Echidna, an open source incident response system [GuadalajaraCON 2013]
DESCRIPTION
http://www.guadalajaracon.org/conferencias/echidna-sistema-de-respuesta-incidentes-open-source/ The Echidna project is an incident response system aimed at security analysts and built on the principles of Network Security Monitoring. It is a fully Open Source project in which I share credit with the authors of popular tools such as Ian Firns (Barnyard2, SecurityOnion NSM scripts) and Edward Bjarte (cxtracker, passivedns, prads, etc.). Echidna consists of agents, a server and a user interface. The agents and the server are written in Perl; the specialized applications (session, events, ...) are written in C/C++. The user interface runs client-side using AngularJS. The server exposes a REST API for use by the UI or by any other alternative interface. The purpose of Echidna is to integrate different network analysis tools across the different layers of NSM, from Suricata/Snort to HTTPRY. What is interesting is that most of the default stack is made up of our own tools, e.g. cxtracker for sessions, barnyard2 as the event spooler for Snort/Suricata, prads for asset detection, passivedns for passive DNS analysis, etc. Ian, aka firnsy, is the core developer and Edward, aka ebf0, leads from the analyst's perspective. Each of them has created one or more expert tools that Echidna integrates into the stack.
TRANSCRIPT
Echidna Framework
NSM/IR Open Source System
whoami
Eduardo Urias (larsx2) OSCP, OSWP, Security+
Software Engineer at:
Security Consultant at:
So, What is NSM?
Network Security Monitoring
“It’s the collection, analysis and escalation of indications and warnings to respond to intrusions”
Let me repeat that:
Collection – This is where you do data acquisition.
Analysis – This requires correlation and human analysis.
Escalation – An authority decides how to proceed.
= This shit is a methodology, NOT a product.
IDS != NSM != SIEM != Log Management
NSM Process
• Products perform collection – A piece of software or an appliance whose purpose is to analyze packets on the network.
• People perform analysis – While products can draw conclusions from what they see, only people can provide context.
• Processes guide escalation – Escalation is the act of bringing information to the attention of decision makers.
NSM Principles
• Some intruders are smarter than you
• Many intruders are unpredictable
• Prevention eventually fails
• Intruders who can communicate with victims can be detected
• Detection through sampling is better than no detection
• Detection through traffic analysis is better than no detection at all
(SIEM) Alert-centric solutions rely on...
• Attacks can be understood prior to execution
• Methods to detect or prevent attacks can be encapsulated in programming logic
• Customers will purchase, properly configure, and effectively deploy products offering sufficient defensive logic
• The customer’s environment will behave as anticipated by the developers and vendors
(NSM) Traffic-centric approach
• NSM analysts treat ALL data as indicators, not “false positives” or “false negatives”
• Relies on at least 4 types of data: ✓ Statistical ✓ Session ✓ Full Content ✓ Alert
• NSM uses a “dumb is better” approach, relying on traffic to verify the context of indications and warnings as part of an investigation.
NSM Model
Alert – “Snort fires an alert related to an FTP bounce attack”
Session – “We request the session/netflow activity in the past 4 hours of src/dst ip”
Full Content – “We request the full packet capture of one of the sessions to see the FTP commands sent in the control channel”
[Diagram: Statistical Data / Alert / Session / Full Packet Capture]
In other words….
Just Kidding….
SIEMs are part of the tools used in the process, just not the end.
Sguil by Bamm Vischer
Snorby by Dustin Webber
Snorby Cloud (now Threat Stack)
Squert by Paul Halliday
Cool Bro.
Why don’t we use one of those fancy tools as well and forget about this talk.
Why do we subscribe to this?
Because…..
We want to offer something cool too
✓ Open Source Software
✓ Easy to maintain
✓ That can be extended using other awesome OSS tools
✓ Scalable and easy to integrate
✓ Nice API please?
Enter Echidna
Echidna Architecture
Echidna Server:
✓ Perl-based
✓ Server/Node CnC communication is done through WebSockets (near-realtime).
✓ Retrieval and submission of data is done through a REST interface
✓ Modular architecture (use what you need)
✓ It can be used with relational DBs and NoSQL
Server: Fetch some records
URI: http://inspectlabs.com:6970
Controller: /api/pdns
Parameters: ?fields=client,server,answer&query_type=A&query=nsm.metaflows.com.&from=2012-07-09 10:21:27&to=2012-07-09 10:21:27
Which means: give me the client IP, server IP and query answer of all DNS queries that returned an address record at 10:21:27 AM on 2012-07-09
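The query above, worked as an added example that is not code from the talk or from the Echidna project: it builds the /api/pdns URL from the slide's parameters and applies the same filter (record type, name, time window, field projection) to a constructed set of passive DNS records, so it is clear what the server is being asked for. The record layout and the sample values are assumptions.

```python
# Added example (not part of the original talk or the Echidna project): builds the
# passive-DNS query shown on the slide and applies the same filter to constructed
# records, so the meaning of each parameter is concrete.
from datetime import datetime
from urllib.parse import urlencode

ECHIDNA_SERVER = "http://inspectlabs.com:6970"  # host/port taken from the slide


def build_pdns_url(fields, query_type, query, start, end, base=ECHIDNA_SERVER):
    """Return the /api/pdns URL for the parameters used on the slide."""
    params = {
        "fields": ",".join(fields),
        "query_type": query_type,
        "query": query,
        "from": start,
        "to": end,
    }
    return f"{base}/api/pdns?{urlencode(params)}"


# Constructed sample records in the shape a passive DNS sensor (e.g. passivedns)
# would log: (timestamp, client, server, query, query_type, answer). Not real data.
SAMPLE_PDNS = [
    ("2012-07-09 10:21:27", "10.0.0.5", "10.0.0.1", "nsm.metaflows.com.", "A", "192.0.2.10"),
    ("2012-07-09 10:21:27", "10.0.0.7", "10.0.0.1", "nsm.metaflows.com.", "AAAA", "2001:db8::10"),
    ("2012-07-09 10:21:28", "10.0.0.5", "10.0.0.1", "nsm.metaflows.com.", "A", "192.0.2.10"),
    ("2012-07-09 10:21:27", "10.0.0.9", "10.0.0.1", "example.org.", "A", "192.0.2.20"),
]


def select_pdns(records, fields, query_type, query, start, end):
    """Apply the slide's filter to the records and project the requested fields."""
    fmt = "%Y-%m-%d %H:%M:%S"
    t0, t1 = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    out = []
    for ts, client, server, qname, qtype, answer in records:
        row = {"client": client, "server": server, "query": qname,
               "query_type": qtype, "answer": answer}
        if qtype == query_type and qname == query and t0 <= datetime.strptime(ts, fmt) <= t1:
            out.append({f: row[f] for f in fields})
    return out


if __name__ == "__main__":
    args = (["client", "server", "answer"], "A", "nsm.metaflows.com.",
            "2012-07-09 10:21:27", "2012-07-09 10:21:27")
    print(build_pdns_url(*args))
    print(select_pdns(SAMPLE_PDNS, *args))
```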
Server REST API Response
Echidna Architecture
Echidna UI:
✓ 100% JavaScript
✓ Client-side MVC using Google’s AngularJS
✓ HTML5 stuff
✓ Focus on usability without compromising aesthetics
Login
PassiveDNS View
Session (cxtracker) View
Event (alert) View
Echidna as an API
Open Source GPLv2
Turns out, this is Alpha stage
• Not feature complete
• Not production ready
• Frequent updates
• Features are being added
• Focused on NSM for analysts
We expect an evolution to Beta in about 2 weeks
Development
Server/Agents – Perl / Mojolicious
Low Level Components – C/C++
User Interface – JavaScript / AngularJS
Protocol – REST / WebSockets
Team
Edward Fjellskal (ebf0) – Analyst
Ian Firns (firnsy) – Coder
Eduardo Urias (larsx2) – Coder
Future (not too far away)
✓ OISF – Open Information Security Foundation: Suricata’s next big friend!
✓ Bro IDS engine integration: Cool tools should hang together!
✓ Cassandra/Hadoop support: Sometimes things get out of control.
✓ Full text search support: I am looking at you ElasticSearch ಠ_ಠ!
Wanted!
JavaScript Hackers! – Jump in for the development of a fully featured client side UI for security analysis
Perl/Python Hackers! – Help us create components/plugins for our framework to support more services!
C/C++ Hackers! – Want to build new specialized components for network analysis on extremely fast networks?
Props to:
✓ Richard Bejtlich
✓ Bamm Vischer
✓ Matt Jonkman
✓ David McNelis
✓ Ian Firns
✓ Edward Bjarte
✓ Dustin Webber
Because in some way or another they all helped make this talk possible
Contact Me
✓ @larsx2
✓ edw.urias [at] gmail.com
✓ IRC -> #snort-gui and #nsmframework
✓ Cel. +521 6621 <deadbeef>
✓ github.com/firnsy/echidna-refresh