Home-Grown Cyber Security
John B. Folkerts, CISSP
https://www.linkedin.com/in/john-b-folkerts
About Me …
20 years doing Information Security, Architecture, and Risk Management in large enterprise environments
Prior to that, a Communications Officer in the US Air Force
Involved in many incident response efforts and technology deployments, including Identity Management, Data Loss Protection, Antivirus, Malware Sandbox technology, Log Management, and Intrusion Detection
Classical music fan, developing jazz aficionado
Disclaimers
My comments reflect my own opinions, and not those of my employers, past, present, or future.
The tools and services mentioned in this presentation are freely available on the internet. They may not be suitable for your specific environment. Think carefully about your support requirements before using free or open source software or services.
Despite being free, most of the tools mentioned have software licensing that governs their use, distribution, etc. Please read the licenses and check with an attorney as needed to determine whether they are suitable for your environment.
Traditional Approach to Security
(Controls-based: Patching, Antivirus, Firewalls, Complex Passwords … )
The Strengths
Protective – stop what we know is bad
The Weaknesses
Zero Day Exploits
Constantly changing malware signatures
Encryption, Tunneling through and around firewall rules
Passwords attacked at the weakest point – the user
… or worse, the password hash database
Enter the Cyber Security Framework …
Cyber Security Framework
Many/most of the traditional Info Security capabilities are included
Threat-centric model which “connects the dots” between security capabilities
Greater focus on detection and actionable response
[Diagram: basic home network – Internet, Firewall, Wireless Router, Workstation, Laptops, Printer]
Basis for Home-grown Cyber Security
Not Optimal for Finding the Source of the Problem
What’s Going On in My Network?
“If you really want to protect your network, you have to know your network” – Rob Joyce, Chief, Tailored Access Operations, National Security Agency
Check out: https://www.youtube.com/watch?v=bDJb8WOJYdA
Monitoring and detection inside your network is just as important as your network boundary.
Modifications for Monitoring
Parts List:
Extra PC with (2) NIC cards and 16Gb RAM
Re-use Wireless Router
Inexpensive 8-port switch with span port capability
WiFi Access Point
[Diagram: modified home network – Internet, Firewall, Switch w/ Span Port, WiFi Access Point, Wireless Router, Workstation, Laptops, Printer; the Network Monitor is attached to the switch’s span port]
“To Know Thyself …”
What’s on my Network?
Systems: DHCP assignments, IP addresses, MAC addresses
“Things” – Xbox, Ecobee, Raspberry Pi
What’s running on my Network?
User Agents: Common (Chrome, IE) and uncommon (powershell, …)
Executables: capture and hash
OBSERVED assets, executables, etc. are usually good enough!
“… is the Beginning of Intelligence” (apologies to Socrates)
Threat Intelligence Types
IP, Domain BlackLists
MD5, SHA256 Hashes
Tactics, tools, shared analysis
Sources
intel.criticalstack.com
otx.alienvault.com
threatconnect.com
us-cert.gov
abuse.ch
Many more at https://github.com/hslatman/awesome-threat-intelligence
Ref: Threat Intel Pyramid of Pain courtesy of David Bianco
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Basic Protections
On The Network:
Firewall – enable IP blocking
DNS “Firewall” – enable Domain blocking
BIND9: http://www.zytrax.com/books/dns/ch7/rpz.html
DNSMASQ: https://wiki.archlinux.org/index.php/dnsmasq
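Added example (not from the slides) tying the threat-intel domain blacklists to the DNS “firewall” above: it turns a messy domain feed into a BIND9 RPZ zone and the equivalent dnsmasq lines. The zone name, SOA values, the NXDOMAIN action (CNAME .) and the 0.0.0.0 sinkhole for dnsmasq are assumptions, and the sample feed is constructed.

```python
"""Build DNS "firewall" config from a threat-intel domain blocklist.

Added example, not from the slides. Emits a BIND9 RPZ zone body and the
equivalent dnsmasq lines. The zone name, SOA values, the NXDOMAIN policy
(CNAME .) and the 0.0.0.0 sinkhole address for dnsmasq are assumptions.
"""
import re
# One hostname label: letters, digits, hyphens, 1-63 chars; a name needs two or more labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")

def normalize(entry):
    """Lowercase, strip a leading '*.' and a trailing '.', reject anything that is not a hostname."""
    d = entry.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return d if len(d) <= 253 and _DOMAIN_RE.match(d) else None

def minimal_blocklist(entries):
    """Drop entries already covered by a blocked parent domain: both the RPZ
    wildcard record and dnsmasq's address= already match every subdomain."""
    domains = {d for d in (normalize(e) for e in entries) if d}
    keep = set()
    for d in sorted(domains, key=lambda x: x.count(".")):  # parents before children
        parents = {d.split(".", i)[-1] for i in range(1, d.count("."))}
        if not parents & keep:
            keep.add(d)
    return sorted(keep)

def rpz_zone(domains, zone="rpz.local", serial=1):
    """BIND9 response-policy zone text. 'CNAME .' is the RPZ NXDOMAIN action;
    the '*.' record extends it to every name below the domain."""
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
             "@ NS localhost."]
    for d in domains:
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return "\n".join(lines) + "\n"

def dnsmasq_conf(domains, sink="0.0.0.0"):
    """dnsmasq equivalent: address=/domain/IP answers for the domain and all subdomains."""
    return [f"address=/{d}/{sink}" for d in domains]

# Constructed, deliberately messy feed (example.* names, not real indicators).
SAMPLE_FEED = ["Evil.Example.NET.", "*.bad.example.org", "sub.evil.example.net",
               "not a domain", "bad.example.org", "phish.example.com "]

if __name__ == "__main__":
    blocked = minimal_blocklist(SAMPLE_FEED)
    print(rpz_zone(blocked) + "\n".join(dnsmasq_conf(blocked)))
```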
On The Host:
Current Patches
Current Antivirus
Backup and Recovery
Need Visibility!!
On The Network:
Security Onion – https://securityonion.net/
Bro - https://www.bro.org/
Snort – https://www.snort.org/
Sguil – https://www.sguil.net/
Wireshark – https://www.wireshark.org/
NetworkMiner – http://www.netresec.com/?page=NetworkMiner
ELSA – Enterprise Log Search & Archive - https://github.com/mcholste/elsa
On The Host:
OSSEC – https://ossec.github.io/
Sysmon - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Detection Principles
Keep History
Continuous Monitoring of IOCs
Look for Anomalies
Match up Host Monitoring and Network Monitoring
Host Monitoring
Sysmon 6.10
Brought to you by Microsoft Sysinternals – Windows system monitoring
Install: sysmon.exe -accepteula -i sysmon-config.xml
Update: sysmon.exe -c sysmon-config.xml
Remove: sysmon.exe -u
Features: Windows event log entries for process creation, file hashes, network connections, remote threads, registry modifications, alternate data streams
OSSEC HIDS
Monitoring and Alerting of Unix and Windows systems
Use OSSEC to forward Sysmon logs to a safe place (like SecurityOnion/ELSA)
Resources
Swiftonsecurity Config - https://github.com/SwiftOnSecurity/sysmon-config
ION Storm Threat Intel Config - https://github.com/ion-storm/sysmon-config
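Added example (not from the slides, Sysmon or OSSEC) for the “match up host and network monitoring” principle: it parses a Sysmon process-creation event (the data OSSEC would forward) and checks the file hashes against a threat-intel hash set. The event record and the IOC hashes are constructed placeholders.

```python
"""Parse a Sysmon process-creation event and check its hashes against threat intel.

Added example, not from the slides, Sysmon or OSSEC. Reads the XML of a Sysmon
Event ID 1 record (the kind OSSEC forwards) and matches the reported file
hashes against a hash blocklist. The event and the IOC hashes are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Event ID 1 record; the hash values are placeholders, not real indicators.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>HOME-PC</Computer></System>
  <EventData>
    <Data Name="UtcTime">2017-11-04 13:02:11.317</Data>
    <Data Name="Image">C:\\Users\\jane\\AppData\\Local\\Temp\\setup_update.exe</Data>
    <Data Name="CommandLine">"C:\\Users\\jane\\AppData\\Local\\Temp\\setup_update.exe" /silent</Data>
    <Data Name="Hashes">SHA1=%s,MD5=%s,SHA256=%s</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>""" % ("a" * 40, "b" * 32, "c" * 64)

def parse_sysmon_event(xml_text):
    """Flatten the record: EventID, Computer and every EventData field by Name;
    the Hashes field becomes a dict keyed by algorithm."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", namespaces=NS):
        ev[data.get("Name")] = data.text or ""
    ev["Hashes"] = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    return ev

def match_hash_iocs(event, ioc_hashes):
    """Algorithms whose value appears in the IOC set (case-insensitive; feeds mix case)."""
    iocs = {h.lower() for h in ioc_hashes}
    return sorted(alg for alg, val in event["Hashes"].items() if val.lower() in iocs)

def from_user_writable_path(image):
    """Binaries launched from Temp or Downloads are worth a 'does it belong?' look."""
    p = image.lower()
    return "\\appdata\\local\\temp\\" in p or "\\downloads\\" in p

# Constructed hash blocklist (placeholders).
IOC_HASHES = {"C" * 64, "0" * 32}

if __name__ == "__main__":
    ev = parse_sysmon_event(SAMPLE_EVENT)
    print(ev["Computer"], ev["Image"], match_hash_iocs(ev, IOC_HASHES), from_user_writable_path(ev["Image"]))
```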
Game Show Time!
“Does it Belong?”
(on my network)
Does it Belong? – Long DNS request
DNS query
Request:
tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug.scjsaaaata
aiaaa3n4zozkkr23mbxemjxewjevkw5s5zrcfqsbc5njwaqwstwnx.7tyud5d4yh3zsqcdiz6icp
mlqyzfpubuw5ervi3so4q4mdhhxf64ctgre4zxyaa.aaaaaaaaaaa4x3qkm2ettg7a.a.j.e5.sk
Response:
TXT 176
ANX8KgACABQAAAAAAAAA0gQAAAAAAAAAAAAAAAAAAAIAAABXAAAAJaPE4QAAEAAAAA
AAAAAAAAAAAACnSdJrgTMO0oGe+2yVIa5YnbWRYq4kTMA6646ejwBHvY4yVgmIg2DMJKMfn
AS1GH5nFGbv3/MjUUxO5U0QDFEPbeZdlQoKAA==
Snort Alert:
MALWARE-OTHER dns request with long host name segment – possible data exfiltration attempt
Data Enrichment with domaintools.com
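Added example (not from the slides or from Snort) of the reasoning behind the “long host name segment” alert: it scores query names on label length, per-label character entropy and total length, using the slide’s query (joined back into one name from its wrapped lines) alongside constructed benign names. The thresholds are assumptions chosen for illustration, not Snort’s.

```python
"""Score DNS query names for exfiltration-style encoding.

Added example, not from the slides or from Snort. It approximates the idea
behind the "dns request with long host name segment" alert: labels near the
63-character limit, high entropy inside a label, and a very long overall
name. The thresholds are assumptions, not Snort's values.
"""
import math
from collections import Counter

LONG_LABEL = 50        # assumed: real hostnames rarely approach the 63-char label limit
ENTROPY_MIN_LEN = 30   # assumed: judge entropy only on labels long enough to be meaningful
HIGH_ENTROPY = 3.0     # assumed: bits/char; base32-style encodings land well above this
LONG_NAME = 150        # assumed: total name length (the protocol limit is 253)

def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def analyze_query(name):
    """Return the measurements plus the reasons (if any) the name looks encoded."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    longest = max(len(l) for l in labels)
    entropies = [shannon_entropy(l) for l in labels if len(l) >= ENTROPY_MIN_LEN]
    max_entropy = max(entropies, default=0.0)
    reasons = []
    if longest >= LONG_LABEL:
        reasons.append(f"label of {longest} chars")
    if max_entropy > HIGH_ENTROPY:
        reasons.append(f"label entropy {max_entropy:.2f} bits/char")
    if len(name) >= LONG_NAME:
        reasons.append(f"name length {len(name)}")
    return {"name": name, "labels": len(labels), "longest_label": longest,
            "max_entropy": round(max_entropy, 2), "reasons": reasons,
            "suspicious": bool(reasons)}

# The slide's query name, reconstructed by joining the lines it was wrapped onto.
SLIDE_QUERY = ("tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug."
               "scjsaaaataaiaaa3n4zozkkr23mbxemjxewjevkw5s5zrcfqsbc5njwaqwstwnx."
               "7tyud5d4yh3zsqcdiz6icpmlqyzfpubuw5ervi3so4q4mdhhxf64ctgre4zxyaa."
               "aaaaaaaaaaa4x3qkm2ettg7a.a.j.e5.sk")

# Constructed benign names for comparison (a web site, an IoT vendor, a CDN-style host).
BENIGN_QUERIES = ["www.google.com", "api.ecobee.com", "d1abc2def3ghij.cloudfront.net"]

if __name__ == "__main__":
    for q in [SLIDE_QUERY] + BENIGN_QUERIES:
        r = analyze_query(q)
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["longest_label"], r["max_entropy"], r["reasons"])
```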
Does it Belong? – TOR Exit Node
Snort Alert:
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 87
Research using Wireshark
Does it Belong? – Malware IOC
Data Enrichment with Threat Research Tools
Game: “Does it Belong?”
RESPOND
Getting started with Response
First choice: Antivirus – a time saver
Continue to leverage threat intelligence
Analysis tools
Sysinternals tools* – sysmon, procmon, Process Explorer, autoruns, sigcheck, VMMap, ListDLLs – https://www.sysinternals.com/
VirusTotal (use with care) – https://www.virustotal.com/
Malware Sandboxing
Cuckoo Sandbox – https://www.cuckoosandbox.org/
Malwr – https://malwr.com/
Response Planning / Playbook
Develop Playbook for response consistency
Decisions – Eliminate the threat, or allow the threat to remain temporarily
Response Automation
* See also Troubleshooting with the Windows Sysinternals Tools by M. Russinovich & A. Margosis
Recover: left as an “exercise for the reader”
A lot easier if Identify–Protect–Detect–Respond are in place
Summary
Identify
Assets, Executables
Start with Threat Intelligence
Protect
Standard controls (patching, AV, Firewalls)
Add DNS Blocking
Backup your Data
Detect
Monitor your Networks and Hosts
Use Threat Intel for Research / Validation
Ask Yourself: “Does it Belong?”
Respond and Recover