Open Source Security Toolsets

Transcript

1. Kevin Keeney Cyber Security Advocate @kevinkeeneyjr Open Source Security Tools

2. None

3. RockNSM http://rocknsm.io http://github.com/rocknsm/rock Derek Ditch https://github.com/dcode/ https://twitter.com/dcode Jeff Geiger https://github.com/jeffgeiger

   https://twitter.com/jeffgeiger

4. “So there I was…” ROCK Origin

5. • Lightweight • Secure from foundation up • As close

   to production sensor as possible • Repeatable • Available at home Needs

6. ROCK 2.0

7. RockNSM 2.1

8. • Data transformations • Data enrichment • Data tagging •

   Data mapping & storage Data Pipeline

9. Network conn dhcp dns ftp http kerberos … Log Normalization

   Files files pe x509 Detection intel notice notice_alarm signatures traceroute Observations known_certs known_devices known_hosts known_modbus known_services software Diagnostics capture_loss reporter stats

10. Fieldname Normalization "ssl": { "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256", "established": true, "id_resp_p": 443,


    … }
 
 "files": { "timedout": false, "local_orig": false, "rx_hosts": [ "192.168.100.103" ],
 ...
 } "conn": { "resp_pkts": 0, "id_orig_p": 5353, "local_resp": false, "uid": "Ci6Mji4NGqQu538N2a", "orig_asn": 0, …
 } "dns": {
 "query": "android.local", "answers": [ "android.local", "192.168.100.111" ], },

11. Scoped Fields

12. Log Normalization - Example "@timestamp": "2017-04-26T00:19:16.900Z",
 "@meta": { "resp_host": "17.167.193.45",

    "proc": "enp0s31f6-4", "system": "sensor001-001", "event_type": "network", "stream": "ssl", "related_ids": [ "C6Gg0g1AXxTpLWzYka", "FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa", "FnNRub2EJTB48nuqmc" ], "orig_host": "192.168.100.103", "resp_port": "443", "id": "C6Gg0g1AXxTpLWzYka", "orig_port": "49172" } • Log category • Connection-level metadata • Specific log type • ID of this specific event • All related IDs in this log entry 1 1 3 5 2 3 2 2 2 4 4 2 5

13. SO WHAT? Clean data drives clean analysis

14. 14 Analysis Walkthrough

15. 15

16. 16 Analysis Walkthrough

17. 17 Analysis Walkthrough

18. 18 Analysis Walkthrough

19. 19 Analysis Walkthrough

20. 20 Analysis Walkthrough

21. 21 Analysis Walkthrough

22. Traffic by Geography

23. IDS Alerts over Time

24. DNS Logs

25. Cross-Tab Filtering

26. VulnWhisperer https://github.com/austin-taylor/VulnWhisperer

27. 27 Austin Taylor Chief Security Research Engineer @ IronNet Cybersecurity

    Cyber Warfare Operator @ USAF (MDANG) Security Consultant @ HA Security Solutions

28. 28 VulnWhisperer • Currently supports: Nessus & Qualys Web Applications

    • Written in Python • Custom Risk Scores • Asset Tagging • Intended to create actionable data for defenders and metrics for managers (Track risk over time) https://github.com/austin-taylor/VulnWhisperer

29. 29 The Need – Pre Incident • Identify Critical Assets

    • Know thyself • Where do I Hunt

30. 30 The Need – Post Incident • What type of

    assets by geo / dept. have similar hosts • How many machines of each • Where should we prioritize remediation efforts

31. 31 VulWhisperer - Full Logical Processing Pipeline • Normalize, filter

    and enrich Scan Logs • FileBeat: Sends the plaintext files • JSON structured log documents • Prebuilt Dashboards

32. 32 Actionable Vulnerability Scans Invest time up front and save

    time when it matters

33. 33 Track Risk Over Time

34. HELK Overview 34

35. None

36. Roberto Rodriguez “Cyb3rWard0g” https://github.com/Cyb3rWard0g https://cyberwardog.blogspot.com https://twitter.com/Cyb3rWard0g

37. What HELK stand for? Hunting ELK 37

38. WINLOGBEAT Collect all the logs from your Windows endpoints

39. Kafka Distributed publish-subscribe messaging system

40. LOGSTASH Process, normalization, parse, tag, enrich, transform…data

41. Company Name // Theme name Normalize - Endpoint Data 41

42. AlienVault - OTX Open Threat Exchange

43. ELASTICSEARCH Index on ingest = Pay your taxes up front

44. KIBANA Visualize, Analyze, Search…data

45. ES-Hadoop Connector: Apache Spark <-> Elasticsearch

46. ApacheSpark Graph processing

47. GraphFrames Highly expressive graph queries

48. Jupiter Notebook Statistical modeling, numerical simulation, machine learning…

49. None

50. If only we had a hero

51. Andrew Pease https://github.com/peasead https://github.com/capesstack

52. Cyber Analytics Platform and Examination System capesstack.io

53. Why? Had a great hunt platform (RockNSM) No IR platform

    No intelligence pipeline capabilities No way to communicate over distance No (real) documentation

54. requirements Open source (obviously) Self hosted OS/platform agnostic API extensibility

    • Secure OS • Operator launch point • IR tracking & management • Documentation • Observation enrichment • Communication over distance • Real-time collaboration
55. None

56. OPERATING SYSTEM RHEL compatible SELinux STIGs out of the Box

    CentOS

57. Operator launch point Low barrier to entry Single page for

    operators Reverse proxy

58. incident response tracking Record observations Scalable Operational metrics TheHive Project

59. Observation enrichment IR platform compatible Observation enrichment Multiple data points

60. documentation Markdown / AsciiDoc Accessible 24/7 Git Git with a

    cup of tea (Gitea)

61. Communication Indexed Searchable Tagging File upload Channels & DM Rocketchat

62. Real-time Collaboration “OneNote / Google Sheets” function Plugins Syntax highlighting

    Etherpad

63. Real-time Monitoring Monitors availability Collects metrics Logging METRICBEAT HEARTBEAT FILEBEAT

64. None

65. Road Ahead Ansible Docker Hardening Pentest Even more Documentation

66. Cyber Analytics Platform and Examination System capesstack.io

67. ES-Hadoop Security Analytics Architecture
 Web Proxies EDR / EPP IDS

    /IPS / NMS Kafka Redis Messaging Queue Logstash Workers (2+) LDAP Authentication AD Notification SSO X-Pack Kibana X-Pack Instances (2+) Custom UI Elasticsearch Clients Elasticsearch X-Pack Master (3) Ingest (X) Data – Hot (X) Data – Warm (X) Machine Learning (2+) Coordinating (X) Alerting (X) HEARTBEAT Beats FILEBEAT METRICBEAT PACKETBEAT WINGLOGBEAT AUDITBEAT SCANS DNS FILE SIEM Vulnerability Data & Threat Intelligence IP

68. Thank You • Web : www.elastic.co • Products : https://www.elastic.co/products

    • Forums : https://discuss.elastic.co/ • Community : https://www.elastic.co/community/meetups • Twitter : @elastic