Defensive Information Warfare on Linux Systems

A look at some of the tools and techniques which can help anyone to build computer systems with security at their core, using free and Open Source tools.

Ben Tullis

April 26, 2014

Transcript

  1. Conducting Defensive Information Warfare on Linux Systems
     Ben Tullis – System Administrator
     26th April 2014 – South Wales Linux User Group
  2. Presentation Topics – Defensive Information Warfare on Linux Systems
     1. Intro, Definitions
     2. Increasing Network Visibility
     3. Increasing Host Visibility
     4. Log Management Tools & Techniques
     5. Collating and Presenting Security Information
     6. Focused Distributions
  3. 1.2 What is Information Warfare?
     It's a model used to help achieve good infosec practice, comprised of 4 elements:
     1: Information Resources
     2: Players of The Game – Offence, Defence
  4. 1.3 What is Information Warfare?
     3: Offensive Operations
     4: Defensive Operations
     Defensive operations aim to:
     • Protect Information Resources from attack.
     They must:
     • Cost less than the losses that would occur in their absence.
  5. 1.4 What is Information Warfare? – Six classes of defensive operation
     1. Prevention
     2. Deterrence
     3. Indications and Warnings
     4. Detection
     5. Emergency Preparedness
     6. Response
  6. 2.1 Increasing Network Visibility
     Making the best possible haystack/needle-finding machine:
     1. Capture all relevant network traffic
     2. Scan captured traffic: NIDS
     3. Consider wireless protocols: WIDS
     4. Profile network traffic
        • Visualise normal network behaviour
        • Facilitates filtering-out of legitimate traffic
     5. Implement anomaly detection
  7. 2.3 Network Intrusion Detection Systems
     Snort
     – Passive mode – Intrusion Detection
     – Inline mode – Intrusion Prevention
     – Searches network traffic for pattern matches
     – Rules files updated daily
     Suricata
     – IDS/IPS project started in 2009
     – Multi-threaded for greater native performance
     – Protocol detection, not based on port number
     – Can use Snort rules and can co-exist
  8. 2.4 Network Intrusion Detection Systems
     Bro
     • Passive Network Analysis Platform:
       – IDS features available – require custom scripting.
       – Detailed statistical log files created
       – Application-layer transcripts, e.g. HTTP, SSL etc.
       – Cluster-aware for high-capacity analysis
       – Scripting engine: highly extensible
         – e.g. Match file MD5 against Team Cymru malware database
  9. 2.5 Wireless Intrusion Detection Systems
     Kismet
     • Monitor 802.11 traffic for known attack patterns:
       – Use additional wireless radios in monitor mode
       – (optionally) Channel-hop on the channels that you use
       – Kismet Drones can be distributed network-wide
       – Suitable for embedded use, i.e. OpenWRT, DD-WRT etc.
       – Kismet Clients can view real-time host list and traffic
       – Alerts sent via syslog
       – Permits full 802.11 capture
  10. 2.7 Wireless Intrusion Detection Systems
      Kismet – Detecting a de-authentication attack
      • On the server: kismet.conf
        ncsource=drone1:host=10.10.100.1,port=2502
        ncsource=drone2:host=10.10.100.2,port=2502
        alert=DEAUTHFLOOD,5/min,2/sec
        alert=BCASTDISCON,5/min,2/sec
        allowplugins=true
  11. 2.8 Network Traffic Profiling
      Ntop and NtopNG
      • Near real-time and historical information about:
        – Hosts observed
        – Protocol distribution
        – Multicast/Broadcast frequency
        – Who's talking to whom?
      • Can also be used as a NetFlow Collector
  12. 2.10 NetFlow and friends
      • A UDP protocol describing network traffic
      • Many subtle variations: NetFlow, sFlow, jflow, Rflow
      • IETF proposed standard: IPFIX (== NetFlow v10)
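To make the "UDP protocol describing network traffic" concrete, here is an added example (not code from the talk) that decodes a NetFlow v5 export datagram and aggregates top talkers from it, the same job a collector such as nfdump or ntop does at scale. The field layout follows the public NetFlow v5 format (24-byte header, 48-byte records); the datagram, addresses and counters are constructed for the example, and a truncated datagram is rejected rather than partially trusted.

```python
# Added example (not code from the talk): a minimal NetFlow v5 parser.
# Field layout follows the public NetFlow v5 export format; the sample
# datagram below is constructed by hand.
import ipaddress
import struct

HEADER_FMT = "!HHIIIIBBH"                # version .. sampling_interval (24 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr .. pad2 (48 bytes)
HEADER_SIZE = struct.calcsize(HEADER_FMT)
RECORD_SIZE = struct.calcsize(RECORD_FMT)


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one exporter datagram; refuse truncated or non-v5 data."""
    if len(datagram) < HEADER_SIZE:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_SIZE + count * RECORD_SIZE:
        # A collector must not trust a partial record set: drop the datagram.
        raise ValueError("datagram truncated: header count exceeds payload")
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_SIZE + i * RECORD_SIZE)
        records.append({
            "src": str(ipaddress.IPv4Address(src)), "sport": sport,
            "dst": str(ipaddress.IPv4Address(dst)), "dport": dport,
            "proto": proto, "packets": pkts, "octets": octets,
            "tcp_flags": tcp_flags, "duration_ms": last - first,
        })
    return {
        "version": version, "unix_secs": unix_secs, "flow_sequence": flow_seq,
        "engine": (engine_type, engine_id),
        # top two bits of the field are the sampling mode, the rest the interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def top_talkers(parsed: dict, n: int = 5) -> list:
    """Aggregate octets per source address, largest first."""
    totals = {}
    for r in parsed["records"]:
        totals[r["src"]] = totals.get(r["src"], 0) + r["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def _record(src, dst, proto, sport, dport, pkts, octets, flags=0):
    """Pack one constructed 48-byte flow record (first/last uptime in ms)."""
    return struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                       1, 2, pkts, octets, 1000, 4000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram: two flows, as a softflowd-style exporter might send.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 123456, 1398513600, 0, 42, 0, 0, 0)
    + _record("10.10.100.5", "192.0.2.10", 6, 51234, 443, 12, 1500, 0x1B)
    + _record("10.10.100.7", "192.0.2.53", 17, 40000, 53, 1, 72)
)

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for rec in flows["records"]:
        print(rec)
    print(top_talkers(flows))
```

Feeding this from a real socket is a matter of `recvfrom()` on the collector port and passing each datagram to `parse_netflow_v5`; the flow_sequence field is worth tracking per exporter, since gaps in it indicate lost exports and therefore blind spots in the profile.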
  13. 2.11 NetFlow Sensor System
      NetFlow Exporters
      • Nprobe
      • Fprobe
      • Softflowd
      • Rflow
      NetFlow Collectors
      • Nfdump / NfSen
      • Ntop
  14. 2.12 Anomaly Detection Tools
      • Arpwatch / Arpalert
        – Maintain a database of authorized MAC addresses
        – Alert on any deviation – syslog or email
      • PRADS - Passive Real-Time Asset Detection System
        – Builds a list of hosts/services on the network
        – Can be used to inform Snort configuration
        – prads-asset-report - what's been seen on the network?
      • PBNJ – Active Network Asset Detection System
        – Database of discovered hosts/services (nmap)
        – Re-scan & diff
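Both halves of this slide reduce to the same idea: keep a baseline and alert on deviation. The following added example (not arpwatch's, PRADS's or PBNJ's own code) shows the two checks side by side: arpwatch-style IP-to-MAC comparison that reports new stations and changed Ethernet addresses, and a PBNJ-style diff of two service scans. The station table, ARP observations and scan results are all constructed.

```python
# Added example (not code from the talk or the tools it names): baseline
# versus observation checks in the style of arpwatch and PBNJ.
from collections import namedtuple

ArpEvent = namedtuple("ArpEvent", "ip mac iface")

# Constructed baseline of authorised stations (what arpwatch keeps in arp.dat).
KNOWN_STATIONS = {
    "10.10.100.1": "00:11:22:33:44:01",   # gateway
    "10.10.100.5": "00:11:22:33:44:05",
    "10.10.100.7": "00:11:22:33:44:07",
}


def check_arp(events, known):
    """arpwatch-style check. Returns (alerts, updated_table).

    new station            -> an IP never seen before
    changed ethernet address -> a known IP now answered by a different MAC,
                              the classic symptom of ARP spoofing or a
                              replaced device; worth a syslog/email alert.
    """
    table = dict(known)
    alerts = []
    for ev in events:
        mac = ev.mac.lower()
        if ev.ip not in table:
            alerts.append(("new station", ev.ip, mac, ev.iface))
            table[ev.ip] = mac
        elif table[ev.ip] != mac:
            alerts.append(("changed ethernet address", ev.ip,
                           f"{table[ev.ip]} -> {mac}", ev.iface))
            table[ev.ip] = mac
    return alerts, table


def diff_scans(previous, current):
    """PBNJ-style re-scan comparison over (host, port, proto, service) tuples."""
    prev, cur = set(previous), set(current)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


# Constructed observations: one normal reply, one unknown host, and the
# gateway IP suddenly answered by a different MAC.
OBSERVED = [
    ArpEvent("10.10.100.5", "00:11:22:33:44:05", "eth0"),
    ArpEvent("10.10.100.9", "00:11:22:33:44:09", "eth0"),
    ArpEvent("10.10.100.1", "DE:AD:BE:EF:00:01", "eth0"),
]

# Constructed scan results from two consecutive runs.
SCAN_MONDAY = {
    ("10.10.100.5", 22, "tcp", "ssh"),
    ("10.10.100.5", 80, "tcp", "http"),
    ("10.10.100.7", 22, "tcp", "ssh"),
}
SCAN_TUESDAY = {
    ("10.10.100.5", 22, "tcp", "ssh"),
    ("10.10.100.5", 80, "tcp", "http"),
    ("10.10.100.5", 4444, "tcp", "unknown"),
}

if __name__ == "__main__":
    for alert in check_arp(OBSERVED, KNOWN_STATIONS)[0]:
        print("ARP:", alert)
    print("SCAN:", diff_scans(SCAN_MONDAY, SCAN_TUESDAY))
```

The scan diff is deliberately symmetric: a service that disappears (here, SSH on 10.10.100.7) is as much a change worth a ticket as one that appears, since it may mean a host is down or a firewall rule has changed.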
  15. 3.3 Host Visibility Tools - auditd
      • auditd – The Linux Audit Daemon
      • audispd – The Linux Audit Dispatcher
  16. 3.4 Host Visibility Tools - lynis
      • lynis – Security audit script, with hardening suggestions
  17. 3.5 Host-based Intrusion Detection Systems
      • OSSEC
        – Multi-platform
        – File integrity monitoring
        – Log file monitoring
        – Rootkit search
        – Policy audit
        – Email/syslog alerts
        – SQL output
  18. 3.6 Host-based Intrusion Detection Systems
      • Samhain - File Integrity Monitor
        – Client/Server mode
        – Stand-alone mode
        – Log file monitoring
        – Hidden processes
        – auditd integration
        – SQL output
        – Syslog output
      • Beltane - web front-end
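File integrity monitoring is the feature both of these HIDS slides share, so here is an added example (not OSSEC's or Samhain's code) of its core: snapshot every regular file under a root as (SHA-256, permission bits, size), then compare a later snapshot against the baseline and report added, removed and changed files, distinguishing content changes from permission changes. The sample tree is created in a temporary directory with constructed contents; a real deployment would store the baseline off-host and sign it, since a baseline the attacker can rewrite proves nothing.

```python
# Added example (not code from OSSEC, Samhain or the talk): a minimal
# file integrity monitor. The sample file tree is constructed in a temp dir.
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256, mode bits, size) for regular files under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: a real FIM records them too
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            base[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return base


def compare(baseline, current):
    """Report paths added, removed, or changed (and what changed) since baseline."""
    report = {"added": [], "removed": [], "changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            what = []
            if baseline[path][0] != current[path][0]:
                what.append("content")
            if baseline[path][1] != current[path][1]:
                what.append("mode")
            report["changed"].append((path, what))
    return report


def _write(path, text, mode=0o644):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)  # fixed mode so the baseline does not depend on umask


def demo():
    """Build a constructed tree, take a baseline, make four kinds of change, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(etc, "ssh_config"), "PermitRootLogin no\n")
        _write(os.path.join(etc, "motd"), "Authorised users only.\n")
        baseline = snapshot(root)

        # Simulated changes between two FIM runs (constructed):
        _write(os.path.join(etc, "passwd"),                       # content change
               "root:x:0:0:root:/root:/bin/bash\n"
               "guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(os.path.join(etc, "ssh_config"), 0o600)          # mode change only
        _write(os.path.join(etc, "new.conf"), "x=1\n")            # added file
        os.remove(os.path.join(etc, "motd"))                      # removed file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Mode is compared separately from content because a silently loosened permission on an unchanged file is exactly the kind of change hash-only checks miss.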
  19. 4.1 Log File Collection
      • syslog
        – Centralize logs – including switches, routers, etc.
        – e.g. Snare or eventlog-to-syslog for Windows
      • Cryptographic Log Signing
        – Feature of rsyslog version 7.4+
        – rsgtutil utility verifies signatures
          action(type="omfile" file="/var/log/syslog" sig.provider="gt" sig.keepTreeHashes="on" sig.keepRecordHashes="on")
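The rsyslog options above (keepRecordHashes, keepTreeHashes) name the two pieces of the scheme, so here is an added example (not rsyslog's implementation) of cryptographic log signing in simplified form: each record is hashed into a chain (the record hashes), a Merkle root over those hashes is the tree hash, and the root is signed. The signature is an HMAC under a constructed key standing in for the GuardTime timestamp signature that rsyslog's "gt" provider uses; everything else is the real structure. The log lines are constructed.

```python
# Added example (not rsyslog's code): hash-chained log records, a tree hash
# over them, and a signature over the tree hash. HMAC with a constructed key
# stands in for the external timestamping signature rsyslog uses.
import hashlib
import hmac


def record_hashes(lines):
    """Chain: h_i = SHA-256(h_{i-1} || line_i), with h_0 = SHA-256(empty)."""
    prev = hashlib.sha256(b"").digest()
    out = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        out.append(prev)
    return out


def tree_hash(leaves):
    """Merkle root over the record hashes (odd levels duplicate the last node)."""
    level = list(leaves) or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(a + b).digest()
                 for a, b in zip(level[::2], level[1::2])]
    return level[0]


def sign_block(lines, key):
    """Produce the signature block stored beside the log file."""
    hashes = record_hashes(lines)
    root = tree_hash(hashes)
    return {"count": len(lines), "record_hashes": hashes, "tree_hash": root,
            "sig": hmac.new(key, root, hashlib.sha256).digest()}


def verify_block(lines, sigblock, key):
    """Recompute everything from the log text; return (ok, reason)."""
    if len(lines) != sigblock["count"]:
        return False, f"record count {len(lines)} != signed count {sigblock['count']}"
    hashes = record_hashes(lines)
    for i, (h, stored) in enumerate(zip(hashes, sigblock["record_hashes"])):
        if h != stored:
            return False, f"record {i} differs from signed hash"  # first tampered line
    root = tree_hash(hashes)
    expected = hmac.new(key, root, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sigblock["sig"]):
        return False, "tree hash signature invalid"  # stored hashes were rewritten too
    return True, "ok"


# Constructed sample log and key.
KEY = b"constructed-demo-signing-key"
LOG = [
    "Apr 26 12:00:01 gw01 sshd[2231]: Accepted publickey for ben from 10.10.100.5 port 50000 ssh2",
    "Apr 26 12:00:05 gw01 sshd[2240]: Failed password for root from 198.51.100.9 port 40122 ssh2",
    "Apr 26 12:00:09 gw01 sudo: ben : TTY=pts/0 ; PWD=/home/ben ; USER=root ; COMMAND=/bin/journalctl",
]

if __name__ == "__main__":
    block = sign_block(LOG, KEY)
    print(verify_block(LOG, block, KEY))
    edited = LOG[:]
    edited[1] = edited[1].replace("Failed", "Accepted")
    print(verify_block(edited, block, KEY))
```

Note the two failure reasons: editing a line trips the record-hash comparison, while an attacker who rewrites both the log and the stored record hashes is caught by the signature over the tree hash, which is why the signing key (or the external timestamp service) must be out of reach of the host producing the logs.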
  20. 4.3 Log File Analysis
      • Sagan
        – Scan log files for security related information
        – Snort-like rules for pattern matching
        – e.g. Handling our previous WIDS alert:
          alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociated/deauthenticate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic;)
        – Incorporate results into an IDS database
        – Integrates with Snortsam Agent for active firewall response
  21. 4.4 Active Response – Intrusion Prevention
      • Snortsam – Firewall hosts using a Snort plugin
        – Agent runs on/near firewall
      • fail2ban - Firewall hosts from log file matches
        – Authentication Failures
        – Repeat Offender Handling
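The Sagan rule on the previous slide and the fail2ban behaviour on this one are two halves of one pipeline: match syslog lines against program plus pcre, then apply a threshold-and-ban policy to the matches. The following added example (not Sagan's or fail2ban's code) runs both over constructed log lines: the Kismet rule from the slide, a second constructed rule for sshd authentication failures, and a fail2ban-style policy with maxretry/findtime/bantime semantics and escalating bans for repeat offenders. Hosts, addresses and the Kismet alert text are constructed; the sshd line format is the standard OpenSSH one.

```python
# Added example (not Sagan's or fail2ban's code): Sagan-style syslog rules
# feeding a fail2ban-style repeat-offender policy. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

RULES = [
    {   # the Kismet rule from the slide, as program + pcre + classtype
        "msg": "[KISMET] Spoofed disassociated/deauthenticate packets",
        "program": "kismet_server", "classtype": "suspicious-traffic",
        "pcre": re.compile(r"DEAUTHFLOOD|BCASTDISCON"),
    },
    {   # constructed companion rule: sshd failures, capturing the source IP
        "msg": "[OPENSSH] Authentication failure",
        "program": "sshd", "classtype": "unsuccessful-user",
        "pcre": re.compile(r"Failed password for (?:invalid user )?\S+ from "
                           r"(?P<ip>\d+\.\d+\.\d+\.\d+)"),
    },
]


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def to_epoch(ts, year=2014):
    """BSD syslog timestamps carry no year; assume the deck's year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year).timestamp()


def run_rules(lines, rules):
    """Evaluate every rule against every parsable line; return alert dicts."""
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        for rule in rules:
            if rule["program"] != rec["prog"]:
                continue
            m = rule["pcre"].search(rec["msg"])
            if m:
                alerts.append({"ts": rec["ts"], "host": rec["host"],
                               "msg": rule["msg"], "classtype": rule["classtype"],
                               "ip": m.groupdict().get("ip")})
    return alerts


class BanPolicy:
    """fail2ban-style: maxretry failures within findtime -> ban for bantime,
    doubling for each repeat offence by the same address."""

    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # ip -> timestamps in current window
        self.offences = defaultdict(int)    # ip -> number of bans so far
        self.bans = {}                      # ip -> ban expiry (epoch seconds)

    def record(self, ip, now):
        """Register one failure; return the ban duration if a ban was triggered."""
        window = [t for t in self.failures[ip] if now - t <= self.findtime]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.offences[ip] += 1
            duration = self.bantime * 2 ** (self.offences[ip] - 1)
            self.bans[ip] = now + duration
            self.failures[ip] = []
            return duration
        return None


def respond(alerts, policy):
    """Feed alerts that carry a source IP into the policy; return bans issued."""
    bans = []
    for a in alerts:
        if a["ip"]:
            duration = policy.record(a["ip"], to_epoch(a["ts"]))
            if duration:
                bans.append((a["ip"], duration))
    return bans


# Constructed sample log lines (Kismet alert wording is invented for the example).
LOG = [
    "Apr 26 12:00:01 wids01 kismet_server: ALERT DEAUTHFLOOD Deauthenticate flood seen on channel 6",
    "Apr 26 12:00:05 gw01 sshd[2231]: Failed password for root from 198.51.100.9 port 40122 ssh2",
    "Apr 26 12:00:09 gw01 sshd[2233]: Failed password for invalid user admin from 198.51.100.9 port 40123 ssh2",
    "Apr 26 12:00:14 gw01 sshd[2235]: Failed password for root from 198.51.100.9 port 40124 ssh2",
    "Apr 26 12:00:20 gw01 sshd[2240]: Accepted publickey for ben from 10.10.100.5 port 50000 ssh2",
    "Apr 26 12:01:00 wids01 kismet_server: ALERT BCASTDISCON Broadcast disassociation seen on channel 6",
]

if __name__ == "__main__":
    found = run_rules(LOG, RULES)
    for a in found:
        print(a)
    print("bans:", respond(found, BanPolicy()))
```

The `program:` match is doing real work here: the same pcre applied to every line would also fire on, say, a ticketing system logging the word DEAUTHFLOOD, which is the sort of false positive a console full of Sagan alerts quickly teaches you to suppress at the rule rather than downstream.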
  22. Collating and Presenting Security Information
      • Snorby – Web console collating IDS/IPS and Sagan alerts
        – Integrates with OpenFPC for full packet capture
      • Other consoles available – e.g. Sguil & Squert, BASE
  23. Focused Distributions
      • AlienVault OSSIM: (Debian based)
        – Open Core version of their full-featured USM product
        • Nagios • NfSen • OSSEC • Kismet • Snort • Suricata • Ntop • Arpwatch • PADS • OpenVAS
        – Custom Correlation Engine
        – Custom web framework
  24. Focused Distributions
      • The Security Onion: (Ubuntu based)
        • Snort • Suricata • Bro • Sguil • Squert • Snorby • ELSA • Netsniff-NG • OSSEC • PRADS • Xplico • NetworkMiner • CapME • Argus
  25. Summary – Conducting Defensive Information Warfare
      • Maximum network visibility
      • Maximum host visibility
      • Rigorous log file management
      • Rapid analysis and response