intelmq a kiss incident handling automation project ihap
play

IntelMQ - a KISS incident handling automation project (IHAP) L. - PowerPoint PPT Presentation

Jun 23, 2023 •167 likes •464 views

IntelMQ - a KISS incident handling automation project (IHAP) L. Aaron Kaplan kaplan@cert.at Sebastian Wagner Tom as Lima tomas.lima@cert.pt wagner@cert.at 2015-11-21 L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom

  1. IntelMQ - a KISS incident handling automation project (IHAP) L. Aaron Kaplan kaplan@cert.at Sebastian Wagner Tom´ as Lima tomas.lima@cert.pt wagner@cert.at 2015-11-21 L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  2. Overview 1 cert.at 2 Motivation 3 Intro to IntelMQ 4 History 5 Architecture and data flow 6 Installation 7 Writing a bot 8 Next steps/future L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  3. cert.at national cert and goverment cert (govcert) project of nic.at awareness and warnings incident response responsible for austria no obligation to inform us not an authority coordination, contacts, knowledge, trust L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  4. Motivation Handling automated collected incident intellgence We receive filtered data directly (by country) via mail botnet drones, vulnerable servers (open resolvers, ntp) etc. We collect non-public and public data c&c servers, spam, brute-force, etc. L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  5. Motivation (2) Process data mostly automatically! Ensure accuracy Enrich data (AS, geolocation) Filter data (for AT, don’t complain too often) Find responsible contacts notify responsible persons L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  6. Intro to IntelMQ IHAP = I ncident H andling A utomation P roject. Our overall project name. A project of multiple national CERTs (Trusted Introducer): https://www.trusted-introducer.org/ IntelMQ = Threat Intel feeds + M essage Q ueueing system. A concrete tool. Idea and architecture inspired by Abusehelper Data flow oriented toolkit to: Automatically collect & handle events/incidents Process and enrich these events Send them to some output, automatic actions L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  7. Intro to IntelMQ (2) Based on message queues (“MQ“) – redis , RabbitMQ, zmq Fast Very easy to extend GUI interface to create pipelines / modify dataflow (“intelmq-manager”) configuration management monitoring L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  8. History CERT.at started with Abusehelper (open source) Our problem with AH: everything is co-routine orientated. That‘s hard to debug. Many CERTs either: 1 give up or 2 if they have the money buy Abuse-SA (commercial, closed source). For CERT.at it was too expensive so we needed to stay with the standard open source version. L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  9. The Abusehelper Framework Strengths: nice flow-oriented architecture lots of existing bots to fetch data loosely de-coupled: in theory easy to write new “bots” and extend Abusehelper open source Issues/Weaknesses: code complexity. Are you a python guru? Getting code upstream to maintainer is hard hard to understand the dataflow resource-hog = > how to improve on this? no standard way to include into ticket systems like RTIR/OTRS data loss when message queue crashes L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  10. The Abusehelper Framework L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  11. Alternatives to Abusehelper? Megatron: open source, Java. Aware of two CERTs using it https://github.com/cert-se/megatron-java n6: CERT.pl http://n6.cert.pl/ CIF: USA http://csirtgadgets.org/ Warden: https://wardenw.cesnet.cz/ overview: https://www.cert.pl/PDF/MP-IST-111-18.pdf L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  12. Requirements analysis after the Heraklion meeting 5/2014 Reduce the complexity of system administration Reduce the complexity of writing new bots for new data feeds Reduce the probability of events lost in all process with persistence functionality (even system crash) Use and improve the existing “Data Harmonization Ontology“ (= Abusehelper internal key-value standard) Use JSON format for all messages Integration of the existing tools (n6, AbuseHelper, CIF) Provide easy way to store data into Log Collectors like ElasticSearch, Splunk and DBs L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  13. Summer sprint 2014 IntelMQ beta 1 is the result of a sprint July-˜Oct 2014. Persons: Tom´ as, Mauro, Aaron, Cosmin, . . . Ideas: KISS! (Keep it simple stupid) Very similar architecture as AH, just more modern tools Message Queues (redis, amq, zmq) Goal: it takes 15 minutes till 1d to create a new bot (without prior knowledge!) Open Source for ever – no separate commercial version Python != config language! We want a simple config (GUI!) Connectable with n6, AH, CIF, syslog, Elastic Search, Splunk, .. L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  14. IntelMQ @ hack.lu 2014 Very first public presentation and open source version Test with Fyodor (Taiwan Uni): 15 minutes explanation of code + the next morning he had a hpfeeds bot. It is simple. L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  15. IntelMQ components individual and specialized bots Config files: JSON: runtime.conf - runtime parameters of bots startup .conf - which bots to start BOTS = templates for all bots pipeline .conf - describes how bots are connected harmonization.conf - data description (field names and types) Redis , zmq, RabbitMQ or *-MQ as message queue Lib/ { bot.py, pipeline.py, message.py } Web-GUI: IntelMQ-Manager: JS + CSS + AJAX Outputs: Elastic Search or Postgresql or iptables . . . $foo L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  16. IntelMQ dataflow: bots L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  17. data examples: raw report # Example feed as r e p o r t # L i s t of malware i n f e c t i o n s # . . . # address , time in utc , malware 1 9 2 . 0 . 2 . 4 5 , 2015 − 11 − 15 15:54:41 , feodo 203.0.113.89 , 2015 − 11 − 20 02:51:14 , zeus p2p We have an address, source timestamp, and the incident type L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  18. data examples: parsed { ’ type ’ : u ’ Event ’ , ’ c l a s s i f i c a t i o n . type ’ : ’ malware ’ , ’ malware . name ’ : ’ zeus p2p ’ , ’ feed . name ’ : ’ Example feed ’ , ’ raw ’ : ’MTkyLjAuMi40NSwgMjAxNS0xMS0xNSAxNTo1NDo0MSw ’ source . ip ’ : ’ 1 9 2 . 0 . 2 . 4 5 ’ , ’ time . observation ’ : ’2015 − 11 − 19T13 :56:05+02:00 ’ , ’ time . source ’ : ’2015 − 11 − 15T15 :54:41+00:00 ’ } L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  19. data examples: cymru lookups { ’ type ’ : ’ Event ’ , ’ c l a s s i f i c a t i o n . type ’ : ’ malware ’ , ’ malware . name ’ : ’ zeus p2p ’ , ’ feed . name ’ : ’ Example feed ’ , ’ raw ’ : ’MTkyLjAuMi40NSwgMjAxNS0xMS0xNSAxNTo1NDo0MSw ’ source . as name ’ : ’ATT − INTERNET4 − AT&T Services , ’ source . asn ’ : 7018 , ’ source . ip ’ : ’ 1 9 2 . 0 . 2 . 4 5 ’ , ’ source . network ’ : ’192.0 .0.0/16 ’ , ’ source . r e g i s t r y ’ : ’ other ’ , ’ time . observation ’ : ’2015 − 11 − 19T13 :56:05+02:00 ’ , ’ time . source ’ : ’2015 − 11 − 15T15 :54:41+00:00 ’ } L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  20. IntelMQ manager L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

  21. IntelMQ manager L. Aaron Kaplan kaplan@cert.at, Sebastian Wagner wagner@cert.at , Tom´ as Lima tomas.lima@cert.pt IntelMQ - a KISS incident handling automation project (IHAP)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti

Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti

Sl d Sludge Handling Automation Sludge Handling Automation Sl d H H dli dli A t A t ti ti MECH/MECA 440 B Senior Project Spring 2010 Final Design Presentation Tuesday, May 11 th , 2010 y, y , Design Team Members Design Team

522 views • 29 slides
Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security

Overview Attacks Handling Security Incidents Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Chapter 7 Standard Incident Handling Procedures Learn

358 views • 7 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

EGI Community Forum 2014 Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel NIKHEF All the hard work: Heiko Reese KIT-CERT ( ) Sven Gabriel? 20042007: FZK Karlsruhe, T-1 GridKa Site Admin

1.19k views • 38 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy

Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy

Effective Incident Response Security Orchestration and Automation (SOAR) Miguel Carrero Tammy Tolbert MicroFocus ArcSight and Siemplify Addressing the needs of SOCs, including: Relieving resource constraints by automating

476 views • 19 slides
Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin and Georg Carle November 8, 2016 Chair of

422 views • 26 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb 17, 2008 1 Message Forms Various forms were used by different agencies & operators Incident Command System requires us to use ICS-213

535 views • 11 slides
KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator q Subgenerators q Efficient attack q New KISS and attack q Conclusion PAGE 2 One approach to PRNG security "A random number

594 views • 26 slides
Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Collaborative Incident Handling Based on the Blackboard-Pattern Nadine Herold, Holger Kinkelin November 25, 2016 Chair of Network

268 views • 25 slides
Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford

Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1 EE/CS Network Infrastructure Three buildings with one

349 views • 34 slides
Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March

Manage Security Incident Mingchao Ma STFC RAL, UK ISGC 2010 Security Workshop 7 th March 2010 Overview Actively manage incident handling Be ready BEFORE an incident Based on NIST SP800-61rev1 recommendation

466 views • 32 slides
KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator Subgenerators Efficient attack New KISS and attack Conclusion PAGE 2 One approach to PRNG security "A random number generator

643 views • 25 slides
SARK PACK PVTLTD (A Material Handling & Automation Solutions Company) SARK PACK PVT LTD

SARK PACK PVTLTD (A Material Handling & Automation Solutions Company) SARK PACK PVT LTD

SARK PACK PVTLTD (A Material Handling & Automation Solutions Company) SARK PACK PVT LTD Introduction SARK PACK PVT LTD SARK PACK PVT LTD was incorporated in 2019 to serve various industries with Material Handling equipment's and

494 views • 31 slides
PGCon-2020 Online 2020-05-26 Database systems: 2002-2005: since

PGCon-2020 Online 2020-05-26 Database systems: 2002-2005: since

PGCon-2020 Online 2020-05-26 Database systems: 2002-2005: since 2005: Worked on XML data type and functions (2005-2007) Long-term community activist #RuPostgres, 2000+ members Conferences Program

909 views • 64 slides
Private ! Virtual ! Infrastructure for ! Cloud ! Computing John ! Krautheim UMBC ! Cyber ! Defense

Private ! Virtual ! Infrastructure for ! Cloud ! Computing John ! Krautheim UMBC ! Cyber ! Defense

Private ! Virtual ! Infrastructure for ! Cloud ! Computing John ! Krautheim UMBC ! Cyber ! Defense ! Lab Cloud ! Computing ! Security ! Someone ! else ! owns ! the ! cloud ! Data ! in ! cloud ! is ! out ! of ! control ! of ! data ! owner ! Does !

324 views • 10 slides
oderint dum metuant... ! Last Release[10/2016]: v0.8\U-NATi0n!

oderint dum metuant... ! Last Release[10/2016]: v0.8\U-NATi0n!

#UFONet (HTTP) WebAbuse ... Ninja DDoS Nation [2016] oderint dum metuant... ! Last Release[10/2016]: v0.8\U-NATi0n! ===================================================================== * Whats UFONet? * How it

878 views • 36 slides
Neuroevolution of Combat Bots Artificial Intelligence for Interactive Media and Games Professor

Neuroevolution of Combat Bots Artificial Intelligence for Interactive Media and Games Professor

3/30/17 Neuroevolution of Combat Bots Artificial Intelligence for Interactive Media and Games Professor Charles Rich Computer Science Department rich@wpi.edu IMGD 4000 (D 17) 1 Constructing Complex NPC Behavior via Multi-Objective

306 views • 16 slides
Social Computing CS 278 | Stanford University | Michael Bernstein How can we design the social

Social Computing CS 278 | Stanford University | Michael Bernstein How can we design the social

Social Computing CS 278 | Stanford University | Michael Bernstein How can we design the social systems that we inhabit? What is social computing? Social computing systems are computational systems that mediate social interactions.

645 views • 38 slides
Security Issues and Solutions in Peer-to- peer Systems for Real-time Communications

Security Issues and Solutions in Peer-to- peer Systems for Real-time Communications

Security Issues and Solutions in Peer-to- peer Systems for Real-time Communications draft-schulzrinne-p2prg-rtc-security-00 Henning Schulzrinne Enrico Marocco Emil Ivov March 2009 (IETF 74) IETF - P2PRG 1 Overview Attacker motivations

323 views • 13 slides
Functions as a Service (Serverless computing) Motivation All require at least one server to

Functions as a Service (Serverless computing) Motivation All require at least one server to

Functions as a Service (Serverless computing) Motivation All require at least one server to be running at all times Want something that costs $0 if not used Portland State University CS 410/510 Internet, Web, and Cloud Systems Serverless

1.3k views • 52 slides
Workshop 3 Running Around Start downloading the TagBot project template (~75MB) in advance

Workshop 3 Running Around Start downloading the TagBot project template (~75MB) in advance

Faculty of Mathematics and Physics Charles University in Prague 10 th March 2015 UT2004 bots made easy! Tag! Tournament Workshop 3 Running Around Start downloading the TagBot project template (~75MB) in advance now Start

731 views • 42 slides

More recommend