Security monitoring - Penetration testing meets monitoring

Slide 1

Slide 1 text

Security Monitoring Penetration testing meet monitoring Gareth Rushgrove

Slide 2

Slide 2 text

Who (Who is this person?)

Slide 3

Slide 3 text

@garethr

Slide 4

Slide 4 text

UK Government Digital Service

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

How did it come to this, that the government has one of the most exciting start-ups in the UK?!

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Last code I wrote

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

The Problem (Why talk about security monitoring)

Slide 12

Slide 12 text

The continuous delivery argument Gareth Rushgrove

Slide 13

Slide 13 text

How often do you change your applications? Gareth Rushgrove

Slide 14

Slide 14 text

Gareth Rushgrove How often do you conduct penetration tests?

Slide 15

Slide 15 text

The security is part of quality assurance argument Gareth Rushgrove

Slide 16

Slide 16 text

Testing used to be manual, slow and expensive Gareth Rushgrove

Slide 17

Slide 17 text

Testing is now automated, fast and done on every commit Gareth Rushgrove

Slide 18

Slide 18 text

Security testing is still mainly manual, slow and expensive Gareth Rushgrove

Slide 19

Slide 19 text

This presentation (What to expect from this talk)

Slide 20

Slide 20 text

Reactive security monitoring Gareth Rushgrove 1

Slide 21

Slide 21 text

Proactive security testing Gareth Rushgrove 2

Slide 22

Slide 22 text

Gareth Rushgrove 3 Community efforts

Slide 23

Slide 23 text

Reactive monitoring (Mitigate attacks)

Slide 24

Slide 24 text

rkhunter Gareth Rushgrove

Slide 25

Slide 25 text

Gareth Rushgrove

Slide 26

Slide 26 text

rkhunter \ --check \ --no-mail-on-warning \ --skip-keypress Gareth Rushgrove

Slide 27

Slide 27 text

Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not found ] Vampire Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Found ] Xzibit Rootkit [ Not found ] X-Org SunOS Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ] ZK Rootkit [ Not found ] Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ] Gareth Rushgrove

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Gareth Rushgrove

Slide 30

Slide 30 text

rkhunter \ --check \ --nocolors \ --no-mail-on-warning \ --skip-keypress \ --no-summary | rkhunter-librato.py Gareth Rushgrove

Slide 31

Slide 31 text

Gareth Rushgrove

Slide 32

Slide 32 text

Gareth Rushgrove

Slide 33

Slide 33 text

def test_beastkit_not_installed(): assert (metric("beastkit_rootkit") == 0) Gareth Rushgrove

Slide 34

Slide 34 text

>> nosetests -v rkhunter-librato-test.py rkhunter-libratoo-test.test_beastkit_not_installed ... ok --------------------------------------------------------- Ran 1 test in 1.585s OK Gareth Rushgrove

Slide 35

Slide 35 text

Nginx Naxsi Gareth Rushgrove

Slide 36

Slide 36 text

Web Application Firewall Gareth Rushgrove

Slide 37

Slide 37 text

Gareth Rushgrove

Slide 38

Slide 38 text

SecRulesEnabled; DeniedUrl "/RequestDenied"; CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK; Gareth Rushgrove

Slide 39

Slide 39 text

2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim&uri=/pictures/ search.php&total_processed=14&total_blocked=7&zo ne0=ARGS&id0=1007&var_name0=query, client: 192.168.50.20, server: localhost, request: "GET /pictures/search.php?query=--%3E+ %3Csome_dangerous_input_a1056fd2f0ffbb7f18fec9bd 33257e12ab5e0494b33011967bcbcbc5699408eb%2F%3E+ %3C%21-- HTTP/1.1", host: "victim" Gareth Rushgrove

Slide 40

Slide 40 text

id0=1007 Gareth Rushgrove

Slide 41

Slide 41 text

SQL Injection Gareth Rushgrove

Slide 42

Slide 42 text

Gareth Rushgrove

Slide 43

Slide 43 text

grok { type => "nginx_error" match => ["message", " ip=%{IP:client_ip}& server=%{IP:server_ip}& uri=%{PATH:uri}& total_processed=%{NUMBER:total_processed}& total_blocked=%{NUMBER:total_blocked}& zone0=%{WORD:zone}& id0=%{NUMBER:id}"] } Gareth Rushgrove

Slide 44

Slide 44 text

Gareth Rushgrove

Slide 45

Slide 45 text

Fail2Ban Gareth Rushgrove

Slide 46

Slide 46 text

Gareth Rushgrove

Slide 47

Slide 47 text

[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6 Gareth Rushgrove

Slide 48

Slide 48 text

[ssh-ddos] Ban 192.168.50.20 Gareth Rushgrove

Slide 49

Slide 49 text

[nginx-naxsi] enabled = true port = http,https filter = nginx-naxsi logpath = /var/log/nginx/*error.log maxretry = 2 Gareth Rushgrove

Slide 50

Slide 50 text

grok { type => "naxsi_fail2ban" match => ["message", " WARNING \[nginx-naxsi\] %{WORD:action} %{IP:ip}" ] } Gareth Rushgrove

Slide 51

Slide 51 text

Auditd Gareth Rushgrove

Slide 52

Slide 52 text

Auditd in less than 2 minutes. Maybe. Gareth Rushgrove

Slide 53

Slide 53 text

-a exit,always -S mkdir Gareth Rushgrove

Slide 54

Slide 54 text

type=CWD msg=audit(1379493067.779:57): cwd="/tmp" type=PATH msg=audit(1379493067.779:57): item=0 name="vagrant-puppet" inode=20 dev=fc:00 mode=041777 ouid=0 ogid=0 rdev=00:00 type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null) type=CWD msg=audit(1379493067.779:58): cwd="/tmp/ vagrant-puppet" Gareth Rushgrove

Slide 55

Slide 55 text

cwd="/tmp" Gareth Rushgrove

Slide 56

Slide 56 text

syscall=83 Gareth Rushgrove

Slide 57

Slide 57 text

sys_symlink Gareth Rushgrove

Slide 58

Slide 58 text

Gareth Rushgrove

Slide 59

Slide 59 text

comm="mkdir" Gareth Rushgrove

Slide 60

Slide 60 text

cwd="/tmp/vagrant-puppet" Gareth Rushgrove

Slide 61

Slide 61 text

Aside: penetration testing tools (State of open source)

Slide 62

Slide 62 text

Skipﬁsh, nikto, w3af, garmr, sslyze, owasp zap, arachni, sqlmap, sslscan, TLSSLed, slowhttptest, DIRB, SQLiBF Gareth Rushgrove

Slide 63

Slide 63 text

BackTrack Gareth Rushgrove

Slide 64

Slide 64 text

The problem with distributing software as a Linux distribution Gareth Rushgrove

Slide 65

Slide 65 text

Conﬁguration management + Vagrant Gareth Rushgrove

Slide 66

Slide 66 text

Penetration testing tools

Slide 67

Slide 67 text

Vulnerable web apps

Slide 68

Slide 68 text

Source code

Slide 69

Slide 69 text

Puppet module

Slide 70

Slide 70 text

Proactive monitoring (Attack yourself)

Slide 71

Slide 71 text

Gareth Rushgrove

Slide 72

Slide 72 text

nmap monitorama.eu Gareth Rushgrove

Slide 73

Slide 73 text

Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST Nmap scan report for monitorama.eu (141.101.116.49) Host is up (0.17s latency). Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49 Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds Gareth Rushgrove

Slide 74

Slide 74 text

Gareth Rushgrove

Slide 75

Slide 75 text

it "should have one port open" do @host.open_ports.should have(1).items end Gareth Rushgrove

Slide 76

Slide 76 text

Gareth Rushgrove

Slide 77

Slide 77 text

1) the monitorama.eu website should have one port open Failure/Error: @host.open_ports.should have(1).items expected 1 items, got 2 Finished in 8.99 seconds 1 example, 1 failure Gareth Rushgrove

Slide 78

Slide 78 text

Arachni Gareth Rushgrove

Slide 79

Slide 79 text

Gareth Rushgrove

Slide 80

Slide 80 text

Web application security scanner Gareth Rushgrove

Slide 81

Slide 81 text

arachni http://monitorama.eu --modules=xss Gareth Rushgrove

Slide 82

Slide 82 text

+ +[+] 2 issues were detected. + +[+] [1] Trusted -- Cross-Site Scripting (XSS) +[~] ~~~~~~~~~~~~~~~~~~~~ +[~] ID Hash: +[~] Severity: High +[~] URL: http://victim/pictures/search.php +[~] Element: form +[~] Method: GET +[~] Tags: xss, regexp, injection, script +[~] Variable: query +[~] Description: +[~] Client-side code (like JavaScript) can be injected + into the web application which is then returned to + the user's browser. This can lead to a compromise + of the client's system or serve as a pivoting + point for other attacks. + Gareth Rushgrove

Slide 83

Slide 83 text

Gauntlt Gareth Rushgrove

Slide 84

Slide 84 text

Gareth Rushgrove

Slide 85

Slide 85 text

Cucumber + security tool integrations Gareth Rushgrove

Slide 86

Slide 86 text

Ofﬁcially supports curl, nmap, sslyze, sqlmap, garmr Gareth Rushgrove

Slide 87

Slide 87 text

Gareth Rushgrove

Slide 88

Slide 88 text

$ gauntlt methods.attack Gareth Rushgrove

Slide 89

Slide 89 text

Gareth Rushgrove

Slide 90

Slide 90 text

Support in master dirb, arachni Gareth Rushgrove

Slide 91

Slide 91 text

Gareth Rushgrove

Slide 92

Slide 92 text

$ gauntlt xss.attack Gareth Rushgrove

Slide 93

Slide 93 text

Conclusions (You convinced me, now what?)

Slide 94

Slide 94 text

Gareth Rushgrove Use penetration tests to discover how attackers work 1

Slide 95

Slide 95 text

Gareth Rushgrove Use security monitoring to build and maintain checklists 2

Slide 96

Slide 96 text

Share common conﬁguration patterns Gareth Rushgrove 3

Slide 97

Slide 97 text

Gareth Rushgrove Help with packaging and conﬁguration management 4

Slide 98

Slide 98 text

Gareth Rushgrove 5 Help integrate security tools with monitoring systems

Slide 99

Slide 99 text

Gareth Rushgrove Get security together with developers and operations 6

Slide 100

Slide 100 text

Questions? (And thanks for listening)