Open Source Defensive Security (closed) presented at deepsec 2017

by Leszek Miś,

Summary : Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated to professionals who want to close the gaps in Linux & Open Source Security knowledge. Very detailed and up to date course content with focus especially on defensive approach gives you the best opportunity to create stronger defensive layers inside your network infrastructures or/and Linux-based products. Delivering real world scenarios in our Open Source Defensive Security hands-on lab provides you with a very practical knowledge you need to expand your Linux Security skills.
This is an extremely deep dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do and these details make all the difference - in the offensive and defensive approach. Our high-tech workshop has a unique formula when it comes to “protection vs attack”. This means that most of the security issues we are talking about will be effectively protected by the use of a suitable approach, sophisticated software and dedicated secure configuration.
We focus on delivering a defensive content, but we understand that for being good in defense you have to also be good in offense. We are providing a kind of knowledge-mix in these fields using Open Source software. Except for basic Linux skills and TCP/IP knowledge, most of the lab exercises require at least a basic understanding of how attacker techniques work and so we'll introduce you to it. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions.
1) Threats are everywhere - Introduction to the technical Open Source Defensive Security program.
2) Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues:
Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based -mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based -mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie
HTTPS – how to achieve status A+?:
Attacks:
Heartbleed
Breach
Drown
Beast
Poodle
MiTM: sslstrip
Mutual SSL
Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS
Cookies:Secure, Httponly, Domain, Path, Same_site, Clear Site Data Feature Policy, First-party cookies
HTTP header anomalies
Virtual patching
Full HTTP auditing
LUA/OpenResty support
Sensor approach - OWASP Appsensor
Web application security using Modsecurity - creating dedicated WAF rules against:
Injections
Null bytes
Path/directory traversal
LFI/RFI->Command Execution
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
HTTP Parameter Pollution (HPP)
Open Redirect
Insecure Direct Object Reference vs HMAC
Forceful Browsing
CSWSH - Cross Site Websocket Hijacking
Session Security
Brute force
Slow DOS
GEO restrictions
Error handling
Leakage detection
Secure file upload
Secure logout / forgot password form
Web honeypots
Bot/scan protection
AV protection
PHP Security
Tomcat Security
Tools:
Sqlmap, sqlninja
Xsser
Dominator
Skipfish
ZAP / Burp
Wafdetect
Joomla, wpscan
Dirbuster, dirb
Nikto
JSDetox
Brakeman
3) Hardened Linux vs exploits/rootkits:
Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
Grsecurity / PAX
SELinux / Multi Category Security / sVirt
Apparmor, Tomoyo, Smack, RSBAC
GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
Linux Containers - Docker/LXC
LKM-off / YAMA / enforcing
Linux capabilities vs SUID and others
System call restriction - seccomp
Integrity checking - IMA/EVM
Package mgmt security
Debuggers and profilers - gdb/strace/ldd/Valgring/Yara
Chroot/jail/pivot_root
Behavioural analysis - systemtap / LTTng / sysdig
Memory forensics - Volatility vs malware
PAM / 2FA
System update vs reboot
*privchecks
4) Network security:
Vulnerability scanning:
Nmap NSE
Seccubus
OpenVAS
Metasploit
Linux Domain Controller - IdM/HBAC/SUDO
SFTP/SCP - Secure SSH Relay
Restricted shells/commands
SSH tips and tricks
Public Key Infrastructure – SSL/TLS
NFS Security
Database Security
DNS Security
Mail Security
DOS / scanning / brute-force protection techniques
Advanced network firewall: iptables/nftables/ebtables
System honeypots
Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
metasploit,
PtH,
Heartbleed,
shellshock and others
Security by obscurity
5) System Auditing, integrating & accounting:
*syslog
auditd
OSSEC / Samhain / aide
SIEM: Splunk/ELK/OSSIM/osquery
6) Summary: offense vs defense. Additional labs:
GDB introduction LAB
Seccomp -> additional LABs
Apparmor policy development
Volatility LAB - diffing between infected and clean memory dumps
Malware PCAP analysis / tcpreplay / suricata+ELK(SELK) / cuckoo / limon sandbox
SELinux module development
PAX - policy development
PAM LAB: google-authenticator / yubikey
Simple kernel module development + hidding + detection
Suricata vs metasploit, PtH, heartbleed, shellshock and others
WLAN Security vs Evil Twin / Karma and others attack detection