We designed, developed and patented an embedded device (a deception platform) that detects an unauthorized connection, cyber attack or malicious activity carried over legitimate communications, extracts the communications payload from the active process buffers (memory/sockets), converts the payload to a benign (harmless) hexadecimal format, and transmits the resulting cyber data to a defined customer device at the moment the cyber attack/malicious activity BEGINS.
Cyber Detection Services Inc.
Port/Connection Monitor rows (source, targeted service, port):
Taiwan - Attacking SSH 22
Russia/Korea - Attacking ICS 2222
Taiwan - Attacking WSD 5358
U.S. - Attacking VNC 5900
Spain - Attacking SSH 22
Japan - Attacking Post Office Protocol (POP) Email 110
Colombia - Attacking WSD 5358
Spain - Attacking VNC 5900
The flow diagram above leads to the following question:
But what about malicious activity that uses legitimate forms of communication to target a network and attempts to penetrate it without leaving any physical trace of a cyber attack?
The first question we hear from corporations and governments that DO NOT CONSISTENTLY detect and/or track these types of malicious activity, which leave no signature of any kind, is the following:
How do you know it's bad?
CDS has developed a patent pending process/method that automatically determines that a connection is unauthorized/malicious, instantly captures its payload, and transmits all of the data to the customer at the time the source IP address attempts the connection.
The CDS embedded device contains numerous software modules. Three of them are 1) the Port/Connection Monitor (shown below), 2) the patent pending TCP and UDP Process Emulators (not shown), and 3) the Firewall Communications Analyzer (not shown).
The CDS embedded device runs in "headless mode" with no mouse, keyboard or monitor. For diagnostic purposes, however, several critical modules are displayed in a Graphical User Interface (GUI) window when a mouse, keyboard and monitor are connected.
Displayed below is the Port/Connection Monitor Rel 4.0.
Virtually everyone is aware of trojans, phishing attacks and browser attacks, which are tracked by worldwide threat intelligence services; these attacks have a physical artifact (a malicious file, a signature, a CVE identifier, etc.) associated with them.
However, anyone in the cybersecurity industry who keeps up with the latest attack methods is aware of "The Equation Group", the name given to an offensive unit widely attributed to the NSA, whose offensive malware was obtained and published by "The Shadow Brokers".
The website thoughtsandstuff.net/equation is a great place to obtain detailed information on the malware technology obtained by the Shadow Brokers from "The Equation Group".
We (CDS) were so impressed with the research performed at thoughtsandstuff.net/equation that we contacted Mr. Karan Varindani and asked him by email whether we could republish their work and flow diagram on our website. We would like to thank Alexander Olenik, Brian Roach, Jennifer Tsui and Karan Varindani for the work they performed at Boston University on the malware released by the Shadow Brokers, and for giving us permission to republish their work and flow diagram here.
We (CDS) believe that Mr. Varindani and his co-authors have taken complex malware and explained its mechanics in simple terms, along with providing a simple visual flow diagram (below) that shows how vulnerable systems are to this form of cyber attack.
There are numerous reasons why their research is extremely important. CDS is republishing their work and flow diagram to emphasize one major issue, which is the following:
Over the past 18+ months the industry has been in a "great debate" over what is a cyber attack, what isn't a cyber attack, what is passive intelligence gathering, and so on.
While the industry "debates" the intellectual mechanics of the methods used by the "bad actors", more and more networks (targets) are penetrated, and more and more of the methods the "bad actors" use are deemed NOT to be a cyber attack by the industry.
One agency that participates heavily in defining these terms is the National Security Agency (NSA).
We (CDS) find it very interesting that two of the top methods published by The Shadow Brokers for successfully targeting and penetrating networks are technically NOT cyber attacks!
Based on the flow diagram below from thoughtsandstuff.net/equation, the port 161 SNMP method transmits to the target via UDP (a "connectionless" protocol) and delivers its communications payload, which causes a buffer overflow and disables authentication.
The TCP port 22 Secure Shell method (below) then establishes a connection to the target without entering a password.
Under the ongoing industry "debate" about what is and is not a cyber attack, neither of these methods would be classified as a cyber attack.
The UDP port 161 SNMP method simply transmits to the target, and the TCP port 22 SSH method simply connects to the target.
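Neither step in the sequence above carries a signature on its own: one is a UDP datagram to the SNMP port, the other is an ordinary SSH connection. What gives it away is the order and timing of the two from the same source. The following is an added example (not CDS code and not taken from the thoughtsandstuff.net/equation write-up) of a correlation rule run over constructed flow records; the payload-size threshold, the five-minute window and the record format are assumptions made for illustration.

```python
"""
Correlation rule for the two-step sequence: an oversized SNMP datagram to
UDP/161 from a source, followed shortly by an SSH session from the same
source on TCP/22.  Added example over constructed flow records (not CDS
code); the size threshold and time window are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SNMP_SIZE_THRESHOLD = 512   # assumed: ordinary SNMP GET/SET requests are far smaller
WINDOW_SECONDS = 300.0      # assumed: SSH login must follow within five minutes


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload_len: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, size = line.split()
    return Flow(float(ts), src, dst, proto.lower(), int(dport), int(size))


def correlate(flows: List[Flow],
              threshold: int = SNMP_SIZE_THRESHOLD,
              window: float = WINDOW_SECONDS) -> List[dict]:
    """Return one alert per (source, target) pair where an oversized UDP/161
    datagram was followed within `window` seconds by a TCP/22 connection."""
    last_snmp: Dict[Tuple[str, str], float] = {}   # (src, dst) -> ts of last oversized SNMP datagram
    alerts: List[dict] = []
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst)
        if f.proto == "udp" and f.dport == 161 and f.payload_len > threshold:
            last_snmp[key] = f.ts
        elif f.proto == "tcp" and f.dport == 22 and key in last_snmp:
            if f.ts - last_snmp[key] <= window:
                alerts.append({"src": f.src, "dst": f.dst,
                               "snmp_ts": last_snmp[key], "ssh_ts": f.ts})
                del last_snmp[key]   # one alert per observed sequence
    return alerts


# Constructed sample records (RFC 5737 documentation addresses, timestamps in seconds):
# ts src dst proto dport payload_bytes
SAMPLE_LOG = """\
1000.0 198.51.100.7 192.0.2.10 udp 161 1450
1003.5 198.51.100.7 192.0.2.10 tcp 22 96
1100.0 203.0.113.5 192.0.2.10 udp 161 84
1101.0 203.0.113.5 192.0.2.10 tcp 22 96
2000.0 198.51.100.9 192.0.2.11 udp 161 1500
2900.0 198.51.100.9 192.0.2.11 tcp 22 96
"""


def alerts_from_log(text: str = SAMPLE_LOG) -> List[dict]:
    return correlate([parse_flow(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for a in alerts_from_log():
        print(f"ALERT {a['src']} -> {a['dst']}: oversized SNMP at t={a['snmp_ts']}, "
              f"SSH session at t={a['ssh_ts']}")
```

Only the first source fires: the second sends a normally sized SNMP request, and the third's SSH session arrives well outside the window. Both non-alerting cases are the kind of legitimate traffic a per-packet signature would have to either miss or flag; the sequence rule separates them without any knowledge of the payload's contents.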
But according to the "powers that be" they are NOT cyber attacks.
Isn't it amazing that the NSA would create methods to target and successfully penetrate networks using methods that are NOT considered to be cyber attacks?
We at CDS anticipated that unauthorized "connections"/unauthorized communications would become a very severe problem that MUST be instantly detected, reported and terminated, which is one of the major reasons WHY we designed, developed and patented the CDS embedded device technology.
The flow diagram explaining The Equation Group attack methods using UDP port 161 SNMP and TCP port 22 SSH is the following:
The Port/Connection Monitor shown above works in conjunction with the TCP and UDP Process Emulators (not shown). The Firewall Communications Analyzer (not shown) inspects and analyzes all communications packets transmitted to/from the CDS embedded device.
In the Port/Connection Monitor shown above, several malicious IP addresses are attempting to breach/access the CDS embedded device in separate, simultaneous attacks.
Starting from the bottom and moving upwards: a site in Taiwan is attacking SSH (port 22), sites in Russia/Korea are attacking Rockwell Industrial Control Systems (port 2222), a site in Taiwan is attacking Web Services for Devices (WSD, port 5358), a U.S. site is attacking Virtual Network Computing (VNC, port 5900), a site in Spain is attacking SSH (port 22), a site in Japan is attacking Post Office Protocol (POP, port 110), a site in Colombia is attacking WSD (port 5358), and a site in Spain is attacking VNC (port 5900).
The CDS patent pending process/methods comprise the Port/Connection Monitor working in conjunction with the TCP and UDP Process Emulators. When a malicious source IP address connects to the embedded device, the Process Emulators instantly terminate the connection (for UDP, which has no connection to close, the Firewall Communications Analyzer assists).
The Port/Connection Monitor is linked into the embedded operating system's (O/S) socket management, and the "connection states" are managed internally and eventually "dropped" and cleared from the O/S socket manager. The operative words are "connection states". The source connection (IP address) is instantly detected and disconnected by the CDS Process Emulators.
The source (IP address) responds by attempting to reconnect to the CDS embedded device. The CDS Process Emulators continue to perform their designed function and disconnect the source IP address again; the repeated attempts to gain unauthorized access to the CDS embedded device also confirm that the source IP address is executing malicious activity.
The CDS Firewall Communications Analyzer monitors all attempted connections/events. The patent pending process/methods track each connection and set a maximum number of times a source IP address may attempt a connection to the CDS embedded device. If that maximum is exceeded, the CDS Firewall Communications Analyzer instantly creates a policy that blocks the source IP address for a variable length of time (time = var x), based on the overall number of source IP addresses attempting to connect to the CDS embedded device. Once that time period (time = var x) has elapsed, the source IP address is again free to attempt connections to the CDS embedded device.
When the CDS Firewall Communications Analyzer issues an automated policy to block a connection from a malicious source IP address, the Port/Connection Monitor may display any of a number of TCP connection states, including ESTABLISHED, FIN_WAIT1, FIN_WAIT2, TIME_WAIT and CLOSE_WAIT. Depending on when during the exchange with the source the CDS Firewall Communications Analyzer blocks the malicious source IP address, the Port/Connection Monitor may show the connection as having been terminated by either the server or the client side.
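The behaviour described in the preceding paragraphs (capture the payload the moment the source arrives, convert it to benign hex, terminate, count attempts per source, then block for a time that scales with the number of sources attacking) can be modelled as a small state machine. The following is an added example, not CDS code and not a description of the patented method's internals; the attempt threshold (3), the 60 s base block time, the "base time times number of distinct attacking sources" scaling rule, and the sample traffic are all assumptions made for illustration.

```python
"""
Model of a deception-listener policy: accept the unauthorized connection,
capture and hex-encode the payload, terminate, count attempts per source IP,
and block the source for a variable time once it exceeds the threshold.
Added example, not CDS code; threshold, timing and scaling rule are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_ATTEMPTS = 3          # assumed: the page says only "a maximum number of times"
BASE_BLOCK_SECONDS = 60   # assumed base unit for the variable block time ("time = var x")


def to_benign_hex(payload: bytes) -> str:
    """Render a captured payload as hex so it can be stored and forwarded
    without ever being executed, parsed or rendered by the receiving side."""
    return payload.hex()


@dataclass
class Report:
    ts: float
    src_ip: str
    proto: str
    port: int
    payload_hex: str


@dataclass
class DeceptionMonitor:
    max_attempts: int = MAX_ATTEMPTS
    base_block: float = BASE_BLOCK_SECONDS
    attempts: Dict[str, int] = field(default_factory=dict)        # per-source attempt counter
    blocked_until: Dict[str, float] = field(default_factory=dict)  # firewall policy expiry per source
    reports: List[Report] = field(default_factory=list)           # what would be sent to the customer

    def block_duration(self) -> float:
        # Assumed scaling rule: base time multiplied by the number of distinct
        # sources currently attempting connections.
        return self.base_block * max(1, len(self.attempts))

    def handle(self, ts: float, src_ip: str, proto: str, port: int, payload: bytes) -> str:
        """Process one inbound connection or datagram and return the action taken."""
        until = self.blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "dropped"               # block policy still in force; nothing reaches the emulator
            del self.blocked_until[src_ip]     # policy expired: the source may try again
            self.attempts.pop(src_ip, None)

        # Process emulator: the payload is captured and reported the moment the
        # source arrives, before any further interaction takes place.
        self.reports.append(Report(ts, src_ip, proto, port, to_benign_hex(payload)))

        count = self.attempts.get(src_ip, 0) + 1
        self.attempts[src_ip] = count
        if count > self.max_attempts:
            # Firewall analyzer: attempt limit exceeded, install a timed block.
            self.blocked_until[src_ip] = ts + self.block_duration()
            return "blocked"
        # TCP: the emulator closes the socket. UDP has no connection to close,
        # so the datagram is simply discarded after capture.
        return "terminated" if proto == "tcp" else "discarded"


def run_scenario(events: List[Tuple[float, str, str, int, bytes]],
                 max_attempts: int = MAX_ATTEMPTS,
                 base_block: float = BASE_BLOCK_SECONDS) -> Tuple[List[str], DeceptionMonitor]:
    mon = DeceptionMonitor(max_attempts, base_block)
    return [mon.handle(*ev) for ev in events], mon


# Constructed sample traffic (timestamps in seconds, RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    (0.0,   "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),
    (1.0,   "203.0.113.9",  "udp", 5358, b"<s:Envelope><s:Body><d:Probe/></s:Body></s:Envelope>"),
    (2.0,   "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),
    (3.0,   "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),
    (4.0,   "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),  # 4th attempt exceeds the limit of 3
    (50.0,  "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),  # inside the 120 s block window
    (130.0, "198.51.100.7", "tcp", 22,   b"SSH-2.0-OpenSSH_7.4\r\n"),  # block expired, source may retry
]

if __name__ == "__main__":
    actions, mon = run_scenario(SAMPLE_EVENTS)
    for ev, act in zip(SAMPLE_EVENTS, actions):
        print(f"t={ev[0]:>6} {ev[1]:<14} {ev[2]}/{ev[3]:<5} -> {act}")
    for r in mon.reports:
        print(f"report t={r.ts} {r.src_ip} {r.proto}/{r.port} payload_hex={r.payload_hex}")
```

Two points worth noting against the text above. First, the report is generated on the very first contact, not after the threshold is exceeded, which matches the claim that data is transmitted when the activity begins rather than after it is classified. Second, because the block length depends on how many sources are active when the policy is created (two here, hence 120 s), the same source can receive different block durations at different times; a practitioner reconciling the monitor's display with the firewall log should expect that.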
The screen shot of the CDS Port/Connection Monitor above was taken on April 17, 2017.
The IP addresses executing malicious activity against the CDS embedded device either 1) have never been detected by the millions of sensors reporting to the SANS Internet Storm Center (ISC), or 2) have not been detected by the SANS ISC over the past two weeks.
What does this mean?
The source IP addresses targeting the CDS embedded device are operating below the visibility of the millions of sensors reporting to the SANS ISC. Whether they have refined/revised their methods to avoid those sensors or have simply not yet reached them, their malicious activity is continuing unknown/undetected by the sensors reporting to the SANS ISC.
An analogy of this malicious activity is the following:
You live in a neighborhood with many homes on your street. Early one morning, at approximately 2 AM, you notice a group of criminals going from home to home on your street, attempting to break into each house through its front door. These criminals get to your home and attempt to break through your front door. They are NOT successful. Do you forget about these criminals and go back to sleep, or do you call the police and report the incident so they can be arrested and this never happens again?
You report the criminal activity to the police so they can be arrested.
It is the same with malicious activity carried over legitimate communications: it must be detected and blocked to ensure it cannot happen again.
Next "Wave" in Technology - Post Cloud Computing - IoT intelligent devices that can reside on "The Edge" of networks and also integrate seamlessly into existing cloud and traditional networks.