Ending the
Tyranny of
Expensive
Security Tools:
A New Hope
�Who Am I?
Michele Chubirka, aka "Mrs. Y., Security Architect
and professional contrarian.
Analyst, blogger, B2B writer, podcaster.
Researches and pontificates on topics such as
security architecture and best practices.
chubirka@[Link]
[Link]
[Link]
@MrsYisWhy
[Link]/in/mchubirka/
�So Many Tools.
�So Little
Budget
�You Probably Already Have More Than You Need
Many products have functionality that can be leveraged
for security purposes.
Its not about the best tool, but the one that gets the
job done.
Ignore the siren song of the shiny new toy.
Expensive tools arent a quick fix.
�Explore Open Source
Many commercial products developed out of
open source projects:
Nmap
Tripwire
Sendmail
ISC Bind/DHCP
OpenSSL
�Monitoring Tools
Helpful in identifying anomalies.
Can detect signs of malicious activity.
Some provide canned compliance and security reports.
Information can be correlated with data from security
tools for better intrusion detection and incident
response.
Some have historical data useful during and post
breach.
�Monitoring Tool Examples
MRTG
Solarwinds Orion
Nagios
Netdisco
Wireless Management
Systems (WMS)
�MRTG Multi Router Traffic Grapher
Can detect anomalies in link
usage, indicating possible data
exfiltration or DDoS.
�Solarwinds Orion: Netflow
Can detect anomalies,
indicating unusual
patterns of traffic and
top talkers. Useful
for incident response.
�Nagios
Is it a security
incident or just an
outage?
�Netdisco
Open
source
network
management
tool
that
keeps
a
history
of
MAC
to
IP
address.
Useful
in
iden>fying
hosts
for
malware
remedia>on
and
other
incident
response.
Uses
SNMP
to
collect
ARP
and
MAC
tables,
then
stores
in
a
database.
�Compliance
Initiatives?
PCI DSS
SOX
HIPAA
Make existing tools work for
you.
�Solarwinds Orion: Compliance Reporting
�Cisco Prime Network Control System
�Cisco Prime NCS Reporting
�Aerohive Hive Manager
�Aerohive
Reporting
�System Tools
Cron and Logcheck alerting
Configuration management tools for automated
patching, tracking and reporting:
Puppet
Chef
Microsoft System Center Configuration Manager (SCCM)
Asset Management, HIDS, File Integrity Tools
Eracent
OSSEC
�What changed? Was it
authorized?
When is an error an
incident?
�OSSEC: an open
source Host Intrusion
Detection tool can
also be used as a file
integrity monitoring
tool to meet PCI DSS
requirements.
�Network Controls and Tools
ACLs and Route Maps
AOLs Trigger: open source network automation toolkit used for pushing
out configs and security policies, turns L3 devices into firewalls.
Load Balancers (aka Application Delivery Controllers)
SYN Cookies: prevent SYN flood attacks
DDoS protection
Protocol checks
Wireshark and NetworkMiner protocol analysis tools
RADIUS: provides authentication, authorization and accounting
802.1X: port-based network access control
�SYN Cookie
Server receives SYN.
Sends SYN+ACK, but discards the original SYN.
If server receives ACK, server reconstructs SYN entry
using information encoded in the TCP sequence
number.
�NetworkMiner Network Forensic Analysis Tool
Free and professional
editions can be used
live or to parse PCAP
files. Focuses on
collecting data about
hosts.
�Your Web Browser Is a Security Tool
Both Firefox and Chrome have free add-ons for application
security inspection, testing and fuzzing.
Groundspeed: application pentesting
HttpFox: analyzer
Live HTTP headers: analyzer
HackBar: application pentesting
Wappalyzer: application reconnaissance
PassiveRecon: web site reconnaissance
Shodan web site and plugin: reconnaissance
�Shodan
Search engine of
insecure devices
and systems
available on the
Internet.
Is your network in
Shodan?
�DNS Sinkholes and RPZ
DNS servers can be effective tools for blocking
malware, phishing and spam.
Support for Response Policy Zones (RPZ) introduced
with ISC BIND 9.8.
An RBL for DNS, makes it into a DNS firewall by
leveraging reputation feeds.
Can block or redirect internal traffic associated with
malicious activity (yes, just like OpenDNS).
[Link]
�Fun with Wifi
Kismet
An open source WIDS that works with any wireless devices
supporting monitor-mode.
Aircrack-NG
An open source reconnaissance, key-cracking and testing
tool.
�Aircrack-NG
�Kismet
�inSSIDer
notice any
similarities?
�Network Security Monitor: Security Onion
�Whats Inside?
Snort
Suricata
Bro Network Security Monitor
Argus and Ra
Xplico
Network Miner
Squil and Snorby
ELSA
�Kali Linux: the Kitchen Sink for Pentesters
�Threat and
Vulnerability
Management with
Zenmap a GUI
front-end to Nmap
�Pentest Dropboxes aka Creepers
Unobtrusive, form factor device used by pentesters to
gain a backdoor into a target network.
Can be used to perform a security profile of your own
infrastructure.
Also used as an inexpensive monitoring tool.
�Where You Can Find One
Minipwner
OG150
PwnPi
Low cost open source
alternatives to Pwnie
Express.
��Roll Your Own
Raspberry Pi
Intel NUC
TP-Link portable routers running Open-Wrt.
Pwnie Express even has a community edition you can
build yourself.
�Available Tools
Aircrack-NG
Iperf
OpenVPN
SSLStrip
Tor
TTCP
Kismet
�Get A Pineapple
A wireless network
auditing tool. Highly
customizable Wifi
router, based on OpenWrt and Jasager.
�Do You Always Need the Commercial Product?
Suricata vs. Sourcefire
Bro-NSM vs. FireEye
Security Onion or OSSIM vs. commercial SIEMs
SANS Investigative Forensic Toolkit (SIFT) vs. EnCase
Armitage or OG150 vs. Metasploit Pro
FreeRADIUS vs. Cisco ISE
OSSEC vs. Symantec Critical System Protection
ELSA, Graylog, Logstash/Kibana vs. Splunk
Nmap or Zenmap vs. Qualys
�Security Isnt About Managing Tools
Good information
security (and
engineering) is about
solving problems.
You dont always need
to buy a product.
Be Creative.
�Resources
[Link]
[Link]
Metasploit Minute with @mubix
OWASP
Offensive Security
�Questions?
�Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Prefers Star Wars original trilogy.
[Link]
Twitter @MrsYisWhy
Google+ MrsYisWhy
chubirka@[Link]
