Your SlideShare is downloading. ×
Unity Makes Strength SOURCE Dublin 2013
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Unity Makes Strength SOURCE Dublin 2013


Published on

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.

Published in: Technology

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Unity Makes Strength“Why keep this valuable information in a corner?”SOURCE Dublin 2013
  • 2. $ whoami• Xavier Mertens (@xme)• Consultant @ day• Blogger @ night• BruCON co-organizer2
  • 3. $ cat disclaimer.txt“The opinions expressed in this presentationare those of the speaker and do not necessarilyreflect those of past, present employers,partners or customers.”3
  • 4. Agenda• Some facts• Current situation• Toolbox• Examples4
  • 5. Defense vs.Attack• Offensive security is funny(w00t! We break things)• Defensive security can alsobe fun!(proud to not be pwn3d ;-)• “Know your enemy!”5
  • 6. Welcome to Belgium!6
  • 7. Welcome to Belgium!7
  • 8. Belgique, België, BelgienBut with a very complicatedpolitical landscape!8
  • 9. Belgian Motto“L’union fait la force”(“Unity Makes Strength”)9
  • 10. And Infosec?Why not apply this to our securityinfrastructures?10
  • 11. Agenda• Some facts• Current situation• Toolbox• Examples11
  • 12. Initial SituationFirewall IDS ProxyMalwareAnalysisAction Action Action Action12
  • 13. Then Came the god “SIEM”Firewall IDS ProxyMalwareAnalysisLogs Logs Logs LogsCentralized Logging Solutions / SIEM13
  • 14. Weaknesses?• Independent solutions• Static configurations• Only logs are centralized• No global protection• Useful data not shared• Real-time protection not easy14
  • 15. TheValue of Data• IP addresses• User names• URLs• Domains• Digests (MD5, SHA1, etc)15
  • 16. Multiple Sources• Online repositories• Internal resources• Automatic process16
  • 17. Nothing New!Input OutputProcess17
  • 18. Back to the Roots• REXX is a scripting languageinvented by IBM.• ARexx was implemented inAmigaOS in 1987.• Allow applications having anARexx interface tocommunicate to exchangedata.18
  • 19. RTFM!• Security is a big market ($$$)• The “Microsoft Office” effect(<10% of features really used)• Invest time to learn how yourproducts work.• Be a hacker: Learn how it workand make it work like you want.19
  • 20. Backdoors...• CLI• WebAPI (JSON, XML)• Databases• Scripting languages• Serial console20
  • 21. Protocols• HTTP(S)• TFTP• SSH• SNMP• IF-MAP• Proprietary tools (dbedit)21
  • 22. Automation is the Key• We’re all lazy people!• Expect!use Expect;my $e = Expect->new();my $c = “ssh $user@$host”;$e = Expect->spawn($c) or die “No SSH?”;$e->Expect($timeout,[qr’password: $’,sub {my $fh = shift;print $fh $passwordn”;}]22
  • 23. A New ArchitectureFirewall IDS Proxy Malware AnalysisLogs Logs Logs LogsCentralized Logging Solutions / SIEM23Action Action Action ActionToolbox
  • 24. Agenda• Some facts• Current situation• Toolbox• Examples24
  • 25. HTTPS• Generate an API keyhttps://• Submit XML requestshttps://[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask></ip-netmask><description>Test</description>25
  • 26. Snort-Rules Generator• Lot of Security tools accept Snort rulesuse Snort::Rulemy $rule = Snort::Rule->new(-action => ‘alert’,-proto => ‘tcp’,-src => ‘’,-sport => ‘any’,-dst => ‘any’,-dport => ‘any’,);$rule->opts(‘msg’,‘Detect traffic from’);$rule->opts(‘sid’,‘666666’);26
  • 27. IF-MAP• Open standard to allow authorized devicesto publish/search relevant information• Information could be• IP• Login• Location (devices)• Domain27
  • 28. IF-MAPuse Ifmap;use Ifmap::Util;my $r=Ifmap::Request::NewSession->new();my $ip=Ifmap::Identifier::IpAddress->new(ip_address,‘’);my $mac=Ifmap::Identifier::MacAddress->new(mac_address,‘aa:bb:cc:dd:ee:ff’);my $id = Ifmap::Identifier::Identity->new(name=> ‘john’, type=>‘username’);my $meta=Ifmap::Metadata::Element->new(name=>‘name’, value=‘employee’);28
  • 29. SNMP$ snmpset 10.0.1 Pr1v4t3 . acl.tmp29• SNMP can be used to push configurationchanges• Example:• Router will pull the access-list“acl.tmp” from TFTP server
  • 30. TCLevent manager applet Interface_Eventevent syslog pattern “.*UPDOWN.*FastEthernet0/1.* changed state to .*”event 1.0 cli command “tclsh flash:notify.tcl”30• Cisco devices have a framework called EEM:“Embedded Event Manager”• Example:• The router may communicate informationbased on its status
  • 31. Puppet31• Configuration Management Software• Deploy security patches• Manage SSH keys• Modify thousands of servers in one shot“DevOps to the rescue”
  • 32. The Conductor• OSSEC• Log Management• Active-Response• Powerful alerts engine32
  • 33. Action? Reaction!• Example of OSSEC rule<rule id=”100101” level=”5” frequency=”5” timeframe=”60”><match>access denied</match><group>invalid_login,</group></rule><active-response><command>ad-block-user</command><location>local</location><rules_id>100101</rules_id></active-response>33
  • 34. Agenda• Some facts• Current situation• Toolbox• Examples34
  • 35. $ cat disclaimer2.txt<warning>Some slides contain examples basedon open source as well as v€ndor$ solutions.I’m not affiliated with any of them!</warning>35
  • 36. Online Resources• DNS-BH$ wget -N• Google SafeBrowsinguse Net::Google::SafeBrowsing2;use Net::Google::SafeBrowsing2:::Sqlite;my gsb = Net::Google::SafeBrowsing2->new(key => “xxx”,storage => Net::Google::SafeBrowsing2::Sqlite->new(file =>“google.db”));$gsb->update();my $match = $gsb->lookup(url => “”);if ($match eq MALWARE) { ... }36
  • 37. Dynamic Firewall Config• FireEye malware analysis box• Firewalls• Checkpoint• PaloAlto• IPtables• <insert your preferred fw $VENDOR here>• OSSEC37
  • 38. Dynamic Firewall ConfigFireEye OSSEC PaloAltoCheckpointIPtables38
  • 39. Dynamic User Blacklist• Syslog Concentrator• OSSEC• SSLVPN• LDAP directory39
  • 40. Dynamic User Blacklistsshd OSSEC LDAPsshdsshd$ ldapmodify -D ‘cn=admin’ -w ‘pass’ dn:uid=jdoe, changetype: modify replace:userpassword userpassword:newpass40
  • 41. SMTP Malware Analysis• Postfix MTA• Cuckoo• CuckooMX (Perl)41
  • 42. SMTP Malware AnalysisCuckooMXPostfix Cuckoo42
  • 43. MySQL Self-Defense• MySQL Server• MySQL Proxy• lib_mysqludf_log43
  • 44. MySQL Self-Defensemysql-proxyclient mysqld44error.log
  • 45. Controls• Security first!• Strong controls must be implemented• Authentication/Authorization• Could break your compliance• Use an OoB network• Risk of DoS!45
  • 46. Conclusions• Don’t buy just “a box”• RTFM• Control• It’s up to you!46
  • 47. ThankYou!Questions?No? Beers!47