
Using BRO to tattle on other tools, Patrick Cain, The Cooper-Cain Group (PowerPoint presentation, slide transcript)



  1. Using BRO to tattle on other tools. Patrick Cain, The Cooper-Cain Group, Inc. pcain@coopercain.com (@BC @APWG)

  2. Using BRO ZEEK to tattle on other tools. Patrick Cain, The Cooper-Cain Group, Inc. pcain@coopercain.com (@BC @APWG). I don’t do BIG data, I do LARGE data!

  3. A hypothetical environment… Bro (now Zeek) → Kafka → ES

  4–8. An environment… (one diagram, built up over five slides): Bro (now Zeek) → Kafka → ES; log sources: Windows servers, Linux servers, DHCP/802.1x, Apache/IIS, Nginx/APEX, etc.; ArcSight ESM (the SIEM); FWs; MSS; ACTION

  9. Normal event ‘flow’
     • Taps feed Bro/Zeek
     • Zeek feeds Elasticsearch (ES) via a Kafka buffer
     • Analysts can search in ES using Kibana
     • ES sends filtered things to the SIEM
     • SIEM does correlation, adds user detail, etc.
     • No sense in rebuilding the SIEM
     • SIEM alerts on “bad things” and sends the alert to tickets (tix)

  10–14. We have an MSSP, too (built up over five slides)
     • “they will watch stuff as we sleep” ☺
     • They run Snort; we get tickets when they see “stuff”
     • Snort is uni-directional; there are a lot of false positives in “stuff”
     • We wrote a script to log into their ticketing system:
       1. Grab IP, port, timestamp
       2. Search ES for the Zeek conn log
       3. If connection not blocked -> generate a ticket for us
       4. If port is 80 and http_response is 200 -> generate a ticket for us
       5. Else, close vendor ticket

  15–19. We’re slowly adding new things (built up over five slides)
     • Hey! We run Snort, too!
     • Let’s verify other Snort alerts
       • Did the RDP actually succeed? (Nope -> blocked at FW)
       • Was the remote shell attempt successful? (# bytes in conn.log)
       • Did the exploit actually succeed?
     • Put Zeek behind the F5 (SSL decryptor)
       • Did bad stuff seen in decrypted traffic hit other servers encrypted? Zeek to the rescue.
     • Can we skim 10% off the coin miner traffic? Keep tuition low ☺
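The following is an added worked example, not code from the talk or from the Cooper-Cain Group. It implements the five-step vendor-ticket triage from the MSSP slides (grab IP, port and timestamp; find the matching Zeek conn.log record; ticket us if the connection was not blocked, or if a port-80 request got an HTTP 200; otherwise close the vendor ticket) and also answers the verification questions from the "new things" slides (was the RDP attempt blocked at the firewall, how many bytes did a suspected remote shell actually move). The conn.log and http.log lines are constructed Zeek JSON-format records; the in-memory lookup stands in for the Elasticsearch query the talk describes; the 60-second matching window, the set of conn_state codes treated as "blocked", the "manual review" outcome when no conn record exists, and letting the HTTP status decide for port-80 alerts are all my assumptions.

```python
import json
from dataclasses import dataclass

# Constructed Zeek JSON-format conn.log and http.log records (not real traffic).
CONN_LOG = """\
{"ts":1552300000.1,"uid":"C1","id.orig_h":"203.0.113.9","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":3389,"proto":"tcp","conn_state":"S0","orig_bytes":0,"resp_bytes":0}
{"ts":1552300030.5,"uid":"C2","id.orig_h":"203.0.113.9","id.orig_p":51240,"id.resp_h":"192.0.2.20","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF","orig_bytes":412,"resp_bytes":9731}
{"ts":1552300060.0,"uid":"C3","id.orig_h":"203.0.113.9","id.orig_p":51250,"id.resp_h":"192.0.2.30","id.resp_p":4444,"proto":"tcp","duration":640.2,"conn_state":"SF","orig_bytes":1850,"resp_bytes":22040}
{"ts":1552300090.0,"uid":"C4","id.orig_h":"203.0.113.9","id.orig_p":51260,"id.resp_h":"192.0.2.20","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF","orig_bytes":300,"resp_bytes":512}
"""
HTTP_LOG = """\
{"ts":1552300030.6,"uid":"C2","method":"GET","host":"www.example.com","uri":"/cgi-bin/test.cgi","status_code":200}
{"ts":1552300090.1,"uid":"C4","method":"GET","host":"www.example.com","uri":"/wp-login.php","status_code":404}
"""

# Zeek conn_state codes meaning the TCP handshake never completed: S0 (no reply
# seen), REJ (rejected), RSTOS0 (originator sent SYN then RST, no SYN-ACK seen).
# Treating exactly these as "blocked at the firewall" is an analyst's choice.
BLOCKED_STATES = {"S0", "REJ", "RSTOS0"}


def load_log(text):
    """Parse Zeek JSON-format log lines (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


@dataclass
class Alert:
    """What a vendor ticket gives us: IP, port, timestamp (slide step 1)."""
    ticket: str
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: float


def find_conn(alert, conns, window=60.0):
    """Step 2: the conn.log record for the alert's tuple, nearest in time.
    Stands in for the ES query; `window` seconds allows for clock skew between
    the vendor sensor and our taps (assumed value)."""
    candidates = [c for c in conns
                  if c["id.orig_h"] == alert.src_ip and c["id.resp_h"] == alert.dst_ip
                  and c["id.resp_p"] == alert.dst_port and abs(c["ts"] - alert.ts) <= window]
    return min(candidates, key=lambda c: abs(c["ts"] - alert.ts), default=None)


def triage(alert, conns, https):
    """Steps 3 to 5, plus the byte counts needed to judge a remote shell."""
    conn = find_conn(alert, conns)
    if conn is None:
        # Not on the slides: without a conn record we can neither confirm nor
        # refute the alert, so hand it to a human instead of auto-closing.
        return {"ticket": alert.ticket, "action": "manual_review", "reason": "no conn.log match"}
    result = {"ticket": alert.ticket, "uid": conn["uid"], "conn_state": conn["conn_state"],
              "orig_bytes": conn.get("orig_bytes", 0), "resp_bytes": conn.get("resp_bytes", 0)}
    if conn["conn_state"] in BLOCKED_STATES:
        # Step 5: the firewall (or the host) never let the handshake complete.
        result.update(action="close_vendor", reason=f"blocked ({conn['conn_state']})")
    elif alert.dst_port == 80:
        # Step 4: for web alerts let the HTTP status decide (my reading of the
        # slide's ordering; otherwise rule 3 would ticket every web hit).
        status = next((h["status_code"] for h in https if h["uid"] == conn["uid"]), None)
        if status == 200:
            result.update(action="ticket_us", reason="http 200")
        else:
            result.update(action="close_vendor", reason=f"http {status}")
    else:
        # Step 3: handshake completed, so the attempt got through; ticket us.
        # orig_bytes/resp_bytes in the result show how much a shell moved.
        result.update(action="ticket_us", reason="connection not blocked")
    return result


def triage_all(alerts, conn_text=CONN_LOG, http_text=HTTP_LOG):
    conns, https = load_log(conn_text), load_log(http_text)
    return [triage(a, conns, https) for a in alerts]


# Constructed vendor tickets matching the records above.
SAMPLE_ALERTS = [
    Alert("T-1", "203.0.113.9", "192.0.2.10", 3389, 1552300000.0),  # RDP: blocked at FW
    Alert("T-2", "203.0.113.9", "192.0.2.20", 80, 1552300030.0),    # web exploit, got a 200
    Alert("T-3", "203.0.113.9", "192.0.2.30", 4444, 1552300058.0),  # remote shell, bytes moved
    Alert("T-4", "203.0.113.9", "192.0.2.20", 80, 1552300091.0),    # web probe, got a 404
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_ALERTS):
        print(r)
```

Running the block closes T-1 (conn_state S0, so the RDP attempt was blocked) and T-4 (HTTP 404), and tickets T-2 (HTTP 200) and T-3, where the 22040 response bytes on the completed port-4444 connection are what an analyst would read as "the shell worked". Matching on uid between conn.log and http.log is the reliable join in Zeek logs; matching the conn record on the 3-tuple plus a time window is the weak point, which is why an unmatched alert goes to manual review rather than being closed.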

  20. Always looking for more ideas ☺ Pat Cain pcain@coopercain.com
