Unity Makes Strength“Why keep this valuable information in a corner?”

SOURCE Dublin 2013

$ whoami

• Xavier Mertens (@xme)

• Consultant @ day

• Blogger @ night

• BruCON co-organizer2

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

3

Agenda

• Some facts

• Current situation

• Toolbox

• Examples

4

Defense vs. Attack• Offensive security is funny

(w00t! We break things)

• Defensive security can alsobe fun!(proud to not be pwn3d ;-)

• “Know your enemy!”

5

Welcome to Belgium!

6

Welcome to Belgium!

7

Belgique, België, Belgien

But with a very complicated political landscape!

8

Belgian Motto

“L’union fait la force”

(“Unity Makes Strength”)

9

And Infosec?

Why not apply this to our security infrastructures?

10

Agenda

• Some facts

• Current situation

• Toolbox

• Examples

11

Initial Situation

Firewall IDS Proxy MalwareAnalysis

Action Action Action Action

12

Then Came the god “SIEM”

Firewall IDS Proxy MalwareAnalysis

Logs Logs Logs Logs

Centralized Logging Solutions / SIEM13

Weaknesses?

• Independent solutions

• Static configurations

• Only logs are centralized

• No global protection

• Useful data not shared

• Real-time protection not easy

14

The Value of Data

• IP addresses

• User names

• URLs

• Domains

• Digests (MD5, SHA1, etc)

15

Multiple Sources

• Online repositories

• Internal resources

• Automatic process

16

Nothing New!

Input OutputProcess

17

Back to the Roots

• REXX is a scripting languageinvented by IBM.

• ARexx was implemented inAmigaOS in 1987.

• Allow applications having anARexx interface tocommunicate to exchangedata.

18

RTFM!

• Security is a big market ($$$)

• The “Microsoft Office” effect(<10% of features really used)

• Invest time to learn how yourproducts work.

• Be a hacker: Learn how it workand make it work like you want.

19

Backdoors...

• CLI

• WebAPI (JSON, XML)

• Databases

• Scripting languages

• Serial console

20

Protocols

• HTTP(S)

• TFTP

• SSH

• SNMP

• IF-MAP

• Proprietary tools (dbedit)

21

Automation is the Key

• We’re all lazy people!

• Expect!use Expect;my $e = Expect->new();my $c = “ssh $user\@$host”;$e = Expect->spawn($c) or die “No SSH?”;$e->Expect($timeout, [

qr’password: $’,sub {

my $fh = shift;print $fh $password\n”;

}]

22

A New Architecture

Firewall IDS Proxy Malware Analysis

Logs Logs Logs Logs

Centralized Logging Solutions / SIEM23

Action Action Action Action

Toolbox

Agenda

• Some facts

• Current situation

• Toolbox

• Examples

24

HTTPS

• Generate an API key

https://10.0.0.1/api/?type=keygen&user=foo&password=bar

• Submit XML requests

https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>

25

Snort-Rules Generator

• Lot of Security tools accept Snort rules

use Snort::Rulemy $rule = Snort::Rule->new(

-action => ‘alert’,-proto => ‘tcp’,-src => ‘10.0.0.1’,-sport => ‘any’,-dst => ‘any’,-dport => ‘any’,

);$rule->opts(‘msg’, ‘Detect traffic from 10.0.0.1’);$rule->opts(‘sid’, ‘666666’);

26

IF-MAP• Open standard to allow authorized devices

to publish/search relevant information

• Information could be

• IP

• Login

• Location (devices)

• Domain

27

IF-MAP

use Ifmap;use Ifmap::Util;my $r=Ifmap::Request::NewSession->new();my $ip=Ifmap::Identifier::IpAddress->new(ip_address, ‘10.0.0.1’);my $mac=Ifmap::Identifier::MacAddress->new(mac_address, ‘aa:bb:cc:dd:ee:ff ’);my $id = Ifmap::Identifier::Identity->new(name=> ‘john’, type=>‘username’);my $meta=Ifmap::Metadata::Element->new(name=>‘name’, value=‘employee’);

28

SNMP

$ snmpset 10.0.1 Pr1v4t3 .1.3.6.1.4.1.9.2.1.53.10.0.2 acl.tmp

29

• SNMP can be used to push configuration changes

• Example:

• Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2

TCL

event manager applet Interface_Eventevent syslog pattern “.*UPDOWN.*FastEthernet0/1.* \ changed state to .*”event 1.0 cli command “tclsh flash:notify.tcl”

30

• Cisco devices have a framework called EEM: “Embedded Event Manager”

• Example:

• The router may communicate information based on its status

Puppet

31

• Configuration Management Software

• Deploy security patches

• Manage SSH keys

• Modify thousands of servers in one shot

“DevOps to the rescue”

The Conductor

• OSSEC

• Log Management

• Active-Response

• Powerful alerts engine

32

Action? Reaction!

• Example of OSSEC rule<rule id=”100101” level=”5” frequency=”5” timeframe=”60”>

<match>access denied</match><group>invalid_login,</group>

</rule>

<active-response><command>ad-block-user</command><location>local</location><rules_id>100101</rules_id>

</active-response>

33

Agenda

• Some facts

• Current situation

• Toolbox

• Examples

34

$ cat disclaimer2.txt

<warning>Some slides contain examples based

on open source as well as v€ndor$ solutions.I’m not affiliated with any of them!

</warning>

35

Online Resources

• DNS-BH$ wget -N http://dns-bh.sagadc.org/domains.txt

• Google SafeBrowsinguse Net::Google::SafeBrowsing2;use Net::Google::SafeBrowsing2:::Sqlite;my gsb = Net::Google::SafeBrowsing2->new(key => “xxx”,storage => Net::Google::SafeBrowsing2::Sqlite->new(file => “google.db”));$gsb->update();my $match = $gsb->lookup(url => “http://evil.com”);if ($match eq MALWARE) { ... }

36

Dynamic Firewall Config• FireEye malware analysis box

• Firewalls

• Checkpoint

• PaloAlto

• IPtables

• <insert your preferred fw $VENDOR here>

• OSSEC

37

Dynamic Firewall Config

FireEye OSSEC PaloAlto

Checkpoint

IPtables

38

Dynamic User Blacklist

• Syslog Concentrator

• OSSEC

• SSL VPN

• LDAP directory

39

Dynamic User Blacklist

sshd OSSEC LDAP

sshd

sshd$ ldapmodify -D ‘cn=admin’ -w ‘pass’ \dn:uid=jdoe,o=acme.org \changetype: modify \replace:userpassword \userpassword:newpass

40

SMTP Malware Analysis

• Postfix MTA

• Cuckoo

• CuckooMX (Perl)

41

SMTP Malware Analysis

CuckooMXPostfix Cuckoo

42

MySQL Self-Defense

• MySQL Server

• MySQL Proxy

• lib_mysqludf_log

43

MySQL Self-Defense

mysql-proxyclient mysqld

44

error.log

Controls

• Security first!

• Strong controls must be implemented

• Authentication/Authorization

• Could break your compliance

• Use an OoB network

• Risk of DoS!

45

Conclusions

• Don’t buy just “a box”

• RTFM

• Control

• It’s up to you!

46

Thank You!

Questions?

No? Beers!

47