
Page 1: Securing AWS with HIDS - files.meetup.com/17186012/AWS_Security_With_HIDS_talentica.pdf

Securing AWS with HIDS

Gaurav Harsola, Mayank Gaikwad

Page 2

IDS

What? Why? How?

Page 3

Intrusion Detection System

An IDS is a software application that monitors network or system activities for malicious activities.

Page 4

An IDS is not a Firewall

Page 5

NIDS and HIDS

HIDS
A host-based intrusion detection system (HIDS) is a system that runs on individual hosts and monitors a computer system.
It detects an intrusion and/or misuse, and responds by logging the activity.
It is an agent that monitors and analyzes whether anything or anyone, whether internal or external, has bypassed the system's security policy.
Tools: Samhain, OSSEC

NIDS
A NIDS is placed within the network to monitor traffic to and from all devices on the network.
NIDS scan all inbound and outbound traffic.
NIDS tools operate by inspecting traffic that occurs between hosts.
Tools: Snort, Suricata, Bro, Kismet

Page 6

Available HIDS

OSSEC: open source
Wazuh: open source, a wrapper over OSSEC with an API, ELK integration and a signature DB
AlienVault: licensed; USM (Unified Security Management) is based on OSSEC
Trend Micro: licensed
AlertLogic: licensed

Page 7

OSSEC?

OSSEC is an open source host-based intrusion detection system.

Key features:
Log analysis
File integrity checking (Unix and Windows)
Registry integrity checking (Windows)
Host-based anomaly detection (for Unix: rootkit detection)
Active response

OSSEC is mainly used for three things:
See what is going on
Stop brute-force attacks (FTP, SSH, web)

Page 8

OSSEC Benefits

Open source
Log analysis
Easy to install
Easy to customize (rules and config in XML format)
Scalable (client/server architecture)
High availability (can have multiple OSSEC servers)
Multi-platform
OSSEC comes with standard decoders/rules which analyse our logs, e.g. telnetd, sudo, SSH, FTP
PCI DSS compliance to some extent

Page 9

Ossec Agent/Server Flow

Page 10

Ossec Internal Components

Analysisd – Does all the analysis (main process)

Remoted – Receives remote logs from agents

Logcollector – Reads log files (syslog, Flat files, Windows event log, IIS, etc)

Agentd – Forwards logs to the server

Maild – Sends e-mail alerts

Execd – Executes the active responses

Monitord – Monitors agent status, compresses and signs log files, etc

Integratord – Integrates OSSEC with Slack and PagerDuty

Authd – Daemon that automatically adds an agent to an OSSEC manager

Page 11

Wazuh

Wazuh is a wrapper over OSSEC that provides additional functionality such as a RESTful API and ELK integration.

Page 12

OSSEC Server/Client Installation

First, install the necessary packages:

sudo apt-get install gcc make git
sudo apt-get install libssl-dev

After this, clone the GitHub repository:

mkdir ossec_tmp && cd ossec_tmp
git clone -b stable https://github.com/wazuh/ossec-wazuh.git
cd ossec-wazuh
sudo ./install.sh

Choose "server" for a server installation and "agent" for a client installation when asked about the installation type, and answer the rest of the questions as desired. Once installed, you can start your OSSEC manager by running:

sudo /var/ossec/bin/ossec-control start

Check the service:

ps aux | grep ossec

Page 13

Connect Client with Server

After setting up the agent we need to connect it with the OSSEC server.

To make life easier, OSSEC added a new daemon on the server, called ossec-authd.

It is a daemon you run on the server while you deploy your agents; it populates the agent keys. When you have finished deploying, you stop it so it is not left listening.

Once the keys are created, you can start ossec-authd:

/var/ossec/bin/ossec-authd -p 1515

Setting up the agents

On the agents, the work is minimal. All you have to do is run the following command:

/var/ossec/bin/agent-auth -m <ServerIP> -p 1515 -A <agent-name>

That's it. The keys are now exchanged and you can start your agent:

sudo /var/ossec/bin/ossec-control start

Page 14

Sample of Alerts.json
Page 15

OSSEC Integration with ELK

OSSEC HIDS integration with the ELK stack provides a real-time alert management console, as well as a flexible way to store data for as long as needed.

Page 16

Ossec Directory Structure

Page 17

Internal log flow

Page 18

Log Pre-Decoding (1)

Decoding of an SSHD message.

After pre-decoding by OSSEC:

time/date -> Apr 14 17:32:06
hostname -> ubuntu
program_name -> sshd
log -> Accepted password for root from 192.168.2.190 port ...

Page 19

Log Decoding (2)

Process to identify key information from logs.

OSSEC comes with hundreds of decoders.
Generally we want to extract source IP, user name, id.

After decoding by OSSEC:

time/date -> Apr 14 17:32:06
hostname -> ubuntu
program_name -> sshd
log -> Accepted password for root from 192.168.2.190 port ...
srcip -> 192.168.2.190
user -> root

Page 20

Writing Decoders

Writing a decoder: what does it require?

sshd example:

We want to extract the user name and source IP. If the program name was pre-decoded as sshd (remember pre-decoding?), try this regular expression:

Page 21

Log Rules

The next step after decoding is to check the rules.
User-defined XML, very easy to write!
Allows matching based on decoded information.
OSSEC comes with more than 400 rules by default!

What does a rule require?

A rule id (any integer)
A level, from 0 (lowest) to 15 (highest); level 0 is ignored, not alerted at all
A pattern: anything from "regex" to "srcip", "id", "user", etc.
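The pre-decoding, decoding and rule stages from the last few slides, as an added Python model that is not part of the talk or of OSSEC itself: it pre-decodes the slide's sshd line into time/date, hostname, program_name and log, runs sshd decoders to pull out srcip and user, and checks rules that carry an id and a level; a constructed frequency rule escalates repeated failures from one source IP, in the spirit of the brute-force detection mentioned earlier. The sample lines, rule ids and levels are all constructed.

```python
import re
# Constructed sshd lines modelled on the slide's example (pids and ports are made up).
SAMPLE = [
    "Apr 14 17:32:06 ubuntu sshd[1234]: Accepted password for root from 192.168.2.190 port 51234 ssh2",
    "Apr 14 17:33:01 ubuntu sshd[1240]: Failed password for admin from 10.0.0.7 port 40001 ssh2",
    "Apr 14 17:33:02 ubuntu sshd[1241]: Failed password for admin from 10.0.0.7 port 40002 ssh2",
    "Apr 14 17:33:03 ubuntu sshd[1242]: Failed password for admin from 10.0.0.7 port 40003 ssh2",
]
# Pre-decoding: split the syslog header into time/date, hostname, program_name and log.
SYSLOG_RE = re.compile(r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                       r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
# Decoders: applied only when program_name was pre-decoded to their parent; they extract user/srcip.
DECODERS = {"sshd": [
    re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port"),
    re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port"),
]}
# Rules: id, level 0-15 (0 never alerts), regex on the decoded log; 5720 mirrors OSSEC's if_matched_sid/frequency style (ids constructed).
RULES = [
    {"id": 5715, "level": 3, "decoded_as": "sshd", "match": r"^Accepted"},
    {"id": 5716, "level": 5, "decoded_as": "sshd", "match": r"^Failed"},
    {"id": 5720, "level": 10, "if_matched_sid": 5716, "frequency": 3},
]
_hits = {}  # (frequency rule id, srcip) -> number of base-rule matches seen so far

def pre_decode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else {"program_name": "", "log": line}

def decode(event):
    for rx in DECODERS.get(event["program_name"], []):
        if m := rx.match(event["log"]):
            event.update(m.groupdict())
            break
    return event

def evaluate(line):
    # Returns the alert dict a line triggers, or None when no rule fires (or its level is 0).
    ev = decode(pre_decode(line))
    for rule in RULES:
        if "match" not in rule or ev["program_name"] != rule["decoded_as"] or not re.search(rule["match"], ev["log"]):
            continue
        alert = {"rule_id": rule["id"], "level": rule["level"], "srcip": ev.get("srcip"), "user": ev.get("user")}
        # Frequency rules escalate once the same srcip has tripped the base rule N times.
        for freq in (r for r in RULES if r.get("if_matched_sid") == rule["id"]):
            key = (freq["id"], ev.get("srcip"))
            _hits[key] = _hits.get(key, 0) + 1
            if _hits[key] >= freq["frequency"]:
                alert.update(rule_id=freq["id"], level=freq["level"])
        return alert if alert["level"] > 0 else None
    return None
```

Feeding the four SAMPLE lines through evaluate() in order yields a level-3 success alert, two level-5 failures, and on the third failure from 10.0.0.7 the level-10 frequency alert.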

Page 22

Writing your own rules

Page 23

PCI DSS

Payment Card Industry Data Security Standard. Visa, MasterCard and other card brands created common industry security requirements.
Intended to protect cardholder data, wherever it resides.
Compliance is mandated for all organizations handling credit card data.
The 12 steps we need to take to achieve PCI DSS compliance cover firewalls, passwords, storage, encryption, anti-virus, unique IDs, tracking and monitoring, etc.

OSSEC helps to implement PCI DSS by performing log analysis, file integrity checking, policy monitoring, intrusion detection, real-time alerting and active response.

Page 24

Monitor AWS Logs

CloudTrail pushes its data to an S3 bucket; a Python script then stores those logs on the OSSEC server.
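An added Python sketch (not the script from the talk) of the CloudTrail-to-OSSEC step: it unpacks a gzipped CloudTrail object as S3 delivers it, writes one JSON event per line for OSSEC's log collector, and remembers which S3 keys were already ingested so a rerun does not duplicate alerts. The sample object, the bucket/key names and the log path are assumptions.

```python
import gzip
import json

# Constructed stand-in for one CloudTrail object as delivered to S3: a gzipped JSON document
# with a "Records" array. Event sources are real CloudTrail ones; names and addresses are made up.
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2016-04-14T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2016-04-14T12:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Failure"}},
]}).encode())

def cloudtrail_to_lines(gz_bytes):
    """Unpack one CloudTrail object into one compact JSON document per event.
    OSSEC reads JSON logs one object per line, so the Records array must be split up."""
    doc = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    return [json.dumps(rec, separators=(",", ":"), sort_keys=True) for rec in doc.get("Records", [])]

def append_to_ossec_log(gz_bytes, path):
    """Append the flattened events to the file OSSEC's logcollector watches.
    The path is an assumption; it must match a <localfile> entry in ossec.conf."""
    lines = cloudtrail_to_lines(gz_bytes)
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in lines)
    return len(lines)

def ingest(objects, log_path, seen):
    """Ingest {s3_key: gz_bytes}, skipping keys already in `seen` so an object is never
    appended twice (CloudTrail delivers each object once, but the script may be rerun)."""
    done = []
    for key, body in sorted(objects.items()):
        if key in seen:
            continue
        append_to_ossec_log(body, log_path)
        seen.add(key)
        done.append(key)
    return done

def fetch_object(bucket, key):
    """Download one CloudTrail object from S3 (boto3 is only imported when this is called)."""
    import boto3
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()
```

On the server, the assumed log path would be listed in ossec.conf as a <localfile> with <log_format>json</log_format> so the manager can decode the fields (eventName, sourceIPAddress, userIdentity) in rules.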

Page 25

Alerting and Notification

Slack integration:

Forward alerts to Slack and set an alert level so that only messages at or above that level reach Slack.

<integration>
  <name>slack</name>
  <hook_url>https://hooks.slack.com/services/T0EV123BK/B1V3JHzUko97IdmCAl</hook_url>
  <level>7</level>
</integration>

Email integration:

Send granular email alerts based on level, rule groups or rule_id to different recipients.

<email_alerts>
  <email_to>[email protected]</email_to>
  <group>sql_injection|authentication_failed|authentication_failures</group>
  <level>6</level>
  <format>sms</format>
</email_alerts>
Page 26

HIDS Implementation Testing

Tested FTP and SSH brute-force attacks using Hydra as the penetration-testing tool.

Example:

hydra -L /home/ubuntu/user.txt -P /home/ubuntu/pwd.txt -s 22 <IP> <service-name>

-L: file containing the list of user names
-P: file containing the list of passwords
service-name: may be ssh, ftp, mysql, telnet
-s: port number for the service

Page 27

Elasticsearch UI

Page 28

Kibana UI
Page 29

Thanks & Questions?