ASGARD Analysis Cockpit Archives - Nextron Systems
https://www.nextron-systems.com/category/asgard-analysis-cockpit/

Efficient NIS2 Compliance with THOR & ASGARD
https://www.nextron-systems.com/2025/03/13/efficient-nis2-compliance-with-thor-asgard/
Thu, 13 Mar 2025 09:39:02 +0000
The post Efficient NIS2 Compliance with THOR & ASGARD appeared first on Nextron Systems.

The NIS2 Directive not only expands the scope of cybersecurity regulations but also introduces stricter penalties for non-compliance, including fines and liability risks for management. Unlike its predecessor, NIS2 mandates clear accountability and requires organizations to demonstrate ongoing risk assessments, incident reporting, and security improvements. Failing to prepare in time could lead to operational disruptions and legal consequences. How can businesses efficiently meet these new obligations while enhancing their cyber resilience?

Navigating Regulatory Challenges

Meeting regulatory requirements is becoming increasingly complex for companies. From PCI-DSS, GDPR, BAIT, VAIT, DORA, TISAX to the new NIS2 Directive, organizations must stay informed and prioritize the right security measures.

Especially for mid-sized enterprises, compliance with the NIS2 Directive (EU) 2022/2555 is crucial. Designed to enhance cybersecurity across the EU, the directive requires organizations to implement stronger security controls. The German implementation law, originally scheduled for October 2024, is now expected to take effect in 2025 – making this the ideal time to prepare.

Who Must Comply with the NIS2 Directive?

NIS2 applies to organizations in specific sectors with at least 50 employees or an annual turnover of €10 million. These sectors include:

  • Critical infrastructure (energy, transport, banking, healthcare, drinking water supply)
  • Digital service providers (cloud providers, data centers, online marketplaces)
  • Manufacturing & industrial production (chemicals, machinery, electronics, automotive, food industry)

Key Requirements of the NIS2 Directive

The directive establishes three core requirements for affected organizations:

1. Risk Management and Threat Detection (Article 21 NIS2)

Organizations must implement appropriate measures to minimize cyber risks, including forensic analysis, threat detection, and incident response planning.

How does Nextron support this?

  • THOR enables deep forensic scans to detect compromised systems, identifying threats such as dual-use tools, web shells, system manipulations, and other indicators of cyberattacks.
  • Aurora Agent provides real-time endpoint monitoring with Sigma rules, detecting threats such as Cobalt Strike beaconing, LSASS dumping, and suspicious network activity.
  • ASGARD Management Center streamlines the management of THOR scans and endpoints, offering automated updates and signature management.

2. Incident Reporting and Response (Article 23 NIS2)

Organizations must report cybersecurity incidents that could significantly impact their services to national authorities (in Germany, the BSI – Federal Office for Information Security).

How does Nextron support this?

  • ASGARD Analysis Cockpit enables automated analysis and prioritization of THOR scan results.
  • Automatic prioritization of findings facilitates incident response and ensures compliance with reporting obligations to the BSI.

3. Registration and Compliance Documentation (Article 24 NIS2)

Affected organizations must register with the national authority and provide ongoing documentation of their security measures.

How does Nextron support this?

  • THOR & ASGARD generate detailed reports and log files for compliance audits.
  • JSON and CSV exports allow seamless integration with SIEM systems and regulatory reporting.

Achieving NIS2 Compliance with Nextron Systems

By utilizing THOR, Aurora, and ASGARD, organizations can:

  • Identify cyber threats early and mitigate security risks
  • Document security incidents efficiently and respond quickly
  • Automate regular security assessments to ensure NIS2 compliance
  • Analyze incidents centrally and fulfill reporting obligations to authorities

Want to learn more?
Contact us to explore how THOR & ASGARD can be integrated into your cybersecurity strategy.

Announcing the Launch of ASGARD Analysis Cockpit v4.1
https://www.nextron-systems.com/2024/06/21/announcing-the-launch-of-asgard-analysis-cockpit-v4-1/
Fri, 21 Jun 2024 13:20:45 +0000

We are excited to announce the release of ASGARD Analysis Cockpit v4.1, a substantial upgrade from version 4.0. This version introduces significant improvements and new features designed to enhance performance, usability, and stability.
ASGARD Analysis Cockpit v4.1 aims to provide a more efficient and robust user experience, addressing the evolving technical requirements of our users. Read on for detailed information about the latest updates and learn how these changes can enhance your workflow.

Major Changes

  • Custom Event Dashboards: Create personalized dashboards in the Baselining and All Events sections.  
  • Event Insights by ChatGPT: Automatically analyze THOR events with assessments and recommendations and ask ChatGPT to explain THOR events or terms within an event.  
  • Matched Signatures Section: View all matched signatures chronologically in the new ‘Matched Signatures’ section.  
  • File Collection via Management Center: Collect files from an asset through the Management Center.  
  • Data Retention Policy: Retain events for a specified period and automatically delete them afterwards.  
  • Graphs and Statistics: Added to the Overview Dashboard for enhanced data visualization.  

Improvements

  • Bug Fixes
    Addressed and resolved various bugs to improve overall system performance. 
  • UI Enhancements
    A fresh, improved look and feel, making the UI more intuitive and user-friendly. 
  • Elasticsearch Indexing Overhaul
    The indexing structure for events in Elasticsearch has been completely revamped, significantly improving performance.  
  • Case Sensitivity Adjustment
    Conditions in cases are now case-insensitive, and existing conditions will be converted automatically. 

Stability in Key Areas

  • API Communication
    The API interface remains unchanged for seamless integration.

Elasticsearch: Enhanced Performance and New Indexing Structure

We have changed the way events are indexed in Elasticsearch. The new index structure significantly improves performance but increases disk space usage by 30%-40%.
After the upgrade, all events will be reindexed, which can take several hours depending on the number of events in your system. The system remains usable during this process, but we recommend performing the upgrade during off-peak hours.
If the Analysis Cockpit reaches its disk space limit during reindexing, the process will pause until more disk space is available. The Analysis Cockpit will guide you on how to free up or increase disk space, and the reindexing process will automatically resume once enough disk space is available.

FAQs

How long does the update take?

The update itself only takes a few minutes. The Analysis Cockpit needs additional time to re-index the events, which can take hours to days depending on the number of events. We recommend performing the upgrade outside of peak business hours.

Will the system restart during the update process?

The system does not restart during the update. Once the first update is complete, you will need to log in again.

Can I continue to work during the restructuring?

Yes, you can continue to work during this time, as the latest events will be re-indexed first and will be available immediately. The status of the re-indexing can be tracked on the system status page. Re-indexing gives the ASGARD Analysis Cockpit an immense performance boost, which speeds up queries and makes work more efficient.

Further Information

For more details, please refer to our manual or our ASGARD Analysis Cockpit YouTube playlist, which provides comprehensive guidance on all the new features and changes. You can also contact our support for further assistance.

End-of-Life ASGARD Analysis Cockpit Version 3
https://www.nextron-systems.com/2024/02/09/end-of-life-asgard-analysis-cockpit-version-3/
Fri, 09 Feb 2024 11:14:04 +0000

Nextron announces the end-of-sale and end-of-life dates for the ASGARD Analysis Cockpit version 3. Customers with active service contracts will continue to receive support until September 30, 2024, as shown in the table below.

  • End of Life Announcement Date: 09.02.2024
    The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.
  • End of Sale Date: 31.01.2024
    The product is no longer for sale after this date.
  • End of Software Maintenance: 30.06.2024
    The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software.
  • Last Date of Support: 30.09.2024
    The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

Announcing the Launch of Analysis Cockpit v4.0
https://www.nextron-systems.com/2024/02/01/announcing-the-launch-of-analysis-cockpit-v4-0/
Thu, 01 Feb 2024 17:24:59 +0000

We are pleased to announce the release of Analysis Cockpit v4.0, marking a significant update from version 3.10. This latest version introduces key improvements, including restructured database indices for enhanced performance, an upgraded operating system, and advancements in time synchronization and user interface.

Aimed at delivering a more stable and efficient experience, v4.0 is built to better meet the technical needs of our users. Read on for details about what’s new and how these changes can benefit you.

Improvements

  • Elastic Database Index Revamp
    We’ve restructured the index of our Elasticsearch database for enhanced stability.
  • Bug Fixes
    Addressed and resolved various bugs to improve overall system performance.
  • UI Enhancements
    A fresh, improved look and feel, making the UI more intuitive and user-friendly.
  • Sync Performance Boost
    We’ve enhanced the synchronization between the Management Center and Analysis Cockpit for quicker and more reliable data transfer.

Major Changes

  • Update Server Switch
    The new version uses update-301.nextron-systems.com instead of update3.nextron-systems.com. Please adjust your firewalls to allow connections to the new server.
  • Operating System Upgrade
    We’ve upgraded the underlying Debian operating system, ensuring a more robust and secure environment.
  • Time Service Transition
    Time synchronization switches from NTP to timesyncd, which is simpler to set up and manage.

Stability in Key Areas

  • API Communication
    The API interface remains unchanged for seamless integration.
  • Compatibility with ASGARD Systems
    Fully compatible with existing ASGARD setups, ensuring a smooth transition.

FAQs

How long will you support version 3?

We will provide bug fixes and security updates for version 3 until June 2024.

Is the upgrade to version 4.0 an in-place upgrade?

Yes, the upgrade to version 4.0 doesn’t require a new system. It can be completed in place by running the upgrade utility from an elevated command line.

How long does the upgrade take?

The upgrade typically takes between 15 and 30 minutes. This duration depends on the number of scan reports and cases you have created. Post-upgrade, the Analysis Cockpit will require additional time to synchronize with the Management Center and may display a “red” status temporarily. This is normal and indicates ongoing synchronization. If this status persists for more than 2 hours, please contact support@nextron-systems.com for assistance.

Will the system reboot during the upgrade process?

Yes, the system will reboot multiple times during the upgrade process. No additional action is required after a reboot; the update will automatically continue until it is complete.

Are there other things to consider before performing the upgrade?

Ensure that there is at least 20% free disk space on your device. For instructions on freeing up space on your Analysis Cockpit, please refer to this link. The upgrade requires connections to both the old and the new update server.

Further Information

For more details, please refer to our manual, which provides comprehensive guidance on all the new features and changes.

Mjolnir Security: Incident Response Training – Dive Deep into Cybersecurity
https://www.nextron-systems.com/2023/09/26/mjolnir-security-incident-response-training-dive-deep-into-cybersecurity/
Tue, 26 Sep 2023 13:07:32 +0000

We’re thrilled to announce an exciting collaboration with our esteemed partner, Mjolnir Security. Immerse yourself in their renowned “Blue Team Incident Response Training” taking place from the 23rd to the 26th of October.

This four-day intensive program promises a deep dive into the world of cybersecurity, with sessions spanning 4 hours each day. And don’t worry if you can’t attend live – every session is recorded, ensuring you won’t miss a beat.

Enhance your cybersecurity skills by learning how to craft precise YARA rules. Witness the full prowess of the THOR scanner in action, integrated seamlessly with the ASGARD Management Center – our flagship centralized management platform designed for effortless scan management, advanced incident response capabilities, and much more. Plus, experience firsthand how our Analysis Cockpit can dissect and interpret findings, offering invaluable insights.

Discover the synergy of our enterprise-grade tools and visualize what a comprehensive deployment looks like in real-world scenarios. It’s a hands-on experience not to be missed!

Exclusive Discounts for Our Community:

  • THOR Lite Subscribers: Enjoy a whopping 30% off on the training fees. Just apply the discount code NextronThorLite at checkout or click here for direct access.
  • Existing Nextron Customers: We value your trust! Contact us and avail of an exclusive 50% discount on the training.
  • Law Enforcement and Government Agencies: In our commitment to fortifying cybersecurity defenses at all levels, this training is absolutely free for you. Please reach out to us directly for details on how to avail of this offer.

Join us, and let’s elevate our cybersecurity skills together!

New Analysis Cockpit 3.5
https://www.nextron-systems.com/2022/07/29/new-analysis-cockpit-3-5/
Fri, 29 Jul 2022 09:31:21 +0000

New Baselining Views

Over the course of the last 18 months we reviewed most of our detections regarding their success in real-world scenarios. In this context “success” means that the detection uncovered malicious activity in the wild and at the same time had a low anomaly and false positive rate. Additionally, we also consider a detection successful if it caused little or no false positives or anomalies.

All this led to two new views within the Cockpit’s Baselining section: “Compromise Assessment Mode” and “Deep Inspection Mode”.

“Compromise Assessment Mode” includes only matches of the highly successful rules. The second mode is the “Deep Inspection Mode”. This view is basically how it used to be (the old default view). It shows all Alerts and Warnings unless they are already part of an existing case.

This new “Compromise Assessment Mode” dramatically reduces our customers’ baselining effort.

In our tests we noticed a decrease of events in the Baselining section of more than 90%. We believe that especially entities that follow our “Continuous Compromise Assessment” approach should switch to this new mode. We’ve also challenged the new mode with the post-exploitation tools and techniques found in the context of the HAFNIUM / Exchange exploitations in March 2021, and it covered almost every aspect of the attacks in the new view.

Asset Labels

Another exciting new feature that comes with Analysis Cockpit version 3.5 is an event filter based on asset labels. This was requested by many of our customers and partners, but until now we never found a way to deliver this feature without negatively affecting the Cockpit’s performance. We solved this now by accepting two limitations to this feature. First, it doesn’t work for events that existed prior to the update. Secondly, an event always remains linked to the asset label it had at the time the event occurred. Changing an asset’s label will only affect events from scans that take place after the label change.

Other Changes

  • Hidden static filters in certain views
  • Minor bugfixes and stability improvements

Release

The new Analysis Cockpit will be released in the 2nd half of August. Interested customers can get a guide to use the “preprod” version of Analysis Cockpit 3.5.

Product Surveys – Tell us what you think
https://www.nextron-systems.com/2022/01/10/product-surveys-tell-us-what-you-think/
Mon, 10 Jan 2022 15:46:08 +0000

We’d like to know your opinion on our products and therefore ask you to participate in our product surveys. Each of them takes between 2 and 5 minutes of your time, depending on how much you’d like to tell us.

THOR Customer Satisfaction Survey

You can find the survey here.

ASGARD Customer Satisfaction Survey

You can find the survey here.

Analysis Cockpit Customer Satisfaction Survey

You can find the survey here.

Public Feature Collection

We also plan to publicly collect feature requests and allow you to up- or downvote requests of other users, comment on them and get informed when a feature has been implemented.

End-of-Life ASGARD Analysis Cockpit Version 2
https://www.nextron-systems.com/2021/05/06/end-of-life-asgard-analysis-cockpit-v2/
Thu, 06 May 2021 09:19:12 +0000

Nextron announces the end-of-sale and end-of-life dates for the ASGARD Analysis Cockpit version 2. Customers with active service contracts will continue to receive support until June 30, 2022, as shown in the table below.

  • End of Life Announcement Date: 06.05.2021
    The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.
  • End of Sale Date: 30.04.2021
    The product is no longer for sale after this date.
  • End of Software Maintenance: 31.05.2022
    The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software.
  • Last Date of Support: 30.06.2022
    The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

ASGARD Analysis Cockpit Version 3
https://www.nextron-systems.com/2021/05/06/asgard-analysis-cockpit-version-3/
Thu, 06 May 2021 09:00:40 +0000

ASGARD Analysis Cockpit is our on-premise soft appliance that helps you analyze large amounts of THOR log data. The new version 3, which has just been released, adds many new usability features and views. This blog post lists some of the changes.

Analysis Cockpit 3 has a new look with many features that improve usability.

Filtering the log data to select a group of events to include in a case has never been easier. The search bar has been modified to support the most common use cases with feedback from numerous analysts.

The idea is to allow a user to reach a certain intended view with as few clicks and interactions as possible.

The new case creation forms are much more compact and add a new event selection type named “condition”.

It adds many views focused on assets, like the scans of each asset or the findings per asset.

An extensive reporting section provides HTML and PDF reports.

Reports can be created

  • by business unit
  • as a comparison between time frames and group scans
  • with highlights on lateral movement
  • with highlights on remediated systems

Two-factor authentication (2FA, OTP) and improved LDAP support have been added.

A new “Notifications” section allows you to review all triggered notifications that have been sent via SYSLOG, e-mail or webhook to a remote system.

These notifications are configured by the user and may include e.g.

  • New event added to incident case
  • Case type changed from “open” to “request evidence”

Other improvements:

  • Massive performance improvements
  • Improved API for SOAR, sandbox and SIEM integration
  • Views for real-time events generated by the new Eventlog watcher with Sigma rules in ASGARD 2.10
  • Additional endpoint-related information like installed software and a list of local users (Windows only)
  • Improved flexibility in the case management section
  • Sidebar with context information
  • CSV exports from almost any view
  • Direct VirusTotal & Valhalla lookups from the event details

ASGARD Analysis Cockpit version 3 has been released this month. An upgrade from Analysis Cockpit version 2 is possible and includes an export of the case data and a re-import of all previously indexed log data with the help of a guide that is part of the new online manual. New customers find the installer ISO in the “Downloads” section of the customer portal.

THOR Integration into Microsoft Defender ATP
https://www.nextron-systems.com/2020/01/07/thor-integration-into-windows-defender-atp/
Tue, 07 Jan 2020 10:19:52 +0000

Why Integrate THOR into Microsoft Defender ATP

While Microsoft Defender ATP fully plays off its strengths in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity.

While Microsoft Defender ATP features a forensic package collection that retrieves elements from a remote system, THOR scans these elements on the remote system, applying more than 10,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner.

THOR extends Microsoft Defender ATP’s real-time monitoring with intense local scans to allow a full on-demand compromise assessment.

Deployment Options

Since both Microsoft Defender ATP and THOR are very flexible and open products, the integration is not a one-way street with a single possible solution. Depending on the network size, segmentation and available third-party solutions like a SIEM, the integration allows and requires different setups.

This blog post starts with an example use case and then outlines many of these setup options.

Live Response Scripts

The Microsoft Defender Security Center allows us to upload PowerShell scripts into a so-called “live response library”, which is available on the endpoint during “live response” sessions.

These scripts allow us to facilitate the download and execution of THOR on the endpoint.

There are two ways to implement different scan modes and parameters: THOR has numerous command line options, which can be passed either as parameters of the PowerShell scripts or predefined in YAML config files.

Example: Turla Malware

We’ll use a simple demo script that contains a path to a file share providing the THOR package.

It uses a config file named “rootkit-check.yml”, which is located in the program folder on the file share. It activates 3 rootkit-related modules, sets the path for all output files (rebase-dir) and deactivates some features.

We upload that script into a live response session to investigate the suspicious behaviour of a workstation that showed several alerts regarding malware and the use of a “living-off-the-land” binary to run malicious code.

The details reveal that the use of certutil.exe triggered the alert.

We can see other commands like tasklist, net and netstat, which are often used in reconnaissance scripts, executed in the context of a user named “admin”.

We start a “Live Response Session” for further live forensic investigations with the help of THOR.

Since this is our first investigation with that specific script, we have to upload it to the live response library.

We can then verify the upload using the “library” command and run the script from the command line.

It takes about a minute to complete the rootkit check.

THOR recognized a malicious mutex used by Turla malware and gives further information on the related process and process binary, which can be used for additional verification of the threat.

The HTML report and text log file have been saved back to the file share.
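A helper script of the kind the walkthrough describes, added here as an example and not Nextron's demo script: it runs THOR from a read-only package share with the rootkit-check.yml config and writes the log and HTML report to a separate writable share via --rebase-dir, the output switch named in the post. The share paths, the --template option for passing the YAML config, and the optional hash pin are assumptions, not taken from the post.

```powershell
<#
  Added example (not the demo script from the post). Runs THOR during a live
  response session from a read-only share and sends all output to a separate
  writable share, so the scanned host keeps no report files and the package
  share never needs write access.
  Assumptions: thor64.exe and the YAML config sit at the root of $PackageShare;
  THOR takes the YAML config via --template (verify against the THOR manual for
  your version); $ExpectedSha256 was computed on the analyst system when the
  package was copied to the share. The endpoint's account needs read access to
  $PackageShare and write access to $OutputShare.
#>
param(
    [string]$PackageShare   = '\\fileserver\thor-ro',   # read-only: binaries and signatures
    [string]$OutputShare    = '\\fileserver\thor-out',  # writable: log and HTML report only
    [string]$Template       = 'rootkit-check.yml',
    [string]$ExpectedSha256 = ''                        # optional integrity pin for thor64.exe
)

$ErrorActionPreference = 'Stop'
$thorExe      = Join-Path $PackageShare 'thor64.exe'
$templatePath = Join-Path $PackageShare $Template

foreach ($p in @($thorExe, $templatePath)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing on package share: $p" }
}

# The share is read-only, but a pinned hash still catches a swapped binary before it runs.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -LiteralPath $thorExe -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        throw "thor64.exe hash mismatch: expected $ExpectedSha256, got $actual"
    }
}

# One output folder per host and run, so parallel investigations never overwrite
# each other and the report stays attributable to this session.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutputShare "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# --rebase-dir redirects every output file (log, HTML report) away from the working directory.
$thorArgs = @('--template', "`"$templatePath`"", '--rebase-dir', "`"$outDir`"")
$proc = Start-Process -FilePath $thorExe -ArgumentList $thorArgs -Wait -PassThru -NoNewWindow

Write-Output "THOR finished with exit code $($proc.ExitCode); output in $outDir"
Get-ChildItem -LiteralPath $outDir | Select-Object Name, Length, LastWriteTime
```

Upload it to the live response library and start it with the run command as in the walkthrough; the log and report then appear on the output share rather than on the investigated host.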

Other Setup Options

Scanner Provisioning

In this chapter we describe different methods to provide a THOR package to an end system during live response investigations.

Option A: File Share

The complete THOR package including binaries and signatures can be provided on a network share. This network share should be read-only, so that attackers who notice the activity cannot manipulate the program or signatures on the file share.

Advantages:

  • Quick setup
  • Only a file server is needed

Disadvantages:

  • Requires an SMB/CIFS connection from the end system to the file share
  • Scanner / signature updates must be scripted (thor-util.exe)
  • Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)

Option B: ASGARD Management Center

The central management platform ASGARD Management Center is a hardened Debian-based soft appliance that serves as software repository and licensing server in our use case.

The PowerShell scripts in the script library can retrieve THOR packages via HTTPS from the ASGARD Management Center.

Advantages:

  • HTTPS download of THOR packages
  • Integrated licensing
  • Automatic scanner and signature updates

Disadvantages:

  • Additional server system (VM; maintenance)

Option C: THOR via Script Library as SFX

The complete THOR program folder can be packaged into a self-extracting and self-executing archive (SFX), which can then be uploaded into the “live response library”. It can then be executed right from the script library (run) or uploaded to the end system (put).

Advantages:

  • No servers needed
  • Microsoft Defender ATP native solution

Disadvantages:

  • Scanner / signature updates and SFX creation must be scripted on an analyst system (thor-util.exe)
  • Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)

Output Options

The results of the scans can be stored and transmitted to different locations.

Option A: Log and Report on File Share

THOR writes a log file in real time during the scan and renders an HTML report at the end of the scan. Users can set an output directory other than the working directory for all output files with the “--rebase-dir” parameter.

This output folder can be a file share, e.g. “\\server\share”.

Analysts can check the log file during the scan, which takes between minutes and hours to complete.

Advantages:

  • Only a file server required

Disadvantages:

  • Requires access to the file share from the end system (SMB/CIFS)
  • File share must be writable (possible manipulation by the attackers)

Option B: SYSLOG, JSON or CEF to SIEM

THOR can send the logs via SYSLOG (UDP, TCP, TCP+SSL, CEF) or in JSON (UDP, TCP, TCP+SSL) to a remote SIEM or log management system.

Advantages:

  • Integrates into existing solutions and processes

Disadvantages:

  • Requires a SIEM system and some baselining
  • Requires a connection to port 514 from the end system to the SIEM system

Option C: SYSLOG, JSON or CEF to ASGARD Analysis Cockpit

ASGARD Analysis Cockpit is the optimized log analysis platform (soft appliance) to process, baseline and forward THOR logs.

Its most relevant features in this use case are:

  • Baselining and central false positive filtering
  • Event forwarding of filtered events

ASGARD Analysis Cockpit already has several options to create alerts for incoming logs.

Similar to the current “Webhook” output, Analysis Cockpit could add a feature to connect with Microsoft Defender Security Center and create alerts as described in the official API documentation.

Advantages:

  • Optimal THOR log baselining and forwarding of relevant events only

Disadvantages:

  • Additional server system (VM; maintenance)
  • Requires a connection to port 514 from the end system to the Analysis Cockpit

Option D: Local Eventlog

THOR can be instructed to log to the local Windows Eventlog with the “--eventlog” command line parameter. Customers that already forward their Windows Application Eventlog to a central SIEM can then use the existing integration and analyze the THOR events in their SIEM.

Advantages:

  • Integrates into existing security monitoring
  • No additional open port needed

Disadvantages:

  • Requires a SIEM system and some baselining

Option E: Live Response – “getfile”

Local log files that were written to the working directory can be retrieved with the “getfile” command.

Advantages:

  • Integrates into the analyst workflow
  • No additional open port needed

Disadvantages:

  • Files could be left on the end system
    (causing false positives in other products; in plain sight for attackers)

Future Integrations

This chapter contains an outlook on expected future integrations based on upcoming features and APIs.

Sample Collection

The Microsoft Defender ATP API allows fetching a certain file from a remote system. Similar to the alerting mechanisms via webhooks in ASGARD Analysis Cockpit, users will be able to fetch any suspicious or malicious file reported by THOR with a given minimum threat score using the Microsoft Defender ATP API.

THOR Cloud

The upcoming cloud-based version of our licensing and download server, which is currently integrated into our customer portal, will be able to serve THOR packages that contain an integrated license for the host which is supposed to be scanned.

This way, you will be able to run a PowerShell script from the live response library that downloads an up-to-date THOR package with a valid license file right from the new online service, and you won’t need a local ASGARD server that provides the THOR packages and licenses.