Echidna Framework NSM/IR Open Source System
Jan 17, 2015
whoami
Eduardo Urias (larsx2) OSCP, OSWP, Security+
Software Engineer at:
Security Consultant at:
So, What is NSM?
Network Security Monitoring
“It’s the collection, analysis and escalation of indications and warnings to respond to intrusions”
Let me repeat that
Collection – This is where you do data acquisition
Analysis – This requires correlation and human analysis
Escalation – An authority decides how to proceed
= This shit is a methodology, NOT a product
IDS != NSM != SIEM != Log Management
NSM Process
• Products perform collection – A piece of software or an appliance whose purpose is to analyze packets on the network.
• People perform analysis – While products can draw conclusions from what they see, only people can provide context.
• Processes guide escalation – Escalation is the act of bringing information to the attention of decision makers.
NSM Principles
• Some intruders are smarter than you
• Many intruders are unpredictable
• Prevention eventually fails
• Intruders who can communicate with victims can be detected
• Detection through sampling is better than no detection
• Detection through traffic analysis is better than no detection at all
(SIEM) Alert-centric solutions rely on...
• Attacks can be understood prior to execution
• Methods to detect or prevent attacks can be encapsulated in programming logic
• Customers will purchase, properly configure, and effectively deploy products offering sufficient defensive logic
• The customer’s environment will behave as anticipated by the developers and vendors
(NSM) Traffic-centric approach
• NSM analysts treat ALL data as indicators, not “false positives” or “false negatives”
• Relies on at least 4 types of data:
ü Statistical
ü Session
ü Full Content
ü Alert
• NSM uses a “dumb is better” approach, relying on traffic to verify the context of indications and warnings as part of an investigation.
NSM Model
Alert – “Snort fires an alert related to an FTP bounce attack”
Session – “We request the session/netflow activity in the past 4 hours for the src/dst IP”
Full Content – “We request the full packet capture of one of the sessions to see the FTP commands sent on the control channel”
(Diagram of the four data types: Statistical Data, Alert, Session, Full Packet Capture)
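The alert → session → full content pivot described above, written out as an added Python example (it is not Echidna, Sguil or Snort code). The alert, the cxtracker-style session records and the FTP control-channel bytes are constructed samples; the 4-hour window and the "touches src or dst" matching rule are assumptions taken from the slide's wording. The bounce check itself is the classic one: a PORT command naming an address other than the control-connection client asks the server to open the data connection to a third party.

```python
"""Alert -> session -> full-content pivot, following the NSM model above.

Added illustration; not Echidna/Sguil code.  The alert, session and
full-content records below are constructed samples, not sensor output.
"""
import re
from datetime import datetime, timedelta

# Step 1: the alert (think of a Snort/Suricata event).  Constructed.
ALERT = {
    "ts": datetime(2012, 7, 9, 10, 21, 27),
    "src": "10.0.0.5", "sport": 40001,
    "dst": "192.0.2.10", "dport": 21,
    "msg": "FTP bounce attempt (constructed alert)",
}

# Step 2: cxtracker-style session records.  Constructed.
SESSIONS = [
    {"start": datetime(2012, 7, 9, 10, 20, 1), "end": datetime(2012, 7, 9, 10, 22, 0),
     "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 21},    # the flagged one
    {"start": datetime(2012, 7, 9, 8, 5, 0), "end": datetime(2012, 7, 9, 8, 6, 0),
     "src": "10.0.0.5", "sport": 40002, "dst": "203.0.113.9", "dport": 80},   # same host, earlier
    {"start": datetime(2012, 7, 9, 1, 0, 0), "end": datetime(2012, 7, 9, 1, 1, 0),
     "src": "10.0.0.5", "sport": 40003, "dst": "192.0.2.10", "dport": 21},    # outside the 4h window
    {"start": datetime(2012, 7, 9, 10, 0, 0), "end": datetime(2012, 7, 9, 10, 1, 0),
     "src": "172.16.0.3", "sport": 5000, "dst": "203.0.113.9", "dport": 80},  # unrelated hosts
]

# Step 3: full content of the FTP control channel, keyed by 4-tuple.  Constructed.
FULL_CONTENT = {
    ("10.0.0.5", 40001, "192.0.2.10", 21):
        b"USER anonymous\r\nPASS x@\r\n"
        b"PORT 198,51,100,7,0,80\r\nLIST\r\n"       # data connection to a third host: bounce
        b"PORT 10,0,0,5,156,64\r\nRETR x\r\n",      # data connection back to the client: normal
}


def session_key(s):
    return (s["src"], s["sport"], s["dst"], s["dport"])


def pivot_sessions(alert, sessions, hours=4):
    """Sessions that started in the `hours` before the alert and touch its src or dst."""
    lo, hi = alert["ts"] - timedelta(hours=hours), alert["ts"]
    hosts = {alert["src"], alert["dst"]}
    return [s for s in sessions
            if lo <= s["start"] <= hi and (s["src"] in hosts or s["dst"] in hosts)]


PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_commands(control_payload):
    """(ip, port) for every 'PORT h1,h2,h3,h4,p1,p2' command; port = p1*256 + p2."""
    found = []
    for line in control_payload.split(b"\r\n"):
        m = PORT_RE.match(line)
        if m:
            h = [int(x) for x in m.groups()]
            found.append((".".join(map(str, h[:4])), h[4] * 256 + h[5]))
    return found


def ftp_bounce_targets(client_ip, control_payload):
    """A PORT command naming a host other than the control-channel client is the
    FTP bounce: the server opens the data connection to that third party."""
    return [(ip, port) for ip, port in parse_port_commands(control_payload)
            if ip != client_ip]


def investigate(alert, sessions, full_content):
    """Walk the model: alert -> related sessions -> full content of those we hold."""
    related = pivot_sessions(alert, sessions)
    findings = {}
    for s in related:
        payload = full_content.get(session_key(s))
        if payload is not None:
            findings[session_key(s)] = ftp_bounce_targets(s["src"], payload)
    return related, findings


if __name__ == "__main__":
    related, findings = investigate(ALERT, SESSIONS, FULL_CONTENT)
    print(len(related), "related sessions")
    for key, targets in findings.items():
        print(key, "bounce targets:", targets)
```

Run directly it reports two related sessions and one bounce target (198.51.100.7:80). In a real deployment the session and full-content lookups are the queries an analyst issues through Echidna or Sguil; the PORT check is what they would otherwise do by eye on the pcap, and it is the step that turns the alert into a confirmed finding rather than a "false positive" label.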
In other words….
Just Kidding….
SIEM’s are part of the tools used in the process, just not the end.
Sguil by Bamm Visscher
Snorby by Dustin Webber
Snorby Cloud (now Threat Stack)
Squert by Paul Halliday
Cool Bro.
Why don’t we use one of those fancy tools as well and forget about this talk?
Why do we subscribe to this?
Because…..
We want to offer something cool too
ü Open Source Software
ü Easy to maintain
ü Can be extended using other awesome OSS tools
ü Scalable and easy to integrate
ü Nice API please?
Enter Echidna
Echidna Architecture
Echidna Server:
ü Perl-based
ü Server/Node CnC communication is done through WebSockets (near-realtime)
ü Retrieval and submission of data is done through a REST interface
ü Modular architecture (use what you need)
ü It can be used with relational DBs and NoSQL
Server: Fetch some records
URI: http://inspectlabs.com:6970
Controller: /api/pdns
Parameters:
?fields=client,server,answer&query_type=A&query=nsm.metaflows.com.&from=2012-07-09 10:21:27&to=2012-07-09 10:21:27
Which means: give me the client IP, server IP and query answer of all DNS queries for nsm.metaflows.com. that returned an address (A) record at 10:21:27 on 2012-07-09
Server REST API Response
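The request above, built and then answered in Python as an added example (this is not the Echidna server's code, which is Perl/Mojolicious). The host and controller path are the ones on the slide; the passive-DNS record set is constructed, and the choice to apply from/to to a record's `last_seen` timestamp is my assumption about the API's semantics.

```python
"""Build the /api/pdns query shown above and apply its semantics.

Added illustration; not Echidna server code.  The record set and the
assumption that from/to filter on a record's `last_seen` timestamp are mine.
"""
from datetime import datetime
from urllib.parse import urlencode, urlunsplit

HOST = "inspectlabs.com:6970"     # as on the slide
CONTROLLER = "/api/pdns"
TS = "%Y-%m-%d %H:%M:%S"
EXAMPLE_TIME = datetime(2012, 7, 9, 10, 21, 27)


def pdns_query_url(fields, query_type, query, start, end):
    """Percent-encode the parameters: the spaces and colons in the timestamps
    cannot go into a URL verbatim the way the slide writes them."""
    params = {
        "fields": ",".join(fields),
        "query_type": query_type,
        "query": query,
        "from": start.strftime(TS),
        "to": end.strftime(TS),
    }
    return urlunsplit(("http", HOST, CONTROLLER, urlencode(params), ""))


# Constructed passive-DNS records standing in for the server's store.
RECORDS = [
    {"client": "10.0.0.5", "server": "192.0.2.53", "query": "nsm.metaflows.com.",
     "query_type": "A", "answer": "198.51.100.20", "ttl": 300,
     "last_seen": datetime(2012, 7, 9, 10, 21, 27)},
    {"client": "10.0.0.5", "server": "192.0.2.53", "query": "nsm.metaflows.com.",
     "query_type": "AAAA", "answer": "2001:db8::20", "ttl": 300,
     "last_seen": datetime(2012, 7, 9, 10, 21, 27)},        # wrong record type
    {"client": "10.0.0.8", "server": "192.0.2.53", "query": "nsm.metaflows.com.",
     "query_type": "A", "answer": "198.51.100.20", "ttl": 300,
     "last_seen": datetime(2012, 7, 9, 10, 25, 0)},         # outside the window
    {"client": "10.0.0.8", "server": "192.0.2.53", "query": "example.org.",
     "query_type": "A", "answer": "203.0.113.44", "ttl": 60,
     "last_seen": datetime(2012, 7, 9, 10, 21, 27)},        # different name
]


def select_records(records, fields, query_type, query, start, end):
    """What the controller has to do with those parameters: filter, then project
    onto the requested fields.  Equal from/to means a single instant."""
    out = []
    for r in records:
        if r["query_type"] != query_type or r["query"] != query:
            continue
        if not (start <= r["last_seen"] <= end):
            continue
        out.append({f: r[f] for f in fields})
    return out


if __name__ == "__main__":
    fields = ["client", "server", "answer"]
    print(pdns_query_url(fields, "A", "nsm.metaflows.com.", EXAMPLE_TIME, EXAMPLE_TIME))
    print(select_records(RECORDS, fields, "A", "nsm.metaflows.com.", EXAMPLE_TIME, EXAMPLE_TIME))
```

Only the first record survives the filter. One caveat for anyone implementing the server side of this: `fields` arrives as client-supplied names, so a controller that turns it into a SQL projection should check each name against its known column list before it touches the query.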
Echidna Architecture
Echidna UI:
ü 100% JavaScript
ü Client-side MVC using Google’s AngularJS
ü HTML5 stuff
ü Focus on usability without compromising aesthetics
Login
PassiveDNS View
Session (cxtracker) View
Event (alert) View
Echidna as an API
Open Source GPLv2
Turns out, this is Alpha stage
• Not feature complete
• Not production ready
• Frequent updates
• Features are being added
• Focused on NSM for analysts
We expect an evolution to Beta in about 2 weeks
Development
Server/Agents – Perl / Mojolicious
Low Level Components – C/C++
User Interface – JavaScript / AngularJS
Protocol – REST / WebSockets
Team
Edward Fjellskål (ebf0) – Analyst
Ian Firns (firnsy) – Coder
Eduardo Urias (larsx2) – Coder
Future (not too far away)
ü OISF - Open Information Security Foundation: Suricata’s next big friend!
ü Bro IDS engine integration: cool tools should hang together!
ü Cassandra/Hadoop support: sometimes things get out of control.
ü Full text search support: I am looking at you, ElasticSearch ಠ_ಠ!
Wanted!
JavaScript Hackers! – Jump in for the development of a fully featured client side UI for security analysis
Perl/Python Hackers! – Help us create components/plugins for our framework to support more services!
C/C++ Hackers! – Want to build new specialized components for network analysis on extremely fast networks?
Props to:
ü Richard Bejtlich
ü Bamm Visscher
ü Matt Jonkman
ü David McNelis
ü Ian Firns
ü Edward Bjarte
ü Dustin Webber
Because in one way or another they all helped make this talk possible
Contact Me
ü @larsx2
ü edw.urias [at] gmail.com
ü IRC -> #snort-gui and #nsmframework
ü Cel. +521 6621 <deadbeef>
ü github.com/firnsy/echidna-refresh