Software Infrastructure as a Service

 

One of the advantages that a start-up company has when entering the market is the ability to adapt quickly to perceived market gaps. LimaCharlie’s original hypothesis saw our business built around offering the best endpoint detection and response solution in existence. We envisioned making it available as middleware with a no-strings-attached pricing model that would set it apart from other offerings.

As we started to roll things out - and in the process having a lot of conversations with our customers - we realized that some of the pain people were experiencing was in putting together a complete information security stack, and then keeping it functioning at scale. Managed security providers we spoke with were frustrated with all the busy work involved in keeping the wheels on a series of open source and proprietary products strung together with the digital equivalent of duct tape. It is not that the need for a strong drop-in endpoint detection and response capability does not exist - it most certainly does - but there are many industry-specific problems managing the infrastructure required for a good security posture. As of yet, nobody has tried to address these problems as a whole using a contemporary delivery model.

It was hearing the same problems being described by our customers repeatedly that got us thinking: we have always admired the way Amazon developed their web services. As a result of their innovation, companies went from racking servers and running cables to spinning up complex cloud-based infrastructure with just a few clicks. This transformation of the way computing resources are delivered touches almost every area of the digital economy, and the approach has been emulated by Google, Microsoft and many others. LimaCharlie is pushing to be at the edge of this type of transformation in information security. Starting with our strong endpoint detection and response offering, we have built out a series of technologies that can be strung together ad hoc - at the click of a few buttons - to provide a completely integrated information security stack. LimaCharlie calls this approach Security Infrastructure as a Service (SIaaS).

Global Coverage

The LimaCharlie global infrastructure is built on the Google Cloud Platform (GCP) and currently has computing resources available in the USA, Canada, Europe, India and the United Kingdom. Choosing a geographical location ensures data will always be processed in this location and never moved outside. New data centres can be spun up anywhere GCP is available upon customer request.

What this means is that you can spin up infrastructure to support security operations anywhere in the world as needed. Paradigms such as infrastructure-as-code, used by LimaCharlie’s SIaaS, allow you to roll out well-articulated configurations in minutes, and the best part is that everything just works.

To learn more and read about all the different components of LimaCharlie’s Software Infrastructure as a Service you can visit siaas.limacharlie.io


 

External Log Ingestion

 
Log Listing

Logs are critical in information security but the amount of data they generate is huge and existing solutions for managing them are expensive. LimaCharlie can now automatically collect and store logs with no configuration, without installing another agent, for a full year. And yes, you can even send logs to LimaCharlie manually.

LimaCharlie can consume logs from any OS. Logs can be unstructured (no parsers necessary) and we even support pcap and Windows logs.

With this new capability you can search, visualize and correlate over a full year of log and endpoint data.

Detailed documentation on this new capability can be found here.

Coming soon is the extension of LimaCharlie’s powerful detection and response rules to include logs on top of the EDR data, which will allow you to build detections and automations based on logs.

With the addition of log ingestion and correlation LimaCharlie makes the promise of Security Infrastructure as a Service a reality.

 

Data Visualization

 

They say a picture is worth a thousand words. If that is true, then what is an interactive visualization of a year’s worth of endpoint telemetry across your entire fleet worth? LimaCharlie is proud to be launching a new data visualization console today and we are very excited about what it means for threat hunting on our platform.

With this interface users can explore prevalence and timing data for domains, IP addresses, files, file paths, hashes and users across their entire fleet for up to a year’s worth of telemetry. This console also allows users to search for a given sensor ID and deep dive all of the aforementioned data points for a single endpoint over the given time period.

For example, if a client inside of an organization reports an attempted phishing email an analyst can take that domain and search across the entire fleet to see if the indicator of compromise (IOC) has been observed anywhere else.

When searched, instances of this IOC will show up in the graph along with information relating to when it was observed, how often and across how many endpoints. Users can then click on any given graph node to get more information and start to drill down.

In the example above we can see that the given domain was observed multiple times across a variety of different endpoints. If we click on one of the nodes we can see details for it in the lower data panel. Under the metadata tab we can find the IP address behind the domain and search the fleet to see if it has shown up anywhere else.

As the investigation progresses and an endpoint of interest is identified, we can search for its sensor ID and take a closer look at what happened. The graphs for a given endpoint can be quite noisy, and using the various filtering options we can start to strip information back. We can reduce the data included in any graph by adjusting parameters around how prevalent the various events are. It is our experience that rare events are of the most interest.

Once the search has been narrowed down to a particular point in time we can launch a link to that moment in the historical telemetry explorer to examine any process attached to the event we are investigating. If we do find something of concern we can immediately isolate that host from the network and start searching across the rest of the fleet for any new IOCs that we come across.

This article has just scratched the surface of what is possible with this new interface into the LimaCharlie endpoint telemetry. As we continue to build out our Security Infrastructure as a Service (SIaaS) you can expect a lot more. If you have any questions, suggestions for features or just want to say hello, please do not hesitate to contact us.

Happy hunting!

 

Building A Community

 

The best defence that information security professionals have against bad actors is collaboration. The sharing of information around new threats and implementing best practices is the preeminent way to ensure a strong security fabric across cyber space.

LimaCharlie encourages the spirit of information sharing through our User Add-on capability. Any user of LimaCharlie can create their own private Add-ons or choose to make them public and share them with the wider community.

An Add-on can be a detection, a threat feed, DNS lookup, white list, black list, Levenshtein String Distance, check for a known APT or anything in between. It is a powerful entry point into the LimaCharlie endpoint detection and response platform.

Most recently @LoveKebabble from the very capable team at Soteria released two different threat feeds for public consumption on the LimaCharlie platform. Details around these Add-ons are as follows.

scumbots-sha256-malware-hashes

This feed scrapes the @ScumBots twitter feed provided by @pmelson and collects the SHA-256 hashes. It is common for threat actors to host their malicious code on paste sites so that it can then be pulled down and executed with CLI tools such as PowerShell. Should this lookup trigger an alert, you can reference either @ScumBots or https://github.com/david-burkett/ScumBots-DataFeed to get more context around the alert itself, such as the C2 channels used and a link to the pastebin with the exact code executed on your organization's system.

tajmahal-apt-framework

Content of the add-on: C&C IPs, domains, hashes. Description: ‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.

LimaCharlie currently offers a multitude of detections and lookups for free, along with providing our users the ability to make as many more as they like. To learn how to create your own User Add-ons you can visit the documentation here.

LimaCharlie also has a vibrant Slack community that you can join. The Slack channel is a great place to ask questions, collaborate with other community members and provide feedback to the team behind the product. There is almost always somebody from the LimaCharlie team online and we love to talk endpoint detection and response.

 

Threat Hunting Across Historical Telemetry

 

Recently we announced a new capability that allows MSSPs to perform retroactive hunting on up to a year’s worth of telemetry data. This ability to retroactively apply Detection & Response (D&R) rules to the LimaCharlie telemetry is very powerful and through the use of the API can be used to build Continuous Delivery (CD) / Continuous Integration (CI) into detection systems.

Previously only available through the API, this capability is now offered through our Replicant platform. Replicants can be thought of as digital automatons: expert-driven algorithms which perform tasks normally carried out by humans. Each Replicant has a particular specialization and can be enabled at the click of a button.

The Replay Replicant allows an analyst to select a date range and search an endpoint’s history, or scan across the history of the entire fleet, for indicators of compromise (IOC). Almost any detection that can be written can be applied retroactively against historical telemetry.

Imagine waking up one morning with the details being reported of a new threat actor targeting your industry. You have details on how this new threat can be detected, but how do you know if you have seen it inside your network during the last year? Using LimaCharlie’s Replay Replicant you can retroactively scan all of the historical telemetry across your entire fleet in just a few minutes with a couple of clicks.

The user interface for the Replay Replicant is simple. It requires that a user select a date range for the scan, the D&R rule to use and finally an endpoint or set of endpoints to scan. Once this information has been provided the user initiates the process and the results are displayed in an incident card.

And that in a nutshell is the new Replay Replicant. You can read the doc for the Replay API here.

We are pretty excited about the direction we are taking with the Replicant platform and see it as an important building block in our quest to build the world’s best system of information security infrastructure on demand.

If you have any questions or ideas for new features we would love to talk. You can get a hold of us on Twitter, join our community slack group or contact us directly.

Happy hunting!

 

Running Detections Against Historical Data

 

LimaCharlie is launching Replay: a powerful new capability that allows organizations to perform retroactive hunting or build Continuous Delivery (CD) / Continuous Integration (CI) into their detection systems.

At its heart, Replay allows you to retroactively apply Detection & Response (D&R) rules to LimaCharlie traffic from any point in time during the last year, or from whenever the telemetry storage feature, Insight, was turned on.

This ability enables you to look for specific indicators of compromise (IOC) and to run complete D&R rules, including threat feeds, APIs and operators, against historical telemetry.

Replay is currently available through the LimaCharlie CLI and REST API with a web interface coming soon.

An example of how Replay can add value:

An attacker is found and it is believed that their common technique is to drop unsigned executables in System32 which make outbound network connections to port 443. The following rule captures that behaviour:

 
detect:
  event: NETWORK_SUMMARY
  op: and
  rules:
    - op: is windows
    - op: is
      path: event/PROCESS/FILE_IS_SIGNED
      value: 0
    - op: contains
      path: event/PROCESS/FILE_PATH
      value: system32
      case sensitive: false
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING
      value: 1
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT
      value: 443
respond:
- action: report
  name: sys32-outbound-unsigned

To launch the example rule above against the last seven days (604800 seconds) of telemetry for the entire organization, you would run the following.

 
limacharlie-replay --entire-org --last-seconds 604800 --rule-content ./rule.yaml
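The following is an added example, not LimaCharlie's own code or engine: a minimal evaluator that applies the D&R rule above to a few constructed NETWORK_SUMMARY events, in the way the Replay Replicant and the Replay CLI apply a rule to stored telemetry. The event nesting, the `routing` block and the semantics of the `is`, `contains`, `is windows` and `case sensitive` operators are simplified assumptions modelled on the YAML shown, not the real D&R engine.

```python
# Added example, not LimaCharlie's own code: a minimal evaluator applying the D&R rule
# above to constructed NETWORK_SUMMARY events, as Replay does over stored telemetry.
# The event shape and operator semantics here are simplified assumptions.

def lookup(event, path):
    # Follow a slash path such as event/PROCESS/FILE_IS_SIGNED; None if absent.
    node = event
    for key in path.split("/"):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def eval_rule(rule, event):
    op = rule["op"]
    if op == "and":
        return all(eval_rule(r, event) for r in rule["rules"])
    if op == "is windows":
        return event["routing"].get("platform") == "windows"
    value = lookup(event, rule["path"])
    if op == "is":
        return value is not None and value == rule["value"]
    if op == "contains":
        hay, needle = str(value), str(rule["value"])
        if not rule.get("case sensitive", True):
            hay, needle = hay.lower(), needle.lower()
        return value is not None and needle in hay
    raise ValueError(f"unsupported op: {op}")

RULE = {"event": "NETWORK_SUMMARY", "op": "and", "rules": [  # the page's rule, as a mapping
    {"op": "is windows"},
    {"op": "is", "path": "event/PROCESS/FILE_IS_SIGNED", "value": 0},
    {"op": "contains", "path": "event/PROCESS/FILE_PATH", "value": "system32", "case sensitive": False},
    {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING", "value": 1},
    {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 443}]}

def make_event(platform, signed, file_path, port):
    # Constructed telemetry record; the nesting is an assumption of this example.
    net = {"IS_OUTGOING": 1, "DESTINATION": {"PORT": port}}
    return {"routing": {"platform": platform, "event_type": "NETWORK_SUMMARY"},
            "event": {"PROCESS": {"FILE_IS_SIGNED": signed, "FILE_PATH": file_path,
                                  "NETWORK_ACTIVITY": net}}}

def replay(rule, events):
    # Retroactive pass over stored events: return those the rule would report on.
    return [e for e in events if e["routing"]["event_type"] == rule["event"] and eval_rule(rule, e)]

SAMPLE_EVENTS = [make_event("windows", 0, "C:\\Windows\\System32\\updater.exe", 443),  # reported
                 make_event("windows", 1, "C:\\Windows\\System32\\svchost.exe", 443),  # signed
                 make_event("linux", 0, "/usr/bin/curl", 443),                          # not Windows
                 make_event("windows", 0, "C:\\Users\\bob\\tool.exe", 443)]             # not System32
```

Running `replay(RULE, SAMPLE_EVENTS)` reports only the first event; the other three each fail exactly one clause of the `and`, which is a useful way to sanity-check a new rule before pointing it at a year of real telemetry.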

Not only can Replay help LimaCharlie users search their historical telemetry for IOCs and build CD/CI into their detection pipelines, it also speeds up rule creation. New rules can immediately be directed against historical data to test their effectiveness.

The team at LimaCharlie is extremely excited about all the possibilities that this new functionality opens up. If you have any questions regarding Replay - or any other capability - please do not hesitate to contact us.


Getting Started Guide

 

The majority of LimaCharlie users are mature MSSPs and SOCs. As we move forward and bring on more and more customers we have noticed that a significant number are technically capable people looking to expand into new areas of information security coverage for their respective organizations.

That is, we are seeing a lot of CTOs, heads of IT, etc., who are looking to create a better security posture for their organization and who may not have the budget to hire an MSSP. A lot of people we see trying the product are just curious as well: researchers, students, hackers and tinkerers.

Education is one of our core tenets, and to this end we have created a new Getting Started document that outlines setting up a new account with some basic coverage that touches a few main areas. You can download that document here: Getting Started with LimaCharlie

And a reminder that we do offer a free online course that can be accessed at edu.limacharlie.io

 

Dark Theme & White Labelling

 

At its core LimaCharlie is a Security Platform as a Service (SPaaS). You can think of it as the Amazon Web Services of endpoint security. Scalable, on demand security infrastructure that is designed to bolster the capability of MSSPs and SOCs.

The team at LimaCharlie recently refactored our web application to use a templating system in order to create a dark theme for analysts. Our team knows what it is like to work at a computer for long periods of time and we find that dark themes are the easiest on the eyes. Additional motivation for this work was to improve our ability to do deep white labelling for customers that want to integrate the web application into external facing aspects of their pipeline.

For customers operating at a certain scale, LimaCharlie now offers white label versions of the web application that are completely branded. Every colour, logo, doc link and URL can be customized with a single configuration file. This was a big project and will be ongoing with localization next on the docket.

If you are interested in white labelling - or have any questions about how the LimaCharlie SPaaS can bolster your capability - please contact us.