Responding to remote service appliance vulnerabilities with Sumo Logic

If it’s not yet another end-of-the-world vulnerability, it’s an SBOM fiasco or a Trojanized 3CX binary that went undetected for some time. June 2023 was no different, with three major remote service appliance vulnerabilities making the rounds on the security feeds.

This article addresses how organizations can detect and respond to threats from vulnerable remote service appliances using Sumo Logic’s Cloud SIEM platform.

Key Vulnerabilities

The article highlights three major threats from June 2023:

  • CVE-2023-27997: heap-based buffer overflow in the SSL-VPN component of FortiGate/FortiOS devices, reachable before authentication
  • CVE-2023-35708: SQL injection in MOVEit Transfer software
  • CVE-2023-2868: remote command injection in Barracuda Email Security Gateway appliances, under active exploitation

Main Challenges

Organizations face several obstacles when addressing appliance vulnerabilities:

  • Many appliances don’t support custom telemetry agents
  • Device logs are often non-standard, hard to parse, and light on security-relevant fields
  • Network segmentation may restrict data collection
  • Zero-day exploits create detection gaps
  • Appliances may be managed by different teams than those responsible for security operations

Detection Strategy

The recommended approach is to leverage telemetry from corporate firewalls and endpoints rather than relying solely on direct appliance monitoring. This involves several key steps:

Asset Inventory Management

Following NIST SP 1800-5 guidelines for IT asset management, organizations should maintain accurate records of vulnerable devices. This inventory becomes the foundation for systematic tracking and detection.

Match List Creation

Using Sumo Logic’s match list feature, we can catalog vulnerable appliance IP addresses and enable automated enrichment of security records:

Creating a new match list

Populated match list with vulnerable appliance IP

Building Detection Rules

Match Rules for Network Detection

Cloud SIEM records can be filtered to identify network connections from or to vulnerable appliances:

Cloud SIEM records interface

Filtered Cloud SIEM records

When a record matches our vulnerable appliance list, it’s enriched with the match list details:

Enriched record with match list details

Example logic for filtering on match list data:

array_contains(listMatches,"CVEVulnerableAppliance")
and metadata_deviceEventId = "Microsoft-Windows-Sysmon/Operational-3"
and fields["EventData.Initiated"] = true
and dstDevice_ip_isInternal = false

Sysmon Event ID 3 is network-connection telemetry from Windows endpoints, so this rule fires when a monitored host initiates a connection (Initiated = true), the record has been tagged by the match list, and the destination address is external: in practice, endpoint traffic toward a vulnerable appliance that is catalogued by its Internet-facing IP. This is the endpoint-side visibility the detection strategy above relies on, because it needs no logs from the appliance itself. One caveat on the last clause: if an appliance is catalogued by a private address, dstDevice_ip_isInternal = false excludes it, so list the address the endpoints actually connect to, or drop that clause for internally addressed appliances.
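The inventory, match list, enrichment and match rule steps above, carried through end to end as an added example (not code from the original page or from Sumo Logic). The inventory, the Sysmon records and the field name matchedAppliance are constructed for illustration; the Cloud SIEM field names srcDevice_ip, dstDevice_ip, listMatches, metadata_deviceEventId and dstDevice_ip_isInternal are the ones the page's rule uses. The 203.0.113.0/24 documentation range stands in for the appliances' public addresses, so "internal" is defined as RFC 1918 plus loopback rather than via ipaddress.is_private, which would also treat documentation ranges as non-global.

```python
import ipaddress

# Constructed asset inventory (assumption: a stand-in for the NIST SP 1800-5 style
# inventory the page recommends). Appliances are catalogued by their public IP.
INVENTORY = [
    {"hostname": "fw-edge-01", "ip": "203.0.113.10", "product": "FortiGate",       "cve": "CVE-2023-27997"},
    {"hostname": "mft-01",     "ip": "203.0.113.20", "product": "MOVEit Transfer", "cve": "CVE-2023-35708"},
    {"hostname": "mail-gw-01", "ip": "203.0.113.30", "product": "Barracuda ESG",   "cve": "CVE-2023-2868"},
    {"hostname": "wiki-01",    "ip": "10.0.0.5",     "product": "Wiki",            "cve": None},
]

MATCH_LIST_NAME = "CVEVulnerableAppliance"            # the list name the page's rule checks
SYSMON_NETWORK_CONNECT = "Microsoft-Windows-Sysmon/Operational-3"

# RFC 1918 plus loopback; documentation ranges deliberately count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def build_match_list(inventory):
    """Match list: vulnerable IP -> description, as a Cloud SIEM match list would hold it."""
    return {a["ip"]: f'{a["product"]} {a["cve"]}' for a in inventory if a["cve"]}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(record, match_list):
    """Tag a normalized record with listMatches when either endpoint is on the list."""
    rec = dict(record)
    rec["listMatches"] = []
    for key in ("srcDevice_ip", "dstDevice_ip"):
        if rec.get(key) in match_list:
            rec["listMatches"].append(MATCH_LIST_NAME)
            rec["matchedAppliance"] = match_list[rec[key]]   # hypothetical enrichment field
    rec["dstDevice_ip_isInternal"] = is_internal(rec["dstDevice_ip"])
    return rec


def rule_endpoint_to_vulnerable_appliance(rec):
    """Python rendering of the page's match rule predicate."""
    return (
        MATCH_LIST_NAME in rec["listMatches"]
        and rec["metadata_deviceEventId"] == SYSMON_NETWORK_CONNECT
        and rec["fields"].get("EventData.Initiated") is True
        and rec["dstDevice_ip_isInternal"] is False
    )


def evaluate(records, match_list):
    """Enrich every record; return (enriched records, signals raised by the rule)."""
    enriched = [enrich(r, match_list) for r in records]
    signals = [{"src": r["srcDevice_ip"], "dst": r["dstDevice_ip"],
                "appliance": r["matchedAppliance"], "image": r["fields"].get("EventData.Image")}
               for r in enriched if rule_endpoint_to_vulnerable_appliance(r)]
    return enriched, signals


def sysmon3(src, dst, initiated, image="C:\\Windows\\System32\\svchost.exe"):
    """Constructed Sysmon Event ID 3 record, already normalized to Cloud SIEM field names."""
    return {"metadata_deviceEventId": SYSMON_NETWORK_CONNECT,
            "srcDevice_ip": src, "dstDevice_ip": dst,
            "fields": {"EventData.Initiated": initiated, "EventData.Image": image}}


# Constructed telemetry from Windows endpoints running Sysmon (assumption).
RECORDS = [
    sysmon3("10.0.0.42", "203.0.113.20", True, "C:\\Users\\alice\\curl.exe"),  # -> vulnerable MOVEit: fires
    sysmon3("10.0.0.42", "198.51.100.7", True),                                # unrelated external: silent
    sysmon3("203.0.113.10", "10.0.0.42", False),                               # inbound from FortiGate: tagged, silent
    sysmon3("10.0.0.42", "10.0.0.5", True),                                    # internal wiki, not listed: silent
]

if __name__ == "__main__":
    _, found = evaluate(RECORDS, build_match_list(INVENTORY))
    for s in found:
        print(f"signal: {s['src']} -> {s['dst']} ({s['appliance']}) via {s['image']}")
```

The third record shows the enrichment and the rule as separate stages: the inbound connection from the FortiGate is tagged by the match list (useful for investigation and for other rules) but does not raise this signal, because Initiated is false and the destination is internal.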

Creating a new match rule

Match rule configuration

When triggered, we get a network connection signal:

Triggered network connection signal

Insight Generation

Signals aggregate into Insights for further investigation:

Cloud SIEM insight dashboard

The entity relationship graph helps visualize connections:

Entity relationship graph

UEBA (User and Entity Behavior Analytics) Rules

Beyond static match rules, behavioral analytics provide additional detection capabilities:

First Seen Rules detect novel patterns:

  • New User Agents communicating with vulnerable appliances
  • Unusual protocols or ports
  • Novel destination IPs or ASNs
  • Anomalous temporal patterns

First Seen User Agent rule

Outlier Rules baseline normal behavior and flag statistical deviations:

Outlier rule for data transfer spikes

Outlier trend graph
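The two UEBA rule types above, First Seen and Outlier, implemented over constructed data as an added example (not code from the original page or from Sumo Logic's rule engine). The events are invented daily proxy summaries of traffic from internal hosts toward a vulnerable appliance, the seven-day baseline and the three-sigma threshold are assumptions, and the standard deviation is floored at 1 so a perfectly flat baseline still produces a usable threshold rather than flagging every change.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = 7   # days used to learn "normal" before anything is alerted on (assumption)

# Constructed daily summaries (assumption): (day, src_ip, user_agent, dst_port, bytes_out)
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/114.0"
EVENTS = [
    ("2023-06-01", "10.0.0.42", UA, 443, 120_000),
    ("2023-06-02", "10.0.0.42", UA, 443, 110_000),
    ("2023-06-03", "10.0.0.42", UA, 443, 130_000),
    ("2023-06-04", "10.0.0.42", UA, 443, 125_000),
    ("2023-06-05", "10.0.0.42", UA, 443, 115_000),
    ("2023-06-06", "10.0.0.42", UA, 443, 135_000),
    ("2023-06-07", "10.0.0.42", UA, 443, 120_000),
    ("2023-06-08", "10.0.0.42", UA, 443, 118_000),
    ("2023-06-09", "10.0.0.42", UA, 443, 121_000),
    # same host, same day: a scripted client on a new port moving far more data than usual
    ("2023-06-09", "10.0.0.42", "python-requests/2.31.0", 8443, 52_000_000),
]
DAY, SRC, USER_AGENT, DST_PORT, BYTES = range(5)


def first_seen(events, field, baseline_days=BASELINE_DAYS):
    """First Seen rule: emit an event whose value for `field` never appeared during the baseline."""
    events = sorted(events, key=lambda e: e[DAY])
    baseline = set(sorted({e[DAY] for e in events})[:baseline_days])
    seen, signals = set(), []
    for e in events:
        value = e[field]
        if e[DAY] in baseline:
            seen.add(value)            # learning phase: record, never alert
        elif value not in seen:
            seen.add(value)            # alert once per new value, then treat it as known
            signals.append(e)
    return signals


def outliers(events, value_field=BYTES, baseline_days=BASELINE_DAYS, k=3.0):
    """Outlier rule: per source host, flag days whose total exceeds mean + k * stdev of the baseline."""
    totals = defaultdict(lambda: defaultdict(int))   # src_ip -> day -> summed value
    for e in events:
        totals[e[SRC]][e[DAY]] += e[value_field]
    signals = []
    for src, by_day in totals.items():
        days = sorted(by_day)
        base = [by_day[d] for d in days[:baseline_days]]
        if len(base) < 2:
            continue                                     # not enough history to baseline this host
        mu, sigma = mean(base), max(pstdev(base), 1.0)   # floor sigma: flat baselines still work
        for d in days[baseline_days:]:
            if by_day[d] > mu + k * sigma:
                signals.append({"src": src, "day": d, "value": by_day[d],
                                "mean": round(mu), "stdev": round(sigma)})
    return signals


if __name__ == "__main__":
    for e in first_seen(EVENTS, USER_AGENT):
        print("first seen user agent:", e[SRC], e[USER_AGENT])
    for e in first_seen(EVENTS, DST_PORT):
        print("first seen port:", e[SRC], e[DST_PORT])
    for s in outliers(EVENTS):
        print("outlier:", s)
```

Both rules deliberately stay silent during the baseline window; in a real deployment the window should be long enough to cover weekly cycles (backups, patch runs) so that routine peaks end up in the baseline rather than in the alert queue.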

Domain Entropy Analysis

The platform automatically calculates domain entropy to flag hostnames that look machine-generated, as the output of a domain generation algorithm does. This is particularly relevant for detecting command and control traffic such as the SUNBURST implant's beacons, which used pseudo-random subdomains under an attacker-controlled parent domain:

Domain entropy calculations
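An added example of the entropy calculation described above (not code from the original page or from Sumo Logic's implementation): Shannon entropy of the left-most DNS label, combined with a minimum label length so that short ordinary names cannot trip the threshold. The 3.5 bits-per-character threshold, the 12-character minimum and the sample queries are assumptions and should be tuned against your own DNS baseline.

```python
import math
from collections import Counter

ENTROPY_THRESHOLD = 3.5   # bits per character (assumption; tune against your DNS baseline)
MIN_LABEL_LENGTH = 12     # short labels cannot reach high entropy, so they are not scored


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_hostname(fqdn):
    """Score the left-most label, which is where DGA-style beacons carry their random payload."""
    label = fqdn.lower().rstrip(".").split(".")[0]
    ent = shannon_entropy(label)
    return {"label": label, "entropy": round(ent, 3),
            "flag": len(label) >= MIN_LABEL_LENGTH and ent >= ENTROPY_THRESHOLD}


# Constructed DNS queries (assumption): ordinary names, one long but repetitive label
# that length alone would wrongly flag, and one pseudo-random subdomain of a parent
# domain that otherwise looks legitimate.
QUERIES = [
    "www.example.com",
    "sso.corp.example.com",
    "updates.vendor.example.net",
    "aaaaaaaaaaaaaaaaaaaa.example.com",
    "k3q8v2zp9d1m7x4h6y0w.api.cdn.example.net",
]


def flagged(queries=QUERIES):
    """Return the hostnames whose left-most label scores as machine-generated."""
    return [q for q in queries if score_hostname(q)["flag"]]


if __name__ == "__main__":
    for q in QUERIES:
        print(f"{score_hostname(q)['entropy']:5.3f}  {'FLAG' if score_hostname(q)['flag'] else '    '}  {q}")
```

Entropy alone is a coarse signal: legitimate CDN and cloud hostnames also carry long random labels, so in practice the score is a pivot for the First Seen and Outlier logic above (a new high-entropy parent domain, a burst of distinct high-entropy labels from one host) rather than an alert by itself.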

Reporting and Analysis

Using Sumo Logic’s search query language, we can generate reports on vulnerable appliance connections:

Geographic connection pie chart

World map visualization

These can be scheduled for regular delivery:

Scheduled report configuration

Email report delivery

SIEM as Incident Response Tool

Beyond detection, the platform can assist with incident response by ingesting forensic data from tools like:

  • Hayabusa: Parses Windows event logs (EVTX) and runs Sigma rules against them to produce a timeline of findings
  • Velociraptor: Performs host-based artifact collection
  • Atomic Red Team: Tests detection gaps through controlled atomic tests

Hayabusa collector output

JSON output from these tools can be uploaded to a hosted collector through an HTTP source:

Hosted collector configuration

Forensic data analysis results
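An added example of the upload step described above (not code from the original page or from Sumo Logic): newline-delimited JSON is split into payloads of bounded size, gzip-compressed, and POSTed to the HTTP source URL with the X-Sumo-Category, X-Sumo-Name and X-Sumo-Host headers setting the source metadata per upload. The 1 MB payload cap is an assumption to check against the current HTTP source limits, the URL is a placeholder for the one the hosted collector generates, and the sample records only imitate the shape of Hayabusa's JSON timeline entries.

```python
import gzip
import json
import urllib.request

MAX_BYTES = 1_000_000   # uncompressed bytes per POST (assumption; check Sumo Logic's HTTP source limits)


def batch_jsonl(records, max_bytes=MAX_BYTES):
    """Serialize dicts as newline-delimited JSON and split into payloads under max_bytes."""
    batches, current, size = [], [], 0
    for rec in records:
        line = json.dumps(rec, separators=(",", ":"))
        if current and size + len(line) + 1 > max_bytes:
            batches.append("\n".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line) + 1
    if current:
        batches.append("\n".join(current))
    return batches


def build_request(url, payload, category, name, host):
    """POST with a gzip-compressed body; the X-Sumo-* headers tag the data at ingest time."""
    body = gzip.compress(payload.encode("utf-8"))
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Encoding": "gzip",
        "X-Sumo-Category": category,
        "X-Sumo-Name": name,
        "X-Sumo-Host": host,
    })


def upload(url, records, category="forensics/hayabusa", name="hayabusa", host="web-01"):
    """Send every batch; returns the HTTP status of each POST (200 means accepted)."""
    statuses = []
    for payload in batch_jsonl(records):
        req = build_request(url, payload, category, name, host)
        with urllib.request.urlopen(req, timeout=30) as resp:
            statuses.append(resp.status)
    return statuses


# Constructed records (assumption) shaped like Hayabusa timeline output; field names illustrative.
SAMPLE = [
    {"Timestamp": "2023-06-12 09:14:02.113 +00:00", "Computer": "web-01", "Channel": "Sysmon",
     "EventID": 1, "Level": "high", "RuleTitle": "Suspicious Process Spawned by Web Server",
     "Details": "ParentImage: w3wp.exe | Image: cmd.exe | CommandLine: cmd.exe /c whoami"},
    {"Timestamp": "2023-06-12 09:14:05.771 +00:00", "Computer": "web-01", "Channel": "Sysmon",
     "EventID": 10, "Level": "critical", "RuleTitle": "LSASS Memory Access",
     "Details": "SourceImage: C:\\Windows\\Temp\\svc.exe | GrantedAccess: 0x1010"},
    {"Timestamp": "2023-06-12 09:20:41.002 +00:00", "Computer": "web-01", "Channel": "Security",
     "EventID": 4688, "Level": "medium", "RuleTitle": "Whoami Execution",
     "Details": "NewProcessName: C:\\Windows\\System32\\whoami.exe"},
]

if __name__ == "__main__":
    # Placeholder URL: substitute the one shown on the HTTP source in the hosted collector.
    print(upload("https://endpoint.collection.sumologic.com/receiver/v1/http/REPLACE_ME", SAMPLE))
```

Keeping the JSON one record per line matters: the source splits on newlines by default, so a pretty-printed array would arrive as many fragmentary messages instead of one parsed event per finding.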

MITRE ATT&CK Post-Exploitation Techniques

Even if a zero-day exploit is used for initial access, post-exploitation activities often leave detectable artifacts. Critical techniques to monitor include:

  Technique ID   Name
  T1133          External Remote Services
  T1505.003      Server Software Component: Web Shell
  T1082          System Information Discovery
  T1003          OS Credential Dumping

Although a particular exploitation attempt may use a zero-day, the behavioral artifacts it generates afterwards may trigger existing rule sets. Defenders should therefore not rely solely on detecting the exploit itself but should monitor post-exploitation activity.
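An added example (not code from the original page) of what "monitoring post-exploitation activity" looks like for three of the techniques in the table, run over constructed Sysmon records from endpoints: a web server process spawning a command interpreter (T1505.003), a process opening lsass.exe with PROCESS_VM_READ (0x0010) outside an allow list (T1003), and a host running several distinct discovery binaries (T1082; some of those binaries map to sibling discovery techniques, but the burst is what matters). The process-name sets, the allow list and the three-command threshold are assumptions to adapt from your environment and Sigma rules; none of it needs telemetry from the appliance that was exploited.

```python
from collections import defaultdict

# Assumed process-name sets (extend from your environment and the Sigma rules you run).
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
DISCOVERY = {"whoami.exe", "systeminfo.exe", "hostname.exe", "ipconfig.exe", "net.exe", "tasklist.exe"}
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "lsm.exe", "msmpeng.exe", "services.exe"}
PROCESS_VM_READ = 0x0010      # access right required to read another process's memory
DISCOVERY_MIN_DISTINCT = 3    # distinct discovery binaries per host before raising T1082 (assumption)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_process_create(e):
    """Sysmon Event ID 1: web server parent spawning an interpreter is the classic web shell tell."""
    parent, child = basename(e["ParentImage"]), basename(e["Image"])
    if parent in WEB_SERVERS and child in INTERPRETERS:
        return {"technique": "T1505.003", "host": e["host"],
                "detail": f"{parent} spawned {child}: {e.get('CommandLine', '')}"}
    return None


def detect_lsass_access(e):
    """Sysmon Event ID 10: a non-allow-listed process reading lsass.exe memory."""
    if basename(e["TargetImage"]) != "lsass.exe" or basename(e["SourceImage"]) in LSASS_READERS_ALLOWED:
        return None
    if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
        return {"technique": "T1003", "host": e["host"],
                "detail": f"{basename(e['SourceImage'])} opened lsass.exe with {e['GrantedAccess']}"}
    return None


def detect_discovery_burst(events):
    """Aggregate rule: several distinct discovery commands on one host in the record set."""
    seen = defaultdict(set)
    for e in events:
        if e["event_id"] == 1 and basename(e["Image"]) in DISCOVERY:
            seen[e["host"]].add(basename(e["Image"]))
    return [{"technique": "T1082", "host": h, "detail": "discovery commands: " + ", ".join(sorted(s))}
            for h, s in seen.items() if len(s) >= DISCOVERY_MIN_DISTINCT]


def detect_all(events):
    signals = []
    for e in events:
        s = None
        if e["event_id"] == 1:
            s = detect_process_create(e)
        elif e["event_id"] == 10:
            s = detect_lsass_access(e)
        if s:
            signals.append(s)
    signals.extend(detect_discovery_burst(events))
    return signals


def pc(host, parent, image, cmdline=""):   # constructed ProcessCreate record
    return {"event_id": 1, "host": host, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


def pa(host, source, target, access):      # constructed ProcessAccess record
    return {"event_id": 10, "host": host, "SourceImage": source, "TargetImage": target, "GrantedAccess": access}


S32 = "C:\\Windows\\System32\\"
EVENTS = [  # constructed (assumption): a compromised web server and a normal workstation
    pc("web-01", S32 + "inetsrv\\w3wp.exe", S32 + "cmd.exe", "cmd.exe /c whoami"),
    pc("web-01", S32 + "cmd.exe", S32 + "whoami.exe"),
    pc("web-01", S32 + "cmd.exe", S32 + "systeminfo.exe"),
    pc("web-01", S32 + "cmd.exe", S32 + "ipconfig.exe", "ipconfig /all"),
    pc("ws-07", "C:\\Windows\\explorer.exe", S32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
    pc("ws-07", S32 + "cmd.exe", S32 + "whoami.exe"),
    pa("web-01", "C:\\Windows\\Temp\\svc.exe", S32 + "lsass.exe", "0x1010"),
    pa("web-01", S32 + "csrss.exe", S32 + "lsass.exe", "0x1fffff"),
    pa("ws-07", "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", S32 + "lsass.exe", "0x1010"),
]

if __name__ == "__main__":
    for s in detect_all(EVENTS):
        print(f"{s['technique']:10} {s['host']:8} {s['detail']}")
```

The workstation ws-07 produces no signals: a user launching PowerShell from Explorer, a single whoami, and Defender reading LSASS are all routine, which is why the rules key on parent process, access mask with an allow list, and distinct-command counts rather than on any one binary name.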

Key Takeaway

Although telemetry may not always be directly available from remote service appliances, organizations should make use of every available telemetry source and combine network-level visibility from firewalls with endpoint data. The division of labor between security and engineering teams can be bridged by centralizing vulnerable asset information in match lists, enabling automated detection regardless of which team owns the appliance.