Slide 1

Kevin Keeney, Cyber Security Advocate, @kevinkeeneyjr
Open Source Security Tools

Slide 3

RockNSM
http://rocknsm.io
http://github.com/rocknsm/rock
Derek Ditch: https://github.com/dcode/ https://twitter.com/dcode
Jeff Geiger: https://github.com/jeffgeiger https://twitter.com/jeffgeiger

Slide 4

ROCK Origin: “So there I was…”

Slide 5

Needs
• Lightweight
• Secure from the foundation up
• As close to a production sensor as possible
• Repeatable
• Available at home

Slide 6

ROCK 2.0

Slide 7

RockNSM 2.1

Slide 8

Data Pipeline
• Data transformations
• Data enrichment
• Data tagging
• Data mapping & storage

Slide 9

Log Normalization (Bro/Zeek log streams grouped by category)
Network: conn, dhcp, dns, ftp, http, kerberos, …
Files: files, pe, x509
Detection: intel, notice, notice_alarm, signatures, traceroute
Observations: known_certs, known_devices, known_hosts, known_modbus, known_services, software
Diagnostics: capture_loss, reporter, stats

Slide 10

Fieldname Normalization (each stream's fields are scoped under the stream name; dotted Bro field names such as id.resp_p become id_resp_p)

"ssl": {
  "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "id_resp_p": 443,
  …
}

"files": {
  "timedout": false,
  "local_orig": false,
  "rx_hosts": [ "192.168.100.103" ],
  …
}

"conn": {
  "resp_pkts": 0,
  "id_orig_p": 5353,
  "local_resp": false,
  "uid": "Ci6Mji4NGqQu538N2a",
  "orig_asn": 0,
  …
}

"dns": {
  "query": "android.local",
  "answers": [ "android.local", "192.168.100.111" ],
  …
}

Slide 11

Scoped Fields

Slide 12

Log Normalization - Example

"@timestamp": "2017-04-26T00:19:16.900Z",
"@meta": {
  "resp_host": "17.167.193.45",
  "proc": "enp0s31f6-4",
  "system": "sensor001-001",
  "event_type": "network",
  "stream": "ssl",
  "related_ids": [
    "C6Gg0g1AXxTpLWzYka",
    "FCGlHcUbM98WHNDY7",
    "F3h8Ss1sPOTtapGGSa",
    "FnNRub2EJTB48nuqmc"
  ],
  "orig_host": "192.168.100.103",
  "resp_port": "443",
  "id": "C6Gg0g1AXxTpLWzYka",
  "orig_port": "49172"
}

Callouts on the slide:
• Log category (event_type)
• Connection-level metadata (orig_host, orig_port, resp_host, resp_port)
• Specific log type (stream)
• ID of this specific event (id)
• All related IDs in this log entry (related_ids)
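The normalization shown on the Log Normalization, Fieldname Normalization and Example slides, as an added illustration (not RockNSM's own Logstash pipeline): a raw Zeek/Bro JSON record becomes a document with @timestamp and @meta at the top level and the stream's own fields scoped under the stream name. The stream-to-category mapping is reconstructed from the slide, and the sample record, UIDs and sensor name are constructed.

```python
import json
from datetime import datetime, timezone

# Bro/Zeek stream -> RockNSM log category (event_type), reconstructed from the
# "Log Normalization" slide. Streams not listed fall back to "unknown".
STREAM_CATEGORY = {
    **dict.fromkeys(["conn", "dhcp", "dns", "ftp", "http", "kerberos", "ssl"], "network"),
    **dict.fromkeys(["files", "pe", "x509"], "files"),
    **dict.fromkeys(["intel", "notice", "notice_alarm", "signatures", "traceroute"], "detection"),
    **dict.fromkeys(["known_certs", "known_devices", "known_hosts", "known_modbus",
                     "known_services", "software"], "observations"),
    **dict.fromkeys(["capture_loss", "reporter", "stats"], "diagnostics"),
}

# Zeek connection-tuple columns -> the connection-level names used in @meta.
CONN_TUPLE = {"id.orig_h": "orig_host", "id.orig_p": "orig_port",
              "id.resp_h": "resp_host", "id.resp_p": "resp_port"}


def normalize(stream, raw, sensor="sensor-placeholder"):
    """Return a RockNSM-style document for one raw Zeek JSON record."""
    meta = {"system": sensor, "stream": stream,
            "event_type": STREAM_CATEGORY.get(stream, "unknown")}
    scoped, related = {}, []
    for key, value in raw.items():
        if key == "ts":            # promoted to @timestamp below, not kept in the stream
            continue
        if key in CONN_TUPLE:      # lift the 4-tuple into @meta; the slide shows ports as strings
            meta[CONN_TUPLE[key]] = str(value)
        if key in ("uid", "fuid") or key.endswith(("_uids", "_fuids")):
            related.extend(value if isinstance(value, list) else [value])
        scoped[key.replace(".", "_")] = value   # id.resp_p -> id_resp_p
    meta["id"] = raw.get("uid") or raw.get("fuid")          # this event's own ID
    meta["related_ids"] = list(dict.fromkeys(related))      # every ID seen, de-duplicated
    ts = datetime.fromtimestamp(raw["ts"], tz=timezone.utc)  # Zeek epoch seconds -> ISO 8601
    return {"@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
            "@meta": meta, stream: scoped}


# Constructed sample: one ssl.log record as Zeek's JSON writer would emit it.
SAMPLE_SSL = {
    "ts": 1493165956.9, "uid": "CEXAMPLE0000000001",
    "id.orig_h": "192.0.2.10", "id.orig_p": 49172,
    "id.resp_h": "198.51.100.45", "id.resp_p": 443,
    "version": "TLSv12", "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "established": True,
    "cert_chain_fuids": ["FEXAMPLE000000000A", "FEXAMPLE000000000B"],
}

if __name__ == "__main__":
    print(json.dumps(normalize("ssl", SAMPLE_SSL, sensor="sensor001-001"), indent=2))
```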

Slide 13

SO WHAT? Clean data drives clean analysis

Slide 14

Analysis Walkthrough

Slide 16

Analysis Walkthrough

Slide 17

Analysis Walkthrough

Slide 18

Analysis Walkthrough

Slide 19

Analysis Walkthrough

Slide 20

Analysis Walkthrough

Slide 21

Analysis Walkthrough

Slide 22

Traffic by Geography

Slide 23

IDS Alerts over Time

Slide 24

DNS Logs

Slide 25

Cross-Tab Filtering

Slide 26

VulnWhisperer
https://github.com/austin-taylor/VulnWhisperer

Slide 27

Austin Taylor
Chief Security Research Engineer @ IronNet Cybersecurity
Cyber Warfare Operator @ USAF (MDANG)
Security Consultant @ HA Security Solutions

Slide 28

VulnWhisperer
• Currently supports: Nessus & Qualys Web Applications
• Written in Python
• Custom risk scores
• Asset tagging
• Intended to create actionable data for defenders and metrics for managers (track risk over time)
https://github.com/austin-taylor/VulnWhisperer

Slide 29

The Need – Pre-Incident
• Identify critical assets
• Know thyself
• Where do I hunt?

Slide 30

The Need – Post-Incident
• What types of assets (by geography / department) have similar hosts?
• How many machines of each?
• Where should we prioritize remediation efforts?

Slide 31

VulnWhisperer - Full Logical Processing Pipeline
• Normalize, filter and enrich scan logs
• Filebeat sends the plaintext files
• JSON-structured log documents
• Prebuilt dashboards

Slide 32

Actionable Vulnerability Scans: invest time up front and save time when it matters

Slide 33

Track Risk Over Time

Slide 34

HELK Overview

Slide 36

Roberto Rodriguez “Cyb3rWard0g”
https://github.com/Cyb3rWard0g
https://cyberwardog.blogspot.com
https://twitter.com/Cyb3rWard0g

Slide 37

What does HELK stand for? Hunting ELK

Slide 38

WINLOGBEAT: collect all the logs from your Windows endpoints

Slide 39

Kafka: distributed publish-subscribe messaging system

Slide 40

LOGSTASH: process, normalize, parse, tag, enrich, transform… data

Slide 41

Normalize - Endpoint Data

Slide 42

AlienVault OTX (Open Threat Exchange)

Slide 43

ELASTICSEARCH: index on ingest = pay your taxes up front

Slide 44

KIBANA: visualize, analyze, search… data

Slide 45

ES-Hadoop connector: Apache Spark <-> Elasticsearch

Slide 46

Apache Spark: graph processing

Slide 47

GraphFrames: highly expressive graph queries

Slide 48

Jupyter Notebook: statistical modeling, numerical simulation, machine learning…

Slide 50

If only we had a hero

Slide 51

Andrew Pease
https://github.com/peasead
https://github.com/capesstack

Slide 52

Cyber Analytics Platform and Examination System (CAPES)
capesstack.io

Slide 53

Why?
Had a great hunt platform (RockNSM)
No IR platform
No intelligence pipeline capabilities
No way to communicate over distance
No (real) documentation

Slide 54

Requirements
Open source (obviously)
Self-hosted
OS/platform agnostic
API extensibility
• Secure OS
• Operator launch point
• IR tracking & management
• Documentation
• Observation enrichment
• Communication over distance
• Real-time collaboration

Slide 56

Operating System
RHEL compatible
SELinux
STIGs out of the box
CentOS

Slide 57

Operator launch point
Low barrier to entry
Single page for operators
Reverse proxy

Slide 58

Incident response tracking
Record observations
Scalable
Operational metrics
TheHive Project

Slide 59

Observation enrichment
IR platform compatible
Multiple data points

Slide 60

Documentation
Markdown / AsciiDoc
Accessible 24/7
Git
Git with a cup of tea (Gitea)

Slide 61

Communication
Indexed
Searchable
Tagging
File upload
Channels & DM
Rocket.Chat

Slide 62

Real-time Collaboration
“OneNote / Google Sheets” function
Plugins
Syntax highlighting
Etherpad

Slide 63

Real-time Monitoring
Monitors availability
Collects metrics
Logging
METRICBEAT, HEARTBEAT, FILEBEAT

Slide 65

Road Ahead
Ansible
Docker
Hardening
Pentest
Even more documentation

Slide 66

Cyber Analytics Platform and Examination System (CAPES)
capesstack.io

Slide 67

Security Analytics Architecture (diagram; components recovered from the slide)
Data sources: Web Proxies, EDR / EPP, IDS / IPS / NMS, SIEM, Scans, DNS, File, IP, Vulnerability Data & Threat Intelligence
Beats: HEARTBEAT, FILEBEAT, METRICBEAT, PACKETBEAT, WINLOGBEAT, AUDITBEAT
Messaging queue: Kafka, Redis
Logstash Workers (2+)
Elasticsearch with X-Pack, node roles: Master (3), Ingest (X), Data – Hot (X), Data – Warm (X), Machine Learning (2+), Coordinating (X), Alerting (X)
Elasticsearch clients: Kibana X-Pack Instances (2+), Custom UI, ES-Hadoop
Authentication / SSO: LDAP, AD; Notification

Slide 68

Thank You
● Web: www.elastic.co
● Products: https://www.elastic.co/products
● Forums: https://discuss.elastic.co/
● Community: https://www.elastic.co/community/meetups
● Twitter: @elastic