This is a guest post for Primal Security by: Zachary Meyers

In this edition of the Primal Security blog, I will share my experiences during the SEC511 community edition course hosted in Atlanta, GA in December 2014. The SANS instructor for our class was Bryan Simon.

This review will cover the brand new SANS lecture and lab course that focuses on the core values of Continuous Monitoring & Security Operations. Below I have broken out my review by day, in the same order that I learned the material during my experience with SEC 511.

What is this course for? I hear the term “Continuous Monitoring” all the time!!!

This course is meant to improve any business's or firm's security operations as a whole. In this class you truly discover the tactics, techniques and procedures (TTPs) associated with utilizing continuous detection and mitigation techniques (CDM) to beat your adversaries. In other words CDM = CSM, and the only way to truly defend your networks is through the power of keeping your TTPs updated in real time.

In other words, the days of putting up a firewall and blocking your network at the perimeter for safety from evil inbound traffic are over…. Now the adversary will attack your client users, web applications and any vulnerable network device they can touch. This class is built to help improve your “blue team” defenses and detect/prevent these daily adversarial attacks.

As the great saying goes: it’s not a question of whether you are compromised….it’s a question of when you will be.

Day One: State Assessment & SOCs (Security Operations Center)


On Day One of the SEC 511 course I learned that continuous monitoring is broken down into two overall umbrellas: Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM). NSM consists of detecting adversaries through various instruments such as alert data, packet data, logs, sessions, meta-data, etc., while CSM focuses on the landscape of emerging vulnerabilities (CVEs), patching and configuration issues that affect the security architecture of any firm. The new hip term that’s catching on in regards to CSM, and can be used interchangeably with it, is Continuous Diagnostics and Mitigation (CDM). CDM has been deemed a better term since it names mitigation within its title (aka Hey WE FOUND THE PROBLEM….now what do we do?) #Mitigation.

Day one also had an interesting lab where we leveraged a virtual machine running the Linux distribution “Security Onion”. Security Onion is built as a defensive operating system, meaning that it comes pre-installed with many helpful detection tools, often related to host and network based intrusion detection. (Think of Security Onion as the blue team’s version of Kali Linux, a red team’s favorite OS.)

An awesome tool I leveraged during day one’s lab was called “Sguil”, which is a network intrusion detection front end that has Snort alerts fed into it. During the lab we investigated a listing of Snort alerts from a server-side attack; the alerts could then be sent over to Wireshark to follow the TCP stream and see the network traffic in more depth. Sguil can also display various widgets, such as the Snort rule that fired or the packet in hex. Overall I believe day one covered some great topics, like how adversaries have commonly attacked systems in the past and how they do so today, as well as what their motives are when they are trying to exploit client or server systems.

Day Two: Network Security Architecture


For Day Two we covered modern security defense architecture and how it’s used to support detection, prevention and response against the adversary. Some of the major items of interest from this day were how we need to have sensors for detection not only at the perimeter, but also spread throughout the internal network. (Yes that’s right, we must protect our castle with more than a wall.)

Most firms that have security analysts monitoring their network will only have sensors located at the perimeter, thus limiting their visibility into issues such as adversaries pivoting once inside the network, and the insider threat. The reality of today is that we need to focus on training our staff not to open or visit malicious content, as adversaries often use client-side attacks because firewalls block their direct attempts against the network. We must also monitor our egress (“outbound”) connections in more detail, implement more deny-all configurations, and allow only necessary outbound connections such as 53 (DNS), 80 (HTTP) and 443 (HTTPS).

During day two an exercise demonstrated the power of implementing web application firewalls. We worked through a scenario where we were able to attack a web application, due to a lack of input sanitization, even with a WAF in place. I then reconfigured the WAF to block the attack I had just performed, and witnessed how a properly configured WAF can strengthen your web app’s defenses.

Day Three: Endpoint Security Architecture


Day three chimed in on the importance of securing your client systems and how endpoint security is a MUST today. One major component of endpoint security is the enforcement of least privilege: removing key Windows privileges that are granted by default but are unnecessary to have enabled (i.e. the debug privilege can allow adversaries the ability to inject malicious code into memory). You realize the power of building out not only blacklist entries of domains/services (Yes, you’re bad and we know it…), but also a strong whitelist of what your organization is allowed (Yes you may Pass Go & Collect $200!).

This day also focused on how baselines should be created and then compared to other snapshots of client/server systems, to identify abnormalities and yes, EVIL. Overall the best thing to walk away with from day three was the five quick wins among the 20 Critical Security Controls (CSC):

– Application Whitelisting

– Use common, secure configs

– Patch applications in 48 hours!!! (SAY WHAT!?!? yep it’s true)

– Patch systems in 48 hours!!! (YOU GOTTA BE KIDDING…nope)

– Reduce the number of users with administrative privileges (lock it down)

In one of the labs covered in day three we learned how to analyze unencrypted pcap network traffic and extract information in a passive manner. Rather than using Nmap like I normally do, which actively probes the network to identify network services, we used p0f. The tool p0f (version 3) demonstrated how a user can extract useful information from network traffic, such as user agent strings. (Note: user agent strings can sometimes identify what browser and operating system the client is using.) We then exported the raw data from p0f into an Excel spreadsheet to view it in a more user-friendly manner, by splitting the output on its “|” delimiter. (Hooray, management will be happy to look at it now!)
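The p0f-to-spreadsheet step above, as an added example (not the course’s lab material): it parses p0f v3 pipe-delimited log lines, writes CSV rows for Excel, and summarises User-Agent strings per client, which also gives a first cut at the “user agent abnormalities” mentioned under day four. The log lines are constructed to mimic p0f’s format, and the example assumes the User-Agent is the last “:”-separated field of p0f’s HTTP raw_sig.

```python
"""Parse p0f v3 '-l' style log lines into spreadsheet rows and summarise
User-Agent strings per client. Added example (not the SEC511 lab material);
the log lines are constructed to mimic p0f's '[ts] key=value|key=value' format."""
import csv
import io
from collections import defaultdict

SAMPLE_P0F_LOG = """\
[2014/12/01 09:12:01] mod=syn|cli=10.0.0.5/49152|srv=93.184.216.34/80|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2014/12/01 09:12:02] mod=http request|cli=10.0.0.5/49152|srv=93.184.216.34/80|subj=cli|app=Firefox:10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[text/html,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
[2014/12/01 09:15:40] mod=http request|cli=10.0.0.5/49201|srv=203.0.113.9/80|subj=cli|app=???|lang=none|params=none|raw_sig=1:Host,User-Agent:Accept,Accept-Encoding,Accept-Language,Connection:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[2014/12/01 09:16:11] mod=http request|cli=10.0.0.7/50022|srv=93.184.216.34/80|subj=cli|app=Chrome:11 or newer|lang=English|params=none|raw_sig=1:Host,Connection=[keep-alive],Accept,User-Agent,Accept-Language=[en-US,en;q=0.8]:Accept-Charset,Keep-Alive:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
"""
COLUMNS = ["ts", "mod", "cli", "srv", "subj", "os", "app", "lang", "raw_sig"]

def parse_p0f_line(line):
    """One '[ts] k=v|k=v|...' line -> dict; raw_sig is last, so a '|' inside it is re-joined."""
    ts_end = line.index("] ")
    fields, key = {"ts": line[1:ts_end]}, None
    for token in line[ts_end + 2:].split("|"):
        if key != "raw_sig" and "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif key is not None:
            fields[key] += "|" + token
    return fields

def parse_log(text):
    return [parse_p0f_line(l) for l in text.splitlines() if l.strip()]

def user_agent(record):
    """HTTP raw_sig is 'ver:horder:habsent:expsw' (assumed); expsw is the User-Agent, which may itself contain ':'."""
    return record["raw_sig"].split(":", 3)[-1]

def user_agents_by_client(records):
    """Map client IP -> set of User-Agent strings it sent."""
    agents = defaultdict(set)
    for r in records:
        if r.get("mod") == "http request" and r.get("subj") == "cli":
            agents[r["cli"].split("/")[0]].add(user_agent(r))
    return dict(agents)

def clients_with_multiple_agents(records):
    """Hosts presenting more than one User-Agent: the first place to look for UA abnormalities."""
    return sorted(ip for ip, uas in user_agents_by_client(records).items() if len(uas) > 1)

def to_csv(records):
    """CSV text for Excel, one column per p0f field; values containing ',' are quoted by csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()
```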

Day Four: Network Security Monitoring


Day four covered the mindset of assuming that your network is already compromised (aka Owned) and that we must resolve it!! During day four one realizes that full packet capture analysis has become more of a reality, in terms of both cost and effectiveness for detection. Today this is possible through cheap disk and SPAN ports, which together help buffer network data without overloading the firm’s infrastructure. (#Winning)

During day four we also learned how to monitor and track various indicators of compromise, such as exe transfers, user agent abnormalities and encryption certificate irregularities… just to name a few 🙂 .

On this fine day we used a CLI tool called “Bro” that extracts useful information out of network traffic. In the exercise we used Bro to extract any executables from a pcap file. Once the tool finished, we took the list of extracted exe’s that had been downloaded via HTTP and ran it against an anti-virus scanner. The anti-virus came back with some hits and revealed that, bingo, we had a TROJAN on our hands.

Day Five: Automation and Continuous Security Monitoring


On day Cinco of SEC 511 we discussed and worked on best practices for “automation and continuous security monitoring”. This day truly focused on the importance of patch management and leveraging built-in or freely downloadable software that can aid in tracking your firewall activity, events and overall detection.

Day five also covered the top four mitigation strategies that can improve a targeted system’s security by 85%+ <jingle> Go For It Connect Four!!! </jingle> :

– Use application whitelisting to help prevent malicious software and other unapproved programs from running.
– Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
– Patch operating system vulnerabilities.
– Minimize the number of users with administrative privileges.

On this day we also learned how to detect and monitor critical Windows events. We viewed how an adversary would use a Meterpreter payload to exploit a vulnerable system and execute simple commands against it. Upon execution these attacks can, and should, be tracked via the Windows event logs. These Windows events can be monitored manually by their system event IDs, or automatically by scripting via PowerShell.

(e.g. Get-WinEvent -FilterHashtable @{logname='system'; id=7030,7045} )
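What an analyst does with the events that one-liner returns, as an added example (not course material): it triages System-log event IDs 7045 (a service was installed) and 7030 (a service was marked interactive) from an exported record set, flagging service binaries outside the usual directories or running a shell interpreter. The records are constructed, and the field names (ServiceName, ImagePath, StartType) are assumed to match the events’ EventData as exported from Get-WinEvent.

```python
"""Triage the System-log service events (IDs 7045 and 7030) that the page's
Get-WinEvent one-liner returns. Added example, not course material; the
records are constructed and the EventData field names are assumed."""
import re

# Constructed export: an ordinary service install, a suspicious one, the 7030
# that followed it, and a vendor agent installed under Program Files.
EVENTS = [
    {"TimeCreated": "2014-12-05T10:01:12", "Id": 7045, "ServiceName": "Windows Update",
     "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "StartType": "auto start"},
    {"TimeCreated": "2014-12-05T10:07:55", "Id": 7045, "ServiceName": "XyQrLmNpVwTk",
     "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "StartType": "demand start"},
    {"TimeCreated": "2014-12-05T10:07:56", "Id": 7030, "ServiceName": "XyQrLmNpVwTk",
     "ImagePath": "", "StartType": ""},
    {"TimeCreated": "2014-12-05T11:30:00", "Id": 7045, "ServiceName": "Backup Agent",
     "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\" -svc", "StartType": "auto start"},
]
# Directories a newly installed service binary is normally expected to live under.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = re.compile(r"\\(cmd|powershell)\.exe\b", re.I)

def service_binary_dir(image_path):
    """Lower-cased directory of the service binary; handles quoted paths and arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', image_path.strip())
    exe = (m.group(1) or m.group(2)).lower() if m else ""
    return exe.rsplit("\\", 1)[0] + "\\" if "\\" in exe else ""

def triage(events):
    """Return (time, service, reason) tuples for events an analyst should look at."""
    findings = []
    for ev in events:
        if ev["Id"] == 7030:
            findings.append((ev["TimeCreated"], ev["ServiceName"], "7030: service marked interactive"))
        elif ev["Id"] == 7045:
            d = service_binary_dir(ev["ImagePath"])
            if not d.startswith(TRUSTED_DIRS):
                findings.append((ev["TimeCreated"], ev["ServiceName"], "7045: binary outside trusted dirs: " + ev["ImagePath"]))
            elif SHELLS.search(ev["ImagePath"]):
                findings.append((ev["TimeCreated"], ev["ServiceName"], "7045: service runs a shell interpreter: " + ev["ImagePath"]))
    return findings

def count_by_id(events):
    """Quick histogram per event ID, the manual 'look at the IDs' view from the text."""
    counts = {}
    for ev in events:
        counts[ev["Id"]] = counts.get(ev["Id"], 0) + 1
    return counts
```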

Day Six: Capture the Flag

On day six we wrapped up the class with a taste of SANS NetWars. This put our skills to the test in teams and gave us scenario-like questions where we had to work through various forms of data. Once we thought we had the right answer we could submit it into the form, and if we got it wrong, points were deducted. (Whomp Whomp) The challenges progressed in difficulty as you moved along, but hints were available, at a price of course 🙂 Ultimately I found this last day to be a challenge, but highly practical for any blue teamer to get their hands on.

Conclusion: CDM is the new hotness.

At the end of the day security is always a game of cat and mouse. But as the mouse (DEFENSE) we can always learn from the attacker’s mistakes. 🙂 YES, it’s true: any adversary who wants to be persistent and maintain access on a system must make moves (#noise). This class teaches you how to detect that noise, and the importance of finding our foes through their mistakes or footprints. In the end I would highly recommend this class to any host, network or web application defender; it teaches practical tools and knowledge that YOU, YES YOU, can take back to your business or home.