Unity Makes Strength SOURCE Dublin 2013

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.


  1. Unity Makes Strength
     “Why keep this valuable information in a corner?”
  2. $ whoami
     • Xavier Mertens (@xme)
     • Consultant @ day
     • Blogger @ night
     • BruCON co-organizer
  3. $ cat disclaimer.txt
     “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  4. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
  5. Defense vs. Attack
     • Offensive security is funny (w00t! We break things)
     • Defensive security can also be fun! (proud to not be pwn3d ;-)
     • “Know your enemy!”
  6. Welcome to Belgium!
  7. Welcome to Belgium!
  8. Belgique, België, Belgien
     But with a very complicated political landscape!
  9. Belgian Motto
     “L’union fait la force” (“Unity Makes Strength”)
 10. And Infosec?
     Why not apply this to our security infrastructures?
 11. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
 12. Initial Situation
     (diagram: Firewall, IDS, Proxy and Malware Analysis, each taking its own Action)
 13. Then Came the god “SIEM”
     (diagram: Firewall, IDS, Proxy and Malware Analysis, each sending Logs to Centralized Logging Solutions / SIEM)
 14. Weaknesses?
     • Independent solutions
     • Static configurations
     • Only logs are centralized
     • No global protection
     • Useful data not shared
     • Real-time protection not easy
 15. The Value of Data
     • IP addresses
     • User names
     • URLs
     • Domains
     • Digests (MD5, SHA1, etc.)
 16. Multiple Sources
     • Online repositories
     • Internal resources
     • Automatic process
 17. Nothing New!
     (diagram: Input, Process, Output)
 18. Back to the Roots
     • REXX is a scripting language invented by IBM.
     • ARexx was implemented in AmigaOS in 1987.
     • It allows applications that have an ARexx interface to communicate and exchange data.
 19. RTFM!
     • Security is a big market ($$$)
     • The “Microsoft Office” effect (<10% of features really used)
     • Invest time to learn how your products work.
     • Be a hacker: learn how it works and make it work the way you want.
 20. Backdoors...
     • CLI
     • WebAPI (JSON, XML)
     • Databases
     • Scripting languages
     • Serial console
 21. Protocols
     • HTTP(S)
     • TFTP
     • SSH
     • SNMP
     • IF-MAP
     • Proprietary tools (dbedit)
 22. Automation is the Key
     • We’re all lazy people!
     • Expect!
       use Expect;
       my $e = Expect->new();
       my $c = "ssh $user\@$host";          # escape the @ so Perl does not interpolate @$host
       $e = Expect->spawn($c) or die "No SSH?";
       $e->expect($timeout,
           [ qr'password: $', sub { my $fh = shift; print $fh "$password\n"; } ],
       );
 23. A New Architecture
     (diagram: Firewall, IDS, Proxy and Malware Analysis send Logs to Centralized Logging Solutions / SIEM, and a Toolbox feeds an Action back to each device)
 24. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
 25. HTTPS
     • Generate an API key
       https://
     • Submit XML requests
       https://[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask></ip-netmask><description>Test</description>
 26. Snort-Rules Generator
     • Lots of security tools accept Snort rules
       use Snort::Rule;
       my $rule = Snort::Rule->new(
           -action => 'alert',
           -proto  => 'tcp',
           -src    => '',
           -sport  => 'any',
           -dst    => 'any',
           -dport  => 'any',
       );
       $rule->opts('msg', 'Detect traffic from');
       $rule->opts('sid', '666666');
 27. IF-MAP
     • Open standard to allow authorized devices to publish/search relevant information
     • Information could be:
       • IP
       • Login
       • Location (devices)
       • Domain
 28. IF-MAP
       use Ifmap;
       use Ifmap::Util;
       my $r    = Ifmap::Request::NewSession->new();
       my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '');
       my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
       my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
       my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
 29. SNMP
     • SNMP can be used to push configuration changes
     • Example: the router will pull the access-list “acl.tmp” from a TFTP server
       $ snmpset 10.0.1 Pr1v4t3 . acl.tmp
 30. TCL
     • Cisco devices have a framework called EEM: “Embedded Event Manager”
     • Example: the router may communicate information based on its status
       event manager applet Interface_Event
        event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
        action 1.0 cli command "tclsh flash:notify.tcl"
 31. Puppet
     • Configuration Management Software
     • Deploy security patches
     • Manage SSH keys
     • Modify thousands of servers in one shot
     “DevOps to the rescue”
 32. The Conductor
     • OSSEC
     • Log Management
     • Active-Response
     • Powerful alerts engine
 33. Action? Reaction!
     • Example of OSSEC rule
       <rule id="100101" level="5" frequency="5" timeframe="60">
         <match>access denied</match>
         <group>invalid_login,</group>
       </rule>
       <active-response>
         <command>ad-block-user</command>
         <location>local</location>
         <rules_id>100101</rules_id>
       </active-response>
 34. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
 35. $ cat disclaimer2.txt
     <warning>Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!</warning>
 36. Online Resources
     • DNS-BH
       $ wget -N http://dns-bh.sagadc.org/domains.txt
     • Google SafeBrowsing
       use Net::Google::SafeBrowsing2;
       use Net::Google::SafeBrowsing2::Sqlite;
       my $gsb = Net::Google::SafeBrowsing2->new(
           key     => "xxx",
           storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
       );
       $gsb->update();
       my $match = $gsb->lookup(url => "http://evil.com");
       if ($match eq MALWARE) { ... }
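An added example (my code, not from the talk) that ties slide 26 to slide 36: it parses a DNS-BH style domains.txt blocklist (the sample below is constructed; the format is assumed to be one domain per line with "#" comments) and emits one Snort rule per domain, encoding the name as the length-prefixed labels that appear in a DNS query on the wire.

```python
import re

# Constructed sample of a DNS-BH style "domains.txt" (not the real feed):
# '#' starts a comment, one domain per line; case and whitespace are sloppy on purpose.
SAMPLE_BLOCKLIST = """\
# DNS-BH style blocklist (constructed sample)
evil.example
  malware-drop.example.net
Bad-Domain.EXAMPLE   # trailing comment
evil.example
not a domain!
"""

# Hostname syntax only: labels of letters/digits/hyphens, no leading or trailing hyphen.
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def parse_blocklist(text):
    """Return unique, lower-cased domains from the list, skipping comments and junk."""
    seen, domains = set(), []
    for line in text.splitlines():
        d = line.split("#", 1)[0].strip().lower().rstrip(".")
        if d and DOMAIN_RE.match(d) and d not in seen:
            seen.add(d)
            domains.append(d)
    return domains

def dns_query_content(domain):
    """Encode a name as the length-prefixed labels of a DNS question section
    (evil.example -> |04|evil|07|example|00|) so the rule matches the raw query."""
    return "".join("|%02x|%s" % (len(label), label) for label in domain.split(".")) + "|00|"

def make_rule(domain, sid):
    """One Snort rule: an internal host sending a UDP/53 query for the blocklisted name."""
    return ('alert udp $HOME_NET any -> any 53 (msg:"DNS-BH blocklisted domain %s"; '
            'content:"%s"; nocase; sid:%d; rev:1;)' % (domain, dns_query_content(domain), sid))

def blocklist_to_rules(text, base_sid=1000001):
    """Whole list to rules; local rules must use sid >= 1000000, so number from there."""
    return [make_rule(d, base_sid + i) for i, d in enumerate(parse_blocklist(text))]

if __name__ == "__main__":
    for rule in blocklist_to_rules(SAMPLE_BLOCKLIST):
        print(rule)
```

Re-running the script after each `wget -N` refresh regenerates the rule file with stable sids, so the ruleset tracks the feed without hand edits.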
 37. Dynamic Firewall Config
     • FireEye malware analysis box
     • Firewalls
       • Checkpoint
       • PaloAlto
       • IPtables
       • <insert your preferred fw $VENDOR here>
     • OSSEC
 38. Dynamic Firewall Config
     (diagram: FireEye, OSSEC, PaloAlto / Checkpoint / IPtables)
 39. Dynamic User Blacklist
     • Syslog Concentrator
     • OSSEC
     • SSLVPN
     • LDAP directory
 40. Dynamic User Blacklist
     (diagram: several sshd hosts, OSSEC, LDAP)
       $ ldapmodify -D 'cn=admin' -w 'pass'
       dn: uid=jdoe,o=acme.org
       changetype: modify
       replace: userpassword
       userpassword: newpass
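An added example (my code, not from the talk) for slides 33 and 40: a Python stand-in for the OSSEC frequency/timeframe correlation, run over constructed sshd "access denied" lines, followed by the LDIF that the ldapmodify call on slide 40 pushes to lock the offending account. The threshold logic (`frequency` matches from one user inside `timeframe` seconds) is my simplification of the OSSEC rule attributes; the base DN o=acme.org comes from the slide.

```python
import re
import secrets
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (not real traffic); the rule on slide 33 keys on "access denied".
SAMPLE_LOG = """\
May 20 10:00:01 gw sshd[1001]: pam_unix(sshd:auth): access denied for user jdoe
May 20 10:00:05 gw sshd[1002]: pam_unix(sshd:auth): access denied for user jdoe
May 20 10:00:09 gw sshd[1003]: pam_unix(sshd:auth): access denied for user alice
May 20 10:00:12 gw sshd[1004]: pam_unix(sshd:auth): access denied for user jdoe
May 20 10:00:20 gw sshd[1005]: pam_unix(sshd:auth): access denied for user jdoe
May 20 10:00:44 gw sshd[1006]: pam_unix(sshd:auth): access denied for user jdoe
May 20 10:02:00 gw sshd[1007]: Accepted publickey for bob from 10.0.0.5 port 4444
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*access denied for user (\S+)")

def parse_ts(text):
    # Syslog timestamps carry no year; only differences between timestamps are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def correlate(log_text, frequency=5, timeframe=60):
    """Users with >= `frequency` denied logins inside any `timeframe`-second window
    (my simplification of OSSEC's frequency/timeframe rule attributes)."""
    window = defaultdict(deque)   # user -> timestamps of recent denials
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user = parse_ts(m.group(1)), m.group(2)
        q = window[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:   # drop denials outside the window
            q.popleft()
        if len(q) >= frequency and user not in flagged:
            flagged.append(user)
    return flagged

def lockout_ldif(user, base_dn="o=acme.org", new_password=None):
    """LDIF for slide 40's ldapmodify: replacing userPassword with an unknown random
    value locks the account; a fixed password may be passed in for testing."""
    pw = new_password or secrets.token_urlsafe(24)
    return ("dn: uid=%s,%s\nchangetype: modify\nreplace: userpassword\nuserpassword: %s\n"
            % (user, base_dn, pw))

if __name__ == "__main__":
    # Pipe the output into: ldapmodify -D 'cn=admin' -w 'pass'   (as on slide 40)
    for user in correlate(SAMPLE_LOG):
        print(lockout_ldif(user))
```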
 41. SMTP Malware Analysis
     • Postfix MTA
     • Cuckoo
     • CuckooMX (Perl)
 42. SMTP Malware Analysis
     (diagram: Postfix, CuckooMX, Cuckoo)
 43. MySQL Self-Defense
     • MySQL Server
     • MySQL Proxy
     • lib_mysqludf_log
 44. MySQL Self-Defense
     (diagram: client, mysql-proxy, mysqld, error.log)
 45. Controls
     • Security first!
     • Strong controls must be implemented
     • Authentication/Authorization
     • Could break your compliance
     • Use an OoB network
     • Risk of DoS!
 46. Conclusions
     • Don’t buy just “a box”
     • RTFM
     • Control
     • It’s up to you!
 47. Thank You!
     Questions? No? Beers!