44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
1 like941 views
The document discusses lessons learned from managing security at the Black Hat conference, highlighting the importance of simplicity and redundancy in network infrastructure. It outlines challenges faced with internal and external security threats, emphasizing the need to segment networks and control access. Additionally, it encourages security professionals to prioritize business concerns and communicate effectively to foster a secure environment.
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
- 1. Lessons Learned: Black Hat’s Infrastructure THE TWEETS MUST FLOW September 11, 2014
- 2. 25,000 DNS PACKETS IN 4 SECONDS BY ONE CLASSROOM
- 3. 3 Then: Technical Engineer & Volunteer Director @ Black Hat Now: Security Analyst @ Bishop Fox Twitter: @conandooley HOW DID I GET HERE? Who am I?
- 4. 4 Introduction Black Hat •Good to talk at; also good to talk about! Entertain •I have some stories Lessons Learned •There were some great security lessons learned Going Meta •Experience at Black Hat as it relates to the problems I see in security LET’S TALK ABOUT YOU AND ME
- 5. 5 Owning Things •Black Hat is owned by UBM Technical Staff •Usually one person, supporting everything •Sometimes two –those were the good days Security Basics •Segment everything •Redundancy •Keep it simple 24/7/365 ON CALL Supporting Infrastructure
- 6. 6 This cloud is dark because of all the black hats Firewalls in High Availability Mode Switches with lots of VLANs It’s BSD and virtualized BSD all the way down PRETTY PICTURES Supporting Infrastructure
- 7. EVENTS USA! USA! USA! USA! (OH, AND EUROPE, AND ABU DHABI, AND…)
- 8. 8 Volunteers •Approximately 75 people willing to work insane hours •Wouldn’t be possible without them Attendees •Nearly 10,000 attendees: Elevate tweets, not privileges Trainings •1500 Wired Students: Ready to chew gum and pop shells Presenters •Yes, my live demo requires Internet! HACKIN’ AROUND THE WORLD, BUT MOSTLY IN THE DESERT Overview
- 9. 9 Assumptions made about Black Hat’s on-site network: •It’s stacked deep with 0days! •Second most hostile network in the world … Security must be the top priority at Black Hat! SOME SAY… Black Hat’s Event Network
- 11. 11 Why would a media company care about security? •None of their other events need security! Security Priorities the Business Cares About •Don’t get the registration database owned •Protect the CFP platform •Avoid Brand Damage •That’s it, right? The Reality of it All
- 12. 12 Linksys Routers •Every classroom, blessed with their own tiny blue protector Switches •10/100 is all any honest network needs Artisanal, Bespoke Cables •Handmade with love •Welcome Volunteer, here’s a roll of cable, some ends, and a punch down tool! LITTLE BOXES MADE OF TICKYTACKY Blue Boxes
- 13. THE ENTIRE WORLD IS FIRE (FIND PICTURE)
- 14. THANKFULLY, I WASN’T AROUND THEN BUT I DID HELP FIX IT…
- 15. 15 STILL KEEPING IT SIMPLE Keep Calm and Segment Your Network SOHO? More like SO NO •Replaced Linksys boxes with Soekris6501 OpenBSD •Reliable •Simple •Does nothing (except what you tell it to) Quality of Service •PF and ALTQ
- 16. 16 Classrooms Soekris 6501 per Classroom Hotel Switches …Gateway laptop? PRETTY PICTURES, A CAVEMAN COULD DO IT EDITION Design
- 17. 17 LIKE FISHER PRICE, BUT WITH MORE USB ADAPTERS Baby’s First NOC Laptop Gateway •Quad Core •Battery Backup •Plenty of USB Ports…good for 10/100 USB adapters Physical Setup •Cardboard Walls •Power Strip •Table •Sometimes the lock would jam –impossible to pick
- 18. THREAT MAUDLIN SHOULD HAVE BEEN MORE OPTIMISTIC
- 19. 19 Nope. Definitely not. Strict no ski mask policy. Block them all. SHOW ME YOUR HACKING HAT External Attackers
- 20. 20 No mask policy: still good Everyone’s gottalive somewhere… 100% successful defense through intimidation and/or yelling BEWARE OF PEOPLE WEARING MASKS OF THEIR OWN FACE Internal Attackers
- 21. 21 FORMALIZE! A Simple Threat Model and Mitigations External Attackers •Blocked Bad Students •Limited to their classrooms or the Internet Bad Attendees •Could be jerks on the wireless –accepted risk •No access to physical networks without breaking something Other Network Attackers •Press –VLANs and isolation plus warnings •Staff –Access controlled •Registration –Access controlled
- 22. 22 BACK TO BASICS Controlled Hostility Monitor •Know where you’re down •Helps you yell at the right people Wireless •Auto-smooshrogue APs •Pineapple the world •Pineapple: Spoof networks wireless devices have connected to previously •No one cares as long as the Internet works
- 23. BLACK HAT: HACKERS BEHAVING NICELY
- 24. GOOD DESIGN COULDN’T TELL YOU WHAT IT IS, BUT I KNOW IT WHEN I SEE IT
- 25. 25 Principals •Keep it Simple –Yes. Still. •Know your networks – Drop everything that doesn’t belong •Segment –Put like with like •Control Physical Access – No USB access, no random drops •Repeatable –Automate everything you can Implementation •No Services –Exposed as little as possible •Dropped it, it was hot – 94% traffic dropped at the gateway •Smart Segments –Break it for your class, they’ll yell at you for me •Protect your ports – Ethernet, USB •YERP STILL NOT TIRED OF KEEPING IT SIMPLE Design Goals
- 26. 26 •Simple Tool –Everyone’s reinvented this wheel, but YOLO •Pushes Preset Configurations –You knew what you wanted, right? •Brain Dead Operation –No sleep is standard, and you don’t want to screw it up in front of everyone WELL, MOSTLY YERP: YERP, Everything Runs Perfectly
- 27. 27 Use it: clone git repo fab yerp.deploy_config:config=<configfile location> -H <targets> http://github.com/conandooley/yerp HOW DID I GET HERE, I AM NOT GOOD WITH COMPUTERS YERP: YERP, Everything Runs Perfectly
- 28. 28 People are generally pretty good Designed to be secure or non-functional Technical failures had a far more significant impact Biggest technical problem? State table exhaustion OUTCOMES ARE IMPORTANT End Results
- 29. ENOUGH ABOUT BLACK HAT WE’RE GOING META
- 30. 30 Security is never a priority –Let’s learn to live with that. Training failed, people demanded refunds –Had to happen to be taken seriously. Why? That jammed lock –Who would actually be stopped by that? You’ve got advantages –What are they? Wear them out. You own this –Know what lives on your network and verify. They only care about the business –So learn enough to show the concerns via business cases WELL, I WROTE THEM DOWN FOR YOU Remember Those Things I Said to Remember?
- 31. 31 •Listen to your Users –There are many ways to give them what they want, find the secure ways •Understand What They Need –If you know what they want, chances are there is a way to do it securely •Create Secure Defaults –Make security choices for them when you can •Educate –When you do have to make life more difficult, explain why •Link security to outcomes –Define consequences, show how they happen •Prioritize –Let’s figure out what makes a difference, and work on that first ONE SIZE NEVER FITS ALL Build Security Into Operations
- 32. 32 •Get out of the comfort zone –We’ve made some impact over the years but nowhere near enough •Learn to Market Ourselves –We’re struggling with effective communication, we need to fix that •Define Language –What does “breach” really mean? •Common knowledge is flawed –The common solution is quick, easy, and almost always wrong •Let’s make friends everywhere –More different, unique people caring about security is great •Impact and outcomes –An honest conversation needs to happen NOW WE ARE ALL SPACE CADETS Going More Meta Again
- 33. QUESTIONS?
- 34. Thank You!