Open Source Security Orchestration
Gregory Pickett, Hellfire Security, Cybersecurity Operations (@shogun7273)
SACON International 2017 | India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Overview
• How This All Began
• Orchestrating All The Things
• Behold Skynet
• Making It Better
• Wrapping Up
Original Question
• Multiple Cloud Servers
• All Using Fail2Ban to Protect Themselves
• Can I share Fail2Ban jails between these Servers?
Other Questions
• How do we get to threats in time?
• How do we make sure that the evidence gets captured?
• How do we make sure that the threat is stopped before it is too late?
• How do we do this with a limited staff?
This Is Because
• Security Operations
  • Monitor The Enterprise
  • Process Alerts (or Correlations)
  • Kick Off Incident Response
• Despite Multitude of Solutions
  • Still A Manual Process!
  • Each Solution Kicked Off In Sequence By Us
• A Lot of Time Is Wasted Being A Bridge Between Systems
What I Want
• Keep Doing What You're Doing
• Talk Directly To Each Other
• Get What You Need from Each Other
• Leave Me Out Of It
How This Would Work
Use Cases
Generate Threat Intelligence Feed
• Receives Events From Peers
• Generates A Blacklist from Source of Threat Events
• Use With Anything That Can Consume A Blacklist
  • Firewalls
  • Endpoint Solutions
  • Detection Tools
• Share The Blacklist with Vendors, Partners, and Colleagues
Firewall Rule Propagation
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Blocks Source of Threat Events
• Distributes Events Among Peers
  • Host Firewall
  • Network Firewall
Drop Propagation
• Drops Source of Threat Events
• Distributes Events Among Peers
  • Web Application Firewalls
  • Intrusion Prevention Systems
Prevent Known Threats
• Receives Events From External Threat Feeds
  • Host Firewall
  • Network Firewall
• Blocks Source of Threat Events
NAT to Honeypot
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Redirects Source of Threat Away From Assets
NAT to Tarpit
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Slows Down Source of Threat
Capture Threat Activity
• Receives Events From Peers
  • Switches
  • Routers
  • Firewalls
• Runs Packet Capture on Source of Threat Activity
Inject Beacon
• Receives Events From Peers
  • FTP Server
  • File Servers
  • HoneyPots
• Drops Beacon into Path of Source of Threat Activity
Redirect Traffic
• Receives Events From Peers
  • Routers
  • Firewalls
• Changes the Route for Source of Threat Activity
  • Run Their Traffic Through Different Segment
  • Segment Contains Additional Inline Sensors
  • Afterwards, It Proceeds to Destination
Reporting Threats
• Receives Events From Peers
  • Email Server
• Reports Source of Threat to Abuse Address
Host Isolation
• Receives Events From Peers
  • Switches
  • Routers
  • Firewalls
• Applies ACL to Target of Threat Activity
Additional Logging
• Receives Events From Peers
  • Switch
  • Router
  • Firewall
  • Server
  • Application
• Verbose Logging for Source of Threat Activity
• Verbose Logging for Target of Threat Activity
Trigger Password Resets
• Receives Events From Peers
  • LDAP
  • Active Directory
  • Radius
  • TACACS+
• Starts Password Reset Process for Target of Threat
Security Orchestration
Vendor Solutions
• Swimlane
• Hexadite
• Siemplify
• Security Orchestrator
• Phantom
• Cybersponse
This is the World According to Cybersponse
What They Do
• Provide Context (Meta-SIEM)
  • Import existing cases into platform
  • Acquire additional data on adversary, target, or payload
  • Push Out to Other Platforms
• Workflow and Reporting
• Decision Making and Execution
• Perform Incident Response
  • Delete files and kill processes
  • Force password changes and disable accounts
  • Block addresses
How They Do It
• Machine to Controller
  • Connected Only to Controller
  • Messages Only the Controller
  • Events Shared Only with the Controller
• Nodes exist in a hierarchy
  • Slaved to The Controller
  • Just Execute Commands Given
• Centralized, Limited in Scope, and Expensive
Doesn't Really Solve My Problem
• Still Requires Intervention
  • Instead of being dependent on me
  • It is now dependent on me and my expensive solution
Open Source Solutions
• Share Fail2Ban Jails
  • Ban Actions, Custom Scripts, and Cron Jobs
  • Ban actions and shared file mount
  • Vallumd
• Import Known Threats into Fail2Ban
  • Custom Scripts
• NAT iptables threats to HoneyPot
  • psad and Custom Scripts
• Report Fail2Ban threat to Abuse
  • www.blocklist.de
How They Do It
• Machine to Machine
  • Direct Connections to Each Other
  • Messaging Each Other
  • Sharing Events
• Nodes Retain Autonomy
  • They keep doing their job
  • Expand their visibility
We Are Getting Closer
• Does Not Require Intervention
• Limited Use Cases
  • Messages Too Closely Tied To Specific Use
  • Can Only Be Used For Original Purpose
  • Now Dependent On Function
Adaptive Network Protocol (ANP)
• Shares Events Between Systems In Common Format
• Events Are Stored Locally
• Peers Make Use of Shared Events How They See Fit
  • fail2ban
  • modsecurity
  • iptables
Server A
Server B
Protocol
• Sharing
  • Multicast to Local Peers
  • Unicast to Remote Peers
• Messages
  • Add Threat Event
  • Remove Threat Event
Protocol
• Operations
  • Sends and Receives from local peers on UDP Port 15000
  • Receives from remote peers on TCP Port 15000
  • Every message signed with SHA256 (keyed with the configured Salt; this is a shared-secret check, so every peer that holds the Salt can produce a valid signature)
• Rules
  • The Signature Must Be A Good Signature
  • If Already Known, Do Not Share
  • Do Not Reflect Back To The Source
Packet
• Version is 1 Byte
• Type is 1 Byte
• Event is Variable
• Signature is 64 Bytes (the length of a hex-encoded SHA-256 digest)
Messages
• Add Threat Event
  • Address
  • Time-To-Live (TTL)
• Remove Threat Event
  • Address
  • Time-To-Live (TTL)
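The exchange the Protocol, Packet and Messages slides describe, as an added Python example written for this page; it is not the ANP package's own implementation. Everything the deck leaves unspecified is an assumption here: the type codes 1 and 2, the "address,ttl" event text, and HMAC-SHA256 keyed with the shared Salt as the 64-byte hex "signature". The UDP multicast and TCP unicast transport on port 15000 is replaced by direct function calls so the three forwarding rules can be exercised offline on a constructed three-node chain.

```python
import hashlib
import hmac

# Wire layout from the deck: version (1 byte) | type (1 byte) | event (variable)
# | signature (64 bytes). The type codes, the "address,ttl" event text and the
# HMAC-SHA256 construction (hex digest = 64 bytes) are assumptions of this example.
VERSION = 1
ADD_THREAT = 1
REMOVE_THREAT = 2
SIG_LEN = 64


def sign(body, salt):
    """Keyed SHA-256 over version|type|event, hex-encoded to 64 bytes (assumed)."""
    return hmac.new(salt, body, hashlib.sha256).hexdigest().encode("ascii")


def encode(msg_type, address, ttl, salt):
    """Build one ANP packet for an Add/Remove Threat event."""
    event = "%s,%d" % (address, ttl)                  # assumed event encoding
    body = bytes([VERSION, msg_type]) + event.encode("ascii")
    return body + sign(body, salt)


def decode(packet, salt):
    """Rule 1: the signature must be good. Returns (type, address, ttl) or None."""
    if len(packet) < 2 + SIG_LEN:
        return None
    body, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
    if not hmac.compare_digest(sig, sign(body, salt)):
        return None                                   # forged, tampered, or wrong salt
    if body[0] != VERSION or body[1] not in (ADD_THREAT, REMOVE_THREAT):
        return None
    try:
        address, ttl = body[2:].decode("ascii").split(",")
        return body[1], address, int(ttl)
    except ValueError:
        return None


class Node:
    """One ANP peer: a local event store plus the three forwarding rules."""

    def __init__(self, name, salt, peers):
        self.name = name
        self.salt = salt
        self.peers = set(peers)       # peers this node shares events with
        self.known = {}               # address -> expiry time (seconds)

    def originate(self, msg_type, address, ttl, now):
        """Apply an event locally and return the packet to send to every peer."""
        self._apply(msg_type, address, ttl, now)
        return encode(msg_type, address, ttl, self.salt)

    def receive(self, packet, source, now):
        """Return the set of peers the packet is forwarded to (may be empty)."""
        parsed = decode(packet, self.salt)
        if parsed is None:
            return set()                              # rule 1: bad signature, drop
        msg_type, address, ttl = parsed
        if not self._apply(msg_type, address, ttl, now):
            return set()                              # rule 2: already known, do not share
        return self.peers - {source}                  # rule 3: do not reflect to source

    def _apply(self, msg_type, address, ttl, now):
        """Update the local store; False means the event changed nothing."""
        if msg_type == ADD_THREAT:
            if self.known.get(address, 0) > now:
                return False
            self.known[address] = now + ttl
            return True
        if address not in self.known:
            return False
        del self.known[address]
        return True


def flood(nodes, origin, packet, now):
    """Deliver a packet hop by hop from origin; returns the (src, dst) hops taken."""
    hops = []
    queue = [(packet, origin, peer) for peer in sorted(nodes[origin].peers)]
    while queue:
        pkt, src, dst = queue.pop(0)
        hops.append((src, dst))
        for nxt in sorted(nodes[dst].receive(pkt, src, now)):
            queue.append((pkt, dst, nxt))
    return hops


def demo(salt=b"constructed-demo-salt"):
    """A -> B -> C chain: add a threat, replay it to B, then remove it (constructed)."""
    nodes = {"A": Node("A", salt, ["B"]),
             "B": Node("B", salt, ["A", "C"]),
             "C": Node("C", salt, ["B"])}
    add = nodes["A"].originate(ADD_THREAT, "203.0.113.7", 7200, now=1000)
    add_hops = flood(nodes, "A", add, now=1000)
    replay = nodes["B"].receive(add, "A", now=1001)   # duplicate from A: rule 2 stops it
    rem = nodes["A"].originate(REMOVE_THREAT, "203.0.113.7", 7200, now=1002)
    remove_hops = flood(nodes, "A", rem, now=1002)
    return {"add_hops": add_hops, "replay_forwarded": sorted(replay),
            "remove_hops": remove_hops,
            "known_after_remove": {n: sorted(x.known) for n, x in nodes.items()}}
```

The check is symmetric: every peer in the Group holds the same Salt, so any of them can originate an Add Threat for an arbitrary address (banning it across the federation) or a Remove Threat for a real attacker. Nothing in the packet layout carries a timestamp or nonce either, so a captured Add packet can be replayed after its TTL has aged out. Treat the Salt as a federation-wide secret and peer only with parties you would let write to your firewalls.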
Peering
• Local
  • Same Network
• Remote
  • Across Same Location
  • Across Different Locations
  • Link-up Cloud Resources
  • Different Networks
Single Location
Multiple Locations
Trusted Partner or Vendor
Cloud Assets
Communities
Interfaces
What They Do
• Purpose
  • Publish Events to ANP
  • Pull Events From ANP
• Components
  • Supporting
  • Writer
  • Reader
• Operations
  • Publishes via Loopback interface
  • Pulls from ANP via published lists
Native
• Integrated Solution
  • ANP installed on the same system
  • Reads and Writes Locally
• Examples
  • Fail2Ban
  • Iptables
  • modsec
Surrogate
• Stand Alone Solution
  • ANP installed on a different system
  • Reads and Writes to the Remote (Stand Alone) Solution
• Examples
  • ASA
  • Switch
  • Router
Existing Interfaces
Fail2Ban
• Pulls Events
  • Reads Threat Events from ANP
  • Adds Threats to Jail
• Publishes Events
  • Writes Jailed Addresses to ANP
• Because of ANP Aging, this means threats stay jailed for 24 hours
• Mistakes can be reversed using an additional tool to inject a Remove Threat event
Blacklist
• Pulls Events
  • Reads Threat Events from ANP
  • Adds Threats to Blacklist
• Distribute for Internal or External Use
  • Detecting
  • Blocking
  • Threat Indicator
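The Blacklist interface above and the Generate Threat Intelligence Feed use case earlier both come down to one job: replay the locally stored ANP events, age them out, and emit a list other tools can consume. The following is an added Python example of that reader written for this page, not code from the ANP package. The event tuple shape, the rule that a Remove event suppresses re-adds for its own TTL (one reading of the Remove Tool slide's two-hour expiration), and ipset as the consuming firewall are assumptions made here; the event sample is constructed.

```python
import ipaddress

DEFAULT_TTL = 24 * 3600   # the deck: ANP aging keeps a threat for 24 hours

# Constructed sample of the local ANP event store this reader pulls from. The
# (kind, address, ttl, received_at) tuple shape is an assumption of this example.
SAMPLE_EVENTS = [
    ("add",    "203.0.113.7",  DEFAULT_TTL, 0),
    ("add",    "198.51.100.9", 7200,        0),
    ("add",    "not-an-ip",    DEFAULT_TTL, 0),      # junk a peer might send
    ("add",    "192.0.2.5",    DEFAULT_TTL, 3600),
    ("remove", "192.0.2.5",    7200,        3700),   # operator's Remove Tool
    ("add",    "192.0.2.5",    DEFAULT_TTL, 4000),   # late copy from a slower peer
]


def build_blacklist(events, now):
    """Replay events in arrival order; return {address: expiry} for threats still live.

    A Remove event clears the address and (assumption) suppresses re-adds for its
    TTL, so a stale copy of the original Add from another peer cannot re-list it.
    """
    live, suppressed = {}, {}
    for kind, address, ttl, seen in sorted(events, key=lambda e: e[3]):
        try:
            address = str(ipaddress.ip_address(address))   # normalise, reject junk
        except ValueError:
            continue
        if kind == "remove":
            live.pop(address, None)
            suppressed[address] = seen + ttl
        elif kind == "add":
            if suppressed.get(address, 0) > seen:
                continue
            live[address] = max(live.get(address, 0), seen + ttl)
    return {a: exp for a, exp in live.items() if exp > now}   # aging


def render_plain(blacklist):
    """One address per line: the threat-indicator form detection tools consume."""
    return "\n".join(sorted(blacklist)) + "\n"


def render_ipset(blacklist, now, setname="anp_blacklist"):
    """ipset restore input with per-entry timeouts, so the kernel ages entries too
    (assumes ipset as the consuming firewall)."""
    lines = ["create %s hash:ip timeout 0" % setname]
    for address in sorted(blacklist):
        remaining = int(blacklist[address] - now)
        lines.append("add %s %s timeout %d" % (setname, address, remaining))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bl = build_blacklist(SAMPLE_EVENTS, now=5000)
    print(render_plain(bl))
    print(render_ipset(bl, now=5000))
```

Feed the ipset form to `ipset -exist restore` so an already-present set or entry refreshes its timeout instead of failing, and reference the set from a single iptables rule (`-m set --match-set anp_blacklist src -j DROP`) rather than one rule per address; the plain form is what gets shared with vendors, partners and colleagues.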
modsec
• Publishes Its Events
  • Writes Attacker Addresses to ANP
• Pair with iptables interface
  • NAT attackers to Honeypot
iptables
• Pulls Events
  • Reads Threat Events from ANP
  • NATs Threats from Local Webserver to Local Honeypot
• High Interaction Honeypot of Your Website?
  • Log Their Activity
  • Include a beacon?
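The NAT step of the iptables interface, as an added Python example written for this page rather than the interface's own code: read the PREROUTING rules the web server already has in the nat table, work out which attackers from still-live ANP events need a DNAT to the honeypot, and produce the exact iptables argv to add or remove. The addresses, ports and the `iptables -t nat -S PREROUTING` output are constructed; WEBSERVER and HONEYPOT stand in for the interface's two settings.

```python
import re

# Constructed sample of `iptables -t nat -S PREROUTING` on the web server, in the
# iptables-save style that -S prints: one stale DNAT for an attacker whose ANP
# event has already aged out, plus an unrelated rule that must be left alone.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -s 198.51.100.9/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.20:8080
-A PREROUTING -p tcp -m tcp --dport 8443 -j REDIRECT --to-ports 443
"""

WEBSERVER = "192.0.2.10"       # the interface's Webserver setting (assumed value)
HONEYPOT = "192.0.2.20:8080"   # the interface's Honeypot setting (assumed value)
PORT = 80

RULE_RE = re.compile(
    r"^-A PREROUTING -s (?P<src>[\d.]+)/32 -d (?P<dst>[\d.]+)/32 -p tcp -m tcp "
    r"--dport (?P<port>\d+) -j DNAT --to-destination (?P<to>[\d.]+:\d+)$")


def rule_spec(attacker, webserver=WEBSERVER, honeypot=HONEYPOT, port=PORT):
    """Match spec shared by -I and -D: attacker -> webserver:port is rewritten to honeypot."""
    return ["PREROUTING", "-s", attacker, "-d", webserver, "-p", "tcp",
            "--dport", str(port), "-j", "DNAT", "--to-destination", honeypot]


def current_redirects(rules_text, webserver=WEBSERVER, honeypot=HONEYPOT, port=PORT):
    """Attackers already NATed to the honeypot, parsed from -S output."""
    found = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if (m and m.group("dst") == webserver and m.group("to") == honeypot
                and int(m.group("port")) == port):
            found.add(m.group("src"))
    return found


def desired_from_events(events, now):
    """Attackers whose ANP Add Threat event (address, expiry) has not aged out."""
    return {address for address, expiry in events if expiry > now}


def reconcile(desired, current):
    """argv lists (no shell) that move the nat table from `current` to `desired`."""
    cmds = []
    for attacker in sorted(desired - current):
        # -I, not -A: the attacker-specific rule must sit above any general DNAT
        cmds.append(["iptables", "-t", "nat", "-I"] + rule_spec(attacker))
    for attacker in sorted(current - desired):
        # aged out or removed: delete by the exact same spec
        cmds.append(["iptables", "-t", "nat", "-D"] + rule_spec(attacker))
    return cmds


if __name__ == "__main__":
    # Constructed event store: one live threat, one that expired at t=4000.
    events = [("203.0.113.7", 9000), ("198.51.100.9", 4000)]
    for argv in reconcile(desired_from_events(events, now=5000),
                          current_redirects(SAMPLE_RULES)):
        print(" ".join(argv))
```

Two things to check before relying on this in the NAT-to-honeypot use case: DNAT is decided when conntrack sees the first packet of a connection, so an attacker's session that is already open stays on the real web server until they reconnect; and if the honeypot is a separate host, the web server needs ip_forward enabled and the honeypot needs a return path (or SNAT) for the redirected traffic to complete. PREROUTING never sees locally generated traffic, which is the right behaviour here.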
Sharing Also Provides
• Increased Visibility
  • We don't change our enterprise
  • Everything Keeps Doing Its Job
  • We are giving them greater visibility to do so
• Ability to Be Proactive
Expanded Visibility
Emerges With Sharing
• Cooperative Behavior
• Ability for the Enterprise To Act On Its Own
Cooperative Behavior
Building Skynet
Acting To Defend The Network
Acting To Investigate A Threat
Acting To Respond To An Incident
Demonstrations
Our Systems
Acting To Defend The Network
Remove Tool
• Local ANP Agent
  • Your System or Other Network Asset
  • One Way Peering to Federation
• Run The Script
  • Shares "Remove Threat" event
  • Sets the Threat Expiration To Two Hours
• Don't Forget To Clear Any Logs That Started It All (otherwise the jail can be re-triggered from them and the address published again)
Removing Threats
Technical Details
Requirements for ANP and Interfaces
• Python
  • Tested with Python 2.7.x
  • Should work with Python 3.6.x
• Other Open Source Software As Required
  • iptables
  • modsec
  • Fail2ban
  • Etc.
Installation of ANP and Interfaces
1. Download package
2. Unzip package
3. Run "python setup.py install"
4. Check "readme.txt" for any additional steps
Configuration for ANP
• Defaults Will Work Best
• Only Need to Change
  • Group
  • Salt
• Occasionally Need to Set
  • Peers
  • Debug
Configuration for Fail2Ban
• Defaults Will Work Best
• Only Need to Change
  • Jail
  • Prefix
• Occasionally Need to Set
  • Debug
Configuration for Blacklist
• Defaults Will Work Best
• Only Need to Change
  • Blacklist
• Occasionally Need to Set
  • Debug
Configuration for modsec
• Defaults Will Work Best
• Only Need to Change
  • Log
• Occasionally Need to Set
  • Debug
Configuration for iptables
• Defaults Will Work Best
• Only Need to Change
  • Webserver
  • Honeypot
• Occasionally Need to Set
  • Debug
Demonstrations
Our Community
• Associate with Our WAP (Sacon Community)
• Start Your VM
• Peer with Other Attendees
  • Find Your Address In the List
  • Peer With The System Above You
  • Peer With The System Below You
• This will be the salt: SSttczghHYrU5fNE
Building Community
Threat Actor
• Change Your Root Passwords
• Wait for the Attacks
  • Attempted Logins
  • Scanned Websites
• Check Response
  • Check Blacklist
  • Check iptables
  • Check fail2ban

fail2ban-client status sshd
iptables -t nat -L
Introduce Threats
Extending ANP
Refresher on Interfaces
• Purpose
  • Publish Events to ANP
  • Pull Events From ANP
• Components
  • Supporting
  • Writer
  • Reader
• Operations
  • Publishes via Loopback interface
  • Pulls from ANP via published lists
Setup
<Supporting>
<Reader>
<Writer>
Reader
Reader (Fail2Ban)
Writer
Writer (Fail2Ban)
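The Fail2Ban interface described under Existing Interfaces (pull ANP events into the jail, publish jailed addresses back out) and the Reader/Writer pair this Extending ANP section builds, as one added Python example written for this page; it is not the package's own Reader (Fail2Ban) or Writer (Fail2Ban) code. The status output is a constructed sample; the jail name is an assumed value and the 24-hour TTL follows the deck; the interface's Prefix setting is not modelled because the deck does not say what it does. The `fail2ban-client status`, `set <jail> banip` and `set <jail> unbanip` commands are real fail2ban-client commands.

```python
import re
import subprocess

JAIL = "sshd"            # the interface's Jail setting (assumed value)
JAIL_TTL = 24 * 3600     # the deck: ANP aging keeps a jailed address for 24 hours

# Constructed sample of `fail2ban-client status sshd` output.
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     14
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   203.0.113.7 198.51.100.9
"""

BANNED_RE = re.compile(r"Banned IP list:\s*(.*)$", re.M)


def jailed_addresses(status_text):
    """Writer side: the addresses the jail currently bans, parsed from status output."""
    m = BANNED_RE.search(status_text)
    return set(m.group(1).split()) if m else set()


def writer_events(status_text, ttl=JAIL_TTL):
    """Writer side: Add Threat events to publish to ANP, one per jailed address."""
    return [("add", addr, ttl) for addr in sorted(jailed_addresses(status_text))]


def reader_commands(events, status_text, jail=JAIL):
    """Reader side: one fail2ban-client argv per ANP event that changes the jail.

    Events are (kind, address, ttl); bans already present and unbans for
    addresses not in the jail are skipped so the reader is idempotent.
    """
    banned = jailed_addresses(status_text)
    cmds = []
    for kind, addr, _ttl in events:
        if kind == "add" and addr not in banned:
            cmds.append(["fail2ban-client", "set", jail, "banip", addr])
        elif kind == "remove" and addr in banned:
            cmds.append(["fail2ban-client", "set", jail, "unbanip", addr])
    return cmds


def run(argv):
    """Execute one command without a shell; only used when run as a script."""
    proc = subprocess.run(argv, check=True, stdout=subprocess.PIPE,
                          universal_newlines=True)
    return proc.stdout


if __name__ == "__main__":
    status = run(["fail2ban-client", "status", JAIL])
    print(writer_events(status))                     # what the Writer would publish
    # Constructed ANP event, as the Reader would pull it from the published list.
    for argv in reader_commands([("add", "192.0.2.77", JAIL_TTL)], status):
        run(argv)
```

Two consequences worth knowing before deploying a pair like this. The writer publishes everything in the jail, including the addresses the reader banned on behalf of a peer; the protocol's "if already known, do not share" rule is what stops those going round the federation again, so the reader must feed the same local ANP store the writer reads. And Fail2Ban's own bantime is independent of ANP's 24-hour aging: when the jail releases an address early, the reader will re-ban it on its next pass as long as the ANP event is still live, which is the intended behaviour but can surprise anyone reading the jail's ban counts.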
Making It Better
Needed Improvements
• Additional Message Types
  • Add Target Event
  • Remove Target Event
• More Interfaces!
• Peer Groups
• Filters for Peers and Messages
• Inclusion of IPv6 Addressing
Future Direction
• Internet of Things
• Reporting Events
• Export to STIX/TAXII
Making The Difference
• Machine To Machine Communication Solves Many Problems
• It Doesn't Have To Be The Apocalypse
• With It We Can
  • Get To The Threat On Time
  • Make Sure Evidence is Captured
  • Make Sure That The Threat Is Stopped
• We Can Do It With A Limited Staff
Final Thoughts
• It's Common To Kill Problems with Money and People
• Understanding Your Problem Means Better Results
• Enabling Synergies
  • Self Defending Networks
  • Self Investigating Networks
  • Self Responding Networks
Adaptive Network Protocol (ANP)
SHA1 hash is 976b9e004641f511c9f3eef770b5426478e8646a
Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Blacklist
SHA1 hash is 6fdf91572909e97c5f6e005c93da0524a03463c8
Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Fail2Ban
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/

iptables
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/

modsec
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
Links
• https://cybersponse.com/
• https://www.hexadite.com/
• https://www.phantom.us/
• https://www.siemplify.co/
• https://www.fireeye.com/products/security-orchestrator.html
• https://swimlane.com/
• https://www.saas-secure.com/online-services/fail2ban-ip-sharing.html
• http://www.blocklist.de/en/download.html
• https://www.blackhillsinfosec.com/configure-distributed-fail2ban/
• https://stijn.tintel.eu/blog/2017/01/08/want-to-share-your-fail2ban-ip-blacklists-between-all-your-machines-now-you-can
• https://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips
• https://github.com/fail2ban/fail2ban/issues/874
• https://superuser.com/questions/940600/iptables-redirect-blocked-ips-from-one-chain-to-a-honeypot
• http://cipherdyne.org/psad/
• https://taxiiproject.github.io/
• https://stixproject.github.io/
Questions