the GitHub repos now! If you'd like to learn more about them, please contact support@threatconnect.com. For product feedback, please contact me directly at dcole@threatconnect.com.

The post ThreatConnect and the Rise of the Security Developer appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

McAfee Protects Against Doppelgänging Technique

This blog was co-written with Brook Schoenfield.

That adversaries adopt new techniques is a known fact. However, the speed at which they incorporate innovative techniques to bypass endpoint security or evade sandboxing appears to be ever increasing. Indeed, adversary adoption is often faster than the InfoSec industry can implement and test effective countermeasures. For example, in December 2017 a tool was released to hide PowerShell in a graphic file. Within 7 days of the release, McAfee Advanced Threat Research started to see the technique being used by a nation-state actor. From announcement to inclusion, testing and use in production within 7 days is impressive.

This week, security researchers from Kaspersky reported that an actor is applying the so-called Process Doppelgänging technique in what has been named the “SynAck” ransomware (https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/).

So What is the Process Doppelgänging Technique in a Nutshell?

The technique lets a malware author run a malicious executable under the cover of a legitimate one by abusing the transaction features of the NTFS filesystem (the Windows Transactional NTFS, or TxF, API). In outline: the malware opens a legitimate file inside an NTFS transaction, overwrites it with the payload, creates an image section from the transacted file, and then rolls the transaction back so that the file on disk is unchanged. A process created from that section executes the payload while appearing, to tools that look at the file on disk, to be the legitimate executable.

McAfee Detects and Protects

Since the technique was first presented in December 2017, McAfee Labs has been investigating it and how we might protect our customers. Unlike adversaries, who can ship mistakes in code and implementation, we simply cannot: we have to test thoroughly to ensure that, when we release our solution, it detects correctly and does not disrupt or break other software.

McAfee’s Product Security Incident Response Team (PSIRT), working in coordination with McAfee’s product teams¹, delivered protection against Process Doppelgänging in two of McAfee’s product suites (see below for more detail). The protection has been tested effective against EnSilo’s original proof of concept (PoC) and other samples; as an example, we tested recent malware using the technique against the detection feature, with success.

McAfee’s protection prevents execution of a file if changes to it are contained within a Windows NTFS transaction. So far as McAfee knows, there is no legitimate use of the transactional API in this way; Microsoft’s own documentation discourages new use of TxF, so collisions with legitimate software should be rare.

Details of products that include protection against Process Doppelgänging follow:

  • ENS 10.5.4, released April 24, 2018
  • VSE 8.8 patch 11, released April 24, 2018
  • ENS 10.6, Public Beta available March 9, 2018. Release is targeted around June 1, 2018

WSS 16.0.12 will include the same protection.  Release of WSS is targeted for the end of May, or the beginning of June, 2018.

What Is Protected 

Windows 7 & 8 -> McAfee protection is effective

Win 10 RS3 (version 1709) -> McAfee protection is effective

Win 10 RS4 (version 1803) -> Microsoft has implemented the same protection as McAfee

EnSilo has documented that attempting the technique on Windows 10 builds before RS3 results in a Windows crash, a “Blue Screen of Death” (BSOD). McAfee’s testing confirms EnSilo’s results.

Users may not see a detection alert with some versions of McAfee products under some versions of Windows. McAfee testing indicates that all versions of product under every Windows version listed above are protected.


¹ McAfee thanks McAfee Software Engineer Alnoor Allidina for the diligence and insight that led to the Process Doppelgänging protection.

The post McAfee Protects Against Doppelgänging Technique appeared first on McAfee Blogs.

10 competitors Cisco just can’t kill off


Creating a short list of key Cisco competitors is no easy task, as the company now competes in multiple markets.  In this case we tried to pick companies that have been around a while, or firms that have developed key technologies that directly impacted the networking giant. Cisco is now pushing heavily into software and security, a move that will open it up to myriad new competitors as well. Take a look.
