[2018 SSTIC] Certificate Transparency when a new standard may improve your threats monitoring

Transcript

1. CERTIFICATE TRANSPARENCY when a new standard can improve your threat

   monitoring Christophe Brocas Thomas Damonneville Caisse Nationale d’Assurance Maladie – Security team

2. 1) Risk / Answer 2) How Certifcate Transparency works 3)

   Benefts for threat monitoring tools, results, limits → AGENDA

3. THE RISK

4. THE RISK

5. A Google initiative launched in 2013 (RFC 6962) then IETF

   Public CA have to submit all certifcates they signed to publicly auditable, append-only, cryptographically signed logs Beneft : capacity for all to see all public signed certifcates Timeline : EV → certifcates: 2015 all certifcates : → April 30, 2018 A full page warning in Chrome 68 : → July 24, 2018 THE ANSWER

6. Site web CA Logs Monitors Browser Web site

7. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

   web Certifcate request Site web CA Logs Monitors Browser Web site

8. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

   web 2 Certifcate request Pre-certifcate logging Site web CA Logs Monitors Browser Web site

9. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

   web 2 3 Certifcate request Pre-certifcate logging SCT (*) providing (*) Signed Certifcate Timestamp Site web CA Logs Monitors Browser Web site

10. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

    web 2 3 4 Certifcate request Pre-certifcate logging SCT (*) providing Providing of certifcate+SCT (*) Signed Certifcate Timestamp Site web CA Logs Monitors Browser Web site

11. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

    web 2 3 4 5 Certifcate request Pre-certifcate logging SCT (*) providing Providing of certifcate+SCT TLS request (*) Signed Certifcate Timestamp 5 Site web CA Logs Monitors Browser Web site

12. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site

    web 2 3 4 5 Certifcate request Pre-certifcate logging SCT (*) providing Providing of certifcate+SCT TLS request (*) Signed Certifcate Timestamp 5 6 TLS answer with cert + SCT Site web CA Logs Monitors Browser Web site

13. Chrome 68 requires CT for all certifcates signed after 30

    April 2018. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site web 2 3 4 5 Certifcate request Pre-certifcate logging SCT (*) providing Providing of certifcate+SCT TLS request (*) Signed Certifcate Timestamp 5 6 TLS answer with cert + SCT Site web CA Logs Monitors Browser Web site

14. Looking for certifcates for our domain names Chrome 68 requires

    CT for all certifcates signed after April 30, 2018. Site web Autorité de certifcation Journaux Moniteurs Navigateur 1 Site web 2 3 4 5 Certifcate request Pre-certifcate logging SCT (*) providing Providing of certifcate+SCT TLS request (*) Signed Certifcate Timestamp 5 6 TLS answer with cert + SCT Site web CA Logs Monitors Browser Web site

15. Present choice : → hosted service daily notifcation → handled

    by team buying → our certifcates (efciency) Usage #1 : our domain names monitoring

16. Usage #2 : «near» domains monitoring CertStreamMonitor : « real

    time » threats detection platform through CT AssuranceMaladieSec

17. CertStreamMonitor.py . keywords detection with threashold . real time .

    operates on consolidated CT fow (multi logs) . daemon mode Usage #2 : «near» domains monitoring

18. Future phishing campaigns detection (CertStreamMonitor.py) Usage #2 : «near» domains

    monitoring

19. scanhost.py if the site is online : → DB update

    → JSON report generation (ip, AS, email abuse ...) Usage #2 : «near» domains monitoring

20. Data enrichment (scanhost.py) Usage #2 : «near» domains monitoring

21. JSON report (scanhost.py) Usage #2 : «near» domains monitoring

22. Results Example #1 : our customers abuse cpam-{78,75,13,...}.fr service trying

    to → abuse our customers (surcharged telephone numbers, data theft)

23. Results Example #1 : our customers abuse cpam-{78,75,13,...}.fr service trying

    to → abuse our customers (surcharged telephone numbers, data theft) → service taked down

24. Results Example #2 : IT rules compliance social-ameli.fr . Legitimate

    service . Internal recommandations not applied : (domain name, hosting etc)

25. Limits • TLS, not HTTP - we only detect hostnames

    for whom a certifcate has been signed • RegExp – if the hostname does not have our searched keywords no detection. And → wildcards beat us too. • Trust – the amount of distributed data led us to use an online service (CertStream). May we trust it ?

26. low cost Tools and services are there, just have to

    use them. efciency informed before the attack comes online blind have a vision at Internet scale Conclusion

27. Thanks! Some questions? https://github.com/AssuranceMaladieSec [email protected] [email protected] @cbrocas | @o0tAd0o