
Threat Hunting with a Raspberry Pi


Jamie Murdock

Published in: Technology

  2. ABOUT ME
     • One of the CISOs for MRK Technologies
     • 20 years' experience
     • Career focused on defense and response (blue team)
     • Father, husband, Marine, and gamer
     • @b0dach
  3. AGENDA
     • Overview of how a Raspberry Pi can be used in threat hunting
     • Tools installed and sensor placement in the network
     • Automation of tools
     • Integration with threat intel feeds
     • Utilizing custom IoCs
     • Summary
  4. RASPBERRY PI IN THREAT HUNTING
     • Since building a sensor is (relatively) cheap and easy, this is a great way to get more visibility into your network
     • It's a great way to start threat hunting without expensive products
     • Utilizing the Pi as a sensor, you can place multiple sensors that report back to a server
     • This is intended to be used in conjunction with your skillset, not as the entire hunt
  5. RASPBERRY PI IN THREAT HUNTING
     Pros:
     • Inexpensive
     • Can be deployed quickly (plug and play)
     • Automation and integration with threat feeds
     • Sensor offloads the data to an ELK cluster
     Cons:
     • It's a Raspberry Pi
     • It could be used in a large enterprise, but not recommended
     • ARM architecture
  6. THE HARDWARE
     • Raspberry Pi 3 Model B
     • 32GB micro SD card
     • Smraza Raspberry Pi 3 B+ Case
     • HausBell H7 keyboard
     • Total investment: $84.00
  7. KREEPY PI
     • There are a number of Raspbian ports that have been compiled that can be utilized
     • Sweet Security – Threat hunting tools with ELK
     • BriarIDS – A Raspberry Pi IDS
     • RaspberryPi NSM – Network Security Monitor
     • OTX API – AlienVault threat intelligence feed
     • All utilize open source IDS tools like Bro and Suricata
     • (I chose a hybrid of these three)
  8. BASIC CONFIGURATION: KREEPY PI
     • Raspbian (built off NOOBS 2.8.2)
     • Set up to run in command-line mode
     • Set video memory to 0
     • Configure tools per instructions
     • Be prepared to work!
     • Install Filebeat, configure it to ship logs to your ELK instance
  9. DEPLOYMENT
     • Kreepy Pi sensor
     • eth0 in promiscuous mode
     • USB Ethernet dongle – eth1 management interface
     • (Or use the WLAN chip and an off-network router)
     • Security Onion/ELK server on a different system (VM/server/etc.)
  10. HUNTING
     • Monitoring and baselining
     • If possible
     • Bro and OTX
     • Suricata for additional analysis
  11. CUSTOM IOCS
     • Bro and Suricata both support custom IoCs
     • Export from MISP
     • Created by you
  12. SUMMARY
     • Easy(ish) and inexpensive way to utilize Bro, Suricata, and ELK to automate network threat hunting
     • PoC of Kreepy Pi will be uploaded to GitHub
     • This is the beginning, more tool integration and tuning will follow
     • Contribute!!
  13. QUESTIONS
     • @b0dach
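
Slide 11's "export from MISP" path for custom IoCs, as an added example that is not from the original deck or the Kreepy Pi project: it converts the detection-flagged attributes of a MISP event into the tab-separated file read by Bro's Intel framework. The sample event is constructed and simplified, and the function name, the type mapping and the `misp-export` source label are assumptions.

```python
import json

# Assumed mapping from MISP attribute types to Bro Intel framework types.
MISP_TO_BRO = {
    "ip-src": "Intel::ADDR", "ip-dst": "Intel::ADDR",
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
    "url": "Intel::URL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH",
    "sha256": "Intel::FILE_HASH",
}
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"


def misp_to_bro_intel(event_json, source="misp-export"):
    """Render one MISP event's detection-flagged attributes as a Bro intel file."""
    attributes = json.loads(event_json)["Event"].get("Attribute", [])
    lines, seen = [HEADER], set()
    for attr in attributes:
        bro_type = MISP_TO_BRO.get(attr.get("type"))
        if bro_type is None or not attr.get("to_ids"):
            continue  # unsupported type, or context-only attribute
        value = (attr.get("value") or "").strip()
        if bro_type == "Intel::URL":
            value = value.split("://", 1)[-1]  # Bro URL indicators carry no scheme
        elif bro_type != "Intel::ADDR":
            value = value.lower()  # fold case so duplicate domains/hashes collapse
        if len(value.split()) != 1 or (value, bro_type) in seen:
            continue  # empty, has whitespace that would break the TSV, or duplicate
        seen.add((value, bro_type))
        # Collapse tabs/newlines in the comment; "-" marks an unset field.
        desc = " ".join((attr.get("comment") or "").split()) or "-"
        lines.append("\t".join([value, bro_type, source, desc]))
    return "\n".join(lines) + "\n"


# Constructed sample: documentation-range address, example.com names, fake hash.
SAMPLE_EVENT = json.dumps({"Event": {"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True, "comment": "beacon\tdestination"},
    {"type": "domain", "value": "Bad.Example.com", "to_ids": True, "comment": ""},
    {"type": "domain", "value": "bad.example.com", "to_ids": True, "comment": "duplicate"},
    {"type": "url", "value": "http://bad.example.com/login", "to_ids": True, "comment": "landing page"},
    {"type": "md5", "value": "0123456789ABCDEF0123456789ABCDEF", "to_ids": False, "comment": "context only"},
    {"type": "text", "value": "analyst note", "to_ids": False, "comment": ""},
]}})

if __name__ == "__main__":
    print(misp_to_bro_intel(SAMPLE_EVENT), end="")
```

Bro picks up a file like this once its path is added to `Intel::read_files`; matches then appear in `intel.log`, which Filebeat can ship to ELK with the sensor's other logs.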