IDS+Honeypots Making Security Simple
Gregory Hanis, Cyber Security Specialist, https://www.linkedin.com/in/gregtampa
About the Author: Gregory Hanis has been an extraordinary individual who has done invaluable research in the field of Cyber Security. From a young kid at the age of 13 he has written software which is still used today in cyber security. He has owned a computer repair company for over three years and has a four-year bachelor’s degree in Information Security Systems. Greg has also been featured in the Rolling Stones magazine and has been on CBS News numerous times, along with other publications. He gives talks and trainings around the country, sharing his knowledge with the public and private sectors. He sits on the board of directors of SFISSA (South Florida Information Systems Security Association).
2 Types of Security Controls
Preventative Controls: used to implement C-I-A
• Crypto, Firewall, Antivirus
• PKI, VPN, SSL, DLP, EIEIO
• Prevent an incident
Detective Controls: provide visibility & response
• Asset Discovery, VA, IDS/IPS
• Log Management, Analytics
• Detect & respond to an incident
IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.
• With 160,000 new malware samples seen every day, antivirus apps will not find every threat
• Needs to be bolstered by regular and comprehensive monitoring
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007, CISO, Depository Trust Clearing Corporation
Prevention is elusive
• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
• The number of organizations experiencing high profile breaches is unprecedented.
• The “security arms race” cannot continue indefinitely: the economics of securing your organization are stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
Threat landscape: Our new reality
84% of organizations breached had evidence of the breach in their log files…
Source: Verizon Data Breach Report, 2014
Prevent / Detect & Respond
Prevent: the basics are in place. Beyond that, buyer beware! (“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-born threats at the perimeter!”)
Detect & Respond: get good at detection & response. New capabilities to develop.
“How would you change your strategy if you knew for certain that you were going to be compromised?”
- Martin Roesch, 2013, Founder & CTO Sourcefire, Author of SNORT
GOOD NEWS!
Many professional SOCs are powered by open source.
THERE’S AN APP FOR THAT!
Challenge: Name that tool! PRADS, NfSen, p0f, OVALdi, MDL, OpenFPC, PADS
Open source alternatives for each of the 5 categories:
• Asset Discovery
• Vulnerability Assessment
• Threat Detection
• Behavioral Monitoring
• Analytics & Intelligence
LET’S TALK ABOUT SOME OF THE TOOLS
Asset Discovery with Nmap & PRADS
Wireless IDS with Kismet
Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)
NMAP & PRADS
Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.
Cons: Both tools produce extremely verbose output. PRADS does not have a GUI.
Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
KISMET
Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.
Cons: A wireless adapter can’t transmit when in monitor mode; you need a dedicated adapter.
Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.
OSSIM
Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
Pros: USM unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.
Cons: Full intelligence feed, log management and management features require the commercial version.
Why we like it: It makes it easy to implement and manage all these tools at once (OSSEC, Snort, Ntop, OpenVAS & others).
Open Source Asset Discovery Tools
Nmap (http://nmap.org): The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
PADS (http://passive.sourceforge.net): Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
p0f (http://lcamtuf.coredump.cx/p0f3/): Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).
PRADS (http://gamelinux.github.io/prads): Passive Real-Time Asset Detection. Alternative to PADS; listens to the network and gathers information on hosts and services.
Open Source Threat Detection Tools
Snort (http://www.snort.org): The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
Suricata (http://suricata-ids.org): “Next Generation” alternative (or not) to Snort, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
Kismet (http://www.kismetwireless.net): An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
OSSEC (http://www.ossec.net): Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
Open Source Behavioral Monitoring Tools
Ntop (http://www.ntop.org): A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
NfSen (http://nfsen.sourceforge.net): A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
OpenFPC (http://www.openfpc.org): A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
Nagios (http://www.nagios.org): Open source IT monitoring system. Use to monitor activity on servers.
Open Source Vulnerability Assessment Tools
OpenVAS (http://openvas.org): Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
OVALdi (http://www.decalage.info/en/ovaldi): An open source reference implementation of a vulnerability scanner based on the OVAL definitions. Alternative to OpenVAS.
Open Source Intelligence and Analytics Tools
OSSIM (http://www.alienvault.com/ossim): Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.
Logstash (http://logstash.net/): A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
What is a HoneyPot? A honeypot is a machine placed on the network for the purpose of posing as an enticing target, but which triggers alarms when it is attacked.
Benefits:
• High detection accuracy
• Consume large amounts of attackers’ time
• Highly effective if properly employed
Drawbacks:
• Difficult to manage
• Experienced attackers have learned to ignore targets that are too good to be true
• Leaves a vulnerable system on your network
The Modern Honey Network project:
Makes deploying and managing secure honeypots extremely simple. From the secure deployment to the aggregation of thousands of events, MHN provides enterprise grade management of the most current open source honeypot software.
MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale.
MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides a full REST API out of the box, and CEF and STIX support is being made available now for direct SIEM integration.
Open-Source honeypots
Snort – Network Listener - https://www.snort.org/
Suricata – 64bit multicore version of Snort - http://suricata-ids.org/
Dionaea – Malware Capture and dissection - http://dionaea.carnivore.it/
Conpot – SCADA network Emulation - http://conpot.org/
Kippo – Brute force attack logging - https://github.com/desaster/kippo
Amun – Malware Capture - http://amunhoney.sourceforge.net/
Glastopf – Vulnerability emulation - http://glastopf.org/
Wordpot – Wordpress emulation honeypot - http://brindi.si/g/projects/wordpot.html
ShockPot – Shellshock honeypot - https://github.com/threatstream/shockpot
*For more information visit The Honeynet Project @ http://www.honeynet.org/
What’s going to happen?
MORE in 2015
• More breaches
• More noise
• More “silver bullets”
• More complexity
And LESS…
• Less time
• Less Available People with Proper Skills
• Less margin for error
Bad Year. For Retail!
• Breach-O-Rams
• What did we learn?
• Attack surface
• POS devices
• The value of alerts
Increasingly Advanced Attacks
• More sophisticated malware
• Better C&C
• Shorter window to mass distribution
Benefiting from the Misfortune of
Others
• You can’t “get ahead of the threat”
• But you can learn from high profile folks
• Threat intelligence broke out in 2014
• How can you use it?
• Changing market dynamics
We haven’t addressed the security skills gap
Complexity Ahead
• Hybrid Cloud
• DevOps
• Increased Attack Surface
On the Horizon
Mobile Everything. Cloud Everything. Connected Everything (IoT)
Shopping List 2015
Network Security
• NGFW vs. UTM vs. IPS
• Sandbox for the masses
• SDN emerging? (and how do you secure it?)
• Consistency of Policy is Paramount
Endpoint Security
• Lots of new “solutions” that are shiny.
• Advanced Malware Protection
• Bundled with Network Security?
• Whither traditional AV? (Finally)
Security Management
• Threat Intelligence hits the mainstream
• Forensics and IR to the forefront
• Monitoring the Hybrid Cloud
The Evolution of IDS
Introduction
• How has IDS/IPS changed in the past 10 years?
• First, there’s been more of a move to prevention vs. just passive detection
• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)
• The context of what is happening in and around the environment is key
Packets? What packets?
• Getting access to network traffic was one of the first goals of intrusion detection platforms
• Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options
• Gaining access to the network traffic itself was a challenge
– Promiscuous mode interfaces
– Dual-homed configs
– Finally, SPAN ports or taps
Aha. Now we’ve got packets!
• Packets! We have them!
• But…now what?
• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment
Patterns of packets make more sense.
• We now can start to analyze patterns of behavior
– Who is talking to whom
– Types of traffic
– Source/destination ports
– Protocols
• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
Patterns -> Blocking.
• Intrusion detection gave way to blocking with intrusion prevention systems
– This was driven by better understanding of traffic patterns and signature sets
• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context
– Most blocks were “point in time” matches based on packet attributes
What do the patterns MEAN?
• IDS and IPS needed to evolve to make better sense of what was happening in the environment
• To that end, more data is needed
– Events from other network devices
– Events from scans and user information
– Data from vulnerability scanners and monitoring tools
• This is how we can start to build context of what’s happening in the environment.
Event Data, and Lots of It
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Traditional IDS and IPS alerts are often overwhelming
Event Data, and Lots of It (2)
Firewalls and routers are simple, static filtering devices with no understanding of context
Context + Alerting
• With event data from numerous sources, you can start to build context in the environment
– What systems communicate in a given subnet?
– What known vulnerabilities are there in the environment?
– What network devices does the traffic pass through?
• The IDS/IPS by itself, however, will still only report what it “sees”
Visibility: What IDS “Sees”
• Only traffic that passes by or through the IDS/IPS is analyzed
– Subnets? Check.
– Source/Destination ports? Check.
– Applications or platforms in use? Nope.
Visibility: More Data = Better
• Attacks are no longer viewed as discrete events at a “point in time”
• More data adds context and tells a better “security story”
– Passive scan data on OS, applications
– Active scan data on vulnerabilities
– Behavioral trend data
– System logs and endpoint security
– User directory data
Hmmm. Too many alerts?
• Now we have to start paring down alerts to get to *better* data
– Are there false positives we’ve discovered?
– Can we prioritize some data?
– Can we start combining data types into unique alert models?
• Data overload is a very common problem with IDS/IPS sensors
Correlation -> BETTER alerts.
• Correlation makes a big difference in how events are reported
• Not every unique event makes sense to alert on
– Combinations of events
– Quantity of events
– Times of day or location (source/destination)
• Having some context and behavioral baseline can help
Which of my vulnerable assets are under attack?
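A worked example of the correlation described above, added here and not part of the original deck: it parses the Snort full-format alert shown earlier and scores it against a constructed asset/vulnerability inventory of the kind Nmap, PRADS and OpenVAS would feed into a SIEM. The inventory, host addresses and priority rules are assumptions.

```python
"""Correlate a Snort alert with asset context to answer "which of my
vulnerable assets are under attack?". Added example; the alert is the
sample from the slides, the inventory is constructed."""
import re

# The Snort "full" format alert shown on the slide.
SNORT_ALERT = """[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

# Constructed inventory: what Nmap/PRADS (open services) and OpenVAS
# (findings) would feed into a SIEM such as OSSIM. Addresses are assumed.
ASSETS = {
    "192.168.1.61": {"os": "Linux", "services": {80: "http", 22: "ssh"},
                     "vulns": {80: ["sql-injection"]}},
    "192.168.1.70": {"os": "Windows", "services": {445: "smb"}, "vulns": {}},
}

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$", re.M)
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$", re.M)

def parse_alert(text):
    """Extract message, timestamp and address/port fields; None if unparsable."""
    h = HEADER_RE.search(text)
    f = FLOW_RE.search(text)
    if not h or not f:
        return None
    return {"msg": h["msg"], "ts": f["ts"], "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"])}

def prioritize(alert, assets):
    """Rank the alert using asset context (the rules are an assumption):
    high   - destination port is open and a matching finding is known
    medium - port is open but no matching finding
    low    - unknown host or closed port, likely noise or a false positive"""
    asset = assets.get(alert["dst"])
    if asset is None:
        return "low", "destination not in inventory"
    if alert["dport"] not in asset["services"]:
        return "low", "port not open on asset"
    keyword = alert["msg"].lower().replace(" ", "-")
    if keyword in asset["vulns"].get(alert["dport"], []):
        return "high", "vulnerable service under attack"
    return "medium", "service exposed, no matching finding"

if __name__ == "__main__":
    alert = parse_alert(SNORT_ALERT)
    print(alert["msg"], alert["dst"], alert["dport"], prioritize(alert, ASSETS))
```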
Live Demo: Get Complete Security Visibility in Under 1 Hour
@AlienVault
Agenda
• The breach – common ways attackers get in
• What they do next to infiltrate the network
• Why detecting their movements is tricky
• Demo: How to detect attackers moving stealthily around your network
The Breach
Client-side vulnerabilities exploited by:
• Malicious website, i.e. watering hole attacks
• Malicious email attachment
Gives attackers access to the local system with privileges of the local user
What happens next
• Grab credentials of cached users
• Browse the domain
• Exfiltrate data
But how is this possible?
Windows Credentials Editor
Allows an attacker to list Windows logon sessions and add, change, list and delete associated credentials
• Pass-The-Hash on Windows machines
• Grab NTLM credentials from cached memory
• Grab Kerberos tickets from Windows machines
• Dump cleartext passwords stored by Windows authentication packages
But how is this possible?
Pass the Hash - using credentials in crafty ways
• WMIC (Windows Management Instrumentation Command-line)
- Used to issue queries like running processes
- wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"
But how is this possible?
Pass the Hash - using credentials in crafty ways (WMIS)
• WMIS (Windows Metadata and Internet Services)
- Can be used to create processes; the sky is the limit with this attack vector
- wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'
But how is this possible?
Pass the Hash - using credentials in crafty ways (SMBGET)
• SMBGET can pull files from Windows using a hash for the password
- smbget -w demo -u demo\\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt
But how is this possible?
CURL
• Pass the hash and we can view a default SharePoint page, logged in as john.smith
• curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx
But how is this possible?
Pass the Hash Toolkit
• There is also a toolkit for Windows with several pass the hash utilities
How do you detect this?
Tricky to detect because…
Firewall won’t catch it
• Exploiting client side vulnerabilities causes the victim’s machine to initiate a connection back to the attacker’s server
• Attacker’s domain browsing activities are also originating from the victim’s machine inside the network
Anti-virus is unlikely to catch it
• 82,000 new malware variants released every day*
No suspicious authentication failures
• Cached credentials are used to browse the domain so the attacker doesn’t need to guess passwords
So, what will catch it?
Network Intrusion Detection and effective correlation
*http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
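As an added example (not AlienVault’s or the deck’s own code) of the correlation the slides call for: the detection below runs over constructed SMB/NTLM session events of the kind a network IDS could emit and flags the cached-credential domain browsing described above, where no logon failures ever appear. The event format, hosts, threshold and approved-admin-host list are assumptions.

```python
"""Flag cached-credential domain browsing from network authentication
events. Added example; events, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events as a NIDS SMB/NTLM parser might emit them:
# timestamp, source host, destination host, account, share
EVENTS = """\
2015-03-02T10:01:05 172.16.1.50 172.16.1.1 demo\\administrator C$
2015-03-02T10:01:09 172.16.1.50 172.16.1.2 demo\\administrator C$
2015-03-02T10:01:14 172.16.1.50 172.16.1.3 demo\\administrator ADMIN$
2015-03-02T10:01:20 172.16.1.50 172.16.1.4 demo\\administrator C$
2015-03-02T10:02:02 172.16.1.50 172.16.1.5 demo\\administrator C$
2015-03-02T11:30:00 172.16.1.77 172.16.1.9 demo\\jsmith share
2015-03-02T11:30:30 172.16.1.77 172.16.1.10 demo\\jsmith share
"""

# Hosts from which admin tooling is expected to reach other machines (assumed).
ADMIN_HOSTS = {"172.16.1.200"}

def parse_events(text):
    """Return a list of (timestamp, src, dst, user, share) tuples."""
    out = []
    for line in text.splitlines():
        ts, src, dst, user, share = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, user, share))
    return out

def find_lateral_movement(events, max_hosts=3, window=timedelta(minutes=5)):
    """Return (src, user, n_hosts) for each (source, account) pair that
    reached more than max_hosts distinct destinations inside `window`.
    No failed logons are involved, so a per-account fan-out count,
    not a failure count, is the useful signal here."""
    by_key = defaultdict(list)
    for ts, src, dst, user, _ in events:
        by_key[(src, user)].append((ts, dst))
    hits = []
    for (src, user), items in by_key.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window from each event
            dsts = {d for t, d in items[i:] if t - t0 <= window}
            if len(dsts) > max_hosts:
                hits.append((src, user, len(dsts)))
                break
    return hits

def find_admin_share_access(events, admin_hosts=ADMIN_HOSTS):
    """Return (src, dst, user) for admin-share (C$/ADMIN$) access from a
    host that is not an approved administration host."""
    return sorted({(src, dst, user) for _, src, dst, user, share in events
                   if share.upper() in {"C$", "ADMIN$"} and src not in admin_hosts})

if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print(find_lateral_movement(ev))
    print(find_admin_share_access(ev))
```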