SecOps Workshop (Gregory Pickett)

  1. Open Source Security Orchestration. SACON International 2017, India | Bangalore | November 10-11 | Hotel Lalit Ashok. Gregory Pickett, Hellfire Security, Cybersecurity Operations, @shogun7273.
  2. Overview: How This All Began; Orchestrating All The Things; Behold Skynet; Making It Better; Wrapping Up.
  3. Original Question: Multiple cloud servers, all using Fail2Ban to protect themselves. Can I share Fail2Ban jails between these servers?
  4. Other Questions: How do we get to threats in time? How do we make sure that the evidence gets captured? How do we make sure that the threat is stopped before it is too late? How do we do this with a limited staff?
  5. This Is Because: Security operations means monitoring the enterprise, processing alerts (or correlations) and kicking off incident response. Despite a multitude of solutions it is still a manual process! Each solution is kicked off in sequence by us, and a lot of time is wasted being a bridge between systems.
  6. What I Want: Keep doing what you're doing; talk directly to each other; get what you need from each other; leave me out of it.
  7. How This Would Work (diagram).
  8. Use Cases.
  9. Generate Threat Intelligence Feed: Receive events from peers; generate a blacklist from the source of threat events; use it with anything that can consume a blacklist (firewalls, endpoint solutions, detection tools); share the blacklist with vendors, partners, and colleagues.
  10. Firewall Rule Propagation: Receives events from peers (host firewall, network firewall); blocks source of threat events; distributes events among peers (host firewall, network firewall).
  11. Drop Propagation: Drop source of threat events; distribute events among peers (web application firewalls, intrusion prevention systems).
  12. Prevent Known Threats: Receives events from external threat feeds (host firewall, network firewall); blocks source of threat events.
  13. NAT to Honeypot: Receives events from peers (host firewall, network firewall); redirects source of threat away from assets.
  14. NAT to Tarpit: Receives events from peers (host firewall, network firewall); slows down source of threat.
  15. Capture Threat Activity: Receives events from peers (switches, routers, firewalls); runs packet capture on source of threat activity.
  16. Inject Beacon: Receives events from peers (FTP server, file servers, honeypots); drops beacon into path of source of threat activity.
  17. Redirect Traffic: Receives events from peers (routers, firewalls); changes the route for source of threat activity; runs their traffic through a different segment containing additional inline sensors; afterwards, it proceeds to its destination.
  18. Reporting Threats: Receives events from peers (email server); reports source of threat to abuse address.
  19. Host Isolation: Receives events from peers (switches, routers, firewalls); applies ACL to target of threat activity.
  20. Additional Logging: Receives events from peers (switch, router, firewall, server, application); verbose logging for source of threat activity; verbose logging for target of threat activity.
  21. Trigger Password Resets: Receives events from peers (LDAP, Active Directory, Radius, TACACS+); starts password reset process for target of threat.
  22. Security Orchestration.
  23. Vendor Solutions: Swimlane, Hexadite, Siemplify, Security Orchestrator, Phantom, Cybersponse.
  24. This is the World According to Cybersponse (diagram).
  25. What They Do: Provide context (Meta-SIEM): import existing cases into the platform; acquire additional data on adversary, target, or payload; push out to other platforms. Workflow and reporting. Decision making and execution. Perform incident response: delete files and kill processes; force password changes and disable accounts; block addresses.
  26. How They Do It: Machine to controller: connected only to the controller; messages only the controller; events shared only with the controller. Nodes exist in a hierarchy: slaved to the controller; just execute commands given. Centralized, limited in scope, and expensive.
  27. Doesn't Really Solve My Problem: Still requires intervention. Instead of being dependent on me, it is now dependent on me and my expensive solution.
  28. Open Source Solutions: Share Fail2Ban jails (ban actions, custom scripts, and cron jobs; ban actions and shared file mount; Vallumd). Import known threats into Fail2Ban (custom scripts). NAT iptables threats to honeypot (psad and custom scripts). Report Fail2Ban threat to abuse (www.blocklist.de).
  29. How They Do It: Machine to machine: direct connections to each other; messaging each other; sharing events. Nodes retain autonomy: they keep doing their job; expand their visibility.
  30. We Are Getting Closer: Does not require intervention. Limited use cases: messages too closely tied to a specific use; can only be used for the original purpose; now dependent on function.
  31. Adaptive Network Protocol (ANP): Shares events between systems in a common format; events are stored locally; peers make use of shared events how they see fit (fail2ban, modsecurity, iptables).
  32. Server A (diagram).
  33. Server B (diagram).
  34. Protocol: Sharing: multicast to local peers; unicast to remote peers. Messages: Add Threat Event; Remove Threat Event.
  35. Protocol: Operations: sends to and receives from local peers on UDP port 15000; receives from remote peers on TCP port 15000; every message signed with SHA256. Rules: the signature must be a good signature; if already known, do not share; do not reflect back to the source.
  36. Packet: Version is 1 byte; Type is 1 byte; Event is variable; Signature is 64 bytes.
  37. Packet (diagram).
  38. Messages: Add Threat Event: Address, Time-To-Live (TTL). Remove Threat Event: Address, Time-To-Live (TTL).
  39. Peering: Local: same network; across the same location. Remote: across different locations; link up cloud resources; different networks.
  40. Single Location (diagram).
  41. Multiple Locations (diagram).
  42. Trusted Partner or Vendor (diagram).
  43. Cloud Assets (diagram).
  44. Communities (diagram).
  45. Interfaces.
  46. What They Do: Purpose: publish events to ANP; pull events from ANP. Components: Supporting; Writer; Reader. Operations: publishes via loopback interface; pulls from published lists.
  47. What They Do (diagram).
  48. Native: Integrated solution; ANP installed on the same system; reads and writes locally. Examples: Fail2Ban, iptables, modsec.
  49. Surrogate: Stand-alone solution; ANP installed on a different system; reads and writes to the remote (stand-alone) solution. Examples: ASA, switch, router.
  50. Surrogate (diagram).
  51. Existing Interfaces.
  52. Fail2Ban: Pulls events: reads threat events from ANP; adds threats to jail. Publishes events: writes jailed addresses to ANP. Because of ANP aging, this means threats stay jailed for 24 hours. Mistakes can be reversed using an additional tool to inject a Remove Threat event.
  53. Blacklist: Pulls events: reads threat events from ANP; adds threats to blacklist; distributes for internal or external use (detecting, blocking, threat indicator).
  54. modsec: Publishes its events: writes attacker addresses to ANP. Pair with the iptables interface: NAT attackers to honeypot.
  55. iptables: Pulls events: reads threat events from ANP; NATs threats from the local webserver to the local honeypot. High-interaction honeypot of your website? Log their activity. Include a beacon?
  56. Sharing Also Provides: Increased visibility: we don't change our enterprise; everything keeps doing its job; we are giving them greater visibility to do so. Ability to be proactive.
  57. Expanded Visibility (diagram).
  58. Emerges With Sharing: Cooperative behavior; ability for the enterprise to act on its own.
  59. Cooperative Behavior (diagram).
  60. Building Skynet.
  61. Acting to Defend the Network.
  62. Acting to Investigate a Threat.
  63. Acting to Respond to an Incident.
  64. Demonstrations.
  65. Our Systems.
  66. Acting to Defend the Network.
  67. Remove Tool: Local ANP agent: your system or other network asset; one-way peering to the federation. Run the script: shares a Remove Threat event; sets the threat expiration to two hours. Don't forget to clear any logs that started it all.
  68. Removing Threats.
  69. Technical Details.
  70. Requirements for ANP and Interfaces: Python: tested with Python 2.7.x; should work with Python 3.6.x. Other open source software as required: iptables, modsec, Fail2ban, etc.
  71. Installation of ANP and Interfaces: 1. Download package. 2. Unzip package. 3. Run python setup.py install. 4. Check readme.txt for any additional steps.
  72. Configuration for ANP.
  73. Configuration for ANP: Defaults will work best. Only need to change: Group; Salt. Occasionally need to set: Peers; Debug.
  74. Configuration for Fail2Ban.
  75. Configuration for Fail2Ban: Defaults will work best. Only need to change: Jail; Prefix. Occasionally need to set: Debug.
  76. Configuration for Blacklist.
  77. Configuration for Blacklist: Defaults will work best. Only need to change: Blacklist. Occasionally need to set: Debug.
  78. Configuration for modsec.
  79. Configuration for modsec: Defaults will work best. Only need to change: Log. Occasionally need to set: Debug.
  80. Configuration for iptables.
  81. Configuration for iptables: Defaults will work best. Only need to change: Webserver H
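The packet layout, signature rule and relay rules from the Protocol and Packet slides (34 to 38), together with the 24-hour aging mentioned on the Fail2Ban slide, modelled as an added example; this is not the ANP code from the talk. Assumed, because the slides do not state them: the signature is HMAC-SHA256 keyed with the group Salt and hex-encoded (which gives the 64-byte field), the variable Event is the text `<address>,<ttl-seconds>`, the type codes 1 and 2, and that a Remove event simply deletes the local entry.

```python
import hashlib
import hmac

VERSION = 1
ADD_THREAT, REMOVE_THREAT = 1, 2        # type codes are assumed, not from the deck

def build_packet(salt, msg_type, address, ttl):
    """Version (1 byte) | Type (1 byte) | Event (variable) | Signature (64 bytes)."""
    event = f"{address},{ttl}".encode()                 # assumed event encoding
    body = bytes([VERSION, msg_type]) + event
    sig = hmac.new(salt, body, hashlib.sha256).hexdigest().encode()  # 64 hex bytes
    return body + sig

def parse_packet(salt, packet):
    """Return (type, address, ttl), or None when the packet or its signature is bad."""
    if (len(packet) < 2 + 1 + 64 or packet[0] != VERSION
            or packet[1] not in (ADD_THREAT, REMOVE_THREAT)):
        return None
    body, sig = packet[:-64], packet[-64:]
    expected = hmac.new(salt, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):          # rule 1: signature must be good
        return None
    try:
        address, ttl = body[2:].decode().split(",")
        return body[1], address, int(ttl)
    except (UnicodeDecodeError, ValueError):
        return None

class Peer:
    """Local event store with TTL aging plus the two relay rules from slide 35."""
    def __init__(self, salt, peers):
        self.salt, self.peers = salt, list(peers)
        self.events = {}                                # address -> expiry timestamp

    def is_blocked(self, address, now):
        return self.events.get(address, 0) > now        # aged-out entries stop matching

    def receive(self, packet, source, now):
        """Apply a packet from `source`; return the peers it should be relayed to."""
        parsed = parse_packet(self.salt, packet)
        if parsed is None:
            return []
        msg_type, address, ttl = parsed
        if msg_type == ADD_THREAT:
            if self.is_blocked(address, now):
                return []                               # rule 2: already known, do not share
            self.events[address] = now + ttl
        elif self.events.pop(address, None) is None:    # REMOVE of an unknown address
            return []                                   # changes nothing, so relay nothing
        return [p for p in self.peers if p != source]   # rule 3: do not reflect back
```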