SecOps Workshop (Gregory Pickett)

SACON

SACONInternational2017

GregoryPickettHellfireSecurity

CybersecurityOperations@shogun7273

India|Bangalore|November10– 11|HotelLalitAshok

OpenSourceSecurityOrchestration

SACON 2017

• HowThisAllBegan• OrchestratingAllTheThings• BeholdSkynet• MakingItBetter• WrappingUp

Overview

SACON 2017

• MultipleCloudServers• AllUsingFail2BantoProtectThemselves• CanIshareFail2BanjailsbetweentheseServers?

OriginalQuestion

SACON 2017

• Howdowegettothreatsintime?• Howdowemakesurethattheevidencegetscaptured?• Howdowemakesurethatthethreatisstoppedbeforeitistoolate?• Howdowedothiswithalimitedstaff?

OtherQuestions

SACON 2017

• SecurityOperations• MonitorTheEnterprise• ProcessAlerts(orCorrelations)• KickOffIncidentResponse

• DespiteMultitudeofSolutions• StillAManualProcess!• EachSolutionKickedOffInSequenceByUs

• ALotofTimeIsWastedBeingABridgeBetweenSystems

ThisIsBecause

SACON 2017

• KeepDoingWhatYourDoing• TalkDirectlyToEachOther• GetWhatYouNeedfromEachOther• LeaveMeOutOfIt

WhatIWant

SACON 2017

HowThisWouldWork

SACON 2017

UseCases

SACON 2017

• ReceivedEventsFromPeers• GenerateABlacklistfromSourceofThreatEvents• UseWithAnythingThatCanConsumeABlacklist• Firewalls• EndpointSolutions• DetectionTools

• ShareTheBlacklistwithVendors,Partners,andColleagues

GenerateThreatIntelligenceFeed

SACON 2017

• ReceivesEventsFromPeers• HostFirewall• NetworkFirewall

• BlocksSourceofThreatEvents• DistributesEventsAmongPeers• HostFirewall• NetworkFirewall

FirewallRulePropagation

SACON 2017

• DropSourceofThreatEvents• DistributesEventsAmongPeers• WebApplicationFirewalls• IntrusionPreventionSystems

DropPropagation

SACON 2017

• ReceivesEventsFromExternalThreatFeeds• HostFirewall• NetworkFirewall

• BlocksSourceofThreatEvents

PreventKnownThreats

SACON 2017


• RedirectsSourceofThreatAwayFromAssets

NATtoHoneypot

SACON 2017


• SlowsDownSourceofThreat

NATtoTarpit

SACON 2017

• ReceivesEventsFromPeers• Switches• Routers• Firewalls

• RunsPacketCaptureonSourceofThreatActivity

CaptureThreatActivity

SACON 2017

• ReceivesEventsFromPeers• FTPServer• FileServers• HoneyPots

• DropsBeaconintoPathofSourceofThreatActivity

InjectBeacon

SACON 2017

• ReceivesEventsFromPeers• Routers• Firewalls

• ChangestheRouteforSourceofThreatActivity• RunTheirTrafficThroughDifferentSegment• SegmentContainsAdditionalInlineSensors• Afterwards,ItProceedstoDestination

RedirectTraffic

SACON 2017

• ReceivesEventsFromPeers• EmailServer

• ReportsSourceofThreattoAbuseAddress

ReportingThreats

SACON 2017

• ReceivesEventsFromPeers• Switches• Routers• Firewalls

• AppliesACLtoTargetofThreatActivity

HostIsolation

SACON 2017

• ReceivesEventsFromPeers• Switch• Router• Firewall• Server• Application

• VerboseLoggingforSourceofThreatActivity• VerboseLoggingforTargetofThreatActivity

AdditionalLogging

SACON 2017

• ReceivesEventsFromPeers• LDAP• ActiveDirectory• Radius• TACACS+

• StartsPasswordResetProcessforTargetofThreat

TriggerPasswordResets

SACON 2017

SecurityOrchestration

SACON 2017

• Swimlane• Hexadite• Siemplify• SecurityOrchestrator• Phantom• Cybersponse

VendorSolutions

SACON 2017

ThisistheWorld

According to Cybersponse

SACON 2017

• ProvideContext(Meta-SIEM)• Importexistingcasesintoplatform• Acquireadditionaldataonadversary,target,orpayload• PushOuttoOtherPlatforms

• WorkflowandReporting• DecisionMakingandExecution• PerformIncidentResponse

• Deletefilesandkillsprocesses• Forcepasswordchangesanddisablesaccounts• Blockaddresses

WhatTheyDo

SACON 2017

• MachinetoController• ConnectedOnlytoController• MessagesOnlytheController• EventsSharedOnlywiththeController

• Nodesexistsinahierarchy• SlavedtoTheController• JustExecuteCommandsGiven

• Centralized,LimitedinScope,andExpensive

HowTheyDoIt

SACON 2017

• StillRequiresIntervention• Insteadofbeingdependentonme• Itisnowdependentonmeandmyexpensivesolution

Doesn’tReallySolveMyProblem

SACON 2017

• ShareFail2BanJails• BanActions,CustomScripts,andCronJobs• Banactions,andsharedfilemount• Vallumd

• ImportKnownThreatsintoFail2Ban• CustomScripts

• NATiptablesthreatstoHoneyPot• psadandCustomScripts

• ReportFail2BanthreattoAbuse• www.blocklist.de

OpenSourceSolutions

SACON 2017

• MachinetoMachine• DirectConnectionstoEachOther• MessagingEachOther• SharingEvents

• NodesRetainsAutonomy• Theykeepdoingtheirjob• Expandtheirvisibility

HowTheyDoIt

SACON 2017

• DoesNotRequireIntervention• LimitedUseCases

• MessagesTooCloselyTiedToSpecificUse• CanOnlyBeUsedForOriginalPurpose• NowDependentOnFunction

WeAreGettingCloser

SACON 2017

• SharesEventsBetweenSystemsInCommonFormat• EventsAreStoredLocally• PeersMakeUseofSharedEventsHowTheySeeFit

• fail2ban• modsecurity• iptables

AdaptiveNetworkProtocol(ANP)

SACON 2017

ServerA

SACON 2017

ServerB

SACON 2017

• Sharing• MulticasttoLocalPeers• UnicasttoRemotePeers

• Messages• AddThreatEvent• RemoveThreatEvent

Protocol

SACON 2017

• Operations• SendsandReceivesfromlocalpeersonUDPPort15000

• ReceivesfromremotepeersonTCPPort15000

• EverymessagesignedwithSHA256

• Rules• TheSignatureMustBeAGoodSignature• IfAlreadyKnown,DoNotShare• DoNotReflectBackToTheSource

Protocol

SACON 2017

• Versionis1Byte• Typeis1Byte• EventisVariable• Signatureis64Bytes

Packet

SACON 2017

Packet

SACON 2017

• AddThreatEvent• Address• Time-To-Live(TTL)

• RemoveThreatEvent• Address• Time-To-Live(TTL)

Messages

SACON 2017

• Local• Remote

• SameNetwork• AcrossSameLocation• AcrossDifferentLocations• Link-upCloudResources

• DifferentNetworks

Peering

SACON 2017

SingleLocation

SACON 2017

MultipleLocations

SACON 2017

TrustedPartnerorVendor

SACON 2017

CloudAssets

SACON 2017

Communities

SACON 2017

Interfaces

SACON 2017

• Purpose• PublishEventstoANP• PullEventsFromANP

• Components• Supporting• Writer• Reader

• Operations• PublishesviaLoopbackinterface• Pullsfromviapublishedlists

WhatTheyDo

SACON 2017

WhatTheyDo

SACON 2017

• IntegratedSolution• ANPinstalledonthesamesystem• ReadandWritesLocally

• Examples• Fail2Ban• Iptables• modsec

Native

SACON 2017

• StandAloneSolution• ANPinstalledonadifferentsystem• ReadandWritestotheRemote(StandAlone)Solution

• Examples• ASA• Switch• Router

Surrogate

SACON 2017

Surrogate

SACON 2017

ExistingInterfaces

SACON 2017

• PullsEvents• ReadsThreatEventsfromANP• AddsThreatstoJail

• PublishesEvents• WritesJailedAddressestoANP

• BecauseofANPAging,thismeansthreatsstayjailedfor24hours• MistakescanbereversedusinganadditionaltooltoinjectaRemoveThreatevent

Fail2Ban

SACON 2017

• PullsEvents• ReadsThreatEventsfromANP• AddsThreatstoBlacklist

• DistributeforInternalorExternalUse• Detecting• Blocking• ThreatIndicator

Blacklist

SACON 2017

• PublishesItsEvents• WritesAttackerAddressestoANP

• Pairwithiptablesinterface• NATattackerstoHoneypot

modsec

SACON 2017

• PullsEvents• ReadsThreatEventsfromANP• NATsThreatsfromLocalWebservertoLocalHoneypot

• HighInteractionHoneypotofYourWebsite?• LogTheirActivity• Includeabeacon?

iptables

SACON 2017

• IncreasedVisibility• Wedon’tchangeourenterprise• EverythingKeepsDoingItsJob• Wearegivingthemgreatervisibilitytodoso

• AbilitytoBeProactive

SharingAlsoProvides

SACON 2017

ExpandedVisibility

SACON 2017

• CooperativeBehavior• AbilityfortheEnterpriseToActOnItsOwn

EmergesWithSharing

SACON 2017

CooperativeBehavior

SACON 2017

BuildingSkynet

SACON 2017

ActingToDefendTheNetwork

SACON 2017

ActingToInvestigateAThreat

SACON 2017

ActingToRespondToAnIncident

SACON 2017

Demonstrations

SACON 2017

OurSystems

SACON 2017

ActingToDefendTheNetwork

SACON 2017

• LocalANPAgent• YourSystemorOtherNetworkAsset• OneWayPeeringtoFederation

• RunTheScript• Shares“RemoveThreat”event• SetstheThreatExpirationToTwoHours

• Don’tForgetToClearAnyLogsThatStartedItAll

RemoveTool

SACON 2017

RemovingThreats

SACON 2017

TechnicalDetails

SACON 2017

• Python• TestedwithPython2.7.x• ShouldworkwithPython3.6.x

• OtherOpenSourceSoftwareAsRequired• iptables• modsec• Fail2ban• Etc.

RequirementsforANPandInterfaces

SACON 2017

1.Downloadpackage2.Unzippackage3.Run“pythonsetup.pyinstall”4.Check“readme.txt”foranyadditionalsteps

InstallationofANPandInterfaces

SACON 2017

ConfigurationforANP

SACON 2017

• DefaultsWillWorkBest• OnlyNeedtoChange

• Group• Salt

• OccasionallyNeedtoSet• Peers• Debug

ConfigurationforANP

SACON 2017

ConfigurationforFail2Ban

SACON 2017


• Jail• Prefix

• OccasionallyNeedtoSet• Debug

ConfigurationforFail2Ban

SACON 2017

ConfigurationforBlacklist

SACON 2017


• Blacklist• OccasionallyNeedtoSet

• Debug

ConfigurationforBlacklist

SACON 2017

Configurationformodsec

SACON 2017


• Log• OccasionallyNeedtoSet

• Debug

Configurationformodsec

SACON 2017

Configurationforiptables

SACON 2017


• Webserver• Honeypot

• OccasionallyNeedtoSet• Debug

Configurationforiptables

SACON 2017

Demonstrations

SACON 2017

• AssociatewithOurWAP(SaconCommunity)• StartYourVM• PeerwithOtherAttendees

• FindYourAddressIntheList• PeerWithTheSystemAboveYou• PeerWithTheSystemBelowYou

• Thiswillbethesalt:SSttczghHYrU5fNE

OurCommunity

SACON 2017

BuildingCommunity

SACON 2017

• ChangeYourRootPasswords• WaitfortheAttacks

• AttemptedLogins• ScannedWebsites

• CheckResponse• CheckBlacklist• Checkiptables• Checkfail2ban

ThreatActor

fail2ban-client status sshdiptables -t nat -L

SACON 2017

IntroduceThreats

SACON 2017

ExtendingANP

SACON 2017

• Purpose• PublishEventstoANP• PullEventsFromANP

• Components• Supporting• Writer• Reader

• Operations• PublishesviaLoopbackinterface• Pullsfromviapublishedlists

RefresheronInterfaces

SACON 2017

Setup

<Supporting>

<Reader>

<Writer>

SACON 2017

Reader

SACON 2017

Reader(Fail2Ban)

SACON 2017

Writer

SACON 2017

Writer(Fail2Ban)

SACON 2017

MakingItBetter

SACON 2017

• AdditionalMessageTypes• AddTargetEvent• RemoveTargetEvent

• MoreInterfaces!• PeerGroups• FiltersforPeersandMessages• InclusionofIPv6Addressing

NeededImprovements

SACON 2017

• InternetofThings• ReportingEvents• ExporttoSTIX/TAXII

FutureDirection

SACON 2017

• MachineToMachineCommunicationSolvesManyProblems• ItDoesn’tHaveToBeTheApocalypse• WithItWeCan• GetToTheThreatOnTime• MakeSureEvidenceisCaptured• MakeSureThatTheThreatIsStopped

• WeCanDoItWithALimitedStaff

MakingTheDifference

SACON 2017

• ItsCommonToKillProblemswithMoneyandPeople• UnderstandingYourProblemMeansBetterResults• EnablingSynergies• SelfDefendingNetworks• SelfInvestigatingNetworks• SelfRespondingNetworks

FinalThoughts

SACON 2017

AdaptiveNetworkProtocol(ANP)

SHA1 hash is 976b9e004641f511c9f3eef770b5426478e8646aUpdates can be found at https://adaptive-network-protocol.sourceforge.io/

SACON 2017

Blacklist

SHA1 hash is 6fdf91572909e97c5f6e005c93da0524a03463c8Updates can be found at https://adaptive-network-protocol.sourceforge.io/

SACON 2017

Fail2Ban

SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9Updates can be found at https://adaptive-network-protocol.sourceforge.io/

SACON 2017

iptables


SACON 2017

modsec


SACON 2017

• https://cybersponse.com/• https://www.hexadite.com/• https://www.phantom.us/• https://www.siemplify.co/• https://www.fireeye.com/products/security-orchestrator.html• https://swimlane.com/• https://www.saas-secure.com/online-services/fail2ban-ip-sharing.html• http://www.blocklist.de/en/download.html• https://www.blackhillsinfosec.com/configure-distributed-fail2ban/• https://stijn.tintel.eu/blog/2017/01/08/want-to-share-your-fail2ban-ip-blacklists-between-all-your-machines-now-you-can• https://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips• https://github.com/fail2ban/fail2ban/issues/874

Links

SACON 2017

• https://superuser.com/questions/940600/iptables-redirect-blocked-ips-from-one-chain-to-a-honeypot• http://cipherdyne.org/psad/• https://taxiiproject.github.io/• https://stixproject.github.io/

Links

SACON 2017

Questions

SecOps Workshop (Gregory Pickett)

Technology