Security Onion - WordPress.com


About us
• I’ve been involved in IT for 19yrs
• GSEC, GMON and Security+
• Contact info:
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/natesykes
• Twitter: @n8sec
• Grant has been involved in IT for 9yrs
• CCNA-Voice, CCDP, CCNP, Security+, GPEN
• Contact info:
• Email: [email protected]
• Twitter: @ChiefriverSims
• YouTube Channel, ChiefRiver: https://www.youtube.com/channel/UClBQQRzLNKt9XSMe_GrVMEQ
• Work at a R&K < 100 employees
• Work with DoD, Healthcare and Higher-Ed clients
• Host our SaaS Application
• Manage ~50 servers and ~100 VMs
• Network includes remote offices as well as remote users
Topics
• How we used network architecture and open source sensors to successfully transform our security posture from static defense to prevent/detect/respond
• Why we chose to go the open source route
• The capabilities of Security Onion (https://security-onion-solutions.github.io/security-onion/)
• The pros v. cons of open source and what to watch out for
• Using Security Onion to handle an incident
A long time ago in a galaxy far, far away…
Strictly a Prevent Defense
Will inevitably FAIL
2.5 years ago we…
• Relied mainly on Antivirus for detection
• Had a SIEM but didn’t get much use out of it
• Incident response consisted of wipe/reimage, no real way to determine how something got in, what it did, or how to prevent it from reoccurring
• No real visibility into the network
Some of you might be in the same boat…
Whose Incident Response process consists of “Wipe the machine”?
“Defeat is a state of mind; no one is ever defeated until defeat has been accepted as a reality.” - Bruce Lee
How do we defend our Network?
• Network Architecture
• Distributed Army of Security Onion Sensors
Network Architecture
Battle Prep: Read This!
• The Practice of Network Security Monitoring, Richard Bejtlich
"Verizon consultants were able to …
communicate directly with cash registers in [Target]
checkout lanes after compromising a deli meat scale
located in a different store."
http://krebsonsecurity.com/2015/09/inside-target-corpdays-after-2013-breach/
Why Segment?
Attackers get a foothold and then
PIVOT MERCILESSLY
Sniffing Traffic
• TAP
• Most business switches have the ability to create span ports to mirror traffic.
• Should handle most traffic loads on a normal gigabit network
• If you need a cheap solution, Dualcomm and Mikrotik make 5 port switches that have span ports.
• Great for small office/home use
Decryption?
Restrict Movement & Increase Visibility
You Shall Not Pass!
Distributed Army of Sensors
Why do I need sensors?
• I’ve got Antivirus…
• I’ve got a web filter…
• I’ve got an email filter…
In the last 6 months how many of our incidents did those detect?
What is it?
Security Onion is a free Linux distro for IDS, NSM and log management.
www.securityonion.net
• Based on Ubuntu, it links a variety of tools together in one convenient package:
Snort
Suricata
Bro
Squert
Open Source Threat Intel
OSSEC
ELSA
Sguil
NetworkMiner
Other security tools
• Developed by Doug Burks in 2008.
• Can install and set up a sensor in demo mode (all features enabled) in 15 min or less*
*Excellent for monitoring your home network. Especially if you have teenagers. Not just for security, you see all web traffic.
Why did we choose Security Onion?
• Needed to implement NSM on a budget
• Minimal hardware/software investment
• Able to start small to prove the concept, then scale
• Needed to be able to operate with minimal staff
• After deployment, 1 Security Analyst 20-50% of their time on a given day
• Good community support
RAM Requirements
Use Case                                                  Minimum RAM Required (More is always better)
Quickly demo in a VM                                      3GB
Production sensor on small network (50Mbps or less)       8GB
Production sensor on medium network (50Mbps – 500Mbps)    16GB – 128GB
Production sensor on large network (500Mbps – 1000Mbps)   128GB – 256GB
Src: https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware
Storage Requirements
• If you are monitoring a 50 Mb/s link, here are some quick calculations: 50Mb/s = 6.25 MB/s = 375 MB/minute = 22,500 MB/hour = 540,000 MB/day.
• Translation: 1 day = 540GB of pcaps
• Multiply that by the number of days you want to keep on disk for investigative/forensic purposes.
• Note that this is just pcaps (other logs will take up additional storage), so you may want to round up to the next terabyte to ensure sufficient storage.
• As an example, one of our sensors monitoring about 45 employees, email, file and web traffic uses about 1TB/day.
• Pick and choose what is important for you to capture. You can expand later by adding space or sensors over time.
Src: https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware
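The storage arithmetic above, generalised to any link rate and retention window as an added example (not from the presentation or the Security Onion wiki). Decimal units as on the slide (1 GB = 1000 MB, 1 TB = 1000 GB); the multiplier for non-pcap logs is an assumed parameter, not a figure from the slide.

```python
from math import ceil

SECONDS_PER_DAY = 60 * 60 * 24


def pcap_mb_per_day(link_mbps: float) -> float:
    """Full packet capture volume for a link running flat out at link_mbps.
    50 Mb/s -> 6.25 MB/s -> 540,000 MB/day, the slide's worked figure."""
    return link_mbps / 8.0 * SECONDS_PER_DAY


def storage_plan(link_mbps: float, retention_days: int,
                 other_logs_factor: float = 1.0) -> dict:
    """Pcap GB/day, total GB for the retention window, and the whole terabytes
    to provision. other_logs_factor (assumed, e.g. 1.2) is headroom for the
    Bro/ELSA/OSSEC logs that live alongside the pcaps."""
    gb_per_day = pcap_mb_per_day(link_mbps) / 1000.0
    total_gb = gb_per_day * retention_days * other_logs_factor
    return {
        "pcap_gb_per_day": gb_per_day,
        "total_gb": total_gb,
        "provision_tb": ceil(total_gb / 1000.0),  # round up to the next TB
    }


def retention_days_for_disk(disk_tb: float, observed_gb_per_day: float) -> int:
    """Whole days of history a disk holds at an observed daily rate, e.g. the
    slide's sensor that writes about 1 TB/day."""
    return int(disk_tb * 1000.0 // observed_gb_per_day)


if __name__ == "__main__":
    print(storage_plan(50, 7))        # 540 GB/day, 3780 GB, provision 4 TB
    print(retention_days_for_disk(8, 1000))  # 8 days at the 1 TB/day sensor
```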
Centralized Management
You can use SALT to manage all of your sensors.
Then they become SALT minions.
Open Source Threat Intel
• Security Onion can use threat intelligence feeds from Critical Stack: www.criticalstack.com
• Includes DShield feeds. DShield is the data collected by the SANS Internet Storm Center (ISC)
Indicators of Compromise (IOCs)
• Load IOCs into Bro Intel
• Grant developed an import script for the DSS format
• Posted on github: https://github.com/ChiefRiver/DSS-to-Bro-Intel
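An added example of what such an import script has to produce (this is not Grant's DSS-to-Bro-Intel script, and the CSV layout is an assumption since the DSS format is not shown here): it turns a constructed indicator list into the tab-separated file that Bro's Intel framework loads, using Bro's real `#fields` header and `Intel::*` types.

```python
import csv
import io
import ipaddress
import re

HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url"
HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")

# Constructed input: documentation/reserved values only, not real IOCs.
SAMPLE_CSV = """indicator,description
198.51.100.23,constructed c2 address
bad.example.net,constructed c2 domain
http://bad.example.net/gate.php,constructed c2 url
d41d8cd98f00b204e9800998ecf8427e,placeholder hash (MD5 of the empty string)
"""


def classify(indicator: str) -> str:
    """Map an indicator string to a Bro Intel::* type; raise on an unknown shape."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    if HASH_RE.match(indicator):
        return "Intel::FILE_HASH"
    if "://" in indicator or "/" in indicator:
        return "Intel::URL"
    if re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", indicator, re.I):
        return "Intel::DOMAIN"
    raise ValueError(f"cannot classify indicator: {indicator!r}")


def normalise(indicator: str, itype: str) -> str:
    """Bro expects URL indicators without the scheme prefix."""
    if itype == "Intel::URL":
        return re.sub(r"^[a-z]+://", "", indicator, flags=re.I)
    return indicator


def csv_to_bro_intel(csv_text: str, source: str) -> str:
    """Render the CSV as a Bro intel file; meta.url is left unset ('-')."""
    lines = [HEADER]
    for row in csv.DictReader(io.StringIO(csv_text)):
        ind = row["indicator"].strip()
        itype = classify(ind)
        lines.append("\t".join([normalise(ind, itype), itype, source,
                                row["description"] or "-", "-"]))
    return "\n".join(lines) + "\n"
```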
Sguil
• Lot of info
• Alert severity
• Src/Dest
• Reverse DNS
• BotHunter reputation
• Packet data
• Pivot to other tools
Squert
Bro – Powerful Network Analysis Framework
Bro
ELSA
Very quickly determine all IPs a suspected machine talked to:
Sort by http site. Easily get full pcap.
ELSA
• You can write your own custom parsers
• Grant developed custom Palo Alto class and parsers for Threats and Traffic & Url categories
• Posted for community use:
• Threats: https://groups.google.com/forum/#!searchin/enterprise-log-searchand-archive/palo$20alto/enterprise-log-search-andarchive/a02W1GDIqnc/T-lVRm9k4ZMJ
• Traffic & Url: https://groups.google.com/forum/#!searchin/enterprise-logsearch-and-archive/palo$20alto/enterprise-log-search-andarchive/SJwOY7N2A60/rlK4WkdVyyMJ
Go Hunting!
What countries is your network talking to?
ELSA
Any RDP sessions with non-English keyboard layouts?
How many successful SSH sessions have I had?
Are any to IPs that shouldn’t be using SSH?
How many SSH sessions (or attempts) have I had by country?
Who are they coming from? Were any successful?
Only inbound traffic
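The SSH hunting questions above, worked through in code as an added example (not from the presentation): it reads Bro's tab-separated ssh.log, counts inbound sessions and successes by country, and lists any internal host that accepted an inbound login without being on the allow-list. The log is constructed for the example and trimmed to a subset of Bro's ssh.log columns (documentation addresses only).

```python
from collections import defaultdict

SAMPLE_SSH_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tauth_success\tdirection\tremote_location.country_code\n"
    "1413550800.1\tCa1\t203.0.113.9\t51000\t192.0.2.10\t22\tF\tINBOUND\tCN\n"
    "1413550805.2\tCa2\t203.0.113.9\t51001\t192.0.2.10\t22\tF\tINBOUND\tCN\n"
    "1413550900.3\tCa3\t198.51.100.7\t40022\t192.0.2.10\t22\tT\tINBOUND\tUS\n"
    "1413551000.4\tCa4\t198.51.100.8\t40023\t192.0.2.55\t22\tT\tINBOUND\tDE\n"
    "1413551100.5\tCa5\t192.0.2.20\t50123\t198.51.100.9\t22\tT\tOUTBOUND\t-\n"
    "#close\t2014-10-17-12-00-00\n"
)


def parse_bro_log(text):
    """One dict per record, keyed by the names in the #fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ssh_by_country(rows, direction="INBOUND"):
    """Map country code -> (sessions, successful logins) for one direction."""
    stats = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["direction"] != direction:
            continue
        cc = r["remote_location.country_code"]  # '-' when GeoIP has no answer
        stats[cc][0] += 1
        if r["auth_success"] == "T":
            stats[cc][1] += 1
    return {cc: tuple(v) for cc, v in stats.items()}


def unexpected_ssh_successes(rows, allowed_servers):
    """Internal hosts that accepted an inbound SSH login but should not offer SSH."""
    return sorted({r["id.resp_h"] for r in rows
                   if r["direction"] == "INBOUND" and r["auth_success"] == "T"
                   and r["id.resp_h"] not in allowed_servers})


if __name__ == "__main__":
    rows = parse_bro_log(SAMPLE_SSH_LOG)
    print(ssh_by_country(rows))                            # CN 2/0, US 1/1, DE 1/1
    print(unexpected_ssh_successes(rows, {"192.0.2.10"}))  # ['192.0.2.55']
```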
Network Miner
• Extract files – executables, flash files, web pages, etc.
• Get MD5 sums
• Get host info
• Data Sent/Received
OSSEC
Blends together aspects of HIDS, log monitoring and SIEM
• Compliance Requirements (PCI, HIPAA, etc.)
• Real-time Configurable Alerts
• Multi-platform (Linux, Solaris, Windows, Mac, VMWare ESX)
• Integration with Current Infrastructure
• Centralized Management
Source: http://www.ossec.net/?page_id=165
File Integrity Checking
Log Monitoring
Rootkit Detection
Active Response
Agents or Agentless
EXCELLENT!
Workflow allows quick pivoting between tools
Bro
Network Miner
ELSA
Wireshark
Hmm. What’s this?
Same EXE is going to a lot of different IPs…
Mass infection or just a software update?
Quickly pivot to the transcript to see that it’s just an update from the great Googly Moogly
How Effective is it During a Real Incident?
Snort IDS sends alerts to the Sguil console. Also sends email alerts to security analyst.
IP of web filter we had at that time
How Effective is it During a Real Incident?
Quickly pull transcript from Sguil.
Name of the Flash file
Quickly extracted Flash file using NetworkMiner.
Ran through VirusTotal a few days later for grins.
Once again, poor detection ratio.
Timeline
• Incident occurred on 10/17/14
• New version of Flash was released on 10/14
• Previous patch had been applied
• New Vuln notice released on 10/15
• Why did we get burned?
• Because we were 3 days behind on patching
No need to cry.
Why?
Time from notification until machine was isolated was 9 min.
Is life always that good? No.
• This was a best case scenario.
• Extremely happy with any detection/response within an hour. Goal is less than 24hrs.
• Sometimes things will sit and wait.
• Often don’t make enough noise to detect until they phone home. Or try to cross a network segment.
• Will it always find everything? Nope.
• Will you have full pcaps and logs so you (or an outside expert) can determine what really happened?
Thanks to Security Onion, what bugs have we successfully exterminated over the past year?
• Fiesta EK
• InstallRex
• Angler EK
• Cool EK
• Styx EK
Baby steps
Lessons Learned
Network Architecture
• Use small test cases when implementing network segmentation
• Put ACLs in Audit mode if possible
• There will be required business traffic that you did not anticipate a need for
• Be responsive to users during implementation
• Communicate about the changes you are making and why
Lessons Learned
• Take Doug Burks’ Security Onion 101, 201 and/or SO 301 – Best Practices for Distributed Deployments
• Will save you a ton of time
• Tune, Tune, Tune
• Review Snort rule sets, over 15K by default
• 15K will bog yo shiznit down
• Disable/Threshold (Suppress)/Autocat
• Monitor Sguil alerts EVERY DAY
• Otherwise you might find it gets a bit disoriented
• Always run updates using soup
• DO NOT update Security Onion using normal Ubuntu update procedures or it will make you cry
• If you’re in a Windows Env. use a SO VM to manage your deployment.
Keep an Eye on the Health of Your Sensors
• sostat – Security Onion status of each sensor
• Keep an eye on Sguil uncategorized events
• ELSA log node ssh tunnels: which sensors have made a successful connection back to the master server
• Log archive: how many days of pcaps do you have stored
• Bro netstats: health of Bro and whether it is missing or overlooking any data
• IDS Engine packet drops: are you dropping packets/alerts – can the sensor keep up with the traffic?
• SALT
• Always update the master first.
• Always run a SALT ping to test connectivity of all sensors before issuing commands
Pros
• Easy to try before you buy
• Minimal initial investment
• Easy to roll out in a staged approach
• Reasonable hardware costs
• No software costs
• Good community support
• Centralized Management
• Threat intelligence
• Excellent workflow
Cons
• Learning curve
• Especially if you’re a Windows shop
• No major company behind it
• When we first started there was no commercial support available
• There are now options: http://www.securityonionsolutions.com/p/welcome-to-security-onion-solutions.html
• It needs daily love and care
• Shouldn’t you be looking at your detection system daily anyway?
PEOPLE & PROCESS are the keys to long term
success. NOT the latest gadget.
Questions?
Incident Response Using Security Onion
Grant’s Presentation: https://youtu.be/1qUF3Bv7dIQ
Where to start?
Just download Security Onion and tinker with it. Takes minutes to install in a VM or an old workstation: https://security-onion-solutions.github.io/security-onion/
Use pcaps from http://www.malware-traffic-analysis.net/trainingexercises.html to learn how an incident looks and how to go about investigating it.
If you’re thinking about deploying it at work, this will be the best $99 you ever spent: https://attendee.gototraining.com/9z73w/catalog/8119062504158470144?tz=America/New_York
It will save you time (therefore money) and some headaches