Guardicore Labs Launches Botnet Encyclopedia to Aid in Global Fight Against Cybercrime

Open Knowledge Base of Persistent Botnet Threats Helps Security Teams Turn Intelligence Into Action; Unknown Decentralized Worm Discovered Upon Launch

Boston, Mass. and Tel Aviv, Israel – June 30, 2020 – Guardicore, a leader in data center and cloud security, today announced that its global research division, Guardicore Labs, has launched the Botnet Encyclopedia. Guardicore’s Botnet Encyclopedia provides a continuously updated universal knowledge base of past and present botnet campaigns researched by the Labs team – many of which were previously unknown to the cybersecurity community – showcasing the greatest threats to enterprise security in a single, open location.

The Botnet Encyclopedia is powered by the Guardicore Global Sensors Network (GGSN), a network of detection sensors deployed in data centers and cloud environments around the world, capable of capturing and recording complete attack flows to the highest resolution. The Botnet Encyclopedia is designed to allow security teams, IT teams, researchers and the cybersecurity community at large to better understand and protect themselves from persistent and advanced threats, identified as campaigns.

FritzFrog, a mass-scale attack campaign active since January 2020 in which a sophisticated Golang binary is deployed on brute-forced SSH servers, is one of the first Botnet Encyclopedia campaign entries. Research identifies FritzFrog as a highly concerning peer-to-peer botnet with no centralized infrastructure, rather one whose control is distributed among its nodes. Its discovery as a decentralized worm makes it particularly unusual and dangerous. In addition, the research team identified racist terminology hard coded in the malware.

“FritzFrog is the type of threat that must be recognized as a campaign due to its operational longevity and the danger it presents, particularly as a previously unknown threat,” said Ophir Harpaz, security researcher, Guardicore. “It’s our mission to bring these campaigns to light on a rolling basis and provide a level of context unavailable in any other public knowledge base in order to equip the cybersecurity community with the required information to defend itself and mitigate risk. Our research and analysis of FritzFrog is ongoing. We’ve been unearthing new findings into its enterprise impact and attacker attribution on a daily basis. We encourage all contributions, questions and suggestions from the community to enhance our findings into FritzFrog and the entire Botnet Encyclopedia.”

Botnets can be found within the encyclopedia using free-text search, allowing users to search all entries using any type of indicator of compromise (IOC) – IP addresses, domains, file names, names of services and scheduled tasks, and more. Extending beyond common cyber threat intelligence feeds and services, the Botnet Encyclopedia contextualizes advanced threats with tiered analysis including:

Campaign information including name, variants, time frame of identification within the GGSN and links to external resources detailing the campaign.
IOCs associated with the campaign including IP addresses from which attacks originate, IPs and domains holding outgoing attack connections, and files dropped or created as part of the attack.
Full attack flow as it was captured and saved by the GGSN, accompanied by detailed analysis from Guardicore Labs’ global team consisting of hackers, researchers and industry experts.

“Winning the war against cybercrime cannot be achieved by any one individual or organization; it must be a collaborative global effort,” said Harpaz. “Threat intelligence and knowledge sharing have long been the cornerstone of such efforts. With the Botnet Encyclopedia, we are enhancing the ability for teams and organizations to turn intelligence into action with publicly accessible, deep context into the most dangerous campaigns targeting enterprises around the world; past, present and future.”

To learn more about the Botnet Encyclopedia, please visit: https://www.guardicore.com/botnet-encyclopedia/

About Guardicore
Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

The Minimum Viable Controls (MVC) to Secure IaaS and PaaS

The mass move to the cloud over the last few months has been good for digital transformation, but challenging for security. While many companies have successfully transitioned to a more remote-friendly environment, there is still a lack of clarity around the minimum viable controls (MVC) needed to secure IaaS and PaaS.

Speeding the Move to the Cloud

In “ancient” days – as in a couple of months ago – it was obvious that the adoption of public clouds was inevitable. However, it seemed that it would take some time until every organization had a significant presence there. Then came COVID-19.

Even during a disaster, there are winners. Many organizations followed the advice often attributed to Winston Churchill, “never let a good crisis go to waste,” and accelerated their journey to the cloud on a mission to transform their IT environment.

It was great that they could speed the migration process. It was not so great that many did so without paying enough attention to security requirements and risk mitigation.

Understanding Cloud Security Requirements

According to Gartner analyst Tom Croll, enterprises trying to implement on-premises data center security processes and tools for the cloud are actually inhibiting cloud adoption, slowing their own progress and increasing risk. Using yesterday’s tools to protect today’s cloud infrastructure does more harm than good: it will not deliver the desired results, and it can leave the organization exposed while appearing to be protected.

IaaS and PaaS are provided by the Cloud Service Providers, which have to assure and secure the infrastructure of the cloud itself. We have covered this in earlier posts. Under this “shared responsibility model,” the provider secures the underlying compute, storage and network, while you remain responsible for everything you put on top of it: your data, identities, configuration and critical applications. Unless you secure those yourself, they stay exposed and unprotected.

Luckily, modern security solutions – such as Guardicore Centra – are capable of providing the necessary controls required to protect the cloud. Micro-segmentation and zero trust network access (ZTNA) should be implemented when configuring cloud infrastructure, combined with strong IAM, robust encryption, and constant posture management.

The Five Most Important Security Controls You Need to Implement Today

Wondering how to put together an actionable plan for securing your infrastructure? Together with our ecosystem partner SecuPi, Guardicore has created a webinar sharing the five most important security controls that organizations should implement in order to ensure that the IaaS and PaaS infrastructure they are using is secure and solid.

View the webinar today and you’ll be on your way to lowering risk and tightening security across your entire environment.

How to Do Micro-Segmentation the Right Way

The evolution of network segmentation and application segmentation has brought about the movement to micro-segmentation. Micro-segmentation adds flexibility and granularity to access control processes. This detail-oriented viewpoint is key, especially as businesses adopt cloud services and new deployment options like containers that make firewalls and other traditional perimeter security less relevant.

Infrastructure visualization plays an essential role in the development of a sound micro-segmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.

In case you didn’t catch it, the key phrase there was, “when it’s done well.” That’s important, because many businesses don’t know where to start.

What we often hear is:

“We want to better secure our infrastructure by defining tight security policies  – but where do we even start? How can we build policies at the application level for thousands of existing machines, each one developed and deployed by a different person?”

This confusion is understandable in today’s complex environments! Let’s dive into the details and gain some clarity into how to do micro-segmentation the right way.

What is Micro-Segmentation?

Using legacy tools like VLANs for separation is no longer enough in today’s network environments. Every machine – virtual or physical – in every location – cloud or not – must have incoming and outgoing traffic limits. Otherwise, bad actors can easily take advantage of loose policies to move undetected between machines.

Micro-segmentation is the core IT security best practice for eliminating overly permissive policies. Software-defined segmentation allows companies to apply workload- and process-level security controls to data center and cloud assets, so that only the connections with an explicit business purpose are permitted and everything else is denied by default. It is extremely effective at detecting and blocking lateral movement in data center, cloud, and hybrid-cloud environments.

Some solutions facilitate segmentation across physical and virtual data centers by performing distributed enforcement on all east-west traffic. Public cloud platforms provide native controls such as security groups, which offer only limited granularity, and other products integrate with these frameworks by moving existing firewall technologies into the data center.

Then there are solutions like Guardicore Centra, which was purpose-built to simplify micro-segmentation and increase agility, while simultaneously increasing security. Centra creates human-readable views of your complete infrastructure – from the data center to the cloud – with fast and intuitive workflows for segmentation policy creation.

So the technology is there, but the question of how to set these policies up remains. How can administrators tell the role of thousands of machines in their data center and decide which specific ports to open to what other machines?

The Old-Fashioned Way to Build Policies

This is how the usual process for building application-specific policies works:

  1. Discover a specific application and the machines it’s running on.
  2. Build security groups for each of the different application tiers (i.e., web/application/logging/DB servers).
  3. Define a tight policy between the different security groups, so only the ports necessary for the application’s proper functioning are open.
  4. Rinse and repeat.

This can be a long and burdensome process, especially without deep visibility into data centers – all the way down to the process level. Administrators and security teams are required to browse endless logs or chase app developers. Obviously, not the ideal way to do things.

A (tiny bit of a) typical firewall log. How easy is it to build a security policy using these?

How to Do Micro-Segmentation Right

Guardicore decided that there had to be a better way to simplify segmentation. That’s why we built a wonderful feature into Centra: Reveal. This feature enables teams to avoid the above-mentioned pain.

Guardicore Reveal provides a full visual map of the entire data center, all the way down to the process level. By using Reveal to focus on specific parts of the data center and identify relations between different servers, admins and security teams can easily discover the running applications, one by one.

A typical 3-tiered application. Note the process information which shows the underlying Tomcat->MongoDB traffic.

Process-level visibility allows users to do a number of things, including:

  • Identify servers with similar roles (which belong to the same tier).
  • Group them together.
  • Push the resulting security groups to a micro-segmentation framework.

The same application — grouped.

Once users have created policy rules that tie the discovered applications to their security groups, they can see these policies overlaid on Reveal’s visual map. This allows them to test, monitor and optimize the policies they have created before and after enforcement.
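The procedure described above (discover the application from observed flows, group hosts with the same role into tiers, write a tight tier-to-tier policy, then test the policy against the map) carried through in Python as an added example. This is not Centra or Reveal code; the flow log, host addresses, process-to-tier mapping, seed labels and sanctioned-edge policy are all constructed for the illustration. The important detail is that observed edges are candidates for review, not an allow-list: the two stray connections in the sample show up in the edge report and are then reported as blocked by the audit.

```python
"""Derive tier-to-tier segmentation rules from process-aware flow records,
audit traffic against them, and render them as host firewall rules.
Added example, not Guardicore Centra or Reveal code; the flow log, host
addresses and labels below are constructed for the example."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    process: str  # listening process on dst, as a process-level sensor reports it


class Rule(NamedTuple):
    src_tier: str
    dst_tier: str
    dport: int
    proto: str


# Constructed flow log: a 3-tier app (web -> tomcat -> mongod) plus two
# connections nobody sanctioned: a web host reading the DB directly and an
# app host SSH-ing back into a web host.
FLOW_LOG = """\
2020-06-15T10:00:01Z 10.0.1.10 10.0.2.20 8080 tcp tomcat
2020-06-15T10:00:02Z 10.0.1.11 10.0.2.21 8080 tcp tomcat
2020-06-15T10:00:03Z 10.0.2.20 10.0.3.30 27017 tcp mongod
2020-06-15T10:00:04Z 10.0.2.21 10.0.3.30 27017 tcp mongod
2020-06-15T10:00:05Z 10.0.1.10 10.0.3.30 27017 tcp mongod
2020-06-15T10:00:06Z 10.0.2.20 10.0.1.10 22 tcp sshd
"""

# Grouping step: hosts listening with the same server process share a tier.
# sshd is deliberately unmapped so a management daemon never defines a tier.
PROCESS_TIER = {"nginx": "web", "tomcat": "app", "mongod": "db"}

# Hosts that only originate connections are never seen listening, so their
# tier has to be seeded (constructed labels).
SEED_TIERS = {"10.0.1.10": "web", "10.0.1.11": "web"}

# The sanctioned application edges: the only traffic the policy allows.
POLICY: Set[Rule] = {
    Rule("web", "app", 8080, "tcp"),
    Rule("app", "db", 27017, "tcp"),
}


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, proto, proc = line.split()
        flows.append(Flow(src, dst, int(dport), proto, proc))
    return flows


def discover_tiers(flows: List[Flow], seed: Dict[str, str]) -> Dict[str, str]:
    """Label each destination host by the process it is seen listening with."""
    host_tier = dict(seed)
    for f in flows:
        tier = PROCESS_TIER.get(f.process)
        if tier is not None:
            host_tier[f.dst] = tier
    return host_tier


def tier_rule(f: Flow, host_tier: Dict[str, str]) -> Rule:
    return Rule(host_tier[f.src], host_tier[f.dst], f.dport, f.proto)


def observed_edges(flows: List[Flow], host_tier: Dict[str, str]) -> Counter:
    """Candidate rules with flow counts. Each edge is reviewed, not auto-allowed:
    the stray web->db and app->web:22 edges appear here and stay out of POLICY."""
    return Counter(tier_rule(f, host_tier) for f in flows)


def audit(flows: List[Flow], host_tier: Dict[str, str], policy: Set[Rule]) -> List[Flow]:
    """Flows the policy does not allow. Before enforcement this shows what
    would break; after enforcement it is the monitoring step."""
    return [f for f in flows if tier_rule(f, host_tier) not in policy]


def render_iptables(policy: Set[Rule], host_tier: Dict[str, str]) -> List[str]:
    """Expand tier rules into per-host INPUT allow rules with a default drop.
    Illustrative output only; a real rollout also handles loopback, egress
    and management traffic."""
    members = defaultdict(list)
    for host, tier in host_tier.items():
        members[tier].append(host)
    lines = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in sorted(policy):
        for dst in sorted(members[r.dst_tier]):
            for src in sorted(members[r.src_tier]):
                lines.append(f"iptables -A INPUT -d {dst} -s {src} -p {r.proto} "
                             f"--dport {r.dport} -j ACCEPT")
    lines.append("iptables -P INPUT DROP")
    return lines


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    tiers = discover_tiers(flows, SEED_TIERS)
    for rule, n in observed_edges(flows, tiers).most_common():
        print("ok " if rule in POLICY else "?? ", rule, n)
    for f in audit(flows, tiers, POLICY):
        print("blocked:", f)
    print("\n".join(render_iptables(POLICY, tiers)))
```

Running the script prints each discovered tier-to-tier edge with its flow count, flags the two unsanctioned edges with `??`, lists the individual flows the policy would block, and emits the expanded per-host rules. Deriving the host list from the tier labels rather than hard-coding addresses is what lets the same policy follow a workload when it is redeployed elsewhere.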

Watch the video below to see how it works.

The Easy Way to Achieve First-Class Protection

Micro-segmentation is an essential building block for data center security. By using Guardicore Reveal along with the real-time threat detection provided by the Guardicore Centra platform, data centers can now do micro-segmentation the right way. The result: first class protection, without the hassle.

Cogna Group Migrates Data Center in Record Time With Guardicore

Guardicore technology improves group security both in on-premise and cloud environments; Helps compliance with the Brazilian General Personal Data Protection Act

Boston, Mass. and Tel Aviv, Israel – June 10, 2020 – Guardicore, a leader in data center and cloud security, today announced that Cogna, a leading Brazilian educational group, has chosen the Guardicore Centra Security Platform as the tool to help perform a data center migration for one of its companies. Responsible for protecting a tremendous amount of information related to students, proprietary materials, teaching systems, services, and application microservices, the Cogna IT team managed to complete the migration successfully in just two weeks.

Alex Amorim, the information security manager at Cogna Group, has embraced the Zero Trust concept as the most efficient way to protect the group’s IT infrastructure, applications, data, and the third-party information it holds. To achieve this goal, he needed the detailed workflow segmentation that Guardicore provides, defending Cogna against external threats and against lateral movement inside the company’s technology environment.

Growth Challenges and Achieving Compliance
In December 2019, Cogna Group completed the acquisition of Somos, a company devoted to primary and secondary education. The contract with the data center provider hosting Somos would expire in one month, leaving Cogna a short time span to integrate all of the Somos data and infrastructure into the Group’s environment, which already hosted three other Cogna Group companies.

As the Guardicore Centra Security Platform had already been implemented to protect Cogna’s companies, the solution was to install the platform in the environment hosting the Somos infrastructure before the migration. Successfully carried out in two weeks, the migration allowed Cogna Group’s on-premises equipment to be consolidated in a single location and the Group’s private cloud to be unified.

To mitigate risk and preserve the organization’s reputation, Cogna is committed to creating a security framework based on the principles of confidentiality, integrity and availability. These principles extend to compliance with the Brazilian General Personal Data Protection Act (LGPD), ensuring the Cogna Group is ready for its full implementation when it comes into effect. The Cogna Group has been preparing for LGPD since 2018 and sees Guardicore’s micro-segmentation capabilities as a great ally in the protection of company data.

Protecting Cloud Managed IT Services
To ensure security against all possible threats, the Cogna Group’s plan is to extend the Guardicore Centra Security Platform to public cloud services. The Group uses multiple public clouds, in addition to its private cloud. As the responsibility for management of cloud IT solutions shifts from the company that provides colocation services to a new service provider, the Group will take the opportunity to increase its security level.

Alex Amorim counts on the Guardicore technology to achieve this goal: “Nano-segmentation is about monitoring access in order to allow only authorized users to access each server and each communication channel between machines. This is the kind of control we must have today.”

“At Guardicore, we strive to make security effective in the easiest and quickest way. Our ability to show how all systems interact allows our customers to make faster and more accurate decisions,” said Fernando Ceolin, Director Sales Engineering, Brazil – LATAM, Guardicore. “In addition, with our ability to control interactions no matter where the workloads are, they can safely make any move they need. These features have proven to be instrumental for customers all over the world who want to develop new zero trust security projects. We are proud and honored to be chosen as Cogna’s preferred security partner.”

To watch the video on how Alex Amorim used Guardicore Centra to rapidly enforce micro-segmentation policies across multiple environments, please visit: https://www.guardicore.com/resources/cogna-group-leader-in-education-guardicore-centra-customer-spotlight/

About Cogna
Over 50 years of tradition and pioneering spirit make Brazil’s Cogna Educação a leading global educational organization. Operating under four brands – Kroton, Platos, Saber and Vasta Educação / Somos Educação – the Group provides educational solutions and services for both the B2C and B2B markets. Guided by an innovative educational strategy, Cogna aims at transforming people’s lives through quality education and serves more than 2.2 million students from all over Brazil, from Basic to Higher Education, with over 900,000 students taught directly and 1.3 million students through partner schools and educational institutions. Cogna’s social activities and programs benefit more than 3.07 million people and generate a socio-economic impact of R$ 12.5 billion, helping to transform the communities where it operates.
