Episode336

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

mp3 pt 1

mp3 pt 2

Announcements

Security Weekly - Episode 336 for Thursday June 20th, 2013

  • The Hills have IPs!! Defensive Intuition (the Consulting arm of Security Weekly Enterprises) and Black Hills Information Security have joined forces to offer all your training, Active Defense and pen test needs! Visit www.blackhillsinfosec.com for more information.
  • We are looking for sponsors for monthly webcasts in conjunction with SANS - contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club; it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
  • BSides RI recap and wrap-up. We are already actively working on next year, we're looking for sponsors and volunteers, and we have a web site! http://bsidesri.org

Interview: Pete Lindstrom from Spire Security

Pete Lindstrom is Principal and Vice President of Research for Spire Security, an industry analyst firm providing analysis and research in the information security field. Pete operated as the deputy to the Chief Information Security Officer for Wyeth Pharmaceuticals and honed his finance and technology skills in the United States Marine Corps where he was one of two disbursing officers in theater during the First Gulf War.

  1. How did you get your start in information security?
  2. What advice do you have for others just getting their start in information security?
  3. Let's argue one side of the coin: if we are more public about our disclosure, in other words, we tell the world about the vulnerabilities we've discovered, wouldn't that help shape the industry so that vendors would fix software more quickly and/or have a better process for producing better code/products?
  4. What are some of the negative effects of disclosing too early?
  5. You wrote [1] about Google's recently announced seven-day disclosure policy, and raised some interesting issues. What do you think about the policy- good, bad, and/or ugly?
  6. Gartner analyst Jay Heiser spoke about the "Top Ten Security Myths", and Myth #3: "Security risks can be quantified" touches on one of your areas of expertise- risk and metrics. Do you think this is really a myth, or was Jay just pushing back on those who play with numbers for numbers' sake?
  7. Tripwire recently commissioned Ponemon to do a survey on "Is Risk-Based Security Management an Art or Science?". Is that survey art, science, or something else? Any thoughts on the results?
  8. How do we effectively manage risk in the face of uncertainties? We can just be compliant and be good, right?
  9. People ask us all the time, so I will ask you :) what are the top 3 metrics you can present to management to get more help implementing security? 
  10. Let's talk broad topics: risk, metrics, quantitative vs. qualitative, ROI, ROSI, art vs. science, product/platform/system "x" is more secure/insecure than product/platform/system "y", unintended consequences,


Five Questions:

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. In a game of ass grabby-grabby do you prefer to go first or second?
  4. If you wrote a book about yourself, what would the title be?
  5. Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Liam and Seth on Bro IDS

Bro is a passive, open-source network traffic analyzer and was originally developed by Vern Paxson, who continues to lead the project now jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL. Liam Randall and Seth Hall are on to give us additional insight into how Bro IDS is used.

Intro

Seth Hall (@remor) is the lead engineering developer for Bro; an experienced incident responder, he has previously worked at Ohio State University, GE, and other high-profile locations.


Liam Randall (@Hectaman) is a long-time security consultant, trainer, and open source contributor. Our Brovangelist, his talks and training sessions have helped others understand the power and flexibility of the Bro Platform. Professionally, he has brought the Bro Platform to dozens of vertical industry markets and is leading the product development side for Bro.


History

Bro is a BSD-licensed, powerful network analysis platform (@Bro_IDS) currently under development at the International Computer Science Institute and NCSA. Bro passively understands information on the network in real time, and provides analysts and operators with an unmatched stateful paradigm for comprehending and interacting with their networks. Bro processes all your network data scalably and efficiently, and supports the most common TCP/IP-based network protocols over both IPv4 and IPv6. Bro's Turing-complete programming language, along with a rich set of cluster-safe frameworks, allows you to write sophisticated analysis code once and run it anywhere.


Bro IDS, our first great application written in the Bro Networking Programming Language, gives you an in-depth view of your network's activity, which over and over again has proven an invaluable resource for security monitoring, forensics, and troubleshooting. The Bro IDS security stack is built on a tremendously powerful core set of features that gives you dynamic protocol detection,


Demonstration

Bro can either be run live on your network traffic attached to a tap, or used in stand-alone mode to analyze pcaps. For a quick demonstration I have selected some interesting malware sample pcaps gratefully posted by Mila from the Contagio malware dump blog.

Installation

You have three quick and easy options for getting started with Bro:


  1. Our packages: QuickStart & Installation Guides
  2. If you need a little assistance getting Bro up and running, simply download the latest revision of Doug Burks' amazing SecurityOnion, where Bro is included.
  3. Direct from our github git.bro.org

Confirm Bro is successfully installed with:

liam@osprey:~$ bro -v
bro version 2.1

Downloading Samples

Clone the repository:

git clone https://github.com/LiamRandall/bro-training
cd bro-training/malware-demo/


At this point you may want to enable some extra Bro features like file extraction; if you are running Bro 2.1 you can use this helpful video to walk you through the process (it's only two lines of configuration): Bro IDS File Extraction using HTTP, FTP, SMTP & IRC

Example: Trojan:Win32/Yayih.A


$ cd mswab_yayih/
$ bro -r Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap local
$ ls
capture_loss.log conn.log dns.log http.log loaded_scripts.log Mswab_Yayih_FD1BE09E499E8E380424B3835FC973A8_2012-03.pcap notice.log notice_policy.log packet_filter.log reporter.log signatures.log


Bro has done three things for you:


  1. Dynamically detected protocols and created detailed protocol logs for each TCP/IP layer for which it has an analyzer.
  2. Created some interesting "Alert" logs that give you metadata about the sample: capture_loss.log to let you know if the traffic is clean, weird.log for unusual things, and notice.log for detected behavior.
  3. Taken action --> Bro is a programming language, so maybe it reached out to the Team Cymru malware hash registry, or updated Twitter, etc.

Look at these logs now and you should see:

  1. capture_loss.log - no dropped packets
    • counts the TCP sequence numbers to detect dropped packets
  2. conn.log - DNS traffic on 53, HTTP on 443
    • that doesn't look right, does it? You would expect to see SSL on port 443
  3. dns.log
    • OK, 4 queries documented here
  4. http.log
    • hmmm... a bunch of POST requests to /bbs/info.asp
    • important to note: this is VALID HTTP traffic. Our analyzer was able to follow it successfully through state transitions
  5. notice.log
    • There is a lot here, but what should jump out is the notice type "Signatures::Sensitive_Signature" --> a cmd.exe banner detected.


Bro is telling you there is a shell being tunneled through the HTTP traffic!


There are a lot of fun pcaps here, and there are many ways to interface with your Bro logs: the command line, Splunk, Bro's native Elasticsearch writer, or Martin Holste's (@mcholste, https://twitter.com/mcholste) ELSA, which is included in Doug Burks' (@dougburks, https://twitter.com/dougburks) SecurityOnion. However, here are some tips for working from the command line:


  1. Bro is "unixy": if you are not a sed/awk/grep expert you can use our helpful tool bro-cut to parse up the logs by just specifying the column names you would like to view.
  2. Try just summarizing the "who" of a conversation, the ports & protocols; a lot of malware stands out like a sore thumb:

To just display the SourceIP, DestIP, DestPort & heuristically detected service (http, ssl, etc)


cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service


So then you can get some quick summary statistics:

cat conn.log | bro-cut id.orig_h id.resp_h id.resp_p service | sort | uniq -c | sort -n
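As an added example (not part of the original segment, and not Bro's own tooling), here is a small Python equivalent of the bro-cut pipeline above: it reads the Bro ASCII log header (#separator, #fields) itself, produces the same source/destination/port/service counts, and also flags the port/service mismatch (HTTP on 443) that the walkthrough points out. The conn.log excerpt and the expected-service table are constructed for the demo.

```python
from collections import Counter

# Constructed Bro 2.1-style ASCII conn.log excerpt (subset of columns); not output from the pcap on the page.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1331901000.1\tCa1\t10.0.0.5\t1034\t10.0.0.1\t53\tudp\tdns
1331901001.2\tCa2\t10.0.0.5\t1035\t10.0.0.1\t53\tudp\tdns
1331901002.3\tCa3\t10.0.0.5\t1036\t203.0.113.9\t443\ttcp\thttp
1331901003.4\tCa4\t10.0.0.5\t1037\t203.0.113.9\t443\ttcp\thttp
1331901004.5\tCa5\t10.0.0.5\t1038\t203.0.113.9\t443\ttcp\thttp
1331901005.6\tCa6\t10.0.0.5\t1039\t198.51.100.7\t443\ttcp\tssl
#close\t2013-06-20-12-00-00
"""

def parse_bro_log(text):
    """Parse a Bro ASCII log (its #separator value is an escape such as \\x09) into dicts keyed by #fields."""
    sep, fields, records = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
        elif line:
            if fields is None:
                raise ValueError("record appears before the #fields header")
            records.append(dict(zip(fields, line.split(sep))))
    return records

def summarize(records, *columns):
    """Count distinct column tuples: the same view as bro-cut ... | sort | uniq -c | sort -n."""
    counts = Counter(tuple(r[c] for c in columns) for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

# Service expected on a few well-known responder ports (assumption for the demo, not a Bro table).
EXPECTED_SERVICE = {"53": "dns", "80": "http", "443": "ssl"}

def port_service_mismatches(records):
    """Flag flows whose detected service is not what the port implies, e.g. http on 443."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["service"]) for r in records
            if r["service"] != "-" and EXPECTED_SERVICE.get(r["id.resp_p"], r["service"]) != r["service"]]

if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_CONN_LOG)
    for key, n in summarize(recs, "id.orig_h", "id.resp_h", "id.resp_p", "service"):
        print(f"{n:7d} " + "\t".join(key))
    for flow in port_service_mismatches(recs):
        print("port/service mismatch:", flow)
```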


Continue to experiment with the other malware pcaps or the samples included in SecurityOnion; it's neat to see Bro dissecting and analyzing the content of various protocol tunnels like Teredo, GTP, 6in4, and others.

Conclusion

There is way more to Bro than I could demonstrate in one simple blog post. With the Bro Programming Language you can build a huge variety of network applications, even applications that have nothing to do with network monitoring or security. Immediately, Bro IDS is a compelling reason to get Bro into your network today, and in the very short term all of the little pieces of glue to tie your network data to massive troves of intelligence, heuristics, and other integrations are very exciting. Over the long term I know that we'll see other large applications implemented in Bro, things like Bro-DLP, compliance scripts and so forth.


References

  1. QuickStart & Installation Guide
  2. Training Material- including video walk throughs
  3. 2013 Bro Shmoocon Presentation- by Liam Randall, currently the best overview of what we are doing
  4. 2013 Bro Exchange- Our National Science Foundation supported upcoming training session at the National Center for Supercomputing Applications
  5. Details of our Current NSF Funding Award: Abstract #1032889 SDCI Sec Improvement: Enhancing Bro for Operational Network Security Monitoring in Scientific Environments
  6. Broala, The new Bro Core Team Consulting Company
  7. Liam Randall’s upcoming book: Applied NSM

Announcement

Stories

Paul's Stories

  • Do you cover up your webcam? (http://www.f-secure.com/weblog/archives/00002570.html)
  • Security issue in iOS Personal Hotspot (http://www.h-online.com/security/news/item/Security-issue-in-iOS-Personal-Hotspot-1892474.html)
  • Sometimes, The PenTest Gods Shine On You - SpiderLabs Anterior (http://blog.spiderlabs.com/2013/06/sometimes-the-pentest-gods-shine-on-you.html)
  • Critical Update Plugs 40 Security Holes in Java (http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-java/)
  • Texas becomes first US state to ban warrantless email snooping (http://www.securityorb.com/2013/06/texas-state-ban-warrantless-email-snooping/)
  • Beware Of HTML5 Development Risks (http://www.darkreading.com/applications/beware-of-html5-development-risks/240156891)
  • Security Needs More Designers, Not Architects (http://www.darkreading.com/management/security-needs-more-designers-not-archit/240156950)
Larry's Stories

Jack's Stories

Allison's Stories

Patrick's Stories