
RSA NetWitness Platform

2 posts authored by: Ioana Sundius (RSA employee)

Years ago, when the ECAT team was all of a handful of Canadians, I saw my first ECAT demo. Look Ma, no feeds, no signatures, no scans. It will still tell you what's wrong, before your highly paid consultant can. At that moment, I was sitting in a demo room, surrounded by some of exactly such highly paid consultants, eyes wide as onions! Wait, how?!


With STIX still a few years away, OpenIOC seemed poised for greatness at the time. With roughly 2500 terms to describe conditions on the ground, a standards-based design leveraging XML and Lua parsers, and thousands of attacks already described in the language, it looked like the best direction moving forward.


The catch, however: where do you start? Some private data showed up on a public server somewhere and now you're staring at 50,000 endpoints with no clue where the culprit might be hiding. Until that demo, it was still a matter of intuition, discrimination, trial and error, and hiring the best minds for the job. They looked for malware, relying on their thousands of "secret sauce" indicators, a measure of their experience. They took the weekend, scanning. But the first question in anyone's mind was still: "Am I targeted?", which roughly (still!) translates into: "Will my intel help me this time?" (Fingers quietly crossed...)


Which is why seeing ECAT in action seemed so implausible. It did not just scan for sophisticated malware and its variants. It actually detected new malware.


Let me let that sink in: Without a feed, without a smart analyst, without any external support, IT FOUND NEW MALWARE.


Again... how?


Besides, it did so with little delay, no enterprise-wide downtime dedicated to scanning, and with results in seconds. The demo was only 10 minutes long. When I left that meeting, I started to question the direction the entire industry was taking.


You see, searching for specific malware is not only hard, but also fruitless. It's a Sisyphean task: after all the work done in capturing, describing and sharing your opponent's technique, a simple change can bring you back to square one. Write to this directory, not that one. What ECAT did radically differently was look for canonical behaviors. You can spend hours looking for all known variants of Zeus on your endpoints, or you can simply look for generic capabilities shared across all malware, and back it up with some data analytics to decide whether that behavior, in context, is likely to be bad.


ECAT won't name it Zeus, but besides your Zeus, it will also find any other malware that shares behaviors with Zeus. How about all Zeus variants, and then some?


Instead of shepherding thousands of IOCs, it had its detection engine built right under its hood. It was not trying to detect things on the endpoint itself. Instead it bagged-and-tagged relevant information and brought it to the server for analysis. Fast, flexible and smart.
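To make the contrast between a specific indicator and a canonical behavior concrete, here is an added example. It is not ECAT code and not RSA's IIOC query syntax; every process record, hash and rule weight in it is constructed for illustration. It runs both approaches over the same batch of "bagged-and-tagged" process records: a hash list that knows one sample, and a small set of behavior rules (unsigned binary in a user-writable directory, autorun persistence, injection into another process, beaconing, a system process name outside System32) whose weights are summed in context.

```python
"""Behavior-based triage next to hash-indicator matching.

Added example, not ECAT code and not RSA's IIOC query syntax. Every process
record, hash and rule weight below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Process:
    """One process record as an endpoint agent might ship it to the server."""
    name: str
    path: str
    sha256: str                 # constructed placeholder, not a real hash
    signed: bool                # Authenticode signature verified
    autorun: bool               # Run key / scheduled task persistence
    injects_into: List[str] = field(default_factory=list)
    beacons: bool = False       # periodic outbound traffic to an unfamiliar host


# --- Indicator approach: a list of specific hashes you already know ---------
KNOWN_BAD_HASHES = {"5e2f" * 16}          # knows about exactly one sample


def hash_triage(procs: List[Process]) -> List[str]:
    """Flags only the processes whose hash is already on the list."""
    return [p.name for p in procs if p.sha256 in KNOWN_BAD_HASHES]


# --- Behavior approach: generic capabilities shared across malware families --
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}


def _in_user_writable_dir(p: Process) -> bool:
    return any(d in p.path.lower() for d in USER_WRITABLE_DIRS)


# (behavior, predicate, weight): each rule names a capability, not a sample
BEHAVIOR_RULES: List[Tuple[str, Callable[[Process], bool], int]] = [
    ("unsigned binary in user-writable directory",
     lambda p: not p.signed and _in_user_writable_dir(p), 3),
    ("autorun persistence", lambda p: p.autorun, 2),
    ("code injection into another process", lambda p: bool(p.injects_into), 4),
    ("beaconing", lambda p: p.beacons, 2),
    ("system process name outside System32",
     lambda p: p.name.lower() in SYSTEM_NAMES
     and not p.path.lower().startswith("c:\\windows\\system32\\"), 3),
]


def score(p: Process) -> Tuple[int, List[str]]:
    """Sum the weights of the behaviors a process exhibits; return the hits too."""
    total, hits = 0, []
    for behavior, pred, weight in BEHAVIOR_RULES:
        if pred(p):
            total += weight
            hits.append(behavior)
    return total, hits


def behavior_triage(procs: List[Process], threshold: int = 5) -> List[str]:
    """Names of processes whose combined behaviors cross the threshold, worst first.

    One behavior on its own (a signed updater's autorun key) stays below it;
    the combination is what makes a process worth an analyst's time.
    """
    scored = [(score(p)[0], p.name) for p in procs]
    return [name for s, name in sorted(scored, reverse=True) if s >= threshold]


# Constructed telemetry: two benign processes, one known sample, one variant.
SAMPLE_TELEMETRY = [
    Process("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            "11aa" * 16, signed=True, autorun=False),
    Process("GoogleUpdate.exe", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
            "22bb" * 16, signed=True, autorun=True),
    # the one sample the hash list knows about
    Process("invoice.exe", r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
            "5e2f" * 16, signed=False, autorun=True,
            injects_into=["explorer.exe"], beacons=True),
    # a recompiled variant: new hash, same behaviors, masquerading name
    Process("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
            "c0de" * 16, signed=False, autorun=True,
            injects_into=["explorer.exe"], beacons=True),
]

if __name__ == "__main__":
    print("hash indicators flag:  ", hash_triage(SAMPLE_TELEMETRY))
    print("behavior scoring flags:", behavior_triage(SAMPLE_TELEMETRY))
    for proc in SAMPLE_TELEMETRY:
        total, hits = score(proc)
        print(f"  {proc.name:18} score={total:2}  {hits}")
```

The hash list catches `invoice.exe` and nothing else; the behavior rules catch it and the recompiled `svchost.exe` variant, while the signed updater with only an autorun key stays below the threshold. The weights and the threshold are the "data analytics" part: they need tuning against a fleet's normal population, which is exactly the work the server-side analysis takes on.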


When RSA decided to purchase ECAT, I felt a little bit jealous.


Fast forward a few years, and I do find myself with the opportunity to work directly with ECAT, and shape its path forward.


What has changed since then? One big visible difference, certainly, is the Instant IOCs (IIOCs), which at first sight seem to contradict the claim of signature-less prowess. So let's look a bit closer at this feature.


ECAT continues to look for all malware, new and old alike. Its Instant IOCs (IIOCs) describe the behaviors it's looking for, and they enable workflow integration with other modules: things like Alerts, Syslog and so on. But at their core, they are essentially still the same detection engine that took everyone by surprise. We simply let you see the queries.


Managing a library of thousands of known threats is hard. New variants are issued, scanning software changes, bugs are found (but fixes are rarely propagated). The authors move on to greener pastures: "how did this old indicator work?" The fact is, while many superheroes find new and exciting malware and might even jot down the indicator to look for it elsewhere, as an industry we find ourselves with a great dearth of doctors to maintain that treasure trove of thousands of threat-intelligence entries. In essence, that is the "Indicator Challenge".


With ECAT, the list is small, and it comes right out of the box. Nothing for you to refresh, and for a product with a few years under its belt, that set of canonical searches has withstood the test of time with remarkable aplomb. Even as new malware is created, the mechanisms of attack are curiously constant! IIOC maintenance is part of every ECAT release.


And therein lies the magic!


Next installments: When to create new IIOCs and a side-by-side dissection showing OpenIOC / STIX and IIOC triggering on the same malware. Known malware, to give them a chance!

On April 12, 2016, Microsoft issued a security update to inform its customers that a vulnerability had been found in its software which would allow a man-in-the-middle attack against the SAM and LSAD remote protocol implementations on most Microsoft Windows operating systems. This issue has important consequences, and at the time of this writing it tops security concerns in the Windows operating system groups. It even has its own collection of logos in the Twitterverse! So our team of engineers investigated.


Summary (from the NIST National Vulnerability Database):


The SAM and LSAD protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability", or "BADLOCK".


RSA ECAT Engineering has researched the issue and reports that none of the RSA ECAT versions supported are affected by this vulnerability.



Microsoft has issued a patch to address this vulnerability, as documented in the Microsoft Security Bulletin MS16-047.



This issue does not affect RSA ECAT. As usual, we do recommend that all underlying infrastructure should always be kept fully patched.



Microsoft Announcement: Security Update for SAM and LSAD Remote Protocols (3148527)

NIST CVE: Vulnerability Summary for CVE-2016-0128 (Microsoft products)

Samba report: SAMR and LSA man in the middle attacks possible (CVE-2016-2118)

NIST CVE: Vulnerability Summary for CVE-2016-2118 (Samba products)


