Home-Grown Cyber Security

John B. Folkerts, CISSP
https://www.linkedin.com/in/john-b-folkerts

About Me

- 20 years doing Information Security, Architecture, and Risk Management in large enterprise environments
- Prior to that, a Communications Officer in the US Air Force
- Involved in many incident response efforts and technology deployments, including Identity Management, Data Loss Protection, Antivirus, Malware Sandbox technology, Log Management, and Intrusion Detection
- Classical music fan, developing aficionado

Disclaimers

- My comments reflect my own opinions, and not those of my employers, past, present, or future.

- The tools and services mentioned in this presentation are freely available on the internet. They may not be suitable for your specific environment. Think carefully about your support requirements before using free or open source software or services.

- Despite being free, most of the tools mentioned have software licensing that governs their use, distribution, etc. Please read the licenses and check with an attorney as needed to determine whether they are suitable for your environment.

Traditional Approach to Security

(Controls-based: Patching, Antivirus, Firewalls, Complex Passwords …)

- The Strengths
  - Protective – stop what we know is bad
- The Weaknesses
  - Zero Day Exploits
  - Constantly changing malware signatures
  - Encryption, Tunneling through and around firewall rules
  - Passwords attacked at the weakest point – the user … or worse, the password hash database

Enter the Cyber Security Framework …

Cyber Security Framework

- Many/most of the traditional Info Security capabilities are included
- Threat-centric model which “connects the dots” between security capabilities
- Greater focus on detection and actionable response

Basis for Home-grown Cyber Security

(Diagram: Internet – Firewall – Wireless Router – Workstation, Printer, Laptop, Laptop. Caption: Not Optimal for Finding the Source of the Problem)

What’s Going On in My Network?

“If you really want to protect your network, you have to know your network”
– Rob Joyce, Chief, Tailored Access Operations, National Security Agency
Check out: https://www.youtube.com/watch?v=bDJb8WOJYdA

Monitoring and detection inside your network is just as important as your network boundary.

Modifications for Monitoring

Parts List:
- Extra PC with (2) NIC cards and 16Gb RAM
- Re-use Wireless Router
- Inexpensive 8-port switch with span port capability
- WiFi Access Point

(Diagram: Internet – Firewall – Wireless Router – Switch w/ Span Port – Span Port – Network Monitor; WiFi Access Point – Workstation, Printer, Laptop, Laptop)

“To Know Thyself …”

What’s on my Network?
- Systems: DHCP assignments, IP addresses, MAC addresses
- “Things” – […], Ecobee, Raspberry Pi

What’s running on my Network?
- User Agents: Common (Chrome, IE) and uncommon ([…])
- Executables: capture and hash

OBSERVED assets, executables, etc. are usually good enough!

“… is the Beginning of Intelligence” (apologies to Socrates)

Threat Intelligence Types
- IP, Domain BlackLists
- MD5, SHA256 Hashes
- Tactics, tools, shared analysis

Sources
- intel.criticalstack.com
- otx.alienvault.com
- threatconnect.com
- us-cert.gov
- abuse.ch
- Many more at https://github.com/hslatman/awesome-threat-intelligence

Ref: Threat Intel Pyramid of Pain, courtesy of David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Basic Protections

On The Network:
- Firewall – enable IP blocking
- DNS “Firewall” – enable Domain blocking
  - BIND9: http://www.zytrax.com/books/dns/ch7/rpz.html
  - DNSMASQ: https://wiki.archlinux.org/index.php/dnsmasq
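An added example (not from the presentation) of the DNS “firewall” step above: a small Python script that turns a domain blocklist from one of the intel feeds into a BIND9 response-policy zone file. The feed lines and the zone name rpz.home are assumptions; BIND loads the result through a response-policy statement in named.conf.

```python
import re
from datetime import datetime, timezone

# Constructed sample feed: one domain per line, with the comments and
# case differences that real blocklists often contain.
SAMPLE_BLOCKLIST = """\
# constructed example feed, not a real intel source
badsite.example
malware-c2.example    # trailing comment
BadSite.Example
not a domain
"""

# Lower-case host name: labels of 1-63 characters, at least two of them.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")


def parse_blocklist(text):
    """Return the sorted, de-duplicated domains in a feed; drops comments
    and anything that is not a syntactically valid host name."""
    domains = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and HOSTNAME_RE.match(name):
            domains.add(name)
    return sorted(domains)


def rpz_zone(domains, serial=None):
    """Render an RPZ zone file. In RPZ, 'CNAME .' means answer NXDOMAIN;
    the wildcard record extends the block to every subdomain."""
    if serial is None:
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d01"))
    lines = [
        "$TTL 60",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for name in domains:
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as the zone file for "rpz.home" (assumed name) and
    # enable it in named.conf with:  response-policy { zone "rpz.home"; };
    print(rpz_zone(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```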

On The Host:
- Current Patches
- Current Antivirus
- Backup and Recovery

Need Visibility!!

On The Network:
- Security Onion – https://securityonion.net/
- Bro – https://www.bro.org/
- Snort – https://www.snort.org/
- Sguil – https://www.sguil.net/
- Wireshark – https://www.wireshark.org/
- NetworkMiner – http://www.netresec.com/?page=NetworkMiner
- ELSA – Enterprise Log Search & Archive – https://github.com/mcholste/elsa

On The Host:
- OSSEC – https://ossec.github.io/
- Sysmon – https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Detection Principles

- Keep History
- Continuous Monitoring of IOCs
- Look for Anomalies
- Match up Host Monitoring and Network Monitoring

Host Monitoring

- Sysmon 6.10
  - Brought to you by Sysinternals – Windows system monitoring
  - Install: sysmon.exe -accepteula -i sysmon-config.xml
  - Update: sysmon.exe -c sysmon-config.xml
  - Remove: sysmon.exe -u
  - Features: Windows Log of Process creation, File hashes, network connections, remote threads, registry mods, alternate data streams
- OSSEC HIDS
  - Monitoring and Alerting of Unix and Windows systems
  - Use OSSEC to forward Sysmon logs to a safe place (like SecurityOnion/ELSA)
- Resources
  - SwiftOnSecurity Config – https://github.com/SwiftOnSecurity/sysmon-config
  - ION Storm Threat Intel Config – https://github.com/ion-storm/sysmon-config

Game Show Time! “Does it Belong?” (on my network)

Does it Belong? – Long DNS request

Snort Alert: MALWARE-OTHER dns request with long host name segment – possible data exfiltration attempt
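The “long host name segment” condition this alert describes, as an added Python example that is not from the presentation or from Snort: it scans constructed query-log lines for any label longer than an assumed threshold and reports the label’s entropy as context for the analyst (the first long label is taken from the slide; the domain and clients are made up).

```python
import math
from collections import Counter

# Assumed threshold: legitimate host-name labels are rarely this long.
MAX_LABEL = 50

# Constructed sample, one query per line: "<ts> <client> <query> <qtype>".
SAMPLE_LOG = """\
1500000000.1 192.168.1.20 www.example.com A
1500000001.2 192.168.1.20 tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug.exfil.example TXT
1500000002.3 192.168.1.21 static-assets-cdn-node-0123456789.cdn.example A
"""


def shannon_entropy(s):
    """Bits per character of s: up to 5.0 for base32 text, lower for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_stats(query):
    """Length and entropy of the longest label, plus the whole-name length."""
    labels = query.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    return {"longest_label": len(longest),
            "entropy": round(shannon_entropy(longest), 2),
            "name_length": len(query)}


def is_suspicious(query, max_label=MAX_LABEL):
    """True when any label exceeds max_label, the alert condition above."""
    return label_stats(query)["longest_label"] > max_label


def scan(log_text):
    """Return (client, query, stats) for every sample line that trips the check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue          # skip malformed lines rather than crash
        _ts, client, query, _qtype = parts[:4]
        if is_suspicious(query):
            hits.append((client, query, label_stats(query)))
    return hits


if __name__ == "__main__":
    for client, query, stats in scan(SAMPLE_LOG):
        print(f"{client} asked for {query[:40]}... {stats}")
```

Entropy alone does not separate encoded data from ordinary words reliably, so it is reported here rather than used as a second gate.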

DNS query Request:
tnncuaacaakn433maecaaagsaqaaa2lpfo3ve5lzd7ldo33maeaaaac3aaaabug.scjsaaaataaiaaa3n4zozkkr23mbxemjxewjevkw5s5zrcfqsbc5njwaqwstwnx.7tyud5d4yh3zsqcdiz6icpmlqyzfpubuw5ervi3so4q4mdhhxf64ctgre4zxyaa.aaaaaaaaaaa4x3qkm2ettg7a.a.j.e5.sk

Response TXT 176:
ANX8KgACABQAAAAAAAAA0gQAAAAAAAAAAAAAAAAAAAIAAABXAAAAJaPE4QAAEAAAAAAAAAAAAAAAAACnSdJrgTMO0oGe+2yVIa5YnbWRYq4kTMA6646ejwBHvY4yVgmIg2DMJKMfnAS1GH5nFGbv3/MjUUxO5U0QDFEPbeZdlQoKAA==

Data Enrichment with domaintools.com

Does it Belong? – TOR Exit Node

Snort Alert: ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 87
Research using Wireshark

Does it Belong? – Malware IOC
Data Enrichment with Threat Research Tools

Game: “Does it Belong?”

Getting started with Response

RESPOND

- First choice: Antivirus – a time saver
- Continue to leverage threat intelligence
- Analysis tools
  - Sysinternals tools* – sysmon, procmon, […], autoruns, sigcheck, VMMap, ListDLLs – https://www.sysinternals.com/
  - VirusTotal (use with care) – https://www.virustotal.com/
- Malware Sandboxing
  - Cuckoo Sandbox – https://www.cuckoosandbox.org/
  - Malwr – https://malwr.com/
- Response Planning / Playbook
  - Develop Playbook for response consistency
  - Decisions – Eliminate the threat, or allow the threat to remain temporarily
  - Response Automation

* See also Troubleshooting with the Windows Sysinternals Tools by M. Russinovich & A. Margosis

Recover

Left as an “exercise for the reader” – a lot easier if Identify, Protect, Detect, and Respond are in place

Summary

- Identify
  - Assets, Executables
  - Start with Threat Intelligence
- Protect
  - Standard controls (patching, AV, Firewalls)
  - Add DNS Blocking
  - Backup your Data
- Detect
  - Monitor your Networks and Hosts
  - Use Threat Intel for Research / Validation
  - Ask Yourself: “Does it Belong?”
- Respond and Recover