Ending the Tyranny of Expensive Security Tools: A New Hope
Transcript of Ending the Tyranny of Expensive Security Tools: A New Hope
Who Am I?
• Michele Chubirka, aka “Mrs. Y.”, Security Architect and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as security architecture and best practices.
[email protected]
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/
So Many Tools….
So Little Budget
You Probably Already Have More Than You Need
• Many products have functionality that can be leveraged for security purposes.
• It’s not about the best tool, but the one that gets the job done.
• Ignore the siren song of the shiny new toy.
• Expensive tools aren’t a quick fix.
Explore Open Source
Many commercial products developed out of open source projects:
– Nmap
– Tripwire
– Sendmail
– ISC BIND/DHCP
– OpenSSL
Monitoring Tools
• Helpful in identifying anomalies.
• Can detect signs of malicious activity.
• Some provide canned compliance and security reports.
• Information can be correlated with data from security tools for better intrusion detection and incident response.
• Some keep historical data that is useful during and after a breach.
Monitoring Tool Examples
• MRTG
• Solarwinds Orion
• Nagios
• Netdisco
• Wireless Management Systems (WMS)
MRTG – Multi Router Traffic Grapher
Can detect anomalies in link usage, indicating possible data exfiltration or DDoS.
Solarwinds Orion: Netflow
Can detect anomalies, indicating unusual patterns of traffic and “top talkers.” Useful for incident response.
Nagios
Is it a security incident or just an outage?
Netdisco
Open source network management tool that keeps a history of MAC-to-IP address mappings. Useful in identifying hosts for malware remediation and other incident response. Uses SNMP to collect ARP and MAC tables, then stores them in a database.
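An added example (not Netdisco's own code) of why that stored history matters: timestamped ARP and bridge-table polls let a responder ask which host held an IP at the time of an alert, not just now. The poll rows below are constructed; a real collector would walk ipNetToMediaTable and dot1dTpFdbTable over SNMP and write to a database.

```python
# Constructed sample polls: routers' ARP tables and switches' MAC (bridge) tables,
# each row tagged with the poll time. In a deployment these come from SNMP walks.
ARP_POLLS = [  # (poll_time, router, ip, mac)
    (100, "rtr1", "10.0.0.10", "00:11:22:33:44:55"),
    (200, "rtr1", "10.0.0.10", "00:11:22:33:44:55"),
    (300, "rtr1", "10.0.0.10", "aa:bb:cc:dd:ee:ff"),  # DHCP lease moved to a new host
    (400, "rtr1", "10.0.0.10", "aa:bb:cc:dd:ee:ff"),
]
MAC_POLLS = [  # (poll_time, switch, port, mac)
    (100, "sw1", "Gi1/0/7", "00:11:22:33:44:55"),
    (200, "sw1", "Gi1/0/7", "00:11:22:33:44:55"),
    (300, "sw2", "Gi1/0/12", "aa:bb:cc:dd:ee:ff"),
    (400, "sw2", "Gi1/0/12", "aa:bb:cc:dd:ee:ff"),
]

def latest_before(polls, when, match_index, match_value):
    """Row from the most recent poll at or before `when` whose column matches."""
    latest = None
    for row in sorted(polls):
        if row[0] <= when and row[match_index] == match_value:
            latest = row
    return latest

def locate_host(ip, when):
    """For an alert on `ip` at time `when`: which MAC owned it, and on which switch port?
    Returns (mac, (switch, port)) or None if the IP was not yet seen at that time."""
    arp = latest_before(ARP_POLLS, when, 2, ip)
    if arp is None:
        return None
    mac = arp[3]
    fdb = latest_before(MAC_POLLS, when, 3, mac)
    return (mac, None if fdb is None else (fdb[1], fdb[2]))

def ip_history(ip, arp_polls=ARP_POLLS):
    """(first_seen, last_seen, mac) intervals for `ip`, collapsing repeated polls,
    the way a MAC-to-IP history view would present them."""
    spans = []
    for t, _router, ipaddr, mac in sorted(arp_polls):
        if ipaddr != ip:
            continue
        if spans and spans[-1][2] == mac:
            spans[-1][1] = t            # same MAC still holds the IP: extend the interval
        else:
            spans.append([t, t, mac])   # a different MAC took over the IP
    return [tuple(s) for s in spans]
```

Querying at time 250 returns the first host on sw1, while the same IP at 350 resolves to the second host on sw2; looking only at the current ARP table would have pointed remediation at the wrong machine.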
Compliance Initiatives?
• PCI DSS
• SOX
• HIPAA
Make existing tools work for you.
Solarwinds Orion: Compliance Reporting
Cisco Prime Network Control System
Cisco Prime NCS Reporting
Aerohive Hive Manager
Aerohive Reporting
System Tools
• Cron and Logcheck alerting
• Configuration management tools for automated patching, tracking and reporting:
– Puppet
– Chef
– Microsoft System Center Configuration Manager (SCCM)
• Asset Management, HIDS, File Integrity Tools
– Eracent
– OSSEC
What changed? Was it authorized? When is an error an incident?
OSSEC: an open source Host Intrusion Detection tool – can also be used as a file integrity monitoring tool to meet PCI DSS requirements.
Network Controls and Tools
• ACLs and Route Maps
– AOL’s Trigger: open source network automation toolkit used for pushing out configs and security policies; turns L3 devices into firewalls.
• Load Balancers (aka Application Delivery Controllers)
– SYN Cookies: prevent SYN flood attacks
– DDoS protection
– Protocol checks
• Wireshark and NetworkMiner protocol analysis tools
• RADIUS: provides authentication, authorization and accounting
• 802.1X: port-based network access control
SYN Cookie
• Server receives SYN.
• Sends SYN+ACK, but discards the original SYN.
• If the server receives the ACK, it reconstructs the SYN entry using the information encoded in the TCP sequence number.
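The three steps above, as an added example that is not from the slides or any real TCP stack: the SYN+ACK's initial sequence number is a cookie carrying a coarse timestamp, the client's MSS class and a keyed hash of the 4-tuple, so nothing is stored per SYN; the ACK is validated against the same hash and the connection state rebuilt. The bit layout, MSS table, time window and secret are simplified assumptions (production stacks also mix in the client's ISN and rotate the secret).

```python
import hashlib
import hmac

# Simplified cookie layout (32 bits): [5-bit time counter][3-bit MSS index][24-bit hash].
SECRET = b"constructed-example-secret"   # assumption: a real server uses a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)      # client MSS rounded down to one of these classes
COUNTER_PERIOD = 64                      # seconds per tick of the time counter
MAX_AGE_TICKS = 2                        # accept cookies at most ~2 minutes old

def _hash24(saddr, sport, daddr, dport, t):
    """Keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{saddr}:{sport}|{daddr}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Step 2: ISN to send in the SYN+ACK; the SYN itself is then forgotten."""
    t = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)

def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Step 3: validate the handshake ACK. Returns the rebuilt MSS, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF      # client ACKs our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (((now // COUNTER_PERIOD) & 0x1F) - t) & 0x1F
    if age > MAX_AGE_TICKS:
        return None                      # stale, or a forged timestamp
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
        return None                      # not a cookie we issued for this 4-tuple
    if mss_idx >= len(MSS_TABLE):
        return None                      # index outside the table: corrupt or forged
    return MSS_TABLE[mss_idx]            # enough to rebuild the SYN entry
```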
NetworkMiner Network Forensic Analysis Tool
Free and professional editions – can be used live or to parse PCAP files. Focuses on collecting data about hosts.
Your Web Browser Is a Security Tool
Both Firefox and Chrome have free add-ons for application security inspection, testing and fuzzing.
• Groundspeed: application pentesting
• HttpFox: analyzer
• Live HTTP Headers: analyzer
• HackBar: application pentesting
• Wappalyzer: application reconnaissance
• PassiveRecon: web site reconnaissance
• Shodan web site and plugin: reconnaissance
Shodan
Search engine of insecure devices and systems available on the Internet. Is your network in Shodan?
DNS Sinkholes and RPZ
• DNS servers can be effective tools for blocking malware, phishing and spam.
• Support for Response Policy Zones (RPZ) introduced with ISC BIND 9.8.
• An RBL for DNS: makes it into a “DNS firewall” by leveraging reputation feeds.
• Can block or redirect internal traffic associated with malicious activity (yes, just like OpenDNS).
https://dnsrpz.info/
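An added example (not from the slides or ISC) of the reputation-feed step: a small feed is turned into a BIND Response Policy Zone file, using the RPZ record encodings (a domain as the owner name for a QNAME trigger, prefixlen.reversed-octets.rpz-ip for an IP trigger, and the action as rdata: CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. to exempt, an A record to redirect to a walled garden). The feed, zone name and sinkhole address are constructed.

```python
import ipaddress

# Load the generated file with, in named.conf (BIND 9.8 or later):
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "rpz.local.db"; };
FEED = [  # (indicator, action): constructed sample reputation feed
    ("malware-c2.example", "nxdomain"),  # known C2 name: answer NXDOMAIN
    ("adtracker.example", "nodata"),     # answer with an empty response
    ("phish.example", "sinkhole"),       # send browsers to an internal warning page
    ("198.51.100.0/24", "nxdomain"),     # any answer that points into this range
    ("good.example", "passthru"),        # allow-list entry, exempt from the rest
]
SINKHOLE_IP = "10.10.10.10"  # constructed internal walled-garden address
ACTIONS = {"nxdomain": "CNAME .", "nodata": "CNAME *.", "passthru": "CNAME rpz-passthru."}

def rpz_ip_owner(cidr):
    """Encode an IPv4 network as an RPZ IP-trigger owner name (relative to the zone)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"

def rpz_records(feed):
    """(owner, rdata) pairs; QNAME rules also get a wildcard so subdomains match."""
    records = []
    for indicator, action in feed:
        is_ip = "/" in indicator or indicator.replace(".", "").isdigit()
        owners = [rpz_ip_owner(indicator)] if is_ip else [indicator, f"*.{indicator}"]
        rdata = f"A {SINKHOLE_IP}" if action == "sinkhole" else ACTIONS[action]
        records.extend((owner, rdata) for owner in owners)
    return records

def render_zone(zone, feed, serial=1):
    """Zone file text; owner names are relative, so $ORIGIN appends the zone name."""
    lines = ["$TTL 60", f"$ORIGIN {zone}.",
             f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 60",
             "@ NS localhost."]
    lines += [f"{owner} {rdata}" for owner, rdata in rpz_records(feed)]
    return "\n".join(lines) + "\n"
```

Bump the serial and reload whenever the feed changes; log RPZ hits (BIND's rpz logging category) so sinkholed lookups become incident-response leads rather than silent drops.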
Fun with Wifi
• Kismet
– An open source WIDS that works with any wireless device supporting monitor mode.
• Aircrack-NG
– An open source reconnaissance, key-cracking and testing tool.
Aircrack-NG
Kismet
inSSIDer – notice any similarities?
Network Security Monitor: Security Onion
What’s Inside?
• Snort
• Suricata
• Bro Network Security Monitor
• Argus and Ra
• Xplico
• NetworkMiner
• Sguil and Snorby
• ELSA
Kali Linux: the Kitchen Sink for Pentesters
Threat and Vulnerability Management with Zenmap – a GUI front-end to Nmap
Pentest Dropboxes aka “Creepers”
• Unobtrusive, small form-factor device used by pentesters to gain a backdoor into a target network.
• Can be used to perform a security profile of your own infrastructure.
• Also used as an inexpensive monitoring tool.
Where You Can Find One
• Minipwner
• OG150
• PwnPi
Low cost open source alternatives to Pwnie Express.
Roll Your Own
• Raspberry Pi
• Intel NUC
• TP-Link portable routers running OpenWrt.
• Pwnie Express even has a community edition you can build yourself.
Available Tools
• Aircrack-NG
• Iperf
• OpenVPN
• SSLStrip
• Tor
• TTCP
• Kismet
Get A Pineapple
A wireless network auditing tool: a highly customizable Wifi router based on OpenWrt and Jasager.
Do You Always Need the Commercial Product?
• Suricata vs. Sourcefire
• Bro-NSM vs. FireEye
• Security Onion or OSSIM vs. commercial SIEMs
• SANS Investigative Forensic Toolkit (SIFT) vs. EnCase
• Armitage or OG150 vs. Metasploit Pro
• FreeRADIUS vs. Cisco ISE
• OSSEC vs. Symantec Critical System Protection
• ELSA, Graylog, Logstash/Kibana vs. Splunk
• Nmap or Zenmap vs. Qualys
Security Isn’t About Managing Tools
• Good information security (and engineering) is about solving problems.
• You don’t always need to buy a product.
• Be Creative.
Resources
• Securitytube.net
• Hak5.org
• Metasploit Minute with @mubix
• OWASP
• Offensive Security
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel mode.
Prefers Star Wars original trilogy.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy