Unity Makes Strength (SOURCE Dublin 2013)
DESCRIPTION
This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.
TRANSCRIPT
Unity Makes Strength
“Why keep this valuable information in a corner?”
SOURCE Dublin 2013
$ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger @ night
• BruCON co-organizer
$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• Some facts
• Current situation
• Toolbox
• Examples
Defense vs. Attack
• Offensive security is funny (w00t! We break things)
• Defensive security can also be fun! (proud to not be pwn3d ;-)
• “Know your enemy!”
Welcome to Belgium!
Belgique, België, Belgien
But with a very complicated political landscape!
Belgian Motto
“L’union fait la force”
(“Unity Makes Strength”)
And Infosec?
Why not apply this to our security infrastructures?
Agenda
• Some facts
• Current situation
• Toolbox
• Examples
Initial Situation
(diagram) Firewall, IDS, Proxy, Malware Analysis: each device takes its own Action
Then Came the god “SIEM”
(diagram) Firewall, IDS, Proxy, Malware Analysis each send Logs to the Centralized Logging Solutions / SIEM
Weaknesses?
• Independent solutions
• Static configurations
• Only logs are centralized
• No global protection
• Useful data not shared
• Real-time protection not easy
The Value of Data
• IP addresses
• User names
• URLs
• Domains
• Digests (MD5, SHA1, etc)
Multiple Sources
• Online repositories
• Internal resources
• Automatic process
Nothing New!
(diagram) Input → Process → Output
Back to the Roots
• REXX is a scripting language invented by IBM.
• ARexx was implemented in AmigaOS in 1987.
• Allows applications having an ARexx interface to communicate and exchange data.
RTFM!
• Security is a big market ($$$)
• The “Microsoft Office” effect (<10% of features really used)
• Invest time to learn how your products work.
• Be a hacker: learn how it works and make it work like you want.
Backdoors...
• CLI
• WebAPI (JSON, XML)
• Databases
• Scripting languages
• Serial console
Protocols
• HTTP(S)
• TFTP
• SSH
• SNMP
• IF-MAP
• Proprietary tools (dbedit)
Automation is the Key
• We’re all lazy people!
• Expect!
    use Expect;
    my $e = Expect->new();
    my $c = "ssh $user\@$host";
    $e = Expect->spawn($c) or die "No SSH?";
    # wait for the password prompt, then send the password
    $e->expect($timeout, [
        qr'password: $', sub {
            my $fh = shift; print $fh "$password\n";
        }
    ]);
A New Architecture
(diagram) Firewall, IDS, Proxy, Malware Analysis send Logs to the Centralized Logging Solutions / SIEM; a Toolbox turns the SIEM output into an Action on each device
Agenda
• Some facts
• Current situation
• Toolbox
• Examples
HTTPS
• Generate an API key
https://10.0.0.1/api/?type=keygen&user=foo&password=bar
• Submit XML requests
https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
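The same keygen/set style of call, as an added Python example (not code from the talk or from any vendor SDK): it validates the object name before it goes into the xpath, URL-encodes the xpath and element so the angle brackets survive the query string, and reads the status out of the XML reply. The host, key, vsys and the <response status="..."> reply layout are assumptions.

```python
import re
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

API = "https://10.0.0.1/api/"            # management address from the slide
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,63}$")


def address_xpath(name, vsys="vsys1"):
    """XPath to an address object, in the layout the slide uses.

    Names usually come from a feed (malware analysis box, SIEM alert), so
    they are checked before being spliced into the xpath."""
    if not NAME_RE.match(name):
        raise ValueError("unsafe object name: %r" % name)
    return ("/config/device/entry[@name=localhost]/vsys/entry[@name=%s]"
            "/address/entry[@name=%s]" % (vsys, name))


def set_address_url(key, name, ip_netmask, description):
    """Build the 'set' request URL; urlencode escapes '<', '>' and '/'
    which would otherwise corrupt the query string when pasted raw."""
    element = ("<ip-netmask>%s</ip-netmask><description>%s</description>"
               % (ip_netmask, description))
    query = {"type": "config", "key": key, "action": "set",
             "xpath": address_xpath(name), "element": element}
    return API + "?" + urlencode(query)


def parse_response(xml_text):
    """Return (status, message) from an assumed <response status=...>
    reply; a malformed body is reported as an error instead of raising."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ("error", "unparseable response: %s" % e)
    if root.tag != "response":
        return ("error", "unexpected root element " + root.tag)
    status = root.get("status", "error")
    msg = root.findtext("./msg/line") or root.findtext("./msg") or ""
    return (status, msg.strip())
```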
Snort-Rules Generator
• Lots of security tools accept Snort rules
    use Snort::Rule;
    my $rule = Snort::Rule->new(
        -action => 'alert', -proto => 'tcp',
        -src => '10.0.0.1', -sport => 'any',
        -dst => 'any', -dport => 'any',
    );
    $rule->opts('msg', 'Detect traffic from 10.0.0.1');
    $rule->opts('sid', '666666');
IF-MAP
• Open standard to allow authorized devices to publish/search relevant information
• Information could be
  • IP
  • Login
  • Location (devices)
  • Domain
IF-MAP
    use Ifmap;
    use Ifmap::Util;
    my $r = Ifmap::Request::NewSession->new();
    my $ip = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
    my $mac = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
    my $id = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
    my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
SNMP
• SNMP can be used to push configuration changes
• Example: router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
    $ snmpset -v1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
TCL
• Cisco devices have a framework called EEM: “Embedded Event Manager”
• Example: the router may communicate information based on its status
    event manager applet Interface_Event
     event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
     action 1.0 cli command "tclsh flash:notify.tcl"
Puppet
• Configuration Management Software
• Deploy security patches
• Manage SSH keys
• Modify thousands of servers in one shot
“DevOps to the rescue”
The Conductor
• OSSEC
• Log Management
• Active-Response
• Powerful alerts engine
Action? Reaction!
• Example of OSSEC rule
    <rule id="100101" level="5" frequency="5" timeframe="60">
      <match>access denied</match>
      <group>invalid_login,</group>
    </rule>

    <active-response>
      <command>ad-block-user</command>
      <location>local</location>
      <rules_id>100101</rules_id>
    </active-response>
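The decision logic an active-response script such as ad-block-user could run before it touches the directory, as an added Python example (not code from the talk or from OSSEC): OSSEC hands the script the action (add/delete), the user and the source IP as arguments, and the script refuses anything that is not a clean request against an ordinary account, so a flood of forged "access denied" lines cannot lock out privileged users. The protected-account list and the argument order are assumptions.

```python
import re
import sys

# accounts that must never be disabled automatically (placeholder list)
PROTECTED = {"administrator", "krbtgt", "svc_backup"}
USER_RE = re.compile(r"^[a-z0-9._-]{1,64}$")
ACTIONS = {"add", "delete"}


def decide(argv, protected=PROTECTED):
    """Return (verdict, reason, user) for an OSSEC-style argument vector
    assumed to be: <action> <user> <srcip> [alert_id rule_id ...].

    verdict is 'block', 'unblock' or 'skip'; only 'block'/'unblock'
    should lead to a directory change."""
    if len(argv) < 3:
        return ("skip", "too few arguments", None)
    action, user = argv[0], argv[1].strip().lower()
    if action not in ACTIONS:
        return ("skip", "unknown action %r" % action, None)
    if not USER_RE.match(user):          # no shell metacharacters, DNs, spaces
        return ("skip", "user name fails syntax check", None)
    if user in protected:
        return ("skip", "protected account", user)
    return ("block" if action == "add" else "unblock", "ok", user)


def main(argv):
    verdict, reason, user = decide(argv)
    # placeholder: the real script would call ldapmodify / the AD API here
    print("%s %s: %s" % (verdict, user, reason))
    return 0 if verdict != "skip" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```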
Agenda
• Some facts
• Current situation
• Toolbox
• Examples
$ cat disclaimer2.txt
<warning>Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them!</warning>
Online Resources
• DNS-BH
    $ wget -N http://dns-bh.sagadc.org/domains.txt
• Google SafeBrowsing
    use Net::Google::SafeBrowsing2;
    use Net::Google::SafeBrowsing2::Sqlite;
    my $gsb = Net::Google::SafeBrowsing2->new(
        key     => "xxx",
        storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
    );
    $gsb->update();
    my $match = $gsb->lookup(url => "http://evil.com");
    if ($match eq MALWARE) { ... }
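Putting the DNS-BH feed and the Snort-rules generator slide together, as an added Python example (not code from the talk, DNS-BH or Snort::Rule): it parses a domains.txt style list, drops comments, duplicates and malformed lines so a bad feed entry cannot break the rule set, and emits one rule per domain that matches the name in DNS wire format (length-prefixed labels). The input list is a constructed sample and the sid range is an assumption.

```python
import re

# constructed sample in the one-domain-per-line layout of domains.txt
SAMPLE_LIST = """\
# constructed sample feed
evil.example
Evil.Example
bad-host.example.net   # trailing comment
not a domain!
"""

LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def parse_domain_list(text):
    """Yield unique, lower-cased, syntactically valid domains in file
    order; comments, blank lines and junk are skipped."""
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or line in seen:
            continue
        labels = line.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
            continue
        seen.add(line)
        yield line


def dns_wire_content(domain):
    """Snort content string for the name as it appears in a DNS query:
    each label preceded by its length byte, terminated by a zero byte."""
    parts = ["|%02X|%s" % (len(l), l) for l in domain.split(".")]
    return "".join(parts) + "|00|"


def snort_rule(domain, sid):
    return ('alert udp $HOME_NET any -> any 53 (msg:"DNS query for '
            'blocklisted domain %s"; content:"%s"; nocase; sid:%d; rev:1;)'
            % (domain, dns_wire_content(domain), sid))


def generate_rules(text, first_sid=1000001):
    """One rule per domain, sids allocated from the local (>= 1000000) range."""
    return [snort_rule(d, first_sid + i)
            for i, d in enumerate(parse_domain_list(text))]
```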
Dynamic Firewall Config
• FireEye malware analysis box
• Firewalls
  • Checkpoint
  • PaloAlto
  • IPtables
  • <insert your preferred fw $VENDOR here>
• OSSEC
Dynamic Firewall Config
(diagram) FireEye → OSSEC → PaloAlto, Checkpoint, IPtables
Dynamic User Blacklist
• Syslog Concentrator
• OSSEC
• SSL VPN
• LDAP directory
Dynamic User Blacklist
(diagram) sshd, sshd, sshd → OSSEC → LDAP
    $ ldapmodify -D 'cn=admin' -w 'pass' <<EOF
    dn: uid=jdoe,o=acme.org
    changetype: modify
    replace: userpassword
    userpassword: newpass
    EOF
SMTP Malware Analysis
• Postfix MTA
• Cuckoo
• CuckooMX (Perl)
SMTP Malware Analysis
(diagram) Postfix → CuckooMX → Cuckoo
MySQL Self-Defense
• MySQL Server
• MySQL Proxy
• lib_mysqludf_log
MySQL Self-Defense
(diagram) client → mysql-proxy → mysqld; error.log
Controls
• Security first!
• Strong controls must be implemented
• Authentication/Authorization
• Could break your compliance
• Use an OoB network
• Risk of DoS!
Conclusions
• Don’t buy just “a box”
• RTFM
• Control
• It’s up to you!
Thank You!
Questions?
No? Beers!