Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[THC19] Certificate Transparency & threats detection, 24 months later

[THC19] Certificate Transparency & threats detection, 24 months later

Talk written by /me & Thomas Damonneville. Given by /me at Toulouse Hacking Convention (@ToulouseHacking), March, 8 2019. It is the last iteration of our talk (with @o0tAd0o ) about Certificate Transparency & Threats detection. It gives a specific focus on the 24 months journey of CT, coming from an niche technology to become a global TLS users protection and a blueteam tool.

Christophe Brocas

March 08, 2019
Tweet

More Decks by Christophe Brocas

Other Decks in Technology

Transcript

  1. Certificate Transparency & threats detection 24 months later Christophe Brocas

    Thomas Damonneville Caisse Nationale d’Assurance Maladie – Security Department Toulouse Hacking Convention Toulouse | 08/03/2019
  2. 1) Certificate Transparency - Risk / Answer - How Certificate

    Transparency works 2) Benefits for threats monitoring - Usages for blue teams - CertStreamMonitor 3) CT & threats monitoring: a 24 months story Agenda
  3. Public CA have to submit all certificates they signed to

    publicly auditable and accessible, append-only, cryptographically signed logs. Certificate Transparency
  4. Public CA have to submit all certificates they signed to

    publicly auditable and accessible, append-only, cryptographically signed logs. Timeline : 2013 : Google (RFC 6962) then IETF (RFC 6962bis) → → 2015 : CT mandatory for EV certificates → 30/04/2018 : CT for all certificates → 24/07/2018 : interstitial blocking page Chrome 68 → 15/10/2018 : CT mandatory for Apple products Certificate Transparency
  5. 2 Log pre-certificate 1 Ask for a certificate Site web

    CA Browser Web site Logs Monitors
  6. 3 Receive SCT (*) (*) Signed Certificate Timestamp 2 Log

    pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors
  7. 4 sends certificate+SCT (*) Signed Certificate Timestamp 3 Receive SCT

    (*) (*) Signed Certificate Timestamp 2 Log pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors
  8. 5 (*) Signed Certificate Timestamp 5 4 sends certificate+SCT 3

    Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request
  9. (*) Signed Certificate Timestamp 6 TLS answer with cert +

    SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request
  10. (*) Signed Certificate Timestamp TLS answer with cert + SCT

    TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request
  11. Searching for certificates Collecting certificates (*) Signed Certificate Timestamp (*)

    Signed Certificate Timestamp TLS answer with cert + SCT TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Monitors Browser TLS request Logs
  12. FQDN (!= DNS) Internet wide logging + Open access to

    the data FQDN (!= DNS) FQDN (!= DNS) CT : benefits for Blue Teams
  13. #1 Find certificates for our domains hacked / malicious CA

    → → hacked DNS server (*) → legit web site but not using corporate security best practices (hosting, certificate, DNS etc) * : https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html CT: 2 useful usages (for us)
  14. #2 Find certificates for « near » domains → phishing

    campaigns → image damage CT: 2 useful usages (for us)
  15. Current choice: → hosted service daily notification → managed by

    our team → dealing with certificates (efficiency) Usage #1: our domains monitoring
  16. Usage #2: « near » domains monitoring CertStreamMonitor : use

    CT to monitor threats in « real time » AssuranceMaladieSec
  17. CertStreamMonitor.py . works on multi CT logs flow . keywords

    detection with threshold . real time . runs in daemon mode CertStreamMonitor
  18. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) CertStreamMonitor.py: how it works
  19. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) CertStreamMonitor.py: how it works
  20. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) hostnames with a number of keywords < threshold but >0 write to log file (ex : webmail. → apple-mail.com) CertStreamMonitor.py: how it works
  21. → run on demand (ex. : 1/day) → test all

    hostnames not already logged as up if hostname is up: → * update DB * JSON report file (ip, AS, abuse email...) scanhost.py: how it works
  22. Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing

    our customers (over priced phone number, personal data theft) Results
  23. Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing

    our customers (over priced phone number, personal data theft) → service inactivation Results
  24. Example #2 : IT management social-ameli.fr . Legit website .

    Best practices not applied : (domainname, hosting etc) Results
  25. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? Limits
  26. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? Limits
  27. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? But we rely on their code, a potential single point of failure. it is a → call for action to the Infosec community Limits
  28. You can now choose your CT logs aggregator service :

    * Calidog Security one * your own using Calidog code
  29. 01/2015 : 31 % 06/2017 : 57 % → 83%

    of growth in 2,5 years June 2017
  30. Feb. 2019 CT is point out as one of the

    tools able to control TLS grey/dark activities
  31. low cost tools and services are there, just use them

    efficiency notified before or soon after the the attacks comes online blind vision at Internet scale + bonus track: compliance CT monitoring is now part of best practices requirements
  32. Photos credits : Images under Creative Commons licence: Clair de

    lune : https://www.flickr.com/photos/cbrocas/4200102493/ danger : https://www.flickr.com/photos/adulau/26003405317/ complexity : https://www.flickr.com/photos/70023venus2009/6032939635 gain : https://www.flickr.com/photos/143106192@N03/29307455407/ book : https://www.flickr.com/photos/thesoulofhope/14545003924/ evolution : https://www.flickr.com/photos/elle_florio/26750479006/ Flaticons : Freepik from https://www.flaticon.com/