Find out why open source is not just for software anymore! Get a comprehensive directory of best-of-breed open source security tools including Nmap, PRADS, OpenVAS, Snort, OSSEC, Nagios, ntop and more. Learn how to use these free resources for improved threat detection and incident response in your environment.
2. AGENDA
The Case for Detective Security Controls
Leveraging Open Source: The Essential Controls
A Guided Tour/Demo:
Asset Discovery: Nmap & PRADS
Wireless IDS: Kismet
Unified Security Management: OSSIM (OSSEC, SNORT, Ntop, OpenVAS)
Open Source Threat Sharing
MDL (Malware Domain List) & OTX (Open Threat Exchange)
Q&A
3. 2 Types of Security Controls
Preventative Controls
Used to implement C-I-A
Crypto, Firewall, Antivirus, PKI, VPN, SSL, DLP, EIEIO
Prevent an incident
Detective Controls
Provide visibility & response
Asset Discovery, VA, IDS/IPS, Log Management, Analytics
Detect & respond to an incident
4. IF WE ALREADY HAVE PREVENTATIVE CONTROLS…
WHY SHOULD WE CARE ABOUT DETECTIVE CONTROLS?
5. PREVENTION HAS PROVEN TO BE ELUSIVE
Example: 2012 “Cost of Cybercrime Study”, Ponemon Institute
A detailed study of 56 “Large US firms”
Results: 102 successful intrusions between them EVERY WEEK!
6. “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh, 2007
CISO, Depository Trust Clearing Corporation
Some pretty savvy recent victims
7. “How would you change your strategy if you knew for certain that you were going to be compromised?”
- Martin Roesch, 2013
Founder & CTO Sourcefire, Author of SNORT
8. Prevent | Detect & Respond
GET GOOD AT DETECTION & RESPONSE
Prevention: The basics are in place. Beyond that, buyer beware!
(“New prevention thingy 9.0 with advanced fuzzy logic. Stops 100% of all web-borne threats at the perimeter!”)
Detection & response: New capabilities to develop
10. Many professional SOCs are powered by open source
THERE’S AN APP FOR THAT!
PRADS, NFSen, P0F, OVALdi, MDL, OpenFPC, PADS
Challenge: How do we make sense of all these?
11. FIRST WE CATEGORIZE THEM!
The 5 essential capabilities for effective detection & response:
Asset Discovery: What am I protecting & what is most valuable?
Vulnerability Assessment: Where are my assets exposed?
Threat Detection: How, when and where am I being attacked?
Behavioral Monitoring: What is the state of my environment – anything strange?
Intelligence & Analytics: Put it all together with external intelligence & determine a response!
12. CHALLENGE: NAME THAT TOOL!
Asset Discovery, Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence
13. THE ESSENTIAL CONTROLS
Open source alternatives for each of the 5 categories: Asset Discovery, Vulnerability Assessment, Threat Detection, Behavioral Monitoring, Analytics & Intelligence
Tools shown: P0F, OpenFPC, NFSen, OVALdi, PRADS, PADS
14. LET’S SEE THEM IN ACTION
Asset Discovery with Nmap & PRADS
Wireless IDS with Kismet
Unified Security Management with OSSIM (includes OSSEC, SNORT, ntop, OpenVAS)
15. NMAP & PRADS
Problem it solves:
I need an inventory of assets on my network (Nmap) and I need to continuously keep it up to date as things change (PRADS).
Pros:
Nmap is very mature, robust & feature rich.
Both tools produce verbose output.
Cons:
Both tools produce extremely verbose output.
PRADS does not have a GUI.
Why we like it:
These cover both active and passive asset discovery. PRADS is relatively new but it covers the same functionality as two older tools (PADS and p0f).
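The "scan once, keep current passively" workflow above can be reduced to a merge of the two tools' outputs. The following is an added example, not code from the deck or from either project: it parses a constructed Nmap `-oX` style document and constructed PRADS asset-log lines (the column layout `asset,vlan,port,proto,service,[service-info],distance,discovered` is an assumption made here), builds one inventory, and reports what the passive sensor has seen that the last scan did not.

```python
"""Added example: one asset inventory from an Nmap XML scan (active,
point-in-time) plus a PRADS asset log (passive, continuous)."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap "-oX" style output for two hosts (not a real scan).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
</ports></host>
</nmaprun>
"""

# Constructed PRADS asset-log lines. Assumed layout:
# asset,vlan,port,proto,service,[service-info],distance,discovered
# where proto is the IP protocol number (6 = TCP, 17 = UDP).
PRADS_LOG = """asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.5,0,22,6,SERVER,[ssh:OpenSSH],0,1380000000
10.0.0.9,0,8080,6,SERVER,[http:Apache],0,1380000300
10.0.0.42,0,0,0,ARP,[00:11:22:33:44:55],0,1380000600
"""
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_nmap(xml_text):
    """Yield (ip, 'proto/port') per open port, or (ip, None) for an up host
    with nothing open, so the host itself still lands in the inventory."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ip = addr.get("addr")
        open_ports = [f"{p.get('protocol')}/{p.get('portid')}" for p in host.iter("port")
                      if p.find("state") is not None and p.find("state").get("state") == "open"]
        for svc in open_ports:
            yield ip, svc
        if not open_ports:
            yield ip, None


def parse_prads(log_text):
    """Yield (ip, 'proto/port' or None, discovered_epoch) for each record."""
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0] == "asset":          # blank line or header
            continue
        ip, _vlan, port, proto, service, _info, _dist, discovered = row[:8]
        svc = f"{PROTO_NAMES.get(proto, proto)}/{port}" if service == "SERVER" and port != "0" else None
        yield ip, svc, int(discovered)


def build_inventory(nmap_xml, prads_log):
    """Per IP: which tools saw it, the services each reported, last passive sighting."""
    inv = {}

    def entry(ip):
        return inv.setdefault(ip, {"sources": set(), "nmap": set(), "prads": set(), "last_seen": None})

    for ip, svc in parse_nmap(nmap_xml):
        e = entry(ip)
        e["sources"].add("nmap")
        if svc:
            e["nmap"].add(svc)
    for ip, svc, ts in parse_prads(prads_log):
        e = entry(ip)
        e["sources"].add("prads")
        if svc:
            e["prads"].add(svc)
        if e["last_seen"] is None or ts > e["last_seen"]:
            e["last_seen"] = ts
    return inv


def services(inv, ip):
    """Every service known for a host, from either source."""
    return inv[ip]["nmap"] | inv[ip]["prads"]


def passive_only_hosts(inv):
    """Hosts PRADS heard that the last scan did not report: new devices, or
    hosts the scan missed (filtered, asleep, out of scope)."""
    return sorted(ip for ip, e in inv.items() if "nmap" not in e["sources"])


def passive_only_services(inv):
    """Services on the wire the scan did not find: a change since the scan,
    or a port outside the scan profile. Either way the inventory is stale."""
    return {ip: sorted(e["prads"] - e["nmap"]) for ip, e in inv.items() if e["prads"] - e["nmap"]}


if __name__ == "__main__":
    inv = build_inventory(NMAP_XML, PRADS_LOG)
    for ip in sorted(inv):
        print(ip, sorted(services(inv, ip)), sorted(inv[ip]["sources"]))
    print("not in last scan:", passive_only_hosts(inv))
    print("services scan missed:", passive_only_services(inv))
```

The two "passive only" reports are the point of pairing the tools: a host that only PRADS knows about, or a service that appeared between scans, is exactly the drift an asset inventory exists to catch, and either one is a reason to re-scan that host and update the record.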
16. KISMET
Problem it solves:
I need to know how wireless networks are being accessed and whether anyone has set up a rogue access point in my facility.
Pros:
Great command line interface.
Outputs log events for WIDS events and a periodic XML report for observed networks.
Cons:
A wireless adapter can’t transmit while in monitor mode, so a dedicated adapter is needed.
Why we like it:
This tool is very versatile. There are plugins for DECT and Ubertooth devices.
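The periodic XML report mentioned above is what makes the rogue-AP question answerable with a script. The following added example (not Kismet's code, not from the deck) reads a constructed report in the `.netxml` element layout assumed here (`<wireless-network>` with `<SSID>/<essid>`, `<encryption>` and `<BSSID>`), compares each infrastructure network with a constructed list of sanctioned BSSIDs, and classifies it: authorized, an authorized radio that has lost its encryption, an unknown radio advertising the corporate ESSID, or simply unknown.

```python
"""Added example: sort the APs in a Kismet netxml report against a whitelist
of sanctioned BSSIDs. Constructed data; not from Kismet or the deck."""
import xml.etree.ElementTree as ET

# Constructed report in the element layout this example assumes for .netxml.
KISMET_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2013.03.R1">
<wireless-network number="1" type="infrastructure">
 <SSID><type>Beacon</type><essid cloaked="false">CorpWiFi</essid>
  <encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption></SSID>
 <BSSID>00:11:22:AA:BB:01</BSSID><channel>6</channel>
</wireless-network>
<wireless-network number="2" type="infrastructure">
 <SSID><type>Beacon</type><essid cloaked="false">CorpWiFi</essid>
  <encryption>None</encryption></SSID>
 <BSSID>00:11:22:AA:BB:02</BSSID><channel>11</channel>
</wireless-network>
<wireless-network number="3" type="infrastructure">
 <SSID><type>Beacon</type><essid cloaked="false">CorpWiFi</essid>
  <encryption>WPA+PSK</encryption></SSID>
 <BSSID>DE:AD:BE:EF:00:01</BSSID><channel>6</channel>
</wireless-network>
<wireless-network number="4" type="infrastructure">
 <SSID><type>Beacon</type><essid cloaked="false">Guest-Coffee</essid>
  <encryption>None</encryption></SSID>
 <BSSID>DE:AD:BE:EF:00:02</BSSID><channel>1</channel>
</wireless-network>
<wireless-network number="5" type="probe">
 <SSID><type>Probe Request</type><essid cloaked="false">CorpWiFi</essid></SSID>
 <BSSID>00:00:00:00:00:00</BSSID>
</wireless-network>
</detection-run>
"""

# Constructed whitelist: sanctioned BSSIDs and the ESSID each may serve.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "CorpWiFi",
    "00:11:22:aa:bb:02": "CorpWiFi",
}
CORPORATE_ESSIDS = set(AUTHORIZED.values())


def parse_networks(xml_text):
    """Yield one dict per infrastructure network; probe entries are clients, not APs."""
    for net in ET.fromstring(xml_text).iter("wireless-network"):
        if net.get("type") != "infrastructure":
            continue
        ssid = net.find("SSID")
        yield {
            "bssid": net.findtext("BSSID", default="").lower(),
            "essid": ssid.findtext("essid", default="") if ssid is not None else "",
            "channel": net.findtext("channel", default="?"),
            "encryption": [e.text for e in ssid.iter("encryption")] if ssid is not None else [],
        }


def classify(net, authorized=AUTHORIZED, corp_essids=CORPORATE_ESSIDS):
    """Verdict for one AP. An unknown BSSID beaconing our own ESSID is the case
    the slide calls a rogue access point; an open authorized radio is a
    misconfiguration that deserves the same urgency."""
    bssid, essid = net["bssid"], net["essid"]
    open_ap = not net["encryption"] or net["encryption"] == ["None"]
    if bssid in authorized:
        if authorized[bssid] != essid:
            return "authorized-bssid-wrong-essid"
        return "misconfigured-open" if open_ap else "authorized"
    if essid in corp_essids:
        return "spoofed-essid"
    return "unknown"          # a neighbor, or a rogue on a different name: locate it


def review(xml_text, authorized=AUTHORIZED):
    """Return {bssid: verdict} for every AP in the report."""
    corp = set(authorized.values())
    return {n["bssid"]: classify(n, authorized, corp) for n in parse_networks(xml_text)}


def needs_attention(verdicts):
    """BSSIDs a WIDS operator should act on, most urgent first."""
    order = ["spoofed-essid", "misconfigured-open", "authorized-bssid-wrong-essid", "unknown"]
    return [b for v in order for b, verdict in sorted(verdicts.items()) if verdict == v]


if __name__ == "__main__":
    verdicts = review(KISMET_NETXML)
    for bssid in needs_attention(verdicts):
        print(bssid, verdicts[bssid])
```

Run this against each new report Kismet writes and diff the `needs_attention` list between runs; a BSSID that moves from absent to `spoofed-essid` is the alert worth paging on, while the `unknown` bucket is mostly the neighbours and is better reviewed on a schedule.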
17. OSSIM (OSSEC, Snort, Ntop, OpenVAS & others)
Problem it solves:
I need all the essential detective controls, but it takes too long to install them and I have way too many dashboards to look at when I am done.
Pros:
USM: Unifies management of these tools and offers correlation between event sources.
Includes incident response templates & workflows.
Cons:
Full intelligence feed, log management and management features require the commercial version.
Why we like it:
The company I work for makes OSSIM and it makes it easy to implement and manage all these tools at once.
18. OPEN SOURCE IS NOT JUST FOR SOFTWARE ANYMORE….
Open Threat Sharing
22. MDL AND OTX
Problem it solves:
My detective controls only show me what’s happening in my environment. What are the experts seeing (MDL), what are my peers seeing (OTX)?
Pros:
Allows me to collect threats from security researchers (MDL) and from peers (OTX).
Allows me to share threats with my peers (OTX).
These add an intelligence layer to traditional tools, like NIDS and SIEM.
Cons:
Most feeds are a teaser to a commercial offering.
Why we like it:
If we get this right and get everyone involved, the bad guys only get one “first attack” for the entire network – attack one and all will detect and respond.
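The "intelligence layer on top of NIDS and SIEM" claim above becomes concrete when a feed is actually joined to local telemetry. The following added example (not from the deck, MDL, or AlienVault) takes a constructed CSV in a layout modelled on a domain-list export (an assumption made here: date, domain or URL, IP, reverse, description, ...), matches DNS query-log lines against it with parent-domain awareness, and emits local Snort `alert ip` rules for the listed IPs so the NIDS is tuned by the feed. Every row, log line and SID is constructed.

```python
"""Added example: detection with a malware-domain feed (DNS log matching) and
NIDS tuning from the same feed (generated local Snort rules). Constructed data."""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed feed rows. Assumed layout: date,domain_or_url,ip,reverse,description,registrant,asn
FEED_CSV = '''"2013/09/27_10:15","bad-updates.example","203.0.113.7","-","Trojan downloader","-","64496"
"2013/09/28_08:40","cdn.evil.example/payload/x.exe","203.0.113.8","-","Exploit kit","-","64496"
"2013/09/28_09:05","198.51.100.77/login.php","198.51.100.77","-","Phishing page","-","64497"
'''
# Constructed BIND-style query log lines.
DNS_LOG = """\
28-Sep-2013 14:02:55.120 client 10.0.0.9#51234: query: www.bad-updates.example IN A + (10.0.0.1)
28-Sep-2013 14:02:58.004 client 10.0.0.5#40001: query: mail.corp.example IN MX + (10.0.0.1)
28-Sep-2013 14:03:02.311 client 10.0.0.9#51240: query: cdn.evil.example IN A + (10.0.0.1)
28-Sep-2013 14:05:10.777 client 10.0.0.20#60120: query: notbad-updates.example IN A + (10.0.0.1)
"""
QUERY_RE = re.compile(r"^(\S+ \S+) client (\S+?)#\d+: query: (\S+) IN (\w+)")


def load_feed(csv_text):
    """Return ({domain: description}, {ip: description}). URL entries are
    reduced to their host; entries that are only an IP feed the IP set alone."""
    domains, ips = {}, {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue
        _date, entry, ip, _rev, desc = row[:5]
        host = urlsplit("//" + entry).hostname or ""
        if host and not re.fullmatch(r"[\d.]+", host):
            domains[host.lower()] = desc
        if ip != "-":
            ips[ip] = desc
    return domains, ips


def listed_parent(name, domains):
    """Feed domain matching name or one of its parents, else None. Walking
    labels (not substrings) keeps notbad-updates.example from matching."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log_text, domains):
    """Return one hit per query whose name (or parent) is on the feed."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        when, client, name, _qtype = m.groups()
        listed = listed_parent(name, domains)
        if listed:
            hits.append({"when": when, "client": client, "query": name,
                         "listed": listed, "why": domains[listed]})
    return hits


def to_snort_rules(ips, base_sid=1000100):
    """One local ip-based rule per listed IP. SIDs are constructed here and
    must stay unique within your own local rule set."""
    return [f'alert ip $HOME_NET any -> {ip} any (msg:"MDL listed host: {desc}"; '
            f'sid:{base_sid + n}; rev:1;)'
            for n, (ip, desc) in enumerate(sorted(ips.items()))]


if __name__ == "__main__":
    domains, ips = load_feed(FEED_CSV)
    for hit in scan_dns_log(DNS_LOG, domains):
        print(hit["when"], hit["client"], "->", hit["query"], f"({hit['why']})")
    print("\n".join(to_snort_rules(ips)))
```

The DNS side answers "who on my network touched something the researchers already flagged", which is the question the slide's detective controls cannot answer on their own; the rule side is the feedback loop in the other direction. In practice, regenerate the rules each time the feed is pulled and retire the old SID block, otherwise stale indicators accumulate as false positives.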
23. THE PRACTITIONER’S GUIDE
Open Source Asset Discovery Tools
Nmap http://nmap.org
The de-facto standard utility for network mapping. Use to scan the network on a periodic basis to create and update an inventory of assets.
PADS http://passive.sourceforge.net
Passive Asset Detection System is a network sniffer that detects (infers) assets by monitoring traffic. Use to augment Nmap scans.
P0f http://lcamtuf.coredump.cx/p0f3/
Passive OS fingerprinting tool. Use to identify and profile assets on your network (including those of attackers).
PRADS http://gamelinux.github.io/prads
Passive Real-Time Asset Detection. Alternative to PADS: listens to the network and gathers information on hosts and services.
Open Source Threat Detection Tools
Snort http://www.snort.org
The world’s most popular network IDS/IPS. Provides signature, protocol, and anomaly-based inspection. Use to identify attacks.
Suricata http://suricata-ids.org
“Next Generation” alternative (or not) to SNORT, funded by US DHS/DoD. Use to identify attacks and extract malware from network traffic.
Kismet http://www.kismetwireless.net
An 802.11 layer 2 wireless IDS. Use to identify and monitor (legitimate and rogue) networks by passively monitoring traffic.
OSSEC http://www.ossec.net
Host-based Intrusion Detection System. Use to perform log analysis, file integrity monitoring, policy monitoring and rootkit detection on endpoint assets.
24. THE PRACTITIONER’S GUIDE
Open Source Behavioral Monitoring Tools
Ntop http://www.ntop.org
A Unix tool that shows network usage, similar to what the popular top Unix command does. Use to determine what processes and services are running.
Nfsen http://nfsen.sourceforge.net
A web-based GUI for the nfdump netflow tools. Use to monitor netflows.
OpenFPC http://www.openfpc.org
A set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Use to monitor network traffic & flows.
Nagios http://www.nagios.org
Open source IT monitoring system. Use to monitor activity on servers.
Open Source Vulnerability Assessment Tools
OpenVAS http://openvas.org
Framework of services and tools for vulnerability scanning and vulnerability management. The open source fork of Nessus, which converted to closed source.
OVALdi http://www.decalage.info/en/ovaldi
An open source reference implementation of a vulnerability scanner based on OVAL definitions. Alternative to OpenVAS.
Open Source Intelligence and Analytics Tools
OSSIM http://www.alienvault.com/ossim
Unified security management & the world’s most popular SIEM. Use to combine essential controls into a single unified system managed from a single pane of glass.
Logstash http://logstash.net/
A tool for managing events and logs. Use to collect logs, parse them, and store them for later use or analysis.
25. THE PRACTITIONER’S GUIDE
Open Threat Intelligence Feeds & Threat Sharing Communities
MDL http://www.malwaredomainlist.com
A continuously updated list of malware-related sites plus a discussion forum on new threats. Use to tune threat detection tools.
ETO http://www.emergingthreats.net
A platform-independent (SNORT & Suricata) ruleset for tuning IDS. Use to make your IDS more effective at identifying threats.
OTX http://www.alienvault.com/otx
The world’s largest collaborative threat sharing network. Use to share threat information in real-time with others on the exchange. Several free risk-monitoring tools are also available.