Thoughts From The Nest

Blog, updates and release notes.

Threat Report Tuesday July 17th 2018

Patrick Snyder on July 17, 2018


In this week’s report we are covering two threats. If you have a BYOD policy you may want to pay attention to the first piece of research. Security researchers at Check Point have discovered samples of Glancelove, an Android-targeting malware, in a campaign they attribute to Hamas that piggybacks on the 2018 World Cup. According to the researchers, the group distributes Glancelove through fake Facebook pages and profiles with photos of attractive women, who promote the malware in the form of a dating app available from the Google Play Store. The second item is not malware but an attack on GPS, and on the vehicles that rely on it for daily navigation. A team of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research recently released their findings on a GPS spoofing attack that can send Google Maps users in the wrong direction. The attack replaces the user’s intended destination with a “ghost location”: instead of receiving the legitimate satellite signals, the victim’s receiver locks on to the attacker’s transmitter, which feeds it false position data.

Malware: Glancelove

The Glancelove dating application asks for permission to use the device’s network connection, contacts, SMS, camera, and storage. Once the permissions are granted, it contacts its command and control (C&C) server to download the final payload. The payload can record calls, track location, turn on the microphone, steal SMS messages, take photos, map the device’s storage, and steal contacts and images. The researchers note that these multi-stage mobile attacks succeed mainly because the targets are hand-picked and the malware can keep installing additional components as needed. Two similar malicious applications used by the same group are Golden Cup and Wink Chat.

For more information there are a few links below:

Links:

GlobalSecurityMag
News Observer

Some Mitigation Strategies:

  • Monitor your employee and guest Wi-Fi networks; keep in mind that a BYOD device on cellular data never touches them, so mobile device management (MDM) with app allow-listing is the control that reaches the device itself
  • Intrusion detection systems (IDS) would detect the C2 communication used for the payload download
  • Web Filtration would detect the use of malicious URLs or unknown sites
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: GPS Spoofing Hack

The researchers used a HackRF One software defined radio, a Raspberry Pi, a portable power source, and an antenna. The spoofer can be operated remotely, for example with the equipment hidden under the victim’s car. The researchers concluded that an attentive driver who is familiar with the route and destination would notice the change in the Google Maps application; if the area and route are unfamiliar, the driver may never realize they have been deceived. According to the researchers, their experiment failed only against a 2014 Tesla Model S, which they attributed to Tesla’s use of a u-blox navigation chip with an anti-spoofing function.

Links:

Forbes

Some Mitigation Strategies:

  • GPS receivers with built-in anti-spoofing, such as the u-blox chip the researchers credit with defeating the attack on the Tesla
  • Intrusion detection systems (IDS) to monitor for malicious communication; note that an IDS cannot see the spoofed radio signal itself, it only helps if the spoofer’s remote-control channel crosses a monitored network
  • 24x7 Security Monitoring that checks reported GPS positions for consistency against an independent source (fleet telemetry, cell-tower positioning, or simply the speed implied between consecutive fixes)
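
The consistency check in the last bullet, as an added example that is not code from the research team or from this blog: it flags a fix whose implied speed from the previous fix is beyond what a road vehicle can do, and cross-checks each fix against an independent coarse position. The speed ceiling, divergence budget and all sample fixes are constructed assumptions.

```python
"""GPS fix plausibility check.

Added example; not code from the research team or from this blog. It flags a
fix whose implied speed from the previous fix is beyond what a road vehicle
can do, and cross-checks each fix against an independent coarse position
(fleet telemetry or cell-tower positioning). The speed ceiling, divergence
budget and all sample fixes are constructed assumptions.
"""
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_ROAD_SPEED_MPS = 70.0      # assumption: ~250 km/h, generous for a road vehicle
MAX_DIVERGENCE_M = 1_500.0     # assumption: error budget of the independent coarse fix


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, reference=None):
    """Return [(index, reason), ...] for fixes that look spoofed.

    fixes:     list of (t_seconds, lat, lon) from the GPS receiver
    reference: optional list of (t_seconds, lat, lon) from an independent
               position source, aligned index-for-index with `fixes`
    """
    findings = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        dt = t1 - t0
        if dt <= 0:
            findings.append((i, "timestamp not increasing"))
            continue
        speed = haversine_m(la0, lo0, la1, lo1) / dt
        if speed > MAX_ROAD_SPEED_MPS:
            findings.append((i, f"implied speed {speed:.0f} m/s"))
    if reference is not None:
        for i, ((_, la, lo), (_, rla, rlo)) in enumerate(zip(fixes, reference)):
            gap = haversine_m(la, lo, rla, rlo)
            if gap > MAX_DIVERGENCE_M:
                findings.append((i, f"{gap:.0f} m from independent fix"))
    return findings


# Constructed sample: a vehicle moving north at ~14.5 m/s, one fix every 10 s.
# At index 3 the receiver is fed a position about 2 km ahead of the true track.
SAMPLE_FIXES = [
    (0, 37.2296, -80.4139),
    (10, 37.2309, -80.4139),
    (20, 37.2322, -80.4139),
    (30, 37.2502, -80.4139),   # spoofed jump
    (40, 37.2515, -80.4139),   # spoofer keeps the ghost track going
]
# Constructed independent track (e.g. fleet telemetry) for the same timestamps.
SAMPLE_REFERENCE = [
    (0, 37.2296, -80.4139),
    (10, 37.2309, -80.4139),
    (20, 37.2322, -80.4139),
    (30, 37.2335, -80.4139),
    (40, 37.2348, -80.4139),
]

if __name__ == "__main__":
    for idx, why in check_fixes(SAMPLE_FIXES, SAMPLE_REFERENCE):
        t, lat, lon = SAMPLE_FIXES[idx]
        print(f"t={t:>3}s  ({lat:.4f}, {lon:.4f})  {why}")
```

The speed test alone catches the jump at index 3 but not the fixes after it, because once the ghost track is established the spoofed fixes are self-consistent; that is why the second, independent source is needed to keep flagging the divergence.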

How to boost your FFIEC CAT score, Part 1: What the CAT dragged in

Mike Riggs on July 11, 2018


Since the Federal Financial Institutions Examination Council (FFIEC) introduced the Cybersecurity Assessment Tool (CAT) a few years ago, financial institutions have finally had a prescriptive path to operational cybersecurity maturity laid out for them.

So what has the CAT brought us?

  • Financial institutions welcomed the CAT. While institutions aren’t required to complete the assessment, examiners use it as their framework when assessing institutions during exams. The CAT was intentionally vague and lacked specific guidance; but it did act as a tool that gave institutions the right amount of autonomy to grow in the areas they saw fit while adhering to the suggested path to maturity. It introduced new concepts, including Domain II, which covered complex topics in Threat Intelligence and Information Sharing.

  • It’s tough to evolve beyond the baseline requirement of “belonging or subscribing to a threat and vulnerability information sharing source that provides information on threats”. At my institution, we were already ahead of the curve by belonging to the FS-ISAC and being active with their various Community Institution and CyberIntel mailing lists, but the volume of information coming through was too much and mostly unactionable at a small institution like ours. There was a struggle to find a product to help cover the information overload and make the information actionable without increasing headcount or level of effort in information security resources.

  • This gap in coverage is where Perch Security has found a niche in financial services. I was a Perch user before I was an employee. I loved the product because Perch boosts an organization’s CAT Domain II maturity level and helps cover many other controls that are part of a well-defined cybersecurity program. From threat intelligence detection and response to participation in threat intelligence communities, Perch helps make up shortfalls in stretched budgets of financial institutions by backfilling with People (managed 24x7 SOC services), Process (helping bring structure around escalation and initiation of incident response and threat intel consumption) and Technology (automating the detection of the threats on your network).

Look for future blog posts from Michael Riggs, CISSP, that will cover achieving maturity in specific CAT domains.

Threat Report Tuesday July 10th 2018

Patrick Snyder on July 10, 2018


In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, that is derived from the Ammyy Admin remote desktop tool. FlawedAmmyy is built on the leaked source code of Ammyy Admin version 3 and provides unfettered remote access to the target system. The campaign, which the researchers attribute to TA505, includes both broad spam runs and more targeted campaigns against specific industries, including the automotive industry. The second threat is GandCrab, a ransomware that since its inception in December 2017 has quickly become one of the most significant cyber threats of early 2018. Sold on a Ransomware-as-a-Service (RaaS) model and distributed through the dark web, it targets victims in multiple countries using a combination of malicious tools. Despite the recent success of law enforcement and the security community, who slowed the proliferation of the first version by releasing a free decryption tool, updated versions of the ransomware continue to hit thousands of victims around the world. GandCrab was the first ransomware to demand payment in the Dash cryptocurrency.

Malware: FlawedAmmyy

Though only recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign uses the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of the campaign is its delivery chain: ZIP attachments containing .URL files (which Windows interprets as Internet Shortcuts) whose target is an SMB share on an attacker-controlled host, so that opening the shortcut fetches the RAT over SMB rather than over the web.
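
A triage script for that delivery trick, as an added example that is not code from the researchers or from this blog: a .URL file is a small INI file whose [InternetShortcut] section carries a URL= line, and when that target is file://host/... or a \\host\share UNC path, Windows resolves it over SMB. The sample shortcuts and the list of payload extensions are constructed.

```python
"""Triage of Windows Internet Shortcut (.url) files for SMB delivery.

Added example; not code from the researchers or from this blog. A .url file
is a small INI file whose [InternetShortcut] section carries a URL= line.
When that target is file://host/... or a \\host\share UNC path, Windows
resolves it over SMB, which is the delivery trick described above. The
sample shortcuts and the extension list below are constructed assumptions.
"""
import configparser
import ipaddress
from urllib.parse import urlparse

# assumption: payload extensions worth an immediate escalation
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".exe", ".scr")


def shortcut_target(text):
    """Return the URL= value from [InternetShortcut], or None if absent/unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "URL"):
            return cp.get(section, "URL").strip()
    return None


def remote_host(target):
    """Host a file:// URL or UNC path reaches over SMB, or None if it stays local."""
    if target.startswith("\\\\"):                     # \\host\share\path
        return target[2:].split("\\", 1)[0] or None
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        host = parsed.netloc.lower()
        return None if host in ("localhost", "127.0.0.1") else host
    return None


def triage(text):
    """Classify one .url file: (verdict, target)."""
    target = shortcut_target(text)
    if target is None:
        return ("no-url", None)
    host = remote_host(target)
    if host is None:
        return ("benign", target)              # http(s) or local file: not the SMB trick
    try:
        ipaddress.ip_address(host)
        literal_ip = True                      # a shortcut to a raw-IP share is not normal
    except ValueError:
        literal_ip = False
    leaf = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if literal_ip or leaf.endswith(SCRIPT_EXTENSIONS):
        return ("suspicious", target)
    return ("remote-share", target)            # named share: review against your allow-list


# Constructed samples, not files recovered from the campaign.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.js\r\n",
    "wiki.url": "[InternetShortcut]\r\nURL=http://intranet.example/wiki\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    "policy.url": "[InternetShortcut]\r\nURL=\\\\fileserver01\\public\\policy.pdf\r\nIconIndex=0\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {triage(body)}")
```

Run it over the .url members of inbound ZIP attachments at the mail gateway; a "suspicious" verdict is a block, a "remote-share" verdict only needs a check that the host is one of your own file servers.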

For more information there are a few links below:

Links:

ZDNet

Hack Dig

PasteBin

Some Mitigation Strategies:

  • File Integrity Management looking for the installation of files associated with the RAT
  • Intrusion detection systems (IDS) would detect outbound SMB (TCP 445) to Internet hosts and the C2 traffic; outbound SMB should also be blocked at the perimeter
  • Web Filtration would detect the use of malicious URLs
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: GandCrab

According to security analysts, the initial version of the malware was poorly developed, which is what made a decryption tool possible. The GandCrab creators quickly corrected the flaws, and subsequent versions proved more robust.
It is reported that the earlier flawed version stored the decryption key on the victim machine, encrypted with the same password; the GandCrab developers promptly addressed the issue.

The operators’ infrastructure uses .bit domains, which are resolved through the decentralized Namecoin blockchain rather than the ordinary DNS hierarchy; lookups for .bit names leaving a corporate network are therefore a useful signal in their own right.

Links:

Security Affairs

Trend Micro

VirusTotal

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication to C2
  • File Integrity Management looking for new files being installed on the system
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Wednesday July 2nd 2018

Patrick Snyder on July 2, 2018


In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that is currently being pushed on cryptocurrency-focused Slack and Discord channels. The other is Nozelesn, a crypto-ransomware that was first reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, Nozelesn leaves little or no trace on compromised machines, and creating detection rules has proven troublesome. Judging from the initial submissions and the way it spreads, the team behind Nozelesn appears to target users based in Poland.

Malware: OSX.Dummy

Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is being spread via cryptocurrency-focused Slack and Discord channels. Attackers convince cryptocurrency enthusiasts to paste a long command into the Mac Terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” binary then installs itself as a launch daemon to maintain persistence, and drops a Python script that opens a reverse shell to 185.243.115.230 on port 1337, giving the attacker access to the infected host. The malware also prompts the user for their root password and saves it unencrypted to /Users/Shared/dumpdummy and /tmp/dumpdummy, giving the attacker easy access for future operations. Researchers note that the malware is simplistic and easy to detect with standard malware detection tools.

For more information there are a few links below:

Links:

Bleeping Computer

SC Magazine UK

Some Mitigation Strategies:

  • File Integrity Management looking for new files in /tmp and /Users/Shared, in particular the dumpdummy files and any new launch daemon plist that executes from those directories
  • Intrusion detection systems (IDS) would detect the outbound connection to 185.243.115.230 on TCP port 1337
  • 24x7 Security Monitoring for malicious behavior and immediate incident response
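
The host-side checks above, as an added example that is not code from the researcher’s write-up or from this blog: it parses launchd property lists with the standard library and flags jobs that execute from /tmp or /Users/Shared, checks for the dumped-password files, and matches connection records against the reported 185.243.115.230:1337 endpoint. The sample plists, file list and connection records are constructed.

```python
"""Host triage for the OSX.Dummy indicators described above.

Added example; not code from the researcher's write-up or from this blog.
It parses launchd property lists with the standard library and flags jobs
that execute from /tmp or /Users/Shared, checks for the dumped-password
files, and matches connection records against the reported
185.243.115.230:1337 endpoint. The sample plists, file list and connection
records are constructed.
"""
import plistlib
from xml.parsers.expat import ExpatError

C2_ENDPOINT = ("185.243.115.230", 1337)           # from the report above
DUMP_FILES = {"/Users/Shared/dumpdummy", "/tmp/dumpdummy"}
# assumption: nothing legitimate should be launched at boot from these
UNTRUSTED_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launchd_job_paths(plist_bytes):
    """Paths a launchd job executes: Program, argv[0], and any absolute-path
    argument (for `python /Users/Shared/x.py` the script is the real payload)."""
    job = plistlib.loads(plist_bytes)
    paths = []
    if job.get("Program"):
        paths.append(job["Program"])
    args = job.get("ProgramArguments") or []
    if args:
        paths.append(args[0])
        paths.extend(a for a in args[1:] if a.startswith("/"))
    return paths


def suspicious_jobs(plists):
    """plists: {filename: bytes}. Names of jobs that run from an untrusted dir,
    or that cannot be parsed at all (also worth a look in LaunchDaemons)."""
    hits = []
    for name, data in plists.items():
        try:
            paths = launchd_job_paths(data)
        except (plistlib.InvalidFileException, ExpatError, ValueError):
            hits.append(name)
            continue
        if any(p.startswith(UNTRUSTED_PREFIXES) for p in paths):
            hits.append(name)
    return hits


def dumped_credentials(existing_paths):
    """Which of the known password-dump files exist on the host."""
    return sorted(DUMP_FILES.intersection(existing_paths))


def c2_connections(conns):
    """conns: iterable of (src_ip, dst_ip, dst_port). Those reaching the reported C2."""
    return [c for c in conns if (c[1], c[2]) == C2_ENDPOINT]


# Constructed sample data (job labels, file list and flows are invented).
SAMPLE_PLISTS = {
    "com.vendor.printd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.printd</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/printd</string><string>-d</string></array>
</dict></plist>""",
    "com.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.helper</string>
  <key>ProgramArguments</key><array><string>/tmp/script</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string><string>/Users/Shared/update.py</string>
  </array>
</dict></plist>""",
}
SAMPLE_PATHS = {"/tmp/script", "/tmp/dumpdummy", "/Users/Shared/.DS_Store"}
SAMPLE_CONNS = [
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.5", "185.243.115.230", 1337),
    ("10.0.0.7", "185.243.115.230", 443),
]

if __name__ == "__main__":
    print("persistence:", suspicious_jobs(SAMPLE_PLISTS))
    print("dumped creds:", dumped_credentials(SAMPLE_PATHS))
    print("c2 sessions:", c2_connections(SAMPLE_CONNS))
```

On a real host you would feed suspicious_jobs the contents of /Library/LaunchDaemons and /Library/LaunchAgents, and dumped_credentials the result of an os.walk over /tmp and /Users/Shared; the C2 match only needs the destination pair, so it works on flow records as well as full packet capture.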

Malware: Nozelesn

Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. They first noticed it through multiple Polish victim submissions to ID Ransomware, as well as a new discussion started by victims on the BleepingComputer forums. According to a researcher at CERT Polska, Poland’s Computer Emergency Response Team, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, encrypted files are given a “.nozelesn” extension. The malware then drops a ransom note, HOW_FIX_NOZELESN_FILES.htm, offering to “fix” the files; the note contains instructions together with a personal code for logging in to the Tor payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently 0.10 BTC, roughly $660 USD.

Links:

Cyber Byte

Londrina Security News

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication
  • File Integrity Management looking for new files being installed on the system
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Wednesday June 18th 2018

Patrick Snyder on June 18, 2018


In this week’s report we are covering two very malicious programs. The first is a custom remote access trojan (RAT) called UBoatRAT that is being distributed via Google Drive links. The malware obtains its command and control (C2) address from GitHub and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence. The other is MirageFox, a new tool produced by APT15 that looks to be an upgraded version of a RAT believed to date from 2012, known as Mirage. The researchers track the new malware as MirageFox, a name taken from a string found in one of its components, which borrows code from both Mirage and Reaver.

Malware: UBoatRAT

The RAT is usually delivered as a ZIP archive hosted on Google Drive containing a malicious executable disguised as a folder or an Excel spreadsheet. Once run, UBoatRAT checks for virtualization software (VMware, VirtualBox or QEMU), which would indicate a research environment, and tries to obtain a domain name from the network: it only carries out its malicious activity when the host is joined to an Active Directory (AD) domain, which keeps it quiet on home machines and on analysis sandboxes that are not domain members. Since June, the GitHub “uuu” repository the C2 lookup pointed to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repositories is “elsa999”. For more information there are a few links below:

Links:

Tech Target

Threat Post

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious links that lead to Google Drive downloads
  • File Integrity Management looking for ZIP archives that unpack executables disguised as folders or Excel spreadsheets
  • Intrusion detection systems (IDS) would detect the malware’s network communication; note that the C2 lookup itself goes to GitHub over HTTPS and will look like ordinary developer traffic
  • Audit persistent BITS jobs (bitsadmin /list /allusers /verbose, or Get-BitsTransfer -AllUsers in PowerShell), since the RAT relies on BITS for persistence
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: MirageFox

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing code from one of the tools it used in past operations. APT15 is known for cyberespionage against companies and organizations in many countries, targeting sectors such as the oil industry, government contractors, and the military. The attackers use built-in Windows commands for reconnaissance; lateral movement was carried out with the net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

Links:

Security Affairs

Intezer

Virus Total

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication
  • File Integrity Management looking for new file installation
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection
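
The C$ share log check from the mitigation list, as an added example that is not code from Intezer, Security Affairs or this blog: Windows Security event 5140 (“A network share object was accessed”) records who connected to which share from which address, and the detector flags C$ and ADMIN$ access from sources other than sanctioned jump hosts, raising the severity when one source reaches several hosts inside a short window. The events, jump-host list and thresholds are constructed.

```python
"""Admin-share lateral-movement detection over Windows Security event 5140.

Added example; not code from Intezer, Security Affairs or this blog. Event
5140 ("A network share object was accessed") records who connected to which
share from which address. The detector flags C$ and ADMIN$ access from
sources other than sanctioned jump hosts and raises the severity when one
source reaches several hosts inside a short window, the pattern described
above. The events, jump-host list and thresholds are constructed.
"""
import json
from collections import defaultdict

ADMIN_SHARES = {"C$", "ADMIN$"}
JUMP_HOSTS = {"10.0.5.10"}          # assumption: the only sanctioned admin sources
FANOUT_THRESHOLD = 3                # assumption: distinct targets that make it "high"
WINDOW_S = 600                      # assumption: ten-minute window


def share_basename(share_name):
    """Last component of a logged share name, upper-cased (the C$ in a 5140 ShareName)."""
    return share_name.rstrip("\\").rsplit("\\", 1)[-1].upper()


def admin_share_events(lines):
    """Parse JSON event lines and keep 5140 records that touch an admin share."""
    kept = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 5140 and share_basename(ev.get("ShareName", "")) in ADMIN_SHARES:
            kept.append(ev)
    return kept


def detect(lines):
    """{source_ip: {"targets": [...], "users": [...], "severity": ...}} for
    admin-share access from outside the jump-host allow-list."""
    by_src = defaultdict(list)
    for ev in admin_share_events(lines):
        if ev["IpAddress"] in JUMP_HOSTS:
            continue
        by_src[ev["IpAddress"]].append((ev["TimeCreated"], ev["Computer"], ev["SubjectUserName"]))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        targets = sorted({computer for _, computer, _ in rows})
        span = rows[-1][0] - rows[0][0]
        fanout = len(targets) >= FANOUT_THRESHOLD and span <= WINDOW_S
        findings[src] = {
            "targets": targets,
            "users": sorted({user for _, _, user in rows}),
            "severity": "high" if fanout else "medium",
        }
    return findings


def _event(t, computer, user, ip, share, event_id=5140):
    """Build one constructed event line in the JSON shape the detector expects."""
    return json.dumps({"EventID": event_id, "TimeCreated": t, "Computer": computer,
                       "SubjectUserName": user, "IpAddress": ip, "ShareName": share})


# Constructed sample log: TimeCreated is epoch seconds for brevity.
SAMPLE_EVENTS = [
    _event(1000, "SRV01", "admin1", "10.0.5.10", "\\\\*\\C$"),        # sanctioned jump host
    _event(1100, "WS03", "jdoe", "10.0.8.22", "\\\\*\\C$"),
    _event(1160, "WS04", "jdoe", "10.0.8.22", "\\\\*\\ADMIN$"),
    _event(1250, "SRV02", "jdoe", "10.0.8.22", "\\\\*\\C$"),
    _event(1300, "SRV02", "jdoe", "10.0.8.22", "\\\\*\\Public"),      # ordinary share
    _event(1400, "SRV01", "svc_backup", "10.0.8.40", "\\\\*\\C$"),
    _event(1500, "SRV01", "jdoe", "10.0.8.22", "", event_id=4624),    # logon event, not 5140
]

if __name__ == "__main__":
    for src, f in detect(SAMPLE_EVENTS).items():
        print(f"{src:12} {f['severity']:6} {','.join(f['users'])} -> {','.join(f['targets'])}")
```

Event 5140 is only written when "Audit File Share" is enabled in the advanced audit policy, so confirm the events are actually being collected before relying on this rule; the jump-host list is what keeps routine administration out of the alert queue.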

Threat Report Monday June 11th 2018

Stephen Coty on June 11, 2018


In this week’s report we are covering two threats. The first is Triton, malware built to attack the safety controllers in ICS deployments. The other is a banking trojan that stealthily uses MSSQL database traffic as its command channel.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, came to light after an August 2017 incident in which a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. It exploited a zero-day vulnerability affecting older versions of the product, and its TriStation communication code was built from a legitimate .dll file. For more information there are a few links below:

Links:

Security Week

Dark reading

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious phishing or targeted email campaigns
  • File Integrity Management looking for the installation of malicious software such as Remote Access Trojans (RATs) used to gain and keep access
  • Intrusion detection systems (IDS) on the control network, which would see TriStation traffic to the safety controllers from hosts that have no business programming them
  • Restricting USB ports on equipment connected to the ICS network
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from the IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses a Microsoft SQL Server as its command and control (C&C) channel: the bot reads its configuration and commands from the database, so traffic to the C&C looks like ordinary SQL client traffic. That blends in with regular database activity and evades controls tuned for the usual web-based C&C communication. Researchers also indicate that it may be the work of a seasoned developer. MnuBot runs a two-stage attack: first it checks whether the system is already infected, then it deploys the full remote access trojan (RAT).

Links:

Security Intelligence

Pastebin

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication and downloads over port 5003, and more generally for SQL Server (TDS) client connections from user workstations to Internet hosts on any port
  • File Integrity Management looking for new registry keys being created and for access to existing ones
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Wednesday June 5th 2018

Stephen Coty on June 5, 2018


In this week’s report we are covering two threats. One is a recent Microsoft Windows JScript vulnerability that has yet to be patched, and the other is NavRAT, a remote access trojan delivered with decoys themed around the upcoming US and North Korea summit.

Malware: Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

A new zero-day remote code execution vulnerability has been discovered in Microsoft Windows JScript that allows an attacker to run arbitrary code on vulnerable installations of Microsoft Windows. As the disclosure puts it: “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” In practice the attacker has to trick the victim into visiting a malicious web page, or into downloading and opening a malicious .js file on the system. As of June 1st no patch has been released, so up-to-date detection content is key until one is.

Links:

Threat Post
Security Boulevard

Some Mitigation Strategies:
  • File Integrity Management solutions for file creation and modification
  • Intrusion detection systems (IDS) to monitor for malicious communication and downloads
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection
  • Web Filtration technologies to screen incoming web sites
  • Mail Filtration to capture potential files attached to phishing emails

Malware: NavRAT Malware Uncovered by Security Researchers

Security researchers at Talos Intelligence have recently uncovered NavRAT, a remote access trojan that has reportedly been quietly active since 2016. NavRAT is distributed through a malicious, decoy Hangul Word Processor (HWP) document named “미북 정상회담 전망 및 대비.hwp”, which translates to “Prospects for US-North Korea Summit.hwp”. The decoy document appears to be referring to the US-North Korea Summit scheduled for June 12, 2018. Known targets reside in South Korea. Researchers note that NavRAT is unique in that it uses Naver, an email platform popular in South Korea, as its command and control (C&C) server. NavRAT can reportedly download, upload, and execute commands, perform keylogging, and avoid detection through process injection, copying itself into an active Internet Explorer process. Researchers assess with a medium degree of confidence that North Korean APT Group 123 threat actor is behind the operation due to the techniques and procedures being of similar nature to those used in previous campaigns.

Links:

Dark Reading
Talos Intelligence

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious phishing or targeted email campaigns
  • File Integrity Management looking for the installation of malicious software like keyloggers
  • Intrusion detection systems (IDS) would detect intrusion and network communication
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Release Notes for May 18, 2018

May 18, 2018


New
Login and Signup flows have received a facelift and refactoring, to go along with OUR NEW PUBLIC WEBSITE!
New
The punch++ community configuration has been given an additional + and is working once more
New
Pagination and search added to login history views, because some people log in a lot
New
Alert indicator detail and Perchybana buttons now open in new tabs, instead of the current tab. Now feel like a real security pro by having 50 tabs open at once!
New
New alerts list is in beta - we’re trialling it internally with our own SOC team to make sure it has all the bells and whistles that our power users will need to triage their own alerts!
New
Cortex integration is in beta - the moving parts are mostly in place and we’re working out the details about how to handle user configurable settings and API keys. We’re very excited about the potential between a Perch/Cortex integration and have all kinds of cool ideas how to work it into the Perch app, stay tuned!
New
Community sightings public API is in beta - currently testing with some select internal customers!
New
User submission of raw sensor rules is in early functional stages - we have the functional parts in place, but there are some wrinkles we need to iron out before we release to the general public.
Bugfix
The group invite process has had a couple of minor bugs fixed that were preventing some users from using their invite codes.
Bugfix
Invites to existing teams no longer prompt the new user to set up a sensor before using Perch.
Bugfix
Existing Perch users that are already logged into Perch can now use the group invite link from the email
Bugfix
Community suppression view all page rows per page now actually changes the number of rows shown per page.
Bugfix
Group invite modal now clears invite email addresses between openings
Bugfix
The cancel button on the MFA entry page during login works once more
Bugfix
Community file lists now correctly update when switching between communities
Bugfix
Copy to clipboard buttons should no longer force the page to scroll to the top
Bugfix
Login (and other pages) should no longer do the shimmy dance with scrollbars on Windows Chrome
Bugfix
Users on slow connections with access to multiple groups should no longer see weirdness when rapidly switching between groups.
Bugfix
Not officially supported, but we fixed an IE11 white screen error for the dashboard. If you’re using old versions of IE, upgrade!!! Old browsers aren’t secure, don’t use them; we’re security professionals, this is low hanging fruit!

Release Notes For April 20, 2018

April 20, 2018


New
Alerts review first pass: We’re days away from releasing the first part of our alert review project. Most alert panels are being streamlined and we’re introducing the alert details page. This page is similar to the indicator details page, but shows enhanced details about the selected alert instead. The information we’re removing from the alert rows will show up on the new details page, along with additional information about the alert, and details about the intel that triggered the alert.
  • More coming soon:
    • Related alerts - a full breakdown of all of the individual target pairs involved in an aggregate alert.
    • Alert comments - put comments directly on a specific alert instance, instead of on the intel the alert triggered on
    • Additional enrichment - we want to show you more information about the details involved in the alerts
    • After coming soon, next phase:
    • Alert Review page enhancements:
    • multi-select: change status, suppress
    • performance! much, much faster
    • better search, sorting, filtering

Bugfix
Re-opening the ‘Invite user to group’ modal now clears the invite email field.

Bugfix
Dashboard sensor health widgets now use the same rules for status as the other sensor health displays and pages.
Bugfix
We had a performance issue with the generation of the Perchybana links from suppressions, so we had to disable them. We’ve fixed that issue and the links have returned.

Bugfix
On the indicator details page, in the observable panel on the left, observables that are currently triggering alerts will once more be highlighted (and there was much rejoicing, huzzah!)

Note
(In Development) Perchy’s hard at work improving his brain - we’re adding support for TheHive’s powerful Cortex analyzers as part of our alert detail enrichment efforts. There are all kinds of valuable ways to analyze the alerts that we’re detecting, and we want to bring them all together in one easy to use interface. We’re experimenting with adding Cortex analyzer details to the information that you see in the Perch interface. Open up an interesting alert’s details, flip to the Analyze tab, and we’ll have the info you’d normally have to go digging for right there in front of you. Kick back, drink coffee, enjoy the sweet, sweet automation.

Note
Perchy is recently back from down under where he’s been setting up our first non-US regional data center. We’re working through the final stages of configuring our systems to handle the data sovereignty needs of our worldwide customers. Soon you can get flocked up, no matter where in the world you are!

Note
Data migration work - it’s not sexy, the guys who do it don’t have any cool new widgets to demo, but it’s gotta get done. We’re continuing our work on internal projects to keep the Perch architecture and data flow well tuned so that the app and Perchybana stay responsive and don’t feel like a chore to use. We’re watching the charts, we see what parts of the app are sluggish, and we’re working on them!

Release Notes For April 6, 2018

April 6, 2018


New
Initial changes for Alert review (on QA) -
  • alert rows shown in panels condensed
  • new alert details page - see more information about what triggered the alert

New
Header update - new navigation, new look.

New
New user onboarding experience, tour replacement.
New
Added reverse DNS names to alert IP addresses, where available.
Bugfix
Arbitrated a disagreement between the actual number of alerts and the number shown on the tab of the review alerts page.
Bugfix
Clicking the link from a Perch team invite email will now pre-populate the email address field, to ensure that the email address used to sign up matches the email address that the invite was sent to.

Bugfix
Team invite emails are no longer quite so particular about the letter case of the email address matching.

Bugfix
Dashboard true/false positive by community charts were displaying data for all groups in shared communities, they now show just the selected team’s data.
Note
We’ve recently upgraded our core front-end application framework React to version 16. This is a major version update which affected every part of the Perch application, we’ve tested and tested, but if you discover something broken, please let us know!

Release Notes For March 23, 2018

March 23, 2018


New
Perchy has a new place for YOU to land: the new dashboard is live and it is awesome! We want you to have the most valuable info possible dropped right in your lap right away; Perchy prepares it all and brings it right to you, like a faithful hound with the morning paper. Escalations, recent alerts, and suppression information is near the top, scroll down to see info about your communities, your sensors, and get some insight into overall network visibility and ‘noisy’ hosts.

New
‘Since You’ve Been Gone’: you might not miss Perchy while you’re away, but we don’t want you to miss out on the important details about what’s been happening since you’ve been gone. Every time you log in, you’ll be presented with a quick overview of important activity that happened while you were logged out: escalations, alerts closed, comments, new intel, and sightings of your personal indicators. You won’t need to manually log out to take advantage of this new information, just close the Perch app when you’re done using it.

New
We’re adding reverse DNS name information to our alerts, so that it’s easier to relate a private IP to a named host. Look for this new information in the ‘src_FQDN’ and ‘dest_FQDN’ fields on alerts in Perchybana. In the future, we’ll be incorporating this new data into more elements of the UI, for easier identification everywhere.

Bugfix
Snackbar/toast notifications (the little panels that pop up from the bottom of the window) message color should now be easier to read.

Bugfix
Returned the ‘Select All’ button to its rightful place on the community feed selection modal - no one likes having to click those boxes one by one.

Note
As usual, there’s a bunch of tweaks and performance tuning that we’re doing to keep the app snappy and responsive. If you run into something that’s loading slowly for you, or feels like a chore to use, LET US KNOW! We love the feedback and we’re always on the look out to hear it directly from our users!

Release Notes For March 09, 2018

March 9, 2018


New
New Dashboard: Incorporates feedback that we’ve collected from our users and should put more relevant information directly in front of you as soon as you log in. You can get a preview of the new dashboard here: https://app.perchsecurity.com/dashboard-next (Still a work in progress and you can expect to see more updates in the days to come.)

New
IP suppressions can now be applied to multiple IPs at once. This will create a separate suppression per IP, just as if you’d manually created them one by one.

New
Observable dashboard panels now have a toggle between top 5 and bottom 5.
New
Alert status changes added to indicator detail history tab.
Bugfix
Fixed a bug with the CSV download of community suppressions, CSV should now contain just the data for the current filter settings.
Bugfix
Fixed a significant performance issue in the community suppressions panel, should load much, much faster now.
Bugfix
More minor UI fixes here and there, sorted some lists to make selection easier.
Bugfix
Observable dashboard SSH and SMTP tabs now return all data.
Note
Community latest suppressions now visible to all users, not just community admins.
Note
Internal changes to support more types of external data sources and more use cases for community data sharing.
Note
We’re working on improving our support for MSSPs, allowing users from one group to manage other groups, without actually having to be a member of the group.

Release Notes For February 23, 2018

February 23, 2018


New
We’ve added a new section to the Community Dashboard: anonymized, latest true/false positive detections for members of the community. Now you get a better view of what everyone in your community is seeing and how they’re responding. As a bonus, we’ve made the lists available as a CSV download!

New
On the suppression modals, we’ve moved the contact information to the main view and removed the tabs. This helps make sure our SOC has the info they need to triage your alerts right in front of them when they’re preparing a suppression.

New
Groups on the alerts by host page now start off collapsed
New
Perchybana links slightly adjusted to show more relevant HTTP fields by default
New
We’re adding the raw Emerging Threats (and Pro) Suricata rule to the indicator detail page
Bugfix
Sign up adjusted so that browser password managers don’t try to use your Last Name as your user name
Bugfix
Fixed the comment visibility drop list UI issues and missing descriptions
Bugfix
We’ve crushed a multitude of little bugs that cropped up during our recent UI library upgrade and while polishing up the new observable detail view. Too many to list here, but if you find something we missed, LET US KNOW and we’ll fix it!
Note
Major UI library upgrade: keeping your tech stack up to date is important to continue to develop features using the latest tools and security fixes, and as a security company, that’s especially important to us. We’ve recently focused on upgrading some of our core application libraries to keep things running smoothly and securely.

Note
We’re in the middle of a pretty major intel storage refactoring that should enable us to see some real performance gains, especially for our larger customers and our SOC. It’s still a couple weeks away from being finished, but we’re already excited about the new hotness that it will allow us to build.

Note
Coming soon: XFF on alerts, multi-IP selection for IP suppressions, show all targets on closed alerts, new dashboard, and more!

Release Notes For February 09, 2018

February 9, 2018


New
Observables Dashboard internal release and testing - we’ve wrapped up development and now we’re putting it through the wringer to make sure that everything works and looks great with our production data. There are still a few small tweaks and adjustments to be made, but it’s really close and the details it exposes are just … wow! We can’t wait to show it to you.

New
Better internal intel curation tools that automatically trim out the obvious stuff to keep the response time better for everyone.

Bugfix
Bits and bobs here and there, mostly on things no one sees directly.

Note
Library updates - we routinely update all of the external code that we use to make sure that everything is staying modern and secure. Recently, some of the core libraries used to make Perch awesome have had major version releases and we’re making sure Perch gets updated with all the performance and security benefits as well.

Note
UI cleanup effort - we’re big proponents of agility here and we frequently favor getting a working feature out over making the experience perfect. We’re taking some time to clean up some of those rough edges and starting a larger scale effort to make the functionality and tools that are core to Perch even better.

Note
Intel Data Refactoring - We’ve learned a lot of things about how the data we have is used and we’re working through some data restructuring to be able to give our users better and faster access to the information they need to make the best decisions.

Release Notes For January 26, 2018

January 26, 2018


New
Scope (w/ IP) added to the suppression list on the indicator detail page

New
Link added from user indicators to group indicators (if you’re the admin or owner of a group) and vice versa

Bugfix
Suppression groups on the indicator detail page are now listed alphabetically, instead of randomly. (Apologies to any SOC who will miss playing ‘Find the Group Name.’)

React in Outlook? How we built the Weekly Indicators Summary

Charles Burgess on January 24, 2018


Email has always lagged behind the browser in terms of features and capabilities. While in the latest version of Chrome or Firefox you can play console-quality games, make music, and share your screen, email is a very different story. Getting a layout to look consistent across devices or sharing the joy of an animated GIF are things we take for granted on the web, but can be frustrating to deliver to your inbox.

Weekly Summary emails

If you use Perch, you’ve probably gotten one of our new Weekly Summary emails by now. For everyone else, they look a little something like this. Our emails have always had a lot of information, but as our customers have had more sightings, alerts, and intel, it can start to feel overwhelming. Chances are pretty good your inbox doesn’t need any heft added to it, so when redesigning the Weekly Summary we wanted to help our customers get as much insight as they could with as succinct an email as possible. By highlighting trends and counts in colorful charts at the top of the email, we think the Weekly Summary gives you more actionable information faster than ever before.

Testing the limits of email

Those charts are a key part of the new design, but charting in email has been avoided by many a dev team. There are some “hacks” you can do to sprinkle some data-viz magic into your emails, but often they aren’t pretty or scalable.

If you have a single chart to send (and time on your hands), you could try making a static copy of the chart in a design program like Sketch or Photoshop and saving it as an image to include in the email. But with a flock of customers and billions of data points that change by the minute, that won’t work here.

In previous Perch emails we created simple bar charts with CSS, but every email client has slightly different support and the code gets messy fast. No one wants to maintain a Rube Goldberg machine, especially one made of CSS.

With the Perch product, we use React and Recharts to create beautiful, reusable charts with live data for each customer. We can’t use this approach in our emails though, because most email programs will not allow us to execute JavaScript. This means no React, no Recharts, and no real-time chart goodness.

Leaning on the community

Our dev team did some head-scratching, white-boarding, and forum-surfing before we found repng. Repng is a JavaScript library that allows you to convert any React component (like a LineChart from Recharts) into a PNG. So now we can reuse the same charts we know and love from Perch in our emails with just a dash of CLI magic. Running the process on a Node.js micro-service, we can easily pass all the data we need for the Weekly Summary to the chart-to-png service, generate the email-friendly graphic, and send the email out the door with 100% more visual goodness.

Show me teh codez

Want to add some charts to your emails? Here’s a quick starter that will get you going in the right direction.

Start by grabbing node and npm if you don’t have them already.

We need to install all of our dependencies first:

npm install react react-dom recharts repng express body-parser

Then we can set up our Express server to listen for incoming data:

const bodyParser = require('body-parser');
const express = require('express');
const React = require('react');
// Every recharts component used below has to be imported, not just LineChart
const { CartesianGrid, Line, LineChart, XAxis, YAxis } = require('recharts');
const repng = require('repng');

const app = express();
const port = 8080;

// Add middleware for reading JSON bodies
app.use(bodyParser.json());

// <LineChart width={500} height={300} data={data}> ... </LineChart>
// This is the JSX you may be more familiar with,
// but for the sake of not dragging babel into this
// we will use the "vanilla JS" flavor of react in this snippet.

// Note: "data" should be an array of objects that have an:
// amt: Number | name: String | pv: Number | uv: Number

const chart = props => 
  React.createElement(
    LineChart,
    { data: props.data, height: props.height, width: props.width },
    React.createElement(XAxis, { dataKey: "name" }),
    React.createElement(YAxis, null),
    React.createElement(CartesianGrid, { stroke: "#eee", strokeDasharray: "5 5" }),
    React.createElement(Line, { type: "monotone", dataKey: "uv", stroke: "#8884d8" }),
    React.createElement(Line, { type: "monotone", dataKey: "pv", stroke: "#82ca9d" })
  );

// Add routes
app.post('/convert-chart-to-png', (req, res) => {
  repng(chart, {
    width: req.body.width,
    height: req.body.height,
    props: req.body
  })
  .then(streams => {
    const [ pngData ] = streams;
    pngData.pipe(res);
  });
});

// Start the server
app.listen(port, () => console.log(`Running on port ${port}`));

In your terminal of choice, cd your way to the project folder and run node index.js (or whatever you named your file) and your server should echo “Running on port 8080”.

Now you can POST some chart data to localhost:8080/convert-chart-to-png and get base64 image data in the response!

Obviously this code is not production-ready, but hopefully it can inspire you to do something cool with React and repng - it doesn’t even have to be a chart. You could just as easily pass any React component, so why limit yourself?
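As an added example (not code from the original post), here is one step towards making that endpoint production-ready: the route hands req.body straight to repng, so a malformed request only surfaces as a failed render. Validating the body against the shape the chart expects (name: String, amt/pv/uv: Number) lets the route answer with a 400 and a reason instead; the MAX_WIDTH, MAX_HEIGHT, MAX_POINTS and 64-character name limits are assumed values chosen for this example, not anything repng defines.

```javascript
// Added example, not code from the original post: a validator for the body
// POSTed to /convert-chart-to-png. The limits below are assumptions for this
// example, not values from the post or from repng.
const MAX_WIDTH = 2000;
const MAX_HEIGHT = 2000;
const MAX_POINTS = 500;
const MAX_NAME_LENGTH = 64;
const NUMERIC_KEYS = ['amt', 'pv', 'uv'];

// A dimension must be a positive integer no larger than `max`.
function checkDimension(field, value, max, errors) {
  if (!Number.isInteger(value) || value <= 0 || value > max) {
    errors.push(`${field} must be an integer between 1 and ${max}`);
  }
}

// Validate one data point and return a copy holding only the keys the chart
// reads, so unexpected properties never reach the renderer.
function checkPoint(point, index, errors) {
  if (point === null || typeof point !== 'object' || Array.isArray(point)) {
    errors.push(`data[${index}] must be an object`);
    return null;
  }
  const clean = {};
  if (typeof point.name !== 'string' || point.name.length === 0 || point.name.length > MAX_NAME_LENGTH) {
    errors.push(`data[${index}].name must be a non-empty string of at most ${MAX_NAME_LENGTH} characters`);
  } else {
    clean.name = point.name;
  }
  for (const key of NUMERIC_KEYS) {
    if (typeof point[key] !== 'number' || !Number.isFinite(point[key])) {
      errors.push(`data[${index}].${key} must be a finite number`);
    } else {
      clean[key] = point[key];
    }
  }
  return clean;
}

// Validate a whole request body. Returns { ok: true, value } with a sanitized
// copy to pass to repng, or { ok: false, errors } listing every problem found.
function validateChartRequest(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  checkDimension('width', body.width, MAX_WIDTH, errors);
  checkDimension('height', body.height, MAX_HEIGHT, errors);
  let data = [];
  if (!Array.isArray(body.data) || body.data.length === 0) {
    errors.push('data must be a non-empty array');
  } else if (body.data.length > MAX_POINTS) {
    errors.push(`data must contain at most ${MAX_POINTS} points`);
  } else {
    data = body.data.map((point, i) => checkPoint(point, i, errors));
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { width: body.width, height: body.height, data } };
}

// Wiring it into the route from the post, rendering the validated copy rather
// than req.body:
//   app.post('/convert-chart-to-png', (req, res) => {
//     const check = validateChartRequest(req.body);
//     if (!check.ok) return res.status(400).json({ errors: check.errors });
//     repng(chart, { width: check.value.width, height: check.value.height, props: check.value })
//       .then(([pngData]) => pngData.pipe(res));
//   });
```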

Wrapping up

We hope to use this technique to bring more of what our customers love about the Perch web app directly to their inbox.

You know what they say: an image is worth a thousand words, but a chart is worth a billion data points - or something like that.

Supercharge your SOC: 3 security playbook ideas with the Perch API

Wes Spencer on January 21, 2018


Security automation is all the rage these days, and for good reason. Repetitive, time-consuming tasks are not only a resource drain, but they can cause rather significant security gaps as well. These manual and repetitive tasks are prone to analyst error and carelessness but are also monotonous drudgery that can leave quality talent looking for more interesting jobs.

For most CISOs, turning to security automation and orchestration through the use of playbooks is increasingly seen as a step in the right direction. Automation is a powerful strategy that not only eliminates repetitive tasks but can also uncover threats and other issues that no human would have the time to discover manually.

In conversations with our customers, we’re seeing some innovative ideas being discussed. We’re really excited to see our customers leveraging the new Perch API into their automation and orchestration playbooks, due to the depth of community intel we have available. In this article, I wanted to highlight a few ideas to spark your imagination.

Backtesting IoC’s for Deeper Threat Correlation

Security shouldn’t operate in silos any longer. Unfortunately for many organizations, making decisions about threats based upon what others in their threat community are seeing is difficult if not impossible.

However with the power of Perch’s community data, the opportunities are boundless for integration of Perch into a security playbook. Let me illustrate just one single example. Imagine your organization receives an email from an unknown sender. You could build out a playbook that integrates Perch (among other tools!) into a set of actions.

Using the Perch API, a simple query could be made to determine the reputation of the sending IP in the email header. Data can quickly be extracted into metrics such as:

  • Has this IP been reported by other security sharing communities before?
  • How recently has this IP been reported as potentially malicious?
  • Who else has seen this IP? Does it appear to be targeting a specific industry?
  • How many different indicators have been published that contain this IP?

Hopefully by now I have you salivating at the mouth at the potential opportunities afforded by leveraging the Perch API into your playbooks. The results of this deep community data can be used to build out risk scores, response thresholds, and automated actions such as rule blocks and spam tags.
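The “unknown sender” playbook step above, as an added example that is not part of the original article and does not use the Perch API client: it pulls the connecting IP out of the message’s Received: headers, answers the four questions from a set of intel records, and turns the answers into a score and an action. The record shape { observable, community, industry, reportedAt }, the weights and the thresholds are assumptions for this example, and the sample headers and intel records are constructed (TEST-NET addresses, made-up community names).

```javascript
// Added example (not the Perch API client): email-header reputation step of a
// playbook. Record shape, weights and thresholds are assumptions for this example.

// Unfold RFC 5322 folded header lines (continuations start with whitespace).
function unfoldHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);
}

// Return the IPv4 address of the earliest hop, or null. Each relay prepends its
// own Received: header, so the last one in the block is the first hop and is
// the one that names the sender's connecting address.
function originatingIp(rawHeaders) {
  const received = unfoldHeaders(rawHeaders).filter(l => /^Received:/i.test(l));
  if (received.length === 0) return null;
  const firstHop = received[received.length - 1];
  const m = firstHop.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/);
  return m ? m[1] : null;
}

// Answer the four playbook questions for one IP. `now` is epoch milliseconds.
function ipReputation(ip, records, now) {
  const hits = records.filter(r => r.observable === ip);
  const newest = hits.reduce((t, r) => Math.max(t, Date.parse(r.reportedAt)), -Infinity);
  return {
    reported: hits.length > 0,                                                        // reported before?
    daysSinceLastReport: hits.length ? Math.floor((now - newest) / 86400000) : null,  // how recently?
    communities: [...new Set(hits.map(r => r.community))].sort(),                     // who else has seen it?
    industries: [...new Set(hits.map(r => r.industry))].sort(),                       // targeting an industry?
    indicatorCount: hits.length,                                                      // how many indicators?
  };
}

// Map the metrics to a coarse risk score and a playbook action. The weights and
// thresholds are illustrative assumptions, not a recommended scoring scheme.
function decide(rep, ownIndustry) {
  let score = 0;
  if (rep.reported) score += 40;
  if (rep.daysSinceLastReport !== null && rep.daysSinceLastReport <= 30) score += 30;
  if (rep.industries.includes(ownIndustry)) score += 20;
  score += Math.min(rep.indicatorCount, 5) * 2;
  const action = score >= 70 ? 'block-and-alert' : score >= 40 ? 'tag-as-spam' : 'deliver';
  return { score, action };
}

// Run the whole step for one message: extract, look up, score, decide.
function runPlaybook(rawHeaders, records, now, ownIndustry) {
  const ip = originatingIp(rawHeaders);
  if (ip === null) return { ip: null, action: 'manual-review', reason: 'no Received: IP found' };
  const reputation = ipReputation(ip, records, now);
  return { ip, reputation, ...decide(reputation, ownIndustry) };
}

// Constructed sample input: a two-hop header block and three intel records.
const SAMPLE_HEADERS = [
  'Received: from mx.example.internal (mx.example.internal [10.0.0.5])',
  '\tby mail.example.internal with ESMTP id abc123;',
  '\tSun, 21 Jan 2018 08:00:00 -0500',
  'Received: from bulk-sender.example.net (unknown [203.0.113.45])',
  '\tby mx.example.internal with ESMTP; Sun, 21 Jan 2018 07:59:58 -0500',
  'From: "Unknown Sender" <noreply@example.net>',
  'Subject: Invoice attached',
].join('\r\n');

const SAMPLE_INTEL = [
  { observable: '203.0.113.45', community: 'community-a', industry: 'finance', reportedAt: '2018-01-18T09:00:00Z' },
  { observable: '203.0.113.45', community: 'community-b', industry: 'healthcare', reportedAt: '2017-11-02T14:30:00Z' },
  { observable: '198.51.100.7', community: 'community-a', industry: 'finance', reportedAt: '2018-01-10T00:00:00Z' },
];

const NOW = Date.parse('2018-01-21T00:00:00Z');

console.log(JSON.stringify(runPlaybook(SAMPLE_HEADERS, SAMPLE_INTEL, NOW, 'finance'), null, 2));
```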

Automate the SOC Workflow

Any CISO worth their salt will tell you they prefer to leverage best of breed security tools as part of an overall security posture. Typically, however, this advantage comes with an agonizing tradeoff. Multiple tools must be individually managed and correlation and integration of data and alerts between tools is a complex challenge.

Perch was created by former security practitioners. We know firsthand that these are challenges Perch should help solve, not contribute to making worse. The Perch API can easily integrate into incident response (IR) systems to enrich its data and fill in gaps with Perch’s threat intelligence. It can help IR be orchestrated from a single unified platform, reducing analyst workload and correlation time.

Indicator Sharing: From Consumer to Producer

At any ISAC or ISAO conference, you’ll hear pleas for organizations of all sizes to begin the process of going from simply consuming threat intel to producing it. We are all in this fight together. When one organization shares intel about a threat they are seeing, countless other organizations may benefit from that intel as well.

While the philosophy is easy to explain, we’ve noticed the most significant challenge to being a producer of threat intel is committing to the time required. This is an element that can easily be automated by the Perch API.

Imagine an end user at your organization visits a compromised website that redirects web traffic to a known malicious host. However, because the website was recently compromised, there is no threat intel about the website itself, but only from the malware redirection. A security playbook could easily be written that uses the Perch API to publish a new indicator to your trusted threat sharing community (ISAC or ISAO) at nearly the same time the attack was detected or blocked. Being able to shut down an attack higher up the kill chain can be an effective way to shift pain back onto the bad guy by disrupting his attack infrastructure and give others an early warning against the threat.

Conclusion

These three ideas are just a few of the many new and innovative ideas that have come up in discussions with our customers. To be sure, many more will continue to flow out of these playbooks. What about you? What ideas do you have about leveraging Perch among your other tools and playbooks for security automation and orchestration? I want to hear from you!

Release Notes For January 12, 2018

January 12, 2018


New
App-based Two-Factor Authentication: We’ve added mobile app-based (TOTP) TFA to Perch. Additionally, we’ve improved the experience for changing your credentials and moved it all to a new Account Security page. App-based TFA is really, really easy to set up and adds an additional, strong layer of security to your account.

New
We want to keep the suppression lists focused on the suppressions specific to your group, so we’ve removed global and community suppressions from the dashboard Recent Suppressions panel and have made their display optional (and off by default) on the Alert Suppression management page.

New
Added ‘workstation’ HTTP/TLS traffic tracking to sensor health. We periodically check recent traffic for domains commonly frequented by workstation users (things like Facebook, LinkedIn, news sites, etc). If we’re not seeing this kind of traffic regularly, it’s an additional sign that your sensor may not be configured to capture all of your traffic or there may be other networking issues preventing you from getting full value from your Perch sensor.

Bugfix
Fixed a missing ’s’ in the firewall dynamic list notes on the Firewall management page

Bugfix
Community dashboard main ‘suppression’ graph data is more accurate. We’ve reworked how that data is shaped and fixed this graph to show the actual, discrete counts.

Note
COMING SOON – MOGA: our internal code name for Search 2.0. It takes any search term and sifts through everything Perch knows for matches: indicators, observables, sensor traffic, etc. Each type of data has its own set of metrics and graphs, showing important metrics as they relate to your search term.

Note
IN PROGRESS: additional intel platform integrations.

Release Notes For December 29, 2017

December 29, 2017


New
User-created indicator summary emails - you put a lot of work into getting your intel into Perch and we want you to see it getting used! These emails, sent once a week, show any activity that your intel has had.

New
We’ve released our first open-source code: a command-line interface tool that allows you to bulk-upload indicators from a CSV file. Now you can create intel from home, just like the pros. View it here

Bugfix
File observables should show all hashes instead of just the MD5 hash

Bugfix
Indicator detail ‘details’ should load more quickly
Bugfix
New comments no longer always show the ‘There was an error posting your comment’ notification
  • Comments were posted, but the client was encountering an error merging the new comment into the list for display. No comments were lost.

Bugfix
Minor fixes and tweaks to the public API

Note
Coming soon: improvements to account security
  • Change password and two-factor authentication moving to a dedicated page for easier access
  • Require current password when making any account security changes
  • Support for app-based (e.g. Authy, Google Authenticator) two-factor authentication
  • Increased complexity requirements for new passwords: in addition to our current requirements, passwords will be checked against common password lists, sequences of sequential or repeated characters, and common words.

Visa and Perch Security Partner to bring Visa Threat Intelligence to SMB merchants

Wes Spencer on December 12, 2017


Perch has teamed up with Visa in a technology partnership with Perch Security’s Community Defense Platform to expand the reach of Visa Threat Intelligence (VTI) to a broad base of merchants.

Check out the full article here.

Release Notes For December 01, 2017

December 1, 2017


New
Group owners & admins: if you leave a community, all open alerts for that community will now be removed. A warning message to this effect has been added to the ‘Leave Community’ confirmation check.

New
Added scope and reason detail to suppressions display

Bugfix
Dashboard alert panel was trying to load 100 alerts, but only needs to show three - it should load much faster now.

Bugfix
Indicator history tabs - cleaned up display a bit and added missing loading spinners

Note
We’re close to releasing the changes to the public API for Perch alerts and bulk intel creation. We want it to be well documented and usable on release, we’re hoping you’ll think it was worth the wait!

Note
Our work on an internal CSV intel format and loading tool is finished and we’re working with a couple of customers to iterate on it before we release to everyone.

Release Notes For November 20, 2017

November 20, 2017


New
Alert History - alerts come in, get triaged, and closed - then you never see them again… until now! We’ve added a new tab on the Alert Review page where you can review all of your closed alerts. You’ll see additional information about the suppression that closed the alert and can jump to the indicator detail page.

New
Public API improvements: create bulk intel, list alerts, documentation, Python client library. We want people using and sharing our data, we’re listening closely to our users’ requests and are working on providing a simple, clear way to interact with Perch via API.

New
Minor improvement to Search so that it includes indicators that contain observables that contain the search term, instead of just searching the body of the indicator.

Bugfix
Application tour should now skip admin-only steps for non-admin users.

Bugfix
Clicking the comment delete button should now actually delete the comment.
Bugfix
Indicator history event ordering makes more sense now - we have to load the indicator before we can detect on it.
Bugfix
Alerts by Host - columns scroll independently, so that picking a host far down the list doesn’t require you to scroll all the way back to the top to see the alerts for that host.

Note
We’re working on a CSV format and Python tool to bulk load intel into Perch

Release Notes For November 10, 2017

November 10, 2017


New
Login History now shows country flag with tooltip next to the IP address - Hey, wait a minute, when did Sally move to China?!?
New
Added company name to sensor health page - it’s not always easy to remember that ‘angry_carrot’ belongs to Acme Bank & Trust.
New
(Very Soon) Indicator detail history - shows a timeline of an indicator’s history, when the intel was produced, when it was first sighted in Perch, and when your group has alerted on and suppressed the indicator. Like a social media timeline, but with less propaganda and more threat intel.

Bugfix
Suppressions that would close multiple alerts now remove all of the affected alerts from the UI, instead of just the alert that the suppression was created from (affects Community/Global suppressions)

Bugfix
Improved (but not completely fixed) the indicator detail page ‘produced’ and ‘first/last sightings’ timestamps having no values.
Bugfix
‘Content’ type observables now display a CSV list of content values instead of an empty value
Bugfix
Community Dashboard latest indicators was not showing the last page of the available indicators
Bugfix
Status update emails now show the name of the user that made the status change instead of always showing it was from Perch SOC.
Note
Indicator detail tabs re-ordered - supplies were running low
Note
We’re making adjustments to remove many of the scrolling panels on some of the pages. This should result in a more natural scrolling experience and improved scrolling navigation throughout the app.

Release Notes For October 20, 2017

October 20, 2017


New
Group users can change status on events, just like SOC - you can now change the status on an event by using a selector where the status appears
  • Remember: when you’re on the alert review page, alerts are grouped per-tab by status. Changing the status on an alert there will automatically move it to the appropriate tab; it’s not gone, just moved to a different tab.

New
Email notifications when someone first sights indicators you create!
  • Only sent the first time the intel is sighted.
  • If you’d prefer not to receive these notifications, you can turn them off in your user profile settings.
  • Periodic email reports about intel you’ve created is coming soon.

New
Indicator detail design pass
  • New graphs
  • Faster loading
  • More coming soon!

Bugfix
Removed SOC logins from team login history - they log in a LOT and it clutters up the view for actual group members

Bugfix
Assorted minor tweaks and fixes

Note
Community Dashboard recent indicators load much faster
Note
Improvements to rule creation monitoring and diagnostics

Release Notes For October 06, 2017

October 6, 2017


New
Palo Alto Firewall AddOn - Found a bad actor with Perch? Want to also block it on your firewall? Just check a box while you’re remediating and Perch will send it to the firewall for you.
  • Manage (including manually adding) firewall blocking through Perch admin panels

New
Perch.help - Having trouble getting around Perch town? We’ve launched a new site to bring together all the best tips and tricks for getting the most out of Perch. Have a topic not covered on the site that you’d love to know more about? Let us know.

New
(Very soon) User login history - Group admins have a menu item to see the login history for the team’s members; users have a new tab on their profile page to see their own login history.

Bugfix
Subnet tags are now displayed on public IPs
Bugfix
Community Dashboard - community files panel now updates correctly when you switch communities; this was purely a visual bug, no files were shared between communities.
Bugfix
Community Dashboard - top analysts panel no longer shows analysts with zero points; if there are no analysts with points, you’ll see a friendly, informative message.
Bugfix
General visual cleanup: aligned some buttons here, tweaked a message there.
Note
Snooze suppressions have been removed. We want to keep Perch simple and easy to use; Snooze suppressions weren’t pulling their weight in the relationship and we decided they needed to go. It’s not you Snooze suppressions, it’s us. We’re sure you’ll find somebody nice.

Note
Port numbers removed from alert Perchybana links: we found that just using the targets and time window gave the best visibility into the traffic relevant to investigating the alert.

Note
Infrastructure upgraded to Python 3.6; other third-party libraries updated to latest and greatest. Keeping Perchy healthy and well preened lets him focus on watching your networks with confidence.

Customer Insights: John Nelson reacts to the HITRUST and American Medical Association Cyber Risk Announcement

Wes Spencer on October 6, 2017


In late September, HITRUST and the American Medical Association announced a partnership to provide education on cyber risk management to healthcare organizations across the US. Their efforts focus on information security risk management, HIPAA compliance and cyber security, with recommendations specifically tailored for small practices, which often lack the resources and personnel that larger organizations have.

Today I spoke with John Nelson, Systems Administrator / Security Officer for U.S. Expediters, Inc. to discuss the ramifications and opportunities of this partnership.
John is the Security Officer for U.S. Expediters, Inc. He is responsible for policy development and operations related to information security and compliance. Following a career in Fire and Emergency Medical Services, he has been involved with information technology in the healthcare sector since 2000.

Wes:
John, tell us your thoughts on the AMA and HITRUST partnership for security education around cyber risk management.

John:
I am encouraged to see the AMA stepping up and seeking partners to help educate their members about the challenges they face in effectively dealing with a rapidly changing threat landscape. This initiative seems to fit well within the AMA’s stated mission: “Our mission is to promote the art and science of medicine and the betterment of public health.” The last few decades have seen digital technology bring radical changes in everything from practice management to the very tools used to diagnose and treat patients. Along with that change, of course, comes new risk. It is well that the AMA is expanding its advocate role to include education about those risks and how to mitigate them.

Wes:
What do you think this means for small and mid-size healthcare organizations in the US?

John:
Honestly, my fear is that the serious gaps I often see in the security posture of smaller organizations (which include, by the way, most hospitals and medical practices) will remain largely unmitigated. So often, many excellent solutions, designed and marketed to larger enterprises, are unapproachable for most smaller organizations. They’re either too complex, or too expensive, or both. My hope is that, with educational pushes like this, the great numbers of these smaller organizations will recognize this gap and create demand for effective and more affordable solutions.

Wes:
As we all know, smaller healthcare organizations have their hands full with so many priorities. Cybersecurity is just one challenge among many. In your experience, what should security leaders in small and mid-size healthcare organizations be thinking about to enhance their cybersecurity posture?

John:
In a word - vigilance. I wish I had a dollar for every time I’ve heard it asserted that, “Our anti-virus software is up to date, so we’re good.” For years, passive defenses like that were usually enough, but the modern threat landscape demands a more proactive approach. We must continually assess that landscape and our security posture within it. We should be actively identifying and mitigating vulnerabilities within our environments. We should be actively looking for signs of compromise in our environments. The “2017 Cost of Data Breach” report from The Ponemon Institute puts the “mean time to identify” a breach at 191 days. That’s down significantly from 229 days in the 2016 report, but it still dramatically underscores the need for more, and better… vigilance.


Thanks for your time, John! We really appreciate you talking to us today.

About U.S. Expediters: U.S. Expediters, Inc. is based in the Houston, TX area. It is a group of companies, each of which is involved in the treatment of sleep apnea. Among those entities is cpap.com, the world’s largest Internet retailer of CPAP equipment.

About Perch Security: Perch Security offers the first Community Defense Platform. For the first time, even small and midsize businesses can use their sharing community membership (ISACs and ISAOs) to access their relevant industry-specific threat intelligence and participate within the community – all without purchasing specific tools or increasing staff. www.perchsecurity.com

Release Notes For September 29, 2017

September 29, 2017


New
Added intel produced or loaded time (depending on which is available) to the alert display
New
SOC/MSSP CRM: keep track of group contact info inside Perch, available to staff/MSSPs on the suppression modals, so that it’s handy if you need to escalate to the customer
New
(Very Soon) Palo Alto firewall integration - click a button in Perch to have an IP, url, or domain automatically sent to your firewall.
New
Better default sorting on admin pages - you mean sorting by database ID isn’t useful to users?!?
Bugfix
Added missing port columns to Perchybana links
Bugfix
Fixed dashboard most recent suppressions not always updating when they should
Bugfix
Fixed page styling to get rid of extra, but pointless scrollbars
Bugfix
Group settings should all be editable now
Bugfix
Sensor health detection count graph Y-Axis labels now show ‘file size’ (x.xGB) numbers, instead of raw byte counts
Bugfix
Indicators now show more observables, up to 1000 (up from 200).
Bugfix
API users no longer appear in the group’s user management list (you can still find your API user info on the group settings pages)
Bugfix
Fixed the group setup page in the signup flow showing the “This field is required” error as soon as the page shows, instead of only when the data needed to be validated
Bugfix
Fixed large, fixed size alert panel on the indicator detail page
Bugfix
Added a check and a useful error message when the user’s browser doesn’t support WebGL

Note
Performance pass, improved caching of frequently used data

Note
Sensor health diagnostic commands and raw health removed for non-staff. No one enjoys seeing how the sausage is made!

Note
Improved tracking and logging for failed logins; tweaks to how failed logins are communicated to staff

Note
Alert row visual tweaking: less vertical space between data, more vertical space between rows.

Note
Improved automatic staff notification when new users and groups join

CCleaner: how to use Perch to confirm you weren't compromised

Wes Spencer on September 21, 2017


Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software.

According to Cisco: For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.

Attacks like this against the trusted supply chain between the software manufacturer and the customer are a growing attack vector because of their potential effectiveness and impact. Security controls like firewalls and endpoint protection are often unable to detect supply chain attacks initially, because the trust relationships are already in place.

In the wake of a supply chain attack, you can benefit from reviewing your network traffic for any indicators of compromise (IOCs), and access to network traffic history (such as Perchybana provides) lets you analyze and respond immediately.

Perch customers can quickly search for any indicators of compromise using Perchybana, Perch’s new network data search and correlation tool. In Cisco’s report, the following observable was published:

  • 216.126.225[.]148

Additionally, Perch analysts were able to extract additional observables from Cisco’s report:


To review for any network traffic with these observables, Perch users can use these search terms within Perchybana to determine whether further incident research and response are warranted:

Perchybana Screenshot

As always, Perch’s Security Operations Center team is monitoring for these IOCs and has proactively reached out to any customers who may be impacted.
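To illustrate the review step above, here is an added Python example (not Perch or Perchybana code) that refangs indicators written in the `[.]` notation used in this post and checks constructed connection and DNS log lines against them. The IP is the one Cisco published; the domain `ns1.example-c2[.]invalid` and the log lines are constructed placeholders.

```python
"""Added example (not Perch or Perchybana code): refang defanged IOCs and scan log lines for them."""
import ipaddress
import re

# Indicators in the defanged [.] notation used in the post. The IP is the one Cisco
# published; the domain is a constructed placeholder (reserved .invalid TLD), not a real IOC.
IOCS = [
    "216.126.225[.]148",
    "ns1.example-c2[.]invalid",
]

# Constructed log lines (a connection log and a DNS log, Zeek-like but simplified).
LOG_LINES = [
    "2017-09-19T10:01:02Z conn 10.0.0.5:51234 -> 216.126.225.148:443 proto=tcp",
    "2017-09-19T10:01:05Z dns 10.0.0.5 query=www.example.com type=A",
    "2017-09-19T10:02:17Z dns 10.0.0.9 query=ns1.example-c2.invalid. type=A",
    "2017-09-19T10:03:00Z conn 10.0.0.7:40001 -> 192.0.2.10:80 proto=tcp",
]

# Tokens are runs of hostname/IP characters; ':' '=' '>' and whitespace split them.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its usable form, e.g. 1.2.3[.]4 -> 1.2.3.4, hxxp -> http."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", ioc.strip(), flags=re.IGNORECASE)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def build_matchers(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def scan(lines, ips, domains):
    """Return (line_no, kind, value) for every token matching an IP, a domain, or a subdomain of one."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(line):
            t = token.lower().rstrip(".")  # DNS logs may carry a trailing root dot
            if t in ips:
                hits.append((line_no, "ip", t))
            elif t in domains or any(t.endswith("." + d) for d in domains):
                hits.append((line_no, "domain", t))
    return hits


def find_ioc_hits(defanged, lines):
    """Convenience wrapper: refang the indicators, then scan the lines."""
    ips, domains = build_matchers(defanged)
    return scan(lines, ips, domains)


if __name__ == "__main__":
    for line_no, kind, value in find_ioc_hits(IOCS, LOG_LINES):
        print(f"line {line_no}: {kind} match on {value}")
```

A hit only tells you a host talked to an indicator; as the post says, it marks where further incident research is warranted, not a confirmed compromise.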

Release Notes For August 11, 2017

August 11, 2017


New
Perchybana per-user saved searches - Decorating her nest with all manner of brightly colored bits of user configuration, now each of our users can have their very own Perchybana configuration - including their own saved searches.
New
Group selection on suppression review
  • Suppressions load slowly, we know; this is the first step in fixing that
  • More coming soon.

New
In this month’s edition of Sensor Health magazine:
  • New health details
  • Graph scales that make sense
  • CPU info display
  • And the displayed detection drop percentage precision increased by 100% (Re: now we show two decimal places instead of one.)

New
New end of signup flair - not so exciting for existing customers, but now every new sign up gets a free puppy! Ok, no free puppy, but there are some digital fireworks. And a sad Perchy if things go wrong.

New
Enhanced sensor health evaluation
  • No one is happy when sensors aren’t able to do their thing. We’re making our sensor reporting more robust and being more aggressive about what conditions we monitor. Our periodic sensor health reports contain more details and warn about more conditions.

New
Indicators you’ve created now link to the object detail page so that you can see all of the details about your creation. You’re proud of what you’ve created, you want to see it out there among all the other wild indicators doing its thing. We want those special moments with your indicator to be easier, so now you can jump right to the details page for indicators you’ve created, by clicking on their title from the Sharing ➔ Your Indicators page.

Bugfix
Improved load performance of object detail page, separated sections to load independently - same bat time, same bat channel, same bat data; just served up differently so that the page loads a little better/faster.

Bugfix
Community tags for the communities you’ve shared an indicator with can be clicked to take you to that community’s dash. Community tags should all work the same, but we keep finding the old ones hiding in corners. If you find one that you click on, but it doesn’t take you to the community dashboard, report it!

Bugfix
Global/Community suppressions no longer appear under the ‘Unknown [null]’ group - As part of our No Suppression Left Behind campaign, we’ve ensured that every suppression gets a proper section title, regardless of socioeconomic background, race, creed, or actual group membership. #EqualityForAllSuppressions

Note
Improved internal tools to ensure our customers are having a positive Perchy experience. We’re looking for patterns that warn us that someone’s having a not-so-great experience with Perch, so that we can proactively reach out, figure out what’s not right, and get it fixed ASAP.

Release Notes For July 28, 2017

July 28, 2017


New
Dashboard: Now you can see both the active alerts and the things that have been suppressed since you were gone.
New
Support for international postal codes in sensor setup - Perch learns to be a more equal opportunity guardian of the galaxy; no matter where your sensor is (as long as it’s not the middle of the desert), Perch can put you on the cyber-security map.

New
Perchybana is live! Impress friends and neighbors with your network traffic insights. Be the life of any party by tracing netflow and diagnosing malware infections.

New
Alert review pagination, improved alert performance throughout Perch - people like books, books have pages, therefore people like pages. Now Perch has pages on its alert panels, therefore people will like Perch’s alert panels.

Bugfix
Sensor config - edge cases: more resiliency and error correction in uncommon install use cases, more ‘self-healing’ functionality to adjust for common problems.

Bugfix
Alert ‘all targets’ now pulls from the right data source - it used to come from column A, now it comes from column B. Same data, but easier/faster to query.
Bugfix
Show error message if user tries to create a subnet with a name that is too long - focus groups seem to indicate that users do not enjoy functionality that silently fails, so we’ve added a meaningful error message. Who would have known?

Bugfix
Backtest now returns group matches.

Note
We love feedback from our users! If you see something that’s not right, or have an idea to make Perch even more awesomer, report it to info@perchsecurity.com

Fishtech Group Announces Strategic Investment and Partnership with Perch Security

Chris Fauerbach on July 19, 2017


Fishtech Group today announced a strategic investment in Perch Security, the information security maverick that combines innovative application design with an in-house security operations center (SOC). This new partnership seeks to expand Perch’s sales and marketing efforts, and to broaden and accelerate product development.

READ THE PRESS RELEASE

Release Notes for July 14, 2017

July 14, 2017


New
New button next to alert IP addresses to copy to clipboard (without port number)
New
Improved sensor health network host count
  • Shows last 48 hours only (instead of all time)
  • Updates in real-time (instead of once daily)
New
Cisco Talos community created – get an oink code here: https://www.snort.org/ (third party, not affiliated with Perch)
New
Suppress by IP: you can now apply a suppression to a single host. Global, community, team, host; so many yummy suppression flavors to choose from.
New
Replaced Community Dashboard - Trending Indicators data with a top 5 list of indicators in a community with the highest unsuppressed alert counts, over the last 30 days.
New
General stability improvements to our sensors and improvements to health reporting; keeping Perchy’s eyes and ears clean and in top shape so we can See Farther.
New
Community feed list ‘Select All’: we think that having to click 100+ checkboxes is lame, too.
Bugfix
Due to the sheer number of individual sightings associated with some alerts, our ‘alert by host’ functionality on the alert review page had to be disabled temporarily so that we could re-architect some of the data that it used.
Bugfix
Fixed: signup process would allow a new user to skip creating a group, which causes all kinds of paperwork issues for sweet, old Fran in the back office. Per Fran’s rules, all new users must now either create a new group or join an existing one before they’re allowed inside Perchy’s exquisite garden.
Bugfix
Secret communities were re-classified SO secret that even Perchy had no idea which was which and started assigning groups to the wrong secret communities. We’ve given Our Great Leader access to the secret community codes and peace is restored to the galaxy, for now.
Bugfix
Fixed: Existing users that received an email invite to another group should now be able to use the invite link to join the group.
Bugfix
Fixed: Buttons that would allow multiple submissions of an action if the button was clicked rapidly (e.g. double-click). Dr. Perchy, PhB(ird), recommends that users limit coffee intake.
Bugfix
Fixes and tweaks to our sensor network and monitoring configurations
Note
Perchy-bana POC is complete, was successful, and we’re building out the QA infrastructure for its initial internal release and testing.
Note
Perch core relational database infrastructure went through another major upgrade with the addition of a read-replica, multi-db configuration, multi-port fuel injector, and twin-turbo blower. VTEC just kicked in, yo!
Note
Hired custodial cron jobs to vacuum and clean up the database nightly. Tried to get the office custodial staff to do it, but they mumbled something about union regulations and overtime.
Note
Nuked certain parts of our BigData infrastructure from orbit and replaced it with something better. Things work like they did before, but they cost less, run smoother, and allow us to scale better in the future.

Release Notes for June 30, 2017

June 30, 2017


New
Sensor health enhancements and improved monitoring so Perchy’s caretakers can respond more quickly to sensors that are having issues.
  • Detection graph to see traffic level trends
  • Warning/down state for unchanging detection counts
  • Private IPs counts: how many unique IPs in each of the private IP blocks has a sensor seen (You have 1000 hosts on your network, but Perch is only seeing 10 of them)

New
Perchy gets better at communicating with users: action notification review and cleanup
  • More notifications, for both success and errors
  • Standard success/error look

New
New suppression scopes:
  • Global: SOC can suppress for all users at once
  • Community: SOC and community admins can suppress an indicator for an entire community
  • (coming soon, work complete, in-review and testing) by-IP: suppress for a single IP

Bugfix
Corrected the Community Dashboard Daily Events indicator counts so that they’re:
  • Storing the indicator counts
  • Computing the count correctly

Bugfix
Sorting by CIDR/subnet now sorts more naturally

Bugfix
Improved handling for observables that are missing intel data
Bugfix
Long comments have had a good talking to and have agreed to stay inside their comment panel better
Bugfix
Corrected several minor bugs and tweaks caused by database migrations and updates
Note
The ‘all-natural’ performance enhancing supplements we’ve been feeding Perchy are paying off; his brain is bigger and better than ever!
  • Lots of expensive tech words = faster databases = more responsive Perch = happier users
  • Infrastructure work to ensure that as Perchy’s flock grows (and it is growing!), he can still respond to all of the data as fast as possible!
  • Migration to ElasticSearch 5

Note
Relational DB hardware upgrade and addition of read replica

Note
We’re making strong progress toward Perchy-bana, internal POC and development is promising

Perch partnership program produces practical problem-solving – not panacea – for health care info security challenges

Chris Fauerbach on June 28, 2017


National Health Care Information Sharing and Analysis Community (NH-ISAC) has rolled out an offer for their members that incorporates Perch’s “extremely affordable and simple way to detect and mitigate against threats.”

READ THE PRESS RELEASE

Release Notes for June 2, 2017

June 2, 2017


New
Public Backtest API
  • Manage API token and credentials in Perch
  • Get token, backtest observables, profit!

New
(Soon) Additional suppression scopes:
  • Global: the Perch SOC will be able to suppress false positives for every group in a single action; we’ll be able to clean up the noisy, false positive intel more quickly so that the gems with real value can shine through.
  • Community: community leaders will be able to groom their own intel from within Perch; a community that preens together, stays together, right?
  • Individual Host: have a single host that you know triggers a FP, but you don’t want to completely ignore the indicator for other hosts? Now you can suppress an event for just one of them.

New
Sensor Health Summary:
  • Consolidated view of all of your group’s sensors and their health
  • Warnings for low resources and abnormal conditions:
    • Old rules and low rule counts
    • Sensor not uploading data
    • In the Admin menu: Sensor Summary

New
Emerging Threats (and Pro) selectable feeds

New
Unmonitored network filtering at the sensor
  • Perch takes the list of unmonitored network subnets for your group and sends it to the sensor so that it knows to ignore those networks in its detections.
  • Results in less work for the sensor, allowing us to do more with the hardware; less data sent to Perch, less outgoing network traffic for you, and less to process and store for us! It’s a genuine win-win paradigm-shifting value add, look at all this synergy! Give Canute and Chris a raise, this is amazing!

New
Alert filtering now considers subnet names

New
(Soon) Restart tours: watch them again and again with your friends and family!
New
Touch ups and polish here and there; retry button added to the end of the signup process when there is an error registering.
Bugfix
User group page no longer shows all of the groups from all of your communities, but only those you are actually a member of.
Note
Perch reaches its 1000th build and Perchy has his first birthday!

Perch detected Grizzly indicators (before it was cool)

Chris Fauerbach on January 25, 2017


Just like always, Perch detected indicators for the infamous Grizzly Steppe minutes after DHS released them. Read about how we were able to defuse any panic or confusion for our users before “the Russians are coming” even hit the news that day.

Check out the full article here.

Other People's Analysts

Chris Fauerbach on January 12, 2017


Over the last 6 years, I have been entrenched in Cyber Security.

  • Packet capture
  • Network Forensics
  • Identity and Access Management
  • Threat Intelligence
During my nPulse Technologies days (acquired by FireEye), I relearned all the network packet stuff that I had been taught in college. The OSI network layers, VLANs, Q-in-Q… oh boy! Reassembling packets (with python no less) was a REALLY fun exercise… never made it into the product, since there were open source tools that did it better (faster?).. but I did it…. then came the challenge of using the reassembled data in an application.

Imagine this now, you’re a cyber analyst. You’ve got some juicy intel from your ISAC (FS-ISAC? NH-ISAC?) … or maybe it’s from your industry buddies that you share intel with. You set up your alerting mechanisms, you set up your SIEM, and you wait.

PING! You get a hit! You now have an IP address that a machine in your network tried to go to. You start your research, do a little OSINT, do some googling… find out it’s a shared host. Oh well.

False Positive.

You tell your buddies, and that’s it for the day.

Guess what just happened? Your group just got smarter because two of you did some work. The first guy set up the intel, and you validated it as a false positive. Since you both shared within your community, you just got smarter! You leveraged a few members of the community to make you all better!

This is the best scenario we have today. Some communities share data. Not many communities allow for automatic sharing of sightings (did you see that IOC in the wild?). NO communities allow you to share what you did in regards to that IOC. Did you block it in a Firewall? Did you mark it as a False Positive?

There aren’t many tools out there that can help this process. The more we can share, the more we can attribute, the more we can automatically know what’s going on in the networks of our peers, the safer we’ll all be.

Tackling Expensive and Complicated Information Security

Chris Fauerbach on January 11, 2017


Information Security: It doesn’t have to be so expensive (or complicated!)

The Bad News

For Small/Medium Businesses (SMBs), you can’t approach information security the same way your bigger brothers do. Face it, Capital One has a much larger information security (infosec) budget than the Downtown Credit Union in Powhatan, VA. Small companies don’t have the same staffing models, technology expertise or highly specialized analysts that focus solely on protecting data. Sure, there are free and open source tools, for example, but they still require expertise and time to get them up and running, not to mention tuning, maintaining, updating, etc.!

Here’s another challenge. A good information security practice relies on intelligence about threats, attacks, vulnerabilities, etc. There are open source data sets that can help your SMB know what to look for in network scans, packet matching signatures and queries in your SIEM, but that open source data tends to be stale. Don’t get me wrong, it’s table stakes. You NEED to be on the lookout for what Emerging Threats has, but it’s not sufficient. That data will protect you, but it’s a tiny part of the known bad things out there.

Ok, one more ‘bad news’ comment. There are vendors out there that will sell you cyber threat intelligence (CTI) data. Some aggregate data from intelligence providers; they’re called TIPs, Threat Intelligence Platforms. They provide tools and technologies to help you get known intelligence data. Others research, probe and monitor the internet/private networks looking for ‘things’ that are bad. They’ll either sell you the data or sell it to an aggregation company who will sell it to you. They provide a great service, and deserve to be paid for the work they do, but again, this may be pricey and out of your budget.

The Good News!

There is a new reality out there. Sharing communities are being formed to share this threat intelligence data (ISACs and ISAOs). These groups are focused around specific industries (Health Care, Financial Services, Aviation, etc.) and provide a platform to share more RELEVANT data. This is data that affects your industry, and therefore has a much higher chance of being relevant to your company. Their cyber intelligence data is targeted at their industry and typically much more relevant than the data served from large repositories.

Size doesn’t always matter. With finite resources, both technical and human, it’s nearly impossible for SMBs to look out for all the bad things; and why should they? A bank doesn’t care about a command and control channel for a botnet that is targeting manufacturing equipment.

Sharing communities are becoming the KEY source of threat intelligence data for small to mid-size business. It’s putting the control of the infosec spend back into their hands.

By leveraging shared community data as the primary (but still not only!) source of intelligence, we substantially reduce the cost of a comprehensive cyber intelligence and threat mitigation plan. Once we embrace this new world of industry-specific, relevant cyber intel, we’ll have new ways to connect in a USABLE way. What’s “usable”? In order to reap the benefits of your sharing community memberships, you need readily available tools that:

  • Don’t require a skilled analyst behind the dashboard 24x7.
  • Don’t require a SIEM to use them.
  • Don’t require knowledge of code.
  • Don’t require more than a basic understanding of CTI (STIX, TAXII) terminology.

Now What

Who’s going to provide a tool like this? Ha! I’m not good at keeping secrets, but I’m working on something that will help bring the promise of a sharing community to reality.