Passive Network Monitoring

Preventing & Detecting Malware: A Multifaceted Approach

by Paul Asadoorian on April 5, 2011

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

"Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center." From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses them to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack; however, the "LizaMoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to note about the infection numbers is that "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

by Paul Asadoorian on March 3, 2011

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle. If your web site looks like the above image, you may have been compromised. Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:

Analyzing the Compromise - without Going Hungry

by Paul Davis on February 21, 2011

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations? Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Tenable Receives Passive Network Monitoring Patent

by Ron Gula on September 1, 2010

Tenable Network Security recently received a patent for monitoring network traffic and analyzing it to perform discovery of systems, applications and vulnerabilities. This is the core function of Tenable's Passive Vulnerability Scanner and also a core component of our Unified Security Monitoring strategy.

Detecting ALL of Your Websites Passively and Continuously

by Ron Gula on July 19, 2010

Web application auditing is really difficult if you don’t know about the presence of a website or specific application. You may not know about a web server. You may not know what applications run on that single web server. You may even have malicious websites installed on your network by malware or Trojans. Nessus is great for scanning and finding web servers, even on uncommon ports, but you need to scan often to get the most benefit. Fortunately, Tenable’s Passive Vulnerability Scanner (PVS) can discover new web servers and all of their active web sites in real-time and without any impact to your network. This blog discusses how the PVS can be used to audit networks to find all authorized and malicious websites in use.

PVS 3.2 Released – Enhanced vulnerability discovery, real-time forensics and file share and database activity monitoring

by Ron Gula on April 21, 2010

Tenable Network Security is proud to announce the release of version 3.2 of the Passive Vulnerability Scanner (PVS). This product is a network sniffer that scans for real-time vulnerability data and transmits it to Tenable’s Security Center management console, along with real-time user and forensic activity transmitted to Tenable’s Log Correlation Engine (LCE). This blog entry describes many of the new features and enhancements in this release.

Airport Security: Don't Make The Same Mistakes

by Paul Asadoorian on January 7, 2010

Airport "Security"

Those of us who travel through any U.S. airport are used to the inconvenience of airport security - the long lines, metal detectors, having to take off your shoes, belts, earrings, and of course the ominous "liquids and gels" inspection. While most people accept these inconveniences as an unfortunate necessity, much of what has been implemented shares some of the common pitfalls found in many computer and network security programs. Using the U.S. airport security model as an example, let’s take a look at some of the security being implemented and relate it to security gone wrong in the enterprise:

Throwing Technology at the Problem - Airports are equipped with some of the latest technology to provide security, such as full body scanners and x-ray machines, yet breaches still happen. Most of us who have served in a security role in an organization are all too familiar with this problem. The typical knee-jerk reaction from management to a security problem is to buy a product, such as a firewall, and install it on the network. Technology is important, but the process and people that surround it are what really make it work. Training people to administer the firewall, and other security measures, to ensure they are being used properly is the key to success. Policy also needs to exist and be enforced, allowing businesses to operate securely. The dreaded long lines at airport security are a by-product of the current security model at U.S. airports.

Defeating Zombies: Five Ways To Improve Defenses

by Paul Asadoorian on October 30, 2009

Defeating Zombies

Attackers have a number of avenues leading directly into your network, and more importantly, into your data. Each week I read about new data losses, phishing scams and the release of hundreds of new vulnerabilities and exploits. Organizations are employing a rear guard action that is not necessarily tuned to today's attack techniques. Tried and true defensive measures such as firewalls, anti-virus software and Intrusion Detection Systems provide "operational security", but even if this is running flawlessly, it is typically not enough. Security programs need to evolve with the latest attack trends and Internet technologies. A great blog post by Tim Mugherini titled "Don't be the Smelly Kid" sums this up nicely. It describes a shift from attackers targeting network services toward attacking web applications and client software. These new methods require updated education for management and the implementation of new and different security projects to protect your infrastructure. Considering Halloween is around the corner, your security strategy can be compared to the situations in typical horror movies. When the defenseless victims are under attack from whatever threat is posed (zombies, Jason, Freddy, Michael Myers, etc.), they often make common mistakes such as taking all of the furniture in the room and piling it in front of the door while leaving the windows unsecured. Shooting zombies anywhere other than the head is another good example (those who have read "The Zombie Survival Guide: Complete Protection from the Living Dead" know that the only way to destroy a zombie is to destroy the brain!).

Analyzing Network Metadata

by Paul Asadoorian on October 1, 2009

When analyzing network traffic, it’s typically less important to look at the contents of the packets than at the information about them: where they are going and how they got there. This “network metadata” (often referred to as NetFlow data) can reveal interesting information about your network and often uncovers misconfigurations, policy abuses and security incidents. I relate it to the movie "The Matrix". In the movie there is a scene where the characters are looking at computer screens displaying “the matrix”. Those who are not accustomed to looking at the matrix will not see "The Blonde" or the "Brunette", but will just see a bunch of green characters. What do you see?

Passively Detecting SQL Injection

by Paul Asadoorian on June 8, 2009

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. These flaws can be difficult to detect and validate, and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSNs, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother's maiden name and more.