Event Monitoring

Enhanced Botnet Detection with Nessus

by Ron Gula on March 22, 2012

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.

New SCADA Plugins for Nessus and Tenable PVS

by Paul Asadoorian on January 31, 2012

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. These special-purpose systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins was released for Nessus (covering devices from Movicon, 7-Technologies, and more). Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security, held on January 19, 2012.

Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security. Below is a sample of some of the new SCADA plugins:

Security, Log Management & Burying Stumps

by Paul Asadoorian on July 25, 2011

Burying Stumps

Recently I've been planning and executing a plan to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it’s 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.

Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

by Paul Asadoorian on March 3, 2011

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle. If your web site looks like the above image, you may have been compromised. Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:

Analyzing the Compromise - without Going Hungry

by Paul Davis on February 21, 2011

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations? Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Log Correlation Engine 3.6 – Now with its own GUI

by Ron Gula on January 5, 2011

Tenable Network Security has released version 3.6 of the Log Correlation Engine. This new version includes many performance enhancements as well as its own web-based user interface. This blog entry describes the new user interface, the increased performance and the new features of LCE 3.6.

Risky Business #173 Interview with Ron Gula - Process Accounting and El Jefe

by Ron Gula on October 25, 2010

I was interviewed for episode #173 of the Risky Business information security podcast. The previous Risky Business episode, which discussed the recent release of the open source El Jefe project by Immunity Inc., focused on how process execution tracking for Windows can be a great source of security data - especially compared to raw network traces. During my interview with Patrick Gray, we covered how many SIEMs already have this sort of capability, but most SIEM users don't enable these features because they are complex. I also covered how Tenable's Log Correlation Engine can collect logs from...

Making Penetration Testers Lives Awful

by Paul Asadoorian on September 9, 2010

Awful, awful, awful... Magic!

It was my wife’s turn to choose a movie the other night, which means there were no kung fu fight scenes, sword fights or car chases. Instead, there was a scene that depicted a father-to-be talking to a father of three children. The father with three children was explaining to the father-to-be what parenthood was really like and stated: "Parenthood is awful... awful… awful... but then there is this magical moment that makes it all worth it… then awful... awful... awful and repeat". Parents reading this, especially ones with small children, are probably laughing. However, I thought that the "awful, awful, awful, magic!" analogy also very accurately described penetration testing. I have a similar reaction both on Christmas morning and when I successfully compromise a system on a penetration test.

Cyberdawn - A Diverse Cyber Exercise - Part II

by Paul Asadoorian on October 9, 2009

Passwords are just so easy to abuse...

It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.

Hacker "ftp" at work, winning the game using built-in tools such as bash, python and SSH.