Rantings of a Paranoid Security Engineer

In an environment where security matters all choices made must come down to a risk versus value assessment.

This is true be it my electronic world of bits and bytes, the business word (what services will we provide, and to whom?), even at home (must we keep X in the safety deposit box, or a shoe box in the closet?)

Because of this it is important to understand how to prioritize and respond to security issues logical fashion. Far too many respond with a knee jerk reaction. 

Now that we have a premise to work from we one two big questions. How do we prioritize threats, and how do we weigh the associated value?

The Risk Metric

Risk is the most definitive way to analyse how big of a threat you are dealing with. This can be calculated in a number of ways. I am a fan of one of the most basic methods.

Priority * Reliability * Value / 25 = Risk

Priority (0-5) How much harm, and how much of a mess could this risk cause? 

Reliability (0-10) How likely is this risk to happen? 

Value (0-5) How valuable is what you are trying to protect? This can be in monetary, time, etc. 

Risk (0-10) The resulting amount of risk your threat poses. 

The Response 

After going through the above process for your environment you need to make a decision as to how you choose to respond. Everyone - and every company - has different thresholds for what is acceptable. I highly recommend using a numerical scale based on the risk outlined above, and four categories. 

For example:

Risk (0) None. We can safely ignore this as a potential threat. 

Risk (1-5) Low. Implement fixes if they are easy and inexpensive. Don't worry about addressing every one of these. 

Risk (6-7) Medium. Implement fixes, even if they require expenditure or changes to how work is done. Keep chipping away at these items, as they tend to be the hardest to keep addressed.

Hello blogging world. Been a while. 

Today was a ton of 'fun'. It looks like a couple days ago I bound a group policy to my domain controllers intending to shut of spurious schannel failures. The same policy also included the setting Network security: LAN Manager authentication level, with the setting turned up to the highest security level. This is a non issue for my workstations and servers, which have been configured this way for years.

My domain controllers were another case entirely due to the evils of Forefront TMG's client VPN implementation. 

Our clients are set up for IPSec and MSCHAPv2 authentication. This isn't EAP-MSCHAP-v2.

I'm happy.This morning I set up a custom, easy to distribute community edition of Alienvault correlation rules. 

Not only did I set up a framework capable of a lot of growth down the road, I also got a number of correlation rules put together and published as examples. 

I've been assembling a number of projects that extend the core functionality of Alienvault OSSIM 

Today was interesting as well. One of our domain controllers experienced hardware failure on a RAID mirror. We replaced the drive. Afterwards it red screened and started reporting bad blocks.. 

We demoted it to be on the safe side. When the process completed our network came to a grinding halt. Apparently the system rebooted itself - maybe another bugcheck, I'm not sure. After that happened the server was up and folks were trying to use this DC for resolving DNS. It didn't work, resulting in widespread mayhem. 

Today was an interesting day. I had one of my domain controllers red screen while rebuilding the RAID array, so I got to spend hours downloading a HP bios update utility.. Why it’s 3 GB for something that should take a few hundred KB is beyond me. 

I also got to play with a new security camera, a NFD130-IR. In the end no matter how I tried it there just isn’t a way to get motion sensing and scheduling to work together. That felt like a monumental waste of time. 

I also got something I really wanted to do off my list - I finally got the Nova honeypot (as part of the ADHD project - working. It runs fine on the live CD but when you install it to disk it would die with ‘socket: Operation not permitted’. Extremely annoying and hard to track down.

In the end that  was actually an easy fix. chmod g+s /usr/bin/nova. 

I actually got a hold of John Strand - the coauthor of ‘Offensive Countermeasures: The Art of Active Defense’ - and let him know about this issue. Very cool. :)

Around a month ago I reported to the Alienvault staff that there was an issue in writing correlation rules for custom data sources. 

When I applied the latest updates (on 2014-4-28) all the sudden everything started working. I have no idea why. 

Funnily enough just a couple days later I inadvertently set of a level 10 alert that should trigger our incident response plan. I happened to reuse an IP address from an old vSphere appliance on one of my honeypots. 

So I recently assembled some custom Icinga checks which test out the functionality of an internal application. It's been in production for a couple weeks. Today I got our wonderful DBA somewhat panicked - she couldn't get an exclusive lock on a table to complete one of her jobs. 

Turns out that my monitoring logs in and interacts just like a standard user account. Looks like it has worked as it should for the last couple weeks by pure dumb luck. 

Good for monitoring, not good for users are supposed to keep out.

In conjunction with my previous post on vulnerability assessments in Alienvault I thought I'd share how these results look, and how to suppress those pesky false positives. 

The previously mentioned process will create a SIEM event for each scan result item. If the risk high enough (>=1) it will automatically raise an alarm.

Each of these needs to be evaluated and responded to. 

My preferred method for doing so is researching via the OpenVAS site and looking up the plugin OID. This is available in the 'raw log' of the event detail without needing to wade through the default reports. 

After you have verified a false positive it is a simple matter of updating the plugin's reliability and / or priority metrics via the GUI. 

Alienvault has a number of limitations for executing vulnerability assessments. One of the biggest is that it isn’t possible to prioritize responses based on both the severity of the vulnerability in conjunction with the value of the asset.

For those of you familiar with Alienvault the risk formula (Priority * Reliability * Asset Value / 25 = Risk) should be familiar.

This would make a great metric for determining how important / how much risk a given vulnerability poses to a given environment.  

By default OSSIM doesn’t use the correlation engine used for risk analysis on vulnerability assessments.This renders Alienvault totally unable to use correlation on vulnerabilities.

Thankfully when I brought this up on the Forums PacketInspector was kind enough to provide a workaround. See here. 

At this point enabling the OpenVAS plugin allows for users to easily execute correlation rules. 

A few short months after enabling this option I came to a startling realization. In order for the OpenVAS plugins to work the plugin_sid database needs to be kept up to date. I mentioned this to the folks on the Forums but didn't get a reply. 

In retrospect I'm glad that was the case. I've developed a killer workaround that reliably keeps this database up to date. See my github project page for details. 

This is a handy little script which will automatically keep the plugin_sid table up to date. 

The only downside is that it needs to be run after any updates. I didn't want to overwrite any user customizations made to these priorities. 

A number of the windows events really benefit from automatically extracting "Field Name": "This is a value" pairs. 

The following is a small transform (add to your transforms.conf) to readily extract these values. 

[with_colon] REGEX = ([A-Z][^\t]*?):\s(\S*?)\s FORMAT = $1::$2 CLEAN_KEYS = 1 MV_ADD = 1 REPEAT_MATCH = true

A lot of the logs that are dictated by PCI-DSS for retention simply don't need to be kept for daily review. 

I'm a long time Splunk user and I've grown accustomed to keeping damn near everything there. 

It reaches a certain point that this just isn't feasible. 

Some basic preprocessing with syslog-ng and depositing to a non Splunk location is just the ticket. The following is a perfect example. 

Syslog-NG's filters have all the power and flexibility required to get very granular in what you don't need to review, all the way down to certain Windows event IDs from certain servers. 

It does take a couple tricks for a standard syslog server to act as PCI compliant storage platform - you need to be sure the local access auditing is enabled, and you need to sign the messages as they come in.

My preferred method is using a logrotate script.

As the day's events are archived a single line containing a SHA sum of the events (to prove against tampering, per the PCI standard) is then written to Splunk. 

It might just be me but a SIEM product that doesn't have good integration (and documentation) on using a honeypot seems a bit.. lacking. 

Although there is some discussion the validity of using a honeypot in a production environment a number of security professionals like Roger Grimes and Alienvault's own Conrad Constantine state that it is a good idea. 

I'm of a like mind. When it came time to look at a honeypot in my organization I was amazed that there isn't a single good, conclusive way to add a honeypot to OSSIM. 

To that end I've written a Alienvault Dionaea module that can be used to provide basic integration. 

The more I think about it the more I realize that my biggest complaint with Alienvault OSSIM is a lack of complete documentation. 

Yes, it is an open source product, yes it is free. Nagios and  Icinga are as well. The documentation for both is clear, concise and easy to follow. 

The Alienvault Repository of Knowledge  is useful - but it feels a lot more like introductory and marketing materials than anything really intended for the hardcore setup this security professional needs. 

And it is still very much incomplete. It took me days to track down the plugin writing guide back in early 2013. Over a year later and it still hasn't made its way into the new repository.  

Not only that but a number of documents I've used are orphaned on the main alienvault site - http://alienvault.com/docs used to have this information available. Now these documents are orphaned and I'm depending on Google to find just the right terms. 

Update 

As I grew more and more confident working with Alienvault I made a number of customizations to the various plugins I work with / have developed. 

A classic example of this is the mcafee-epo.cfg file. Every time I applied an update to Alienvault it would be overwritten by the update process, and it would take me days to figure out why. 

Alex - one of the real good guys working at Alienvault - did eventually provide me with a workaround. Just rename my file with the ".local" extension, "mcafee-epo.cfg.local"