SecOps Workshop (Gregory Pickett)
TRANSCRIPT

Slide 1: Open Source Security Orchestration
SACON International 2017
Gregory Pickett, Hellfire Security, Cybersecurity Operations, @shogun7273
India | Bangalore | November 10–11 | Hotel Lalit Ashok

Slide 2: Overview
SACON 2017
• How This All Began
• Orchestrating All The Things
• Behold Skynet
• Making It Better
• Wrapping Up

Slide 3: Original Question
• Multiple Cloud Servers
• All Using Fail2Ban to Protect Themselves
• Can I share Fail2Ban jails between these Servers?

Slide 4: Other Questions
• How do we get to threats in time?
• How do we make sure that the evidence gets captured?
• How do we make sure that the threat is stopped before it is too late?
• How do we do this with a limited staff?

Slide 5: This Is Because
• Security Operations
  • Monitor The Enterprise
  • Process Alerts (or Correlations)
  • Kick Off Incident Response
• Despite Multitude of Solutions
  • Still A Manual Process!
  • Each Solution Kicked Off In Sequence By Us
• A Lot of Time Is Wasted Being A Bridge Between Systems

Slide 6: What I Want
• Keep Doing What You're Doing
• Talk Directly To Each Other
• Get What You Need from Each Other
• Leave Me Out Of It

Slide 7: How This Would Work

Slide 8: Use Cases

Slide 9: Generate Threat Intelligence Feed
• Receives Events From Peers
• Generate A Blacklist from Source of Threat Events
• Use With Anything That Can Consume A Blacklist
  • Firewalls
  • Endpoint Solutions
  • Detection Tools
• Share The Blacklist with Vendors, Partners, and Colleagues

Slide 10: Firewall Rule Propagation
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Blocks Source of Threat Events
• Distributes Events Among Peers
  • Host Firewall
  • Network Firewall

Slide 11: Drop Propagation
• Drop Source of Threat Events
• Distributes Events Among Peers
  • Web Application Firewalls
  • Intrusion Prevention Systems

Slide 12: Prevent Known Threats
• Receives Events From External Threat Feeds
  • Host Firewall
  • Network Firewall
• Blocks Source of Threat Events

Slide 13: NAT to Honeypot
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Redirects Source of Threat Away From Assets

Slide 14: NAT to Tarpit
• Receives Events From Peers
  • Host Firewall
  • Network Firewall
• Slows Down Source of Threat

Slide 15: Capture Threat Activity
• Receives Events From Peers
  • Switches
  • Routers
  • Firewalls
• Runs Packet Capture on Source of Threat Activity

Slide 16: Inject Beacon
• Receives Events From Peers
  • FTP Server
  • File Servers
  • HoneyPots
• Drops Beacon into Path of Source of Threat Activity

Slide 17: Redirect Traffic
• Receives Events From Peers
  • Routers
  • Firewalls
• Changes the Route for Source of Threat Activity
  • Run Their Traffic Through Different Segment
  • Segment Contains Additional Inline Sensors
  • Afterwards, It Proceeds to Destination

Slide 18: Reporting Threats
• Receives Events From Peers
  • Email Server
• Reports Source of Threat to Abuse Address

Slide 19: Host Isolation
• Receives Events From Peers
  • Switches
  • Routers
  • Firewalls
• Applies ACL to Target of Threat Activity

Slide 20: Additional Logging
• Receives Events From Peers
  • Switch
  • Router
  • Firewall
  • Server
  • Application
• Verbose Logging for Source of Threat Activity
• Verbose Logging for Target of Threat Activity

Slide 21: Trigger Password Resets
• Receives Events From Peers
  • LDAP
  • Active Directory
  • Radius
  • TACACS+
• Starts Password Reset Process for Target of Threat

Slide 22: Security Orchestration

Slide 23: Vendor Solutions
• Swimlane
• Hexadite
• Siemplify
• Security Orchestrator
• Phantom
• Cybersponse

Slide 24: This is the World According to Cybersponse

Slide 25: What They Do
• Provide Context (Meta-SIEM)
  • Import existing cases into platform
  • Acquire additional data on adversary, target, or payload
  • Push Out to Other Platforms
• Workflow and Reporting
• Decision Making and Execution
• Perform Incident Response
  • Delete files and kill processes
  • Force password changes and disable accounts
  • Block addresses

Slide 26: How They Do It
• Machine to Controller
  • Connected Only to Controller
  • Messages Only the Controller
  • Events Shared Only with the Controller
• Nodes exist in a hierarchy
  • Slaved to The Controller
  • Just Execute Commands Given
• Centralized, Limited in Scope, and Expensive

Slide 27: Doesn't Really Solve My Problem
• Still Requires Intervention
• Instead of being dependent on me
• It is now dependent on me and my expensive solution

Slide 28: Open Source Solutions
• Share Fail2Ban Jails
  • Ban Actions, Custom Scripts, and Cron Jobs
  • Ban actions, and shared file mount
  • Vallumd
• Import Known Threats into Fail2Ban
  • Custom Scripts
• NAT iptables threats to HoneyPot
  • psad and Custom Scripts
• Report Fail2Ban threat to Abuse
  • www.blocklist.de

Slide 29: How They Do It
• Machine to Machine
  • Direct Connections to Each Other
  • Messaging Each Other
  • Sharing Events
• Nodes Retain Autonomy
  • They keep doing their job
  • Expand their visibility

Slide 30: We Are Getting Closer
• Does Not Require Intervention
• Limited Use Cases
• Messages Too Closely Tied To Specific Use
  • Can Only Be Used For Original Purpose
  • Now Dependent On Function

Slide 31: Adaptive Network Protocol (ANP)
• Shares Events Between Systems In Common Format
• Events Are Stored Locally
• Peers Make Use of Shared Events How They See Fit
  • fail2ban
  • modsecurity
  • iptables

Slide 32: Server A

Slide 33: Server B

Slide 34: Protocol
• Sharing
  • Multicast to Local Peers
  • Unicast to Remote Peers
• Messages
  • Add Threat Event
  • Remove Threat Event

Slide 35: Protocol
• Operations
  • Sends and Receives from local peers on UDP Port 15000
  • Receives from remote peers on TCP Port 15000
  • Every message signed with SHA256
• Rules
  • The Signature Must Be A Good Signature
  • If Already Known, Do Not Share
  • Do Not Reflect Back To The Source

Slide 36: Packet
• Version is 1 Byte
• Type is 1 Byte
• Event is Variable
• Signature is 64 Bytes

Slide 37: Packet

Slide 38: Messages
• Add Threat Event
  • Address
  • Time-To-Live (TTL)
• Remove Threat Event
  • Address
  • Time-To-Live (TTL)

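The packet layout (slide 36), the signing and forwarding rules (slide 35) and the Add/Remove Threat messages (slide 38) are enough to sketch one ANP node in Python 3, the language the deck says ANP is written in. The block below is an added example, not code from the ANP project; it assumes an Event encoding of "<address>,<ttl-seconds>", type codes 1 and 2, and that the 64-byte Signature is the hex HMAC-SHA256 of the packet body keyed with the configured Salt (the deck says only that messages are signed with SHA256 and that Salt is the setting you change).

```python
import hashlib
import hmac
import ipaddress

# Added example, not ANP project code. Field sizes follow the deck:
# Version 1 byte | Type 1 byte | Event variable | Signature 64 bytes.
VERSION = 1
TYPE_ADD = 1      # Add Threat Event    (type code assumed)
TYPE_REMOVE = 2   # Remove Threat Event (type code assumed)
SIG_LEN = 64      # hex SHA-256 digest is 64 bytes, matching the deck's field


def build_packet(msg_type, address, ttl, salt):
    """Encode one message. Event is assumed to be ASCII "<address>,<ttl>";
    the signature is assumed to be hex HMAC-SHA256 over Version|Type|Event
    keyed with the shared Salt from the ANP configuration."""
    ipaddress.ip_address(address)            # refuse garbage before signing it
    if msg_type not in (TYPE_ADD, TYPE_REMOVE) or not 0 < ttl <= 86400:
        raise ValueError("bad type or ttl")
    body = bytes([VERSION, msg_type]) + ("%s,%d" % (address, ttl)).encode()
    sig = hmac.new(salt, body, hashlib.sha256).hexdigest().encode()
    return body + sig


def parse_packet(packet, salt):
    """Verify and decode a packet; ValueError for anything forged or malformed."""
    if len(packet) < 2 + 1 + SIG_LEN:
        raise ValueError("packet too short")
    body, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
    expected = hmac.new(salt, body, hashlib.sha256).hexdigest().encode()
    # Rule 1: "the signature must be a good signature"; constant-time compare
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    version, msg_type = body[0], body[1]
    if version != VERSION or msg_type not in (TYPE_ADD, TYPE_REMOVE):
        raise ValueError("unsupported version or type")
    address, ttl = body[2:].decode("ascii").split(",", 1)
    ipaddress.ip_address(address)            # never hand a non-address to iptables
    return {"type": msg_type, "address": address, "ttl": int(ttl)}


class Peer:
    """Receive side of one ANP node: events are stored locally (slide 31) and
    the deck's two forwarding rules decide who gets a copy."""

    def __init__(self, salt):
        self.salt = salt
        self.events = {}   # address -> (type, ttl, time received)

    def receive(self, packet, source_peer, peers, now):
        """Store a verified message and return the peers to forward it to."""
        msg = parse_packet(packet, self.salt)
        known = self.events.get(msg["address"])
        # Rule 2: "if already known, do not share"
        if known is not None and known[:2] == (msg["type"], msg["ttl"]):
            return []
        self.events[msg["address"]] = (msg["type"], msg["ttl"], now)
        # Rule 3: "do not reflect back to the source"
        return [p for p in peers if p != source_peer]

    def blocked(self, now):
        """Addresses whose Add Threat event has not yet aged out; a later
        Remove Threat event for the address clears it (slide 52's undo path)."""
        return sorted(addr for addr, (kind, ttl, seen) in self.events.items()
                      if kind == TYPE_ADD and seen + ttl > now)


if __name__ == "__main__":
    # Constructed demo values: RFC 5737 test address, made-up salt and peers.
    salt = b"example-salt"
    node = Peer(salt)
    add = build_packet(TYPE_ADD, "203.0.113.7", 3600, salt)
    print(node.receive(add, "peer-b", ["peer-b", "peer-c"], now=1000))  # ['peer-c']
    print(node.blocked(now=2000))                                        # ['203.0.113.7']
```

A peer that receives the same Add event from a second neighbour stores nothing new and forwards nothing, which is what keeps a fully meshed group from flooding itself.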
Slide 39: Peering
• Local
  • Same Network
• Remote
  • Across Same Location
  • Across Different Locations
  • Link-up Cloud Resources
  • Different Networks

Slide 40: Single Location

Slide 41: Multiple Locations

Slide 42: Trusted Partner or Vendor

Slide 43: Cloud Assets

Slide 44: Communities

Slide 45: Interfaces

Slide 46: What They Do
• Purpose
  • Publish Events to ANP
  • Pull Events From ANP
• Components
  • Supporting
  • Writer
  • Reader
• Operations
  • Publishes via Loopback interface
  • Pulls via published lists

Slide 47: What They Do

Slide 48: Native
• Integrated Solution
  • ANP installed on the same system
  • Reads and Writes Locally
• Examples
  • Fail2Ban
  • iptables
  • modsec

Slide 49: Surrogate
• Stand Alone Solution
  • ANP installed on a different system
  • Reads and Writes to the Remote (Stand Alone) Solution
• Examples
  • ASA
  • Switch
  • Router

Slide 50: Surrogate

Slide 51: Existing Interfaces

Slide 52: Fail2Ban
• Pulls Events
  • Reads Threat Events from ANP
  • Adds Threats to Jail
• Publishes Events
  • Writes Jailed Addresses to ANP
• Because of ANP Aging, this means threats stay jailed for 24 hours
• Mistakes can be reversed using an additional tool to inject a Remove Threat event

Slide 53: Blacklist
• Pulls Events
  • Reads Threat Events from ANP
  • Adds Threats to Blacklist
• Distribute for Internal or External Use
  • Detecting
  • Blocking
  • Threat Indicator

Slide 54: modsec
• Publishes Its Events
  • Writes Attacker Addresses to ANP
• Pair with iptables interface
  • NAT attackers to Honeypot

Slide 55: iptables
• Pulls Events
  • Reads Threat Events from ANP
  • NATs Threats from Local Webserver to Local Honeypot
• High Interaction Honeypot of Your Website?
  • Log Their Activity
  • Include a beacon?

Slide 56: Sharing Also Provides
• Increased Visibility
  • We don't change our enterprise
  • Everything Keeps Doing Its Job
  • We are giving them greater visibility to do so
• Ability to Be Proactive

Slide 57: Expanded Visibility

Slide 58: Emerges With Sharing
• Cooperative Behavior
• Ability for the Enterprise To Act On Its Own

Slide 59: Cooperative Behavior

Slide 60: Building Skynet

Slide 61: Acting To Defend The Network

Slide 62: Acting To Investigate A Threat

Slide 63: Acting To Respond To An Incident

Slide 64: Demonstrations

Slide 65: Our Systems

Slide 66: Acting To Defend The Network

Slide 67: Remove Tool
• Local ANP Agent
  • Your System or Other Network Asset
  • One Way Peering to Federation
• Run The Script
  • Shares "Remove Threat" event
  • Sets the Threat Expiration To Two Hours
• Don't Forget To Clear Any Logs That Started It All

Slide 68: Removing Threats

Slide 69: Technical Details

Slide 70: Requirements for ANP and Interfaces
• Python
  • Tested with Python 2.7.x
  • Should work with Python 3.6.x
• Other Open Source Software As Required
  • iptables
  • modsec
  • Fail2ban
  • Etc.

Slide 71: Installation of ANP and Interfaces
1. Download package
2. Unzip package
3. Run "python setup.py install"
4. Check "readme.txt" for any additional steps

Slide 72: Configuration for ANP

Slide 73: Configuration for ANP
• Defaults Will Work Best
• Only Need to Change
  • Group
  • Salt
• Occasionally Need to Set
  • Peers
  • Debug

Slide 74: Configuration for Fail2Ban

Slide 75: Configuration for Fail2Ban
• Defaults Will Work Best
• Only Need to Change
  • Jail
  • Prefix
• Occasionally Need to Set
  • Debug

Slide 76: Configuration for Blacklist

Slide 77: Configuration for Blacklist
• Defaults Will Work Best
• Only Need to Change
  • Blacklist
• Occasionally Need to Set
  • Debug

Slide 78: Configuration for modsec

Slide 79: Configuration for modsec
• Defaults Will Work Best
• Only Need to Change
  • Log
• Occasionally Need to Set
  • Debug

Slide 80: Configuration for iptables

Slide 81: Configuration for iptables
• Defaults Will Work Best
• Only Need to Change
  • Webserver
  • Honeypot
• Occasionally Need to Set
  • Debug

Slide 82: Demonstrations

Slide 83: Our Community
• Associate with Our WAP (Sacon Community)
• Start Your VM
• Peer with Other Attendees
  • Find Your Address In the List
  • Peer With The System Above You
  • Peer With The System Below You
• This will be the salt: SSttczghHYrU5fNE

Slide 84: Building Community

Slide 85: Threat Actor
• Change Your Root Passwords
• Wait for the Attacks
  • Attempted Logins
  • Scanned Websites
• Check Response
  • Check Blacklist
  • Check iptables
  • Check fail2ban

fail2ban-client status sshd
iptables -t nat -L

Slide 86: Introduce Threats

Slide 87: Extending ANP

Slide 88: Refresher on Interfaces
• Purpose
  • Publish Events to ANP
  • Pull Events From ANP
• Components
  • Supporting
  • Writer
  • Reader
• Operations
  • Publishes via Loopback interface
  • Pulls via published lists

Slide 89: Setup
<Supporting>
<Reader>
<Writer>

Slide 90: Reader

Slide 91: Reader (Fail2Ban)

Slide 92: Writer

Slide 93: Writer (Fail2Ban)

Slide 94: Making It Better

Slide 95: Needed Improvements
• Additional Message Types
  • Add Target Event
  • Remove Target Event
• More Interfaces!
• Peer Groups
• Filters for Peers and Messages
• Inclusion of IPv6 Addressing

Slide 96: Future Direction
• Internet of Things
• Reporting Events
• Export to STIX/TAXII

Slide 97: Making The Difference
• Machine To Machine Communication Solves Many Problems
• It Doesn't Have To Be The Apocalypse
• With It We Can
  • Get To The Threat On Time
  • Make Sure Evidence is Captured
  • Make Sure That The Threat Is Stopped
• We Can Do It With A Limited Staff

Slide 98: Final Thoughts
• It's Common To Kill Problems with Money and People
• Understanding Your Problem Means Better Results
• Enabling Synergies
  • Self Defending Networks
  • Self Investigating Networks
  • Self Responding Networks

Slide 99: Adaptive Network Protocol (ANP)
SHA1 hash is 976b9e004641f511c9f3eef770b5426478e8646a. Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Slide 100: Blacklist
SHA1 hash is 6fdf91572909e97c5f6e005c93da0524a03463c8. Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Slide 101: Fail2Ban
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9. Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Slide 102: iptables
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9. Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Slide 103: modsec
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9. Updates can be found at https://adaptive-network-protocol.sourceforge.io/

Slide 104: Links
• https://cybersponse.com/
• https://www.hexadite.com/
• https://www.phantom.us/
• https://www.siemplify.co/
• https://www.fireeye.com/products/security-orchestrator.html
• https://swimlane.com/
• https://www.saas-secure.com/online-services/fail2ban-ip-sharing.html
• http://www.blocklist.de/en/download.html
• https://www.blackhillsinfosec.com/configure-distributed-fail2ban/
• https://stijn.tintel.eu/blog/2017/01/08/want-to-share-your-fail2ban-ip-blacklists-between-all-your-machines-now-you-can
• https://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips
• https://github.com/fail2ban/fail2ban/issues/874

Slide 105: Links
• https://superuser.com/questions/940600/iptables-redirect-blocked-ips-from-one-chain-to-a-honeypot
• http://cipherdyne.org/psad/
• https://taxiiproject.github.io/
• https://stixproject.github.io/

Slide 106: Questions