How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being the biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, comes down to one of three things (the “Big Three”):

  • Email – “a user clicked on something they shouldn’t have”
  • Malicious websites – “they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media – “where a user inserted contaminated media”. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!]

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach … Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated”, they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what they need in order to identify how it happened and what was compromised.

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below.

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.


Cisco Live Europe 2017 A Great Success

Original Entry by : Mark Evans

Upwards of 12,000 people packed Messe Berlin for the Cisco Live Europe 2017 event last week. It was a busy, exciting and noisy atmosphere and a lot of fun to attend. As a Cisco Solutions Partner, Endace was pleased to be invited to be one of the vendors exhibiting in the Cisco Security Partner Village.

Cybersecurity was a hot topic at Cisco Live, and the Security Partner Village was bustling, with lots of attendees interested in seeing the latest cybersecurity solutions.

Endace’s Sandrine Kubach and Rob Earley were inundated with people interested to find out how we integrate our full packet capture solutions with Cisco’s security solutions.

Sandrine and Rob demonstrated the integration between our EndaceProbe Network Recorders and Cisco’s Firepower NG-IPS.

Endace’s Fusion Connector for Firepower allows security analysts to click from an alert in the Firepower Management Console to instantly view and analyze related network packets recorded on EndaceProbes. This streamlined workflow dramatically reduces investigation times and provides definitive evidence of exactly what has happened so analysts can respond appropriately.

It was great to have another of our partners, Plixer, demonstrating the integration between Scrutinizer and EndaceProbes at a stand just metres away from our own too!

Cisco Live Europe was a fantastic event. To all those who stopped by our stand, thank you for making the time. It was great to meet you and we look forward to talking to you again soon.

Thanks to the Cisco team for their wonderful organization and support. We’re excited about being at Cisco Live US in Las Vegas later in the year!

If you weren’t able to make it to Berlin, check out the great highlights reel that Cisco has put together – it gives a great sense of what a busy event it was:


Sold out Suricon demonstrates strong interest in Suricata

Original Entry by : Endace


Having been one of the original sponsors of the OISF, we were thrilled to be involved again as a community partner sponsor at Suricon 2016. The conference ran Nov 9-10 and, with an international contingent of attendees and sponsors, Washington DC on election night was a unique way to kick off the conference!

It was great to reacquaint with old friends at the OISF. Kelley Misata and the Core team did a fantastic job of organizing the conference. There were some really interesting presentations from Core team presenters and the Suricata community. Check out the conference highlights here for links to some of the presentation slides.


We had a lot of interest from attendees interested in using Endace DAG cards to improve the performance and fidelity of Suricata. For anyone wanting to find out how to use Suricata with DAG, we put together a technical brief which you can download here.

To celebrate Endace’s return as a sponsor, we offered attendees a special 2-for-1 deal on our DAG 10X2-S cards. We think this card really hits the price/performance mark, providing a professional capture card at a very attractive price. And judging by the level of interest we saw at the conference, attendees agreed. (A reminder to conference attendees: the offer closes Dec 15th, so don’t forget to return your claim form!)

Suricon 2016 was completely sold out and it’s great to see the attendance and interest growing so strongly. Endace is looking forward to sponsoring Suricon 2017 in Prague, which promises to be even bigger and better again!


Inaugural Sharkfest Europe a great success

Original Entry by : Endace

Europe got its own Sharkfest in October and the inaugural Wireshark Developer and User Conference was a great success with strong attendance from the user and developer community across Europe. Congratulations to Sharkfest Europe for a great launch to what is sure to be a fantastic annual event.

There was a great program of speakers over the three days. Kicking things off with the pre-conference course was Wireshark University’s Laura Chappell. Her Troubleshooting with Wireshark tutorial was well attended and included invaluable tips for working with Wireshark using workflows which make optimal use of Wireshark to quickly highlight potential issues.



New Partners – Plixer and Cisco

Original Entry by : Endace

Last month we announced a partnership with Plixer to provide integration between EndaceProbe™ Network Recorders and Plixer’s Scrutinizer™ NetFlow Analytics suite. This leverages Endace Fusion’s API to enable SOC and NOC teams to pivot directly from Scrutinizer alerts to packet-level detail in traffic recorded on EndaceProbes across the network, delivering the detailed data that enables analysts to quickly investigate and establish the root cause of an alert.

We have also joined the Cisco Solution Partner program. This partnership provides customers using Cisco’s Firepower™ Management Console with single-click access to EndaceVision for powerful visualization of network traffic and rapid drill down to recorded network packets using Endace Fusion’s Pivot to Vision and Pivot to Packets API functions.

Are you a Cisco Firepower or Plixer Scrutinizer user?

Contact sales@endace.com to organize a demo so you can see how this integration can dramatically speed up your investigations.


Come see us at Black Hat

Original Entry by : Endace

It seems everyone is in Las Vegas for Black Hat this week. We’re excited. Yes, we’re here too and we’d love to see you.

So drop in and see us at Booth #1572 where you’ll be able to check out our new EndaceProbe 114 Branch Office Network Recorder, see demos of our Cisco® FireSIGHT™ Management Center and Splunk™ integrations and we’ll also be showing off the new features of EndaceVision 2.0.

Plus we have some handsome battery packs and notebooks to give away. So swing by and say Hi.


EndaceProbe 9000-XS: Industry-leading storage density provides extended back-in-time network history for forensic analysis

Original Entry by : Endace

With up to 192TB of storage per appliance, the new EndaceProbe™ 9000-XS series network recorders provide a highly scalable network recording solution, offering petabytes of clustered and/or distributed storage capable of storing weeks, or months, of network history.

The massive storage of the 9000-XS EndaceProbes makes them an ideal choice as always-on recorders capturing a detailed history of network activity for forensic analysis of data breaches and speeding up the investigation and resolution of network security or performance issues.

See our press release about the new XS series and check out the complete range of EndaceProbe 100% accurate, high-speed network recorders.

Or download the EndaceProbe 9000 series datasheet.


Who needs Mixed Martial Arts (MMA) when you have Cyber Mondays?

Original Entry by : Sonny Singh

I don’t know about you, but the winter holiday season is a bittersweet pill for me to swallow, due in part to two occurrences which are aptly named “Black Friday” and “Cyber Monday.” The connotations themselves conjure up images of sinister malevolence. Black Friday might as well be called “The Black Plague” and Cyber Monday could very well be the title for the next Terminator movie, “Cyber Monday – Rise of the Machines.” The two lexicons of retail mind-control methods are emblazoned in the pre-frontal cortex of every consumer out there… unless, by chance, you are one of the lucky few individuals who are stuck in the 1950s and opt to buy their holiday presents from the Sears Roebuck Holiday catalog, in which case I envy you.



DDoS Attacks on Port 0 – Does it mean what you think it does?

Original Entry by : Tom Jones

Network monitoring best practice includes watching the latest trends not only in your own network, but also in other networks across the Internet. Fortunately, there are some great companies out there tracking what’s happening and issuing periodic reports to keep the rest of us up to speed.

I was very interested to read the recent report from Arbor Networks with the Q2 DDoS (distributed denial of service) attack data collated through their ATLAS Internet monitoring system. The report highlights a 43% increase in attacks from the same period in 2012.



Black Hat 2013 – It’s Hogwarts for Information Security Wizards (Or CIA Spooks)

Original Entry by : Sonny Singh

Imagine if Harry Potter’s life had been altered in an Aeon Flux, dystopian kind of way? Instead of inheriting wizard-like-skills and a matching lightning bolt scar on his forehead, he was conversely born with an astute affinity towards programming code, breaching internet firewalls and perhaps secretly working for the CIA?

If this were the case, Harry would clearly need to go to an academic institution worthy of his Information Security (InfoSec) inclined disposition, right? Believe it or not, such an institution actually exists – called “Black Hat,” and it is held yearly in Las Vegas. Black Hat is a symposium that brings together the best minds in security to define tomorrow’s information security landscape with the ultimate goal of providing the essential knowledge and skills needed to defend the government and enterprises against today’s threats. Before we delve deeper, let’s first define what InfoSec is and why it’s an extremely important topic to address in the technology sector.
