Thursday, August 31, 2023

Top 5 Reasons to Sign Up for our 4-day Security Onion Training

Security Onion Solutions has been teaching Security Onion classes since 2014. Since that time, we've taught students around the globe to help them peel back the layers of their enterprise and make their adversaries cry.

Our next class is in October. Why should you sign up? Here are the top 5 reasons!

1. Amazing instructors

Our instructors are not like other instructors that just read from a slide deck. Security Onion Solutions instructors have years of experience in threat hunting, enterprise security monitoring, and log management. They have worked in real-world operational security roles, engineered monitoring strategies and solutions, and handled real-world incidents. They bring their practical experience to the classroom, enabling students in both theory and hands-on application to hunt adversaries in environments large and small.

2. Comprehensive course material and labs

As a student, you will receive over 300 pages of course material filled with tips and tricks to help you peel back the layers of your enterprise and make your adversaries cry. That amazing content is reinforced by the immersive real-world case studies.

3. First public training for 2.4

We recently released Security Onion 2.4 and it has lots of new features and improvements! This class will help you take advantage of all those new features.


4. We teach the only OFFICIAL training for Security Onion

Security Onion Solutions is the only official provider of Security Onion training. If you want the best training, get it from the company that developed the platform!

5. FREE ticket for both Security Onion Conference and BSidesAugusta

As a student, you will receive a FREE non-transferable ticket to both our 10th annual Security Onion Conference and the 10th annual BSidesAugusta!

BONUS reason - Support development of the free and open platform!

Security Onion has been a free and open platform since 2008. We've invested many years of development into making Security Onion even better at helping you peel back the layers of your enterprise and making your adversaries cry. If you purchase training from us, you are helping to cover the cost of developing and maintaining the Security Onion platform, now and in the future.

BONUS BONUS reason - Compete in the CTF for a cool prize!

As a student, you get to compete in the class CTF (Capture The Flag) event to show off your new skills. If you win, you get a limited edition t-shirt and bragging rights!

Sign up today

There are a limited number of seats for this amazing class and the registration deadline is 9/22/2023. Don't delay, reserve your seat today!

https://bsidesaugusta.org/training/#so

Wednesday, August 30, 2023

Top 5 Reasons to Purchase Security Onion Solutions Appliances


In 2018, we announced Security Onion Solutions (SOS) appliances. Since that time, we've shipped appliances to customers around the globe to help them peel back the layers of their enterprise and make their adversaries cry.

Why should you purchase hardware appliances from Security Onion Solutions? Here are the top 5 reasons!

  1. Eliminate the guesswork of buying the right hardware
    You can run Security Onion on your own hardware, but you'll have to determine the answers to the following questions:
      • How many CPU cores?
      • How much RAM?
      • What kind of storage?
      • How much storage?
      • What kind of NIC?

    Security Onion Solutions hardware is configured and built for specific roles and workloads. We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization.


  2. Save time for you and your server team
    If you run Security Onion on your own hardware, then you may need to configure your storage correctly and then you'll have to manually install Security Onion.

    Security Onion Solutions appliances come with storage pre-configured and the Security Onion platform pre-loaded so that you can focus on your real job of monitoring and defending your enterprise.

  3. Enhanced integration
    Security Onion's SOC interface provides appliance-specific information directly in the user-interface. Use this information to monitor the appliance's health in real time. Also view the appliance front and rear panels, useful for walking through connectivity discussions with personnel in the data center. Only official Security Onion Solutions appliances are supported with this integration.

  4. Get FULL support from ONE vendor
    If you experience problems, it may be challenging in some cases to determine if the problem is due to hardware or software especially if hardware support is from one vendor and software support is from a different vendor.

    Security Onion Solutions supports both the hardware and software components of our branded appliances. Security Onion software support includes configuration, deployment, tuning, and break fix support delivered remotely via email, phone, or video conference.  Hardware support includes defective media retention (you keep and destroy bad hard drives) with next business day shipping on parts within the continental United States. On-site technicians can be coordinated for complex part repairs. We can quote 1-5 years of support, with higher discounts for longer support terms.

  5. BY defenders FOR defenders
    The Security Onion software platform is developed by defenders for defenders and our hardware appliances are no exception. We've designed the appliances that we would want to use in the trenches and we support you as fellow defenders.

Bonus reason - Support development of the free and open platform!

Security Onion has been a free and open platform since 2008. We've invested many years of development into making Security Onion even better at helping you peel back the layers of your enterprise and making your adversaries cry. If you purchase appliances from us, you are helping to cover the cost of developing and maintaining the Security Onion platform, now and in the future.

Don't delay, reserve your SOS appliances today!


https://securityonionsolutions.com/hardware


Tuesday, August 29, 2023

Quick Malware Analysis: 2023-05-24 OBAMA264 QAKBOT

Today, the FBI and DOJ announced an operation to dismantle Qakbot infrastructure:
https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown
https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown

Let's take a look at a recent Qakbot sample. Thanks to Brad Duncan for sharing this pcap:
https://www.malware-traffic-analysis.net/2023/05/24/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can install Security Onion 2.4 in a VM and import the pcap using so-import-pcap:
https://docs.securityonion.net/en/2.4/first-time-users.html
https://docs.securityonion.net/en/2.4/so-import-pcap.html#so-import-pcap

The screenshots at the bottom of this post show some of the interesting NIDS alerts, metadata logs, and session transcripts. Want more practice? Check out our other Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs. To learn more about Security Onion, please see https://securityonion.net.

Our 10th Annual Security Onion Conference is coming up soon! Reserve your seat today! Last day to register is September 29! For more details, please see https://socaugusta2023.eventbrite.com/.

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html.

Do you want to deploy Security Onion to your enterprise and want the best enterprise hardware? We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project! For more information, please see https://securityonionsolutions.com/hardware.

Screenshots

First, we start with the overview of all alerts and logs:


Next, let's review the alerts:


When we pivot from the EXE alert to the PCAP transcript, we notice that the HTTP request is to a bare IP address instead of a fully qualified domain name, the file requested is a .dat file, and the file returned has the standard MZ file header of an EXE:


Next, let's review all of the network protocol metadata:


Drilling into the Zeek Notices, we see an interesting connection on port 2222:


Here are the SSL/TLS logs including that port 2222 connection noted in the previous screenshot:


Here is an overview of all connections:


Drilling into HTTP logs we notice that, in addition to the EXE that we looked at earlier, there was a ZIP download:


Pivoting on that file transfer, we see the PK file header and that the embedded file appears to be called Claim_A615.wsf:


From there, we pivot to CyberChef and carve the WSF (Windows Script File):


The top of the file seemed innocent enough, but as we scroll down we see something more nefarious:
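The three clues walked through above (a request to a bare IP address, a PE image served under a .dat name, and a ZIP carrying a .wsf) can be turned into a small triage script. This is an added example, not part of the original post or of Security Onion itself; it runs over constructed records in the shape of Zeek http.log JSON and over a constructed ZIP, and the sample values (hosts, URIs, uids) are made up for the demo.

```python
import io
import ipaddress
import json
import os
import zipfile

# Constructed sample records shaped like Zeek http.log JSON (as Security Onion
# 2.4 ingests it). Values are invented for this example, not from the pcap.
SAMPLE_HTTP_LOG = "\n".join([
    json.dumps({"uid": "CAbc01", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
                "host": "203.0.113.10", "method": "GET", "uri": "/update/payload.dat",
                "resp_mime_types": ["application/x-dosexec"]}),
    json.dumps({"uid": "CAbc02", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7",
                "host": "www.example.com", "method": "GET", "uri": "/index.html",
                "resp_mime_types": ["text/html"]}),
    json.dumps({"uid": "CAbc03", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.9",
                "host": "files.example.net", "method": "GET", "uri": "/Claim_A615.zip",
                "resp_mime_types": ["application/zip"]}),
])

# Extensions that legitimately carry a PE (MZ) image; anything else served as
# application/x-dosexec is an extension/content mismatch worth a look.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
# Windows script types commonly delivered inside archives.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1"}


def is_bare_ip(host):
    """True when the HTTP Host header is an IP literal (optionally with a port)."""
    candidate = host.strip()
    if candidate.startswith("["):            # [IPv6]:port form
        candidate = candidate[1:].split("]")[0]
    elif candidate.count(":") == 1:          # IPv4:port form
        candidate = candidate.split(":")[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def triage_http_log(log_text):
    """Return one finding per http.log record that shows the clues from the post."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        host = rec.get("host") or ""
        if host and is_bare_ip(host):
            reasons.append("request to a bare IP address instead of a FQDN")
        ext = os.path.splitext(rec.get("uri", "").split("?")[0])[1].lower()
        mimes = rec.get("resp_mime_types") or []
        if "application/x-dosexec" in mimes and ext not in PE_EXTENSIONS:
            reasons.append(f"PE (MZ) response served with '{ext or 'no'}' extension")
        if "application/zip" in mimes:
            reasons.append("ZIP download; inspect the archive for embedded scripts")
        if reasons:
            findings.append({"uid": rec["uid"], "host": host,
                             "uri": rec.get("uri"), "reasons": reasons})
    return findings


def embedded_scripts(zip_bytes):
    """List script files inside a ZIP body (the 'PK' file carved from the transfer)."""
    if not zip_bytes.startswith(b"PK"):
        raise ValueError("not a ZIP: missing PK header")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def build_sample_zip():
    """Constructed ZIP holding an inert placeholder .wsf, for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Claim_A615.wsf", "<!-- placeholder, not a real script -->")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_http_log(SAMPLE_HTTP_LOG):
        print(f["uid"], f["host"], f["uri"], "->", "; ".join(f["reasons"]))
    print("embedded scripts:", embedded_scripts(build_sample_zip()))
```

On the sample records the script flags the bare-IP .dat download with two reasons and the ZIP download with one, and lists Claim_A615.wsf inside the constructed archive.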



Wednesday, August 23, 2023

Quick Malware Analysis: 2023-07-11 Loader-based Formbook Infection

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2023/07/11/index.html

We did a quick analysis of this pcap on the NEW Security Onion 2.4. If you'd like to follow along, you can install Security Onion 2.4 in a VM and import the pcap as shown here:
https://docs.securityonion.net/en/2.4/first-time-users.html

The screenshots at the bottom of this post show some of the interesting NIDS alerts, metadata logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://docs.securityonion.net/en/2.4/

Security Onion Conference

Our 10th Annual Security Onion Conference is coming up soon! Reserve your seat today! Last day to register is September 29!

https://socaugusta2023.eventbrite.com/

Training

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta! For more information, please see:

https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots

Overview Dashboard:


NIDS alerts:


Drilling into the "ET USER_AGENTS Microsoft Office Existence Discovery User-Agent" alert at the bottom, we choose the Correlate menu option to see all correlated alerts and logs:


Pivot to PCAP:


Switch to ASCII transcript:


Going back to Alerts and correlating based on the "ET POLICY Possible HTA Application Download" alert we see:


Pivot to transcript:


Going back to Alerts and correlating based on the "ET POLICY PE EXE or DLL Windows file download HTTP" alert we see:


Pivot to transcript:


Example transcript for "ET MALWARE FormBook CnC Checkin (POST) M2" alerts:


Example transcript for "ET MALWARE FormBook CnC Checking (GET)" alerts:


Metadata overview:


HTTP GET and POST requests:


DNS lookups:


Interesting file transfers:


SSL/TLS logs:


Connection overview:



Monday, August 21, 2023

Security Onion 2.4.10 Hotfix 20230821 Now Available!

We recently released Security Onion 2.4.10 (2.4 GA):
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html

Today, we are releasing a hotfix which resolves a few issues:
https://docs.securityonion.net/en/2.4/release-notes.html

New Installations

If you want to perform a new installation, please review the documentation and then you can find instructions here:
https://docs.securityonion.net/en/2.4/download.html

Existing 2.4 Installations

If you have an existing installation of 2.4, then you should update to this hotfix. If your 2.4 installation is RC or GA (not Beta), then you can run soup to update.

If you are upgrading an Import node and have already imported a pcap or evtx file, then you may need to delete the import data stream for all imports to work correctly. You can either run the following command:
sudo so-elasticsearch-query _data_stream/logs-import-so -XDELETE

OR you can clear Elastic altogether with the following command:
sudo so-elastic-clear -d -y

In many cases, Import nodes are only temporary anyway, so you may just want to perform a fresh installation.

For more information about the update process, please see:
https://docs.securityonion.net/en/2.4/soup.html

Known Issues

Here are some known issues that should be resolved in later releases:

  • You cannot do an in-place upgrade from 2.3 to 2.4. We are still investigating data migration.
  • Security Onion Desktop is still considered experimental. It should work when installing from our ISO image but will not work for network installations currently.
  • so-ip-update, while not an officially supported tool to begin with, has not been given any attention for 2.4 and may not work at all.
  • SOC Grid is unable to display EPS production values for sensors.
  • ISO install does not remove NOPASSWD option from sudo configuration.

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:
https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Conference

Our 10th Annual Security Onion Conference is coming up soon! You don't want to miss great speakers like:

  • Dave Kennedy
  • Wes Lambert
  • Josh Kamdjou
  • Scott Hall
  • Pete Di Giorgio
  • Josh Brower
  • David Bianco
  • Doug Burks

Reserve your seat today! Last day to register is September 29!

https://socaugusta2023.eventbrite.com/

Training

Do you want to deploy the new Security Onion 2.4 to your enterprise but need training? 

Our first 4-day public training class on Security Onion 2.4 will be in beautiful Augusta GA as part of Augusta Cyber Week! 

The class is at a very special price AND you get a free ticket to BOTH Security Onion Conference AND BSidesAugusta!

For more information, please see:
https://blog.securityonion.net/2023/07/registration-now-open-for-augusta-cyber.html

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Tuesday, August 15, 2023

Security Onion 2.4 Has Reached General Availability (GA)!

After more than 12 months of development, 3 Beta releases, and 2 Release Candidates, we are thrilled to announce that Security Onion 2.4 has now reached General Availability (GA)!

About Security Onion

Security Onion is a free and open platform built by defenders for defenders. It includes network visibility, host visibility, intrusion detection honeypots, log management, and case management. 

For network visibility, we offer signature based detection via Suricata, rich protocol metadata and file extraction using your choice of either Zeek or Suricata, full packet capture via Stenographer, and file analysis via Strelka. For host visibility, we offer the Elastic Agent which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All of these logs flow into Elasticsearch and we’ve built our own user interfaces for alerts, dashboards, threat hunting, case management, and grid management. 

Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build a distributed grid for your enterprise in minutes!

Changes from Security Onion 2.3

Over the past year of developing Security Onion 2.4, we've added lots of new features to give you a better experience and make you more efficient and effective!

Changes from Security Onion 2.4 RC2

We recently released Security Onion 2.4 RC2:
https://blog.securityonion.net/2023/08/security-onion-24-release-candidate-2.html

We've resolved several issues from 2.4 RC2. To see all changes in this release, please review the Release Notes:
https://docs.securityonion.net/en/2.4/release-notes.html

Base OS

If you haven't already, please review our recent blog post on our 2.4 base OS changes:
https://blog.securityonion.net/2023/07/security-onion-24-base-os.html

Known Issues

Here are some known issues that should be resolved in later releases:

  • You cannot do an in-place upgrade from 2.3 to 2.4. We are still investigating data migration.
  • Security Onion Desktop is still considered experimental. It should work when installing from our ISO image but will not work for network installations currently.
  • Importing a PCAP file followed by an EVTX file (or vice versa) fails to ingest logs into Elastic.
  • Heavy Nodes will not ingest Suricata logs due to a permissions issue.
  • so-ip-update, while not an officially supported tool to begin with, has not been given any attention for 2.4 and may not work at all.
  • Some system/OS logs (for example /var/log/secure) may not fully ingest, resulting in a "pipeline with id [logs-system.syslog-1.6.4] does not exist" error.
  • SOC Grid is unable to display EPS production values for sensors.
  • ISO install does not remove NOPASSWD option from sudo configuration.

In-place Upgrades

If you have an existing installation of 2.4 RC1 or RC2 (not Beta), then you should be able to update to GA via soup. You may be prompted to re-run soup multiple times so that it gets fully updated. 

For more information about soup, please see:
https://docs.securityonion.net/en/2.4/soup.html

Security Onion 2.3 Maintenance Mode and EOL

Since Security Onion 2.4 GA has been released, 2.3 is now officially in maintenance mode. No new features will be added to 2.3. Security Onion 2.3 will only receive security patches and priority bug fixes until it reaches EOL. We will announce Security Onion 2.3 End Of Life (EOL) date soon.

Documentation

You can find 2.4 documentation at:
https://docs.securityonion.net/en/2.4/

Documentation is always a work in progress. If you find documentation that needs to be updated, please let us know as described in the Feedback section below.

License Reminder

Please be reminded of the license change we posted last year:
https://blog.securityonion.net/2022/08/security-onion-enterprise-features-and.html

Installation

We highly recommend starting with an IMPORT installation as shown at:
https://docs.securityonion.net/en/2.4/first-time-users.html

Once you’re comfortable with your IMPORT installation, then you can move on to more advanced installations as shown at:
https://docs.securityonion.net/en/2.4/architecture.html

Thanks

Lots of love went into this release!

Special thanks to all our folks working so hard to make this release happen!

  • Josh Brower
  • Jason Ertel
  • Wes Lambert
  • Corey Ogburn
  • Josh Patterson
  • Mike Reeves

Questions, Problems, and Feedback

If you have any questions or problems relating to Security Onion 2.4, please use the new 2.4 category at our Discussions site:
https://github.com/Security-Onion-Solutions/securityonion/discussions/categories/2-4

Conference

Our 10th Annual Security Onion Conference is coming up soon! You don't want to miss great speakers like:

  • Dave Kennedy
  • Wes Lambert
  • Josh Kamdjou
  • Scott Hall
  • Pete Di Giorgio
  • Josh Brower
  • David Bianco
  • Doug Burks

Reserve your seat today! Last day to register is September 29!

https://socaugusta2023.eventbrite.com/

Training

Need training? Start with our free Security Onion Essentials training and then take a look at some of our other official Security Onion training including a 4-day class in Augusta GA leading up to Security Onion Conference and BSidesAugusta!

https://securityonion.net/training

Security Onion Solutions Hardware Appliances

We know Security Onion's hardware needs, and our appliances are the perfect match for the platform. Leave the hardware research, testing, and support to us, so you can focus on what's important for your organization. Not only will you have confidence that your Security Onion deployment is running on the best-suited hardware, you will also be supporting future development and maintenance of the Security Onion project!

https://securityonionsolutions.com/hardware

Cloud Installations

For new Security Onion 2 installations in the cloud, Security Onion 2.4 will soon be available on the AWS, Azure, and GCP marketplaces!

AWS Marketplace and Documentation:
https://securityonion.net/aws/?ref=_ptnr_soc_blog_230815
https://docs.securityonion.net/en/2.4/cloud-amazon.html

Azure Marketplace and documentation:
https://securityonion.net/azure
https://docs.securityonion.net/en/2.4/cloud-azure.html

GCP Marketplace and documentation:
https://securityonion.net/gcp
https://docs.securityonion.net/en/2.4/cloud-google.html

Screenshot Tour

If you want the quickest and easiest way to try out Security Onion 2.4, just follow the screenshots below to install an Import node. This can be done in a minimal VM with only 4GB RAM! For more information, please see:

https://docs.securityonion.net/en/2.4/first-time-users.html