Unity Makes Strength SOURCE Dublin 2013

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.
1. Unity Makes Strength
“Why keep this valuable information in a corner?”
SOURCE Dublin 2013

2. $ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger @ night
• BruCON co-organizer

3. $ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

4. Agenda
• Some facts
• Current situation
• Toolbox
• Examples

5. Defense vs. Attack
• Offensive security is funny (w00t! We break things)
• Defensive security can also be fun! (proud to not be pwn3d ;-)
• “Know your enemy!”

6. Welcome to Belgium!

7. Welcome to Belgium!

8. Belgique, België, Belgien
But with a very complicated political landscape!

9. Belgian Motto
“L’union fait la force” (“Unity Makes Strength”)

10. And Infosec?
Why not apply this to our security infrastructures?

11. Agenda
• Some facts
• Current situation
• Toolbox
• Examples

12. Initial Situation
[Diagram: Firewall, IDS, Proxy, Malware Analysis, each taking its own Action]

13. Then Came the god “SIEM”
[Diagram: Firewall, IDS, Proxy, Malware Analysis each send Logs to Centralized Logging Solutions / SIEM]

14. Weaknesses?
• Independent solutions
• Static configurations
• Only logs are centralized
• No global protection
• Useful data not shared
• Real-time protection not easy

15. The Value of Data
• IP addresses
• User names
• URLs
• Domains
• Digests (MD5, SHA1, etc)

16. Multiple Sources
• Online repositories
• Internal resources
• Automatic process

17. Nothing New!
[Diagram: Input → Process → Output]

18. Back to the Roots
• REXX is a scripting language invented by IBM.
• ARexx was implemented in AmigaOS in 1987.
• It allows applications having an ARexx interface to communicate and exchange data.

19. RTFM!
• Security is a big market ($$$)
• The “Microsoft Office” effect (<10% of features really used)
• Invest time to learn how your products work.
• Be a hacker: learn how it works and make it work like you want.

20. Backdoors...
• CLI
• Web API (JSON, XML)
• Databases
• Scripting languages
• Serial console

21. Protocols
• HTTP(S)
• TFTP
• SSH
• SNMP
• IF-MAP
• Proprietary tools (dbedit)

22. Automation is the Key
• We’re all lazy people!
• Expect!

    use Expect;
    my $e = Expect->new();
    # '@' must be escaped inside double quotes, otherwise Perl interpolates @$host
    my $c = "ssh $user\@$host";
    $e = Expect->spawn($c) or die "No SSH?";
    # wait for the password prompt, then answer it
    $e->expect($timeout,
        [ qr'password: $', sub { my $fh = shift; print $fh "$password\n"; } ]
    );

23. A New Architecture
[Diagram: Firewall, IDS, Proxy, Malware Analysis send Logs to Centralized Logging Solutions / SIEM; a Toolbox feeds Actions back to each device]

24. Agenda
• Some facts
• Current situation
• Toolbox
• Examples

25. HTTPS
• Generate an API key
    https://10.0.0.1/api/?type=keygen&user=foo&password=bar
• Submit XML requests
    https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>

26. Snort-Rules Generator
• Lots of security tools accept Snort rules

    use Snort::Rule;
    my $rule = Snort::Rule->new(
        -action => 'alert',
        -proto  => 'tcp',
        -src    => '10.0.0.1',
        -sport  => 'any',
        -dst    => 'any',
        -dport  => 'any',
    );
    $rule->opts('msg', 'Detect traffic from 10.0.0.1');
    $rule->opts('sid', '666666');
    print $rule->string, "\n";
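The same generator idea in Python, as an added example that is not the talk's Perl code: rules are built from a list of indicators, and the fields are validated before a rule reaches a sensor (network fields must parse as an address or CIDR, ports must be numeric, the message is escaped, and the SID must sit in the range from 1000000 upward that Snort reserves for local rules; the slide's 666666 would be rejected). The indicator list is constructed.

```python
import ipaddress

# Snort reserves SIDs from 1000000 upward for locally written rules.
LOCAL_SID_START = 1_000_000
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _check_net(value):
    """Accept 'any', a single IP or a CIDR block; raise ValueError otherwise."""
    if value != "any":
        ipaddress.ip_network(value, strict=False)
    return value


def _check_port(value):
    """Accept 'any', a port number or a low:high range."""
    if value == "any":
        return value
    parts = value.split(":")
    if len(parts) > 2 or not all(p.isdigit() and 0 <= int(p) <= 65535 for p in parts):
        raise ValueError("bad port: %r" % value)
    return value


def _escape_msg(text):
    # Option values end at ';' and are delimited by '"'; both (and '\') are escaped.
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def snort_rule(src, sport, dst, dport, msg, sid, proto="ip", action="alert", rev=1):
    """Return one Snort rule line; raises ValueError on invalid fields."""
    if proto not in PROTOCOLS:
        raise ValueError("bad protocol: %r" % proto)
    if not (LOCAL_SID_START <= sid < 2 ** 32):
        raise ValueError("SID %d outside the local range" % sid)
    header = "%s %s %s %s -> %s %s" % (
        action, proto, _check_net(src), _check_port(sport),
        _check_net(dst), _check_port(dport))
    options = 'msg:"%s"; sid:%d; rev:%d;' % (_escape_msg(msg), sid, rev)
    return "%s (%s)" % (header, options)


# Constructed indicators, as they might come from a sandbox or a feed.
INDICATORS = [
    {"ip": "10.0.0.1", "note": "host seen by sandbox"},
    {"ip": "198.51.100.0/24", "note": 'drop zone; ports "any"'},
]


def rules_from_indicators(indicators, first_sid=LOCAL_SID_START):
    """One alert rule per indicator; SIDs are allocated sequentially and never reused."""
    rules = []
    for offset, ind in enumerate(indicators):
        rules.append(snort_rule(ind["ip"], "any", "any", "any",
                                "Traffic from %s - %s" % (ind["ip"], ind["note"]),
                                first_sid + offset))
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_indicators(INDICATORS)))
```

Keeping the SID allocation in one place (a counter or a small database) matters as soon as several scripts generate rules: two rules with the same SID are a silent failure on the sensor side.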
27. IF-MAP
• Open standard to allow authorized devices to publish/search relevant information
• Information could be
• IP
• Login
• Location (devices)
• Domain

28. IF-MAP

    use Ifmap;
    use Ifmap::Util;
    my $r    = Ifmap::Request::NewSession->new();
    my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
    my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
    my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
    my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');

29. SNMP
• SNMP can be used to push configuration changes
• Example: router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2

    $ snmpset -v1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp

30. TCL
• Cisco devices have a framework called EEM: “Embedded Event Manager”
• Example: the router may communicate information based on its status

    event manager applet Interface_Event
     event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
     action 1.0 cli command "tclsh flash:notify.tcl"

31. Puppet
• Configuration Management Software
• Deploy security patches
• Manage SSH keys
• Modify thousands of servers in one shot
“DevOps to the rescue”

32. The Conductor
• OSSEC
• Log Management
• Active-Response
• Powerful alerts engine

33. Action? Reaction!
• Example of OSSEC rule

    <rule id="100101" level="5" frequency="5" timeframe="60">
      <match>access denied</match>
      <group>invalid_login,</group>
    </rule>
    <active-response>
      <command>ad-block-user</command>
      <location>local</location>
      <rules_id>100101</rules_id>
    </active-response>
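What the rule above asks the conductor to do, written out as an added Python example (not OSSEC code): a sliding window counts “access denied” events per user and source, and once five fall within 60 seconds it emits an active-response decision naming the command from the rule. The log lines and their format are constructed; the user/source fields are a hypothetical layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The rule from the slide, as data.
RULE = {"id": 100101, "match": "access denied", "frequency": 5,
        "timeframe": 60, "command": "ad-block-user"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
WHO_RE = re.compile(r"for user (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample log: jdoe fails five times within a minute, bob once,
# and jdoe once more after the window has passed.
SAMPLE_LOG = """\
2013-05-14 10:00:01 app: access denied for user jdoe from 10.0.0.5
2013-05-14 10:00:12 app: access denied for user jdoe from 10.0.0.5
2013-05-14 10:00:20 app: login ok for user alice from 10.0.0.9
2013-05-14 10:00:25 app: access denied for user jdoe from 10.0.0.5
2013-05-14 10:00:31 app: access denied for user jdoe from 10.0.0.5
2013-05-14 10:00:40 app: access denied for user bob from 10.0.0.7
2013-05-14 10:00:55 app: access denied for user jdoe from 10.0.0.5
2013-05-14 10:02:10 app: access denied for user jdoe from 10.0.0.5
"""


def correlate(log_text, rule=RULE):
    """Return one action per (user, source) that reaches rule frequency within timeframe."""
    windows = defaultdict(deque)   # (user, src) -> timestamps of recent matches
    actions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or rule["match"] not in m["msg"]:
            continue
        who = WHO_RE.search(m["msg"])
        if not who:
            continue
        key = (who["user"], who["src"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = windows[key]
        window.append(ts)
        # Forget matches older than the timeframe, measured from the newest one.
        while (ts - window[0]).total_seconds() > rule["timeframe"]:
            window.popleft()
        if len(window) >= rule["frequency"]:
            actions.append({"rule_id": rule["id"], "command": rule["command"],
                            "user": key[0], "srcip": key[1], "at": m["ts"]})
            window.clear()   # design choice of this example: one action per burst
    return actions


if __name__ == "__main__":
    for action in correlate(SAMPLE_LOG):
        print(action)
```

The key is (user, source) on purpose: counting on the user alone lets one remote host lock out an account from anywhere, counting on the source alone misses a distributed attempt against one account; which pair is right depends on what the active-response command does.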
34. Agenda
• Some facts
• Current situation
• Toolbox
• Examples

35. $ cat disclaimer2.txt
<warning>Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!</warning>

36. Online Resources
• DNS-BH
    $ wget -N http://dns-bh.sagadc.org/domains.txt
• Google SafeBrowsing

    use Net::Google::SafeBrowsing2;
    use Net::Google::SafeBrowsing2::Sqlite;
    my $gsb = Net::Google::SafeBrowsing2->new(
        key     => "xxx",
        storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
    );
    $gsb->update();
    my $match = $gsb->lookup(url => "http://evil.com");
    if ($match eq MALWARE) { ... }
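For the DNS-BH side of that slide, an added Python example (not the talk's code and not the DNS-BH project's): load a domain-per-line list such as domains.txt and check a URL's hostname against it, matching parent domains as well so that a host under a listed domain is caught without substring false positives. The feed text below is constructed in that layout; nothing is fetched.

```python
from urllib.parse import urlsplit

# Constructed sample in the one-domain-per-line layout; '#' starts a comment.
FEED_TEXT = """\
# constructed sample feed
evil.example
Malware-Drop.test
  tracker.example.   # trailing dot and odd whitespace are tolerated
"""


def load_feed(text):
    """Parse a domain-per-line feed into a normalised set (lowercase, no trailing dot)."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def blacklisted_domain(host, feed):
    """Return the feed entry covering host (the host itself or a parent), else None.

    Walks from the full name upward and stops before the bare TLD, so a listed
    'evil.example' covers 'cdn.evil.example' but never 'notevil.example'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def check_url(url, feed):
    """Return (hostname, matched_domain_or_None) for a URL."""
    host = urlsplit(url).hostname or ""
    return host, blacklisted_domain(host, feed)


if __name__ == "__main__":
    feed = load_feed(FEED_TEXT)
    for url in ("http://cdn.evil.example/x", "http://notevil.example/", "http://MALWARE-DROP.test:8080/a"):
        print(url, "->", check_url(url, feed))
```

A plain `in` check on the full hostname misses everything under a listed domain, and a substring check flags unrelated names that happen to end the same way; the label walk above avoids both.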
37. Dynamic Firewall Config
• FireEye malware analysis box
• Firewalls
• Checkpoint
• PaloAlto
• IPtables
• <insert your preferred fw $VENDOR here>
• OSSEC

38. Dynamic Firewall Config
[Diagram: FireEye, OSSEC, PaloAlto, Checkpoint, IPtables]
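The last hop of that chain, as an added Python example that is neither the talk's code nor FireEye, OSSEC or vendor code: a “block this address” decision is turned into a change per backend, but only after the controls the deck insists on later (refuse internal and allowlisted addresses, so a poisoned or mistaken verdict cannot cut you off from your own resolver or management network). Backends shown are an iptables command line and a PAN-OS XML API request in the form of the HTTPS slide; the xpath mirrors that slide, the firewall address and API key are placeholders, the allowlist is constructed, and Checkpoint (dbedit) is not covered. This is a dry run: nothing is executed or sent.

```python
import ipaddress
from urllib.parse import urlencode

# Ranges this planner will never block, whatever a sensor reports.
# (Checked explicitly rather than with is_private, which in Python also covers
# the documentation ranges used for the sample addresses below.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed allowlist: hosts the infrastructure itself depends on, e.g. the resolver.
ALLOWLIST = {ipaddress.ip_address("203.0.113.53")}


def iptables_args(ip):
    """argv for a DROP rule inserted at the top of FORWARD (not executed here)."""
    return ["iptables", "-I", "FORWARD", "1", "-d", str(ip), "-j", "DROP"]


def panos_set_request(name, ip, api_key, firewall="FIREWALL_PLACEHOLDER"):
    """PAN-OS XML API 'set' request creating an address object, in the form of the HTTPS slide.

    urlencode takes care of the brackets, quotes and angle brackets in xpath/element.
    """
    xpath = ("/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]"
             "/address/entry[@name=%s]" % name)
    element = "<ip-netmask>%s</ip-netmask><description>auto-blocked</description>" % ip
    query = urlencode({"type": "config", "action": "set", "key": api_key,
                       "xpath": xpath, "element": element})
    return "https://%s/api/?%s" % (firewall, query)


def plan_block(address, allowlist=ALLOWLIST):
    """Return {'ok': True, 'changes': {...}} or {'ok': False, 'reason': ...}."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return {"ok": False, "reason": "not an IP address: %r" % address}
    if any(ip in net for net in NEVER_BLOCK):
        return {"ok": False, "reason": "%s is an internal or reserved address" % ip}
    if ip in allowlist:
        return {"ok": False, "reason": "%s is allowlisted" % ip}
    name = "blk-" + str(ip).replace(".", "-").replace(":", "-")
    return {"ok": True, "changes": {
        "iptables": iptables_args(ip),
        "panos": panos_set_request(name, ip, "API_KEY_PLACEHOLDER"),
    }}


if __name__ == "__main__":
    for addr in ("203.0.113.7", "10.0.0.5", "203.0.113.53", "not-an-ip"):
        print(addr, "->", plan_block(addr))
```

Refusals are returned as data rather than raised, so the conductor can log why a verdict was not acted on; that record is what you will want when a sensor starts reporting your own address space.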
39. Dynamic User Blacklist
• Syslog Concentrator
• OSSEC
• SSLVPN
• LDAP directory

40. Dynamic User Blacklist
[Diagram: sshd (three hosts), OSSEC, LDAP]

    $ ldapmodify -D 'cn=admin' -w 'pass'
    dn: uid=jdoe,o=acme.org
    changetype: modify
    replace: userpassword
    userpassword: newpass

41. SMTP Malware Analysis
• Postfix MTA
• Cuckoo
• CuckooMX (Perl)

42. SMTP Malware Analysis
[Diagram: Postfix, CuckooMX, Cuckoo]

43. MySQL Self-Defense
• MySQL Server
• MySQL Proxy
• lib_mysqludf_log

44. MySQL Self-Defense
[Diagram: client, mysql-proxy, mysqld, error.log]

45. Controls
• Security first!
• Strong controls must be implemented
• Authentication/Authorization
• Could break your compliance
• Use an OoB network
• Risk of DoS!

46. Conclusions
• Don’t buy just “a box”
• RTFM
• Control
• It’s up to you!

47. Thank You!
Questions? No? Beers!