Searching Multiple Orgs for IOCs


The command line interface (CLI) for LimaCharlie now supports searching for indicators of compromise (IOC) across multiple organizations. Users can use the CLI to search for file hashes, file paths, IP addresses, domains and users across all organizations under their control with a single command.

The new CLI command supports multiple arguments, and the output is written either as human-readable text to stdout or as YAML to a file. The help output below lists all available options, followed by an example run.

-----------------------------------------------------------------------
It's in limacharlie 2.8.0:
pip install limacharlie --user

Example usage:
$ limacharlie-search --help
usage: limacharlie.io search [-h] -t TYPE -o IOC [-i INFO]
                             [--case-insensitive] [--with-wildcards]
                             [-e ENVIRONMENT] [--output OUTPUT]
optional arguments:
  -h, --help            show this help message and exit
  -t TYPE, --type TYPE  the IOC type to search for, one of: file_hash,
                        file_name, file_path, ip, domain, user.
  -o IOC, --ioc IOC     the valid of the IOC to search for
  -i INFO, --info INFO  the type of information to return, one of "summary" or
                        "locations", "summary" is default.
  --case-insensitive    make the search case insensitive.
  --with-wildcards      make the search using the "%" wildcard.
  -e ENVIRONMENT, --environment ENVIRONMENT
                        the name of the LimaCharlie environment (as defined in
                        ~/.limacharlie) to use, otherwise all environments are
                        used.
  --output OUTPUT       location where to send output, "-" by default outputs
                        human readable to stdout, otherwise it should be a
                        file where YAML will be written to.

Example run:
$ limacharlie-search -t file_path -o %nject% --with-wildcards --case-insensitive -i locations
Querying 2 environments for %nject% (file_path) to -.
Skipping test-lon-1 (95a34ec2-48cd-471c-bc34-cccb0257c16a) as Insight is not enabled.
replicant (c82e5c17-d519-4ef5-a4ac-c454a95d31ca)
=========================================
2ccd01e7-b201-4c3d-9436-25a9bd896e69:
  first_ts: 1549124137
  hostname: win-5kc7e0ng1od
  last_ts: 1549149822
  sid: 2ccd01e7-b201-4c3d-9436-25a9bd896e69
334a15a5-a39d-43d1-b7d5-f7b604db1bc0:
  first_ts: 1549116394
  hostname: win-5kc7e0ng1od
  last_ts: 1549116395
  sid: 334a15a5-a39d-43d1-b7d5-f7b604db1bc0
Done, 2 results.
-----------------------------------------------------------------------
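The human-readable output above is easy to read but awkward to feed into a ticket or a spreadsheet when a search spans many organizations. The following is an added example (not part of the LimaCharlie CLI or SDK) that parses that stdout format into per-sensor records, converts the epoch timestamps, and checks that the per-sensor entries add up to the count on the "Done" line, so a truncated or partially failed run does not go unnoticed. The sample text is constructed in the shape of the run shown above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample in the shape of the `-i locations` run shown above (not live data).
SAMPLE_OUTPUT = """\
Querying 2 environments for %nject% (file_path) to -.
Skipping test-lon-1 (95a34ec2-48cd-471c-bc34-cccb0257c16a) as Insight is not enabled.
replicant (c82e5c17-d519-4ef5-a4ac-c454a95d31ca)
=========================================
2ccd01e7-b201-4c3d-9436-25a9bd896e69:
  first_ts: 1549124137
  hostname: win-5kc7e0ng1od
  last_ts: 1549149822
  sid: 2ccd01e7-b201-4c3d-9436-25a9bd896e69
334a15a5-a39d-43d1-b7d5-f7b604db1bc0:
  first_ts: 1549116394
  hostname: win-5kc7e0ng1od
  last_ts: 1549116395
  sid: 334a15a5-a39d-43d1-b7d5-f7b604db1bc0
Done, 2 results.
"""

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ORG_RE = re.compile(rf"^(?P<name>\S+) \((?P<oid>{UUID})\)$")
SKIP_RE = re.compile(rf"^Skipping (?P<name>\S+) \((?P<oid>{UUID})\) as (?P<reason>.+)\.$")
SENSOR_RE = re.compile(rf"^(?P<sid>{UUID}):$")
FIELD_RE = re.compile(r"^  (?P<key>\w+): (?P<value>.+)$")
DONE_RE = re.compile(r"^Done, (?P<n>\d+) results?\.$")

@dataclass
class Hit:
    org: str
    oid: str
    sid: str
    hostname: str
    first_ts: int
    last_ts: int

@dataclass
class SearchResult:
    hits: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # (environment name, reason) pairs
    reported: int = 0                            # the count printed on the "Done" line

def _finish(block):
    return Hit(block["org"], block["oid"], block["sid"], block.get("hostname", "?"),
               int(block["first_ts"]), int(block["last_ts"]))

def parse_search_output(text):
    """Turn the human-readable search output into structured hits, one per sensor."""
    result = SearchResult()
    org = oid = None
    block = None  # fields of the sensor entry currently being read
    for line in text.splitlines():
        m = SENSOR_RE.match(line)
        if m:
            if block is not None:
                result.hits.append(_finish(block))
            block = {"org": org, "oid": oid, "sid": m["sid"]}
            continue
        m = FIELD_RE.match(line)
        if m and block is not None:
            block[m["key"]] = m["value"]
            continue
        if block is not None:  # any other line ends the sensor entry
            result.hits.append(_finish(block))
            block = None
        m = SKIP_RE.match(line)
        if m:
            result.skipped.append((m["name"], m["reason"]))
            continue
        m = ORG_RE.match(line)
        if m:
            org, oid = m["name"], m["oid"]
            continue
        m = DONE_RE.match(line)
        if m:
            result.reported = int(m["n"])
    if block is not None:
        result.hits.append(_finish(block))
    return result

def check_complete(result):
    """The per-sensor entries should add up to the count the CLI reports."""
    return len(result.hits) == result.reported

def hits_by_org(result):
    """How many sensors matched in each organization."""
    counts = {}
    for h in result.hits:
        counts[h.org] = counts.get(h.org, 0) + 1
    return counts

def iso(ts):
    """Epoch seconds (as printed by the CLI) to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    r = parse_search_output(SAMPLE_OUTPUT)
    for name, reason in r.skipped:
        print(f"skipped {name}: {reason}")
    for h in r.hits:
        print(f"{h.org}\t{h.hostname}\t{h.sid}\t{iso(h.first_ts)}\t{iso(h.last_ts)}")
    print("complete" if check_complete(r) else "WARNING: result count mismatch", hits_by_org(r))
```

The skipped-environment lines are kept on purpose: an organization without Insight enabled returns no hits, which is not the same as a confirmed absence of the indicator, and a report built from this output should say so.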
All Eyes

Role-Based Access Control


LimaCharlie has always supported fine-grained permissions for the API keys that are generated to access the platform; however, this kind of control has been missing for user accounts. Not anymore.

LimaCharlie now supports role-based access control (RBAC) for user accounts. Through the web interface you can now create additional users while controlling what they are able to see and do. Use a pre-built template designed for account owners, administrators, operators or view-only users, or create your own.

The ramifications of this update are many and broaden the type of commercial deployment scenarios that are possible. Our private cloud option combined with RBAC, telemetry storage and white-labelling is a very powerful offering.

To learn more please visit our website. To stay up to date with feature development follow us on Twitter or join our community Slack group.


Basic Training Course


The team at LimaCharlie has always been passionate about education. We believe that the more people know about their tools and the way that they work the more successful they will be with their security posture. To this end, we have created a basic training course that will help new users get up to speed with the underlying technology and how to use the web application.

LimaCharlie’s Basic Training program is built using an instance of the Google Course Builder. This course represents the first iteration of what we hope will become a comprehensive training platform enabling new users and junior analysts to get up to speed with our endpoint security solution.

This particular course is not graded and should be fairly easy to complete. Our approach to education using this platform is a work in progress, and with it we hope to engage in the same feedback cycles with users that have helped drive our product development. More advanced topics - and possibly certificates - will be added as this process unfolds.

If you are interested in learning more about the LimaCharlie platform and how to make effective use of the web application please sign up for the course.


Don't race a cheetah. Don't box a kangaroo.


When we set out to create an endpoint detection and response solution we did so with the intent of being the best in the space. We did not want to take the same approach as so many others do and cram everything into the offering we could. This kind of feature madness is something we affectionately refer to as the kitchen sink approach. Our vision has always been along the lines of the samurai sword - thousands of iterations folded on top of each other to create the sharpest and strongest edge possible.

In order to stay focused on our mission and to enable our customers to build the security pipelines they want we have designed every aspect of LimaCharlie to be integration friendly. It is to this end that we are happy to announce an integration partnership with Humio, a company that we believe shares these values.

Humio is a solution built specifically for aggregating, exploring, reporting and analyzing data in real-time. It gathers log data from a range of sources - including telemetry data from LimaCharlie - and can be deployed in both cloud and on-premise environments. Humio’s innovative data storage and in-memory search/query engine technologies provide a cost-competitive log management and analysis solution that requires significantly less hardware, engineering resources and licensing costs vs. competing solutions.

Unique capabilities of Humio include:

  • Scalable to handle multiple TB/day volumes (handles 1 TB/day ingest on a single instance)

  • Live and instant dashboard and search capabilities

  • Real-time alerting

  • Ad-hoc search capabilities using a simple unix pipe query language

  • Available on-premise or in the cloud

  • Low TCO - significantly lower license and resource cost vs. competitive solutions

To see how easy it is to get data flowing from LimaCharlie into Humio watch the video below.


Levenshtein Distance as a Defence Against Spear Phishing


When an advanced persistent threat (APT) targets an organization, they will relentlessly work to find a way into the network. Once inside, they can take any number of actions, all of which are specific to their goals. These attackers are determined, have unlimited resources, and will eventually find a way in.

Infiltration is often achieved by compromising the people within the organization. Why fight your way past state-of-the-art technology when you can just get somebody to click on a link?

By using publicly available open source intelligence (OSINT) tools an APT can construct a list of emails of people that work in the target organization and then build profiles on each. With a name and an email as a starting point very detailed profiles can be constructed with little effort.

Using these detailed personal profiles the APT can then construct a sophisticated email campaign targeting specific employees. Emails can be constructed to appear like they are coming from fellow employees or specific organizations using a homograph attack.

Using this method a fake email or domain can appear to be genuine even to a technically savvy and vigilant user.

To combat this, LimaCharlie has added support for 'string distance' to its detection and response rules. This feature is based on the Levenshtein distance and can alert analysts to the existence of phishing domains or executables masquerading as well-known ones.

The Levenshtein distance, in layman's terms, is the number of characters that must change in one bit of text for it to become equal to another bit of text. For example, the Levenshtein distance between “hello” and “hallo” is 1.

This simple concept allows you to quantify possible phishing domains, since those often try to mimic legitimate corporate domains. In these cases, we want to look for a distance that is not 0 (since that is the legitimate domain itself) but is lower than 2 or 3. This would catch a phishing attack attempting to redirect you to “c0rp.mydomain.com” instead of “corp.mydomain.com” (notice the zero instead of “o”).

Getting alerts while monitoring internal domains using this method can serve as an early indicator of a sophisticated campaign against the organization. Using this information the security team can raise the level of vigilance at every level of the organization and prevent a breach.
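As an added illustration of the string-distance idea described above (example code written for this post, not LimaCharlie's rule engine), the block below implements the Levenshtein distance and applies the "not 0, but below a small threshold" band to a constructed list of observed domain names and executable names. The legitimate names, the observed names and the threshold of 2 are assumptions for the example; the Cyrillic "о" entry shows that a homograph substitution is also a distance of 1, because the comparison is on code points rather than on what the glyphs look like.

```python
# Added example: Levenshtein-based look-alike detection for domains and executable names.

def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or substitutions
    that turn string a into string b (classic two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a  # the distance is symmetric, so keep the shorter string as the row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute (free when equal)
        prev = cur
    return prev[-1]

def lookalikes(observed, legitimate, max_distance=2, allow=()):
    """Flag observed names that are close to, but not identical to, a legitimate name.
    Distance 0 is the genuine name; distances 1..max_distance are the suspicious band.
    Names in `allow` (known siblings such as a real second-level domain) are never flagged."""
    allow = set(allow)
    flagged = []
    for name in observed:
        if name in allow:
            continue
        for good in legitimate:
            # DNS names and Windows file names are case-insensitive, so compare lowercased.
            d = levenshtein(name.lower(), good.lower())
            if 0 < d <= max_distance:
                flagged.append((name, good, d))
    return flagged

# Constructed sample data for the example; none of these are real observations.
LEGITIMATE = ["corp.mydomain.com", "svchost.exe", "explorer.exe"]
OBSERVED = [
    "corp.mydomain.com",       # the genuine domain: distance 0, must not be flagged
    "c0rp.mydomain.com",       # zero in place of "o", the case from the post
    "corp-mydomain.com",       # dot swapped for a hyphen
    "c\u043erp.mydomain.com",  # Cyrillic "о" in place of Latin "o" (homograph)
    "svch0st.exe",             # zero in place of "o" in a well-known binary name
    "exp1orer.exe",            # one in place of "l"
    "chrome.exe",              # unrelated name, far from every legitimate one
]

if __name__ == "__main__":
    for name, good, d in lookalikes(OBSERVED, LEGITIMATE):
        print(f"suspicious: {name!r} is {d} edit(s) from {good!r}")
```

The threshold is the tuning knob: at 2 or 3 this catches single-character swaps and short insertions, while a larger value starts to flag legitimate short names that happen to be near each other, which is why an allow list for known siblings is part of the function.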


Internet of Things and LimaCharlie


We have known LimaCharlie is the best incident response platform out there for a while. We also knew the extreme flexibility and scalability of the platform - not to mention the multiple platforms supported - made it ideal for managing large numbers of endpoints in a "headless" fashion. This combination of characteristics is a great match for the Internet of Things. The missing item was support for the ARM architecture used by most IoT devices…

LimaCharlie now supports ARM architectures opening the door to a multitude of IoT use cases from embedded devices to phones, and all through the same middleware, white-labeling and multi-tenant friendly platform.

We have been experimenting with deploying LimaCharlie on routers, Raspberry Pis and Android phones with great success.

If you are an IoT developer or integrator looking for a security solution, get in touch, we can get you up and running quicker than anyone else.

Raspberry Pi

Live Sweep


The Live View in LimaCharlie provides you with a great interface to perform incident response by enabling the execution of real-time investigation and mitigation commands on the hosts. As the product has developed we have built out a user-friendly interface to the Live View that gives you better context on the current activity on the host. For example, by overlaying the file signing status and network activity on the process list, you can see at a glance which processes are of higher interest.

Today we are taking another step in the direction of active investigation and introducing a new Sweep feature. We wanted to go beyond the static display of context and move into active investigation of anomalies. This new feature is designed to streamline investigation of a host that is suspected of being compromised.

Most security responders have a list of things they look for when investigating a host. It is often a manual process that relies on expert knowledge. The Sweep allows you to automate and standardize this process. The exact behaviour of the Sweep will continue to evolve over time but its mission is to highlight to an analyst the various bits of activity on the host that are suspicious.

At the moment of writing this blog article, clicking the Sweep button will perform the following logic:

  • Highlight all unsigned binaries running (processes, services, drivers, autoruns).

  • Highlight all the processes listening on the network or with active network connections.

  • Scan the memory of processes looking for hidden code modules and highlight them.

  • Highlight all code modules and autoruns that have been modified in the last week.

Combined with the ability LimaCharlie has to perform advanced operations in real-time like YARA signature scanning and memory operations, the Sweep functionality will continue to evolve providing responders a faster, repeatable process that junior analysts can also leverage.

Is there specific logic you would like included in a Sweep? Get in touch with us via our Slack community or say hello on Twitter @limacharlieio.

Automated Threat Scanning

Getting Critical Answers


LimaCharlie is a platform designed for building security solutions. Endpoint detection and response (EDR) capability is the cornerstone of the platform, which also provides access to a plethora of raw telemetry. The EDR capability is powerful, but the bigger prize is the “critical answers” we can gain by making use of the telemetry.

These critical answers are the specific pieces of information that will allow you to make important security decisions, and you need the ability to get to these answers in the most straightforward way possible.

LimaCharlie Insight provides you with one year of built-in retention and search capability. The retention allows you to get answers like “what EXACTLY happened on this host 7 months ago at 3AM” in a few seconds.

The indicator (domain name, hash, file name, IP address etc.) search allows you to get a succinct set of answers:

Is this indicator common?

Imagine that you are investigating a possible intrusion when you spot a suspicious looking executable that you don’t recall ever seeing before. Is it a case of bad memory or is this part of the malware dropped by the attacker?

You can start to paint a picture by examining how prevalent the given indicator is. Using the web interface (or API) you can ask this question and get an answer immediately.


This tells you how many hosts have seen this file today, this week or this month. An indicator seen for the first time today and not in the past month is highly suspicious.

We make getting these 3 numbers easy. The data can be pulled either through a search or while visualizing activity from a host.

Where has this indicator been seen?

Now imagine that you have been made aware of a specific indicator related to malicious activity. This can come up in many ways: a report published on the web detailing a new threat actor, a law enforcement tip-off, MISP, or an internal security investigation.

Given this information you would need to scope the possible threat right away: “where has this been seen?”


Through the user interface you can see the list of all hosts that have ever made a request to this specific domain name over the last year, the first and last time they did and get shortcut links to the fully detailed exploration view of the specific activity. This is powerful.
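To make the two questions above concrete, here is an added example (written for this post, not LimaCharlie's Insight API) that computes the "today / this week / this month" distinct-host counts for an indicator, applies the "seen for the first time today and not in the past month" rule, and lists where the indicator has been seen with first and last sighting per host. The telemetry, the hostnames, the indicator names and the fixed "now" are all constructed for the example.

```python
# Added example: prevalence windows and per-host locations for an indicator.
from datetime import datetime, timedelta, timezone

# Assumed "current time" so the example is deterministic.
NOW = datetime(2018, 11, 27, 6, 0, tzinfo=timezone.utc)

def ts(days_ago, hours_ago=0):
    """Unix timestamp for a moment in the past relative to NOW."""
    return int((NOW - timedelta(days=days_ago, hours=hours_ago)).timestamp())

# Constructed telemetry, one tuple per sighting: (hostname, indicator, unix timestamp).
EVENTS = [
    ("ws-01", "evil.example", ts(0, 1)),            # first seen today, on two hosts
    ("ws-02", "evil.example", ts(0, 2)),
    ("ws-01", "update.vendor.example", ts(0, 3)),   # a long-lived, common indicator
    ("ws-02", "update.vendor.example", ts(3)),
    ("ws-03", "update.vendor.example", ts(12)),
    ("ws-04", "update.vendor.example", ts(25)),
    ("ws-05", "update.vendor.example", ts(40)),     # outside the month window
]

WINDOWS = {"today": 1, "week": 7, "month": 30}   # window name -> length in days

def prevalence(events, indicator, now=NOW):
    """Number of distinct hosts that saw `indicator` in each window."""
    counts = {}
    for label, days in WINDOWS.items():
        cutoff = int((now - timedelta(days=days)).timestamp())
        counts[label] = len({host for host, ind, t in events
                             if ind == indicator and t >= cutoff})
    return counts

def is_new_today(events, indicator, now=NOW):
    """The post's heuristic: the indicator was seen today but nowhere in the rest of
    the month. Returns None when it has not been seen in the month at all."""
    month_cutoff = int((now - timedelta(days=WINDOWS["month"])).timestamp())
    day_cutoff = int((now - timedelta(days=WINDOWS["today"])).timestamp())
    in_month = [t for _, ind, t in events if ind == indicator and t >= month_cutoff]
    if not in_month:
        return None
    return min(in_month) >= day_cutoff

def locations(events, indicator):
    """Per-host first and last sighting: the "where has this been seen" answer."""
    seen = {}
    for host, ind, t in events:
        if ind != indicator:
            continue
        first, last = seen.get(host, (t, t))
        seen[host] = (min(first, t), max(last, t))
    return dict(sorted(seen.items()))

if __name__ == "__main__":
    for ioc in ("evil.example", "update.vendor.example"):
        print(ioc, prevalence(EVENTS, ioc), "new today:", is_new_today(EVENTS, ioc))
        for host, (first, last) in locations(EVENTS, ioc).items():
            print(f"  {host}: first {datetime.fromtimestamp(first, tz=timezone.utc):%Y-%m-%d %H:%M}"
                  f"  last {datetime.fromtimestamp(last, tz=timezone.utc):%Y-%m-%d %H:%M}")
```

Counting distinct hosts rather than raw events is deliberate: a noisy process on one machine can generate thousands of sightings, and it is the spread across hosts that tells you whether an indicator is part of normal operations or confined to the machine you are investigating.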

More Critical Answers?

Do you have other ideas of critical answers you would like to see? Let us know, LimaCharlie is quickly becoming a core part of the security tool set and it is thanks to your feedback!