Search results

AlgoSec - Case for Convergence Download PDF Schedule time with one of our experts Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

As 2022 comes to a close, Professor Avishai Wool, AlgoSec Co-Founder and CTO, provides his top 5 issues organizations will need to be... IaC 2023 Cybersecurity Predictions and Best Practices Prof. Avishai Wool 2 min read Prof. Avishai Wool Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/6/22 Published As 2022 comes to a close, Professor Avishai Wool, AlgoSec Co-Founder and CTO, provides his top 5 issues organizations will need to be aware in 2023 that will also dominate the cyber community conversation. 1) Application centric approach to network security will supersede basic NSPM I think the market has matured to the point where the NSPM approach has reached a tipping point and I see the shift to an application perspective becoming the de facto approach in network security policy management as there are better and more robust technologies in the market that can help organizations get there faster. I see this shift becoming even more viable in 2023 based on recent market trends in which organizations are opting for downsizing and trying to do more with the smaller staff at the expense of losing tribal knowledge. As a result, I see organizations shifting more towards adopting a holistic approach to network security that are more application centric in which they can retain critical knowledge, such as application traffic intent and application policy rules, so that the new generations can step in and pick up where the previous predecessors left off. 2) Containerization will enhance layered security I expect container security to be increasingly popular in the future, as companies understand that their existing network security mechanisms are not enough for the communication networks of today. Containers are seen as a cost-effective light-weight solution for deployment – and deploying them introduces another inner layer where security policies can be applied: behind the perimeter filters, the internal zoning, and the micro-segmentation, organizations can now also consider nano-segmentation at the container level. Vulnerability testing is another dimension of the container platform especially within cloud applications and SaaS products. The common Kubernetes platform offers both opportunities and challenges for vulnerability scanners. Beyond 2023 , businesses will need to enhance both their visibility and management capabilities of security within their containerized applications 3) Security driven IaaS ecosystems to improve network security I expect the popularity of Infrastructure as a service (IaaS) to continue to soar, making it difficult for security teams to keep up with the associated risks and vulnerabilities. Pre-set security settings may not meet the needs of the organization and customizing these settings can prove to be difficult. The customizability of IaaS offers great potential for productivity, but it also makes it complicated to secure. The bottom line is that companies can no longer depend on their network perimeter to guard sensitive data. In response, I anticipate organizations that begin utilizing an “Always-on Security” approach such as Infrastructure as Code (IaC) which would permit them to construct personalized policies to control the development environments during each phase of the software development life cycle (SDLC) and recognize potential risks, security flaws, and compliance issues on a what-if basis, before deploying flawed settings into production. 4) Cloud-native security tools will reign supreme I expect that cloud-based security systems will become more commonplace: these security solutions offer a wide range of abilities, such as secure access, identity and access management, data loss prevention, application security, automation of security, detection and prevention of intrusions, security information and event management, and encryption. With companies transitioning more workloads to the cloud, they will want to make use of many of these features. These tools make it possible for remote teams to manage a greater public cloud presence: comfortably configuring services and automating processes, to identify and preemptively tackle any kind of threats. To bridge the gap in cloud data security, I anticipate the emergence of data safeguarding systems that are designed specifically for cloud usage and are able to link up with public cloud systems in an advanced, agentless manner. This has been classified in the market as Cloud Native Application Protection Platform (CNAPP) . These platforms must be able to detect where the data is stored and what sorts of data are stored in the cloud, so that corporations can prioritize on what is most important – defending their most sensitive data and cloud-based applications without interfering with their normal operations. 5) Expect ransomware not to go away and get even more sophisticated Organizations in 2022 saw no let-up from ransomware threats, some of whom were attacked multiple times and I do not see any reason why this trend will change in 2023. Cyber criminals are getting more resourceful and savvier in their attempts to stay ahead of law enforcement, and I anticipate these attacks will only become more frequent as their perpetrators are proving more capable of infiltrating many organizations’ cyber defenses. In response, organizations will have to seek more technology solutions to protect data at the source. But that would not suffice. I think organizations will need to look beyond technological solutions and apply better preparedness strategies. Whether it be Zero Trust or something less overarching but more practical for an organization’s business needs, such as Micro-segmentation , it would ensure that threat-actors would not be able to access the data residing inside the security perimeter. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

AlgoSec & Check Point AlgoSec seamlessly integrates with Check Points NGFWs to automate application and user aware security policy management and ensure that Check Points’ devices are properly configured. AlgoSec supports the entire security policy management lifecycle — from application connectivity discovery, through ongoing management and compliance, to rule recertification and secure decommissioning. Solution brief Cloudguard datasheet How to Check Point Regulatory compliance Learn how to prepare your Check Point devices for a regulatory audit Check Point Risk Assessment Learn how assess risk on your Check Point devices with AlgoSec Mapping your Network Visualize your complex network, including your Check Point devices, with a dynamic network topology map See how Check Point Users Can Benefit from AlgoSec Schedule time with one of our experts

Discover how micro-segmentation can help you reduce the surface of your network attacks and protect your organization from cyber-attacks. Webinars CTO Round Table: Fighting Ransomware with Micro-segmentation In the past few months, we’ve witnessed a steep rise in ransomware attacks targeting anyone from small companies to large, global enterprises. It seems like no organization is immune to ransomware. So how do you protect your network from such attacks? Join our discussion with AlgoSec CTO Prof. Avishai Wool and Guardicore CTO Ariel Zeitlin, and discover how micro-segmentation can help you reduce your network attack surface and protect your organization from cyber-attacks. Learn: Why micro-segmentation is critical to fighting ransomware and other cyber threats. Common pitfalls organizations face when implementing a micro-segmentation project How to discover applications and their connectivity requirements across complex network environments. How to write micro-segmentation filtering policy within and outside the data center November 17, 2020 Ariel Zeitlin CTO Guardicore Prof. Avishai Wool CTO & Co Founder AlgoSec Relevant resources Defining & Enforcing a Micro-segmentation Strategy Read Document Building a Blueprint for a Successful Micro-segmentation Implementation Keep Reading Ransomware Attack: Best practices to help organizations proactively prevent, contain and respond Keep Reading Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Previous Part of the analysis is available here. Next Part of the analysis is available here. Update from 19 December 2020: ‍Prevasio... Cloud Security Sunburst Backdoor, Part II: DGA & The List of Victims Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/17/20 Published Previous Part of the analysis is available here . Next Part of the analysis is available here . Update from 19 December 2020: Prevasio would like to thank Zetalytics for providing us with an updated (larger) list of passive (historic) DNS queries for the domains generated by the malware. As described in the first part of our analysis, the DGA (Domain Generation Algorithm) of the Sunburst backdoor produces a domain name that may look like: fivu4vjamve5vfrtn2huov[.]appsync-api.us-west-2[.]avsvmcloud[.]com The first part of the domain name (before the first dot) consists of a 16-character random string, appended with an encoded computer’s domain name. This is the domain in which the local computer is registered. From the example string above, we can conclude that the encoded computer’s domain starts from the 17th character and up until the dot (highlighted in yellow): fivu4vjamve5vfrt n2huov In order to encode a local computer’s domain name, the malware uses one of 2 simple methods: Method 1 : a substitution table, if the domain name consists of small letters, digits, or special characters ‘-‘, ‘_’, ‘.’ Method 2 : base64 with a custom alphabet, in case of capital letters present in the domain name Method 1 In our example, the encoded domain name is “n2huov” . As it does not have any capital letters, the malware encodes it with a substitution table “rq3gsalt6u1iyfzop572d49bnx8cvmkewhj” . For each character in the domain name, the encoder replaces it with a character located in the substitution table four characters right from the original character. In order to decode the name back, all we have to do is to replace each encoded character with another character, located in the substitution table four characters left from the original character. To illustrate this method, imagine that the original substitution table is printed on a paper strip and then covered with a card with 6 perforated windows. Above each window, there is a sticker note with a number on it, to reflect the order of characters in the word “n2huov” , where ‘n’ is #1, ‘2’ is #2, ‘h’ is #3 and so on: Once the paper strip is pulled by 4 characters right, the perforated windows will reveal a different word underneath the card: “domain” , where ‘d’ is #1, ‘o’ is #2, ‘m’ is #3, etc.: A special case is reserved for such characters as ‘0’ , ‘-‘ , ‘_’ , ‘.’ . These characters are encoded with ‘0’ , followed with a character from the substitution table. An index of that character in the substitution table, divided by 4, provides an index within the string “0_-.” . The following snippet in C# illustrates how an encoded string can be decoded: static string decode_domain( string s) { string table = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj" ; string result = "" ; for ( int i = 0 ; i < s.Length; i++) { if (s[i] != '0' ) { result += table[(table.IndexOf(s[i]) + table.Length - 4 ) % table.Length]; } else { if (i < s.Length - 1 ) { if (table.Contains(s[i + 1 ])) { result += "0_-." [table.IndexOf(s[i + 1 ]) % 4 ]; } else { break ; } } i++; } } return result; } Method 2 This method is a standard base64 encoder with a custom alphabet “ph2eifo3n5utg1j8d94qrvbmk0sal76c” . Here is a snippet in C# that provides a decoder: public static string FromBase32String( string str) { string table = "ph2eifo3n5utg1j8d94qrvbmk0sal76c" ; int numBytes = str.Length * 5 / 8 ; byte [] bytes = new Byte[numBytes]; int bit_buffer; int currentCharIndex; int bits_in_buffer; if (str.Length < 3 ) { bytes[ 0 ] = ( byte )(table.IndexOf(str[ 0 ]) | table.IndexOf(str[ 1 ]) << 5 ); return System.Text.Encoding.UTF8.GetString(bytes); } bit_buffer = (table.IndexOf(str[ 0 ]) | table.IndexOf(str[ 1 ]) << 5 ); bits_in_buffer = 10 ; currentCharIndex = 2 ; for ( int i = 0 ; i < bytes.Length; i++) { bytes[i] = ( byte )bit_buffer; bit_buffer >>= 8 ; bits_in_buffer -= 8 ; while (bits_in_buffer < 8 && currentCharIndex < str.Length) { bit_buffer |= table.IndexOf(str[currentCharIndex++]) << bits_in_buffer; bits_in_buffer += 5 ; } } return System.Text.Encoding.UTF8.GetString(bytes); } When the malware encodes a domain using Method 2, it prepends the encrypted string with a double zero character: “00” . Following that, extracting a domain part of an encoded domain name (long form) is as simple as: static string get_domain_part( string s) { int i = s.IndexOf( ".appsync-api" ); if (i > 0 ) { s = s.Substring( 0 , i); if (s.Length > 16 ) { return s.Substring( 16 ); } } return "" ; } Once the domain part is extracted, the decoded domain name can be obtained by using Method 1 or Method 2, as explained above: if (domain.StartsWith( "00" )) { decoded = FromBase32String(domain.Substring( 2 )); } else { decoded = decode_domain(domain); } Decrypting the Victims’ Domain Names To see the decoder in action, let’s select 2 lists: List #1 Bambenek Consulting has provided a list of observed hostnames for the DGA domain. List #2 The second list has surfaced in a Paste bin paste , allegedly sourced from Zetalytics / Zonecruncher . NOTE: This list is fairly ‘noisy’, as it has non-decodable domain names. By feeding both lists to our decoder, we can now obtain a list of decoded domains, that could have been generated by the victims of the Sunburst backdoor. DISCLAIMER: It is not clear if the provided lists contain valid domain names that indeed belong to the victims. It is quite possible that the encoded domain names were produced by third-party tools, sandboxes, or by researchers that investigated and analysed the backdoor. The decoded domain names are provided purely as a reverse engineering exercise. The resulting list was manually processed to eliminate noise, and to exclude duplicate entries. Following that, we have made an attempt to map the obtained domain names to the company names, using Google search. Reader’s discretion is advised as such mappings could be inaccurate. Decoded Domain Mapping (Could Be Inaccurate) hgvc.com Hilton Grand Vacations Amerisaf AMERISAFE, Inc. kcpl.com Kansas City Power and Light Company SFBALLET San Francisco Ballet scif.com State Compensation Insurance Fund LOGOSTEC Logostec Ventilação Industrial ARYZTA.C ARYZTA Food Solutions bmrn.com BioMarin Pharmaceutical Inc. AHCCCS.S Arizona Health Care Cost Containment System nnge.org Next Generation Global Education cree.com Cree, Inc (semiconductor products) calsb.org The State Bar of California rbe.sk.ca Regina Public Schools cisco.com Cisco Systems pcsco.com Professional Computer Systems barrie.ca City of Barrie ripta.com Rhode Island Public Transit Authority uncity.dk UN City (Building in Denmark) bisco.int Boambee Industrial Supplies (Bisco) haifa.edu University of Haifa smsnet.pl SMSNET, Poland fcmat.org Fiscal Crisis and Management Assistance Team wiley.com Wiley (publishing) ciena.com Ciena (networking systems) belkin.com Belkin spsd.sk.ca Saskatoon Public Schools pqcorp.com PQ Corporation ftfcu.corp First Tech Federal Credit Union bop.com.pk The Bank of Punjab nvidia.com NVidia insead.org INSEAD (non-profit, private university) usd373.org Newton Public Schools agloan.ads American AgCredit pageaz.gov City of Page jarvis.lab Erich Jarvis Lab ch2news.tv Channel 2 (Israeli TV channel) bgeltd.com Bradford / Hammacher Remote Support Software dsh.ca.gov California Department of State Hospitals dotcomm.org Douglas Omaha Technology Commission sc.pima.gov Arizona Superior Court in Pima County itps.uk.net IT Professional Services, UK moncton.loc City of Moncton acmedctr.ad Alameda Health System csci-va.com Computer Systems Center Incorporated keyano.local Keyano College uis.kent.edu Kent State University alm.brand.dk Sydbank Group (Banking, Denmark) ironform.com Ironform (metal fabrication) corp.ncr.com NCR Corporation ap.serco.com Serco Asia Pacific int.sap.corp SAP mmhs-fla.org Cleveland Clinic Martin Health nswhealth.net NSW Health mixonhill.com Mixon Hill (intelligent transportation systems) bcofsa.com.ar Banco de Formosa ci.dublin.ca. Dublin, City in California siskiyous.edu College of the Siskiyous weioffice.com Walton Family Foundation ecobank.group Ecobank Group (Africa) corp.sana.com Sana Biotechnology med.ds.osd.mi US Gov Information System wz.hasbro.com Hasbro (Toy company) its.iastate.ed Iowa State University amr.corp.intel Intel cds.capilanou. Capilano University e-idsolutions. IDSolutions (video conferencing) helixwater.org Helix Water District detmir-group.r Detsky Mir (Russian children’s retailer) int.lukoil-int LUKOIL (Oil and gas company, Russia) ad.azarthritis Arizona Arthritis and Rheumatology Associates net.vestfor.dk Vestforbrænding allegronet.co. Allegronet (Cloud based services, Israel) us.deloitte.co Deloitte central.pima.g Pima County Government city.kingston. City of Kingston staff.technion Technion – Israel Institute of Technology airquality.org Sacramento Metropolitan Air Quality Management District phabahamas.org Public Hospitals Authority, Caribbean parametrix.com Parametrix (Engineering) ad.checkpoint. Check Point corp.riotinto. Rio Tinto (Mining company, Australia) intra.rakuten. Rakuten us.rwbaird.com Robert W. Baird & Co. (Financial services) ville.terrebonn Ville de Terrebonne woodruff-sawyer Woodruff-Sawyer & Co., Inc. fisherbartoninc Fisher Barton Group banccentral.com BancCentral Financial Services Corp. taylorfarms.com Taylor Fresh Foods neophotonics.co NeoPhotonics (optoelectronic devices) gloucesterva.ne Gloucester County magnoliaisd.loc Magnolia Independent School District zippertubing.co Zippertubing (Manufacturing) milledgeville.l Milledgeville (City in Georgia) digitalreachinc Digital Reach, Inc. deniz.denizbank DenizBank thoughtspot.int ThoughtSpot (Business intelligence) lufkintexas.net Lufkin (City in Texas) digitalsense.co Digital Sense (Cloud Services) wrbaustralia.ad W. R. Berkley Insurance Australia christieclinic. Christie Clinic Telehealth signaturebank.l Signature Bank dufferincounty. Dufferin County mountsinai.hosp Mount Sinai Hospital securview.local Securview Victory (Video Interface technology) weber-kunststof Weber Kunststoftechniek parentpay.local ParentPay (Cashless Payments) europapier.inte Europapier International AG molsoncoors.com Molson Coors Beverage Company fujitsugeneral. Fujitsu General cityofsacramento City of Sacramento ninewellshospita Ninewells Hospital fortsmithlibrary Fort Smith Public Library dokkenengineerin Dokken Engineering vantagedatacente Vantage Data Centers friendshipstateb Friendship State Bank clinicasierravis Clinica Sierra Vista ftsillapachecasi Apache Casino Hotel voceracommunicat Vocera (clinical communications) mutualofomahabanMutual of Omaha Bank Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Security policy management for the hybrid cloud environment Download PDF Schedule time with one of our experts Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

What you do Matters Where your voice will always be heard and your opinion will always count Join our awesome team Our Values Teamwork and great work environment Customer satisfaction Excellence Accountability and execution Thorough decision-making process 540+ employees Diversity Equity Inclusion & Belonging Personal Coaching Mentoring Day in a life Diversity Equity Inclusion & Belonging We are passionate about People, Culture, Growth, Collaboration Our Vision: Secure Application Connectivity, Anywhere. 25 Location Worldwide

In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor... Cloud Security Sunburst Backdoor, Part III: DGA & Security Software Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/22/20 Published In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor functionality and its Domain Generation Algorithm (DGA). This time, let’s have a deeper look into the passive DNS requests reported by Open-Source Context and Zetalytics . The valid DNS requests generated by the malware fall into 2 groups: DNS requests that encode a local domain name DNS requests that encode data The first type of DNS requests allows splitting long domain names into separate requests. These requests are generated by the malware’s functions GetPreviousString() and GetCurrentString() . In general, the format of a DNS request that encodes a domain name may look like: USER_ID.NUM.COMPUTER_DOMAIN[.]appsync-api.us-west-2[.]avsvmcloud[.]com where: USER_ID is an 8-byte user ID that uniquely identifies a compromised host, encoded as a 15-character string NUM is a number of a domain name – either 0 or 1, encoded as a character COMPUTER_DOMAIN is an encoded local computer domain Let’s try decoding the following 3 DNS requests: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com String 1 Let’s start from the 1st string in the list: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com. In this string, the first 15-character string is an encoded USER_ID : “olc62cocacn7u2q” . Once it is base-64 decoded, as explained in the previous post, it becomes a 9-byte byte array: 86 7f 2f be f9 fb a3 ae c4 The first byte in this byte array is a XOR key: 0x86 . Once applied to the 8 bytes that follow it, we get the 8-byte user ID – let’s take a note and write it down, we will need it later: f9 a9 38 7f 7d 25 28 42 Next, let’s take the NUM part of the encoded domain: it’s a character “2” located at the position #15 (starting from 0) of the encrypted domain. In order to decode the NUM number, we have to take the first character of the encrypted domain, take the reminder of its division by 36 , and subtract the NUM ‘s position in the string “0123456789abcdefghijklmnopqrstuvwxyz” : num = domain[0] % 36 – “0123456789abcdefghijklmnopqrstuvwxyz”.IndexOf(domain.Substring(15, 1)); The result is 1 . That means the decrypted domain will be the 2nd part of a full domain name. The first part must have its NUM decoded as 0. The COMPUTER_DOMAIN part of the encrypted domain is “2v02eu” . Once decoded, using the previously explained method, the decoded computer domain name becomes “on.ca” . String 2 Let’s decode the second passive DNS request from our list: r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com Just as before, the decoded 8-byte user ID becomes: f9 a9 38 7f 7d 25 28 42 The NUM part of the encoded domain, located at the position #15 (starting from 0), is a character “6” . Let’s decode it, by taking the first character ( “r” = 114 ), take the reminder of its division by 36 ( 114 % 36 = 6 ), and subtracting the position of the character “6” in the “0123456789abcdefghijklmnopqrstuvwxyz” , which is 6 . The result is 0 . That means the decrypted domain will be the 1st part of the full domain name. The COMPUTER_DOMAIN part of the encrypted domain is “eoip02jovt6i2v0c” . Once decoded, it becomes “city.kingston.” Next, we need to match 2 decrypted domains by the user ID, which is f9 a9 38 7f 7d 25 28 42 in both cases, and concatenate the first and the second parts of the domain. The result will be “city.kingston.on.ca” . String 3 Here comes the most interesting part. Lets try to decrypt the string #3 from our list of passive DNS requests: lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com The decoded user ID is not relevant, as the decoded NUM part is a number -29 . It’s neither 0 nor 1 , so what kind of domain name that is? If we ignore the NUM part and decode the domain name, using the old method, we will get “thx8xb” , which does not look like a valid domain name. Cases like that are not the noise, and are not some artificially encrypted artifacts that showed up among the DNS requests. This is a different type of DNS requests. Instead of encoding local domain names, these types of requests contain data. They are generated by the malware’s function GetNextStringEx() . The encryption method is different as well. Let’s decrypt this request. First, we can decode the encrypted domain, using the same base-64 method, as before . The string will be decoded into 14 bytes: 7c a5 4d 64 9b 21 c1 74 a6 59 e4 5c 7c 7f Let’s decode these bytes, starting from the 2nd byte, and using the first byte as a XOR key. We will get: 7c d9 31 18 e7 5d bd 08 da 25 98 20 00 03 In this array, the bytes marked in yellow are an 8-byte User ID, encoded with a XOR key that is selected from 2 bytes marked in red. Let’s decode User ID: for ( int i = 0 ; i < 8 ; i++) { bytes[i + 1 ] ^= bytes[ 11 - i % 2 ]; } The decoded byte array becomes: 7c f9 a9 38 7f 7d 25 28 42 25 98 20 00 03 The User ID part in marked in yellow. Does it look familiar? Indeed, it’s the same User ID we’ve seen before, when we decoded “city.kingston.on.ca” . The next 3 bytes marked in red are: 25 98 20 . 2 0x59820 The first number 2 stands for the size of data that follows – this data is 00 03 (selected in green). The number 0x59820 , or 366,624 in decimal, is a timestamp. It’s a number of 4-second periods of time since 1 January 2010. To obtain the real time stamp, we need to multiple it by 15 to get minutes, then add those minutes to 1 January 2010: var date = ( new DateTime( 2010 , 1 , 1 , 0 , 0 , 0 , DateTimeKind.Utc)).AddMinutes(timestamp * 15 ); For the number 0x59820 , the time stamp becomes 16 July 2020 12:00:00 AM – that’s the day when the DNS request was made. The remaining 2 bytes, 00 03 , encrypt the state of 8 security products, to indicate whether each one of them is running or whether it is stopped. The 8 security products are: Windows Live OneCare / Windows Defender Windows Defender Advanced Threat Protection Microsoft Defender for Identity Carbon Black CrowdStrike FireEye ESET F-Secure 2 states for 8 products require 2 * 8 = 16 bits = 2 bytes. The 2 bytes 00 03 in binary form are: 00 00 00 00 00 00 00 11 Here, the least-significant bits 11 identify that the first product in the list, Windows Live OneCare / Windows Defender, is reported as ‘running’ ( 1 ) and as ‘stopped’ ( 1 ). Now we know that apart from the local domain, the trojanised SolarWinds software running on the same compromised host on “city.kingston.on.ca” domain has also reported the status of the Windows Defender software. What Does it Mean? As explained in the first part of our description, the malware is capable of stopping the services of security products, be manipulating registry service keys under Administrator account. It’s likely that the attackers are using DNS queries as a C2 channel to first understand what security products are present. Next, the same channel is used to instruct the malware to stop/deactivate these services, before the 2nd stage payload, TearDrop Backdoor, is deployed. Armed with this knowledge, let’s decode other passive DNS requests, printing the cases when the compromised host reports a running security software. NOTES: As a private case, if the data size field is 0 or 1 , the timestamp field is not followed with any data. Such type of DNS request is generated by the malware’s function GetNextString() . It is called ‘a ping’ in the listing below. If the first part of the domain name is missing, the recovered domain name is pre-pended with ‘*’ . The malware takes the time difference in minutes, then divides it by 30 and then converts the result from double type to int type; as a result of such conversion, the time stamps are truncated to the earliest half hour. 2D82B037C060515C SFBALLET Data: Windows Live OneCare / Windows Defender [running] 11/07/2020 12:00:00 AM Pings: 12/07/2020 12:30:00 AM 70DEE5C062CFEE53 ccscurriculum.c Data: ESET [running] 17/04/2020 4:00:00 PM Pings: 20/04/2020 5:00:00 PM AB902A323B541775 mountsinai.hospital Pings: 4/07/2020 12:30:00 AM 9ACC3A3067DC7FD5 *ripta.com Data: ESET [running] 12/09/2020 6:30:00 AM Pings: 13/09/2020 7:30:00 AM 14/09/2020 9:00:00 AM CB34C4EBCB12AF88 DPCITY.I7a Data: ESET [running] 26/06/2020 5:00:00 PM Pings: 27/06/2020 6:30:00 PM 28/06/2020 7:30:00 PM 29/06/2020 8:30:00 PM 29/06/2020 8:30:00 PM E5FAFE265E86088E *scroot.com Data: CrowdStrike [running] 25/07/2020 2:00:00 PM Pings: 26/07/2020 2:30:00 PM 26/07/2020 2:30:00 PM 27/07/2020 3:00:00 PM 27/07/2020 3:00:00 PM 426030B2ED480DED *kcpl.com Data: Windows Live OneCare / Windows Defender [running] 8/07/2020 12:00:00 AM Carbon Black [running] 8/07/2020 12:00:00 AM Full list of decoded pDNS requests can be found here . An example of a working implementation is available at this repo. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Understand how to achieve and maintain firewall compliance with ISO/IEC 27001. Learn key requirements, best practices, and how to strengthen your overall security posture. Firewall ISO compliance: ISO/IEC 27001 explained Introductory prologue IT organizations and those dealing with digital assets often face many information security challenges. They must protect sensitive data from unauthorized access, as a crack in security can result in unimaginable losses. To keep information security risks minimal and optimize protection for organizations, ISO/IEC 27001 compliance was designed. What is ISO/IEC 27001 compliance? How does it work, and why does it matter? Read on to uncover answers to all your questions and more in this guide. Schedule a Demo What Is ISO/IEC 27001? ISO/IEC 27001 is an internationally accepted standard for data security. It is one of the standards jointly published by the ISO (International Standardization Organization) and IEC (International Electrotechnical Commission) in 2015. ISO/IEC 27001 aims to provide organizations with a framework for information security management, thereby protecting digital assets. Implementing the standard helps organizations minimize and effectively manage information security risks, such as hacks, data leaks or theft, and cyber attacks. Digital assets like intellectual property, software, employee information, and personal data are often a target for malicious actors. And that’s why asset management is crucial to companies and digital service providers. It demonstrates that the certified organization’s information security system is efficient as it follows the best practice. Any ISO/IEC 27001-certified organization can display its certification online (e.g., on its website, social media platforms, etc.) and offline. As a result, they get the trust and respect they deserve from partners, investors, customers, and other organizations. Schedule a Demo Evolution of ISO/IEC 27001 The International Standardization Organization (ISO) is a global federation of national standards bodies established in 1947. It is a leading organization that develops standards for ensuring the security of business systems. Since its emergence, ISO has published several standards, such as: ISO 27000 – Information Security Management Systems ISO 22301 – Business Continuity ISO 14000 – Environmental Management System ISO 45001 – Occupational Health and Safety ISO 9000 – Quality Management System etc. Although ISO/IEC 27001 was officially published in 2005, ISO had been providing measures for protecting digital systems and information before then. The rapid spread of the internet in the 1990s gave rise to the need for data security to prevent sensitive data from getting into the wrong hands. ISO 27001 was the first standard among the ISO 27000 series of standards for cybersecurity. Since its release, the standard has undergone revisions to tackle new and evolving cyber threats in the industry. The first revision took place in October 2013, when new controls were introduced, and the total controls numbered up to 114. This version is referred to as ISO/IEC 27001:2013 version. The second and latest revision of ISO/ICE 27001 was published in 2022 and enumerates 93 controls grouped into four sections. This revision was initially referred to as ISO/IEC 27001:2022 but is now known as ISO 27001. Another notable development in the latest version is the change in title. The new version’s complete title is – ISO 27001 (i.e., ISO/IEC 27001:2022) Information Security, Cybersecurity and Privacy Protection. Schedule a Demo Business Benefits of ISO/IEC 27001 Achieving ISO/IEC 27001 certification offers organizations several business benefits, especially for service providers handling people’s sensitive financial and personal data. Examples of such organizations are insurance companies, banks, health organizations, and financial institutions. Some of the business benefits of ISO 27001 are: 1. It prevents financial penalties and losses from data breaches Organizations that do not comply with the global security standard are at great risk of a data breach. Data breaches often attract financial penalties and cause companies to lose significant amounts. By implementing the best network security practices, organizations can prevent unnecessary financial losses and record more significant revenue in the long run. 2. It protects and enhances a company’s reputation. Partners, investors, and customers often prefer companies with a good reputation for handling data. In fact, the World Economic Forum states that reputation affects a quarter of a company’s market value. ISO/IEC 27001 certification can help businesses with an existing reputation to preserve their image. Companies with a previous record of security challenges can enhance their reputation and earn the trust and respect of others by becoming certified too. 3. Wins new business and sharpens competitive edge Certified companies stand a better chance of winning new businesses and recording more sales and profits than their competitors. That’s because clients want to feel safe knowing their data enjoy maximum protection. Also, certain organizations must attain other certifications like GDPR, HIPAA, NIST, etc., before commencing operation. And having ISO certification makes it easier to achieve such requirements. One major indicator that an organization can be trusted for security management is acquiring a worldwide certification. It sharpens its competitive advantage and propels the brand way ahead of others. 4. Improves structure and focus As businesses expand, new responsibilities arise, and it can be challenging to determine who should be responsible for what. But with ISO 27001 compliance, companies will have a clear structure to mirror. From authentication to network traffic management, the standard has an outlined structure that companies can apply to establish robust operations security. As a result, they can tackle rising needs while staying focused and productive. 5. It reduces the need for frequent audits. Organizations usually spend heavily performing frequent internal and external audits to generate valuable data about the state of their security. The data is deployed to improve cybersecurity so that threat intelligence and other security aspects are optimized. And even though it costs more and wastes more time, it doesn’t guarantee as much protection as implementing ISO 27001 standard. By becoming a certified name, companies can rest assured that the best cybersecurity practices protect them against attacks. Plus, frequent audits won’t be needed, thus saving cost and time. Schedule a Demo ISO/IEC 27001 Compliance Organizations looking to achieve ISO/IEC 27001 compliance must ensure the following: 1. Clearly Outline the Risk Assessment Process Develop your risk assessment process to detect vulnerabilities. State the categories of risks your organization is facing Outline your approach to tackle vulnerabilities. 2. Make Sure Executives Set the Tone Top management must be involved in the information security program. They should show financial support and be available to make strategic decisions that will help build robust security. Senior management should also conduct frequent assessments of the company’s ISMS to ensure it’s in sync with the globally agreed security standard. 3. Design an Information Security Policy (ISP) An ISP essentially functions to ensure that all the users and networks of your organization’s IT structure stick with the standard practices of digital data storage. You must design an effective ISP to achieve compliance as it governs information protection. Your ISP should encompass the A to Z of your organization’s IT security, including cloud security. You need to state who will be responsible for implementing the designed policy. 4. Write Out Your Statement of Applicability (SoA) Your SoA should carry core information about your ISMS. It should state the controls that your organization regards necessary to combat information security risks. It should document the controls that were not applied The SoA should only be shared with the certification body. 5. Create Your Risk Management Strategy Develop an effective risk management plan to address the possible risks of your chosen security controls. Ensure there’s an efficient security operations center (soc) to help detect cyber threats and forward notifications to the right systems. Design an information security incident management strategy to respond during threat detection. State who will implement specific security controls, how, and when they will deploy them. Schedule a Demo FAQs What does ISO/IEC 27001 stand for? ISO stands for International Standardization Organization, while IEC represents International Electrotechnical Commission. ISO/IEC 27001 is an internationally accepted standard for information security management, which ISO and IEC first created. What are the ISO 27001 Requirements? Every organization looking to apply for certification must prepare themselves and ensure to meet the requirements. These requirements are summarized in Clauses 4.1 to 10.2 below: 4.1 Understanding the organization and its context 4.2 Understanding the needs and expectations of interested parties 4.3 Determining the scope of the ISMS 4.4 Information security management system (ISMS) 5.1 Leadership and commitment 5.2 Information Security Policy 5.3 Organisational roles, responsibilities, and authorities 6.1 Actions to address risks and opportunities 6.2 Information security objectives and planning to achieve them 7.1 Resources 7.2 Competence 7.3 Awareness 7.4 Communication 7.5 Documented information 8.1 Operational planning and control 8.2 Information security risk assessment 8.3 Information security risk treatment 9.1 Monitoring, measurement, analysis, and evaluation 9.2 Internal audit 9.3 Management review 10.1 Nonconformity and corrective action 10.2 Continual improvement What are the ISO/IEC 27001 controls? The latest version of ISO 27001 Annex A enumerates 93 security controls divided into four sections or themes. The ISO 27001 controls are designed to simplify information security management such that digital assets get the best protection against security threats. These 4 sections are labelled A5 to A8 and are as follows: A.5 Organizational controls – containing 37 controls A.6 People controls – containing 8 controls A.7 Physical controls – containing 14 controls A.8 Technological controls – containing 34 controls How Does ISO/IEC 27001 ensure data protection? ISO/IEC 27001 ensures data protection by providing a framework through which companies can store sensitive data and have full access control. This standard can be adapted to suit each organization’s specific needs and structure, thereby offering optimized protection. ISO/IEC 27001 aims to ascertain that three core information security aspects are taken care of, which are: Confidentiality: this guarantees that only authorized individuals can access information. Also, because organizations deal with different categories of data, each employee must only be given the degree of access required to execute their tasks efficiently. Integrity: this ensures that only authorized individuals can change information on the system. So even in the event of a security breach, the risks are minimal. This is due to the change management plan that ensures unauthorized persons can not alter information. Availability: information security becomes a problem if the secured information isn’t accessible when needed. ISO 27001 enables authorized persons to have access to information whenever required to ensure that business operations are uninterrupted. By maintaining these guidelines, companies can put in place an effective information security system and risk management plan to prevent data leaks, theft, or hacks. How does my firewall management help with ISO 27001? Firewalls are the software in your organization’s IT structure managing the connection between different networks. Effective firewall management can help in designing the right Information Security Policy (ISP). In turn, your organization will be able to achieve ISO 27001 compliance. Thus, your firewall policies can help with ISO 27001 by enabling organizations to design an Information Security Policy that agrees with the standard required for compliance. What is the Importance of ISO 27001 Certification, and how can I gain it? ISO 27001 certification offers several advantages to businesses and organizations. It demonstrates to partners, investors, and customers that the certified business has a reliable information security management system, thus winning their trust. Also, it enhances communications security so that third parties do not interfere with your company’s operating system. You also get to reduce the risk of security failure, saving you from financial losses and penalties. Once you’ve met the compliance requirements, you may gain an ISO 27001 certification by registering with an accredited certification body Schedule a Demo How can AlgoSec Help with ISO 27001 Compliance? Organizations must regularly conduct audits and prepare compliance reports to attain and maintain ISO 27001 certification. The data generated from event logs are equally helpful in enhancing threat intelligence and overall operations security. This process is often time-consuming and cost-demanding, and that’s where AlgoSec comes in. Being an ISO 27001-certified vendor, AlgoSec understands the challenges of ISO 27001 compliance and is dedicated to providing affordable and effective solutions. AlgoSec automatically generates pre-populated, audit-ready compliance reports for ISO 27001 and other leading industry regulations like SOX, BASEL II, GLBA, PCI DSS, and FISMA. This technique helps companies reduce audit preparation efforts and costs and uncovers loopholes in their ISMS. As a result, businesses can take proper measures to ensure full ISO 27001 compliance, thus becoming worthy of the certification. Schedule a Demo Select a size Introductory prologue What Is ISO/IEC 27001? Evolution of ISO/IEC 27001 Business Benefits of ISO/IEC 27001 ISO/IEC 27001 Compliance FAQs How can AlgoSec Help with ISO 27001 Compliance? Get the latest insights from the experts Use these six best practices to simplify compliance and risk mitigation with the AlgoSec platform White paper Learn how AlgoSec can help you pass PCI-DSS Audits and ensure continuous compliance Solution overview See how this customer improved compliance readiness and risk management with AlgoSec Case study Choose a better way to manage your network

Product Marketing Manager AlgoSec Cloud Navigating Compliance in the Cloud Iris Stein 2 min read Iris Stein Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/29/25 Published Cloud adoption isn't just soaring; it's practically stratospheric. Businesses of all sizes are leveraging the agility, scalability, and innovation that cloud environments offer. Yet, hand-in-hand with this incredible growth comes an often-overlooked challenge: the increasing complexities of maintaining compliance. Whether your organization grapples with industry-specific regulations like HIPAA for healthcare, PCI DSS for payment processing, SOC 2 for service organizations, or simply adheres to stringent internal governance policies, navigating the ever-shifting landscape of cloud compliance can feel incredibly daunting. It's akin to staring at a giant, knotted ball of spaghetti, unsure where to even begin untangling. But here’s the good news: while it demands attention and a strategic approach, staying compliant in the cloud is far from an impossible feat. This article aims to be your friendly guide through the compliance labyrinth, offering practical insights and key considerations to help you maintain order and assurance in your cloud environments. The foundation: Understanding the Shared Responsibility Model Before you even think about specific regulations, you must grasp the Shared Responsibility Model . This is the bedrock of cloud compliance, and misunderstanding it is a common pitfall that can lead to critical security and compliance gaps. In essence, your cloud provider (AWS, Azure, Google Cloud, etc.) is responsible for the security of the cloud – that means the underlying infrastructure, the physical security of data centers, the global network, and the hypervisors. However, you are responsible for the security in the cloud . This includes your data, your configurations, network traffic protection, identity and access management, and the applications you deploy. Think of it like a house: the cloud provider builds and secures the house (foundation, walls, roof), but you’re responsible for what you put inside it, how you lock the doors and windows, and who you let in. A clear understanding of this division is paramount for effective cloud security and compliance. Simplify to conquer: Centralize your compliance efforts Imagine trying to enforce different rules for different teams using separate playbooks – it's inefficient and riddled with potential for error. The same applies to cloud compliance, especially in multi-cloud environments. Juggling disparate compliance requirements across multiple cloud providers manually is not just time-consuming; it's a recipe for errors, missed deadlines, and a constant state of anxiety. The solution? Aim for a unified, centralized approach to policy enforcement and auditing across your entire multi-cloud footprint. This means establishing consistent security policies and compliance controls that can be applied and monitored seamlessly, regardless of which cloud platform your assets reside on. A unified strategy streamlines management, reduces complexity, and significantly lowers the risk of non-compliance. The power of automation: Your compliance superpower Manual compliance checks are, to put it mildly, an Achilles' heel in today's dynamic cloud environments. They are incredibly time-consuming, prone to human error, and simply cannot keep pace with the continuous changes in cloud configurations and evolving threats. This is where automation becomes your most potent compliance superpower. Leveraging automation for continuous monitoring of configurations, access controls, and network flows ensures ongoing adherence to compliance standards. Automated tools can flag deviations from policies in real-time, identify misconfigurations before they become vulnerabilities, and provide instant insights into your compliance posture. Think of it as having an always-on, hyper-vigilant auditor embedded directly within your cloud infrastructure. It frees up your security teams to focus on more strategic initiatives, rather than endless manual checks. Prove it: Maintain comprehensive audit trails Compliance isn't just about being compliant; it's about proving you're compliant. When an auditor comes knocking – and they will – you need to provide clear, irrefutable, and easily accessible evidence of your compliance posture. This means maintaining comprehensive, immutable audit trails . Ensure that all security events, configuration changes, network access attempts, and policy modifications are meticulously logged and retained. These logs serve as your digital paper trail, demonstrating due diligence and adherence to regulatory requirements. The ability to quickly retrieve specific audit data is critical during assessments, turning what could be a stressful scramble into a smooth, evidence-based conversation. The dynamic duo: Regular review and adaptation Cloud environments are not static. Regulations evolve, new services emerge, and your own business needs change. Therefore, compliance in the cloud is never a "set it and forget it" task. It requires a dynamic approach: regular review and adaptation . Implement a robust process for periodically reviewing your compliance controls. Are they still relevant? Are there new regulations or updates you need to account for? Are your existing controls still effective against emerging threats? Adapt your policies and controls as needed to ensure continuous alignment with both external regulatory demands and your internal security posture. This proactive stance keeps you ahead of potential issues rather than constantly playing catch-up. Simplify Your Journey with the Right Tools Ultimately, staying compliant in the cloud boils down to three core pillars: clear visibility into your cloud environment, consistent and automated policy enforcement, and the demonstrable ability to prove adherence. This is where specialized tools can be invaluable. Solutions like AlgoSec Cloud Enterprise can truly be your trusted co-pilot in this intricate journey. It's designed to help you discover all your cloud assets across multiple providers, proactively identify compliance risks and misconfigurations, and automate policy enforcement. By providing a unified view and control plane, it gives you the confidence that your multi-cloud environment not only meets but also continuously maintains the strictest regulatory requirements. Don't let the complexities of cloud compliance slow your innovation or introduce unnecessary risk. Embrace strategic approaches, leverage automation, and choose the right partners to keep those clouds compliant and your business secure. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

The new product version release provides extended multi-cloud hybrid network visibility, reduces risk exposure and addresses new compliance regulations in a unified platform AlgoSec Security Management solution A33.10 delivers new compliance reporting and precise discovery of application connectivity The new product version release provides extended multi-cloud hybrid network visibility, reduces risk exposure and addresses new compliance regulations in a unified platform May 20, 2025 Speak to one of our experts RIDGEFIELD PARK, NJ, May 20, 2025 – Global cybersecurity leader AlgoSec has launched its new Security Management solution version A33.10, as a part of its AlgoSec Horizon platform. The new release provides better visibility across multi-cloud hybrid network environments, prioritizes risks more easily, reduces compliance effort and cuts down on manual processes by automating policy changes. As network environments grow more distributed, visibility becomes harder to maintain. The 2025 State of Network Security Report found that 71% of security teams struggle with visibility, which is delaying threat detection and response. Without comprehensive network visibility, security teams lack a clear understanding of application behavior to protect, detect, and prevent vulnerabilities. “AlgoSec is committed to updating its products to solve everyday problems that security teams face,” said Eran Shiff , VP Product of AlgoSec. “The A33.10 release ensures that our customers have clear and unified visibility into their complex hybrid network environment to reduce manual processes and ensure proper compliance reporting.” Highlights from the AlgoSec Horizon product update include: ● Visibility continues at the application level. Application security management is now faster and smarter with AlgoSec Firewall Analyzer and AlgoSec ACE ’s cloud application discovery as a datasource, allowing the creation of an application library fast. ● Security and compliance go hand in hand. To prepare security teams for audits and identify risks earlier, the new update includes a dedicated DORA and SOC2 compliance reporting, as well as built-in MITRE ATT&CK mapping. ● Streamlined application traffic view. This release introduces early availability support for AWS Load Balancer and Cisco Catalyst SD-WAN (Viptela), helping teams clearly see how traffic traverses across hybrid infrastructure and make more informed decisions. To learn more about the new A33.10 product release, click here . About AlgoSec AlgoSec, a global cybersecurity leader, empowers organizations to securely accelerate application delivery up to 10 times faster by automating application connectivity and security policy across the hybrid network environment. With two decades of expertise securing hybrid networks, over 2200 of the world's most complex organizations trust AlgoSec to help secure their most critical workloads. AlgoSec Horizon platform utilizes advanced AI capabilities, enabling users to automatically discover and identify their business applications across multi-clouds, and remediate risks more effectively. It serves as a single source for visibility into security and compliance issues across the hybrid network environment, to ensure ongoing adherence to internet security standards, industry, and internal regulations. Additionally, organizations can leverage intelligent change automation to streamline security change processes, thus improving security and agility. Learn how AlgoSec enables application owners, information security experts, SecOps and cloud security teams to deploy business applications faster while maintaining security at www.algosec.com . MEDIA CONTACT: Megan Davis Alloy, on behalf of AlgoSec [email protected]

CISCO ACI & ALGOSEC Holistic policy management for ACI and the hybrid network Download PDF Schedule time with one of our experts Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue