5th Annual SuriCon Agenda

SuriCon-Amsterdam

Wednesday, October 30

Five years ago, Suricata 2.0 introduced EVE-JSON as a single common data output format for alerts, metadata and other event information. Its structured syntax makes it easy to capture diverse information in much detail and to pass it to downstream tools for further analysis. However, up to now no in-depth documentation exists for EVE-JSON (regarding both extent and meaning of fields and values), partly because it is difficult to derive an comprehensive specification from static analysis of the Suricata source code. The lack of such a spec makes it difficult for tool authors to reliably consume and interpret all variations of Suricata output. We report on our effort to jump-start documentation of the EVE-JSON format produced by Suricata empirically. In particular, we present a reproducible method to derive JSON schemas (https://json-schema.org) from the results of running various Suricata versions against diverse input traffic. We also comment on the evolution of the schema as it appears de facto and show how the generated schema information can be used to enable collaborative editing of detailed EVE-JSON documentation.

ntopng is an open source network traffic monitoring application included in most Linux distributions and security toolkits. Recently it has been enhanced to include native support of Suricata generated events. This allows network administrators to monitor with a single tool both network traffic and security threats, and enhance Suricata by complementing it with features typical of monitoring tools such as SNMP, IPFIX/sFlow support, as well visibility of containerized environments. This allows Suricata events to be placed on the right context and root cause of threats to be better identified, this to provide network administrators a clear picture of the traffic flowing into their network.

In the first round of Suricata performance testing presented at Suricata 2017, we explored how Suricata performed under a number of configurations. With the launch of Suricata 5.0 we’re going to revisit our performance testing with the latest and greatest instance of Suricata, testing new features and functionality, and comparing it to Snort 2.9 and 3.0 head to head.

The common way of using Suricata is finding threats in your network. What if we already know that the file poses a threat and want to determine which malware family does it belong to, or trace its evolution? In my talk I will share our experience of using Suricata in the sandbox environment as a threat intelligence tool to classify malware samples. Threat actors often modify or heavily obfuscate executable files, but rarely think about changing the protocol of communication between the bot and the server. Another example is different malware families using the same packers or obfuscators, when analyzing network traffic is one of the most effective ways to distinguish them. I will show examples of malicious families for different platforms whose network behavior remains the same for many years. I will show cases when a good Suricata rule helped us to attribute malware with different functionality to one campaign or determine that one malware family evolved from another. A separate section of my talk will be devoted to Suricata rules for Android platform which is often deprived of attention.

During the 2018 Suricata Roadmap Brainstorming session, it became apparent that there is a need and desire for Suricata to integrate with “Threat Intelligence” feeds. Not just simple blacklists, but Threat Intelligence feeds with context and substance. In addition, the ability to weigh Threat Intelligence data based on its age and/or its type is also important. However, this is a difficult job for Suricata to do alone. Suricata is busy (very busy!) being the best intrusion detection & prevention engine it can be, yet Threat Intel queries are expensive, and take time and resources. It became clear that the types of Threat Intel queries people want would be better performed at the “post processing” level.

This talk will cover using Sagan (https://sagan.io) which is a log analysis engine, and Meer (https://quadrantsec.com/meer) which is a data spooling system, to ingest all your Suricata data, in real time, and perform the Threat Intel look-ups you need. Since Sagan can natively decode Suricata EVE files, it can quickly and easily perform look-ups on hashes, URLs, IP addresses, and DNS data. This talk will cover configurations and steps to performs these data look-ups, at scale, using Sagan and Meer technologies. We will also cover building your own distributed Threat Intel platform.

In this talk we show how the open-source network forensics platform VAST enables advanced threat hunting with network monitoring data, in particular Suricata logs and raw packet traces. VAST is a UNIX-centric alternative to SIEMs and bulk packet recorders. We demonstrate how to ingest both EVE JSON plus raw PCAP traces and how to pivot between subsets of the two data formats.

Cyber Defense Exercises have received much attention in recent years. Crossed Swords is an exercise directed at training Red Team members for responsive cyber defense. However, these Red Team members may not be aware how their actions are visible from the detection side. Yellow team role is to provide this feedback, preferably near real time while the player actions are still fresh on their mind.

This presentation is about the tools and techniques used, as well as challenges encountered, while building Frankenstack, an open source toolbox for providing this feedback. Current iteration is a data pipeline and correlation stack build around Kafka message queue and SEC event correlation rules. Events were collected from network via Suricata, Zeek, Moloch and Mendel. Host logs were enhanced with Snoopy on Linux and Sysmon on Windows targets to generate a full audit trail, and collected via Syslog. A custom data normalization engine was written in Golang to enhance each message with meta information needed to correlate event fragments from multiple sources, and to anonymize targets in order to avoid revealing too much to players. Correlated alerts were displayed on central screens using various custom and existing front-end dashboards.

Every year, our Yellow Team compiles a group of like-minded hackers, hunters and developers. Then we cobble together core parts of the stack over the course of four day hackathon that takes place during the exercise test run. Crazy ideas are encouraged, friendships are made, and we make an effort to open-source any tool that ends up working. And meerkat is always compiled from master.

Computer networks rely mainly on IP and TCP to transmit data across the world. These protocols are complex and have evolved since their design almost forty years ago. Security detection tools analyze these protocols, detect malicious or suspicious patterns and raise alerts. They need to account for protocol complexity and evolution in order to correctly parse packets and reassemble data flows. We address two specific protocol aspects : IP (4 and 6) fragmentation and TCP state machine management. While these protocols are widely deployed since a long time, the complexity of their specifications and the huge number of implementations lead to many differences, from implementation choices, support of optional features, to implementation bugs. The consequences of these differences goes from functional differences (and possible implementation fingerprinting) to detection bypass. In particular, IDS detection mechanism can be bypassed if it doesn’t reconstruct the same data flow as the one between a client and a server.

We propose two methodologies and associated tools that test flow reassembly implementations. These methodologies allows generating PCAP files from the protocol specifications. We then use these inputs to verify protocol implementations in existing detection tools.

As network bandwidth increases, attack methodologies expand, malicious traffic patterns fluctuate, and IDS/IPS ruleset sizes grow, the ability to programmatically understand the teleological characteristics of each IDS/IPS rule becomes invaluable. The decades-old practice of maintaining a rigid classification.config file and segregating rules into distinct files is onerous, unscalable, and, in many deployments, inviable for those wishing to tune their rulesets. Simply enabling all available Suricata rules is rarely wise, prudent, or feasible for those concerned about rule performance, false-positives, volume, and value. There needs to be an easy way to “slice and dice” large rulesets so that they can be customized for each particular deployment.

This talk will discuss the need for rule taxonomy and propose a flexible standard for embedding such classifications, including teleological information, within each rule. For Suricata, this is done by leveraging the “metadata” keyword to include key-value pairs that can be programmatically consumed to enable powerful ruleset optimization.

This talk will provide an update of MOB League efforts from SuriCon 2018. Highlights include an update on an academic, private-sector research project, SuriCon poster session and scholarship, Suricata-sponsored capture the flag competitions and efforts of establishing a community. Opportunities to become an active member of this community will be introduced, along with instructions on how to access the latest resources offered by the MOB.

The MOB League is a community focused on fostering a collection of academic and industry outreach efforts focused around Suricata. These efforts include joint reserach opportunities, classroom materials, SuriCon events and much more.

All conference attendees are welcome to meet and mingle with our sponsors!

Thursday, October 31

Suricata – Verify & eve2test Walkthrough

XDP support was added in Suricata 4.1 to mainly provide bypass capabilities in the AF_PACKET capture method. Recent work did add a lot of features. Main one is XDP in hardware that has been tested on Netronome cards. It is now possible to get the eBPF code run in the card providing really efficient bypass capabilities and some more exotic things such as programmable RSS load balancing. This talk will briefly describe these new features and show how tests were made using live traffic but also T-rex and tcpreplay runs. Test systems include Netronome, Intel, Mellanox NICs.

Suricata as a library has been a feature requested, but one that has largely been seen as unfeasible given the amount of work involved. Suricata as a “library” is now however a reality, using a cocktail of rust, Suricata, shared memory, and open source libraries. This cocktail provides library like functionality over the pureness of Suricata being available as a library.

We will discuss the approach and motivation to achieving this functionality, as well as new capabilities added to Suricata to enable this use case. We will compare this to previous attempts to integrate with Suricata as a library, and the limitations and performance of this approach. An example will be provided showing how this cocktail of functionality can easily be consumed.

German critical infrastructures, such as the IT-based control of electric grids, power generation, gas and water distribution, are obliged by federal law to implement state of the art IT-security measures. Furthermore, they are legally bound to report occurred security incidents to German Federal Office for Information Security, “BSI.” Hence, the detection of security incidents in control networks is key to fullfil these legal requirements.

As the available solutions for intrusion detection does not meet our quality expectations, we decided to implement a solution for intrusion detection targeted for critical infrastructures. Since Suricata is available and maintained very well, we decided to use it as the foundation for our intrusion detection solution named “KRITIS Defender” .

The key factor of KRITIS Defender is the detection and inspection of control system specific network traffic, e.g. the commonly used IEC-60870-5-104 protocol. This protocol is used primarily for communications between Master- and Remote- Terminal Units in electric grid control systems, as well as in gas and water distribution systems.

In our talk we will show how KRITIS defender utilizes Suricata and its rule engine to detect and inspect IEC-60870-5-104 traffic. We will explain more benefits of using Suricata as intrusion detection engine in control system networks of critical infrastructures, e.g. the simultaneous integration of a KRITIS Defender appliance at the SCADA- and automation-level. The possibilities and advantages to integrate honeypots in the KRITIS Defender as well as the UI of KRITIS Defender, fitted to operating procedures of power grid operators, gas and water distributor and power plants, will be shown.

Concluding, we will explain how Suricata can be used in future for intrusion detection in critical infrastructure process control systems and give an outlook on upcoming developments for KRITIS Defender.

In this talk we’ll go over the the usage of Suricata in AWS VPC. We’ll cover the (old) inline approach and how NSM programs can benefit from the newly introduced AWS VPC Session Mirroring. We’ll also cover automation around Session Mirror configuration to create scalable and redundant deployments and talk about the applicability of NSM in cloud environments while comparing it with managed services, such as AWS GuardDuty.

As more and more traffic is encrypted with TLS, there is a stronger need for decrypting TLS traffic inside captured packet data (pcap files). But getting everything aligned to be able to decrypt the TLS traffic is not that trivial. Access to the servers private key is often not possible and even if you have access to the private key, most TLS sessions use Diffie-Hellman to negotiate the session key which makes decryption based on the private key impossible.

Using session keys (instead of the private key of the server) to do the decryption is much more feasible. However, you need a way to get these session keys. There are several ways to get the session keys from one of the TLS endpoints. And sometimes you can use man-in-the-middle proxying to get them. Which method of retrieving the session keys could be used depends on the level of control you have over the used components in the TLS traffic flow. This presentation will discuss how to get the session keys in different scenarios and how to use these session keys to decrypt the TLS traffic with Wireshark and Tshark.

Even though Suricata’s multi-threaded architecture allowed for better performance than other IDS tools, our bandwidth grows faster every year. Currently we are faced with the task to monitor up to 400 Gbit/s of traffic in realtime with Suricata. Even with the Suricata Extreme Tuning Guide, it is not possible to handle this kind of bandwidth with commodity hardware. Using the latest features of XDP and Flow Shunting, we set out to find a cost effective solution that can handle at least 80 Gbit/s of traffic per Server (and possibly more). We evaluated different network card vendors to figure out which works best with Suricata in a regular Server under high load. In our talk we will present our results and experiences with setting up a high-performance Suricata cluster and also look at further challenges that are you will be facing – i.e. log / event shipping at more than 1000 events per seconds.

Signature language is well known for its ability to match complex things but recent evolution and not well known features could change the way we approach signature writing in Suricata. Matching is seen as the main point but creating the data to a better understanding of the event is an underrated point.. Better events with more context open new possibilities in terms of human and automated analysis. In this talk we will show hands on examples utilizing lua, flow variables and new sticky buffers available to Suricata 5.0 to showcase how analysis can benefit of better alert events.

Testing Suricata at 10/40G line rates requires either expensive equipment or using complex open source tools like TRex. Generating test data to make the results reproducible for a given network traffic profile is also time consuming. I will discuss and share the tools and techniques we’ve used to streamline this process, the traffic profiles we’ve developed, and some results of testing Suricata at 40G across several different traffic profiles.

Passive Fingerprinting using Suricata allows your Security Operations Center a greater understanding of the operating systems, devices, software and services running on your network. This process uses signatures that you control to detect and document these potential targets on a constantly running platform. The increased awareness grants the ability to improve your signal to noise ratio on alerts or be aware of the need to add in new rule sets based on the information discovered. Instead of having to spend your time determining if a device is vulnerable to a certain exploit attempted against it you will be able to reference the database created and save yourself some time. This talk will describe how we created the signatures and how we use Meer and a unique SID range to populate the database that can be referenced in the research of the IDS alerts.

Voice-over-IP is a technology widely used for the delivery of voice and multimedia traffic over networks such as the Internet. The driving factor for the success of this technology is the cost reduction with respect to traditional phone systems. As for all technologies, it does not bring only advantages, it also bring a major issue: security. In the early days of VoIP there was concern mainly about cost, functionality and reliability. In fact, one of the main actors of VoIP, the SIP protocol, which is essential for most communication, is vulnerable by its nature since it was not designed to be secure. In order to avoid attacks and protect VoIP infrastructure it is necessary to be aware of typical risks and to have a good understanding of how vulnerabilities can be exploited SIP (Session Initial Protocol) will be the rock star of this talk. We will dive deep in its structure and explore how it works, why it is unsecure and most important how Suricata can help us to defend VoIP infrastructure.

CERTitude is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large scale scans of Windows-based information systems by searching for behavioral patterns described in IOC (Indicator of Compromise) files.
Notable features include:
* Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is searching for
* Ability to retrieve some pieces of data from the hosts
* Multiple scanner instances (for IOCs and/or hash scans) can be run at the same time for parallel scanning
* Built with security considerations in mind (protected database, secure communications with hosts using IPSec)
Current roadmap is set to support new types of IOC (including data from MISP APIs) and new target operating systems (Linux).

This 10-minute talk is open to all attendees. Those interested in speaking should sign up at the Registration Desk, from 7:30 am – 9:00 am, the first morning of the conference. These talks are first-come, first-served. Please avoid any vendor or sales pitches — SuriCon is a community-centric event.

Friday, November 1

*** THIS PRESENTATION IS CLASSIFIED — NO AUDIO/VIDEO RECORDING WILL BE PERMITTED ***

An exclusive ‘inside’ view of the APT40 investigation will be presented by one of the primary investigators. Tactics, techniques and procedures for detecting, disrupting and defending against targeted “Zero Day” attacks from advanced threat actors will be presented in the context of a ‘live’ APT event. An example of “Next-Generation” fileless malware recovered from compromised systems will be revealed, along with processes to detect novel IOCs on both the network and endpoints. Limitations of current detection mechanisms will be discussed, as well as a proposal to extend Suricata functionality to provide true ‘Zero Day’ threat detection and allow for more effective machine learning solutions.

The growth of the underground economy has led to increased collaboration and dependencies between criminal actors. The model describing the ecosystem of specialized goods and services bought and sold by criminal actors is known as malware-as-a-service (MaaS) or cybercrime-as-a-service. MaaS has enabled actors to buy capabilities from third parties without needing to develop it internally. Examples of illicit goods and services include bulletproof hosting, packers, translation and distribution. In this presentation, we focus on the latter – distribution – and demonstrate how to use honeypots as a method of identifying malicious actors who profit from distributing the malware of other actors.

This talk is about the generation of test data. Test data (ideally, pcaps) are often required for several reasons: during the development, testing a parser often requires complete sessions (and not only individual packets) which can be hard to capture. It is also difficult to provide meaningful captures while being sure they do not contain sensitive or personal information. Creating synthetic data is one way to avoid these problems, but it is often a tedious task, often manual. We aim at providing tools that can be used to create data forged data in a programmatic and easy way.

To create and manipulate network data, scapy (https://scapy.net/) is the de-facto standard. However, while it allows creating packets easily, it provides no tool for creating entire sessions. We will present a new tool and library, scapy-flow, to perform complex stream data management. Using a similar concept as scapy, it allows creating network layers automata, and stack them to implement a full simulated network client or server. For example, an SNMP client is implemented using a stack IPFlow/UDPFlow/SNMPFlow. Each stack can then be connecting to the real network, thus providing a real client or server, or to another Flow stack, making the two sides communicate entirely in software. This allows an easy implementation of many protocols, only having to create a stub layer to simulate a client or server. This way, it is easy to generate thousands of sessions with different parameters, for example one session for every single TLS ciphersuite available in the standard. Invalid data can also be inserted, since scapy allows raw manipulation of data, to test parser robustness. Another advantage is the ability to simulate network problems by inserting a layer in the stack, for example an item that will simulate IP fragmentation problems, or reordering of packets, etc.

scapy-flow is open-source, written in Python, and will be published by the time of SuriCon (as a submission to the mainstream project scapy).