4th Annual SuriCon Agenda

Wednesday, November 14

An introduction to OPNsense, a fully featured open source security platform, and its spinoff OPNids. The core of both systems utilizes the famous meerkat, enhanced with easy GUI-based configuration that enables businesses of any size to take advantage of its capabilities. We’ll focus on the importance of open source and talk about OPNids as a sensor on steroids. OPNids is the first software distribution to seamlessly integrate Suricata with Dragonfly, an open source machine learning engine.

Coinciding with the 30th anniversary of the Morris Worm, a brief retrospective on the history of Internet security and the birth of modern Intrusion Detection Systems will be presented. As Suricata approaches its tenth birthday, the current challenges facing a 20Gbit deployment on an open and decentralized academic network will be reviewed in context with metrics showing current and future roadblocks. A novel security architecture will be proposed for high-risk networks that will allow for logging and inspection of TLS 1.3 sessions, automated detection of ‘Zero Day’ attacks, insider threats, and data exfiltration. Mitigations for low-risk, decentralized networks will be proposed to still allow for managing risk on an increasingly diverse and encrypted IPv6 Internet.

Network security practitioners frequently correlate alerts produced by Suricata with flow-level logs available from other network monitors, for example in order to understand the context of an alert and gauge the outcome of an attack. Currently the best way to conduct this correlation is by manually identifying the flow tuple involved (usually including the source/destination IP addresses and ports as well as the transport layer protocol) around the timestamps in question. To simplify this process, the Bro and Suricata developers have been working jointly on a “Community ID” value that both monitors compute and log identically, allowing immediate correlation on a single hash value. In this talk we will motivate the Community ID, report on its current implementation status, and demonstrate it to the community.

Content-based detection is often impossible for encrypted communication. At the same time, a lot of malware uses self-signed certificates or Tor. We would like to introduce to the community a new method of leveraging the power of Suricata rules for detecting malicious connections under TLS. Custom closed protocols built on raw TCP are also covered. We will introduce fingerprints for Dridex, Ursnif and Remcos, all of which use TLS and/or a custom protocol. Based on these examples we will show how to detect malicious C2 communication at an early stage of infection. Heartbeat communication also contains enough unique data to build rules on. We’ll demonstrate how to create more accurate detection by joining both kinds of special data pieces through flowbits. The aspects that make this kind of detection harder to implement, as well as ways of solving them (e.g. handling padding in TLS fragments and joining such fragments into one Suricata buffer), will be considered. We hope that our methodology will be interesting not only for malware analysts but also for developers working on detection engine optimization, and that it will serve as a catalyst in the development of detection methods.

One of the advanced features available in Suricata is the ability to use the Lua programming language to create sophisticated rules to match malicious traffic that would be hard to match otherwise. In this talk I will discuss this and extending the approach to decode traffic for some malware families and, using some newer Suricata features, expose the results in the EVE log.

Pairing Suricata and Sagan together has given our Security Operations Center (SOC) greater visibility into malicious activity and improved our ability to detect threats. We leverage Suricata for network threat detection and Sagan to detect threats via log analysis (Windows event logs, syslog, etc.). This talk aims to explain how to correlate data between Suricata and Sagan so you can detect and defend against threats and gain greater visibility into your network. This talk also covers the new “Meer” project. Meer works similarly to “Barnyard2”, but rather than reading Unified2 files, Meer reads Suricata and Sagan “EVE” (JSON) alert files. Meer can be found at https://github.com/beave/meer!

In May 2018 ProtectWise 401TRG released an intelligence report titled Burning Umbrella, detailing attacks originating from the Chinese Intelligence Apparatus. In addition, the report details active operations leading to a greater politically focused mission, and links to nearly a decade of attacks. In this talk we will share the process of uncovering the attacking entity and turning it into detection and hunting techniques across network telemetry. This includes review of the entity and basic concepts used to identify and detect active compromises using Suricata. Lastly, we will review broad network hunting techniques we used to detect these attacks and similar groups in the United States and East Asia.

This 10-minute talk is open to all attendees. Those interested in speaking should sign up at the Registration Desk, from 7:30 am – 9:00 am, the first morning of the conference. These talks are first-come, first-served. Please avoid any vendor or sales pitches — SuriCon is a community-centric event.

All conference attendees are welcome to meet and mingle with our sponsors!

Thursday, November 15

For just about two years, we at DCSO have refined our use of Suricata to form the basis of our network detection capabilities. In our talk, we share our experiences building a multi-customer NSM stack using Debian, Suricata and commodity server hardware, paying special attention to performance, ease of deployment, sensor management and monitoring. Moreover, we present and discuss various metadata-based use cases beyond classic IDS/IPS alerting and their benefits for defense in depth. Finally, we introduce new software tools developed in-house (to be released under free licenses before SuriCon) and demonstrate their use to accelerate both service integration and the implementation of new downstream capabilities.

More than 8 years after the last protocol update, TLS is about to receive a new version: TLS 1.3. Much more than a minor update, this new version aims at improving the security and speed of encrypted connections such as HTTP/2. This talk gives an overview of the changes: the differences in the protocol messages and state machine (especially 0-RTT), and the changes in cryptographic parameters. It then takes a deeper look at how these changes affect detection systems: parts of the protocol that are now encrypted (the certificate and some extensions), the added and removed metadata, and the co-existence of parsers for earlier versions.

Today techniques such as link aggregation, load balancing and asymmetric routing are widely used within data networks to speed up communication and make it fail-safe. In such environments, feeding a modern network threat detection system becomes a challenge, as it expects a clean, full-duplex traffic flow on a single wire. Merging load-balanced network links is the most common solution to achieve this goal. But merging might lead to traffic duplication, out-of-order network packets or even packet loss. Also, sometimes it is not possible at all to merge network traffic because of restrictions on link bandwidth or infrastructural conditions. My talk illustrates by example how Suricata handles single-sided network connections, data loss within network flows and scrambled packets within network sessions. Starting with clean traffic samples, the change in Suricata’s behaviour is outlined when manipulating bits and pieces within the samples. The attendees will see how rule writing changes in order to make the most out of Suricata deployed in aggregated, load-balanced, asymmetric data networks.

Suricata is an open source IDS / IPS / NSM engine utilizing standards-compliant input and output formats like YAML and JSON. This enables easy integration with databases, Security Information and Event Management (SIEM) solutions, and other analysis tools. syslog-ng is an open source log management application capable of collecting, processing, filtering and storing (or forwarding) log messages. Combining the two applications, you can analyze the logs of Suricata in real time and send the results to a wide variety of destinations, including e-mail alerts and Elasticsearch. Integrating Suricata and syslog-ng is a smooth and easy process thanks to JSON: Suricata logs network events in JSON format, while syslog-ng can parse JSON-formatted log messages. Once values are turned into name-value pairs, the possibilities are endless. In my talk, I show a few use cases that I tried on my Turris Omnia Linux router, featuring both Suricata and syslog-ng. Here are a few highlights: filtering logs based on field content to route them to the right places, for example alerts to a SIEM; adding contextual data to logs to enhance filtering or dashboards, for example machine function based on IP address; adding geolocation information based on IP address, which you can use to display attacks on a world map or to create an alert that notifies you of a network connection to a suspicious country; and comparing IP addresses with a known list of malware command & control IP addresses.

An introduction to Suricata-Update, the new tool included with Suricata to update your Suricata rules. This talk will also include an introduction to a core piece of Suricata-Update, the Suricata Intel Index and how this index helps users find new rules, as well as providing a way for rule publishers to make their rules more discoverable by the Suricata user base.

Creating realistic environments for testing the high-performance Suricata engine can be difficult — an ideal environment will have high throughput to test engine performance and diverse traffic to test the rule engine. An academic environment is ideal as it presents both high volume and diverse traffic, since there are generally far fewer restrictions on an academic network. In this talk, we will discuss ongoing efforts to establish partnerships with academia and industry: the obstacles encountered during partnership exploration, legal considerations, partnership goals and benefits, technical aspects of deploying a sensor as a third party, and research and development potential.

Suricata 4.1 includes eBPF and XDP support. Suricata will be one of the first general-purpose software projects to include these recent technologies introduced in the Linux kernel. While the addition of these technologies allows Suricata to fix old problems such as multiple VLAN filtering, the main impact is in the improvement of bypass capabilities. Flow bypass can now be done at the driver level and directly on advanced network cards such as those from Netronome. eBPF is an extension of the Berkeley Packet Filter that can be programmed in a subset of C and provides data structures that are shared between kernel and userspace. eBPF is used in Suricata to filter the capture socket and implement flow bypass. XDP is basically the capability to run an eBPF filter in the packet path at the driver level. This allows really early filtering and some fancy tricks that will be described in the talk.

This 10-minute talk is open to all attendees. Those interested in speaking should sign up at the Registration Desk, from 7:30 am – 9:00 am, the first morning of the conference. These talks are first-come, first-served. Please avoid any vendor or sales pitches — SuriCon is a community-centric event.

Friday, November 16

Suricata provides really great network visibility. We could have even more visibility if we could augment that with host data. Let’s see how we can get the best of both worlds using Security Onion.

When testing Suricata performance on 10G/40G links, production loads can vary significantly, and most people can’t afford to spend over US$100K on an Ixia traffic generator that can handle that throughput. Cisco’s TRex provides an open source traffic generator based on DPDK that works on commodity hardware and provides highly reproducible load near saturation on a 40G link. I want to discuss the setup, relative costs, and results of performance testing via this methodology.

Prescriptive analytics is often referred to as the “final frontier of analytic capabilities”; many organizations strive to get there and fail. Evolving from reactive to prescriptive is key for organizations to maintain their competitive advantage. So what does this journey look like when organizations embrace an analytics nerve center for security operations? In this session, we will review the advanced analytics maturity model, covering the various stages organizations go through on their journey to analytics-driven decision making. The focus of this journey will be tailored around utilizing machine learning to respond to security incidents and automating remediation.