conducting defensive information warfare on open platforms
play

Conducting Defensive Information Warfare on Open Platforms 23rd - PowerPoint PPT Presentation

Oct 11, 2022 •291 likes •883 views

Conducting Defensive Information Warfare on Open Platforms 23rd October 2013 LinuxCon Europe Ben Tullis (formerly of) LinuxIT (Europe) Ltd. Ben Tullis - Background Professional Linux sysadmin (etc.) for 12+ years Worked in

  1. Conducting Defensive Information Warfare on Open Platforms 23rd October 2013 – LinuxCon Europe Ben Tullis – (formerly of) LinuxIT (Europe) Ltd.

  2. Ben Tullis - Background ● Professional Linux sysadmin (etc.) for 12+ years ● Worked in several markets: – Independent Software Vendor – UK Government Research: (British Antarctic Survey) – Managed Services Providers – Specialist Linux Consultancy ● Broad experience of Linux and IT security: – ...in the SME Sector – ...in the Outsourced Enterprise Sector

  3. Presentation Topics Defensive Information Warfare on Open Platforms ● Definitions, Threats, Targets, The Basics ● Increasing Network Visibility ● Increasing Host Visibility ● Log Management Tools & Techniques ● Collating and Presenting Security Information ● Focused Distributions

  4. What is Information Warfare? It's a model that helps to achieve good security practice. Comprised of four key elements: 1: Information Resources These resource have intrinsic value to someone: ● Exchange value – how much is it worth? ● Operational value – how useful/important is it?

  5. What is Information Warfare? 2: Players of The Game Offence In this context, the enemy. – Could be anyone with Motive, Means & Opportunity – to launch an attack on an Information Resource One or more of: insiders, hackers, criminals, – corporations, governments, and terrorists Those ever-present “ unknown unknowns” – Defence Everyone else, from individuals to governments – Anyone with Information Resources to protect – In this context, us –

  6. What is Information Warfare? 3: Offensive Operations Their aim is to: Increase the value of an Information Resource to an Offensive player. ● Decrease the value of an Information Resource to a Defensive player. ● Three classes of attack Increased availability of information for the offence e.g. espionage, identity theft, physical theft Decreased integrity of information e.g. tampering, fabrication, perception management Decreased availability of information for the defence e.g. sabotage, denial of service, physical theft

  7. What is Information Warfare? 4: Defensive Operations Their aim is to: Protect Information Resources from these three forms of attack. ● They must: Cost less than the losses that would occur in their absence. ● Six classes of defensive operation Prevention ● Deterrence ● Indications and Warnings ● Detection ● Emergency Preparedness ● Response ●

  8. Random Threats - Can affect anyone equally Examples: ● Malware distribution: – Removable Media – Infected Downloads ● IP Address scanning: Brute-force attacks – Zero-day attacks – e.g. Carna Botnet (420k node bot-net created by using – default passwords) ● Wardriving ● Session Hijacking

  9. Focused Threats - We are the target ● Traditional Network Penetration: – Dictionary Attacks – Off-line Attacks (e.g. Cloudcracker) ● Known Exploits: – Vulnerable Network Services – Privilege Escalation ● Social Engineering

  10. Focused Threats - We are the target Stealthy Devices: Requiring physical access – Dropboxes e.g. ● Pwnie Express ● MiniPwner ● Pwn Pi – Rogue Access Point e.g. ● WiFi Pineapple – Key Stroke Loggers – Miniature Cameras etc.

  11. Defining the Targets They are/will be everywhere.

  12. Defending Information – The Basics ● Good documentation & communication ● Good passwords & security policies ● Appropriate physical security measures ● Well defined change-management procedures ● Apply security patches promptly ● Standardize where possible/appropriate ● Back it all up

  13. Defending Information – The Basics ● Your Monitoring Solution TM – Monitor everything you can think of – Record as many metrics as possible – Review its configuration periodically and... ● ...in response to change ● ...in response to significant incidents – If appropriate, use multiple/parallel systems. ● Availability Monitoring ● Performance Monitoring ● Network Security Monitoring

  14. Increasing Network Visibility - Overview Making the best possible haystack/needle finding machine: – Capture as much network traffic as possible – Scan captured traffic: NIDS – Consider wireless protocols: WIDS – Profile network traffic: ● Record detailed statistical information ● Visualise normal network behaviour ● Facilitates filtering-out of legitimate traffic – Implement anomaly detection

  15. Capturing Ethernet Traffic Often use Switch Mirror Ports (aka. SPAN or Monitor Port) One port receives all traffic sent to/from the other ports. Most smart/managed switches support this feature. Another technique is to use a Network Tap

  16. Capturing Ethernet Traffic Simplest case: ● All traffic passing through the switch is visible at the protective Monitoring Server ● Do not assign an IP address to the capture interface: # ifconfig eth1 up promisc # ifconfig eth1 up promisc

  17. Capturing Ethernet Traffic Redundant System: ● Dual interfaces on all servers: active/active or active/passive ● One capture interface per switch

  18. Capturing Ethernet Traffic Tree Topology - Option 1 – Remote Port Mirroring ● Requires high-end switches. e.g. Cisco, HP, H3C, Alcatel ● Send all captured traffic to a central location for analysis/profiling. ● Upgrade interface links as necessary. ● Uses VLANs to isolate the mirrored traffic. ● Fairly complex to configure.

  19. Capturing Ethernet Traffic Tree Topology - Option 2 – Distributed Monitoring Requires several capture servers Remote servers send back: ● Events & Alerts ● Statistical traffic information ● System log files

  20. Network Intrusion Detection Systems Snort – Passive mode – Intrusion Detection – Inline mode – Intrusion Prevention – Searches network traffic for pattern matches – Rules files updated daily ● Up-to-date VRT rules available immediately to subscribers ● VRT rules freely available to registered users after 30 days ● Community rules under GPL. A subset of the VRT rules ● Third-party rule sets available. e.g. http://www.emergingthreats.net

  21. Network Intrusion Detection Systems Snort – Update rules daily with one of: ● Oinkmaster ● Pulled Pork – Expect to spend some time tuning: ● Main config file: snort.conf ● Rules files ● Ethernet interface configuration e.g. Disable ”Large Receive Offload” and ”Generic Receive Offload” on the collector: ethtool -K eth1 gro off ethtool -K eth1 gro off ethtool -K eth1 lro off ethtool -K eth1 lro off

  22. Network Intrusion Detection Systems Snort – Each rule has an Action associated, e.g. ● Send an alert and log traffic. ● Simply drop the offending packets. (Inline mode) ● Reject the traffic: TCP reset. UDP unreachable. (Inline mode) ● Custom actions & custom log types – Very flexible alerting and logging methods, e.g. ● Text → email alert & Pcap log file ● Syslog alert & logging to database ● Unified2 (recommended, high-performance format)

  23. Network Intrusion Detection Systems Suricata ● IDS/IPS project started in 2009 – Multi-threaded for greater native performance – Unified2 output by default – Protocol detection. Not based on port number – File identification by md5. Extract and save files from traffic – Can use Snort rules and can co-exist – http://suricata-ids.org/

  24. Network Intrusion Detection Systems Bro ● Passive Network Analysis Platform: – IDS features available – require custom scripting. – Detailed statistical log files created – Application-layer transcripts, e.g. HTTP, SSL etc. – Cluster-aware for high-capacity analysis – Scripting engine : Highly extensible – Match MD5 against Team Cymru malware database

  25. Wireless Intrusion Detection Systems ● Current best practice in IEEE 802.11: – Implement WPA2-Enterprise ● RADIUS – e.g. FreeRADIUS ● EAP – Strong Authentication ● hostapd + wpa_supplicant [+ OpenSSL] – Implement IEEE 802.11w ● Management Frames Protected ● We consider two types of attack: – A Rogue Access Point – A De-Authentication Attack

  26. Wireless Intrusion Detection Systems Kismet ● Monitor 802.11 traffic for known attack patterns: – Use additional wireless radios in monitor mode – (optionally) Channel-hop on the channels that you use – Drones can be distributed network-wide – Suitable for embedded use i.e. OpenWRT, DD-WRT etc. – Client can view real-time client list and traffic – Alerts can be sent via syslog – Tap interface permits full 802.11 capture

  27. Wireless Intrusion Detection Systems Kismet 1: Detecting rogue access points Legitimate Clients

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities psychological operations (psyop) cyber war/net war In wartime the term is Command, Control, Communications, Intelligence, Sensors Warfare(C3ISW)

287 views • 13 slides
BCPS FY 2019-20 Open Enrollment Communication Conducting these information meetings.

BCPS FY 2019-20 Open Enrollment Communication Conducting these information meetings.

BCPS FY 2019-20 Open Enrollment Communication Conducting these information meetings. Email was sent to all employees with enrollment information Human Resources Web Page has all the information, including this presentation

347 views • 8 slides
Building Open Sour Building Open Source platforms ce platforms on A on AWS WS Julien Simon

Building Open Sour Building Open Source platforms ce platforms on A on AWS WS Julien Simon

Building Open Sour Building Open Source platforms ce platforms on A on AWS WS Julien Simon Principal Technical Evangelist Amazon Web Services julsimon@amazon.fr @julsimon Agenda Agenda Development infrastructure VMs & OSes

888 views • 51 slides
CHRISTIAN WARFARE OUTLINE What do we mean by Christian warfare? Who is the enemy, and how do

CHRISTIAN WARFARE OUTLINE What do we mean by Christian warfare? Who is the enemy, and how do

CHRISTIAN WARFARE OUTLINE What do we mean by Christian warfare? Who is the enemy, and how do they operate? How do we arm ourselves? WHAT DO WE MEAN BY CHRISTIAN WARFARE? 3 writers: Spiritual warfare is an integral part of the entire

416 views • 25 slides
political warfare as it refers both to the whole of warfare directed at producing political

political warfare as it refers both to the whole of warfare directed at producing political

Gray zone operations can be defined as political warfare as it refers both to the whole of warfare directed at producing political results and to that part of warfare that employs political means to attain the political goals of war even

524 views • 34 slides
Conducting Survey Data Analysis using JMP Fit Model Platforms Mixed Model Personality (Fit

Conducting Survey Data Analysis using JMP Fit Model Platforms Mixed Model Personality (Fit

Conducting Survey Data Analysis using JMP Fit Model Platforms Mixed Model Personality (Fit Mixed) In order to improve employee satisfaction, we need to know which factors influence it. We examined the relationship between employee satisfaction

297 views • 12 slides
How can we fix the identity problem? Asymmetric Warfare v3 Open banking and its discontents

How can we fix the identity problem? Asymmetric Warfare v3 Open banking and its discontents

How can we fix the identity problem? Asymmetric Warfare v3 Open banking and its discontents David G.W. Birch (15Mb Ltd.) The Point (Auckland, August 2018) dave@15Mb.ltd www.15Mb.ltd @dgwbirch Please copy and distribute (last updated 16

849 views • 22 slides
Open Router Platforms: Is it time to move to an open routing infrastructure? Thomas Woo Bell

Open Router Platforms: Is it time to move to an open routing infrastructure? Thomas Woo Bell

Open Router Platforms: Is it time to move to an open routing infrastructure? Thomas Woo Bell Labs Disclaimer Opinions expressed here are my own and do not necessarily reflect official Alcatel- Lucent position What is an Open Router?

300 views • 7 slides
Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare:

Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare:

Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare: The Russian Challenge Panel IV: Euro-Atlantic responses to Russian nonlinear warfare Taking Away the Open Battlefield: Breaking the cycle

228 views • 6 slides
We make it accessible Who are we ? What are we doing ? - Open polyvalent platforms -

We make it accessible Who are we ? What are we doing ? - Open polyvalent platforms -

October 2016 We make it accessible Who are we ? What are we doing ? - Open polyvalent platforms - Development of diagnostic kits and reagents Cap Alpha 9 Avenue de lEurope 34830 Clapiers, France Tel : +33 (0)4.34.35.91.18

505 views • 18 slides
KBC Investment Strategy Presentation Defensive July 2020 Investment strategy Defensive

KBC Investment Strategy Presentation Defensive July 2020 Investment strategy Defensive

KBC Investment Strategy Presentation Defensive July 2020 Investment strategy Defensive Investment climate Key rate trends and outlook The European and US economies are restarting relatively quickly. 3,0 3,0 High-frequency indicators

388 views • 11 slides
Conducting empirical research in virtual worlds Shailey Minocha, The Open University, UK Shailey

Conducting empirical research in virtual worlds Shailey Minocha, The Open University, UK Shailey

Conducting empirical research in virtual worlds Shailey Minocha, The Open University, UK Shailey Garfield (Second Life) Collaborators: Christopher Hardy, Ahmad Reeves, Derek Richardson and Minh Tran, The Open University, UK Aims of the tutorial

318 views • 12 slides
KBC Investment Strategy Presentation Defensive June 2020 Investment strategy Defensive

KBC Investment Strategy Presentation Defensive June 2020 Investment strategy Defensive

KBC Investment Strategy Presentation Defensive June 2020 Investment strategy Defensive Investment climate Substantial economic contraction, uncertain outlook Key rate trends and outlook 3,0 3,0 Initial estimates suggest that the euro

457 views • 11 slides
MARITIME DIVISION Dr David Kershaw Chief 1 Maritime Division Maritime Undersea Platform

MARITIME DIVISION Dr David Kershaw Chief 1 Maritime Division Maritime Undersea Platform

MARITIME DIVISION Dr David Kershaw Chief 1 Maritime Division Maritime Undersea Platform Warfare System Sciences Sciences Surface Air and Submarine Littoral Submarine Ship Land ASW Platform Warfare Warfare Platforms Platform

559 views • 29 slides
How to Win at Spiritual Warfare or Tri, Tri Again Spiritual Warfare Part 6 TRIATHLON

How to Win at Spiritual Warfare or Tri, Tri Again Spiritual Warfare Part 6 TRIATHLON

How to Win at Spiritual Warfare or Tri, Tri Again Spiritual Warfare Part 6 TRIATHLON Swim Bike Run Tri + Prize = TRIATHLON TRINITY Tri + Unity = TRINITY May the grace of the Lord Jesus the Anointed, the love of

744 views • 58 slides
Future for EW in conducting multi-role/multi- effect EMSO Mr. Jeff Walsh, AOC Director

Future for EW in conducting multi-role/multi- effect EMSO Mr. Jeff Walsh, AOC Director

Electronic Warfare Asia 2020 Future for EW in conducting multi-role/multi- effect EMSO Mr. Jeff Walsh, AOC Director International Region II 4 & 5 February 2020 Timeline 1980s Stealth 1990s Iraq Bosnia WTC

284 views • 25 slides
SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major overhaul before the run FEB bootloader image Rogue framework TI interface on PCIE cards in SVT DAQ blades (clonfarm 2 and 3)

530 views • 10 slides
Fusing Beliefs of Multi-Layer Metrics for Detecting Security Attacks Konstantinos Kyriakopoulos

Fusing Beliefs of Multi-Layer Metrics for Detecting Security Attacks Konstantinos Kyriakopoulos

Fusing Beliefs of Multi-Layer Metrics for Detecting Security Attacks Konstantinos Kyriakopoulos Francisco J. Aparicio Navarro David Parish Coseners House - July 2011 Wednesday, 6 July 2011 Overview Introduction Aims Metrics -

242 views • 20 slides
WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today Due April 2 nd Online classes going forward Testing out BBCollaborate Ultra today Recordings should be available Might use different

1.19k views • 27 slides
Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Lower Layer Security Physical Layer Overview Common attack methods Ethernet

1.01k views • 80 slides
Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless

Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless

Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless Networking www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license Text

1.27k views • 28 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC

GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC

Introduction GSM security problems The False BTS Security beyond the Um interface GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC TIB, Taipei/TAIWAN 1 / 77 Harald Welte GSM Security Problems

1.19k views • 77 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides

More recommend