There are several basic tools for securing network infrastructure that should not be missing from any organization. Let’s take a look at the role of GREYCORTEX Mendel in all those products protecting the data and network in your company.

Antivirus software, firewalls and intrusion prevention systems (IPS) should be an integral part of any organization’s cybersecurity solution. Nowadays, however, they are often not enough. That’s where Mendel steps in.

GREYCORTEX Mendel stands on several levels:

• It is a unique tool that sees, visualizes and analyzes everything in your network – devices, access and all communications.
• It is a great extension to the functionality of standard cybersecurity tools: antivirus, firewalls and network performance monitoring. They are crucial, but there are some threats that even they cannot detect. The reason is simple: attackers are often ready for these standard systems.

Mendel Sees and Visualizes in the Context of Time and Events

Imagine a tool that sees all the devices in your network, how they are communicating together, what protocols they are using and where your data is going. With Mendel, you can see all of that. You can also view the details of a specific device, its communication and where it is connected to at the moment, and also yesterday or a year ago.

With this unique analysis, you can uncover a sophisticated attack on your infrastructure before it really happens. That’s because you can relate current events to events that happened before, even in the more distant past.

Let’s take a look at an example of an attack that may go unnoticed by a standard detection mechanism: Advanced malware is not detected on the end device, but that device shows behavior that could endanger the network – for example, trying to access somewhere it has not accessed before. It could be spyware or an APT in your internal domains that is gradually spreading across your network through a domain, while the infected machines start accessing unusual devices and data sources and performing lateral movement. Mendel can identify and notify you of such unusual behavior.

More Reliable End-Point Security

Because end-points are an easy target, often provide valuable data and are an entry point for gaining deeper access to your network, they are the frequent initial targets of cyber-attacks.

Commonly known end-point attacks include:

• network mapping
• data exfiltration (sending data in non-standard or encrypted channels, communication with control devices)
• Dictionary attacks, password data breaches
• Data mining (reading important information, mining data from a database, mining users from information systems or from a domain controller)

Mendel flags such attacks as dangerous behavior and recognizes the threat that might not have been recognized by endpoint security or that is well hidden by the attacker. Even if antivirus software is deployed, Mendel monitors the communication of your devices and reveals any anomalies in it. All of that using a broad database specializing in network cyber threats that include not only known threats but also signatures of unusual behavior.

A Smarter Firewall

We can understand a few things that fall under the term firewall: standard firewalls and smart solutions known as an IPS.

Traditional firewalls stand first in the line of defense and secure broad traffic filtering. They adjust network transitions and the availability of network services and are mostly used on the external perimeter – in some cases within the internal network. They are often open or insufficiently configured.

In such cases, Mendel plays the role of an auditing tool – controlling the function of the firewall itself and checking its configuration. You can use this feature for verifying and controlling the communication matrix in your internal network and critical systems. It helps you understand who is connecting where, who is using what and who is behaving differently than they should.

Smart solutions such as IPS see more deeply into your network, can detect known threats and block them. Also here, Mendel provides you a double-check by monitoring the operation of web proxies and email gateways. This means no potential threat can pass. Even in this case, Mendel’s advantage is its extensive database of threats, consisting of multiple sources and signatures that verify not only known attacks but also security policies and potentially dangerous access to data sources, such as administrative sharing. This approach is much more effective for the detection of vulnerabilities than just a database of known threats from one vendor.

This way, Mendel shows much more – not only what needs to be blocked but also unwanted or insecure applications and access to risky services. You’ll get a much better overview of what is going on and what is going through your network and how.

The Danger of Unknown Threats

In all mentioned cases, Mendel not only deals better with detecting known threats, its strength lies in also detecting unknown threats. How? Mendel recognizes different types of actions using behavioral analysis.

Right after anomalous behavior or an unknown threat is detected, the system notifies you, for example, by email. It’s then your choice. You can either take the necessary steps or you can connect Mendel to the firewall API and it will block the unwanted communication automatically for you.

A Huge Help for Monitoring Network Performance

At the next level, there are tools for internal system monitoring. In this case, Mendel shows a clear overview of the network – how it is loaded and used, who is accessing it, what services are operating and what the performance of applications and transmission lines is.

Imagine seeing just how loaded your information system, domain controller, Wi-Fi network or data center are!

GREYCORTEX Mendel helps you increase the reliability of your network. Even industrial control systems can get the right amount of control, so any attack or even a major network failure has no catastrophic consequences.

Antivirus software shows you current threats. A firewall displays the current settings and whether it is leaking something or not. But nothing will clearly show you events in your network an hour, a week or a year ago. In a nutshell, Mendel sees, visualizes and (thanks to data storage of up to the last several years) also analyzes current as well as past events.

During the 30-hour NVIDIA DPU virtual hackathon, participating teams worked on technologies for furthering advancements in AI , cloud and accelerated computing. Our GREYCORTEX team was among them, and our solution was awarded third place.

The goal of the hackathon was to validate the potential of using DPU (Data Processing Unit) accelerator cards for AI , networking, security and storage. The teams worked on developing a solution demonstrating the possibilities of using DPU in a data centre infrastructure.

In a competition made up of teams from all over Europe, the jury awarded third place to the project of the GREYCORTEX team, consisting of Petr Chmelař, Marek Brychta, Ondřej Kvasnica, Marina Volkova and Jozef Mlích. Our team used NVIDIA BlueField DPU cards for a DDoS attack detection and mitigation system.

With the DPU , Mendel will be able to process traffic faster, smarter and at a lower cost than before.

“ At GREYCORTEX , we are involved in a number of research projects outside of Mendel product development, trying to anticipate where market and customer needs will go. We are looking for ways to solve these problems and challenges,” says Pavel Jurka, CTO of GREYCORTEX .

One of the topics we have been working on over the past year is the processing of big data streams and their analysis using advanced methods that leverage machine learning and artificial intelligence. At the same time, we are looking at how to actively defend against such advanced attacks, which can be aided by hardware-level acceleration.

Participation in the hackathon followed our testing of the latest generation of NVIDIA BlueField DPU cards, which allowed us to demonstrate our intentions for how to use DPU in practice.

“ We hope that this technology will move into production deployment in the near future and we will be able to use it to provide better security for our customers,” concludes Pavel Jurka.

For more technical information, please contact our research team.

GREYCORTEX has released the latest version of its Mendel Network Detection and Response solution. Version 3.7.0 brings important features and improvements. The main features in Mendel 3.7.0 include CISCO ISE user identity integration and response, CISCO Firepower incident response, SNMP appliance monitoring & SNMP trap, or AWS, MS Azure and Google cloud deployability.

ENHANCED INTEGRATION WITH YOUR INFRASTRUCTURE

Better visibility on user identity

For use cases when Mendel has no direct access to AD/LDAP server or with limited permissions then user identity could be provided via integration with CISCO Identity Service Engine (ISE).

Active response to threats

For situations where it is necessary to respond to emerging threats, we will ensure appropriate steps through integration with CISCO network elements. If this is unavoidable, you can block endpoint communication, isolate part of the network, etc.

SNMP Appliance Monitoring

With incorporation of SNMP agent and trap functionality you are able to oversee MENDEL appliances with your current infrastructure monitoring solution.

MORE EFFICIENT OPERATIONS 

New upgrade management to all your appliances

Upgrade the whole Mendel deployment through a single point  = collector’s UI. Choose either “One click” multi upgrade or upgrade each sensor individually. Upgrade is performed by two step method, to keep sensor running for maximum time and shorten the maintenance time.

Mendel installation on common cloud services 

Amazon Web Services, Microsoft Azure and Google Cloud are now supported for deployment of Collector or Central Event Management (CEM).

Utilization of high-speed disks within MultiTier storage and optimized database queries

Use your fast disks not only for the operation of the system itself, but also for a much faster response of the user interface when displaying the „hot“ data and views of them. If your deployment does not have multi-tier storage with fast disks, we still bring you a faster response in the GUI by optimizing the database queries.

False Positives for limited time period

Hide events only for the time that is relevant and related to the maintenance of your infrastructure, tests, etc. Apply false positives with specific time frame and/or recurrence.

Conditional PCAP recording

Data captures can be triggered on-demand or by specified conditions (user-defined & event-based).

OT/ICS/SCADA

Asset discovery 

Ability to discover devices in network using various OT protocols to get asset details such as firmware versions, and many others.

Policy monitoring

We introduce a new script approach in IDS rules which allows you to define custom policy rules to monitor allowed values and perform whitelists/blacklists operations inside OT protocols like IEC104, MMS and many others.

ALL FEATURES – IT

CISCO ISE user identity integration and response
CISCO Firepower incident response
SNMP appliance monitoring & SNMP trap
Upgrade management over appliances
AWS, MS Azure and Google cloud deployability
High-speed disk utilization within multi-tier storage
False positives for limited time period
Trigger based PCAP recording
Processing netflow data with NAT information
Switch flow errors  from flags to real calculation
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector
User Documentation available via GUI
Time validity of false positives
Connect Mendel sensor to secondary collector (HA)
Deactivate inactive Sensor on Collector 

FEATURES – OT / ICS

Asset Discovery
Parsing MQTT, COAP and Profinet protocols
Detection of LoRaWAN protocol

ENHANCEMENTS

Process VMware ESXi NSX-T IPFIX format
Add support for storing Suricata Variables in DB
Enhance update server update data sources
Semi-automated restoration of SMB backup
IDS signatures using the detected application
Display the logged-in user name on all pages
False positive change Priority field Default text
False positive not applicable into past by default
Import new JA3 hash codes from ja3er.com
Add description field into data exports
Hide user from managerial/security reports and email
Added assignee, reporter and date of last updated to Incident exports (PDF)
Reworked Firewall settings with new location in UI
Better explanation over data transfer between hosts in peers graph
Evaluate and add IPv6 multicast address into monitored subnets
System logs in mshell
CAT tool for ME localization 

OFFICIAL MENDEL PRODUCT SUPPORT

With release of version 3.7.0 full-service support will be provided for the versions 3.7.x and 3.6.x. Limited service support is provided for previous version 3.5.x. Versions 3.4.x and older are no longer supported, end-users with valid support and maintenance or active SW subscription can upgrade to the supported version(s).

What a person encrypts, a person can also decrypt. This was true a couple of years ago. Nowadays, cyber-criminals use advanced technologies and their attacks are much more sophisticated and targeted, and consequences are much worse. “Not only the good guys (i.e. cyber protection companies) but also the bad guys are evolving. Attacks are aimed at weak points and human errors,“ says Petr Chaloupka, CEO of GREYCORTEX, a company that focuses on IT and industrial network security. The story of this company that succeeded among the fastest growing tech companies began long before its foundation. It is a story about passion, vision, skills and a ton of humour. And, in a way, it is connected to the beginning of computerisation in Czechoslovakia.

Maybe you too still have a vivid memory of this history chapter and maybe you remember 8-bit computers – or maybe you don’t. Luckily, there is Petr Chaloupka, the founder and CEO of GREYCORTEX, and his memories of a contest from the ’90s, a text game passed around on cassettes and floppy disks that were created very long ago for 8-bit computers. Cassettes and floppy disks were… well, just google it, kids! “This game was protected by a password that was announced on a certain day in the newspaper, on the radio and on TV to give everyone the same fair start. However, my friend and I didn´t feel like waiting and so, after several hours of reverse engineering, we identified the password and came to the conclusion that what a person encrypts, a person can also decrypt. And that is maybe where my lifelong passion for cybersecurity started and this seemingly innocent story signalled my future professional career“.

A STORY OF A COMPANY STANDING ON THE FRONT LINE IN THE BATTLE AGAINST HACKER ATTACKS

The first chapter of the GREYCORTEX story began around 2005. “I was working on an antivirus for Linux, which was a completely insignificant platform for cybercriminals back then and for which there was no malware. There were only a few lab experiments for proving that there could be one. My colleague Michal Drozd used to hack banking systems using social engineering and customised malware“, reminisces Petr Chaloupka about the beginnings with a smile. The group includes another Petr – Petr Chmelař. “Back then, he was working on machine learning principles that would be capable of finding video signal anomalies. A strong technology for which there may have been another use. What about transferring it from the video world into a computer network“? asks Petr Chaloupka rhetorically with a good portion of irony.

However, you are probably more curious about the ending of the first plotline, about Michal Drozd and his bank story. There was no shocker – Michal Drozd stood on the right side and banks paid him to do what he did. We would say today that he was an ethical hacker. “However, if he had decided to become a cybercriminal, he would be very rich by now,“ adds Petr Chaloupka.

But let’s be more serious now. Fast forward fifteen years later. Petr Chaloupka sums up that Linux is a common and widespread platform, interesting enough for cybercriminals to attack. GREYCORTEX is now a well-established company focusing on the development of security products for network protection, machine learning and AI research, and the second fastest growing tech company in the Rising Stars category of the Deloitte Technology Fast 50 competition.

“Were we visionaries back then? I don’t know. Maybe we were just the three right people at the right place, and if we had never met, nothing would have happened. Literally. But we did meet, a couple of good questions were asked and we started to look for answers together.“

THOROUGH AND COMPLETE SECURITY

The second chapter of the GREYCORTEX story was about visionary questions in the end; for example, how can someone manage to break into a bank or any other company without having to leave their home? And how come they don’t get caught? Then the right answers came and with them the first specific solution.

“Somewhere around 2014, things blended really well and when five more friends and colleagues joined us at the end of 2015, everything was ready to establish a company and start our business. It needs to be said that all founders are still with us in different roles in the company, helping it grow.“

Four years later, the company became five times as big. “Our product ‘Mendel’, which can uncover hidden threats in the network, from unknown devices to advanced attacks, has matured. After overcoming some childhood diseases and puberty, it is becoming a model for others – we helped introduce another branch of cyber security into the world! It used to be called NTA (Network Traffic Analysis) in the past; now it is called NDR (Network Detection and Response),“ says Petr Chaloupka.

Don’t worry if you are getting a little lost in all the information, you have a right to that and you deserve an explanation: NDR combines deep visibility into infrastructure with the capability to detect known and unknown attack and malware types and to react to them in real time. So, it is clearer now, isn’t it? Same as the fact that “the world is changing, technologies are changing and we are changing with them. It is important that we have done our bit and continue to give cybercriminals a hard time and ruin their filthy and immoral business,“ remarks Petr Chaloupka.

What was the worst in the beginning? “Even in our case, it holds true that all theory is grey, but the golden tree of life springs ever green, so we do everything in a completely different manner than we used to. However, the most important thing is that we learned to understand what it means not only to have a good product but also to sell it and persuade clients that they need it. You could say that we are selling insurance or that we are like Eastern medicine – we ensure that the client does not become infected and he pays us for not getting ill.“

To sum it up, Petr Chaloupka views success and failure as communicating vessels. “A functioning and growing company is a success, even though it arose from humble financial background and was basically only a dream of a few founders some 6 years ago. From the beginning, we had a vision of building a global company and so our plans now are clear – to strengthen our position in the territories in which we already operate and gradually add other locations to reach our goal. It is definitely important to find balance between this dream goal and the need to have both feet on the ground (or at least one foot).“

This article was originally published here.

Brno, November 19, 2020

GREYCORTEX has won second place in the Rising Stars category in the prestigious ratings organized by Deloitte, where many Czech tech companies strove to be nominated as the fastest-growing tech company in the Deloitte Technology Fast 50 CE. The Tech Stars, Rising Stars, and Impact Stars categories present both the maturest and newest fast-growing companies in the Central European region as well as those companies that have had a revolutionary social or environmental impact on the market.

Petr Chaloupka, CEO at GREYCORTEX, said: “I am very pleased to have achieved international success in the 21st year of the Deloitte Technology Fast 50 CE competition and to have won second place in the Rising Stars category. In this category, seven out of 10 places were occupied by Czech companies, showing that the Czech Republic is still a cradle of technological innovation and that we have a good standing in this international competition. I wish to congratulate all the other companies and wish them success in further building their internationally competitive status”.

In the header of your blog there’s written “In the head of a Network Administrator: Thoughts, ideas, insights” – that brings up a question: what have you been dealing with in terms of security at your clients in the past few months?

That’s a pretty good question. I’ve been thinking about changing the header recently into something in the sense of “IT security lies in thorough and honest work”, which corresponds the most with what we come across during audits in companies.
IT departments often try to do “rocket science”. They consider advanced and expensive technologies, such as sandboxing and SIEM, skipping basic and simple concepts. For instance, they update servers twice a year, they use just a few passwords (as they haven’t adopted a password manager), they administer everything under the domain admin account and they haven’t performed a test disaster recovery from backup yet.
Don’t get me wrong. Sandboxing and SIEM are really useful technologies. It’s just that they belong to “add-on” technologies, and it’s necessary to get the network tidy first – get to know it inside out, be aware of all devices, setup the firewall and antivirus correctly. Basically, it’s important to focus first on activities that will contribute to security the most with the least effort.

You mention sophisticated attacks and chaotic arrangement of the infrastructure – what kind of impact might they have on organizations and companies? And what risks do you as an expert link with them?

When investigating attacks, I’m often taken aback by how fast the attackers manage to perform a “lateral movement”. It’s the stage of attacks in which attackers have a device under control, and they attempt to extend it to as much of the network as possible. In many cases they manage within a few hours. For example, in one case they managed to get a backdoor to a Director’s PA’s computer using spear-phishing. On Friday night they connected to it and within three hours they took over the domain administrator account and took control of the whole network. That’s a very short time and it’s really difficult for a company without 24/7 network security monitoring to react in time.
It’s critical to invest more time in securing the internal network to make “lateral movement” harder for the attackers and get time to detect and stop them.
Most administrators I meet put all their effort into protecting the “perimeter”. They see the security black and white – the Internet’s full of the bad, while the internal network seems safe to them. That’s a pity as the perimeter’s usually very well secured and the extra time invested has little effect. On the other hand, the internal network tends to be neglected security-wise, so every single day spent securing it is noticeable.

I understand there’s not a single correct approach that would protect all users. In your opinion, though, is there a “must” for the companies to protect their data nowadays? Something that’s changed in this respect in the past 10 years, e.g. new technologies or tools?

The thing is that security will probably never be 100 %. There will always be some zero-day vulnerabilities, human errors, and it won’t be possible to apply all security technologies (e.g. they won’t be compatible with business requirements). That’s why every company should have an efficient back-up system, resistant to hacker attacks. Thanks to that they’ll be able to get their data back without having to pay a ransom.
The development of the cloud and fast Internet has helped a lot in this area. It’s possible to make off-site backups in the cloud for a reasonable price, where the backups are protected against deleting (thanks to snapshotting, i.e. preserving a state of the storage where backups are located to a particular point in time) and natural disasters.
That doesn’t mean, though, that it isn’t necessary to deal with security anymore. A successful attack still means a downtime for days or weeks for companies as well as the risk of making their private data public.

So, it’s not just about eliminating the causes, but prevention – it’s clear that as an expert on IT security you often face misunderstanding from budget holders. What arguments or real-life cases do you use at such moments?

Exactly, the prevention is paramount. It’s cheaper to prevent problems than to deal with their consequences. Thanks to the media attention paid to the recent cyber attacks (on hospitals) the budget holders now realize the need to deal with security. The money is there. The issue is its effective allocation. Almost every IT company now “does” security. There’re also a lot of vendors of security SW / HW solutions. Security’s not a commodity, though, and the quality of individual solutions differs diametrically. The price isn’t a reliable indicator, either. Our strategy is to educate the public in the area of security. And we want Czech companies and institutions to have good security.

So far, the year 2020 seems to be a year full of changes and the need to be prepared even for the most unbelievable moments, which applies to cyberattacks, too. After all, some may be considered more likely a target than others. For example, in the USA there’ll be the presidential election, the Olympics in Tokyo (postponed to 2021), the world economics has shaken due to the coronavirus, and a lot of companies “go online”, which poses enormous risk in itself. Are there any other events or circumstances this year that, in your opinion, may carry a higher risk of attack?

Talking about the Olympics, I’ve read an article about a cyberattack on the 2018 Winter Olympics in PyeongChang, South Korea. It was a very interesting and sophisticated attack which didn’t turn into a fiasco only thanks to a coincidence and a bit of luck. I definitely recommend reading “The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History”.
It’s hard to say whether companies “going online” will have any influence on cybercrime. Most companies were already ready for home office and remote work. On the other hand, there are still a lot of companies on the market that are only about to modernize and digitize their processes. Due to the lack of IT people on the market, it’s possible that some implementations of changes won’t be done very thoroughly.

Given the direction hacker attacks have taken recently – where do you see the future of security tools?

Good question. Apart from imposing restrictions, it’s also crucial to have an overview of your network. That’s the only way how to recognize that the “restrictions” have been overcome and there’s an intruder in the network. Systems such as IDS / IPS will help you with that, as well as honeypots, network traffic analyzers, or SIEM systems. The choice of the system depends on the needs and possibilities of each company, though.
Apart from an early warning about a network issue, the systems are also necessary for backward incident investigation. With their help, it’s possible to find out how far the attackers got, which accounts and devices were compromised, which techniques and programs they used during the attack, which data they took out, how long the network was compromised, or the intrusion vector (the route of the attack). Without such systems the investigation of attacks is strenuous and inaccurate. Especially nowadays, when ransomware groups not only encrypt the data, but also steal parts of it and subsequently publish it (unless paid), such systems are needed more than ever before. Without them it’s almost impossible to find out whether any of your data got stolen during the attack, or not. 
Due to the decreasing price of network analyzers, their constant debugging, and the increasing importance of IT, I expect their adoption to grow. These technologies have a very good price / performance ratio. 

Martin Haller is a co-owner of PATRON-IT and a technician with all his heart. He specializes in cyber security and has experience as an ethical hacker. He believes it’s necessary to be able to break the network first in order to secure it well. On his blog martinhaller.cz he shares updates from the field of IT security as well as his own real-life insights. He also runs his own YouTube channel – you’ll find there e.g. what a webcam attack looks like.