Leveraging Open Source Security Tools: The Essential Guide



Find out why open source is not just for software anymore! Get a comprehensive directory of best of breed, open source security tools including: Nmap, PRADS, OpenVAS, Snort, OSSEC, Nagios, ntop and more. Learn how to use these free resources for improved threat detection and incident response in your environment.

Transcript of Leveraging Open Source Security Tools: The Essential Guide

Page 1: Leveraging Open Source Security Tools: The Essential Guide

LEVERAGING OPEN SOURCE THE ESSENTIAL DETECTIVE SECURITY CONTROLS

The Open and Collaborative Alternative

Page 2: Leveraging Open Source Security Tools: The Essential Guide

AGENDA

The Case for Detective Security Controls

Leveraging Open Source: The Essential Controls

A Guided Tour/Demo:

Asset Discovery: Nmap & PRADS

Wireless IDS: Kismet

Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS)

Open Source Threat Sharing: MDL (Malware Domain List) & OTX (Open Threat Exchange)

Q&A

Page 3: Leveraging Open Source Security Tools: The Essential Guide

Preventative Controls

Used to implement C-I-A

Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO

Prevent an incident

Detective Controls

Provide visibility & response

Asset Discovery, VA, IDS/IPS, Log Management,

Analytics

Detect & respond to an incident

2 Types of Security Controls

Page 4: Leveraging Open Source Security Tools: The Essential Guide

IF WE ALREADY HAVE PREVENTATIVE CONTROLS…

WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?

Page 5: Leveraging Open Source Security Tools: The Essential Guide

PREVENTION HAS PROVEN TO BE ELUSIVE

Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute

A detailed study of 56 “Large US firms”

Results: 102 successful intrusions between them, EVERY WEEK!

Page 6: Leveraging Open Source Security Tools: The Essential Guide

“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”

- James Routh, 2007 CISO Depository Trust Clearing Corporation

Some pretty savvy recent victims

Page 7: Leveraging Open Source Security Tools: The Essential Guide

“How would you change your strategy if you knew for certain that you were going to be compromised?”

- Martin Roesch, 2013 Founder & CTO Sourcefire, Author SNORT

Page 8: Leveraging Open Source Security Tools: The Essential Guide

Prevent Detect & Respond

GET GOOD AT DETECTION & RESPONSE

The basics are in place. Beyond that, buyer beware!

New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-borne threats at the perimeter!

New capabilities to develop

Page 9: Leveraging Open Source Security Tools: The Essential Guide

GOOD NEWS!

Page 10: Leveraging Open Source Security Tools: The Essential Guide

Many professional SOCs are powered by open source

THERE’S AN APP FOR THAT!

PRADS

NFSen

P0F

OVALdi

MDL

OpenFPC

PADS

Challenge: How do we make sense of all these?

Page 11: Leveraging Open Source Security Tools: The Essential Guide

FIRST WE CATEGORIZE THEM!

What is the state of my environment – anything strange?

Put it all together with external intelligence & determine a response!

The 5 essential capabilities for effective detection & response

Vulnerability Assessment

Threat Detection

Behavioral Monitoring

Intelligence & Analytics

What am I protecting & what is most valuable?

Asset Discovery

How, when and where am I being attacked?

Where are my assets exposed?

Page 12: Leveraging Open Source Security Tools: The Essential Guide

CHALLENGE: NAME THAT TOOL!

Vulnerability Assessment

Threat Detection

Behavioral Monitoring

Analytics & Intelligence

Asset Discovery

Page 13: Leveraging Open Source Security Tools: The Essential Guide

THE ESSENTIAL CONTROLS

Vulnerability Assessment

Threat Detection

Behavioral Monitoring

Analytics & Intelligence

Asset Discovery

P0F

OpenFPC

NFSen

OVALdi

PRADS

PADS

Open source alternatives for each of the 5 categories

Page 14: Leveraging Open Source Security Tools: The Essential Guide

LET’S SEE THEM IN ACTION

Asset Discovery with Nmap & PRADS

Wireless IDS with Kismet

Unified Security Management with OSSIM (includes OSSEC, SNORT, ntop, OpenVAS)

Page 15: Leveraging Open Source Security Tools: The Essential Guide

NMAP & PRADS

Problem it solves: I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).

Pros: Nmap is very mature, robust & feature rich. Both tools produce verbose output.

Cons: Both tools produce extremely verbose output. PRADS does not have a GUI.

Why we like it: These cover both active and passive asset discovery. PRADS is relatively new, but it covers the same functionality as two older tools (PADS and p0f).

Page 16: Leveraging Open Source Security Tools: The Essential Guide

KISMET

Problem it solves: I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.

Pros: Great command line interface. Outputs log events for WIDS events and a periodic XML report for observed networks.

Cons: A wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.

Why we like it: This tool is very versatile. There are plugins for DECT and Ubertooth devices.

Page 17: Leveraging Open Source Security Tools: The Essential Guide

OSSIM (OSSEC, Snort, Ntop, OpenVAS & others)

Problem it solves: I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.

Pros: USM unifies management of these tools and offers correlation between event sources. Includes incident response templates & workflows.

Cons: Full intelligence feed, log management and management features require the commercial version.

Why we like it: The company I work for makes OSSIM, and it makes it easy to implement and manage all these tools at once.

Page 18: Leveraging Open Source Security Tools: The Essential Guide

OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE….

Open Threat Sharing

Page 19: Leveraging Open Source Security Tools: The Essential Guide

OPEN SOURCE THREAT INTELLIGENCE

Page 20: Leveraging Open Source Security Tools: The Essential Guide

OPEN SOURCE THREAT INTELLIGENCE

Expert Sourced

Used to implement C-I-A

Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO

Prevent an incident

Crowd Sourced

Provide visibility & response

Asset Discovery, VA, IDS/IPS, Log Management,

Analytics

Detect & respond to an incident

Page 21: Leveraging Open Source Security Tools: The Essential Guide

OPEN SOURCE THREAT INTELLIGENCE

Page 22: Leveraging Open Source Security Tools: The Essential Guide

MDL AND OTX

Problem it solves: My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL)? What are my peers seeing (OTX)?

Pros: Allows me to collect threats from security researchers (MDL) and from peers (OTX). Allows me to share threats with my peers (OTX). These add an intelligence layer to traditional tools, like NIDS and SIEM.

Cons: Most feeds are a teaser for a commercial offering.

Why we like it: If we get this right and everyone is involved, the bad guys only get one “first attack” for the entire network: attack one and all will detect and respond.

Page 23: Leveraging Open Source Security Tools: The Essential Guide

THE PRACTITIONER’S GUIDE

Open Source Asset Discovery Tools

Nmap http://nmap.org The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.

PADS http://passive.sourceforge.net Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.

P0f http://lcamtuf.coredump.cx/p0f3/ Passive OS fingerprinting tool. Use to identify and profile assets on your network (including that of the attackers).

PRADS http://gamelinux.github.io/prads Passive Real-Time Asset Detection. Alternative to PADS - listens to network and gathers information on hosts and services.
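The slides describe the Nmap part of asset discovery as a periodic scan that creates and then updates an inventory. The following is an added example, not code from the slides or from the Nmap project: it parses the XML that `nmap -oX` writes into an inventory of live hosts and their open ports, then diffs the previous run against the current one so that new hosts, hosts that vanished, and newly opened ports stand out. The two XML documents are constructed, trimmed samples in the shape of Nmap’s XML output; `192.0.2.0/24` and the hostnames are placeholder values.

```python
"""Asset inventory from Nmap XML output, diffed against the previous scan.

Added example (not from the slides or the Nmap project). Keep the -oX file of
every scheduled scan and run parse_inventory()/diff_inventory() on the last two.
"""
import xml.etree.ElementTree as ET

# Constructed samples: what two consecutive `nmap -sV -oX` runs of the same
# subnet might produce, trimmed to the elements the parser uses.
SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX before.xml 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX after.xml 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.20" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""


def parse_inventory(xml_text):
    """Return {ip: {"hostname": str|None, "ports": {(proto, port): service}}}.

    Only hosts Nmap reports as up, and only ports in state "open", are kept;
    filtered/closed ports are not part of the exposed surface we track.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        inventory[addr.get("addr")] = {
            "hostname": hn.get("name") if hn is not None else None,
            "ports": ports,
        }
    return inventory


def diff_inventory(old, new):
    """Describe what changed between two inventories.

    opened_ports/closed_ports entries are (ip, protocol, port, service) tuples.
    """
    changes = {
        "new_hosts": sorted(set(new) - set(old)),
        "missing_hosts": sorted(set(old) - set(new)),
        "opened_ports": [],
        "closed_ports": [],
    }
    for ip in sorted(set(old) & set(new)):
        before, after = old[ip]["ports"], new[ip]["ports"]
        for proto, port in sorted(set(after) - set(before)):
            changes["opened_ports"].append((ip, proto, port, after[(proto, port)]))
        for proto, port in sorted(set(before) - set(after)):
            changes["closed_ports"].append((ip, proto, port, before[(proto, port)]))
    return changes


if __name__ == "__main__":
    changes = diff_inventory(parse_inventory(SCAN_BEFORE), parse_inventory(SCAN_AFTER))
    for ip in changes["new_hosts"]:
        print(f"NEW HOST      {ip}")
    for ip in changes["missing_hosts"]:
        print(f"MISSING HOST  {ip}")
    for ip, proto, port, svc in changes["opened_ports"]:
        print(f"OPENED PORT   {ip} {proto}/{port} ({svc})")
    for ip, proto, port, svc in changes["closed_ports"]:
        print(f"CLOSED PORT   {ip} {proto}/{port} ({svc})")
```

Each line of the report is something a detective control should have an owner for: a new host is either an approved deployment or something to investigate, a newly opened port is a change in exposure to feed into vulnerability assessment, and a missing host that never came back may be the first sign of an outage. Scheduling the scan (cron is enough) and archiving the XML gives the periodic inventory the slides call for; PRADS fills in the gaps between scans passively.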

Open Source Threat Detection Tools

Snort http://www.snort.org The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.

Suricata http://suricata-ids.org “Next Generation” alternative (or not) to SNORT funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.

Kismet http://www.kismetwireless.net An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks via passively monitoring traffic.

OSSEC http://www.ossec.net Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.

Page 24: Leveraging Open Source Security Tools: The Essential Guide

THE PRACTITIONER’S GUIDE

Open Source Behavioral Monitoring Tools

Ntop http://www.ntop.org A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.

Nfsen http://nfsen.sourceforge.net A web-based GUI for the nfdump netflow tools. Use to monitor netflows.

OpenFPC http://www.openfpc.org A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.

Nagios http://www.nagios.org Open source IT monitoring system. Use to monitor activity on servers.

Open Source Vulnerability Assessment Tools

OpenVAS http://openvas.org Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.

OVALdi http://www.decalage.info/en/ovaldi An open source reference implementation of a vulnerability scanner based on the OVAL definitions. Alternative to OpenVAS.

Open Source Intelligence and Analytics Tools

OSSIM http://www.alienvault.com/ossim Unified security management & the world’s most popular SIEM. Use to combine the essential controls into a single unified system managed from a single pane of glass.

Logstash http://logstash.net/ A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.

Page 25: Leveraging Open Source Security Tools: The Essential Guide

THE PRACTITIONER’S GUIDE

Open Threat Intelligence Feeds & Threat Sharing Communities

MDL http://www.malwaredomainlist.com A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools.

ETO http://www.emergingthreats.net A platform independent (SNORT & Suricata) ruleset for tuning IDS. Use to make your IDS more effective at identifying threats.

OTX http://www.alienvault.com/otx The world’s largest collaborative threat sharing network. Use to share threat information in real-time with others on the exchange. Several free risk-monitoring tools are also available.
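The MDL and OTX slides and the feed entries above say to use a domain list to “tune threat detection tools” and add an intelligence layer to NIDS and SIEM, but not what that looks like in practice. The following is an added example, not from the slides, MDL or AlienVault: it loads a small feed in a CSV layout that approximates MDL’s export (date, domain or URL, IP, reverse lookup, description, registrant, ASN, inactive flag, country; that column order is an assumption here, check it against the feed you download), builds a domain lookup that skips entries the feed marks inactive, and runs constructed BIND-style query log lines against it, matching parent domains so that a host under a listed domain is still caught.

```python
"""Match DNS query logs against a malware-domain feed.

Added example, not from the slides or from any feed vendor. The feed rows and
the log lines are constructed; the CSV column order approximates MDL's export
and is an assumption to be checked against the real file.
"""
import csv
import io
import re

# Constructed feed rows. Column 8 (index 7) is the "inactive" flag; the third
# row is inactive and must not generate alerts.
FEED_CSV = '''"2013/03/01_10:15","bad-downloads.example/gate.php","203.0.113.7","-","Trojan downloader","-","64496","-","XX"
"2013/03/02_08:40","cdn.updates-fake.example","203.0.113.8","-","Exploit kit landing page","-","64496","-","XX"
"2013/03/03_19:05","old-c2.example","198.51.100.9","-","C2 (taken down)","-","64497","1","XX"
'''

# Constructed BIND query-log lines: client, query name, record type.
LOG_LINES = [
    "01-Mar-2013 10:20:01.123 client 10.0.0.5#51234: query: cdn.updates-fake.example IN A + (10.0.0.2)",
    "01-Mar-2013 10:20:02.456 client 10.0.0.6#51235: query: www.example.org IN A + (10.0.0.2)",
    "01-Mar-2013 10:20:03.789 client 10.0.0.7#51236: query: tracker.bad-downloads.example IN A + (10.0.0.2)",
    "01-Mar-2013 10:20:04.000 client 10.0.0.8#51237: query: old-c2.example IN A + (10.0.0.2)",
    "01-Mar-2013 10:20:05.000 client 10.0.0.9#51238: query: example.notbad-downloads.example IN A + (10.0.0.2)",
]

QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def load_feed(text):
    """Return {domain: description} for active feed rows.

    URL entries ("host/path") are reduced to their host part, since the DNS
    log only ever shows the name that was resolved.
    """
    domains = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9 or row[7] == "1":
            continue
        host = row[1].split("/", 1)[0].strip().lower().rstrip(".")
        if host:
            domains[host] = row[4]
    return domains


def match_domain(qname, domains):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walks from the full name towards the registrable domain but never tests
    the bare TLD, so "example" alone can never match.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, domains):
    """Return one hit dict per log line whose query name matches the feed."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _rtype = m.groups()
        matched = match_domain(qname, domains)
        if matched is not None:
            hits.append({"client": client, "query": qname,
                         "indicator": matched, "description": domains[matched]})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(LOG_LINES, load_feed(FEED_CSV)):
        print(f"{hit['client']} resolved {hit['query']} -> listed as "
              f"{hit['indicator']} ({hit['description']})")
```

Two details matter when doing this for real: honour the feed’s inactive flag (or you will chase hosts that contact a domain that was sinkholed months ago), and match on label boundaries rather than substrings, which is why `example.notbad-downloads.example` above produces no hit. The same lookup table can be turned into IDS rules or a SIEM watchlist; the matching logic is what the “intelligence layer” in the slides amounts to.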

Page 26: Leveraging Open Source Security Tools: The Essential Guide