
[2018bis Hack-it-n] CertStreamMonitor: use Certificate Transparency to improve your threats detection


Talk written by Thomas Damonneville and me, and given by me during the 2018bis edition of the Hack-it-n conference.

Christophe Brocas

December 11, 2018

Transcript

  1. CertStreamMonitor
    use Certificate Transparency to improve your threat detection
    Christophe Brocas
    Thomas Damonneville
    Caisse Nationale d’Assurance Maladie – Security team
    hack-it-n 2018 bis
    Bordeaux, 12/11/2018

  2. Agenda
    1) Risk / Answer
    2) How Certificate Transparency works
    3) Benefits for threat monitoring
    4) CertStreamMonitor: usage, results, limits

  3. #1 Risk & Answer

  4. (diagram) An attacker asks a certificate authority for a certificate for www.mydomain.com.

  5. (diagram) The attacker puts a site named www.mydomain.com online with that certificate.

  6. (diagram) Abused users connect to the attacker's www.mydomain.com.

  7. And the « www.mydomain.com » owner?

  10. Example

  12. Certificate Transparency
    Public CAs have to submit all certificates they sign to
    publicly auditable and accessible, append-only,
    cryptographically signed logs.
    Timeline:
    2013: Google (RFC 6962), then IETF (RFC 6962bis)
    → 2015: CT mandatory for EV certificates
    → 30/04/2018: CT for all certificates
    → 24/07/2018: interstitial blocking page in Chrome 68
    → 15/10/2018: CT mandatory for Apple products

  14. #2 How CT works

  15. (diagram) Actors: Web site, CA, Logs, Monitors, Browser
    1  The web site asks the CA for a certificate
    2  The CA logs the pre-certificate with the CT logs
    3  The CA receives an SCT (*) from each log
    4  The CA sends the certificate + SCT to the web site
    5  The browser sends a TLS request to the web site
    6  The web site answers with cert + SCT
    Monitors collect the certificates from the logs and search through them
    (*) Signed Certificate Timestamp
    Chrome 68 requires CT for all certificates signed after 30 April 2018.
    Safari does it since October 2018.

  24. #3 … for Blue Teams

  25. CT: benefits for Blue Teams
    FQDN (!= DNS)
    Internet-wide logging
    +
    a « database » open to all

  27. CT: 2 usages useful for us
    #1 Find certificates for our domains
    → hacked / malicious CA
    → hacked DNS server (*)
    → legit web site but not using corporate security best
    practices (hosting, certificate, DNS etc.)
    (*) https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

  28. CT: 2 usages useful for us
    #2 Find certificates for « near » domains
    → phishing campaigns
    → image damage

  29. Our domains monitoring
    Current choice:
    → hosted service
    daily notification
    managed by our team
    dealing with certificates (efficiency)

  30. #4 code: CertStreamMonitor

  31. CertStreamMonitor: use CT to monitor threats in « real time »
    Usage #2: « near » domains monitoring
    AssuranceMaladieSec

  32. CertStreamMonitor
    CertStreamMonitor.py
    . works on a multi CT logs flow
    . keyword detection with threshold
    . real time
    . runs in daemon mode

  35. CertStreamMonitor.py: how it works
    Tailor your configuration file (conf/filename.conf)
    → Choose your keywords, ex: apple|account|login
    → Set your threshold, ex: 2 (default value)
    hostnames with a number of keywords ≥ threshold
    → insert in DB (ex: login.apple-connect.com)
    hostnames with a number of keywords < threshold but > 0
    → write to log file (ex: webmail.apple-mail.com)
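The keyword/threshold rule described on this slide, as an added example that is not CertStreamMonitor's own code: it scores hostnames from a few constructed CertStream-style messages (the `message_type` / `data.leaf_cert.all_domains` layout is assumed from the CertStream feed format, and the config values mirror the slide's example), inserts hostnames that reach the threshold into an in-memory SQLite table and collects the sub-threshold ones for the log file. Wildcard SANs have their `*.` prefix stripped and are flagged, since the actual phishing hostname hides behind them.

```python
"""Keyword/threshold detection over CertStream-style messages (added example, not
CertStreamMonitor's code; the messages below are constructed samples)."""
import json
import re
import sqlite3
from typing import List, Tuple

# Assumed config values, mirroring the deck: keywords separated by '|', threshold 2
KEYWORDS = "apple|account|login"
THRESHOLD = 2


def compile_keywords(keywords: str) -> List[re.Pattern]:
    # each keyword is matched literally and case-insensitively
    return [re.compile(re.escape(k), re.IGNORECASE) for k in keywords.split("|") if k]


def keyword_score(hostname: str, patterns: List[re.Pattern]) -> int:
    # number of distinct keywords present (a keyword repeated twice still counts once)
    return sum(1 for p in patterns if p.search(hostname))


def classify(score: int, threshold: int) -> str:
    if score >= threshold:
        return "db"      # strong match: store it for scanhost.py
    if score > 0:
        return "log"     # weak match: keep a trace in the log file only
    return "ignore"


def hostnames_from_message(msg: dict) -> List[str]:
    # only 'certificate_update' messages carry a certificate; heartbeats have no SAN list
    if msg.get("message_type") != "certificate_update":
        return []
    return msg["data"]["leaf_cert"]["all_domains"]


def process(raw_messages: List[str], keywords: str = KEYWORDS,
            threshold: int = THRESHOLD) -> Tuple[List[tuple], List[str]]:
    patterns = compile_keywords(keywords)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE suspicious (hostname TEXT PRIMARY KEY, score INTEGER, wildcard INTEGER)")
    logged: List[str] = []
    for raw in raw_messages:
        for host in hostnames_from_message(json.loads(raw)):
            wildcard = host.startswith("*.")
            name = (host[2:] if wildcard else host).lower()
            score = keyword_score(name, patterns)
            verdict = classify(score, threshold)
            if verdict == "db":
                db.execute("INSERT OR IGNORE INTO suspicious VALUES (?, ?, ?)",
                           (name, score, int(wildcard)))
            elif verdict == "log":
                logged.append(name)
    rows = db.execute("SELECT hostname, score, wildcard FROM suspicious ORDER BY hostname").fetchall()
    db.close()
    return rows, logged


# constructed sample feed: not real CT log entries
SAMPLE_MESSAGES = [
    json.dumps({"message_type": "heartbeat"}),
    json.dumps({"message_type": "certificate_update",
                "data": {"leaf_cert": {"all_domains": ["login.apple-connect.com",
                                                       "www.login.apple-connect.com"]}}}),
    json.dumps({"message_type": "certificate_update",
                "data": {"leaf_cert": {"all_domains": ["webmail.apple-mail.com"]}}}),
    json.dumps({"message_type": "certificate_update",
                "data": {"leaf_cert": {"all_domains": ["*.account-apple.net"]}}}),
    json.dumps({"message_type": "certificate_update",
                "data": {"leaf_cert": {"all_domains": ["example.org"]}}}),
]

if __name__ == "__main__":
    rows, logged = process(SAMPLE_MESSAGES)
    for hostname, score, wildcard in rows:
        print("DB :", hostname, score, "(wildcard)" if wildcard else "")
    for hostname in logged:
        print("LOG:", hostname)
```

The scoring is deliberately literal-substring, which is exactly the RegExp limit the deck lists later: a hostname that spells the brand with a homoglyph or a typo scores zero and is never seen, and a wildcard entry only tells you the parent domain, never which label the attacker will use under it.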

  36. scanhost.py: how it works
    → run on demand (ex.: 1/day)
    → test all hostnames not already logged as up
    if hostname is up:
    * update DB
    * JSON report file (ip, AS, abuse email...)

  37. scanhost.py: how it works
    JSON report file

  38. DEMO TIME !

  44. Stats: « near » domains monitoring

  46. Results
    Example #1: customers abuse
    cpam-{78,75,13,...}.fr
    service potentially abusing our customers
    (over-priced phone number, personal data theft)
    → service inactivation

  47. Results
    Example #2: IT management
    social-ameli.fr
    . Legit website
    . Best practices not applied (domain name, hosting etc.)

  48. Limits
    TLS, not HTTP – only detects hostnames accessed through TLS
    RegExp – relying on regexps to find hostnames can miss some of them:
    if the hostname contains none of your keyword strings, there is no detection.
    Wildcard certificates also beat us.
    Trust – the data volume forces us to go through intermediaries (monitors);
    we use a third-party service to get CT certificates (Calidog Security in our case).
    Can we trust it?

  51. Benefits
    low cost: tools and services are there, just use them
    efficiency: notified before or soon after the attack comes online
    blind: vision at Internet scale

  52. Project: evolution (06/2018)

  53. Project: evolution (06/2018)
    Can choose your CT logs aggregator service:
    end of the dependency on Calidog Security infra,
    using the open source (libre) code from … Calidog Security <3

  54. Project: evolution (06/2018)
    Can use an HTTP proxy to connect to the websocket
    of the CT logs aggregator server

  55. Project: evolution (06/2018)
    Setting the threshold for keyword detection is now
    available in the config file

  56. Project: evolution (06/2018)
    Alerts directory: entries can be hashed (date + hostname)
    (PR by X. Mertens aka @xme)

  57. Thanks! Some questions?
    https://github.com/AssuranceMaladieSec
    [email protected]
    [email protected]
    @cbrocas | @o0tAd0o

  58. Photo credits:
    Images under Creative Commons licence:
    danger: https://www.flickr.com/photos/adulau/26003405317/
    complexity: https://www.flickr.com/photos/70023venus2009/6032939635
    gain: https://www.flickr.com/photos/143106192@N03/29307455407/