Ending the Tyranny of Expensive Security Tools: A New Hope


Who Am I?

• Michele Chubirka, aka "Mrs. Y.", Security Architect and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as security architecture and best practices.

chubirka@postmodernsecurity.com
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/

So Many Tools… So Little Budget

You Probably Already Have More Than You Need

• Many products have functionality that can be leveraged for security purposes.
• It's not about the best tool, but the one that gets the job done.
• Ignore the siren song of the shiny new toy.
• Expensive tools aren't a quick fix.

Explore Open Source

Many commercial products grew out of open source projects:

– Nmap
– Tripwire
– Sendmail
– ISC BIND/DHCP
– OpenSSL

Monitoring Tools

• Helpful in identifying anomalies.
• Can detect signs of malicious activity.
• Some provide canned compliance and security reports.
• Information can be correlated with data from security tools for better intrusion detection and incident response.
• Some keep historical data that is useful during and after a breach.

Monitoring Tool Examples

• MRTG
• Solarwinds Orion
• Nagios
• Netdisco
• Wireless Management Systems (WMS)

MRTG – Multi Router Traffic Grapher

Can detect anomalies in link utilization: a sustained spike on an outbound link can indicate data exfiltration, an inbound one a DDoS. The value is the baseline, so keep the graphs running before you need them.

Solarwinds Orion: NetFlow

Can detect anomalies, unusual traffic patterns and "top talkers" per host, port and conversation. Useful for incident response when you need to know who talked to whom and how much.

Nagios

Is it a security incident or just an outage?

Netdisco

Open source network management tool that keeps a history of MAC-to-IP address mappings. Useful for identifying and locating hosts for malware remediation and other incident response. Uses SNMP to collect ARP and MAC address tables from routers and switches, then stores them in a database so you can answer "which host had this IP last Tuesday?"

Compliance Initiatives?

• PCI DSS
• SOX
• HIPAA

Make existing tools work for you.

Solarwinds Orion: Compliance Reporting

Cisco Prime Network Control System

Cisco Prime NCS Reporting

Aerohive Hive Manager

Aerohive Reporting

System Tools

• Cron and Logcheck alerting
• Configuration management tools for automated patching, tracking and reporting:
  – Puppet
  – Chef
  – Microsoft System Center Configuration Manager (SCCM)
• Asset management, HIDS and file integrity tools:
  – Eracent
  – OSSEC

What changed? Was it authorized? When is an error an incident?

OSSEC: an open source host intrusion detection system (HIDS). Its file integrity monitoring can also be used to satisfy the PCI DSS change-detection requirement (11.5).

Network Controls and Tools

• ACLs and Route Maps
  – AOL's Trigger: open source network automation toolkit used for pushing out configs and security policies; turns your L3 devices into firewalls.
• Load Balancers (aka Application Delivery Controllers)
  – SYN cookies: mitigate SYN flood attacks
  – DDoS protection
  – Protocol checks
• Wireshark and NetworkMiner: protocol analysis tools
• RADIUS: provides authentication, authorization and accounting (AAA)
• 802.1X: port-based network access control

SYN Cookie

• Server receives a SYN.
• Sends a SYN+ACK whose initial sequence number is a cookie (a keyed hash over the connection's 4-tuple, a coarse timestamp and the client's MSS), then discards the original SYN instead of queueing a half-open connection.
• If the server receives the final ACK, it validates the cookie echoed in the acknowledgment number and reconstructs the SYN entry from the information encoded in that sequence number. A flood of SYNs that never complete the handshake therefore costs the server no memory.
• Caveat: options that appear only in the SYN (window scaling, SACK) are lost unless the stack can stash them elsewhere (Linux uses the TCP timestamp option), which is why stacks normally fall back to cookies only once the SYN backlog is full.
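The cookie construction above, as an added example modelled on the classic Bernstein/Linux scheme (not code from the deck or from any load balancer). Addresses, ports, the client's ISN and the secret are constructed values; the time counter is 64 s wide and only its low 8 bits fit in the cookie, which is what bounds how old an ACK may be.

```python
"""SYN cookies: the server's ISN in the SYN+ACK *is* the connection state.

Added example modelled on the classic Bernstein/Linux scheme, not code from
the deck or from any load balancer.  Addresses, ports and the secret are
constructed values.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Only a few MSS values are representable: the cookie carries an index into
# this table, not the MSS itself.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64      # seconds per time tick encoded in the cookie
MAX_AGE_TICKS = 2        # accept ACKs for cookies minted up to this many ticks ago
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1

# Constructed secret; a real stack generates one at boot and never shares it.
SECRET = hashlib.sha256(b"constructed syncookie secret").digest()


def _h(secret, saddr, daddr, sport, dport, count, tag):
    """Keyed 32-bit hash of the 4-tuple, a counter value and a domain tag."""
    msg = struct.pack("!4s4sHHIB", ip_address(saddr).packed, ip_address(daddr).packed,
                      sport, dport, count & 0xFFFFFFFF, tag)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """ISN for the SYN+ACK.  The SYN is then dropped: no backlog entry exists."""
    count = int(now) // COUNTER_PERIOD
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h1 = _h(secret, saddr, daddr, sport, dport, 0, 0)
    h2 = _h(secret, saddr, daddr, sport, dport, count, 1)
    # top 8 bits: time tick; low 24 bits: hash-masked MSS index; all offset by h1 + client ISN
    return (h1 + client_isn + (count << COOKIE_BITS) + ((h2 + mss_idx) & COOKIE_MASK)) & 0xFFFFFFFF


def check_cookie(secret, saddr, daddr, sport, dport, seq, ack, now):
    """Validate the handshake's ACK; return the MSS to use, or None if forged/stale."""
    client_isn = (seq - 1) & 0xFFFFFFFF   # the ACK's sequence number is client ISN + 1
    cookie = (ack - 1) & 0xFFFFFFFF       # its acknowledgment number is our ISN + 1
    count = int(now) // COUNTER_PERIOD
    h1 = _h(secret, saddr, daddr, sport, dport, 0, 0)
    v = (cookie - client_isn - h1) & 0xFFFFFFFF
    age = (count - (v >> COOKIE_BITS)) & 0xFF     # only 8 bits of the counter survive
    if age > MAX_AGE_TICKS:
        return None                                # stale, or a blind guess
    h2 = _h(secret, saddr, daddr, sport, dport, count - age, 1)
    mss_idx = (v - h2) & COOKIE_MASK
    if mss_idx >= len(MSS_TABLE):
        return None                                # hash mismatch: not our cookie
    return MSS_TABLE[mss_idx]


def handshake(now=1_700_000_000):
    """Three-way handshake plus two bogus ACKs; returns (mss, forged, stale)."""
    client, server, sport, dport = "192.0.2.10", "198.51.100.5", 51234, 443
    client_isn = 0x1234ABCD                        # constructed client ISN from the SYN
    # 1. SYN arrives; 2. we answer SYN+ACK with seq=cookie and keep nothing
    cookie = make_cookie(SECRET, client, server, sport, dport, client_isn, 1460, now)
    seq, ack = (client_isn + 1) & 0xFFFFFFFF, (cookie + 1) & 0xFFFFFFFF
    # 3. the real ACK 30 s later is accepted and yields the negotiated MSS
    mss = check_cookie(SECRET, client, server, sport, dport, seq, ack, now + 30)
    # a blind ACK that never saw the SYN+ACK: its guess is off in the time field
    forged = check_cookie(SECRET, client, server, sport, dport, seq,
                          ((cookie + (5 << COOKIE_BITS)) + 1) & 0xFFFFFFFF, now + 30)
    # the genuine ACK replayed ten ticks later is rejected as stale
    stale = check_cookie(SECRET, client, server, sport, dport, seq, ack,
                         now + 10 * COUNTER_PERIOD)
    return mss, forged, stale


if __name__ == "__main__":
    print(handshake())   # (1460, None, None)
```

The shape of the cookie is what matters: the part that is hashed with the time tick is masked to 24 bits so that a forged ACK has to hit both a recent tick and a valid table index, and the server never stores anything between the SYN and the ACK.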

NetworkMiner Network Forensic Analysis Tool

Free and professional editions; can sniff live or parse PCAP files. Focuses on collecting data about hosts (OS fingerprints, sessions, extracted files and credentials) rather than on packet-by-packet decoding.

Your Web Browser Is a Security Tool

Both Firefox and Chrome have free add-ons for application security inspection, testing and fuzzing.

• Groundspeed: application pentesting
• HttpFox: analyzer
• Live HTTP Headers: analyzer
• HackBar: application pentesting
• Wappalyzer: application reconnaissance
• PassiveRecon: web site reconnaissance
• Shodan web site and plugin: reconnaissance

Shodan

Search engine that indexes the banners of devices and services exposed on the Internet, a great many of them insecure. Is your network in Shodan?

DNS Sinkholes and RPZ

• DNS servers can be effective tools for blocking malware, phishing and spam.
• Support for Response Policy Zones (RPZ) was introduced with ISC BIND 9.8.
• An RBL for DNS: it turns the resolver into a "DNS firewall" by leveraging reputation feeds.
• Can block or redirect internal traffic associated with malicious activity (yes, just like OpenDNS).
• Bonus: because the sinkhole answer comes from your own resolver, the query log of RPZ hits is also a list of probably-infected hosts.
• Caveat: it only protects clients that use your resolver, so block outbound port 53 to anything else.

https://dnsrpz.info/
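How a resolver applies such a zone, as an added example (not code from the deck or from ISC): it emits a BIND RPZ zone file from a reputation feed and evaluates queries against it the way the QNAME trigger does. The feed entries, the zone name `rpz.local` and the sinkhole address are constructed; the `named.conf` fragment in the comments is the real BIND syntax for loading the zone.

```python
"""Response Policy Zone (RPZ) policy evaluation and zone generation.

Added example, not code from the deck or from ISC.  The feed entries, zone
name and sinkhole address are constructed.  It models the QNAME trigger only
(policy keyed on the name the client asked for); BIND also supports triggers
on the answer's IP, the nameserver name and the nameserver IP.

named.conf fragment that loads the zone (BIND 9.8 and later):
    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "rpz.local.db"; allow-query { localhost; }; };
"""

# The zone encodes the action as the RR on the owner name:
ACTION_RDATA = {
    "NXDOMAIN": "CNAME .",              # answer "no such name"
    "NODATA":   "CNAME *.",             # answer "name exists, no records"
    "PASSTHRU": "CNAME rpz-passthru.",  # exempt from policy (allow-list)
    "DROP":     "CNAME rpz-drop.",      # send no answer at all (added in a later BIND release)
    # "SINKHOLE" is local data: an A record pointing at our own server
}
SINKHOLE_IP = "192.0.2.1"   # constructed: internal web server that logs every hit
ZONE_NAME = "rpz.local"     # constructed zone name

# Constructed reputation feed.  "*." entries cover every subdomain but not the
# bare name itself, so malware.example needs both lines.
FEED = [
    ("malware.example", "NXDOMAIN"),
    ("*.malware.example", "NXDOMAIN"),
    ("*.phish.example", "SINKHOLE"),
    ("safe.phish.example", "PASSTHRU"),   # the one legitimate host under a bad domain
    ("c2.example", "DROP"),
]


def build_zone(feed, serial, zone=ZONE_NAME, ttl=300):
    """Emit a BIND zone file; owner names are relative to the RPZ zone's $ORIGIN."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 {ttl}",
        f"@ IN NS ns.{zone}.",
    ]
    for name, action in feed:
        rdata = f"A {SINKHOLE_IP}" if action == "SINKHOLE" else ACTION_RDATA[action]
        lines.append(f"{name} IN {rdata}")
    return "\n".join(lines) + "\n"


def lookup(feed, qname):
    """Most-specific match, as the QNAME trigger does: exact owner first, then
    wildcards from the closest parent outwards."""
    table = {name.lower(): action for name, action in feed}
    labels = qname.rstrip(".").lower().split(".")
    if ".".join(labels) in table:
        return table[".".join(labels)]
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in table:
            return table[wild]
    return None


def resolve(feed, qname, upstream_answer):
    """What the client gets back.  upstream_answer is the (constructed) answer
    the resolver would have returned without RPZ."""
    action = lookup(feed, qname)
    if action in (None, "PASSTHRU"):
        return upstream_answer
    if action == "NXDOMAIN":
        return "NXDOMAIN"
    if action == "NODATA":
        return "NOERROR (empty answer)"
    if action == "DROP":
        return None                       # resolver stays silent
    return SINKHOLE_IP                    # SINKHOLE: redirect to our own host


if __name__ == "__main__":
    print(build_zone(FEED, serial=2024010101))
    for q in ("www.malware.example", "login.phish.example", "safe.phish.example",
              "c2.example", "www.partner.example"):
        print(q, "->", resolve(FEED, q, "203.0.113.7"))
```

Pointing the sinkhole at a web server you control, rather than answering NXDOMAIN, is what turns a block into a detection: every client that lands there is a machine worth a visit.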

Fun with Wifi

• Kismet
  – An open source WIDS that works with any wireless card that supports monitor mode.
• Aircrack-NG
  – An open source reconnaissance, key-cracking and testing tool.

Aircrack-NG

Kismet

inSSIDer – notice any similarities?

Network Security Monitor: Security Onion

What's Inside?

• Snort
• Suricata
• Bro Network Security Monitor (since renamed Zeek)
• Argus and Ra
• Xplico
• NetworkMiner
• Sguil and Snorby
• ELSA

Kali Linux: the Kitchen Sink for Pentesters

Threat and Vulnerability Management with Zenmap, a GUI front-end to Nmap
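The part of vulnerability management that Zenmap's scan comparison gives you for free is the diff between two scans. As an added example (not code from the deck or from the Nmap project), the following parses `nmap -oX` output for two runs and reports new hosts, newly open ports, closed ports and changed service versions. Both XML documents are constructed, trimmed to the elements the code reads, and the hosts `10.0.0.5` to `10.0.0.7` are fictitious.

```python
"""Scan-to-scan diff over Nmap XML (nmap -oX): the core of a light-weight
vulnerability management loop built on Nmap/Zenmap.

Added example, not code from the deck or from the Nmap project.  Both scan
documents are constructed and trimmed to the elements this code reads.
"""
import ipaddress
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.0.0/29" version="7.80">
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.14.0"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.0.0.0/29" version="7.80">
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http" product="Jetty" version="9.4.31"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/><address addr="10.0.0.7" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
</ports></host>
</nmaprun>"""


def parse_scan(xml_text):
    """{ip: {(proto, port): (service, product, version)}} for every host that is
    up, counting only ports Nmap reports as open."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                (svc.get("name"), svc.get("product"), svc.get("version"))
                if svc is not None else (None, None, None))
        inventory[addr] = ports
    return inventory


def diff_scans(baseline, current):
    """Findings as (kind, host, port, detail) tuples; kinds are new-host,
    new-open-port, port-closed and service-changed."""
    findings = []
    for addr in sorted(set(baseline) | set(current), key=ipaddress.ip_address):
        old, new = baseline.get(addr, {}), current.get(addr, {})
        if addr not in baseline:
            findings.append(("new-host", addr, None, None))
        for proto, port in sorted(set(old) | set(new)):
            key, label = (proto, port), f"{port}/{proto}"
            if key not in old:
                findings.append(("new-open-port", addr, label, new[key]))
            elif key not in new:
                findings.append(("port-closed", addr, label, old[key]))
            elif old[key] != new[key]:
                findings.append(("service-changed", addr, label, (old[key], new[key])))
    return findings


def report():
    """Run the diff over the two constructed scans."""
    return diff_scans(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML))


if __name__ == "__main__":
    for kind, host, port, detail in report():
        print(f"{kind:16} {host:12} {port or '':10} {detail or ''}")
```

Run the baseline with the same `nmap` arguments every time (and keep the XML, not the screen output) or the diff will be dominated by scan noise rather than by change; a new telnet listener on a host that was down last week is the finding you want to see, a port that flips between open and filtered because of a timeout is not.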

Pentest Dropboxes aka "Creepers"

• Unobtrusive, small-form-factor device planted by pentesters (with written authorization) to gain a backdoor into a target network.
• Can be used to perform a security profile of your own infrastructure.
• Also usable as an inexpensive monitoring tool at a remote site.

Where You Can Find One

• Minipwner
• OG150
• PwnPi

Low cost open source alternatives to Pwnie Express.

Roll Your Own

• Raspberry Pi
• Intel NUC
• TP-Link portable routers running OpenWrt
• Pwnie Express even has a community edition you can build yourself.

Available Tools

• Aircrack-NG
• Iperf
• OpenVPN
• SSLStrip
• Tor
• TTCP
• Kismet

Get a Pineapple

A wireless network auditing tool: a highly customizable Wi-Fi router based on OpenWrt and Jasager.

Do You Always Need the Commercial Product?

• Suricata vs. Sourcefire
• Bro NSM vs. FireEye
• Security Onion or OSSIM vs. commercial SIEMs
• SANS Investigative Forensic Toolkit (SIFT) vs. EnCase
• Armitage or OG150 vs. Metasploit Pro
• FreeRADIUS vs. Cisco ISE
• OSSEC vs. Symantec Critical System Protection
• ELSA, Graylog, Logstash/Kibana vs. Splunk
• Nmap or Zenmap vs. Qualys

Security Isn’t About Managing Tools

• Good information security (and engineering) is about solving problems.

• You don’t always need to buy a product.

• Be Creative.

Resources

• Securitytube.net
• Hak5.org
• Metasploit Minute with @mubix
• OWASP
• Offensive Security

Questions?

Where Can You Find Me?

Michele Chubirka

Spending quality time in kernel mode.

Prefers Star Wars original trilogy.

http://postmodernsecurity.com

Twitter @MrsYisWhy

Google+ MrsYisWhy

chubirka@postmodernsecurity.com
