[THC19] Certificate Transparency & threats detection, 24 months later


Talk written by /me & Thomas Damonneville. Given by /me at Toulouse Hacking Convention (@ToulouseHacking), March 8, 2019. It is the last iteration of our talk (with @o0tAd0o) about Certificate Transparency & Threats detection. It gives a specific focus on the 24-month journey of CT, coming from a niche technology to become a global TLS users protection and a blueteam tool.


Christophe Brocas

March 08, 2019

Transcript

  1. Certificate Transparency & threats detection, 24 months later

    Christophe Brocas, Thomas Damonneville (Caisse Nationale d'Assurance Maladie, Security Department). Toulouse Hacking Convention, Toulouse | 08/03/2019
  2. Agenda

    1) Certificate Transparency: Risk / Answer; How Certificate Transparency works
    2) Benefits for threats monitoring: Usages for blue teams; CertStreamMonitor
    3) CT & threats monitoring: a 24 months story
  3. Risk & Answer

  4. [Diagram] Attacker, Certificate authority, www.mydomain.com

  5. [Diagram, build 2] Attacker, Certificate authority, www.mydomain.com

  6. [Diagram, build 3] Attacker, Certificate authority, www.mydomain.com, Abused users
  7. And « www.mydomain.com » owner?

  8. And « www.mydomain.com » owner?

  9. And « www.mydomain.com » owner?

  10. Example

  11. Certificate Transparency

    Public CAs have to submit all certificates they sign to publicly auditable and accessible, append-only, cryptographically signed logs.

  12. Certificate Transparency

    Public CAs have to submit all certificates they sign to publicly auditable and accessible, append-only, cryptographically signed logs.
    Timeline:
    → 2013: Google (RFC 6962), then IETF (RFC 6962bis)
    → 2015: CT mandatory for EV certificates
    → 30/04/2018: CT for all certificates
    → 24/07/2018: interstitial blocking page in Chrome 68
    → 15/10/2018: CT mandatory for Apple products
  14. How CT works

  15. How CT works

    [Diagram] Actors: Web site, CA, Logs, Monitors, Browser

  16–23. How CT works (the diagram of slide 15, built up step by step)

    1. The web site asks the CA for a certificate
    2. The CA logs the pre-certificate
    3. The CA receives a SCT (*) from the log
    4. The CA sends certificate + SCT to the web site
    5. The browser sends a TLS request
    6. The web site answers with cert + SCT
    (*) Signed Certificate Timestamp
    Monitors: collecting certificates from the logs, searching for certificates.
    Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018.
  24. … for Blue Teams

  25. CT: benefits for Blue Teams

    FQDN (!= DNS)

  26. CT: benefits for Blue Teams

    FQDN (!= DNS)
    Internet wide logging
    Open access to the data
  27. CT: 2 useful usages (for us)

    #1 Find certificates for our domains
    → hacked / malicious CA
    → hacked DNS server (*)
    → legit web site but not using corporate security best practices (hosting, certificate, DNS etc.)
    (*) https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

  28. CT: 2 useful usages (for us)

    #2 Find certificates for « near » domains
    → phishing campaigns
    → image damage
  29. Usage #1: our domains monitoring

    Current choice:
    → hosted service, daily notification
    → managed by our team
    → dealing with certificates (efficiency)
  30. Code: CertStreamMonitor

  31. Usage #2: « near » domains monitoring

    CertStreamMonitor: use CT to monitor threats in « real time » (AssuranceMaladieSec)

  32. CertStreamMonitor

    CertStreamMonitor.py
    . works on multiple CT logs flows
    . keywords detection with threshold
    . real time
    . runs in daemon mode
  33. CertStreamMonitor.py: how it works

    Tailor your configuration file (conf/filename.conf)
    → Choose your keywords: ex: apple|account|login
    → Set your threshold: ex: 2 (default value)

  34. CertStreamMonitor.py: how it works

    Tailor your configuration file (conf/filename.conf)
    → Choose your keywords: ex: apple|account|login
    → Set your threshold: ex: 2 (default value)
    → hostnames with a number of keywords ≥ threshold: insert in DB (ex: login.apple-connect.com)

  35. CertStreamMonitor.py: how it works

    Tailor your configuration file (conf/filename.conf)
    → Choose your keywords: ex: apple|account|login
    → Set your threshold: ex: 2 (default value)
    → hostnames with a number of keywords ≥ threshold: insert in DB (ex: login.apple-connect.com)
    → hostnames with a number of keywords < threshold but > 0: write to log file (ex: webmail.apple-mail.com)
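The keyword/threshold triage of slides 33 to 35, written out as an added Python example (not the project's CertStreamMonitor code): hostnames with at least `threshold` keyword matches go to the DB bucket, those with fewer matches but at least one go to the log bucket. The keyword regexp and threshold come from the slide; the hostname list is constructed, and counting each keyword once per hostname is an assumption of this example.

```python
import re

# Keywords and default threshold as given on the slide (alternation regexp,
# case-insensitive so "Apple-Login.net" is caught as well).
KEYWORDS = re.compile(r"apple|account|login", re.IGNORECASE)
THRESHOLD = 2  # default value shown on the slide


def count_keywords(hostname: str) -> int:
    """Number of distinct configured keywords present in the hostname.

    Assumption of this example: a keyword repeated in the same hostname
    ("login-login.example") counts once, not twice.
    """
    return len({match.lower() for match in KEYWORDS.findall(hostname)})


def classify(hostname: str, threshold: int = THRESHOLD) -> str:
    """Apply the slide's rule to one hostname.

    'db'     : number of keywords >= threshold  -> insert in DB (alert)
    'log'    : 0 < number of keywords < threshold -> write to log file
    'ignore' : no keyword at all
    """
    hits = count_keywords(hostname)
    if hits >= threshold:
        return "db"
    if hits > 0:
        return "log"
    return "ignore"


def triage_certificate(all_domains, threshold: int = THRESHOLD) -> dict:
    """Bucket every SAN hostname of one certificate seen in the CT stream.

    Wildcard names ("*.example.org") are kept verbatim: the keyword rule can
    only see the labels that are actually in the certificate, which is the
    wildcard blind spot mentioned in the talk's limits.
    """
    buckets = {"db": [], "log": [], "ignore": []}
    for hostname in all_domains:
        buckets[classify(hostname, threshold)].append(hostname)
    return buckets


# Constructed sample: the SAN list of one certificate as an aggregator would
# deliver it, mixing the slide's two examples with two harmless names.
SAMPLE_DOMAINS = [
    "login.apple-connect.com",   # 2 keywords -> db
    "webmail.apple-mail.com",    # 1 keyword  -> log
    "*.example.org",             # 0 keywords -> ignore (wildcard kept as-is)
    "www.example.org",           # 0 keywords -> ignore
]
```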
  36. scanhost.py: how it works

    → run on demand (ex.: 1/day)
    → test all hostnames not already logged as up
    → if hostname is up:
      * update DB
      * JSON report file (ip, AS, abuse email...)

  37. scanhost.py: how it works

    JSON report file

  38. Screenshots are not a demo <shame/>

  44. Results

    Example #1: customers abuse
    cpam-{78,75,13,...}.fr service, potentially abusing our customers (over-priced phone number, personal data theft)

  45. Results

    Example #1: customers abuse
    cpam-{78,75,13,...}.fr service, potentially abusing our customers (over-priced phone number, personal data theft)
    → service inactivation

  46. Results

    Example #2: IT management
    social-ameli.fr
    . Legit website
    . Best practices not applied (domain name, hosting etc.)
  47–48. Limits

    TLS, not HTTP – only detects hostnames accessed through TLS
    RegExp – relying on regexps to find hostnames can lead to missing some of them. Wildcard certificates also beat us.
    Trust – we use a third-party service to get CT certificates (Calidog Security in our case). Can we trust it?

  49. Limits

    TLS, not HTTP – only detects hostnames accessed through TLS
    RegExp – relying on regexps to find hostnames can lead to missing some of them. Wildcard certificates also beat us.
    Trust – we use a third-party service to get CT certificates (Calidog Security in our case). Can we trust it? We rely on their code, a potential single point of failure.
    → it is a call for action to the Infosec community
  50. CertStreamMonitor evolution in 9 months

  52. You can now choose your CT logs aggregator service:

    * Calidog Security's one
    * your own, using Calidog code

  53. Setting the threshold for keywords detection is available in the config file

  54. (optional) check Google SafeBrowsing status of the hostname

  55. Name of the alerts directory can be hashed with date + hostname (PR of @xme)

  56. (optional) notification by mail or instant messaging like Slack or Rocket.
  57. CT & Threats Monitoring: a 24 months story

  58. April 2017 The announcement

  59. June 2017 Why CT becomes interesting?

  60. June 2017

    01/2015: 31 %

  61. June 2017

    01/2015: 31 % → 06/2017: 57 %, i.e. 83 % of growth in 2.5 years
  62. Nov. 2017 First tools show up

  63. May 2018 More complex tools + CT required for all

    certificates
  64. July 2018 Chrome implements CT as a strict requirement

  65. Nov. 2018 When CT becomes a DNS hacks detection tool

  66. Nov. 2018 When CT becomes a DNS hacks detection tool

  67. Jan. 2019 CT appears in Blue Teams best practices

  68. Feb. 2019 CT is pointed out as one of the tools able to control TLS grey/dark activities
  69. → low cost tools and services are there, just use them

    → efficiency: notified before or soon after the attack comes online
    → blind vision at Internet scale
    + bonus track: compliance, CT monitoring is now part of best practices requirements
  70. Thanks! Some questions? https://github.com/AssuranceMaladieSec christophe.brocas@assurance-maladie.fr thomas.damonneville@assurance-maladie.fr @cbrocas | @o0tAd0o

  71. Photos credits: images under Creative Commons licence

    Clair de lune: https://www.flickr.com/photos/cbrocas/4200102493/
    danger: https://www.flickr.com/photos/adulau/26003405317/
    complexity: https://www.flickr.com/photos/70023venus2009/6032939635
    gain: https://www.flickr.com/photos/143106192@N03/29307455407/
    book: https://www.flickr.com/photos/thesoulofhope/14545003924/
    evolution: https://www.flickr.com/photos/elle_florio/26750479006/
    Flaticons: Freepik from https://www.flaticon.com/