Defensible Security Architecture

A post about my SANS course (SEC530) in Prague in March, 2020.

In this post I wanted to write about my experience with #SEC530 which is a SANS course that I took in March during the SANS Prague event. Not long ago I wrote another post about my experience with NetWars in March, now I wanted to write about the infosec course that started it all.

Defensible Security Architecture - SEC530

Initially I was hesitant to register for an advanced level SANS course (5xx in the code). As I had no previous experience with SANS I did not know if an advanced infosec course would be too difficult for me. Luckily, I found a GIAC assessment exam online called SANS Cybertalent Assessment Exam, which I took for free and eventually passed with a score of 93.33%. This made me confident in registering for #SEC530, as the assessment results stated:

“Examinees who score in this range have demonstrated reliable knowledge in core information security principles […] they are typically ready for advanced security training”.

[Image: CyberTalent assessment result]

Course Experience

Day 1

The course was taking place at a hotel in Prague 5, about a 10-minute walk from my flat, so I was quite happy about the venue. It was a nice hotel with plenty of room for my course and the other ones that were running in parallel, with a dozen or so attendees each:

  • #SEC401 - Security Essentials Bootcamp Style
  • #SEC504 - Hacker Tools, Techniques, Exploits and Incident Handling

Some colleagues were taking #SEC504, but I was the only one from my workplace taking #SEC530. This was nice because knowing nobody in my class forced me to get to know them, and they all turned out to be interesting people! This was also a good opportunity to start recruiting teammates for the NetWars challenge on Day 6!

Our instructor was Mr. Ryan Nicholson from the United States with an interesting career path that led him to become a SANS Instructor. He used to be a Network Administrator in the past and made lots of references to Cisco networking equipment which made me quite nostalgic from time to time … 😊

Eventually the course kicked off and the first day’s goal was to get an overview of Defensible Security Architecture. We discussed the downsides of the traditional approach to security and architecture, and how the defensible approach may improve the situation. We were given a recommended reading by Richard Bejtlich titled The Tao of Network Security Monitoring, in which there is a really neat definition: architecture that encourages, rather than frustrates, digital self-defence.

The rest of the day we discussed many interesting topics, including Layer 2 security, which led to a discovery about the WLAN at the hotel: station isolation was not enabled! This wouldn’t be a huge deal normally, but then we became aware of some fellow SANS students in the adjacent room taking #SEC504, which is a red-team course that has topics such as penetration testing. This inspired me to take some actions as a blue-teamer, which I hoped would earn me the infamous Red coin for #SEC530… More on this later in the Blue Team Project section.

Day 2

After an interesting first day, we dived right in to the second day’s material, titled Network Security Architecture and Engineering. This day covered many interesting Layer 3 security topics and provided some interesting lab exercises as well. Most interesting to me was the lab on the config auditing tool called nipper-ng that can parse Cisco router/switch config files for security issues and provide actionable recommendations. This surely would have been a nice tool to have back when I worked as a Network Administrator.

Day 3

We continued with the material on the third day with Network-Centric Security with a bunch of different topics on the menu, such as Next Generation Firewalls (NGFW), Network Security Monitoring (NSM) and Secure Remote Access, just to name a few. Probably the most interesting topic for me was NSM that involves the passive capture (in- or out-of-band) and analysis of network / flow metadata. This gave me some good ideas for the Blue Team Project described in a later section.

After our lunch break, just before we resumed class, someone from the SANS support team came to our classroom and informed us that they decided to convert the class to remote/virtual mode of operation for the rest of the week, as a safety measure against the COVID-19 pandemic. Although it was quite frustrating to me at the time, I now totally agree with their approach to handling this safety concern. Eventually they did an excellent job of converting the class to run via the virtual CyberCast platform on such short notice!

Day 4

So on the morning of day four, I did not go to the nearby hotel where the first three days were held; instead I just logged in to my SANS account and accessed the CyberCast session where we continued the course. The teaching duty was split between two new remote instructors from the USA: for the first half of the day we had Mr. Greg Scheidel, and in the afternoon Mr. Ismael Valenzuela took over to finish the rest of the material planned for the day.

The main theme was Data Centric Security which included topics such as Web Application Firewalls, Data Loss Prevention and some discussions on Cloud Security and containerisation technologies. This last topic was particularly interesting to me, because I had been learning about Docker prior to the SANS training and I had not really considered it from a security point of view before.

Day 5

This fifth day was dedicated to Zero Trust Security Architecture, which was quite a new and interesting concept to me. During the first half of the day we covered the basic principles of Zero Trust (everything is hostile, verify before establishing trust) and how certain techniques such as mutual authentication can help improve security. The second half of the day with Ismael included some interesting topics such as Security Information and Event Management systems (SIEMs) which are indispensable tools for Security Operations Centres (SOC). This section also proved to have some very valuable lab exercises for the NetWars challenge the following day.

Day 6 - NetWars

This final day was dedicated to the CTF-style NetWars Challenge that ran for about 6 hours. Three teams were formed amongst the class participants, who competed against each other and against the clock to solve the challenge questions that tested the concepts taught during the course. I have to say I genuinely enjoyed every second of it. Our team was leading the scoreboard all the way until the very end, when we got kicked down to 2nd place because we rushed to be the first and incurred some penalty for incorrect answers. Regardless of the final result, it was a very valuable experience with tons of fun and learning. For our efforts that got us 2nd place, we were rewarded with the much coveted blue coin of #SEC530, which has finally arrived to me in Prague via FedEx … :)

[Image: blue coin]

Blue Team Project

As I previously mentioned, on the first day we discovered that all attendees at the SANS venue would be sharing a WLAN network without station isolation, and this was making me somewhat uncomfortable. Some years ago in a university course I had done some simple attacks using MITM techniques on shared LAN networks, so I knew that it was not too difficult to steal credentials or carry out other kinds of malicious attacks when the attacker didn’t even have to crack the wifi password to be able to join the shared WLAN.

Later I wondered whether perhaps the WLAN isolation feature was disabled on purpose so that the red-team students in the adjacent room could practice using some of the typical penetration testing tools. Regardless, this vulnerability created by the lack of WLAN isolation gave me the idea to implement some kind of defence system that can monitor and, if possible, alert me to any seemingly malicious attempts targeting my machine.

My first idea was to run a packet capture on my Host OS via Wireshark, but of course that would have been very difficult to manage and quite likely not so effective! I would’ve had to keep an eye on it constantly and check for suspicious packets manually using some filters.

Instead, I got some inspiration from one of the lab exercises with the ELK stack where we had to look for suspicious log entries from various sources of security telemetry. I decided to set up a similar set of services to run non-stop on my #SEC530 virtual machine. To provide the network metadata I needed, I decided to install PacketBeat and configure it to extract and forward netflow data to the ELK stack. This way I could obtain the necessary visibility into the network activity on my Virtual Machine, without the need to do full packet capture using WireShark!

With the below steps one can run the ELK stack via docker-compose in the #SEC530 VM:

# ELK stack setup
mkdir monitor && cd monitor
cp /labs/1.3/docker-compose.yml ./        # reuse the compose file from lab 1.3
sed -i '17,18 s/^/#/' docker-compose.yml  # comment out some volumes not needed
sed -i 's/lab13es/elastic_search/g' docker-compose.yml     # rename the Elasticsearch service
sed -i 's/kibana13/kibana_dashboard/g' docker-compose.yml  # rename the Kibana service
docker container prune -f                 # remove leftover stopped containers from the labs
docker-compose up                         # start the stack (runs in the foreground)

Next I installed and configured the OSS version of PacketBeat:

# PacketBeat setup
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-oss-7.6.1-amd64.deb
sudo dpkg -i packetbeat-oss-7.6.1-amd64.deb
# enable loading of the bundled Kibana dashboards (appended to the default config)
echo "setup.dashboards.enabled: true" | sudo tee -a /etc/packetbeat/packetbeat.yml
sudo packetbeat setup --dashboards        # push the dashboards to Kibana
sudo service packetbeat start

Now, one can test if it’s working by generating some network traffic from the VM which should then appear in the Kibana dashboard at http://localhost:5601/app/kibana.

[Image: Kibana dashboard]

At this point, it becomes possible to observe malicious hacking attempts by focusing on IP addresses from my local IP subnet… But I was not yet fully satisfied and wanted to take it a bit further.
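As an added example that is not part of the original post, the script below shows how the Packetbeat flow records from the setup above could be checked automatically for one on-subnet peer probing many ports on the VM, instead of eyeballing the Kibana dashboard. It assumes Packetbeat 7.x ECS field names (@timestamp, source.ip, destination.ip, destination.port); the subnet, the VM address, the threshold and the sample flow lines are all constructed.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_NET = ipaddress.ip_network("192.168.50.0/24")  # constructed: the shared WLAN subnet
MY_VM = ipaddress.ip_address("192.168.50.23")        # constructed: the #SEC530 VM
WINDOW = timedelta(seconds=60)   # sliding window in which distinct ports are counted
PORT_THRESHOLD = 5               # distinct ports from one local peer within WINDOW

# Constructed Packetbeat flow events in ECS layout (one JSON object per line):
# .77 probes five ports within seconds, .10 just opens Kibana, 203.0.113.34 is off-subnet.
SAMPLE_FLOWS = """
{"@timestamp":"2020-03-03T10:00:01Z","source":{"ip":"192.168.50.77"},"destination":{"ip":"192.168.50.23","port":22}}
{"@timestamp":"2020-03-03T10:00:02Z","source":{"ip":"192.168.50.77"},"destination":{"ip":"192.168.50.23","port":80}}
{"@timestamp":"2020-03-03T10:00:02Z","source":{"ip":"192.168.50.10"},"destination":{"ip":"192.168.50.23","port":5601}}
{"@timestamp":"2020-03-03T10:00:03Z","source":{"ip":"192.168.50.77"},"destination":{"ip":"192.168.50.23","port":443}}
{"@timestamp":"2020-03-03T10:00:04Z","source":{"ip":"192.168.50.77"},"destination":{"ip":"192.168.50.23","port":445}}
{"@timestamp":"2020-03-03T10:00:05Z","source":{"ip":"203.0.113.34"},"destination":{"ip":"192.168.50.23","port":22}}
{"@timestamp":"2020-03-03T10:00:09Z","source":{"ip":"192.168.50.77"},"destination":{"ip":"192.168.50.23","port":3389}}
"""

def parse_flows(jsonl):
    """Parse JSON-lines flow events into time-sorted (time, src, dst, dst_port) tuples."""
    out = []
    for line in jsonl.strip().splitlines():
        e = json.loads(line)
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, ipaddress.ip_address(e["source"]["ip"]),
                    ipaddress.ip_address(e["destination"]["ip"]), e["destination"]["port"]))
    return sorted(out)

def detect_port_scans(flows):
    """Return {src_ip: sorted ports} for on-subnet peers that touched at least
    PORT_THRESHOLD distinct ports on MY_VM within any WINDOW-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if dst == MY_VM and src in LOCAL_NET and src != MY_VM:
            by_src[src].append((ts, port))   # flows are already time-ordered
    hits = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= WINDOW}
            if len(ports) >= PORT_THRESHOLD:
                hits[str(src)] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for src, ports in detect_port_scans(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} probed {len(ports)} ports on {MY_VM}: {ports}")
```

The off-subnet source is deliberately ignored, matching the idea of focusing on the local subnet; the threshold and window would need tuning against real traffic on the VM.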

Blue Team Project - Next Level

It was quite nice to see netflow data being exported to the ELK stack in the previous setup, however I was a bit disappointed with the Kibana dashboards that were set up by PacketBeat. Some were completely dysfunctional due to some syntax errors I could not figure out how to fix.

I spent quite a long time looking for a fix to the Kibana dashboard issues, but eventually I ended up swapping my ELK & PacketBeat setup for a more advanced set of tools: Security Onion! It turns out that it also uses Docker to run the ELK stack behind the scenes. In addition, it includes tools such as Zeek/Bro and Suricata/Snort right out of the box, which we also covered in the course. So cool!

Setting it all up on the #SEC530 VM took a bit longer than my previous setup. First I had to add some additional juice to the underlying VM (4 CPUs and a minimum of 8GB of RAM), and then I followed the installation steps below on a fresh clone of the #SEC530 VM:

  • Set the VM NIC mode to bridge (Autodetect) (in VMWare Fusion)

  • Boot the VM, log in and change the settings in Software & Updates:

    • on Ubuntu Software tab check all options except restricted software
    • on Updates tab select the first two options
    • click Close and then click Reload to latest updates
  • Next run these steps in the Terminal (adapted from here):

    echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
    sudo rm -rf /var/lib/apt/lists/*
    sudo apt-get update
    sudo apt-get -y install software-properties-common
    sudo add-apt-repository -y ppa:securityonion/stable
    sudo apt-get update
    sudo apt-get -y -f -o Dpkg::Options::="--force-overwrite" install securityonion-all securityonion-onionsalt securityonion-suricata syslog-ng-core
    

The above steps install necessary dependencies and then create a desktop shortcut called Setup with the Security Onion icon. Double-click it to continue the install process (alternatively issue sudo sosetup in Terminal):

  • choose to reconfigure the network interfaces (with DHCP)
  • accept the necessary reboot now
  • trigger the Setup process again to finish the installation
  • choose Evaluation Mode when it asks this question
  • set up default username/password used to secure the various dashboards

Once the setup finishes (it takes a few minutes), it shows several additional popup windows with useful information about Security Onion’s functions, and several new desktop icons appear:

[Image: Security Onion install]

At this point, the setup is complete and you can see the installed services by clicking on the new icons on the Desktop. Most interesting to me was the Kibana dashboard which comes pre-loaded with some amazing features out of the box:

[Image: Kibana in Security Onion]

This really seems like an awesome set of features that can detect malicious attacks much better than my first setup with ELK & Packetbeat. This is exactly what I was looking for, when I was on that shared WLAN, some advanced visibility into network metadata. I’m glad I did not have to implement it by hand after all … :)

Blue Team Project - Next Next Level

While looking around on the net for possible solutions to my issues, I stumbled upon this project from Telekom Security’s GitHub page, which seemed like an even more advanced version of Security Onion, with various types of built-in honeypots that feed information to a Kibana dashboard. Sadly, however, this is not possible to set up on the #SEC530 VM because the built-in installer does not support Xubuntu 16.04, and there were so many moving parts to the project that I did not dare to do it all by hand. For now I just keep it here as a reference; maybe in a future post I will describe it in more detail!

Conclusion

As I already mentioned, this was my first SANS training and I could not be happier about the whole experience, despite the unfortunate situation with the global pandemic disrupting our onsite course. While I was initially a bit worried about the lack of station isolation on the shared WLAN, I really enjoyed digging around the Internet for a solution to earn me some peace of mind. The knowledge and new skills I acquired in the domain of Defensible Security Architecture have been quite overwhelming, to say the least.

I also enjoyed building new connections with the people who run these trainings and with my fellow SANS alumni. Taking part in the NetWars events that followed in March and April, it felt good to be part of such an incredible community.

Florian Akos Szabo
Software Engineer

Interested in Cybersecurity, Computer Networking, Cloud Computing, DevOps and Software Engineering.