http://www.guadalajaracon.org/conferencias/echidna-sistema-de-respuesta-incidentes-open-source/
The Echidna project is an incident response system aimed at security analysts and built on the principles of Network Security Monitoring. It is a fully Open Source project in which I share credit with the authors of popular tools such as Ian Firns (Barnyard2, SecurityOnion NSM scripts) and Edward Bjarte (cxtracker, passivedns, prads, etc.).
Echidna consists of agents, a server and a user interface. The agents and the server are written in Perl; the specialized applications (session, events, ...) are written in C/C++. The user interface runs client-side using AngularJS. The server exposes a REST API for the UI or any other alternative front end.
The purpose of Echidna is to integrate different network analysis tools across the different layers of NSM, from Suricata/Snort to HTTPRY. The interesting part is that most of the default stack is made up of our own tools, e.g. cxtracker (sessions), barnyard2 (event spooler for Snort/Suricata), prads (asset detection), passivedns (passive DNS analysis), etc.
Ian, aka firnsy, is core dev and Edward, aka ebf0, leads from the analyst's perspective. Each has created one or more expert tools that Echidna integrates into the stack.
4. Network Security Monitoring
“It’s the collection, analysis and escalation of indications and warnings to respond to intrusions”
5. Let me repeat that
Collection – This is where you do data acquisition
Analysis – This requires correlation and human analysis
Escalation – An authority decides how to proceed
= This shit is a methodology, NOT a product
IDS != NSM != SIEM != Log Management
6. NSM Process
• Products perform collection – A piece of software or an appliance whose purpose is to analyze packets on the network.
• People perform analysis – While products can draw conclusions from what they see, only people can provide context.
• Processes guide escalation – Escalation is the act of bringing information to the attention of decision makers.
7. NSM Principles
• Some intruders are smarter than you
• Many intruders are unpredictable
• Prevention eventually fails
• Intruders who can communicate with victims can be detected
• Detection through sampling is better than no detection
• Detection through traffic analysis is better than no detection at all
8. (SIEM) Alert-centric solutions rely on..
• Attacks can be understood prior to execution
• Methods to detect or prevent attacks can be encapsulated in programming logic
• Customers will purchase, properly configure, and effectively deploy products offering sufficient defensive logic
• The customer’s environment will behave as anticipated by the developers and vendors
9. (NSM) Traffic-centric approach
• NSM analysts treat ALL data as indicators, not “false positives” or “false negatives”
• Relies on at least 4 types of data:
  ✓ Statistical
  ✓ Session
  ✓ Full Content
  ✓ Alert
• NSM uses a “dumb is better” approach, relying on traffic to verify the context of indications and warnings as part of an investigation.
10. NSM Model
Alert – “Snort fires an alert related to an FTP bounce attack”
Session – “We request the session/netflow activity in the past 4 hours of src/dst ip”
Full Content – “We request the full packet capture of one of the sessions to see the FTP commands sent in the control channel”
25. We want to offer something cool too
✓ Open Source Software
✓ Easy to maintain
✓ That can be extended using other awesome OSS tools
✓ Scalable and easy to integrate
✓ Nice API please?
27. Echidna Architecture
Echidna Server:
✓ Perl-based
✓ Server/Node CnC communication is done through WebSockets (near-realtime).
✓ Retrieval and submission of data is done through a REST interface
✓ Modular architecture (use what you need)
✓ It can be used with relational DBs and NoSQL
29. Server: Fetch some records
URI: http://inspectlabs.com:6970
Controller: /api/pdns
Parameters: ?fields=client,server,answer&query_type=A&query=nsm.metaflows.com.&from=2012-07-09 10:21:27&to=2012-07-09 10:21:27
Which means: Give me the client ip, server ip and query answer of all DNS requests that returned an address record at 10:21:27AM of 2012-07-09
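As an added example (not Echidna's own code), the following builds the /api/pdns request from the slide above against the REST interface described on slide 27, then evaluates the same query semantics locally against constructed passive DNS records so the expected result set is visible. The record layout (client, server, query, query_type, answer, ts) is an assumption; the page only names the request parameters.

```python
"""Build an Echidna-style /api/pdns request and evaluate it against local sample records.
Added example; the record layout below is an assumption, not Echidna's schema."""
from datetime import datetime
from urllib.parse import urlencode, urlsplit, parse_qs

BASE_URL = "http://inspectlabs.com:6970"  # host and port taken from the slide
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (assumed layout, in the spirit of what passivedns emits).
RECORDS = [
    {"client": "10.0.0.5", "server": "8.8.8.8", "query": "nsm.metaflows.com.",
     "query_type": "A", "answer": "192.0.2.10", "ts": "2012-07-09 10:21:27"},
    {"client": "10.0.0.5", "server": "8.8.8.8", "query": "nsm.metaflows.com.",
     "query_type": "AAAA", "answer": "2001:db8::10", "ts": "2012-07-09 10:21:27"},
    {"client": "10.0.0.7", "server": "8.8.4.4", "query": "nsm.metaflows.com.",
     "query_type": "A", "answer": "192.0.2.10", "ts": "2012-07-09 11:00:00"},
]


def pdns_url(fields, query_type, query, start, end):
    """Build the REST URI for the pdns controller; urlencode escapes the space in timestamps."""
    params = {"fields": ",".join(fields), "query_type": query_type,
              "query": query, "from": start, "to": end}
    return f"{BASE_URL}/api/pdns?{urlencode(params)}"


def run_pdns_query(url, records=RECORDS):
    """Apply the query parameters carried in `url` to local records, projecting `fields`."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    start, end = datetime.strptime(q["from"], TS_FMT), datetime.strptime(q["to"], TS_FMT)
    fields = q["fields"].split(",")
    out = []
    for r in records:
        if r["query_type"] != q["query_type"] or r["query"] != q["query"]:
            continue
        # Inclusive window: the slide uses from == to to mean "at that exact second".
        if not (start <= datetime.strptime(r["ts"], TS_FMT) <= end):
            continue
        out.append({f: r[f] for f in fields})
    return out


if __name__ == "__main__":
    url = pdns_url(["client", "server", "answer"], "A", "nsm.metaflows.com.",
                   "2012-07-09 10:21:27", "2012-07-09 10:21:27")
    print(url)
    for row in run_pdns_query(url):
        print(row)
```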
38. Turns out, this is Alpha stage
• Not feature complete
• Not production ready
• Frequent updates
• Features are being added
• Focused on NSM for analysts
41. Team
Edward Fjellskal (ebf0) – Analyst
Ian Firns (firnsy) – Coder
Eduardo Urias (larsx2) – Coder
42. Future (not too far away)
✓ OISF - Open Information Security Foundation: Suricata’s next big friend!
✓ Bro IDS engine integration: Cool tools should hang together!
✓ Cassandra/Hadoop support: Sometimes things get out of control.
✓ Full text search support: I am looking at you ElasticSearch ಠ_ಠ!
43. Wanted!
JavaScript Hackers! – Jump in for the development of a fully featured client-side UI for security analysis
Perl/Python Hackers! – Help us create components/plugins for our framework to support more services!
C/C++ Hackers! – Want to build new specialized components for network analysis on extremely fast networks?
44. Props to:
✓ Richard Bejtlich
✓ Bamm Visscher
✓ Matt Jonkman
✓ David McNelis
✓ Ian Firns
✓ Edward Bjarte
✓ Dustin Webber
Because in one way or another they all helped make this talk possible