<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>security | FLRNKS</title><link>https://flrnks.netlify.app/category/security/</link><atom:link href="https://flrnks.netlify.app/category/security/index.xml" rel="self" type="application/rss+xml"/><description>security</description><generator>Source Themes Academic (https://sourcethemes.com/academic/)</generator><language>en-us</language><copyright>© 2024</copyright><lastBuildDate>Thu, 26 Nov 2020 11:11:00 +0000</lastBuildDate><image><url>https://flrnks.netlify.app/images/icon_hu0b7a4cb9992c9ac0e91bd28ffd38dd00_9727_512x512_fill_lanczos_center_2.png</url><title>security</title><link>https://flrnks.netlify.app/category/security/</link></image><item><title>Cloud Security Automation</title><link>https://flrnks.netlify.app/post/sans-sec540/</link><pubDate>Thu, 26 Nov 2020 11:11:00 +0000</pubDate><guid>https://flrnks.netlify.app/post/sans-sec540/</guid><description>&lt;p>In November 2020 I was lucky to have had the chance to take part in my 2nd SANS course of the year: &lt;strong>SEC540 - Cloud Security and DevOps Automation -&lt;/strong> as part of the
&lt;a href="https://www.sans.org/event/amsterdam-november-2020-live-online" target="_blank" rel="noopener">SANS Amsterdam&lt;/a>. Unlike the first one, this was conducted in a remote-only format that they call &lt;strong>LiveOnline&lt;/strong>. I liked it so much that I wanted to share it. If interested, you can read more about my experience of &lt;strong>SEC530 - Defensible Security Architecture -&lt;/strong> in
&lt;a href="https://flrnks.netlify.app/post/sans-sec530">this post&lt;/a> which was an on-site/in-person course as part of the
&lt;a href="https://www.sans.org/event/prague-march-2020" target="_blank" rel="noopener">SANS Prague&lt;/a> in March 2020.&lt;/p>
&lt;h2 id="pre-course">Pre-Course&lt;/h2>
&lt;p>About a week before the course was set to begin, I received the Course Booklets via UPS delivery. It was a bit surprising that they did not send an email with the tracking ID, so I was caught off-guard when I was told I needed to pick it up in a nearby UPS affiliate shop. Nevertheless, it was quite fast and efficient, so there were no issues there.&lt;/p>
&lt;p>Since this was a &lt;strong>LiveOnline&lt;/strong> course, I needed to download a few things from my SANS account in advance, that normally would be distributed on USB sticks at the start of an in-person course. Luckily they send numerous email reminders about this, and there are also great instructions available online, such as
&lt;a href="https://sansorg.egnyte.com/dl/wO5QUU3BK5/Power_Computing_-_Generic_Laptop_Requirements_Checklist_v2.0.docx_" target="_blank" rel="noopener">THIS&lt;/a> document.&lt;/p>
&lt;p>The most important item to download was of course the course VM for the Lab Exercises. For this course, it was a 9 GB ISO file containing the compressed VMware virtual machine image. This VM required quite substantial resources, so I felt lucky to have a work laptop with 32 GB RAM, an 8-core Intel i9 CPU and 1 TB of SSD storage. The RAM was especially critical for the VM: it needed at least 12 GB, but I gave it 16 just to be sure. For students whose machine was not powerful enough, there was an AMI in AWS with a Cloudformation template to set it up quickly.&lt;/p>
&lt;p>In addition, we needed to download and set up Slack for chat support during the course and GoToTraining for the actual streaming of the course content. I found that for whatever reason the GoToTraining session was spiking my laptop&amp;rsquo;s CPU usage to a point that it was almost overheating, so I decided to use my tablet for the course streaming, which worked quite well.&lt;/p>
&lt;p>Last but not least, I also downloaded the course booklets in pdf format, however they were heavily protected with watermarks and a complex password. Copy-pasting was also disabled. It would have been nice if I could open the pdfs on my tablet and use my pencil to write on it, but since I also had the printed booklets this was a minor annoyance.&lt;/p>
&lt;h2 id="course-content">Course Content&lt;/h2>
&lt;p>The first day started with an introduction to the principles of DevOps and how Security can be integrated into CI/CD pipelines. In between the topics, we were getting familiar with the student VM which is home to the Lab Exercises. I have to admit that at first I was quite overwhelmed by the complex setup that&amp;rsquo;s shipped in this single VM image. There were a surprising number of services running in docker containers behind the scenes, such as Jenkins, GitLab and Hashicorp Vault.&lt;/p>
&lt;p>As part of the day 1 labs we practiced the deployment of a web service using
&lt;a href="https://www.jenkins.io/" target="_blank" rel="noopener">Jenkins&lt;/a>. We also implemented improved security via pre-commit scanning and Security Analysis (SAST/DAST) as part of the CI/CD pipeline. The next day we set up the environment that paved our journey to the cloud (AWS) relying on concepts such as Infrastructure-as-Code (
&lt;a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener">Cloudformation&lt;/a>) and Configuration Management (
&lt;a href="https://puppet.com/" target="_blank" rel="noopener">Puppet&lt;/a>). On day 3 we embarked on a journey to harden our cloud infrastructure with tools that can do Security Scanning and Continuous Monitoring and Alerting (
&lt;a href="https://grafana.com/" target="_blank" rel="noopener">Grafana&lt;/a> &amp;amp;
&lt;a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener">CloudWatch&lt;/a>). We also looked into secrets management best practices on-premise and in the cloud via
&lt;a href="https://www.vaultproject.io/" target="_blank" rel="noopener">Hashicorp Vault&lt;/a>. On day 4 we fixed some vulnerabilities in our web service using a blue/green deployment setup to minimize downtime. We also looked into protecting microservice APIs using serverless functions that aim to manage authorization and access control. On the final day we looked into certain concepts related to compliance in cloud environments and explored technologies such as
&lt;a href="https://aws.amazon.com/waf/" target="_blank" rel="noopener">AWS WAF&lt;/a>,
&lt;a href="https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool" target="_blank" rel="noopener">CloudMapper&lt;/a> and
&lt;a href="https://cloudcustodian.io/" target="_blank" rel="noopener">Cloud Custodian&lt;/a>.&lt;/p>
&lt;p>I have to admit that the lab environment that&amp;rsquo;s set up in the Student VM was pretty impressive to me. There were so many moving parts to it, yet everything worked more or less seamlessly. The built-in Wiki always provided detailed instructions with copy-paste support to allow you to work through each lab even if you were unfamiliar with the technology. If you were stuck you could get help very quickly from the Teaching Assistant, or the Instructor as well. Overall they did an excellent job over the 5 days of the course.&lt;/p>
&lt;h2 id="netwars">NetWars&lt;/h2>
&lt;p>This post would not be complete without mention of the NetWars arena which I was very keen to take part in. During &lt;strong>#SEC530&lt;/strong> in March 2020, the NetWars arena was open only on Day 6 when we competed against each other in teams. Thanks to this course, I was invited to several free NetWars events afterwards, such as
&lt;a href="https://www.sans.org/cyber-ranges/netwars-tournaments/core/" target="_blank" rel="noopener">Core NetWars&lt;/a> and the Mini NetWars Missions 1-2-3-4.&lt;/p>
&lt;p>I am quite certain that these free NetWars sessions helped me immensely to hone my CTF skillz, that would come in handy during &lt;strong>#SEC540&lt;/strong> where I had 4 full days to compete. I jumped to the front of the leader board already after the first night, as I stayed up until 3 am working on the NetWars questions. This was a bit reckless as I was a bit tired the day after, so my focus on the course material was not the best, but a few rounds of coffee helped with that.&lt;/p>
&lt;p>&lt;img src="scoreboard.png" alt="SEC540-NetWars-Scoreboard">&lt;/p>
&lt;p>In the end I managed to keep my position on the top of the leaderboard which made me feel really proud as I&amp;rsquo;ve worked really long and hard during the whole week. I even managed to solve some of the more advanced &lt;code>1337&lt;/code> challenges that had no hints, just a description of what was required and we were free to improvise the solution.&lt;/p>
&lt;p>Two months later my 2nd NetWars coin has finally arrived by post 🤩&lt;/p>
&lt;p>&lt;img src="coin.jpg" alt="SEC540-NetWars-Coin">&lt;/p>
&lt;h2 id="conclusions">Conclusions&lt;/h2>
&lt;p>Initially I was quite hesitant about attending &lt;strong>SEC540&lt;/strong> in the &lt;strong>LiveOnline&lt;/strong> format as I was not sure if it would work well. In the end I was left with only positive feelings about it. The course content was excellent. The delivery was smooth and help was always available through the Slack channel. If someone wants to learn about DevOps, Cloud and Security, I highly recommend this SANS course!&lt;/p>
&lt;h3 id="ps">P.S.&lt;/h3>
&lt;p>On the 1st of February, 2.5 months after my class I successfully passed the GIAC exam and became GCSA certified! 🎉&lt;/p></description></item><item><title>Defensible Security Architecture</title><link>https://flrnks.netlify.app/post/sans-sec530/</link><pubDate>Wed, 22 Apr 2020 11:11:00 +0000</pubDate><guid>https://flrnks.netlify.app/post/sans-sec530/</guid><description>&lt;p>In this post I wanted to write about my experience with #SEC530 which is a SANS course that I took in March during the
&lt;a href="https://www.sans.org/event/prague-march-2020/" target="_blank" rel="noopener">SANS Prague&lt;/a> event. Not long ago I wrote another
&lt;a href="https://flrnks.netlify.app/post/sans-netwars/">post&lt;/a> about my experience with NetWars in March, now I wanted to write about the infosec course that started it all.&lt;/p>
&lt;h2 id="defensible-security-architecture---sec530">Defensible Security Architecture - SEC530&lt;/h2>
&lt;p>Initially I was hesitant to register for an advanced level SANS course (5xx in the code). As I had no previous experience with SANS I did not know if an advanced infosec course would be too difficult for me. Luckily, I found a GIAC assessment exam online called &lt;strong>SANS Cybertalent Assessment Exam&lt;/strong>, which I took for free and eventually passed with a score of 93.33%. This made me confident in registering for #SEC530, as the assessment results stated:&lt;/p>
&lt;p>&lt;em>&amp;ldquo;Examinees who score in this range have demonstrated reliable knowledge in core information security principles [&amp;hellip;] they are typically ready for advanced security training&amp;rdquo;&lt;/em>.&lt;/p>
&lt;p>&lt;img src="cybertalent.png" alt="cyber-talent-assessment">&lt;/p>
&lt;h2 id="course-experience">Course Experience&lt;/h2>
&lt;h3 id="day-1">Day 1&lt;/h3>
&lt;p>The course was taking place at a hotel in Prague 5, about 10 mins walk from my flat, so I was quite happy about the venue. It was a nice hotel with plenty of room for my course and the other ones that were running in parallel with a dozen or so attendees each:&lt;/p>
&lt;ul>
&lt;li>
&lt;a href="https://www.sans.org/event/prague-march-2020/course/security-essentials-bootcamp-style" target="_blank" rel="noopener">#SEC401&lt;/a> - &lt;strong>Security Essentials Bootcamp Style&lt;/strong>&lt;/li>
&lt;li>
&lt;a href="https://www.sans.org/event/prague-march-2020/course/hacker-techniques-exploits-incident-handling" target="_blank" rel="noopener">#SEC504&lt;/a> - &lt;strong>Hacker Tools, Techniques, Exploits and Incident Handling&lt;/strong>&lt;/li>
&lt;/ul>
&lt;p>Some colleagues were taking #SEC504, I was alone from my workplace in taking #SEC530. This was nice because knowing nobody in my class forced me to get to know them, and they all turned out to be interesting people! This was also a good opportunity to start recruiting team mates for the NetWars challenge on Day 6!&lt;/p>
&lt;p>Our instructor was Mr.
&lt;a href="https://www.sans.org/instructors/ryan-nicholson" target="_blank" rel="noopener">Ryan Nicholson&lt;/a> from the United States with an interesting career path that led him to become a SANS Instructor. He used to be a Network Administrator in the past and made lots of references to Cisco networking equipment which made me quite nostalgic from time to time &amp;hellip; 😊&lt;/p>
&lt;p>Eventually the course kicked off and the first day&amp;rsquo;s goal was to get an overview of Defensible Security Architecture. We discussed the downsides of the traditional approach to security and architecture, and how the defensible approach may improve the situation. We were given a recommended reading by Richard Bejtlich titled &lt;strong>The Tao of Network Security Monitoring&lt;/strong>, in which there is a really neat definition: &lt;strong>architecture that encourages, rather than frustrates, digital self-defence&lt;/strong>.&lt;/p>
&lt;p>The rest of the day we discussed many interesting topics, including the Layer 2 security that led to a discovery about the WLAN at the hotel: &lt;strong>station isolation&lt;/strong> was not enabled! This wouldn&amp;rsquo;t be a huge deal normally, but then we became aware of some fellow SANS students in the adjacent room taking the #SEC504 which is a red-team course that has topics such as penetration testing. This inspired me to take some actions as a blue-teamer, which I hoped would earn me the infamous Red coin for #SEC530&amp;hellip; More on this later in the &lt;code>Blue Team Project&lt;/code> section.&lt;/p>
&lt;h3 id="day-2">Day 2&lt;/h3>
&lt;p>After an interesting first day, we dived right in to the material on the 2nd day, titled &lt;strong>Network Security Architecture and Engineering&lt;/strong>. This day covered many interesting Layer 3 security topics and provided some interesting lab exercises as well. Most interesting to me was the lab on the config auditing tool called &lt;code>nipper-ng&lt;/code>, which can parse Cisco router/switch config files for security issues and provide actionable recommendations. This surely would have been a nice tool to have back when I worked as a Network Administrator.&lt;/p>
&lt;h3 id="day-3">Day 3&lt;/h3>
&lt;p>We continued with the material on the third day with &lt;strong>Network-Centric Security&lt;/strong> with a bunch of different topics on the menu, such as Next Generation Firewalls (NGFW), &lt;strong>Network Security Monitoring&lt;/strong> (NSM) and Secure Remote Access, just to name a few. Probably the most interesting topic for me was NSM that involves the passive capture (in- or out-of-band) and analysis of network / flow metadata. This gave me some good ideas for the &lt;code>Blue Team Project&lt;/code> described in a later section.&lt;/p>
&lt;p>After our lunch break, just before we resumed class, someone from the SANS support team came to our classroom and informed us that they decided to convert the class to remote/virtual mode of operation for the rest of the week, as a safety measure against the COVID-19 pandemic. Although it was quite frustrating to me at the time, I now totally agree with their approach to handling this safety concern. Eventually they did an excellent job of converting the class to run via the virtual CyberCast platform on such short notice!&lt;/p>
&lt;h3 id="day-4">Day 4&lt;/h3>
&lt;p>So on the morning of day four, I did not go to the nearby hotel where the first three days were held; instead I just logged in to my SANS account and accessed the CyberCast session where we continued the course. The teaching duty was split between two new remote instructors from the USA: for the first half of the day we had Mr.
&lt;a href="https://www.sans.org/instructors/greg-scheidel" target="_blank" rel="noopener">Greg Scheidel&lt;/a>, in the afternoon Mr.
&lt;a href="https://www.sans.org/instructors/ismael-valenzuela" target="_blank" rel="noopener">Ismael Valenzuela&lt;/a> took over to finish the rest of the material planned for the day.&lt;/p>
&lt;p>The main theme was &lt;strong>Data Centric Security&lt;/strong> which included topics such as Web Application Firewalls, Data Loss Prevention and some discussions on Cloud Security and containerisation technologies. This last topic was particularly interesting to me, because I had been learning about Docker prior to the SANS training and I had not really considered it from a security point of view before.&lt;/p>
&lt;h3 id="day-5">Day 5&lt;/h3>
&lt;p>This fifth day was dedicated to &lt;strong>Zero Trust Security Architecture&lt;/strong>, which was quite a new and interesting concept to me. During the first half of the day we covered the basic principles of Zero Trust (everything is hostile, verify before establishing trust) and how certain techniques such as mutual authentication can help improve security. The second half of the day with Ismael included some interesting topics such as Security Information and Event Management systems (SIEMs) which are indispensable tools for Security Operations Centres (SOC). This section also proved to have some very valuable lab exercises for the NetWars challenge the following day.&lt;/p>
&lt;h3 id="day-6---netwars">Day 6 - NetWars&lt;/h3>
&lt;p>This final day was dedicated to the CTF-style &lt;strong>NetWars Challenge&lt;/strong> that ran for about 6 hours. Three teams were formed amongst the class participants, who competed against each other and against the clock to solve challenge questions that tested the concepts taught during the course. I have to say I genuinely enjoyed every second of it. Our team was leading the scoreboard all the way until the very end, when we got kicked down to 2nd place because we rushed to be first and incurred some penalties for incorrect answers. Regardless of the final result, it was a very valuable experience with tons of fun and learning. For our efforts that got us 2nd place, we were rewarded with the much coveted blue coin of #SEC530 which &lt;del>will hopefully arrive by FedEx soon&lt;/del> has finally arrived in Prague via FedEx &amp;hellip; :)&lt;/p>
&lt;p>&lt;img src="blue-coin.png" alt="bluec-coin">&lt;/p>
&lt;h3 id="blue-team-project">Blue Team Project&lt;/h3>
&lt;p>As I previously mentioned, on the first day we discovered that all attendees at the SANS venue would be sharing a WLAN without &lt;strong>station isolation&lt;/strong>, and this was making me somewhat uncomfortable. Some years ago in a university course I had carried out some simple man-in-the-middle (MITM) attacks on shared LANs, so I knew that it was not too difficult to steal credentials or do other kinds of damage when the attacker did not even have to crack the Wi-Fi password to join the shared WLAN.&lt;/p>
&lt;p>Later I wondered whether the WLAN isolation feature had been disabled on purpose so that the red-team students in the adjacent room could practice with some of the typical penetration testing tools. Regardless, the exposure created by the lack of station isolation gave me the idea to implement some kind of defence that could monitor and, if possible, alert me to any seemingly malicious attempts targeting my machine.&lt;/p>
&lt;p>My first idea was to run a packet capture on my Host OS via Wireshark, but of course that would have been very difficult to manage and quite likely not so effective! I would&amp;rsquo;ve had to keep an eye on it constantly and check for suspicious packets manually using some filters.&lt;/p>
&lt;p>Instead, I got some inspiration from one of the lab exercises with the ELK stack where we had to look for some suspicious log entries from various sources of security telemetry. I decided to set up a similar set of services to run non-stop on my #SEC530 virtual machine. To provide the network metadata I needed, I decided to install
&lt;a href="https://www.elastic.co/beats/packetbeat" target="_blank" rel="noopener">PacketBeat&lt;/a> and configured it to extract and forward &lt;strong>netflow&lt;/strong> data to the ELK stack. This way I could obtain the necessary visibility into the network activity on my Virtual Machine, without the need to do full packet capture using WireShark!&lt;/p>
&lt;p>With the below steps one can run the ELK stack via docker-compose in the #SEC530 VM:&lt;/p>
&lt;div class="highlight">&lt;pre class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="c1"># ELK stack setup&lt;/span>
mkdir monitor &lt;span class="o">&amp;amp;&amp;amp;&lt;/span> &lt;span class="nb">cd&lt;/span> monitor
cp /labs/1.3/docker-compose.yml ./
sed -i &lt;span class="s1">&amp;#39;17,18 s/^/#/&amp;#39;&lt;/span> docker-compose.yml &lt;span class="c1">#comment out some volumes not needed&lt;/span>
sed -i &lt;span class="s1">&amp;#39;s/lab13es/elastic_search/g&amp;#39;&lt;/span> docker-compose.yml
sed -i &lt;span class="s1">&amp;#39;s/kibana13/kibana_dashboard/g&amp;#39;&lt;/span> docker-compose.yml
docker container prune -f
docker-compose up
&lt;/code>&lt;/pre>&lt;/div>&lt;p>Next I installed and configured the OSS version of PacketBeat:&lt;/p>
&lt;div class="highlight">&lt;pre class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="c1"># PacketBeat setup&lt;/span>
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-oss-7.6.1-amd64.deb
sudo dpkg -i packetbeat-oss-7.6.1-amd64.deb
&lt;span class="nb">echo&lt;/span> &lt;span class="s2">&amp;#34;setup.dashboards.enabled: true&amp;#34;&lt;/span> &lt;span class="p">|&lt;/span> sudo tee -a /etc/packetbeat/packetbeat.yml
sudo packetbeat setup --dashboards
sudo service packetbeat start
&lt;/code>&lt;/pre>&lt;/div>&lt;p>Now, one can test if it&amp;rsquo;s working by generating some network traffic from the VM which should then appear in the Kibana dashboard at &lt;code>http://localhost:5601/app/kibana&lt;/code>.&lt;/p>
&lt;p>&lt;img src="kibana.png" alt="kibana">&lt;/p>
&lt;p>At this point, it becomes possible to observe malicious hacking attempts by focusing on IP addresses from my local IP subnet&amp;hellip; But I was not yet fully satisfied and wanted to take it a bit further.&lt;/p>
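&lt;p>To make that "focus on the local subnet" repeatable rather than a manual Kibana filter, here is an added example (it is not code from the original post): a small Python script that reads Packetbeat-style flow records as NDJSON, keeps only peers on the local subnet, and flags any peer that touched an unusually large number of ports on this host, which is what a port sweep from the adjacent classroom would look like in the flow data. The field names are those Packetbeat 7.x emits for flow events (&lt;code>source.ip&lt;/code>, &lt;code>destination.ip&lt;/code>, &lt;code>destination.port&lt;/code>, &lt;code>network.transport&lt;/code>); the subnet 10.0.0.0/24, the host address 10.0.0.42, the threshold of 10 ports and every sample record are assumptions constructed for the demo.&lt;/p>

```python
"""Flag peers on the local subnet that look like they are scanning this machine,
from Packetbeat-style flow records (NDJSON, one ECS document per line).

Added example; not code from the original post. Field names follow what
Packetbeat 7.x emits for flow events; the subnet, host address, threshold and
all sample records below are assumptions constructed for the demo."""
import ipaddress
import json
from collections import defaultdict

LOCAL_SUBNET = ipaddress.ip_network("10.0.0.0/24")   # assumption: the shared WLAN range
THIS_HOST = ipaddress.ip_address("10.0.0.42")        # assumption: the VM's own address
PORT_SCAN_THRESHOLD = 10                             # distinct ports from one peer


def parse_flow(doc):
    """Pull (src, dst, dport, proto) out of an ECS flow document.

    Returns None for anything that is not a flow document or lacks a field,
    so one malformed record never aborts the whole run."""
    if not isinstance(doc, dict):
        return None
    if doc.get("event", {}).get("action") != "network_flow":
        return None
    try:
        src = ipaddress.ip_address(doc["source"]["ip"])
        dst = ipaddress.ip_address(doc["destination"]["ip"])
        dport = int(doc["destination"]["port"])
        proto = str(doc["network"]["transport"])
    except (KeyError, TypeError, ValueError):
        return None
    return src, dst, dport, proto


def find_scanning_peers(ndjson_lines, local_subnet=LOCAL_SUBNET,
                        this_host=THIS_HOST, threshold=PORT_SCAN_THRESHOLD):
    """Return {peer_ip: {"distinct_ports": n, "ports": [...]}} for every
    on-subnet peer that touched at least `threshold` distinct (proto, port)
    pairs on this host. Off-subnet sources and our own outbound flows are
    ignored: the question is who on the shared WLAN is probing us."""
    ports_by_peer = defaultdict(set)
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip corrupt lines, keep going
        parsed = parse_flow(doc)
        if parsed is None:
            continue
        src, dst, dport, proto = parsed
        if src not in local_subnet or src == this_host or dst != this_host:
            continue
        ports_by_peer[src].add((proto, dport))

    findings = {}
    for peer, pairs in ports_by_peer.items():
        if len(pairs) >= threshold:
            findings[str(peer)] = {
                "distinct_ports": len(pairs),
                "ports": sorted({port for _, port in pairs}),
            }
    return findings


def _flow(src, dst, dport, proto="tcp"):
    """Build one minimal Packetbeat-style flow document (constructed sample)."""
    return json.dumps({
        "event": {"action": "network_flow", "dataset": "flow"},
        "source": {"ip": src, "port": 40000 + dport},
        "destination": {"ip": dst, "port": dport},
        "network": {"transport": proto, "type": "ipv4"},
        "flow": {"final": True},
    })


# Constructed sample: one on-subnet peer sweeping common ports, one peer doing
# ordinary SMB traffic, our own browsing, off-subnet noise and a corrupt line.
SCAN_PORTS = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)
SAMPLE_NDJSON = (
    [_flow("10.0.0.77", "10.0.0.42", p) for p in SCAN_PORTS]
    + [_flow("10.0.0.5", "10.0.0.42", 445), _flow("10.0.0.5", "10.0.0.42", 139)]
    + [_flow("10.0.0.42", "198.51.100.7", 443)]
    + [_flow("198.51.100.7", "10.0.0.42", p) for p in range(20, 45)]
    + ["this line is not JSON", ""]
)

if __name__ == "__main__":
    for peer, info in find_scanning_peers(SAMPLE_NDJSON).items():
        print(f"ALERT {peer}: {info['distinct_ports']} distinct ports, "
              f"first few {info['ports'][:5]}")
```

&lt;p>Running it as-is reports only 10.0.0.77; the off-subnet host hitting 25 ports is deliberately ignored because the point of this setup was the shared WLAN, not the Internet. In real use, replace &lt;code>SAMPLE_NDJSON&lt;/code> with flow documents exported from Elasticsearch and tune the threshold to what your own host normally sees.&lt;/p>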
&lt;h3 id="blue-team-project---next-level">Blue Team Project - Next Level&lt;/h3>
&lt;p>It was quite nice to see &lt;strong>flow&lt;/strong> data being exported to the ELK stack in the previous setup, however I was a bit disappointed with the Kibana dashboards that were set up by PacketBeat. Some were completely dysfunctional due to some syntax errors I could not figure out how to fix.&lt;/p>
&lt;p>I spent quite a long time looking for a fix to the Kibana dashboard issues, but eventually I ended up swapping my ELK &amp;amp; PacketBeat setup for a more advanced set of Tools:
&lt;a href="https://securityonion.net/" target="_blank" rel="noopener">The Security Onion&lt;/a>! Turns out that it also uses docker to run the ELK stack behind the scenes. In addition, it includes some tools such as &lt;strong>Zeek/Bro&lt;/strong>, &lt;strong>Suricata/Snort&lt;/strong> right out of the box, that we also covered in the course. So cool!&lt;/p>
&lt;p>Setting it all up on the #SEC530 VM was a bit more lengthy than my previous setup. First I had to give the underlying VM some additional juice (4 CPUs and a minimum of 8 GB of RAM), then I followed the installation steps below on a fresh clone of the #SEC530 VM:&lt;/p>
&lt;ul>
&lt;li>
&lt;p>Set the VM NIC mode to bridged (Autodetect) (in VMware Fusion)&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Boot the VM, log in and change the settings in &lt;strong>Software &amp;amp; Updates&lt;/strong>:&lt;/p>
&lt;ul>
&lt;li>on &lt;strong>Ubuntu Software&lt;/strong> tab check all options except &lt;strong>restricted software&lt;/strong>&lt;/li>
&lt;li>on &lt;strong>Updates&lt;/strong> tab select the first two options&lt;/li>
&lt;li>click &lt;strong>Close&lt;/strong> and then click &lt;strong>Reload&lt;/strong> to fetch the latest package lists&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>
&lt;p>Next run these steps in the Terminal (adapted from
&lt;a href="https://securityonion.readthedocs.io/en/latest/installing-on-ubuntu.html" target="_blank" rel="noopener">here&lt;/a>):&lt;/p>
&lt;div class="highlight">&lt;pre class="chroma">&lt;code class="language-shell" data-lang="shell">&lt;span class="nb">echo&lt;/span> &lt;span class="s2">&amp;#34;debconf debconf/frontend select noninteractive&amp;#34;&lt;/span> &lt;span class="p">|&lt;/span> sudo debconf-set-selections
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update
sudo apt-get -y -f -o Dpkg::Options::&lt;span class="o">=&lt;/span>&lt;span class="s2">&amp;#34;--force-overwrite&amp;#34;&lt;/span> install securityonion-all securityonion-onionsalt securityonion-suricata syslog-ng-core
&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ul>
&lt;p>The above steps install necessary dependencies and then create a desktop shortcut called &lt;strong>Setup&lt;/strong> with the Security Onion icon. Double-click it to continue the install process (alternatively issue &lt;code>sudo sosetup&lt;/code> in Terminal):&lt;/p>
&lt;ul>
&lt;li>choose to reconfigure the network interfaces (with DHCP)&lt;/li>
&lt;li>accept the necessary reboot now&lt;/li>
&lt;li>trigger the Setup process again to finish the installation&lt;/li>
&lt;li>choose &lt;strong>Evaluation Mode&lt;/strong> when it asks this question&lt;/li>
&lt;li>set up default username/password used to secure the various dashboards&lt;/li>
&lt;/ul>
&lt;p>Once the setup finishes (it takes a few minutes), it shows several additional popup windows with useful information about the Security Onion&amp;rsquo;s functions, and several new desktop icons appear:&lt;/p>
&lt;p>&lt;img src="setup-done.png" alt="install-onion">&lt;/p>
&lt;p>At this point, the setup is complete and you can see the installed services by clicking on the new icons on the Desktop. Most interesting to me was the &lt;strong>Kibana dashboard&lt;/strong> which comes pre-loaded with some amazing features out of the box:&lt;/p>
&lt;p>&lt;img src="kibana-onion.png" alt="kibana-onion">&lt;/p>
&lt;p>This really seems like an awesome set of features that can detect malicious attacks much better than my first setup with &lt;strong>ELK &amp;amp; Packetbeat&lt;/strong>. This is exactly what I was looking for, when I was on that shared WLAN, some advanced visibility into network metadata. I&amp;rsquo;m glad I did not have to implement it by hand after all &amp;hellip; :)&lt;/p>
&lt;h3 id="blue-team-project---next-next-level">Blue Team Project - Next Next Level&lt;/h3>
&lt;p>While looking around on the net for possible solutions to my issues, I stumbled upon this project from
&lt;a href="https://github.com/dtag-dev-sec/tpotce/tree/master/docker" target="_blank" rel="noopener">Telekom Security&lt;/a>&amp;lsquo;s GitHub page, which seemed like an even more advanced version of the Security Onion with various types of built-in honeypots that feed information to a Kibana dashboard. Sadly however, this is not possible to set up on the #SEC530 VM because the built-in installer does not support Xubuntu 16.04 and there were so many moving parts to the project that I did not dare to do it all by hand. For now I just keep it here as a reference, maybe in a future post I will describe it in more detail!&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>As I already mentioned, this was my first SANS training and I could not be happier about the whole experience, despite the unfortunate situation with the global pandemic disrupting our onsite course. While I was initially a bit worried about the lack of &lt;code>station isolation&lt;/code> on the shared WLAN, I really enjoyed digging around the Internet for a solution to earn me some peace of mind. The knowledge and new skills I acquired in the domain of Defensible Security Architecture have been quite overwhelming to say the least.&lt;/p>
&lt;p>I also enjoyed building new connections with the people who run these trainings and with my fellow SANS alumni. Taking part in the NetWars events that followed in March and April, it felt good to be part of such an incredible community.&lt;/p></description></item><item><title>SANS NetWars in March</title><link>https://flrnks.netlify.app/post/sans-netwars/</link><pubDate>Sat, 04 Apr 2020 11:11:00 +0000</pubDate><guid>https://flrnks.netlify.app/post/sans-netwars/</guid><description>&lt;p>This past month of March was quite eventful, to say the least, with all the news of this pandemic shaking many different segments of our globalised society. It&amp;rsquo;s virtually impossible to escape the constant flow of news in the media. While March was practically defined by the continuously evolving story of the virus, I wanted to write a new blog post about a different topic that also greatly impacted this month for me: a live SANS course I attended in Prague and some online CTF challenges organised by SANS and the Counter Hack team.&lt;/p>
&lt;h2 id="sans-prague-march-2020">SANS Prague March 2020&lt;/h2>
&lt;p>I still remember how excited I was when I learnt that my employer would sponsor my attendance at a 6-day-long
&lt;a href="https://www.sans.org/event/prague-march-2020" target="_blank" rel="noopener">SANS&lt;/a> course in March, taking place in the city where I live and work currently. I was eagerly looking forward to it, taking place between 9th and 14th of March.&lt;/p>
&lt;p>&lt;img src="sans_prague.jpg" alt="SANS-Prague">&lt;/p>
&lt;p>The course was arranged in a very nice hotel in Prague 5 district, and we were hosted by a very friendly SANS staff that included some world-class teachers. I really liked how well they organised everything and tried to spoil us with good food. There were actually several courses running in parallel, my course, the
&lt;a href="https://www.sans.org/course/defensible-security-architecture-and-engineering" target="_blank" rel="noopener">SEC530&lt;/a>, a.k.a &lt;strong>Defensible Security Architecture and Engineering&lt;/strong>, was taught by Ryan Nicholson, who did a great job during the first 3 days.&lt;/p>
&lt;p>Sadly however, on Wednesday (11th of March) we were instructed to go home due to the growing risk of contracting the COVID-19 virus. All was not lost, because the SANS team did their best to convert the whole class to an online CyberCast while the course was in progress. So from the next day onward, we continued remotely with new instructors who jumped in while Ryan was on his way back to the States. Initially we thought he would continue hosting the CyberCast from his hotel room, but eventually we got to know two new SANS instructors, Greg Scheidel and Ismael Valenzuela, who took turns teaching the rest of the course material and then hosting the NetWars event for us.&lt;/p>
&lt;h2 id="sans-netwars">SANS NetWars&lt;/h2>
&lt;p>While the raw educational content of Sec530 was great, I most enjoyed the last day of the course, when we got to take part in a private NetWars challenge hosted just for the participants of the course, which was about 10-15 people. I had some initial ideas about what NetWars was all about, thanks to numerous cleverly placed banners in Holiday Hack Challenges from previous years, but I had never actually participated in one before, so it was a completely new experience for me. And I was immediately loving it so much that when it was over I knew I wanted more!&lt;/p>
&lt;!-- ![SEC530-Coin](https://pbs.twimg.com/media/D9g4yNrWwAE8H8h?format=jpg&amp;name=4096x4096) -->
&lt;p>So you can imagine how excited I was when I learnt that SANS was going to offer a bunch of
&lt;a href="https://www.sans.org/blog/and-now-for-something-awesome-sans-launches-new-series-of-worldwide-capture-the-flag-cyber-events/" target="_blank" rel="noopener">free NetWars events&lt;/a> for SANS alumni, with some special events open to the whole world to take part in! First one was a two-day Core NetWars Tournament, first of its kind, organised completely online via CyberCast from 19th to 20th of March. Due to timezone differences, it lasted until 2 am on both days, but I loved every second of it! While I had no high hopes of winning, I was surprised how well I did, eventually finishing as 12th amongst the first time NetWars players.&lt;/p>
&lt;p>Next up was the Mini NetWars Mission 1, also the first of its kind, from the 2nd till the 3rd of April. This was a bit different from Core NetWars, as we did not have to solve the challenges in a virtualised OS environment; instead we relied solely on the browser, very similar to how the Holiday Hack environment works, which was already quite familiar to me!&lt;/p>
&lt;p>This time many more people signed up, as registration was not limited to just SANS alumni but open to the public. Eventually there were more than 500 people competing! This time I managed to solve all of the objectives and obtained the maximum score of 92, which qualified me as a
&lt;a href="https://www.counterhackchallenges.com/winners" target="_blank" rel="noopener">winner&lt;/a>. My final placement on the ranking was somewhere around 50th, as I took a number of hints and was a bit slower than others. Nevertheless, I was still amazed by how far I had come. By the way, this is my battle station setup, which won me some cool SANS swag on
&lt;a href="https://twitter.com/SANSInstitute/status/1246150677602226176" target="_blank" rel="noopener">Twitter&lt;/a> :)&lt;/p>
&lt;p>&lt;img src="mini-netwars.jpg" alt="Mini-NetWars">&lt;/p>
&lt;h2 id="conclusion">CONCLUSION&lt;/h2>
&lt;p>All in all, I cannot thank SANS enough for hosting these alumni NetWars events, some completely free for the whole cyber security community. I am probably not alone in feeling that they did an amazing service to us all, who are probably stuck at home due to social distancing and quarantine measures implemented worldwide. This month for me was surely made a bit special, so big thanks to SANS and the Counter Hack team for all their efforts!&lt;/p>
&lt;p>&lt;strong>P.S.:&lt;/strong> A very very very cool Spotify Playlist, which works wonders during such CTF contests, is available via this
&lt;a href="https://open.spotify.com/playlist/2KwHJlC1x117sXWR0CKZWW?si=H3V76HhzSwi_Bu5Wqut7qQ" target="_blank" rel="noopener">link&lt;/a>. I cannot take credit for it; it belongs to Bryce Galbraith, who moderated these two previous NetWars events and was kind enough to share his playlist with us.&lt;/p></description></item><item><title>KringleCon II</title><link>https://flrnks.netlify.app/post/kringlecon-writeup/</link><pubDate>Mon, 13 Jan 2020 11:11:00 +0000</pubDate><guid>https://flrnks.netlify.app/post/kringlecon-writeup/</guid><description>&lt;p>In this post I just wanted to announce and link to my write-up in the Tutorials section of my blog, which chronicles my solution to the challenges of the most fun CTF of the holiday season.&lt;/p>
&lt;p>&lt;img src="sans-main.png" alt="HHC 2019">&lt;/p>
&lt;p>A huge thank you goes out to the SANS Institute and the Counter Hack Team, who are the organisers of this event. They put a great deal of energy and effort into hosting this event year after year. It is no wonder the campus of Elf University was sometimes so crowded that you could barely see your own avatar! :)&lt;/p>
&lt;p>&lt;img src="crowd.png" alt="Crowds at Elf University">&lt;/p>
&lt;p>To get to the write-up, either click
&lt;a href="https://flrnks.netlify.app/tutorials/kringlecon2019/">this&lt;/a> link or manually go to the Tutorials section in the top bar. I also welcome any kind of feedback or comment on the write-up; to do so, please hit the Contact link in the top bar.&lt;/p></description></item></channel></rss>