Good Read: Domain Generating Algorithm (DGA)

Abstract

A Domain Generating Algorithm (DGA) is a program or subroutine that provides malware with new domains on demand or on the fly.

History

Kraken was the first malware family to use a DGA (in 2008) that we could find. Later that year, Conficker made DGA a lot more famous.

What’s the use?

The DGA technique is in use because malware that depends on a fixed domain or IP address is quickly blocked, which then hinders operations. So, rather than bringing out a new version of the malware or setting everything up again at a new server, the malware switches to a new domain at regular intervals.

An example of DGA in practice is C&C servers for botnets and ransomware. If we were able to block these or take them down, we would cut the link between the victims and the threat actor. Bots would no longer be able to fetch new instructions and machines infected with ransomware would be unable to request encryption keys and send user data.

The constant changing of the domain for the C&C server is also sometimes called “Domain Fluxing” or “Fast Fluxing”, which actually is a reference to an older technique based on abusing the DNS load balancing system.

Read more in

https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/

Good Read: What Is SAML and How Does It Work? Oauth vs SAML

Abstract

SAML stands for Security Assertion Markup Language, an open standard that passes authorization credentials from identity providers (IdPs) to service providers (SPs). Put simply, it enables secure communication between applications and allows users to gain access with a single set of credentials.

Types of SAML providers

In order for SAML to work, there needs to be an identity provider and a service provider: 

  • Identity providers authenticate users: These systems are responsible for confirming that a user is who they say are, and then sending that data (and the user’s access rights) to a service provider. Okta, Microsoft Active Directory (AD), and Microsoft Azure are all examples of identity providers.
  • Service providers authorize users: These systems use the authentication data from an identity provider to grant access to a service. Examples include Salesforce, Box, and other best-of-breed technology. 

To Read about Oauth2 vs SAML

https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/

Read more in

https://www.okta.com/blog/2020/09/what-is-saml/

How to implement activeMQ JMS Producer in Spring-boot application?

Let’s consider a scenario where your application is deployed in clustering environment and application handles thousands of email request to handle it. To solve this problem, You could simple trigger an API endpoints and post the message to the process which sends email. This could solve the problem however when an application received 100’s message per seconds, You have to handle concurrency. You got to have a queue to handle these messages and that’s where you need JMS & ActiveMQ. ActiveMQ is implementation of JMS like any other JMS implementation (RabbitMQ, AmazonMQ etc).

As you know, Spring boot controllers do not provide concurrency.

In this post, I would like to put details how you can implement producer job to sent JMS messages. If you wish to know how to implement JMS Listener.. Read my previous post Follow below each step to implement ActiveMQ Producer JOB in your Spring boot application.

NOTES: In below code, There are a lots of ActiveMQ policies which are configured in the code listed below. These configurations are varies based on your requirement. And, Recommendation is to read actual document to understand more on these configurations.

Sample Configurations: Session.CLIENT_ACKNOWLEDGE and DeliveryMode.PERSISTENT

Maven POM.XML Dependencies

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-activemq</artifactId>
</dependency>
#Add dependencies if you have producer too in same environment.
<dependency>
   <groupId>org.apache.activemq</groupId>
   <artifactId>activemq-client</artifactId>
   <version>5.15.8</version>
</dependency>
<dependency>
	<groupId>org.apache.activemq</groupId>
	<artifactId>activemq-pool</artifactId>
	<version>5.15.8</version>
</dependency>

ActiveMQ Configuration: application.properties

activemq.packages.trusted=<Optional but for security you can configure package name where the listener is>
activemq.brokerUrl=<brokenURL>
activemq.connection.pool=5
activemq.prefetch.limit=50
#consumer
producer.user=<userName>
producer.password=<Password>
producer.queues=<Queue Name>

ActiveMQ Java Configuration File mapped with application.properties file.

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;

@Service
@Configuration
public class AMQConfig {

    @Value("${activemq.packages.trusted}")
    private String trustedPackages;

    @Value("${activemq.connection.pool}")
    private String noOfConnections;

    @Value("${activemq.brokerUrl}")
    private String brokerUrl;

    @Value("${producer.user}")
    private String consumerUser;

    @Value("${producer.password}")
    private String consumerPassword;

    @Value("${producer.queues}")
    private String queues;

    @Value("${activemq.prefetch.limit}")
    private int prefetchLimit=50;

Springboot Java JMS Listener Service

import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.pool.PooledConnectionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;

import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Session;

@Component
public class ProducerJob {

    @Autowired
    AMQConfig amqConfig;

    private final Logger LOGGER = LoggerFactory.getLogger(ProducerJob.class);
  // replace with your own producer cron
    @Scheduled(cron = "${PRODUCER_JOB_CRON}")
    public void run(){
            Session producerSession = null;
            try {
                Connection producerConnection = AMQProducer.getActiveMQProducerConnection(amqConfig);
                if (producerConnection != null) {
                    producerSession = producerConnection.createSession(false, Session.CLIENT_ACKNOWLEDGE);
                    LOGGER.info(" Producer Job Starts. sending sample message ");
                    for (int index = 0; index < 10; index++) {
                        AMQProducer.sendMessage(producerSession, amqConfig, "{'orderno': index*100, 'type':'order', 'amount':'202'}");
                    }
                    LOGGER.info(" Job ran and queue size is: {} ",  count * 50);
                }
            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                if (producerSession != null) {
                    try {
                        producerSession.close();
                    } catch (JMSException e) {
                        e.printStackTrace();
                    }
                }
            }
    }
}

AMQProducer.java: This file contains the code which sends message in activeMQ.

import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.pool.PooledConnectionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jms.*;

public final class AMQProducer {
    private AMQProducer(){ }

    private static final Logger LOGGER = LoggerFactory.getLogger(AMQProducer.class);

    static PooledConnectionFactory pooledConnectionFactory = null;
    static Connection producerConnection = null;

    private static PooledConnectionFactory getPooledConnectionFactory(final String brokenUrl, String userName, String password, String noOfConnections){
        final ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(brokenUrl);
        // Pass the username and password.
        connectionFactory.setUserName(userName);
        connectionFactory.setPassword(password);
        // Create a pooled connection factory.
        final PooledConnectionFactory pooledConnectionFactory = new PooledConnectionFactory();
        pooledConnectionFactory.setConnectionFactory(connectionFactory);      pooledConnectionFactory.setMaxConnections(Integer.parseInt(noOfConnections));
        return pooledConnectionFactory;
    }
    public static Connection  getActiveMQProducerConnection(AMQConfig amqConfig) {
        if (pooledConnectionFactory == null) {
            LOGGER.info(" pooledConnectionFactory is null ");
            pooledConnectionFactory = getPooledConnectionFactory(amqConfig.getBrokerUrl(), amqConfig.getProducerUser(),
                    amqConfig.getProducerPassword(), amqConfig.getNoOfPooledConnections());
        }
        if (producerConnection == null){
            try {
                LOGGER.info(" producerConnection is null ");
                producerConnection = pooledConnectionFactory.createConnection();
                producerConnection.start();
            } catch (JMSException e) {
                e.printStackTrace();
            }
        }
        return producerConnection;
    }

    public static void sendMessage(Session producerSession, AMQConfig amqConfig, final String message) throws Exception{
        if (producerSession != null) {
            final Destination producerDestination = producerSession.createTopic(amqConfig.getTopics());
            final MessageProducer producer = producerSession.createProducer(producerDestination);
            producer.setDeliveryMode(DeliveryMode.PERSISTENT);
            try {
                TextMessage producerMessage = producerSession.createTextMessage(message);
                producer.send(producerMessage);
                LOGGER.info(" ******************* message sent  ******************* ");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}

Note: This is a working solution however there is a chance that code could throw error due to typing mistake. Reach out to me, will do my best to help you out.

References

https://activemq.apache.org/

https://activemq.apache.org/what-is-the-prefetch-limit-for

https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/getting-started-activemq.html

https://activemq.apache.org/using-apache-activemq

WHAT TO DO BEFORE AND AFTER A CYBERSECURITY BREACH?

How to respond when a breach occurs?

As discussed above, managers and organizations should take preventative steps to avoid the risk of a breach occurring. After spending time planning, spending money, and training employees, someone still manages to break through the organization’s security measures? What do you do now?! Once a breach has been discovered, the organization should take the following immediate steps to limit the breach.

Step 1: Survey the damage

Following the discovery of the breach the designated information security team members need to perform an internal investigation to determine the impact on critical business functions. This deep investigation will allow the company to identify the attacker, discover unknown security vulnerabilities, and determine what improvements need to be made to the company’s computer systems.

Step 2: Attempt to limit additional damage

The organization should take steps to keep an attack from spreading. Some preventative strategies include:

  • • Re-routing network traffic
  • • Filtering or blocking traffic
  • • Isolating all or parts of the compromised network

Step 3: Record the details

The information security team should keep a written log of what actions were taken to respond to the breach. The information that should be collected include:

  • • Affected systems
  • • Compromised accounts
  • • Disrupted services
  • • Data and network affected by the incident
  • • Amount and type of damage done to the systems

Step 4: Engage law enforcement

A major breach should always be reported to law enforcement. The law enforcement agencies that should be contacted are: • The Federal Bureau of Investigation (FBI) • The U.S. Secret Service (USSS) • The U.S. Immigration and Customs Enforcement (ICE) • The District Attorney • State and Local law enforcement

Step 5: Notify those affected

If a breach puts an individual’s information at risk, they need to be notified. This quick response can help them to take immediate steps to protect themselves. However, if law enforcement is involved, they should direct the company as to whether or not the notification should be delayed to make sure that the investigation is not compromised. The individuals are usually notified via letter, phone, email, or in person. To avoid further unauthorized disclosure, the notification should not include unnecessary personal information. 

Step 6: Learn from the breach

Since cybersecurity breaches are becoming a way of life, it is important to develop organizational processes to learn from breaches. This enables better incident handling, should a company be effected by a breach in the future. Some learning issues include:

  • Document all mistakes
  • Assess how the mistakes could have been avoided •
  • Ensure training programs incorporate lessons learnt

Must Do’s

  • Organizations must put the proper resources in place to ensure that any form of cybersecurity breach is dealt with swiftly and efficiently. 
  • There should be an effective Incident Response Plan.
  • Thoroughly check all monitoring systems for accuracy to ensure a comprehensive understanding of the threat. 
  • Engage in continuous monitoring of their networks after a breach for any abnormal activity and make sure intruders have been inhibited thoroughly. 
  • It is important to perform a postincident review to identify planning shortfalls as well as the success in execution of the incident response plan. 
  • Be sure to engage with Law Enforcement, and any other remediation support entity, soon after the threat assessment is made to allow for containment of the breach and to inform any future victims.
  • Documentation is paramount. Thorough documentation from the onset of the breach through the clean-up must be a priority to ensure continual improvement of the Incident Response Plan. 
  • It is critical to the success of a business to integrate cybersecurity into its strategic objectives and to ensure that cyber security roles are defined in its organizational structure.

References

How to write custom ifequal helper function in handlebars.js?

Handlebar Html Template: Put this template in any html page source.

<script id="handlebarHtml" type="text/handlebar-template">{{firstname}}{{lastname}}
{{#ifequal "a" "b"}} 
	if block
{{else}}
	Else block
{{/ifequal}}
</script>
#Put this code in any global javascript files and make sure function is available to the caller function.
Handlebars.registerHelper('ifequal', function(v1, v2, options) {
    if (v1==v2) return options.fn(this);
    else  return options.inverse(this);
 });

Handlebars javascript compilation code.

var json = {firstname: "Follow", lastname: "cybersecurity"}
var output = Handlebars.compile($("#handlebarHtml").html());
output(json);

Output of above code is:

Followcybersecurity
Else block