A Normal Lookup? Or an Imminent Threat? Just ASQ?

Continue the Chase

Cat and mouse.

It’s a theme that’s been repeated in one form or another in stories, songs, parables, and even cartoons. It’s repeated over and over again, because it’s a common theme in life. Unfortunately, it’s also a reality in information security. The really dangerous adversaries (mice) won’t come bounding into an environment, making lots of noise and risking their exposure. It’s the breadcrumbs that are uncovered that can point us to these activities. And it’s equally important to find and close their entry points before the adversary has a chance to exploit them in the first place.

In this installment of our ASQ blog series we will look at how, with the help of the Armis agentless device security platform, we help head off potential exploit targets, and uncover traces that could possibly point to further nefarious activity.

If you missed the start of the series, you can read part one here, part two here and part three here.

Targets

Vulnerability managers have a tough job. Their days are spent reading up on and understanding  new vulnerabilities, assessing the potential impacts the vulnerability might have on their environment, finding devices vulnerable to it, understanding if there are other measures that can help mitigate, and managing the patching process to ensure the holes are closed – all as quickly as possible. Attackers understand this difficulty, and leverage older vulnerabilities successfully on a regular basis.

The Armis agentless device security platform makes the job much easier by passively revealing vulnerability information on hosts and allowing the manager to slice and dice this data in concise, meaningful ways. Following are a few ways the Armis platform can help vulnerability managers analyze this data, which includes the ability to filter by vulnerability:

• Severity
• Exploitability Metrics
• Location
• Device Type
• Impact Metrics

You might be thinking: “Traditional Vulnerability Management tools can do this too”, and you’d be mostly correct. The thing they lack is the ability to understand the environment passively, completely, and continuously like the Armis platform can.

Let’s think about a few situations where these tools may have trouble. Sometimes, certain segments of a network cannot be scanned because traditional tools may be too intrusive, and the mere act of scanning can take them offline. Instead of being able to scan those segments, the owners of that piece of the network often have to sign off that they accept the risk, and any vulnerabilities may go unaddressed. At other times, there may be devices that are simply not seen or discovered, and therefore are not targeted by these scanners in the first place. Lastly, the time it takes to complete a fully scheduled scan can impede the assessment and remediation process.

Knowing the benefits the Armis platform can provide to address the issues noted above, let’s see an example of how easy it can be to find a vulnerable entity. In this example, we are looking for old vulnerabilities in Microsoft Office that haven’t already been patched. It’s a breeze to search on specific vulnerable values associated with Microsoft Office. Below, you can see an example of the Armis Standard Query (ASQ) tool looking for vulnerabilities in devices running Microsoft Office, on the corporate network, and all within the last 7 days.

When the query is complete, the following results will be presented in the results pane:

Finding Oneself 

In the above section, we have shown how potential targets, or vectors, may be identified. Now, we’ll look at traffic that may indicate an infection or malicious actor is looking to gain access.

Some malware will look to automatically find its location to report back to CNC servers, or to prevent executing in certain geolocations. There are several websites available that can allow for this programmatic IP discovery. By calling out to these sites, the malware can understand the publicly accessible IP information belonging to its target. Of course, the malicious actor who controls this malware, will now know how to reach their target. Using this public IP information and then combining it with an exploit for a vulnerable, internet accessible server, they now have a way into the environment. Defenders can then watch for the inevitable lookups to these sites for signs of mischief. There’s an excellent write-up covering this ‘breadcrumb’ in more detail that can be found here.

Be forewarned, that observing these lookups is not a foolproof way of finding malicious activity, but it could be a hint, and you may wish to monitor this as part of a threat hunting strategy.

Since these sites also have legitimate uses, most current network monitoring tools will not identify the traffic as potentially malicious, especially with more conservative rulesets being used with these tools. This is where Armis, in the hands of a threat hunter armed with this knowledge, can allow them to quickly check the environment for this activity, without needing to open a full-fledged investigation with a security operations analyst.

Let’s take a look at how to do this with the Armis platform. We will use the DNS Query Activity type, and combine that with a list of some known IP geolocation hosts. These hosts include:

• checkip.amasonaws.com
• ifconfig.co
• *whatismyip.*
• *whatismyipaddress.*
• *ipinfo.*
• *iplocation.*
• *showmyip.*
• *tracemyip.*
• *checkip.dyndns.*

Note that there are wildcards in the above list using an asterisk. Within Armis, wilcarding is handled by the ‘%’ symbol, as you can see below. This list is not exhaustive, but shown here as an example you could use.

Once the results of the query are returned, you can drill down further into the device details, such as in the below screenshot. With that, you can investigate further looking for other breadcrumbs.

Conclusion

Finding and addressing vulnerabilities in any environment is a challenging job, but having the right tools makes that job easier. Traditional methods often fall short because of the need to schedule scans or install agents. This means vulnerability scans that do not complete, complete within large windows, or necessitate devices that support agents might have incomplete or out of date vulnerability information — or may even be overlooked altogether. Armis’ vulnerability information is passive and ongoing, meaning it doesn’t rely on scheduling scans or installing agents and can be more timely and comprehensive because of it.

We hope you’ve enjoyed reading our series as much as we’ve enjoyed bringing it to you. It is our hope that you will use the examples from this series to expand into more unique ways to defend your networks, and of course, make your life easier by leveraging the power of Armis and the Armis Standard Query (ASQ) language.

For a full demonstration of Armis, please visit www.armis.com/demo.