Hi everyone, I'm Alexander Adamov, and I'm from Rantis, and then Dan Lambright from Red Hat will tell you about a few use cases related to cloud security. We'll play with Snort and Suricata IPS during this talk. When discussing with Dan the title for our presentation, we agreed to include "open source" in the title, just to be accepted for sure.

So what does open source actually mean for security? From my point of view, the main thing with open source is transparency. Everyone can see the code, so your solution can be easily adopted by any company, any organization, even a government or special services.

What's wrong with targeted attacks? Why are they in focus? My journey in security started 10 years ago with Kaspersky Lab, and I and my team were lucky enough to participate in the investigation of the Stuxnet targeted attack. Stuxnet is a targeted attack that destroyed nuclear enrichment facilities in Iran. It was supposedly designed by the United States and Israeli special services. Since then, I figured out that targeted attacks should be in focus when you create security appliances for the enterprise.

Another thing that came into my focus recently is crypto lockers. Data encryption can be another threat that can drastically affect companies, organizations, and clouds as well. Recently, I and my colleague went on a forensic investigation to a Swedish telecom company, and we found the TeslaCrypt crypto locker there. My first question to the administrator was: do you have anti-virus installed in your company? And they said, of course we have. But why didn't it check, why didn't it trigger the alert and block the attack? The problem was that modern crypto lockers and APTs (advanced persistent threats) use quite sophisticated self-defense protections and active methods of protection. They block the anti-virus solution, and they use sophistication to hide the malicious payload inside.
So finally, we found the TeslaCrypt body. When I submitted it to a multi-scanner, I figured out that only three anti-viruses out of 57 managed to detect it. So the solution I came to was using signature-based scanning with behavioral analysis. In particular, we will use network IDS/IPS systems, and in addition we will extend our scanners with sandbox solutions. Please, Dan.

OK, so I'm going to be talking about my experience looking into something called Tap-as-a-Service. I'll do a deep dive into how that works, with some implementation details, and how you use it and how you install it. Then I'll show you two use cases: one with intrusion detection systems, the use case Alex just mentioned, and a new one, which I think is very exciting, called file extraction and malware analysis. This is where you take a file off the traffic stream and analyze it.

So last year in Vancouver, I was looking for a way to snoop traffic inside the cloud. At the time, there wasn't much out there, but just emerging were various companies' implementations of network monitoring or mirroring. Back then, I looked at the internal networks of OpenStack. Here's a diagram possibly familiar to many of you, with the instance in the green circle at the top, the firewall bridge (the Linux bridge, qbr) right below it, et cetera, and the integration bridge. And I went over different places where you could insert a sniffer or tap into this network. It seemed like the integration bridge was the logical place, because all the traffic goes through there, and you can select which flows through the integration bridge you're particularly interested in.

So Ericsson, at about the same time, was just coming out with this nifty new software called Tap-as-a-Service. Since then, I've learned that Juniper has something, which Alex and Andrew will talk about, and I guess even Intel has something now. Since Ericsson came out first, it was the one that I started to look into and research.
This particular network sniffing mechanism is a Neutron plug-in; it fits very nicely into it. You can use it for analytics: checking, getting stats on what traffic is going through your network to your instances. For debugging, for security, which is what we'll be talking about, and for lawful intercept, lawfully sniffing packets. This particular implementation of Tap-as-a-Service was built for OVS, but in fact it could be used in other places; they made it in an extensible way. You can snoop either direction or both, ingress or egress. In my situation, in my own tests, I did see a small performance degradation, between 8% and 17%. Probably more sophisticated checking should be done to really say that, but that is what I saw in my own cases. I encourage people to look at last year's OpenStack lecture from Ericsson for more details about this.

To install, the way I did it was with DevStack. I haven't tried it with RDO. I just add these lines here. This loads the latest Tap-as-a-Service right off of GitHub. One parameter of note: you have to set this port security in order to make sure that traffic with a MAC address not intended for the destination, that is, your monitor, will actually get delivered. It won't happen without that port security switch. So yeah, it's pretty easy to install using local.conf in DevStack.

So right around the turn of the year, Ericsson developers put in a Neutron CLI. In the demo I have, I'm using the previous CLI, so it won't look exactly like this, but the new Neutron CLI looks like what you see on the screen. There are two important concepts. The service is the monitor, and the flows are the sources which flow data into the monitor. So say you have two or three instances which you wish to monitor; each one of those can be represented as a flow. Then you have one instance which is your IDS or something else, and each of the flows connects to it. What you do is represent these services and flows.
You demarcate their points in the network using ports, and I'll show that in the demo. So now to the two use cases in a demo. In this demo, I'm going to create some flows and add them to a service, and I'll show you that traffic gets redirected or mirrored to the destination. Really kind of cool. It's basically something like this, where the two blue boxes represent instances whose mirrored traffic can be captured by Snort, which in turn can execute a script to, say, set up a firewall or some such.

All right, let's get to this video. So I'm just going to first show with nova list. And yes, I'm typing without any fingers; this is the recording. There are three instances here. If I recall correctly, the top one is the monitor, the middle one is the attacker, and the lower one, CirrOS, is the victim. So what I'm going to be doing: first I'll ping from the attacker to the victim, and then we'll see with tcpdump that those ping packets actually do arrive on the monitor. Then we'll do the same thing with an Nmap reconnaissance scan. I'll use a FIN scan to scan all the ports, and we'll see that Snort will catch that.

So first I show that I've got a service already created. Again, this is the older CLI, but tap service list shows that there is one service created, and then there's the port. The port ID is of the first instance there. Now I'm going to get the ports of the attacker and the victim; that's what I'm doing here. It's a neutron port list, grepping the private IP addresses of those two instances. Next, I'm going to create those two flows. So I'll use tap flow create. You give it a name, you associate a service with it (that's going to be where the traffic gets directed to), and then the ports that I just looked up. So we're creating two flows here, one for each instance. All right, so those two things have been created. We can look at the flows with this nice command there, and there they are.
I probably shouldn't have given them both the same names. And then, if you are good at Neutron, you can use ovs-vsctl show and ovs-ofctl dump-flows, and you can see that new flows were created. Now at this point, I'm switching over to a different instance. I was on the bare metal machine; now I'm getting onto the attacker instance. All I'm going to do here is ping. That's the IP address of the victim. So yeah, I'm sending ping packets. Now I'm jumping over to the monitor, and this is just to show you that it actually is the IP address of the monitor, and doing a tcpdump. You'll see that the ICMP packets are arriving. Yep, very nice. So it works really well.

Then we do something similar, the same thing, only with Snort. Here you can see Snort is running; that's our intrusion detection system, and it's reading off the eth0 port. Here I'm going to watch the logs with tail. Here we go. On the other screen, which is not in this demo, I'm doing an nmap -sF, and boom, I get all these FIN scans. So this shows you that we have a nice working system, and it's quite possible to actually do intrusion detection in the cloud as of this time.

So what can you do next? Now that intrusion detection is a semi-solved problem, what's sort of the next thing to check out? Well, probably you've all heard about the increasing popularity amongst hackers of ransomware, where they'll actually get onto your system and encrypt all your data with a massively complicated encryption scheme, forcing you to pay them in bitcoins in order to decrypt your data. A lot of people have been hit by that. It's a good business model if you're a hacker. So what can we do about this? Well, it's a malware attack. What do you do about malware? You run virus scans and other things. So how can this fit into the cloud? All right, so Snort and similar intrusion detection systems do have a method of actually extracting files off traffic.
So if you have a MIME attachment in an email, or if you're using, say, wget over the HTTP protocol, or even FTP (which hopefully you're not using), you can extract the files right from the packets. (We have to pause this. Can you pause this? Very good, thank you.) It's such a useful thing, because now you have the file, which is possibly hacker malware, and you can then do some sort of analysis on it, static or dynamic. Static meaning you check it out without running it; dynamic meaning you check it out as it's running, in a quarantine environment. Quarantine means that if it blows up and does bad things, it won't affect anybody else. Then you can tell the user yay or nay: this is a good file or this is a bad file. The flowchart that I just described is below.

Alexander is going to be talking about a different way, which is, in a way, a man-in-the-middle sniffer, whereas I'm mirroring the traffic, so this payload will still reach the destination instance. That can be perceived as either an advantage or a disadvantage. There's no slowdown in terms of performance; the payload instantly gets to the destination. But in parallel, we've married it to another instance, which will do the virus scan.

How could we do this virus scan? There are a few different ways; let me go through these. One would be to just run the executable and watch what happens on the machine. For example, you could run a HIDS, a host intrusion detection system, which does things like looking to see if any system files have been modified. OSSEC can also parse logs from other applications, such as Snort. So if Snort detects outgoing traffic to some place it shouldn't be going, OSSEC will parse that, read it, and can give you an alert. It can snoop /var/log/messages as well. Now what's really cool is if you want to do this at scale.
So let's say you're a corporation and you want to do this at high scale; that is, many, many payloads are coming in from all over the place. Perhaps you could run this in a container and have many containers started and running. I think this is a really cool area to explore that I'm looking forward to doing. There are some hurdles here because, for example, systemd, the services daemon, doesn't run in a container easily. It's possible to run it, but it doesn't run by default, and there's a whole list of things like that. So in fact, this would probably not give you perfect feelings of confidence that this file is secure. But you can't have 100% certainty anyway with a virus. A virus scan will give you some level of confidence, but it cannot give you perfect confidence.

Another popular open source virus scanning solution is something called Cuckoo Box. This is a dynamic analyzer which will actually watch the system calls which are being made and observe memory as the thing is running, looking for signatures or bad behavior. This is particularly good if you happen to be running Windows in the cloud. It's great for that, I believe, from what I've read about it. It's also intelligent enough to hide itself. So if the malware is smart enough to say, hey, you're running in a virtual machine, or even in the future, you're running in a container, the Cuckoo Box will hide that, so it's difficult for the malware to know that it's running inside of Cuckoo Box. That's kind of interesting. How could we do that in a container so that we could run it at scale? I think that something like Atomic, the Atomic VM, is something that's really going to be worth exploring, and we'll see.

Another idea is to submit the virus to a third party. There are lots of cons with this idea. One is that a container could probably not be exactly the same as the instance that you're verifying it for. Of course, the malware might be able to know that you're inside of a container.
I think this is an important one: the user has to somehow wait for this processing to be completed, so you need some coordination with the target instance to wait for the analysis to finish. That gets to the other solution, which is having a VM right in front of the target instance, which will... And then the user has to wait for the analysis to complete. So this is what I'm thinking about prototyping. All right, so that's intrusion detection and malware analysis. Now I'll turn it back over to Alex.

Thank you, Dan. Yeah, actually, I have a demo about this Cuckoo sandbox, so I will show you. So the main thing with Cuckoo... OK, so I'm going to use IPS as a virtual network function. To create a demo environment, I use two ingredients. The first one is Fuel; this is an OpenStack deployment service. The good thing is that it has a fuel-contrail plugin, which will help me to deploy OpenContrail SDN on top of my OpenStack. Here you can see the deployed Contrail, made by Juniper. It's open source as well.

To enable service chaining, I'm going to first create a service template for my IPS. I need to choose a service mode; I'm going to use in-network. It's kind of a router mode. The firewall service type means I need at least two interfaces, left and right. If you want to manage this IPS virtual function separately, you need to add a management interface as well, but it's not necessary. So in this case, I use only two interfaces, left and right. Then I need to actually create service instances. I type the name, I need to select a service template, and then I need to assign both interfaces to the networks I'm going to monitor traffic between. So I'm going to monitor traffic between the internal and external network. You can see the network topology. The attacker will be in the external network, and my host, my virtual machine, will be in the internal network. Then I create this instance.
As you can see, I have this instance running in the dashboard. To show you the demo, I need one more instance. It will be the VM I'm going to protect. So I'm going to use some test VM template, and I will connect it to net04, which is the internal network, the network that I'm going to protect against attack. The server, the malicious server, is located in the external network, net04_ext. So finally, I have my instance running, and I have my VM running as well.

Next, the thing which I used to forget to do: you need to assign a policy to your networks. A policy will control what traffic exactly you want to steer to your service instance. It's very important. So I'm going to check the traffic between the internal network, net04, and the external network, net04_ext. So I need to assign this policy to both networks, to the external and to the internal. So now, Contrail knows that it needs to steer the traffic to my service instance. Then I'm going to switch to the service instance, which has the IPS instance 01. Here you can see the topology. As you can see, this is my instance that connects to the networks. And of course, you need to stop routing on this instance, so the traffic will be forwarded correctly between the two networks.

So I open a console just to check if I can see. Yeah, this is my VM, CirrOS, and this is the IPS instance. So let me log in. First thing, I need to check if my network interfaces are properly configured. Interface eth0 is connected to the internal network, and eth1 to the external. Then I do a tcpdump to see if the traffic is really redirected to the IPS instance. So I ping, and I see my tcpdump catch these pings. Next, I start Suricata. Suricata is another open source IPS, intrusion prevention system, sometimes called IDS. I know that to enable Suricata, I need to create rules. So here I have four rules. The first one is a test rule to check for the word "alarm" in HTTP traffic, and the three others are to detect executables, Windows and Linux executables. So I load the test file.
And I see my Suricata correctly notifies me about that. Then I download Linux Scriptor. Linux Scriptor is a kind of targeted attack. As you can see, it was correctly identified. Linux Scriptor targets web servers; it encrypts MySQL engines and Apache folders with data. The next one is TeslaCrypt. It's a Windows crypto locker; I already mentioned it. And the third file is PlugX. PlugX is a Windows backdoor, one of the most popular backdoors used in targeted attacks.

So the thing is, Suricata can extract executable files that I specify in my rules. Here you can see the folder with extracted files, and you can see it has metadata which defines what kind of file was extracted: the file name, source, destination, and, importantly, the MD5. Using the MD5, you can search, for example, on the internet to find more information about the sample. I like VirusTotal; I mentioned it's a multi-scanner, owned recently by Google. I put the MD5 here just to get the verdict from 57 antivirus engines, and I see it is detected by 31 of them. As I said, initially, when I submitted this sample first, it was detected only by three antiviruses. That's kind of complicated, and we need to solve this problem. This problem can be solved with behavioral analysis.

VirusTotal enables Cuckoo sandbox. You can see this short report is actually produced by Cuckoo sandbox, and you can even see the folder C:\cuckoo, so you can recognize that this report was generated by Cuckoo sandbox. Here you can see two files, the source and destination. The destination has an extra extension, .abc. This is a sign that your file has been encrypted by the crypto locker. The interesting thing is you can find HTTP traffic in your sandbox report. Here you can see a so-called ping message or check-in request to the remote server. This is an AES-encrypted message which includes a Bitcoin address where the victim should pay the money. Another thing is malwr.com, another sandbox.
It is also based on the Cuckoo sandbox engine. It's online, so you can use it for free. There is no such sample in the database, so I need to upload it. And of course, you need to have some basic arithmetic skills to use malwr.com. And yeah, the thing with behavioral analysis and sandboxing is that it takes time. It will not generate an immediate verdict; it needs to run the sample in an isolated environment, in a virtual machine, and then it says, OK, is it malicious or not? So after five minutes, I get my report.

So I click on the link, looking forward to seeing the report from Cuckoo. Yeah, there are several sections: static analysis, behavioral analysis, network analysis, dropped files, and so on. It depends what you're looking for. The interesting thing is it also generates some behavioral signatures. So it says, OK, it performs some HTTP request. It also contains screenshots, as you can see, and the screenshots actually show you the message that your files have been encrypted, and there is no chance to decrypt them because they use RSA-2048. Actually, they lied. They didn't use RSA. They use AES, Advanced Encryption Standard, just simple symmetric cryptography with a key length of 256. Domains, which were extracted from the dumps, from the memory dumps, I believe; these domains can be used as an indicator of compromise. So you can teach your IPS or IDS to block connections to those domains. Dropped files are here; we'll see encrypted files. As I said, all files encrypted by TeslaCrypt have this .abc extension, like a second extension. Of course, it's not really useful information, but it shows that the crypto locker worked well in the sandbox environment.

So I was not happy with the Cuckoo sandbox. That's why I created my own sandbox. This is my PhD project. It contains some extra features that Cuckoo sandbox doesn't have now, unfortunately. It also provides dynamic analysis.
It shows you dumps, that is, what the Cuckoo sandbox looks like in its implementation. Also, almost all sandboxes contain verdicts, which usually come from VirusTotal. I also included a YARA engine: YARA to detect packed files, to detect processes, to detect files. YARA is a kind of standard for creating signatures in the antivirus industry. As well, we can see URLs and requests. The good thing is you can open this HTTP request and see, OK, this packet, for example, shows that the check-in request was accepted by the server and the information from the victim was inserted into the database. That's the story about how you can extend your simple signature-based detection software, like IDS/IPS, with some more advanced behavioral analysis with sandboxing. Thank you very much. Your questions, please.

Actually, I have one question. Yes, please. On the other side. Thank you. You used Tap-as-a-Service and you talked about performance degradation. Is there any notable performance degradation when you used the vRouter as you did?

Actually, as for vRouter, I didn't measure performance. But the good thing with vRouter is that Contrail supports DPDK. So you can install DPDK on the compute node to speed up. And you can also set up your IPS using AF_PACKET or PF_RING if you support this. I don't know, maybe some comments from Dan about DPDK service performance.

When you do port mirroring, I have seen degradation in performance, but I haven't quantified it. So I want to be careful in that these are just my own observations; I haven't... So I wouldn't want to say that those are confirmed numbers.

OK. Well, that's an answer. Thank you. Thank you. OK, and if there are no more questions, thank you one more time and have a nice evening at the StackLight party. Stack City.
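The four Suricata rules the second speaker loads (a test rule for the word "alarm" in HTTP traffic, plus rules that detect Windows and Linux executables and extract them to disk with their MD5 metadata) are described in the talk but not shown. The following is an added example written for this page, not the speaker's ruleset or Suricata project code, of how such a ruleset can look in Suricata 3.x syntax. The sid values, the `$HOME_NET`/`$EXTERNAL_NET` variables (from the default suricata.yaml) and the rule names are assumptions; the executable checks match on the PE (`MZ`) and ELF (`\x7fELF`) magic bytes at the start of the HTTP response body, and `filestore` writes the matched file and a `.meta` record to the file-store directory.

```suricata
# Added example ruleset (local.rules), not the speaker's own rules.
# Direction: responses from an external server to an internal client,
# i.e. files being downloaded into the protected network.

# 1. Test rule: fire on the word "alarm" anywhere in an HTTP response body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST alarm keyword in HTTP response"; \
    flow:established,to_client; file_data; content:"alarm"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1;)

# 2. Windows PE executable: DOS header starts with "MZ" at offset 0 of the body.
#    filestore extracts the file plus .meta (name, src/dst, MD5) for later analysis.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Windows PE executable download"; \
    flow:established,to_client; file_data; content:"MZ"; depth:2; \
    filestore; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Linux ELF executable: 0x7f 'E' 'L' 'F' at offset 0 of the body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Linux ELF executable download"; \
    flow:established,to_client; file_data; content:"|7F|ELF"; depth:4; \
    filestore; classtype:policy-violation; sid:1000003; rev:1;)

# 4. Any executable by file type, independent of transport buffer details.
#    filemagic needs Suricata built with libmagic; the strings are libmagic's.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Executable by libmagic"; \
    flow:established,to_client; filemagic:"executable"; \
    filestore; classtype:policy-violation; sid:1000004; rev:1;)
```

Extraction only happens when the `file-store` output is enabled in suricata.yaml (in the 3.x series: `enabled: yes`, a `log-dir`, and `force-md5: yes` so every `.meta` record carries the MD5 that is later looked up on VirusTotal); the rules are then loaded with `suricata -c suricata.yaml -S local.rules -i eth0` on the IPS instance's internal interface. Magic-byte rules 2 and 3 catch renamed files that an extension filter would miss, but they fire on every legitimate installer as well, so in production they are better treated as extraction triggers feeding the sandbox than as alerts on their own.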