Securing AWS with HIDS. Gaurav Harsola Mayank Gaikwad

IDS What? Why? How?

Intrusion Detection System. An IDS is a software application that monitors network or system activity for signs of malicious activity.

An IDS is not a firewall: it detects and reports activity, it does not by itself filter traffic.

NIDS and HIDS

HIDS
A host-based intrusion detection system (HIDS) runs on individual hosts and monitors a single computer system. It detects an intrusion and/or misuse and responds by logging the activity. It is an agent that monitors and analyzes whether anything or anyone, internal or external, has bypassed the system's security policy.
Tools: Samhain, OSSEC

NIDS
A NIDS is placed within the network to monitor traffic to and from all devices on the network. It scans all inbound and outbound traffic, operating by inspecting the traffic that passes between hosts.
Tools: Snort, Suricata, Bro, Kismet

Available HIDS
- OSSEC: open source
- Wazuh: open source, a wrapper over OSSEC with an API, ELK integration and a signature DB
- AlienVault: licensed; USM (Unified Security Management) is based on OSSEC
- Trend Micro: licensed
- AlertLogic: licensed

OSSEC? OSSEC is an open source host-based intrusion detection system.

Key features:
- Log analysis
- File integrity checking (Unix and Windows)
- Registry integrity checking (Windows)
- Host-based anomaly detection (for Unix rootkit detection)
- Active response

OSSEC is mainly used for three things:
- See what is going on
- Stop brute-force attacks (ftp, ssh, web)

OSSEC Benefits
- Open source
- Log analysis
- Easy to install
- Easy to customize (rules and config in XML format)
- Scalable (client/server architecture)
- High availability (can have multiple OSSEC servers)
- Multi-platform
- OSSEC ships with standard decoders and rules that analyse logs from common services such as telnetd, sudo, SSH, FTP, etc.
- PCI DSS compliance, to some extent

Ossec Agent/Server Flow

OSSEC Internal Components
- Analysisd: does all the analysis (main process)
- Remoted: receives remote logs from agents
- Logcollector: reads log files (syslog, flat files, Windows event log, IIS, etc.)
- Agentd: forwards logs to the server
- Maild: sends e-mail alerts
- Execd: executes the active responses
- Monitord: monitors agent status, compresses and signs log files, etc.
- Integratord: integrates OSSEC with Slack and PagerDuty
- Authd: daemon that automatically adds an agent to an OSSEC manager

Wazuh. Wazuh is a wrapper over OSSEC that provides additional functionality such as a RESTful API and ELK integration.

OSSEC Server/Client Installation

First, install the required packages:
    sudo apt-get install gcc make git
    sudo apt-get install libssl-dev

Then clone the Github repository:
    mkdir ossec_tmp && cd ossec_tmp
    git clone -b stable https://github.com/wazuh/ossec-wazuh.git
    cd ossec-wazuh
    sudo ./install.sh

Choose "server" for a server installation and "agent" for a client installation when asked about the installation type, and answer the remaining questions as desired.

Once installed, start the OSSEC manager:
    sudo /var/ossec/bin/ossec-control start

Check that the service is running:
    ps aux | grep ossec

Connect Client with Server

After setting up the agent we need to connect it with the OSSEC server. To make life easier, OSSEC added a new daemon on the server, called ossec-authd. It is a daemon you run on the server while you deploy your agents; it populates the agents' keys, and when you have finished deploying you stop it. Once the keys are created, you can start ossec-authd:
    /var/ossec/bin/ossec-authd -p 1515

Setting up the agents. On the agents the work is minimal; all you have to do is run:
    /var/ossec/bin/agent-auth -m <ServerIP> -p 1515 -A <agent-name>

That's it. The keys are now exchanged and you can start your agent:
    sudo /var/ossec/bin/ossec-control start

Sample of Alerts.json

OSSEC Integration with ELK. OSSEC HIDS integration with the ELK stack provides a real-time alert management console, as well as a flexible way to store data for as long as needed.

Ossec Directory Structure

Internal log flow

Log pre-decoding (1). Decoding of an SSHD message. After pre-decoding by OSSEC:
- time/date -> Apr 14 17:32:06
- hostname -> ubuntu
- program_name -> sshd
- log -> Accepted password for root from 192.168.2.190 port ...

Log Decoding (2). The process of identifying key information in logs. OSSEC comes with hundreds of decoders; generally we want to extract the source IP, user name and id. After decoding by OSSEC:
- time/date -> Apr 14 17:32:06
- hostname -> ubuntu
- program_name -> sshd
- log -> Accepted password for root from 192.168.2.190 port
- srcip -> 192.168.2.190
- user -> root

Writing decoders. What does writing a decoder require? sshd example: we want to extract the user name and source IP. If the program name was pre-decoded as sshd (remember pre-decoding?), try this regular expression

Log Rules. The next step after decoding is to check the rules.
- User-defined XML, very easy to write!
- Allows matching based on the decoded information
- OSSEC comes with more than 400 rules by default!

What does a rule require?
- A rule id (any integer)
- A level, from 0 (lowest) to 15 (highest); level 0 is ignored and never alerted
- A pattern: anything from a regex to srcip, id, user, etc.

Writing your own rules
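A worked model of the pipeline described above (pre-decoding, the sshd decoder, then rules with a level and an optional frequency/timeframe), added here as an illustration and not code from OSSEC or the talk: the two regexes, the rule ids and levels are assumptions for this example, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed syslog lines in the layout the slides pre-decode (sample data, not from the page's host).
SAMPLE_LOGS = [
    "Apr 14 17:32:06 ubuntu sshd[1234]: Accepted password for root from 192.168.2.190 port 51234 ssh2",
    "Apr 14 17:32:10 ubuntu sshd[1240]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2",
    "Apr 14 17:32:11 ubuntu sshd[1241]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2",
    "Apr 14 17:32:13 ubuntu sshd[1242]: Failed password for root from 10.0.0.5 port 40003 ssh2",
    "Apr 14 17:32:20 ubuntu cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Pre-decoding: split the syslog header into time/date, hostname, program_name and log.
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$")
# Decoding: an sshd regex written for this example (assumed, not OSSEC's own) extracting user and srcip.
SSHD_RE = re.compile(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port")
# Rules: ids/levels are illustrative (local-rule range); the last is composite: one srcip, N failures in T s.
RULES = [
    dict(id=100101, level=3, when=lambda e: e.get("outcome") == "Accepted"),
    dict(id=100102, level=5, when=lambda e: e.get("outcome") == "Failed"),
    dict(id=100103, level=10, when=lambda e: e.get("outcome") == "Failed", frequency=3, timeframe=120),
]

def decode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog-shaped line: nothing to decode
    ev = dict(zip(("timestamp", "hostname", "program_name", "log"), m.groups()))
    s = SSHD_RE.match(ev["log"]) if ev["program_name"] == "sshd" else None
    if s:
        ev.update(outcome=s.group(1), user=s.group(2), srcip=s.group(3))
    return ev

def run_rules(lines):
    """Return (rule_id, level, srcip) alerts; a level-0 rule would produce no alert at all."""
    alerts, seen = [], defaultdict(deque)
    for ev in filter(None, map(decode, lines)):
        ts = (datetime.strptime(ev["timestamp"], "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
        for r in RULES:
            if not r["when"](ev):
                continue
            if "frequency" in r:  # sliding window of matching events keyed by rule and srcip
                q = seen[(r["id"], ev["srcip"])]
                q.append(ts)
                while ts - q[0] > r["timeframe"]:
                    q.popleft()
                if len(q) < r["frequency"]:
                    continue
                q.clear()  # counter resets once the composite rule fires
            if r["level"] > 0:
                alerts.append((r["id"], r["level"], ev.get("srcip")))
    return alerts
```

Running run_rules(SAMPLE_LOGS) yields three level-5 failure alerts from 10.0.0.5 followed by the level-10 composite alert, while the cron line decodes but matches no rule.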

PCI DSS. Payment Card Industry Data Security Standard.
- Visa, MasterCard and other card brands created a common set of industry security requirements
- Intended to protect cardholder data wherever it resides
- Compliance is mandated for all organizations handling credit card data
- The 12 requirements we need to meet for PCI DSS compliance cover firewalls, passwords, storage, encryption, anti-virus, unique IDs, tracking and monitoring, etc.

OSSEC helps implement PCI DSS by performing log analysis, file integrity checking, policy monitoring, intrusion detection, real-time alerting and active response.

Monitor AWS logs. CloudTrail pushes its logs to an S3 bucket; a Python script then pulls those logs from the bucket and stores them on the OSSEC server for analysis.
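An added example of the CloudTrail-to-OSSEC step, not the script from the talk: it unpacks one CloudTrail object as stored in S3 (gzip-compressed JSON with a Records array) into one JSON record per line that logcollector can tail. The records are constructed, the file path is arbitrary, and the S3 fetch (boto3) is assumed and left out so the code runs offline.

```python
import gzip
import io
import json
import os
import tempfile

# Constructed CloudTrail-style content: CloudTrail writes gzip-compressed JSON with a "Records" array
# to S3. Every value below is made up for this example; nothing is from the page's AWS account.
SAMPLE_TRAIL = {"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-04-14T17:32:06Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventVersion": "1.05", "eventTime": "2018-04-14T17:33:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": None},
]}

def gzip_bytes(obj):
    """Serialize a dict the way a CloudTrail object is stored in S3 (gzip-compressed JSON)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(obj).encode("utf-8"))
    return buf.getvalue()

def cloudtrail_to_lines(gz_data):
    """Unpack one S3 object into one compact JSON object per record, with no embedded newlines."""
    records = json.loads(gzip.decompress(gz_data)).get("Records", [])
    return [json.dumps(r, separators=(",", ":")) for r in records]

def append_for_ossec(gz_data, path):
    """Append the flattened records to the file OSSEC's logcollector tails; returns lines written.

    On the server the file is declared as <localfile><log_format>json</log_format>
    <location>...</location></localfile> (the JSON log_format is supported by the Wazuh fork used above).
    """
    lines = cloudtrail_to_lines(gz_data)
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in lines)
    return len(lines)

def demo():
    """Offline run; in production gz_data would come from boto3's s3.get_object(...)["Body"].read()."""
    path = os.path.join(tempfile.mkdtemp(), "cloudtrail.json")
    written = append_for_ossec(gzip_bytes(SAMPLE_TRAIL), path)
    with open(path, encoding="utf-8") as fh:
        names = [json.loads(line)["eventName"] for line in fh]
    return written, names
```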

Alerting and Notification

Slack integration: integrate the alerts with Slack and set an alert level so that only messages at or above that level reach Slack.
    <integration>
      <name>slack</name>
      <hook_url>https://hooks.slack.com/services/t0ev123bk/b1v3jhzuko97idmcal</hook_url>
      <level>7</level>
    </integration>

Email integration: send granular email alerts, based on level, rule groups or rule_id, to different recipients.
    <email_alerts>
      <email_to>gaurav04@protonmail.com</email_to>
      <group>sql_injection authentication_failed authentication_failures</group>
      <level>6</level>
      <format>sms</format>
    </email_alerts>

HIDS Implementation Testing. Tested FTP and SSH brute-force attacks using Hydra as the penetration testing tool.

Example:
    hydra -L /home/ubuntu/user.txt -P /home/ubuntu/pwd.txt -s 22 <IP> <servicename>
- -L: file containing the list of usernames
- -P: file containing the list of passwords
- service-name: may be ssh, ftp, mysql, telnet
- -s: port number of the service

Elasticsearch UI

Kibana UI

Thanks & Questions?