Proofpoint Emerging Threats Suricata 5.0 Webinar
© 2019 Proofpoint, Inc.
PROOFPOINT EMERGING THREATS
ET PRO SURICATA 5.0
The ET team today on the call:
- Richard Gonzalez, ET Manager
- Jason Williams, ET Researcher, @switchingtoguns
- Jack Mott, ET Researcher, @malwareforme
- Brad Woodberg, ET Product Manager
Agenda
- We've never done this before...please go easy on our lack of webinar skills.
- Where we've been.
- Where we are.
- Where we're going.
- Thanks and Q&A
WHERE WE'VE BEEN
Where we've been
- It's been ~4 ½ years since ET was acquired by Proofpoint.
- We've seen the shifts in the landscape from EKs to ransomware to maldocs to coinminers to phish and everything in between.
- We've been shifting the focus of our detections with those changes in the landscape, to help analysts detect network comms as best we can.
- ET rules and detection logic are part of many Proofpoint products, even where you might not see them in the traditional sense.
- The visibility gained from Proofpoint has been extremely valuable in writing new detections, but we're still a small, scrappy team.
- The research teams at Proofpoint are fantastic. We work closely with them and they have helped fuel our detections.
Where we've been
- We love the ET ruleset, but there are things we know we can improve:
  - The categories and classifications are dated.
  - TROJAN and MALWARE don't entirely mean what their names say.
  - CURRENT_EVENTS turned into a dumping ground for all the "cool stuff".
- We want to better prune and update older rules within the ruleset.
- That documentation thing.
- Yeah, we read the tweets about us.
- These things take people, time, and effort.
  - It is complicated and dangerous to make sweeping rule edits.
  - It's not just a sed replace for various things.
  - We always have performance and QA in mind with our changes.
Where we've been
- We have a LOT of malicious traffic, but we don't have complete visibility into non-malicious traffic.
- We rely on our users and our partners to give us more visibility into wider networks and geos. Every network is special.
- We were happy when we were able to fork the ruleset to 4.0 (then 4.1 came out).
- Our internal tools have sometimes kept us from being able to act as fast as we wanted (4.1).
- ET OPEN vs ET PRO: still the same policies, still committed to supporting the community.
WHERE WE ARE
What is ET focused on today?
- We tend to spend much of our time writing rules for the things we see hitting people today out in the world.
  - ITW > !ITW: threats observed in the wild take priority over those that are not.
- We're always writing rules for malware.
- This means that we follow today's landscape, writing lots of rules for:
  - Social engineering / credential theft (phishing)
  - Malicious documents
  - Coinminers
  - RATs, keyloggers, various CnC
  - Things that are SSL encrypted (more on this later)
We're supporting Suricata 5.0 at launch (today)
- We are actively supporting 60k (PRO) rules across 4 rule engines.
  - ~48k active and ~12k disabled
  - Snort 2.9.x / Suricata 2 / Suricata 4 / Suricata 5
- Suricata 4 will continue to be supported for the foreseeable future.
- Suricata 2 will be EOL'd in 90 days (no new rules).
- We look forward to supporting Snort 3 when it goes GA.
- The Suricata 5 ruleset will feature new categories and classifications, as well as updates to existing categories and rules so that they make more sense.
  - Some of these things haven't been changed in a decade or more, and most are a result of drift.
New Categories - msg:"ET $CATEGORY"
- This will be the first iteration of the ruleset that steps into the current malware landscape in terms of metadata.
  *These changes only affect the new Suricata 5 ruleset.
- MALWARE will be renamed to ADWARE_PUP.
- TROJAN will be renamed to MALWARE.
  (The category is the second word of every msg, so anything you key on the MALWARE name needs to account for the rename.)
- New categories:
  - PHISHING (phishing.rules)
  - COINMINER (coinminer.rules)
  - JA3 (ja3.rules)
  - EXPLOIT_KIT (exploit_kit.rules)
  - HUNTING (hunting.rules)
New Classtypes - classtype:this-stuff-is-new;
- classtype:credential-theft; (phishing)
- classtype:social-engineering;
- classtype:command-and-control; (replacing lots of trojan-activity)
- classtype:coin-mining;
- classtype:external-ip-lookup;
- classtype:domain-c2;
- classtype:exploit-kit;
- classtype:pup-activity; (possibly unwanted program)
- classtype:targeted-activity;
Classtypes are defined in classification.config; the upstream Suricata copy is at https://github.com/OISF/suricata/blob/master/classification.config
New things/trends in the Suricata 5 ruleset
- New sticky buffers are utilized immediately, and old rules will be converted over time. There are some performance bonuses to be had here:
  - content:".php"; http_uri; isdataat:!1,relative; (old)
  - http.uri; content:".php"; endswith; (new hotness)
  With the sticky buffer, endswith anchors the match to the end of the buffer and replaces the isdataat:!1,relative idiom.
- Support for JA3 and JA3S hash rules:
  - https://suricata.readthedocs.io/en/latest/rules/ja3-keywords.html
- Usage of transforms:
  - https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/transforms.html
- More frequent usage of XBITS:
  - https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/xbits.html
- Datasets...?
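How the hash that a ja3_hash rule matches on is actually derived, as an added example (not from the slides, and not ET or Suricata code): JA3 joins the ClientHello's version, cipher suites, extension types, elliptic curves and point formats as decimal strings, drops GREASE values, and MD5s the result; JA3S does the same for the ServerHello's version, chosen cipher and extensions. The ClientHello field values below are constructed for illustration, and rule_for() is a helper that just emits a rule in the shape of the slides' Trickbot example.

```python
import hashlib

# GREASE values (RFC 8701) are inserted at random positions by modern clients.
# JA3 drops them so the fingerprint does not change from one connection to the next.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _field(values):
    """Decimal values in wire order, '-'-joined, GREASE removed ('' if empty)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 = TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3s_string(version, cipher, extensions):
    """JA3S fingerprints the ServerHello: TLSVersion,Cipher,Extensions."""
    return ",".join([str(version), str(cipher), _field(extensions)])


def fingerprint(s):
    """The value a ja3_hash / ja3s_hash rule matches on: MD5 hex digest of the string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def rule_for(ja3_md5, name, sid):
    """Helper (assumption, not ET tooling): a rule in the shape of the slides' Trickbot example."""
    return ('alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Observed '
            f'Malicious Hash ({name})"; flow:established,to_server; ja3_hash; '
            f'content:"{ja3_md5}"; classtype:command-and-control; sid:{sid}; rev:1;)')


# Constructed ClientHello field values (not a capture): TLS 1.2 legacy version,
# GREASE in ciphers, extensions and curves, as a Chromium-style client would send.
SAMPLE_HELLO = dict(
    version=771,
    ciphers=[0x1a1a, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 0x3a3a, 21],
    curves=[0x4a4a, 29, 23, 24],
    point_formats=[0],
)

# The same client on its next connection: only the GREASE values have rotated.
SAMPLE_HELLO_NEXT = dict(
    SAMPLE_HELLO,
    ciphers=[0x7a7a] + SAMPLE_HELLO["ciphers"][1:],
    extensions=[0xcaca] + SAMPLE_HELLO["extensions"][1:-2] + [0xdada, 21],
    curves=[0xfafa] + SAMPLE_HELLO["curves"][1:],
)

if __name__ == "__main__":
    s = ja3_string(**SAMPLE_HELLO)
    print(s)
    print(fingerprint(s))
    print(rule_for(fingerprint(s), "constructed sample", 1000001))
```

The second ClientHello produces the same JA3 string as the first, which is the whole point of stripping GREASE. The caveat that goes with the Trickbot rule: a JA3 hash identifies a TLS stack and its configuration, not a binary, so a hash shared with a common library needs the surrounding context (destination, JA3S, flow metadata) before it is treated as a CnC indicator.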
Suricata 5 rule examples (1)
# JA3 hash of the TLS ClientHello:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Observed Malicious Hash (Trickbot CnC)"; flow:established,to_server; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; classtype:command-and-control; sid:1; rev:1;)
# Response body with the compress_whitespace transform applied before the content match:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing"; flow:established,to_client; file_data; compress_whitespace; content:"function CheckVersionFlash("; classtype:exploit-kit; sid:2; rev:1;)
Suricata 5 rule examples (2)
# dns_query sticky buffer; bsize:13 is the exact length of the queried name:
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Glupteba CnC Domain in DNS Query"; dns_query; content:"postnews.club"; bsize:13; nocase; classtype:domain-c2; sid:3; rev:1;)
# http.user_agent sticky buffer; |3b 20| is "; " in hex, and bsize:82 pins the whole header value:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:command-and-control; sid:4; rev:1;)
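A small linter for rules in the shape of the four examples above, as an added example (not from the slides and not ET tooling). It splits the option block on ';' outside quotes, decodes |hex| runs in content strings, checks that a bsize matches the decoded content length, checks that a ja3_hash content really is a 32-character hex digest, and flags the legacy isdataat:!1,relative idiom that the sticky-buffer endswith replaces. SLIDE_RULES are the four rules from the slides; the two rules in BAD_RULES are constructed so that each check can be seen firing.

```python
import re

# The four Suricata 5 rules from the slides, one per line.
SLIDE_RULES = [
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Observed Malicious Hash (Trickbot CnC)"; flow:established,to_server; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; classtype:command-and-control; sid:1; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing"; flow:established,to_client; file_data; compress_whitespace; content:"function CheckVersionFlash("; classtype:exploit-kit; sid:2; rev:1;)',
    'alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Glupteba CnC Domain in DNS Query"; dns_query; content:"postnews.club"; bsize:13; nocase; classtype:domain-c2; sid:3; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:command-and-control; sid:4; rev:1;)',
]

# Constructed rules (not ET rules) that should each produce exactly one finding.
BAD_RULES = [
    'alert dns $HOME_NET any -> any any (msg:"ET MALWARE Constructed bsize mismatch"; dns_query; content:"postnews.club"; bsize:14; nocase; classtype:domain-c2; sid:9000001; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Constructed legacy style"; flow:established,to_server; content:".php"; http_uri; isdataat:!1,relative; classtype:command-and-control; sid:9000002; rev:1;)',
]

HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")
JA3_BUFFERS = {"ja3_hash", "ja3.hash", "ja3s_hash", "ja3s.hash"}
# Bare keywords that modify the preceding content rather than select a buffer.
MODIFIERS = {"nocase", "endswith", "startswith", "fast_pattern", "rawbytes"}


def split_options(rule):
    """Split the '(...)' option block on ';' that are outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def decode_content(value):
    """Bytes a content string matches: |3b 20| runs become raw bytes, backslash escapes are removed."""
    def literal(text):
        return re.sub(r"\\([\";\\])", r"\1", text).encode("latin-1")
    out, pos = bytearray(), 0
    for m in HEX_RUN.finditer(value):
        out += literal(value[pos:m.start()])
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += literal(value[pos:])
    return bytes(out)


def lint_rule(rule):
    """Return the msg category, classtype, last content length and a list of findings."""
    msg = classtype = buffer = None
    last_len = None
    findings = []
    for opt in split_options(rule):
        name, sep, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        if not sep:
            if name not in MODIFIERS:
                buffer = name            # sticky buffer or transform, e.g. http.user_agent
            continue
        if name == "msg":
            msg = val.strip('"')
        elif name == "classtype":
            classtype = val
        elif name == "content":
            raw = decode_content(val.strip('"'))
            last_len = len(raw)
            if buffer in JA3_BUFFERS and not re.fullmatch(rb"[0-9a-f]{32}", raw):
                findings.append("ja3 content is not a 32-char lowercase md5 hex digest")
        elif name == "bsize":
            if last_len is None:
                findings.append("bsize without a preceding content")
            elif val.isdigit() and int(val) != last_len:
                findings.append(f"bsize:{val} disagrees with content length {last_len}")
        elif name == "isdataat" and val.replace(" ", "") == "!1,relative":
            findings.append("legacy end-of-buffer check; with a sticky buffer use endswith instead")
    m = re.match(r"ET(?:PRO)? ([A-Z0-9_]+) ", msg or "")
    return {"msg": msg, "category": m.group(1) if m else None, "classtype": classtype,
            "content_len": last_len, "findings": findings}


def lint_all(rules=SLIDE_RULES):
    return [lint_rule(r) for r in rules]


if __name__ == "__main__":
    for r in lint_all(SLIDE_RULES + BAD_RULES):
        print(r["category"], r["classtype"], r["content_len"], r["findings"] or "ok")
```

Run over the slide rules it reports no findings: the Glupteba content decodes to 13 bytes and the Cobalt Strike user agent, once the |3b 20| runs are expanded, to exactly the 82 bytes its bsize claims. A bsize that disagrees with the content is the kind of defect that silently turns a rule into one that never fires, which is why the slides stress that sweeping edits are more than a sed replace.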
Rule Migrations
- If you've been watching the rulesets, we've had some big rule migrations.
- Things leaving CURRENT_EVENTS:
  - Some things being disabled, like an SSL cert that hit for a week in 2017.
  - Some things being moved, like maldoc signatures into the MALWARE category.
  - Some other things being moved, like EK signatures into the WEB_CLIENT category (this includes Suri4).
- Things being rewritten:
  - We had a lot of DNS rules that were written for *most* cases, but not all. Rewritten for all engines and updated for dns_query where possible.
- Things generally being disabled that haven't hit in a long, long time or are no longer around.
WHERE WE GOIN'
Where we're going – Our Vision for the ET ruleset
- Enable analysts to make informed decisions about what actions to take on their network. Suricata is NSM, not just IDS.
  - The old way of thinking, "an alert means something bad", should not be applied to every alert.
- If you see something fire from the MALWARE (or TROJAN) category, it should be malware. You probably need to do something about it.
- If you see something fire from the INFO category, it is just trying to save you some time and provide context to the other events around it.
- Lots of rule migration will continue to occur... HUNTING.
- The community matters.
Where we're going
- We will continue to support both the PRO and OPEN rulesets, along with the ETPRO Telemetry edition.
- Writing more rules with the stipulation that they require SSL MITM (decryption on the sensor) to trigger. See the 'SSLDecrypt' value of the 'Signature Deployment' metadata tag.
- More automation around the signature "performance impact" metadata tag, to provide more accurate data based on larger datasets.
- Actively seeking organizations who can share pcap data for use in our QA processes.
Where we're going
- We don't expect to be making large changes in category and classification like this outside of major engine releases.
- As we saw with Suricata 4.1, which had many new features, we don't expect to be able to fork the ruleset for minor versions.
- Suricata 2 will be EOL'd in 90 days (no new rules).
- Working on more documentation™.
- We do expect to be adding more metadata to the rules, such as:
  - MITRE ATT&CK framework
  - Backfilling legacy rules with metadata
  - Source
  - SSL_Decrypt
What do I do if I see a FP in an ET rule?
- https://feedback.emergingthreats.net
- If you're seeing it, other people are seeing it.
- We always want to know about it.
- We can see a lot of data, but chances are we can't see YOUR data, so help us help you help everyone.
- If you want to discuss the rule, the mailing list is a great option. If you want it fixed, the feedback portal is the fastest way to do so. We check the twitters, but it's not part of our ticketing workflow.
- A POLICY rule firing on stuff you don't care about is not a FP.
- Local tunes vs global tune: suppress or threshold a rule on your own sensors when it is noise only for your network; report it when the rule itself is wrong.
I'm an ET user, what do I need to do?
- If you're on Suri 2, you need to look at migrating to Suri 4 or 5 in the next 90 days to continue getting rule updates. If you're lower than 2, update. Please.
- If you're on Suri 4 and you don't have the ability to update, update when you can. This ruleset will continue to get new rules.
- I want to upgrade:
  - Upgrade Suricata on your sensors.
  - Change your download links to point to the Suricata 5 download location:
    - OPEN: https://rules.emergingthreats.net/open/suricata-5.0/
    - PRO: https://rules.emergingthreatspro.com/[LICENSE_CODE]/suricata-5.0/
  - If you are only pulling in certain rule files, you may want to re-evaluate which ones you are grabbing. E.g. CURRENT_EVENTS won't have any EKs any more.
How can I participate?
- The mailing list
  - https://lists.emergingthreats.net/mailman/listinfo/
- Twitter
  - @et_labs (research and cool stuff)
  - @emergingthreats (probably more marketing type stuff)
- The Malware Exchange
- Join our team (senior researcher role open)
- ETPRO Telemetry edition
- Custom sharing agreements (NDA)
- Report issues via the feedback portal
  - https://feedback.emergingthreats.net
Thanks from the whole ET team to the community
- PT Security – Contributing some great rules to ET Open
- Travis Green – OG ET, still contributing to the community
- Protectwise – Thank you for all the reports of ways various rules could be improved
- Opnsense – Thank you for the partnership in helping bring the ETPRO Telemetry to life
- MS-ISAC
- GM CIRT
- The Suricata and OISF teams (Suricon 2019)
Q & A
26 © 2019 Proofpoint, Inc.
27 © 2019 Proofpoint, Inc.

Más contenido relacionado

La actualidad más candente

Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and ssl
Mohd Arif
 
I psec
I psecI psec
I psec
nlekh
 
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on..." Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
PROIDEA
 

La actualidad más candente (20)

2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion Conference
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
 
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 
05 06 ike
05   06 ike05   06 ike
05 06 ike
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Chapter 8 security tools ii
Chapter 8   security tools iiChapter 8   security tools ii
Chapter 8 security tools ii
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Shamoon
ShamoonShamoon
Shamoon
 
Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and ssl
 
I psec
I psecI psec
I psec
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
FastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection toolFastNetMon Advanced DDoS detection tool
FastNetMon Advanced DDoS detection tool
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
IPsec on Mikrotik
IPsec on MikrotikIPsec on Mikrotik
IPsec on Mikrotik
 
Security Onion Conference - 2015
Security Onion Conference - 2015Security Onion Conference - 2015
Security Onion Conference - 2015
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on..." Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
 

Similar a Proofpoint Emerging Threats Suricata 5.0 Webinar

IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docxIT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
vrickens
 
TotalEconomicBenefitOfSparqlycode 1.2
TotalEconomicBenefitOfSparqlycode 1.2TotalEconomicBenefitOfSparqlycode 1.2
TotalEconomicBenefitOfSparqlycode 1.2
Paul Worrall
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
rtodd599
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
jeffsrosalyn
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
dewhirstichabod
 

Similar a Proofpoint Emerging Threats Suricata 5.0 Webinar (20)

Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
DotNetnuke
DotNetnukeDotNetnuke
DotNetnuke
 
Sydney mule soft meetup 30 april 2020
Sydney mule soft meetup   30 april 2020Sydney mule soft meetup   30 april 2020
Sydney mule soft meetup 30 april 2020
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018
 
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
 
Safecrossroads ep01
Safecrossroads ep01Safecrossroads ep01
Safecrossroads ep01
 
2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf2021-10-14 The Critical Role of Security in DevOps.pdf
2021-10-14 The Critical Role of Security in DevOps.pdf
 
IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docxIT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
IT 8003 Cloud ComputingGroup Activity 1 SuperTAX Soft.docx
 
DotNetnuke
DotNetnukeDotNetnuke
DotNetnuke
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
SEC1671/ Attack range/Splunk SIEMulator splunkconf2019
SEC1671/ Attack range/Splunk SIEMulator splunkconf2019SEC1671/ Attack range/Splunk SIEMulator splunkconf2019
SEC1671/ Attack range/Splunk SIEMulator splunkconf2019
 
TotalEconomicBenefitOfSparqlycode 1.2
TotalEconomicBenefitOfSparqlycode 1.2TotalEconomicBenefitOfSparqlycode 1.2
TotalEconomicBenefitOfSparqlycode 1.2
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
 
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docxSample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
 
The Developer is the New CIO: How Vendors Adapt to the Changing Landscape
The Developer is the New CIO: How Vendors Adapt to the Changing LandscapeThe Developer is the New CIO: How Vendors Adapt to the Changing Landscape
The Developer is the New CIO: How Vendors Adapt to the Changing Landscape
 
[Analyst Research Slides] Build vs. Buy: Finding the Best Path to Network Aut...
[Analyst Research Slides] Build vs. Buy: Finding the Best Path to Network Aut...[Analyst Research Slides] Build vs. Buy: Finding the Best Path to Network Aut...
[Analyst Research Slides] Build vs. Buy: Finding the Best Path to Network Aut...
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
 

Último

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Último (20)

Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 

Proofpoint Emerging Threats Suricata 5.0 Webinar

  • 1. 1 © 2019 Proofpoint, Inc. PROOFPOINT EMERGINGTHREATS ETPROSURICATA5.0
  • 2. 2 © 2019 Proofpoint, Inc. The ET team today on the call:  Richard Gonzalez  ET Manager  Jason Williams  ET Researcher  @switchingtoguns  Jack Mott  ET Researcher  @malwareforme  Brad Woodberg  ET Product Manager
  • 3. 3 © 2019 Proofpoint, Inc. Agenda  We've never done this before...please go easy on our lack of webinar skills.  Where we've been.  Where we are.  Where we're going.  Thanks and QA
  • 4. 4 © 2019 Proofpoint, Inc. WHERE WE'VE BEEN
  • 5. 5 © 2019 Proofpoint, Inc. Where we've been  It's been ~4 ½ years since ET was acquired by Proofpoint  We've seen the shifts in landscape from EKs to Ransomware to Maldocs to Coinminers to Phish and all in between.  We've been shifting focus in our detections with those changes in the landscape to help analysts detect network comms best we can.  ET rules and detection logic are part of many Proofpoint products even when you might not see it in the traditional sense.  Visibility gained from Proofpoint has been extremely valuable in writing new detections, but we're still a small scrappy team.  The research teams at Proofpoint are fantastic. We work closely with them and they have helped to fuel our detections.
  • 6. 6 © 2019 Proofpoint, Inc. Where we've been  We love the ET ruleset but there are things we know we can improve The categories & classifications are dated TROJAN and MALWARE don’t entirely mean what they are called CURRENT_EVENTS turned into a dumping ground for all the "cool stuff".  We want to better prune and update older rules within the ruleset.  That documentation thing  Yea we read the tweets about us  These things take people, time, and effort.  It is complicated and dangerous to make sweeping rule edits.  It's not just a sed replace for various things.  We always have perf and QA in mind with our changes
  • 7. 7 © 2019 Proofpoint, Inc. Where we've been  We have a LOT of malicious traffic, but we don't have complete visibility into non-malicious traffic.  We rely on our users and our partners to give us more visibility into wider networks and geos. Every network is special.  We were happy when we were able to fork the ruleset to 4.0 (then 4.1 came out)  Our internal tools have sometimes kept us from being able to act as fast as we have wanted. (4.1)  ET OPEN vs ET PRO – Still the same policies, still committed to supporting the community
  • 8. 8 © 2019 Proofpoint, Inc. WHERE WEARE
  • 9. 9 © 2019 Proofpoint, Inc. What is ET focused on today?  We tend to spend much of our time writing rules on the things that we see hitting people today out in the world.  ITW > !ITW  We're always writing rules for malware  This means that we follow today's landscape writing lots of:  Social Engineering / Credential Theft – Phishing  Malicious Documents  Coinminers  RATs, Keyloggers, VARIOUS CnC  Things that are SSL encrypted (more on this later)
  • 10. 10 © 2019 Proofpoint, Inc. We're supporting Suricata 5.0 at launch (today)  We are actively supporting 60k (PRO) rules across 4 rule engines.  ~48k active and ~12k disabled  Snort 2.9.x / Suricata 2 / Suricata 4 / Suricata 5  Suricata 4 will continue to be supported for the foreseeable future.  Suricata 2 will be EOL'd in 90 days. (no new rules)  We look forward to supporting Snort3 when it goes GA.  The Suricata 5 ruleset will feature new categories and classifications as well as updates to existing categories and rules to make more sense.  Some of these things haven't been changed in a decade or more and most are a result of drift.
  • 11. 11 © 2019 Proofpoint, Inc. New Categories - msg:"ET $CATEGORY"  This will be the first iteration of the ruleset that steps into the current malware landscape in terms of metadata *These changes are only affecting the new Suricata 5 ruleset  MALWARE will be renamed to ADWARE_PUP  TROJAN will be renamed to MALWARE  New Categories: - PHISHING (phishing.rules) - COINMINER (coinminer.rules) - JA3 (ja3.rules) - EXPLOIT_KIT (exploit_kit.rules) - HUNTING (hunting.rules)
  • 12. 12 © 2019 Proofpoint, Inc. New Classtypes - classtype:this-stuff-is-new;  classtype:credential-theft; (phishing)  classtype:social-engineering;  classtype:command-and-control; (replacing lots of trojan-activity)  classtype:coin-mining;  classtype:external-ip-lookup;  classtype:domain-c2;  classtype:exploit-kit;  classtype:pup-activity; (possibly unwanted program)  classtype:targeted-activity; https://github.com/OISF/suricata/blob/master/classification.config
  • 13. 13 © 2019 Proofpoint, Inc. New things/trends in the Suricata 5 ruleset  New sticky buffers utilized immediately, and old rules will be converted over time. There are some perf bonuses to be had here:  content:".php"; http_uri; isdataat:!1,relative; (old)  http.uri; content:".php"; endswith; (new hotness)  Support for JA3 and JA3S hash rules:  https://suricata.readthedocs.io/en/latest/rules/ja3-keywords.html  Usage of transforms:  https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/transforms.html  More frequent usage of XBITS:  https://suricata.readthedocs.io/en/suricata-5.0.0-beta1/rules/xbits.html  Datasets...?
  • 14. 14 © 2019 Proofpoint, Inc. Suricata 5 rule examples (1) # alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Observed Malicious Hash (Trickbot CnC)"; flow:established,to_server; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; classtype:command-and-control; sid:1; rev:1;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing"; flow:established,to_client; file_data; compress_whitespace; content:"function CheckVersionFlash("; classtype:exploit-kit; sid:2; rev:1;)
  • 15. 15 © 2019 Proofpoint, Inc. Suricata 5 rule examples (2) # alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Glupteba CnC Domain in DNS Query"; dns_query; content:"postnews.club"; bsize:13; nocase; classtype:domain-c2; sid:3; rev:1;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:command-and-control; sid:4; rev:1;)
  • 16. 16 © 2019 Proofpoint, Inc. Rule Migrations  If you've been watching the rulesets, we've had some big rule migrations  Things leaving CURRENT_EVENTS: - Some things being disabled, like a SSL cert that hit for a week in 2017 - Some things being moved, like Maldoc signatures into the MALWARE category - Some other things being moved, like EK signatures into the WEB_CLIENT category (this includes Suri4)  Things being rewritten: - We had a lot of DNS rules that were written for *most* cases, but not all. Rewritten for all engines and updated for dns_query where possible.  Things generally being disabled that haven't hit in a long, long time or are no longer around.
17 © 2019 Proofpoint, Inc.
WHERE WE GOIN'
18 © 2019 Proofpoint, Inc.
Where we're going – Our Vision for ET ruleset
 Enable analysts to make informed decisions about what actions to take on their network. Suricata is NSM, not just IDS.
 The old way of thinking "An alert means something bad" should not always be applied to every alert.
 If you see something fire from the MALWARE (or TROJAN) category, it should be malware. You probably need to do something about it.
 If you see something fire from the INFO category, it is just trying to save you some time and help provide context to other events around it.
 Lots of rule migration will continue to occur... HUNTING.
 The community matters.
19 © 2019 Proofpoint, Inc.
Where we're going
 We will continue to support both the PRO and OPEN rulesets along with the ETPRO Telemetry edition.
 Writing more rules with the stipulation that they require SSL MITM to trigger. See metadata tag 'SSLDecrypt' for 'Signature Deployment'.
 More automation around the signature "performance impact" metadata tag to help provide some more accurate data here based on larger datasets.
 Actively seeking organizations who can share pcap data for usage in our QA processes.
20 © 2019 Proofpoint, Inc.
Where we're going
 We don't expect to be making large changes in category and classification like this outside of major engine releases.
 Like we saw in Suricata 4.1, which had many new features, we don't expect to be able to fork the ruleset for minor versions.
 Suricata 2 will be EOL'd in 90 days (no new rules).
 Working on more documentation™.
 We do expect to be adding more metadata to the rules such as:
  MITRE ATT&CK Framework
  Backfilling Legacy Rules with Metadata
  Source
  SSL_Decrypt
21 © 2019 Proofpoint, Inc.
What do I do if I see a FP in an ET rule?
 https://feedback.emergingthreats.net
 If you're seeing it, other people are seeing it.
 We always want to know about it.
 We can see a lot of data, but chances are we can't see YOUR data--so help us help you help everyone.
 If you want to discuss the rule, the mailing list is a great option. If you want it fixed, the feedback portal is the fastest way to do so. We check the twitters, but it's not part of our ticketing workflow.
 POLICY rule firing on stuff you don't care about is not a FP.
 Local tunes vs global tune
22 © 2019 Proofpoint, Inc.
I'm an ET user, what do I need to do?
 If you're on Suri 2, you need to look at migrating in the next 90 days to Suri 4 or 5 to continue getting rule updates. If you're lower than 2, update. Please.
 If you're on Suri 4 and you don't have the ability to update, update when you can. This ruleset will continue to get new rules.
 I want to Upgrade
  Upgrade Suricata on your sensors
  Change your download links to point to the Suricata 5 download location
  - OPEN: https://rules.emergingthreats.net/open/suricata-5.0/
  - PRO: https://rules.emergingthreatspro.com/[LICENSE_CODE]/suricata-5.0/
  If you are only pulling in certain rulesets – you may want to re-eval which ones you are grabbing. E.g. CURRENT_EVENTS won't have any EKs.
23 © 2019 Proofpoint, Inc.
How can I participate?
 The mailing list
  https://lists.emergingthreats.net/mailman/listinfo/
 Twitter
  @et_labs (research and cool stuff)
  @emergingthreats (probably more marketing type stuff)
 The Malware Exchange
 Join our team (senior researcher role open)
 ETPRO Telemetry edition
 Custom sharing agreements (NDA)
 Report issues via feedback portal
  https://feedback.emergingthreats.net
24 © 2019 Proofpoint, Inc.
Thanks from the whole ET team to the community
 PT Security – Contributing some great rules to ET Open
 Travis Green – OG ET, still contributing to the community
 ProtectWise – Thank you for all the reports of ways various rules could be improved
 OPNsense – Thank you for the partnership in helping bring the ETPRO Telemetry to life
 MS-ISAC
 GM CIRT
 The Suricata and OISF Teams (SuriCon 2019)
25 © 2019 Proofpoint, Inc.
Q & A