Threat Hunting Across Historical Telemetry


Recently we announced a new capability that allows MSSPs to perform retroactive hunting on up to a year’s worth of telemetry data. This ability to retroactively apply Detection & Response (D&R) rules to the LimaCharlie telemetry is very powerful and through the use of the API can be used to build Continuous Delivery (CD) / Continuous Integration (CI) into detection systems.

Previously only available through the API, we are now offering this capability through our Replicant platform. Replicants can be thought of as digital automatons: expert driven algorithms which perform tasks normally carried out by humans. Each Replicant has a particular specialization and can be enabled at the click of a button.


The Replay Replicant allows an analyst to select a date range and search an endpoint’s history, or scan across the history of the entire fleet, for indicators of compromise (IOC). Almost any detection that can be written can be applied retroactively against historical telemetry.

Imagine waking up one morning with the details being reported of a new threat actor targeting your industry. You have details on how this new threat can be detected, but how do you know if you have seen it inside your network during the last year? Using LimaCharlie’s Replay Replicant you can retroactively scan all of the historical telemetry across your entire fleet in just a few minutes with a couple of clicks.

The user interface for the Replay Replicant is simple. It requires that a user select a date range for the scan, D&R rule to use and finally an endpoint or set of endpoints to scan. Once this data has been provided the user initiates the process and the results are displayed in an incident card.


And that in a nutshell is the new Replay Replicant. You can read the doc for the Replay API here.

We are pretty excited about the direction we are taking with the Replicant platform and see it as an important building block in our quest to build the world’s best system of information security infrastructure on demand.

If you have any questions or ideas for new features we would love to talk. You can get a hold of us on Twitter, join our community slack group or contact us directly.

Happy hunting!


Running Detections Against Historical Data


LimaCharlie is launching Replay: a powerful new capability that allows organizations to perform retroactive hunting or build Continuous Delivery (CD) / Continuous Integration (CI) into their detection systems.

At its heart, Replay allows you to retroactively apply Detection & Response (D&R) rules to LimaCharlie traffic from any point in time during the last year, or from whenever the telemetry storage feature, Insight, was turned on.

This ability enables you to look for specific indicators of compromise (IOC) and run complete D&R rules, including threat feeds, APIs or operators against historical telemetry.

Replay is currently available through the LimaCharlie CLI and REST API with a web interface coming soon.

An example of how Replay can add value:

An attacker is found and it is believed that the common technique used is to drop executables in System32 which perform network connections outbound to port 443. These executables are not signed.

detect:
  event: NETWORK_SUMMARY
  op: and
  rules:
    - op: is windows
    - op: is
      path: event/PROCESS/FILE_IS_SIGNED
      value: 0
    - op: contains
      path: event/PROCESS/FILE_PATH
      value: system32
      case sensitive: false
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING
      value: 1
    - op: is
      path: event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT
      value: 443
respond:
- action: report
  name: sys32-outbound-unsigned

And then to launch the query given as an example above you would run the following.

limacharlie-replay --entire-org --last-seconds 604800 --rule-content ./rule.yaml
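To make the matching behaviour of the rule above concrete, here is an added local evaluator (written for this page, not LimaCharlie's own engine) for the four operators the rule uses, run over constructed NETWORK_SUMMARY messages; the routing/event field layout, the platform string and the sample paths are assumptions derived from the rule's paths, and the last sample shows why independent checks on a list-valued path do not correlate with each other.

```python
# Added illustration, not LimaCharlie's engine: evaluates the operators used by the
# rule above (and, is windows, is, contains) over constructed NETWORK_SUMMARY messages
# whose field layout is an assumption derived from the rule's paths.
RULE = {"event": "NETWORK_SUMMARY", "op": "and", "rules": [
    {"op": "is windows"},
    {"op": "is", "path": "event/PROCESS/FILE_IS_SIGNED", "value": 0},
    {"op": "contains", "path": "event/PROCESS/FILE_PATH", "value": "system32", "case sensitive": False},
    {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/IS_OUTGOING", "value": 1},
    {"op": "is", "path": "event/PROCESS/NETWORK_ACTIVITY/DESTINATION/PORT", "value": 443},
]}
def resolve(node, parts):
    """Yield every value reached by a slash path; a list node fans out per element."""
    if not parts:
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from resolve(item, parts)
    elif isinstance(node, dict) and parts[0] in node:
        yield from resolve(node[parts[0]], parts[1:])
def evaluate(rule, msg):  # True if the message satisfies the rule (subset of D&R operators)
    op = rule["op"]
    if op == "and":
        return all(evaluate(r, msg) for r in rule["rules"])
    if op == "is windows":
        return msg["routing"].get("platform") == "windows"
    found = list(resolve(msg, rule["path"].split("/")))
    if op == "is":
        return any(v == rule["value"] for v in found)
    if op == "contains":  # case-insensitive when "case sensitive: false"
        fold = (lambda s: s) if rule.get("case sensitive", True) else str.lower
        return any(fold(str(rule["value"])) in fold(str(v)) for v in found)
    raise ValueError(f"unsupported operator: {op}")
def msg(sid, path, signed, activity, platform="windows"):  # constructed sample message
    return {"routing": {"sid": sid, "event_type": "NETWORK_SUMMARY", "platform": platform},
            "event": {"PROCESS": {"FILE_PATH": path, "FILE_IS_SIGNED": signed,
                                  "NETWORK_ACTIVITY": activity}}}
OUT443 = [{"IS_OUTGOING": 1, "DESTINATION": {"PORT": 443}}]
SAMPLE = [  # constructed telemetry, not real data
    msg("s1", r"C:\Windows\System32\svchost.exe", 1, OUT443),     # signed: no match
    msg("s2", r"C:\Windows\SYSTEM32\upd.exe", 0, OUT443),         # match (case folded)
    msg("s3", r"C:\Users\bob\tool.exe", 0, OUT443),                # not under system32
    msg("s4", r"C:\Windows\System32\x.exe", 0, OUT443, "linux"),  # not windows
    # Caveat: independent checks on a list path do not correlate, so outbound
    # to port 80 plus inbound on 443 still satisfies the rule.
    msg("s5", r"C:\Windows\System32\y.exe", 0, [{"IS_OUTGOING": 1, "DESTINATION": {"PORT": 80}},
                                                {"IS_OUTGOING": 0, "DESTINATION": {"PORT": 443}}]),
]
def replay(rule, messages):  # what Replay does over stored history: return matching sids
    return [m["routing"]["sid"] for m in messages
            if m["routing"]["event_type"] == rule["event"] and evaluate(rule, m)]
```

Running `replay(RULE, SAMPLE)` returns `['s2', 's5']`; s5 is the case to keep in mind when testing a new rule against history, since a hit there is a correlation gap in the rule rather than evidence of the behaviour described.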

Not only can Replay help LimaCharlie users search their historical telemetry for IOCs and build CD/CI into their detection pipelines, it also speeds up rule creation. New rules can immediately be directed against historical data to test their effectiveness.

The team at LimaCharlie is extremely excited about all the possibilities that this new functionality opens up. If you have any questions regarding Replay - or any other capability - please do not hesitate to contact us.


Getting Started Guide


The majority of LimaCharlie users are mature MSSPs and SOCs. As we move forward and bring on more and more customers we have noticed a significant number are technically capable actors looking to expand into new areas of information security coverage for their respective organizations.

That is, we are seeing a lot of CTOs, heads of IT, etc., who are looking to create a better security posture for their organization and who maybe do not have the budget to hire an MSSP. A lot of people we see trying the product are just curious as well: researchers, students, hackers and tinkerers.

Education is one of our core tenets and to this end we have created a new Getting Started document that outlines setting up a new account with some basic coverage that touches a few main areas. You can download that document here: Getting Started with LimaCharlie

And a reminder that we do offer a free online course that can be accessed at edu.limacharlie.io


Dark Theme & White Labelling


At its core LimaCharlie is a Security Platform as a Service (SPaaS). You can think of it as the Amazon Web Services of endpoint security. Scalable, on demand security infrastructure that is designed to bolster the capability of MSSPs and SOCs.


The team at LimaCharlie recently refactored our web application to use a templating system in order to create a dark theme for analysts. Our team knows what it is like to work at a computer for long periods of time and we find that dark themes are the easiest on the eyes. Additional motivation for this work was to improve our ability to do deep white labelling for customers that want to integrate the web application into external facing aspects of their pipeline.


For customers operating at a certain scale, LimaCharlie now offers white label versions of the web application that are completely branded. Every colour, logo, doc link and URL can be customized with a single configuration file. This was a big project and will be ongoing with localization next on the docket.


If you are interested in white labelling - or have any questions about how the LimaCharlie SPaaS can bolster your capability - please contact us.


Universal Search


One of the challenges faced by the team at LimaCharlie is figuring out how to expose the breadth and capability of our technology through the web application. There are many different factors that contribute to the design decisions we make but one of our guiding principles is that we want analysts to be able to get the information they need as quickly and easily as possible.

To this end, we have introduced a universal search bar into the dashboard of the web application. This single search interface serves as a good starting point for the vast majority of data inquiries.

Search Bar

From this interface users can search using a sensor ID, hostname prefix, IP address, hash, file path and more.

Searching for an IP, file path, hash or user name will bring back stats around the prevalence of the given datapoint. The prevalence is represented by three numbers indicating how many times the data point was seen on the given organization’s hosts over the last day, last week and last month. This data can provide a strong clue about whether or not something has just showed up to the party.

IP Address Search Results

Searching for a sensor ID or hostname prefix will bring back links that lead directly into the live console or historical data explorer for the given sensor. These search results act as a shortcut into full access of the endpoint and all of its historical telemetry.

Agent Search Results

It is still early days for this search feature but we are very happy with its performance and the type of agility that it enables. We are always interested in user feedback so if you have any suggestions on how we can improve this, or any feature, please get in touch.

Happy Hunting!


Replicants


Replicants can be thought of as digital automatons: expert driven algorithms which utilize some basic artificial intelligence to perform tasks that would normally be completed by humans.

Each replicant has a particular specialization and can be enabled at the click of a button in the Add-ons section. Once enabled any given replicant can be configured by interacting with it in the War Room section of the web application.


YARA Replicant

The YARA Replicant is designed to help you with all aspects of YARA scanning. It takes what is normally a piecewise process, provides a framework and automates scanning.

YARA signatures can be run by the Replicant on demand for a particular endpoint or run continuously in the background across the entire fleet.

There are three main sections to the YARA Replicant, as follows.

Sources

This is where the source for the YARA signatures to be used by the Replicant is defined. Source URLs can be a direct link to a single YARA rule (.yar file) or a link to a folder containing a collection of signatures in multiple files.

In order to use the signatures for Email and General Phishing Exploits that exist in this Github repo we would link the following URL, which is basically just a folder full of .yar files.

https://github.com/Yara-Rules/rules/tree/master/email

Another example would be to link the very popular YARA signatures provided by Florian Roth.

https://github.com/Neo23x0/signature-base/tree/master/yara


Rules

Rules define YARA Replicant actions that run in the background across your entire fleet. The following information defines which subset of sensors should be scanned with which YARA signatures on an ongoing basis.

To create a rule you give it a name, choose which platforms you want to investigate and then select the combination of tags that need to be present for a given endpoint to be scanned. To complete the process you select the source of the YARA signatures (as given in the previous section) and click save.


Scan

The scan section allows you to select an endpoint and which YARA signatures that you want to run against it. Starting immediately after you click the scan button the YARA Replicant will start generating a report.


Responder Replicant

The Responder Replicant performs an in-depth sweep through the state of a given host. The sweep will highlight parts of the activity that are suspicious. This provides you with a good starting position when beginning an investigation and allows you to focus on the important things right away.

The information that is returned by the sweep is continually evolving but you can expect it to return the following:

  • A full list of processes and modules

  • A list of unsigned binary code running in processes

  • Network connections with a list of processes listening and active on the network

  • Hidden modules

  • A list of recently modified files

  • Unique or rare indicators of compromise


Integrity Replicant

The Integrity Replicant helps manage all aspects of File and Registry integrity monitoring.

Rules define which file path patterns and registry patterns should be monitored for changes on specific sets of hosts. To create a rule you give it a name, select which platforms you want to investigate and then select the combination of tags that needs to be present for a given endpoint to be scanned.

Patterns are file or registry patterns, supporting wildcards (*, ?, +). Windows directory separators (backslash, "\") must be escaped like "\\".


The team at LimaCharlie is going to continue adding more capability through this Replicant model. If you have any questions - or suggestions for upcoming Replicants - we would love to hear from you.


Managing Multiple Organizations


LimaCharlie is multi-tenant because it is designed for managed security service providers (MSSPs). This means that you can have as many organizations as you want under one account. Each organization is billed independently and can have any number of users with varying levels of ability assigned using the role-based access control system. White-labelling is available for MSSPs who are leveraging the private cloud option or operating at a certain volume.

In order to make onboarding new organizations as simple as possible LimaCharlie provides a method for setting up an organization using a config file. This 'Infrastructure as Code' approach mitigates human error and allows you to build a robust infrastructure (it will save you time and headaches). Information on how to manage configurations can be found in this blog article.

Most recently we have started to add multi-org functionality to our CLI. Now from the command line you can search for specific indicators of compromise across all of the organizations under your control. You can read more about this new multi-org CLI command here.

To stay up to date with our feature development you can follow LimaCharlie on Twitter or LinkedIn.


Searching Multiple Orgs for IOCs


The command line interface (CLI) for LimaCharlie now supports searching for indicators of compromise (IOC) across multiple organizations. Users can use the CLI to search for file hashes, file paths, IP addresses, domains and users across all organizations under their control with a single command.

The new CLI command supports multiple arguments and the output is written human-readable to stdout or to a file as YAML. The following man page outlines all available options and provides an example.

-----------------------------------------------------------------------
It's in limacharlie 2.8.0:
pip install limacharlie --user

Example usage:
$ limacharlie-search --help
usage: limacharlie.io search [-h] -t TYPE -o IOC [-i INFO]
                             [--case-insensitive] [--with-wildcards]
                             [-e ENVIRONMENT] [--output OUTPUT]
optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  the IOC type to search for, one of: file_hash,
                        file_name, file_path, ip, domain, user.
  -o IOC, --ioc IOC     the valid of the IOC to search for
  -i INFO, --info INFO  the type of information to return, one of "summary" or
                        "locations", "summary" is default.
  --case-insensitive    make the search case insensitive.
  --with-wildcards      make the search using the "%" wildcard.
  -e ENVIRONMENT, --environment ENVIRONMENT
                        the name of the LimaCharlie environment (as defined in
                        ~/.limacharlie) to use, otherwise all environments are
                        used.
  --output OUTPUT       location where to send output, "-" by default outputs
                        human readable to stdout, otherwise it should be a
                        file where YAML will be written to.

Example run:
$ limacharlie-search -t file_path -o %nject% --with-wildcards --case-insensitive -i locations
Querying 2 environments for %nject% (file_path) to -.
Skipping test-lon-1 (95a34ec2-48cd-471c-bc34-cccb0257c16a) as Insight is not enabled.
replicant (c82e5c17-d519-4ef5-a4ac-c454a95d31ca)
=========================================
2ccd01e7-b201-4c3d-9436-25a9bd896e69:
  first_ts: 1549124137
  hostname: win-5kc7e0ng1od
  last_ts: 1549149822
  sid: 2ccd01e7-b201-4c3d-9436-25a9bd896e69
334a15a5-a39d-43d1-b7d5-f7b604db1bc0:
  first_ts: 1549116394
  hostname: win-5kc7e0ng1od
  last_ts: 1549116395
  sid: 334a15a5-a39d-43d1-b7d5-f7b604db1bc0
Done, 2 results.
-----------------------------------------------------------------------