Unity Makes Strength discusses how security tools and systems can benefit from sharing information and coordinating responses through open communication. The presentation outlines examples of using common protocols and APIs to integrate firewalls, intrusion detection, malware analysis and other tools. Dynamic integration allows the systems to automatically update configurations and block threats in real-time based on intelligence from multiple sources. While powerful, proper controls and testing are needed to avoid potential risks from increased connectivity.
1. Unity Makes Strength
“Why keep this valuable information in a corner?”
hashdays 2012 - Xavier Mertens
2. $ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger @ night
• BruCON co-organizer
3. $ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
5. Defense vs. Attack
• Offensive security is funny
(w00t! We break things)
• Defensive security can also
be fun!
(proud to not be pwn3d ;-)
• “Know your enemy!”
13. Then Came the god “SIEM”
[Diagram: Firewall, IDS, Proxy and Malware Analysis each produce Logs, which all feed a Centralized Logging Solution / SIEM]
14. Weaknesses?
• Independent solutions
• Static configurations
• Only logs are centralized
• No global protection
• Useful data not shared
• Real-time protection not easy
15. The Value of Data
• IP addresses
• User names
• URLs
• Domains
• Digests (MD5, SHA1, etc)
18. Back to the Roots
• REXX is a scripting language invented by IBM.
• ARexx was implemented in AmigaOS in 1987.
• Applications with an ARexx interface can communicate with each other to exchange data.
19. RTFM!
• Security is a big market ($$$)
• The “Microsoft Office” effect (<10% of features really used)
• Invest time to learn how your products work.
• Be a hacker: learn how it works and make it work the way you want.
22. Automation is the Key
• We’re all lazy people!
• Expect!
use Expect;
# $user, $host, $password and $timeout are set elsewhere (e.g. from a config file)
my $c = "ssh $user\@$host";   # '@' must be escaped in a double-quoted string
my $e = Expect->spawn($c) or die "No SSH?";
$e->expect($timeout,
    [
        qr/password: $/,
        sub {
            my $fh = shift;
            print $fh "$password\n";
        }
    ]
);
25. HTTPS
• Generate an API key
https://10.0.0.1/api/?type=keygen&user=foo&password=bar
• Submit XML requests
https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
26. Snort-Rules Generator
• Lots of security tools accept Snort rules
use Snort::Rule;
my $rule = Snort::Rule->new(
    -action => 'alert',
    -proto  => 'tcp',
    -src    => '10.0.0.1',
    -sport  => 'any',
    -dst    => 'any',
    -dport  => 'any',
);
$rule->opts('msg', 'Detect traffic from 10.0.0.1');
$rule->opts('sid', '666666');
print $rule->string, "\n";   # emit the rule text for the tools that consume it
27. IF-MAP
• Open standard to allow authorized devices
to publish/search relevant information
• Information could be
• IP
• Login
• Location (devices)
• Domain
28. IF-MAP
use Ifmap;
use Ifmap::Util;
my $r    = Ifmap::Request::NewSession->new();
my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
29. SNMP
• SNMP can be used to push configuration changes
• Example:
$ snmpset -v 1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
• Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
30. TCL
• Cisco devices have a framework called EEM: “Embedded Event Manager”
• Example:
event manager applet Interface_Event
 event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
 action 1.0 cli command "tclsh flash:notify.tcl"
• The router may communicate information based on its status
34. $ cat disclaimer2.txt
<warning>
Some slides contain examples based
on open source as well as v€ndor$ solutions.
I’m not affiliated with any of them!
</warning>
35. Online Resources
• DNS-BH
$ wget -N http://dns-bh.sagadc.org/domains.txt
• Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2::Sqlite;
my $gsb = Net::Google::SafeBrowsing2->new(
    key     => "xxx",
    storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
);
$gsb->update();
my $match = $gsb->lookup(url => "http://evil.com");
if ($match eq MALWARE) { ... }
44. Controls
• Security first!
• Strong controls must be implemented
• Authentication/Authorization
• Could break your compliance
• Use an OoB network
• Risk of DoS!
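The rule generator of slide 26 and the controls of slide 44 meet in the following added example (not code from the slides): a Python generator that turns a shared indicator feed into Snort rules, but refuses entries that would block your own address ranges or corrupt the rule syntax. The sample feed, the protected ranges and the SID base are constructed assumptions.

```python
import ipaddress

LOCAL_SID_BASE = 1_000_000  # SIDs below this are reserved for distributed rule sets

# Ranges a shared feed must never turn into a block rule: if a feed lists your own
# gateway or DNS server, the automation would DoS you. Assumed list; extend it.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample feed, as an IDS or a partner's blocklist might deliver it.
SAMPLE_INDICATORS = [
    "198.51.100.23",
    "203.0.113.77",
    "198.51.100.23",           # duplicate: must not yield a second rule
    "10.0.0.1",                # an internal router: refusing it avoids self-DoS
    "evil.example",            # a domain; this generator only handles addresses
    "203.0.113.77; drop all",  # malformed entry that would corrupt the rule text
]

def check_indicator(raw, seen):
    """Return (ip, None) if raw may become a rule, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None, "not an IP address"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None, "special-purpose address"
    for net in PROTECTED_NETWORKS:
        if ip in net:
            return None, f"protected range {net}"
    if ip in seen:
        return None, "duplicate"
    return ip, None

def generate_rules(indicators, first_sid=LOCAL_SID_BASE):
    """Turn raw indicators into Snort rules; also return what was rejected and why."""
    rules, rejected, seen = [], [], set()
    sid = first_sid
    for raw in indicators:
        ip, reason = check_indicator(raw, seen)
        if ip is None:
            rejected.append((raw, reason))
            continue
        seen.add(ip)
        # msg is built only from the validated address, so feed content cannot
        # smuggle quotes or semicolons into the rule syntax.
        rules.append(f'alert ip {ip} any -> any any '
                     f'(msg:"Blocklisted host {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules, rejected
```

Log the rejected list rather than silently dropping it: a feed that suddenly lists your own infrastructure is itself a signal worth an alert.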
Welcome to my presentation! Let’s talk about some ways to improve our daily security. Q: How many of you have responsibilities to maintain security configurations?
A few words about me. My name is Xavier Mertens, I’m working for a big telco company in .be (security consultant). My second life (at night) is my blog, some projects like pastemon, or giving some spare time to the community (BruCON).

I consider myself a defensive security guy. But to defend properly, you need to know how attacks work.
I’m coming from Belgium, a small country in the heart of Europe.
Belgium is well known for its beers, waffles and “moules-frites” dishes.
Three regions, three official languages (FR, NL, GE), hundreds of ministers.

In most networks, security solutions were deployed in “silos”. Each component (firewall, IDS, ...) had a specific job and executed it independently of the others.

Something suspicious detected in zone “a” cannot protect zone “b” or “c”.

Manual input: it’s a pain! Online repositories: trust?

In fact, there is nothing new. In IT, everything is based on input/output. We have “data” (input) which is processed to generate new “data” (output).

Security is a big market. Products are very expensive. You must investigate how to extract as much power as possible from them. Don’t be a victim of the Microsoft Office effect. Read manuals and explore!
All security solutions have backdoors (in the positive sense ;-).
Checkpoint provides a dbedit command line tool to manage the objects DB.