Network security monitoring. Patrick Crowley Bo Bayles!

Transcription

1 Network security monitoring Patrick Crowley Bo Bayles!

2 Part 1: The coming cryptopocalypse

3 Image credit: Bo s search history

4 Other things in Bo s search history

5 Encryption is eating the world You ve probably heard about the effect encryption is having on traditional security tools Deep packet inspection relies on extracting data from network traffic, e.g., to compare payloads against signatures Encryption prevents DPI from working - packet payloads are unintelligible when encrypted More services and apps switch to using end-to-end encryption every day; in the limit everything is encrypted

6 No encryption: DPI is possible OSI model - deep packet inspection examines works for unencrypted traffic

7 TLS encryption: DPI is impossible OSI model - deep packet inspection fails for encrypted traffic

8 The drunk looking for keys under the streetlight approach One response to this trend: just pretend like encryption doesn t exist. Inspect the unencrypted traffic and ignore the rest. I probably don t need to point out the flaws here. \_(ツ)_/

9 The single point of, uh, success approach Description The SSL gateway is a popular method used by big companies Sets up a man in the middle between clients and servers Tricks clients into accepting the MITM s certificate as valid for the servers Replays and rewrites client requests and server responses Problems The SSL gateway is a valuable target Can t always install the MITM certificate on the clients (especially for IoT) Browser certificate pinning and HPKP can detect snooping and refuse to work Who says bad things have to use SSL?

10 The go ahead and trust the thing we re not sure whether we should trust approach Description Install a software agent on clients to snoop on decrypted traffic Analyze the decrypted traffic on the client itself (traditional antivirus approach) Send summary traffic and logging to a central server for analysis or archival Problems We re worried about the client being compromised, so... we ll ask it whether it s compromised? Can t always install agents on the clients (espeically for IoT) This is an O(N) solution and not O(1) You probably have to do this in spite of the problems

11 Image credit:

12 Part 2: Monitoring tools and cloud computing

13 Image credit:

14 Image from Observable Networks

15 Clown watching The shift to cloud computing is sort of a dream for security in some ways There is a centralized place to configure resources, you re always aware of what you ve got running, you get fine-grained controls over who can do what However, some important monitoring tools practices aren t (or weren t) available Since you don t control the network you can t run IDSs or sample traffic

16 Requiem for Wireshark When you control the network you have access to useful things like mirror ports and NetFlow logging Traffic captures are helpful for debugging Some IDSs aren t terrible... NetFlow is a primary input to DDoS detectors Malicious users can t help but leave a trail on the network (this is important!)

17 Sample NetFlow data - unlike DPI, NetFlow provides data from layers 3 and 4 (no cat pictures)

18 Ode to VPC Flow Logs Good news for AWS users: as of , you can turn on Flow Logs if you use VPCs VPC Flow Logs are akin to NetFlow Flow Logs get stored in CloudWatch Logs Most everything gets logged, even the things you can t install agents on You should turn on flow logging! They re useful for performance and security monitoring, forensics, and making flashy graphics

19 VPC Flow Logs - just like NetFlow

20 Part 3: Endpoint modeling

21 What to do when life gives you lemons, water, and sugar We ve discussed two problems Most packet capture tools are unavailable in the cloud (the best thing is VPC flow logging) Even where we have packet capture, encryption prevents us from seeing beyond layers 3 and 4 Perhaps we can work with what we ve got?

22 Endpoint modeling approach Model: Use flow log data to build a model of the behavior of each device on the network Observe: As new flows come in, compare them to the model and ask what s changed? Alert: From the set of things that have changed, ask do any of these changes represent a security threat?

23 Observation examples The model of each device tracks lots of different behaviors over time Have we ever observed instance X connecting to the Internet? How much does instance X send in a day? What connections does instance X make over and over again? What ports and protocols have we seen instance X use? At what times is instance X normally active?

24 Generalized endpoint modeling Do all of the instances on the local network use the same DNS server? Does one member of this auto-scaling group act different from the rest? Is one instance in contact with a geographic region that no others on the network are? Are the security groups (or firewalls) allowing new traffic to reach instances? Does this network normally see Dropbox / Github / TeamViewer traffic?

25 Example alert from the Observable Networks web portal - tracking a persistent change in behavior

26 Benefits of endpoint modeling Incorporating the past behavior of a device helps contextualize new information - we discover the roles a device plays on the network This helps to keep the signal-to-noise ratio high for alerts - what s OK for the mail server may not be OK for a user s PC Multiple levels of analysis possible: rule-based, pattern-based, devicefocused, network-focused Using NetFlow data keeps sensitive information out of the monitoring system

27 Observable Networks Endpoint modeling as a service Network security alerts delivered to your , Slack chatroom, log collector, or ticketing system Driven by VPC Flow Logs (in AWS), NetFlow, or mirror port connection Integrates AWS metadata to track instances, groups, tagged resources, etc. over time Integrates with other AWS services like CloudTrail and Inspector for additional alert types

28 Observable spam alert - endpoint modeling knows the mail server from the user s PC

29 Observable role identification and AWS metadata integration

30 Part 4: Analyzing flow logs

31 CloudWatch Logs & VPC Flow Logs For low-to-medium traffic VPCs you can use the CloudWatch Logs API to retrieve VPC flow logs The AWS CLI can can easily give you JSON: Observable s flowlogs-reader tool can easily give you plaintext output aws logs filter-log-events --log-group-name="flowlog_group" pip install flowlogs-reader flowlogs_reader "flowlog_group"

32 Kinesis & VPC Flow Logs For high-traffic VPCs the CWL API probably won t work The AWS CLI will give you JSON, but the payload is Base64-encoded and gzipped, not something you can easily use Never fear: Observable s kinesis-logs-reader will give you plaintext output pip install kinesis-logs-reader kinesis_logs_reader flowlog_group

33 VPC Flow Logs Analysis Pipeline CWL subscriptions can automatically feed data into Kinesis A Kinesis data source can automatically feed data into many different Lambda instances The Lambda function can examine the flow logs and output results to a location of your choice.

34 Part 5: Vulnerability assessment

35 Amazon Inspector Amazon s new Inspector service automates vulnerability discovery Would you know if your EC2 instances were running outdated versions of OpenSSH, ImageMagick, or NTP? To use Inspector you must install its agent on targeted instances Run different assessments by selecting different instance tags Run again after making changes to verify fixes

36 Sample inspector finding - this instance needs a kernel update

37 Observable integration with Amazon Inspector, which reports on vulnerability assessments

38 Part 6: Slightly faster ransomware detection

39 State of ransomware detection: not good? A bit not good, yeah. Antivirus coverage is really low. Malware can do a lot of damage in a short amount of time, especially if it gets hold of a network share. Your backup processes may prevent you from having to pay up, but restoring is a pain itself.

40 Locky malware executable with 0 detections

41 What did miners have against canaries? Until AV vendors get their acts together, decreasing time-to-detection for ransomware will be important Some administrators have hit upon the idea of a honeypot / tripwire network share Hosts some files whose contents are well known, monitor them for changes When there s a change alert administrator about who did it

42 Why can t there ever be a silver bullet The sentinel file approach has all the limitations you can think of... The ransomware has to find and change that file to generate a notification It probably needs to be put into a mapped drive Curious users can trip the alarm by modifying the target file Some malware is smart enough to look for recently-changed files, might skip the sentinel

43 Alert for sentinel file change in Observable web portal

44 This too shall pass The AV vendors will probably figure something out C&C server tracking is getting better - the abuse.ch tracker took a chunk out of several large botnets; will do the same for ransomware But in the meantime: make sure your backups are good

45 The end Bo Bayles: Observable Networks: Open-source AWS tools and more:

46 Observable free tier Monitor a small VPC (e.g. development environment) for free Up to 10M flows / month (you can see what the usage is) Normally we ve 60-day trials, but if you put Art Vandelay as your name we ll set you up as a free tier user