Today, September 8, 2017, Equifax, one of the largest credit reporting agencies in the United States, has disclosed that they suffered a massive data breach because their network was compromised by unknown hackers. According to the Equifax’s press release, attackers gained access to personal data of almost 143 million Americans. Social security numbers, birth dates and addresses of nearly half the population lost in this breach of the US could be misused by hackers for years to come. Credit card numbers of US-customers and non-US customers were also stolen. After Equifax announced the cyberattack, their shares dropped 13%.
Official information posted on the Equifax website states: “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.” The breach was disclosed only yesterday, meaning it took six weeks to detect the cyberattack.
Network security solutions like GREYCORTEX that identify anomalous behavior within your network are especially important in this situation. These solutions mean your IT team can identify malware by its anomalous movement within the network, and identify it as it replicates. GREYCORTEX MENDEL identifies such anomalous behavior, offers deep network visibility, and differentiates between human and machine behavior, meaning you can find infected devices within your network and secure your company’s data and reputation.
BEING “SMART” DOESN’T MAKE YOU SAFE
MENDEL 3.3 RELEASED
April 16, 2019
GREYCORTEX has released the latest version of our MENDEL network traffic analysis solution. Version 3.3 has several important new features which improve detection and response for the network security team.
The biggest is that MENDEL’s detection and visibility capabilities are now available for SCADA/ICS environments. This new capability goes beyond support for several protocols found in earlier versions of MENDEL, and extends it to a whole new module, including the ability to visualize not just devices, but time series in IEC 61850 Goose, SNMP, and IEC104 protocols.
Not content with just SCADA features, we have added new reporting for managers and security analysts, detection and logging of TLS 1.3, and fingerprinting of encrypted traffic on the JA3 framework, as well as increasing the capabilities of the multi-sensor configurations.
New features
- New managerial and security analyst reports summarize network data and security threats
- New module for processing and visualization of SCADA protocols, including new dashboards for visualizing time series in IEC 61850 Goose, SNMP, and IEC 104 protocols
- Added support for parsing CC-link protocol
- Added support for parsing Enip/CIP protocol
- Added support for parsing Kerberos protocol
- Added support for parsing TFTP protocol
- Added support for parsing IKEv2 protocol
- Added support for parsing FTP protocol including parsing FTP data streams
- Added detection engine for SSL/TLS client fingerprints JA3
- Added multi-disc installation of MENDEL
- Added GUI localization into Polish and Korean
- Introduced new light color scheme
- Integration with firewalls from Check Point
Please note New system of reports will replace in the near future the old type of reports. If you use them don’t forget to configure new reports.
Enhancements
- Improved installer with enhanced user interface and new features
- Improved dark color scheme
- Redesigned severity color scheme
- Reorganized main menu for better accessibility
- Redesigned user dashboards for better user experience
- Improved network capture module for better performance and less resource consumption
- Improved network models for faster detection and reduced storage demands
- Improved task planner and optimization of parallelized processing in the service for better resource consumption and management creating faster processing for multiple sensors on one collector
- Improved detection and reparation of unusual, incomplete, or swapped flows
- Improved parsing of incomplete or unidirectional flows
- Improved network capture default configuration for better capture on all configurations
- Improved processing of Active Directory events for better calculation of logged users
- Improved Mikrotik plugin
- Added button to restore user dashboards to default
- Improved creation of complex firewall rules in plugin
- Improved HTTP proxy pairing for incomplete or invalid communication
Bug Fixes
In general, our development team focused on improving the user experience and reporting.
Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.3 to work for you.
GREYCORTEX RELEASES MENDEL 3.0
March brings the most recent version of GREYCORTEX MENDEL; Version 3.0. As part of this release, MENDEL 3.0 brings several new features SOC administrators will love, as well as continued expansion for SCADA networks and upgraded hardware support.
Specifically, MENDEL now supports the latest in DELL Rx40 hardware. Those in SCADA network environments will enjoy updates to the MENDEL IDS system. Version 3.0 also includes visibility for the NFS (Network File System) and IEC 60870 5 101/104 protocols. SOC users will note that dashboards have been adjusted to better accommodate multiple sensors, and that the overall capacity for sensors connected to one collector has been increased to 30. Finally, MENDEL’s capabilities have been expanded to include the ability to add your own blacklist file, as well as export files to IBM Qradar SIEM via the LEEF format.
New Features
- GREYCORTEX has added support for the latest Dell servers (Rx40) so users will now be able to use the latest hardware.
- SCADA support continues, with updates to the MENDEL IDS engine to include visibility IEC 60870 5 101/104 protocols – bringing new security for professionals in the energy infrastructure sector.
- SOC administrators will appreciate several new features in version 3.0, including new dashboard settings suitable for multiple sensors for better SOC visualization, as well as the ability to add up to 30 sensors on one collector, and finally; LEEF expert format for events exported to IBM Qradar SIEM, and the ability to upload users’ own blacklists in .csv file.
Improvements
Several MENDEL features were improved. These included easier license extension, host identification, decryption performance, status monitoring, and data export.
Bug Fixes
In general, our development team focused on improving the user experience and reporting.
Please note that updating to version 3.0 requires appliance restart and may take up to one hour.
Contact your local GREYCORTEX partner to find out how you can put MENDEL v3.0 to work for you.
NEW VERSION 2.3 RELEASED
GREYCORTEX launched a new 2.3 version MENDEL Analyst. It added standardized support of NetFlow and IPFIX, new ways of data presentation and several performance improvements and more.
New features
- New tool in GUI “Network Analysis” – user defined aggregated statistics for better analysis of network traffic and security incidents
- Standardized NetFlow with IPFIX fully supported
- New user account administration page
- Changelog page with history and enhanced updating using RPM packaging system
Improvements
- Major performance improvements of signature-based detection engine
- Improved DNS cache with TTL support for better hostname resolution
- Improved algorithm for matching hosts with Active Directory users
- Inserted GUI URLs kept after login
- Improved export of charts
- Enhanced system log management with filtering by time and a system component
REVIEW OF GREYCORTEX MENDEL
A USEFUL SECURITY PRODUCT THAT OFFERS A WIDE VARIETY OF INTERESTING POSSIBILITIES
GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:
- Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
- Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
- Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
- A tool for event correlation and risk assessment
During the initial design, the focus was on custom Advanced Security Network Metric (ASNM), large scale data mining based on artificial intelligence, and unique specialized algorithms providing detection of the entire scale of threats and anomalies. Immediate outcomes can be obtained via an intuitive user interface and user-defined reports. GREYCORTEX also brings a whole lot of other interesting options, e.g. for forensic purposes, it provides a complex and detailed overview and history of network traffic, behavior of users, network hosts, applications and services.
DATA SOURCES
The main input is a network data from a mirror port on a backbone switch or a network tap. The NBA detectors are able to accept summarized data in the format of custom ASNM metrics or according to NetFlow v5/9 and IPFIX for IPv4 and IPv6. In addition to the network traffic, the product is able to identify identity context using the company’s LDAP or the Active Directory services. These technologies can also be used for user management and authentication.
Detection signatures dataset containing over 30,000 rules is obtained from external sources. IP address blacklists and their reputation (trustworthiness) are also obtained. These lists are regularly updated on an hourly or on a daily basis. This enables the tool to obtain information about generally known malware and about Command and Control (C&C) attack servers, sources of attack, and known botnets. Moreover, uses a list of known sources of spam, information about Tor[1] networks and about proxy servers as well as information about ownership and geographic position of the communicating hosts and domains.
ASNM PROTOCOL
The ASNM protocol is used to track over 70 attributes of each individual flow in the network. For each flow, it generates information about the source and the target, its duration, size of the data portion and packet counters. MENDEL also retrieves information about frequency spectrum and performance such as Application Response Time (ART), Round Trip Time (RTT), Jitter, and other.
The functions enabling the detection of anomalous and potentially undesirable behavior work similarly in NetFlow protocol; however, thanks to ANSM, they are more detailed and therefore more effective. Another difference consists in the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to NBAR (Network-Based Application Recognition) standard used in Cisco devices is employed; the mechanism can recognize hundreds of protocols. The DPI technology enables extraction of metadata for almost 30 application protocols, even in tunneled traffic.
DETECTION MECHANISMS
The incident detection is based on two methods, first based on signatures (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The whole mechanism of learning consists in detailed modelling of the whole network on various levels. From models of the entire network to models of individual services of individual hosts and devices.
The application is continuously learning to distinguish characteristics of anomalous flows from the normal ones based on probability and statistical models without the need for decoding or decrypting the data. After installation into a network, it is necessary to let the application train itself in a new environment for at least a couple of hours. It gains the complete knowledge after approximately one week.
The following algorithms of machine learning are based on the ASNM protocol:
- Selection of relevant individual metrics
- Bayesian analysis based on learned probability of events
- GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models
Probability based (Bayesian) modelling provides almost 1,000 parameters divided for each flow of a host in a network or subnetwork and its services provided locally or remotely. A separate model is created for each service of the host, network device, services aggregated on the network, subnetwork mask, state and ASN (Autonomous System Number).
OUTPUTS
GREYCORTEX MENDEL enables the user to export the created events in various formats and send them via e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. This makes it possible to generate alerts based on defined conditions and notifications about the detected anomalies. In this way, it is possible to create user configured reports containing text or graphic visualization of the detected events, network performance or applications and other data in the system. The messages can include a variety of adjustable elements including tables and graphs. The messages can be exported to standard document formats such as DOCX or PDF.
The e-mail system supports connection to standard e-mail servers with SMTP protocol and encrypted communication based on PGP (Pretty Good Privacy). The data exports can also be performed in preset intervals or during detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF format (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be previously configured and filtered according to the requirements of system integration.
It is possible to detect:
- RAT Trojan horses (Remote Access Trojan) including C&C system activities
- Zero-day type of vulnerabilities and exploitation of services
- Malware on mobile and embedded devices
- Long-term APT attacks (Advanced Persistent Threats)
- Data leaks with DNS, SSH, HTTP(S), etc.
- Tunneled traffic
- Protocol anomalies indicating a long-term port scanning and other attacker activities
- Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
- Spam detection
- Preparation for data theft and exfiltration (e.g. by employees)
- Automated data harvesting
- Data theft (e.g. from web applications)
- Phishing attacks
- Violation of internal security rules and policies
- Faulty network settings
- Network and application performance issues
- Dos and DDoS attacks
- New or unknown devices, e.g., of the BYOD type (Bring Your Own Device)
Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. These techniques analyze the most interesting information about a particular network obtained through various detection mechanisms. It is possible to find event correlations, eliminate false positives and perform risk estimates. The system is also compatible with systems for risk categorization such as CVSS (Common Vulnerability Scoring System) or NIST Critical Infrastructure Cybersecurity Framework, etc.
INSTALLATION PROCESS
The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces enabling the monitoring of the required number of source lines. The solution can be installed in a probe/collector configuration that enables monitoring geographically remote networks or as a cloud.
We tested the version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment on the base of a fully functional 30-day demo. To ensure that the application runs correctly, it is necessary that the server includes a processor with at least 8 virtual cores, 32 GB of RAM, disk capacity of 500 GB and two network interfaces; VM-ESXi virtualization system was used. The installation went smoothly, without any issues.
Tabs for the individual configuration areas are placed well, they enable a quick transition to settings of monitored networks and policies (Policies tab), Detection mechanisms (Detection tab), notifications and exports (Exports tab), and authenticating mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.
USE OF THE TOOL
At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of a quick display of the communication of each device and all its services was interesting for me. In particular, it is the security visibility and transparency network that the applications brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.
In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, also capture and save network traffic on the basis of a defined filter into PCAP format files.
The Export tab allows to define exports; we at VŠKE use SIEM; therefore, the possibility of exporting the data into this system was interesting for us. However, we encountered an issue particularly relevant for schools; instead of one application we now need two: SIEM and GREYCORTEX.
CONCLUDING REMARKS
What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what next the producer will come up with.
Doc. Ing. Jaroslav Dočkal, CSc.
Graduate of VDU Martin and VAAZ, currently the vice-dean of science and creative development at Karel Engliš College. He gives lectures at Masaryk University and University of Defence. He’ is also a lecturer at Cisco Academy, a tutor of HP and a member of DSM magazine editorial board.
GREYCORTEX RELEASES MENDEL 2.9
GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL; Version 2.9.0. This version includes several new important features: the first is the Flow Exporter, which gives you the possibility to export flows from MENDEL to your SIEM solution. The second important feature is the ability to execute script commands to other devices e.g. a firewall systems in order to block communications. SCADA network protocols Modbus and DNP3 L7 visibility have also been added, as has the ability to audit commands executed from ssh connections.
New Features
- Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This allows you to have the same data detail of a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
- Added ability to execute and send scripts, e.g. to a firewall – which means you can identify and stop incoming malware at the firewall, without ever leaving MENDEL.
- Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for the industrial control systems. GREYCORTEX takes its next steps into protecting not just “traditional” networks, but also SCADA systems as well with these protocols.
- Added SSH auditing (turn on the SSH audit signature in status monitor signatures)
- Added possibility to filter by group of entities (subnet, host, mac, user) to extend filtering options using comma “,”, e.g. src:172.16.9.20,172.16.9.21 & dst:1.2.3.4 which shows communication between source IPs 172.16.9.20 or 172.16.9.21 and destination IP 8.8.8.8. In a nutshell: much more efficient filtering capabilities are now yours. Identify communication from not just one source and destination, but several hosts to a single destination, so complicated attacks are now clear.
- MENDEL is powerful and detailed, but now it works just as well for the T1 Security Analyst. New installations and newly created users will see new default dashboards with Overview, Performance, and Security tabs included, for ease of use by everyone.
Improvements
Several different features of MENDEL were improved. These included improvements to the installation and update process, optimization of flows, and detection features – including the ability to choose your favorite IDS ruleset, or better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.
GREYCORTEX MENDEL DETECTS BADRABBIT
GREYCORTEX is happy to report that it is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries including South Korea, Poland, the Baltic, and regions. It uses an NSA-based exploit known as “EternalRomance” to enter networks and spreads by SMB port.
MENDEL is able to detect this ransomware in two different ways:
- MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
- Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.
This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.
MENDEL 2.8 RELEASED
We are happy to announce the latest version of GREYCORTEX MENDEL. Version 2.8 includes three new important features: the first is the Event Collector. Released as part of v2.7 (a limited release), the Event Collector offers the opportunity to centrally monitor events from several remote GREYCORTEX MENDEL collectors. The second major new feature is the Correlation Engine. This tool correlates individual, less-serious events – which together may be indicative of attacks within the network, to more effectively alert security analysts. Finally, MENDEL 2.8 includes proxy pairing functionality which identifies source or destination addresses hidden by proxy servers, which will allow security analysts to better identify potential issues on the network and provide even greater visibility.
New Features
- Added a beta version of the Correlation Engine, including seven tuned rules which further increase security (The feature may be turned on by going to Settings->System Components)
- Added a proxy pairing feature to display source or destination addresses hidden by a proxy server
Improvements
- Optimized the display of charts and tables in the Network module
- Added information about the type of key exchange algorithms in HTTPS and TLS flows
- Improved the calculation of flow metrics to show values valid for specific parts
Bug Fixes
- Fixed issues with disabling deep packet inspection and enabling rules in IDS
- Fixed an issue with updates to older installations
- Fixed issues with MS-SQL protocol parsing at higher speeds
- Fixed an issue with displaying current values on the Network Services tab
- Fixed an issue with displaying multiple VLAN IDs in a single flow
- Fixed issues with parsing SMB flows
- Fixed issues with editing export definitions
- Fixed an issue with pagination results in the Peers graph
- Fixed issues with restarting services
- Fixed an issue with filtering by protocol type
- Fixed an issue with deleting user-defined filters
- Fixed an issue with saving user-created or user-defined filters
- Fixed an issue with displaying VLAN statistics in the Analysis module
- Fixed an issue with exporting records in CEF and Syslog formats
- Fixed an issue with long hostnames
- Fixed issues with calculating the minimum and maximum duration of flows
- Fixed link formatting in Exports
- Fixed an issue with displaying ASN names in flows
- Fixed an issue with displaying host information in the Analysis module
- Fixed the calculation of RTT and ART metrics in long term flows with unfinished communication
- Fixed an issue with the validation of row counts in Column Manager