Universal Search

 

One of the challenges faced by the team at LimaCharlie is figuring out how to expose the breadth and capability of our technology through the web application. There are many different factors that contribute to the design decisions we make but one of our guiding principles is that we want analysts to be able to get the information they need as quickly and easily as possible.

To this end, we have introduced a universal search bar into the dashboard of the web application. This single search interface serves as a good starting point for the vast majority of data inquiries.

Search Bar

From this interface users can search using a sensor ID, hostname prefix, IP address, hash, file path and more.

Searching for an IP, file path, hash or user name will bring back stats around the prevalence of the given datapoint. The prevalence is represented by three numbers indicating how many times the data point was seen on the given organization’s hosts over the last day, last week and last month. This data can provide a strong clue about whether or not something has just shown up to the party.
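The day/week/month prevalence counters are easy to reproduce from your own telemetry export, and doing so shows why the three numbers together matter more than any one of them. The script below is an added example written for this post, not LimaCharlie code; the sightings list, the fixed "now" and the 30-day month are constructed assumptions, and the `looks_new` heuristic is one reading of the "just shown up" clue, not a product rule.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible (constructed, not real data).
NOW = datetime(2019, 2, 3, 12, 0, tzinfo=timezone.utc)

# Constructed sample telemetry: (hostname, datapoint, time the datapoint was seen).
SIGHTINGS = [
    ("host-a", "10.0.0.5", NOW - timedelta(hours=2)),
    ("host-b", "10.0.0.5", NOW - timedelta(days=3)),
    ("host-c", "10.0.0.5", NOW - timedelta(days=20)),
    ("host-a", "c:\\tools\\psexec.exe", NOW - timedelta(days=60)),  # older than a month
    ("host-d", "updater.exe", NOW - timedelta(hours=1)),            # first ever sighting
]

# Trailing windows that the search UI reports; "month" is assumed to be 30 days here.
WINDOWS = {
    "day": timedelta(days=1),
    "week": timedelta(weeks=1),
    "month": timedelta(days=30),
}


def prevalence(datapoint, sightings=SIGHTINGS, now=NOW):
    """Count how many times `datapoint` was seen in each trailing window.

    Returns {"day": n, "week": n, "month": n}; a sighting inside the day
    window is by construction also inside the week and month windows.
    """
    counts = {name: 0 for name in WINDOWS}
    for _host, value, seen_at in sightings:
        if value != datapoint:
            continue
        age = now - seen_at
        for name, window in WINDOWS.items():
            if age <= window:
                counts[name] += 1
    return counts


def looks_new(counts):
    """Triage heuristic (an assumption, not a product rule): if every sighting
    in the last month also falls inside the last day, the datapoint has only
    just appeared in the fleet and deserves a closer look."""
    return counts["month"] > 0 and counts["month"] == counts["day"]


if __name__ == "__main__":
    for dp in ("10.0.0.5", "updater.exe", "c:\\tools\\psexec.exe"):
        c = prevalence(dp)
        print(f"{dp:24} day={c['day']} week={c['week']} month={c['month']} new={looks_new(c)}")
```

Read the three numbers as a trend: an IP with 1/2/3 has been around for weeks, whereas a binary whose day and month counts are identical has no history at all.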

IP Address Search Results

Searching for a sensor ID or hostname prefix will bring back links that lead directly into the live console or historical data explorer for the given sensor. These search results act as a shortcut into full access of the endpoint and all of its historical telemetry.

Agent Search Results

It is still early days for this search feature but we are very happy with its performance and the type of agility that it enables. We are always interested in user feedback so if you have any suggestions on how we can improve this, or any feature, please get in touch.

Happy Hunting!

 

Replicants

 

Replicants can be thought of as digital automatons: expert-driven algorithms which utilize some basic artificial intelligence to perform tasks that would normally be completed by humans.

Each replicant has a particular specialization and can be enabled at the click of a button in the Add-ons section. Once enabled any given replicant can be configured by interacting with it in the War Room section of the web application.


YARA Replicant

The YARA Replicant is designed to help you with all aspects of YARA scanning. It takes what is normally a piecewise process, provides a framework and automates scanning.

YARA signatures can be run by the Replicant on demand for a particular endpoint or run continuously in the background across the entire fleet.

There are three main sections to the YARA Replicant, as follows.

Sources

This is where the source for the YARA signatures to be used by the Replicant is defined. Source URLs can be a direct link to a single YARA rule (.yar file) or a link to a folder containing a collection of signatures in multiple files.

In order to use the signatures for Email and General Phishing Exploits that exist in this GitHub repo we would link the following URL, which is basically just a folder full of .yar files.

https://github.com/Yara-Rules/rules/tree/master/email

Another example would be to link the very popular YARA signatures provided by Florian Roth.

https://github.com/Neo23x0/signature-base/tree/master/yara


Rules

Rules define YARA Replicant actions that run in the background across your entire fleet. The following information defines which subset of sensors should be scanned with which YARA signatures on an ongoing basis.

To create a rule you give it a name, choose which platforms you want to investigate and then select the combination of tags that need to be present for a given endpoint to be scanned. To complete the process you select the source of the YARA signatures (as given in the previous section) and click save.


Scan

The scan section allows you to select an endpoint and the YARA signatures you want to run against it. As soon as you click the scan button the YARA Replicant starts generating a report.


Responder Replicant

The Responder Replicant performs an in-depth sweep through the state of a given host. The sweep will highlight parts of the activity that are suspicious. This provides you with a good starting position when beginning an investigation and allows you to focus on the important things right away.

The information that is returned by the sweep is continually evolving but you can expect it to return the following:

  • A full list of processes and modules

  • A list of unsigned binary code running in processes

  • Network connections with a list of processes listening and active on the network

  • Hidden modules

  • A list of recently modified files

  • Unique or rare indicators of compromise


Integrity Replicant

The Integrity Replicant helps manage all aspects of File and Registry integrity monitoring.

Rules define which file path patterns and registry patterns should be monitored for changes on specific sets of hosts. To create a rule you give it a name, select which platforms you want to investigate and then select the combination of tags that need to be present for a given endpoint to be monitored.

Patterns are file or registry path patterns supporting the wildcards *, ? and +. Windows directory separators (backslash, "\") must be escaped as "\\".
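The escaping rule above trips people up when a rule is written by hand, so it helps to see a pattern string turned into a matcher and run against real-looking file and registry paths. The code below is an added example for this post, not the Integrity Replicant's own matcher: the exact wildcard semantics are an assumption (`*` is taken as any run of characters including none, `?` as exactly one character and `+` as one or more), and the sample patterns and paths are constructed.

```python
import re


def fim_pattern_to_regex(pattern):
    """Translate an integrity-monitoring pattern into a regular expression.

    Assumed semantics (not documented on the page): '*' matches any run of
    characters including none, '?' exactly one character, '+' one or more.
    A doubled backslash in the pattern denotes one literal backslash, which
    is how Windows separators must be written in a rule.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 < len(pattern) and pattern[i + 1] == "\\":
                out.append(re.escape("\\"))   # "\\" -> one literal backslash
                i += 2
                continue
            raise ValueError(
                "lone backslash in pattern; write Windows separators as \\\\"
            )
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "+":
            out.append(".+")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def matches(pattern, path, case_insensitive=False):
    """True if the whole path matches the pattern."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(fim_pattern_to_regex(pattern), path, flags) is not None


def triggered_patterns(rule_patterns, changed_path, case_insensitive=False):
    """Return the rule patterns that a changed path would fire on."""
    return [p for p in rule_patterns if matches(p, changed_path, case_insensitive)]


# Constructed rule patterns, written exactly as they would be typed into a rule
# (raw strings so that the doubled backslashes survive in Python source).
WINDOWS_RULE = [
    r"C:\\Windows\\System32\\drivers\\etc\\*",
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
]
LINUX_RULE = [
    "/etc/cron.d/+",
    "/etc/ssh/sshd_config",
    "/home/*/.ssh/authorized_keys",
]

if __name__ == "__main__":
    for path in (r"C:\Windows\System32\drivers\etc\hosts",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"):
        print(path, "->", triggered_patterns(WINDOWS_RULE, path, case_insensitive=True))
    for path in ("/etc/cron.d/backup", "/etc/cron.d/", "/home/alice/.ssh/authorized_keys"):
        print(path, "->", triggered_patterns(LINUX_RULE, path))
```

The lone-backslash check is deliberate: a pattern such as `C:\Windows\*` silently matches nothing if the separators are not doubled, which looks like a quiet rule rather than a broken one.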


The team at LimaCharlie is going to continue adding more capability through this Replicant model. If you have any questions - or suggestions for upcoming Replicants - we would love to hear from you.


Managing Multiple Organizations

 

LimaCharlie is multi-tenant because it is designed for managed security service providers (MSSPs). This means that you can have as many organizations as you want under one account. Each organization is billed independently and can have any number of users with varying levels of ability assigned using the role-based access control system. White-labeling is available for MSSPs who are leveraging the private cloud option or operating at a certain volume.

In order to make onboarding new organizations as simple as possible LimaCharlie provides a method for setting up an organization using a config file. This 'Infrastructure as Code' approach mitigates human error and allows you to build a robust infrastructure (it will save you time and headaches). Information on how to manage configurations can be found in this blog article.

Most recently we have started to add multi-org functionality to our CLI. Now from the command line you can search for specific indicators of compromise across all of the organizations under your control. You can read more about this new multi-org CLI command here.

To stay up to date with our feature development you can follow LimaCharlie on Twitter or LinkedIn.


Searching Multiple Orgs for IOCs

 

The command line interface (CLI) for LimaCharlie now supports searching for indicators of compromise (IOC) across multiple organizations. Users can search for file hashes, file paths, IP addresses, domains and users across all organizations under their control with a single command.

The new CLI command supports multiple arguments, and the output is written either as human-readable text to stdout or to a file as YAML. The following man page outlines all available options and provides an example.

-----------------------------------------------------------------------
It's in limacharlie 2.8.0:
pip install limacharlie --user

Example usage:
$ limacharlie-search --help
usage: limacharlie.io search [-h] -t TYPE -o IOC [-i INFO]
                             [--case-insensitive] [--with-wildcards]
                             [-e ENVIRONMENT] [--output OUTPUT]
optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  the IOC type to search for, one of: file_hash,
                        file_name, file_path, ip, domain, user.
  -o IOC, --ioc IOC     the valid of the IOC to search for
  -i INFO, --info INFO  the type of information to return, one of "summary" or
                        "locations", "summary" is default.
  --case-insensitive    make the search case insensitive.
  --with-wildcards      make the search using the "%" wildcard.
  -e ENVIRONMENT, --environment ENVIRONMENT
                        the name of the LimaCharlie environment (as defined in
                        ~/.limacharlie) to use, otherwise all environments are
                        used.
  --output OUTPUT       location where to send output, "-" by default outputs
                        human readable to stdout, otherwise it should be a
                        file where YAML will be written to.

Example run:
$ limacharlie-search -t file_path -o %nject% --with-wildcards --case-insensitive -i locations
Querying 2 environments for %nject% (file_path) to -.
Skipping test-lon-1 (95a34ec2-48cd-471c-bc34-cccb0257c16a) as Insight is not enabled.
replicant (c82e5c17-d519-4ef5-a4ac-c454a95d31ca)
=========================================
2ccd01e7-b201-4c3d-9436-25a9bd896e69:
  first_ts: 1549124137
  hostname: win-5kc7e0ng1od
  last_ts: 1549149822
  sid: 2ccd01e7-b201-4c3d-9436-25a9bd896e69
334a15a5-a39d-43d1-b7d5-f7b604db1bc0:
  first_ts: 1549116394
  hostname: win-5kc7e0ng1od
  last_ts: 1549116395
  sid: 334a15a5-a39d-43d1-b7d5-f7b604db1bc0
Done, 2 results.
-----------------------------------------------------------------------
All Eyes
 

Role-Based Access Control

 

LimaCharlie has always supported fine-grained permissions for the API keys that are generated to access the platform; however, this kind of control has been missing for user accounts. Not anymore.

LimaCharlie now supports role-based access control (RBAC) for user accounts. Through the web interface you can now create additional users while controlling what it is they are able to see and do. Use the pre-built templates designed for account owners, administrators, operators and view-only users, or create your own.

The ramifications of this update are many and broaden the type of commercial deployment scenarios that are possible. Our private cloud option combined with RBAC, telemetry storage and white-labelling is a very powerful offering.

To learn more please visit our website. To stay up to date with feature development follow us on Twitter or join our community Slack group.


Basic Training Course

 

The team at LimaCharlie has always been passionate about education. We believe that the more people know about their tools and the way that they work the more successful they will be with their security posture. To this end, we have created a basic training course that will help new users get up to speed with the underlying technology and how to use the web application.

LimaCharlie’s Basic Training program is built using an instance of the Google Course Builder. This course represents the first iteration of what we hope will become a comprehensive training platform enabling new users and junior analysts to get up to speed with our endpoint security solution.

This particular course is not graded and should be fairly easy to complete. Our approach to education using this platform is a work in progress and with it we hope to engage in the same feedback cycles with users that have helped drive our product development. More advanced topics - and possibly certificates - will be added as this process unfolds.

If you are interested in learning more about the LimaCharlie platform and how to make effective use of the web application please sign up for the course.



 

Don't race a cheetah. Don't box a kangaroo.

 

When we set out to create an endpoint detection and response solution we did so with the intent of being the best in the space. We did not want to take the same approach as so many others do and cram everything into the offering we could. This kind of feature madness is something we affectionately refer to as the kitchen sink approach. Our vision has always been along the lines of the samurai sword - thousands of iterations folded on top of each other to create the sharpest and strongest edge possible.

In order to stay focused on our mission and to enable our customers to build the security pipelines they want we have designed every aspect of LimaCharlie to be integration friendly. It is to this end that we are happy to announce an integration partnership with Humio, a company that we believe shares these values.

Humio is a solution built specifically for aggregating, exploring, reporting and analyzing data in real-time. It gathers log data from a range of sources - including telemetry data from LimaCharlie - and can be deployed in both cloud and on-premise environments. Humio’s innovative data storage and in-memory search/query engine technologies provide a cost-competitive log management and analysis solution that requires significantly less hardware, engineering resources and licensing costs vs. competing solutions.

Unique capabilities of Humio include:

  • Scalable to handle multiple TB/day volumes (handles 1 TB/day ingest on a single instance)

  • Live and instant dashboard and search capabilities

  • Real-time alerting

  • Ad-hoc search capabilities using a simple unix pipe query language

  • Available on-premise or in the cloud

  • Low TCO - significantly lower license and resource cost vs. competitive solutions

To see how easy it is to get data flowing from LimaCharlie into Humio watch the video below.

 

Levenshtein Distance as a Defence Against Spear Phishing

 

When an advanced persistent threat (APT) targets an organization they will relentlessly work to find a way into the network. Once inside they can take any number of actions, all of which are specific to their goals. These attackers are determined and have unlimited resources and will eventually find a way in.

Infiltration is often achieved by compromising the people within the organization. Why fight your way past state-of-the-art technology when you can just get somebody to click on a link?

By using publicly available open source intelligence (OSINT) tools an APT can construct a list of emails of people that work in the target organization and then build profiles on each. With a name and an email as a starting point very detailed profiles can be constructed with little effort.

Using these detailed personal profiles the APT can then construct a sophisticated email campaign targeting specific employees. Emails can be constructed to appear as though they are coming from fellow employees or specific organizations using a homograph attack.

Using this method a fake email or domain can appear to be genuine even to a technically savvy and vigilant user.

To combat this LimaCharlie has added support for 'string distance' to its detection and response rules. This feature is based on the Levenshtein distance and can alert analysts to the existence of phishing domains or executables masquerading as well-known ones.

The Levenshtein distance, in layman's terms, is the number of characters that must change in a bit of text for it to become equal to another bit of text. For example, the Levenshtein distance between “hello” and “hallo” is 1.

This simple concept lets you quantify possible phishing domains, since those often try to mimic legitimate corporate domains. In these cases, we want to look for a distance that is not 0 (since this is the legitimate domain), but with a distance lower than 2 or 3. This would catch a phishing attack attempting to redirect you to “c0rp.mydomain.com” instead of “corp.mydomain.com” (notice the zero instead of “o”).
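To make the "not 0 but lower than 2 or 3" rule concrete, here is the Levenshtein computation carried through for both uses mentioned above: look-alike domains and executables masquerading as well-known names. This is an added example written for this post and is not LimaCharlie's rule engine or its string-distance implementation; the watched domain and binary lists and the observed values are constructed, and the default threshold of 2 is one of the two choices the text suggests.

```python
import re


def levenshtein(a, b):
    """Edit distance between a and b: minimum number of single-character
    insertions, deletions or substitutions (classic two-row dynamic program)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))          # distances from "" to each prefix of b
    for i, ca in enumerate(a, 1):
        cur = [i]                            # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,                 # delete ca
                cur[j - 1] + 1,              # insert cb
                prev[j - 1] + (ca != cb),    # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


# Constructed watch lists: the organization's own domains and a few
# well-known Windows process names that malware likes to imitate.
WATCHED_DOMAINS = ["corp.mydomain.com", "mail.mydomain.com"]
WATCHED_BINARIES = ["svchost.exe", "lsass.exe", "explorer.exe"]


def near_misses(observed, watched, max_distance=2):
    """Return (watched_value, distance) pairs where 0 < distance <= max_distance.

    Distance 0 is the genuine value and is deliberately excluded; anything
    farther away than max_distance is an unrelated string, not a look-alike.
    Comparison is case-insensitive, since DNS names and Windows file names are.
    """
    hits = []
    for w in watched:
        d = levenshtein(observed.lower(), w.lower())
        if 0 < d <= max_distance:
            hits.append((w, d))
    return hits


def check_domain(domain, max_distance=2):
    """Look-alikes of the organization's domains, e.g. a DNS request or mail sender domain."""
    return near_misses(domain, WATCHED_DOMAINS, max_distance)


def check_process_path(path, max_distance=2):
    """Look-alikes of well-known process names; only the file name is compared."""
    name = re.split(r"[\\/]", path)[-1]
    return near_misses(name, WATCHED_BINARIES, max_distance)


if __name__ == "__main__":
    print(levenshtein("hello", "hallo"))                       # 1
    print(check_domain("c0rp.mydomain.com"))                   # [('corp.mydomain.com', 1)]
    print(check_domain("corp.mydomain.com"))                   # [] (the real thing)
    print(check_process_path(r"C:\Users\bob\AppData\svch0st.exe"))  # [('svchost.exe', 1)]
    print(check_process_path(r"C:\Windows\System32\svchost.exe"))   # [] (legitimate name)
```

Two practical notes: a transposition ("scvhost.exe" for "svchost.exe") costs 2 under plain Levenshtein, so a threshold of 1 would miss it, while a threshold of 3 starts matching legitimately similar names, which is why the text frames the cutoff as 2 or 3 rather than a fixed value; and comparing only the file name, not the full path, keeps a malicious `svch0st.exe` from hiding behind a long directory prefix.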

Getting alerts while monitoring internal domains using this method can serve as an early indicator of a sophisticated campaign against the organization. Using this information the security team can raise the level of vigilance at every level of the organization and prevent a breach.
