MineMeld: threat intelligence automation – architecture and hardening [1]

This post is the first of a series on the Threat Intelligence Automation topic.
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service

The last slide of my HackInBo talk (in Italian) was about how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center (i-SOC) Splunk engine, to reduce the time SOC security analysts spend on IoC (Indicators of Compromise) analysis.

Threat Intelligence question from #HiB17

At the time I was testing an open source project from Palo Alto: MineMeld. It was the right choice; after extensive tests, MineMeld now helps me solve the challenges I had in the past while working with IoC coming from various threat intelligence sources: collection automation, deduplication, aging and SOC integration.

MineMeld can also share our internal IoC with the Italian infosec community we are now building from the ground up. We are working hard on this and I'm really confident we will succeed (want to join? DM me on Twitter or in the comments).

[ITA] HackInBo Spring Edition 2017 – Video

Below is the video of my talk “L’evoluzione del SOC di una infrastruttura critica” (“The evolution of the SOC of a critical infrastructure”), given in May 2017 at HackInBo Spring Edition 2017 (slides here).

You can find all the videos of this and past editions on the HackInBo YouTube page.

Thanks again to Mario, the HiB staff and the friends at Segment for the video editing.

The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers

[ see also: The WannaCry journey from a SOC point of view ]

In the previous post I described how our Security Operation Center managed the WannaCry news.

We also carried out a lot of side activities over the past few hours, and one of these was to implement an internal sinkholing of the killswitch servers in case some clients were infected: with a working local sinkhole we were able to stop the ransomware from spreading in case of infection.

Killswitch for WannaCry ransomware

How? Let me explain.


The WannaCry journey from a SOC point of view

#WCry at University of Milano-Bicocca

[ see also: how and why we implemented local sinkholed killswitch servers ]

Over the past few hours a new ransomware called WannaCry (or WCry or WannaCrypt0) has spread very fast on the Internet and targeted a lot of public and private organizations. The ransomware makes use of public exploits related to the latest Shadow Brokers leak, in particular the MS17-010 vulnerability, which was fixed by Microsoft on March 14 (two months ago). You can read very good technical posts here, here, here and here, and I also suggest following Hacker Fantastic and Malware Tech on Twitter.

Here I try to summarize my approach to the news, mainly highlighting what we did in my company in the past months and how we monitored WCry from our SOC (Security Operation Center).

There was (and there still is) a lot of hysteria, but for people like me who work in a SOC this is not an acceptable mood; you need to relax, really understand what's happening and verify that what you did before is enough and, if not, apply emergency countermeasures.

[ITA] Back from HackInBo Spring Edition 2017

#HiB17

[ Video of my talk ]

On 6 and 7 May I took part as a speaker in the Spring Edition of HackInBo, and for me those were three very, very intense and emotional days.

First of all, we proudly raised €1700 for the projects of the non-profit “Non Basta un Sorriso”; this is the real success of this edition (the target we had set was €1200). Kudos to Gianluca Varisco, who turned himself into an altar boy and collected the donations from the whole audience (almost 500 people). Well done everyone!!!!

Then the due thanks to Mario Anglani, tireless organizer, and to all the guys of the organizing team (poor Riccardo, who put up with me more than the others). This time the gadget for the attendees was a bottle of honey beer (with a matching mug) produced by the Valsusa brewery in collaboration with the non-profit Educatamente. All attendees also had a stand available where they could taste that beer for free.

HiB beer

The slides of my talk “L’evoluzione del SOC di un’infrastruttura critica” (“The evolution of the SOC of a critical infrastructure”) have been published together with those of all the other speakers on the HackInBo website, and I also include them below.

Presenting alongside me, in strict order of appearance 🙂

[ITA] HackInBo Spring Edition 2017

HackInBo

[ Here you can find the slides and video of my talk ]

On the coming 6 and 7 May I will take part as a speaker at HackInBo, a completely free Information Security event held twice a year in Bologna and organized entirely on a volunteer basis by the good Mario and his staff.

HackInBo clearly differs from the events organized here and there by the various security vendors and integrators, because it comes “from the bottom up”: it is organized by a group of friends who do it out of pure passion. For instance: sponsors cannot give talks; they will of course (and rightly) be thanked, but their only perk is a front-row seat.

Configure Linux High Availability Cluster in Ubuntu with Corosync and DRBD file sync

Synchronization by Taxydromos69

I already wrote about how to configure a basic High Availability Ubuntu cluster. The steps to set up a basic cluster are detailed in that post, so please read it if you don't know how to get the cluster up and running. The same conventions are used here.

One of the topics I didn't cover in the old post was “application replication/synchronization between the nodes”. Now it's time to show you how to keep files in sync between cluster nodes using the DRBD software. DRBD is a powerful component of the Linux kernel, designed to keep data in sync between node volumes over TCP/IP. In this post we will set up a clustered FreeRADIUS service that syncs the /etc/freeradius/clients.conf file between nodes.

Fix OTRS compatibility problems with Internet Explorer via Active Directory GPO

OTRS4 just works with Firefox and Chrome/Chromium, but I had a lot of trouble trying to let people who use Microsoft Internet Explorer work with OTRS.

Interoperability (photo by Pietro Forti on flickr)

Why? Because IE forces Compatibility View mode by default for Intranet web sites and – of course – OTRS is on my company Intranet. With this option forced by IE, OTRS doesn't work. I don't want to go deeper into why IE uses Compatibility View mode for the Intranet, it's something legacy and crazy, but a solution exists (or at least it works for me now).

Forticlient SSLVPN packages for Ubuntu/Debian

[UPDATE: 17th of December 2019]
If you use Ubuntu 19.10, the OpenFortiGUI 18.04 package does not work. I'm using openfortivpn from the Ubuntu repo and it works well:

$ sudo apt install openfortivpn
$ cat config.vpn
host = <SERVER>
port = <PORT>
username = <USER>
pppd-use-peerdns = 1
# X509 certificate sha256 sum, trust only this one!
trusted-cert = <CERT>

$ sudo openfortivpn -c config.vpn

[UPDATE: 19th of November 2018]
Since Ubuntu 18.10 I have started using OpenFortiGUI and it works well, so I suggest giving it a try.

[UPDATE: 9th Dec 2017]
If you want to use the FortiClient from the command line, this is the command (for 64-bit; the same for 32-bit with the right path):

$ yes | /opt/forticlient-sslvpn/64bit/forticlientsslvpn_cli --server <YOUR SERVER IP/FQDN HERE>:<YOUR SERVER PORT HERE> --vpnuser <YOUR USERNAME HERE> > /dev/null

—— original post ——

This post just points to the page where the great Rene maintains the .deb packages for the Forticlient SSLVPN Linux client (instead of the .tar.gz provided by Fortinet).

You can find the .deb files built by Rene on his blog Bits and Bites.