
Open Source Security Toolsets

Elastic Co
February 18, 2018


RockNSM, VulnWhisperer, HELK and CAPESstack are next generation, open source security toolsets built on top of the Elastic Stack.

Kevin Keeney, Cyber Security Advocate at Elastic, gives us an overview of each of these tools and the different functionalities they provide.


Transcript

  1. Open Source Security Tools. Kevin Keeney, Cyber Security Advocate, @kevinkeeneyjr

  2. None
  3. RockNSM. http://rocknsm.io, http://github.com/rocknsm/rock
     Derek Ditch: https://github.com/dcode/, https://twitter.com/dcode
     Jeff Geiger: https://github.com/jeffgeiger, https://twitter.com/jeffgeiger
  4. ROCK Origin: “So there I was…”

  5. Needs
     • Lightweight
     • Secure from the foundation up
     • As close to a production sensor as possible
     • Repeatable
     • Available at home
  6. ROCK 2.0

  7. RockNSM 2.1

  8. Data Pipeline
     • Data transformations
     • Data enrichment
     • Data tagging
     • Data mapping & storage
  9. Log Normalization
     • Network: conn, dhcp, dns, ftp, http, kerberos, …
     • Files: files, pe, x509
     • Detection: intel, notice, notice_alarm, signatures, traceroute
     • Observations: known_certs, known_devices, known_hosts, known_modbus, known_services, software
     • Diagnostics: capture_loss, reporter, stats
  10. Fieldname Normalization
     "ssl": {
       "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256",
       "established": true,
       "id_resp_p": 443,
       …
     }
     "files": {
       "timedout": false,
       "local_orig": false,
       "rx_hosts": [ "192.168.100.103" ],
       ...
     }
     "conn": {
       "resp_pkts": 0,
       "id_orig_p": 5353,
       "local_resp": false,
       "uid": "Ci6Mji4NGqQu538N2a",
       "orig_asn": 0,
       …
     }
     "dns": {
       "query": "android.local",
       "answers": [ "android.local", "192.168.100.111" ],
     }
  11. Scoped Fields

  12. Log Normalization - Example
     "@timestamp": "2017-04-26T00:19:16.900Z",
     "@meta": {
       "resp_host": "17.167.193.45",
       "proc": "enp0s31f6-4",
       "system": "sensor001-001",
       "event_type": "network",
       "stream": "ssl",
       "related_ids": [ "C6Gg0g1AXxTpLWzYka", "FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa", "FnNRub2EJTB48nuqmc" ],
       "orig_host": "192.168.100.103",
       "resp_port": "443",
       "id": "C6Gg0g1AXxTpLWzYka",
       "orig_port": "49172"
     }
     Callouts on the slide:
     • Log category
     • Connection-level metadata
     • Specific log type
     • ID of this specific event
     • All related IDs in this log entry
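The two normalization slides above show the shape of the result but not the transformation itself. The following is an added example, not code from the RockNSM project: it reshapes a flat Bro/Zeek-style JSON record (Bro/Zeek field names such as id.orig_h and cert_chain_fuids) into the scoped, @meta-annotated layout on the slides. The stream-to-category table follows slide 9; the sensor name, process name and the sample records are constructed for the example, and the choice of which fields feed related_ids is an assumption.

```python
"""Reshape flat Bro/Zeek JSON records into the scoped, @meta layout shown on the slides.

Added example, not RockNSM project code. Category grouping follows slide 9;
everything else (sample records, sensor/proc names, related-id fields) is assumed.
"""
import json
from datetime import datetime, timezone

# Log category for each Bro/Zeek stream (slide 9 grouping).
STREAM_CATEGORY = {}
for _category, _streams in {
    "network": ["conn", "dhcp", "dns", "ftp", "http", "kerberos", "ssl"],
    "files": ["files", "pe", "x509"],
    "detection": ["intel", "notice", "notice_alarm", "signatures", "traceroute"],
    "observations": ["known_certs", "known_devices", "known_hosts",
                     "known_modbus", "known_services", "software"],
    "diagnostics": ["capture_loss", "reporter", "stats"],
}.items():
    for _s in _streams:
        STREAM_CATEGORY[_s] = _category

# Bro/Zeek connection tuple fields, renamed to the @meta names used on slide 12.
CONN_TUPLE = {
    "id.orig_h": "orig_host",
    "id.orig_p": "orig_port",
    "id.resp_h": "resp_host",
    "id.resp_p": "resp_port",
}

# Fields that carry identifiers of related records, in the order they are collected.
# Assumption for this example; real Bro/Zeek logs carry more id-bearing fields.
RELATED_ID_FIELDS = ("uid", "fuid", "fuids", "conn_uids",
                     "cert_chain_fuids", "client_cert_chain_fuids")


def epoch_to_iso(ts):
    """Bro/Zeek 'ts' (epoch seconds, float) -> ISO-8601 UTC with millisecond precision."""
    millis = int(round(ts * 1000))
    base = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (millis % 1000)


def normalize(record, stream, system, proc):
    """Build {"@timestamp", "@meta", <stream>: {...}} from one flat Bro/Zeek record."""
    if stream not in STREAM_CATEGORY:
        raise ValueError("unknown stream: %s" % stream)

    meta = {"system": system, "proc": proc,
            "event_type": STREAM_CATEGORY[stream], "stream": stream}
    body = {}
    for key, value in record.items():
        if key == "ts":
            continue  # promoted to @timestamp
        if key in CONN_TUPLE:
            meta[CONN_TUPLE[key]] = str(value)  # ports are strings in @meta on the slide
        # Keep every original field inside the stream scope, dots -> underscores.
        body[key.replace(".", "_")] = value

    related = []
    for field in RELATED_ID_FIELDS:
        value = record.get(field)
        if value is None:
            continue
        for item in (value if isinstance(value, list) else [value]):
            if item not in related:
                related.append(item)
    # The event's own id is its connection uid, or its file uid for file-scoped logs.
    meta["id"] = record.get("uid") or record.get("fuid")
    meta["related_ids"] = related

    return {"@timestamp": epoch_to_iso(record["ts"]), "@meta": meta, stream: body}


# Constructed sample records, using the values printed on slide 12.
SAMPLE_SSL = {
    "ts": 1493165956.9,
    "uid": "C6Gg0g1AXxTpLWzYka",
    "id.orig_h": "192.168.100.103", "id.orig_p": 49172,
    "id.resp_h": "17.167.193.45", "id.resp_p": 443,
    "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256", "established": True,
    "cert_chain_fuids": ["FCGlHcUbM98WHNDY7", "F3h8Ss1sPOTtapGGSa"],
    "client_cert_chain_fuids": ["FnNRub2EJTB48nuqmc"],
}
SAMPLE_FILES = {
    "ts": 1493165956.9,
    "fuid": "FCGlHcUbM98WHNDY7",
    "conn_uids": ["C6Gg0g1AXxTpLWzYka"],
    "rx_hosts": ["192.168.100.103"], "timedout": False, "local_orig": False,
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_SSL, "ssl", "sensor001-001", "enp0s31f6-4"), indent=2))
```

The same function handles a files record, which has no connection tuple: @meta then carries the file id as the event id and the connection uid only in related_ids, so a dashboard filtering on @meta.id or @meta.related_ids reaches both sides of the join without knowing the stream-specific field names.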
  13. SO WHAT? Clean data drives clean analysis.

  14. Analysis Walkthrough

  15. None

  16. Analysis Walkthrough

  17. Analysis Walkthrough

  18. Analysis Walkthrough

  19. Analysis Walkthrough

  20. Analysis Walkthrough

  21. Analysis Walkthrough

  22. Traffic by Geography

  23. IDS Alerts over Time

  24. DNS Logs

  25. Cross-Tab Filtering

  26. VulnWhisperer https://github.com/austin-taylor/VulnWhisperer

  27. Austin Taylor. Chief Security Research Engineer @ IronNet Cybersecurity; Cyber Warfare Operator @ USAF (MDANG); Security Consultant @ HA Security Solutions
  28. VulnWhisperer
     • Currently supports: Nessus & Qualys Web Applications
     • Written in Python
     • Custom Risk Scores
     • Asset Tagging
     • Intended to create actionable data for defenders and metrics for managers (track risk over time)
     https://github.com/austin-taylor/VulnWhisperer
  29. The Need – Pre Incident
     • Identify Critical Assets
     • Know thyself
     • Where do I hunt?
  30. The Need – Post Incident
     • What type of assets by geo / dept. have similar hosts?
     • How many machines of each?
     • Where should we prioritize remediation efforts?
  31. VulnWhisperer - Full Logical Processing Pipeline
     • Normalize, filter and enrich scan logs
     • Filebeat: sends the plaintext files
     • JSON structured log documents
     • Prebuilt dashboards
  32. Actionable Vulnerability Scans. Invest time up front and save time when it matters.

  33. Track Risk Over Time

  34. HELK Overview

  35. None
  36. Roberto Rodriguez “Cyb3rWard0g”. https://github.com/Cyb3rWard0g, https://cyberwardog.blogspot.com, https://twitter.com/Cyb3rWard0g

  37. What does HELK stand for? Hunting ELK

  38. WINLOGBEAT: Collect all the logs from your Windows endpoints

  39. Kafka: Distributed publish-subscribe messaging system

  40. LOGSTASH: Process, normalize, parse, tag, enrich, transform… data

  41. Normalize - Endpoint Data

  42. AlienVault OTX: Open Threat Exchange

  43. ELASTICSEARCH: Index on ingest = pay your taxes up front

  44. KIBANA: Visualize, analyze, search… data

  45. ES-Hadoop Connector: Apache Spark <-> Elasticsearch

  46. Apache Spark: Graph processing

  47. GraphFrames: Highly expressive graph queries

  48. Jupyter Notebook: Statistical modeling, numerical simulation, machine learning…

  49. None
  50. If only we had a hero

  51. Andrew Pease. https://github.com/peasead, https://github.com/capesstack

  52. CAPES: Cyber Analytics Platform and Examination System. capesstack.io

  53. Why?
     • Had a great hunt platform (RockNSM)
     • No IR platform
     • No intelligence pipeline capabilities
     • No way to communicate over distance
     • No (real) documentation
  54. Requirements: open source (obviously), self hosted, OS/platform agnostic, API extensibility
     • Secure OS
     • Operator launch point
     • IR tracking & management
     • Documentation
     • Observation enrichment
     • Communication over distance
     • Real-time collaboration
  55. None
  56. Operating System: CentOS. RHEL compatible; SELinux; STIGs out of the box
  57. Operator launch point: Reverse proxy. Low barrier to entry; single page for operators
  58. Incident response tracking: TheHive Project. Record observations; scalable; operational metrics

  59. Observation enrichment: IR platform compatible; multiple data points

  60. Documentation: Git with a cup of tea (Gitea). Markdown / AsciiDoc; accessible 24/7
  61. Communication: Rocket.Chat. Indexed; searchable; tagging; file upload; channels & DM

  62. Real-time Collaboration: Etherpad. “OneNote / Google Sheets” function; plugins; syntax highlighting
  63. Real-time Monitoring: METRICBEAT, HEARTBEAT, FILEBEAT. Monitors availability; collects metrics; logging

  64. None
  65. Road Ahead: Ansible; Docker; hardening; pentest; even more documentation

  66. CAPES: Cyber Analytics Platform and Examination System. capesstack.io

  67. Security Analytics Architecture (diagram; components recovered from the slide)
     • Data sources: Web Proxies, EDR / EPP, IDS / IPS / NMS, Scans, DNS, File, SIEM, Vulnerability Data & Threat Intelligence, IP
     • Beats: HEARTBEAT, FILEBEAT, METRICBEAT, PACKETBEAT, WINLOGBEAT, AUDITBEAT
     • Messaging queue: Kafka, Redis
     • Logstash Workers (2+)
     • Elasticsearch X-Pack: Master (3), Ingest (X), Data – Hot (X), Data – Warm (X), Machine Learning (2+), Coordinating (X), Alerting (X); ES-Hadoop
     • Kibana X-Pack Instances (2+), Custom UI, Elasticsearch Clients
     • Authentication: LDAP, AD, SSO; Notification
  68. Thank You
     • Web: www.elastic.co
     • Products: https://www.elastic.co/products
     • Forums: https://discuss.elastic.co/
     • Community: https://www.elastic.co/community/meetups
     • Twitter: @elastic