Open Source Defensive Security (closed)

Presented at DeepSec 2017 „Science First!“

Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated to professionals who want to close the gaps in their Linux and Open Source security knowledge. Very detailed and up-to-date course content, with a particular focus on the defensive approach, gives you the best opportunity to build stronger defensive layers inside your network infrastructure and/or Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on lab provides the very practical knowledge you need to expand your Linux security skills. This is an extremely deep-dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do, and these details make all the difference, in both the offensive and the defensive approach. Our high-tech workshop has a unique formula when it comes to "protection vs attack": most of the security issues we talk about will be effectively protected against by the use of a suitable approach, sophisticated software and dedicated secure configuration. We focus on delivering defensive content, but we understand that to be good in defense you also have to be good in offense, so we provide a mix of knowledge in both fields using Open Source software. Beyond basic Linux skills and TCP/IP knowledge, most of the lab exercises require at least a basic understanding of how attacker techniques work, so we will introduce you to them. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions.

1) Threats are everywhere - Introduction to the technical Open Source Defensive Security program.

2) Web application security -> hardened Reverse Proxy -> ModSecurity vs HTTP security issues:
  • Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
  • Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, mod_lookup_identity, mod_pubcookie
  • HTTPS - how to achieve status A+?: Attacks: Heartbleed, Breach, Drown, Beast, Poodle; MiTM: sslstrip; Mutual SSL
  • Security headers: Content Security Policy (CSP), Cross Origin Resource Sharing (CORS) / Same Origin Policy (SOP), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Subresource Integrity, Per-page sub-origins, HTTP Strict Transport Security (HSTS), HPKP, PFS
  • Cookies: Secure, HttpOnly, Domain, Path, SameSite, Clear Site Data, Feature Policy, First-party cookies
  • HTTP header anomalies
  • Virtual patching
  • Full HTTP auditing
  • Lua/OpenResty support
  • Sensor approach - OWASP AppSensor
  • Web application security using ModSecurity - creating dedicated WAF rules against: Injections, Null bytes, Path/directory traversal, LFI/RFI -> Command Execution, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), HTTP Parameter Pollution (HPP), Open Redirect, Insecure Direct Object Reference vs HMAC, Forceful Browsing, CSWSH - Cross Site WebSocket Hijacking, Session Security, Brute force, Slow DoS, GEO restrictions, Error handling, Leakage detection, Secure file upload, Secure logout / forgot password form, Web honeypots, Bot/scan protection, AV protection, PHP Security, Tomcat Security
  • Tools: Sqlmap, sqlninja, Xsser, Dominator, Skipfish, ZAP / Burp, Wafdetect, Joomla, wpscan, Dirbuster, dirb, Nikto, JSDetox, Brakeman

3) Hardened Linux vs exploits/rootkits:
  • Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
  • Grsecurity / PaX
  • SELinux / Multi Category Security / sVirt
  • AppArmor, Tomoyo, Smack, RSBAC
  • GCC hardening: SSP, NX, PIE, RELRO, ASLR vs buffer overflow
  • Linux Containers - Docker/LXC
  • LKM-off / YAMA / enforcing
  • Linux capabilities vs SUID and others
  • System call restriction - seccomp
  • Integrity checking - IMA/EVM
  • Package management security
  • Debuggers and profilers - gdb/strace/ldd/Valgrind/Yara
  • Chroot/jail/pivot_root
  • Behavioural analysis - systemtap / LTTng / sysdig
  • Memory forensics - Volatility vs malware
  • PAM / 2FA
  • System update vs reboot
  • *privchecks

4) Network security:
  • Vulnerability scanning: Nmap NSE, Seccubus, OpenVAS, Metasploit
  • Linux Domain Controller - IdM/HBAC/SUDO
  • SFTP/SCP - Secure SSH Relay
  • Restricted shells/commands
  • SSH tips and tricks
  • Public Key Infrastructure - SSL/TLS
  • NFS Security
  • Database Security
  • DNS Security
  • Mail Security
  • DoS / scanning / brute-force protection techniques
  • Advanced network firewall: iptables/nftables/ebtables
  • System honeypots
  • Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
  • Suricata / Bro IDS / Snort / SELKS vs known malware and attacks: metasploit, PtH, Heartbleed, shellshock and others
  • Security by obscurity

5) System auditing, integrating & accounting:
  • *syslog
  • auditd
  • OSSEC / Samhain / aide
  • SIEM: Splunk/ELK/OSSIM/osquery

6) Summary: offense vs defense.

Additional labs:
  • GDB introduction LAB
  • Seccomp -> additional LABs
  • AppArmor policy development
  • Volatility LAB - diffing between infected and clean memory dumps
  • Malware PCAP analysis / tcpreplay / suricata+ELK (SELK) / cuckoo / limon sandbox
  • SELinux module development
  • PaX - policy development
  • PAM LAB: google-authenticator / yubikey
  • Simple kernel module development + hiding + detection
  • Suricata vs metasploit, PtH, heartbleed, shellshock and others
  • WLAN Security vs Evil Twin / Karma and other attacks: detection

Presenters:

  • Leszek Mis - Defensive Security
    Leszek Miś has over 11 years of experience in IT security technology, supporting some of the largest companies and institutions with implementation, consulting and technical training. Furthermore, he has 8 years of experience in teaching and transferring technical knowledge and experience. He has trained more than 500 people, with an average evaluation of 4.9 on a 1 to 5 scale. He is an IT Security Architect with a love for pentesting and a recognized expert in enterprise Open Source solutions; he provides web application and infrastructure penetration tests and specializes in Linux/OS hardening and defensive security of web application platforms. He is a known and respected trainer/examiner of Red Hat products in Poland (RHCA, RHCSS, RHCE) and author of many IT Security workshops (ModSecurity, FreeIPA, SELinux, Linux Hardening). As a speaker he has attended many conferences, including Confidence 2016 ("Honey(pot) flavored hunt for cyber enemy"), PLNOG 2016 ("Yoyo! It's us, packets! Catch us if you can"), NGSEC 2016 ("Many security layers for many defensive opportunities"), Open Source Day 2010/2011/2012/2013/2014, SysDay 2008 ("SELinux vs exploits"), Confitura 2014 ("Detection and elimination of threats in real time - OWASP Appsensor in action."), Red Hat Roadshow 2014, OWASP Chapter Poland 2015 ("Does your WAF can handle it?"), ISSA InfoTrams 2015, BIN Gigacon 2015 ("Mapping pen testers knowledge for the need to protect a critical IT infrastructure"). Certifications: holder of OSCP, Red Hat Certified Architect, Red Hat Certified Security Specialist, RHCDS, CompTIA Security+, Splunk Certified Architect and others.