Unity Makes Strength SOURCE Dublin 2013
This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.

    Presentation Transcript

    • Unity Makes Strength
      “Why keep this valuable information in a corner?”
      SOURCE Dublin 2013

    • $ whoami
      • Xavier Mertens (@xme)
      • Consultant @ day
      • Blogger @ night
      • BruCON co-organizer

    • $ cat disclaimer.txt
      “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

    • Agenda
      • Some facts
      • Current situation
      • Toolbox
      • Examples

    • Defense vs. Attack
      • Offensive security is funny (w00t! We break things)
      • Defensive security can also be fun! (proud to not be pwn3d ;-)
      • “Know your enemy!”

    • Welcome to Belgium!

    • Belgique, België, Belgien
      But with a very complicated political landscape!

    • Belgian Motto
      “L’union fait la force” (“Unity Makes Strength”)

    • And Infosec?
      Why not apply this to our security infrastructures?

    • Agenda: Some facts

    • Initial Situation
      [Diagram: Firewall, IDS, Proxy and Malware Analysis, each taking its own Action independently]

    • Then Came the god “SIEM”
      [Diagram: Firewall, IDS, Proxy and Malware Analysis each send Logs to a Centralized Logging Solution / SIEM]

    • Weaknesses?
      • Independent solutions
      • Static configurations
      • Only logs are centralized
      • No global protection
      • Useful data not shared
      • Real-time protection not easy

    • The Value of Data
      • IP addresses
      • User names
      • URLs
      • Domains
      • Digests (MD5, SHA1, etc.)

    • Multiple Sources
      • Online repositories
      • Internal resources
      • Automatic process

    • Nothing New!
      Input → Process → Output

    • Back to the Roots
      • REXX is a scripting language invented by IBM.
      • ARexx was implemented in AmigaOS in 1987.
      • It allows applications with an ARexx interface to communicate and exchange data.

    • RTFM!
      • Security is a big market ($$$)
      • The “Microsoft Office” effect (<10% of features really used)
      • Invest time to learn how your products work.
      • Be a hacker: learn how it works and make it work like you want.

    • Backdoors...
      • CLI
      • Web API (JSON, XML)
      • Databases
      • Scripting languages
      • Serial console

    • Protocols
      • HTTP(S)
      • TFTP
      • SSH
      • SNMP
      • IF-MAP
      • Proprietary tools (dbedit)

    • Automation is the Key
      • We’re all lazy people!
      • Expect!

        use strict;
        use warnings;
        use Expect;

        # Placeholder values; the slide left these variables undefined.
        my ($user, $host, $password, $timeout) = ('admin', '10.0.0.1', 'secret', 10);

        # Spawn the SSH client ("\@" keeps Perl from interpolating @$host)
        # and answer the password prompt when it appears.
        my $c = "ssh $user\@$host";
        my $e = Expect->spawn($c) or die "No SSH?";
        $e->expect($timeout,
            [ qr/password: $/, sub { my $fh = shift; print $fh "$password\n"; } ],
        );

    • A New Architecture
      [Diagram: Firewall, IDS, Proxy and Malware Analysis send Logs to the Centralized Logging Solution / SIEM; a Toolbox turns them into an Action pushed back to each device]

    • Agenda: Toolbox

    • HTTPS
      • Generate an API key:
        https://10.0.0.1/api/?type=keygen&user=foo&password=bar
      • Submit XML requests:
        https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>

    • Snort Rules Generator
      • Lots of security tools accept Snort rules.

        use strict;
        use warnings;
        use Snort::Rule;

        # Build "alert tcp 10.0.0.1 any -> any any" with a message and a SID.
        my $rule = Snort::Rule->new(
            -action => 'alert',
            -proto  => 'tcp',
            -src    => '10.0.0.1',
            -sport  => 'any',
            -dst    => 'any',
            -dport  => 'any',
        );
        $rule->opts('msg', 'Detect traffic from 10.0.0.1');
        $rule->opts('sid', '666666');
        print $rule->string, "\n";
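The slide builds one rule for one address. The generalisation a toolbox actually needs is "turn a feed of indicators into a rule set": validate every entry, skip duplicates, hand out one SID per rule and escape the message so a feed line cannot break the rule syntax. The following is an added example written for this page, not code from the talk; SID_BASE, build_rule, rules_from_iocs and the sample feed are its own constructs.

```python
"""Added example (not from the talk): generate Snort rules from a list of
indicator IP addresses, generalising the slide's single Snort::Rule call.
SID_BASE, build_rule, rules_from_iocs and SAMPLE_IOCS are this example's own."""
import ipaddress

# Local rules conventionally use SIDs of 1,000,000 and above (assumption:
# the usual local range); the slide used 666666.
SID_BASE = 1000001

def build_rule(src, msg, sid, rev=1, proto="tcp", dst="any", dport="any"):
    """Return one Snort rule line: alert <proto> <src> any -> <dst> <dport> (...)."""
    # Reject anything that is not an address or CIDR block so a malformed
    # indicator cannot become a rule that never fires (or fires on everything).
    net = ipaddress.ip_network(src, strict=False)
    # Snort takes a bare address for a single host and CIDR notation otherwise.
    src_txt = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    # ';' and '"' terminate rule options, so neutralise them in the message.
    safe_msg = msg.replace('"', "'").replace(";", ",")
    return (f'alert {proto} {src_txt} any -> {dst} {dport} '
            f'(msg:"{safe_msg}"; sid:{sid}; rev:{rev};)')

def rules_from_iocs(iocs, sid_base=SID_BASE):
    """Turn (ip, description) pairs into rule lines with one SID each.
    Duplicates and invalid entries are skipped; returns (rules, rejected)."""
    rules, rejected, seen = [], [], set()
    sid = sid_base
    for ip, desc in iocs:
        try:
            key = str(ipaddress.ip_network(ip, strict=False))
        except ValueError:
            rejected.append(ip)
            continue
        if key in seen:
            continue
        seen.add(key)
        rules.append(build_rule(ip, f"IOC: {desc}", sid))
        sid += 1
    return rules, rejected

# Constructed sample feed: what an internal "bad IP" list might look like.
SAMPLE_IOCS = [
    ("10.0.0.1", "Detect traffic from 10.0.0.1"),   # the slide's example host
    ("192.0.2.0/24", "sandbox C2 range"),           # documentation range
    ("10.0.0.1", "duplicate entry"),
    ("not-an-ip", "typo in feed"),
]

if __name__ == "__main__":
    rules, rejected = rules_from_iocs(SAMPLE_IOCS)
    print("\n".join(rules))
    print("rejected:", rejected)
```

The output of rules_from_iocs can be written straight into a local.rules file; the rejected list is worth logging, because a feed that suddenly produces many rejects is usually a format change upstream rather than bad data.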
    • IF-MAP
      • Open standard that allows authorized devices to publish/search relevant information
      • Information could be:
        • IP
        • Login
        • Location (devices)
        • Domain

    • IF-MAP

        use strict;
        use warnings;
        use Ifmap;
        use Ifmap::Util;

        # Open a MAP session, then build the identifiers and metadata to publish.
        my $r    = Ifmap::Request::NewSession->new();
        my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
        my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
        my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
        my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');

    • SNMP
      • SNMP can be used to push configuration changes
      • Example: router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2

        # Cisco hostConfigSet OID (.1.3.6.1.4.1.9.2.1.53) indexed by the TFTP
        # server address; the string value is the file to load. Needs the
        # read-write community.
        $ snmpset -v 1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp

    • TCL
      • Cisco devices have a framework called EEM: “Embedded Event Manager”
      • Example: the router may communicate information based on its status

        event manager applet Interface_Event
          event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
          action 1.0 cli command "tclsh flash:notify.tcl"

    • Puppet
      • Configuration Management Software
      • Deploy security patches
      • Manage SSH keys
      • Modify thousands of servers in one shot
      • “DevOps to the rescue”

    • The Conductor
      • OSSEC
      • Log Management
      • Active-Response
      • Powerful alerts engine

    • Action? Reaction!
      • Example of OSSEC rule (five “access denied” matches within 60 seconds raise a level 5 alert) and the active response bound to it:

        <rule id="100101" level="5" frequency="5" timeframe="60">
          <match>access denied</match>
          <group>invalid_login,</group>
        </rule>

        <active-response>
          <command>ad-block-user</command>
          <location>local</location>
          <rules_id>100101</rules_id>
        </active-response>

    • Agenda: Examples

    • $ cat disclaimer2.txt
      <warning>Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!</warning>

    • Online Resources
      • DNS-BH

        $ wget -N http://dns-bh.sagadc.org/domains.txt

      • Google SafeBrowsing

        use strict;
        use warnings;
        use Net::Google::SafeBrowsing2;
        use Net::Google::SafeBrowsing2::Sqlite;

        # Keep a local copy of the Safe Browsing lists and query it offline.
        my $gsb = Net::Google::SafeBrowsing2->new(
            key     => "xxx",
            storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
        );
        $gsb->update();
        my $match = $gsb->lookup(url => "http://evil.com");
        if ($match eq MALWARE) { ... }   # handle the hit
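Fetching domains.txt is the easy half; the toolbox then has to match what it sees in proxy or DNS logs against that list, and a plain string comparison misses subdomains, ports and mixed case. The following is an added example for this page, not the talk's code: it loads a blocklist in the one-domain-per-line, "#"-comment layout assumed for DNS-BH (the sample feed is constructed) and answers lookups the way the slide's Safe Browsing call does, walking from the full host up to its parent domains. parse_blocklist, host_of and lookup are names chosen here.

```python
"""Added example (not the talk's code): load a domain blocklist like the
DNS-BH domains.txt the slide fetches, and check URLs against it. The feed
layout (one domain per line, '#' comments) and all names are assumptions."""
from urllib.parse import urlsplit

# Constructed sample of a blocklist file; real feeds run to thousands of lines.
SAMPLE_FEED = """\
# constructed sample, not real DNS-BH data
evil.example      # stand-in for the slide's "evil.com"
Malware.Example.net
  bad.example.org
"""

def parse_blocklist(text):
    """Return a set of lowercase domains (no trailing dot) from feed text."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains

def host_of(url):
    """Extract the hostname from a URL; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # drops port and userinfo, lowercases
    return host.rstrip(".") if host else None

def lookup(url, blocklist):
    """Return the listed domain matching url's host (exact or parent), else None."""
    host = host_of(url)
    if not host:
        return None
    labels = host.split(".")
    # Walk from the full host to its parents:
    # a.b.evil.example -> b.evil.example -> evil.example (the bare TLD is skipped)
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_FEED)
    for url in ("http://evil.example/", "https://cdn.EVIL.example:8443/x", "http://notevil.example/"):
        print(url, "->", lookup(url, bl))
```

Returning the matching entry rather than a bare True lets the rest of the chain (OSSEC rule, firewall push) record which feed entry caused the action, which matters when a block has to be explained or undone later.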
    • Dynamic Firewall Config
      • FireEye malware analysis box
      • Firewalls:
        • Checkpoint
        • Palo Alto
        • IPtables
        • <insert your preferred fw $VENDOR here>
      • OSSEC

    • Dynamic Firewall Config
      [Diagram: FireEye → OSSEC → Palo Alto, Checkpoint and IPtables]
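The "Action? Reaction!" slide binds a rule to an active-response command, and this slide shows OSSEC pushing the result to the firewalls. What sits between them is a small script, and the Controls slide's "Risk of DoS!" is exactly where it goes wrong: an alert carrying the address of your own SIEM or management network must never turn into a block. The following is an added example for both slides, not the talk's code. It assumes OSSEC's calling convention for active-response scripts (action, user, source IP as the first three arguments, as its stock firewall-drop script expects) and targets the IPtables case; PROTECTED, CHAIN and the function names are this example's own, and the protected networks are constructed values.

```python
"""Added example (not the talk's code): an OSSEC-style active-response handler
for the Dynamic Firewall Config flow. Assumes OSSEC passes action ("add" or
"delete"), user and source IP as the first three arguments. It validates the
address, refuses to block protected infrastructure and builds the iptables
command. PROTECTED, CHAIN and the function names are this example's own."""
import ipaddress
import shlex
import subprocess
import sys

# Constructed values: never let an alert block loopback or the management
# network that hosts the SIEM/OSSEC server, whatever a feed says.
PROTECTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]
CHAIN = "INPUT"

def validate_ip(text):
    """Return a single host address or raise ValueError (no CIDR blocks, no
    protected addresses)."""
    ip = ipaddress.ip_address(text.strip())
    if any(ip in net for net in PROTECTED):
        raise ValueError(f"{ip} is protected infrastructure, refusing to block")
    return ip

def firewall_command(action, ip):
    """Map OSSEC's add/delete to an iptables rule insertion/removal."""
    flag = {"add": "-I", "delete": "-D"}[action]  # KeyError on an unknown action
    return ["iptables", flag, CHAIN, "-s", str(ip), "-j", "DROP"]

def handle(argv, run=None):
    """Process one active-response call; returns the command that was run.
    run: callable taking the argv list (defaults to subprocess.run)."""
    if len(argv) < 3:
        raise ValueError("usage: action user ip [alert_id rule_id ...]")
    action, _user, ip_text = argv[0], argv[1], argv[2]
    cmd = firewall_command(action, validate_ip(ip_text))
    (run or (lambda c: subprocess.run(c, check=True)))(cmd)
    return cmd

if __name__ == "__main__":
    # Dry run for the reader: print the command instead of executing it.
    try:
        handle(sys.argv[1:], run=lambda c: print("would run:", shlex.join(c)))
    except (ValueError, KeyError) as exc:
        sys.exit(f"active-response refused: {exc}")
```

Because handle takes the executor as a parameter, the same validation can be exercised in a test (or against a Palo Alto or Checkpoint API client instead of iptables) without touching a real firewall; a refusal exits non-zero so OSSEC's own log shows that the response was declined rather than silently skipped.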
    • Dynamic User Blacklist
      • Syslog Concentrator
      • OSSEC
      • SSL VPN
      • LDAP directory

    • Dynamic User Blacklist
      [Diagram: several sshd hosts → OSSEC → LDAP]

        $ ldapmodify -D 'cn=admin' -w 'pass'
        dn: uid=jdoe,o=acme.org
        changetype: modify
        replace: userpassword
        userpassword: newpass

    • SMTP Malware Analysis
      • Postfix MTA
      • Cuckoo
      • CuckooMX (Perl)

    • SMTP Malware Analysis
      [Diagram: Postfix → CuckooMX → Cuckoo]

    • MySQL Self-Defense
      • MySQL Server
      • MySQL Proxy
      • lib_mysqludf_log

    • MySQL Self-Defense
      [Diagram: client → mysql-proxy → mysqld, writing to error.log]

    • Controls
      • Security first!
      • Strong controls must be implemented
      • Authentication/Authorization
      • Could break your compliance
      • Use an OoB network
      • Risk of DoS!

    • Conclusions
      • Don’t buy just “a box”
      • RTFM
      • Control
      • It’s up to you!

    • Thank You!
      Questions? No? Beers!