Conducting Defensive Information Warfare on Open Platforms Ben Tullis – (formerly of) LinuxIT (Europe) Ltd. 23rd October 2013 – LinuxCon Europe


Page 1: Conducting Defensive Information Warfare on Open Platforms

Conducting Defensive Information Warfare on Open Platforms

Ben Tullis – (formerly of) LinuxIT (Europe) Ltd.

23rd October 2013 – LinuxCon Europe

Page 2: Conducting Defensive Information Warfare on Open Platforms

Ben Tullis - Background

● Professional Linux sysadmin (etc.) for 12+ years

● Worked in several markets:

– Independent Software Vendor

– UK Government Research: (British Antarctic Survey)

– Managed Services Providers

– Specialist Linux Consultancy

● Broad experience of Linux and IT security:

– ...in the SME Sector

– ...in the Outsourced Enterprise Sector

Page 3: Conducting Defensive Information Warfare on Open Platforms

Presentation Topics

Defensive Information Warfare on Open Platforms

● Definitions, Threats, Targets, The Basics

● Increasing Network Visibility

● Increasing Host Visibility

● Log Management Tools & Techniques

● Collating and Presenting Security Information

● Focused Distributions

Page 4: Conducting Defensive Information Warfare on Open Platforms

What is Information Warfare?

It's a model that helps to achieve good security practice.

Comprised of four key elements:

1: Information Resources

These resources have intrinsic value to someone:

● Exchange value – how much is it worth?

● Operational value – how useful/important is it?

Page 5: Conducting Defensive Information Warfare on Open Platforms

What is Information Warfare?

2: Players of The Game

Offence

– In this context, the enemy.

– Could be anyone with Motive, Means & Opportunity to launch an attack on an Information Resource

– One or more of: insiders, hackers, criminals, corporations, governments, and terrorists

– Those ever-present “unknown unknowns”

Defence

– Everyone else, from individuals to governments

– Anyone with Information Resources to protect

– In this context, us

Page 6: Conducting Defensive Information Warfare on Open Platforms

What is Information Warfare?

3: Offensive Operations

Their aim is to:

● Increase the value of an Information Resource to an Offensive player.

● Decrease the value of an Information Resource to a Defensive player.

Three classes of attack

Increased availability of information for the offence e.g. espionage, identity theft, physical theft

Decreased integrity of information e.g. tampering, fabrication, perception management

Decreased availability of information for the defence e.g. sabotage, denial of service, physical theft

Page 7: Conducting Defensive Information Warfare on Open Platforms

What is Information Warfare?

4: Defensive Operations

Their aim is to:

● Protect Information Resources from these three forms of attack.

They must:

● Cost less than the losses that would occur in their absence.

Six classes of defensive operation

● Prevention

● Deterrence

● Indications and Warnings

● Detection

● Emergency Preparedness

● Response

Page 8: Conducting Defensive Information Warfare on Open Platforms

Random Threats - Can affect anyone equally

Examples:

● Malware distribution:

– Removable Media

– Infected Downloads

● IP Address scanning:

– Brute-force attacks

– Zero-day attacks

– e.g. Carna Botnet (420k node bot-net created by using default passwords)

● Wardriving

● Session Hijacking

Page 9: Conducting Defensive Information Warfare on Open Platforms

Focused Threats - We are the target

● Traditional Network Penetration:

– Dictionary Attacks

– Off-line Attacks (e.g. Cloudcracker)

● Known Exploits:

– Vulnerable Network Services

– Privilege Escalation

● Social Engineering

Page 10: Conducting Defensive Information Warfare on Open Platforms

Focused Threats - We are the target

Stealthy Devices: Requiring physical access

– Dropboxes e.g.

● Pwnie Express

● MiniPwner

● Pwn Pi

– Rogue Access Point e.g.

● WiFi Pineapple

– Key Stroke Loggers

– Miniature Cameras etc.

Page 11: Conducting Defensive Information Warfare on Open Platforms

Defining the Targets

They are/will be everywhere.

Page 12: Conducting Defensive Information Warfare on Open Platforms

Defending Information – The Basics

● Good documentation & communication

● Good passwords & security policies

● Appropriate physical security measures

● Well defined change-management procedures

● Apply security patches promptly

● Standardize where possible/appropriate

● Back it all up

Page 13: Conducting Defensive Information Warfare on Open Platforms

Defending Information – The Basics

● Your Monitoring Solution™ – Monitor everything you can think of

– Record as many metrics as possible

– Review its configuration periodically and...

● ...in response to change

● ...in response to significant incidents

– If appropriate, use multiple/parallel systems.

● Availability Monitoring

● Performance Monitoring

● Network Security Monitoring

Page 14: Conducting Defensive Information Warfare on Open Platforms

Increasing Network Visibility - Overview

Making the best possible haystack/needle finding machine:

– Capture as much network traffic as possible

– Scan captured traffic: NIDS

– Consider wireless protocols: WIDS

– Profile network traffic:

● Record detailed statistical information

● Visualise normal network behaviour

● Facilitates filtering-out of legitimate traffic

– Implement anomaly detection

Page 15: Conducting Defensive Information Warfare on Open Platforms

Capturing Ethernet Traffic

Often use Switch Mirror Ports (aka. SPAN or Monitor Port)

One port receives all traffic sent to/from the other ports.

Most smart/managed switches support this feature.

Another technique is to use a Network Tap

Page 16: Conducting Defensive Information Warfare on Open Platforms

Capturing Ethernet Traffic

Simplest case:

● All traffic passing through the switch is visible at the protective Monitoring Server

● Do not assign an IP address to the capture interface:

    # ifconfig eth1 up promisc

Page 17: Conducting Defensive Information Warfare on Open Platforms

Capturing Ethernet Traffic

Redundant System:

● Dual interfaces on all servers: active/active or active/passive

● One capture interface per switch

Page 18: Conducting Defensive Information Warfare on Open Platforms

Capturing Ethernet Traffic

Tree Topology - Option 1 – Remote Port Mirroring

● Requires high-end switches. e.g. Cisco, HP, H3C, Alcatel

● Send all captured traffic to a central location for analysis/profiling.

● Upgrade interface links as necessary.

● Uses VLANs to isolate the mirrored traffic.

● Fairly complex to configure.

Page 19: Conducting Defensive Information Warfare on Open Platforms

Capturing Ethernet Traffic

Tree Topology - Option 2 – Distributed Monitoring

Requires several capture servers

Remote servers send back:

● Events & Alerts

● Statistical traffic information

● System log files

Page 20: Conducting Defensive Information Warfare on Open Platforms

Network Intrusion Detection Systems

Snort

– Passive mode – Intrusion Detection

– Inline mode – Intrusion Prevention

– Searches network traffic for pattern matches

– Rules files updated daily

● Up-to-date VRT rules available immediately to subscribers

● VRT rules freely available to registered users after 30 days

● Community rules under GPL. A subset of the VRT rules

● Third-party rule sets available. e.g. http://www.emergingthreats.net

Page 21: Conducting Defensive Information Warfare on Open Platforms

Network Intrusion Detection Systems

Snort

– Update rules daily with one of:

● Oinkmaster

● Pulled Pork

– Expect to spend some time tuning:

● Main config file: snort.conf

● Rules files

● Ethernet interface configuration

e.g. Disable "Large Receive Offload" and "Generic Receive Offload" on the collector:

    ethtool -K eth1 gro off
    ethtool -K eth1 lro off

Page 22: Conducting Defensive Information Warfare on Open Platforms

Network Intrusion Detection Systems

Snort

– Each rule has an Action associated, e.g.

● Send an alert and log traffic.

● Simply drop the offending packets. (Inline mode)

● Reject the traffic: TCP reset. UDP unreachable. (Inline mode)

● Custom actions & custom log types

– Very flexible alerting and logging methods, e.g.

● Text → email alert & Pcap log file

● Syslog alert & logging to database

● Unified2 (recommended, high-performance format)

Page 23: Conducting Defensive Information Warfare on Open Platforms

Network Intrusion Detection Systems

Suricata

● IDS/IPS project started in 2009

– Multi-threaded for greater native performance

– Unified2 output by default

– Protocol detection. Not based on port number

– File identification by md5. Extract and save files from traffic

– Can use Snort rules and can co-exist

– http://suricata-ids.org/

Page 24: Conducting Defensive Information Warfare on Open Platforms

Network Intrusion Detection Systems

Bro

● Passive Network Analysis Platform:

– IDS features available – require custom scripting.

– Detailed statistical log files created

– Application-layer transcripts, e.g. HTTP, SSL etc.

– Cluster-aware for high-capacity analysis

– Scripting engine : Highly extensible

– Match MD5 against Team Cymru malware database

Page 25: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

● Current best practice in IEEE 802.11:

– Implement WPA2-Enterprise

● RADIUS – e.g. FreeRADIUS

● EAP – Strong Authentication

● hostapd + wpa_supplicant [+ OpenSSL]

– Implement IEEE 802.11w

● Management Frames Protected

● We consider two types of attack:

– A Rogue Access Point

– A De-Authentication Attack

Page 26: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

Kismet

● Monitor 802.11 traffic for known attack patterns:

– Use additional wireless radios in monitor mode

– (optionally) Channel-hop on the channels that you use

– Drones can be distributed network-wide

– Suitable for embedded use i.e. OpenWRT, DD-WRT etc.

– Client can view real-time client list and traffic

– Alerts can be sent via syslog

– Tap interface permits full 802.11 capture

Page 27: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

Kismet 1: Detecting rogue access points

(Diagram: Legitimate Clients)

Page 28: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

Kismet 1: Detecting rogue access points

Kismet

● On the server: kismet.conf

    ncsource=drone1:host=10.10.100.1,port=2502
    ncsource=drone2:host=10.10.100.2,port=2502
    alert=APSPOOF,10/min,1/sec
    apspoof=Tullix:ssid="Tullix",validmacs="00:11:22:33:44:55,AA:BB:CC:DD:EE:FF"
    allowplugins=true

● On the drones: kismet_drone.conf

    ncsource=wlan0:drone1:channellist=Tullix
    dronelisten=tcp://10.10.100.1:2502
    droneallowedhosts=10.10.0.1

Page 29: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

Kismet 2: Detecting a de-authentication attack

Page 30: Conducting Defensive Information Warfare on Open Platforms

Wireless Intrusion Detection Systems

Kismet 2: Detecting a de-authentication attack

● On the server: kismet.conf

    ncsource=drone1:host=10.10.100.1,port=2502
    ncsource=drone2:host=10.10.100.2,port=2502
    alert=DEAUTHFLOOD,5/min,2/sec
    alert=BCASTDISCON,5/min,2/sec
    allowplugins=true

Page 31: Conducting Defensive Information Warfare on Open Platforms

Network Traffic Profiling

Ntop and NtopNG

● Near real-time and historical information about:

– Hosts observed

– Protocol distribution

– Multicast/Broadcast frequency

– Who's talking to whom?

● Rich graphical interface

● Can also be used as a NetFlow Collector

● PF_RING allows multi-threaded libpcap analysis

Page 32: Conducting Defensive Information Warfare on Open Platforms

Network Traffic Profiling - NtopNG

Page 33: Conducting Defensive Information Warfare on Open Platforms

Network Traffic Profiling - Ntop

Page 34: Conducting Defensive Information Warfare on Open Platforms

NetFlow and friends

● A UDP protocol describing network traffic

● Many proprietary formats: NetFlow, sFlow, jflow, Rflow

● IETF proposed standard: IPFIX (== NetFlow v10)

Page 35: Conducting Defensive Information Warfare on Open Platforms

NetFlow Exporters

● Native support in high-end switches and routers

● Open Source exporters based on Libpcap (& PF_RING)

– Nprobe - http://www.ntop.org/products/nprobe/

– Fprobe - http://fprobe.sourceforge.net/

– Softflowd - http://code.google.com/p/softflowd/

– Rflow - https://en.wikipedia.org/wiki/DD-WRT#Features

● Also a feature of Open vSwitch - http://openvswitch.org/

● Netflow v5 and v9 are the most common formats

● Exporters send UDP packets to one or more collectors
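As an added illustration of what a collector actually receives (not code from Ntop, nfdump or any other tool named on these slides), the following decodes a NetFlow v5 export datagram and then runs a simple anomaly check over the decoded flows. The datagram is constructed in the block itself, as are the addresses, ports and the hypothetical threshold of five distinct targets.

```python
from __future__ import annotations
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

# NetFlow v5 wire format (network byte order): a 24-byte header followed by
# up to 30 fixed-size 48-byte flow records, one UDP datagram per export.
HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, octets, times, ports, ...
MAX_RECORDS = 30
SYN = 0x02

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int

def parse_v5(datagram: bytes) -> list[Flow]:
    """Decode one NetFlow v5 export datagram, checking version and length first."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count disagrees with datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # r: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
        #    srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, masks, pad2
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[9], r[10], r[13], r[5], r[6], r[12]))
    return flows

def syn_scan_sources(flows: list[Flow], min_targets: int = 5) -> dict[str, int]:
    """Sources whose one-packet, SYN-only TCP flows reach many distinct host:port targets."""
    targets: dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.tcp_flags == SYN and f.packets == 1:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def build_v5(records: list[tuple]) -> bytes:
    """Constructed stand-in for an exporter: (src, dst, sport, dport, proto, pkts, octets, flags)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                    pk, oc, 1000, 1000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in records)
    return HEADER.pack(5, len(records), 123456, 1382486400, 0, 1, 0, 0, 0) + body

# Constructed sample: one ordinary HTTP flow plus six SYN-only probes from 10.0.0.9.
SAMPLE = build_v5([("10.0.0.5", "192.0.2.10", 51000, 80, 6, 12, 9000, 0x1b)] +
                  [("10.0.0.9", "192.0.2.10", 40000 + p, p, 6, 1, 44, SYN)
                   for p in (21, 22, 23, 25, 80, 443)])
```

Bind a UDP socket on the collector port and pass each received datagram to parse_v5 to use this against a real exporter; nfdump stores far more per record than the eight fields kept here.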

Page 36: Conducting Defensive Information Warfare on Open Platforms

NetFlow Collectors

Ntop – Historical and statistical analysis

Nfdump / NfSen – Long-term NetFlow storage and detailed query

– Nfdump tool-set

● nfcapd – Collect netflow streams and save the information

● nfdump – Extract and report information from the stored files

● nfprofile – Report on a subset of traffic from the stored files

– NfSen web-interface

● Web front-end to analyse and query Nfdump files

● Dynamic graph generation, based on filters and time periods

Page 37: Conducting Defensive Information Warfare on Open Platforms

NfSen – NetFlow Sensor

Page 38: Conducting Defensive Information Warfare on Open Platforms

Anomaly Detection Tools

● Arpwatch / Arpalert

– Maintain a database of authorized MAC addresses

– Alert on any deviation – syslog or email

● PRADS - Passive Real-Time Asset Detection System

– Builds a list of hosts/services on the network

– Can be used to inform snort configuration

– prads-asset-report - what's been seen on the network?

● PBNJ – Active Network Asset Detection System

– Database of discovered hosts/services (nmap)

– Re-scan & diff

Page 39: Conducting Defensive Information Warfare on Open Platforms

Increasing Host Visibility - Overview

● Useful host-based tools

● Host-based Intrusion Detection Systems (HIDS)

Page 40: Conducting Defensive Information Warfare on Open Platforms

Host Visibility Tools

● etckeeper – Keep /etc under version control

Page 41: Conducting Defensive Information Warfare on Open Platforms

Host Visibility Tools

● atop – Retain Historical Process Information

Page 42: Conducting Defensive Information Warfare on Open Platforms

Host Visibility Tools

● auditd – The Linux Audit Daemon

– and audispd – The Linux Audit Dispatcher

Page 43: Conducting Defensive Information Warfare on Open Platforms

Host Visibility Tools

● lynis – Security audit script, with hardening suggestions

Page 44: Conducting Defensive Information Warfare on Open Platforms

Host-based Intrusion Detection Systems

● OSSEC

– Multi-platform – facilitates distributed security monitoring

– File integrity monitoring

– Log file monitoring

– Rootkit search

– Policy audit

– Email/syslog alerts

– SQL output

Page 45: Conducting Defensive Information Warfare on Open Platforms

Host-based Intrusion Detection Systems

● Samhain - File Integrity Monitor

– Client/Server mode

– Stand-alone mode

– Log file monitoring

– Hidden processes

– Stealth mode

– auditd integration

– SQL output

– Syslog output

● Beltane - web front-end

Page 46: Conducting Defensive Information Warfare on Open Platforms

Host-based Intrusion Detection Systems

● Tripwire – Lightweight file integrity monitor

– Define policy for file monitoring

– Create checksum databases of a clean system

– Mount /var/lib/tripwire on R/O media or R/O network share

– Checked by cron daily – email/syslog alert on change

– Update databases and policies as required

– Configuration, Policies and Databases digitally signed, requiring pass-phrase to update

Page 47: Conducting Defensive Information Warfare on Open Platforms

Host-based Intrusion Detection Systems

● AIDE – Advanced Intrusion Detection Environment

– Similar in scope and operation to Tripwire

– Simpler configuration including conf.d snippets

● Fcheck – Perl based file integrity monitor

– Older but dependable and useful in certain environments

● Stealth – Remote file integrity monitor over SSH

– http://stealth.sourceforge.net
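A miniature file integrity monitor in the spirit of the Tripwire and AIDE slides above, added here as an illustration and not code from either project: it baselines a directory tree, stores the baseline under an HMAC derived from a pass-phrase (standing in for Tripwire's signed databases), and reports added, removed and changed files. The scratch-directory layout, file contents and pass-phrase are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Baseline: digest, size and permission bits of every regular file below root."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            db[str(p.relative_to(root))] = {"sha256": _sha256(p), "size": st.st_size,
                                            "mode": oct(st.st_mode & 0o7777)}
    return db

def _key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def save_signed(db: dict, dbfile: Path, passphrase: str) -> None:
    """Store the baseline under an HMAC so it cannot be edited without the pass-phrase."""
    salt, body = os.urandom(16), json.dumps(db, sort_keys=True)
    tag = hmac.new(_key(passphrase, salt), body.encode(), "sha256").hexdigest()
    dbfile.write_text(json.dumps({"salt": salt.hex(), "body": body, "hmac": tag}))

def load_signed(dbfile: Path, passphrase: str) -> dict:
    """Verify the HMAC before trusting the baseline; raise on tampering or a wrong pass-phrase."""
    blob = json.loads(dbfile.read_text())
    key = _key(passphrase, bytes.fromhex(blob["salt"]))
    expect = hmac.new(key, blob["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, blob["hmac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(blob["body"])

def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed, or changed in content, size or permissions."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline.keys() & current.keys()
                              if baseline[p] != current[p])}

def demo() -> dict:
    """Constructed end-to-end run in a scratch directory; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dbfile, pw = Path(tmp) / "etc", Path(tmp) / "fim.db", "correct horse battery"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        save_signed(snapshot(root), dbfile, pw)
        # Next scheduled check: one file was edited and an unexpected file appeared.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "unexpected.conf").write_text("not in the baseline\n")
        report = compare(load_signed(dbfile, pw), snapshot(root))
        # Editing the stored baseline to hide the change must break verification.
        blob = json.loads(dbfile.read_text())
        blob["body"] = blob["body"].replace("ssh/sshd_config", "ssh/sshd_config.bak")
        dbfile.write_text(json.dumps(blob))
        try:
            load_signed(dbfile, pw)
            return {"report": report, "tamper_detected": False}
        except ValueError:
            return {"report": report, "tamper_detected": True}
```

As on the Tripwire slide, the baseline file belongs on read-only media or a read-only share and the pass-phrase stays off the monitored host; the HMAC only detects edits, it does not prevent deletion.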

Page 48: Conducting Defensive Information Warfare on Open Platforms

Log File Management

● syslog – Generally using rsyslog or syslog-ng now

– Centralize logs – including switches, routers, etc.

– e.g. Snare or eventlog-to-syslog for Windows

– TCP or RELP (rsyslog) can aid reliable network transfer

● Cryptographic Log Signing (GPG-13 requirement)

– Feature of rsyslog version 7.4+

– rsgtutil utility verifies signatures

    action(type="omfile" file="/var/log/syslog" sig.provider="gt" sig.keepTreeHashes="on" sig.keepRecordHashes="on")

Page 49: Conducting Defensive Information Warfare on Open Platforms

Log File Management

● Visualize/Analyse syslog data– e.g. Addiscon Loganalyzer [sic]

Page 50: Conducting Defensive Information Warfare on Open Platforms

Log File Management

● Visualize/search syslog data – alternatives

– ElasticSearch

– Graylog2

– Logstash

– Kibana

– ELSA

Page 51: Conducting Defensive Information Warfare on Open Platforms

Log File Management

● Application Logs – e.g. Web server

– Google Analytics != Web Log Analysis

– Piwik Log Analytics Mode - http://piwik.org/log-analytics/

Page 52: Conducting Defensive Information Warfare on Open Platforms

Active Response – Intrusion Prevention

● Snortsam – Firewall hosts using a Snort plugin

– Agent runs on/near firewall

● fail2ban - Firewall hosts from log file matches

– Authentication Failures

– Repeat Offender Handling

Page 53: Conducting Defensive Information Warfare on Open Platforms

Collating and Presenting Security Information

● Sagan – Scan log files for security related information

– Snort-like rules for pattern matching

– e.g. Handling our previous WIDS alert

    alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociated/deauthenticate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic;)

– Incorporate results into an IDS database

– Integrates with Snortsam Agent for active firewall response
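To show what the Sagan rule above does when it meets real log traffic, here is an added example (not Sagan's code) that applies the same program filter and pcre to syslog lines, then throttles repeated hits so a de-auth flood does not become an alert flood. The log lines are constructed for the demo; Kismet's real message text differs, only the alert names DEAUTHFLOOD and BCASTDISCON are taken from the slides, and the five-per-minute throttle is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# RFC 3164-style syslog line, e.g. "Oct 23 10:15:01 wids1 kismet_server: ...".
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

@dataclass
class Rule:
    msg: str
    program: str
    pcre: re.Pattern
    classtype: str

# The slide's Sagan rule expressed as data: same program filter and pcre.
KISMET_DEAUTH = Rule(msg="[KISMET] Spoofed disassociated/deauthenticate packets",
                     program="kismet_server",
                     pcre=re.compile(r"DEAUTHFLOOD|BCASTDISCON"),
                     classtype="suspicious-traffic")

@dataclass
class Alert:
    ts: str
    host: str
    msg: str
    classtype: str
    line: str

def parse_syslog(line: str):
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

def scan(lines, rules):
    """Apply each rule to each line; the program filter stops hits from unrelated daemons."""
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        for r in rules:
            if rec["prog"] == r.program and r.pcre.search(rec["msg"]):
                alerts.append(Alert(rec["ts"], rec["host"], r.msg, r.classtype, line))
    return alerts

def throttle(alerts, max_per_window=5, window=60):
    """Keep at most max_per_window alerts per (host, rule) per window seconds.
    Syslog timestamps carry no year, so a window straddling New Year is not handled."""
    kept, state = [], {}
    for a in alerts:
        t = datetime.strptime(a.ts, "%b %d %H:%M:%S")
        start, n = state.get((a.host, a.msg), (t, 0))
        if (t - start).total_seconds() >= window:
            start, n = t, 0
        if n < max_per_window:
            kept.append(a)
        state[(a.host, a.msg)] = (start, n + 1)
    return kept

# Constructed sample log: two Kismet alerts, one Kismet info line, and two unrelated
# lines (the last one contains the keyword but comes from the wrong program).
SAMPLE_LOG = """\
Oct 23 10:15:01 wids1 kismet_server: ALERT DEAUTHFLOOD 00:11:22:33:44:55 deauthenticate flood on Tullix
Oct 23 10:15:02 wids1 kismet_server: INFO new managed network Tullix BSSID 00:11:22:33:44:55
Oct 23 10:15:03 wids1 kismet_server: ALERT BCASTDISCON 00:11:22:33:44:55 broadcast disassociate on Tullix
Oct 23 10:15:04 wids1 sshd[2231]: Accepted publickey for ben from 10.10.0.1 port 51234 ssh2
Oct 23 10:15:05 web1 apache2: GET /search?q=DEAUTHFLOOD 200
""".splitlines()
```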

Page 54: Conducting Defensive Information Warfare on Open Platforms

Collating and Presenting Security Information

● Snorby – Web console collating IDS/IPS and Sagan alerts

– Integrates with OpenFPC for full packet capture

● Other consoles available – e.g. Sguil & Squert, BASE

Page 55: Conducting Defensive Information Warfare on Open Platforms

Focused Distributions

● AlienVault OSSIM : (Debian based)

– Open Core version of their full-featured USM product

● Nagios

● NfSen

● OSSEC

● Kismet

● Snort

● Suricata

● Ntop

● Arpwatch

● PADS

● OpenVAS

– Custom Correlation Engine

– Custom web framework

Page 56: Conducting Defensive Information Warfare on Open Platforms

Focused Distributions

● The Security Onion : (Ubuntu based)

● Snort

● Suricata

● Bro

● Sguil

● Squert

● Snorby

● ELSA

● Netsniff-NG

● OSSEC

● PRADS

● Xplico

● NetworkMiner

● CapME

● Argus

Page 57: Conducting Defensive Information Warfare on Open Platforms

Summary

Conducting Defensive Information Warfare

● Maximum network visibility

● Maximum host visibility

● Rigorous log file management

● Rapid analysis and response

Page 59: Conducting Defensive Information Warfare on Open Platforms

Image attributions

Thanks to Creative Commons:

● http://www.flickr.com/photos/pasukaru76/5108255589/

● http://idle.slashdot.org/story/08/10/01/231247/man-uses-remote-logon-to-help-find-laptop-thief

● http://www.article-3.com/criminal-law-laptop-theft-protection-92052

● http://www.flickr.com/photos/pingdom/5370307776/

● http://www.geograph.org.uk/photo/2472373

● http://hakshop.myshopify.com/products/wifi-pineapple-holiday-bundle

● http://www.cctvcameradvrs.com/4gb-mini-spy-camera-with-voice-control

● http://www.flickr.com/photos/fastjack/282707058/

● http://www.insuretrust.com/study-finds-cyber-crime-costly-ever

● http://www.telegraph.co.uk/technology/news/8262628/Cyber-attacks-could-cause-global-catastrophe.html

● http://mtitechsolutions.com/blog/types-of-attacks.html

● http://en.wikipedia.org/wiki/File:Snort_ids_logo.png

● http://www.bro.org

● http://commons.wikimedia.org

● https://en.wikipedia.org/wiki/File:NetFlow_Architecture_2012.png

● http://nfsen.sourceforge.net/

● http://www.ossec.net/doc/manual/ossec-architecture.html

● http://logstash.net/images/logstash.png

● http://deinoscloud.wordpress.com/2012/11/01/esxigraylog2-quickstart/

● http://www.elasticsearch.org/

● http://www.jesuisungeek.net/index.php?post/2013/01/31/Installer-Kibana-par-Puppet-partie-1

● http://munin.alexdpsg.net/alexdpsg.net/munin.alexdpsg.net/fail2ban-month.png

● http://en.wikipedia.org/wiki/File:Alienvault_capture.png

● http://openclipart.org

Explicit Permission Granted:

● Pwnie Express - http://pwnieexpress.com/

● MiniPwner - http://www.minipwner.com/