[2018bis Hack-it-n] CertStreamMonitor: use Certificate Transparency to improve your threats detection

CertStreamMonitor use Certificate Transparency to improve your threats detection Christophe
Brocas Thomas Damonneville Caisse Nationale d’Assurance Maladie – Security team hack-it-n 2018 bis Bordeaux, 12/11/2018

1) Risk / Answer 2) How Certificate Transparency works 3)
Benefits for threats monitoring 4) CertStreamMonitor : usage, results, limits → Agenda

#1 Risk & Answer

Attacker Certificate authority www.mydomain.com

Attaquant Attacker www.mydomain.com Attacker Certificate authority www.mydomain.com

Attacker Abused users www.mydomain.com Attaquant Attacker www.mydomain.com Attacker Certificate authority
www.mydomain.com

And « www.mydomain.com » owner?

Example

Public CA have to submit all certificates they signed to
publicly auditable and accessible, append-only, cryptographically signed logs. Certificate Transparency

Public CA have to submit all certificates they signed to
publicly auditable and accessible, append-only, cryptographically signed logs. Timeline : 2013 : Google (RFC 6962) then IETF (RFC 6962bis) → → 2015 : CT mandatory for EV certificates → 30/04/2018 : CT for all certificates → 24/07/2018 : interstitial blocking page Chrome 68 → 15/10/2018 : CT mandatory for Apple products Certificate Transparency

#2 How CT works

Site web CA Logs Monitors Browser Web site

1 Ask for a certificate Site web CA Logs Monitors
Browser Web site

2 Log pre-certificate 1 Ask for a certificate Site web
CA Browser Web site Logs Monitors

3 Receive SCT (*) (*) Signed Certificate Timestamp 2 Log
pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors

4 sends certificate+SCT (*) Signed Certificate Timestamp 3 Receive SCT
(*) (*) Signed Certificate Timestamp 2 Log pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors

5 (*) Signed Certificate Timestamp 5 4 sends certificate+SCT 3
Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

(*) Signed Certificate Timestamp 6 TLS answer with cert +
SCT 5 (*) Signed Certificate Timestamp 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

(*) Signed Certificate Timestamp TLS answer with cert + SCT
TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

Rechercher des certificats Collecte des certificats (*) Signed Certificate Timestamp
(*) Signed Certificate Timestamp TLS answer with cert + SCT TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

#3 … for Blue Teams

CT : benefits for Blue Teams FQDN (!= DNS)

FQDN (!= DNS) Internet wide logging + Opened to all
« database » FQDN (!= DNS) FQDN (!= DNS) CT : benefits for Blue Teams

#1 Find certificates for our domains hacked / malicious CA
→ → hacked DNS server (*) → legit web site but not using corporate security best practices (hosting, certificate, DNS etc) * : https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html CT : 2 useful (for us) usages

#2 Find certificates for « near » domains → phishing
campaigns → image damage CT : 2 useful (for us) usages

Current choice: → hosted service daily notification → managed by
our team → dealing with certificates (efficiency) Our domains monitoring

#4 code : CertStreamMonitor

Usage #2 : « near » domains monitoring CertStreamMonitor :
use CT to monitor threats in « real time » AssuranceMaladieSec

CertStreamMonitor.py . works on multi CT logs flow . keywords
detection with threshold . real time . runs in daemon mode CertStreamMonitor

Tailor your configuration file (conf/filename.conf) → Choose your keywords :
ex: apple|account|login → Set your threshold: ex: 2 (defaut value) CertStreamMonitor.py : how it works

ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) CertStreamMonitor.py : how it works

ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) hostnames with a number of keywords < threshold but >0 write to log file (ex : webmail. → apple-mail.com) CertStreamMonitor.py : how it works

→ run on demand (ex. : 1/day) → test all
hostnames not already logged as up if hostname is up: → * update DB * JSON report file (ip, AS, abuse email...) scanhost.py : how it works

JSON report file scanhost.py : how it works

DEMO TIME !

Stats : « near » domains monitoring

Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing
our customers (over priced phone number, personal data theft) Results

Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing
our customers (over priced phone number, personal data theft) → service inactivation Results

Example #2 : IT management social-ameli.fr . Legit website .
Best practices not applied : (domainname, hosting etc) Results

TLS, not HTTP – only detect hostnames accessed through TLS
RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? Limits

TLS, pas HTTP - détection uniquement des hostnames protégés par
TLS RegExp - si le hostname n’a pas de chaînes de caractères contenues dans vos mots clefs pas de détection. → Les certificats wildcards nous mettent aussi en échec. Confiance - le volume de données engendré oblige à passer par des intermédiaires (moniteurs). A qui peut-on faire confiance ? Limites de l'approche

low cost tools and services are there, just use them
efficiency notified before or soon after the the attacks comes online blind vision at Internet scale Benefits

Project: evolution (06/2018 ) →

Can choose your CT logs aggregator service end of the
dependency → to Calidog Security infra using open source code libre from … Calidog Security <3 Project: evolution (06/2018 ) →

Can use a HTTP proxy to connect to the websocket
of CT logs aggregator server Project: evolution (06/2018 ) →

Setting the threshold for keywords detection is now available in
config file Project: evolution (06/2018 ) →

Répertoire d’alertes pouvant être hashés date + hostname (PR X.
Mertens aka @xme) Project: evolution (06/2018 ) →

Thanks! Some questions? https://github.com/AssuranceMaladieSec [email protected] [email protected] @cbrocas | @o0tAd0o

Photos credits : Images under Creative Commons licence: danger :
https://www.flickr.com/photos/adulau/26003405317/ complexity : https://www.flickr.com/photos/70023venus2009/6032939635 gain : https://www.flickr.com/photos/143106192@N03/29307455407/

[2018bis Hack-it-n] CertStreamMonitor: use Certificate Transparency to improve your threats detection

[2018bis Hack-it-n] CertStreamMonitor: use Certificate Transparency to improve your threats detection

More Decks by Christophe Brocas

Other Decks in Technology

Featured

Transcript