Elasticsearch: incident detection use-cases and security best practices

Transcript

1. Elasticsearch Use cases and security best practices OWASP Geneva meeting

   - 16.11.15 Julien Bachmann / julien /dot/ bachmann /at/ nagra /dot/ com @milkmix_

2. map | you are here Introduction me disclaimer Data is

   the new bacon Platform presentation Security best practices for Elasticsearch

3. intro | who am I 7 years performing pentests and

   incident response Since 1.5 year playing on the defensive side within Kudelski Security Security Architect in the Technology Team “Full stack security architect : from assembly to Gartner reports and beyond”

4. intro | disclaimer Use cases presented here are far from

   complete Many types of attacks many ways to detect them manually or automatically through logs IDS are another way, have a look at https://speakerdeck.com/milkmix/clusis-campus-2015-introduction-to- suricata-ids Windows logs https://speakerdeck.com/milkmix/import-module-incidentresponse

5. map | you are here Introduction Data is the new

   bacon use-cases for incidents detection suspicious connections sql injections webshell Platform presentation Security best practices for Elasticsearch

6. part 1 | data is the new bacon Admin got

   a new idea “why not leverage logs and detect attacks with them?” need to define use-cases before jumping straight into the technology

7. use-cases | suspicious connections Bob (our admin) is administering his

   servers using SSH default port is changed in order to remove brute-force attempt by kiddies SSH generates events in /var/log/auth.log

8. use-cases | suspicious connections date host ps user ingress IP

9. use-cases | suspicious connections Facts Bob is always administering his

   servers from Switzerland IP could be matched against GeoIP database to retrieve country of origin Example of use-case detect fraudulent connections coming from a different country match source IP against known malicious hosts

10. use-cases | suspicious connections Note administering servers over the Internet

    is not common even on AWS you might have a VPN as an enterprise or a single IP to connect from generate your own GeoIP.dat for internal addressing: https://github.com/mteodoro/mmutils

11. use-cases | sql injection Bob servers are running PHP scripts

    some querying MySQL database (not even NoSQL, lame… ;)) Apache logs are located in /var/apache2/access.log

12. use-cases | sql injection date source IP URI bytes-sent user-agent

13. use-cases | sql injection Facts Apache access.log contains number of

    bytes sent exploiting SQL injection should generate a bigger request/response exploiting a blind SQL injection requires more requests/responses Example of use-case detect SQL injection exploitation by detecting higher bytes-sent value detect blind SQL injection exploitation using queries frequency

14. use-cases | webshell Still on the PHP scripts some pages

    allow to upload documents Bob fears the following two vulnerabilities: 1. unrestricted upload of file with dangerous type 2. improper control of filename for include/require statement in PHP Apache logs are located in /var/apache2/access.log

15. use-cases | webshell date source IP URI return code user-agent

16. use-cases | webshell Facts Apache access.log contains names of PHP

    scripts if an attacker exploits the two vulnerabilities to upload a remote shell his accesses will be there Example of use-case using the URI, detect PHP script which was not requested in the last 30 days (or shorter if you are in agile mode)

17. map | you are here Introduction Data is the new

    bacon Platform presentation logstash elasticsearch kibana elastalert Security best practices for Elasticsearch

18. part 2 | platform presentation Although having a strong grep-fu

    he is willing to try the 2015 way “I should have a look at those search database everyone has been talking about…” Elasticsearch for example ! Wait… how do I ship logs to this Elasticsearch thing?

19. elk | the stack Stands for Elasticsearch, Logstash and Kibana

    not really used in that particular order it includes: a log collector with enrichment capabilities : Logstash a search database based on Lucene : Elasticsearch an interface to keep management happy : Kibana

20. elk | logstash Credits: elastic.co

21. elk | logstash Logs collector, enrichment and shipper unifies data

    from disparate sources and normalise the data into destinations of your choice filters input using Grok language enriches data using plugins …

22. elk | logstash Credits: elastic.co

23. elk | logstash Standard configuration file

24. elk | logstash Inputs file, tcp/udp, syslog, twitter, sqlite, irc,

    kafka, … codecs to automatically parse known file types Filters grok, mutate, ruby, geoip, … Output debug, elasticsearch, file, …

25. elk | logstash Plugins easily develop plugin in Ruby (uh…)

    ex: enrich logs with data from an external database to map user’s identity

26. elk | logstash Example with auth.log input: file tips :

    don’t forget about the .sincedb file filters: need to extract relevant info and enrich ingress IP with GeoIP data output : debug for the moment

27. elk | logstash

28. elk | logstash

29. elk | logstash

30. elk | logstash Example with access.log input: file filters use

    Grok patterns to speed-up the configuration separate script name from his arguments output : debug for the moment

31. elk | logstash Grok patterns COMMONAPACHELOG %{IPORHOST:clientip} %{HTTPDUSER:ident} % {USER:auth}

    \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} % {NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|% {DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} % {QS:agent}

32. elk | logstash

33. elk | logstash

34. elk | logstash In real life, some additional actions are

    required verify that all servers are time synchronised and/or timezone correctly set which fields should be kept? what information should be added to the events? … Events parsing is one of the pain-point when doing logs management/SIEM same applies for AlienVault, Splunk, …

35. elk | logstash Does it scale? if you really need

    it, it can yes use Apache Kafka nodes to collect logs forward from them to logstash to enrich/forward And for Windows events? use NXLog to ship events from Windows hosts

36. elk | elasticsearch Search database “schema-free” full text search thanks

    to Lucene backend distributed and scalable replication of your data across nodes easy to use REST-API

37. elk | elasticsearch Configuration config/elasticsearch.yaml quite easy to create a

    cluster set cluster.name to desired value allow nodes to communicate together on unicast load balancer nodes node.data: false node.master: false

38. elk | elasticsearch Configuration not all of the configuration is

    easy ES_HEAP_SIZE number_of_{shards, replicas} for indexes manage logs rotation using curator …

39. elk | elasticsearch Structure documents have an _id automatically generated

    but can be forced if needed by use-case documents are regrouped in _type an index regroups several types {index}/{type}/{id}

40. elk | elasticsearch Schema-free technically yes since you can throw

    in a json file and have it indexed in the background ES is creating the schema for you ! in order to have correct and faster results in search mode, a correct mapping is required default one might not be optimal or functional for you ex: hosts name with . which is also a separator for default indexer

41. elk | elasticsearch Mapping defines type, indexer and other properties

    of document’s fields type can be string, integer, IP, date, boolean, binary, array, geopoint, … format is for date fields index is defined to analysed by default, other value is not_analyzed

42. elk | elasticsearch Important point on mappings ! once defined

    a mapping cannot be changed for an index need to re-index all of it yep, this could be quite bad if you just discovered it after indexing 1TB you can use aliases on indexes to create new mapping faster think about your use-cases and perform tests gradually

43. elk | elasticsearch Put mapping curl -XPUT 'http://localhost:9200/sshd/' - [email protected]

    Retrieving index mapping curl -XGET ‘http://localhost:9200/sshd/_mapping?pretty'

44. elk | elasticsearch

45. elk | elasticsearch Wait, go back one slide! How did

    you send the sshd logs into ES ? using the elasticsearch output in logstash :)

46. elk | kibana Graphical interface to Elasticsearch really easy to

    set-up might be limited for specific use-cases : increase your es-query-fu

47. elk | kibana Sample dashboard for sshd logs

48. elk | kibana Sample dashboard for apache logs

49. elk | summary Apache logstash ES ES ES Kibana bob

50. alerting | elastalert Open source project by Yelp made to

    answer to the : how do I watch over thousand of servers? https://github.com/Yelp/elastalert

51. alerting | elastalert Concept use events stored in Elasticsearch simple

    rules written in yaml files generate alerts to several providers conventionals : email, Jira or for the more hipsters of you : Slack, HipChat, PagerDuty

52. alerting | elastalert Types of alerts blacklist / whitelist value

    change new term cardinality frequency spike flatline

53. alerting | elastalert Back to our use-cases ingress ssh connection

    from a different country: new term or change high number of queries : frequency webshell deployed by attacker : new term

54. alerting | elastalert Ingress ssh countries

55. alerting | elastalert High number of HTTP queries

56. alerting | elastalert

57. alerting | elastalert Limitations not possible to correlate between multiple

    indexes no rules on term values could be circumvented using filters but not all features will work But elastalert is designed to be extensible new rule types can be developed

58. map | you are here Introduction Data is the new

    bacon Platform presentation Security best practices for Elasticsearch default behaviour network / transport authentication / authorisation hardening shield

59. part 3 | wait, where is my data?!? Admin got

    back to work but ES cluster looks down service not running anymore after rebooting it, it appears that all data has been deleted

60. concept | elasticsearch

61. concept | elasticsearch REST API get index delete update

62. concept | elasticsearch Based on two parts HTTP verbs GET,

    PUT, DELETE URL action : _search, _mapping, _update, _shutdown, _snapshot/ _restore, … path : index or alias (transparent)

63. concept | elasticsearch On the network side cleartext protocol cluster

    nodes discovery using unicast

64. concept | elasticsearch At the application level possibility to perform

    dynamic scripting plugins mechanism secure development CVE-2015-5531 : directory traversal allowing to read arbitrary files CVE-2015-4093 : XSS CVE-2015-1427 : sandbox bypass, execute arbitrary shell commands …

65. protection | plan Several factors on which to operate network

    segmentation transport security authentication / authorisation hardening

66. protection | network segmentation Separate Elasticsearch cluster from the rest

    of the network dedicated VLAN + firewall setup a load-balancing node and make it the only network-reachable endpoint also applicable to Hadoop and the like, …

67. protection | transport security Could be difficult to set proper

    SSL tunnels between nodes need a PKI (but who doesn't in 2015? ;)) wrap Elasticsearch in stunnel or similar solution Easier network segmentation so inter-nodes communications are not accessible Kibana/querying host behind a jump host access through SSH tunnelling

68. protection | transport security Ok, but when I have X

    writers and not only consumers for ES ? set-up a reverse proxy with SSL connections only Nginx for example ssl on; ssl_certificate /etc/ssl/cacert.pem; ssl_certificate_key /etc/ssl/privkey.pem;

69. protection | authentication Set-up a reverse proxy nginx again auth_basic

    / auth_basic_user_file options in the configuration file do not forget to also add transport security for the credentials security Kibana and ElastAlert are compatible

70. protection | authorization Set-up a reverse proxy nginx again filter

    by location and HTTP verb limit_except GET { … }

71. protection | hardening Beware if you are using packaged solutions

    didn’t specifically look at them could be bundled with unnecessary (vulnerable) services Disable dynamic scripting now the default setting

72. protection | monitoring Do not forget to monitor your cluster

    status elastic.co Marvel elastichq

73. protection | not that easy This seems cool, but not

    really simple to set-up many points to cover probably why elastic.co released a product to circumvent this Shield please note the references to Marvel comics :)

74. protection | shield Functionalities authentication (local, LDAP, AD, PKI) role

    based access control granular level of security at the document and field level inter-nodes transport security auditing

75. protection | shield This is unfortunately not a freeware require

    to have a subscription based license this is highly recommended as soon as you step out of the POC garden expertise on ES could save you quite some time

76. protection | shield Demo version for 60 days

77. protection | shield

78. protection | shield Local configuration not centralised: configuration files to

    be pushed to each member/node highly recommend to use Ansible or other automation solution simple yaml file roles.yaml

79. protection | shield Roles Apache servers : write in apache

    index Linux servers accessed through ssh : write in sshd index Kibana : read both indexes (and the one for itself) ElastAlert : read both indexes, write in elastalert_status

80. conclusion | wrap-up Elasticsearch is not a SIEM by itself

    log management : OK events correlation : not automated Need some external development and administration compared to COTS solutions Or choose the “buy way” instead of the “make-way”

81. conclusion | wrap-up Full open source solution might rather look

    like the following logs, context, pcap, … storage : HDFS some use-cases : Elasticsearch some others: Cassandra and others: Neo4J Add some machine learning and shake hard… ;)

82. conclusion | wrap-up Credits: raffy.ch

83. conclusion | wrap-up Important points before going into a SIEM/SOC

    project state your current security maturity level list your assets, associated risks, threat models, … think about your use-cases ex: work with results from pentests list external sources that should be accessible from the SIEM ex: threat intelligence feeds

84. conclusion | readings Raffy blog SIEM use-cases http://raffy.ch/blog/2015/05/07/security-monitoring-siem-use-cases/ Big data

    lake http://pixlcloud.com/security-big-data-lake/

85. conclusion | readings Florent blog serie on log management http://www.ikangae.net/category/log-management/

86. conclusion | questions ? Julien Bachmann @milkmix_