Logtrust & Heartbleed
WHITE PAPER: Real-time security and alerting
Turning machine data into business insights
logtrust

Logtrust Heartbleed english · 2020. 8. 13.



INDEX

1. Heartbleed’s Description.

2. Heartbleed’s impact.

3. How Logtrust can help to protect you against Heartbleed.

4. Detecting the bug using Logtrust.

5. Using the Apache debug log.

6. Integrating IDS signatures.

7. Detecting user impersonations.

8. Conclusions.

9. References.


INTRO

Hundreds or even thousands of bugs and new threats appear every day. Some of them may have the potential to cause a huge impact in your infrastructure. A significant vulnerability in OpenSSL, which the security community called “Heartbleed”, was publicized last month and according to the researchers who discovered the flaw, the code has been in OpenSSL for about two years without leaving a trace.


HEARTBLEED’S DESCRIPTION

Encryption works in such a way that data being sent looks like nonsense to anyone but the intended recipient. Occasionally, one computer may want to check that there is still a computer at the other end of its secure connection, so it sends what is known as a heartbeat: a small packet of data that asks for a response. Because of a programming error in OpenSSL's implementation, researchers found that it was possible to send a well-disguised packet that looked like one of these heartbeats and trick the computer at the other end into sending back data stored in its memory. Web servers keep a lot of information in their active memory, including usernames, passwords and even credit card numbers, which could be pulled out of the memory of the servers that power some services.

HEARTBLEED’S IMPACT

The Heartbleed bug has caused widespread anxiety, sent engineers scrambling into patch mode, and likely prompted millions of users to reset their passwords. Most of them are looking at the problem from the point of view of the secure web server and are not actively searching their infrastructure for vulnerabilities. It is important to check the whole infrastructure, because the flaw has made it possible for hackers to steal encryption keys, the codes used to turn encrypted gibberish into readable information. All applications and services that allow access from outside your firewall or VPN, for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software, have a high level of exposure and, once vulnerable, can expose sensitive data. Up to the date of writing this article, the only attack leveraging the bug was reported by Canadian police, who arrested a man who allegedly used Heartbleed to steal user data from the government's tax web site, according to Reuters. The Canada Revenue Agency (CRA) said that about 900 social insurance numbers and possibly other data had been compromised as a result of the attack.

HOW LOGTRUST CAN HELP TO PROTECT YOU AGAINST HEARTBLEED

First of all, given the variety of applications and technologies in most companies, it is difficult to identify which internal apps and assets on the network are reachable by outsiders. Logtrust provides broad visibility over your infrastructure by integrating all your data, regardless of where it was generated or its volume, into a single point for analysis. Moreover, when the Heartbleed bug is exploited it leaks memory contents from the server to the client and leaves no trace of abnormal activity in the logs. Logtrust is a platform able to monitor and alert on “normal traffic”, which means working on much larger data sets (terabytes and petabytes) and looking for patterns over very long periods of time. So, basically, you just have to enable the built-in alerts or define new rules to detect any threat or vulnerability you may be exposed to.

DETECTING THE BUG USING LOGTRUST

Logtrust has developed new rules to detect Heartbleed. Because Heartbleed SSL requests generally leave no trace in the logs of affected devices, an IDS/IPS or a similar traffic-analysis tool is the best way to detect this type of attack. However, we do have a “limited scenario” that allows us to detect Heartbleed requests and infer potential attacks from the log. This scenario can be used as a simple example to demonstrate some Logtrust functions.

USING THE APACHE DEBUG LOG

More specifically, an Apache web server running with debug logging (LogLevel debug in the configuration file) and integrated in Logtrust lets us see the SSL heartbeat requests. The log entry (a screenshot in the original) shows the SSL record header:

- SSL: TLS1_RT_HEARTBEAT (0x18h)
- Protocol version: TLSv1.2 (03, 03)
- Heartbeat message length: 0003

The content of the heartbeat message follows:

- Heartbeat message type: HEARTBEAT_REQUEST (01)
- Heartbeat payload length requested: 0xffffh

This case shows an attempted Heartbleed: the record is only three bytes long (the type byte plus the two-byte length field) yet it declares a 0xffff-byte payload, and a vulnerable server echoes back that many bytes from its memory. The following is not shown in the Apache log:

- The response from the server, which would indicate whether it is vulnerable.
- Once the SSL session has been established the heartbeat message is encrypted, so the log does not let us tell whether the request is legitimate or malicious.

However, we can filter the Heartbleed requests with a regular expression and then group them to detect a high count (search shown as a screenshot in the original). We can then extract the IP address from the message field with a regular expression, cast it to an IP type, filter out private addresses, and create new columns identifying the country and ISP of each address.

We can make a group using the new “Country” column and count the number of countries to identify those from which the most suspicious access attempts were made. We can show the countries and ISP of each one in a graph containing a plot diagram.


We can create a database using the “Dashboard Data Source" option to show this data. The data can be shown in different ways using Logtrust Widgets. We can use the “Comparative Chart” to show the number of suspicious access attempts on a timeline by IP addresses from a specific country and compare their past behavior levels. Finally, we can define a reasonable threshold (number of heartbleed requests per time interval) and change the search into a custom alert. The following alerts have been added to the Webserver library to cover this scenario (for users who have Apache servers with a debug log):

“Apache SSL Heartbleed” notifies you of heartbeat requests and their origin, and “Apache Multiple SSL heartbeat requests” notifies you when multiple heartbeat requests are generated within a given period of time (both alert definitions are shown as screenshots in the original).
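The search described in this section, from filtering heartbeat records through IP extraction, private-address filtering, grouping and a per-interval threshold, as an added Python example. It is not Logtrust's code and not taken from the paper: the sample log lines are constructed to carry the fields the paper's screenshot lists (record type, protocol version, record length, heartbeat type, declared payload length), their layout and the `LINE_RE` regex are assumptions, since real mod_ssl debug output is laid out differently, and the country/ISP enrichment step the paper performs in the platform is left out.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache debug-log lines (assumed layout, see lead-in).
# 198.51.100.7 sends three malformed heartbeats within a minute, 10.0.0.5 is an
# internal address, and 203.0.113.9 sends a well-formed 16-byte heartbeat.
SAMPLE_LOG = """\
[Tue Apr 08 12:00:01 2014] [debug] [client 198.51.100.7] SSL: TLS1_RT_HEARTBEAT (0x18h) version TLSv1.2 (03,03) length 0003 type HEARTBEAT_REQUEST (01) payload 0xffffh
[Tue Apr 08 12:00:01 2014] [debug] [client 198.51.100.7] SSL: TLS1_RT_HEARTBEAT (0x18h) version TLSv1.2 (03,03) length 0003 type HEARTBEAT_REQUEST (01) payload 0xffffh
[Tue Apr 08 12:00:02 2014] [debug] [client 198.51.100.7] SSL: TLS1_RT_HEARTBEAT (0x18h) version TLSv1.2 (03,03) length 0003 type HEARTBEAT_REQUEST (01) payload 0x4000h
[Tue Apr 08 12:00:03 2014] [debug] [client 10.0.0.5] SSL: TLS1_RT_HEARTBEAT (0x18h) version TLSv1.2 (03,03) length 0003 type HEARTBEAT_REQUEST (01) payload 0xffffh
[Tue Apr 08 12:00:04 2014] [debug] [client 203.0.113.9] SSL: TLS1_RT_HEARTBEAT (0x18h) version TLSv1.2 (03,03) length 0013 type HEARTBEAT_REQUEST (01) payload 0x0010h
[Tue Apr 08 12:00:05 2014] [debug] [client 203.0.113.9] SSL: TLS1_RT_HANDSHAKE (0x16h) version TLSv1.2 (03,03) length 004e
"""

# Assumed line layout; adapt to the mod_ssl output of the Apache build in use.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] \[client (?P<ip>[0-9a-fA-F:.]+)\] "
    r"SSL: TLS1_RT_HEARTBEAT .*?length (?P<rec_len>[0-9a-fA-F]{4}) "
    r"type HEARTBEAT_REQUEST .*?payload 0x(?P<payload>[0-9a-fA-F]{4})h"
)

# Private ranges to drop, as the paper does before the country/ISP lookup.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_private_ip(ip):
    """True for RFC 1918, loopback, link-local and IPv6 ULA addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_heartbeat_requests(text):
    """Yield one record per HEARTBEAT_REQUEST line in the debug log."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "ip": m["ip"],
            "rec_len": int(m["rec_len"], 16),
            "payload_len": int(m["payload"], 16),
        }


def is_malformed(rec_len, payload_len):
    """A heartbeat record is type(1) + length(2) + payload + padding, so a
    declared payload longer than rec_len - 3 cannot be present in the record.
    That mismatch is what distinguishes a Heartbleed probe from a heartbeat."""
    return payload_len > rec_len - 3


def suspicious_sources(text, threshold, window_seconds=60):
    """Count malformed heartbeats per public source IP per time window and
    return {ip: highest count in any window} for IPs reaching the threshold."""
    per_window = defaultdict(int)
    for rec in parse_heartbeat_requests(text):
        if is_private_ip(rec["ip"]):
            continue
        if not is_malformed(rec["rec_len"], rec["payload_len"]):
            continue
        window = int(rec["ts"].timestamp() // window_seconds)
        per_window[(rec["ip"], window)] += 1
    worst = defaultdict(int)
    for (ip, _), n in per_window.items():
        worst[ip] = max(worst[ip], n)
    return {ip: n for ip, n in worst.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG, threshold=2).items():
        print(f"{ip}: {n} malformed heartbeat requests in one window")
```

The threshold and window are the two knobs the paper leaves to the operator; the check in `is_malformed` is what turns "many heartbeats" into "heartbeats that could not be legitimate", which keeps a busy but healthy client from tripping the alert.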

One consequence of successful exploitation of this vulnerability is theft or impersonation of user accounts, and even the extraction or recovery of the server's private SSL key. For user impersonation, whenever application logs are integrated in the platform, alerts based on anomalous patterns or on blacklists can help to detect it (examples shown as screenshots in the original).

INTEGRATING IDS SIGNATURES

If IDS devices capable of detecting Heartbleed attempts are deployed and their logs are integrated in the platform, the initial IDS alert can be complemented with some of the alerts mentioned above: for example, confirming or correlating through the source IP that other activity has been performed on the server, adding an intruding IP to blacklists, or observing peaks or anomalous events in connection patterns.

DETECTING USER IMPERSONATIONS

Most of the data generated by systems contains a record of all the user activity, transactions, failures, errors, and so on.


Exploring this data, executing queries and analyzing the results lets you identify patterns and trends, detect security threats, troubleshoot, diagnose service problems, and so on.

After a short period of time you will have a clear understanding of the behavior of your users, including their usual location, the average time they spend on the different domains or connected through the VPN, the browsers they use, etc.

This will allow you to identify, in minutes, anomalous events and track all the attempts to access your data no matter where they happened. Logtrust will allow you to register the IP addresses that are trying to access and identify their location, ISP, the amount of requests performed, and analyze threat signatures from intrusion detection systems.

Besides, Logtrust provides, by default, a wide range of alert libraries that you can enable including Unusual Connections, …
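The user-impersonation detection described in this section and the blacklist correlation from the IDS section, as an added Python example. This is not Logtrust's code and not from the paper: the login events are constructed (already enriched with the country and ISP columns the paper derives from the source IP), the blacklist is a constructed set standing in for IPs an IDS or the earlier heartbeat alert flagged, and the profile attributes (country, ISP, browser, login hour) and the two-deviation rule are assumptions chosen to match the behaviours the text says the platform learns.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: what each user normally looks like.
BASELINE_EVENTS = [
    {"user": "alice", "ts": "2014-04-01T09:12:00", "ip": "198.51.100.20", "country": "ES", "isp": "ISP-A", "agent": "Firefox"},
    {"user": "alice", "ts": "2014-04-02T10:40:00", "ip": "198.51.100.20", "country": "ES", "isp": "ISP-A", "agent": "Firefox"},
    {"user": "alice", "ts": "2014-04-03T14:05:00", "ip": "198.51.100.21", "country": "ES", "isp": "ISP-A", "agent": "Firefox"},
    {"user": "bob", "ts": "2014-04-01T08:30:00", "ip": "198.51.100.40", "country": "ES", "isp": "ISP-B", "agent": "Chrome"},
    {"user": "bob", "ts": "2014-04-02T11:15:00", "ip": "198.51.100.40", "country": "ES", "isp": "ISP-B", "agent": "Chrome"},
]

# Constructed logins after the vulnerability window, to be scored.
NEW_EVENTS = [
    {"user": "alice", "ts": "2014-04-09T10:05:00", "ip": "198.51.100.20", "country": "ES", "isp": "ISP-A", "agent": "Firefox"},
    {"user": "alice", "ts": "2014-04-09T03:40:00", "ip": "192.0.2.77", "country": "RU", "isp": "ISP-Z", "agent": "Chrome"},
    {"user": "bob", "ts": "2014-04-09T22:10:00", "ip": "198.51.100.40", "country": "ES", "isp": "ISP-B", "agent": "Chrome"},
    {"user": "bob", "ts": "2014-04-09T09:00:00", "ip": "203.0.113.66", "country": "ES", "isp": "ISP-B", "agent": "Chrome"},
]

# Constructed blacklist: an IP that an IDS or the heartbeat alert reported.
BLACKLIST = {"203.0.113.66"}

ATTRIBUTES = ("country", "isp", "agent", "hour")
LABELS = {"country": "new country", "isp": "new ISP",
          "agent": "new browser", "hour": "unusual hour"}


def observed(event):
    """The profile attributes of a single login, with the hour taken from ts."""
    return {
        "country": event["country"],
        "isp": event["isp"],
        "agent": event["agent"],
        "hour": datetime.fromisoformat(event["ts"]).hour,
    }


def build_profiles(events):
    """Learn, per user, every value of each attribute seen in the baseline."""
    profiles = defaultdict(lambda: {a: set() for a in ATTRIBUTES})
    for e in events:
        for attr, value in observed(e).items():
            profiles[e["user"]][attr].add(value)
    return profiles


def deviations(profile, event):
    """Attributes of this login that were never seen for the user before."""
    seen = observed(event)
    return [LABELS[a] for a in ATTRIBUTES if seen[a] not in profile[a]]


def find_anomalies(baseline, new_events, blacklist, min_deviations=2):
    """Flag logins from blacklisted IPs, from unknown users, or that deviate
    from the user's learned profile in at least min_deviations attributes.
    A single new value (one late login) is tolerated to limit false alarms."""
    profiles = build_profiles(baseline)
    alerts = []
    for e in new_events:
        if e["ip"] in blacklist:
            reasons = ["blacklisted source"]
        elif e["user"] not in profiles:
            reasons = ["unknown user"]
        else:
            reasons = deviations(profiles[e["user"]], e)
            if len(reasons) < min_deviations:
                continue
        alerts.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(BASELINE_EVENTS, NEW_EVENTS, BLACKLIST):
        print(f"{a['user']} from {a['ip']}: {', '.join(a['reasons'])}")
```

Set-of-seen-values profiles are the simplest form of the behavioural baseline the paper describes; in practice the baseline window should be long enough to cover normal travel and device changes, and the blacklist is what ties a heartbeat alert on a source IP to later logins from that IP.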

CONCLUSIONS

Logtrust is a single, scalable product capable of big data analytics that can easily index any data type. It provides many pre-configured alerts that expand your ability to detect, earlier than ever, and mitigate any threat or vulnerability you may be exposed to, including the Heartbleed bug.

REFERENCES

http://heartbleed.com

http://www.reuters.com/article/2014/04/10/us-cybersecurity-internet-bug-idUSBREA3804U20140410

http://www.reuters.com/article/2014/04/16/us-cybersecurity-heartbleed-arrest-idUSBREA3F1KS20140416

http://www.businessinsider.com/heartbleed-bug-explainer-2014-4#!JvMS0

http://www.cnet.com/news/first-heartbleed-attack-reported-taxpayer-data-stolen/
