Perception Cyber

Perception praised in Network Computing Magazine's review

Perception Cyber Security was the latest product to be reviewed in Network Computing Magazine this month. The magazine is the UK's longest established magazine dedicated to network management, and regularly investigates new and innovative products in the network security space. You can read the full review here.


The review concedes that whilst complete network visibility would be ideal, the mess of data it creates is a curse rather than a blessing. Perception, of course, is designed to declutter this mess automatically, providing the user with actionable intelligence they can use, rather than an overwhelming pool of data they will be forced to ignore.

The reviewer notes the “impressive scope” of Perception, being able to accurately and reliably pick up on the presence of malicious actors, as well as subtle indicators that might show weaknesses in the network before they are exploited.

Also noted by the article is the forensic capability of Perception, describing it as a must for risk mitigation. This feature, “helps by concatenating otherwise isolated events. It could, for example, conclusively prove how a lost laptop was ultimately the source of attack.” It is key features like this that really demonstrate the overall value in Perception, and the benefit that can be gained from complete network visibility.

The article concludes that the mindset that Perception encourages is a requirement for organisations that are ready to engage with the cyber war, “that has only just started”. The final line is particularly glowing, noting (quite rightly) that most cyber attacks are merely grabbing low-hanging fruit, and that Perception, “moves the network away from this category and beyond”.

The full review contains impressive insights into the benefits of proactive security, and is definitely worth a read if you have the time.

Perception Update - Version 2.5.9

Version 2.5.9 adds a number of new features to Perception, including improvements to security, system performance and usability.


To start, Perception now supports communicating over HTTPS with the UI, and allows the import of certificates.  Although communication over a secure VPN was already fully encrypted, the addition of standard web-security measures increases the security of the system as a whole.

Performance is always a priority for us at Perception, and in this update we continue to improve system performance.  We’ve changed the way our databases are structured, which means queries run faster and less disk space is required. We’ve also squashed a bug where very large databases were causing system performance issues.  Likewise, the cache of SMB data was causing some sensors to use too much memory; this has been resolved with no effect on the detection performance of SMB-based behavioural identification.

Self-managed users will also benefit from the latest improvements to the user interface, including a number of smaller fixes that should improve usability.  You can now delete swimlanes in KnowledgeBase if they are no longer needed, and some ForensicAI alerts have been provided with more detailed microcontrol information, meaning the alert can be triaged better without even opening the alert at all.

 

A full list of updates is below:

  • Added support for HTTPS connections to the UI including certificate import.

  • Significantly enhanced database format giving improvements in query performance and disk space requirements.

  • Fixes for database performance issues when accessing very large databases.

  • Added ability to delete swimlanes from KnowledgeBase Incident Builder.

  • Improvements to SMB memory use to address issues with overloaded sensors.

  • Various UI fixes and improvements.

  • Enhancements to ForensicAI Alerts to give more detailed Microcontrol information and more accurate scoring.

  • Fix for Exceptions not matching on hostnames correctly.

 

This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Version 2.5.7

A number of features have been improved in version 2.5.7, including small changes to the KnowledgeBase feature.  


You can now annotate each event in KnowledgeBase so it’s clear what each connection means without just relying on the automatically generated metadata. We’ve also listened to your feedback and changed the way the column headers display so they look a little bit clearer.  Two more useful changes in KnowledgeBase include a reordering of events based on sample time, so they should be in a more intuitive order, and indicators for the direction of the connection too, so you can see which host initiated each connection.

There are also some bug fixes and user enhancements, including refining the behaviours introduced in version 2.5.3, fixing issues with rendering some ForensicAI alerts, and protecting system stability with disk capacity protection.

 

A full list of updates is below:

  • Added support for text-based annotations to be included against KnowledgeBase events. This enables the user to add free text notes describing each event.

  • Fixed header position in KnowledgeBase swimlane diagram.

  • KnowledgeBase events now show direction of connection in swimlane diagram.

  • Updated KnowledgeBase to use sample time when ordering events in swimlane diagram.

  • Fix issue where behaviours were not loaded under HLC if the number of these exceeded a certain limit.

  • Added disk capacity protection to address issue seen on busier systems.

  • Enhanced metadata included in Host Activity classifier.

  • Added ability to apply exceptions to Host Activity classifier.

  • Added an ability to purge all data from CCS and sensor should equipment need to be re-deployed or have all prior data removed.

 

This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

Perception Update - Version 2.5.3

Huge steps forward have been taken in version 2.5.3 of Perception, including the long-awaited open Beta of the KnowledgeBase function, and several new hugely powerful behavioural identification techniques.


KnowledgeBase sits at the top menu bar alongside ForensicAI and is a function that allows the user to dive deep into a full record of every connection that’s happened on the network. This has been trialled extensively and has quickly become one of the analyst’s favourite features, as it allows them to quickly confirm a suspicion by searching for specific connections made using its great filtering capability.  KnowledgeBase is now open to all users, and will continue to be developed over the coming months.

New behavioural logics have also been developed to identify specific behaviours at play on the network. The Suspected New Host Online behaviour has the capability to detect hosts not seen before on the network. This behaviour can be indicative of a planned system installation or an unauthorised device being connected to the network. This enables security teams to quickly identify the introduction of potentially vulnerable devices to the network.  This information may then be correlated with subsequent suspicious behaviour in the event that the newly introduced device presents a threat to the network.

The New Service Activity Detected behaviour identifies when a host starts a new service, resulting in network activity on a previously closed port.  Under normal operation a given host runs a particular set of services, so a newly started service typically shows up as traffic on a port that was previously closed.  This can indicate a new application being installed on a host or an existing application suddenly going live; the new service or port may be the result of a planned configuration change, a configuration error, or an unauthorised application or user modification.  This activity is of interest to a security team that expects a defined set of services to be running on a given machine: the resulting network activity may be benign, or it may indicate malicious software now running on the host without the user’s knowledge.

Finally, the Loss of Service Activity Detected behaviour detects when a host ceases to run a service. This can indicate a system or hardware failure or a planned outage, and it helps security teams identify potential issues in the network, in particular where a failed service is related to a security incident.
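The three behaviours above all reduce to comparing a learned baseline against the latest observation window. The following is an added example, not Perception’s own code, that shows the comparison in its simplest form: a flow record with client, server and port fields, a baseline period and a single window are all assumptions constructed for illustration, as are the sample hosts.

```python
"""Constructed example, not Perception's own code: baseline-versus-window
checks mirroring the three behaviours described above. Flow fields, the
sample hosts and the one-window comparison are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection: which host initiated it and which host
    accepted it, on which port. A sensor would derive this from traffic."""
    client: str
    server: str
    port: int


def service_map(flows):
    """Map every host seen to the set of ports on which it accepted connections.
    Hosts that only ever acted as clients are recorded with an empty set, so
    they still count as 'online' for the new-host check."""
    services = defaultdict(set)
    for f in flows:
        services[f.server].add(f.port)
        services.setdefault(f.client, set())
    return services


def classify(baseline_flows, window_flows):
    """Compare a learned baseline against the latest observation window and
    return (behaviour, host, port-or-None) tuples."""
    base = service_map(baseline_flows)
    now = service_map(window_flows)
    alerts = []

    # Suspected New Host Online: a host that never appeared in the baseline.
    for host in sorted(now):
        if host not in base:
            alerts.append(("Suspected New Host Online", host, None))

    # New Service Activity Detected: a known host accepting on a port that was
    # closed throughout the baseline period.
    for host, ports in sorted(now.items()):
        if host in base:
            for port in sorted(ports - base[host]):
                alerts.append(("New Service Activity Detected", host, port))

    # Loss of Service Activity Detected: a baseline service with no traffic in
    # the window. It is only raised for hosts that were otherwise active, which
    # separates a dead service from a host that is simply switched off.
    for host, ports in sorted(base.items()):
        if host in now:
            for port in sorted(ports - now[host]):
                alerts.append(("Loss of Service Activity Detected", host, port))
    return alerts


# Constructed traffic: a file server (.5) offering SMB and LDAP, a web server (.7)
# and two workstations. In the window .5 has stopped serving LDAP, .7 has opened
# 8080, and an unknown host .99 has appeared.
BASELINE_FLOWS = [
    Flow("10.0.0.20", "10.0.0.5", 445),
    Flow("10.0.0.21", "10.0.0.5", 445),
    Flow("10.0.0.20", "10.0.0.5", 389),
    Flow("10.0.0.21", "10.0.0.7", 80),
]
WINDOW_FLOWS = [
    Flow("10.0.0.20", "10.0.0.5", 445),
    Flow("10.0.0.21", "10.0.0.5", 445),
    Flow("10.0.0.21", "10.0.0.7", 80),
    Flow("10.0.0.20", "10.0.0.7", 8080),
    Flow("10.0.0.99", "10.0.0.5", 445),
]


def demo():
    return classify(BASELINE_FLOWS, WINDOW_FLOWS)


if __name__ == "__main__":
    for behaviour, host, port in demo():
        print(f"{behaviour}: {host}" + (f" port {port}" if port else ""))
```

On the constructed data this raises exactly one alert of each kind: a new host at 10.0.0.99, a new service on 10.0.0.7 port 8080, and a lost service on 10.0.0.5 port 389. In practice the baseline is learnt over days rather than a single period, and the loss check should be gated on a minimum number of baseline observations, otherwise a service that was only ever seen once will generate an alert the first quiet window it has.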

 

A full list of updates is below:

  • Introduction of KnowledgeBase (beta). This is a new tool available on Perception to enable users to perform in depth analysis on host statistics collected by the system. Data selection can be achieved through filtering and grouping where filtering options are by time, by sensor and by grammar-based metadata selection. The result of the selections can be plotted on a timeline diagram for reporting and review purposes.

  • Three new behavioural classifiers have been added to the system. These are: Suspected New Host Online, New Service Activity Detected and Loss of Service Activity Detected.

  • Improved loading time of behaviours and Forensic AI views.

 

This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

INTERNET OF THINGS - ARE YOU VULNERABLE?

OVERVIEW

One of the latest trends to hit the cyber security landscape is that of the Internet-of-Things (IoT) device. We take a look at what IoT really means, why it matters to us, and what can be done to protect against the new threat that it presents. 


WHAT IS IOT, WHY DO I CARE?

In short, IoT refers to the many different types of ‘Smart’ devices that surround us in our daily lives. Figuratively, ‘smart’ means they are likely to be innovative and somehow make our lives easier than they were with the incumbent ‘dumb’ devices. Literally, ‘smart’ means the device has a computer in it.  Typical IoT devices that we are likely to see in our daily lives are:

  • Home Automation Systems - such as Wireless Thermostats and Intelligent Light bulbs

  • Wearable Devices - Wearable Devices such as watches and health monitors

  • Internet Connected Electronics - Smart TVs, speakers, and virtual assistants like Amazon’s Alexa.

What these devices all have in common is that they all need to use software written by humans, and since to err is human, this means that they will have vulnerabilities that can be exploited. Further, to make the situation even more problematic, these devices are connected to the internet, don’t have the capacity to run anti-virus software, and function, rather than security, is the priority in their development. This means that these devices usually offer a better opportunity for malicious actors to exploit the device and get a foothold into your private world.  Additionally, IoT devices are often not centrally managed and/or monitored, which often means that software security updates are rarely applied - that is of course if they are made available at all by the vendors.


“Connected devices will have vulnerabilities that can be exploited”

DO I HAVE ANY IOT DEVICES IN MY BUSINESS?

There are billions of IoT devices that are assisting businesses in doing their day to day activities. Many businesses are embracing the new opportunities that these devices bring; for example, road haulage companies can use IoT to track drivers’ locations and reduce insurance premiums. Other companies are utilising IoT devices in the domain of Building Management Systems, which includes control of heating/ventilation, and site security (video cameras and door access systems for example). There is also a plethora of devices that you may not think are Smart devices that exist within the enterprise. For example, video projectors and TVs often have a network connection that could provide a malicious actor with the perfect backdoor and pivot point to move around your network environment.


“There are a plethora of devices you may not realise are ‘smart’ in the enterprise”

AN IOT ATTACK SCENARIO

It is useful to outline a typical attack vector to demonstrate the vulnerabilities that exist within many businesses as a result of their IoT devices. For some background, most modern meeting rooms either have a high-end projector or a TV to enable the traditional PowerPoint presentations to be shown in all their glory. As such, companies have been moving to using high-end consumer devices so their 60 inch displays and vibrant colours will wow customers and colleagues alike. However, many of these high-end devices are ‘Smart’ TVs whose software was developed to allow home users to stream video from the internet or catch up on the latest box sets. This means that they are running a full operating system that has been developed with consumer features in mind, and enterprise security is a secondary concern.

In this scenario, let’s imagine that a smart TV has been installed in a board room for a year now and it has been disconnected from the internet. Within the last few weeks the TV has been showing on the display that the on-board software is out of date and it urgently needs an update to improve security. Helpfully a member of staff has realised that this message was getting on the nerves of the presenters and thought the easiest way to solve the issue is to plug the TV in to the spare network connection that is sitting right beside the TV. This in itself is not an issue as of course patching to the latest software is a great security feature, or is it? 


“Plugging the smart TV into the network allowed it to install important security updates”

Behind the scenes the Smart TV now happily goes off to the internet and downloads a new software update that enables a new feature of the device: voice recognition, to enable hands-free control of the TV. Voice recognition works by sending a stream of audio from the microphone on the TV to the internet (typically a server that is geographically distant from where the TV is located), where the number crunching for the recognition is actually done, and the results are streamed back to the TV to decide on what operation to perform (change channel, volume up/down etc). Interestingly, this loss of control of data may be considered a breach (under GDPR for example) depending on the data, its classification and the regulations a company may need to comply with.

In effect what you now have is a spy in the board room. Every conversation in that room is now streamed to another company, potentially in another country, for detailed analysis: a great way to lose important intellectual property or business confidential information. Nor does the risk diminish over time, as there is now also the potential for malicious software to identify this device, exploit any vulnerabilities that are present and then pivot into the connected network, opening up a whole other set of risks.

This scenario outlines just a single case of how the advent of smart devices can open up a new attack vector within your business and additionally how hard it is to prevent this sort of threat being realised.  Before you think, “that will never happen to us,” we’ve seen this happen on more than one occasion.

HOW TO PROTECT YOUR BUSINESS AGAINST THE IOT ATTACK VECTOR

Whilst we cannot cover all of the different IoT attack vectors (there are likely to be thousands) there are some steps that your business can take to reduce the risks associated with the rise of IoT devices.

Here are our top five things to think about when you are looking at protecting yourself from the IoT based threats:

  1.   Know what devices you have in your business – at the end of the day you cannot protect what you do not understand. This means that you should be keeping an Asset Register/Inventory and network diagram of all devices in your company so you can look for vulnerable devices and weaknesses that present themselves.

  2. Training and Policy Definition – work with your team to recognise where the risks of smart devices lie. Specifically, tell users to check with IT before connecting new devices to networks or using company credentials to create accounts on IoT portals. Users should be trained and policies should be in place to stop unauthorised connection of devices to the network.

  3. Invest in understanding your network and protecting it – a simple penetration test on the inside of your network can tell you a lot about what IoT devices you have, but a point-in-time test is fairly limited. Really you want to be monitoring the network continuously for new devices and unusual device behaviour, so you can assess the risk quickly and mitigate where necessary.

  4. Isolation of devices – design security in from the outset. Talk to your own departments and also subcontractors about whether they need to use smart devices and if so how they manage the security of the devices. Consider implementing network segmentation and multi-layered network protection, ideally by investing in a separate network that is dedicated to these types of device where they can be easily monitored and contained if required.

  5. Create policies that can be adhered to - don’t just ban IoT devices! The prevalence of IoT will mean that you will encounter them at some point and if you have not thought about risk mitigation then you will have an unpleasant surprise. Create some simple guidelines that users can follow to assist them in adding and managing IoT devices on the network.

While not an exhaustive list, these simple points can significantly assist you in identifying and protecting yourself against new and emerging threats.


IoT Devices need to be embraced, that way they can be managed. Managing the implementation of IoT devices securely from the outset can save a lot of headaches down the line.

THE FUTURE OF IOT AND SECURITY OF CONNECTED DEVICES

Predicting the future is difficult, however some common near-term trends in IoT are:

  • Automation – devices interacting with each other to provide autonomous services. For example, your car will tell your home heating to turn up when the driver is close to home and has the car’s heating on high. These features are likely to be enabled out of the box, so it will be important to know what communications devices will carry out automatically before bringing them into a network.

  • Smaller and smarter – devices are likely to get smaller and more disposable and existing devices will become more powerful. Networks of devices will ‘mesh’ to provide more advanced computing power.  This will likely mean devices will become harder to track, and harder to discover on a network.

  • More vulnerabilities and exploits – as the complexity and prevalence of IoT devices increase, so will the ability to exploit the devices. As devices become more prevalent, this in turn will incentivise hackers to create more targeted malware to take advantage of this new generation of exploitable computers.

Innovate UK Turn to Perception for Their Essential Tips for Cyber Security

Innovate UK, the UK Government’s innovation agency, have curated a list of essential tips for cyber security for small businesses.


Innovate UK work with people, companies, and partner organisations to find and drive the science and technology innovations that will grow the UK economy.  Over the last 11 years they have invested £1.5 billion in innovation, working to determine which science and technology developments will drive future economic growth.  Alongside this investment work, they work closely with innovative companies to advise on how to improve their business.  With the growing threat of cyber-crime and intellectual property theft, the organisation decided to create a short list of easy-to-follow guidance on how small businesses can protect themselves from this threat.

To create their shortlist, Innovate UK contacted the cyber industry, thought leaders, and heads of digital risk.  After this process, they developed 4 key points for innovative companies to adhere to in order to improve their security:

  • Identify all possible threats
  • Make cyber security a business priority
  • Leverage existing schemes
  • Assume you’ll be hacked

Along with an in-depth article, which can be read here they created a short form animated video that’s simple to understand without requiring a detailed understanding of the cyber threat.

Perception’s team lead, Dan Driver, was contacted by Innovate UK in the preparation of developing this advice and was quoted in the explanation of the second point, “make cyber security a business priority.”

The point in question recommends that action is taken in advance of any attack: simple steps can be taken to reduce the chance of an attack taking place, or of data mistakenly leaving a network.  Furthermore, this proactive approach to network security can reduce the impact in the unlikely event that an incident does occur.

In the article, Driver said, “Don't wait for an incident to occur, act now to protect the network and assets within it.  Failure to do so can have significant impacts financially and impact the reputation of an organisation to a degree which they may not recover from.”

Both the article and the video are well worth a look and the advice, although seemingly basic, can go a long way to protecting a network.  Perception itself helps organisations move to a more secure and proactive network security model by informing the user not only of in progress attacks, but also points of weakness and poor internal user behaviour, to minimise the risks at their source.

Perception Update - Version 2.5.2

Multiple improvements have been made to Perception in version 2.5.2, from increasing system performance to more advanced detection techniques.


The largest improvement is largely invisible, but makes the system configurable so that processing limits can be applied to traffic received from the network. This increases the stability of the system as a whole, as it protects against bursts of network traffic overwhelming a sensor.  There have been more under-the-hood changes too, as we have also upgraded the underlying operating system to the latest version.
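A processing limit of this kind is usually a token bucket: steady traffic passes untouched, a short burst is absorbed up to a fixed depth, and anything beyond that is shed rather than queued until the sensor falls over. The following is an added example written for this page, not Perception’s own limiter or configuration; the rate, burst depth and packet arrival pattern are assumptions constructed for illustration.

```python
"""Constructed example, not Perception's own code: a token-bucket processing
limit applied to packet arrival times, showing that a burst is shed while
steady traffic before and after it is untouched. Rate, burst depth and the
arrival pattern are assumptions for illustration."""


class TokenBucket:
    """Allow up to `rate` packets per second sustained, with bursts of up to
    `burst` packets absorbed from a full bucket."""

    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)
        self.capacity = int(burst)
        self.tokens = float(burst)   # start full
        self.last = 0.0
        self.accepted = 0
        self.dropped = 0

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed since the last packet, then spend one
        token if available. Returns False when the packet should be shed."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.accepted += 1
            return True
        self.dropped += 1
        return False


def apply_limit(timestamps, rate, burst):
    """Run a sequence of arrival times (seconds) through the limit and return
    (accepted, dropped). The dropped count is the sensor's blind spot and is
    worth alerting on in its own right."""
    bucket = TokenBucket(rate, burst)
    for t in timestamps:
        bucket.allow(t)
    return bucket.accepted, bucket.dropped


# Constructed arrival pattern: one second of steady traffic at 50 pkt/s, then
# a 1000-packet burst squeezed into 10 ms, then steady traffic again.
STEADY_1 = [i / 50 for i in range(50)]            # 0.00 .. 0.98 s
BURST = [1.0 + i / 100000 for i in range(1000)]   # 1.000 .. 1.00999 s
STEADY_2 = [2.0 + i / 50 for i in range(50)]      # 2.00 .. 2.98 s
PACKETS = STEADY_1 + BURST + STEADY_2


def demo():
    # 100 pkt/s sustained, 200-packet burst depth: the bucket absorbs the first
    # 200 packets of the burst and sheds the remaining 800; every steady packet
    # on either side of the burst is accepted.
    return apply_limit(PACKETS, rate=100, burst=200)


if __name__ == "__main__":
    accepted, dropped = demo()
    print(f"accepted={accepted} dropped={dropped}")
```

The important operational point is the second number: shed packets are traffic the sensor never analysed, so a limit that is tuned too low quietly turns a stability feature into a detection gap. Record the drop counter and treat a sustained non-zero value as a capacity problem to investigate, not as noise.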

More user facing changes include updates to some ForensicAI alerts to include scoring and suppression, further increasing confidence of a detection all while reducing any false alerts. This is part of ongoing work to bring all ForensicAI capability up to the same standard. 

 

A full list of updates is below:

  • Patch release to address issue with Nginx package install.
  • Added configuration options to allow processing limits to be applied to traffic received from the network.
  • Improved log file management.
  • Patch release to address installation issues observed during upgrade from previous operating system.
  • System fully upgraded to run on latest version of operating system.
  • Updates to lateral and egress HLCs to include scores and suppression.
  • Addition to ransomware extension list.

 

This update will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own systems using the software upgrade processes.  If you have any further questions about this upgrade please contact us at info@perceptioncybersecurity.com

There’s a good chance you or someone you know has mined cryptocurrency, and you may not have even been aware of it.

There are thousands of Cryptocurrencies around today, following in the footsteps of the hugely successful Bitcoin, but they have really risen to prominence over the last 5 years.  Cryptocurrencies are, with few exceptions, decentralised digital currencies that don’t rely on a central administrator, where transactions take place directly between users.  Their prospect of being a worldwide currency with freedom of exchange and no control from governments or banks has made them massively popular as they are theoretically immune from the instability of fractional reserve banking.

Bitcoin, the largest and most popular cryptocurrency has rapidly grown in value over the last few years, making mining more and more popular


Proof-of-work cryptocurrencies generally all function in the same way: a finite number of coins are ‘mined’ by computers solving computationally expensive hash puzzles, and the network raises the difficulty of those puzzles as more computing power joins in, so that new coins keep arriving at a fixed rate.  As a result, most mature cryptocurrencies like Bitcoin, Ethereum and Litecoin take an enormous amount of computing power to mine new coins (Ripple, by contrast, is not mined at all).  For a typical person attempting to make money by creating new coins using a home PC, the cost of power is far greater than the value of coins created.  However, free sustainable energy powering advanced graphics cards or custom-built ASICs can make this a profitable activity.

Which brings us onto the first example of mining cryptocurrencies you may have carried out.

Mining cryptocurrencies with proper authorisation.

There are a number of businesses that mine cryptocurrencies on an industrial scale, using custom built hardware and cheap or free energy.  They could try to find the most economical way of mining coins for profit in established cryptocurrencies, or they may be speculating and looking at the new and latest cryptocurrencies being released and estimating which ones will grow, and mine those while they are computationally cheap.

It’s not just dedicated businesses that do this; anyone can mine any cryptocurrency.  A single user may look to become part of a mining pool, where hundreds or thousands of different users share the computational effort of mining, and then share the spoils when the pool finds a new block.  They could even single-handedly try to find a way to mine coins using power cheap enough that it’s profitable without the help of a mining pool.  Which brings us onto the next method of mining cryptocurrency that you may have encountered (but hopefully not).

Mining cryptocurrencies without proper authorisation.

Another way of reducing the personal cost of mining is to use power that you do not pay for.  This makes it free for the user in the most unethical sense of the word.

When Bitcoin first grew quickly in late 2013, it caught the eye of a large number of speculative miners.  In November 2013 one Bitcoin was worth $200, within a month it had surged to over $1000.  This was the start of a large amount of mining, as people scrabbled to find cheap ways to mine Bitcoin fast (incidentally this rush reduced the price, it didn’t return to $1000 until another large spike in early 2017).

It was at this time that people started using hardware or power they didn’t own to mine Bitcoin.  This is at best unethical and at worst illegal.  Last year Vladimir Ilyayev, a computer-systems manager for the New York City Department of Education, was fined for using his work computer to mine Bitcoins in 2014.  Users with access to large cloud computing platforms have also been using spare computational resources to do the same.  Even here at Perception we see cryptocurrency mining on corporate networks that should have nothing to do with cryptocurrencies or even finance.

In these cases cryptocurrency mining is a policy violation on the network, but since early last year the growth in outright malicious use of mining has been massive.

There are a large number of cryptocurrencies available today, and people have used machines they don't own to mine them


Mining cryptocurrencies using malware.

Typically, malicious hackers make their living by holding organisations or individuals to ransom, stealing and selling data, or just buying easily liquidated goods using stolen information.

With the rise of cryptocurrencies however, one fact has opened up a new way for malicious hackers to make money: computational power can be directly exchanged for something of monetary value.  As a result, if hackers can create malware to leverage computing power, they can make money.

Although it had happened in minor cases earlier, this started in earnest in early 2017.  The most common examples use a tool called Coinhive, a JavaScript miner for the Monero cryptocurrency that a website owner can legitimately embed so that visitors’ browsers mine on the site’s behalf, much as a member of a mining pool contributes effort as described above.  What malicious users do is hack into websites, install this script without the owner’s knowledge, and then any visitor to that site will be inadvertently mining cryptocurrency for the attacker.

Multiple websites have fallen victim to this; in October 2017 the BBC reported that websites of schools, charities, and file sharing sites were running the script.  Even the Information Commissioner’s Office (ICO) had their website affected by it in February, somewhat ironically given that they are the bastion of data control in the UK.

As cryptocurrencies gain in value, the use of this type of attack will grow since the rewards become greater: another massive spike in cryptocurrency value in December 2017 (Bitcoin rose to over $20,000 per coin at one point) only increased the number of cryptocurrency mining attacks observed.

But there could be a good reason to use these scripts on websites legitimately.

Mining cryptocurrencies on other users machines with their permission.

The internet is a colossal pool of information and content, but in the majority of cases those who generate the content need to be compensated for their efforts.  Since the birth of websites the way to do this has been via advertising.  However, advertisements on the web have their drawbacks: not only can they be distracting for the user, but they are also a common vector for web-based cyber-attacks (so-called malvertising).  In many cases, ads being served on websites can be used to execute malicious code on the viewer’s machine without their knowledge.  The consequence of these drawbacks has been the rise in use of ad-blocking software in browsers.  Due to the security concerns, many IT teams mandate the use of up-to-date ad-blockers on their organisation’s devices.

So where does the money come from when all the ads are being blocked?  Cryptocurrency mining could, oddly, be the answer.  Websites can ask users that have ad-blockers to run cryptocurrency mining scripts on their machines while they browse as a way to bring in income to the website.  This has been in use for a while by cryptocurrency focussed sites using tools specifically designed for this purpose such as JSEcoin.  In February this year however, the US news website Salon.com implemented a feature where they asked users to either deactivate their adblockers or mine cryptocurrency to access their content.  A site with approximately one million viewers a month can make approximately £75-100 per month using these tools, putting them behind traditional advertising by a factor of between 2 and 10 in terms of profitability, but these tools use lesser known cryptocurrencies such as Monero, and the value could change very rapidly.

US news website Salon.com briefly gave visitors the option to allow Salon to use their machines to mine cryptocurrencies in lieu of seeing advertisements on the site

It’s not just websites that are looking towards mining cryptocurrency with the users' permission.  This month, popular third-party Mac calendar app ‘Calendar 2’ gave users the option to unlock premium features (worth around £15) by allowing the app to mine cryptocurrency.  Unfortunately, the execution didn’t go entirely to plan and the app mined cryptocurrency even when the users opted out.  The developers, Qbix, have since removed this version of the app, but it does give us a look into a possible future where users are selling their unused processing power for software.

So in conclusion, someone on your network may be intentionally mining cryptocurrencies, inadvertently mining cryptocurrencies, or permitting a third party to use their machine to mine cryptocurrencies.  This isn’t likely to stop anytime soon, so it may be worth finding a way to detect when it’s happening.
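One practical way to detect mining, whether intentional, inadvertent or permitted, is to look for the Stratum protocol that mining software uses to talk to a pool: it is JSON-RPC with a small, distinctive set of method names.  The following is an added example written for this post, not Perception's own detection logic.  It assumes the sensor can hand the analyser the first bytes of each TCP session, and the sample payloads, addresses and the "find_mining_hosts" helper are all constructed for illustration.

```python
import json

# Constructed sample of TCP payloads, in the form (source, destination, port, first bytes),
# as a sensor might hand them to an analyser. Addresses are documentation ranges and the
# messages were written for this post; they are not captures from a real network.
SAMPLE_PAYLOADS = [
    # Bitcoin-style Stratum subscribe from a CPU miner (constructed)
    ("10.0.0.12", "203.0.113.5", 3333,
     '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5"]}'),
    # Monero-style Stratum login, the JSON-RPC shape XMRig-compatible miners use (constructed)
    ("10.0.0.40", "203.0.113.9", 4444,
     '{"id":1,"jsonrpc":"2.0","method":"login",'
     '"params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.4"}}'),
    # Ordinary JSON-RPC to an internal service (constructed, benign)
    ("10.0.0.12", "10.0.0.3", 8080, '{"id": 7, "method": "getStatus", "params": []}'),
    # Plain HTTP, not JSON at all (constructed, benign)
    ("10.0.0.15", "10.0.0.3", 80, "GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
]

# Method names used by the two common Stratum dialects. "login" and "submit" are generic
# words, so they are only accepted when the parameters have the shape the Monero dialect uses.
BITCOIN_STRATUM = {"mining.subscribe", "mining.authorize", "mining.submit", "mining.notify"}
MONERO_STRATUM = {"login": ("login", "agent"), "submit": ("job_id", "nonce")}


def classify_payload(payload):
    """Return 'stratum' when the payload parses as a Stratum mining message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:          # includes json.JSONDecodeError
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in BITCOIN_STRATUM:
        return "stratum"
    if method in MONERO_STRATUM:
        params = msg.get("params")
        if isinstance(params, dict) and any(k in params for k in MONERO_STRATUM[method]):
            return "stratum"
    return None


def find_mining_hosts(records):
    """Return {source: [(destination, port, method), ...]} for every Stratum message seen."""
    hits = {}
    for src, dst, port, payload in records:
        if classify_payload(payload) == "stratum":
            method = json.loads(payload)["method"]
            hits.setdefault(src, []).append((dst, port, method))
    return hits


if __name__ == "__main__":
    for host, connections in find_mining_hosts(SAMPLE_PAYLOADS).items():
        print(host, "->", connections)
```

Matching on the message content rather than on the destination port matters: pool ports such as 3333 and 4444 are common but not fixed, and a miner pointed at a pool on port 443 would slip past a port-only rule.  Where the sensor only sees encrypted sessions, the fallback is the behavioural view the post describes, such as a host that keeps a long-lived connection to one external service and whose CPU load rises while it does so.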

Frost & Sullivan Recognises Perception as Most Innovative New Cyber Security Software

Frost & Sullivan has recognised Perception Cyber Security with its 2017 New Product Innovation Award, describing it as a "game-changing cyber security solution."

Perception was originally developed by Chemring Technology Solutions for the UK Ministry of Defence. Complementing existing computer network security systems, such as firewalls, intrusion detection systems, and antivirus software, Perception is a behavioural analysis system with no rigid rules-based architecture.

The award was presented at a banquet in London's Royal Garden Hotel

Dhiraj Badgujar, Analyst at Frost & Sullivan, said: "The increasing complexity of network security is becoming difficult for businesses to manage, leading to mistakes or gaps for attackers to exploit. With its deep learning capability and the ability to adapt based on changing network behaviours, Perception will enable enterprises to identify future advanced threats before they emerge."

The major differentiating factors of Perception are its ability to identify malicious activity without requiring prior knowledge of the threat, as well as alerting the user to potential vulnerabilities so they can be resolved before an attacker exploits them. This makes it more difficult for malware to evade detection and easier for analysts to proactively detect network vulnerabilities and user error.

As well as detecting threats and vulnerabilities as they happen, Perception uses artificial intelligence (AI) to intelligently interlink network events across months, weeks, and minutes, enabling large-volume data pattern analysis. This significantly improves "low and slow" threat detection capabilities, in addition to providing a low false alarm rate. Perception also detects the slow, unauthorised external extraction of information from the network, even when sophisticated obfuscation techniques are used.

Daniel Driver, Head of Perception Cyber Security, said: "Based on declassified work for national security agencies, Perception takes the fight against cybercrime to a new level. An award from the respected international analyst firm Frost & Sullivan gives us an unbiased, third-party stamp of approval. The Perception development team truly deserved to be recognised in this way as it proves to us that we have created something truly unique in identifying advanced cyber threats."

For the New Product Innovation Award, Frost & Sullivan analysts followed a 10-step evaluation process to assess Perception's fit against best practice criteria, focusing on two key factors - New Product Attributes and Customer Impact.

About Frost & Sullivan 

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today's market participants. For more than 50 years, we have been developing growth strategies for the global 1000, emerging businesses, the public sector, and the investment community.

Perception and the Cyber Security Challenge Face to Face, Roke Manor, 7th July 2017

This post was originally created for assessors, organisers, and participants of the challenge.  If you'd like to be sent an electronic copy containing full size images please contact us.

Overview

Roke Manor Research Limited hosted a Cyber Security Challenge event on Friday 7th July 2017 in which a scenario was created for teams of participants to understand the vulnerabilities in a fictional company’s internet-of-things products.  In order to understand the events of the day, the Perception Cyber Security team were asked to deploy a Perception sensor to the challenge network to record all network activity that occurred during the challenge, both live as it happened as well as for later analysis.

The purpose of this document is to describe the activities seen by Perception throughout the course of the challenge, as a way of demonstrating the simplicity and coverage of a Perception deployment.

About Perception

System

Perception is a network security tool designed to give an analyst complete visibility of their network and potential threats that they may face.  Perception was initially designed by Roke Manor Research Limited (Roke) for the Defence Science and Technology Laboratory (Dstl), part of the UK Ministry of Defence (MOD), in order to detect anomalies on a network.  After successfully trialling the prototype systems, Perception was developed into a full product that combines multiple cutting edge technologies with the original anomaly detection system to provide one of the most advanced network security capabilities in the world.

Perception can be broken down into 3 distinct parts:

Data Collection

Using data collection technology initially developed by Roke for Lawful Intercept (LI) purposes for law enforcement agencies, Perception collects and analyses all network traffic at the core of the network at very high speeds.  This ensures the system has the best data pool to work from in order to make logical decisions later on.  Although an analyst is unlikely to pore over this low level information, this information is available to the user for analysis and incident response activities.

Behavioural Classification

By using Roke's expertise in cyber research for national security agencies worldwide, behavioural classifiers were developed that would understand the context of communications passing over the core of the network.  This is done by using a combination of anomaly detection, deep packet inspection, and database querying, rather than a single technology.  Looking at traffic behaviourally, rather than using signatures of known threats, is useful because it allows the system to identify threats without any prior knowledge of how they work.  The user is able to see a complete list of behaviours on the network in order to understand what may be threat like, indicative of misconfigurations, or indicative of vulnerabilities.

Artificial Intelligence

The final part of Perception is an Artificial Intelligence (AI) that constantly looks for correlations between the behaviours being stored on the system.  This AI is constantly being updated to mimic the activities of an analyst, in order to automatically and immediately identify links between multiple behaviours in order to detect vulnerabilities and threats.  This AI vastly reduces the time burden on analysts who would normally have to manually find linked behaviours, and allows Perception to alert with a very high detection rate and an incredibly low false alarm rate.

By combining these key technologies, Perception can rapidly draw a user's attention to indicators of threats, compromise, and vulnerabilities so that network security issues can be addressed before they become a serious problem.  The behavioural nature of the system allows Perception to detect zero-day threats without any prior knowledge of the malware, as well as detecting user error or malicious user behaviour that provide significant detection problems for firewalls and antivirus systems.  The ability for an analyst to identify misconfigurations or vulnerabilities represents a general theme within the network security industry to move towards a more proactive approach to the problem of protecting networks, closing vulnerabilities before they are exploited by an attacker, rather than just responding to threats as they happen. 

Perception sensors are easily deployed, consisting of a 1U rack mounted device.

Perception and the Cyber Security Challenge

The Challenge itself is one of many events set up by the Cyber Security Challenge UK organisation (www.cybersecuritychallenge.org.uk/), a not-for-profit organisation with the aim of bolstering the national pool of cyber skills.  As sponsors of the event, Roke agreed to host this particular event, testing 42 participants from around the UK.  Challengers were selected from a larger group of applicants who successfully completed some pre-event challenges, and none were currently working in the network security industry.

The Roke organisers of the Cyber Security Challenge Face to Face (F2F) event contacted the Perception team to discuss the use of Perception as a solution to be the “all seeing eye”, overseeing the challenge as it took place. With the high volume of hacking activities taking place on the day, it was vital for the assessors to have a tool that could quickly identify and hone in on participants actions.  The assessors were tasked with ensuring the rules of engagement were adhered to and the claimed courses of action could be validated, and Perception was used to carry out this task.

The Perception team were keen to exercise Perception on a network with such a high volume of potentially malicious activity.  They were also interested in better understanding which behaviours would be triggered where Internet of Things (IoT) devices were deployed.  Based on the brief provided by the Cyber Security Challenge team, the Perception team’s main objective was to be able to alert the assessors to any rule breaking as it happened and therefore demonstrate Perception's ability to proactively detect.  In addition to that the Perception team sought to provide detailed post-analysis of events carried out during the day, to provide the assessors with the necessary evidence to back up claims made by the participants.

Differences from a Real-World Deployment

The Cyber Security Challenge was an unusual deployment for Perception, which is typically deployed within the networks of commercial organisations.  Whereas normally Perception would be deployed to the core of a network with multiple normal users carrying out their normal day to day business, in this scenario it was deployed on a tiny network which hosted a large number of hackers, a number of IoT devices, no normal user traffic, and active malware.  Although there is value in noting the difference between this scenario and a standard Perception deployment, there are salient commonalities and threat scenarios that are present in both Perception's natural habitat, a commercial organisation's network, and the Cyber Security Challenge F2F's infected, hacker-dense, IoT-focussed network.

Firstly, the activity of a large number of hackers allowed Perception to prove that it would handle detecting all of the activities of the attackers and active malware, rather than a single attacker or piece of malware.  Although Perception is well-suited to networks of all sizes, it is very seldom deployed on networks with the presence of multiple malicious actors simultaneously and this gave it the opportunity to demonstrate that even in extreme circumstances Perception could still handle the accurate detection of multiple threat sources.  In real networks there have been instances of an attacker infecting a high number of devices simultaneously in order to cause maximum damage or to hide their true intentions, and it is important to the Perception team as designers of network security systems to demonstrate they have a tool that can handle these types of scenarios.

Secondly, IoT devices are usually thought of as being used in homes, rather than businesses.  This is only partly true: a huge number of businesses deploy network attached devices such as smart TVs, IP cameras, and access control systems in their offices.  The management of these devices is usually seen as the responsibility of a facilities department within a business, which typically means they aren't subject to the same security and software update controls that would be enforced by an IT team.  Even amongst Perception’s current customers it has detected the use of IoT devices running old software that could be vulnerable, and as IoT devices become more and more mainstream, this is only going to become more of an issue.  It is a very common occurrence in today’s security landscape for an IoT device to be a first point of infection within a network due to their poor design, relative lack of security updates, and the inability to install anti-virus software on them.  The Cyber Security Challenge F2F event is a perfect opportunity to show Perception can identify these types of threats where other protections aren’t suitable.

The logistics of running a challenge of this type also raised some minor differences, for example the networks themselves were not connected to the internet, providing a safe environment for the event.  Participants were only allowed to use the provided Internet laptop for research on a separate Internet connected network outside of the challenge network.

About the Cyber Security Challenge Face to Face Event

Setup

The Cyber Security Challenge F2F event was a day-long event based around a smart home.  A fictional IoT device manufacturer, EKOR, had heard reports that some of its devices were less secure than initially thought.  During the course of the day somebody malicious would exploit a home network and was going to use these exploits to physically break into the home by hacking a smart lock on a front door.  The attacker would achieve this by exploiting a vulnerable server and then using a separate vulnerability in the update mechanism to deploy malware to the IoT devices in the victim’s home.

7 teams of 6 participants each were ‘hired’ by EKOR to try and find system vulnerabilities and give feedback to EKOR of what they should do to solve the issues, preferably before the attacker gains access to the home. The participants were briefed that EKOR suspected there were vulnerabilities in their products, but had no information on what activity was to happen on the day.  Their activity would include looking at the EKOR network and how the smart devices worked in order to gain an understanding of what the vulnerabilities may be. The teams were against the clock to get the information to EKOR as there was a set time for when the attacker was going to break into the home.

Perception Deployment on the Cyber Security Challenge Network

Each of the 7 teams had 6 laptops to work on (one for each participant) and a scaled down version of EKOR’s smart home products: a hub, a light, a door lock, and a camera.  All of these devices were connected to a switch specific to that team.  Finally, the teams were given an internet connected laptop which was separate from their switch so they could look up anything they needed to.  The seven team switches then fed into an 8th ‘core’ switch.

Simulated EKOR internal servers and other simulated external servers were also connected to each team switch to give the illusion of a real world network, as well as to facilitate the activity planned for the day.  This gave the teams a realistic environment to work with while ensuring isolation of all the teams.  Other than the separate internet connected laptops, the challenge was conducted on a standalone network with no connection to the Internet.  Any IP addresses/domain names/etc. used for the ‘external’ devices are purely fictional. 

The Perception sensor took a SPAN feed from the core switch, meaning it could monitor all activity on the network.  The Perception sensor then used a virtual private network (VPN) to communicate with the Perception Central Correlation Server (CCS) which aggregated behaviours and displayed them in the UI for the Perception team to view.  The CCS can be hosted locally or remotely, however in the interest of keeping the challenge network as simple as possible, it was decided to deploy remotely and communicate via a VPN in this instance.

A live stream of the Perception UI was in the lobby of the event location alongside the assessors, this allowed rapid communication between the Perception team and the assessors about breaches of the event’s rules and the teams’ progress during the day.

As it Happened

Morning

Stage 1

During the first stage, teams were asked to use provided tools and documentation to gain an understanding of the EKOR network. They needed to request access to certain compressed (.zip) files and packet capture (.pcap) files which gave vital information about their network. Using these files they should have gained a good understanding of the devices as well as how the network behaves. The packet captures provided were designed to give the teams an indication of which servers might be vulnerable.

Perception Analysis

During this stage Perception discovered data being transferred from EKOR servers to the teams’ devices as the teams downloaded the packet captures and the .zip files. By analysing this data the Perception team could see which teams were further ahead and which teams needed further guidance. The judges also used this information to understand who had broken rules of engagement by downloading information prior to being granted permission. Data was being transferred from EKOR servers to the teams via an unencrypted service, HTTP over port 80.  Since Perception captures a sample of the packets passing across the sensor it was possible for the analyst to view the actual file details and confirm their contents.

Figure 1: This screenshot of Perception’s UI shows .zip files and packet captures being downloaded by one of the teams

1) These micro-controls in the header provide a quick reference to the key metrics for the event such as source and destination of the data transfer, the number of sessions over which the transfer was made and the data volumes in both directions.  The button on the far right downloads the actual packet captures so they can be viewed in a packet analysis tool such as Wireshark.

2) This Data Transfer diagram shows the direction of the connection, the service used for the transfer (HTTP port 80) and the number of sessions used between the source machine (left green box) and the destination machine (right green box).  The larger orange bar shows the high volume of data downloaded relative to the low upload volume indicated by the thin blue bar.

3&4) These bar charts show the volumes and duration metrics of the transfer.  These charts are particularly useful when analysing data transfers over multiple sessions.
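The roll-up shown in Figure 1, a per source/destination summary of sessions, bytes in each direction and the files fetched, together with the "downloaded before permission" check the judges relied on, can be reproduced from plain HTTP session records.  The code below is an added example written for this post, not Perception's implementation.  The session records, file names, server address and release times are all constructed; on a real deployment they would come from the sensor and from the rules of engagement.

```python
from collections import defaultdict

# Constructed HTTP sessions as a sensor might summarise them: the request line,
# bytes in each direction and a timestamp (seconds). File names are made up for this post.
SAMPLE_HTTP = [
    {"ts": 915, "src": "10.31.0.12", "dst": "10.31.0.3", "dport": 80,
     "request": "GET /files/network_docs.zip HTTP/1.1", "bytes_ab": 410, "bytes_ba": 2_450_000},
    {"ts": 930, "src": "10.31.0.12", "dst": "10.31.0.3", "dport": 80,
     "request": "GET /files/hub_traffic.pcap HTTP/1.1", "bytes_ab": 402, "bytes_ba": 8_900_000},
    {"ts": 845, "src": "10.31.0.21", "dst": "10.31.0.3", "dport": 80,      # fetched before release
     "request": "GET /files/hub_traffic.pcap HTTP/1.1", "bytes_ab": 402, "bytes_ba": 8_900_000},
    {"ts": 950, "src": "10.31.0.21", "dst": "10.31.0.3", "dport": 80,      # ordinary page view
     "request": "GET /index.html HTTP/1.1", "bytes_ab": 350, "bytes_ba": 5_200},
]

# Constructed release schedule: when EKOR made each file available to the teams.
RELEASED_AT = {"/files/network_docs.zip": 900, "/files/hub_traffic.pcap": 900}

INTERESTING_SUFFIXES = (".zip", ".pcap")


def requested_path(request_line):
    """Pull the path out of an HTTP request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def transfer_summary(sessions):
    """Figure 1-style roll-up per (src, dst, port): session count, bytes each way, files fetched."""
    summary = defaultdict(lambda: {"sessions": 0, "download": 0, "upload": 0, "files": []})
    for s in sessions:
        path = requested_path(s["request"])
        if not path.lower().endswith(INTERESTING_SUFFIXES):
            continue
        entry = summary[(s["src"], s["dst"], s["dport"])]
        entry["sessions"] += 1
        entry["download"] += s["bytes_ba"]   # server -> client, the large orange bar
        entry["upload"] += s["bytes_ab"]     # client -> server, the thin blue bar
        entry["files"].append(path)
    return dict(summary)


def early_downloads(sessions, released_at):
    """Downloads that happened before the file's release time: a rules-of-engagement breach."""
    out = []
    for s in sessions:
        path = requested_path(s["request"])
        if path in released_at and s["ts"] < released_at[path]:
            out.append((s["src"], path, s["ts"]))
    return out


if __name__ == "__main__":
    for key, entry in transfer_summary(SAMPLE_HTTP).items():
        print(key, entry)
    print("early:", early_downloads(SAMPLE_HTTP, RELEASED_AT))
```

Because the transfer was plain HTTP, the request line alone identifies the file; had the file share used HTTPS, only the session count and volumes would survive, and confirming the contents would need the sampled packets to be decrypted at an inspection point rather than read off the wire.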

Stage 2

Teams were then given disk images that they could run, only some of which had been infected with malware. This should have given the teams some idea as to what the malware does as it becomes active on the network. The teams were then allowed access to EKOR’s software code base, allowing for manual code review to look for vulnerabilities in the systems. The malware would connect out to an external Command and Control (CnC) server to receive instructions on what to do.  Over a half-hour period the malware began to turn the lights of each team’s scaled-down EKOR products on and off.  This should have indicated to the teams that the malware was present on the network as well as indicating which devices were infected.

Perception Analysis

Once the malware became active on the network Perception saw connections to the CnC server. This allowed the Perception team to get an understanding as to which devices were infected.  On a real world network this information would be an indicator of compromise, enabling the analyst to gain an understanding of which other devices were connecting out to the malicious server, and therefore which devices had been infected.

Figure 2: This screenshot of Perception’s UI shows a behaviour that indicates an internal device has connected to an external device, in this case a compromised device connecting to the malicious CnC server.

1)  From these micro-controls in the top bar it is easy to identify the source and destination IP addresses, device hostnames, the service (port) being communicated with, and the number of other hosts talking to that same service.

2) This network diagram shows a source host (black circle) on the internal (trusted) network communicating with a destination host (red dot) on the external (untrusted) network.  This diagram also shows a number of other hosts on the internal network, (green dots) also communicating with this external device.  This is useful for quickly identifying which other devices have connected to this external host.

3) This summary information here identifies the key attributes for the main communication between the internal and external hosts, namely the IP addresses, hostnames, number of sessions and number of other hosts connected to the same destination.
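The Figure 2 view rests on one simple question: which internal hosts are talking to the same external service?  A destination that several otherwise unrelated internal devices contact is exactly the fan-in pattern a CnC server produces.  The code below is an added example written for this post, not Perception's own correlation logic.  It assumes session records with source, destination, port and timestamp, treats 10.0.0.0/8 as the trusted range, and uses a constructed set of sessions in which the documentation address 198.51.100.7 stands in for the fictional CnC server.

```python
import ipaddress
from collections import defaultdict

# Constructed session records in the shape a sensor might export. 198.51.100.0/24 is a
# documentation range standing in for the challenge's fictional "external" addresses.
SAMPLE_SESSIONS = [
    {"src": "10.31.0.11", "dst": "198.51.100.7",  "dport": 443, "ts": 1000},
    {"src": "10.31.0.11", "dst": "198.51.100.7",  "dport": 443, "ts": 1060},
    {"src": "10.31.0.12", "dst": "198.51.100.7",  "dport": 443, "ts": 1005},
    {"src": "10.31.0.21", "dst": "198.51.100.7",  "dport": 443, "ts": 1010},
    {"src": "10.31.0.31", "dst": "198.51.100.7",  "dport": 443, "ts": 1020},
    {"src": "10.31.0.12", "dst": "10.31.0.3",     "dport": 80,  "ts": 1030},  # internal file share
    {"src": "10.31.0.13", "dst": "198.51.100.20", "dport": 80,  "ts": 1040},  # one host, one site
]

# Assumed trusted range. Listed explicitly rather than via ip_address().is_private, because
# the documentation ranges used above are themselves flagged "private" by that property.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def external_fan_in(sessions, min_hosts=2):
    """Map each external (dst, port) to the internal hosts that contacted it and the session count.

    Only destinations contacted by at least min_hosts distinct internal hosts are returned;
    these are the candidates for a shared CnC server.
    """
    hosts = defaultdict(set)
    count = defaultdict(int)
    for s in sessions:
        if is_internal(s["src"]) and not is_internal(s["dst"]):
            key = (s["dst"], s["dport"])
            hosts[key].add(s["src"])
            count[key] += 1
    return {k: {"hosts": sorted(v), "sessions": count[k]}
            for k, v in hosts.items() if len(v) >= min_hosts}


def peers_of(sessions, src, dst, dport):
    """For one flagged connection, the other internal hosts using the same service (Figure 2's green dots)."""
    others = {s["src"] for s in sessions
              if s["dst"] == dst and s["dport"] == dport and s["src"] != src and is_internal(s["src"])}
    return sorted(others)


if __name__ == "__main__":
    for service, detail in external_fan_in(SAMPLE_SESSIONS).items():
        print(service, detail)
    print(peers_of(SAMPLE_SESSIONS, "10.31.0.11", "198.51.100.7", 443))
```

On a production network the threshold would be tuned and well-known shared services (software update servers, a SaaS suite) whitelisted, otherwise every popular website would appear as fan-in; what makes the challenge case stand out is that the destination was unknown, the hosts were IoT devices that have no business talking to it, and the connections started at the same moment the lights began to flicker.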

Afternoon

Stage 3

The first task of the afternoon was to begin penetration testing. Penetration testing is the name given to the process of actively testing devices for potential vulnerabilities.  Teams were supplied with rules of engagement and were expected to ask for permission before actively communicating with the devices under assessment.  This is typical in a penetration test to ensure there is no unwanted impact on service.  Permission was granted, providing a narrow subnet of 10.31.0.0/26 to test against.  This stage consisted of a lot of information gathering from the teams using techniques such as port scans to identify active systems within that subnet and also what services they may be running.

Perception Analysis

From this stage Perception reported, somewhat unsurprisingly, a large number of scanning activities within the specified subnet.  In addition to this Perception was able to spot teams scanning wider than the subnet specified by EKOR, along with any teams scanning before EKOR had given permission for the penetration testing to begin.

Figure 3: This screenshot from the Perception UI shows a behaviour that indicates a port scan has occurred.

1) These micro-controls in the top bar show the key information about this behaviour, the source, number of destinations – separated by the defined network range, and data volumes.

2) This network diagram shows an internal host (black circle) communicating with one other internal host (green dot) on 503 unique sockets (number on the green line) using over 500 ports (number in the green dot).

3) This summary information shows the overall number of sessions generated by this host is 999, all of which were reset by the server.

4) This details table shows each scanned port as a separate row as the source device cycles through the available port range on the destination.  The analyst can easily use this table to identify any ports that elicit a response by sorting the table by TCP Flags B>A.

Stage 4

EKOR released more packet captures to participants that displayed activity from the malware allowing the teams to gain more information about the malware and the CnC server. Some of the teams may have already been aware that there were more systems in the upper parts of the subnet range from looking at some captures. Teams were expected at this point to request authorisation to start penetration testing on the wider subnet having discovered that there may be a vulnerable server outside of the allowed scanned subnet. Once requested, EKOR gave permission to scan the 10.31.0.0/25 subnet. If teams had not found these vulnerable devices then EKOR eventually requested for a wider subnet to be penetration tested. On the wider subnet there was a legacy server that had not been disconnected from the network when a replacement server had been commissioned. The legacy server contained some vulnerabilities that allowed it to be exploited, allowing an attacker to steal the password database for offline brute forcing.  EKOR had used the same administrator password on both servers so by gaining access to the legacy server, the attacker could use information learned to access the new server.

Perception Analysis

Perception observed the data transfer of the .pcap files being downloaded from EKOR’s file share at the point these were released by EKOR. Perception then raised similar events to the last stage indicating scanning activities but this time on the wider subnet. These events were used to verify with the judges if teams had prior permission to run the scans on the wider subnet.

End of the Challenge

The last stage of the challenge was for the participants to verbally present their findings to EKOR.  These would have included information about the vulnerable server, the malware deployed, and urgent remediation activity required to solve the issue.

Rule-breaking

Throughout the day monitoring by Perception was taking place to ensure that all teams followed the rules and also to help with the scoring of teams. Examples of some behaviours spotted included port scans before permission was given to the teams, scanning of systems that did not belong to EKOR, and not asking for passwords for downloaded files.

- Each team was required to gain permission from EKOR before scanning any device on the network.  During the morning it was not expected for any team to be scanning the network, their aim was to gain information from the documentation provided by EKOR. Throughout the day there were a lot of scanning activities taking place that were captured by Perception. This allowed for checking that the teams generating these behaviours had asked for relevant permissions. Some teams had asked EKOR’s permission to run some scans but were only given permission to a small subnet of IP addresses. This meant Perception saw two types of rule breaking, scanning without permission and also scanning a wider subnet than permitted.

- Teams were allowed to download documents from the EKOR file server to help them throughout the task, however these documents were password protected and access to them required asking EKOR for the passwords. This allowed the Perception team to check with the judges whether teams had asked for the passwords once they had downloaded the files. If these passwords had not been requested it may be assumed the teams used different means to open the document and thus broke the rules of engagement.

- Some teams also began to scan a Domain Name System (DNS) server that did not belong to EKOR. This would have broken the penetration testing rules of engagement. Perception raised this event which was then forwarded to the judges giving them valuable information that they may not have had access to otherwise.  The participants of this event were not working full time in network security roles at the time, and perhaps would not have been used to the stringent rules network security professionals are subject to in the real world.  Actively trying to detect vulnerabilities in devices where the owner has not granted permission (such as this DNS server) is an offence under the Computer Misuse Act.

Figure 4: This screenshot from the Perception UI shows a behaviour that was generated when a team started port scanning an external DNS server

1) This behaviour is almost identical to the other port scan shown in Figure 3, however the IP address here shows that this port scan was carried out on a device outside of EKOR’s network range.
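The port scan behaviours in Figures 3 and 4, the count of ports touched, the sessions reset by the server, the ports that did answer (the "TCP Flags B>A" sort), and the scope and timing checks the judges applied in Stages 3 and 4, can all be derived from per-session flow records.  The following is an added example written for this post, not Perception's detection logic.  It assumes one record per TCP session carrying the flags seen in each direction; the scans, the team addresses and the permission schedule are constructed, using the 10.31.0.0/26 and 10.31.0.0/25 ranges the challenge authorised and the documentation address 192.0.2.53 as the non-EKOR DNS server.

```python
import ipaddress
from collections import defaultdict


def make_scan(ts, src, dst, ports, open_ports=()):
    """Build constructed flow rows for a scan of `ports` on `dst`; open ports answer SYN-ACK, the rest RST."""
    rows = []
    for p in ports:
        back = "SA" if p in open_ports else "R"
        rows.append({"ts": ts, "src": src, "dst": dst, "dport": p, "flags_ab": "S", "flags_ba": back})
    return rows


# Constructed flow records: three scans of 120 ports and one ordinary web session.
SAMPLE_FLOWS = (
    make_scan(1000, "10.31.0.40", "10.31.0.5", range(1, 121), open_ports={22, 80})  # in scope, permitted
    + make_scan(1100, "10.31.0.41", "10.31.0.70", range(1, 121))                    # wider subnet, too early
    + make_scan(1200, "10.31.0.42", "192.0.2.53", range(1, 121))                    # not EKOR's at all
    + [{"ts": 1300, "src": "10.31.0.43", "dst": "10.31.0.5", "dport": 80, "flags_ab": "S", "flags_ba": "SA"}]
)

# Constructed rules of engagement: per source, the ranges it may scan and the time each was granted.
AUTHORISED = {
    "10.31.0.40": [(900, ipaddress.ip_network("10.31.0.0/26"))],
    "10.31.0.41": [(900, ipaddress.ip_network("10.31.0.0/26")), (1500, ipaddress.ip_network("10.31.0.0/25"))],
    "10.31.0.42": [(900, ipaddress.ip_network("10.31.0.0/26"))],
    "10.31.0.43": [(900, ipaddress.ip_network("10.31.0.0/26"))],
}


def detect_port_scans(flows, min_ports=100):
    """Group sessions by (src, dst); a pair touching at least min_ports distinct ports is a scan."""
    pairs = defaultdict(lambda: {"ports": set(), "responded": set(), "reset": 0, "first_ts": None})
    for f in flows:
        p = pairs[(f["src"], f["dst"])]
        p["ports"].add(f["dport"])
        if p["first_ts"] is None or f["ts"] < p["first_ts"]:
            p["first_ts"] = f["ts"]
        if "R" in f["flags_ba"]:          # server reset the session: closed port
            p["reset"] += 1
        elif "SA" in f["flags_ba"]:       # server answered SYN-ACK: a listening service
            p["responded"].add(f["dport"])
    return {k: v for k, v in pairs.items() if len(v["ports"]) >= min_ports}


def scope_violations(scans, authorised):
    """Scans whose target lay outside every range the source was permitted to scan at that moment."""
    out = []
    for (src, dst), info in scans.items():
        target = ipaddress.ip_address(dst)
        grants = authorised.get(src, [])
        permitted = any(granted_at <= info["first_ts"] and target in net for granted_at, net in grants)
        if not permitted:
            out.append((src, dst))
    return sorted(out)


if __name__ == "__main__":
    scans = detect_port_scans(SAMPLE_FLOWS)
    for pair, info in scans.items():
        print(pair, len(info["ports"]), "ports,", info["reset"], "reset, open:", sorted(info["responded"]))
    print("violations:", scope_violations(scans, AUTHORISED))
```

The time-aware check is what distinguishes the two kinds of rule breaking described above: the scan of 10.31.0.70 is inside a range that team was eventually granted, but it happened before the grant, while the scan of the external DNS server is outside any range that was ever authorised.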

Actions of malicious third parties on the network

Behaviours from third party hosts were identified by Perception early on in the task. One of the behaviours included CnC connections from the infected IoT devices once the malware became active on the network. Perception raised events which indicated which IoT devices connected to the third party CnC server. These events from Perception showed that at least one device from each team connected out to the CnC server. If the participants had access to a Perception device they would have been able to verify instantly which devices were connecting to the CnC server and therefore understand which devices were compromised, substantially reducing the time taken to investigate the problem.  Likewise, if Perception was used as a vulnerability detector by EKOR, it is unlikely these issues would have been open for very long at all since Perception is designed to draw attention to vulnerabilities prior to them being breached.

Conclusion

The Cyber Security Challenge as a whole was a huge success.  The organisers were pleasantly surprised by the outstanding capabilities of the participants and the event as a whole represents a bright future for network security professionals within the UK.  The format of the event, one based around the growing threat of IoT devices was a welcome change to similar events held in the past and tested aspects of the participant’s capabilities that perhaps haven’t been scrutinised before.  Although some rules were broken along the way, the event gave the participants an opportunity to make these sorts of mistakes in a ‘safe’ environment while they hone their skills as security professionals.

Teams were scored accurately based on good behaviours shown and marked down where necessary when rules of engagement were broken. Perception assisted the judges in making these decisions by providing them with definitive proof of an activity that occurred and identifying the teams involved. In cases where teams denied any rule breaking, Perception was able to provide a record, often in the form of actual packets collected from the network, showing that they had.  Perception observed a huge number of behaviours on the network and correlated these behaviours into an actionable format to ensure the users of Perception could work efficiently. Perception performed very well in this environment due to its ability to begin identifying behaviours and generating alerts almost immediately with little or no configuration; this was vital given the short duration of the event.

Alex Collins, who helped organise the event for Roke, commented, “Perception provided excellent network visibility throughout Roke’s Cyber Security Challenge. Perception discovered the malware on the compromised devices and enabled us to quickly detect, investigate, and understand the activities of contestants throughout the day, as they tried to assess the security of our fictional Internet of Things product line and services.”

To learn more about Perception, please contact us.

Collated and written by:

James Crawford, Perception Analyst

Glynn Barrett, Perception Software Engineering Team Lead

Dan Driver, Head of Perception

The Perception team would like to extend their sincerest thanks to the Cyber Security Challenge for the event itself and the provision of assessors, as well as to Roke Manor Research Limited for putting the F2F event together, we know how much of an epic task this was.  They’d also like to give their utmost congratulations to all participants that took part in the event, their skillset was truly incredible, even more so given a relative lack of experience in the field, and it was an absolute pleasure to spy on you all for the day.