
…much press, just give me a second, share out my screen.
All right, can everybody see that? Looks great, sounds good? Okay, perfect. All right, so yeah, thank you Bryce, appreciate that. My name is Jason Rivera, aka Nimble, and we're gonna talk about MineMeld today. Really just wanted to give a shout out to all the BSides sponsors and the BSides organizers, you know, just a fantastic job switching this over to virtual. You know, I'm gonna miss seeing everybody this year, but it's great that we can still get together virtually and have these good conversations, so it's been a great con so far and I've really enjoyed it. So this is me, this is how to get in touch with me. I've been a consultant for a long time, and recently moved over to a technical marketing engineer position within Palo Alto Networks. I do want to mention that while I am a big fan of Palo Alto Networks and obviously an employee, the views expressed here are my own and not directly Palo Alto Networks'. I'm here just as an enthusiast security practitioner and not directly representing them. So, you know, I've been around a while, member of DC801. I love cryptography and privacy; I'm a bit of an enthusiast there, not an expert, an enthusiast.
So MineMeld solves some interesting problems and I want to talk about what we're trying to do with it. You know, there's a lot of really good resources out there on the internet, whether they're threat intelligence or lists of data that can be leveraged by security appliances, by endpoint security products, by SIEMs, you name it, right? But the problem is, while we have kind of an established format with STIX/TAXII, a lot of these tools don't natively digest that format. So the problem that MineMeld is trying to solve is essentially to normalize that data into a format that these other tools can handle. You know, there's some really interesting use cases that you can use that for, right? So you can take these threat intelligence feeds, whether they're public open source threat intelligence feeds like one of my favorites, the SANS DShield top twenty; you can also digest private feeds; there's some, you know, full threat intelligence platforms that you can pull that data in from. And what MineMeld will do, like I said, is kind of normalize that data to be digested by these other systems downstream. It will also help maybe deduplicate that data as it's being normalized, so that if for some reason the platform that you're using as an enforcement point, for instance, has a hard limit on the number of data points it can pull in, MineMeld can help reduce the number of data points as they're being pulled in. So very, very helpful, especially if, you know, the platform has any kind of limitations around that.
There's also some interesting use cases about pulling in feeds for positive enforcement, not just for, you know, understanding threats or that sort of thing, but in a dynamic cloud environment, for instance, your resources are going to be spun up and torn down on a regular basis, and those, say, IP addresses or FQDNs will constantly be changing, and it's a very dynamic list, right? And so understanding network traffic flows to, say, Microsoft 365, right, you know, can be a very cumbersome task without being able to ingest Microsoft's published list of resources that are out there. And so a tool like MineMeld helps really pull that into your toolset and understand where that traffic is going.
So you're interested, right? I hope. You know, how can you do more, how can you digest this tool? So the current two best options for installation are spinning up the Docker image or compiling directly from source using Ansible. When MineMeld was first released, you know, it was released as a VM, an OVA, that sort of thing. You know, really it seems like the Docker way is probably the best, easiest way right now. So I've got here the full URLs, but I created some Bitly shortened URLs for everybody to use. If you're interested in the Docker image, it's there; if you want to compile direct from source with Ansible, it's there, and I'll post the slides to Slack after this too, the copyrighted materials.
So okay, so I'm gonna show you today pulling and leveraging MineMeld from the Docker image, but I want to show you a couple things that I did ahead of time before we dive directly into the demo. So my Linux distro of choice is Ubuntu, so I spun up a new Ubuntu server, and basically the first thing we want to do is just make sure that there's no legacy or pre-installed Docker packages. You then pull down some prerequisites for Docker and then also the Docker GPG key, and then update your repository with the official Docker repository for Ubuntu, and then install Docker. I went through that a little… oh, one other thing: I don't like running Docker images as root, so I then add my user to the docker group, just kind of a security best practice, I guess. I mean, if you think I went through that a little too quick, this is all very well documented on the Docker website, and you know, I don't want to turn this into an exercise on how to run Docker; I want to focus on MineMeld. So there's a link to doing that. All right, so let's switch out of the slides and get right to business here.
See the screen okay? Yeah, we can still see the screen? Okay, perfect, okay, thank you very much. So in the interest of time I am going to copy and paste these commands, but again, if you go to that Docker link, this is all very well documented there. I'm going to pull the Docker image from the official Docker repository.
I'm going to create a volume for the MineMeld logs and for my MineMeld local configuration, and then we're going to spin up the Docker image. And again, that's kind of a long command; I just copied and pasted and cheated, but again, I didn't want to be sitting here fumbling around on the keyboard. Well, so if you look at the logs, you can see what we're looking for here is the successful start of a MineMeld web service, and so then we should be able to pivot over to the MineMeld instance.
Right, and the default credentials here are admin / minemeld. Now you see here, we're already on the dashboard view. The Docker image comes pre-compiled and set up with four miners, a processor, and three outputs; I'll go into those in a minute. But, you know, again, this is a security conference for all security people, so the first thing we're gonna do is go in and change that admin password. So I'm gonna click admin and then I'm going to click password there, and I'll give it a stronger password. All right, the other thing that I want to do is maybe I don't want to use the default admin username; maybe I want to create an additional user. That's done with this plus right here. Add me as a user, this guy, super secret password. All right, and now I've got a non-admin user, and then I can go in and delete that admin user if I wanted to.
So let's look across the top here at the different tabs. The first one I want to show you is the System tab. This is kind of your high-level view of what MineMeld is up to: you know, are the services running, you know, how much CPU utilization is happening here, memory utilization. I've already touched on the Admin tab, we looked at the Dashboard, but what I really want to show you here is the Nodes, right? So this is the meat of what MineMeld is doing. We've got these three different node types within MineMeld. You have your miners, which are essentially the sources for data out on the internet or, you know, maybe on private systems, what have you. Then you have an aggregator that those miners are connected to; that aggregator or processor takes that data and, as I mentioned, normalizes it and deduplicates it and then feeds it to an output. An easier way to sometimes look at this is if we click on the miner, and then click on the connection graph, we can see here on the left side, you know, all these miners reaching out, going into an aggregator, and then feeding into these output feeds out on the right. So pretty straightforward from a graphical representation standpoint.
The other thing that you can do is look at the statistics of these miners: how much data is it pulling in, right? You know, the DShield block list is always going to be 20, the top 20 class Cs that you should just generally block on your network, or watch for traffic that's egressing your network that, you know, or communications happening to these. So one of the key things here is, you know, being able to understand the relationship that your endpoints or your network traffic are having to these known bad networks, right, these known bad data sources.
So let's say, you know, you want to add some more data to come in here, right? So the first thing I like to point out is the pre-built whitelist for IPv4, right? So here we've got a static list that we can add to. So say you leverage Google DNS heavily and you never want Google DNS to be included on one of those output feeds that you're leveraging in your security appliance. We can come in here and add that to the whitelist, and then if we look at that relationship, we can see now that the whitelist has one indicator IP. So if quad-eights, Google DNS, were ever to show up on, say, the Spamhaus DROP or EDROP list or DShield or any of those, it would always be whitelisted, because it's part of this miner that will be pulled into the aggregator and will override.
But let's say you want to add another miner, right? You've got your favorite source of data that you know is really, really high fidelity that you want to pull in and leverage within the network. So how you do that is you click on Configuration here, and then down here this little hamburger-looking icon is where you can look at the prototypes. So these prototypes are either miners or aggregators or output prototypes. One of my favorites is the ET Open blacklist, so Emerging Threats, really good group, does some good work. So if we search for ET Open, we see that, you know, that list is maintained here as a pre-built prototype. Click on that, then we click Clone, a new node from this prototype, and normalize the name. All right, so now we have it listed here, but notice it's not connected to the processor. This is a slightly counterintuitive piece of MineMeld that sometimes will trip folks up when I help people put this in their networks: you have to click over here on Inputs. If you remember the relationship diagram that I showed you earlier, you know, your miners were on the left; they feed into processors, or the processor has input from those miners, and then the processor then pushes to the output, or the output, you know, pulls from the processor. So we have to add that new node, or miner, excuse me, to the processor, and we do that by clicking over here on the right-hand side. And when we click in here we'll see, look, ET Open is known; click OK. We see it here, but you're not done: you have to commit those changes. So you commit that configuration and it restarts the MineMeld engine. It gives you lots of good statistical graphic representation of what it's doing on the top right there in the second round.
All right, so now we're running. So now if we click on the Nodes and look at the ET Open block list, we can see that there are 1834 indicators and it is directly feeding into that aggregator. So what's this data look like if we actually, you know, were to try and pull it into one of these systems and leverage it within a system? How you can view that is, if you click on the output node, you can see here the feed base URL. I open that up, there's your data, right? So this is IP range format to view or, you know, to be ingested into one of your control systems, right, again whether it's a SIEM or a network appliance or an endpoint management system. Let's say the system that you're leveraging does not understand this format, right, this IP range format. You can change your outputs, right? So okay, so if we just append question mark tr equals one (?tr=1) to the output feed URL, we see that now it gives it to us in CIDR format, which is another very common format that a security appliance or SIEM might be able to ingest.
So let's talk about maybe some more advanced use cases, right? Let's say you've got a favorite threat feed that is, you know, again, you feel is really high fidelity, but when you go into the prototypes it's not listed there. So a lot of folks out there like the Talos group, right? They do good work and they publish a really nice IP list, right, their IP blacklist. But if we search the prototypes, the Talos group is not there. So let's go look at their IP blacklist really quick, and it's just an output of IP addresses, right? So individual IP addresses, a pretty common format, so I know that other prototypes leverage that same thing, specifically the ET Open blacklist, right? So this is again my friends at Emerging Threats, and instead of cloning this one, we're going to create a new one from this miner. We can come in and we can modify this; we can say this is the Talos one, right? And notice down here we've got a really simple way of building out a miner. You know, it basically asks for your confidence level in this source, you know, and then give it a name and then a URL where we're pulling that information from. So let's put in that Talos IP blacklist, let's change this to the blacklist.
Okay, so I've modified it so that it's consistent for Talos, and now when I search for Talos I have a minemeld local Talos blacklist. Same workflow: I can clone it, give it a common name, and then that tricky thing to remember is adding it to this IP aggregator. Right now we commit that, let it run through its course, and I'll show you that it's pulling in that data.
There's obviously a lot more different types of data sources out there beyond IPv4 addresses, right? And, you know, there's a lot of debate on how valuable this information can be, but for me, my thought is just reduce your attack surface as much as possible, right? Take out these known bads, and you know, if you can block them on a network level, great; you know, if the security appliance you're leveraging allows you to block them, it just reduces that attack surface. You know, they're not these hot IOCs or whatever that some of these different groups will claim that they've got, you know, the best lists right now, but again, you know, it can be debated as much as we want, but it's really just about reducing that attack surface, right, and you just take the known bads out so that we can really focus on what matters and on looking at the more advanced type threat data.
But we can see now that the Talos blacklist has pulled in 1266 indicators and our outbound feeds now are incrementing up. One nice view on the dashboard that I kind of didn't touch on earlier: if you look here you can change the time frame. I just click that gear on the right; you can change the time range. So as your MineMeld instance is running for days and weeks you'll have nice statistical graphs here that will show you as indicators have been pulled in from miners and what your total number of indicators are from your outputs. So you can see as I added the ET threat feeds and the Talos threat feeds we've had a significant increase in the number of indicators across all the nodes.
So I've got a little bit of time; I can show you a couple more advanced use cases here. This is the MineMeld instance that I run at my house, and one thing that's interesting is, if you notice, I've got some other aggregators here, right, not just IP aggregators but domain and URL aggregators as well that are feeding out to different types of lists. So again, you know, threat indicators are not always going to be IPs, right? There are free lists out there that will give you other interesting things like Malware Domain List, things like that, right? And if we look at those outputs we can see here these are, you know, full URLs, right, and if we look at, say, this one,
so instead of full URLs, you know, here I've got just malicious domains, known malicious domains. And so you can see how maybe that might be interesting for integrating into, say, a threat hunting feed within a SIEM or, you know, some kind of EDR toolset, something like that. Any questions? I'll just do one more thing really quick and show you guys how, again, how you would pull this into my favorite security platform. Anybody who knows me knows that I've been a fan of this for a very long time.
All right, so external dynamic lists are generally how the Palo Alto Networks security platform digests MineMeld data, and so we can see here, you know, I've got these dynamic IP lists; these are pointing directly to those sources on my MineMeld instance. I've also got these domains and URLs that I just showed you guys there. So these dynamic IP lists are essentially IP groups that can be leveraged in security policy for positive or negative enforcement. You know, you can block things to known bad, you can block bogons, that sort of thing. How you leverage your domain lists is in the anti-spyware security profiles; you can see here the MineMeld domain list is available there and you can take security action on that, and the URL list is also in the URL filtering profiles.
So with that I am about out of time, but I think we've got a couple minutes for Q&A if anybody has any questions. Again, MineMeld is an open source project; it was started by Palo Alto Networks but it is community maintained, so, you know, feel free to be involved as much as is appropriate, and I appreciate the time.
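As an added illustration, not code from the talk or from the MineMeld project: a toy Python model of what the talk describes the IPv4 aggregator doing between the miners and an output feed, plus the two output renderings it mentions (the default IP range format and CIDR via `?tr=1`). The miner contents and whitelist are constructed sample data, and the exact text layout of a real MineMeld feed is assumed rather than taken from the project.

```python
"""Toy model of a MineMeld-style IPv4 aggregator (constructed example).
Miners -> merge, coalesce/deduplicate, whitelist override -> output feed."""
import ipaddress
from ipaddress import IPv4Address

# Constructed sample miner output, one raw feed line per entry (RFC 5737 test nets).
MINERS = {
    "dshield_blocklist": ["192.0.2.0/24", "198.51.100.0/24"],
    "et_open_blocklist": ["198.51.100.10", "198.51.100.10",
                          "203.0.113.0-203.0.113.127", "8.8.8.8"],
    "talos_blacklist":   ["203.0.113.64/26", "not an ip"],
}
WHITELIST = ["8.8.8.8", "8.8.4.4"]  # the "never block Google DNS" case from the talk

def parse_indicator(raw):
    """Accept a bare IP, a CIDR block or a 'first-last' range; return (first, last) or None."""
    raw = raw.strip()
    try:
        if "-" in raw:
            lo, hi = (IPv4Address(p.strip()) for p in raw.split("-", 1))
            return (lo, hi) if lo <= hi else None
        net = ipaddress.ip_network(raw, strict=False)  # bare IP becomes a /32
        return (net.network_address, net.broadcast_address)
    except ValueError:
        return None  # junk line: a real processor would log and skip it

def subtract(ranges, cut):
    """Remove the (first, last) interval `cut` from every interval in `ranges`."""
    out = []
    for lo, hi in ranges:
        if hi < cut[0] or lo > cut[1]:   # no overlap, keep as is
            out.append((lo, hi))
            continue
        if lo < cut[0]:                   # keep the part below the cut
            out.append((lo, cut[0] - 1))
        if hi > cut[1]:                   # keep the part above the cut
            out.append((cut[1] + 1, hi))
    return out

def aggregate(miners, whitelist):
    """Sorted, coalesced, whitelist-filtered (first, last) ranges from all miners."""
    spans = sorted(r for lines in miners.values() for r in map(parse_indicator, lines) if r)
    merged = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:       # overlapping or adjacent: coalesce
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    for cut in filter(None, map(parse_indicator, whitelist)):  # whitelist always wins
        merged = subtract(merged, cut)
    return merged

def render(ranges, tr=False):
    """Feed lines: 'first-last' (bare IP for singletons) by default, CIDR blocks when tr=True."""
    if not tr:
        return [f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges]
    return [str(n) for lo, hi in ranges for n in ipaddress.summarize_address_range(lo, hi)]

if __name__ == "__main__":
    feed = aggregate(MINERS, WHITELIST)
    print("\n".join(render(feed)), "\n--- ?tr=1 ---", sep="\n")
    print("\n".join(render(feed, tr=True)))
```

Note how the duplicate ET Open entry, the Talos /26 nested inside the ET Open range, and the whitelisted 8.8.8.8 all disappear from the output, which is the deduplication and override behaviour the talk attributes to the aggregator.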