Slide 1

CERTIFICATE TRANSPARENCY: when a new standard can improve your threat monitoring
Christophe Brocas, Thomas Damonneville
Caisse Nationale d'Assurance Maladie – Security team

Slide 2

AGENDA
1) Risk / Answer
2) How Certificate Transparency works
3) Benefits for threat monitoring: tools, results, limits

Slide 3

THE RISK

Slide 4

THE RISK

Slide 5

THE ANSWER
A Google initiative launched in 2013 (RFC 6962), then taken to the IETF
Public CAs have to submit all certificates they sign to publicly auditable, append-only, cryptographically signed logs
Benefit: capacity for all to see all publicly signed certificates
Timeline:
→ EV certificates: 2015
→ all certificates: April 30, 2018
→ a full-page warning in Chrome 68: July 24, 2018

Slides 6-12

[Diagram, built up one step per slide]
Actors: Web site, Certification Authority (CA), Logs, Monitors, Browser
1 Certificate request
2 Pre-certificate logging
3 SCT (*) providing
4 Providing of certificate + SCT
5 TLS request
6 TLS answer with cert + SCT
(*) Signed Certificate Timestamp
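What "publicly auditable, append-only" means in practice for the Logs box above: a log commits to its entries with an RFC 6962 Merkle tree, and anyone holding the signed tree head can check that a given (pre-)certificate is really included. Added example, not code from the talk or from the AssuranceMaladieSec repositories; the five-entry log is constructed for the illustration.

```python
import hashlib
# RFC 6962 Merkle tree: leaves and interior nodes get distinct prefix bytes,
# so a leaf hash can never be mistaken for a node hash.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    k = 1                          # largest power of two strictly less than n
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries: list) -> bytes:
    # Merkle Tree Hash of the ordered entries D[0:n]: the value the log signs
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def audit_path(m: int, entries: list) -> list:
    # inclusion proof PATH(m, D[n]) as a log returns it for entry m
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    # auditor-side check (RFC 9162 section 2.1.3.2) of `entry` at `index` against signed head `root`
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False               # proof is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)        # we are a right child
            while fn and not fn & 1:   # fn == sn case: skip levels the smaller right subtree lacks
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)        # we are a left child
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed five-entry log; real entries are DER-encoded (pre-)certificates.
LOG = [b"precert-%d" % i for i in range(5)]
```

A monitor that fetches the proof for a certificate it found and runs `verify_inclusion` against the log's signed tree head knows the log cannot silently drop that entry later without breaking every subsequent head.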

Slide 13

Chrome 68 requires CT for all certificates signed after 30 April 2018.
[Diagram: Web site, CA, Logs, Monitors, Browser, steps 1-6 as on the previous slides]

Slide 14

Looking for certificates for our domain names
Chrome 68 requires CT for all certificates signed after April 30, 2018.
[Diagram: Web site, CA, Logs, Monitors, Browser, steps 1-6 as on the previous slides]

Slide 15

Usage #1: our domain names monitoring
Present choice:
→ hosted service, daily notification
→ handled by the team buying our certificates (efficiency)

Slide 16

Usage #2: «near» domains monitoring
CertStreamMonitor: «real time» threat detection platform through CT (AssuranceMaladieSec)

Slide 17

Usage #2: «near» domains monitoring
CertStreamMonitor.py
. keyword detection with threshold
. real time
. operates on a consolidated CT flow (multiple logs)
. daemon mode

Slide 18

Usage #2: «near» domains monitoring
Future phishing campaigns detection (CertStreamMonitor.py)

Slide 19

Usage #2: «near» domains monitoring
scanhost.py
if the site is online:
→ DB update
→ JSON report generation (IP, AS, abuse e-mail, ...)

Slide 20

Usage #2: «near» domains monitoring
Data enrichment (scanhost.py)

Slide 21

Usage #2: «near» domains monitoring
JSON report (scanhost.py)

Slide 22

Results
Example #1: our customers abused
cpam-{78,75,13,...}.fr
→ service trying to abuse our customers (surcharged telephone numbers, data theft)

Slide 23

Results
Example #1: our customers abused
cpam-{78,75,13,...}.fr
→ service trying to abuse our customers (surcharged telephone numbers, data theft)
→ service taken down

Slide 24

Results
Example #2: IT rules compliance
social-ameli.fr
. Legitimate service
. Internal recommendations not applied (domain name, hosting, etc.)

Slide 25

Limits
● TLS, not HTTP: we only detect hostnames for which a certificate has been signed
● RegExp: if the hostname does not contain our searched keywords, no detection. And wildcards beat us too.
● Trust: the amount of distributed data led us to use an online service (CertStream). May we trust it?
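The keyword-with-threshold detection described on slide 17, together with the RegExp and wildcard limit stated above, as an added example (not the CertStreamMonitor.py code from the AssuranceMaladieSec repository): the keyword weights, the threshold and the sample certificate entries are constructed for this illustration.

```python
from dataclasses import dataclass

# Keyword weights and threshold are constructed for this example; the real
# CertStreamMonitor configuration is not reproduced here.
KEYWORDS = {"ameli": 3, "cpam": 3, "secure": 1, "login": 1}
THRESHOLD = 3

@dataclass
class Alert:
    hostname: str
    score: int
    matched: list

def score_hostname(hostname: str):
    """Score one SAN entry of a logged (pre-)certificate: (score, matched keywords)."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        # Wildcard certificate: only the parent name is logged, so whatever
        # label the attacker later puts in front of it never reaches us.
        host = host[2:]
    matched = [kw for kw in KEYWORDS if kw in host]   # plain substring match, as a simple RegExp would
    return sum(KEYWORDS[kw] for kw in matched), matched

def inspect_entry(san_list, threshold=THRESHOLD):
    """Return an Alert for every SAN of one certificate that reaches the threshold."""
    alerts = []
    for host in san_list:
        score, matched = score_hostname(host)
        if score >= threshold:
            alerts.append(Alert(host, score, matched))
    return alerts

def monitor(stream, threshold=THRESHOLD):
    """Run the check over an iterable of certificate entries (one SAN list each)."""
    return [alert for sans in stream for alert in inspect_entry(sans, threshold)]

# Constructed stand-in for the consolidated CT feed (one SAN list per certificate).
SAMPLE_STREAM = [
    ["cpam-78-remboursement.example", "www.cpam-78-remboursement.example"],  # lookalike: alert
    ["shop.example", "www.shop.example"],                                   # unrelated: nothing
    ["secure-login.example"],                                               # generic words only: score 2, below threshold
    ["*.free-hosting.example"],                                             # wildcard hides e.g. ameli.free-hosting.example: missed
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_STREAM):
        print(f"ALERT {alert.hostname} score={alert.score} keywords={alert.matched}")
```

The last sample entry is the wildcard case from the limits slide: the logged name carries none of the keywords, so a CT-based monitor only sees the host once the site is online (the TLS-not-HTTP limit) and never from the log itself.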

Slide 26

Conclusion
low cost: tools and services are there, you just have to use them
efficiency: informed before the attack comes online
blind: have a vision at Internet scale

Slide 27

Thanks! Some questions?
https://github.com/AssuranceMaladieSec
[email protected] | [email protected]
@cbrocas | @o0tAd0o