Open Source Security Toolsets

Kevin Keeney Cyber Security Advocate @kevinkeeneyjr Open Source Security Tools

RockNSM http://rocknsm.io http://github.com/rocknsm/rock Derek Ditch https://github.com/dcode/ https://twitter.com/dcode Jeff Geiger https://github.com/jeffgeiger
https://twitter.com/jeffgeiger

“So there I was…” ROCK Origin

• Lightweight • Secure from foundation up • As close
to production sensor as possible • Repeatable • Available at home Needs

ROCK 2.0

RockNSM 2.1

• Data transformations • Data enrichment • Data tagging •
Data mapping & storage Data Pipeline

Network conn dhcp dns ftp http kerberos … Log Normalization
Files files pe x509 Detection intel notice notice_alarm signatures traceroute Observations known_certs known_devices known_hosts known_modbus known_services software Diagnostics capture_loss reporter stats

Fieldname Normalization "ssl": { "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256", "established": true, "id_resp_p": 443, 
… }    "files": { "timedout": false, "local_orig": false, "rx_hosts": [ "192.168.100.103" ],  ...  } "conn": { "resp_pkts": 0, "id_orig_p": 5353, "local_resp": false, "uid": "Ci6Mji4NGqQu538N2a", "orig_asn": 0, …  } "dns": {  "query": "android.local", "answers": [ "android.local", "192.168.100.111" ], },

Scoped Fields

Log Normalization - Example "@timestamp": "2017-04-26T00:19:16.900Z",  "@meta": { "resp_host": "17.167.193.45",
"proc": "enp0s31f6-4", "system": "sensor001-001", "event_type": "network", "stream": "ssl", "related_ids": [ "C6Gg0g1AXxTpLWzYka", "FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa", "FnNRub2EJTB48nuqmc" ], "orig_host": "192.168.100.103", "resp_port": "443", "id": "C6Gg0g1AXxTpLWzYka", "orig_port": "49172" } • Log category • Connection-level metadata • Specific log type • ID of this specific event • All related IDs in this log entry 1 1 3 5 2 3 2 2 2 4 4 2 5

SO WHAT? Clean data drives clean analysis

14 Analysis Walkthrough

Traffic by Geography

IDS Alerts over Time

DNS Logs

Cross-Tab Filtering

VulnWhisperer https://github.com/austin-taylor/VulnWhisperer

27 Austin Taylor Chief Security Research Engineer @ IronNet Cybersecurity
Cyber Warfare Operator @ USAF (MDANG) Security Consultant @ HA Security Solutions

28 VulnWhisperer • Currently supports: Nessus & Qualys Web Applications
• Written in Python • Custom Risk Scores • Asset Tagging • Intended to create actionable data for defenders and metrics for managers (Track risk over time) https://github.com/austin-taylor/VulnWhisperer

29 The Need – Pre Incident • Identify Critical Assets
• Know thyself • Where do I Hunt

30 The Need – Post Incident • What type of
assets by geo / dept. have similar hosts • How many machines of each • Where should we prioritize remediation efforts

31 VulWhisperer - Full Logical Processing Pipeline • Normalize, filter
and enrich Scan Logs • FileBeat: Sends the plaintext files • JSON structured log documents • Prebuilt Dashboards

32 Actionable Vulnerability Scans Invest time up front and save
time when it matters

33 Track Risk Over Time

HELK Overview 34

Roberto Rodriguez “Cyb3rWard0g” https://github.com/Cyb3rWard0g https://cyberwardog.blogspot.com https://twitter.com/Cyb3rWard0g

What HELK stand for? Hunting ELK 37

WINLOGBEAT Collect all the logs from your Windows endpoints

Kafka Distributed publish-subscribe messaging system

LOGSTASH Process, normalization, parse, tag, enrich, transform…data

Company Name // Theme name Normalize - Endpoint Data 41

AlienVault - OTX Open Threat Exchange

ELASTICSEARCH Index on ingest = Pay your taxes up front

KIBANA Visualize, Analyze, Search…data

ES-Hadoop Connector: Apache Spark <-> Elasticsearch

ApacheSpark Graph processing

GraphFrames Highly expressive graph queries

Jupiter Notebook Statistical modeling, numerical simulation, machine learning…

If only we had a hero

Andrew Pease https://github.com/peasead https://github.com/capesstack

Cyber Analytics Platform and Examination System capesstack.io

Why? Had a great hunt platform (RockNSM) No IR platform
No intelligence pipeline capabilities No way to communicate over distance No (real) documentation

requirements Open source (obviously) Self hosted OS/platform agnostic API extensibility
• Secure OS • Operator launch point • IR tracking & management • Documentation • Observation enrichment • Communication over distance • Real-time collaboration

OPERATING SYSTEM RHEL compatible SELinux STIGs out of the Box
CentOS

Operator launch point Low barrier to entry Single page for
operators Reverse proxy

incident response tracking Record observations Scalable Operational metrics TheHive Project

Observation enrichment IR platform compatible Observation enrichment Multiple data points

documentation Markdown / AsciiDoc Accessible 24/7 Git Git with a
cup of tea (Gitea)

Communication Indexed Searchable Tagging File upload Channels & DM Rocketchat

Real-time Collaboration “OneNote / Google Sheets” function Plugins Syntax highlighting
Etherpad

Real-time Monitoring Monitors availability Collects metrics Logging METRICBEAT HEARTBEAT FILEBEAT

Road Ahead Ansible Docker Hardening Pentest Even more Documentation

Cyber Analytics Platform and Examination System capesstack.io

ES-Hadoop Security Analytics Architecture  Web Proxies EDR / EPP IDS
/IPS / NMS Kafka Redis Messaging Queue Logstash Workers (2+) LDAP Authentication AD Notification SSO X-Pack Kibana X-Pack Instances (2+) Custom UI Elasticsearch Clients Elasticsearch X-Pack Master (3) Ingest (X) Data – Hot (X) Data – Warm (X) Machine Learning (2+) Coordinating (X) Alerting (X) HEARTBEAT Beats FILEBEAT METRICBEAT PACKETBEAT WINGLOGBEAT AUDITBEAT SCANS DNS FILE SIEM Vulnerability Data & Threat Intelligence IP

Thank You • Web : www.elastic.co • Products : https://www.elastic.co/products
• Forums : https://discuss.elastic.co/ • Community : https://www.elastic.co/community/meetups • Twitter : @elastic

Open Source Security Toolsets

Open Source Security Toolsets

More Decks by Elastic Co

Other Decks in Technology

Featured

Transcript