Cornerstones of Trust 2014: http://cornerstonesoftrust.com.
Presenters: Jaime Blasco (@jaimeblascob) and Santiago Bassett (@santiagobassett). Thank you Jaime.
Threat Intelligence has become increasingly important as the number and severity of threats are growing continuously. We live in an era where our prevention technologies are no longer enough: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and the attacker's techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component of mitigating cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry's reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) used to describe and share cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.
One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source Tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most of your Threat Intelligence.
Sunday, October 5, 2014
Tuesday, September 23, 2014
OSSEC CON 2014 - Malware Detection with OSSEC
Happy to share my presentation from the OSSEC CON, which took place on September 16th in Cork, Ireland. Here you can find a brief explanation of different malware collection and analysis techniques, as well as a good example of how to use some IOCs to create a rootcheck signature.
And, for those interested, here is the video as well:
Labels: cuckoo, malware, ossec, virustotal, volatility, yara
Updated OSSEC debian packages
Just published new versions ossec-hids_2.8-2 and ossec-hids-agent_2.8-2, for the different Debian distributions. Those can be found here: http://ossec.alienvault.com/repos/apt/debian/pool/main/o/
Here are the changelogs:
ossec-hids (2.8-2) stable; urgency=low
* Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
* Fixed CVE-2014-5284. Patch included.
* Included debconf and templates for initial package configuration (email_to, email_from and smtp).
ossec-hids-agent (2.8-2) stable; urgency=low
* Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
* Fixed CVE-2014-5284. Patch included.
* Included debconf and templates for initial package configuration (server_ip).
And the link to the GitHub repo: https://github.com/santiago-bassett/ossec-debian.git
I also took the opportunity to update the generate_ossec.sh script, which now accepts a few different arguments:
santiago@debian-package:~# ./generate_ossec.sh -h
USAGE: Command line arguments available:
-h | --help Displays this help.
-u | --update Updates chroot environments.
-b | --build Builds debian packages.
-s | --sync Synchronizes with the debian repository.
Friday, July 25, 2014
Files to create OSSEC HIDS Debian packages
Just published on GitHub the files I used to create the OSSEC HIDS version 2.8 Debian packages, the ones available both on the ossec.net website and in the AlienVault repository.
You can find these packages at: http://www.ossec.net/?page_id=19
or directly at: http://ossec.alienvault.com/repos/apt/debian/pool/main/o/
There are two different packages that can be built with these files:
- ossec-hids: Package that includes both the server and the agent.
- ossec-hids-agent: Package that includes just the agent.
Each one of the subdirectories includes:
- Makefile
- Debian control files: changelog, compat, control, copyright, lintian-overrides, postinst, postrm, preinst, rules
Additionally, a script, generate_ossec.sh, is included to generate the Debian packages for the Jessie, Sid and Wheezy Debian distributions, for both the i386 and amd64 architectures. This script uses pbuilder to build the packages and uploads them to an APT repository set up with reprepro.
For more details on how to create Debian Packages and an APT repository you can check my post at:
Please don't hesitate to contribute (preferably via pull requests) to improve these packages.
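As an added illustration (not the generate_ossec.sh from the repository above), the following POSIX shell script performs the same three steps the post describes, updating one pbuilder chroot per distribution and architecture, building the source package in each, and adding the results to a reprepro-managed APT repository. The chroot directory, build output directory, repository path and .dsc file name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the page's generate_ossec.sh: update chroots, build and
# sync to the repo with pbuilder and reprepro for the Wheezy/Jessie/Sid x
# i386/amd64 matrix. Paths and the .dsc name below are assumed placeholders.
DISTS="wheezy jessie sid"
ARCHES="i386 amd64"
BASETGZ_DIR="${BASETGZ_DIR:-/var/cache/pbuilder}"   # one base tarball per dist/arch
RESULT_DIR="${RESULT_DIR:-/tmp/ossec-build}"        # build output, per dist/arch
REPO_DIR="${REPO_DIR:-/var/www/repos/apt/debian}"   # reprepro base dir (conf/distributions inside)
DSC="${DSC:-ossec-hids_2.8-2.dsc}"                  # source package to build
RUN="${DRY_RUN:+echo}"   # DRY_RUN=1 prints the commands instead of running them
basetgz() { printf '%s/%s-%s.tgz\n' "$BASETGZ_DIR" "$1" "$2"; }

# -u | --update: create a chroot tarball per (dist, arch), or refresh it if present.
update_chroots() {
  for d in $DISTS; do for a in $ARCHES; do
    tgz=$(basetgz "$d" "$a")
    if [ -f "$tgz" ]; then
      $RUN sudo pbuilder --update --basetgz "$tgz"
    else
      $RUN sudo pbuilder --create --distribution "$d" --architecture "$a" --basetgz "$tgz"
    fi
  done; done
}

# -b | --build: build the source package inside each chroot.
build_packages() {
  for d in $DISTS; do for a in $ARCHES; do
    out="$RESULT_DIR/$d/$a"
    $RUN mkdir -p "$out"
    $RUN sudo pbuilder --build --basetgz "$(basetgz "$d" "$a")" --buildresult "$out" "$DSC"
  done; done
}

# -s | --sync: add every built .deb to the matching suite of the reprepro repository.
sync_repo() {
  for d in $DISTS; do for a in $ARCHES; do
    for deb in "$RESULT_DIR/$d/$a"/*.deb; do
      [ -f "$deb" ] || continue
      $RUN reprepro -b "$REPO_DIR" includedeb "$d" "$deb"
    done
  done; done
}

case "$1" in
  -u|--update) update_chroots ;;
  -b|--build)  build_packages ;;
  -s|--sync)   sync_repo ;;
esac
```

Run it with DRY_RUN=1 first to review the exact pbuilder and reprepro invocations before building for real.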
Saturday, July 19, 2014
Scripts to inject sample data to AlienVault / OSSIM SIEM
I just published a few scripts I wrote to inject sample data into the AlienVault or OSSIM (Open Source version) Unified SIEM. Those can be found on GitHub:
https://github.com/santiago-bassett/Alienvault-Demo_scripts
The scripts are ready to emulate Syslog data coming from these sources: Aruba Wireless, Cisco ASA, Cisco PIX, ClamAV, Oracle Database, OSSEC HIDS, Sonicwall and SSH.
The scripts can also inject malicious network traffic into a dummy interface so that it can be analyzed by the Snort NIDS. Some of the injected traffic relates to botnets, C&C communications, Zeus, spambots and spyware. The pcap files can be found in this directory:
https://github.com/santiago-bassett/Alienvault-Demo_scripts/tree/master/pcaps