Open Source Security Orchestration
Brucon 9, Ghent 2017
Slides: files.brucon.org/2017/007_Gregory_Pickett_OpenSource_Security_Orchestration.pdf
Overview
How This All Began
Orchestrating All The Things
Behold Skynet
Making It Better
Wrapping Up
Original Question
Multiple Cloud Servers
All Using Fail2Ban to Protect Themselves
Can I share Fail2Ban jails between these servers?
Other Questions
How do we get to threats in time?
How do we make sure that the evidence gets captured?
How do we make sure that the threat is stopped before it is too late?
How do we do this with a limited staff?
This Is Because
Security Operations
Monitor The Enterprise
Process Alerts (or Correlations)
Kick Off Incident Response
Despite Multitude of Solutions
Still A Manual Process!
Each Solution Kicked Off In Sequence By Us
A Lot of Time Is Wasted Being A Bridge Between Systems
What I Want
Keep Doing What You're Doing
Talk Directly To Each Other
Get What You Need from Each Other
Leave Me Out Of It
How This Would Work
Use Cases
Generate Threat Intelligence Feed
Received Events From Peers
Generate A Blacklist from Source of Threat Events
Use With Anything That Can Consume A Blacklist
Firewalls
Endpoint Solutions
Detection Tools
Share The Blacklist with Vendors, Partners, and Colleagues
Firewall Rule Propagation
Receives Events From Peers
Host Firewall
Network Firewall
Blocks Source of Threat Events
Distributes Events Among Peers
Host Firewall
Network Firewall
Drop Propagation
Drop Source of Threat Events
Distributes Events Among Peers
Web Application Firewalls
Intrusion Prevention Systems
Prevent Known Threats
Receives Events From External Threat Feeds
Host Firewall
Network Firewall
Blocks Source of Threat Events
NAT to Honeypot
Receives Events From Peers
Host Firewall
Network Firewall
Redirects Source of Threat Away From Assets
NAT to Tarpit
Receives Events From Peers
Host Firewall
Network Firewall
Slows Down Source of Threat
Capture Threat Activity
Receives Events From Peers
Switches
Routers
Firewalls
Runs Packet Capture on Source of Threat Activity
Inject Beacon
Receives Events From Peers
FTP Server
File Servers
Honey Pots
Drops Beacon into Path of Source of Threat Activity
Redirect Traffic
Receives Events From Peers
Routers
Firewalls
Changes the Route for Source of Threat Activity
Run Their Traffic Through Different Segment
Segment Contains Additional Inline Sensors
Afterwards, It Proceeds to Destination
Reporting Threats
Receives Events From Peers
Email Server
Reports Source of Threat to Abuse Address
Host Isolation
Receives Events From Peers
Switches
Routers
Firewalls
Applies ACL to Target of Threat Activity
Additional Logging
Receives Events From Peers
Switch
Router
Firewall
Server
Application
Verbose Logging for Source of Threat Activity
Verbose Logging for Target of Threat Activity
Trigger Password Resets
Receives Events From Peers
LDAP
Active Directory
Radius
TACACS+
Starts Password Reset Process for Target of Threat
Security Orchestration
Adaptive Network Protocol (ANP)
Shares Events Between Systems In Common Format
Events Are Stored Locally
Peers Make Use of Shared Events How They See Fit
fail2ban
modsecurity
iptables
Server A
Server B
Protocol
Sharing
Multicast to Local Peers
Unicast to Remote Peers
Messages
Add Threat Event
Remove Threat Event
Protocol
Operations
Sends to and Receives from Local Peers on UDP Port 15000
Receives from remote peers on TCP Port 15000
Every message signed with SHA256
Rules
The Signature Must Be A Good Signature
If Already Known, Do Not Share
Do Not Reflect Back To The Source
Packet
Version is 1 Byte
Type is 1 Byte
Event is Variable
Signature is 64 Bytes
Packet
Messages
Add Threat Event
Address
Time-To-Live (TTL)
Remove Threat Event
Address
Time-To-Live (TTL)
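The packet layout, the three rules and the Add/Remove Threat Event messages on the slides above, worked through in an added Python example (this is not the ANP project's code; it assumes that the 64-byte signature is a hex HMAC-SHA256 under a secret shared by the peers, that the event body is ASCII "address,ttl-seconds", and that types 1 and 2 mean Add and Remove, none of which the slides specify):

```python
"""ANP-style peer: packet codec plus the sharing rules from the slides (added example).

Assumed, because the slides leave it open: the 64-byte signature is the hex HMAC-SHA256
of version|type|event under a secret shared by the peers (an unkeyed SHA-256 digest
would catch corruption, not forged peers); the event is ASCII "<address>,<ttl-seconds>";
type 1 = Add Threat Event, type 2 = Remove Threat Event.
"""
import hashlib
import hmac
import ipaddress
import time

ANP_VERSION = 1
TYPE_ADD = 1
TYPE_REMOVE = 2
SIG_LEN = 64  # hex SHA-256 digest: the 64-byte field on the Packet slide


def _sign(secret: bytes, version: int, mtype: int, event: bytes) -> bytes:
    data = bytes([version, mtype]) + event
    return hmac.new(secret, data, hashlib.sha256).hexdigest().encode("ascii")


def encode_packet(secret: bytes, mtype: int, address: str, ttl: int) -> bytes:
    """Build version | type | event | signature for one Add/Remove Threat Event."""
    address = str(ipaddress.ip_address(address))  # never sign and share garbage
    if mtype not in (TYPE_ADD, TYPE_REMOVE) or ttl <= 0:
        raise ValueError("bad type or ttl")
    event = f"{address},{int(ttl)}".encode("ascii")
    return bytes([ANP_VERSION, mtype]) + event + _sign(secret, ANP_VERSION, mtype, event)


def decode_packet(secret: bytes, packet: bytes):
    """Return (type, address, ttl); raise ValueError unless the signature is good."""
    if len(packet) < 2 + 3 + SIG_LEN:
        raise ValueError("short packet")
    version, mtype = packet[0], packet[1]
    if version != ANP_VERSION or mtype not in (TYPE_ADD, TYPE_REMOVE):
        raise ValueError("unsupported version or type")
    event, sig = packet[2:-SIG_LEN], packet[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(secret, version, mtype, event)):
        raise ValueError("bad signature")  # rule 1: the signature must be good
    addr_s, ttl_s = event.decode("ascii").split(",", 1)
    address, ttl = str(ipaddress.ip_address(addr_s)), int(ttl_s)
    if ttl <= 0: raise ValueError("bad ttl")
    return mtype, address, ttl


class Peer:
    """Local event store with TTL aging, plus forwarding that obeys the three rules."""
    def __init__(self, secret: bytes, peers, now=time.time):
        self.secret, self.peers, self.now = secret, set(peers), now
        self.events = {}  # address -> expiry time; events are stored locally

    def _expire(self):
        t = self.now()
        for addr in [a for a, exp in self.events.items() if exp <= t]:
            del self.events[addr]

    def receive(self, packet: bytes, source: str):
        """Process one packet from peer `source`; return the peers it was forwarded to."""
        self._expire()
        try:
            mtype, address, ttl = decode_packet(self.secret, packet)
        except ValueError:
            return []  # rule 1: drop forged, tampered or malformed packets
        if mtype == TYPE_ADD:
            if address in self.events:
                return []  # rule 2: already known, do not share
            self.events[address] = self.now() + ttl
        elif address in self.events:
            del self.events[address]
        else:
            return []  # rule 2 again: a removal that was already applied
        return sorted(self.peers - {source})  # rule 3: do not reflect to the source

    def active(self):
        self._expire()
        return sorted(self.events)


def run_scenario(secret=b"constructed-shared-secret"):
    """Constructed walk-through of peer B sitting between peers A and C."""
    clock = [1_000_000.0]
    peer_b = Peer(secret, {"A", "C"}, now=lambda: clock[0])
    add = encode_packet(secret, TYPE_ADD, "203.0.113.7", 3600)
    tampered = add[:12] + b"8" + add[13:]  # address digit altered in flight
    result = {"first": peer_b.receive(add, "A"),  # new: relayed to C, not back to A
              "repeat": peer_b.receive(add, "C"),  # already known: not shared again
              "tampered": peer_b.receive(tampered, "A"),
              "active": peer_b.active()}
    clock[0] += 3601  # TTL elapsed: the event ages out of the local store
    result["after_ttl"] = peer_b.active()
    return result
```

A real peer would drain the returned destinations into the multicast UDP and unicast TCP senders described on the Protocol slides; the aging here is what keeps a Fail2Ban-originated address jailed only for its TTL.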
Peering
Local
Same Network
Across Same Location
Remote
Across Different Locations
Link-up Cloud Resources
Different Networks
Single Location
Multiple Locations
Trusted Partner or Vendor
Cloud Assets
Communities
Interfaces
What They Do
Purpose
Publish Events to ANP
Pull Events From ANP
Supporting Components
Writer
Reader
Operations
Publishes via Loopback Interface
Pulls via Published Lists
What They Do
Native
Integrated Solution
ANP installed on the same system
Read and Writes Locally
Examples
Fail2Ban
Iptables
modsec
Surrogate
Stand Alone Solution
ANP installed on a different system
Read and Writes to the Remote (Stand Alone) Solution
Examples
ASA
Switch
Router
Surrogate
Existing Interfaces
Fail2Ban
Pulls Events
Reads Threat Events from ANP
Adds Threats to Jail
Publishes Events
Writes Jailed Addresses to ANP
Because of ANP Aging, this means threats stay jailed for 24 hours
Mistakes can be reversed using an additional tool to inject a Remove Threat event
Blacklist
Pulls Events
Reads Threat Events from ANP
Adds Threats to Blacklist
Distribute for Internal or External Use
Detecting
Blocking
Threat Indicator
modsec
Publishes Its Events
Writes Attacker Addresses to ANP
Pair with IPTables interface
NAT attackers to Honeypot
iptables
Pulls Events
Reads Threat Events from ANP
NATs Threats from Local Webserver to Local Honeypot
High Interaction Honeypot of Your Website?
Log Their Activity
Include a beacon?
Sharing Also Provides
Increased Visibility
We don't change our enterprise
Everything Keeps Doing Its Job
We are giving them greater visibility to do so
Ability to Be Proactive
Expanded Visibility
Emerges With Sharing
Cooperative Behavior
Ability for the Enterprise To Act On Its Own
Cooperative Behavior
Building Skynet
Acting to Defend The Network
Acting To Investigate A Threat
Acting To Respond To An Incident
Demonstrations
Our Systems
Acting to Defend The Network
Making It Better
Additional Message Types
Add Target Event
Remove Target Event
More Interfaces!
Peer Groups
Filters for Peers and Messages
Needed Improvements
Internet of Things
Reporting Events
Export to STIX/TAXII
Future Direction
Machine To Machine Communication Solves Many Problems
It Doesn’t Have To Be The Apocalypse
With It We Can
Get To The Threat On Time
Make Sure Evidence is Captured
Make Sure That The Threat Is Stopped
We Can Do It With A Limited Staff
Making The Difference
It's Common To Kill Problems with Money and People
Understanding Your Problem Means Better Results
Enabling Synergies
Self Defending Networks
Self Investigating Networks
Self Responding Networks
Final Thoughts
Adaptive Network Protocol (ANP)
SHA1 hash is 976b9e004641f511c9f3eef770b5426478e8646a
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
Blacklist
SHA1 hash is 6fdf91572909e97c5f6e005c93da0524a03463c8
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
Fail2Ban
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
iptables
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
modsec
SHA1 hash is 5c210858b5711d326bf1740620df4dedfe7a69c9
Updates can be found at https://adaptive-network-protocol.sourceforge.io/
Links
https://cybersponse.com/
https://www.hexadite.com/
https://www.phantom.us/
https://www.siemplify.co/
https://www.fireeye.com/products/security-orchestrator.html
https://swimlane.com/
https://www.saas-secure.com/online-services/fail2ban-ip-sharing.html
http://www.blocklist.de/en/download.html
https://www.blackhillsinfosec.com/configure-distributed-fail2ban/
https://stijn.tintel.eu/blog/2017/01/08/want-to-share-your-fail2ban-ip-blacklists-between-all-your-machines-now-you-can
https://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips
https://github.com/fail2ban/fail2ban/issues/874
Links
https://superuser.com/questions/940600/iptables-redirect-blocked-ips-from-one-chain-to-a-honeypot
http://cipherdyne.org/psad/
https://taxiiproject.github.io/
https://stixproject.github.io/