Here is my quick wrap-up of the FIRST Technical Colloquium hosted by Cisco in Amsterdam. This is my first participation in a FIRST event. FIRST is an organization that helps with incident response, as stated on its website:
FIRST is a premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication with member teams.
The event was organized at the Cisco office. Monday was dedicated to a training on incident response and the next two days were dedicated to presentations, all of them focusing on the defence side (“blue team”). Here are a few notes about interesting things that I learned.
The first day started with two guys from Facebook: Eric Water and Matt Moren. They presented the solution developed internally at Facebook to solve the problem of capturing network traffic: “PCAP don’t scale”. In fact, with their solution, it scales! To investigate incidents, PCAPs are often the gold mine. They contain many IOCs but they also introduce challenges: the disk space, the retention policy, the growing network throughput. When vendors’ solutions don’t fit, it’s time to build your own. Ok, only big organizations like Facebook have the resources to do this, but it’s quite fun. The solution they developed can be seen as a service: “PCAP as a Service”. They started by building the right hardware for the sensors and added a cool software layer on top of it. Once collected, interesting PCAPs are analyzed using the Cloudshark service. They explained how they reached high performance by mixing NFS and their GlusterFS solution. Really a cool solution if you have multi-gigabit networks to tap!
Indeed, when a DNS request is blocked, the user is redirected to a landing page which gives more details about the problem. Note that this can have a collateral issue like blocking a complete domain (and not only specific URLs), since the rewrite happens at the DNS name level. This is a great security control to deploy. Note that RPZ support is implemented in many solutions, especially BIND 9.
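As an added example (not from the talk or this post), here is a minimal BIND 9 RPZ zone that implements such a landing-page redirect and shows the whole-domain caveat: the zone name rpz.local, the names malicious.example and landing.example, and the file path are placeholders.

```dns
; Placeholder RPZ zone file, e.g. /etc/bind/db.rpz.local (assumed path).
; named.conf must reference it in options { response-policy { zone "rpz.local"; }; };
; and declare it as zone "rpz.local" { type master; file "/etc/bind/db.rpz.local"; };
$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 600 86400 300 )
@   IN NS   localhost.

; Rewrite the blocked name to the landing page (CNAME action).
; The user lands on landing.example, which explains why the request was blocked.
malicious.example      IN CNAME landing.example.

; The wildcard catches every subdomain too: this is the "complete domain" effect.
; DNS sees only names, never URLs, so a single bad path cannot be blocked on its own.
*.malicious.example    IN CNAME landing.example.

; An explicit record takes precedence over the wildcard: rpz-passthru exempts
; one host (assumed legitimate) from the block so the collateral damage is limited.
ok.malicious.example   IN CNAME rpz-passthru.
```

Rewriting to a CNAME only works when the client then resolves landing.example normally, so that name must not itself match a rule in the zone.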
Finally, the first day ended with a presentation by Tatsuya Ihica from Recruit CSIRT: “Let your CSIRT do malware analysis”. It was a complete review of the platform they deployed to perform more efficient automated malware analysis. The project is based on Cuckoo, which was heavily modified to match their requirements.
The second day started with an introduction to the FIRST organization made by Aaron Kaplan, one of the board members. I liked the quote given by Aaron:
If country A does not talk to country B because of ‘cyber’, then a criminal can hide in two countries
- Using the Google API, VT API
- Paste websites (like pastebin.com)
- YARA rules
- DNS typosquatting
- Whois queries
All the tools are available here. A very nice talk with tips & tricks that you can use immediately in your organization.
- Discover RFC1918 address space
- Discover internal services
- Look for blacklisted services
- Reveal reconnaissance
- Bad behaviours
- Compromised hosts, pivot
- HTTP connection to external host
- SSH reverse shell
- Port scanning (ports 445 / 139)
- Telemetry collection
- Data exfiltration
- Network exploration
- Vulnerability/discovery scanning
- You need a reverse proxy (to be able to change requests on the fly)
- Lua hooks
- State db for concurrency
- Load balancer for scalability
- fingerprintjs2 / JS Challenge
- WSA logs (350M+ events / day)
- Passive DNS (7.5TB / day)
- Users identification
- osquery data
Some useful tips that were given and that are valid for any log management platform:
- Don’t assume your data is well-formed and complete
- Don’t assume your data is always flowing
- Don’t collect all the things at once
Two intense days full of useful information and tips to better defend your networks and/or collect intelligence. The slides should be published soon.