LiveWire 25.2.0 New Features

Added new LiveFlow alerts for issues around TLS, Certificates, and Authentication
Several LiveFlow security alerts have been added, focused on TLS, certificates, and authentication. The new alerts, each with its description, cause, and remedy notes, are listed below.

1. Cleartext Credentials Detected
Description: User credentials (usernames, passwords, API tokens) were observed in plain text on the wire, which is a major security risk: anyone able to capture the traffic can reuse them.
Cause: The application or protocol sends credentials without transport encryption (for example HTTP Basic or form authentication over plain HTTP, FTP, Telnet, or SMTP/IMAP/POP AUTH without STARTTLS), typically because an allowed-ciphers policy is not in place or not enforced.
Remedy: Implement and enforce an allowed-ciphers policy that requires TLS (or another encrypted transport) for every protocol that carries credentials, and rotate any credentials that were observed in cleartext.

2. Kerberos Detected
Description: The Kerberos protocol has been detected. If all machines run an up-to-date Kerberos implementation, this may not be an issue unless Kerberos is disallowed by policy.
Cause: Kerberos protocol detected in network traffic.
Remedy: If Kerberos is disallowed by policy, reconfigure the affected machines so they stop using it. Otherwise, verify that all machines run an up-to-date Kerberos implementation with AES encryption types enabled.

3. Kerberos RC4 Detected
Description: The Kerberos protocol has been detected, and the ticket is encrypted with the insecure RC4-HMAC encryption type (etype 23). An RC4-HMAC key is simply the account's NT password hash, so RC4 tickets are easier to crack offline (Kerberoasting) and can be requested with a stolen hash alone.
Cause: RC4-HMAC was deprecated for Kerberos long ago (RFC 8429, 2018). Affected machines are overdue for a Kerberos update.
Remedy: If Kerberos is disallowed by policy, reconfigure all affected machines so they stop using it. Otherwise, update all affected machines so they support the AES encryption types (aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96), then disallow RC4 in the Kerberos encryption type policy (the "Network security: Configure encryption types allowed for Kerberos" Group Policy setting, and msDS-SupportedEncryptionTypes on Active Directory accounts). Accounts whose password was last set before the domain generated AES keys only have RC4 keys; reset those passwords before removing RC4, or their authentication will break.

4. Malicious IP or Domain Detected
Description: Detection of encrypted traffic to known blocklisted or suspicious IPs or domains.
Cause: A newly detected, or previously identified but still unblocked, known malicious IP or domain.
Remedy: Block known malicious IPs and domains, and investigate the internal host that initiated the connection.

Note: If enabled, the security configuration should be modified as specified in KB #000001409.

5. Microsoft IP Detected
Description: Network traffic to Microsoft domains normally used only by computers running Windows has been detected, for example "phone home" telemetry traffic to telemetry.microsoft.com.
Cause: Passive scanning has detected traffic that possibly indicates computers running Windows on the network.

6. NTLM Protocol Detected
Description: Network traffic using NTLM may be a security risk because of NTLM's known weaknesses: NTLMv1 responses can be cracked offline, and NTLM authentication can be relayed to other hosts. Microsoft has announced that NTLM is deprecated and will be phased out after Windows 11 version 24H2.
Cause: Passive scanning has detected traffic using the NTLM protocol.
Remedy: Microsoft recommends replacing NTLM with Kerberos. Use the Windows "Network security: Restrict NTLM" audit policies to find the applications and devices that still depend on NTLM before blocking it.

7. TLS Certificate Anomalies Detected
Description: Untrusted or self-signed, expired, or name-mismatched server certificates suggest a possible man-in-the-middle (MITM) attack or a misconfiguration.
Cause: A newly detected, or previously identified but still unblocked, issue in a server certificate.
Remedy: Block the identified server certificate anomalies. Where the cause is a misconfiguration (for example an expired certificate on an internal service), renew or correct the certificate.

Note: If enabled, the security configuration should be modified as specified in KB #000001409.

8. TLS Client Excessive Handshakes
Description: A client machine has attempted an unusually high number of TLS connections (ClientHello messages) in a short period.
Cause: A possibly compromised machine is scanning for, or attempting to infect, other machines. A misbehaving application that opens a new TLS session for every request instead of reusing connections produces the same pattern.
Remedy: The client machine should be thoroughly examined for malware, and any infection mitigated. If no malware is found, identify the application responsible and fix its connection handling.

9. TLS Long Lived Connection
Description: Long-lived TLS sessions, especially to external destinations, may indicate a compromised host keeping a channel open to an attacker, or ongoing data exfiltration.
Cause: A possibly compromised machine has a long-duration TLS connection to another machine.
Remedy: The client and server machines should be thoroughly examined for malware, and any infection removed. Expect legitimate long-lived sessions from VPN tunnels, database replication, and message-queue or streaming clients; allow-list those destinations to reduce noise.

10. Weak TLS Cipher Suite
Description: Detection of TLS encrypted traffic using known weak cipher suites, for example suites that use NULL, EXPORT, RC4, DES or 3DES ciphers, MD5 MACs, or anonymous key exchange.
Cause: Minimum TLS cipher strength is not monitored and enforced.
Remedy: Analyze TLS handshakes for the negotiated cipher suite (the server announces its choice in the ServerHello). Identify connections that use outdated or weak suites. Use network security tools to enforce minimum cipher standards and monitor for deviations, especially in encrypted traffic between internal systems and external hosts. Fix the server configuration first, since the server selects the suite from the client's offer.
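The following is an added example, not LiveWire or LiveFlow code, showing the check behind the "Kerberos Detected" and "Kerberos RC4 Detected" alerts (entries 2 and 3): walk the DER-encoded AS-REP/TGS-REP, find the Ticket's enc-part, and read its etype. The sample replies are constructed in-line with a small DER encoder (realm EXAMPLE.COM, principal alice, zeroed cipher bodies are all made up); the function names are this example's own.

```python
# Added example (not LiveWire/LiveFlow code). Minimal DER walker that reads the
# encryption type of the Ticket in a Kerberos KDC-REP and flags RC4.
# Kerberos etype numbers: RFC 3961 (DES/3DES/AES-SHA1), RFC 4757 (RC4), RFC 8009 (AES-SHA2).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
RC4_ETYPES = {23, 24}
DEPRECATED_ETYPES = {1, 3, 16, 23, 24}   # DES (RFC 6649), 3DES and RC4 (RFC 8429)

# --- tiny DER encoder, used only to construct the sample messages below --------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ctx(n, body):            # context-specific [n], constructed (Kerberos uses EXPLICIT tags)
    return tlv(0xA0 | n, body)

def seq(*items):
    return tlv(0x30, b"".join(items))

def gstring(s):              # KerberosString is a GeneralString (tag 0x1B)
    return tlv(0x1B, s.encode())

def build_ticket(etype, realm="EXAMPLE.COM"):
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    sname = seq(ctx(0, integer(2)), ctx(1, seq(gstring("krbtgt"), gstring(realm))))
    enc_part = seq(ctx(0, integer(etype)), ctx(1, integer(2)), ctx(2, tlv(0x04, b"\x00" * 16)))
    return tlv(0x61, seq(ctx(0, integer(5)), ctx(1, gstring(realm)), ctx(2, sname), ctx(3, enc_part)))

def build_as_rep(ticket_etype, reply_etype=18):
    """Constructed AS-REP ([APPLICATION 11] KDC-REP); padata omitted, cipher bodies are zero bytes."""
    cname = seq(ctx(0, integer(1)), ctx(1, seq(gstring("alice"))))
    enc_part = seq(ctx(0, integer(reply_etype)), ctx(2, tlv(0x04, b"\x00" * 32)))
    return tlv(0x6B, seq(ctx(0, integer(5)), ctx(1, integer(11)), ctx(3, gstring("EXAMPLE.COM")),
                         ctx(4, cname), ctx(5, build_ticket(ticket_etype)), ctx(6, enc_part)))

# --- DER walker: what a passive sensor would run over the captured KDC reply ----------
def der_parse(buf):
    """Parse consecutive DER TLVs into a list of (tag, body, children) tuples."""
    nodes, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        body = buf[pos:pos + ln]
        if len(body) != ln:
            raise ValueError("truncated DER element")
        children = der_parse(body) if tag & 0x20 else []   # bit 6 set = constructed
        nodes.append((tag, body, children))
        pos += ln
    return nodes

def ticket_etype(msg):
    """Return (msg-type, etype of Ticket.enc-part) for an AS-REP/TGS-REP, else (None, None)."""
    top = der_parse(msg)[0]
    if top[0] not in (0x6B, 0x6D):                      # [APPLICATION 11] AS-REP, [13] TGS-REP
        return None, None
    rep = {t & 0x1F: ch for t, _, ch in top[2][0][2]}         # KDC-REP fields by [n]
    ticket = rep[5][0]                                           # [5] Ticket = [APPLICATION 1]
    tkt = {t & 0x1F: ch for t, _, ch in ticket[2][0][2]}        # Ticket fields
    enc = {t & 0x1F: ch for t, _, ch in tkt[3][0][2]}           # EncryptedData fields
    etype = int.from_bytes(enc[0][0][1], "big", signed=True)    # [0] etype INTEGER
    return top[0] & 0x1F, etype

def kerberos_alerts(msg):
    """LiveFlow-style verdict for one KDC reply, as a list of alert names."""
    msg_type, etype = ticket_etype(msg)
    if msg_type is None:
        return []
    alerts = ["Kerberos Detected"]
    if etype in RC4_ETYPES:
        alerts.append("Kerberos RC4 Detected")
    return alerts

if __name__ == "__main__":
    for et in (18, 23):
        print(ETYPE_NAMES[et], "->", kerberos_alerts(build_as_rep(et)))
```

The detector reads only the ticket's etype, which is what the page's alert describes; the reply's own enc-part ([6]) can use a different, stronger etype than the ticket when the service account only has RC4 keys, which is exactly the case the remedy's password-reset caveat addresses.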
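The "Weak TLS Cipher Suite" remedy (entry 10) says to read the negotiated suite from the handshake. The following added example, not LiveWire or LiveFlow code, parses a TLS record carrying a ServerHello, extracts the chosen cipher suite, and classifies it; the suite table is a subset of the IANA registry, the weak-marker rule and the "legacy-no-pfs" label are this example's own choices, and the sample records are constructed in-line with a fixed random value.

```python
# Added example (not LiveWire/LiveFlow code): ServerHello cipher-suite extraction and
# classification, the check behind a "Weak TLS Cipher Suite" alert.

# Subset of the IANA TLS Cipher Suites registry (value -> name).
CIPHER_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
# Any of these substrings in the suite name marks it weak ("DES" also matches 3DES).
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "DES", "MD5")

def parse_server_hello(record):
    """Return (legacy_version, cipher_suite_id) from one TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                   # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])                       # legacy_version; TLS 1.3 still says 0x0303 here
    sid_len = body[34]                                 # after 2-byte version and 32-byte random
    cs = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return version, cs

def classify_cipher_suite(cs):
    """Return (name, verdict) where verdict is 'weak', 'legacy-no-pfs' or 'ok'."""
    name = CIPHER_SUITES.get(cs, f"unknown(0x{cs:04x})")
    if any(marker in name for marker in WEAK_MARKERS):
        return name, "weak"
    if name.startswith("TLS_RSA_"):                    # static RSA key exchange: no forward secrecy
        return name, "legacy-no-pfs"
    return name, "ok"

def weak_cipher_alert(record):
    """Return the alert name if the negotiated suite is weak, otherwise None."""
    _, cs = parse_server_hello(record)
    _, verdict = classify_cipher_suite(cs)
    return "Weak TLS Cipher Suite" if verdict == "weak" else None

def build_server_hello(cs, version=b"\x03\x03"):
    """Constructed sample: minimal ServerHello (fixed random, empty session id, no extensions)."""
    body = version + b"\x42" * 32 + b"\x00" + cs.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for cs in (0x0005, 0x000A, 0x002F, 0xC02F, 0x1302):
        _, suite = parse_server_hello(build_server_hello(cs))
        print(classify_cipher_suite(suite), weak_cipher_alert(build_server_hello(cs)))
```

Unknown suite values are reported as "ok" rather than "weak" because the table is a subset; a production check should carry the full registry, and should also treat a negotiated protocol version of TLS 1.0/1.1 as a finding regardless of the suite.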
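Entries 8 and 9 ("TLS Client Excessive Handshakes" and "TLS Long Lived Connection") are flow-level heuristics rather than packet parsers. The following added example, not LiveWire or LiveFlow code, runs both over constructed flow records: a sliding-window count of ClientHellos per client, and an age check on flows to external servers. The window, thresholds, and the RFC 1918 definition of "internal" are assumptions, and the flow tuples and addresses are made up.

```python
# Added example (not LiveWire/LiveFlow code): flow-record heuristics for excessive TLS
# handshakes and long-lived external TLS connections. Thresholds below are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

HANDSHAKE_WINDOW_S = 60        # assumed sliding window for counting ClientHellos
HANDSHAKE_THRESHOLD = 100      # assumed: more ClientHellos than this per window is "excessive"
LONG_LIVED_S = 8 * 3600        # assumed: a TLS flow older than this is "long lived"
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def excessive_handshake_clients(flows, window=HANDSHAKE_WINDOW_S, threshold=HANDSHAKE_THRESHOLD):
    """Map client -> peak ClientHello count in any window of `window` seconds that exceeds threshold.

    flows: iterable of (client_ip, server_ip, server_port, client_hello_time, end_time).
    """
    by_client = defaultdict(list)
    for client, _, _, start, _ in flows:
        by_client[client].append(start)
    offenders = {}
    for client, times in by_client.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # two-pointer sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                offenders[client] = max(offenders.get(client, 0), count)
    return offenders

def long_lived_external(flows, now, max_age=LONG_LIVED_S):
    """Flows to non-internal servers open longer than max_age; end_time None means still open."""
    hits = []
    for client, server, port, start, end in flows:
        if is_internal(server):
            continue
        age = (now if end is None else end) - start
        if age > max_age:
            hits.append((client, server, port, age))
    return hits

def sample_flows():
    """Constructed data: one host sweeping 150 servers in 30 s, one quiet host, one 'forever' flow."""
    flows = [("10.0.0.7", f"10.0.1.{i}", 443, 1000.0 + i * 0.2, 1001.0 + i * 0.2) for i in range(1, 151)]
    flows += [("10.0.0.9", "10.0.1.1", 443, 1000.0 + i * 10, 1005.0 + i * 10) for i in range(5)]
    flows.append(("10.0.0.12", "203.0.113.5", 443, 0.0, None))      # still open at 'now'
    flows.append(("10.0.0.12", "203.0.113.6", 443, 0.0, 600.0))     # ten-minute flow, fine
    return flows

if __name__ == "__main__":
    print("excessive handshakes:", excessive_handshake_clients(sample_flows()))
    print("long-lived external:", long_lived_external(sample_flows(), now=40000.0))
```

The sliding window is what keeps a steady, legitimate client from being flagged for total volume; only a burst within the window trips it. For the long-lived check, the allow-list the remedy suggests belongs in front of `is_internal`, keyed on the VPN, replication, or streaming destinations you expect.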