Starlink Part I – Introduction

We’ve got a series of articles lined up for you all about the hot topic of Starlink in Ukraine.

According to the latest statistics, there are 18 000 officially registered Starlink terminals in Ukraine, which makes us think that knowledge of this product is becoming a standard requirement for Network Engineers. The trend is quite new in Ukraine; fun fact, Starlink was not so popular back in June 2022, when Mykhailo Fedorov, vice prime minister and minister of Digital Transformation of Ukraine, tweeted that Starlink Ukraine had received an operator license in Ukraine.

As Starlink’s popularity is expanding rapidly, we decided to prepare an article that will serve as an introduction to Starlink. Trust us, though, it is too complex a topic to fit into one article, so expect a series of articles about it rather than just this single one.

We will go through the topic step by step, from generic information to specific details about Starlink configuration and usage examples, and will try to understand what Network Engineers can expect and how to deal with the “Internet from the sky”.

Most probably you have already seen a Starlink dish somewhere in the field. This pizza-sized dish, placed on the ground or on top of your house, does a great job of delivering Internet to your location. Just imagine: a satellite orbiting 550 kilometres up, outside Earth’s atmosphere, and moving at around 27000 kilometres per hour. The small dish continuously steers its beam and switches between satellites approximately every 4 minutes.

Before we dive into the OSI model let’s take a look at the solution components. The solution can be divided into 3 main components: a ground station, a satellite, and a dish (user terminal).

Ground station

The ground station is where the signal received over fibre is converted into a wireless signal and vice versa. Ukraine does not have its own Starlink ground station; the nearest ones are located in Poland, Lithuania, and Turkey. If you are wondering what one looks like, below you can find a photo of the ground station located in Turkey (40.78883190316096, 29.50935872005835).

A typical ground station right now has nine 2.86m antennas in a 400 sqm fenced-in area. Usually, SpaceX prefers to place them near big data centres, and you can probably guess why.

Satellite

According to publicly available information, Starlink has already passed 2500 satellites. The site n2yo.com shows 2779 active satellites, and this number is constantly growing.

There are multiple versions of satellites, from test versions (before v1.0) to planned ones (v2.0). In the current release (v1.0 and v1.5) Starlink satellites are responsible for retransmitting the signal between a user terminal and a ground station. For v2.0 SpaceX is planning to introduce lasers for inter-satellite communication.

Find some technical characteristics below:

  • Altitude – ~550 km
  • Mass – ~260 kg (for v1.0) and ~295 kg (for v1.5)
  • Capacity – ~18 Gbps

Finally, a cool thing about Starlink is that the websites starlink.sx and satellitemap.space let you track satellites and their gateways in real time.

Of course, to use Starlink you do not need to know all these details, just unpacking and connecting the dish is enough. However, if you are a true engineer – stay tuned 😊

Network Tshoot with ChatGPT

ChatGPT is getting a lot of attention. Usually, when I hear about ChatGPT, the context is generally around job security. Recently, in one of the team meetings, I got an interesting question: Where can we use ChatGPT to offload some of the Service Desk network troubleshooting tickets? So, I started exploring this subject.

For a simple test, I built a straightforward lab topology with two routers and an IPSec VPN with OSPF running between them. The router configuration used old-style Cisco IPSec VTI syntax with IKEv1, which is not widely used any more. After the lab was built and working, I broke the router configuration to simulate network issues: the IKE phase II policies were changed. The changes broke connectivity between the routers, and OSPF and IPSec started generating error logs. Those logs were fed into ChatGPT to see how it could help speed up the troubleshooting process and whether it could tell exactly what the reason for the connectivity issue was.

Lab Topology

Interaction with ChatGPT for troubleshooting network issues showed many accuracy problems. Most of them stemmed from the problem context having many possible solutions. Those solutions are not interchangeable, and you must choose one or the other: if you started implementing a feature the first way, you cannot finish or fix it the second way.

For example, on Cisco routers there are at least ten different ways and syntaxes for IPSec VPN configuration, most of which are incompatible. You must configure one or another, consistently, on both ends of the IPSec VPN. The encryption, authentication and hashing capabilities at the data plane do not change, but the implementation and syntax differ. The evolution of Cisco IOS has also led to CLI syntax changes.

The reason behind the inaccurate mixture of solutions is unfamiliarity with their contexts and the stochastic nature of the ChatGPT algorithm. Stochastic algorithms are a type of algorithm that uses randomness to make decisions or solve problems. When ChatGPT does not know the exact answer to the question raised, it tries to predict the answer pseudo-randomly.

As the issue was an IPSec VPN configuration error, and ChatGPT did not know the exact answer, it looked at the context, picked the most widely seen Cisco IPSec VPN configuration syntaxes, and tried to predict a solution with them. Currently the most widely used IPSec VPN configuration is based on IKEv2, but I implemented the IPSec VPN on the lab routers with legacy IKEv1. As IKEv1 and IKEv2 are incompatible, the ChatGPT solution made the problems worse.

The rest of the dialog with ChatGPT is provided below.


George >

I need your help to fix the issue with my network. I started getting complaints from users. They are unable to access our CRM from one of the branches. On the branch router, I see the following logs. Please provide the exact configuration to fix this issue.

*Jan 6 09:37:15.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 6 09:37:15.338: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.0 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jan 6 09:37:16.138: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1
*Jan 6 09:37:17.086: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.2, prot=50, spi=0x814B0503(2169177347), srcaddr=10.0.0.1, input interface=Tunnel0
*Jan 6 09:38:22.163: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.2, prot=50, spi=0x814B0503(2169177347), srcaddr=10.0.0.1, input interface=Tunnel0
*Jan 6 09:39:02.155: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1

ChatGPT >

It looks like there may be an issue with the IPSec tunnel between your branch router and the peer at 10.0.0.1. The log messages indicate that the tunnel interface is down and that there are problems with the IPSec packets, specifically that the packets have an invalid SPI (Security Parameter Index). To troubleshoot this issue, you can try the following steps:

  1. Verify that the tunnel interface is up on both ends of the tunnel. You can do this by checking the status of the tunnel interface using the “show interface” command.
  2. Check the IPSec configuration on both ends of the tunnel to make sure that the IPSec policies match. This includes the transform sets, access lists, and any other configuration related to the IPSec tunnel.
  3. Check the status of the IPSec security associations (SAs) using the “show crypto isakmp sa” and “show crypto ipsec sa” commands. This will show you the current SAs for the tunnel and can help you identify any issues with the SAs.
  4. If the problem persists, you may need to clear the IPSec SAs and try to reestablish the tunnel. You can do this using the “clear crypto isakmp sa” and “clear crypto ipsec sa” commands.

I hope this helps! Let me know if you have any other questions.


George >

Here is the “show interface” output. What else should I provide to you to determine the root cause of this issue?

R1#show interface
GigabitEthernet1 is up, line protocol is up 
  Hardware is CSR vNIC, address is 5254.0019.ab70 (bia 5254.0019.ab70)
  Internet address is 10.0.0.2/30
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1000Mbps, link type is auto, media type is Virtual
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     406 packets input, 70200 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     407 packets output, 70716 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     1 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
Loopback0 is up, line protocol is up 
  Hardware is Loopback
  Internet address is 1.1.1.1/32
  MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
  Keepalive set (10 sec)
  Last input 00:15:25, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     56 packets output, 3960 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Tunnel0 is up, line protocol is down 
  Hardware is Tunnel
  Internet address is 11.0.0.2/30
  MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - linestate protection reg down
  Tunnel source 10.0.0.2, destination 10.0.0.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "AES256-SHA256")
  Last input 00:06:05, output 00:06:06, output hang never
  Last clearing of "show interface" counters 00:49:02
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     115 packets input, 11144 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     115 packets output, 10940 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
<output was omitted for brevity>

ChatGPT >

Thanks for providing the output of the “show interface” command. From the output, it looks like the Tunnel0 interface is not showing up. This could be the reason why the line protocol is down and why you are seeing the other log messages related to the IPSec tunnel.

To troubleshoot this issue further, it would be helpful to see the configuration of the Tunnel0 interface, as well as the IPSec configuration on the router. You can show these using the following commands:

show run interface Tunnel0
show run crypto

Additionally, it would be helpful to know more about your network topology and the devices that are involved in this IPSec tunnel. Can you provide more information about the devices and the network environment in which this tunnel is being used?


George >

Here is the output of commands you suggested to run:

R1#show run interface Tunnel0
Building configuration...
Current configuration : 186 bytes
!
interface Tunnel0
 ip address 11.0.0.2 255.255.255.252
 tunnel source 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile AES256-SHA256
end
R1#show run crypto
                ^
% Invalid input detected at '^' marker.
R1#

ChatGPT >

It looks like there may be a problem with the IPSec configuration on your router. The output of the “show run crypto” command indicates that there is an error in the configuration.

To troubleshoot this issue, you can try the following steps:

  1. Check the IPSec configuration for any syntax errors or missing parameters. You can do this by reviewing the output of the “show run crypto” command and looking for any issues.
  2. Verify that the IPSec policy that is being used by the Tunnel0 interface is properly configured. This includes the transform sets, access lists, and any other configuration related to the IPSec tunnel.
  3. Make sure that the IPSec peer (10.0.0.1 in this case) is reachable and that there are no connectivity issues between the two devices. You can do this by pinging the peer from the router or by checking the status of the tunnel interface on the peer device.
  4. If the problem persists, you may need to clear the IPSec SAs and try to reestablish the tunnel. You can do this using the “clear crypto isakmp sa” and “clear crypto ipsec sa” commands.

I hope this helps! Let me know if you have any other questions or if you need further assistance.


George >

It seems the router is not interpreting the “show run crypto” command. Please suggest a solution.

R1#show run crypto
           ^
% Invalid input detected at '^' marker.
R1#

ChatGPT >

I apologize for the oversight. It looks like there is a problem with the “show run crypto” command on your router.

To troubleshoot this issue, you can try the following steps:

  1. Make sure that you are typing the command correctly and that there are no typos in the command.
  2. Check the version of the Cisco IOS software running on your router. Some versions of IOS do not support the “show run crypto” command. If this is the case, you can use the “show run” command to view the entire configuration of the router, and then search for the “crypto” keyword to find the relevant configuration.
  3. If the problem persists, there may be a problem with the Cisco IOS software or the device itself. In this case, you may need to reboot the router or upgrade the IOS software to a newer version.

I hope this helps! Let me know if you have any other questions or if you need further assistance.


George >

“show run” worked. Here is the entire configuration:

R1#show runn
Building configuration...
Current configuration : 4439 bytes
!
! Last configuration change at 09:36:38 UTC Fri Jan 6 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
!
login on-success log
!
subscriber templating
!        
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 
!
license udi pid CSR1000V sn XXXXXXXXX
diagnostic bootup level minimal
memory free low-watermark processor 71489
!
!
spanning-tree extend system-id
!
!
redundancy
!
crypto isakmp policy 1
 encryption 3des
 hash sha512
 authentication pre-share
 group 20
crypto isakmp key Cisco123 address 10.0.0.1      
!
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AES256-SHA256
 set transform-set AES256-SHA256
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 11.0.0.2 255.255.255.252
 tunnel source 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile AES256-SHA256
!
interface GigabitEthernet1
 ip address 10.0.0.2 255.255.255.252
 negotiation auto
 no mop enabled
 no mop sysid
!
router ospf 1
 network 11.0.0.0 0.0.0.255 area 1
!        
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
control-plane
!
.
.
.
<output was omitted for brevity>

ChatGPT >

Thanks for providing the complete configuration of your router.

Based on the configuration, it looks like the Tunnel0 interface is being configured with the “tunnel mode ipsec ipv4” command, which indicates that this is an IPSec tunnel. The tunnel is being sourced from the interface with the IP address 10.0.0.2 and is being directed to the peer at 10.0.0.1.

The tunnel is also using an IPSec profile named “AES256-SHA256”, which specifies the transform sets and other parameters for the IPSec connection.

However, there is no explicit “crypto map” configuration in the router’s configuration. A crypto map is used to apply the IPSec policies to an interface, and it is necessary for establishing an IPSec tunnel.

To fix this issue, you will need to add a crypto map to your configuration and apply it to the Tunnel0 interface. Here is an example of how you can do this:

crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set AES256-SHA256
 set security-association lifetime seconds 3600
 match address 100
interface Tunnel0
 crypto map IPSEC-MAP

This configuration creates a crypto map named “IPSEC-MAP” and applies the transform set “AES256-SHA256” to it. The crypto map is then applied to the Tunnel0 interface, which will cause the router to initiate an IPSec tunnel to the peer at 10.0.0.1 using the specified transform set.

I hope this helps! Let me know if you have any other questions or if you need further assistance.


George >

I have implemented the configuration you suggested and received the following note:

R1(config-if)#crypto map IPSEC-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)# set peer 10.0.0.1
R1(config-crypto-map)# set transform-set AES256-SHA256
R1(config-crypto-map)# set security-association lifetime seconds 3600
R1(config-crypto-map)# match address 100
R1(config-crypto-map)#
R1(config-crypto-map)#interface Tunnel0
R1(config-if)# crypto map IPSEC-MAP
% NOTE: crypto map is configured on tunnel or port-channel interface. Currently only GDOI crypto map is supported on tunnel or port-channel interface.
R1(config-if)#

ChatGPT >

It looks like there is a problem with the crypto map configuration on your router. The error message “NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured” indicates that the crypto map is not complete and cannot be applied to the interface.

In addition, the error message “NOTE: crypto map is configured on tunnel or port-channel interface. Currently only GDOI crypto map is supported on tunnel or port-channel interface” indicates that the crypto map cannot be applied to the Tunnel0 interface because it is not supported on this type of interface.

To fix this issue, you will need to complete the configuration of the crypto map and make sure that it is applied to a supported interface. Here is an example of how you can do this:

access-list 100 permit ip any any
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set AES256-SHA256
 set security-association lifetime seconds 3600
 match address 100
interface GigabitEthernet0/0
 crypto map IPSEC-MAP

This configuration creates an access list named “100” that allows all traffic, and then applies it to the crypto map. The crypto map is then applied to the GigabitEthernet0/0 interface, which is a supported interface.

At this point, ChatGPT had messed up the troubleshooting process. I see no reason to continue. This example demonstrates the stochastic nature of the ChatGPT algorithm.

ChatGPT can help speed up finding problems in a network. It can produce practical high-level recommendations and structure a problem-finding approach. Usually, when you have been troubleshooting for hours, you think everything has been checked and configured properly and start blaming software and hardware. ChatGPT can step in and provide recommendations and hints. But you should know how to ask questions, how AI works, and understand the technology, at least 70% of it. To fully utilize its potential, it will be essential to develop skills in interacting with ChatGPT.
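As an added example (not part of the original article), this is the deterministic first pass a network engineer can run over the same six syslog lines before asking anyone, human or model, for help: it parses the Cisco IOS %FACILITY-SEVERITY-MNEMONIC format, separates likely causes from downstream symptoms, and lists the checks that follow. The sample lines are the messages quoted in the dialog; the rule table, the reading of an invalid-SPI message as mismatched phase 2 SAs, and the list of follow-up commands are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input for this example: the six Cisco IOS syslog lines the branch
# router produced in the dialog above, one message per line.
SAMPLE_LOGS = """\
*Jan 6 09:37:15.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 6 09:37:15.338: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.0 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jan 6 09:37:16.138: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1
*Jan 6 09:37:17.086: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.2, prot=50, spi=0x814B0503(2169177347), srcaddr=10.0.0.1, input interface=Tunnel0
*Jan 6 09:38:22.163: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.2, prot=50, spi=0x814B0503(2169177347), srcaddr=10.0.0.1, input interface=Tunnel0
*Jan 6 09:39:02.155: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.1
"""

# Cisco IOS syslog format: [*]TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,\s]+)")              # destaddr=10.0.0.2, spi=0x...(...)
PEER_RE = re.compile(r"peer at (\d+(?:\.\d+){3})")   # "... failed with peer at 10.0.0.1"

# Rule table (assumption of this example) keyed by mnemonic. "cause" rules point at
# the layer where the fault lives; "symptom" rules are consequences of that layer
# failing and should not be chased first.
RULES = {
    "RECVD_PKT_INV_SPI": ("cause",
        "peer sends ESP with an SPI this router has no IPsec SA for: the IPsec "
        "(IKE phase 2) security associations no longer match on both ends"),
    "IKMP_MODE_FAILURE": ("cause",
        "ISAKMP (IKEv1) informational exchange with the peer failed"),
    "UPDOWN": ("symptom", "tunnel line protocol follows the IPsec SA state"),
    "ADJCHG": ("symptom", "OSPF neighbour over the tunnel dropped once the interface went down"),
}


@dataclass
class Event:
    ts: str
    facility: str
    severity: int
    mnemonic: str
    msg: str
    fields: dict = field(default_factory=dict)


def parse_syslog(text: str) -> list:
    """Parse IOS syslog lines; lines that do not match are skipped, never guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m["msg"]))
        peer = PEER_RE.search(m["msg"])
        if peer:
            fields["peer"] = peer.group(1)
        elif "srcaddr" in fields:
            fields["peer"] = fields["srcaddr"]
        if "spi" in fields:                      # "0x814B0503(2169177347)" -> "0x814B0503"
            fields["spi"] = fields["spi"].split("(")[0]
        events.append(Event(m["ts"], m["fac"], int(m["sev"]), m["mn"], m["msg"], fields))
    return events


def triage(events: list) -> dict:
    """Group events by rule, rank likely causes above symptoms, list the next checks."""
    counts = Counter(e.mnemonic for e in events)
    sev = {e.mnemonic: e.severity for e in events}
    causes, symptoms = [], []
    for mn, n in counts.items():
        role, why = RULES.get(mn, ("unknown", "no rule for this mnemonic; review manually"))
        (causes if role == "cause" else symptoms).append((n, mn, why))
    # more occurrences first, then the more severe message (lower IOS severity number)
    causes.sort(key=lambda c: (-c[0], sev.get(c[1], 7)))
    symptoms.sort(key=lambda c: (-c[0], sev.get(c[1], 7)))
    peers = sorted({e.fields["peer"] for e in events if "peer" in e.fields})
    spis = sorted({e.fields["spi"] for e in events if "spi" in e.fields})
    # IKEv1 (ISAKMP) logs carry IKMP_* mnemonics; IKEv2 logs use their own IKEV2 facility.
    ike = "IKEv1 (ISAKMP)" if any(e.mnemonic.startswith("IKMP") for e in events) else "unknown"
    checks = []
    if causes:
        checks += ["show crypto isakmp sa", "show crypto ipsec sa",
                   "compare the ISAKMP policy and 'crypto ipsec transform-set' on both peers"]
    if any(e.fields.get("interface", "").startswith("Tunnel") for e in events):
        checks.append("ESP arrived on a Tunnel interface: the IPsec tunnel is a VTI with tunnel "
                      "protection, so any fix belongs in the IPsec profile, not in a crypto map "
                      "(IOS accepts only GDOI crypto maps on tunnel interfaces)")
    return {"peers": peers, "spis": spis, "ike_version": ike,
            "causes": causes, "symptoms": symptoms, "next_checks": checks}


if __name__ == "__main__":
    result = triage(parse_syslog(SAMPLE_LOGS))
    print("peer(s):", result["peers"], "IKE:", result["ike_version"], "SPI:", result["spis"])
    for n, mn, why in result["causes"]:
        print(f"CAUSE   x{n} {mn}: {why}")
    for n, mn, why in result["symptoms"]:
        print(f"SYMPTOM x{n} {mn}: {why}")
    for c in result["next_checks"]:
        print("NEXT   ", c)
```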

From the software developers’ point of view, ChatGPT is more robust, as it has received more optimization around software development. Nevertheless, it is a matter of time before ChatGPT can model Cisco IOS configuration and syntax more accurately.

Stay tuned!

DAILY LIFE AND REALITIES OF SECURITY OPERATIONS CENTER (SOC). XDR or SOAR?

Our SOC will soon turn 2 years old and, since we have accumulated considerable experience and walked the difficult path of building an SOC almost from scratch, we decided to start publishing a series of articles in which we will share our experience and tell you how we built our SOC and how it currently works.
In these articles, we will talk about technologies, interesting cases of detecting and repelling cyberattacks, the details of individual investigations, the nuances of building the architecture of the SOC technology stack, and much more. We hope that our publications will be useful and interesting both for our customers and for our colleagues in the business.

So, let’s begin. Anyone familiar with the topic of SOC knows a simple formula:

SOC = PEOPLE + PROCEDURES + TECHNOLOGIES.

When we started building an SOC, we understood that modern SOCs use a great many technological solutions, and that an important parameter of a successful SOC organization for us would be forming a balanced and effective stack of these solutions. Faced with the temptation to use the largest possible number of different systems, we set ourselves the task of reducing this diversity to a set of solutions necessary and sufficient for successful operation.

Whether a Security Information and Event Management system (SIEM), Endpoint Detection and Response system (EDR), Vulnerability Management Platform (VMP), Network Traffic Analyzer (NTA), Incident Response Platform (IRP) and Threat Intelligence Platform (TIP) should be part of the solution stack was never in question. Of course they should; we only slightly revised the priority of their use, which we will discuss in future articles. But we did have to think about using SOAR/XDR. What to choose, SOAR or XDR? Or should we use them together? First, let’s talk a little about what these systems are.

SOAR is the next step in the evolution of SIEM systems. SOAR provides orchestration and automation of processes for managing heterogeneous IT security and IT systems from different vendors and for responding to cybersecurity incidents through pre-prepared response plans (playbooks). Note that, in order to have a relevant set of playbooks, SOAR requires considerable involvement of IT security experts in creating and modifying them.

XDR is the next step in the development of EDR systems. XDR combines several security products from a single vendor into one platform for detecting and responding to security incidents (at the level of endpoints, the network, mail traffic, clouds, etc.) and provides maximum automation of the tasks of collecting data and identifying, prioritizing, investigating and neutralizing complex threats from a single tool. In addition, modern XDR systems are able to integrate with security products from different vendors (not only the vendor of the XDR itself).

After studying several SOAR/XDR systems, we came up with the following comparison results:

  • XDR has built-in detection technologies, while SOAR does not.
  • XDR provides “raw” data correlation, SOAR does not.
  • IOC scanning in SOAR is only possible using SIEM. XDR has no such restrictions.
  • Proactive threat hunting in SOAR is only possible using SIEM. XDR has no such restrictions.
  • XDR does not require additional configuration from the user, but SOAR does.
  • SOAR cannot include XDR functionality.
  • XDR can include SOAR functionality (interaction with third-party systems, work with playbooks).

What conclusion can be drawn from this? SOAR technology will never be able to incorporate XDR functionality, except by merging with an XDR from the same vendor or acquiring an XDR from another vendor. Moreover, the level of native automation in XDR is much higher than in SOAR, which allows SOC analysts to focus on analyzing cyber incidents and cyberattacks rather than constantly modifying or creating playbooks.

XDR automatically correlates security events and prioritizes and validates alerts, allowing the analyst team to work effectively on the most relevant threats. XDR also offers built-in security investigation workflows and automated scripts that help streamline investigations and speed up response. XDR is a simpler and more intuitive solution that reduces the burden of manual work and saves analysts valuable time so they can focus on something more important.

As a result, we chose XDR as one of the main tools for our SOC.

Vulnerability management and its role in modern cyber-security

This time we would like to discuss one of the most crucial concepts in every IT environment and, as you can guess from the title, that is vulnerability management. Based on our experience and the different ways to approach security matters, we believe that this service is a must in every IT security environment, especially in a SOC.

In every organization there is an undefined number of vulnerabilities, ranging from physical security and the hardware vulnerabilities that every PC manufacturer faces daily, to operating system vulnerabilities that are often exploited because of a lack of patch management, and even the most popular software applications we use daily (for example WinRAR or Chrome).

Unpatched or legacy applications often become the first target for hackers and the way they get their foothold in an organization.

A lot of people, even experienced engineers, often say that their infrastructure is secure simply because there is no direct connection from the outside, but they do not consider that modern attacks mostly originate from internal infrastructure devices that have already been compromised. This can happen for various reasons:

1. The company permits users to work remotely or even to use their own devices (BYOD), which obviously lack security hardening. Remote storage device management should be a separate topic for discussion.

2. Even if there is no access from the internet, there is always a connection to the internet, and outbound firewall filters are less effective, or, we dare say, “useless”, against the constant risks of internet surfing.

3. A lot of organizations do not have the policies or the ability to control the applications installed for every end user, which often results in someone unintentionally installing a malicious or suspicious app that later becomes the starting point of an infection.

4. The lack of security awareness training is the most common thing that makes users click suspicious links, open email attachments from untrusted senders and visit insecure websites, so that their credentials get stolen, confidential information leaks and their device is compromised without them suspecting it. Even the most qualified person in this field cannot be fully protected in their daily interactions with their devices.

The primary use case of vulnerability management solutions is to seek, analyze, report, recommend and verify the remediation of such vulnerabilities, which will surely remove extensive risks from any IT environment and make it safer.

In the security field we have 2 approaches: reactive and proactive.

Reactive is when we set up our various detection solutions (SIEM, EDR, IDS etc.) across the company infrastructure and wait for the hacker, or any sign of compromise, to show up. This is considered the more traditional approach compared to the second one, but, based on our experience, its detection and prevention mechanism is not instant magic, and there will surely be a small portion of data leaked or corrupted. We should also consider the amount of time, money and effort it takes to set up and bring into production.

With the proactive approach, we have different tools for threat hunting, conducted on the basis of our own hypotheses, risk analysis or popular cyber threat publishers, and of course our vulnerability scanner, which periodically scans the environment (preferably during the period of lowest production load) for any possible loophole an attacker could exploit or take advantage of, and helps us close it before it causes us any trouble; thus the amount of risk decreases steadily. As the name of this approach implies, we do not have to wait for the attacker to show up; we simply bring the odds of that happening close to zero.

The ways a scanner can detect vulnerabilities vary. For example, the most basic scans run without giving the scanner any credentials, and it checks for basic things such as weak encryption algorithms, default passwords, open port responses etc.

The most effective way to get the full vulnerability data is to perform the vulnerability assessment with the target system’s credentials. In this case, besides the basic assessment, the scanner also logs in to the system remotely to get full visibility from the inside, so the amount of information it generates increases significantly as well.

Also, a lot of security solution vendors (even open-source ones) nowadays offer end-user agent solutions, which perform the scan from inside the system and send the report to the management console without the need to hand credentials to the scanner node.

One important factor to consider is the location of the vulnerability scanner node: whether only a specific type of network is permitted on its segment, whether it scans through a firewall (which is usually not recommended because of the significant number of packet drops), and whether you wish to scan an external web application (which also takes a lot of time to scan because of WAF or DDoS protection).

Vulnerability reporting and priority analysis also require separate knowledge of the infrastructure, because the severity measures are taken directly from the MITRE database or another external resource, which measures them only objectively, without considering the client’s internal structure and business impact.

In conclusion, we would like to add that even if there is no publicly available exploit for a vulnerability, that does not mean you should ignore it, because there will always be attackers with zero-day exploits lurking on the dark web and waiting for a potentially profitable attack.
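A worked illustration of the last two points, added here as an example rather than taken from the article or from any scanner product: the objective score the scanner reports is weighted by what the affected host means to the business and whether it is exposed, and a missing public exploit lowers the priority but never removes it. The asset names, findings, weights and thresholds are constructed for the example.

```python
"""Context-aware ranking of scanner findings (added example, not from the article).

The scanner gives an objective severity; the asset inventory supplies the business
context the article says the scanner lacks. Weights are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    criticality: int       # 1 = lab box ... 5 = core business system (from the asset inventory)
    internet_facing: bool


@dataclass
class Finding:
    finding_id: str
    host: str
    cvss_base: float       # objective score as reported by the scanner
    public_exploit: bool   # public exploit code is known to exist


# Multiplier applied to the scanner's score for each criticality level (assumption).
CRITICALITY_WEIGHT = {1: 0.7, 2: 0.8, 3: 0.9, 4: 1.0, 5: 1.1}

# Context for a host the inventory does not know: assume it is exposed and mid-critical,
# so an unknown asset is never silently treated as unimportant.
UNKNOWN_ASSET_DEFAULT = Asset(host="?", criticality=3, internet_facing=True)


def priority_score(finding: Finding, asset: Asset) -> float:
    """Scanner severity adjusted by business context; capped at 10 like CVSS."""
    score = finding.cvss_base * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score += 1.5          # reachable by anyone on the internet
    if finding.public_exploit:
        score += 1.0          # exploit availability raises urgency; its absence does not remove it
    return min(score, 10.0)


def prioritize(findings, assets):
    """Return (score, finding, asset) tuples, highest internal priority first."""
    by_host = {a.host: a for a in assets}
    ranked = []
    for f in findings:
        a = by_host.get(f.host, UNKNOWN_ASSET_DEFAULT)
        ranked.append((priority_score(f, a), f, a))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


# Constructed sample data for the example.
SAMPLE_ASSETS = [
    Asset("dmz-web-01", criticality=5, internet_facing=True),
    Asset("lab-test-03", criticality=1, internet_facing=False),
    Asset("hr-db-02", criticality=4, internet_facing=False),
]
SAMPLE_FINDINGS = [
    Finding("F-1", "dmz-web-01", cvss_base=7.5, public_exploit=False),
    Finding("F-2", "lab-test-03", cvss_base=9.8, public_exploit=True),
    Finding("F-3", "hr-db-02", cvss_base=6.5, public_exploit=False),
    Finding("F-4", "unknown-77", cvss_base=5.0, public_exploit=True),
]


def ranked_ids(findings=SAMPLE_FINDINGS, assets=SAMPLE_ASSETS):
    """Finding ids in the order they should be worked."""
    return [f.finding_id for _, f, _ in prioritize(findings, assets)]


if __name__ == "__main__":
    for score, f, a in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{f.finding_id} on {f.host}: scanner {f.cvss_base} -> internal priority {score:.1f}")
```

On the constructed data, F-2 (the highest CVSS score, but on an isolated lab host) ranks below F-1 (a high on the exposed DMZ server), which is exactly the reordering that the scanner's objective score alone cannot give you. The default for an unknown host is deliberately pessimistic so that gaps in the asset inventory surface as work rather than disappearing from the list.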

Have a good vulnerability hunt 😊.

Enhancing Cybersecurity: The Synergy of ChatGPT and Human Expertise

In recent years, cybersecurity has become an increasingly important issue as the internet has become a central part of our lives. Hackers and cybercriminals are constantly finding new ways to breach security measures, and it has become more important than ever to have effective cybersecurity measures in place to protect against these threats. In this context, security professionals have to work harder than ever.

Given the enormous popularity of ChatGPT, I wanted to write a small article about how it can be used in cyber security and whether it can replace humans in this field, since representatives of several professions, especially programmers, are afraid that AI may replace them.

So that the article is not purely theoretical, I would like to see how ChatGPT handles our daily routine, based on practical examples.

Okay, let’s start!!!

My day-to-day routine as a SOC analyst involves monitoring various security tools, investigating the incidents they raise, analyzing them and responding accordingly. Therefore, I would like to ask ChatGPT to help me analyze some of these incidents.

Our main tool in the SOC for endpoint protection is EDR. I will take one of its incidents and let's see what ChatGPT tells us.

ME:

We have an alert in the endpoint protection and response tool that someone opened PowerShell and executed the following command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\LKgtmNLCTEp').FKITK)));

What could this command indicate, and does it look suspicious?

ChatGPT:

The command you provided appears to be a PowerShell command that runs a script encoded in Base64. Let’s break down the command to understand its functionality:
· C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: This is the path to the PowerShell executable on a Windows system.
Options:
· -WindowStyle hidden: This option makes the PowerShell window hidden, meaning it will not be visible to the user.
· -NoLogo: This option prevents the PowerShell logo from being displayed in the console.
· -NonInteractive: This option runs PowerShell in non-interactive mode, which means it will not prompt for user input.
· -ep bypass: This option bypasses the execution policy, allowing the execution of scripts.
· -nop: This option stands for “no profile” and prevents the loading of the user’s PowerShell profile scripts.
Command execution:
· iex: This is a built-in alias for the Invoke-Expression cmdlet, which allows executing a string as a PowerShell command.

Script execution:
· ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\LKgtmNLCTEp').FKITK))): This part of the command retrieves a value from the Windows registry (HKCU:\Software\Classes\LKgtmNLCTEp), decodes it from Base64, and executes it as a PowerShell command.
Without knowing the content of the registry value, it’s difficult to determine the exact purpose of this command. However, it is worth noting that such obfuscated and encoded commands are often associated with malicious activity and can potentially be used to perform unauthorized or harmful actions on a system.


We can say that ChatGPT is quite capable of analyzing complex commands and giving you very useful information. Of course, this is very helpful for analysts, who do not waste a lot of time, and we can use ChatGPT for it. But there have been cases in my practice when ChatGPT was also wrong when analyzing a command, so cybersecurity specialists should at least look carefully at ChatGPT's output so as not to make any serious mistakes.
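To make the reasoning in the exchange above repeatable, here is a small triage script for PowerShell command lines. It is an added example, not the article's tooling or the EDR's own logic: it scores the indicators ChatGPT identified (hidden window, execution-policy bypass, Invoke-Expression, Base64, a registry read) and also decodes an inline -EncodedCommand payload, which is the other common shape of this pattern. The weights, thresholds and the sample command lines other than the alert's own are constructed for the example.

```python
"""Triage of a PowerShell command line from an EDR alert.

Added example, not the article's tooling or the EDR's own logic: it scores the
indicators the exchange above identifies so the reasoning is repeatable.
Weights, thresholds and the non-alert sample lines are this example's assumptions.
"""
import base64
import re

# (regex, weight, explanation); matched case-insensitively against the whole command line.
INDICATORS = [
    (r"-w(indowstyle)?\s+hidden", 3, "hidden window"),
    (r"-e(p|xecutionpolicy)\s+bypass", 3, "execution policy bypass"),
    (r"-nop(rofile)?\b", 1, "user profile skipped"),
    (r"-noni(nteractive)?\b", 1, "non-interactive session"),
    (r"\biex\b|invoke-expression", 3, "Invoke-Expression of a built string"),
    (r"frombase64string|-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 3, "Base64-encoded payload"),
    (r"\bgp\b|get-itemproperty|hkcu:|hklm:", 2, "payload read from the registry"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", 3, "download from the network"),
    (r"syswow64\\windowspowershell", 1, "32-bit PowerShell host on a 64-bit system"),
]
ESCALATE_AT = 6   # assumed thresholds
REVIEW_AT = 3


def triage(cmdline: str):
    """Return (score, [explanations]) for a raw command line."""
    text = cmdline.lower()
    hits = [(weight, why) for pattern, weight, why in INDICATORS if re.search(pattern, text)]
    return sum(w for w, _ in hits), [why for _, why in hits]


def verdict(score: int) -> str:
    if score >= ESCALATE_AT:
        return "suspicious"
    if score >= REVIEW_AT:
        return "review"
    return "benign"


def decode_encoded_command(cmdline: str):
    """Decode an inline -EncodedCommand/-enc/-e payload (Base64 of UTF-16LE), else None.

    The alert's command keeps its payload in the registry, so for it this returns None
    and the registry value has to be collected from the host instead."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Sample command lines: the first is the alert from the article, the rest are constructed.
ALERT_CMD = (
    '"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" -WindowStyle hidden -NoLogo '
    "-NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString("
    "[Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\LKgtmNLCTEp').FKITK)));"
)
BENIGN_CMD = 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"'
ADMIN_CMD = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1"
ENCODED_CMD = "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
    "Write-Host 'hello from encoded'".encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for cmd in (ALERT_CMD, BENIGN_CMD, ADMIN_CMD, ENCODED_CMD):
        score, reasons = triage(cmd)
        print(f"{verdict(score):10} score={score:2d}  {cmd[:70]}...")
        for r in reasons:
            print("   -", r)
        decoded = decode_encoded_command(cmd)
        if decoded:
            print("   decoded payload:", decoded)
```

The alert's command trips eight of the nine indicators and lands well above the escalation threshold, the benign service query scores one, and the admin backup script that only bypasses the execution policy lands in "review", which is where a human decides whether a signed, scheduled script is expected on that host. The explanations list is what goes into the ticket, so the analyst sees why the score is what it is instead of only a number.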


Without wasting more time on this incident, let's move on to the next one. This time I want to analyze an incident generated in the SIEM.

In this case, I'm going to analyze an alert which I generated in the SIEM specifically for testing purposes.

ME:

I have created an alert in the SIEM so that if someone opens a link which ends with "bin.sh", the SIEM must detect it and generate an alert. In this case we got an alert that someone clicked on the link "http://117.215.247.180:54974/bin.sh". Based on this link, can I suppose that this is a suspicious link?

ChatGPT:

Based on the link you provided, "http://117.215.247.180:54974/bin.sh," it is reasonable to consider this as a suspicious link. Here are some reasons:
· Unusual URL: The URL ends with “/bin.sh,” which suggests that it points to a shell script file. Shell scripts can be used for various purposes, including executing commands on a system. In the context of web browsing, it is uncommon to encounter URLs ending with “.sh” unless the intention is to download and run a shell script.
· Non-standard port: The URL includes the port number “54974,” which is not a commonly used port for web browsing. Using non-standard ports can be an attempt to bypass standard network monitoring or firewall rules, making it potentially suspicious.
· Lack of HTTPS: The URL begins with “http” instead of “https.” This indicates that the connection to the website is not encrypted, potentially exposing any data transmitted between the client and the server to interception or modification.
· IP address: The link uses an IP address, “117.215.247.180,” instead of a domain name. While IP addresses can be legitimate, attackers often use IP addresses for hosting malicious content to avoid detection or takedown of a specific domain.

Considering these factors, the link you provided does raise suspicions. However, it is important to conduct further analysis and investigation to determine the true nature of the link and its associated risks. It is recommended to consult with your organization’s IT security team or a cybersecurity professional who can examine the link and assess the potential threat it poses to your systems and network.


Here we can say that it gives us very useful information, but for a full investigation ChatGPT, being an AI, has no access to the threat intelligence databases where it could look up which malware or even APT groups use this particular link, which I was able to find out easily in one simple operation, both manually and with a tool such as CORTEX.
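The checks ChatGPT lists for the URL can be codified so that every such SIEM alert is enriched the same way before an analyst looks at it. The following is an added example, not the article's SIEM rule: it parses the URL, flags cleartext HTTP, a bare IP host, a non-standard port and a script-like path, and additionally tells a public address apart from an internal or reserved one, since an internal source changes which playbook applies. The sample URLs other than the alert's own are constructed, and the "reasons" list is where a threat-intelligence lookup result would be appended.

```python
"""Enrichment of a URL from a SIEM alert (added example; not the article's SIEM rule).

Codifies the signals the ChatGPT answer lists and adds a public-vs-internal check
on the host. Thresholds and the sample URLs other than the alert's are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

SCRIPT_SUFFIXES = (".sh", ".ps1", ".bat", ".cmd", ".vbs", ".hta")
COMMON_WEB_PORTS = {80, 443, 8080, 8443}


def triage_url(url: str) -> dict:
    """Parse the URL and return its parts plus the reasons it looks suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # a hostname, not a literal address

    if parts.scheme == "http":
        reasons.append("cleartext HTTP")
    if ip is not None:
        reasons.append("bare IP address instead of a hostname")
        if not ip.is_global:
            # RFC 1918, loopback, link-local and documentation ranges: an internal
            # source points at lateral movement or a test, not a public drop site.
            reasons.append("internal or reserved address")
    port = parts.port                  # None when the scheme default is used
    if port is not None and port not in COMMON_WEB_PORTS:
        reasons.append(f"non-standard port {port}")
    path = parts.path.lower()
    if path.endswith(SCRIPT_SUFFIXES):
        reasons.append(f"path ends in a script extension ({path.rsplit('.', 1)[-1]})")

    return {
        "host": host,
        "port": port,
        "path": parts.path,
        "reasons": reasons,
        "verdict": "suspicious" if len(reasons) >= 2 else "low",
    }


# The alert's URL from the article, plus constructed comparison cases.
SAMPLE_URLS = [
    "http://117.215.247.180:54974/bin.sh",
    "http://10.0.5.20:8080/bin.sh",
    "https://updates.example.com/release-notes.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage_url(u)
        print(f"{r['verdict']:10} {u}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The alert's URL collects four reasons; the constructed internal one collects four as well but with the "internal or reserved address" flag, which is the signal that the download came from inside the network and should go to the lateral-movement playbook rather than the phishing one. A plain HTTPS page on a hostname collects none.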

Now I want to test how ChatGPT helps in a vulnerability management case. I will take one of the already scanned weaknesses and ask ChatGPT for useful information about its impact, how to solve the problem and, if possible, reference links.

ME:

I have scanned one server in my infrastructure and one of the results is a critical weakness. This is the weakness: "The service is providing / accepting the following deprecated versions of the SSH protocol which have known cryptographic flaws: 1.5"

Can you give me a reference for the impact of this weakness, the solution and some reference links?

ChatGPT:

The weakness you mentioned pertains to a server providing or accepting deprecated versions of the SSH (Secure Shell) protocol, specifically version 1.5. Here’s some information regarding the impact, solution, and relevant reference links:
Impact:
Using deprecated versions of the SSH protocol, such as 1.5, can expose your server to various security vulnerabilities. The SSH protocol version 1.5 is considered outdated and has known cryptographic flaws, making it susceptible to attacks and exploitation by malicious actors. Attackers could potentially intercept, manipulate, or decrypt SSH communications, compromising the confidentiality, integrity, and authenticity of your server’s data and connections.

Solution:
To address this weakness, it is recommended to discontinue the use of SSH protocol version 1.5 and enforce the use of more secure versions, such as SSH protocol version 2. SSH protocol version 2 has significant security improvements and is widely supported by modern SSH implementations.
To resolve the weakness, follow these steps:

  1. Update the SSH configuration on the affected server to disable support for SSH protocol version 1.5.
  2. Enable or enforce SSH protocol version 2.
  3. Ensure that all SSH clients and servers connecting to the affected server also support SSH protocol version 2.
  4. Test the configuration changes thoroughly to ensure proper functionality and compatibility before deploying them to a production environment.

Reference Links:
Here are some reference links that provide more detailed information on the impact of deprecated SSH protocol versions and guidance for securing your SSH implementation:

  1. OpenSSH Security: The official website of OpenSSH, a widely used SSH implementation, provides security-related announcements, advisories, and updates.
  2. NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations: This NIST publication outlines security controls for information systems, including guidelines for secure SSH configuration.
  3. Secure Secure Shell: This article by Colin Percival offers in-depth explanations and recommendations for securing SSH configurations, including the deprecation of SSH protocol version

Remember, it is important to apply security best practices and keep your SSH implementation up to date to protect your server and data from potential vulnerabilities and attacks.


It can be said that ChatGPT provided us with comprehensive information in answer to our question.
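ChatGPT's advice stops at "disable protocol 1"; what a practitioner also needs is a way to confirm the finding and to verify the fix afterwards. The following added example (not the article's or the scanner's code) does both offline: it reads the identification string an SSH server sends (per RFC 4253, a server that also speaks SSH-1 announces itself as SSH-1.99, a pure SSH-1 server as SSH-1.5) and checks or rewrites the Protocol directive in sshd_config. The banners and the configuration fragment are constructed. One caveat worth knowing: current OpenSSH releases no longer contain SSH-1 server code at all, so a 1.5 or 1.99 banner on a host that supposedly runs modern OpenSSH means something else (an old build or a different daemon) is listening on that port, and that is what to investigate.

```python
"""Confirm and remediate an "SSH protocol 1.5 accepted" scanner finding.

Added example, not the article's or the scanner's code. RFC 4253 section 4.2 defines
the identification string; a server announcing "SSH-1.99" speaks both SSH-1 and SSH-2.
"""
import re
import socket

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def banner_allows_ssh1(banner: str) -> bool:
    """True when the identification string admits SSH-1 (protoversion 1.x, including 1.99)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return m.group(1).startswith("1.")


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the first line a live server sends (needs network access; not used by the samples)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(255).decode("ascii", "replace").splitlines()[0]


def _directive(line: str):
    """Split an sshd_config line into (keyword, value), ignoring comments; None for blank lines."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    parts = re.split(r"[\s=]+", stripped, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def allowed_protocols(config_text: str):
    """Versions permitted by the first Protocol directive (sshd honours the first occurrence),
    or None when the directive is absent and the daemon's compiled-in default applies."""
    for line in config_text.splitlines():
        d = _directive(line)
        if d and d[0] == "protocol":
            return {v.strip() for v in d[1].split(",") if v.strip()}
    return None


def remediate(config_text: str) -> str:
    """Return the config with Protocol forced to 2 (first directive rewritten, else one prepended)."""
    out, done = [], False
    for line in config_text.splitlines():
        d = _directive(line)
        if not done and d and d[0] == "protocol":
            out.append("Protocol 2")
            done = True
        else:
            out.append(line)
    if not done:
        out.insert(0, "Protocol 2")
    return "\n".join(out) + "\n"


def assess(banner: str, config_text: str):
    """Findings an analyst should act on; empty when the host is clean."""
    findings = []
    if banner_allows_ssh1(banner):
        findings.append("banner advertises SSH-1 compatibility")
    allowed = allowed_protocols(config_text)
    if allowed is None:
        findings.append("no Protocol directive: compiled-in default applies, verify the sshd build")
    elif "1" in allowed:
        findings.append("Protocol directive still permits version 1")
    return findings


# Constructed samples: an old host's banner and sshd_config fragment, and a current banner.
OLD_BANNER = "SSH-1.99-OpenSSH_4.3"
NEW_BANNER = "SSH-2.0-OpenSSH_9.6"
OLD_CONFIG = """# constructed sshd_config fragment
Port 22
Protocol 2,1
PermitRootLogin no
"""

if __name__ == "__main__":
    print("before:", assess(OLD_BANNER, OLD_CONFIG))
    print("after: ", assess(NEW_BANNER, remediate(OLD_CONFIG)))
```

Step 4 of ChatGPT's list (test before deploying) is what the banner check is for: after the configuration change and a daemon restart, the server's identification string should read SSH-2.0 and the scanner finding should disappear on the next run; if the banner still says 1.99, the directive was not the thing controlling it.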

To summarize

Based on my practice, I can conclude that ChatGPT can detect suspicious commands, analyze logs, strings, phishing emails, find information about vulnerabilities, etc., but I think that it is not able to fully respond to threats: it has no access to external databases and is not capable of integrating with APIs yet. For instance, we still must manually analyze observables like IP addresses, hashes, files, domains, etc.

Therefore, it is my opinion that despite the power of ChatGPT in cybersecurity, the human role in this field remains critical. While ChatGPT can help detect and prevent cyber attacks, it is humans who design and implement cybersecurity measures, and humans who must remain vigilant in identifying and responding to cyber threats.

Conclusion

ChatGPT has emerged as a powerful tool in the fight against cyber attacks, but the human role in cybersecurity remains crucial. By working together, humans and ChatGPT can help detect and prevent cyber attacks, protecting sensitive data and ensuring the security of our digital world. By staying vigilant and informed, we can continue to strengthen cybersecurity and protect against the evolving threat of cyber attacks.