[THC19] Certificate Transparency & threats detection, 24 months later

Transcript

1. Certificate Transparency & threats detection 24 months later Christophe Brocas

   Thomas Damonneville Caisse Nationale d’Assurance Maladie – Security Department Toulouse Hacking Convention Toulouse | 08/03/2019

2. 1) Certificate Transparency - Risk / Answer - How Certificate

   Transparency works 2) Benefits for threats monitoring - Usages for blue teams - CertStreamMonitor 3) CT & threats monitoring: a 24 months story Agenda

3. Risk & Answer

4. Attacker Certificate authority www.mydomain.com

5. Attaquant Attacker www.mydomain.com Attacker Certificate authority www.mydomain.com

6. Attacker Abused users www.mydomain.com Attaquant Attacker www.mydomain.com Attacker Certificate authority

   www.mydomain.com

7. And « www.mydomain.com » owner?

8. And « www.mydomain.com » owner?

9. And « www.mydomain.com » owner?

10. Example

11. Public CA have to submit all certificates they signed to

    publicly auditable and accessible, append-only, cryptographically signed logs. Certificate Transparency

12. Public CA have to submit all certificates they signed to

    publicly auditable and accessible, append-only, cryptographically signed logs. Timeline : 2013 : Google (RFC 6962) then IETF (RFC 6962bis) → → 2015 : CT mandatory for EV certificates → 30/04/2018 : CT for all certificates → 24/07/2018 : interstitial blocking page Chrome 68 → 15/10/2018 : CT mandatory for Apple products Certificate Transparency
13. None

14. How CT works

15. Site web CA Logs Monitors Browser Web site

16. 1 Ask for a certificate Site web CA Logs Monitors

    Browser Web site

17. 2 Log pre-certificate 1 Ask for a certificate Site web

    CA Browser Web site Logs Monitors

18. 3 Receive SCT (*) (*) Signed Certificate Timestamp 2 Log

    pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors

19. 4 sends certificate+SCT (*) Signed Certificate Timestamp 3 Receive SCT

    (*) (*) Signed Certificate Timestamp 2 Log pre-certificate 1 Ask for a certificate Site web CA Browser Web site Logs Monitors

20. 5 (*) Signed Certificate Timestamp 5 4 sends certificate+SCT 3

    Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

21. (*) Signed Certificate Timestamp 6 TLS answer with cert +

    SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

22. (*) Signed Certificate Timestamp TLS answer with cert + SCT

    TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Logs Monitors Browser TLS request

23. Searching for certificates Collecting certificates (*) Signed Certificate Timestamp (*)

    Signed Certificate Timestamp TLS answer with cert + SCT TLS answer with cert + SCT TLS answer with cert + SCT Chrome 68 requires CT for all certificates signed after 30 April 2018. Safari does it since October 2018. 6 TLS answer with cert + SCT 5 5 4 sends certificate+SCT 3 Receive SCT (*) 2 Log pre-certificate 1 Ask for a certificate Site web CA Web site Monitors Browser TLS request Logs

24. … for Blue Teams

25. CT : benefits for Blue Teams FQDN (!= DNS)

26. FQDN (!= DNS) Internet wide logging + Open access to

    the data FQDN (!= DNS) FQDN (!= DNS) CT : benefits for Blue Teams

27. #1 Find certificates for our domains hacked / malicious CA

    → → hacked DNS server (*) → legit web site but not using corporate security best practices (hosting, certificate, DNS etc) * : https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html CT: 2 useful usages (for us)

28. #2 Find certificates for « near » domains → phishing

    campaigns → image damage CT: 2 useful usages (for us)

29. Current choice: → hosted service daily notification → managed by

    our team → dealing with certificates (efficiency) Usage #1: our domains monitoring

30. Code: CertStreamMonitor

31. Usage #2: « near » domains monitoring CertStreamMonitor : use

    CT to monitor threats in « real time » AssuranceMaladieSec

32. CertStreamMonitor.py . works on multi CT logs flow . keywords

    detection with threshold . real time . runs in daemon mode CertStreamMonitor

33. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) CertStreamMonitor.py: how it works

34. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) CertStreamMonitor.py: how it works

35. Tailor your configuration file (conf/filename.conf) → Choose your keywords :

    ex: apple|account|login → Set your threshold: ex: 2 (defaut value) hostnames with a number of keywords ≥ threshold insert in DB (ex : → login.apple-connect.com) hostnames with a number of keywords < threshold but >0 write to log file (ex : webmail. → apple-mail.com) CertStreamMonitor.py: how it works

36. → run on demand (ex. : 1/day) → test all

    hostnames not already logged as up if hostname is up: → * update DB * JSON report file (ip, AS, abuse email...) scanhost.py: how it works

37. JSON report file scanhost.py: how it works

38. Screenshots are not a demo <shame/>

39. None
40. None
41. None
42. None
43. None

44. Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing

    our customers (over priced phone number, personal data theft) Results

45. Example #1 : customers abuse cpam-{78,75,13,...}.fr service potentially → abusing

    our customers (over priced phone number, personal data theft) → service inactivation Results

46. Example #2 : IT management social-ameli.fr . Legit website .

    Best practices not applied : (domainname, hosting etc) Results

47. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? Limits

48. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? Limits

49. TLS, not HTTP – only detect hostnames accessed through TLS

    RegExp – relying on regexp to find hostnames can lead to miss some of them. Wildcard certificates also beat us. Trust- we use tier service to get CT certificates (Calidog Security in our case). Can we trust it? But we rely on their code, a potential single point of failure. it is a → call for action to the Infosec community Limits

50. CertStreamMonitor evolution in 9 months

51. None

52. You can now choose your CT logs aggregator service :

    * Calidog Security one * your own using Calidog code

53. Setting the threshold for keywords detection is available in config

    file

54. (optional) check Google SafeBrowsing status of the hostname

55. Name of the alerts directory can be hashed with date

    + hostname (PR of @xme)

56. (optional) notification by mail or instant messaging like Slack or

    Rocket.

57. CT & Threats Monitoring: a 24 months story

58. April 2017 The announcement

59. June 2017 Why CT becomes interesting?

60. 01/2015 : 31 % June 2017

61. 01/2015 : 31 % 06/2017 : 57 % → 83%

    of growth in 2,5 years June 2017

62. Nov. 2017 First tools show up

63. May 2018 More complex tools + CT required for all

    certificates

64. July 2018 Chrome implements CT as a strict requirement

65. Nov. 2018 When CT becomes a DNS hacks detection tool

66. Nov. 2018 When CT becomes a DNS hacks detection tool

67. Jan. 2019 CT appears in Blue Teams best practices

68. Feb. 2019 CT is point out as one of the

    tools able to control TLS grey/dark activities

69. low cost tools and services are there, just use them

    efficiency notified before or soon after the the attacks comes online blind vision at Internet scale + bonus track: compliance CT monitoring is now part of best practices requirements

70. Thanks! Some questions? https://github.com/AssuranceMaladieSec [email protected] [email protected] @cbrocas | @o0tAd0o

71. Photos credits : Images under Creative Commons licence: Clair de

    lune : https://www.flickr.com/photos/cbrocas/4200102493/ danger : https://www.flickr.com/photos/adulau/26003405317/ complexity : https://www.flickr.com/photos/70023venus2009/6032939635 gain : https://www.flickr.com/photos/143106192@N03/29307455407/ book : https://www.flickr.com/photos/thesoulofhope/14545003924/ evolution : https://www.flickr.com/photos/elle_florio/26750479006/ Flaticons : Freepik from https://www.flaticon.com/