Saturday, December 3, 2011

Practical shoe string security

Have you ever read an article by people claiming what should be done, or chastising others' security, who have never run a whole company? Well, I am going to discuss the methods that worked for me. Did I run a whole company? Yes, from the routers to A/V, servers to workstations, and IDS to HIDS. The environment was a mix of Linux and Windows along with an AS/400, which I was one of the programmers on. It sounds like a lot for a single person to maintain for a 200-person company, but with a practical understanding of what you need you can manage this. To help make this understandable I will break this up into sections like a book.

1.) Logging (collecting and a
2.) Antivirus
3.) IDS / HIDS
4.) Email and malware analysis
5.) Remote management
6.) Troubleshooting

I am sure that I will talk about lots of other relevant topics and will edit this page as it all progresses.

Sunday, November 20, 2011

Offensive Live Response


I haven't posted on this site much since I really haven't been working on the defensive operations side of things, but doing red team activities. Even though I've been doing red teaming I still think in terms of defense. In all honesty, I believe they go hand in hand, due to the fact that you need to understand how defensive measures are working in order to subvert them. Running Snort sensors for 12 years has helped me gain a pretty solid understanding of them, and of some of their faults as well. Lately, I have been working engagements and thinking of ways to provide an additional benefit beyond "your security isn't up to par". This leads me to offensive live response and offensive forensics.



Let me give a little theory behind this. As red team members we are focused heavily on adversary simulation along with exploitation. This leads me to a question: what happens when you are doing work for a business that does not have the visibility that you have? You yourself gain that visibility. Let me ask another question. As a pentester or red team member, do you ever look for signs of other compromise when on a remote system? The truth is that I don't believe many actually think about doing this, when in fact they could be walking on top of the footsteps of previous threats. What? Really? Yes, I hate to rain on the parade, but there are groups of people that are smarter or have a wider set of resources that can compromise a system. Worse yet, what if this compromise happened to be APT related? So with this, I propose the idea of doing offensive live response on any of the systems that are compromised and having the appropriate groups look at it. If your company doesn't have a group that has live response scripts, it really wouldn't be that hard to do with just a simple autoruns listing or possibly process memory dumping. The whole idea would be to provide just enough visibility on a compromised system without setting off alarms that you are there working, or interrupting the service on that workstation/server.

Monday, March 1, 2010

Integrate Emerging threats into Sguil


This is meant as a brief overview of getting ET into your NIDS, not as a guide to configuring your system. If you are a first-time installer of Snort or Sguil I would recommend securixlive.com's NSMnow on the CentOS 5 series, as this is pretty painless and should get you a quick setup for monitoring. The first step is to go over to emergingthreats.net and pull down the compressed rules to your Sguil server. After this finishes, untar the file and move the .rules files into the /etc/nsm/sensor1/rules folder if you did a default install (sensor1 is the default sensor name; adjust the path if you named yours differently). Make sure the files have the correct ownership so the sguil user can read them (as root):
#chown sguil:sguil emerg*
Next you need to alter the snort.conf file and add the rules. You can simply cut and paste the include lines from the emerging.conf file and add them to the bottom of snort.conf. Next, append the ET entries to the sid-msg.map in /etc/nsm/sensor1 (append rather than overwrite, so the mappings for your existing rules survive):
#cat emerging-sid-msg.map >> sid-msg.map
Finally you need to copy the emerging rules over to the /nsm/server_data/server1/rules/sensor1 folder so that you can view the rule text in the Sguil client. Now restart your NSM so Snort reloads its rules, and you should have a little more help with alerts.
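The steps above, scripted as an added example (this is not from the original post, nor NSMnow or Sguil code). The directory layout follows the post's defaults, the ET file names (emerging.conf, emerging-sid-msg.map, *.rules) are the ones the post mentions, and the files built by make_fixture are constructed stand-ins so the script can be exercised offline. It goes a little beyond the post's steps: include lines and SIDs already present are skipped, so re-running after an ET update does not duplicate them, and missing_sids reports rules that have no sid-msg.map entry.

```sh
#!/bin/sh
# Added example, not from the original post: scripted version of the
# ET-into-Sguil steps for an NSMnow-style layout. Directory defaults match
# the post; ET_OWNER (e.g. sguil:sguil) is optional because chown needs root.

# install_et_rules ET_DIR SENSOR_DIR SERVER_RULES_DIR
#   ET_DIR            untarred ET download (emerging.conf, emerging-sid-msg.map, *.rules)
#   SENSOR_DIR        e.g. /etc/nsm/sensor1 (holds snort.conf, sid-msg.map, rules/)
#   SERVER_RULES_DIR  e.g. /nsm/server_data/server1/rules/sensor1
install_et_rules() {
    et_dir="$1"; sensor_dir="$2"; server_rules="$3"
    rules_dir="$sensor_dir/rules"
    mkdir -p "$rules_dir" "$server_rules"

    # 1. rule files into the sensor's rules directory
    for f in "$et_dir"/*.rules; do
        [ -e "$f" ] || continue
        cp "$f" "$rules_dir/"
    done

    # 2. include lines from emerging.conf go to the bottom of snort.conf,
    #    skipping any already there so a re-run does not duplicate them
    if [ -f "$et_dir/emerging.conf" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in include*) ;; *) continue ;; esac
            grep -qxF -e "$line" "$sensor_dir/snort.conf" 2>/dev/null \
                || printf '%s\n' "$line" >> "$sensor_dir/snort.conf"
        done < "$et_dir/emerging.conf"
    fi

    # 3. append sid-msg.map entries ("SID || msg || ref..."), skipping SIDs
    #    already mapped; never overwrite, or existing rules lose their messages
    if [ -f "$et_dir/emerging-sid-msg.map" ]; then
        touch "$sensor_dir/sid-msg.map"
        while IFS= read -r line || [ -n "$line" ]; do
            sid="${line%% ||*}"
            case "$sid" in ''|*[!0-9]*) continue ;; esac
            grep -q "^$sid ||" "$sensor_dir/sid-msg.map" \
                || printf '%s\n' "$line" >> "$sensor_dir/sid-msg.map"
        done < "$et_dir/emerging-sid-msg.map"
    fi

    # 4. copy to the server side so the Sguil client can display rule text
    cp "$rules_dir"/*.rules "$server_rules/"

    # 5. ownership, as the post does with chown sguil:sguil (root only)
    if [ -n "${ET_OWNER:-}" ]; then
        chown "$ET_OWNER" "$rules_dir"/*.rules "$server_rules"/*.rules 2>/dev/null \
            || echo "warning: chown $ET_OWNER failed (not root?)" >&2
    fi
}

# missing_sids SENSOR_DIR: print SIDs found in rules/*.rules that have no
# sid-msg.map entry, i.e. alerts Sguil would show without a message
missing_sids() {
    sensor_dir="$1"
    sed -n 's/.*sid: *\([0-9][0-9]*\);.*/\1/p' "$sensor_dir"/rules/*.rules \
        | while read -r sid; do
            grep -q "^$sid ||" "$sensor_dir/sid-msg.map" || echo "$sid"
        done
}

# make_fixture DIR: constructed stand-in for an untarred ET download and an
# existing sensor config (demo data, not real ET content)
make_fixture() {
    d="$1"
    mkdir -p "$d/et" "$d/sensor1/rules" "$d/server1"
    {
        printf 'alert tcp any any -> any 445 (msg:"ET TEST one"; sid:2000001; rev:1;)\n'
        printf 'alert tcp any any -> any 80 (msg:"ET TEST two"; sid:2000002; rev:1;)\n'
    } > "$d/et/emerging-test.rules"
    printf 'include $RULE_PATH/emerging-test.rules\n' > "$d/et/emerging.conf"
    printf '2000001 || ET TEST one\n' > "$d/et/emerging-sid-msg.map"  # 2000002 left unmapped on purpose
    printf 'include $RULE_PATH/local.rules\n' > "$d/sensor1/snort.conf"
    printf '1000001 || LOCAL test\n' > "$d/sensor1/sid-msg.map"
}

# Demo against the constructed fixture: ./et_into_sguil.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    install_et_rules "$tmp/et" "$tmp/sensor1" "$tmp/server1"
    echo "SIDs without a sid-msg.map entry:"; missing_sids "$tmp/sensor1"
    rm -rf "$tmp"
fi
```

On a real sensor you would run it as root with ET_OWNER=sguil:sguil against the untarred ET directory and the two paths from the post, then restart the NSM so Snort picks up the new includes. The duplicate checks matter because ET rules are refreshed often; appending blindly each time leaves snort.conf with repeated include lines and sid-msg.map with repeated SIDs.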

Sunday, February 28, 2010

Are you sure you are safe!






When I happen to get a free moment I usually test the outside Sguil and BASE sensors against Metasploit attacks. This time was a controlled test, with the exploitable box secured from the outside world. So with the latest Metasploit in hand I smacked a default Win2k server with no service packs, with just port 445 exposed. I know what you are thinking: who in their right mind leaves 445 open on the net, and most ISPs filter this anyway. Again, this is just a test, and a simple one that I figured the Sguil sensor would catch... sort of. Why sort of? Well, I did get a few alerts.

NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt
NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt
NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt
NETBIOS SMB-DS repeated logon failure


To an ordinary user the alerts would look like an SMB attempt, and why would they suspect anything else since we did leave 445 open? The icing is the fact that I spawned 4 Meterpreter bind sessions just over 445, and what did the IDS have to say about that? Not much. I was skipping along getting hash dumps and files. Sure, there was the occasional complaint about shellcode, but if you are not versed it might as well be in a different language. Keep in mind this is just with the Snort default rules and not using Emerging Threats rules.

I also tested this using Emerging Threats rules and wanted to see how well they would help recognize it. This is at least promising, with a few extra alerts.

ET EXPLOIT x86 JmpCallAdditive Encoder
ET POLICY PE EXE or DLL Windows file download
ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3


This would be enough to tip off anyone that something is awry, and you would be able to correlate the attempt with the ET alerts to validate it. You could also make it easier by tying this all together with some Splunk and NetFlow.

Tuesday, January 19, 2010

Netwar


This being my first NetWars, and it being round 6, I cannot help but feel that I am a little behind and an underdog. There are still 5 days left, but with my busy lifestyle with kids and prior obligations I might just leave it at 86 points. If you do not know what NetWars is, it is a competition put on by the SANS Institute that is basically hacking systems and getting points. Hack and defend, basically. Not sure if it qualifies as red and blue, but it is fast paced. Systems regenerate every 10-60 minutes, and you need to hold them against others for the duration and then re-attack when the systems are regenerated. At times I felt it was frustrating and time consuming, and it often left me sleepless thinking of the different attack vectors and why certain ones didn't work.
This left me wondering about the remote hack net and what the traffic would look like. I am sure if there was an IDS it would have been flipping out, for lack of a better word. This isn't the problem. The problem is the analysis end. Me being a sole admin, it presents a daunting task: sifting through Sguil alerts, seeing whether I need to escalate or not, and looking at the packet trace. Let's take for instance a single autopwn of a system with ports 80 and 139 open. This alone would generate roughly 128 individual attacks, all with potential for compromise, and this is just from the outside in.
As you can see, we as system/network/security admins do have our hands full in the day to day, and participating in NetWars has made me realize speed and efficiency are key. With these two matched with skill you should be all right. Good luck to all sec ops and CIRTs, I know it's tough out there. user0330

Thursday, December 3, 2009

Red Blue or Kung Fu


Recently I came across a security blog citing the use of red and blue teams for internal auditing, if you will. This could be a good thing since it is sort of thinking outside of the box. I do mention sort of. Since the dawn of computers people have been using tools to conduct audits on resources. Some of the well-known ones from back in the '90s, such as AutoHack. You know you remember using it. This was basically pentesting. So the value of red/blue teams really depends on the skill of the team members. Will it give you a fuzzy, happy, safe feeling that I trained with Offensive Security and that I can write a buffer overflow, or that I can script a quick HTML page and BeEF and pwn? I say yes and no. Let me digress. I have trained in the martial arts for over 21 years and understand the dynamics of defensive and offensive tactics. Yes, I have read "The Art of War". What I am getting at is that I was the best in my dojang. Yes. Did I do fairly well in local tournaments? Yes. Did I rock at the Colorado OTC? No. How about the US Open? No. This is the no part. Is your team the best of the best? If they are using the tools and being a monkey doing see-and-do from a video, I say no. If your members can script their own exploits with Ruby, Python, Perl, etc. and really think outside the box and attack, then it is a good idea.

Now the use of red/blue as an outcome I am not really sure about. In my eyes a red team, if well versed, will always pwn. Using the team as a means to redirect the income again will just be putting you back in a blue/defensive behavior. Now add a social aspect to the team and you have an even more complex scenario. For example, the red team fails to capture the flag, as it were, on a test system, and it is deemed compliant. An operator at said compliant system gets rooted from a zero-day or a BeEF'd site and blows the security. I guess a prime example is Pwn2Own. If you were to take attack vector 1 on day one as the said security, all systems are compliant; they didn't get hacked. Add human social interaction and the playing field changes, and said system is no longer compliant. So add the social factor to the red team and you are getting more rounded.

So just as a recap. There are people smarter, faster, and more cunning than you or your team. If this statement were false I wouldn't be writing this, life would be happy, and my brother wouldn't have called me an hour ago complaining about Antivirus 2010 on his system. So what does a red team really get us? Really, to make us a better blue team... because they are smarter and faster, so we must defend. ../../

how much detection is enough


This week I have added an additional layer of security with a great product called Sguil. Yes, I know it has been around, and yes, I know I have toyed with it before and felt that at the time I didn't need the granularity that it provides, hence the reason that I have been using BASE. The need has arisen with the growth of security issues and the need for security escalation. Being a one-man show, things can be a little daunting, and using BASE added a little more overhead on me since I did have to trace pcaps just to make sure that nothing really did happen, and if it did, what happened. With Sguil I should get that and have the overhead transferred to the software in a single console. Maybe I can get a little rest then. If you are looking to do the same there are several pieces of software that will get you going fast, such as NSMnow and the bootable Security Onion, which works great if you are looking to give it a test run... it has the nice feature of being able to run Snort 3.0, woohoo. Anyway, good luck to all NSMs out there, and bad_mojo stay away from my net; my little ones keep me up enough as is. ../../