Unity Makes Strength SOURCE Dublin 2013

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.

Transcript

  • 1. Unity Makes Strength
    “Why keep this valuable information in a corner?”
    SOURCE Dublin 2013
  • 2. $ whoami
    • Xavier Mertens (@xme)
    • Consultant @ day
    • Blogger @ night
    • BruCON co-organizer
  • 3. $ cat disclaimer.txt
    “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  • 4. Agenda
    • Some facts
    • Current situation
    • Toolbox
    • Examples
  • 5. Defense vs. Attack
    • Offensive security is funny (w00t! We break things)
    • Defensive security can also be fun! (proud to not be pwn3d ;-)
    • “Know your enemy!”
  • 6. Welcome to Belgium!
  • 7. Welcome to Belgium!
  • 8. Belgique, België, Belgien
    But with a very complicated political landscape!
  • 9. Belgian Motto
    “L’union fait la force” (“Unity Makes Strength”)
  • 10. And Infosec?
    Why not apply this to our security infrastructures?
  • 11. Agenda
    • Some facts
    • Current situation
    • Toolbox
    • Examples
  • 12. Initial Situation
    (Diagram: Firewall, IDS, Proxy and Malware Analysis, each taking its own isolated Action)
  • 13. Then Came the god “SIEM”
    (Diagram: Firewall, IDS, Proxy and Malware Analysis each send Logs to a Centralized Logging Solution / SIEM)
  • 14. Weaknesses?
    • Independent solutions
    • Static configurations
    • Only logs are centralized
    • No global protection
    • Useful data not shared
    • Real-time protection not easy
  • 15. The Value of Data
    • IP addresses
    • User names
    • URLs
    • Domains
    • Digests (MD5, SHA1, etc)
  • 16. Multiple Sources
    • Online repositories
    • Internal resources
    • Automatic process
  • 17. Nothing New!
    (Diagram: Input -> Process -> Output)
  • 18. Back to the Roots
    • REXX is a scripting language invented by IBM.
    • ARexx was implemented in AmigaOS in 1987.
    • It allows applications that have an ARexx interface to communicate and exchange data.
  • 19. RTFM!
    • Security is a big market ($$$)
    • The “Microsoft Office” effect (<10% of features really used)
    • Invest time to learn how your products work.
    • Be a hacker: learn how it works and make it work like you want.
  • 20. Backdoors...
    • CLI
    • Web API (JSON, XML)
    • Databases
    • Scripting languages
    • Serial console
  • 21. Protocols
    • HTTP(S)
    • TFTP
    • SSH
    • SNMP
    • IF-MAP
    • Proprietary tools (dbedit)
  • 22. Automation is the Key
    • We’re all lazy people!
    • Expect!
      use Expect;
      # spawn the SSH client and answer the password prompt when it appears
      my $c = "ssh $user\@$host";
      my $e = Expect->spawn($c) or die "No SSH?";
      $e->expect($timeout,
          [ qr/password: $/, sub { my $fh = shift; print $fh "$password\n"; } ]
      );
  • 23. A New Architecture
    (Diagram: Firewall, IDS, Proxy and Malware Analysis send Logs to the Centralized Logging Solution / SIEM; a Toolbox pushes an Action back to each of them)
  • 24. Agenda
    • Some facts
    • Current situation
    • Toolbox
    • Examples
  • 25. HTTPS
    • Generate an API key
      https://10.0.0.1/api/?type=keygen&user=foo&password=bar
    • Submit XML requests
      https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='NewHost']&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
  • 26. Snort-Rules Generator
    • Lots of security tools accept Snort rules
      use Snort::Rule;
      my $rule = Snort::Rule->new(
          -action => 'alert',
          -proto  => 'tcp',
          -src    => '10.0.0.1',
          -sport  => 'any',
          -dir    => '->',
          -dst    => 'any',
          -dport  => 'any',
      );
      $rule->opts('msg', 'Detect traffic from 10.0.0.1');
      $rule->opts('sid', '666666');
      print $rule->string(), "\n";
  • 27. IF-MAP
    • Open standard to allow authorized devices to publish/search relevant information
    • Information could be
      • IP
      • Login
      • Location (devices)
      • Domain
  • 28. IF-MAP
      use Ifmap;
      use Ifmap::Util;
      my $r    = Ifmap::Request::NewSession->new();
      my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
      my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
      my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
      my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
  • 29. SNMP
    • SNMP can be used to push configuration changes
    • Example: router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
      $ snmpset -v2c -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
  • 30. TCL
    • Cisco devices have a framework called EEM: “Embedded Event Manager”
    • Example: the router may communicate information based on its status
      event manager applet Interface_Event
       event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
       action 1.0 cli command "tclsh flash:notify.tcl"
  • 31. Puppet
    • Configuration Management Software
    • Deploy security patches
    • Manage SSH keys
    • Modify thousands of servers in one shot
    “DevOps to the rescue”
  • 32. The Conductor
    • OSSEC
    • Log Management
    • Active-Response
    • Powerful alerts engine
  • 33. Action? Reaction!
    • Example of OSSEC rule
      <rule id="100101" level="5" frequency="5" timeframe="60">
        <match>access denied</match>
        <group>invalid_login,</group>
      </rule>
      <active-response>
        <command>ad-block-user</command>
        <location>local</location>
        <rules_id>100101</rules_id>
      </active-response>
  • 34. Agenda
    • Some facts
    • Current situation
    • Toolbox
    • Examples
  • 35. $ cat disclaimer2.txt
    <warning>Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!</warning>
  • 36. Online Resources
    • DNS-BH
      $ wget -N http://dns-bh.sagadc.org/domains.txt
    • Google SafeBrowsing
      use Net::Google::SafeBrowsing2;
      use Net::Google::SafeBrowsing2::Sqlite;
      my $gsb = Net::Google::SafeBrowsing2->new(
          key     => "xxx",
          storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
      );
      $gsb->update();
      my $match = $gsb->lookup(url => "http://evil.com");
      if ($match eq MALWARE) { ... }
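Added example, not from the talk: the Input -> Process -> Output idea of slides 17, 26 and 36 in POSIX sh and awk instead of Snort::Rule. It turns a DNS-BH style domain list into Snort DNS-query rules, encoding each domain in DNS wire format so the rule matches the query itself rather than a loose substring; the sample list, the SID range and the rule options are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: build Snort DNS-query rules from a
# DNS-BH style domain list (slides 17, 26 and 36) with plain sh + awk.

# Constructed sample in the layout of domains.txt (comments, blank lines,
# mixed case, a duplicate, a junk line). These are not real indicators.
SAMPLE_LIST='# constructed sample list
malware.example
Malware.EXAMPLE
tracker.test
not a domain

phish.invalid'

# make_snort_rules SID_BASE  (reads the list on stdin)
# One rule per valid, unique domain. A line that is not a clean hostname is
# dropped, so a feed cannot inject rule options; SIDs start at SID_BASE
# (1000000 and up is the range left free for local rules).
make_snort_rules() {
  tr -d '\r' | tr 'A-Z' 'a-z' | awk -v base="$1" '
    /^#/ || /^[ \t]*$/ { next }                       # comments and blanks
    !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ { next }
    seen[$0]++ { next }                               # duplicates
    {
      # DNS wire format: each label preceded by its length byte, then |00|.
      pat = ""
      n = split($0, lab, ".")
      for (i = 1; i <= n; i++) pat = pat sprintf("|%02X|%s", length(lab[i]), lab[i])
      printf("alert udp $HOME_NET any -> any 53 (msg:\"DNS-BH domain %s\"; content:\"%s|00|\"; nocase; sid:%d; rev:1;)\n",
             $0, pat, base + count++)
    }'
}

# Dry run on the constructed sample. Real use:
#   wget -N -O - http://dns-bh.sagadc.org/domains.txt | make_snort_rules 1000000 > dnsbh.rules
printf '%s\n' "$SAMPLE_LIST" | make_snort_rules 1000000
```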
  • 37. Dynamic Firewall Config
    • FireEye malware analysis box
    • Firewalls
      • Checkpoint
      • PaloAlto
      • IPtables
      • <insert your preferred fw $VENDOR here>
    • OSSEC
  • 38. Dynamic Firewall Config
    (Diagram: FireEye, OSSEC, PaloAlto, Checkpoint, IPtables)
  • 39. Dynamic User Blacklist
    • Syslog Concentrator
    • OSSEC
    • SSLVPN
    • LDAP directory
  • 40. Dynamic User Blacklist
    (Diagram: several sshd hosts, OSSEC, LDAP)
      $ ldapmodify -x -D 'cn=admin' -w 'pass'
      dn: uid=jdoe,o=acme.org
      changetype: modify
      replace: userPassword
      userPassword: newpass
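Added example, not from the talk: a shell script in the shape of an OSSEC active-response command, the `ad-block-user` of slide 33, producing the LDIF of slide 40. OSSEC's bundled active-response scripts receive the action, user and source IP as positional arguments; the base DN `o=acme.org` follows slide 40, while the protected-accounts list and the exit codes are assumptions. It refuses odd user names and administrative accounts because a brute-force attempt against a guessed name would otherwise lock that account, the "Risk of DoS" of slide 45.

```shell
#!/bin/sh
# Added example, not from the talk: an OSSEC active-response style script
# for the "ad-block-user" command of slide 33 that emits the LDIF of slide 40.
# OSSEC's bundled scripts receive: $1 action (add|delete) $2 user $3 srcip $4 alertid $5 ruleid

BASE_DN="o=acme.org"        # directory layout from slide 40
NEVER_LOCK="root admin"     # assumed list: locking these is a self-inflicted DoS (slide 45)

# valid_uid UID: only plain account names reach the directory, so an
# attacker-chosen login name cannot smuggle DN syntax or extra LDIF lines.
valid_uid() {
  case "$1" in
    "" | *[!a-z0-9._-]* ) return 1 ;;
  esac
  for u in $NEVER_LOCK; do
    [ "$u" = "$1" ] && return 1
  done
  return 0
}

# random_secret: 32 hex chars from the kernel RNG. Nobody knows it, so the
# account stays locked until the helpdesk resets it.
random_secret() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# lockout_ldif UID SECRET: the modify operation slide 40 feeds to ldapmodify.
lockout_ldif() {
  printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
    "$1" "$BASE_DN" "$2"
}

# block_user ACTION UID SRCIP [ALERTID] [RULEID]: the entry point OSSEC would call.
# Exit status: 0 LDIF written to stdout, 2 user rejected, 3 action ignored.
block_user() {
  [ "$1" = "add" ] || return 3      # a reset cannot be undone, so "delete" is a no-op
  valid_uid "$2" || return 2
  logger -t ad-block-user "locking uid=$2 after failures from $3" 2>/dev/null || :
  lockout_ldif "$2" "$(random_secret)"
}

# Deployed, the output is piped into: ldapmodify -x -D 'cn=admin' -w 'pass'
# Here it is only printed, so the script can be dry-run from the shell.
block_user add jdoe 10.0.0.5 1234.5 100101
```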
  • 41. SMTP Malware Analysis
    • Postfix MTA
    • Cuckoo
    • CuckooMX (Perl)
  • 42. SMTP Malware Analysis
    (Diagram: Postfix, CuckooMX, Cuckoo)
  • 43. MySQL Self-Defense
    • MySQL Server
    • MySQL Proxy
    • lib_mysqludf_log
  • 44. MySQL Self-Defense
    (Diagram: client, mysql-proxy, mysqld, error.log)
  • 45. Controls
    • Security first!
    • Strong controls must be implemented
    • Authentication/Authorization
    • Could break your compliance
    • Use an OoB network
    • Risk of DoS!
  • 46. Conclusions
    • Don’t buy just “a box”
    • RTFM
    • Control
    • It’s up to you!
  • 47. Thank You!
    Questions? No? Beers!