4. SACON 2017
• How do we get to threats in time?
• How do we make sure that the evidence gets captured?
• How do we make sure that the threat is stopped before it is too late?
• How do we do this with a limited staff?
Other Questions
5. SACON 2017
• Security Operations
• Monitor The Enterprise
• Process Alerts (or Correlations)
• Kick Off Incident Response
• Despite Multitude of Solutions
• Still A Manual Process!
• Each Solution Kicked Off In Sequence By Us
• A Lot of Time Is Wasted Being A Bridge Between Systems
This Is Because
9. SACON 2017
• Receives Events From Peers
• Generate A Blacklist from Source of Threat Events
• Use With Anything That Can Consume A Blacklist
• Firewalls
• Endpoint Solutions
• Detection Tools
• Share The Blacklist with Vendors, Partners, and Colleagues
Generate Threat Intelligence Feed
17. SACON 2017
• Receives Events From Peers
• Routers
• Firewalls
• Changes the Route for Source of Threat Activity
• Run Their Traffic Through Different Segment
• Segment Contains Additional Inline Sensors
• Afterwards, It Proceeds to Destination
Redirect Traffic
25. SACON 2017
• Provide Context (Meta-SIEM)
• Import existing cases into platform
• Acquire additional data on adversary, target, or payload
• Push Out to Other Platforms
• Workflow and Reporting
• Decision Making and Execution
• Perform Incident Response
• Delete files and kill processes
• Force password changes and disable accounts
• Block addresses
What They Do
26. SACON 2017
• Machine to Controller
• Connected Only to Controller
• Messages Only the Controller
• Events Shared Only with the Controller
• Nodes exist in a hierarchy
• Slaved to The Controller
• Just Execute Commands Given
• Centralized, Limited in Scope, and Expensive
How They Do It
28. SACON 2017
• Share Fail2Ban Jails
• Ban Actions, Custom Scripts, and Cron Jobs
• Ban actions, and shared file mount
• Vallumd
• Import Known Threats into Fail2Ban
• Custom Scripts
• NAT iptables threats to Honey Pot
• psad and Custom Scripts
• Report Fail2Ban threat to Abuse
• www.blocklist.de
Open Source Solutions
29. SACON 2017
• Machine to Machine
• Direct Connections to Each Other
• Messaging Each Other
• Sharing Events
• Nodes Retain Autonomy
• They keep doing their job
• Expand their visibility
How They Do It
30. SACON 2017
• Does Not Require Intervention
• Limited Use Cases
• Messages Too Closely Tied To Specific Use
• Can Only Be Used For Original Purpose
• Now Dependent On Function
We Are Getting Closer
34. SACON 2017
• Sharing
• Multicast to Local Peers
• Unicast to Remote Peers
• Messages
• Add Threat Event
• Remove Threat Event
Protocol
35. SACON 2017
• Operations
• Sends and Receives from local peers on UDP Port 15000
• Receives from remote peers on TCP Port 15000
• Every message signed with SHA256
• Rules
• The Signature Must Be A Good Signature
• If Already Known, Do Not Share
• Do Not Reflect Back To The Source
Protocol
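The three rules on the Protocol slides (a good signature, no re-sharing of known events, no reflection back to the source) are easy to get subtly wrong, so here is an added example that models a node's forwarding decisions in Python. This is not code from the ANP project: the wire layout (a JSON body with type and address plus a hex `sig` field computed as SHA-256 over a shared salt and the canonical body), the `AnpNode` class, the `SALT` value and the 203.0.113.0/24 addresses are all assumptions or constructed test data; the slides only state that every message is signed with SHA256, that peers share a salt, and that local peers are reached by multicast and remote peers by unicast. The UDP/TCP transport is left out so the logic runs offline.

```python
"""Forwarding rules of a threat-sharing node (added example, not ANP's own code).

Assumed wire format: {"type": "add"|"remove", "address": "...", "sig": hex}
where sig = SHA-256(salt + canonical JSON of the body without sig).
"""
import hashlib
import hmac
import json

SALT = "example-salt-not-the-real-one"  # constructed; every peer must share it


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so every peer hashes identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, salt: str = SALT) -> dict:
    """Return a copy of body carrying a 'sig' field over salt + body."""
    sig = hashlib.sha256(salt.encode() + canonical(body)).hexdigest()
    return dict(body, sig=sig)


def verify(msg: dict, salt: str = SALT) -> bool:
    """Rule 1: the signature must be a good signature (constant-time compare)."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    expected = hashlib.sha256(salt.encode() + canonical(body)).hexdigest()
    return hmac.compare_digest(str(msg.get("sig", "")), expected)


class AnpNode:
    """One peer. Local peers would be reached by multicast on UDP 15000 and
    remote peers by unicast on TCP 15000; here both are plain name lists and
    handle() only returns what would be sent where."""

    def __init__(self, name, local_peers=(), remote_peers=()):
        self.name = name
        self.local_peers = list(local_peers)
        self.remote_peers = list(remote_peers)
        self.known = set()   # (type, address) pairs already processed
        self.dropped = []    # (reason, message) kept for inspection

    def handle(self, msg: dict, source: str) -> list:
        """Apply the three rules; return [(peer, msg)] pairs to forward."""
        if not verify(msg):
            self.dropped.append(("bad signature", msg))
            return []
        key = (msg["type"], msg["address"])
        if key in self.known:                      # Rule 2: already known
            self.dropped.append(("already known", msg))
            return []
        self.known.add(key)
        if msg["type"] == "remove":
            # a later Add for the same address is new information again
            self.known.discard(("add", msg["address"]))
        # Rule 3: share with every peer except the one it came from
        peers = self.local_peers + self.remote_peers
        return [(p, msg) for p in peers if p != source]


if __name__ == "__main__":
    node = AnpNode("n1", local_peers=["a", "b"], remote_peers=["c"])
    event = sign({"type": "add", "address": "203.0.113.7"})  # constructed
    print(node.handle(event, "a"))   # forwarded to b and c, not back to a
    print(node.handle(event, "b"))   # [] because it is already known
```

The dedupe key is deliberately (type, address) rather than the whole message, so a peer that receives the same event over both the multicast and unicast paths forwards it once; a production node would also age entries out of `known` so that a genuinely new sighting after expiry propagates again.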
39. SACON 2017
• Local
• Remote
• Same Network
• Across Same Location
• Across Different Locations
• Link-up Cloud Resources
• Different Networks
Peering
46. SACON 2017
• Purpose
• Publish Events to ANP
• Pull Events From ANP
• Components
• Supporting
• Writer
• Reader
• Operations
• Publishes via Loopback interface
• Pulls from published lists
What They Do
48. SACON 2017
• Integrated Solution
• ANP installed on the same system
• Reads and Writes Locally
• Examples
• Fail2Ban
• Iptables
• modsec
Native
49. SACON 2017
• Stand Alone Solution
• ANP installed on a different system
• Reads and Writes to the Remote (Stand Alone) Solution
• Examples
• ASA
• Switch
• Router
Surrogate
52. SACON 2017
• Pulls Events
• Reads Threat Events from ANP
• Adds Threats to Jail
• Publishes Events
• Writes Jailed Addresses to ANP
• Because of ANP Aging, this means threats stay jailed for 24 hours
• Mistakes can be reversed using an additional tool to inject a Remove Threat event
Fail2Ban
53. SACON 2017
• Pulls Events
• Reads Threat Events from ANP
• Adds Threats to Blacklist
• Distribute for Internal or External Use
• Detecting
• Blocking
• Threat Indicator
Blacklist
55. SACON 2017
• Pulls Events
• Reads Threat Events from ANP
• NATs Threats from Local Webserver to Local Honeypot
• High Interaction Honeypot of Your Website?
• Log Their Activity
• Include a beacon?
iptables
56. SACON 2017
• Increased Visibility
• We don’t change our enterprise
• Everything Keeps Doing Its Job
• We are giving them greater visibility to do so
• Ability to Be Proactive
Sharing Also Provides
67. SACON 2017
• Local ANP Agent
• Your System or Other Network Asset
• One Way Peering to Federation
• Run The Script
• Shares “Remove Threat” event
• Sets the Threat Expiration To Two Hours
• Don’t Forget To Clear Any Logs That Started It All
Remove Tool
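The Fail2Ban, Blacklist and Remove Tool slides together describe an aging model: an address pulled from ANP stays listed for 24 hours, and a Remove Threat event cuts its remaining life to two hours. The following added example (not code from the ANP project) builds a consumable blacklist from such events in Python so the timing can be checked. The event layout (dicts with `type`, `address`, `time`), the `Blacklist` class and the sample events with 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions or constructed data; only the 24-hour and two-hour values come from the slides.

```python
"""Blacklist with ANP-style aging (added example, not ANP's own code)."""
from datetime import datetime, timedelta, timezone

ADD_TTL = timedelta(hours=24)    # ANP aging from the Fail2Ban slide
REMOVE_TTL = timedelta(hours=2)  # expiration set by the Remove tool
HOUR = timedelta(hours=1)
T0 = datetime(2017, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed reference time


class Blacklist:
    """Addresses with an expiry; consumers get only the still-active ones."""

    def __init__(self):
        self.expires = {}  # address -> datetime at which it drops off the list

    def apply(self, event: dict) -> None:
        addr, t = event["address"], event["time"]
        if event["type"] == "add":
            # a fresh sighting never shortens an existing, later expiry
            self.expires[addr] = max(self.expires.get(addr, t + ADD_TTL), t + ADD_TTL)
        elif event["type"] == "remove":
            # the Remove tool sets the expiration to two hours from now;
            # an address that was never listed is simply ignored
            if addr in self.expires:
                self.expires[addr] = min(self.expires[addr], t + REMOVE_TTL)

    def active(self, now: datetime) -> list:
        """Addresses still inside their window, sorted for stable output."""
        return sorted(a for a, exp in self.expires.items() if exp > now)

    def render(self, now: datetime) -> str:
        """One address per line: the form firewalls and endpoint tools ingest."""
        return "\n".join(self.active(now))


def build_sample() -> Blacklist:
    """Apply a constructed event sequence: two adds, then one removal."""
    events = [
        {"type": "add", "address": "203.0.113.7", "time": T0},
        {"type": "add", "address": "198.51.100.22", "time": T0 + 1 * HOUR},
        {"type": "remove", "address": "203.0.113.7", "time": T0 + 3 * HOUR},
    ]
    bl = Blacklist()
    for ev in events:
        bl.apply(ev)
    return bl


if __name__ == "__main__":
    bl = build_sample()
    print(bl.render(T0 + 4 * HOUR))   # both addresses
    print(bl.render(T0 + 6 * HOUR))   # only 198.51.100.22: the removal expired 203.0.113.7 at T0+5h
```

Because a removal only moves an expiry earlier, a Remove event can never keep an address listed longer than its original 24 hours, and the removed address still shows up for two hours, which is why the Remove Tool slide also reminds you to clear the logs that triggered the original jail.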
70. SACON 2017
• Python
• Tested with Python 2.7.x
• Should work with Python 3.6.x
• Other Open Source Software As Required
• iptables
• modsec
• Fail2ban
• Etc.
Requirements for ANP and Interfaces
83. SACON 2017
• Associate with Our WAP (SaconCommunity)
• Start Your VM
• Peer with Other Attendees
• Find Your Address In the List
• Peer With The System Above You
• Peer With The System Below You
• This will be the salt: SSttczghHYrU5fNE
Our Community
97. SACON 2017
• Machine To Machine Communication Solves Many Problems
• It Doesn’t Have To Be The Apocalypse
• With It We Can
• Get To The Threat On Time
• Make Sure Evidence is Captured
• Make Sure That The Threat Is Stopped
• We Can Do It With A Limited Staff
Making The Difference
100. SACON 2017
Blacklist
SHA1 hash is 6fdf91572909e97c5f6e005c93da0524a03463c8
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
101. SACON 2017
Fail2Ban
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
102. SACON 2017
iptables
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
103. SACON 2017
modsec
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/