Architecture for a new portfolio of security tools
IRT fagsamling (IRT professional meeting), 20 November 2017
Arne Øslebø, [email protected]
27. November 2017 SLIDE 2
“We are drowning in information but starved for knowledge.”
John Naisbitt
Basic requirements
Modular
Scalable
Full auditing
Access control
Insert everything into Elastic Stack or Splunk?
Commercial SIEM?
ArcSight
LogRhythm
Splunk Enterprise Security
Open source SIEM?
OSSIM
Apache Metron
High level architecture
Data transport: Apache NiFi
Data transport: Apache MiNiFi
Storage: Elasticsearch with Siren Plugin
Vanguard Siren platform
Manual analysis: Kibi
Threat analysis/sharing: MISP
Detailed architecture
Siren platform
Wazuh
Wazuh: rule-based
<rule id="5700" level="0" noalert="1">
  <decoded_as>sshd</decoded_as>
  <description>SSHD messages grouped.</description>
</rule>

<rule id="5710" level="5">
  <if_sid>5700</if_sid>
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
</rule>
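The two rules above form a parent/child pair: 5700 is a level-0 "grouping" rule that only classifies a line as sshd output and never alerts, and 5710 fires only when 5700 has already matched (if_sid) and the message contains one of the alternatives in match. The following added example (written for this page, not Wazuh's own engine or ruleset) walks that chain over a few constructed sshd syslog lines. The decoder regex is a stand-in for Wazuh's real sshd decoder, and match is approximated as a case-insensitive substring test with "|" as OR, which is what makes the rule catch the "Invalid user ..." lines OpenSSH actually writes.

```python
import re

# Constructed syslog lines (not from the slides) in the shape Wazuh's sshd decoder sees.
SAMPLE_LOGS = [
    "Nov 17 11:02:13 host sshd[2113]: Invalid user admin from 203.0.113.7 port 51234",
    "Nov 17 11:02:15 host sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Nov 17 11:03:40 host sshd[2140]: Accepted publickey for arne from 192.0.2.10 port 50022 ssh2",
    "Nov 17 11:04:01 host cron[2150]: (root) CMD (run-parts /etc/cron.hourly)",
]

# The slide's two rules, as dicts instead of XML. Order matters: parents
# must be evaluated before the children that reference them via if_sid.
RULES = [
    {"id": 5700, "level": 0, "noalert": True, "decoded_as": "sshd",
     "description": "SSHD messages grouped."},
    {"id": 5710, "level": 5, "if_sid": 5700, "match": "illegal user|invalid user",
     "description": "sshd: Attempt to login using a non-existent user"},
]

# Stand-in decoder (assumption for this example): program name from the syslog header.
PROGRAM_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[a-zA-Z_-]+)\[\d+\]: (?P<msg>.*)$")


def decode(line):
    """Return (program, message); program is None when the header does not parse."""
    m = PROGRAM_RE.match(line)
    return (m.group("prog"), m.group("msg")) if m else (None, line)


def match_rule(rule, prog, msg, matched_ids):
    """Apply decoded_as, if_sid and match in the order Wazuh applies them."""
    if "decoded_as" in rule and rule["decoded_as"] != prog:
        return False
    if "if_sid" in rule and rule["if_sid"] not in matched_ids:
        return False
    if "match" in rule:
        # Approximation of Wazuh <match>: case-insensitive substring, '|' separates alternatives.
        alternatives = rule["match"].split("|")
        if not any(a.lower() in msg.lower() for a in alternatives):
            return False
    return True


def evaluate(line):
    """Return the alert for the deepest matching rule, or None if nothing alert-worthy matched."""
    prog, msg = decode(line)
    matched, best = set(), None
    for rule in RULES:
        if match_rule(rule, prog, msg, matched):
            matched.add(rule["id"])
            best = rule
    if best is None or best.get("noalert"):
        return None  # only the level-0 grouping rule matched: classified, but no alert
    return {"rule_id": best["id"], "level": best["level"], "description": best["description"]}


def run(lines=SAMPLE_LOGS):
    return [evaluate(line) for line in lines]
```

The third sample line ("Accepted publickey ...") shows the point of level 0 with noalert: it is recognised as sshd output and grouped under 5700, but produces no alert, while both "Invalid user" lines fall through to 5710 at level 5.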
OpenSCAP
OpenSCAP is a tool designed to check the security compliance and hardening of systems using industry-standard security baselines for enterprise environments.
Security Content Automation Protocol (SCAP)
• OVAL (Open Vulnerability and Assessment Language)
• XCCDF (Extensible Configuration Checklist Description Format)
• ARF (Asset Reporting Format)
• CPE (Common Platform Enumeration)
• CVE (Common Vulnerabilities and Exposures)
• CWE (Common Weakness Enumeration)
Example: sudo chown root /etc/shadow
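The chown example is the remediation side of a file-ownership check of the kind OVAL content expresses for /etc/shadow. The following added illustration (written for this page; it is not OpenSCAP or its OVAL/XCCDF content) shows what such a check evaluates and how its result maps to an XCCDF-style pass/fail. The expected owner (uid 0) and maximum mode (0640) are assumptions; distributions differ, so take them from the baseline you actually audit against.

```python
import os
import stat
import tempfile


def check_shadow_file(path="/etc/shadow", want_uid=0, max_mode=0o640):
    """Evaluate owner and mode of a file; returns individual tests plus an overall result.

    want_uid=0 and max_mode=0o640 are assumed baseline values, not taken from the slides."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    tests = {
        "owner_is_root": st.st_uid == want_uid,
        "no_world_access": (mode & 0o007) == 0,
        "mode_within_max": (mode & ~max_mode) == 0,  # no permission bit set beyond max_mode
    }
    tests["result"] = "pass" if all(tests.values()) else "fail"
    return tests


def remediate_shadow_file(path="/etc/shadow", want_uid=0, mode=0o640):
    """Apply the fix (the slide's 'sudo chown root /etc/shadow', plus chmod) and re-check.

    Needs root to succeed; os.chown raises PermissionError otherwise."""
    os.chown(path, want_uid, -1)  # -1 leaves the group unchanged
    os.chmod(path, mode)
    return check_shadow_file(path, want_uid, mode)


def demo_on_temp_file(mode):
    """Run the check against a throwaway file with the given mode, so it can be tried without root."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_shadow_file(path)
    finally:
        os.unlink(path)
```

Run as an unprivileged user, demo_on_temp_file(0o600) fails only on owner_is_root, which is exactly the finding "sudo chown root" remediates; 0o666 additionally fails the world-access test, which chown alone would not fix.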
Wazuh: Kibana App: General overview
Wazuh: Kibana App: File integrity
Current status and future work
All components have been tested individually with a limited data set
Working on setting up SiLK for production
Working on Wazuh
Full prototype
• Will start working on it soon
• Anonymized data in the beginning
• Real data when things are secured
• Small scale from selected sources
• UNINETT CERT will use it every day for analysis
Production
• Late 2018?
SiLK
NetFlow/IPFIX tool
>50 commands
• Connected through pipes, named pipes or files
• Essential: rwfilter, rwstats, rwcount, rwcut, rwsort, rwuniq
Flexible architecture
SiLK traffic types
rwfilter
Multiple rwfilter
SiLK commands
$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --type=all --ip-version=6 --print-volume-statistics
     |     Recs|   Packets|        Bytes| Files|
Total| 31227822| 733951870| 581778614555|    12|
Pass |  2200839|  17778318|  13850680377|      |
Fail | 29026983| 716173552| 567927934178|      |

$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --sensors=oslo-gw7 --type=in --protocol=6 --packets=100- --pass=stdout --max-pass-records=5 | rwcut --fields=1-5
        sIP|        dIP|sPort|dPort|pro|
  78.83.x.y| 128.39.x.y|56084|33896|  6|
  78.83.x.y| 128.39.x.y|56084| 3308|  6|
  78.83.x.y| 128.39.x.y|56084| 3483|  6|
  78.83.x.y| 128.39.x.y|56084| 3344|  6|
 91.247.x.y| 128.39.x.y|45762|  911|  6|
SiLK commands (2)
$ rwfilter --start-date=2017/11/17T11 --end-date=2017/11/17T12 --type=all --protocol=6 --pass=stdout | rwuniq --fields=sIP --values=Bytes,Packets,Flows,Distinct:dIP --flows=1000-
        sIP|    Bytes| Packets| Records|dIP-Distin|
  13.33.x.y| 13028387|   29081|    6729|        81|
151.157.x.y|  8558322|   20683|    1490|       111|
 40.101.x.y|  4038893|    7921|    1554|        51|
 185.33.x.y|  4872539|   10564|    1195|        47|
 37.252.x.y|  7671261|   14449|    1404|        52|
 17.252.x.y|  1744592|    8616|    1058|        31|
Manual analysis: FlowViewer
SilkWeb
Automatic analysis: Analysis Pipeline
Processes flows in real time
Simple but powerful scripting language
Router stops sending data:
FILE_EVALUATION sensorOutage
  CHECK FILE_OUTAGE
    SENSOR_LIST ALL SENSORS
    TIME_WINDOW 2 HOURS
  END CHECK
END FILE_EVALUATION

Outbound SSH scan:
FILTER Ssh
  DPORT == 22
END FILTER

EVALUATION SSHScan
  FILTER Ssh
  FOREACH SIP
  CHECK THRESHOLD
    DISTINCT DIP > 20
    TIME_WINDOW 5 MINUTES
  END CHECK
  ALERT 1 TIMES 7 DAYS
  ALERT TYPE OutboundSSHScan
  CLEAR ALWAYS
END EVALUATION
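The SSHScan evaluation is a per-source-IP threshold on distinct destinations inside a sliding window, with alert suppression so one scanning host does not page the CERT every five minutes. The following added example (written for this page; it is not the Analysis Pipeline engine) implements the same logic over constructed flow records: FILTER Ssh on dport 22, FOREACH SIP, DISTINCT DIP over a five-minute window, at most one alert per source per seven days. CLEAR ALWAYS is interpreted here as resetting the source's window state after an alert, which is an assumption. The threshold is a parameter; the alert record shown later in the deck carries pipeline.metric.value 3, lower than the 20 in the snippet above, so treat the value as a tunable rather than a constant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


# Constructed flows (not from the slides): (stime, sip, dip, dport). Documentation-range
# addresses are used; the 158.38/158.39 prefixes on the slides are not reproduced.
SAMPLE_FLOWS = (
    [(_t("2017-11-16T13:20:00"), "198.51.100.1", f"203.0.113.{i}", 22) for i in range(1, 26)]   # 25 targets in one minute
    + [(_t("2017-11-16T13:21:00"), "198.51.100.1", "203.0.113.30", 22)]                            # same source, one more target
    + [(_t("2017-11-16T13:22:00"), "198.51.100.2", f"203.0.113.{i}", 22) for i in range(40, 50)]  # 10 targets: below threshold
    + [(_t("2017-11-16T13:23:00"), "198.51.100.3", f"203.0.113.{i}", 443) for i in range(1, 40)]  # HTTPS, filtered out
    + [(_t("2017-11-16T13:40:00"), "198.51.100.1", f"203.0.113.{i}", 22) for i in range(60, 85)]  # second burst, same source
)


class SshScanEvaluation:
    """FILTER Ssh -> FOREACH SIP -> CHECK THRESHOLD DISTINCT DIP over TIME_WINDOW, with ALERT 1 TIMES."""

    def __init__(self, threshold=20, window_minutes=5, suppress_days=7):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.suppress = timedelta(days=suppress_days)
        self.seen = defaultdict(deque)  # sip -> (stime, dip) records inside the window, oldest first
        self.last_alert = {}            # sip -> time of the last alert raised for it

    def feed(self, stime, sip, dip, dport):
        """Process one flow in time order; return an alert dict or None."""
        if dport != 22:                                   # FILTER Ssh: DPORT == 22
            return None
        window = self.seen[sip]
        window.append((stime, dip))
        while window and stime - window[0][0] > self.window:   # expire records older than TIME_WINDOW
            window.popleft()
        distinct = len({d for _, d in window})            # DISTINCT DIP
        if distinct <= self.threshold:
            return None
        last = self.last_alert.get(sip)
        if last is not None and stime - last < self.suppress:  # ALERT 1 TIMES 7 DAYS
            return None
        self.last_alert[sip] = stime
        window.clear()                                    # CLEAR ALWAYS (assumed: reset state after alerting)
        return {"type": "OutboundSSHScan", "sip": sip, "distinct_dip": distinct, "time": stime}


def run(flows=SAMPLE_FLOWS, **params):
    """Feed flows in stime order and collect the alerts."""
    evaluation = SshScanEvaluation(**params)
    alerts = []
    for flow in sorted(flows):
        alert = evaluation.feed(*flow)
        if alert:
            alerts.append(alert)
    return alerts
```

With the defaults the 25-target burst from 198.51.100.1 raises one alert on its 21st distinct destination; the second burst twenty minutes later is suppressed, and the 10-target source never crosses the threshold. Lowering suppress_days to 0 makes the second burst alert again, which is what the suppression clause is there to prevent.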
Analysis Pipeline Alerts
Alert as shipped by Filebeat (outer record; the "message" field is itself a JSON document, shown decoded below):
{
  "@timestamp": "2017-11-16T13:24:05.135Z",
  "_service": "certlogs",
  "_token": "CSE1D7A0176X59CG",
  "beat": {"hostname": "trd-col.cert.uninett.no", "name": "trd-col.cert.uninett.no", "version": "5.6.4"},
  "input_type": "log",
  "message": "(JSON string; decoded below)",
  "offset": 5068063,
  "source": "/data/pipeline/log/pipeline-20171116.log",
  "type": "analysis_pipeline"
}

Decoded "message":
{
  "envelope": {
    "generator": "org.cert.netsa.pipeline",
    "generator_version": "4.5.1",
    "severity": 3,
    "timestamp": "2017-11-16T13:23:58.837102Z",
    "analysis_tags": ["type:OutboundSSHScan", "analysis:SSHScan"]
  },
  "body": {
    "flow": [{
      "stime": "2017-11-16T13:22:44.744000Z", "elapsed": 2.304,
      "sip": "158.38.x.y", "dip": "158.39.x.y", "sport": 60941, "dport": 22, "proto": 6,
      "packets": 32, "bytes": 5001, "flags": "", "flags_initial": "",
      "sensor_name": "teknobyen-gw2", "flow_class": "all", "flow_type": "int2int",
      "application_id": 0, "icmp_type": 0, "icmp_code": 0
    }],
    "sip.cc": ["no"],
    "dip.cc": ["no"],
    "pipeline.unique.field": ["SIP"],
    "pipeline.unique.value": ["158.38.x.y"],
    "pipeline.metric.type": ["DISTINCT"],
    "pipeline.metric.fields": ["DIP"],
    "pipeline.metric.value": [3]
  }
}
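The record above is JSON inside JSON: Filebeat wraps each line of the pipeline log as a string in "message", so indexing it as-is leaves the alert type, key value and metric inside an opaque blob that Elasticsearch cannot query by field. The following added example (written for this page; not part of the UNINETT setup, NiFi or the Analysis Pipeline) unwraps one such record into a flat document. The sample record is constructed to mirror the slide's shape with made-up hostnames and addresses; the output field names are this example's own choice.

```python
import json

# Constructed Filebeat-wrapped Analysis Pipeline record, modelled on the slide's alert.
# Hostnames, addresses and sensor name are made up; the structure is what matters.
SAMPLE_RECORD = json.dumps({
    "@timestamp": "2017-11-16T13:24:05.135Z",
    "beat": {"hostname": "collector.example.org", "version": "5.6.4"},
    "input_type": "log",
    "source": "/data/pipeline/log/pipeline-20171116.log",
    "type": "analysis_pipeline",
    "message": json.dumps({
        "envelope": {
            "generator": "org.cert.netsa.pipeline",
            "generator_version": "4.5.1",
            "severity": 3,
            "timestamp": "2017-11-16T13:23:58.837102Z",
            "analysis_tags": ["type:OutboundSSHScan", "analysis:SSHScan"],
        },
        "body": {
            "flow": [{"stime": "2017-11-16T13:22:44.744000Z", "elapsed": 2.304,
                      "sip": "198.51.100.4", "dip": "203.0.113.9", "sport": 60941,
                      "dport": 22, "proto": 6, "packets": 32, "bytes": 5001,
                      "sensor_name": "gw-example", "flow_type": "int2int"}],
            "sip.cc": ["no"], "dip.cc": ["no"],
            "pipeline.unique.field": ["SIP"],
            "pipeline.unique.value": ["198.51.100.4"],
            "pipeline.metric.type": ["DISTINCT"],
            "pipeline.metric.fields": ["DIP"],
            "pipeline.metric.value": [3],
        },
    }, indent=1),
})


def parse_pipeline_record(line):
    """Decode the Filebeat envelope, then the JSON string in 'message', into one flat dict."""
    outer = json.loads(line)
    if outer.get("type") != "analysis_pipeline":
        raise ValueError("not an analysis_pipeline record")
    inner = json.loads(outer["message"])     # second decode: the pipeline's own JSON
    envelope, body = inner["envelope"], inner["body"]
    # "type:OutboundSSHScan" -> {"type": "OutboundSSHScan"}; split on the first colon only
    tags = dict(tag.split(":", 1) for tag in envelope["analysis_tags"])
    flows = body.get("flow", [])
    return {
        "received": outer["@timestamp"],
        "generated": envelope["timestamp"],
        "collector": outer.get("beat", {}).get("hostname"),
        "severity": envelope["severity"],
        "alert_type": tags.get("type"),
        "evaluation": tags.get("analysis"),
        "key_field": body["pipeline.unique.field"][0],
        "key_value": body["pipeline.unique.value"][0],
        "metric": body["pipeline.metric.type"][0] + ":" + body["pipeline.metric.fields"][0],
        "metric_value": body["pipeline.metric.value"][0],
        "flow_count": len(flows),
        "dports": sorted({f["dport"] for f in flows}),
        "sensors": sorted({f["sensor_name"] for f in flows}),
    }
```

The flat document is what you would hand to NiFi for routing or index directly: alert_type and key_value become filterable fields, and the nested flow list is summarised rather than duplicated.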