Friday, March 6, 2015

Critical Windows Processes - System

The "System" process is one of the critical processes to be aware of on Windows systems. Malicious processes often use the same or similar names as legitimate processes, so it is important to be able to tell what is legitimate from what is not.

- Uses PID 4
- Like the "System Idle Process", this is not a true process in the usual sense, as it is not tied to any user-mode application, i.e. there is no "System.exe"

- Runs only in kernel mode

Why does this matter? Still easy! If you see a process on your system named "System" that points to a specific executable on disk, that is a clear sign that the system is more than likely infected with malware or is being used for some other malicious activity.


References:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
http://en.wikipedia.org/wiki/System_Idle_Process
http://www.tutorialspoint.com/operating_system/os_processes.htm
http://support2.microsoft.com/kb/263201
https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
https://sysforensics.org/2014/01/know-your-windows-processes.html

Critical Windows Processes - System Idle process

The "System Idle Process" is one of the critical processes to be aware of on Windows systems. Malicious processes often use the same or similar names as legitimate processes, so it is important to be able to tell what is legitimate from what is not.

System Idle process

- This is not a true process in the usual sense, as it is not tied to any user-mode application, i.e. there is no "System Idle Process.exe"
    From the image seen above, there is no "path", "command line", "current directory", etc.
- Uses PID 0
- Its primary purpose is to keep the processor busy when no other thread is running

- From the graph below, at the time the snapshot was taken, this system was 21.5% busy, as the CPU usage for the System Idle Process is 78.25%

- Runs completely in kernel mode

- Below we see that this process spends all its time in kernel mode and none in user mode. While the screenshot below shows thread 0, the same holds for the other 3 threads.

- One thread for each CPU.
- From the image above, we can see this system has 4 CPUs, represented by threads 0, 1, 2 and 3.

Why does this matter? Easy! If you see a process on your system named "System Idle Process" that points to a specific executable on disk, that is a clear sign that the system is more than likely infected with malware or is being used for some other malicious activity.
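Both posts above boil down to the same checks: "System" always has PID 4, "System Idle Process" always has PID 0, neither has an image path or command line on disk, and neither accumulates user-mode CPU time. The script below is an added example (not code from the original posts) that encodes those checks and runs them over a constructed process listing; the `ProcEntry` fields, the impostor paths and the PIDs 4120 and 2208 are made up for the demo, and in practice the listing would be exported from Process Explorer, tasklist or Get-Process.

```python
"""Consistency checks for the "System" and "System Idle Process" pseudo-processes.

Added example, not code from the original posts. It encodes the properties the
two posts list (fixed PID, no image on disk, no command line, no user-mode CPU
time) and flags entries in a process listing that use one of these names but
violate a property. The listing below is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Expected PID per pseudo-process, keyed by normalised (lower-cased, stripped) name.
EXPECTED_PID: Dict[str, int] = {
    "system": 4,
    "system idle process": 0,
}


@dataclass
class ProcEntry:
    name: str
    pid: int
    path: Optional[str]          # image path on disk; None for the kernel pseudo-processes
    command_line: Optional[str]
    user_time_ms: int            # CPU time spent in user mode
    kernel_time_ms: int          # CPU time spent in kernel mode


def check_entry(entry: ProcEntry) -> List[str]:
    """Return the reasons an entry does not look like the genuine pseudo-process.

    An empty list means either the name is not one we model or every property
    from the posts holds. Name matching ignores case and surrounding whitespace
    so that look-alikes such as "system " or "SYSTEM" are still checked.
    """
    expected_pid = EXPECTED_PID.get(entry.name.strip().lower())
    if expected_pid is None:
        return []
    reasons: List[str] = []
    if entry.pid != expected_pid:
        reasons.append(f"pid {entry.pid} != expected {expected_pid}")
    if entry.path:
        reasons.append(f"has image path {entry.path!r}")
    if entry.command_line:
        reasons.append("has a command line")
    if entry.user_time_ms > 0:
        reasons.append("has user-mode CPU time")
    return reasons


def find_suspicious(entries: List[ProcEntry]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every entry that claims a critical name but fails a check."""
    flagged: Dict[int, List[str]] = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            flagged[entry.pid] = reasons
    return flagged


# Constructed sample listing: the two genuine entries plus two impostors
# (paths and PIDs are made up for the demo).
SAMPLE: List[ProcEntry] = [
    ProcEntry("System Idle Process", 0, None, None, 0, 987_654),
    ProcEntry("System", 4, None, None, 0, 123_456),
    ProcEntry("System", 4120, r"C:\Users\Public\System.exe",
              r'"C:\Users\Public\System.exe"', 310, 40),
    ProcEntry("system idle process ", 2208, r"C:\Windows\Temp\sidle.exe",
              r'"C:\Windows\Temp\sidle.exe"', 25, 5),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE).items():
        print(f"PID {pid}: {'; '.join(reasons)}")
```

Run stand-alone it prints one line per impostor with every failed property. The genuine entries pass all checks, and the name normalisation means a process called "system idle process " (trailing space, lower case) is still held to the PID 0 rule rather than slipping past an exact string match.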


References:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963901.aspx
https://social.technet.microsoft.com/forums/windows/en-US/3dce3625-2757-43d8-9289-0f5f1f832fad/system-idle-process-and-its-existence
http://en.wikipedia.org/wiki/System_Idle_Process
http://www.tutorialspoint.com/operating_system/os_processes.htm
http://support2.microsoft.com/kb/263201
https://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
https://sysforensics.org/2014/01/know-your-windows-processes.html

Protecting Our Critical Infrastructures - Canada’s IT infrastructure and its effect on the US Energy Sector?

How might a significant disruption to Canada’s IT infrastructure affect the United States (US) Energy Sector?


Executive Summary
The objective of this discussion is to understand how a significant disruption to the Canadian IT infrastructure may affect the US Energy Sector. With Canada being responsible for 28% of US oil and petroleum products (eia.gov, 2013), it is imperative that the US consider this risk and plan the necessary mitigation and/or recovery measures for any identified risk.

Understanding the Risk
Canada’s Information and Communication Technology (ICT) sector is considered one of its 10 critical infrastructures. The primary responsibility for protecting this sector is shared among the various levels of government along with critical infrastructure owners and operators (publicsafety.gc.ca, n.d.).
For this post, threats to this sector are viewed from three perspectives: natural, intentional and accidental incidents.
1. Natural
The ice storm which affected Canada in 1998 is a prime example of how natural disasters may affect the ICT sector. This storm left more than 3 million people without power, bringing down hydro poles and telephone lines (Harris, n.d.).

2. Intentional
Acts by terrorists, activists, hacktivists, etc. to disrupt ICT can occur either by directly targeting the locations hosting these services or by disrupting the power grid, etc. Intentional penetration of and intrusion into the ICT sector can have devastating effects, as ICT is responsible for operating the Programmable Logic Controllers (PLCs) which control the devices responsible for managing oil refineries, etc.

3. Accidental
Inadequate operator training was one of the issues identified as contributing to the blackout which affected the eastern seaboard in August 2003 (Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, 2004).

For each of the threats identified above, the following risks should be considered.
1. Loss of life
During the winter months, when gas is most used for heating, the gas supply can be cut off. This will more than likely result in deaths.
Similarly, during the summer months, when gas is used for cooling, there can be a loss of life. I don't see this as being as severe as shutting the gas off in winter.

2. Complete shutdown of SCADA systems
With 28% of US energy coming from Canada, the after-effects of a complete shutdown can be devastating, extending beyond the energy sector.

3. Manipulation of chemicals
Controlling the type and quantity of the chemicals is another problem which can affect the US Energy Sector, as the expected quality may be affected.

4. Manipulation of readings
Deliberate acts such as breaking into the IT systems and controlling the SCADA systems can leave a false sense of security by showing incorrect values on the displays when the actual value is different.

Mitigations
Establish working partnerships between key members of the Canadian government at the federal, provincial, territorial and/or local levels, along with ICT owners and the US Energy Sector.
Work with the Canadian government to perform regular “war games”, similar to what was recently done with the United Kingdom (UK) (Kharpal, 2015).
Provide the Canadian government and its critical infrastructure partners with timely, accurate information about risks and threats.
Perform yearly risk management to identify and/or address any existing and/or new risks.

Recovery (if mitigations failed)
Implement a Business Continuity Plan (BCP).

Strategic planning
By reducing its dependence on foreign oil and petroleum products, tapping other sources of energy such as offshore supplies and vast natural gas reserves, doubling efforts on clean energy resources (wind, solar, etc.) and developing new technologies that use less energy (Slack, 2012), the US Energy Sector will be able to address these risks.

Summary
While it may be possible for the US to reduce its dependency on foreign oil and petroleum products, the probability of eliminating it is practically zero. Therefore, efforts must always be made to mitigate any risks identified within Canada’s IT infrastructure that may have an impact on the US Energy Sector. More importantly, as can be seen from the above, there are a number of ways in which ICT within Canada can affect the US Energy Sector: it is not likely to fail by itself, but rather as a cascading effect of some other event, which may be natural, intentional or accidental.


References

publicsafety.gc.ca (n.d.). Retrieved from https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-eng.aspx
eia.gov (2013, May 10). Retrieved from http://www.eia.gov/energy_in_brief/article/foreign_oil_dependence.cfm
(2010). Canada-United States Action Plan for Critical Infrastructure. Homeland Security, Public Safety Canada.
(2004). Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations. U.S.-Canada Power System Outage Task Force.
Harris, E. (n.d.). Retrieved from http://www.canadiangeographic.ca/magazine/ma98/feature_ice_storm.asp
Kharpal, A. (2015, Jan 16). Retrieved from cnbc.com: http://www.cnbc.com/id/102344021#.
Slack, M. (2012, March 01). Retrieved from whitehouse.gov: http://www.whitehouse.gov/blog/2012/03/01/our-dependence-foreign-oil-declining

Monday, February 2, 2015

McAfee ESM and Checkpoint Data Source Configuration Guide

This is a guest post courtesy of Naomi Rampersad
https://www.linkedin.com/pub/naomi-rampersad/2/2a7/359

Lab Environment Details:

McAfee SIEM
Using McAfee ENMELM_VM4_250 (all-in-one VM deployment containing a single ESM, a single Receiver and an ELM).
Version = 9.4.0
Hostname = McAfee-ENMELM-VM4
IP address = 172.31.254.101/24 (shared by ESM/ELM and Receiver)
Gateway = 172.31.254.1
DNS = 8.8.8.8/4.4.4.4

Checkpoint – GAIA R77.20
MDM – 172.31.254.111
CMA-1 – 172.31.254.112
CMA-2 – 172.31.254.113
MLM – 172.31.254.115
CLM11 – 172.31.254.221
CLM22 – 172.31.254.222
Gw-1 – 172.31.254.118
Gw-2 – 172.31.254.119
Default Gateway – 172.31.254.1

Create an OPSEC Application on CMA-1
1. Log in to the Check Point user interface.
2. Expand the OPSEC Applications tree node and right-click on the OPSEC Application category.
3. Select “New OPSEC Application”.
4. Enter a name for the OPSEC Application (lab value: SIEM_East).
5. Select a host from the “Host” field and select the network object that represents the McAfee Event Receiver. If the object does not exist, create one by clicking the “New” button and entering the IP of the Receiver (lab value: 172.31.254.101).
6. Leave the “Vendor” field as the default selection, “User Defined”.
7. Select the “LEA” checkbox in the “Client Entries” section.
8. Click on the “Communication” button, located near the bottom of the dialog.
9. Enter and confirm your one-time password (lab value: abc123).
10. Click the “Initialize” button. This will initialize the certificate and you will see the message “Initialized but trust not established.”
11. Close the “Communication” dialog.
12. Click “OK” on the OPSEC Application Properties dialog.
13. Perform an Install DB on both CMA-1 and CLM11.

No changes were made to $FWDIR/conf/fwopsec.conf or $CPDIR/conf/sic_policy.conf anywhere (MDM/CMA or MLM/CLM).

On CMA-1

On CLM11

On McAfee ESM
Create the Check Point data sources in a parent-child relationship: create the primary CMA as the parent data source, and then add the CLM as a child of the primary CMA data source.

Data Source Creation
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to.
2. Select Receiver Properties.
3. From the Receiver Properties listing, select “Data Sources”.
4. Select “Add Data Source”.
OR
1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the “Add Data Source” icon.

Parent Data Source Screen Settings
1. Data Source Vendor – Check Point
2. Data Source Model – Check Point (ASP)
3. Data Format – Default
4. Data Retrieval – Default
5. Name – user-defined name of the CMA (lab value: CMA-1_Management_Server)
6. IP Address – the IP address of the CMA (lab value: 172.31.254.112)
7. Event Collection Type – select Audit and Log events.
8. Port – 18184 (default)
Steps 9-12 are only needed if authentication and/or encryption are being used.
9. Use Authentication – checked
10. Application Name – name of the OPSEC Application object created in Check Point (lab value: SIEM_East)
11. Activation Key – the SIC one-time password (lab value: abc123)
12. Use Encryption – checked
13. Options – advanced settings; leave at the default unless you have connection issues (lab value: Auto detect)
14. Connect – tests the connection to the OPSEC LEA service and pulls the certificate. Should be successful.

After the parent is successfully added, create the child data source for the CLM.
1. Select the parent data source from the Receiver Properties Data Sources screen.
2. Select “Add Child Data Source”.
OR
1. Select the parent data source from the device tree.
2. Select the “Add Data Source” icon.

Child Data Source Screen Settings (Log Server / CLM)
1. Name – user-defined name of the CLM (lab value: CLM11)
2. IP Address – IP address of the CLM (lab value: 172.31.254.221)
3. Device Type – Log Server / CLM
4. Event Collection Type – select Audit and Log events.
5. Parent Report Console – the user-defined name of the CMA that the CLM is managed by (Automatic Selection: CMA-1_Management_Server)
6. Distinguished Name – DN of the CLM. Found by running grep sic_name $FWDIR/conf/objects_5_0.C on the CMA
7. Connect – tests the connection. Should be successful.

Add Checkpoint CMA-1 as a Parent Data Source

Receiving logs from the CMA

SSH to the MDM.
Enter expert mode and set the mdsenv.
Run “grep sic_name $FWDIR/conf/objects_5_0.C”.
This will show all DNs. Find the correct one for the CLM.
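The grep above lists every sic_name line in objects_5_0.C but not which object each DN belongs to, so on a CMA with several log servers you still have to match the DN to the CLM by hand. The script below is an added example (not code from the original guide) that reads the same file and also tracks the enclosing object block, so the CLM's DN (step 6 of the child data source settings) can be looked up by object name. SAMPLE_OBJECTS_C is a constructed fragment in the shape of the real file: the object names and IPs are the lab values from the guide, while the DN suffixes are made up.

```python
"""Map Check Point objects to their SIC DNs from objects_5_0.C.

Added example, not code from the original guide. "grep sic_name" prints every
DN in the file but not which object each DN belongs to, so this reads the file
the way the guide does and additionally tracks the enclosing object, which lets
the CLM's DN be looked up by object name. SAMPLE_OBJECTS_C is a constructed
fragment in the shape of the real file; the DN suffixes are made up.
"""
import re
from typing import Dict, List, Optional

# Named block:   ": (CLM11"             -> opens the object called CLM11
# Unnamed block: ": (" / ":interfaces (" / "("  -> opens a nested block
# Field:         ':sic_name ("CN=...")' -> single-line balanced field
NAMED_BLOCK_RE = re.compile(r'^:\s*\((\S+)$')
SIC_NAME_RE = re.compile(r'^:sic_name\s*\("?([^"]*)"?\)$')


def parse_sic_names(text: str) -> Dict[str, str]:
    """Return {object_name: sic_dn} for every object carrying a sic_name field."""
    result: Dict[str, str] = {}
    stack: List[Optional[str]] = []  # one entry per open block; None if unnamed
    for raw in text.splitlines():
        line = raw.strip()
        if line == ")":
            if stack:
                stack.pop()
            continue
        named = NAMED_BLOCK_RE.match(line)
        if named:
            stack.append(named.group(1))
            continue
        if line.endswith("("):
            stack.append(None)
            continue
        sic = SIC_NAME_RE.match(line)
        if sic:
            # Attribute the DN to the nearest enclosing *named* block.
            owner = next((name for name in reversed(stack) if name), None)
            if owner is not None:
                result[owner] = sic.group(1)
    return result


def dn_for(text: str, object_name: str) -> Optional[str]:
    """Convenience wrapper: DN for one object, or None if it has no sic_name."""
    return parse_sic_names(text).get(object_name)


# Constructed fragment in the style of objects_5_0.C (lab names and IPs from the
# guide, DN suffixes made up). Indentation uses tabs like the real file.
SAMPLE_OBJECTS_C = """\
(
\t:network_objects (
\t\t: (CMA-1_Management_Server
\t\t\t:AdminInfo (
\t\t\t\t:ClassName (host_ckp)
\t\t\t)
\t\t\t:ipaddr (172.31.254.112)
\t\t\t:sic_name ("CN=cp_mgmt,O=CMA-1_Management_Server..7hq3zk")
\t\t\t:interfaces (
\t\t\t\t: (
\t\t\t\t\t:ipaddr (172.31.254.112)
\t\t\t\t)
\t\t\t)
\t\t)
\t\t: (CLM11
\t\t\t:AdminInfo (
\t\t\t\t:ClassName (host_ckp)
\t\t\t)
\t\t\t:ipaddr (172.31.254.221)
\t\t\t:interfaces (
\t\t\t\t: (
\t\t\t\t\t:ipaddr (172.31.254.221)
\t\t\t\t)
\t\t\t)
\t\t\t:sic_name ("CN=CLM11,O=CMA-1_Management_Server..7hq3zk")
\t\t)
\t)
)
"""

if __name__ == "__main__":
    for name, dn in parse_sic_names(SAMPLE_OBJECTS_C).items():
        print(f"{name}: {dn}")
```

To use it against a real CMA, replace SAMPLE_OBJECTS_C with the contents of $FWDIR/conf/objects_5_0.C read after running mdsenv in expert mode, and call dn_for(text, "CLM11"). The block tracking matters because the sic_name field can appear before or after nested blocks such as interfaces; the parser still attributes it to the host object rather than to the nested block.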

Add Checkpoint CLM11 as a Child Data Source

Receiving logs from the CLM

Completed the same as above for CMA-2 and CLM22 as separate Check Point data sources on the same Receiver.

Thanks very much to Naomi for this contribution post.
Hope you enjoyed it!