And the winner is...
Rule Your Network Winners!
It is with great pleasure that we announce the winners of LogRhythm's Rule Your Network contest. We received numerous entries, and our judges invested many hours in evaluating each and every one. Per the official rules, our judging team:
- Determined whether the entry was complete, eligible, and followed the rules, and assigned it to the proper contest category.
- Scored the entry on real-world relevance in its target category. Relevance counted for 45% of the total score.
- Scored the entry on technical merit, including testing out the solution. Technical merit counted for 35% of the total score.
- Scored the entry on novelty and uniqueness. Novelty counted for the remaining 20% of the score.
Once we had the scores from all judges, we did the math, re-confirmed eligibility, and ultimately determined the winners!
Without further ado, here they are!!!
Best Novel Threat Detection
The winner in the Best Novel Threat Detection category is Jotam Jr Trejo with "Meterpreter HTTPS reverse shell".
Jotam explored the JA3 algorithm for fingerprinting TLS clients and adapted it into a DPA rule. JA3 works on the unencrypted Client Hello that starts every SSL/TLS session: the offered protocol version, cipher suites, extensions, elliptic curves and point formats are written out as a string and hashed into an MD5 fingerprint, so the client's TLS stack can be identified without decrypting anything. Because the fingerprint is stable for a given client implementation and configuration, it can be used to build white lists of "known safe" clients and black lists of "known unsafe" ones. Using a rule based on JA3, Jotam applied a black list fingerprint for the Metasploit Meterpreter HTTPS reverse shell. One caveat worth keeping in mind: a JA3 hash identifies the TLS library and its settings rather than the program using it, so unrelated software built on the same library can collide with a black-listed hash, and a hit is best confirmed against other indicators (destination, certificate, beaconing pattern) before acting on it.
This entry caught our interest because of its technical complexity (it requires a packet rule that parses the Client Hello payload at the byte level!) and its really cool passive detection method for identifying pen testers (and bad actors).
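As an added example (not part of Jotam's entry or of the original post), the following Python computes a JA3 fingerprint from a raw TLS Client Hello record and checks it against a black list, which is the core of what a byte-level packet rule has to do. The Client Hello bytes, the black list label and the `build_client_hello`/`classify` helpers are constructed for this illustration; in a real rule you would load published hashes for the tools you care about. It also shows why GREASE values have to be stripped: two Client Hellos from the same client, one with GREASE values inserted, must hash to the same fingerprint.

```python
import hashlib
import struct

def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them so that
    a client which randomises its GREASE values still produces one stable hash."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)

def _u16_list(data: bytes) -> list:
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]

def parse_client_hello(record: bytes) -> dict:
    """Walk a TLS record carrying a ClientHello and pull out the five fields JA3 uses."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                                  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                          # client random
    pos += 1 + body[pos]                               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                               # compression methods
    extensions, curves, formats = [], [], []
    if pos + 2 <= len(body):                           # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 10:                            # supported_groups (elliptic curves)
                curves = _u16_list(edata[2:2 + struct.unpack("!H", edata[:2])[0]])
            elif etype == 11:                          # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}

def ja3_string(record: bytes) -> str:
    """JA3 = SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats,
    each list joined with '-' and GREASE values removed."""
    f = parse_client_hello(record)
    join = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    return ",".join([str(f["version"]), join(f["ciphers"]), join(f["extensions"]),
                     join(f["curves"]), join(f["formats"])])

def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

def classify(record: bytes, blacklist: dict, whitelist: dict) -> str:
    """Return 'blacklist:<label>', 'whitelist:<label>' or 'unknown' for one ClientHello."""
    h = ja3_hash(record)
    if h in blacklist:
        return "blacklist:" + blacklist[h]
    if h in whitelist:
        return "whitelist:" + whitelist[h]
    return "unknown"

# --- constructed test input: a ClientHello builder (this is NOT a packet capture) ---
def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_ext(name: bytes) -> tuple:
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (0, struct.pack("!H", len(entry)) + entry)

def groups_ext(groups: list) -> tuple:
    return (10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))

def formats_ext(fmts: list) -> tuple:
    return (11, bytes([len(fmts)]) + bytes(fmts))

CIPHERS = [47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4]
PLAIN = build_client_hello(0x0301, CIPHERS,
                           [sni_ext(b"example.com"), groups_ext([23, 24, 25]), formats_ext([0])])
# The same client, but with GREASE values sprinkled into the cipher, extension and curve lists.
GREASED = build_client_hello(0x0301, [0x0a0a] + CIPHERS,
                             [(0x1a1a, b""), sni_ext(b"example.com"),
                              groups_ext([0x2a2a, 23, 24, 25]), formats_ext([0])])

# Hypothetical lists: a real rule loads published hashes for the tools it cares about.
BLACKLIST = {ja3_hash(PLAIN): "constructed-suspect-client"}
WHITELIST = {}

if __name__ == "__main__":
    print(ja3_string(PLAIN))
    print(ja3_hash(PLAIN), classify(PLAIN, BLACKLIST, WHITELIST))
    print(ja3_hash(GREASED), classify(GREASED, BLACKLIST, WHITELIST))
```

The parser deliberately reads only the handshake fields JA3 needs and ignores the record-layer version, which is the version JA3 does not use; note that a Client Hello split across several TLS records or TCP segments would have to be reassembled before this is applied.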
Congratulations Jotam and thank you for the outstanding work with NetMon!
Best Hunting Use Case or Dashboard
The winner in the Best Hunting Use Case or Dashboard category is Adam Austin with "DNS Domains Queried Dashboard".
The runner up prize goes to Jotam Jr Trejo for "DNS Exfiltration/Infiltration Hunting Dashboard".
Both of our Hunting Use Case winners put considerable effort into analyzing DNS as a threat indicator. We see DNS abuse regularly in "in the wild" incidents. As shown in the OilRig attack earlier this year, DNS can be used for command and control. Another recent piece of malware, DNSMessenger, used DNS TXT records to receive payloads and instructions. Since DNS is a fundamental protocol that normal operations depend on, and is therefore almost never blocked outright, hunting in DNS traffic is a critical part of a strong security posture.
Adam, in his winning entry, created custom DPA rules that enrich NetMon's DNS metadata by looking up the queried host name and adding "whois" information, including how long the domain has been registered. Combining this enrichment rule with a new dashboard produced a hunting dashboard that maps nicely to SANS best practices. With the rule and dashboard together, it is straightforward to spot domains that have never been seen before, recently registered domains, and other indicators that provide a rich hunting environment! Domain age is a strong signal because attackers frequently register infrastructure shortly before using it, while the domains in a business's normal traffic are typically years old. One practical caveat: live whois lookups are slow and rate-limited, so cache results per registrable domain rather than querying on every DNS packet.
Jotam, the runner up, took a different approach to enriching the base DPA data: a custom rule that records the length of each query. Unusually long query names are a classic sign of DNS tunneling, because data being exfiltrated (or commands being pulled down) has to be encoded into the labels of the name itself, so query length makes a good "look here" indicator in a hunting scenario. Jotam posted his entry on GitHub and you can see it here: https://github.com/jotamjr/netmon-db-dns-hunting.
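To show how the two DNS hunting signals described above (Adam's domain-age enrichment and Jotam's query-length indicator) combine in practice, here is an added Python example; it is not code from either entry or from NetMon. The log lines, the whois table, the "seen before" baseline, the fixed "today" and all thresholds are constructed and assumed for the illustration; a production rule would call whois (with caching), use the Public Suffix List to find the registrable domain, and tune the thresholds to its own traffic. It goes slightly beyond the entries by also scoring label entropy, which separates encoded tunnel data from merely long but readable hostnames.

```python
import math
from datetime import date

# Constructed sample DNS query log lines: "<timestamp> <client> <qtype> <qname>". Not real traffic.
SAMPLE_QUERIES = [
    "2018-03-01T09:00:01Z 10.0.0.21 A www.example.com",
    "2018-03-01T09:00:03Z 10.0.0.21 A cdn.example.net",
    "2018-03-01T09:00:05Z 10.0.0.34 TXT 7a1f3c9e2b4d6f8a0c1e3b5d7f9a2c4e.6b8d0f2a4c6e8b0d2f4a6c8e0b2d4f6a.tunnel-host.xyz",
    "2018-03-01T09:00:07Z 10.0.0.34 A login.brand-new-site.info",
    "2018-03-01T09:00:09Z 10.0.0.12 A mail.example.com",
]

# Constructed stand-in for a whois lookup: registrable domain -> registration date.
# A real rule queries whois (and caches the answer); a table keeps this example offline.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 1, 1),
    "tunnel-host.xyz": date(2018, 2, 20),
    "brand-new-site.info": date(2018, 2, 27),
}
BASELINE_DOMAINS = {"example.com", "example.net"}   # constructed "seen before" baseline
TODAY = date(2018, 3, 1)                            # fixed so domain ages are deterministic

# Thresholds are assumptions for this example; tune them to your own traffic.
LONG_QUERY = 60          # total qname length
LONG_LABEL = 30          # single label length (RFC 1035 allows up to 63)
MIN_ENTROPY_LABEL = 16   # only score entropy on labels long enough to be meaningful
HIGH_ENTROPY = 3.5       # bits per character; hex/base32 data sits well above hostnames
NEW_DOMAIN_DAYS = 30

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname: str) -> str:
    # Naive: last two labels. A real rule should use the Public Suffix List (co.uk etc.).
    return ".".join(qname.split(".")[-2:])

def score_query(line: str) -> dict:
    """Enrich one query with length, entropy, domain age and first-seen flags."""
    ts, client, qtype, qname = line.split()
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    domain = registrable_domain(qname)
    created = WHOIS_CREATED.get(domain)
    age = (TODAY - created).days if created else None
    entropy = shannon_entropy(labels[0]) if len(labels[0]) >= MIN_ENTROPY_LABEL else 0.0

    flags = []
    if len(qname) > LONG_QUERY:
        flags.append("long-query")
    if max(len(label) for label in labels) > LONG_LABEL:
        flags.append("long-label")
    if entropy > HIGH_ENTROPY:
        flags.append("high-entropy")
    if qtype == "TXT":                       # TXT carries arbitrary data (cf. DNSMessenger)
        flags.append("txt-query")
    if age is None:
        flags.append("unknown-registration")
    elif age < NEW_DOMAIN_DAYS:
        flags.append("new-domain")
    if domain not in BASELINE_DOMAINS:
        flags.append("never-seen")
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname, "domain": domain,
            "domain_age_days": age, "entropy": round(entropy, 2), "flags": flags,
            "score": len(flags)}

def hunt(lines: list) -> list:
    """Score every query and return them most suspicious first (stable for ties)."""
    return sorted((score_query(l) for l in lines), key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in hunt(SAMPLE_QUERIES):
        print(f'{r["score"]} {r["client"]:<10} {r["qtype"]:<4} age={r["domain_age_days"]} '
              f'{",".join(r["flags"]) or "-"} {r["qname"]}')
```

Each flag is a dashboard filter in its own right; the score simply orders the hunting queue so the TXT query to a nine-day-old domain with two 32-character hex labels lands at the top, while the same client's lookup of a brand-new login domain still surfaces on age and first-seen alone.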
Congratulations Adam and Jotam and thank you for your amazing threat hunting work with NetMon!
Best IT Operations Use Case
The winner in the IT Operations Use Case category is Brian Cottrell, with two entries that combine to provide operational insight and general security monitoring for cryptocurrency mining. Brian posted both of his entries to GitHub and they can be seen here:
- BitSecure - https://github.com/BrianCottrell/bitsecure
- MinerNetwork - https://github.com/BrianCottrell/Miner-Network
Brian's cryptocurrency entries were interesting for their novelty and timeliness. With the explosion of new cryptocurrencies, the art of "mining" is back in play, and if you are mining new currencies you definitely want to know that your systems are working and secure!
Brian built a set of dashboards that contrast "expected" traffic with abnormal traffic, creating a mixed IT operations and threat hunting dashboard. We liked this entry for its close parallels with protecting an ICS or IoT environment, where you don't have deep control over the technologies or protocols in use. In essence, the operations dashboard showed:
- Filters for "known good" traffic, including aggregations on cryptocurrency-specific metadata such as wallet and transaction IDs.
- Filters for "unexpected" traffic, such as well-known protocols (HTTPS, FTP, SMB) leaving the mining rigs. Such traffic was triaged as misconfiguration, a possible vulnerability, or specific malware!
Using this type of dashboard, you can determine at a glance whether your systems are active and working, and you get an immediate view of abnormal behaviour and suspicious traffic.
Congratulations Brian and thank you for your interesting application of NetMon Freemium to monitoring a cryptocurrency mining rig!
Wrap Up and Next Steps
We would like to thank everyone who entered the contest, our judges, and the LogRhythm staff who made the contest happen! We hope that those of you who entered (or thought about entering) learned something about LogRhythm, Network Monitor, or network security analysis.
When possible, we'll cross-post rule and dashboard content to the LogRhythm Community, or ship it as system rules and built-in dashboards in a future release of Network Monitor!
If you missed out on the contest, and are interested in what you can do with NetMon, don't forget to:
- Download Freemium!
- Join the LogRhythm Community, download some new rules, post your questions, or post your ideas, rules, and dashboards!
Even though this contest is over, we're looking forward to seeing what you can do with NetMon!
