Adam Slagell received an M.S. in computer science from the University of Illinois at Urbana-Champaign in 2003, a master's degree in mathematics from Northern Illinois University (NIU) in 2000, and a B.S. in mathematics from NIU in 1999. He currently serves as the director of the Cybersecurity Division and Chief Information Security Officer at the National Center for Supercomputing Applications (NCSA), where he co-leads the security team for the NSF-funded XSEDE federation, serves as liaison for the Bro Project at the Software Freedom Conservancy, and is a co-PI for the NSF Bro Center of Excellence, which brings its network security monitoring expertise and support to NSF-funded cyber-infrastructure and higher education.
Nathaniel Mendoza is Chief Security Officer and Senior Network Administrator at the University of Texas at Austin's Texas Advanced Computing Center (TACC), where he leads a group of security, network, and systems administrators. Current areas of work include cloud computing, high-speed networks, operational security, and compliance. Additionally, he is part of the XSEDE security group and has been a member of Supercomputing's SCinet. Prior to joining TACC in 2011 he was the Chief Security Officer and Senior Network Engineer at the University of Tennessee Knoxville's National Institute for Computational Sciences (NICS).
Karen M. Sandler is the executive director of the Software Freedom Conservancy, which is the nonprofit home of the Bro Project. Karen is known as a cyborg lawyer for her advocacy for free software, particularly in relation to the software on medical devices. Prior to joining Conservancy, she was executive director of the GNOME Foundation. Before that, she was general counsel of the Software Freedom Law Center. Karen co-organizes Outreachy, the award-winning outreach program for women. She is also pro bono counsel to the FSF and GNOME. Karen is a recipient of the O’Reilly Open Source Award and cohost of the oggcast Free as in Freedom.
Bro’s Vlad Grigorescu will give a presentation on an underutilized feature of Bro: the debugger.
Automatic, active response has become a normal part of operations for many organizations. This works well in many situations, but Bro users often have to make black-and-white decisions about which notices to block. Meanwhile, intel feeds can't always be trusted and, even if they could be, blocking on every indicator might not work for your network hardware.
The first part of this talk examines the possibilities that open up when correlating multiple Bro notices together to make more informed, yet still automatic, decisions. We've found correlation not only useful for more confident blocking decisions, but also helpful as a tool when tuning new and existing policies. Updated multi-notice correlation policy code will be made available.
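The decision logic the first part of the talk describes can be sketched as a small correlator: a source only graduates from "log" to "block" when several distinct notice types fire against it inside a time window, so an unverified intel hit on its own never blocks. The code below is an added illustration, not the policy code the talk will release, and the tab-separated sample lines are a constructed, trimmed subset of the ts, src and note columns of notice.log; the window and threshold values are assumed tuning knobs.

```python
from collections import defaultdict, deque

# Constructed sample resembling three columns (ts, src, note) of notice.log.
SAMPLE_NOTICES = """\
1469000100.0\t10.0.0.5\tScan::Port_Scan
1469000150.0\t10.0.0.5\tIntel::Notice
1469000400.0\t10.0.0.9\tIntel::Notice
1469002000.0\t10.0.0.5\tSSH::Password_Guessing
"""

WINDOW_SECONDS = 600.0   # assumed: how long notices stay relevant to each other
MIN_DISTINCT_NOTES = 2   # assumed: distinct notice types needed before blocking


class NoticeCorrelator:
    """Tracks recent notices per source and decides log-only vs. block."""

    def __init__(self, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT_NOTES):
        self.window = window
        self.min_distinct = min_distinct
        self.history = defaultdict(deque)   # src -> deque of (ts, note)
        self.blocked = set()

    def observe(self, ts, src, note):
        hist = self.history[src]
        hist.append((ts, note))
        # Drop notices that have aged out of the correlation window.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        distinct = sorted({n for _, n in hist})
        # Block only on corroboration: several different notice types, once per src.
        if len(distinct) >= self.min_distinct and src not in self.blocked:
            self.blocked.add(src)
            return ("block", src, distinct)
        # Returning the set of notes seen helps when tuning which pairs co-occur.
        return ("log", src, distinct)


def parse_notice_line(line):
    ts, src, note = line.rstrip("\n").split("\t")
    return float(ts), src, note


def run(lines, correlator=None):
    """Feed notice lines through the correlator and return every decision."""
    correlator = correlator or NoticeCorrelator()
    return [correlator.observe(*parse_notice_line(l))
            for l in lines.splitlines() if l.strip()]


if __name__ == "__main__":
    for decision in run(SAMPLE_NOTICES):
        print(decision)
```

With the sample data, 10.0.0.5 is blocked only on its second distinct notice, the lone intel hit for 10.0.0.9 is logged but never blocks, and the SSH notice for 10.0.0.5 half an hour later starts a fresh window rather than re-blocking.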
The second part of the talk switches gears completely. Many organizations have implemented traffic shunting to offload large flows that are generally considered to be uninteresting to Bro. However, large file transfers are a perfect place for exfiltration of data via covert timing channels (CTC). This summer we’ve taken research into known CTC detection methods and implemented them in Bro. We’ll share the results of this work.
Speaker Bio: Michael “Dop” Dopheide has spent the majority of his career in information security. Dop spent almost 10 years working for the National Center for Supercomputing Applications (NCSA) in systems engineering, security research, incident response, and network intrusion detection. In addition to his operational security role, Dop developed an incident response training lab for the Federal Bureau of Investigation RCAT agents. Before joining ESnet, Dop spent 3.5 years coordinating and conducting network penetration tests for a major financial institution where he was promoted to manage a team of four. Dop specializes in developing detection methods for new attacks and helping to secure large, open research and education networks.
Ross Gegan is a graduate student at University of California at Davis. He has spent his summer interning at ESnet.
What if there was a multi-site network which exhibited some unusual activity that was thought to be malicious? What questions are needed to determine that there is indeed unusual network traffic, and to what extent the unusual traffic corresponds to proof points of malicious activity? What are the tools, and the requirements for those tools, that enable analysts to hunt through the data to identify and characterize the network behaviors? There is no shortage of products and services implying they can make it "easy" to identify aberrant behaviors and gather actionable insight. We will describe our work on analysis at scale, which can be applied to steady-state networks with up to tens of gigabits per second of bandwidth.
We found that there's no tool better than Bro to produce full-take metadata that summarizes terabytes of network data into clearly expressed behaviors. This metadata, measured in hundreds of billions of records spanning weeks of data, then needs to be examined by human analysts hunting for the anomalous. To be practical, the analysts must be aided by data science tools with turn-around times in seconds, allowing them to identify and characterize network behaviors. Processing these data volumes at these scales, with this required responsiveness, and then using those behaviors to characterize operational networks, requires multiple computing architectures working together, including cloud computing, supercomputing, and high-speed complex event processors.
We will outline how these techniques and approaches have been combined to effectively identify and then combat three phases of malicious software's behavior: the breach, the dormant, and the active. We will discuss requirements of the Bro sensor in operational networks maintained by Bro-naive systems operators, the value of Bro in addressing changing needs once deployed, and the analytics engine architecture that enables real-time insight into the data. We discuss some of the analytics, such as upload detection, flow-size and inter-session-timing based beaconing detection, correlated drive-by-download detection, redirection chain identification, newness of hostnames, bump-in-the-night beaconing detection, and outbound attacking behaviors, which the analyst can use to determine intent.
Utilizing screen captures, we’ll walk through several use cases to outline how we’ve leveraged this new combination of architectures to identify software behaviors and crystallize understanding from indicators of compromise through actionable insights.
Speaker Bios: Eric Dull, Deloitte & Touche LLP and Dilip Madathil, Reservoir
Seth Hall will present the new Bro package manager.
This talk will present the results from my internship at Fox-IT, which involves creating a Bro policy for detecting ransomware on SMB file share servers using Bro. The goal of the policy is to detect both new and old ransomware encrypting a file share server.
I will showcase some of the different strategies one can take to detect ransomware and show some of the pros and cons of each. After evaluating these options, I will make the argument that the most generic approach for detecting SMB ransomware is to use the entropy checker in Bro in combination with the File Analyzer framework.
In addition to demonstrating this policy, I will also talk about some of the design choices that were made in writing this policy with regards to efficiency and detection rate.
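The entropy-based approach argued for above rests on one observation: files a ransomware process writes back to the share are ciphertext, so their byte distribution is nearly uniform, whereas documents and source code are not. The following added example (not the Fox-IT policy, and written in Python rather than Bro script) shows the detection rule over constructed SMB write events: the Shannon entropy of each written file is measured, and a client is flagged only when it writes several distinct high-entropy files inside a short window, since a single high-entropy write is also what a legitimate zip or PDF looks like. The threshold, window and file count are assumed tuning values, and the "encrypted" sample content is generated deterministically from a SHA-256 chain rather than captured from real malware.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # assumed: bits per byte above which a file looks encrypted
MIN_FILES = 3             # assumed: distinct high-entropy files before alerting
WINDOW_SECONDS = 60.0     # assumed: time window for those writes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class SmbRansomwareDetector:
    """Flags a client that writes many high-entropy files in a short time."""

    def __init__(self, threshold=ENTROPY_THRESHOLD, min_files=MIN_FILES,
                 window=WINDOW_SECONDS):
        self.threshold = threshold
        self.min_files = min_files
        self.window = window
        self.writes = defaultdict(deque)   # client -> deque of (ts, path)

    def observe_write(self, ts, client, path, data):
        # Low-entropy content (documents, code) is never counted.
        if shannon_entropy(data) < self.threshold:
            return None
        q = self.writes[client]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        paths = sorted({p for _, p in q})
        # One encrypted-looking write is normal (archives, images); a burst is not.
        if len(paths) >= self.min_files:
            return ("alert", client, paths)
        return None


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 hash chain."""
    out, h = bytearray(), hashlib.sha256(seed).digest()
    while len(out) < n:
        out += h
        h = hashlib.sha256(h).digest()
    return bytes(out[:n])


TEXT_BLOB = (b"Quarterly report: revenue rose four percent while costs held flat.\n"
             * 60)   # constructed plain-text document content


def run_demo():
    """Replay constructed write events and return the alerts raised."""
    det = SmbRansomwareDetector()
    events = [
        # 10.0.0.7 rewrites three documents as ciphertext within seconds.
        (1.0, "10.0.0.7", "\\share\\a.docx.locked", pseudo_random_bytes(b"a", 4096)),
        (2.0, "10.0.0.7", "\\share\\b.xlsx.locked", pseudo_random_bytes(b"b", 4096)),
        (3.0, "10.0.0.7", "\\share\\c.pptx.locked", pseudo_random_bytes(b"c", 4096)),
        # 10.0.0.8 saves ordinary text documents.
        (4.0, "10.0.0.8", "\\share\\notes.txt", TEXT_BLOB),
        (5.0, "10.0.0.8", "\\share\\memo.txt", TEXT_BLOB),
        (6.0, "10.0.0.8", "\\share\\plan.txt", TEXT_BLOB),
        # 10.0.0.9 uploads one compressed archive: high entropy, but a single file.
        (7.0, "10.0.0.9", "\\share\\backup.zip", pseudo_random_bytes(b"z", 4096)),
    ]
    alerts = []
    for ts, client, path, data in events:
        verdict = det.observe_write(ts, client, path, data)
        if verdict:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Only the burst from 10.0.0.7 produces an alert; the plain-text writer and the single archive upload stay silent, which is the trade-off between detection rate and false positives the talk discusses.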
Speaker Bio: Mike Stokkel is a security analyst at the Security Operations Center of Fox-IT.
In the Fox-IT Security Operations Center (SOC) numerous customer systems and networks are monitored 24/7. Using the Fox-IT Cyber Threat Management platform cyber threats and suspicious activities are detected and analysed. This includes advanced hacking attempts, data leaks, signs of APTs and virus outbreaks. In this function, Mike sees many actual security incidents, including ransomware which is most interesting to him.
Mike's experience in the field of security started with a minor in Computer Security, where his main project was a pentesting project for a company working with medical information. After completing the minor he started an internship at Fox-IT, where he researched ransomware detection over SMB. He graduated on this project in June of this year.
Bro’s Matthias will present the work on the new Broker API.
Speaker Bios: Matthias Vallentin is a research scientist with the networking and security group at ICSI and a member of the Bro Project.
We have developed a set of techniques to detect malicious SSL certificates using data collected by Bro. Our analysis framework consists of Bro for collecting the data and a variety of tools such as Splunk and AWS ML for data analysis. We show how we used Bro for collecting the attributes we needed for SSL certificates from both good and bad sources. Bro is a very effective and simple tool for analyzing and extracting data from network traffic.
Next, the extracted data was loaded into Splunk and we ran a series of machine learning algorithms to identify those attributes that correlated with malicious activity. The algorithms we used also allowed for categorization of certificates used in the delivery and control of malware. Our analysis showed that a number of patterns emerged that allowed for classification of hijacked devices, self-signed certificates, etc. We will present the results of our analysis, which show which attributes are the most relevant for detecting malicious SSL certificates, as well as the performance of the ML algorithms. Finally, we show how well the training has worked in detecting new malicious sources. All of the source code will be made available on GitHub.
Speaker Bios: Ajit Thyagarajan is the CTO at Atomic Mole. Andrew Beard is the Lead Software Architect at Atomic Mole.
This talk is presented by Bro’s Seth Hall
An analysis of high performance solutions running on BSD operating systems.
For several years, Security Onion has been the de facto standard for demonstration and even production IDS/IPS deployments. However, there are a number of system administrators and security engineers (like myself) who refuse to run Ubuntu, let alone a Linux operating system. Yet when it comes to ease of use and performance of an NSM system, commodity hardware and inexpensive network cards with Linux and PF_RING rival even commercial monitoring solutions.
The goal of this talk is to provide an analysis of running Bro on an alternate operating system such as FreeBSD, which provides a solid base OS in comparison to Ubuntu. This talk will provide some background on the BSD operating systems as the basis for Network Security Monitoring and IDS/IPS, and on why some have recently been looking for alternatives to Linux due to the adoption of systemd. Highlights will include a discussion of the current FreeBSD solution in use by the Lawrence Berkeley Laboratory that is scaling up to be a 100 Gb IDS.
Using commodity hardware, solutions such as PF_RING on Linux will be compared with available solutions on FreeBSD, such as the netmap framework, packet-bricks, and specialized network hardware.
Speaker Bio: Michael Shirk is a BSD zealot who has worked with OpenBSD and FreeBSD for over 9 years. He works in the security community and supports open source security products that run on BSD operating systems (Snort, Suricata, Bro, AIDE).
Michael is the President of Daemon Security Inc., a company which provides security consulting and solutions utilizing UNIX based operating systems: http://www.daemon-security.com
The latest custom solutions Justin created to make his day-to-day job easier.
Justin is a security engineer at NCSA and is a member of the Bro Project.
In this talk we present the intricacies involved in clusterizing existing standalone policies such as scan detection. We go in depth on the reasoning behind the chosen architectures and the basis of certain design decisions. We further elaborate on some of the techniques used to optimize memory usage and ways to decrease detection latencies. Finally, we showcase a list of features necessary for effective clusterized scan detection and how the new clusterized scan detection fares in production. This talk is intended to make the audience aware of the various strategies needed to clusterize a Bro script, with the expectation that they can pick up techniques to implement their own clusterized scripts.
Speaker Bio: Aashish Sharma has been a member of the Cyber Security Team at the Lawrence Berkeley National Lab, Berkeley, CA, since 2010. Previously, Aashish was a member of the security team at the NCSA at the University of Illinois, Urbana-Champaign, IL. His work and research interests include intrusion detection and incident response. At present, he runs and architects Bro-IDS at the Berkeley Lab and works very closely with the Bro project.
The SSL/TLS protocol suite is one of the cornerstones of encrypted communication on the Internet and is used by everyone accessing the Internet on a daily basis. In this talk, we present how we use Bro for SSL centric research. We will present new research results that, among others, show how Tor uses encrypted communication in the Internet, and examine the current state of encryption in electronic communication protocols like SMTP, IMAP or XMPP.
Speaker Bio: Johanna Amann is a researcher at the International Computer Science Institute in Berkeley. Her main interests lie in the areas of network security, Internet measurement and applied cryptography. She has been a member of the Bro development team since joining ICSI in 2011.
In this talk we'll cover a brief history of how we monitor our corporate network, from using vendor appliances to our own home-grown solution built on top of Bro today. We'll cover some of the lessons learned over years of operating at our scale (both geographic and bandwidth), where we've gone wrong previously, and where we'd like to go in the future.
Speaker Bio: Conor Power is a Systems Development Engineer within Amazon’s Worldwide Consumer Information Security group focusing on network visibility projects.
The Bro Internet Content Adaptation Protocol (ICAP) Analyzer – A Novel Method for Monitoring HTTPS Traffic in Clear-Text
This presentation describes the Internet Content Adaptation Protocol (ICAP) analyzer for the Bro Network Security Monitor tool as a novel means by which to inspect Hyper-Text Transfer Protocol Secure (HTTPS) traffic in plain-text. It contains an overview of the ICAP specification, an overview of the Bro ICAP analyzer and how it interfaces with the HTTP analyzer and other Bro analyzers.
ICAP is defined by Internet Engineering Task Force (IETF) Request for Comments (RFC) 3507. It is commonly implemented by web proxy devices to modify the content of HTTP messages based on anti-virus (AV), data loss prevention (DLP), or other content inspection services. The web client's original HTTP request and/or the web server's original HTTP response are encapsulated within the ICAP payload that is sent from the web proxy to the AV/DLP proxy. The AV/DLP proxy inspects the ICAP payload to determine whether or not the content should be modified, according to security policy. For example, if a web page originating from an external HTTP server contains malicious content that triggers an AV signature, then the AV proxy would modify or replace the content with an error or notification message.
The objectives of the Bro ICAP analyzer are (a) to monitor the link between the web proxy and the AV/DLP proxy; (b) to extract the original HTTP message from the ICAP payload; and (c) to invoke the Bro HTTP analyzer, fully utilizing Bro's built-in analysis capabilities for HTTP inspection, file extraction, etc.
While this may appear to be a convoluted method of monitoring HTTP traffic, the true benefit of the Bro ICAP analyzer is achieved when the web proxy is capable of intercepting encrypted HTTPS traffic. In that case, the ICAP payload contains a decrypted copy of the HTTPS message, because the AV/DLP proxy requires the content to be plain text in order to inspect it. The Bro ICAP analyzer takes advantage of this: by extracting the decrypted copy of the HTTPS message from the ICAP payload and injecting it into the Bro HTTP analyzer, it provides a novel means of inspecting encrypted web traffic in plain text.
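To make objective (b) concrete, the added example below parses an ICAP message the way RFC 3507 lays it out: an ICAP request line and headers, a blank line, and then the encapsulated HTTP sections located by the byte offsets in the Encapsulated header, with the final body section in HTTP chunked encoding (or null-body when there is none). Once the original HTTP request and response are recovered they can be handed to ordinary HTTP inspection, which is the hand-off to the HTTP analyzer described above. This is illustrative Python written for this page, not the BinPAC analyzer the talk presents; the two ICAP messages are constructed samples with offsets computed from the header lengths, and the hostnames are placeholders.

```python
# Constructed encapsulated HTTP sections (51 and 44 bytes respectively).
REQ_HDR = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RES_BODY_CHUNKED = b"19\r\n<html>hello, world</html>\r\n0\r\n\r\n"

# Constructed RESPMOD message: proxy sends the server response for inspection.
ICAP_RESPMOD = (
    b"RESPMOD icap://icap.example.net/respmod ICAP/1.0\r\n"
    b"Host: icap.example.net\r\n"
    b"Encapsulated: req-hdr=0, res-hdr=51, res-body=95\r\n"
    b"\r\n" + REQ_HDR + RES_HDR + RES_BODY_CHUNKED
)

# Constructed REQMOD message: a bodiless client request, hence null-body.
ICAP_REQMOD = (
    b"REQMOD icap://icap.example.net/reqmod ICAP/1.0\r\n"
    b"Host: icap.example.net\r\n"
    b"Encapsulated: req-hdr=0, null-body=51\r\n"
    b"\r\n" + REQ_HDR
)


def parse_http_head(data: bytes):
    """Split an HTTP header block into (start line, {lowercased name: value})."""
    lines = data.rstrip(b"\r\n").split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers


def decode_chunked(data: bytes) -> bytes:
    """Reassemble an HTTP chunked body (RFC 3507 requires bodies to be chunked)."""
    out, pos = bytearray(), 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0].decode(), 16)   # ignore extensions
        pos = nl + 2
        if size == 0:
            break
        out += data[pos:pos + size]
        pos += size + 2   # skip chunk data and its trailing CRLF
    return bytes(out)


def parse_icap(raw: bytes) -> dict:
    """Recover the encapsulated HTTP sections from one ICAP request."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].decode("latin-1").split(" ", 1)[0]
    icap_headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        icap_headers[name.strip().lower()] = value.strip()
    # Encapsulated lists sections in ascending byte offset into the payload.
    sections = []
    for part in icap_headers["encapsulated"].split(","):
        name, _, offset = part.strip().partition("=")
        sections.append((name, int(offset)))
    result = {"method": method, "sections": {}, "body": b"", "body_section": None}
    for i, (name, offset) in enumerate(sections):
        if name.endswith("-body"):
            result["body_section"] = name
            if name != "null-body":
                result["body"] = decode_chunked(payload[offset:])
            break   # the body section is always last
        end = sections[i + 1][1]
        result["sections"][name] = parse_http_head(payload[offset:end])
    return result


def request_url(parsed: dict) -> str:
    """What an HTTP analyzer would log for the recovered request: host + path."""
    start_line, headers = parsed["sections"]["req-hdr"]
    path = start_line.split(" ")[1]
    return headers.get("host", "") + path


if __name__ == "__main__":
    for msg in (ICAP_RESPMOD, ICAP_REQMOD):
        p = parse_icap(msg)
        print(p["method"], request_url(p), p["body_section"], p["body"])
```

The same offset-driven slicing is what makes the HTTPS case work: if the web proxy has already decrypted the session, the req-hdr and res-body sections above are the plain-text request and response, and nothing in the parser needs to know TLS was ever involved.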
Approved for public release. Distribution unlimited. Case number 16-2621. © 2016 The MITRE Corporation. All rights reserved.
Speaker Bio: Mark Fernandez is a cybersecurity engineer at MITRE Corporation. His first interaction with Bro was last autumn to develop a new protocol analyzer via BinPAC.
Fox-IT uses Bro in both incident response scenarios and audits of networks. In both cases, the detection of remote administration software like RDP and VNC can lead to interesting findings regarding lateral movement during compromises, or when gauging network security in general. While Bro already had support for analysing the RDP protocol, VNC (or, more precisely, 'RFB') was not yet supported. With our background in writing protocol parsers, we decided to extend Bro by supplying an RFB parser.
In order to create this parser, the existing RFB documentation was used in addition to network traces of actual VNC connections. Then the analyser and protocol were written using the BinPAC language, which is the de facto standard for writing analysers in Bro. To conclude, the btest unit testing framework was used to create some test cases for the new parser. After several rounds of testing, the code was offered to the Bro repository.
In this talk, the process which led from the realisation that an RFB protocol analyser would be useful to actually implementing and donating the code to the Bro community will be presented. Although some code snippets will be shown, the target audience is not only developers but anyone with an interest in network protocols.
Speaker Bio: Martin van Hensbergen studied Technical Mathematics at the University of Delft and started in 2001 as an intern at Fox-IT, and later as a full-time employee. He started mainly as a front-end/middleware developer but also did implementations of PKIs and helped with other security-related items like security audits.
Between 2008 and 2011 he worked on Fox Replay Analyst, network analysis software used by a host of government Lawful Intercept organisations. The software offered analysts a faithful and detailed rendition of network activities, where the focus was on full content reconstruction. He worked as a developer on many aspects of the product, from the GUI to writing protocol analysers in languages like C++, Perl, Python and JavaScript.
Between 2011 and 2015 he worked at NetScout Systems, continuing development of the network analysis software, where the focus was now on enterprise networks and protocols.
In 2016 he returned to Fox and is now part of the Security Research Team, which focuses on identifying and researching network threats. He is currently working on building tools for, and executing, Passive Audits (using Bro) to determine the 'health' of a customer network in relation to security.
Submitted the RFB (VNC) protocol analyzer earlier this year to the Bro community!
We’ll review the highlights of the 2.5 release as well as planning for the future.
This talk is presented by Bro’s Robin Sommer & Seth Hall.
How do you use Bro and Suricata together to fight malware?
Malware gets more and more sophisticated. Your networks grow larger and more complex. Development processes look nothing like they did before, with tools that require broad access and actions that resemble the early stages of attacks.
It is rarely possible to confirm an infection just by looking at your IDS logs, and that's why we have NSM, which gives us tools like full packet capture.
What if I told you that I can detect, investigate and confirm (or rule out) malware without using full packet capture? It is impossible for us to run it 24/7/365, for privacy reasons.
I'd like to go over the process we use for daily malware hunting, starting with Suricata and Bro logs, the Intel Framework and notices. Tactics will be shared on how we use threat intelligence and add carefully chosen logs from other systems to make sure we only escalate true positives, and why.
This talk is supported by data from real malware infections.
Speaker Bio: Michal Purzynski is a Senior Security Engineer responsible for Threat Management in the Enterprise Information Security group at Mozilla. His responsibilities range from coordinating and writing various kinds of detection mechanisms, network and system based, through supporting the group during incident response with the right data, to developing new ways of modeling and tracing threat actors in your environment.
He built Network Security Monitoring at Mozilla with Bro, Suricata and netsniff-ng, spanning 3 continents, 8 offices, a datacenter and AWS.
© 2014 The Bro Project.