Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 2)

The second of a two-part series.

In the previous post in this series, we described how re-creating the user experience for overburdened SOC analysts was a task like “eating an elephant.” To help analysts who are constrained by time and cognitive overload, we needed a vision, a strategy and a plan to “save time and save mental energy.”

After extensive, in-depth interviews with users, we realized that the majority of user time is spent in analysis and research. This finding drove our plan. We focused first on the analysts and the workflows and workspaces where they spend the majority of their time.

Now you can see the results in ESM 10.0. The user experience team recommends these 3 things to appreciate first:

  • Quick start: you will find that the organization simplifies building and navigating relationships, so you can create views and get started without reading manuals (although we still recommend looking at the ESM expert center!). The most commonly used views appear together by default, and help you make use of associated content packs and their views, dashboards, rules, and alerts (including correct placement of related updates to keep you organized). While the donut visualizations will help you identify trends and pursue relationships, the right clicks help you navigate to next steps. And, if you are a current user, you can import existing views from within the console to bring forward your preferred processes and organizational knowledge.
Analysts can manage several tabs active at once, enabling them to toggle back and forth to pursue different tasks. This means less holding of information in your memory and less repetition, including defining complex searches.
  • Centralized, dynamic workspaces: Multiple tabs within the same dashboard pane organize parallel exploration of ideas. The analyst can simultaneously drill down and filter through different lenses of the data without losing context and state or re-applying searches and filters. With several tabs active at once, you can toggle back and forth to pursue different tasks, or within a task, collect and guide analysis or research hypotheses. This means less holding of information in your memory and less repetition, including defining complex searches. Further, a majority of our configuration, advanced settings, and set up tools now live in panels that slide in to the side of the dashboard instead of popping up in a window in front of the dashboard. This allows users to stay in context with their current investigation (stay in the same mental “room”) while they adjust settings in the various tools. In addition, the context menus mean that right clicking on a specific item—such as a field on a record within a table chart—will provide the user with quick access to actions specific to that field.
ESM 10.0 features directed search to help users quickly navigate to desired content without remembering folder structures or even the exact names of things.
  • Directed search: Detecting signal from the noise means filtering and searching through alerts and events, and avoiding the distraction of unneeded data. The new advanced search and filter organization includes auto-complete to help guide users to find or choose from relevant associations quickly, rather than needing to know what choices are appropriate to the data or investigation type. Auto-complete simplifies device selection, view management, queries, and filters, to name a few, as the user quickly navigates to the content they desire, without having to remember exactly where it resides within the folder structure of these tools. For example, we prompt for the best visualization options for each search result type to quickly filter and customize data. As you navigate, the process creates bindings that you can save for later. You can then take quick actions on data points, such as creating watchlists and case management, by accessing right-click contextual menus. Synthesizing all these workflow steps into a single place helps the right thing happen, consistently, with less effort, repetition, and time. Our improved search also means you do not need to be a software developer to extract insights quickly.

Each of the above examples reduces clock time and conserves mental energy. They are small steps in our larger plan to help you conquer that other elephant, the elephant in the room: security operations efficiency. See for yourself by downloading the new version now.

The post Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 2) appeared first on McAfee Blogs.

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline.

Propagation vector

The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to evade detection from some email scanners and maximize its outreach. The contents of the email are carefully crafted to lure victims using social engineering techniques. This HTA file also tricks users by using the double extensions rtf.hta and doc.hta. If file extensions are hidden on victim’s machines, then they will see only the first extension and might be fooled into opening the file.

The spam email looks like this:

The contents of HTA file:

At runtime the HTA file drops a JavaScript file in the %Temp% folder. Further JavaScript extracts an executable with a random name (in this case: goodtdeaasdbg54.exe) in %TEMP% and executes.

The HTA file also extracts and executes a .docx file that is corrupted and returns an error to distract the victims:


Goodtdeaasdbg54.exe is packed using the UPX packer and contains the payload (Spora). It first checks whether a copy of this file is running in memory. If not, it creates a mutex. Spora uses mutex objects to avoid infecting the system more than once.

Spora checks for the logical drives available in the system:

Once a resource is available, Spora searches for files to encrypt but avoids “windows,” “Program files,” and “games.”

Spora removes the volume shadow copies from the target’s system, thereby preventing the user from restoring the encrypted files. (A shadow copy is a Windows feature that helps users make backup copies (snapshots) of computer files or volumes.) To delete the shadow volume copies, Spora uses the command “vssadmin.exe Delete Shadows /All /Quiet.” This ransomware uses the vssadmin.exe utility to quietly delete all the shadow volume copies on the computer.

It also creates .lnk files along with .key and .lst files in the root drive.

Spora also deletes the registry value to remove the shortcut icons.

Encryption process

Step 1: It generates a random “per file AES” symmetric key for each file.

Step 2: Spora generates a local public-private key pair.

Step 3: The public key generated from Step 2 will encrypt the “per file AES” key and append it to the encrypted file.

Step 4: After encrypting all the files, Spora generates a unique AES symmetric key.

Step 5: The private key generated in Step 2 is copied into the .key file and encrypted by the unique AES key generated in Step 4.

Step 6: Finally the unique AES key is encrypted by decrypting the public key (explained below) and appending it to the .key file.

The malware author’s public key is embedded in the malware executable using a hardcoded AES key. The decrypted public key:

The decryption is possible only by the private key held by the malware author. Once the payment is done, the author may provide victims with the private RSA key to decrypt the encrypted AES key appended in the .key file. The decrypted AES key will decrypt the remaining .key file, which contains the user’s private RSA key.

The whole process is bit complex and lengthy but using this scheme Spora successfully avoids the dependency of obtaining a key from a control server and can work offline.

Key file

Spora encrypts six types of file extensions:

The .key filename contains information in the following format:

And encodes all this information with a substitution method.

In our case US736-C9XZT-RTZTZ-TRHTX-HYYYY.KEY translates to:

  • USA as locale.
  • The characters “736C9” for the beginning of the MD5 hash.
  • 10 encrypted office documents (Type 1).
  • Two encrypted PDF (Type 2).
  • Zero encrypted CorelDraw/AutoCAD/Photoshop files (Type 3).
  • Zero encrypted database files (Type 4).
  • 25 encrypted images (Type 5).
  • 15 encrypted archives (Type 6).

The decoding mechanism of .key file:

Ransom message

The ransom note is written in Russian, here with our translation:

The Spora payment site provides several packages for victims with different prices with a deadline.

The hashes used in the analysis:

  • a159ef758075c9fb64d3f06ff4b40a72e1be3061
  • 0c1007ba3ef9255c004ea1ef983e02efe918ee59

Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect the malicious HTA file and Spora binary as JS/Spora.a and Ransom-Spora! [Partial hash], respectively, with DAT Versions 8435 and later.

This post was prepared with the invaluable assistance of Sourabh Kadam. 


The post Spora Ransomware Infects ‘Offline’—Without Talking to Control Server appeared first on McAfee Blogs.

Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 1)

The first of a two-part series

For some reason, elephants figure frequently in our conversations – “seeing different parts of the elephant”, “memory like an elephant,” and now, “eating an elephant.” This phrase, definitely meant as an analogy, expresses the lengthy, enormous, and daunting task that our development team faced in reimagining the user experience in our McAfee Enterprise Security Manager (ESM) SIEM solution. To succeed, they needed a vision, strategy, and plan.

The new ESM 10.0 user interface has been designed to reduce cognitive strain – providing content in context as the user goes about tasks

First, a vision. In the last few years, driven by increasingly complex incidents, the security operations mantra has shifted to real-time analysis coupled with individual and team efficiency. Countless research studies document the shortage of skilled security analysts and researchers. Time clearly needed to be a part of the vision.

But for the user experience team, productivity isn’t just about elapsed time. It also includes the cognitive workload that can subtly wear down and exhaust the analyst. You probably experience cognitive overload today. You walk from the kitchen into the bedroom and stand there wondering why you came in. This is true when we move between physical rooms, and it’s true when we move between virtual rooms, such as in a video game or user interface. In this context switch, it turns out we are 2-3 times more likely to forget! And it gets worse. This memory lapse is aggravated if you are sleep deprived or over-stressed, like new parents, air traffic controllers, and security analysts.

Once we hit our cognitive threshold, we have only emotion to fall back on. So the typical analyst has faulty memory plus frustration. This combination makes for poor security decisions. It is why we design for “high context” UIs. We are striving for one room with all the relevant data so the analyst can focus on making good decisions.

From a design perspective, here are some specific cognitive workload tests:

  • The “data fragmentation” load: How much data does the user have to keep in his memory as he changes screens, modes, and tasks, or retain over a series of tasks?
  • The “navigation” burden: How many times does the user traverse up and down task flows and screens in pursuit of a task?
  • The “mind-numbing” factor: How many times does that task need to be repeated per hour/day/week?
  • The “clutter” factor: How much data is displayed all at once? How hard is it to identify and navigate relationships?

Instead of simply looking at faster functioning of the same processes, we wanted to reduce the cognitive burden of the user – to keep them as effective as possible for as many hours of their day as possible. This “save time, save mental energy” approach formed the core of our vision. Our logic was this: Anything we could do to improve their productivity and enhance concentration would pay off in speed of results, capacity of analysts, and quality of life for them and their management team.

This illustrates the complexity of SIEM, showing first and second level nodes in the ESM 9.X user interface.

Next, a strategy. As the epicenter of security operations, a SIEM is a complex animal, and the UI and user design can mask or multiply this complexity. The graphic gives you an idea of the scope of this effort, the first and second level nodes in the ESM 9.X user interface. Every node has multiple screens under it.

Lots to do, clearly, but where could we best affect time spent? After dozens of site visits and in-depth, interactive usage interviews, we discovered more than half of the users were security operations, and another 29% were Infrastructure Operations. Given these day-to-day jobs, the majority of user time is spent in analysis and research.

In the second part of this series, we’ll continue the user experience journey with the ESM 10.0 UX design team as they build out the plan for the new ESM 10.0 solution.

The post Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 1) appeared first on McAfee Blogs.