Unity makes strength

Security devices work in silos and do not share useful data. This presentation proposes an architecture that allows such devices or applications to be dynamically reconfigured to increase the overall security of the assets.

  1. Unity Makes Strength
     “Why keep this valuable information in a corner?”
     hashdays 2012 - Xavier Mertens
  2. $ whoami
     • Xavier Mertens (@xme)
     • Consultant @ day
     • Blogger @ night
     • BruCON co-organizer
  3. $ cat disclaimer.txt
     “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  4. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
  5. Defense vs. Attack
     • Offensive security is funny (w00t! We break things)
     • Defensive security can also be fun! (proud to not be pwn3d ;-)
     • “Know your enemy!”
  6. Welcome to Belgium!
  7. Welcome to Belgium!
  8. Belgique, België, Belgien
     But with a very complicated political landscape!
  9. Belgian Motto
     “L’union fait la force” (“Unity Makes Strength”)
  10. And Infosec?
     Why not apply this to our security infrastructures?
  11. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
  12. Initial Situation
     (Diagram: Malware Analysis, Firewall, IDS and Proxy each take their own Action, independently of each other.)
  13. Then Came the god “SIEM”
     (Diagram: Malware Analysis, Firewall, IDS and Proxy each send their Logs to a Centralized Logging Solution / SIEM.)
  14. Weaknesses?
     • Independent solutions
     • Static configurations
     • Only logs are centralized
     • No global protection
     • Useful data not shared
     • Real-time protection not easy
  15. The Value of Data
     • IP addresses
     • User names
     • URLs
     • Domains
     • Digests (MD5, SHA1, etc.)
  16. Multiple Sources
     • Online repositories
     • Internal resources
     • Automatic process
  17. Nothing New!
     Input → Process → Output
  18. Back to the Roots
     • REXX is a scripting language invented by IBM.
     • ARexx was implemented in AmigaOS in 1987.
     • It allows applications with an ARexx interface to communicate and exchange data.
  19. RTFM!
     • Security is a big market ($$$)
     • The “Microsoft Office” effect (<10% of features really used)
     • Invest time to learn how your products work.
     • Be a hacker: learn how it works and make it work the way you want.
  20. Backdoors...
     • CLI
     • WebAPI (JSON, XML)
     • Databases
     • Scripting languages
     • Serial console
  21. Protocols
     • HTTP(S)
     • TFTP
     • SSH
     • SNMP
     • IF-MAP
     • Proprietary tools (dbedit)
  22. Automation is the Key
     • We’re all lazy people!
     • Expect!
       use Expect;
       # spawn the ssh client and answer the password prompt automatically
       my $c = "ssh $user\@$host";
       my $e = Expect->spawn($c) or die "No SSH?";
       $e->expect($timeout,
           [ qr/password: $/, sub { my $fh = shift; print $fh "$password\n"; } ],
       );
  23. A New Architecture
     (Diagram: a Toolbox sits between the Firewall, IDS, Proxy and Malware Analysis and drives each one’s Action; all of them still send their Logs to the Centralized Logging Solution / SIEM.)
  24. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
  25. HTTPS
     • Generate an API key:
       https://10.0.0.1/api/?type=keygen&user=foo&password=bar
     • Submit XML requests:
       https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/config/device/entry[@name=localhost]/vsys/entry[@name=vsys1]/address/entry[@name=NewHost]&element=<ip-netmask>192.168.0.1</ip-netmask><description>Test</description>
  26. Snort-Rules Generator
     • Lots of security tools accept Snort rules
       use Snort::Rule;
       my $rule = Snort::Rule->new(
           -action => 'alert',
           -proto  => 'tcp',
           -src    => '10.0.0.1',
           -sport  => 'any',
           -dst    => 'any',
           -dport  => 'any',
       );
       $rule->opts('msg', 'Detect traffic from 10.0.0.1');
       $rule->opts('sid', '666666');
  27. IF-MAP
     • Open standard to allow authorized devices to publish/search relevant information
     • Information could be:
       • IP
       • Login
       • Location (devices)
       • Domain
  28. IF-MAP
       use Ifmap;
       use Ifmap::Util;
       my $r    = Ifmap::Request::NewSession->new();
       my $ip   = Ifmap::Identifier::IpAddress->new(ip_address => '10.0.0.1');
       my $mac  = Ifmap::Identifier::MacAddress->new(mac_address => 'aa:bb:cc:dd:ee:ff');
       my $id   = Ifmap::Identifier::Identity->new(name => 'john', type => 'username');
       my $meta = Ifmap::Metadata::Element->new(name => 'name', value => 'employee');
  29. SNMP
     • SNMP can be used to push configuration changes
     • Example:
       $ snmpset -v1 -c Pr1v4t3 10.0.0.1 .1.3.6.1.4.1.9.2.1.53.10.0.0.2 s acl.tmp
     • Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
  30. TCL
     • Cisco devices have a framework called EEM: “Embedded Event Manager”
     • Example:
       event manager applet Interface_Event
        event syslog pattern ".*UPDOWN.*FastEthernet0/1.* changed state to .*"
        action 1.0 cli command "tclsh flash:notify.tcl"
     • The router may communicate information based on its status
  31. The Conductor
     • OSSEC
     • Log Management
     • Active-Response
     • Powerful alerts engine
  32. Action? Reaction!
     • Example of OSSEC rule:
       <rule id="100101" level="5" frequency="5" timeframe="60">
         <match>access denied</match>
         <group>invalid_login,</group>
       </rule>
       <active-response>
         <command>ad-block-user</command>
         <location>local</location>
         <rules_id>100101</rules_id>
       </active-response>
  33. Agenda
     • Some facts
     • Current situation
     • Toolbox
     • Examples
  34. $ cat disclaimer2.txt
     <warning> Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them! </warning>
  35. Online Resources
     • DNS-BH
       $ wget -N http://dns-bh.sagadc.org/domains.txt
     • Google SafeBrowsing
       use Net::Google::SafeBrowsing2;
       use Net::Google::SafeBrowsing2::Sqlite;
       my $gsb = Net::Google::SafeBrowsing2->new(
           key     => "xxx",
           storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
       );
       $gsb->update();
       my $match = $gsb->lookup(url => "http://evil.com");
       if ($match eq MALWARE) { ... }
  36. Dynamic Firewall Config
     • FireEye malware analysis box
     • Firewalls:
       • Checkpoint
       • PaloAlto
       • IPtables
       • <insert your preferred fw $VENDOR here>
     • OSSEC
  37. Dynamic Firewall Config
     (Diagram: FireEye → OSSEC → Checkpoint, PaloAlto, IPtables.)
  38. Dynamic User Blacklist
     • Syslog Concentrator
     • OSSEC
     • SSL VPN
     • LDAP directory
  39. Dynamic User Blacklist
     (Diagram: several sshd hosts → OSSEC → LDAP.)
       $ ldapmodify -D 'cn=admin' -w 'pass'
       dn: uid=jdoe,o=acme.org
       changetype: modify
       replace: userPassword
       userPassword: newpass
  40. SMTP Malware Analysis
     • Postfix MTA
     • Cuckoo
     • CuckooMX (Perl)
  41. SMTP Malware Analysis
     (Diagram: Postfix → CuckooMX → Cuckoo.)
  42. MySQL Self-Defense
     • MySQL Server
     • MySQL Proxy
     • lib_mysqludf_log
  43. MySQL Self-Defense
     (Diagram: client → mysql-proxy → mysqld, with events written to error.log.)
  44. Controls
     • Security first!
     • Strong controls must be implemented
     • Authentication/Authorization
     • Could break your compliance
     • Use an OoB network
     • Risk of DoS!
  45. Conclusions
     • Don’t buy just “a box”
     • RTFM
     • Control
     • It’s up to you!
  46. Thank You!
     Questions?
     Beers!
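The correlation behind the OSSEC rule on slide 32 (five "access denied" matches within 60 seconds trigger ad-block-user, feeding the user blacklist of slides 38 and 39), as an added example that is not from the talk or from OSSEC: a minimal model of the rule's frequency/timeframe semantics, in Python rather than the talk's Perl, run over constructed sshd-style log lines. The log format, host names and addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style lines, not real data: five "access denied" events for
# jdoe within 60 s, one for alice, one accepted login and a late jdoe failure.
SAMPLE_LOGS = """\
2012-11-01 10:00:01 host1 sshd[1201]: access denied for user jdoe from 192.0.2.10
2012-11-01 10:00:09 host2 sshd[1312]: access denied for user jdoe from 192.0.2.10
2012-11-01 10:00:15 host1 sshd[1201]: access denied for user alice from 198.51.100.7
2012-11-01 10:00:21 host3 sshd[1410]: access denied for user jdoe from 192.0.2.10
2012-11-01 10:00:33 host1 sshd[1201]: Accepted publickey for bob from 198.51.100.9
2012-11-01 10:00:40 host2 sshd[1312]: access denied for user jdoe from 192.0.2.10
2012-11-01 10:00:58 host3 sshd[1410]: access denied for user jdoe from 192.0.2.10
2012-11-01 10:05:00 host1 sshd[1201]: access denied for user jdoe from 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
USER_RE = re.compile(r"for user (?P<user>\S+)")

def correlate(logs, match="access denied", frequency=5, timeframe=60):
    """Return (timestamp, user) pairs at which the rule fires.
    Models the slide's <match>, frequency= and timeframe= attributes: the rule
    fires once `frequency` matching events for the same user fall inside a
    sliding window of `timeframe` seconds, whatever host they came from.
    """
    window = defaultdict(deque)  # user -> timestamps of recent matches
    fired = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m or match not in m["msg"]:
            continue  # not an event this rule is interested in
        u = USER_RE.search(m["msg"])
        if not u:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = window[u["user"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()  # expire matches that fell out of the timeframe
        if len(q) >= frequency:
            fired.append((m["ts"], u["user"]))
            q.clear()  # one burst triggers one active response
    return fired

if __name__ == "__main__":
    for ts, user in correlate(SAMPLE_LOGS):
        print(f"{ts}: rule 100101 fired, running ad-block-user for {user}")
```

With the defaults only jdoe's fifth failure at 10:00:58 fires; the late failure at 10:05:00 starts a fresh window, and alice never reaches the threshold.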

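The Input → Process → Output idea of slide 17, applied to the DNS-BH feed of slide 35 and the Snort rule generation of slide 26, as an added example that is not from the talk: in Python rather than the talk's Perl, it normalises a blocklist and emits one Snort DNS-query alert per domain. The feed below is constructed in a simple one-entry-per-line shape with # comments (the real domains.txt layout may differ), the domains are not real indicators, and the sid base 1000001 is an arbitrary choice from the local-rule range.

```python
import re

# Constructed feed in a DNS-BH-like shape (# comments, one entry per line);
# the real domains.txt layout may differ. None of these are real indicators.
SAMPLE_FEED = """\
# constructed blocklist for this example
malware.example
Malware.Example.
  phish.test  
not a domain!
cnc.invalid
"""

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def parse_feed(text):
    """Input: normalise case and trailing dots, drop comments, garbage and duplicates."""
    seen, domains = set(), []
    for raw in text.splitlines():
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        labels = name.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(lab) for lab in labels):
            continue  # not a syntactically valid host name
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains

def dns_wire(domain):
    """Encode a name as DNS length-prefixed labels in Snort |hex| notation,
    so the rule matches the QNAME bytes rather than a dotted string."""
    return "".join(f"|{len(lab):02x}|{lab}" for lab in domain.split(".")) + "|00|"

def snort_rules(domains, sid_base=1000001, rev=1):
    """Output: one DNS-query alert per domain; sids allocated from sid_base."""
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            f'alert udp $HOME_NET any -> any 53 '
            f'(msg:"DNS-BH blacklisted domain {d}"; '
            f'content:"{dns_wire(d)}"; nocase; sid:{sid_base + i}; rev:{rev};)')
    return rules

def build(feed_text, **kw):
    """Process: feed text in, Snort rules out."""
    return snort_rules(parse_feed(feed_text), **kw)

if __name__ == "__main__":
    print("\n".join(build(SAMPLE_FEED)))
```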