Conducting Defensive Information Warfare on Open Platforms
23rd October 2013 – LinuxCon Europe
Ben Tullis – (formerly of) LinuxIT (Europe) Ltd.
Ben Tullis - Background
● Professional Linux sysadmin (etc.) for 12+ years
● Worked in several markets:
  – UK Government Research (British Antarctic Survey)
  – Managed Services Providers
  – Independent Software Vendor
  – Specialist Linux Consultancy
● Broad experience of Linux and IT security:
  – ...in the SME Sector
  – ...in the Outsourced Enterprise Sector
Presentation Topics
Defensive Information Warfare on Open Platforms
● Definitions, Threats, Targets, The Basics
● Increasing Network Visibility
● Increasing Host Visibility
● Log Management Tools & Techniques
● Collating and Presenting Security Information
● Focused Distributions
What is Information Warfare?
It's a model that helps to achieve good security practice.
Comprised of four key elements:
1: Information Resources
These resources have intrinsic value to someone:
● Exchange value – how much is it worth?
● Operational value – how useful/important is it?
What is Information Warfare?
2: Players of The Game
Offence
  – In this context, the enemy.
  – Could be anyone with Motive, Means & Opportunity to launch an attack on an Information Resource
  – One or more of: insiders, hackers, criminals, corporations, governments, and terrorists
  – Those ever-present “unknown unknowns”
Defence
  – Everyone else, from individuals to governments
  – Anyone with Information Resources to protect
  – In this context, us
What is Information Warfare?
3: Offensive Operations
Their aim is to:
● Increase the value of an Information Resource to an Offensive player.
● Decrease the value of an Information Resource to a Defensive player.
Three classes of attack:
● Increased availability of information for the offence
  e.g. espionage, identity theft, physical theft
● Decreased integrity of information
  e.g. tampering, fabrication, perception management
● Decreased availability of information for the defence
  e.g. sabotage, denial of service, physical theft
What is Information Warfare?
4: Defensive Operations
Their aim is to:
● Protect Information Resources from these three forms of attack.
They must:
● Cost less than the losses that would occur in their absence.
Six classes of defensive operation:
● Prevention
● Deterrence
● Indications and Warnings
● Detection
● Emergency Preparedness
● Response
Random Threats - Can affect anyone equally
Examples:
● Malware distribution:
  – Removable Media
  – Infected Downloads
● IP Address scanning:
  – Brute-force attacks
  – Zero-day attacks
  – e.g. Carna Botnet (420k node bot-net created by using default passwords)
● Wardriving
● Session Hijacking
Focused Threats - We are the target
● Traditional Network Penetration:
  – Dictionary Attacks
  – Off-line Attacks (e.g. Cloudcracker)
● Known Exploits:
  – Vulnerable Network Services
  – Privilege Escalation
● Social Engineering
Focused Threats - We are the target
Stealthy Devices: requiring physical access
  – Dropboxes, e.g.
    ● Pwnie Express
    ● MiniPwner
    ● Pwn Pi
  – Rogue Access Point, e.g.
    ● WiFi Pineapple
  – Key Stroke Loggers
  – Miniature Cameras etc.
Defining the Targets
They are/will be everywhere.
Defending Information – The Basics
● Good documentation & communication
● Good passwords & security policies
● Appropriate physical security measures
● Well defined change-management procedures
● Apply security patches promptly
● Standardize where possible/appropriate
● Back it all up
Defending Information – The Basics
● Your Monitoring Solution TM
  – Monitor everything you can think of
  – Record as many metrics as possible
  – Review its configuration periodically and...
    ● ...in response to change
    ● ...in response to significant incidents
  – If appropriate, use multiple/parallel systems:
    ● Availability Monitoring
    ● Performance Monitoring
    ● Network Security Monitoring
Increasing Network Visibility - Overview
Making the best possible haystack/needle finding machine:
  – Capture as much network traffic as possible
  – Scan captured traffic: NIDS
  – Consider wireless protocols: WIDS
  – Profile network traffic:
    ● Record detailed statistical information
    ● Visualise normal network behaviour
    ● Facilitates filtering-out of legitimate traffic
  – Implement anomaly detection
Capturing Ethernet Traffic
Often use Switch Mirror Ports (aka. SPAN or Monitor Port)
One port receives all traffic sent to/from the other ports.
Most smart/managed switches support this feature.
Another technique is to use a Network Tap.
Capturing Ethernet Traffic
Simplest case:
● All traffic passing through the switch is visible at the protective Monitoring Server
● Do not assign an IP address to the capture interface:

  # ifconfig eth1 up promisc
Capturing Ethernet Traffic
Redundant System:
● Dual interfaces on all servers: active/active or active/passive
● One capture interface per switch
Capturing Ethernet Traffic
Tree Topology - Option 1 – Remote Port Mirroring
● Requires high-end switches, e.g. Cisco, HP, H3C, Alcatel
● Send all captured traffic to a central location for analysis/profiling.
● Upgrade interface links as necessary.
● Uses VLANs to isolate the mirrored traffic.
● Fairly complex to configure.
Capturing Ethernet Traffic
Tree Topology - Option 2 – Distributed Monitoring
Requires several capture servers
Remote servers send back:
● Events & Alerts
● Statistical traffic information
● System log files
Network Intrusion Detection Systems
Snort
  – Passive mode – Intrusion Detection
  – Inline mode – Intrusion Prevention
  – Searches network traffic for pattern matches
  – Rules files updated daily
    ● Up-to-date VRT rules available immediately to subscribers
    ● VRT rules freely available to registered users after 30 days
    ● Community rules under GPL. A subset of the VRT rules
    ● Third-party rule sets available, e.g. http://www.emergingthreats.net
Network Intrusion Detection Systems
Snort
  – Update rules daily with one of:
    ● Oinkmaster
    ● Pulled Pork
  – Expect to spend some time tuning:
    ● Main config file: snort.conf
    ● Rules files
    ● Ethernet interface configuration
      e.g. Disable "Large Receive Offload" and "Generic Receive Offload" on the collector:

      ethtool -K eth1 gro off
      ethtool -K eth1 lro off
Network Intrusion Detection Systems
Snort
  – Each rule has an Action associated, e.g.
    ● Send an alert and log traffic.
    ● Simply drop the offending packets. (Inline mode)
    ● Reject the traffic: TCP reset. UDP unreachable. (Inline mode)
    ● Custom actions & custom log types
  – Very flexible alerting and logging methods, e.g.
    ● Text → email alert & Pcap log file
    ● Syslog alert & logging to database
    ● Unified2 (recommended, high-performance format)
Network Intrusion Detection Systems
Suricata
● IDS/IPS project started in 2009
  – Multi-threaded for greater native performance
  – Unified2 output by default
  – Protocol detection. Not based on port number
  – File identification by md5. Extract and save files from traffic
  – Can use Snort rules and can co-exist
  – http://suricata-ids.org/
Network Intrusion Detection Systems
Bro
● Passive Network Analysis Platform:
  – IDS features available – require custom scripting.
  – Detailed statistical log files created
  – Application-layer transcripts, e.g. HTTP, SSL etc.
  – Cluster-aware for high-capacity analysis
  – Scripting engine: Highly extensible
  – Match MD5 against Team Cymru malware database
Wireless Intrusion Detection Systems
● Current best practice in IEEE 802.11:
  – Implement WPA2-Enterprise
    ● RADIUS – e.g. FreeRADIUS
    ● EAP – Strong Authentication
    ● hostapd + wpa_supplicant [+ OpenSSL]
  – Implement IEEE 802.11w
    ● Management Frames Protected
● We consider two types of attack:
  – A Rogue Access Point
  – A De-Authentication Attack
Wireless Intrusion Detection Systems
Kismet
● Monitor 802.11 traffic for known attack patterns:
  – Use additional wireless radios in monitor mode
  – (optionally) Channel-hop on the channels that you use
  – Drones can be distributed network-wide
  – Suitable for embedded use, i.e. OpenWRT, DD-WRT etc.
  – Client can view real-time client list and traffic
  – Alerts can be sent via syslog
  – Tap interface permits full 802.11 capture
Wireless Intrusion Detection Systems
Kismet
1: Detecting rogue access points (diagram slide; label: Legitimate Clients)
Wireless Intrusion Detection Systems
Kismet
1: Detecting rogue access points
● On the server: kismet.conf

  ncsource=drone1:host=10.10.100.1,port=2502
  ncsource=drone2:host=10.10.100.2,port=2502
  alert=APSPOOF,10/min,1/sec
  apspoof=Tullix:ssid="Tullix",validmacs="00:11:22:33:44:55,AA:BB:CC:DD:EE:FF"
  allowplugins=true

● On the drones: kismet_drone.conf

  ncsource=wlan0:drone1:channellist=Tullix
  dronelisten=tcp://10.10.100.1:2502
  droneallowedhosts=10.10.0.1
Wireless Intrusion Detection Systems
Kismet
2: Detecting a de-authentication attack (diagram slide)
Wireless Intrusion Detection Systems
Kismet
2: Detecting a de-authentication attack
● On the server: kismet.conf

  ncsource=drone1:host=10.10.100.1,port=2502
  ncsource=drone2:host=10.10.100.2,port=2502
  alert=DEAUTHFLOOD,5/min,2/sec
  alert=BCASTDISCON,5/min,2/sec
  allowplugins=true
Network Traffic Profiling
Ntop and NtopNG
● Near real-time and historical information about:
  – Hosts observed
  – Protocol distribution
  – Multicast/Broadcast frequency
  – Who's talking to whom?
● Rich graphical interface
● Can also be used as a NetFlow Collector
● PF_RING allows multi-threaded libpcap analysis
Network Traffic Profiling - NtopNG
Network Traffic Profiling - Ntop
NetFlow and friends
● A UDP protocol describing network traffic
● Many proprietary formats: NetFlow, sFlow, jflow, Rflow
● IETF proposed standard: IPFIX (== NetFlow v10)
NetFlow Exporters
● Native support in high-end switches/routers
● Open Source exporters based on Libpcap (& PF_RING)
  – Nprobe - http://www.ntop.org/products/nprobe/
  – Fprobe - http://fprobe.sourceforge.net/
  – Softflowd - http://code.google.com/p/softflowd/
  – Rflow - https://en.wikipedia.org/wiki/DD-WRT#Features
● Also a feature of Open vSwitch - http://openvswitch.org/
● Netflow v5 and v9 are the most common formats
● Exporters send UDP packets to one or more collectors
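Added example, not code from the talk or from any of the tools it lists: a collector-side decoder for the NetFlow v5 datagram format named above, exercised against a datagram constructed in memory. The sample flows, addresses and the 2055 port default are assumptions.

```python
"""NetFlow v5 decoder as a collector would run it (added example, not the
talk's code). A v5 datagram is a 24-byte header followed by up to 30 fixed
48-byte flow records, sent over UDP from exporter to collector.
build_v5_datagram() stands in for the exporter so this runs offline."""
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # version .. sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2
V5_MAX_RECORDS = 30


def build_v5_datagram(flows, sys_uptime=100000, unix_secs=1382515200, seq=0):
    """Encode (src, dst, sport, dport, proto, packets, octets) tuples as one
    v5 datagram. Constructed data: a real exporter fills in uptime, sequence
    numbers, interface indexes and AS numbers from its own state."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    records = b""
    for src, dst, sport, dport, proto, packets, octets in flows:
        records += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            0, 0,                                            # input/output ifindex
            packets, octets, sys_uptime - 5000, sys_uptime,  # counters, first/last
            sport, dport, 0, 0x18, proto, 0,                 # pad1, tcp_flags PSH|ACK, prot, tos
            0, 0, 0, 0, 0)                                   # src_as, dst_as, masks, pad2
    return header + records


def parse_v5_datagram(data):
    """Decode one datagram into (header dict, [flow dict, ...]). Anything that
    is not v5, or whose record count disagrees with the datagram length, is
    rejected outright rather than partially decoded."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     seq, _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match length %d" % (count, len(data)))
    header = {"count": count, "unix_secs": unix_secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}    # low 14 bits = interval
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return header, flows


def talkers(flows):
    """'Who's talking to whom?': octets per (src, dst) pair, busiest first."""
    totals = Counter()
    for f in flows:
        totals[(f["src"], f["dst"])] += f["octets"]
    return totals.most_common()


def collect_forever(bind_addr="0.0.0.0", port=2055):
    """Minimal UDP collector loop (not run by the tests); port 2055 is only a
    conventional choice, point the exporter at whatever you bind here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            header, flows = parse_v5_datagram(data)
        except ValueError as err:
            print("dropping datagram from %s: %s" % (exporter, err))
            continue
        for (src, dst), octets in talkers(flows):
            print("%s seq=%d %s -> %s %d bytes" % (exporter, header["flow_sequence"], src, dst, octets))


# Constructed sample: two HTTPS flows and one DNS query on a 10.10.0.0/16 lab network.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.100.1", 51234, 443, 6, 20, 3400),
    ("10.10.1.5", "10.10.100.1", 51235, 443, 6, 12, 1800),
    ("10.10.1.7", "10.10.100.2", 40000, 53, 17, 1, 72),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, seq=42)

if __name__ == "__main__":
    hdr, fl = parse_v5_datagram(SAMPLE_DATAGRAM)
    print("flow_sequence=%d records=%d" % (hdr["flow_sequence"], hdr["count"]))
    for (src, dst), octets in talkers(fl):
        print("%s -> %s: %d bytes" % (src, dst, octets))
```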
NetFlow Collectors
● Ntop – Historical and statistical analysis
● Nfdump / NfSen – Long-term NetFlow storage and detailed query
  – Nfdump tool-set
    ● nfcapd – Collect netflow streams and save the information
    ● nfdump – Extract and report information from the stored files
    ● nfprofile – Report on a subset of traffic from the stored files
  – NfSen web-interface
    ● Web front-end to analyse and query Nfdump files
    ● Dynamic graph generation, based on filters and time periods
NfSen – NetFlow Sensor
Anomaly Detection Tools
● Arpwatch / Arpalert
  – Maintain a database of authorized MAC addresses
  – Alert on any deviation – syslog or email
● PRADS - Passive Real-Time Asset Detection System
  – Builds a list of hosts/services on the network
  – Can be used to inform snort configuration
  – prads-asset-report - what's been seen on the network?
● PBNJ – Active Network Asset Detection System
  – Database of discovered hosts/services (nmap)
  – Re-scan & diff
Increasing Host Visibility - Overview
● Useful host-based tools
● Host-based Intrusion Detection Systems (HIDS)
Host Visibility Tools
● etckeeper – Keep /etc under version control
Host Visibility Tools
● atop – Retain Historical Process Information
Host Visibility Tools
● auditd – The Linux Audit Daemon
  – and audispd – The Linux Audit Dispatcher
Host Visibility Tools
● lynis – Security audit script, with hardening suggestions
Host-based Intrusion Detection Systems
● OSSEC
  – Multi-platform – facilitates distributed security monitoring
  – File integrity monitoring
  – Log file monitoring
  – Rootkit search
  – Policy audit
  – Email/syslog alerts
  – SQL output
Host-based Intrusion Detection Systems
● Samhain - File Integrity Monitor
  – Stand-alone mode
  – Client/Server mode
  – Log file monitoring
  – Hidden processes
  – Stealth mode
  – auditd integration
  – SQL output
  – Syslog output
● Beltane - web front-end
Host-based Intrusion Detection Systems
● Tripwire – Lightweight file integrity monitor
  – Define policy for file monitoring
  – Create checksum databases of a clean system
  – Mount /var/lib/tripwire on R/O media or R/O network share
  – Checked by cron daily – email/syslog alert on change
  – Update databases and policies as required
  – Configuration, Policies and Databases digitally signed, requiring pass-phrase to update
Host-based Intrusion Detection Systems
● AIDE – Advanced Intrusion Detection Environment
  – Similar in scope and operation to Tripwire
  – Simpler configuration including conf.d snippets
● Fcheck – Perl based file integrity monitor
  – Older but dependable and useful in certain environments
● Stealth – Remote file integrity monitor over SSH
  – http://stealth.sourceforge.net
Log File Management
● syslog – Generally using rsyslog or syslog-ng now
  – Centralize logs – including switches, routers, etc.
  – e.g. Snare or eventlog-to-syslog for Windows
  – TCP or RELP (rsyslog) can aid reliable network transfer
● Cryptographic Log Signing (GPG-13 requirement)
  – Feature of rsyslog version 7.4+
  – rsgtutil utility verifies signatures

  action(type="omfile" file="/var/log/syslog"
         sig.provider="gt"
         sig.keepTreeHashes="on"
         sig.keepRecordHashes="on")
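An added illustration, not rsyslog's or GuardTime's on-disk format, of what the record hashes above give you: a per-record hash chain over a constructed log, with a verifier that pinpoints an edited, deleted or appended record. The log lines and the seed value are made up.

```python
"""Added illustration of the tamper evidence that per-record log hashing gives
(the idea behind sig.keepRecordHashes). Not rsyslog's or GuardTime's format,
and there is no signing step here: the chain head returned by record_hashes()
is the value a signature/timestamp service would sign, so that an attacker who
rewrites the log cannot simply recompute the chain as well."""
import hashlib

SEED = b"constructed-seed-not-a-real-key"   # assumption; a real deployment signs the head


def record_hashes(lines, seed=SEED):
    """h_i = SHA-256(h_{i-1} || record_i), h_0 = SHA-256(seed).
    Returns (per-record hex hashes, chain head). Chaining, not just hashing
    each line, is what makes a deleted or reordered record visible."""
    hashes, prev = [], hashlib.sha256(seed).digest()
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        hashes.append(prev.hex())
    return hashes, prev.hex()


def verify(lines, hashes, head, seed=SEED):
    """Recompute the chain over the log as it is now and compare it with the
    stored record hashes. Returns (ok, first_bad_index): the first record whose
    stored hash no longer matches, or the old length when records were added
    after the chain was closed."""
    recomputed, new_head = record_hashes(lines, seed)
    for i, (have, want) in enumerate(zip(recomputed, hashes)):
        if have != want:
            return False, i
    if len(recomputed) != len(hashes) or new_head != head:
        return False, min(len(recomputed), len(hashes))
    return True, None


# Constructed sample log (not real syslog output).
LOG = [
    "Oct 23 10:00:01 web1 sshd[4242]: Accepted publickey for ben from 10.10.0.9",
    "Oct 23 10:00:05 web1 sudo: ben : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Oct 23 10:00:09 web1 sshd[4242]: Disconnected from 10.10.0.9",
]
STORED_HASHES, STORED_HEAD = record_hashes(LOG)


def tamper_cases():
    """Three ways a log can change after its hashes were stored, and where the
    verifier localises each: edit record 1, delete record 1, append a record."""
    edited = LOG[:1] + [LOG[1].replace("restart nginx", "status nginx")] + LOG[2:]
    deleted = LOG[:1] + LOG[2:]
    appended = LOG + ["Oct 23 10:00:20 web1 cron[5000]: (root) CMD (run-parts /etc/cron.hourly)"]
    return {
        "intact": verify(LOG, STORED_HASHES, STORED_HEAD),
        "edited": verify(edited, STORED_HASHES, STORED_HEAD),
        "deleted": verify(deleted, STORED_HASHES, STORED_HEAD),
        "appended": verify(appended, STORED_HASHES, STORED_HEAD),
    }


if __name__ == "__main__":
    for case, (ok, idx) in tamper_cases().items():
        print("%-8s ok=%-5s first_bad_index=%s" % (case, ok, idx))
```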
Log File Management
● Visualize/Analyse syslog data
  – e.g. Addiscon Loganalyzer [sic]
Log File Management
● Visualize/search syslog data – alternatives
  – ElasticSearch
  – Graylog2
  – Logstash
  – Kibana
  – ELSA
Log File Management
● Application Logs – e.g. Web server
  – Google Analytics != Web Log Analysis
  – Piwik Log Analytics Mode - http://piwik.org/log-analytics/
Active Response – Intrusion Prevention
● Snortsam – Firewall hosts using a Snort plugin
  – Agent runs on/near firewall
● fail2ban - Firewall hosts from log file matches
  – Authentication Failures
  – Repeat Offender Handling
Collating and Presenting Security Information
● Sagan – Scan log files for security related information
  – Snort-like rules for pattern matching
  – e.g. Handling our previous WIDS alert

  alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociated/deauthenticate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic;)

  – Incorporate results into an IDS database
  – Integrates with Snortsam Agent for active firewall response
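Added example that is not Kismet's or Sagan's code: the Sagan rule above run over constructed syslog lines, with the alert throttle from the kismet.conf on the de-authentication slide earlier in the deck modelled in front of it, since Kismet applies that limit before anything reaches syslog. The Kismet message texts and the syslog layout regex are assumptions; the alert names and rule fields come from the slides.

```python
"""Added example (not Kismet's or Sagan's code). "alert=DEAUTHFLOOD,5/min,2/sec"
means at most 5 alerts of that type per minute and at most 2 in any one
second; anything beyond that never reaches syslog, so Sagan never sees it."""
import re
from collections import deque

# Assumed traditional BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Field-by-field equivalent of the Sagan rule above.
SAGAN_RULE = {
    "msg": "[KISMET] Spoofed disassociated/deauthenticate packets",
    "program": "kismet_server",
    "pcre": re.compile(r"DEAUTHFLOOD|BCASTDISCON"),
    "classtype": "suspicious-traffic",
}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(rule, event):
    """'program:' must equal the syslog tag and 'pcre:' must match the body."""
    if event is None or event["program"] != rule["program"]:
        return False
    return rule["pcre"].search(event["msg"]) is not None


class AlertThrottle:
    """One 'alert=NAME,R/unit,B/unit' line: R is the sustained limit over its
    unit, B the burst limit over its (shorter) unit. Kismet keeps one limit
    per alert type, which is why process() keys throttles by name."""
    UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}

    def __init__(self, config_line):
        name, rate, burst = config_line.split("=", 1)[1].split(",")
        self.name = name
        self.rate_n, self.rate_window = self._limit(rate)
        self.burst_n, self.burst_window = self._limit(burst)
        self.sent = deque()   # times of alerts that were actually raised

    @classmethod
    def _limit(cls, text):
        n, unit = text.split("/")
        return int(n), cls.UNIT_SECONDS[unit]

    def allow(self, t):
        """True if an alert at time t (seconds) fits both limits; records it if so."""
        keep = max(self.rate_window, self.burst_window)
        while self.sent and t - self.sent[0] >= keep:
            self.sent.popleft()
        in_rate = sum(1 for s in self.sent if t - s < self.rate_window)
        in_burst = sum(1 for s in self.sent if t - s < self.burst_window)
        if in_rate >= self.rate_n or in_burst >= self.burst_n:
            return False
        self.sent.append(t)
        return True


def throttles_from_config(lines):
    """Build {alert name: AlertThrottle} from the 'alert=' lines of a kismet.conf."""
    return {th.name: th for th in (AlertThrottle(l) for l in lines if l.startswith("alert="))}


def process(stream, rule, throttles):
    """Run (t, syslog_line) pairs through the per-type throttle, then the Sagan
    rule. Returns (raised, suppressed); suppressed are matches that Kismet's
    limit would have dropped before they reached the log collector."""
    raised, suppressed = [], []
    for t, line in stream:
        event = parse_syslog(line)
        if not rule_matches(rule, event):
            continue
        alert_type = rule["pcre"].search(event["msg"]).group(0)
        ok = throttles[alert_type].allow(t)
        (raised if ok else suppressed).append((t, alert_type, rule["msg"]))
    return raised, suppressed


# The two alert lines from the kismet.conf on the de-authentication slide.
KISMET_CONF = ["alert=DEAUTHFLOOD,5/min,2/sec", "alert=BCASTDISCON,5/min,2/sec"]

# Constructed stream: a burst of Kismet alerts plus one unrelated sshd line;
# the first field is seconds from the start of the burst.
_K = "Oct 23 10:00:%02d wids kismet_server[1234]: ALERT %s deauth/disassoc frames from AA:BB:CC:DD:EE:FF"
SAMPLE_STREAM = [
    (0.0, _K % (0, "DEAUTHFLOOD")), (0.2, _K % (0, "DEAUTHFLOOD")),
    (0.3, _K % (0, "BCASTDISCON")), (0.4, _K % (0, "DEAUTHFLOOD")),
    (0.5, "Oct 23 10:00:00 wids sshd[999]: Accepted publickey for ben from 10.10.0.9"),
    (1.5, _K % (1, "DEAUTHFLOOD")), (2.5, _K % (2, "DEAUTHFLOOD")),
    (3.5, _K % (3, "DEAUTHFLOOD")), (3.7, _K % (3, "BCASTDISCON")),
    (4.5, _K % (4, "DEAUTHFLOOD")), (5.5, _K % (5, "DEAUTHFLOOD")),
]


def run_sample():
    """Fresh throttles on every call, so the result is deterministic."""
    return process(SAMPLE_STREAM, SAGAN_RULE, throttles_from_config(KISMET_CONF))


if __name__ == "__main__":
    raised, suppressed = run_sample()
    for t, kind, msg in raised:
        print("t=%.1f %-11s %s" % (t, kind, msg))
    print("suppressed by Kismet's throttle at t=%s" % [t for t, _, _ in suppressed])
```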
Collating and Presenting Security Information
● Snorby – Web console collating IDS/IPS and Sagan alerts
  – Integrates with OpenFPC for full packet capture
● Other consoles available – e.g. Sguil & Squert, BASE
Focused Distributions
● AlienVault OSSIM : (Debian based)
  – Open Core version of their full-featured USM product
    ● Nagios
    ● NfSen
    ● OSSEC
    ● Kismet
    ● Snort
    ● Suricata
    ● Ntop
    ● Arpwatch
    ● PADS
    ● OpenVAS
  – Custom Correlation Engine
  – Custom web framework
Focused Distributions
● The Security Onion : (Ubuntu based)
    ● Snort
    ● Suricata
    ● Bro
    ● Sguil
    ● Squert
    ● Snorby
    ● ELSA
    ● Netsniff-NG
    ● OSSEC
    ● PRADS
    ● Xplico
    ● NetworkMiner
    ● CapME
    ● Argus
Summary
Conducting Defensive Information Warfare
● Maximum network visibility
● Maximum host visibility
● Rigorous log file management
● Rapid analysis and response
Fin

Thank You
Ben Tullis
tullis@hypothetical.co.uk
@tullis
More Related Content

What's hot

NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...UzairAhmad81
 
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationFirewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationGopal Sakarkar
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
Firewall and its purpose
Firewall and its purposeFirewall and its purpose
Firewall and its purposeRohit Phulsunge
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyAdeel Ahmed
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
FireWall
FireWallFireWall
FireWallrubal_9
 
Network forensics
Network forensicsNetwork forensics
Network forensicsArthyR3
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefitsAnthony Daniel
 
FIREWALL
FIREWALL FIREWALL
FIREWALL Akash R
 

What's hot (20)

Security Onion - Introduction
Security Onion - IntroductionSecurity Onion - Introduction
Security Onion - Introduction
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
 
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and AuthenticationFirewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
Firewall, Trusted Systems,IP Security ,ESP Encryption and Authentication
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
Firewall and its purpose
Firewall and its purposeFirewall and its purpose
Firewall and its purpose
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A Survey
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
Firewall
FirewallFirewall
Firewall
 
FireWall
FireWallFireWall
FireWall
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
 
Firewalls
FirewallsFirewalls
Firewalls
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
 
Hardware firewall
Hardware firewallHardware firewall
Hardware firewall
 
Firewall Basing
Firewall BasingFirewall Basing
Firewall Basing
 
FIREWALL
FIREWALL FIREWALL
FIREWALL
 
Firewalls
FirewallsFirewalls
Firewalls
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 

Similar to Defensive information warfare on open platforms

640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22jemtallon
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005James Morris
 
Beyond Cryptojacking: studying contemporary malware in the cloud
Beyond Cryptojacking: studying contemporary malware in the cloudBeyond Cryptojacking: studying contemporary malware in the cloud
Beyond Cryptojacking: studying contemporary malware in the cloudMattMuir5
 
Topics in network security
Topics in network securityTopics in network security
Topics in network securityNasir Bhutta
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.pptDetSersi
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWallwebhostingguy
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 

Similar to Defensive information warfare on open platforms (20)

Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure Security
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT Detection
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005Overview of NSA Security Enhanced Linux - FOSS.IN/2005
Overview of NSA Security Enhanced Linux - FOSS.IN/2005
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 
Beyond Cryptojacking: studying contemporary malware in the cloud
Beyond Cryptojacking: studying contemporary malware in the cloudBeyond Cryptojacking: studying contemporary malware in the cloud
Beyond Cryptojacking: studying contemporary malware in the cloud
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
Securitych1
Securitych1Securitych1
Securitych1
 
Unlock Security Insight from Machine Data
Unlock Security Insight from Machine DataUnlock Security Insight from Machine Data
Unlock Security Insight from Machine Data
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
honeypots.ppt
honeypots.ppthoneypots.ppt
honeypots.ppt
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWall
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Day4
Day4Day4
Day4
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
IoT Security
IoT SecurityIoT Security
IoT Security
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Defensive information warfare on open platforms

What is Information Warfare?
3: Offensive Operations
Their aim is to:
● Increase the value of an Information Resource to an Offensive player.
● Decrease the value of an Information Resource to a Defensive player.
Three classes of attack
● Increased availability of information for the offence
  e.g. espionage, identity theft, physical theft
● Decreased integrity of information
  e.g. tampering, fabrication, perception management
● Decreased availability of information for the defence
  e.g. sabotage, denial of service, physical theft

What is Information Warfare?
4: Defensive Operations
Their aim is to:
● Protect Information Resources from these three forms of attack.
They must:
● Cost less than the losses that would occur in their absence.
Six classes of defensive operation
● Prevention
● Deterrence
● Indications and Warnings
● Detection
● Emergency Preparedness
● Response

Random Threats - Can affect anyone equally
Examples:
● Malware distribution:
  – Removable Media
  – Infected Downloads
● IP Address scanning:
  – Brute-force attacks
  – Zero-day attacks
  – e.g. Carna Botnet (a bot-net of roughly 420k nodes, built by logging in with default or empty passwords)
● Wardriving
● Session Hijacking

Focused Threats - We are the target
● Traditional Network Penetration:
  – Dictionary Attacks
  – Off-line Attacks (e.g. Cloudcracker against captured handshakes)
● Known Exploits:
  – Vulnerable Network Services
  – Privilege Escalation
● Social Engineering

Focused Threats - We are the target
Stealthy Devices: Requiring physical access
– Dropboxes, e.g.
  ● Pwnie Express
  ● MiniPwner
  ● Pwn Pi
– Rogue Access Point, e.g.
  ● WiFi Pineapple
– Key Stroke Loggers
– Miniature Cameras etc.

Defining the Targets
They are/will be everywhere.

Defending Information – The Basics
● Good documentation & communication
● Good passwords & security policies
● Appropriate physical security measures
● Well defined change-management procedures
● Apply security patches promptly
● Standardize where possible/appropriate
● Back it all up

Defending Information – The Basics
● Your Monitoring Solution™
  – Monitor everything you can think of
  – Record as many metrics as possible
  – Review its configuration periodically and...
    ● ...in response to change
    ● ...in response to significant incidents
  – If appropriate, use multiple/parallel systems:
    ● Availability Monitoring
    ● Performance Monitoring
    ● Network Security Monitoring
Increasing Network Visibility - Overview
Making the best possible haystack/needle finding machine:
– Capture as much network traffic as possible
– Scan captured traffic: NIDS
– Consider wireless protocols: WIDS
– Profile network traffic:
  ● Record detailed statistical information
  ● Visualise normal network behaviour
  ● Facilitates filtering-out of legitimate traffic
– Implement anomaly detection

Capturing Ethernet Traffic
Often use Switch Mirror Ports (aka. SPAN or Monitor Port)
One port receives a copy of all traffic sent to/from the other ports.
Most smart/managed switches support this feature.
Caveat: a mirror port is a single link, so when the monitored ports together carry more than it can forward the switch silently drops the excess and the IDS never sees it.
Another technique is to use a Network Tap, which does not drop under load but needs a capture interface per direction on full-duplex links.

Capturing Ethernet Traffic
Simplest case:
● All traffic passing through the switch is visible at the protective Monitoring Server
● Do not assign an IP address to the capture interface; bring it up in promiscuous mode only:
  # ifconfig eth1 up promisc

Capturing Ethernet Traffic
Redundant System:
● Dual interfaces on all servers: active/active or active/passive
● One capture interface per switch

Capturing Ethernet Traffic
Tree Topology - Option 1 – Remote Port Mirroring
● Requires high-end switches, e.g. Cisco, HP, H3C, Alcatel
● Send all captured traffic to a central location for analysis/profiling
● Upgrade interface links as necessary
● Uses VLANs to isolate the mirrored traffic
● Fairly complex to configure

Capturing Ethernet Traffic
Tree Topology - Option 2 – Distributed Monitoring
Requires several capture servers
Remote servers send back:
● Events & Alerts
● Statistical traffic information
● System log files
Network Intrusion Detection Systems
Snort
– Passive mode – Intrusion Detection
– Inline mode – Intrusion Prevention
– Searches network traffic for pattern matches
– Rules files updated daily
  ● Up-to-date VRT rules available immediately to subscribers
  ● VRT rules freely available to registered users after 30 days
  ● Community rules under GPL, a subset of the VRT rules
  ● Third-party rule sets available, e.g. http://www.emergingthreats.net

Network Intrusion Detection Systems
Snort
– Update rules daily with one of:
  ● Oinkmaster
  ● Pulled Pork
– Expect to spend some time tuning:
  ● Main config file: snort.conf
  ● Rules files
  ● Ethernet interface configuration, e.g. disable "Large Receive Offload" and "Generic Receive Offload" on the capture interface of the collector, otherwise the NIC hands the sensor coalesced super-frames larger than the MTU and stream reassembly silently goes wrong:
  ethtool -K eth1 gro off
  ethtool -K eth1 lro off

Network Intrusion Detection Systems
Snort
– Each rule has an Action associated, e.g.
  ● Send an alert and log traffic
  ● Simply drop the offending packets (Inline mode)
  ● Reject the traffic: TCP reset, UDP unreachable (Inline mode)
  ● Custom actions & custom log types
– Very flexible alerting and logging methods, e.g.
  ● Text → email alert & Pcap log file
  ● Syslog alert & logging to database
  ● Unified2 (recommended, high-performance binary format; a separate spooler such as Barnyard2 turns it into database or syslog output)

Network Intrusion Detection Systems
Suricata
● IDS/IPS project started in 2009
  – Multi-threaded for greater native performance
  – Unified2 output by default
  – Protocol detection based on traffic content, not on port number
  – File identification by md5; can extract and save files from traffic
  – Can use Snort rules and can co-exist with Snort
  – http://suricata-ids.org/

Network Intrusion Detection Systems
Bro (renamed Zeek in 2018)
● Passive Network Analysis Platform:
  – IDS features available – require custom scripting
  – Detailed statistical log files created
  – Application-layer transcripts, e.g. HTTP, SSL etc.
  – Cluster-aware for high-capacity analysis
  – Scripting engine: highly extensible
  – Match MD5 against Team Cymru malware database
Wireless Intrusion Detection Systems
● Current best practice in IEEE 802.11:
  – Implement WPA2-Enterprise
    ● RADIUS – e.g. FreeRADIUS
    ● EAP – Strong Authentication
    ● hostapd + wpa_supplicant [+ OpenSSL]
  – Implement IEEE 802.11w
    ● Protected Management Frames: forged de-authentication/disassociation frames are rejected, but only for clients that also support 802.11w; legacy clients remain exposed
We consider two types of attack:
– A Rogue Access Point
– A De-Authentication Attack

Wireless Intrusion Detection Systems
Kismet
● Monitor 802.11 traffic for known attack patterns:
  – Use additional wireless radios in monitor mode
  – (optionally) Channel-hop on the channels that you use
  – Drones can be distributed network-wide
  – Suitable for embedded use, i.e. OpenWRT, DD-WRT etc.
  – Client can view real-time client list and traffic
  – Alerts can be sent via syslog
  – Tap interface permits full 802.11 capture

Wireless Intrusion Detection Systems
Kismet 1: Detecting rogue access points
(diagram: legitimate clients associated with the real access point alongside a rogue access point advertising the same SSID)

Wireless Intrusion Detection Systems
Kismet 1: Detecting rogue access points
● On the server: kismet.conf
  ncsource=drone1:host=10.10.100.1,port=2502
  ncsource=drone2:host=10.10.100.2,port=2502
  alert=APSPOOF,10/min,1/sec
  apspoof=Tullix:ssid="Tullix",validmacs="00:11:22:33:44:55,AA:BB:CC:DD:EE:FF"
  allowplugins=true
● On the drones: kismet_drone.conf
  ncsource=wlan0:name=drone1,channellist=Tullix
  dronelisten=tcp://10.10.100.1:2502
  droneallowedhosts=10.10.0.1
  The apspoof line is the whitelist: any beacon for SSID "Tullix" from a BSSID outside validmacs raises APSPOOF. The alert throttle (10/min,1/sec) stops a persistent rogue from flooding syslog.

Wireless Intrusion Detection Systems
Kismet 2: Detecting a de-authentication attack
(diagram: an attacker injecting broadcast de-authentication frames to disconnect legitimate clients)

Wireless Intrusion Detection Systems
Kismet 2: Detecting a de-authentication attack
● On the server: kismet.conf
  ncsource=drone1:host=10.10.100.1,port=2502
  ncsource=drone2:host=10.10.100.2,port=2502
  alert=DEAUTHFLOOD,5/min,2/sec
  alert=BCASTDISCON,5/min,2/sec
  allowplugins=true
Network Traffic Profiling
Ntop and NtopNG
● Near real-time and historical information about:
  – Hosts observed
  – Protocol distribution
  – Multicast/Broadcast frequency
  – Who's talking to whom?
● Rich graphical interface
● Can also be used as a NetFlow Collector
● PF_RING allows multi-threaded libpcap analysis

NetFlow and friends
● A protocol, normally carried over UDP, describing network traffic as flows (5-tuple, byte and packet counts, timestamps) rather than as packets
● Many vendor-specific formats: NetFlow, sFlow, jFlow, RFlow
● IETF proposed standard: IPFIX (== NetFlow v10)

NetFlow Exporters
● Native support in high-end switches and routers
● Open Source exporters based on Libpcap (& PF_RING)
  – Nprobe - http://www.ntop.org/products/nprobe/
  – Fprobe - http://fprobe.sourceforge.net/
  – Softflowd - http://code.google.com/p/softflowd/
  – Rflow - https://en.wikipedia.org/wiki/DD-WRT#Features
● Also a feature of Open vSwitch - http://openvswitch.org/
● Netflow v5 and v9 are the most common formats
● Exporters send UDP packets to one or more collectors; UDP means lost datagrams are lost flows, so keep exporter and collector on the same management network

NetFlow Collectors
Ntop
– Historical and statistical analysis
Nfdump / NfSen
– Long-term NetFlow storage and detailed query
– Nfdump tool-set
  ● nfcapd – Collect netflow streams and save the information
  ● nfdump – Extract and report information from the stored files
  ● nfprofile – Report on a subset of traffic from the stored files
– NfSen web-interface
  ● Web front-end to analyse and query Nfdump files
  ● Dynamic graph generation, based on filters and time periods
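The slides name the exporter and collector roles but never show what actually crosses the wire. The following added example (written for this page; it is not code from the talk, from nfdump or from any exporter listed above) builds a NetFlow v5 datagram the way an exporter would, parses it the way nfcapd would, and then runs the kind of "who's talking to whom" and port-scan heuristic an analyst would run over nfdump output. All flows are constructed sample data; the unix_secs value and host addresses are arbitrary.

```python
"""NetFlow v5: build a datagram as an exporter would, parse it as a collector
would, then run a simple scan heuristic over the flows. Constructed data only."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Wire layout from Cisco's NetFlow v5 spec: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP, FIN, SYN, PSH, ACK = 6, 0x01, 0x02, 0x08, 0x10


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int = 0   # OR of all TCP flags seen in the flow


def build_v5_packet(flows: List[Flow], uptime_ms: int = 1000,
                    unix_secs: int = 1382515200, seq: int = 0) -> bytes:
    """Exporter side: encode up to 30 flows into one NetFlow v5 datagram."""
    if not 0 < len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst),
                       b"\0\0\0\0",            # nexthop: unknown
                       0, 0,                   # input/output SNMP ifIndex
                       f.packets, f.octets,
                       uptime_ms, uptime_ms,   # First/Last seen (sysuptime ms)
                       f.sport, f.dport,
                       0, f.tcp_flags, f.proto, 0,   # pad1, flags, proto, tos
                       0, 0, 0, 0, 0)          # src_as, dst_as, masks, pad2
        for f in flows)
    return header + records


def parse_v5_packet(data: bytes) -> List[Flow]:
    """Collector side: validate the header, refuse truncated datagrams, decode."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"got {len(data)} bytes, expected {expected} for {count} records")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(src=socket.inet_ntoa(r[0]), dst=socket.inet_ntoa(r[1]),
                          sport=r[9], dport=r[10], proto=r[13],
                          packets=r[5], octets=r[6], tcp_flags=r[12]))
    return flows


def bytes_per_source(flows: List[Flow]) -> Dict[str, int]:
    """'Who's talking to whom': octets sent per source address."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return dict(totals)


def find_port_scanners(flows: List[Flow], min_ports: int = 10) -> List[str]:
    """Sources touching many distinct (dst, port) pairs with SYN-only, packet-poor
    TCP flows: the flow-level signature of a port scan."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.tcp_flags & (SYN | ACK) == SYN and f.packets <= 2:
            targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_ports)


# Constructed sample: one complete HTTP session plus a SYN sweep of 12 ports.
SAMPLE_FLOWS = [Flow("10.0.0.5", "10.0.0.10", 51000, 80, TCP, 40, 30000,
                     SYN | ACK | PSH | FIN)] + [
    Flow("10.0.0.99", "10.0.0.10", 40000 + p, p, TCP, 1, 60, SYN) for p in range(20, 32)]


def demo() -> dict:
    """Round-trip the sample through the wire format and analyse it."""
    flows = parse_v5_packet(build_v5_packet(SAMPLE_FLOWS))
    return {"count": len(flows), "talkers": bytes_per_source(flows),
            "scanners": find_port_scanners(flows)}


if __name__ == "__main__":
    print(demo())
```

The length check in parse_v5_packet is the part worth copying: a collector that trusts the count field and reads past the end of a short datagram is exactly how malformed or spoofed exporter traffic becomes a collector crash, and since NetFlow is plain UDP anyone who can reach the collector port can send it.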
Anomaly Detection Tools
● Arpwatch / Arpalert
  – Maintain a database of the MAC/IP pairings seen (Arpalert also checks against an authorized list)
  – Alert on any deviation, i.e. a new station or a changed pairing ("flip flop") – syslog or email
● PRADS - Passive Real-Time Asset Detection System
  – Builds a list of hosts/services on the network
  – Can be used to inform snort configuration
  – prads-asset-report - what's been seen on the network?
● PBNJ – Active Network Asset Detection System
  – Database of discovered hosts/services (nmap)
  – Re-scan & diff
Increasing Host Visibility - Overview
● Useful host-based tools
● Host-based Intrusion Detection Systems (HIDS)

Host Visibility Tools
● etckeeper – Keep /etc under version control
● atop – Retain Historical Process Information
● auditd – The Linux Audit Daemon – and audispd – The Linux Audit Dispatcher
● lynis – Security audit script, with hardening suggestions

Host-based Intrusion Detection Systems
● OSSEC
  – Multi-platform – facilitates distributed security monitoring
  – File integrity monitoring
  – Log file monitoring
  – Rootkit search
  – Policy audit
  – Email/syslog alerts
  – SQL output

Host-based Intrusion Detection Systems
● Samhain - File Integrity Monitor
  – Stand-alone mode
  – Client/Server mode
  – Log file monitoring
  – Hidden processes
  – Stealth mode
  – auditd integration
  – SQL output
  – Syslog output
  – Beltane - web front-end

Host-based Intrusion Detection Systems
● Tripwire
  – Lightweight file integrity monitor
  – Define policy for file monitoring
  – Create checksum databases of a clean system
  – Mount /var/lib/tripwire on R/O media or R/O network share: a baseline the attacker can rewrite proves nothing
  – Checked by cron daily – email/syslog alert on change
  – Update databases and policies as required
  – Configuration, Policies and Databases digitally signed, requiring pass-phrase to update

Host-based Intrusion Detection Systems
● AIDE – Advanced Intrusion Detection Environment
  – Similar in scope and operation to Tripwire
  – Simpler configuration including conf.d snippets
● Fcheck – Perl based file integrity monitor
  – Older but dependable and useful in certain environments
● Stealth – Remote file integrity monitor over SSH
  – http://stealth.sourceforge.net
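To make concrete what Tripwire, AIDE, Samhain and Fcheck all have in common, here is an added example written for this page (not code from the talk or from any of those projects): hash a tree into a baseline, re-hash it later, and report what was added, removed or changed in content, size, mode or ownership. The intrusion it detects is a constructed scenario played out in a temporary directory; the file names and contents are invented for the demo.

```python
"""Tripwire/AIDE-style file integrity check: baseline a tree, re-scan later,
report additions, removals and attribute changes. Constructed demo data."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict

ATTRS = ("sha256", "size", "mode", "uid", "gid")   # mtime omitted: trivially reset with touch


def _sha256(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> Dict[str, dict]:
    """Regular files and symlinks under root -> hash (or link target) plus metadata.
    Links are not followed, so replacing a binary with a symlink is itself a change."""
    root = Path(root)
    db: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            db[rel] = {"sha256": "symlink:" + os.readlink(p), "size": 0, "mode": 0,
                       "uid": st.st_uid, "gid": st.st_gid}
        elif stat.S_ISREG(st.st_mode):
            db[rel] = {"sha256": _sha256(p), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return db


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> dict:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        diff = [a for a in ATTRS if baseline[name][a] != current[name][a]]
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(db: Dict[str, dict], path) -> None:
    Path(path).write_text(json.dumps(db, indent=1, sort_keys=True))


def load_baseline(path) -> Dict[str, dict]:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "shadow").write_text("root:*:19650:0:99999:7:::\n")
        (root / "shadow").chmod(0o600)
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        (root / "hosts.deny").write_text("ALL: ALL\n")
        db_path = Path(tmp) / "baseline.json"   # in real use: read-only media, not the host
        save_baseline(build_baseline(root), db_path)

        # Simulated attacker activity after the baseline was taken.
        with (root / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/bash\n")          # second UID-0 account
        (root / "shadow").chmod(0o644)                        # loosened permissions
        (root / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")   # persistence
        (root / "hosts.deny").unlink()                        # removed a control

        return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report is only as trustworthy as the baseline file: it is read back from disk here for the demo, but the Tripwire slide's advice to keep the database on read-only media (and Tripwire's own signing of it) is what stops an intruder from simply regenerating it after making their changes.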
Log File Management
● syslog
  – Generally using rsyslog or syslog-ng now
  – Centralize logs – including switches, routers, etc.
    e.g. Snare or eventlog-to-syslog for Windows
  – TCP or RELP (rsyslog) can aid reliable network transfer
● Cryptographic Log Signing (a GPG-13, i.e. UK Good Practice Guide 13 Protective Monitoring, requirement)
  – Feature of rsyslog version 7.4+
  – rsgtutil utility verifies signatures
  action(type="omfile" file="/var/log/syslog"
         sig.provider="gt"
         sig.keepTreeHashes="on"
         sig.keepRecordHashes="on")
  Keeping the record hashes lets verification point at the exact record that was altered rather than just reporting that the file no longer matches, at the cost of a larger signature file.
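The rsyslog configuration above turns on signing but says nothing about why a per-record hash chain plus a signature over its head is the right shape. The following added example (written for this page, not rsyslog's own code and not its GuardTime wire format) shows the mechanism in miniature: each record hash commits to every earlier record, the chain head is signed with a key, and verification both locates the first tampered record and notices when an attacker has rewritten the hashes as well. The log lines are constructed, and the HMAC key stands in for the external timestamping service that rsyslog's "gt" provider uses, so the assumption here is that the signing key never exists on the logging host.

```python
"""Hash-chained, signed log records: a simplified stand-in for rsyslog's
sig.keepRecordHashes / sig.keepTreeHashes and rsgtutil verification."""
import hashlib
import hmac
from typing import List, Optional

GENESIS = b"\x00" * 32


def chain(records: List[str], prev: bytes = GENESIS) -> List[str]:
    """h_i = SHA-256(h_{i-1} || record_i). The returned list plays the role of
    the per-record hashes rsyslog stores beside the log file."""
    out = []
    for rec in records:
        prev = hashlib.sha256(prev + rec.encode("utf-8")).digest()
        out.append(prev.hex())
    return out


def sign_head(head_hex: str, key: bytes) -> str:
    """Commit to the whole chain by signing its last hash with an off-host key."""
    return hmac.new(key, bytes.fromhex(head_hex), "sha256").hexdigest()


def verify(records: List[str], stored_hashes: List[str], signature: str, key: bytes) -> dict:
    """Recompute the chain, locate the first mismatching record, and check the
    signature over the recomputed head. Only the signature proves authenticity;
    the stored hashes merely localise the damage."""
    recomputed = chain(records)
    first_bad: Optional[int] = None
    for i, (a, b) in enumerate(zip(recomputed, stored_hashes)):
        if a != b:
            first_bad = i
            break
    truncated = len(recomputed) != len(stored_hashes)
    signature_ok = bool(recomputed) and hmac.compare_digest(
        sign_head(recomputed[-1], key), signature)
    return {"ok": signature_ok and first_bad is None and not truncated,
            "first_bad": first_bad, "truncated": truncated, "signature_ok": signature_ok}


# Constructed syslog lines for the demo.
SAMPLE_LOG = [
    "Oct 23 09:59:58 gw sshd[2201]: Accepted publickey for ops from 10.10.0.7 port 50122 ssh2",
    "Oct 23 10:00:01 gw sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/bash",
    "Oct 23 10:00:09 gw useradd[2240]: new user: name=svc, UID=0, GID=0, home=/, shell=/bin/bash",
    "Oct 23 10:00:15 gw sshd[2201]: pam_unix(sshd:session): session closed for user ops",
]
KEY = b"demo-key-held-off-host"   # constructed; in reality a secret the log host never sees


def demo() -> dict:
    hashes = chain(SAMPLE_LOG)
    sig = sign_head(hashes[-1], KEY)
    edited = list(SAMPLE_LOG)
    edited[2] = edited[2].replace("UID=0, GID=0", "UID=1001, GID=1001")   # hide the UID-0 account
    rewritten = chain(edited)   # attacker also regenerates the stored record hashes
    return {
        "intact": verify(SAMPLE_LOG, hashes, sig, KEY),
        "edited": verify(edited, hashes, sig, KEY),
        "edited_and_rehashed": verify(edited, rewritten, sig, KEY),
        "truncated": verify(SAMPLE_LOG[:3], hashes, sig, KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The third case is the important one: an intruder with root on the log host can rewrite the log and every stored hash consistently, so a hash chain alone proves nothing. The chain only becomes evidence once its head is committed to something the host cannot forge, which is why rsyslog's provider talks to an external signing service rather than using a local key.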
Log File Management
● Visualize/Analyse syslog data
  – e.g. Adiscon LogAnalyzer

Log File Management
● Visualize/search syslog data – alternatives
  – Elasticsearch
  – Graylog2
  – Logstash
  – Kibana
  – ELSA

Log File Management
● Application Logs – e.g. Web server
  – Google Analytics != Web Log Analysis (a client-side beacon only sees browsers that run it; scanners and scripted attacks never appear)
  – Piwik (now Matomo) Log Analytics Mode - http://piwik.org/log-analytics/

Active Response – Intrusion Prevention
● Snortsam – Firewall hosts using a Snort plugin
  – Agent runs on/near firewall
● fail2ban - Firewall hosts from log file matches
  – Authentication Failures
  – Repeat Offender Handling

Collating and Presenting Security Information
● Sagan
  – Scan log files for security related information
  – Snort-like rules for pattern matching
  – e.g. Handling our previous WIDS alert
  alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:
  "[KISMET] Spoofed disassociated/deauthenticate packets";
  program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/";
  classtype: suspicious-traffic;)
  – Incorporate results into an IDS database
  – Integrates with Snortsam Agent for active firewall response
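The Sagan rule above and the fail2ban bullets on the previous slide describe the same pipeline from two ends: parse syslog, match a program plus a regex, then either raise an alert or count failures per source and firewall the offender. This added example (written for this page; it is neither Sagan's nor fail2ban's code) implements that pipeline over constructed log lines, including the two behaviours the slides mention without showing: Kismet-style alert throttling and fail2ban-style repeat-offender handling, where each further ban of the same source lasts longer. The caller supplies the event time because syslog timestamps carry no year; the Kismet message text and all addresses are invented.

```python
"""Sagan-style rule matching over syslog plus fail2ban-style response."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Rules in the spirit of the Sagan rule on the slide: program + pcre + action.
RULES = [
    {"name": "[KISMET] Spoofed disassociate/deauthenticate packets",
     "program": "kismet_server", "pcre": re.compile(r"DEAUTHFLOOD|BCASTDISCON"),
     "action": "alert"},
    {"name": "[SSH] Failed password", "program": "sshd",
     "pcre": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3})"),
     "action": "count"},
]


class Responder:
    def __init__(self, maxretry=3, findtime=600, bantime=600, repeat_factor=4, alert_throttle=5):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.repeat_factor, self.alert_throttle = repeat_factor, alert_throttle
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)   # ip -> failure times
        self.ban_until: Dict[str, int] = {}
        self.ban_count: Dict[str, int] = defaultdict(int)
        self.alert_times: Dict[str, Deque[int]] = defaultdict(deque)
        self.alerts: List[Tuple[int, str, str]] = []   # (time, rule name, host)
        self.bans: List[Tuple[int, str, int]] = []     # (time, ip, seconds)

    def is_banned(self, ip: str, now: int) -> bool:
        return self.ban_until.get(ip, 0) > now

    def process(self, line: str, now: int) -> Optional[str]:
        """Returns what happened to the line: None (unparseable), 'ignored',
        'alert', 'throttled', 'fail', 'ban' or 'already-banned'."""
        m = SYSLOG.match(line)
        if not m:
            return None
        for rule in RULES:
            if m["prog"] != rule["program"]:
                continue
            hit = rule["pcre"].search(m["msg"])
            if not hit:
                continue
            if rule["action"] == "alert":
                return self._alert(rule["name"], m["host"], now)
            return self._count(hit["ip"], now)
        return "ignored"

    def _alert(self, name: str, host: str, now: int) -> str:
        q = self.alert_times[name]                   # at most alert_throttle per minute
        while q and now - q[0] >= 60:
            q.popleft()
        if len(q) >= self.alert_throttle:
            return "throttled"
        q.append(now)
        self.alerts.append((now, name, host))
        return "alert"

    def _count(self, ip: str, now: int) -> str:
        if self.is_banned(ip, now):
            return "already-banned"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.findtime:       # only failures inside the window count
            q.popleft()
        if len(q) < self.maxretry:
            return "fail"
        self.ban_count[ip] += 1                       # repeat offenders get longer bans
        seconds = self.bantime * self.repeat_factor ** (self.ban_count[ip] - 1)
        self.ban_until[ip] = now + seconds
        q.clear()
        self.bans.append((now, ip, seconds))
        return "ban"


# Constructed (epoch seconds, syslog line) pairs for the demo.
SAMPLE = [
    (0,   "Oct 23 10:00:00 gw sshd[3110]: Failed password for invalid user admin from 10.0.0.200 port 4242 ssh2"),
    (5,   "Oct 23 10:00:05 gw sshd[3112]: Failed password for root from 10.0.0.200 port 4243 ssh2"),
    (9,   "Oct 23 10:00:09 gw sshd[3114]: Failed password for root from 10.0.0.200 port 4244 ssh2"),
    (12,  "Oct 23 10:00:12 gw sshd[3116]: Accepted publickey for ops from 10.10.0.7 port 50122 ssh2"),
    (30,  "Oct 23 10:00:30 wids kismet_server[880]: ALERT DEAUTHFLOOD Deauthenticate/Disassociate flood on 00:11:22:33:44:55"),
    (700, "Oct 23 10:11:40 gw sshd[3201]: Failed password for root from 10.0.0.200 port 4300 ssh2"),
    (701, "Oct 23 10:11:41 gw sshd[3202]: Failed password for root from 10.0.0.200 port 4301 ssh2"),
    (702, "Oct 23 10:11:42 gw sshd[3203]: Failed password for root from 10.0.0.200 port 4302 ssh2"),
]


def demo():
    r = Responder()
    results = [r.process(line, t) for t, line in SAMPLE]
    return results, r.bans, r.alerts


if __name__ == "__main__":
    for (t, line), outcome in zip(SAMPLE, demo()[0]):
        print(f"{t:4d} {outcome:15s} {line[:60]}")
```

In real deployments the "ban" outcome becomes a firewall rule (fail2ban's iptables actions, or a Snortsam agent on the firewall as the next slide describes) and the "alert" outcome becomes the IDS database record that Snorby displays; the regex on the program name is what keeps a crafted message from an unrelated daemon from triggering either.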
Collating and Presenting Security Information
● Snorby
  – Web console collating IDS/IPS and Sagan alerts
  – Integrates with OpenFPC for full packet capture
● Other consoles available
  – e.g. Sguil & Squert, BASE

Focused Distributions
● AlienVault OSSIM (Debian based)
  – Open Core version of their full-featured USM product
  ● Nagios
  ● NfSen
  ● OSSEC
  ● Kismet
  ● Snort
  ● Suricata
  ● Ntop
  ● Arpwatch
  ● PADS
  ● OpenVAS
  – Custom Correlation Engine
  – Custom web framework

Focused Distributions
● The Security Onion (Ubuntu based)
  ● Snort
  ● Suricata
  ● Bro
  ● Sguil
  ● Squert
  ● Snorby
  ● ELSA
  ● Netsniff-NG
  ● OSSEC
  ● PRADS
  ● Xplico
  ● NetworkMiner
  ● CapME
  ● Argus

Summary
Conducting Defensive Information Warfare
● Maximum network visibility
● Maximum host visibility
● Rigorous log file management
● Rapid analysis and response
Image attributions
● http://www.bro.org
● http://www.flickr.com/photos/pasukaru76/5108255589/
● http://commons.wikimedia.org
● http://idle.slashdot.org/story/08/10/01/231247/man-uses-remote-logon-to-help-find-laptop-thief
● http://www.article-3.com/criminal-law-laptop-theft-protection-92052
● http://nfsen.sourceforge.net/
● http://www.ossec.net/doc/manual/ossec-architecture.html
● http://logstash.net/images/logstash.png
Thanks to Creative Commons:
● http://www.flickr.com/photos/pingdom/5370307776/
● http://www.geograph.org.uk/photo/2472373
● http://hakshop.myshopify.com/products/wifi-pineapple-holiday-bundle
● http://www.cctvcameradvrs.com/4gb-mini-spy-camera-with-voice-control
● http://www.flickr.com/photos/fastjack/282707058/
● http://www.insuretrust.com/study-finds-cyber-crime-costly-ever
● http://www.telegraph.co.uk/technology/news/8262628/Cyber-attacks-could-cause-global-catastrophe.html
● http://en.wikipedia.org/wiki/File:Snort_ids_logo.png
● http://deinoscloud.wordpress.com/2012/11/01/esxigraylog2-quickstart/
● http://www.elasticsearch.org/
● http://www.jesuisungeek.net/index.php?post/2013/01/31/Installer-Kibana-par-Puppet-partie-1
● http://munin.alexdpsg.net/alexdpsg.net/munin.alexdpsg.net/fail2ban-month.png
● http://en.wikipedia.org/wiki/File:Alienvault_capture.png
● http://openclipart.org
Explicit Permission Granted:
● http://mtitechsolutions.com/blog/types-of-attacks.html
● https://en.wikipedia.org/wiki/File:NetFlow_Architecture_2012.png
● Pwnie Express - http://pwnieexpress.com/
● MiniPwner - http://www.minipwner.com/