Blue Team TLS Hugs

Transcript

1. Blue Team TLS Hugs Lee Brotherston - @synackpse - #TLSHugs

2. SSL TLS does what now? Lee Brotherston - @synackpse -

   #TLSHugs

3. Renegotiation... Encrypted Data Key Exchange Kittens... Unicorn Tears Pixie Dust

   Client Client Hello Server Server Hello Lee Brotherston - @synackpse - #TLSHugs

4. Current State of the Art Lee Brotherston - @synackpse -

   #TLSHugs

5. - Ignore TLS - Break TLS - Embrace TLS Lee

   Brotherston - @synackpse - #TLSHugs

6. Ignore TLS Lee Brotherston - @synackpse - #TLSHugs

7. IDS Rules Protocol ClearText TLS Enabled HTTP(S) 1572 25 IMAP(S)

   34 10 SMTP(S) 73 10 Lee Brotherston - @synackpse - #TLSHugs

8. permit any > any port 443 Universal Firewall Bypass Port!

   Lee Brotherston - @synackpse - #TLSHugs

9. ssh -p443 user@myhost (don’t pretend you don’t) Lee Brotherston -

   @synackpse - #TLSHugs

10. So, what then? Lee Brotherston - @synackpse - #TLSHugs

11. EndMalVirusPointRansomWhitelistWareProtection Lee Brotherston - @synackpse - #TLSHugs

12. Blacklists Lee Brotherston - @synackpse - #TLSHugs

13. Break TLS Lee Brotherston - @synackpse - #TLSHugs

14. Request Request Response Proxy Server Client TLS Handshake TLS Handshake

    Response ClearText Actual Certificate Authority work CA :) Lee Brotherston - @synackpse - #TLSHugs

15. Break The CA Model …. even more Lee Brotherston -

    @synackpse - #TLSHugs

16. Compromised Appliance Lee Brotherston - @synackpse - #TLSHugs

17. Compromised Internal CA/Key Lee Brotherston - @synackpse - #TLSHugs

18. Key Management is Haaarrrddd Lee Brotherston - @synackpse - #TLSHugs

19. Poor Certificate Validation Lee Brotherston - @synackpse - #TLSHugs

20. “Trusted” CA List Lee Brotherston - @synackpse - #TLSHugs

21. Trust What The Appliance Trusts *cough* WoSign *cough* Lee Brotherston

    - @synackpse - #TLSHugs

22. Certificate [un]Pinning Lee Brotherston - @synackpse - #TLSHugs

23. Malicious Insider Lee Brotherston - @synackpse - #TLSHugs

24. Embracing TLS? Lee Brotherston - @synackpse - #TLSHugs

25. Goals Lee Brotherston - @synackpse - #TLSHugs

26. Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate

    Checks Cryptographic Checks Granular Content Filtering In-Page Exploits Malware Detection Data Exfiltration DLP Lee Brotherston - @synackpse - #TLSHugs

27. “Perfection is the enemy of good enough” Lee Brotherston -

    @synackpse - #TLSHugs

28. Lee Brotherston - @synackpse - #TLSHugs

29. Lee Brotherston - @synackpse - #TLSHugs

30. Fun with Packet Sniffing Lee Brotherston - @synackpse - #TLSHugs

31. TLS Fingerprinting (I hear someone did a talk on that)

    …. (it was me) Lee Brotherston - @synackpse - #TLSHugs

32. Spotting $bad Lee Brotherston - @synackpse - #TLSHugs

33. None

34. [semi]Automated fingerprinting Lee Brotherston - @synackpse - #TLSHugs

35. Pseudo “anomaly based detection” Lee Brotherston - @synackpse - #TLSHugs

36. Fingerprint Canaries Lee Brotherston - @synackpse - #TLSHugs

37. None

38. Incident Response & Attribution(ish) Lee Brotherston - @synackpse - #TLSHugs

39. Vorführeffekt

40. OK, Enough Fingerprinting Lee Brotherston - @synackpse - #TLSHugs

41. Server Responses Lee Brotherston - @synackpse - #TLSHugs

42. Certificates Lee Brotherston - @synackpse - #TLSHugs

43. Do You Even IDS, Bro? Lee Brotherston - @synackpse -

    #TLSHugs

44. Inline TLS Shenanigans Lee Brotherston - @synackpse - #TLSHugs

45. TLS Handshake Mangling Lee Brotherston - @synackpse - #TLSHugs

46. Request Request Response Proxy Server Client TLS Handshake TLS Handshake

    Response Nope Lee Brotherston - @synackpse - #TLSHugs

47. Proxy Server Client TLS Request Response Request Response TLS Version

    Ciphersuites Hashing Algorithms Hostname (SNI) Curves Server Hello Certificates Lee Brotherston - @synackpse - #TLSHugs

48. Subtractive only Lee Brotherston - @synackpse - #TLSHugs

49. The Compliances Lee Brotherston - @synackpse - #TLSHugs

50. A Remaining Problem Lee Brotherston - @synackpse - #TLSHugs

51. None
52. None
53. None
54. None

55. A Solution…. Kinda Lee Brotherston - @synackpse - #TLSHugs

56. None
57. None
58. None
59. None

60. Coarse Content Filtering Application Detection Coarse Logging Granular Logging Certificate

    Checks In-Page Exploits Malware Detection Data Exfiltration DLP How Did we Do? ✓ ✓ ✓ ✓ ✓ ✓ ✗ …? Lee Brotherston - @synackpse - #TLSHugs ✓

61. One more thing… Lee Brotherston - @synackpse - #TLSHugs

62. 8138561f1c4407e872a729a2d4a8f03d1927a7cd5dc9cb2f4812b50986c386a 116ab557841a5e4c9d80680697fc2c13ef7b01bb5e4e6ae71940e58fa757316 e0ee8ef327d403bba2e1c2bde3ead4166b4e1f93135e3a7acd3cddf3893b349 a120b27ed522d3176d08fc2c0984b911bd09f9601133180702542cb99dea311 0d31a40c75493db1ca59bb5e168df86ccea981f81e0466cc584461eac7dae86 6d3cc0f69e166c7d0a3019f1a163a7ba9273be13e404be0f432b65ea574badd 06a2fcc7ccff992a028c6c40c5de50428af37a1ec8f6db7d1a07af8de1486db c1a69c6bbc734cf17a1f13a48d27a218887b36b1e103964a66b38c74a73c6b9 602da341089709ef7e833e1715fe3bd85151 Lee

    Brotherston - @synackpse - #TLSHugs

63. Host: www.myhost.com User-Agent: MyBrowser/10.4 (Some OS) CoolWebKit/537.36 Accept: text/html,application/xhtml+xml,application/xml Accept-Encoding:

    gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 GET /XXXXXXXXXXX HTTP/1.1 227 206 151 95 58 26 Lee Brotherston - @synackpse - #TLSHugs

64. Conclusion Lee Brotherston - @synackpse - #TLSHugs

65. Stuff … TLS Fingerprinting: https://github.com/LeeBrotherston/tls-fingerprinting https://blog.squarelemon.com/tls-fingerprinting/ TLS Mangler (soon): https://github.com/LeeBrotherston/<somewhere>

    TLS Profiling: https://gist.github.com/wxsBSD/6d5e777afc31b3cf46d0 https://gist.github.com/wxsBSD/0c6584913bcc5e6da31b Slide Deck: https://speakerdeck.com/leebrotherston/ The Twitters (me): @synackpse Lee Brotherston - @synackpse - #TLSHugs

66. Any Questions? Lee Brotherston - @synackpse - #TLSHugs