
Post on 26-Dec-2015

217 views

Category:

Documents


3 download

TRANSCRIPT

Copyright Justin C. Klein Keane <[email protected]> @madirish2600

HECTOR Security Intelligence Platform

Developed for:

University of Pennsylvania School of Arts & Science


What is Security Intelligence

- Business intelligence principles applied to security data
- Security intelligence supports strategic infosec decision making based on metrics
- Target resource allocation to quantified threats
- Security data abounds, but making useful decisions based on that data is tough
- HECTOR is a repository for security data that allows for analysis
- HECTOR brings together disparate data sources to find trends and relationships


Sample Sources of Data

- Host based intrusion detection alerts
- Darknet data (network traffic)
- Port scans
- Honeypots (attempted logins, attack toolkits, etc.)
- Vulnerability scans
- Public vulnerability alerts and disclosures
- System event logs
- Incident response reports
- Etc.


Open Source

HECTOR is based entirely on open source technologies

- Runs best on a LAMP stack
- Uses structured data (MySQL)
- Uses PHP, Perl, Python, iptables, Kojoney, OSSEC, NMAP, and more...

More info and download at: https://sites.sas.upenn.edu/kleinkeane/software/hector


Issues with Security Intelligence

- Problems of big data will crop up quickly
- Scale complicates development, deployment and debugging
- Much of the effort of SI will be spent on middleware
- Interesting data only emerges when all data is aggregated
- Getting access to other folks' data will be challenging
- Deliberate initial planning pays off – altering a table of 80 million rows is painful!


Principles Guiding Development

- SAS has no access to network data for NIDS
- Over 15,000 internet addressable IPs
- Asset management was a huge challenge
- Vulnerability disclosure mitigation was ad-hoc
- Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems
- Needed a way to query data across sources and guide intelligent security decision making


How It Works (Basics)

- MySQL database aggregates data sources
- Web front end for querying and reporting
- Access control via CoSign (or fallback)
- Hosts are assigned to support groups; support groups are assigned a contact e-mail address
- Nightly NMAP scans update host profiles
- Vulnerability scan data added to the database
- HECTOR is extensible – add your own scans


Currently Supported Data Sources

- OSSEC host based intrusion detection logs
- Kojoney based SSH honeypots
- Iptables based darknet sensors
- NMAP port scans
- Vulnerability scans (Nikto, Nessus, etc.)
- Security news outlets (RSS feeds, vulnerability announcements, etc.)


Use Case #1

THREAT IDENTIFIED

Vulnerability disclosed in a well-known service

EVIDENCE OF INTENT

Look for spikes in scanning for that service on darknet sensors

REMEDIATION PLANNING

Quickly identify all machines in the environment running that service

REMEDIATION LOGISTICS

Build a contact list and alert admins to patch. Track admins that legitimately don't patch

TRACK EFFECTIVENESS

Implement targeted vulnerability scanning to track remediation


Use Case #2 – IR & Detection

- Attacker observed (malicious IP identified)
- Query all data sources for other evidence of activity from that IP: darknet probes, honeypot data, IDS logs, etc.
- Look for attack profile from data sources
- Alert admins of machines that fit the particular profile
- Identify vulnerable machines
- Potentially uncover compromises
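Added example, not HECTOR's own code or schema: a small Python/sqlite3 model of the cross-source database described under How It Works, with the queries behind use case #1 (probe trend per port, hosts running the service joined to their support-group contact) and use case #2 (every record from every source for one attacker IP). Table and column names, the hosts, support groups, contact addresses and probe records are all constructed for illustration.

```python
import sqlite3

# Hypothetical simplified schema in the spirit of the slides (not HECTOR's real tables):
# hosts belong to support groups with a contact; scans and sensors feed event tables.
SCHEMA = """
CREATE TABLE support_group(id INTEGER PRIMARY KEY, name TEXT, contact_email TEXT);
CREATE TABLE host(id INTEGER PRIMARY KEY, ip TEXT, support_group_id INTEGER);
CREATE TABLE nmap_port(host_id INTEGER, port INTEGER, service TEXT);
CREATE TABLE darknet_probe(src_ip TEXT, dst_port INTEGER, seen_on TEXT);
CREATE TABLE honeypot_login(src_ip TEXT, username TEXT, seen_on TEXT);
CREATE TABLE ossec_alert(host_id INTEGER, src_ip TEXT, rule TEXT, seen_on TEXT);
"""

def open_db():
    """Build an in-memory database loaded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO support_group VALUES (?,?,?)",
                   [(1, "physics", "[email protected]"), (2, "chem", "[email protected]")])
    db.executemany("INSERT INTO host VALUES (?,?,?)",
                   [(1, "10.0.0.5", 1), (2, "10.0.0.6", 2), (3, "10.0.0.7", 1)])
    db.executemany("INSERT INTO nmap_port VALUES (?,?,?)",
                   [(1, 22, "ssh"), (2, 80, "http"), (3, 22, "ssh"), (3, 443, "https")])
    # Constructed darknet log: background noise on 12-01/12-02, then a spike on 12-03.
    probes = [("198.51.100.4", 22, "2015-12-01"), ("198.51.100.8", 22, "2015-12-02"),
              ("198.51.100.4", 80, "2015-12-02"), ("198.51.100.8", 22, "2015-12-03")]
    db.executemany("INSERT INTO darknet_probe VALUES (?,?,?)",
                   probes + [("203.0.113.9", 22, "2015-12-03")] * 5)
    db.execute("INSERT INTO honeypot_login VALUES ('203.0.113.9', 'root', '2015-12-03')")
    db.execute("INSERT INTO ossec_alert VALUES (1, '203.0.113.9', 'sshd brute force', '2015-12-04')")
    return db

def probe_trend(db, port):
    """Use case 1, evidence of intent: darknet probes per day against one port."""
    return db.execute("SELECT seen_on, COUNT(*) FROM darknet_probe WHERE dst_port = ? "
                      "GROUP BY seen_on ORDER BY seen_on", (port,)).fetchall()

def patch_contact_list(db, service):
    """Use case 1, remediation logistics: hosts exposing the service, with admin contact."""
    return db.execute("SELECT h.ip, g.contact_email FROM host h JOIN nmap_port p ON p.host_id = h.id "
                      "JOIN support_group g ON g.id = h.support_group_id "
                      "WHERE p.service = ? ORDER BY h.ip", (service,)).fetchall()

def evidence_for_ip(db, ip):
    """Use case 2: every record from every source tied to one attacker IP, oldest first."""
    return db.execute("SELECT 'darknet' AS source, seen_on, 'port ' || dst_port AS detail "
                      "FROM darknet_probe WHERE src_ip = ? UNION ALL SELECT 'honeypot', seen_on, "
                      "'login as ' || username FROM honeypot_login WHERE src_ip = ? UNION ALL "
                      "SELECT 'ossec', seen_on, rule FROM ossec_alert WHERE src_ip = ? "
                      "ORDER BY seen_on, source", (ip, ip, ip)).fetchall()
```

On the sample data, the daily count for port 22 jumps from 1 to 6 on 2015-12-03, the ssh contact list resolves both physics hosts to one admin address, and the attacker IP shows up in all three sensor tables.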


Summary Screen


Intrusion Detection Summary


Alerts Summary


Host Summary


Search for Malicious IP


Sample Report


Scan Schedule


Asset Management


System Configuration


Thank You

[email protected] @madirish2600

http://www.MadIrish.net


Links to Resources

- HECTOR download - https://sites.sas.upenn.edu/kleinkeane/software/hector
- NMAP - http://nmap.org/
- OSSEC - http://www.ossec.net/
- Kojoney - http://kojoney.sourceforge.net/
- Kippo - https://code.google.com/p/kippo/
- Rsyslog - http://www.rsyslog.com/
- Much of my inspiration from Ed Bellis – https://www.risk.io/