Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

1. Open Source Defense
Building a Security Program with Zero Budget

2. NOTE: Special awkward standalone edition
I use a lot of humor in my talks and I often try to avoid throwing too
much text or explanation on slides. The resulting slides aren’t very
useful without my voice overlaying them.
Since many people ask for my slides following my talks, I do my
best to modify the slide deck so that the bulk of the information is
still useful, even without me.
I still highly recommend the live edition. You can’t ask this one any
questions ;)

3. Agenda
•Budget challenges beyond CapEx/OpEx
•Foundations: The big picture and where to start
•Specific free & open-source tools to help at each step
•Real-World Experiences and Fun Stories*
*Randomly dispersed throughout

4. whoami – Adrian Sanabria
IT Practitioner
Security Practitioner
Security Consultant
Industry Analyst
Business Owner
$

5. Savage Security
Applied
Research
Community
Projects
Market
Research
and
Services
Enterprise
Services
https://savagesec.cominfo@savagesec.com
(also, we’re good listeners)

7. What do we mean when we say “zero budget”?
What do we mean when we say “zero budget”?
We’re talking having little to no CapEx budget. There’s no getting
around needing people. The more smart and creative your people,
the more likely you will be to succeed with what we’re talking about
today.

8. Security: What’s the “True Cost”?
• Security = People + Processes + Products
People
• Salary
• Training
• Personal Dev
• Management
Processes
• Plan (policy)
• Build (controls)
• Test (controls)
• Improvement
Products
• CapEx/OpEx
• Support
• Time to Value
• Labor:Value

9. Why FOSS?
Because Richard Stallman, of
course!
Ha…
No, that was a joke.
I’m sorry.
There are better reasons.

10. Why FOSS?
Not just for people with budget constraints!
It’s about time and control.

11. Commercial
1. Google search
2. Choose three
3. Contact vendors
4. Proof of concept
5. Wine & dine
6. Procurement
7. Implementation
Elapsed time: weeks/months
FOSS
1. Google search
2. Download
3. Configure
Elapsed time: minutes/hours
Why FOSS?

12. Shelfware
Products that are purchased, but never get used or never
fully achieve their intended value

13. What ends up on the Shelf?
What would keep them off the shelf?

14. Build versus Buy?

15. Start with a solid foundation.

16. Foundational Blueprints and Frameworks
• NIST Standards and Frameworks
• CIS Critical Security Controls
• ISO 27000
• MITRE @ttack

18. Document everything!
A core documentation repository is critical
• Policy, procedure, how-tos, etc:
MediaWiki
Atlassian Confluence ($10 for up to 10 users)
• Incident Response Ticketing/Documentation:
RTIR (https://bestpractical.com/download-page)
The Hive (https://thehive-project.org/)

19. Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover

20. Map your network

21. The Asset Discovery Dilemma
Active Scanning? Nmap? Vuln Scanner? No. Ask your network!
NetDB https://netdbtracking.sourceforge.net/
.ova available at https://www.kylebubp.com/files/netdb.ova

22. Other network mapping approaches
• nmap + ndiff/yandiff
Not just for red teams.
Export results, diff for changes.
Alert if something changed.
• Netdisco
https://sourceforge.net/projects/netdisco
Uses SNMP to inventory your network devices

23. Data Discovery
• Users are good at putting sensitive data on the network.
• Find it with OpenDLP

24. OpenVAS
• Fork of Nessus
• Still maintained
• Default vuln scanner in AlienVault
• Does a great job in comparison w/ commercial products

25. Web Apps too!
• Arachni Framework (arachni-scanner.com)
• OWASP ZAP (Zed Attack Proxy)
• Nikto2 (more of a server config scanner)
• Portswigger Burp Suite (not free - $350)
• For a comparison – sectoolmarket.com

26. In addition to fixing vulnerabilities…
• Build in some additional security on your web servers.
(also part of a secure configuration)
• Fail2ban
Python-based IPS that runs off of Apache Logs
• Modsecurity
Open source WAF for Apache & IIS

27. Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover

28. Protect

29. Intrusion Detection/Prevention

30. Host-based IDS
• Monitor Critical and Sensitive Files via Integrity Checks
• Detects Rootkits
• Can monitor Windows Registry
• Alert on Changes

31. Windows 10 – Out of the box – CIS Benchmark
22%The goal shouldn’t be 100%, but we can do better than 22%! Also, you should probably
try some basic Windows hardening best practices before spending $75 per endpoint on
the latest next gen AI super-APT defenderer anti-badware silver bullet.

32. Secure Configuration
• CIS Benchmarks / DISA Stigs
• Configuration Management, while not exciting, is important
• Deploy configs across your enterprise using tools like GPO, Chef, Puppet,
or Ansible
• Change Management is also important
• Use git repo for tracking changes to your config scripts

33. Explaining the next slide: Patch it all! (kinda)
The general idea here is that whenever someone gets breached, we hear the
industry’s brightest loudest stars lob criticisms at the victims about ‘patching’
and ‘doing the basics’. In most cases, the critics have never had to install a
patch across 35,000 endpoints running 27 distinct gold images across three
major operating system versions. They’ve never had to deal with a vendor
that had to ‘certify’ a patch before it is allowed to be installed.
They don’t appreciate the fact that patching is singlehandedly the most
disruptive thing that happens to an IT environment… on purpose.

34. PATCH IT ALL (kinda)

35. Patching Windows
+

36. Patching Linux
+

37. Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover

38. What’s happening on the endpoint?
• Facebook-developed osquery is effectively free EDR
• Agents for MacOS, Windows, Linux
• Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM
• Do fun things like, search for IoCs (hashes, processes, etc.)
• Pipe the data into ElasticStack for visibility & searchability
• If you only need Windows, check out Microsoft Sysinternals Sysmon

39. What’s happening on the network?
• Elkstack
• Suricata
• Bro
• Snort
• SecurityOnion: put it all together

40. Logging and Monitoring
• Central logging makes detection and analysis easier
• Many options here, such as Windows Event Subscription, rsyslog
• Can also pipe to one central location with dashboards, such as ElasticStack
• Good idea to include DNS logs!

41. Education

42. Phishing Education Phishing Frenzy
Social Engineering Toolkit (SET)
GoPhish

43. Parting thoughts…
• Build versus Buy
• Security Requirements don’t change, regardless of budget.
• Build a strong foundation and branch out.
• Consider scenarios – solve one scenario at a time, NOT all at once!
• Stay curious and contribute to projects you like.
• Community! Share ideas – learn from others
• DOCUMENT EVERYTHING

44. Adrian Sanabria
adrian@savagesec.com
@sawaba
@savagesec