Shellshock – 100 Years after WWI


The latest epic attack that has everyone’s attention is Shellshock (Bash Bug). In this blog, we’ll provide Click’s take on the vulnerability – as well as what we have done to augment Click Commander’s ability to detect it with Real-time Security Analytics.

Yesterday’s US-CERT announcement identified “shellshock” vulnerabilities involving OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, and dhcpd.  Shellshock allows attackers to run arbitrary shell commands on a vulnerable machine.  From there, attacks including denial-of-service that enable subsequent login credential guessing can be easily performed.  To learn more about the vulnerability, see CVE-2014-6271.

Has the vulnerability actually been exploited?  Absolutely.   Attempts have been made across the internet where attackers crafted custom web requests and sent those to Internet-facing web servers to either verify a vulnerability, or exploit the target immediately.

How did Click get on the scent?  The first clue surfaced by Click Commander was a Rare Event analytic alert – which notified our analyst that a Data Mining Unit (DMU) indicator of compromise had fired – and one that had never fired before.  A small example perhaps, but an example nonetheless, of how our system works to surface “disturbances in the force” that usually go unnoticed.  Even more interesting, before the Rare Event analytic fired, a BroNotice event indicating an HTTP Header Anomaly fired.  The header’s values fell out of range of our “baseline” of HTTP headers.  At this point, we had two analytics fingering the same “needle in the haystack”.

With a little Click Labs research, we learned that while Shellshock can use multiple attack vectors, attacking through the HTTP protocol is the most common, like this:

  1. Locate a web server running the mod_cgi or mod_cgid modules with CGI scripts that invoke Bash.
  2. Trigger the Bash vulnerability through the environment variables the CGI handler sets from the crafted request.
  3. Issue commands immediately following the environment variable definition.

The commands of choice are, of course, limited to those available on the affected web server.  So far, commands including Internet connectivity checks, file reading / writing, and issuing separate web commands (new HTTP requests) have been observed.

With this knowledge, Click Labs quickly developed a new analytic that focuses on HTTP protocol anomalies – one that surfaces even more indicators of compromise presented by commonly used event sources.
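The two analytics described above (an HTTP header value that falls outside the baseline, and a header carrying the Bash function-definition prefix that CVE-2014-6271 payloads must start with) can be sketched as a small detector. This is an added illustration, not Click Commander code; the log records and field names are constructed, and the baseline is simply a count of header values seen in historical traffic.

```python
import re
from collections import Counter

# Bash only parsed an environment value as an exported function when it began
# with "() {". The detector tolerates extra whitespace around that prefix.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")

# Request headers a CGI handler copies into the environment. Assumption: the
# event source exposes these three fields (real HTTP log schemas vary).
HEADER_FIELDS = ("user_agent", "referer", "cookie")

# Constructed historical traffic used to build the header-value baseline.
HISTORY_LOG = [
    {"src": "198.51.100.10", "user_agent": "Mozilla/5.0 (Windows NT 6.1)", "referer": "-", "cookie": "-"},
    {"src": "198.51.100.11", "user_agent": "Mozilla/5.0 (Windows NT 6.1)", "referer": "-", "cookie": "-"},
    {"src": "198.51.100.12", "user_agent": "curl/7.37.0", "referer": "-", "cookie": "-"},
]

# Constructed new traffic: one benign repeat, one new-but-benign agent, and two
# requests whose header values carry the function-definition prefix.
NEW_LOG = [
    {"src": "198.51.100.10", "user_agent": "Mozilla/5.0 (Windows NT 6.1)", "referer": "-", "cookie": "-"},
    {"src": "203.0.113.20", "user_agent": "Wget/1.15", "referer": "-", "cookie": "-"},
    {"src": "203.0.113.7", "user_agent": "() { :; }; /bin/true", "referer": "-", "cookie": "-"},
    {"src": "203.0.113.9", "user_agent": "curl/7.37.0", "referer": "() { x; }; /bin/true", "cookie": "-"},
]


def shellshock_headers(record):
    """Header fields whose value begins with the Bash function-definition marker."""
    return [f for f in HEADER_FIELDS if SHELLSHOCK_MARKER.search(record.get(f, ""))]


def build_baseline(records):
    """Count each (field, value) pair seen in historical traffic."""
    return Counter((f, r.get(f, "")) for r in records for f in HEADER_FIELDS)


def rare_headers(record, baseline):
    """Header fields whose value has never been seen in the baseline (rare event)."""
    return [f for f in HEADER_FIELDS
            if record.get(f, "") != "-" and baseline[(f, record.get(f, ""))] == 0]


def analyze(records, baseline):
    """Return (src, reasons) per alerting record. A record that trips both
    analytics is the 'two analytics on the same needle' case from the post."""
    alerts = []
    for r in records:
        reasons = [f"shellshock-marker:{f}" for f in shellshock_headers(r)]
        reasons += [f"rare-header:{f}" for f in rare_headers(r, baseline)]
        if reasons:
            alerts.append((r["src"], reasons))
    return alerts


if __name__ == "__main__":
    for src, reasons in analyze(NEW_LOG, build_baseline(HISTORY_LOG)):
        print(src, ", ".join(reasons))
```

The rare-header analytic alone also flags the harmless new Wget agent, which is why the post stresses tying analytics together before calling something an actor.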

Heartbleed was a good one.  ShellShock is even better.  Is this the last one?  You know the answer.  But this is another example of how Click Commander provides a rapid analytics deployment solution that not only adapts to new attack vectors (or, more accurately, a very old one that has been newly exposed), but can be tied to other analytics so that dangerous actors are exposed quickly with far less chance of a false positive.

Perhaps best of all, though, is how Click Commander made it incredibly easy for an analyst to take publicly presented indicators and search our data cache for relevant activity.  It was super fast to determine if we’ve ever seen these indicators before.  A big value for analysts who are usually too swamped to achieve this level of analysis and action at all – let alone fast!

Las Vegas — Here We Come!

Click will be full force in Las Vegas next week.  Check out our booth & speaking schedule below – come see us!



BSides Las Vegas
Tuscany Suites & Casino
David Dorsey & Mike Sconzo
“Cluster $#@! – Actionable Intelligence from Machine Learning”
Tuesday, August 5th at 3:30pm


Black Hat USA 2014
Mandalay Bay
Business Hall – Shoreline A
Booth #959
Wednesday, August 6th 10am – 7pm
Thursday, August 7th 10am – 5pm


ISE Lion’s Den & Jungle Lounge
Vdara Hotel & Spa
Wednesday, August 6th  3pm – 6:30pm


DefCon 22
Rio Hotel & Casino
David Dorsey
“Why Don’t You Just Tell Me Where The ROP Isn’t Supposed To Go?”
Friday, August 8th at 5pm

Click Security adds new Senior Vice President of Sales


Company Positions for Sales Expansion in Big Data Security Analytics


AUSTIN, TX – July 14, 2014 – Click Security, a leader in advanced threat detection, today announced Preston Lawhorne has joined as its Senior Vice President of Sales.

“We are excited to have Preston join the Click Security team,” said Marc Willebeek-LeMair, CEO and co-founder.  “He is a seasoned security sales veteran with a strong track record of ramping early stage security businesses to high revenue growth.  With our recent product improvements around expanded analytics, scalability and ease of use – as well as the growing market acceptance that big data security analytics is an important movement – we are poised for strong sales growth, and Preston can help us tremendously.”

Lawhorne is a 40-year tech veteran with experience in building sales strategy and successfully executing go-to-market plans. Having built some of the industry’s most successful “high octane” security sales teams, he has held key leadership roles in businesses including Burroughs/Unisys, Data General/EMC, Oracle, McAfee – and security startups including TippingPoint and LogRhythm.

“I’ve been a part of several important waves in enterprise network security over the years.  There is another wave in front of us as organizations realize spending on traditional prevention technologies alone is not stopping today’s adversaries and their methods,” said Mr. Lawhorne. “I’m excited to be part of Click Security because I believe their solution fills a gap left by today’s traditional security products – and can fundamentally change how we automate the early detection, analysis, and continuous monitoring of advanced threats.”


About Click Security

Click Security’s Click Commander runs real-time stream processing analytics against pre-computed log, network, and file/artifact data sources; automatically produces analyst start points with automated actor/event / relationship views; and provides a full attack activity framework – where analysts can interactively visualize, prune, and augment big security data.  Now analysts can gain true security visibility, automatically build rich context around otherwise independent and inconclusive product alerts, detect attack activity missed by traditional security products, and automate the hunt for the unknown.  Please visit us at www.clicksecurity.com for more information or follow us @clicksecurity.


Analyze This: Big Data Security Analysis Made Easy

Really like John Oltsik’s latest article in Network World — trying to get CISOs to rethink what data to capture and analyze — “Big data security analytics mantra: Collect and analyze everything.”

“we no longer want (SIEM) technologies mandating what types of data we can and cannot collect and analyze. We used to be limited by analytics platforms and the cost of storage, but this is no longer the case. Big data, cheap storage, and cloud-based storage services have altered the rules of the games from an analytics and economics perspective. The new mantra for security analytics should be, ‘collect and analyze everything.’”

But, in talking with lots of customers, it seems like if you get much below the Fortune 50, the perception is that big data security analysis sounds like a scary complex proposition.

Let’s first agree that “big data” is a highly subjective term.  We can spend days on that one.  So let’s move on.  Don’t get hung up on volume.  It’s more about extracting relevant intelligence in a timely fashion.

Well, what if it was as simple as De Niro (forgive me, I’m a big fan) makes it seem?

At Click Security, we give you an easier path.  With us, you can gain visibility into the adversary activity in your network with as little effort as dropping a single DMU ISO onto a network tap port.  No other data feed configuration necessary.  As you get comfortable, add IPS/IDS data. Then add Windows authentication data.  Then add web proxy data.  The more data, the more we can show you.  But the point is — get started, see fast value, and grow from there.

Take a look at our latest explainer video to learn a bit more.

Or if you’re ready to give it a go, sign up to try Click Commander — no obligation at all.