Part 1 of a series of white papers and blogs that illustrate how Snare helps you identify and resolve issues highlighted in the MITRE ATT&CK knowledge base.

U.S. Presidential Executive Order on Cybersecurity

On Wednesday May 12, 2021, President Biden signed an executive order aimed at strengthening U.S. cybersecurity. The order was prompted by a series of sweeping cyberattacks on public companies, companies supplying the U.S. Federal Government, and Federal Government networks over the past year. This includes the 2020 SolarWinds attack and the most recent attack on the Colonial Pipeline by the hacker group DarkSide.

Both attacks are examples of criminal groups and state actors exploiting U.S. cyber vulnerabilities. To help protect the U.S. Government, agencies, and both public and private companies from future attacks, the May Presidential Executive Order calls for the Federal Government and private sector to partner to confront “persistent and increasingly sophisticated malicious cyber campaigns” that threaten U.S. security.

To learn more about Memorandum M-21-31 and the Maturity Model for Log Management, read our updated article >>

How Snare Can Help

To meet the existing and updated cybersecurity requirements laid out in the Executive Order, and to improve your organization’s cyber posture, Snare can help in several ways.

  • Central log collection, analysis and reporting – by collecting all the important logs from all critical assets in the business, Snare enables forensic analysis of what criminal groups and other APTs are doing in the network. Without the needed logs, you are flying blind, with no clear knowledge of an incident that has happened or is in progress now.
    • Government agencies and businesses need to know:
      • Who performed the actions. Was it a normal user, an admin, or credentials that were breached? How much lateral movement was involved?
      • What data or systems were affected, how many were there, and which networks were affected? What commands were run on each system, and with what parameters? Were other tools loaded to help the attacker? Was data exfiltrated out of the environment? Have they established a beachhead in the network?
      • When the activities occurred, covering the exact times and dates. Was it small amounts of activity over time, or a focused effort over a short period?
      • Where the specific actions took place.

Having Snare Central or Snare Agents in place can help security teams gather the forensic data required to answer who, what, when, where, why, and how – and ‘how bad is it’.

Zero Trust Initiative

Snare can be used in several ways to help detect activity. As part of the Zero Trust initiative, adequate detection is key to ensuring that controls are functioning correctly. If there is nothing to perform analysis on, there can be no validation that technical controls are working, and no information for adequate remediation in the event of a problem or for incident response. Section 3(e) states that within 90 days all agencies should implement a logging solution to:

    • Collect logs from as many sources as possible – all servers, desktops, network devices, and everything else that can send a syslog. All devices should have some form of logging or monitoring in place.
    • Use FIM, FAM, RIM and RAM to track and monitor all key files and system configuration. Know who changed files, when, and with what tools.
    • Use Database Activity Monitoring (DAM) to track key activity on SQL databases. Know if admin accounts are being abused, and validate that key data has not been tampered with.
    • Keep evidence showing whether the attack vector was email, USB, a web link download or a software update; all of these are important to knowing how the attackers got in.

The Snare software suite provides an easy-to-use solution that is fast to deploy using our lightweight agents and the Snare Central Server centralized logging platform. Most sites are up and running in as little as an hour, and immediately capable of collecting and reporting on activity. With around 400 out-of-the-box, customizable reports, dynamic query for advanced searching and drill-down on data, active dashboards, key statistics on system logs, real-time alerting and threshold reporting, Snare Central provides a comprehensive logging, detection, and analysis tool for any cyber team.

Customers are not penalized with additional charges for collecting more data. Customers can collect as much data as they like and keep it for as long as they need, since they manage the storage needs of the system for the business. Data is often needed for several years for long-term incidents where the bad actors have been in a network for an extended time, keeping a low profile to avoid detection.

As per section 7(c) and (d), the Snare CLM suite complements EDR solutions with enhanced logging and detection, providing the forensics needed for threat hunting.

As per section 8(b), Snare Central uses cryptographic hashing functions to validate that the collected logs, along with other forensic metadata in events, have not been tampered with.


“I tend to use Snare when customers have a lot of endpoints, 1,000 or more, though particularly over 10K Windows endpoints, and they know they want to monitor each and every one of them. I know Snare will report in every time, all the time, even in large scale environments. Snare is well documented and easy to install. Snare also does encryption from the agent to the QRadar host, which is very important for most organizations, though in particular federal customers.”

Peter “S14” Szczepankiewicz, IBM

Learn More About Snare Central & Snare Agents

Snare is the go-to centralized logging solution that pairs well with any SIEM or Security Analytics platform. Snare helps companies around the world improve their log collection, management and analysis with dependable tools that save time, save money & reduce risk.

Comprised of over 100 companies and growing, AUCYBERSCAPE is Australia’s first national cyber security digital ecosystem, showcasing Australian cyber capability and the abundance of Aussie-owned companies that are putting the region on the map as a global hub for innovation in cyber security technology.

The online platform features companies from Australia’s most promising growth sector and enables security teams in APAC and across the world to source Australian cyber security providers – which is becoming critically important as sovereign capabilities play a decisive role in cyber security purchase decisions and the building of secure supply chains.

Read more about this important topic in a recent article by our CEO >>

The Australian Cyber Landscape

“Global spending on cyber security products and services increased by 30 per cent from 2017 to 2020.  This year alone, Australians spent approximately A$5.6 billion on cyber security from both local and international providers, a figure that is expected to increase to A$7.6 billion by 2024.” (AUCYBER)


About AUCYBERSCAPE

AUCYBERSCAPE is a ‘one-stop-shop’ digital marketplace for businesses, government, investors and individuals to better understand cyber security, explore the Australian sector and connect with the cyber security companies or products and services they may be looking for.

Australian cyber security companies can:

  • showcase their cyber security products and services, business solutions and sector experience
  • connect with customers e.g. businesses, government, individuals and investors
  • access information to support their company development and growth

Customers can:

  • understand more about cyber security and their cyber security needs
  • search for and directly connect with Australian cyber security companies
  • learn about cyber security career pathways and education opportunities
  • explore the Australian cyber security sector

The delivery of AUCYBERSCAPE is a partnership between the Australian Cyber Security Growth Network (AustCyber), Insurance Australia Group (IAG) and the State and Territory Governments of the Australian Capital Territory, New South Wales, Queensland, South Australia, Tasmania, Victoria and Western Australia.

Learn more about AUCYBERSCAPE and find Snare Solutions – a subsidiary of Prophecy International (ASX:PRO) – on AUCYBERSCAPE, here.

This blog contains some immediate guidance on using Snare Agents and Snare Central to detect activity on your network from the SUNBURST Backdoor malware delivered by SolarWinds Orion Software.

Background on the SUNBURST Backdoor

Several advisories have been published by FireEye and CISA on the malware backdoor used in the SolarWinds compromise. FireEye provided a detailed white paper on the topic here, and US CISA also provided good detail here.

Important Information

The FireEye report reveals that this attack was perpetrated by an advanced adversary who carefully selected targets, changed their attacking infrastructure to match the victim’s geographical location, and even named attacking hosts to match their victims in order to better disguise their traffic. By compromising a trusted software partner like SolarWinds Orion, they could use SolarWinds’ position in the network to spread laterally across on-premises systems and cloud infrastructure to capture and exfiltrate data.

While the SUNBURST Backdoor is a sophisticated attack vector, it is still just a trojan on a network followed by lateral movement, so many of your typical network defense and incident response techniques can be used immediately. If you know which hosts on your network are running SolarWinds Orion, start your hunting with those hosts, as this is where the adversary gains a foothold; the SUNBURST Backdoor itself should only be effective on those hosts. The added threat is any lateral movement out from the Orion hosts, using common techniques or credentials harvested from Orion.

Detection using Snare Agents and Snare Central

The IOCs that FireEye released in their GitHub repository cover hashes, Snort rules and IP address details. After the initial compromise it is important to understand what was done on the corporate network and what the attackers were up to. The following are needed to help detect the malicious activity:

  • Install the Snare Agents to collect system event logs, and enable FIM and RIM on key software and operating system locations to generate the required hashes. If the Snare agent was already installed, having FAM and RAM configured for the same operating system and application locations provides details on which accounts were used and which programs made changes to host files. Snare agents on other systems collecting system logs also assist with detecting lateral movement of users and potential account breaches on other hosts.
  • Use Snare agents to collect DNS log activity. We have a good FAQ guide here.
  • Other logs, such as proxy logs, can also be useful for determining Internet access paths and source and destination systems. These can be collected using the Snare Windows or Linux agents.
  • Perform Database Activity Monitoring with the Snare MS SQL agent. This tracks user access to Microsoft SQL Server databases to see whether user accounts were compromised, or data was changed or exfiltrated.
  • Install Snare Central to collect logs from Snare Agents and from other syslog devices such as firewalls, routers, switches, and software like Snort or other IDS/IPS systems.

You can create reports in Snare Central to search the logs collected from the Snare Agents and network devices for malicious activity originating from the SolarWinds servers, covering syslog logins, the trojanized DLL, DNS lookups, and firewall and proxy traffic profiles. The Snare Dynamic Search can be used to hunt for threats in an ad hoc fashion, and queries can be saved for later use or as templates for new queries. Dynamic search allows multiple log types to be searched at once for keywords, IP addresses and domain names, to find the access paths the malicious software is using.

Searching Logs

Searching for netsetupsvc.dll in dynamic search can be done either by entering netsetupsvc.dll in the basic search field, or by using advanced search and pasting the query below:

DATE='TODAY' AND ALLFIELDS REGEXI 'netsetupsvc\.dll'

The time period can be adjusted to review larger ranges as required. Searching the last 30 days would be as follows:

DATE>='30' AND ALLFIELDS REGEXI 'netsetupsvc\.dll'

Search the DNS logs with the following query for the command and control (C2) domains:

DATE>='30' AND ALLFIELDS REGEXI 'avsvmcloud|appsync-api'
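The two searches above emulated outside Snare Central over plain text log lines, as an added example that is not Snare's own code: it applies the page's case-insensitive indicator patterns to every line inside a date window. The sample events, host names and timestamps are constructed, and the line format (leading ISO-8601 timestamp) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Case-insensitive patterns mirroring the ALLFIELDS REGEXI searches above.
INDICATORS = {
    "trojanized_dll": re.compile(r"netsetupsvc\.dll", re.IGNORECASE),
    "c2_domain": re.compile(r"avsvmcloud|appsync-api", re.IGNORECASE),
}

# Constructed sample events (hypothetical hosts, addresses and timestamps, not real captures).
# Each line starts with an ISO-8601 timestamp, which is what parse_timestamp() expects.
SAMPLE_LOGS = [
    "2021-01-10T03:14:07 orion01 FIM: file created C:\\Windows\\SysWOW64\\NetSetupSvc.dll by SYSTEM",
    "2021-01-10T03:15:22 dns01 query: k5tfd2a7q1.appsync-api.eu-west-1.avsvmcloud.com from 10.0.5.12",
    "2021-01-11T09:00:01 dns01 query: updates.example.org from 10.0.5.40",
    "2020-11-02T22:41:55 orion01 FIM: file modified C:\\Program Files\\SolarWinds\\netsetupsvc.dll",
]

def parse_timestamp(line):
    """Return the leading ISO-8601 timestamp of a line, or None if it has none."""
    try:
        return datetime.fromisoformat(line.split(" ", 1)[0])
    except ValueError:
        return None

def hunt(lines, now, days=30):
    """Emulate DATE>='<days>' AND ALLFIELDS REGEXI '<pattern>' over plain text lines.

    Returns a list of (indicator_name, line) for every line inside the window that
    matches any pattern. Lines without a parseable timestamp are skipped.
    """
    since = now - timedelta(days=days)
    hits = []
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None or ts < since:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits

if __name__ == "__main__":
    # Fixed reference date so the 30-day window is reproducible.
    for name, line in hunt(SAMPLE_LOGS, now=datetime(2021, 1, 12)):
        print(f"[{name}] {line}")
```

Widening the window (for example days=90) brings the older FIM event into scope, which is the same adjustment the DATE clause makes in Snare Central.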

Proxy Logs

Proxy logs collected by the Snare agents can be searched using the standard reports. The proxy logs may reveal a path to the Internet used to access malicious content, or used to exfiltrate data. Reviewing the top sites or users can highlight who and where the activity was coming from for compromised users and systems. The standard reports are located here:

Reports\Application Audit\Proxy Servers

User Lateral Movement

Logins to other systems can be detected using the standard login reports, which show which systems users are logging into. The report can be cloned as many times as needed, with each copy having additional filters applied for specific users or groups of users, to narrow down to a specific user account logging in to multiple systems. This can be an indication of account compromise if the access was not legitimate. Out-of-hours login reports can also be run to see which accounts are being used outside standard working hours, when those accounts would not normally be used. User login activity reports for Windows and other operating systems are located here:

Reports\Operating Systems\Login Activity

User and group changes can also be tracked and reported on. One of the changes the malware makes is to modify or add users so that they have privileged access. Users being added or removed, system policy changes, audit logs being cleared (a sign of an attacker trying to hide their tracks), group and group membership changes, and changes to specific users for additional access can all be signs of malicious activity. Snare Central has reports for tracking administrative user activity located here:

Reports\Operating Systems\Administrative Activity
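The lateral movement, out-of-hours login and administrative activity checks described in the two sections above, as an added example over constructed Windows security events rather than Snare's own reports. The events, accounts and hosts are made up, the business-hours window and the three-host threshold are assumptions, and the Windows Security event IDs are used only to label the event kinds the reports track.

```python
from collections import defaultdict

# Windows Security event IDs for the activity the reports above track (illustration only).
LOGON = 4624
ADMIN_EVENTS = {
    4720: "user account created",
    4728: "member added to global group",
    4732: "member added to local group",
    1102: "audit log cleared",
}

# Constructed sample events: (event_id, hour_of_day, account, host). Not real captures.
SAMPLE_EVENTS = [
    (4624, 9, "jsmith", "ws01"),
    (4624, 2, "svc_orion", "fs01"),
    (4624, 2, "svc_orion", "dc01"),
    (4624, 3, "svc_orion", "sql01"),
    (4624, 14, "jsmith", "ws01"),
    (4732, 2, "svc_orion", "dc01"),
    (1102, 3, "svc_orion", "dc01"),
]

def hunt_lateral_movement(events, min_hosts=3):
    """Accounts that logged on to at least min_hosts distinct hosts (possible lateral movement)."""
    hosts = defaultdict(set)
    for eid, _, account, host in events:
        if eid == LOGON:
            hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}

def out_of_hours_logons(events, start=8, end=18):
    """Logons outside the assumed business window [start, end), as (account, host, hour)."""
    return [(a, h, hr) for eid, hr, a, h in events if eid == LOGON and not start <= hr < end]

def admin_activity(events):
    """Privilege-related events, as (description, account, host), in log order."""
    return [(ADMIN_EVENTS[eid], a, h) for eid, _, a, h in events if eid in ADMIN_EVENTS]

if __name__ == "__main__":
    print("lateral movement:", hunt_lateral_movement(SAMPLE_EVENTS))
    print("out of hours:", out_of_hours_logons(SAMPLE_EVENTS))
    print("admin activity:", admin_activity(SAMPLE_EVENTS))
```

In the constructed data the same service account appears in all three results, which is the correlation the cloned and filtered reports are meant to surface.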

Process Execution

Reviewing process execution can be complicated, as it requires understanding which applications are normal on the corporate network and which are not. However, building context of what is normally run and then looking for what is abnormal can be done by reviewing the activity on key systems first, then expanding to other systems as needed. Where application whitelisting has been implemented the risk may be lower, but not all organisations have been able to whitelist all application usage. Snare Central has base reports that show which commands are being run on the systems. If the customer also has Sysmon installed, it provides additional information, including the parameters used in commands that are run, such as PowerShell commands. The reports can be cloned as many times as needed and adjusted with additional filters to search for specific applications, or to exclude known whitelisted applications and report on the remaining unknown applications. Process monitoring reports can be found here:

Reports\Operating Systems\Process Monitoring

Network Activity Monitoring

Where Snare Central is collecting firewall, router, switch and other logs from Snort or other IDS/IPS systems, it can help correlate actions performed by systems and/or users to show where malicious content was downloaded from, or where data is being exfiltrated to. Reports can be created for a variety of network devices, with filters that look for specific IP addresses of interest on either internal or external sites. In the case of this malware, filtering on the source address of the SolarWinds server and any other compromised servers may help narrow down what actions were taken and how they were performed on the corporate network. Some of the standard network activity monitoring reports can be found here:

Reports\Network

Database Activity Monitoring

Database Activity Monitoring with our Snare MS SQL agent can provide additional information on what corporate data was accessed inside MS SQL Server databases. Tracking access to the databases and reviewing the contents of the SQL commands and who ran them provides additional forensics when combined with the other user activity performed on the systems. There are several standard reports in Snare Central that provide details on admin and DBA activity, database activity, and usage of specific commands. Users can report on login activity, use of user rights, and specific SQL events, report on objects accessed using custom reports, and tune the reports to the customer’s specific naming conventions. Some of the standard reports can be found here:

Reports\Application Audit\MSSQL Server

For additional information please contact our sales team via the email contacts here.