{elysiumsecurity}
Open Source IDS
How to use them as a powerful free Defensive and Offensive tool
Version: 1.2w
Author: Sylvain Martinez
cyber protection & response
Classification: Public
Agenda
• Introduction;
• Cyber Security Context;
• IDS Concept;
• Requirements for success;
• IDS Benefits;
• Something different…
Who Am I?
https://www.elysiumsecurity.com
Why Listen?
• Understand why you need an IDS;
• How everyone can get started with a free IDS;
• This dashboard in your home/company in less than 2h!*
* If you already have a TAP setup
Today’s Cyber Security Risk Context
Cyber Security Risks' probability and impact are increasing.
Their ability to disrupt companies' business operations has
growing financial, reputational and legal negative consequences.
This overall diagram is copyright Elysiumsecurity LTD and can only be re-used if the source is referenced as: Sylvain Martinez, https://www.elysiumsecurity.com
[Figure: three charts, each plotting GROWTH (0% to 100%) against TIME (Yesterday to Tomorrow)]
Cyber Security Puzzle
PREVENT DETECT RESPOND
• End Point Protection
• Policies
• DLP
• DRM
• SOC
• F/W
• IPS
• IDS • Incident Response
• Forensics
• DLP
• SIEM
• CERT
• Incident Management
Importance of Detection
PREVENT DETECT RESPOND
DETECTION allows you to know there is a problem,
and that you need to do something!
IDS? What IDS?
IDS
NIDS
HIDS
IPS
Signature Based
Behaviour Based
Pattern Based
Passive
Active
FREE IDS
• Snort based engine;
• Suricata based engine;
• Suites of software available as VM:
- Security Onion (SO): https://securityonion.net/
- SELKS: https://www.stamus-networks.com/open-source/
• Great community is here to help;
• Authors are very active;
• Professional support available from them too;
• Various install guides available: https://www.elysiumsecurity.com/blog/Guides/post7.html
DEFENSIVE IDS
Simplistic NIDS Concept
[Diagram: Guest WIFI, Users, Servers and DMZ segments connected to the INTERNET; duplicated traffic from these links is fed to the IDS, whose traffic analysis matches signatures and patterns/behaviours and produces Security Alerts. Icons from VMWARE]
IDS Requirements for success
1. Traffic Visibility (COVERAGE)
2. Asset Inventory (TRACKING)
3. Context (TUNING)
Traffic Visibility
• TAP/Span port on key egress points
• Corporate Solutions
- Dedicated hardware
- Software config in most switches (Ubiquiti Networks, Cisco...)
• Home Solutions:
- Netgear GS105E
- Mikrotik Router
NATting
Asset Inventory
• IP/Asset inventory software
- Network dedicated
- Part of wider asset inventory
• Mac Address Fingerprinting
• Fixed IP
• Reserved DHCP
NATting
Context
QUESTIONS
• Is that a false positive?
• Is that normal behaviour?
• Is the end point targeted critical?
• Is this a configuration issue?
• Have we seen this before?
• …
ANSWERS
• Network Topology knowledge;
• Asset owner knowledge;
• Application owner knowledge;
• Business analyst contact;
• Cyber Security knowledge.
• …
IDS Defensive Benefits
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establishes network entity relationships;
• …
IDS Actionable Information
IDS Defensive Benefits - revisited
• Alerts you of Cyber Security attacks;
• Alerts you of Cyber Security issues;
• Finds vulnerable hosts on your network;
• Finds vulnerable applications on your network;
• Monitors network flow behaviours;
• Monitors network ports activity;
• Monitors network traffic;
• Monitors file transfers;
• Establishes network entity relationships;
• …
OFFENSIVE IDS
Simplistic NIDS Concept - Revisited
[Diagram: the same Guest WIFI, Users, Servers and DMZ layout with duplicated traffic fed to the IDS; in addition to Security Alerts, the traffic analysis (signatures, patterns/behaviours) now yields files extraction (files, passwords, …) and PCAP files from each monitored segment. Icons from VMWARE]
IDS Requirements - Offensive
1. Traffic Capture (REPLAY & ANALYSIS)
2. Asset Inventory (TARGETING)
3. Context (PRIORITISATION)
Traffic Capture
• Physical Access required in most cases
• TAP traffic against key targets
• Powered/Unpowered solutions
• Dummy Capture Devices:
- Small Router;
- Throwing Star LAN;
• Intelligent Capture Devices:
- Raspberry Pi;
- Hak5 Packet Squirrel.
NO IMPACT
IDS Offensive Benefits
• Speed up Network Traffic Analysis;
• Identify interesting timelines;
• Identify targets of interest;
• Identify vulnerabilities to exploit;
• Extract sensitive information;
• Profile users and applications;
• …
Takeaway
• Free IDS available;
• Pre-configured and easy to deploy;
• Provide good defensive visibility and alerts;
• Provide good offensive capabilities;
• Instant returned value;
• Try one today!
emailus@elysiumsecurity.com
THANK YOU
https://www.elysiumsecurity.com
