44CON 2014 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley

Lessons Learned: Black Hat’s Infrastructure. THE TWEETS MUST FLOW. September 11, 2014

Upload: 44con

Post on 29-Nov-2014


DESCRIPTION

44CON 2014 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley. Let’s take a quick trip across the sea to the halls of Black Hat. What made the training network tick? How was it created, who was attacking the network, and how was it defended? How do you keep the wired training network up and reliable when you have nearly two thousand people hammering on it? What tricks kept the wireless running for all those tweets?

TRANSCRIPT

Page 1: 44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley

Lessons Learned: Black Hat’s Infrastructure

THE TWEETS MUST FLOW

September 11, 2014

Page 2:

25,000 DNS PACKETS IN 4 SECONDS BY ONE CLASSROOM

Page 3:

Who am I?

HOW DID I GET HERE?

Then: Technical Engineer & Volunteer Director @ Black Hat

Now: Security Analyst @ Bishop Fox

Twitter: @conandooley

Page 4:

Introduction

LET’S TALK ABOUT YOU AND ME

Black Hat
• Good to talk at; also good to talk about!

Entertain
• I have some stories

Lessons Learned
• There were some great security lessons learned

Going Meta
• Experience at Black Hat as it relates to the problems I see in security

Page 5:

Supporting Infrastructure

24/7/365 ON CALL

Owning Things
• Black Hat is owned by UBM

Technical Staff
• Usually one person, supporting everything
• Sometimes two – those were the good days

Security Basics
• Segment everything
• Redundancy
• Keep it simple

Page 6:

Supporting Infrastructure

PRETTY PICTURES

Diagram labels:
This cloud is dark because of all the black hats
Firewalls in High Availability Mode
Switches with lots of VLANs
It’s BSD and virtualized BSD all the way down

Page 7:

EVENTS

USA! USA! USA! USA! (OH, AND EUROPE, AND ABU DHABI, AND…)

Page 8:

Overview

HACKIN’ AROUND THE WORLD, BUT MOSTLY IN THE DESERT

Volunteers
• Approximately 75 people willing to work insane hours
• Wouldn’t be possible without them

Attendees
• Nearly 10,000 attendees: Elevate tweets, not privileges

Trainings
• 1500 Wired Students: Ready to chew gum and pop shells

Presenters
• Yes, my live demo requires Internet!

Page 9:

Black Hat’s Event Network

SOME SAY…

Assumptions made about Black Hat’s on-site network:
• It’s stacked deep with 0days!
• Second most hostile network in the world …

Security must be the top priority at Black Hat!

Page 10:

LOL (FIND PICTURE)

Page 11:

The Reality of it All

Why would a media company care about security?
• None of their other events need security!

Security Priorities the Business Cares About
• Don’t get the registration database owned
• Protect the CFP platform
• Avoid Brand Damage
• That’s it, right?

Page 12:

Blue Boxes

LITTLE BOXES MADE OF TICKY TACKY

Linksys Routers
• Every classroom, blessed with their own tiny blue protector

Switches
• 10/100 is all any honest network needs

Artisanal, Bespoke Cables
• Handmade with love
• Welcome Volunteer, here’s a roll of cable, some ends, and a punch down tool!

Page 13:

THE ENTIRE WORLD IS FIRE (FIND PICTURE)

Page 14:

THANKFULLY, I WASN’T AROUND THEN
BUT I DID HELP FIX IT…

Page 15:

Keep Calm and Segment Your Network

STILL KEEPING IT SIMPLE

SOHO? More like SO NO
• Replaced Linksys boxes with Soekris 6501

OpenBSD
• Reliable
• Simple
• Does nothing (except what you tell it to)

Quality of Service
• PF and ALTQ

Page 16:

Design

PRETTY PICTURES, A CAVEMAN COULD DO IT EDITION

Diagram labels:
Classrooms
Soekris 6501 per Classroom
Hotel Switches
…Gateway laptop?

Page 17:

Baby’s First NOC

LIKE FISHER PRICE, BUT WITH MORE USB ADAPTERS

Laptop Gateway
• Quad Core
• Battery Backup
• Plenty of USB Ports… good for 10/100 USB adapters

Physical Setup
• Cardboard Walls
• Power Strip
• Table
• Sometimes the lock would jam – impossible to pick

Page 18:

THREAT MAUDLIN
SHOULD HAVE BEEN MORE OPTIMISTIC

Page 19:

External Attackers

SHOW ME YOUR HACKING HAT

Nope.
Definitely not.
Strict no ski mask policy.
Block them all.

Page 20:

Internal Attackers

BEWARE OF PEOPLE WEARING MASKS OF THEIR OWN FACE

No mask policy: still good
Everyone’s gotta live somewhere…
100% successful defense through intimidation and/or yelling

Page 21:

A Simple Threat Model and Mitigations

FORMALIZE!

External Attackers
• Blocked

Bad Students
• Limited to their classrooms or the Internet

Bad Attendees
• Could be jerks on the wireless – accepted risk
• No access to physical networks without breaking something

Other Network Attackers
• Press – VLANs and isolation plus warnings
• Staff – Access controlled
• Registration – Access controlled

Page 22:

Controlled Hostility

BACK TO BASICS

Monitor
• Know where you’re down
• Helps you yell at the right people

Wireless
• Auto-smoosh rogue APs
• Pineapple the world
• Pineapple: Spoof networks wireless devices have connected to previously
• No one cares as long as the Internet works

Page 23:

BLACK HAT: HACKERS BEHAVING NICELY

Page 24:

GOOD DESIGN
COULDN’T TELL YOU WHAT IT IS, BUT I KNOW IT WHEN I SEE IT

Page 25:

Design Goals

STILL NOT TIRED OF KEEPING IT SIMPLE

Principles
• Keep it Simple – Yes. Still.
• Know your networks – Drop everything that doesn’t belong
• Segment – Put like with like
• Control Physical Access – No USB access, no random drops
• Repeatable – Automate everything you can

Implementation
• No Services – Exposed as little as possible
• Dropped it, it was hot – 94% traffic dropped at the gateway
• Smart Segments – Break it for your class, they’ll yell at you for me
• Protect your ports – Ethernet, USB
• YERP
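As an added illustration (not code from the talk, from Black Hat, or from the YERP repository), the classroom policy sketched on the PF/ALTQ, threat model and design goals slides, plus the state table exhaustion the deck names as its biggest technical problem, could be expressed as a pf.conf for one Soekris classroom gateway. Interface names, subnets, bandwidth figures and limits are assumptions; the ALTQ syntax is the pre-5.5 OpenBSD form the talk refers to.

```pf
# Added example, not from the talk or the YERP repo: pf.conf for one classroom's
# Soekris 6501 gateway. Interfaces, subnets, bandwidth and limits are assumed;
# ALTQ syntax is the pre-5.5 OpenBSD form the talk refers to.
ext_if    = "em0"                 # uplink toward the hotel switch / NOC gateway
class_if  = "em1"                 # the classroom LAN behind this box
class_net = "10.10.1.0/24"        # this classroom's subnet (assumed)
noc_net   = "10.0.0.0/24"         # NOC management network (assumed)
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# State table exhaustion was the deck's biggest technical problem: size the
# table explicitly and let pf scale timeouts down as it fills (adaptive).
set limit states 100000
set timeout { adaptive.start 60000, adaptive.end 100000 }
# 25,000 DNS packets in 4 seconds is 25,000 UDP states; expire them fast.
set timeout { udp.first 30, udp.single 15, udp.multiple 30 }
set block-policy drop
set skip on lo

# ALTQ: a small priority queue so DNS stays responsive while students saturate
# the uplink; everything else borrows from the default bulk queue.
altq on $ext_if cbq bandwidth 20Mb queue { q_bulk, q_pri }
queue q_bulk bandwidth 80% cbq(default borrow)
queue q_pri  bandwidth 20% priority 5 cbq(borrow)

# Students are NATed out; the gateway address is the only thing they ever see.
match out on $ext_if from $class_net to any nat-to ($ext_if)

# Default deny, logged: this is where "94% dropped at the gateway" is counted.
block log all

# Threat model: bad students get their classroom or the Internet, never another
# classroom, press, staff or registration. RFC1918 destinations die first.
block in quick on $class_if from $class_net to $rfc1918
# DHCP between the classroom and this box (broadcast, so not caught above).
pass in quick on $class_if inet proto udp from any port 68 to any port 67
pass out quick on $class_if inet proto udp from any port 67 to any port 68
# Per-source state caps keep one misbehaving laptop from eating the table.
pass in on $class_if proto udp from $class_net to any port 53 \
    keep state (max-src-states 200) queue q_pri
pass in on $class_if from $class_net to any \
    keep state (max-src-states 500) queue q_bulk
pass out on $ext_if from ($ext_if) to any

# "No Services": the box itself answers only SSH, and only from the NOC.
pass in on $ext_if proto tcp from $noc_net to ($ext_if) port 22
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -si` for the state count and adaptive timeouts under classroom load.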

Page 26:

YERP: YERP, Everything Runs Perfectly

WELL, MOSTLY

• Simple Tool – Everyone’s reinvented this wheel, but YOLO
• Pushes Preset Configurations – You knew what you wanted, right?
• Brain Dead Operation – No sleep is standard, and you don’t want to screw it up in front of everyone

Page 27:

YERP: YERP, Everything Runs Perfectly

HOW DID I GET HERE, I AM NOT GOOD WITH COMPUTERS

Use it:
clone git repo
fab yerp.deploy_config:config=<config file location> -H <targets>
http://github.com/conandooley/yerp

Page 28:

End Results

OUTCOMES ARE IMPORTANT

People are generally pretty good
Designed to be secure or non-functional
Technical failures had a far more significant impact
Biggest technical problem? State table exhaustion

Page 29:

ENOUGH ABOUT BLACK HAT
WE’RE GOING META

Page 30:

Remember Those Things I Said to Remember?

WELL, I WROTE THEM DOWN FOR YOU

Security is never a priority – Let’s learn to live with that.
Training failed, people demanded refunds – Had to happen to be taken seriously. Why?
That jammed lock – Who would actually be stopped by that?
You’ve got advantages – What are they? Wear them out.
You own this – Know what lives on your network and verify.
They only care about the business – So learn enough to show the concerns via business cases

Page 31:

Build Security Into Operations

ONE SIZE NEVER FITS ALL

• Listen to your Users – There are many ways to give them what they want, find the secure ways
• Understand What They Need – If you know what they want, chances are there is a way to do it securely
• Create Secure Defaults – Make security choices for them when you can
• Educate – When you do have to make life more difficult, explain why
• Link security to outcomes – Define consequences, show how they happen
• Prioritize – Let’s figure out what makes a difference, and work on that first

Page 32:

Going More Meta Again

NOW WE ARE ALL SPACE CADETS

• Get out of the comfort zone – We’ve made some impact over the years but nowhere near enough
• Learn to Market Ourselves – We’re struggling with effective communication, we need to fix that
• Define Language – What does “breach” really mean?
• Common knowledge is flawed – The common solution is quick, easy, and almost always wrong
• Let’s make friends everywhere – More different, unique people caring about security is great
• Impact and outcomes – An honest conversation needs to happen

Page 33:

QUESTIONS?

Page 34:

Thank You!