GREYCORTEX BECAME A MEMBER OF EUCYBSEC

GREYCORTEX has become a new member of the non-profit association EUCYBSEC (European Cyber Security Excellence Center). The Association's interests are cybersecurity and the protection of SCADA systems. EUCYBSEC aims to create a communication space where commercial, state and academic specialists can interact freely and share their knowledge. Thanks to its EUCYBSEC membership, GREYCORTEX gets the opportunity to participate in professional events organized by the Association.

About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers span a wide spectrum, including Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX

Founded in 2016 in Brno, Czech Republic, GREYCORTEX helps organizations make their IT and OT operations secure and reliable using advanced artificial intelligence, machine learning, and data mining methods that detect advanced threats to security and risks to reliability which other solutions miss.

INTELLIGENT ANALYSIS: BUILDING THE GOLDEN LINE OF ENTERPRISE SECURITY DEFENSE FOR 2018

With the arrival of the era of Data Technology, data is not only the key to business operations; it is also the main money-making tool of hackers.

In May of this year (2017), the WannaCry ransomware rapidly and massively infiltrated industries around the world, including healthcare, manufacturing, education, energy and high technology; in total more than 230,000 hosts in over 104 countries were attacked, Taiwan among them. In August, the US consumer credit reporting company Equifax had 143 million personal records leaked after hackers exploited an application vulnerability on its website, close to half the population of the United States; the leaked data included names, Social Security numbers, dates of birth and home addresses, as well as some driver's license data. In October, Taiwan's Far Eastern International Bank had its SWIFT (Society for Worldwide Interbank Financial Telecommunication) system compromised; the hackers used malware to make fraudulent transactions, wiring USD 60 million (about NT$1.8 billion) to designated accounts in the United States, Cambodia, Sri Lanka and other countries.

LOOKING BACK AT THE THREE MAJOR ATTACK TYPES OF 2017: NO INDUSTRY ANYWHERE WAS SPARED

From this it is clear that security attacks have spread to every country and every industry, and hardly any company can expect to be spared. Lu Hui-kuang (盧惠光), senior product manager at Version 2 Taiwan, ESET's master distributor for the Asia-Pacific region, considers WannaCry the most representative of the 2017 security incidents. Before it, ransomware attacks were mostly carried out through website vulnerabilities: the ransomware was implanted automatically when a user browsed a site or clicked a link. WannaCry was the first ransomware to attack through the SMB vulnerability in Windows, and to this day many hackers still launch attacks through SMB vulnerabilities.

However, although ransomware attacks have been quite frequent in recent years, their targets are mainly ordinary small and medium-sized businesses. For banks, government and other well-known large organizations, targeted attacks remain the more common technique, and they are becoming more and more serious.

The hackers use e-mails carrying Word or Excel files with embedded malware; once inside the corporate intranet, they gradually advance toward the core database. Unlike ransomware, the goal is not simply to collect a ransom: the stolen database is auctioned on the black market, or confidential data is published directly on the Internet, severely damaging the company's reputation and, in serious cases, directly hitting its operations. In the Internet age consumers have too many choices; once they no longer trust a company, they turn to a competitor's products or services.

Besides ransomware and targeted attacks, Lu points out that a fairly high proportion of 2017 security incidents were DDoS attacks. For businesses that depend on the Internet to take orders, such as e-commerce and online gaming, a DDoS attack has a major impact: as soon as the website stops serving, operations stop with it, sometimes causing losses of millions or tens of millions of NT dollars. "DDoS attacks appeared very early on; even though they have been discussed less in recent years, they have never stopped," Lu stresses.

THE KEY TO SECURITY IN 2018: DEPLOY LAYERED DEFENSES SO HACKERS CANNOT STRIKE STRAIGHT AT THE CORE

Lu further points out that although these three attack forms differ, all of them are closely tied to botnets. With more and more devices able to connect to the Internet (personal computers, smartphones, tablets and so on), botnets have become more active, and as the cost of an attack keeps falling, the likelihood of attacks rises accordingly.

Faced with increasingly frequent attacks, Lu believes the best approach is a multi-layered defense. No single solution solves the problem one hundred percent, so companies can only build layer upon layer of protection to keep hackers from going straight to the core database. Therefore, in addition to basic solutions such as antivirus software, data backup, anti-spam and firewalls, it is best to also set up an intelligent early-warning mechanism, so that while attackers push through layer after layer and try to break the defenses, they are detected early and losses are kept within an acceptable range.

For example, GREYCORTEX, a new member of the ESET Technology Alliance, is an intelligent network packet monitoring solution. It applies today's hottest technologies, artificial intelligence and machine learning, to continuously learn which network traffic is normal and, on that basis, judge which network behavior is anomalous. This not only lowers the false-positive rate but also spots potential threats early and raises a warning. For instance, if the IP addresses that normally download files from a company's FTP server are all in the United States and one day a request suddenly arrives from a Russian IP address, that may be the work of a hacker.

In addition, ESET has a cloud-based global early warning system (ESET Threat Intelligence Service) that can also detect possible security risks early. Lu explains that the system collects malware samples from users worldwide and monitors botnet activity everywhere; when hackers send attack instructions to a botnet, the system can tell from those messages whether a company is about to become the botnet's target, and warn the company before the attack is launched.

Finally, Lu particularly stresses the importance of defending against ransomware. Similar attacks will only increase, and in 2018 companies must implement the following four key points to avoid becoming a cash cow in hackers' eyes:

1. Do backups properly. Ideally use professional backup software, and never keep the backups in the same domain; synchronizing them to the cloud or to a branch office is the safer approach.
2. Implement spam filtering; many of the e-mail accounts used by ransomware are already confirmed malicious e-mail addresses.
3. Expose the ODP (Open Data Port) remote control protocol only through a VPN, and combine VPN logins with a one-time password (OTP) mechanism to ensure that the person logging in is the actual user.
4. Most important of all: regardless of industry or company size, allocate a security budget appropriate to your own needs and choose a well-known security vendor as the first line of defense, so that the company's security has a shield.

*Originally published in 數位時代 (Business Next).

NEW VERSION 2.3 RELEASED

GREYCORTEX has released version 2.3 of MENDEL Analyst. It adds standardized NetFlow and IPFIX support, new ways of presenting data, several performance improvements and more.
New features

  • New tool in the GUI, “Network Analysis”: user-defined aggregated statistics for better analysis of network traffic and security incidents
  • Standard NetFlow and IPFIX fully supported
  • New user account administration page
  • Changelog page with history, and enhanced updating using the RPM packaging system

Improvements

  • Major performance improvements to the signature-based detection engine
  • Improved DNS cache with TTL support for better hostname resolution
  • Improved algorithm for matching hosts to Active Directory users
  • GUI URLs entered before login are preserved after login
  • Improved export of charts
  • Enhanced system log management with filtering by time and system component

REVIEW OF GREYCORTEX MENDEL

A USEFUL SECURITY PRODUCT THAT OFFERS A WIDE VARIETY OF INTERESTING POSSIBILITIES

GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:

  • Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
  • Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
  • Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
  • A tool for event correlation and risk assessment

The initial design focused on custom Advanced Security Network Metrics (ASNM), large-scale data mining based on artificial intelligence, and unique specialized algorithms that detect the full range of threats and anomalies. Immediate results are available through an intuitive user interface and user-defined reports. GREYCORTEX also offers many other interesting options; for forensic purposes, for example, it provides a comprehensive and detailed overview and history of network traffic and of the behavior of users, network hosts, applications and services.

DATA SOURCES

The main input is network data from a mirror port on a backbone switch or from a network tap. The NBA detectors also accept summarized data in the form of the custom ASNM metrics or as NetFlow v5/9 and IPFIX, for IPv4 and IPv6. In addition to network traffic, the product can add identity context from the company’s LDAP or Active Directory services; these can also be used for user management and authentication.
A detection signature set containing over 30,000 rules is obtained from external sources, as are IP address blacklists and reputation (trustworthiness) data. These lists are updated regularly, hourly or daily. This gives the tool information about generally known malware, Command and Control (C&C) servers, sources of attacks and known botnets. It also uses lists of known spam sources, information about Tor networks and proxy servers, and information about the ownership and geographic location of communicating hosts and domains.
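As an added illustration of the flow input described above (example code written for this page, not GREYCORTEX's collector), the Python below decodes a NetFlow v5 datagram. The field layout is the fixed NetFlow v5 format (a 24-byte header followed by 48-byte records); the datagram it decodes is constructed inline, and the addresses, ports and AS numbers in it are sample values, not a real capture. It also shows the two checks a collector must make before trusting a packet: the version, and the record count against the datagram length. NetFlow v9 and IPFIX are template-based and need a template cache, which this example does not cover.

```python
"""NetFlow v5 datagram decoder.

Added example, not GREYCORTEX code. NetFlow v5 is the fixed-layout export
format: a 24-byte header followed by up to 30 flow records of 48 bytes,
all fields big-endian. v9 and IPFIX are template based and need a
template cache, which is out of scope here.
"""
import socket
import struct
from typing import Dict, List

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip_str(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def _ip_int(s: str) -> int:
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_netflow_v5(datagram: bytes) -> List[Dict[str, object]]:
    """Decode one NetFlow v5 datagram into a list of flow dictionaries.

    Raises ValueError for a wrong version or a record count that does not
    fit the datagram; a collector must check this before unpacking, since
    the count field comes from the network.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")

    sampling_interval = sampling & 0x3FFF   # low 14 bits; top 2 bits are the mode
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, src_as, dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "seq": flow_seq + i,
            "src": _ip_str(src), "dst": _ip_str(dst),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,      # sysuptime deltas, in ms
            "tcp_flags": tcp_flags,
            "src_as": src_as, "dst_as": dst_as,
            "sampling_interval": sampling_interval,
        })
    return flows


def build_sample_datagram() -> bytes:
    """Constructed two-record datagram (sample values, not a real capture)."""
    header = V5_HEADER.pack(5, 2, 123456, 1509465600, 0, 1000, 0, 0, 1)
    # HTTPS session: 12 packets, 1540 bytes, lasted 800 ms, flags PSH|ACK
    rec1 = V5_RECORD.pack(_ip_int("10.0.0.5"), _ip_int("192.0.2.10"), 0, 1, 2,
                          12, 1540, 100000, 100800, 51234, 443, 0, 0x18, 6, 0,
                          64512, 64496, 24, 24, 0)
    # single DNS query packet over UDP
    rec2 = V5_RECORD.pack(_ip_int("10.0.0.7"), _ip_int("198.51.100.1"), 0, 1, 2,
                          1, 76, 100100, 100100, 40000, 53, 0, 0x00, 17, 0,
                          64512, 64500, 24, 24, 0)
    return header + rec1 + rec2


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram()):
        print(flow)
```

A real collector would bind a UDP socket on port 2055 and feed each received datagram to `parse_netflow_v5`; the length check matters there because a truncated or malformed export must be dropped rather than unpacked past the end of the buffer.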

ASNM PROTOCOL

The ASNM protocol is used to track over 70 attributes of each individual flow in the network. For each flow, it records the source and destination, the duration, the size of the data portion and packet counters. MENDEL also derives information about the frequency spectrum and about performance, such as Application Response Time (ART), Round Trip Time (RTT), jitter and others.
The functions that detect anomalous and potentially undesirable behavior also work on NetFlow data; with ASNM, however, they have more detail to work with and are therefore more effective. Another difference is the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to NBAR (Network-Based Application Recognition), as used in Cisco devices, is employed; it can recognize hundreds of protocols. The DPI technology extracts metadata for almost 30 application protocols, even in tunneled traffic.

DETECTION MECHANISMS

Incident detection is based on two methods: signature-based detection (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The learning mechanism consists in detailed modelling of the whole network at various levels, from models of the entire network down to models of individual services on individual hosts and devices.
The application continuously learns to distinguish the characteristics of anomalous flows from normal ones using probabilistic and statistical models, without needing to decode or decrypt the data. After installation into a network, the application must be allowed to train itself in the new environment for at least a couple of hours; it reaches complete knowledge after approximately one week.
The following machine-learning algorithms operate on the ASNM metrics:

  • Selection of relevant individual metrics
  • Bayesian analysis based on learned probability of events
  • GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models

Probability-based (Bayesian) modelling provides almost 1,000 parameters per flow for each host in a network or subnetwork and the services it provides or uses, locally or remotely. A separate model is created for each service of a host, each network device, the services aggregated over the network, each subnetwork mask, country and ASN (Autonomous System Number).
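As an added example of the per-service modelling described here, and of the FTP scenario in the article above (a server whose downloads normally come from US addresses suddenly receives a Russian request), the Python below builds a small Bayesian-style baseline per (host, port) service and scores new flows by how surprising they are under it. It is illustrative code written for this page, not GREYCORTEX's algorithms or the ASNM metrics: it uses three attributes (source country, source ASN, flow size) instead of the roughly 1,000 parameters mentioned, the training and test flows are constructed, and the per-service threshold, set a fixed margin above the most surprising training flow, is one simple calibration choice among many.

```python
"""Per-service behavioral baseline over flow records.

Added example, not GREYCORTEX/MENDEL code. Source country and source ASN
are modelled as Laplace-smoothed categorical variables, flow size as a
log-normal variable; a flow's score is its negative log-likelihood (NLL)
under the model of the service it targets, and a flow alerts when the
score exceeds a threshold calibrated on that service's training flows.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Dict[str, object]   # keys: dst, dport, src_country, src_asn, bytes


class ServiceBaseline:
    """Learned model for one (destination host, destination port) service."""

    def __init__(self, alpha: float = 0.5) -> None:
        self.alpha = alpha                 # pseudo-count given to unseen values
        self.country: Counter = Counter()
        self.asn: Counter = Counter()
        self.log_bytes: List[float] = []
        self.threshold = math.inf          # set by calibrate()

    @property
    def n(self) -> int:
        return len(self.log_bytes)

    def learn(self, flow: Flow) -> None:
        self.country[flow["src_country"]] += 1
        self.asn[flow["src_asn"]] += 1
        self.log_bytes.append(math.log1p(float(flow["bytes"])))

    def _cat_nll(self, counter: Counter, value: object) -> float:
        # Smoothed categorical: an unseen value gets alpha / (n + alpha*(k+1)).
        k = len(counter)
        p = (counter[value] + self.alpha) / (self.n + self.alpha * (k + 1))
        return -math.log(p)

    def _size_nll(self, flow: Flow) -> float:
        mu = sum(self.log_bytes) / self.n
        var = sum((x - mu) ** 2 for x in self.log_bytes) / self.n
        sigma = math.sqrt(var) if var > 0 else 0.5   # floor for constant-size services
        z = (math.log1p(float(flow["bytes"])) - mu) / sigma
        return 0.5 * z * z + math.log(sigma * math.sqrt(2 * math.pi))

    def components(self, flow: Flow) -> Dict[str, float]:
        """NLL per attribute; larger means more surprising."""
        return {"src_country": self._cat_nll(self.country, flow["src_country"]),
                "src_asn": self._cat_nll(self.asn, flow["src_asn"]),
                "bytes": self._size_nll(flow)}

    def score(self, flow: Flow) -> float:
        return sum(self.components(flow).values())

    def calibrate(self, training_flows: List[Flow], margin: float = 3.0) -> None:
        # No training false positives: threshold sits 'margin' nats above the
        # most surprising training flow seen for this service.
        self.threshold = max(self.score(f) for f in training_flows) + margin


class NetworkModel:
    """One baseline per service, the level at which the review says models are built."""

    def __init__(self) -> None:
        self.services: Dict[Tuple[str, int], ServiceBaseline] = defaultdict(ServiceBaseline)
        self._training: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)

    def train(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            key = (f["dst"], f["dport"])
            self.services[key].learn(f)
            self._training[key].append(f)
        for key, baseline in self.services.items():
            baseline.calibrate(self._training[key])

    def detect(self, flows: Iterable[Flow]) -> List[Tuple[Flow, float, str]]:
        alerts = []
        for f in flows:
            key = (f["dst"], f["dport"])
            if key not in self.services:
                alerts.append((f, math.inf, "no baseline: new service or host"))
                continue
            baseline = self.services[key]
            parts = baseline.components(f)
            total = sum(parts.values())
            if total > baseline.threshold:
                worst = max(parts, key=parts.get)
                alerts.append((f, total, f"most surprising attribute: {worst}"))
        return alerts


def make_flow(dst: str, dport: int, country: str, asn: int, nbytes: int) -> Flow:
    return {"dst": dst, "dport": dport, "src_country": country,
            "src_asn": asn, "bytes": nbytes}


# Constructed training set: 40 normal downloads from FTP server 10.0.0.21:21,
# all from US addresses in three ASNs, 20-72 kB each.
TRAINING = [make_flow("10.0.0.21", 21, "US", [64496, 64497, 64498][i % 3],
                      20000 + 1337 * i) for i in range(40)]

# Constructed test flows: two normal ones, then the article's Russian request,
# an oversized transfer, and a never-seen SSH service on the same host.
TEST_FLOWS = [
    make_flow("10.0.0.21", 21, "US", 64497, 30000),
    make_flow("10.0.0.21", 21, "US", 64496, 65000),
    make_flow("10.0.0.21", 21, "RU", 12389, 30000),
    make_flow("10.0.0.21", 21, "US", 64498, 5_000_000),
    make_flow("10.0.0.21", 22, "US", 64496, 4000),
]


def run_demo() -> List[Tuple[Flow, float, str]]:
    model = NetworkModel()
    model.train(TRAINING)
    return model.detect(TEST_FLOWS)


if __name__ == "__main__":
    for flow, score, reason in run_demo():
        print(f"{score:8.2f}  {flow['src_country']} AS{flow['src_asn']:<6} "
              f"{flow['bytes']:>8} B -> {flow['dst']}:{flow['dport']}  {reason}")
```

Two properties of this toy carry over to real deployments: the alert explains which attribute was surprising, which is what an analyst needs to triage it, and a service with no baseline at all is reported rather than silently scored, which is why the review's advice to let the system train for a week before trusting its quiet periods matters.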

OUTPUTS

GREYCORTEX MENDEL enables the user to export the generated events in various formats and send them by e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. Alerts can be generated on defined conditions, together with notifications about detected anomalies. User-configured reports can contain text or graphical visualization of the detected events, of network or application performance, and of other data in the system. The messages can include a variety of adjustable elements, including tables and graphs, and can be exported to standard document formats such as DOCX or PDF.
The e-mail system supports connection to standard e-mail servers over SMTP, with encrypted communication based on PGP (Pretty Good Privacy). Exports can also run at preset intervals or on detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be pre-configured and filtered according to the requirements of the system integration.
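As an added example of what the CEF-over-Syslog export mentioned above carries (code written for this page, not MENDEL's exporter), the Python below serializes one detection event as a CEF record and wraps it in RFC 3164 syslog framing. The record layout is the documented Common Event Format; the vendor and product names, signature ID and sample event are made up for the example, and the severity mapping from CEF's 0-10 scale onto syslog severities is one reasonable choice, not a standard.

```python
"""CEF serialization of a detection event for SIEM export.

Added example, not MENDEL's exporter. Record layout (ArcSight CEF):
    CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension
Header fields must escape '|' and '\\'; extension values must escape '='
and '\\' and encode line breaks as '\\n' and '\\r'. Vendor, product,
signature ID and the sample event are invented for this example.
"""
import socket
from datetime import datetime, timezone
from typing import Dict


def _esc_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Dict[str, object], vendor: str = "ExampleVendor",
           product: str = "NBA-Sensor", version: str = "1.0") -> str:
    """Render one event as a CEF:0 line. CEF severity is an integer 0-10."""
    severity = int(event["severity"])
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_esc_header(str(part)) for part in
                      (vendor, product, version, event["signature_id"],
                       event["name"], severity))
    extension = " ".join(f"{key}={_esc_ext(str(val))}"
                         for key, val in event["extension"].items())
    return f"CEF:0|{header}|{extension}"


def cef_to_syslog_severity(cef_severity: int) -> int:
    """Map CEF 0-10 onto syslog severities: critical(2), warning(4), info(6)."""
    if cef_severity >= 7:
        return 2
    if cef_severity >= 4:
        return 4
    return 6


def to_syslog(cef_line: str, cef_severity: int, ts: datetime,
              hostname: str = "sensor1", facility: int = 16) -> str:
    """Wrap a CEF line in RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOST MSG.

    PRI = facility * 8 + severity; facility 16 is local0.
    """
    pri = facility * 8 + cef_to_syslog_severity(cef_severity)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {cef_line}"


def send_udp(line: str, collector: str, port: int = 514) -> None:
    """Fire-and-forget delivery to a syslog collector (not exercised here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (collector, port))


# Constructed sample event (not real data); 'rt' is epoch milliseconds.
SAMPLE_TS = datetime(2017, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENT = {
    "signature_id": "NBA-1001",
    "name": "FTP client | unseen source country",        # '|' must be escaped
    "severity": 7,
    "extension": {
        "rt": int(SAMPLE_TS.timestamp() * 1000),
        "src": "203.0.113.77", "dst": "10.0.0.21",
        "spt": 51042, "dpt": 21, "proto": "TCP",
        "cs1Label": "baseline", "cs1": "country=US (40 flows)",   # '=' escaped
        "msg": "first request from RU\nprevious 7 days: US only",  # newline escaped
    },
}


def render_sample() -> str:
    """Return the syslog-framed CEF line for SAMPLE_EVENT."""
    return to_syslog(to_cef(SAMPLE_EVENT), SAMPLE_EVENT["severity"], SAMPLE_TS)


if __name__ == "__main__":
    print(render_sample())
```

The escaping is the part that breaks integrations in practice: an unescaped `|` in the event name shifts every later header field by one column in the SIEM, and an unescaped `=` in a free-text value splits it into a bogus key. UDP syslog, as in `send_udp`, is lossy and unauthenticated; for an export the SOC relies on, TLS syslog (RFC 5425) or the SIEM's own collector is the better transport.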
It is possible to detect:

  • RAT Trojan horses (Remote Access Trojans), including C&C system activities
  • Exploitation of zero-day vulnerabilities in services
  • Malware on mobile and embedded devices
  • Long-term APT attacks (Advanced Persistent Threats)
  • Data leaks over DNS, SSH, HTTP(S), etc.
  • Tunneled traffic
  • Protocol anomalies indicating long-term port scanning and other attacker activities
  • Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
  • Spam
  • Preparation for data theft and exfiltration (e.g. by employees)
  • Automated data harvesting
  • Data theft (e.g. from web applications)
  • Phishing attacks
  • Violation of internal security rules and policies
  • Faulty network settings
  • Network and application performance issues
  • DoS and DDoS attacks
  • New or unknown devices, e.g. of the BYOD type (Bring Your Own Device)

Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. They analyze the most interesting information about a particular network obtained through the various detection mechanisms, making it possible to find correlations between events, eliminate false positives and estimate risk. The system is also compatible with risk categorization schemes such as CVSS (Common Vulnerability Scoring System) or the NIST Cybersecurity Framework for critical infrastructure.

INSTALLATION PROCESS

The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces, enabling the monitoring of the required number of source links. The solution can be installed in a probe/collector configuration that enables monitoring of geographically remote networks, or as a cloud deployment.
We tested version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment, based on a fully functional 30-day demo. To ensure that the application runs correctly, the server must have a processor with at least 8 virtual cores, 32 GB of RAM, 500 GB of disk capacity and two network interfaces; the VMware ESXi virtualization system was used. The installation went smoothly, without any issues.
Tabs for the individual configuration areas are well placed; they enable a quick transition to the settings of monitored networks and policies (Policies tab), detection mechanisms (Detection tab), notifications and exports (Exports tab), and authentication mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.

USE OF THE TOOL

At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of quickly displaying the communication of each device and all its services was interesting for me. In particular, it is the security visibility and network transparency that the application brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.
In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, and also capture and save network traffic matching a defined filter into PCAP format files.
The Export tab allows exports to be defined; we at VŠKE use a SIEM, so the possibility of exporting data into that system was interesting for us. However, we encountered an issue particularly relevant for schools: instead of one application we now need two, the SIEM and GREYCORTEX.

CONCLUDING REMARKS

What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what the producer will come up with next.
Doc. Ing. Jaroslav Dočkal, CSc.
Graduate of VDU Martin and VAAZ, currently the vice-dean for science and creative development at Karel Engliš College. He gives lectures at Masaryk University and the University of Defence. He is also a lecturer at Cisco Academy, a tutor for HP and a member of the DSM magazine editorial board.

MENDEL TECHNOLOGY MAXIMIZES SECURITY FOR COST

Cybercrime is evolving at dramatic speed, and at every moment hackers and attackers are figuring out new strategies to compromise organizations and industries. The cybersecurity sector must not fall behind them.
But the number of technologies claiming to deliver cybersecurity is vast, and directing security spending to the right technologies can reduce the cost of breaches. A recent report by Accenture, based on an independent survey by the Ponemon Institute, indicates that among the security technologies with the highest value per cost, machine learning tools and extensive use of cyber analytics and user behavior analytics have a high return on investment; in other words, they bring a greater security benefit for a lower cost. Yet, conversely, Accenture reports that these high-value technologies are under-deployed compared to other tools in the marketplace.

MENDEL, from GREYCORTEX makes extensive use of machine learning and behavior analytics to identify cyber threats, protecting the network from attacks which would be unknown and unseen by other security tools.

With these findings comes an opportunity to focus on the right technology to protect a company’s assets.
To find out more about how MENDEL’s machine learning technology can help you, or to schedule a demonstration, contact your local GREYCORTEX partner, or GREYCORTEX directly.

The study and its images are available here: https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf

GREYCORTEX RELEASES MENDEL 2.9

GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL, version 2.9.0. This version includes several important new features. The first is the Flow Exporter, which lets you export flows from MENDEL to your SIEM solution. The second is the ability to execute script commands on other devices, e.g. firewall systems, in order to block communications. L7 visibility for the SCADA network protocols Modbus and DNP3 has also been added, as has the ability to audit commands executed over SSH connections.
New Features

  • Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This gives you the same level of flow detail as a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
  • Added the ability to execute and send scripts, e.g. to a firewall, which means you can identify and stop incoming malware at the firewall without ever leaving MENDEL.
  • Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for industrial control systems: with these protocols, GREYCORTEX takes its next step into protecting not just “traditional” networks but SCADA systems as well.
  • Added SSH auditing (turn on the SSH audit signature in the status monitor signatures)
  • Added the possibility to filter by a group of entities (subnet, host, MAC, user), extending the filtering options with the comma “,”, e.g. src:172.16.9.20,172.16.9.21 & dst:1.2.3.4 shows communication between source IPs 172.16.9.20 or 172.16.9.21 and destination IP 1.2.3.4. In a nutshell: much more efficient filtering. Identify communication not just from one source to one destination, but from several hosts to a single destination, so complicated attacks become clear.
  • MENDEL is powerful and detailed, but now it works just as well for the T1 security analyst. New installations and newly created users will see new default dashboards with Overview, Performance and Security tabs included, for ease of use by everyone.

Improvements
Several features of MENDEL were improved, including the installation and update process, flow optimization, and detection features such as the ability to choose your preferred IDS ruleset and better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.

PETR CHALOUPKA NAMED TO NE100

GREYCORTEX is happy to announce that CEO and Co-Owner Petr Chaloupka was named to the New Europe 100 (NE100). The list is made up of individuals selected by the Financial Times, Google, the Visegrad Fund, and Res Publica.

Now in its fourth year, the 2017 New Europe 100 “is a list of central and eastern Europe’s brightest and best citizens who are changing the region’s societies, politics, or business environments and displaying fresh approaches to prevailing problems. The aim is to raise the profile of changemakers in emerging Europe and to build connection among those in the vanguard.”
Previous editions of the NE100 have included such well-known business leaders as Vaclav Muchna, CEO of Y Soft.
You can read more about the NE100 here: http://ne100.org/news/show/new-europe-100-challengers-2017,5a166ff03228719568984a76