Open Source IDS - How to use them as a powerful free Defensive and Offensive tool

What is an IDS? What is required for a successful implementation and utilisation? IDS can also be used for penetration testing activities, not just for defence purposes. See how!

This was presented as part of the FIRST Technical Colloquium 2017 Conference in Mauritius on the 30th of November 2017.

Feel free to contact us for more information.
If you are reusing some of the slides or their content, can you please reference our website as the source: https://www.elysiumsecurity.com

  1. {elysiumsecurity} Open Source IDS: How to use them as a powerful free Defensive and Offensive tool. Version: 1.2w. Author: Sylvain Martinez. cyber protection & response. Classification: Public
  2. Agenda
     • Introduction;
     • Cyber Security Context;
     • IDS Concept;
     • Requirements for success;
     • IDS Benefits;
     • Something different…
  3. Who Am I? https://www.elysiumsecurity.com
  4. Why Listen?
     • Understand why you need an IDS;
     • How everyone can get started with a free IDS;
     • This dashboard in your home/company in less than 2h!*
     * If you already have a TAP setup
  5. Today's Cyber Security Risk Context
     Cyber Security Risks' probability and impact are increasing. Their ability to disrupt companies' business operations has growing financial, reputational and legal negative consequences.
     This overall diagram is copyright Elysiumsecurity LTD and can only be re-used if the source is referenced as: Sylvain Martinez, https://www.elysiumsecurity.com
     [Three charts, each plotting GROWTH (0% to 100%) against TIME (Yesterday to Tomorrow)]
  6. Cyber Security Puzzle: PREVENT, DETECT, RESPOND
     • End Point Protection • Policies • DLP • DRM • SOC • F/W • IPS • IDS • Incident Response • Forensics • DLP • SIEM • CERT • Incident Management
  7. Importance of Detection (PREVENT, DETECT, RESPOND)
     DETECTION allows you to know there is a problem, and that you need to do something!
  8. IDS? What IDS?
     • IDS: NIDS, HIDS, IPS
     • Signature Based, Behaviour Based, Pattern Based
     • Passive, Active
  9. FREE IDS
     • Snort based engine;
     • Suricata based engine;
     • Suites of software available as VM:
       - Security Onion (SO): https://securityonion.net/
       - SELKS: https://www.stamus-networks.com/open-source/
     • Great community is here to help;
     • Authors are very active;
     • Professional support available from them too;
     • Various install guides available: https://www.elysiumsecurity.com/blog/Guides/post7.html
  10. DEFENSIVE IDS
  11. Simplistic NIDS Concept
     [Diagram: Guest WIFI, Users, Servers and DMZ segments connected to the INTERNET; duplicated traffic is fed to the IDS, whose Traffic Analysis (Signatures, Patterns/Behaviours) produces Security Alerts. Icons from VMWARE]
  12. IDS Requirements for success
     1. Traffic Visibility (COVERAGE)
     2. Asset Inventory (TRACKING)
     3. Context (TUNING)
  13. Traffic Visibility
     • TAP/SPAN port on key egress points
     • Corporate Solutions:
       - Dedicated hardware
       - Soft config in most switches (Ubiquiti Networks, CISCO...)
     • Home Solutions:
       - Netgear GS105E
       - Mikrotik Router NATting
  14. Asset Inventory
     • IP/Asset inventory software:
       - Network dedicated
       - Part of wider asset inventory
     • MAC Address Fingerprinting
     • Fixed IP
     • Reserved DHCP / NATting
  15. Context
     QUESTIONS
     • Is that a false positive?
     • Is that normal behaviour?
     • Is the end point targeted critical?
     • Is this a configuration issue?
     • Have we seen this before?
     • …
     ANSWERS
     • Network Topology knowledge;
     • Asset owner knowledge;
     • Application owner knowledge;
     • Business analyst contact;
     • Cyber Security knowledge;
     • …
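The Asset Inventory and Context requirements above are what turns a raw IDS alert into something actionable. The following is an added example, not part of the deck or of any of the tools it names: it reads Suricata EVE JSON alert records (the output Security Onion and SELKS store), looks each one up in an asset inventory and scores it by severity, target criticality and whether the same alert was already seen. The inventory, the alert records, the signature ids and the IP addresses are all constructed.

```python
import json
from collections import Counter

# Constructed asset inventory (slide 14): IP -> owner, role, criticality.
ASSET_INVENTORY = {
    "10.0.1.10": {"owner": "finance", "role": "ERP server", "critical": True},
    "10.0.2.25": {"owner": "guest-wifi", "role": "guest laptop", "critical": False},
}

# Constructed Suricata EVE JSON records; signature ids and IPs are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-11-30T10:01:02+0400","event_type":"alert","src_ip":"198.51.100.7",'
    '"dest_ip":"10.0.1.10","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SMB probe","severity":2}}',
    '{"timestamp":"2017-11-30T10:01:09+0400","event_type":"flow","src_ip":"10.0.2.25","dest_ip":"203.0.113.5"}',
    '{"timestamp":"2017-11-30T10:02:30+0400","event_type":"alert","src_ip":"198.51.100.7",'
    '"dest_ip":"10.0.1.10","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SMB probe","severity":2}}',
    '{"timestamp":"2017-11-30T10:03:00+0400","event_type":"alert","src_ip":"10.0.2.25",'
    '"dest_ip":"203.0.113.5","alert":{"signature_id":9000002,"signature":"CONSTRUCTED cleartext login","severity":3}}',
    '{"timestamp":"2017-11-30T10:04:00+0400","event_type":"alert","src_ip":"198.51.100.9",'
    '"dest_ip":"10.0.3.77","alert":{"signature_id":9000003,"signature":"CONSTRUCTED SSH brute force","severity":1}}',
]

# Keep only alert events, attach asset context and compute a priority score.
def triage(eve_lines, inventory):
    seen, results = Counter(), []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records are context, not alerts
        sig = ev["alert"]
        # The monitored host may be on either side of the connection.
        asset = inventory.get(ev["dest_ip"]) or inventory.get(ev["src_ip"])
        key = (sig["signature_id"], ev["src_ip"], ev["dest_ip"])
        seen[key] += 1
        score = 5 - sig["severity"]  # Suricata: 1 is most severe, so invert to 4..1
        if asset and asset["critical"]:
            score += 2  # "Is the end point targeted critical?"
        if seen[key] > 1:
            score -= 1  # "Have we seen this before?": repeats need less urgency
        results.append({
            "timestamp": ev["timestamp"], "signature": sig["signature"],
            "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"],
            "owner": asset["owner"] if asset else None,
            "inventory_gap": asset is None,  # unknown host: inventory needs updating
            "repeat_count": seen[key], "score": score,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)  # stable sort

if __name__ == "__main__":
    for r in triage(SAMPLE_EVE_LINES, ASSET_INVENTORY):
        print(r["score"], r["dest_ip"], r["owner"] or "UNKNOWN ASSET", r["signature"])
```

An alert against a host the inventory does not know is flagged with `inventory_gap`, which is the Asset Inventory requirement surfacing as work to do rather than a guess at the alert's importance.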
  16. IDS Defensive Benefits
     • Alerts you of Cyber Security attacks;
     • Alerts you of Cyber Security issues;
     • Finds vulnerable hosts on your network;
     • Finds vulnerable applications on your network;
     • Monitors network flow behaviours;
     • Monitors network ports activity;
     • Monitors network traffic;
     • Monitors file transfers;
     • Establishes network entity relationships;
     • …
  17. IDS Actionable Information
  18. IDS Defensive Benefits - revisited
     • Alerts you of Cyber Security attacks;
     • Alerts you of Cyber Security issues;
     • Finds vulnerable hosts on your network;
     • Finds vulnerable applications on your network;
     • Monitors network flow behaviours;
     • Monitors network ports activity;
     • Monitors network traffic;
     • Monitors file transfers;
     • Establishes network entity relationships;
     • …
  19. OFFENSIVE IDS
  20. Simplistic NIDS Concept - Revisited
     [Diagram: as on slide 11, with PCAP Files captured at several points and fed to the IDS, whose Files Extraction yields Files, Passwords, … alongside the Security Alerts. Icons from VMWARE]
  21. IDS Requirements - Offensive
     1. Traffic Capture (REPLAY & ANALYSIS)
     2. Asset Inventory (TARGETING)
     3. Context (PRIORITISATION)
  22. Traffic Capture
     • Physical Access required in most cases
     • TAP traffic against key targets
     • Powered/Unpowered solutions
     • Dummy Capture Devices:
       - Small Router;
       - Throwing Star LAN;
     • Intelligent Capture Devices:
       - Raspberry Pi;
       - Hak5 Packet Squirrel.
     NO IMPACT
  23. IDS Offensive Benefits
     • Speed up Network Traffic Analysis;
     • Identify interesting timelines;
     • Identify targets of interest;
     • Identify vulnerabilities to exploit;
     • Extract sensitive information;
     • Profile users and applications;
     • …
  24. Takeaway
     • Free IDS available;
     • Pre-configured and easy to deploy;
     • Provide good defensive visibility and alerts;
     • Provide good offensive capabilities;
     • Instant returned value;
     • Try one today!
  25. THANK YOU. emailus@elysiumsecurity.com https://www.elysiumsecurity.com