[2018 SSTIC] Certificate Transparency when a new standard may improve your threats monitoring


English version of the slides of the talk given at SSTIC 2018.


Christophe Brocas

June 13, 2018

Transcript

  1. CERTIFICATE TRANSPARENCY, when a new standard can improve your threat monitoring. Christophe Brocas, Thomas Damonneville, Caisse Nationale d'Assurance Maladie, Security team
  2. AGENDA: 1) Risk / Answer 2) How Certificate Transparency works 3) Benefits for threat monitoring: tools, results, limits
  3. THE RISK

  4. THE RISK

  5. THE ANSWER. A Google initiative launched in 2013 (RFC 6962), then taken to the IETF. Public CAs have to submit all certificates they sign to publicly auditable, append-only, cryptographically signed logs. Benefit: capacity for all to see all publicly signed certificates. Timeline: EV certificates: 2015; all certificates: April 30, 2018; a full page warning in Chrome 68: July 24, 2018.
  6. Diagram actors: Web site, CA (certification authority), Logs, Monitors, Browser, Web site.
  7. Diagram, step 1: Certificate request (Web site → CA).
  8. Diagram, step 2: Pre-certificate logging (CA → Logs).
  9. Diagram, step 3: SCT (*) providing (Logs → CA). (*) Signed Certificate Timestamp
  10. Diagram, step 4: Providing of certificate + SCT (CA → Web site).
  11. Diagram, step 5: TLS request (Browser → Web site).
  12. Diagram, step 6: TLS answer with cert + SCT (Web site → Browser).
  13. Chrome 68 requires CT for all certificates signed after 30 April 2018. (Diagram, steps 1 to 6)
  14. Looking for certificates for our domain names (Monitors reading the Logs). Chrome 68 requires CT for all certificates signed after April 30, 2018. (Diagram, steps 1 to 6)
  15. Usage #1: our domain names monitoring. Present choice: → hosted service, → daily notification, → handled by the team buying our certificates (efficiency).
  16. Usage #2: "near" domains monitoring. CertStreamMonitor: "real time" threat detection platform through CT. AssuranceMaladieSec
  17. Usage #2: "near" domains monitoring. CertStreamMonitor.py: keyword detection with threshold; real time; operates on a consolidated CT flow (multiple logs); daemon mode.
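As an added example (not CertStreamMonitor.py nor any other code from the AssuranceMaladieSec project), the keyword-plus-threshold detection described above, run over a constructed feed of CT entries; the feed shape, host names and keyword weights are assumptions. Wildcard names are counted separately to make visible the limit noted later in the talk: a wildcard certificate hides the labels created under it.

```python
import re

# Constructed sample of a consolidated CT feed (one record per logged (pre)certificate
# with its SAN list); made up for this example, not real CertStream output.
SAMPLE_FEED = [
    {"log": "log-a", "domains": ["www.example-bank.test"]},
    {"log": "log-b", "domains": ["ameli-secure-login.test", "www.ameli-secure-login.test"]},
    {"log": "log-a", "domains": ["*.hosting-provider.test"]},
    {"log": "log-c", "domains": ["cpam-78-remboursement.test"]},
    {"log": "log-b", "domains": ["secure-login.test"]},
    {"log": "log-c", "domains": ["shop.unrelated.test"]},
]
# Assumed keyword weights: brand terms outweigh generic phishing vocabulary,
# so the threshold drops single weak hits such as "secure" alone.
KEYWORDS = {"ameli": 3, "cpam": 3, "assurance": 2, "maladie": 2,
            "remboursement": 2, "secure": 1, "login": 1}
THRESHOLD = 3

def score_hostname(hostname, keywords=KEYWORDS):
    """Return (score, matched keywords) for one hostname."""
    host = hostname.lower()
    hits = [kw for kw in keywords if re.search(re.escape(kw), host)]
    return sum(keywords[kw] for kw in hits), hits

def process_entry(entry, threshold=THRESHOLD):
    """Score every SAN of one CT entry; return an alert dict or None."""
    best_score, matched = 0, {}
    for name in entry["domains"]:
        if name.startswith("*."):
            # Wildcard: the log only shows the parent name, so a phishing
            # label created under it later never appears in CT.
            continue
        score, hits = score_hostname(name)
        if hits:
            matched[name] = hits
            best_score = max(best_score, score)
    if best_score >= threshold:
        return {"log": entry["log"], "score": best_score, "names": matched}
    return None

def monitor(feed, threshold=THRESHOLD):
    """Run the detector over a feed; return (alerts, wildcard blind-spot count)."""
    alerts, wildcards = [], 0
    for entry in feed:
        wildcards += sum(n.startswith("*.") for n in entry["domains"])
        alert = process_entry(entry, threshold)
        if alert:
            alerts.append(alert)
    return alerts, wildcards
```

Calling `monitor(SAMPLE_FEED)` reports the two look-alike names that cross the threshold and one wildcard that could not be inspected.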
  18. Usage #2: "near" domains monitoring. Future phishing campaigns detection (CertStreamMonitor.py)
  19. Usage #2: "near" domains monitoring. scanhost.py, if the site is online: → DB update, → JSON report generation (IP, AS, abuse e-mail ...)
  20. Usage #2: "near" domains monitoring. Data enrichment (scanhost.py)
  21. Usage #2: "near" domains monitoring. JSON report (scanhost.py)

  22. Results, example #1: abuse of our customers. A cpam-{78,75,13,...}.fr service trying to → abuse our customers (premium-rate telephone numbers, data theft)
  23. Results, example #1: abuse of our customers. A cpam-{78,75,13,...}.fr service trying to → abuse our customers (premium-rate telephone numbers, data theft) → service taken down
  24. Results, example #2: IT rules compliance. social-ameli.fr: legitimate service; internal recommendations not applied (domain name, hosting, etc.)
  25. Limits • TLS, not HTTP: we only detect hostnames for which a certificate has been signed. • RegExp: if the hostname does not contain our searched keywords, no detection. And → wildcards beat us too. • Trust: the amount of distributed data led us to use an online service (CertStream). May we trust it?
  26. Conclusion. Low cost: tools and services are there, you just have to use them. Efficiency: informed before the attack comes online. Blind → have a vision at Internet scale.
  27. Thanks! Some questions? https://github.com/AssuranceMaladieSec christophe.brocas@assurance-maladie.fr thomas.damonneville@assurance-maladie.fr @cbrocas | @o0tAd0o