IDS+Honeypots Making Security Simple

Transcript of IDS+Honeypots Making Security Simple

Page 1: IDS+Honeypots Making Security Simple

IDS+Honeypots Making Security Simple

Page 2: IDS+Honeypots Making Security Simple

Gregory Hanis, Cyber Security Specialist, https://www.linkedin.com/in/gregtampa

About the Author: Gregory Hanis has been an extraordinary individual who has done invaluable research in the field of Cyber Security. From a young age (13) he has written software which is still used today in cyber security. He has owned a computer repair company for over three years and holds a four-year bachelor’s degree in Information Security Systems. Greg has also been featured in Rolling Stone magazine and has been on CBS News numerous times, along with other publications. He gives talks and trainings around the country, sharing his knowledge with the public and private sectors. He sits on the board of directors of SFISSA (South Florida Information Systems Security Association).

Page 3: IDS+Honeypots Making Security Simple

2 Types of Security Controls

Preventative Controls: used to implement C-I-A
• Crypto, Firewall, Antivirus
• PKI, VPN, SSL, DLP, EIEIO
• Prevent an incident

Detective Controls: provide visibility & response
• Asset Discovery, VA, IDS/IPS, Log Management, Analytics
• Detect & respond to an incident

Page 4: IDS+Honeypots Making Security Simple

IF WE ALREADY HAVE PREVENTATIVE CONTROLS… WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?

Page 5: IDS+Honeypots Making Security Simple

Firewalls/Antivirus are not enough

• Firewalls are usually not the target – too difficult to effectively penetrate

• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.

• With 160,000 new malware samples seen every day, antivirus apps will not find every threat

• Needs to be bolstered by regular and comprehensive monitoring

Page 6: IDS+Honeypots Making Security Simple

“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”

- James Routh, 2007, CISO, Depository Trust Clearing Corporation

Prevention is elusive

Page 7: IDS+Honeypots Making Security Simple

• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.

• The number of organizations experiencing high profile breaches is unprecedented.

• The “security arms race” cannot continue indefinitely as the economics of securing your organization is stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.

Threat landscape: Our new reality

84% of organizations breached had evidence of the breach in their log files…

Source: Verizon Data Breach Report, 2014

Page 8: IDS+Honeypots Making Security Simple
Page 9: IDS+Honeypots Making Security Simple

Prevent | Detect & Respond

Prevent: The basics are in place. Beyond that, buyer beware! (“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-borne threats at the perimeter!”)

Detect & Respond: Get good at detection & response. New capabilities to develop.

Page 10: IDS+Honeypots Making Security Simple

“How would you change your strategy if you knew for certain that you were going to be compromised?”

- Martin Roesch, 2013, Founder & CTO of Sourcefire, author of Snort

Page 11: IDS+Honeypots Making Security Simple

GOOD NEWS!

Page 12: IDS+Honeypots Making Security Simple

Many professional SOCs are powered by open source

THERE’S AN APP FOR THAT!

PRADS, NfSen, p0f, OVALdi, MDL, OpenFPC, PADS

Page 13: IDS+Honeypots Making Security Simple

Challenge: Name that tool!

Name open source alternatives for each of the 5 categories:

• Vulnerability Assessment
• Threat Detection
• Behavioral Monitoring
• Analytics & Intelligence
• Asset Discovery

Page 14: IDS+Honeypots Making Security Simple

LET’S TALK ABOUT SOME OF THE TOOLS

Asset Discovery with Nmap & PRADS

Wireless IDS with Kismet

Unified Security Management with OSSIM (includes OSSEC, Snort, ntop, OpenVAS)

Page 15: IDS+Honeypots Making Security Simple

NMAP & PRADS

Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).

Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.

Cons: Both tools produce extremely verbose output. PRADS does not have a GUI.

Why we like it: These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
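The Nmap half of that problem, an inventory that is rebuilt from each scan and compared with the last one, is small enough to show in full. The following is an added example, not code from the deck or from Nmap or PRADS: it parses XML in the element layout Nmap writes with -oX (nmaprun/host/address/ports/port/state/service) and reports hosts and open services that appeared or vanished between two scans. Both XML documents, every address and every service name in them are constructed for the example.

```python
"""Build an asset inventory from Nmap XML and diff it against an earlier one,
so that new hosts and newly exposed services stand out between scans.

Added example, not part of the deck and not Nmap's or PRADS's own code.
The two documents below are constructed in the element layout Nmap writes
with -oX; every address and service in them is made up for the example.
"""
import xml.etree.ElementTree as ET

# Constructed: an earlier scan of a small subnet.
SCAN_MONDAY = """<nmaprun scanner="nmap" args="nmap -sV -oX monday.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed: a later scan. .10 now also answers on telnet, .20 no longer
# responds, .30 is down, and an unknown host .77 has appeared with RDP open.
SCAN_FRIDAY = """<nmaprun scanner="nmap" args="nmap -sV -oX friday.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_inventory(xml_text):
    """Return {ip: {(proto, port): service}} for hosts that are up.
    Only open ports count; filtered/closed ports are not exposure."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        services = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
        inventory[addrs[0]] = services
    return inventory


def diff_inventories(old, new):
    """Changes between two inventories, in the order a reviewer wants them:
    hosts that appeared, hosts that vanished, services opened, services closed."""
    changes = {"new_hosts": [], "missing_hosts": [], "new_services": [], "closed_services": []}
    for ip in sorted(set(old) | set(new)):
        old_svcs = old.get(ip, {})
        new_svcs = new.get(ip, {})
        if ip not in old:
            changes["new_hosts"].append(ip)
        elif ip not in new:
            changes["missing_hosts"].append(ip)
        for (proto, port), name in sorted(new_svcs.items()):
            if (proto, port) not in old_svcs:
                changes["new_services"].append((ip, proto, port, name))
        for (proto, port), name in sorted(old_svcs.items()):
            if (proto, port) not in new_svcs:
                changes["closed_services"].append((ip, proto, port, name))
    return changes


if __name__ == "__main__":
    report = diff_inventories(parse_inventory(SCAN_MONDAY), parse_inventory(SCAN_FRIDAY))
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the two constructed scans it reports the new host 192.168.1.77 with RDP open, the telnet service that appeared on 192.168.1.10, and 192.168.1.20 as missing; filtered ports and hosts that are down never enter the inventory, which is the behaviour a practitioner wants when the diff feeds an alert queue.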

Page 16: IDS+Honeypots Making Security Simple

KISMET

Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.

Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.

Cons: The wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.

Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.

Page 17: IDS+Honeypots Making Security Simple

OSSIM

Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.

Pros: USM unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.

Cons: Full intelligence feed, log management and management features require the commercial version.

Why we like it: It makes it easy to implement and manage all these tools at once (OSSEC, Snort, Ntop, OpenVAS & others).

Page 18: IDS+Honeypots Making Security Simple

Open Source Asset Discovery Tools

Nmap – http://nmap.org – The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.

PADS – http://passive.sourceforge.net – Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.

p0f – http://lcamtuf.coredump.cx/p0f3/ – Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of the attackers).

PRADS – http://gamelinux.github.io/prads – Passive Real-Time Asset Detection. Alternative to PADS: listens to the network and gathers information on hosts and services.

Open Source Threat Detection Tools

Snort – http://www.snort.org – The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.

Suricata – http://suricata-ids.org – “Next Generation” alternative (or not) to Snort, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.

Kismet – http://www.kismetwireless.net – An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.

OSSEC – http://www.ossec.net – Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.

Page 19: IDS+Honeypots Making Security Simple

Open Source Behavioral Monitoring Tools

Ntop – http://www.ntop.org – A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.

NfSen – http://nfsen.sourceforge.net – A web-based GUI for the nfdump netflow tools. Use to monitor netflows.

OpenFPC – http://www.openfpc.org – A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.

Nagios – http://www.nagios.org – Open source IT monitoring system. Use to monitor activity on servers.

Open Source Vulnerability Assessment Tools

OpenVAS – http://openvas.org – Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.

OVALdi – http://www.decalage.info/en/ovaldi – An open source reference implementation of a vulnerability scanner based on OVAL definitions. Alternative to OpenVAS.

Open Source Intelligence and Analytics Tools

OSSIM – http://www.alienvault.com/ossim – Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.

Logstash – http://logstash.net/ – A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.

Page 20: IDS+Honeypots Making Security Simple
Page 21: IDS+Honeypots Making Security Simple

What is a HoneyPot? A honeypot is a machine placed on the network for the purpose of posing as an enticing target but triggers alarms when it is attacked.

Benefits:
• High detection accuracy
• Consume large amounts of attackers’ time.
• Highly effective if properly employed.

Drawbacks:
• Difficult to manage
• Experienced attackers have learned to ignore targets that are too good to be true.
• Leaves a vulnerable system on your network
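The "high detection accuracy" benefit above comes from a simple property: a decoy has no legitimate users, so every connection to it is an alert without any signature matching. The following added example, which is not code from the deck, from MHN, Kippo or any other honeypot listed later, shows the smallest useful low-interaction honeypot: a TCP listener that answers with a decoy banner, captures the client's first bytes, and emits one alert record per connection. The banner string, the port, the source addresses and the sample client bytes are all constructed for the example; simulate_probe runs the handler over a local socketpair so the logic can be checked offline.

```python
"""A minimal low-interaction TCP honeypot: answer with a decoy banner, capture
whatever the client sends first, and turn every connection into an alert,
because nothing legitimate has a reason to talk to a decoy.

Added example; not code from the deck, MHN, Kippo or any other listed
honeypot. The decoy banner, the port and the sample client bytes are
constructed for the example."""
import socket
import threading
from datetime import datetime, timezone

DECOY_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"   # constructed decoy; no real SSH behind it
MAX_CAPTURE = 256                           # bytes of client input kept per connection


def make_alert(src_ip, src_port, data, service="ssh-decoy"):
    """Alert record for one connection. The payload is kept as printable text
    and as hex so binary probes cannot corrupt the log."""
    snippet = data[:MAX_CAPTURE]
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "service": service,
        "src_ip": src_ip,
        "src_port": src_port,
        "payload_len": len(data),
        "payload_text": snippet.decode("ascii", "replace").strip(),
        "payload_hex": snippet.hex(),
        "severity": "high",   # a decoy has no users, so any contact is worth a look
    }


def handle_client(conn, addr, sink, timeout=3.0):
    """Serve one connection: send the banner, read the first bytes, record an alert.
    `sink` is anything with append(); in production it would be a log shipper
    or an HPFeeds publisher."""
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(DECOY_BANNER)
        data = conn.recv(MAX_CAPTURE)
    except (socket.timeout, OSError):
        pass          # a bare connect-and-close is still an alert
    finally:
        conn.close()
    alert = make_alert(addr[0], addr[1], data)
    sink.append(alert)
    return alert


def serve(bind="127.0.0.1", port=2222, sink=None, max_connections=None):
    """Accept loop; max_connections lets a demo stop after N clients."""
    sink = sink if sink is not None else []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        served = 0
        while max_connections is None or served < max_connections:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, sink), daemon=True).start()
            served += 1
    return sink


def simulate_probe(client_bytes, src=("10.0.0.5", 44444), sink=None):
    """Offline check: run handle_client over a socketpair and return (alert,
    bytes the fake client got back). The source address is constructed."""
    sink = sink if sink is not None else []
    server_side, client_side = socket.socketpair()
    if client_bytes:
        client_side.sendall(client_bytes)
    else:
        client_side.shutdown(socket.SHUT_WR)   # connects and says nothing
    alert = handle_client(server_side, src, sink)
    received = client_side.recv(64)
    client_side.close()
    return alert, received


def sources_by_count(sink):
    """Collapse repeated probes per source into a count, as a brute-force logger does."""
    counts = {}
    for alert in sink:
        counts[alert["src_ip"]] = counts.get(alert["src_ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


class PrintingSink(list):
    """Sink that also prints each alert, for running the decoy from a terminal."""
    def append(self, alert):
        super().append(alert)
        print(alert)


if __name__ == "__main__":
    print("decoy listening on 127.0.0.1:2222 (Ctrl-C to stop)")
    serve(sink=PrintingSink())
```

Two design points matter for the drawbacks listed above. The handler never executes or interprets what the client sends, which keeps the "vulnerable system on your network" risk to an open socket rather than an exploitable service; and the banner is a plain string, so the decoy can be made as ordinary-looking as the real hosts around it rather than the "too good to be true" target an experienced attacker skips.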

Page 22: IDS+Honeypots Making Security Simple

The Modern Honey Network project:

Makes deploying and managing secure honeypots extremely simple.

From the secure deployment to the aggregation of thousands of events, MHN provides enterprise grade management of the most current open source honeypot software.

MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale.

MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides a full REST API out of the box, and CEF and STIX support is being made available now for direct SIEM integration.

Page 23: IDS+Honeypots Making Security Simple

Open-Source honeypots

Snort – Network Listener – https://www.snort.org/
Suricata – 64bit multicore version of Snort – http://suricata-ids.org/
Dionaea – Malware Capture and dissection – http://dionaea.carnivore.it/
Conpot – SCADA network Emulation – http://conpot.org/
Kippo – Brute force attack logging – https://github.com/desaster/kippo
Amun – Malware Capture – http://amunhoney.sourceforge.net/
Glastopf – Vulnerability emulation – http://glastopf.org/
Wordpot – WordPress emulation honeypot – http://brindi.si/g/projects/wordpot.html
ShockPot – Shellshock honeypot – https://github.com/threatstream/shockpot

*For more information visit The Honeynet Project at http://www.honeynet.org/

Page 24: IDS+Honeypots Making Security Simple

What’s going to happen?

https://flic.kr/p/gMhZLV

Page 25: IDS+Honeypots Making Security Simple

MORE in 2015

• More breaches

• More noise

• More “silver bullets”

• More complexity

https://flic.kr/p/9FGgsK

Page 26: IDS+Honeypots Making Security Simple

And LESS…

• Less time

• Less Available People with Proper Skills

• Less margin for error

https://flic.kr/p/hndeH

Page 27: IDS+Honeypots Making Security Simple

Bad Year. For Retail!

• Breach-O-Rams

• What did we learn?

• Attack surface

• POS devices

• The value of alerts

Page 28: IDS+Honeypots Making Security Simple

Increasingly Advanced Attacks

• More sophisticated malware

• Better C&C

• Shorter window to mass distribution

Page 29: IDS+Honeypots Making Security Simple

Benefiting from the Misfortune of Others

• You can’t “get ahead of the threat”

• But you can learn from high profile folks

• Threat intelligence broke out in 2014

• How can you use it?

• Changing market dynamics

https://flic.kr/p/82JDK8

Page 30: IDS+Honeypots Making Security Simple

We haven’t addressed the security skills gap

http://www.flickr.com/photos/morton/2305095296/

Page 31: IDS+Honeypots Making Security Simple

Complexity Ahead

• Hybrid Cloud

• DevOps

• Increased Attack Surface

https://flic.kr/p/ahKnn1

Page 32: IDS+Honeypots Making Security Simple

On the Horizon

Mobile Everything. Cloud Everything. Connected Everything (IoT)

http://www.flickr.com/photos/52859023@N00/644335254 https://flic.kr/p/aGWfWB

Page 33: IDS+Honeypots Making Security Simple

Shopping List 2015

Page 34: IDS+Honeypots Making Security Simple

Network Security

• NGFW vs. UTM vs. IPS

• Sandbox for the masses

• SDN emerging? (and how do you secure it?)

• Consistency of Policy is Paramount

https://flic.kr/p/4pK11q

Page 35: IDS+Honeypots Making Security Simple

Endpoint Security

• Lots of new “solutions” that are shiny.

• Advanced Malware Protection

• Bundled with Network Security?

• Whither traditional AV? (Finally)

https://flic.kr/p/4Weo8G

Page 36: IDS+Honeypots Making Security Simple

Security Management

• Threat Intelligence hits the mainstream

• Forensics and IR to the forefront

• Monitoring the Hybrid Cloud

Page 37: IDS+Honeypots Making Security Simple

The Evolution of IDS

Page 38: IDS+Honeypots Making Security Simple

Introduction

• How has IDS/IPS changed in the past 10 years?

• First, there’s been more of a move to prevention vs. just passive detection

• Second, IDS really doesn’t function as a “standalone” tool anymore (for most)

• The context of what is happening in and around the environment is key

Page 39: IDS+Honeypots Making Security Simple

Packets? What packets?

• Getting access to network traffic was one of the first goals of intrusion detection platforms

• Classic sniffers like TCPdump led to the creation of Snort and Bro, as well as commercial options

• Gaining access to the network traffic itself was a challenge

– Promiscuous mode interfaces

– Dual-homed configs

– Finally, SPAN ports or taps

Page 40: IDS+Honeypots Making Security Simple

Aha. Now we’ve got packets!

• Packets! We have them!

• But…now what?

• For most, setting up IDS sensors led to the realization that we needed better knowledge of the environment

Page 41: IDS+Honeypots Making Security Simple

Patterns of packets make more sense.

• We now can start to analyze patterns of behavior

– Who is talking to who

– Types of traffic

– Source/destination ports

– Protocols

• Patterns of traffic ebbs and flows are useful for volume analysis and troubleshooting, too

Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
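The flow dump on this slide is the raw material for the patterns listed above (who talks to whom, traffic types, ports, protocols, volume). The following added example, which is not code from the deck or from any flow tool, parses records in that column layout and aggregates them into those patterns. The first two records are the slide's own lines; the remaining records are constructed. The example assumes, as the slide's values suggest (ports 50, 4f3, 6ef; flags 14), that the Pr, SrcP, DstP and Fl columns are hexadecimal, so port 0x50 is HTTP and flags 0x14 are RST+ACK, which makes the slide's two records single-packet RST/ACK replies from a web server, typical scan or backscatter noise rather than conversations.

```python
"""Parse flow records in the column layout the slide shows and summarise them
into the patterns the slide lists: who talks to whom, protocols, ports, volume.

Added example; not code from the deck or from any flow tool. The first two
records are the slide's own sample lines; the rest are constructed. In this
layout the Pr, SrcP, DstP and Fl columns are assumed to be hexadecimal."""
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

FLOW_TEXT = """\
Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl
0059 127.0.0.1 005b 219.140.194.174 06 50 4f3 1 40 0721.21:58:00.593 0721.21:58:00.593 0.000 40 00 14
0059 127.0.0.1 005b 219.148.205.228 06 50 6ef 1 40 0721.21:57:56.533 0721.21:57:56.533 0.000 40 00 14
0059 192.168.1.52 005b 192.168.1.61 06 938 50 12 1650 0721.21:59:10.100 0721.21:59:11.900 1.800 137 00 1b
0059 192.168.1.61 005b 192.168.1.52 06 50 938 9 6200 0721.21:59:10.120 0721.21:59:11.910 1.790 688 00 1b
0059 192.168.1.52 005b 192.168.1.1 11 c2a 35 1 64 0721.21:59:09.000 0721.21:59:09.000 0.000 64 00 00
0059 192.168.1.52 005b 192.168.1.61 06 93a 16 40 5000 0721.22:00:00.000 0721.22:05:00.000 300.000 125 00 1b
"""

COLUMNS = ["sif", "src", "dif", "dst", "pr", "srcp", "dstp", "pkts", "octets",
           "start", "end", "active", "bpk", "ts", "fl"]
HEX_COLUMNS = {"sif", "dif", "pr", "srcp", "dstp", "ts", "fl"}
INT_COLUMNS = {"pkts", "octets", "bpk"}


def tcp_flag_names(fl):
    """Expand the Fl bitmask into flag names, lowest bit first."""
    return [name for bit, name in TCP_FLAG_BITS if fl & bit]


def parse_flows(text):
    """Turn the text dump into a list of dicts with typed fields.
    The header line and any line with the wrong field count are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or parts[0] == "Sif":
            continue
        rec = {}
        for name, value in zip(COLUMNS, parts):
            if name in HEX_COLUMNS:
                rec[name] = int(value, 16)
            elif name in INT_COLUMNS:
                rec[name] = int(value)
            elif name == "active":
                rec[name] = float(value)
            else:
                rec[name] = value          # timestamps kept as text
        rec["proto"] = PROTO_NAMES.get(rec["pr"], str(rec["pr"]))
        rec["flags"] = tcp_flag_names(rec["fl"]) if rec["proto"] == "tcp" else []
        flows.append(rec)
    return flows


def summarize(flows):
    """Aggregate the patterns the slide lists."""
    conv_bytes = Counter()   # who talks to whom, direction-agnostic, by bytes
    dst_ports = Counter()    # (proto, destination port) -> number of flows
    rst_only = 0             # single-packet RST/ACK replies: scan/backscatter noise
    for f in flows:
        conv_bytes[tuple(sorted((f["src"], f["dst"])))] += f["octets"]
        dst_ports[(f["proto"], f["dstp"])] += 1
        if f["proto"] == "tcp" and f["pkts"] == 1 and set(f["flags"]) == {"RST", "ACK"}:
            rst_only += 1
    return {"conversations": conv_bytes.most_common(),
            "dst_ports": dst_ports,
            "rst_only_flows": rst_only}


if __name__ == "__main__":
    summary = summarize(parse_flows(FLOW_TEXT))
    for pair, octets in summary["conversations"]:
        print(f"{pair[0]} <-> {pair[1]}: {octets} bytes")
    print("flows per destination port:", dict(summary["dst_ports"]))
    print("single-packet RST/ACK flows:", summary["rst_only_flows"])
```

On the constructed input the heaviest conversation is the 192.168.1.52 to 192.168.1.61 pair (an HTTP exchange on port 80 plus a five-minute SSH session on port 22), the UDP flow to port 53 shows up as DNS, and the slide's two records are counted as RST/ACK noise; the same summary over a real export is the starting point for the volume analysis and troubleshooting the slide mentions.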

Page 42: IDS+Honeypots Making Security Simple

Patterns -> Blocking.

• Intrusion detection gave way to blocking with intrusion prevention systems

– This was driven by better understanding of traffic patterns and signature sets

• Most IDS and IPS platforms, even in blocking mode, did not have much understanding of context

– Most blocks were “point in time” matches based on packet attributes

Page 43: IDS+Honeypots Making Security Simple

What do the patterns MEAN?

• IDS and IPS needed to evolve to make better sense of what was happening in the environment

• To that end, more data is needed

– Events from other network devices

– Events from scans and user information

– Data from vulnerability scanners and monitoring tools

• This is how we can start to build context of what’s happening in the environment.

Page 44: IDS+Honeypots Making Security Simple

Event Data, and Lots of It

[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Traditional IDS and IPS alerts are often overwhelming

Page 45: IDS+Honeypots Making Security Simple

Event Data, and Lots of It (2)

Firewalls and routers are simple, static filtering devices with no understanding of context

Page 46: IDS+Honeypots Making Security Simple

Context + Alerting

• With event data from numerous sources, you can start to build context in the environment

– What systems communicate in a given subnet?

– What known vulnerabilities are there in the environment?

– What network devices does the traffic pass through?

• The IDS/IPS by itself, however, will still only report what it “sees”

Page 47: IDS+Honeypots Making Security Simple

Visibility: What IDS “Sees”

• Only traffic that passes by or through the IDS/IPS is analyzed

– Subnets? Check.

– Source/Destination ports? Check.

– Applications or platforms in use? Nope.

Page 48: IDS+Honeypots Making Security Simple

Visibility: More Data = Better

• Attacks are no longer viewed as discrete events at a “point in time”

• More data adds context and tells a better “security story”

– Passive scan data on OS, applications

– Active scan data on vulnerabilities

– Behavioral trend data

– System logs and endpoint security

– User directory data

Page 49: IDS+Honeypots Making Security Simple

Hmmm. Too many alerts?

• Now we have to start paring down alerts to get to *better* data

– Are there false positives we’ve discovered?

– Can we prioritize some data?

– Can we start combining data types into unique alert models?

• Data overload is a very common problem with IDS/IPS sensors

Page 50: IDS+Honeypots Making Security Simple

Correlation -> BETTER alerts.

• Correlation makes a big difference in how events are reported

• Not every unique event makes sense to alert on

– Combinations of events

– Quantity of events

– Times of day or location (source/destination)

• Having some context and behavioral baseline can help

Page 51: IDS+Honeypots Making Security Simple

Which of my vulnerable assets are under attack?
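The question on this slide is answered by joining two data sets the preceding slides describe: the IDS alert stream (Event Data) and the asset and vulnerability context (Visibility, Context + Alerting), then rolling alerts up by combination and quantity (Correlation). The following added example, which is not the deck's code and not Snort's or OSSIM's logic, parses alerts in the layout of the slide's SQL Injection sample, ranks each one by whether the target actually runs the attacked service and is known to be vulnerable to it, and raises a single better alert when one source produces a pattern across several alerts. The first alert is the slide's own sample; the other two alerts, the inventory and the SIGNATURE_CONTEXT map (which service and vulnerability class a signature targets) are constructed for the example.

```python
"""Parse Snort-style alerts in the layout the slide shows and put them in
context: does the target run the attacked service, is it known vulnerable,
and is one source producing a pattern across several alerts?

Added example; not the deck's code and not Snort's or OSSIM's logic. The
first alert is the slide's sample; the other alerts, the inventory and the
SIGNATURE_CONTEXT map are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime

ALERT_TEXT = """\
[**] SQL Injection [**]
10/30-20:38:56.753145 192.168.1.52:2360 -> 192.168.1.61:80
TCP TTL:128 TOS:0x0 ID:22376 IpLen:20 DgmLen:809 DF
***AP*** Seq: 0xF69FDBE3 Ack: 0x3D5C8C4 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SQL Injection [**]
10/30-20:39:02.113007 192.168.1.52:2361 -> 192.168.1.70:80
TCP TTL:128 TOS:0x0 ID:22390 IpLen:20 DgmLen:790 DF
***AP*** Seq: 0x10A0B0C0 Ack: 0x20D0E0F0 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] SMB Null Session [**]
10/30-20:41:40.500000 192.168.1.52:2362 -> 192.168.1.61:445
TCP TTL:128 TOS:0x0 ID:22401 IpLen:20 DgmLen:150 DF
***AP*** Seq: 0x30A0B0C0 Ack: 0x40D0E0F0 Win: 0xF991 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

# Constructed context: what each host runs and which vulnerability classes
# the last scan found on it.
INVENTORY = {
    "192.168.1.61": {"services": {80: "http", 445: "smb"}, "vulns": {"sqli"}},
    "192.168.1.70": {"services": {9100: "jetdirect"}, "vulns": set()},
}
# Constructed: service and vulnerability class each signature is aimed at.
SIGNATURE_CONTEXT = {"SQL Injection": ("http", "sqli"),
                     "SMB Null Session": ("smb", "smb-anon")}

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")


def parse_alerts(text):
    """Split on the =+=+ separator and read each alert's fields. The timestamp
    carries no year, so it parses as 1900 and is only compared to other alerts."""
    alerts = []
    for block in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        head, flow = HEADER_RE.match(lines[0]), FLOW_RE.match(lines[1])
        if not head or not flow:
            continue
        alerts.append({"msg": head["msg"], "src": flow["src"], "dst": flow["dst"],
                       "dst_port": int(flow["dport"]), "proto": lines[2].split()[0],
                       "time": datetime.strptime(flow["ts"], "%m/%d-%H:%M:%S.%f")})
    return alerts


def prioritize(alert, inventory):
    """Rank one alert by what the inventory knows about its target."""
    service, vuln_class = SIGNATURE_CONTEXT.get(alert["msg"], (None, None))
    asset = inventory.get(alert["dst"])
    if asset is None:
        return "medium", "target not in inventory: unknown asset, verify discovery"
    running = asset["services"].get(alert["dst_port"])
    if service and running != service:
        return "low", f"target does not run {service} on port {alert['dst_port']}"
    if vuln_class in asset["vulns"]:
        return "high", f"target is vulnerable to {vuln_class}"
    return "medium", "target runs the service but has no known matching vulnerability"


def correlate(alerts, window_seconds=300):
    """Roll alerts from one source up into the combinations worth one better alert:
    the same signature against several hosts, or several signatures from one source."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    findings = []
    for src, items in by_src.items():
        items.sort(key=lambda a: a["time"])
        if (items[-1]["time"] - items[0]["time"]).total_seconds() > window_seconds:
            continue   # simplification: only bursts that fit in one window are rolled up
        by_msg = defaultdict(set)
        for a in items:
            by_msg[a["msg"]].add(a["dst"])
        for msg, hosts in by_msg.items():
            if len(hosts) >= 2:
                findings.append({"src": src, "kind": "same signature against several hosts",
                                 "msg": msg, "hosts": len(hosts)})
        if len(by_msg) >= 2:
            findings.append({"src": src, "kind": "multiple signatures from one source",
                             "msg": sorted(by_msg), "hosts": len({a["dst"] for a in items})})
    return findings


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_TEXT)
    for a in parsed:
        print(a["msg"], a["src"], "->", a["dst"], prioritize(a, INVENTORY))
    for f in correlate(parsed):
        print("correlated:", f)
```

With the constructed inventory the slide's own alert ranks high (192.168.1.61 runs HTTP on port 80 and the last scan found it SQL-injectable), the same signature against the printer at 192.168.1.70 ranks low (nothing listens on its port 80), and the SMB alert ranks medium; correlation then adds two roll-ups for 192.168.1.52, which is the "which of my vulnerable assets are under attack" view rather than three raw events.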

Page 52: IDS+Honeypots Making Security Simple

Live Demo: Get Complete Security Visibility in Under 1 Hour

Page 53: IDS+Honeypots Making Security Simple

@AlienVault

The breach – common ways attackers get in

What they do next to infiltrate the network

Why detecting their movements is tricky

Demo: How to detect attackers moving stealthily around your network

Agenda

Page 54: IDS+Honeypots Making Security Simple

@AlienVault

Client-side vulnerabilities exploited by:

• Malicious website, i.e. watering hole attacks

• Malicious email attachment

Gives attackers access to the local system with privileges of the local user

The Breach

Page 55: IDS+Honeypots Making Security Simple

@AlienVault

Grab credentials of cached users

Browse the domain

Exfiltrate data

What happens next

Page 56: IDS+Honeypots Making Security Simple

@AlienVault

Windows Credentials Editor

Allows an attacker to list Windows logon sessions and add, change, list and delete associated credentials

• Pass-The-Hash on Windows machines

• Grab NTLM credentials from cached memory

• Grab Kerberos tickets from Windows machines

• Dump cleartext passwords stored by Windows authentication packages

But how is this possible?

Page 57: IDS+Honeypots Making Security Simple

@AlienVault

Pass the Hash for using credentials in crafty ways

• WMIC (Windows Management Instrumentation Command-line)
- Used to issue queries like running processes
- wmic -U demo/administrator%hash //172.16.1.1 "select csname,name,processid,sessionid from win32_process"

But how is this possible?

Page 58: IDS+Honeypots Making Security Simple

@AlienVault

Pass the Hash - using credentials in crafty ways (WMIS)

• WMIS (Windows Metadata and Internet Services)
- Can be used to create processes; the sky is the limit with this attack vector
- wmis -U demo/administrator%hash //172.16.1.1 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'

But how is this possible?

Page 59: IDS+Honeypots Making Security Simple

@AlienVault

Pass the Hash - using credentials in crafty ways (SMBGET)

• SMBGET can pull files from Windows using a hash for the password
- smbget -w demo -u demo\\administrator -O -p <hash> smb://172.16.1.1/c$/windows/temp/blog.txt

But how is this possible?

Page 60: IDS+Honeypots Making Security Simple

@AlienVault

CURL

• Pass the hash and we can view a default SharePoint page, logged in as john.smith

• curl --ntlm -u john.smith:<hash> http://intranet.demo.local/Pages/Default.aspx

But how is this possible?

Page 61: IDS+Honeypots Making Security Simple

@AlienVault

Pass the Hash Toolkit

• There is also a toolkit for Windows with several pass the hash utilities

But how is this possible?

Page 62: IDS+Honeypots Making Security Simple

@AlienVault

Tricky to detect because…

Firewall won’t catch it
• Exploiting client side vulnerabilities causes the victim’s machine to initiate a connection back to the attacker’s server
• Attacker’s domain browsing activities are also originating from the victim’s machine inside the network

Anti-virus is unlikely to catch it
• 82,000 new malware variants released every day*

No suspicious authentication failures
• Cached credentials are used to browse the domain so the attacker doesn’t need to guess passwords

So, what will catch it?
Network Intrusion Detection and effective correlation

How do you detect this?

*http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html
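The slide's answer, network detection plus correlation, can be made concrete for the "browse the domain" stage the earlier slides describe: there are no logon failures to alert on, so the detection has to come from successful authentications that are unusual in shape. The following added example, which is not the deck's code and not AlienVault's correlation rules, correlates two signals over network-observed authentication events: one source authenticating to many hosts inside a short window (fan-out), and a privileged account used from a host whose inventory role is a workstation. Either alone is a medium finding; both from the same source is high. The event lines, host roles and privileged-account list are constructed (reusing the demo\administrator account and 172.16.1.1 target from the slides), and the key=value event format is an assumption standing in for whatever a NIDS or log collector emits for SMB/NTLM session setups.

```python
"""Detect the 'browse the domain with cached credentials' stage described on
the preceding slides from network authentication events, where there are no
failures to alert on. Two signals are correlated: one source authenticating
to many hosts in a short window (fan-out), and a privileged account used from
a host whose inventory role is 'workstation'.

Added example; not the deck's code and not AlienVault's correlation rules.
Events, host roles and the privileged-account list are constructed; the
key=value format is an assumption for what a sensor emits."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: successful SMB/NTLM and Kerberos session setups. The first four
# lines are one workstation sweeping several servers with the slide's account.
EVENTS = r"""
2014-10-30T20:38:01Z src=192.168.1.52 dst=192.168.1.61 account=demo\administrator auth=NTLM result=success
2014-10-30T20:38:09Z src=192.168.1.52 dst=192.168.1.62 account=demo\administrator auth=NTLM result=success
2014-10-30T20:38:15Z src=192.168.1.52 dst=192.168.1.63 account=demo\administrator auth=NTLM result=success
2014-10-30T20:38:40Z src=192.168.1.52 dst=172.16.1.1 account=demo\administrator auth=NTLM result=success
2014-10-30T20:30:00Z src=192.168.1.31 dst=192.168.1.200 account=demo\jdoe auth=Kerberos result=success
2014-10-30T20:31:00Z src=192.168.1.32 dst=192.168.1.200 account=demo\asmith auth=Kerberos result=success
2014-10-30T20:32:00Z src=192.168.1.33 dst=192.168.1.200 account=demo\bjones auth=NTLM result=success
2014-10-30T20:35:00Z src=192.168.1.5 dst=192.168.1.61 account=demo\administrator auth=Kerberos result=success
2014-10-30T20:55:00Z src=192.168.1.5 dst=192.168.1.62 account=demo\administrator auth=Kerberos result=success
"""

# Constructed asset context: the role of each host from the inventory.
HOST_ROLES = {"192.168.1.52": "workstation", "192.168.1.31": "workstation",
              "192.168.1.32": "workstation", "192.168.1.33": "workstation",
              "192.168.1.5": "admin-jumphost", "192.168.1.61": "server",
              "192.168.1.62": "server", "192.168.1.63": "server",
              "192.168.1.200": "file-server", "172.16.1.1": "server"}
PRIVILEGED_ACCOUNTS = {"demo\\administrator"}


def parse_events(text):
    """key=value lines with a leading UTC timestamp; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def fan_out(events, window, min_hosts):
    """Per source, the largest number of distinct destinations reached within
    any window; only sources at or above min_hosts are returned."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    peak = {}
    for src, items in by_src.items():
        items.sort(key=lambda e: e["time"])
        best = 0
        for i, first in enumerate(items):   # O(n^2) per source; fine for a demo
            hosts = {e["dst"] for e in items[i:] if e["time"] - first["time"] <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            peak[src] = best
    return peak


def detect(events, roles, privileged, window=timedelta(minutes=5), min_hosts=3):
    """Correlate the two signals per source and return one finding per source."""
    ok = [e for e in events if e.get("result") == "success"]
    signals = defaultdict(set)
    hosts = {}
    for src, n in fan_out(ok, window, min_hosts).items():
        signals[src].add("fan-out")
        hosts[src] = n
    for e in ok:
        if e["account"] in privileged and roles.get(e["src"]) == "workstation":
            signals[e["src"]].add("privileged-account-from-workstation")
    findings = []
    for src, sig in signals.items():
        findings.append({"src": src, "signals": sorted(sig),
                         "severity": "high" if len(sig) > 1 else "medium",
                         "hosts": hosts.get(src, len({e["dst"] for e in ok if e["src"] == src}))})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(EVENTS), HOST_ROLES, PRIVILEGED_ACCOUNTS):
        print(finding)
```

On the constructed events only 192.168.1.52 is reported: it reached four hosts in under a minute with a privileged account from a workstation, so both signals fire and the finding is high. The three users logging on to the file server are many sources to one destination, which is normal, and the jump host using the same administrator account against two servers twenty minutes apart stays below both thresholds. Tuning is where the context slides matter: the window, the host count and the role table come from the asset inventory and a behavioral baseline, not from the IDS alone.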