
Welcome back to Track 4. Our next talk will be Home Defense for an Internet of Things Infested World, presented by Dale Lakes.

All right, afternoon everyone. I hope you all had a good lunch. I know after Chick-fil-A I wanted to immediately take a nap, so I'll try to not be boring. The talk today, what I'm talking about, is home defense in an IoT infested world. Quick background on me: I recently graduated college in 2017, computer science, played capture the flag a lot, so most of the things that I've learned were through capture the flag. If you have the chance to play in a capture the flag competition and you've not before, I highly recommend it, it's a lot of fun.

I'm starting my own security company in Augusta and have been doing that for about six months now. It's our first conference that we're sponsoring, and my big thing is Go, so anybody that knows me knows that I love the Go programming language, so I'll be pushing that a little bit today, but more of the focus is going to be on the way that we approach network security for your house. So what am I talking about today? Come on: a new machine learning approach to big data analytics by correlating cloud native threat intelligence to real-time cyber threat feeds and feeding those models into a neural network endpoint protection platform in order to generate threat graphs on the blockchain with just a Raspberry Pi Zero. All right, if anybody needs to go to the bathroom because they just could not take all of that buzzword jargon awfulness, I don't blame you.

All right, what am I actually talking about? So as a homeowner, as anybody who cares about home network defense, there's a lot going on and you're just one person, man in the house, woman in the house, whatever; it's your responsibility to know what's going on in your network to defend your family. So I'm going to be trying to take a very straightforward approach to this problem so that you don't have to spend a bunch of hours learning some, you know, crazy new technology or doing something that
requires a lot of, you know, time that you don't have. Next we'll be demoing a new project that I've been working on that goes along with this. Then, in general, talking about the fight against snake oil. So when I say snake oil, the definition that I'm gonna be using is what's in red: the cure-all elixirs, this idea that if I just run this magic tool it's gonna solve all my problems, I give it my packets, it spits out the bad guy. That's really not how anything works, if anybody has been in this field for, you know, more than a minute. There's a lot of talk about, you know, using these buzzwords like cyber, AI, machine learning. Your home network is very unique. The devices that you buy and the things that you do on your home network are not like anywhere else. Enterprise networks generally have a process or standards that they follow; you, with your home network, do your own thing, because you get to do whatever you want. And so if we try to approach this problem the way that, you know, traditionally you'd maybe go to, you know, some government website and look and see how they recommend to defend your network, here's just a quick description from DHS and the DoD CIO of how to defend your home network. Most people who have been in this community for a while know these things; there's nothing surprising up here on the slides.

So when you go to the conference and you learn about these things, they're quite cool and you do them, and you do them pretty well, and you're happy about what's going on. But then let's just say, you know, let's pretend that I'm some, you know, thirty-year-old family man. I got a couple kids and Christmas is around the corner. I also just moved; I moved from down here in Georgia, let's say, up to Maryland, and so I get to this new apartment complex and they have this smart lock, and with this smart lock you can use your phone to remotely unlock your house. Your kids also really want for, you know, Christmas this Wi-Fi connected camera, because your two little daughters can share pictures with each other, you know, with their family tablet. And then they want the smart speaker: one wants the bear, one wants the duck, so that they can be in the room and listen to their favorite music. And then of course your wife wants the all-powerful internet-connected, because why not, you know, just add fuel to the fire. And so what do I do about all this garbage that has now just been introduced into my home? I can't just, you know, tell my wife and kids, "your needs are not valued here, you can't have these things." Maybe you can, probably should; I wouldn't blame you if you did. But, you know, let's just assume for the sake of the argument that you let these things into your house, or especially for the remotely connected smart lock, like, you have no control over that. If you have an apartment complex and they, you know, you walk into that situation, it's a pretty hard process to get that changed. So let's just assume that you have all these things.

Well, first, let's take a step back: you know, why should we even care about these IoT devices? I'm not using them for anything that's, you know, sensitive or private; it's just, you know, they're letting my kids take pictures, letting me unlock my house, you know, nothing crazy.
But do you remember this guy, this camera thing from Amazon? I pulled it off Amazon, bought it, did a little bit of research into it. Like a lot of IoT talks... a lot of IoT talks tell you about how terrible and awful they are, and I'm not gonna go down that rabbit hole because there's enough of those. I'm just going to do a very brief overview of just one example of why IoT matters from a security perspective. So this device is a Wi-Fi connected kid camera. You download an Android app to communicate with that camera, and then the app itself, when you download it, comes with a cheap C++ library as a shared object. You know, it has over a million downloads, created in Taiwan by some company, and when we tear it apart, you look and see, and you can be like him on the bottom right and start losing your mind a little bit. The app allows you to basically specify whatever IP address you want to send these streaming pictures of your kids back to. All these permissions on the top, you know: let me access all your Wi-Fi and change the state whenever I want, let me have a wakelock turned on so that I can always be running, let me modify your audio settings, write to external storage, basically do all the things that any sketchy app would do. They also implemented all these custom commands where they can download, upload firmware, send raw data to the firmware if they want. Who knows if that's secure; probably not, doubt it. And so you can decide to go down that rabbit hole and you can start messing with IoT devices and, you know, getting freaked out more and more, and eventually you'll turn into, I forgot his name, the Sunny in Philadelphia guy, bottom right. Charlie, yeah. All right. And so even if you did want to control this device and have, you know, greater control over what these devices are doing, you don't have a user interface to actually interact with; like, you just click a button and it takes photos. There's no source code. You have to pull
the firmware yourself. There's a lot of hardware that exists on there to send and receive data that you also have no control over. They're always on, they're always running, and it's in your house recording your kids. So, you know, that's what I'm getting at with that.

So you decide, as the family man or family woman of the house, that you're gonna set up a home network security architecture. You've been to, you know, Security Onion Con, you've been to all these great different things and you've seen all these great sexy tools; let's just use all of them, because, you know, they all must do something important. And so you begin the descent down the rabbit hole of creating your home network security architecture. And so first you boot up Wireshark, you start looking at the packets coming across, you're like, oh, that's cool, I didn't know that thing was talking to that thing, I didn't know that even talked to the internet, I didn't even know that thing had wireless capabilities. And so you start looking and seeing some weird stuff, but then there's a lot of data and you just can't handle all that. So naturally the next thing is go to a dashboard, and that dashboard gives you great summary statistics about everything that's going on: who's talking to what, where and when and at what frequencies. Maybe you start learning some query languages; you learn the Splunk query language or the Elastic query language so you can get more fine-grained control over what's going on and start having a greater understanding of your network. And then you synthesize all that up in some other cool tools and you got some automated notifications or custom alerts, and you've done a lot so far. And here's a lot of Bro logs, lots of Bro logs, so many Bro logs, summaries of your Bro logs, the payloads of your Bro logs, and it just never ends. There's just always so many things to look at and so many things to do, and you're always just scrolling and scrolling and creating new dashboards, and eventually you just completely burn out, because you have no way, you have no idea why you did all these things. You've just been lost in these tools because these tools are going to solve all your problems.

And so this common thing is alert fatigue, right? You're just getting inundated with a bunch of different alerts and, you know, notifications and dashboards and spikes and whatever, whatever thing says, "ah, maybe there's a bad guy here, you should look at this." It's just unbearable as somebody who's trying to defend their network, or their home network especially, because here's one person and there's a lot going on. And as IoT continues to come into the house and as various different devices start connecting to the Internet, there's only gonna be more and more and more data that's gonna be coming across your network. And so what are you supposed to do? Like, there's so much data, there's really no way you can do it without tools. You can't just pipe stuff to, you know, pipe all your data to some log file and then use grep. You have to use some sort of visualization or some tool. And so you have two choices, you have two choices with this. One, you go all in and start finding some more magical cyber, right, or maybe you find something that has machine learning and AI, because it's gonna make the malware cry. It has to be there, you haven't found it yet, but it just has to be there, there's no way it's not there.
And so that's one approach, or the other is you recover. You start actually picking at an introspection of why you did all this in the first place and understand what is the point of actually doing all this stuff. What am I actually trying to defend as a homeowner? And so I have two things to give away. I will let the person who can answer this question correctly pick whichever one they want. It looks like a wireless adapter, AC1200 from Alfa Network, and the other one, I believe, is a lock-picking kit. Oh no, something in a zippered bag. So who can name the person in the picture? Correct. So that is one of our presidents, in case you didn't know. Did you want that? Do you want this one or you want that one? All right, cool. Yep.

All right, so Warren G. Harding's famous for the return to normalcy quote, so I included him. All right, so now you're in recovery. You've decided to not go down the AI, machine learning, gonna-get-your-PhD-just-so-you-can-defend-your-house approach, and instead to take a step back and say, okay, what do I actually care about? All these things are automated. What am I actually, you know, why does this tool suggest or imply that it will magically find malicious stuff for me when it has no idea what's actually on my network? It's not designed for my network. I don't know, what is the false positive and false negative rate for any of these things, and is there a definition of weird or abnormal in line with my definition? Is this IoT device, was it made weird to begin with? Do I actually need to classify everything that it's doing as weird, or can I just say, okay, that's normal, and move on? And so we bring it back to the basics, right? In security we care about privacy, confidentiality, integrity, and, you know, we want to make sure that the decisions we make are based on accurate data and that we are not getting, things aren't looking at our traffic or looking at us. If you have IoT, you
know, you got your cameras and audio and all that stuff. You want to make sure that your privacy is protected and your family's privacy is protected. So the initial approach, here's some good questions to ask, right: where and how does my family use data to make decisions while at home? If they are looking at, you know, a smart speaker, what are the results that smart speaker is giving to them? Has it been locked down so that my kids are receiving and making queries and getting data back that is in compliance with maybe my home or network usage policies, or just, you know, good practice? So for example, next slide I have, yeah, you know, is my child using their iPad after their bedtime, because they're already, you know, watching Netflix after their bedtime? If you got an SSH server to let you get back into your house, are you using fail2ban? Is it actually still working, or are you just blindly hoping that it's working and not actually monitoring that? And then what are your IoT devices talking to? If you set up a VLAN, is the VLAN actually working? And, you know, are your home security devices functioning properly while you're not at home? So I should be able to, if I have, like, you know, an IoT connected camera, be able to quickly verify that that camera is running, not just because it gives me a screenshot, but because I have access to the network traffic of it running, because, you know, some adversary can just keep giving me the same screenshot. We've all seen it in the movies, right? Like, you can do that; it's pretty easy if you're able to hack the IoT device and have it broadcast, you know, just the same picture over and over. So stuff like that, those are some good questions to ask, and that's where you get started, not just turn on all the data and just influx all of my tools.

And so what we discover, at least initially, is that you still have to gather all the data at some point, unfortunately, and store it somewhere, because there's really no good way for me to filter out the data at the beginning, right? The tools that I use at the end, their main job is the filtering and the visualization. The upfront part, where you actually capture off the wire, there's really not that good of a way to filter out that stuff either. You're gonna be using, like, you know, Bro most likely, or you're doing full pcap analysis. And so the filtering process is well towards the end, depending on what tool you're using. If you're still in the process of learning it, it's a lot of trial and error; you got to figure out how that tool works to filter out that data that you may or may not care about in the first place. And then you're still researching what is normal, which isn't ever going to go away. And then you want to be able to easily generate custom alerts and reports automatically. If a tool doesn't allow you to do that but it does a lot of other things well, why couldn't I have generated that alert much earlier in the process and still fed it into my tool later to visualize? So pushing this part of the process much earlier is gonna be what the focus of my demo project is on, which I'll get to, which is Gourmet. So if you swing by my booth today, you've seen a little handout that I got about Gourmet.

So the idea behind Gourmet is let's take the filtering and analysis process and push it out as early as we can in the pipeline, right? With Bro you have Bro scripting, and that's pretty commonplace to use that, but can we make it so that, as a community, when I want to customize how I secure my environment, can I push those customizations as early in the process and distribute those customizations as widely as possible? And so I know it's ironic, I'm telling you all these tools will not solve your problems and now I'm demoing a tool, I get it, but it's not so much about the tool. It's more of the approach to network security, the idea that if we can push the filtering and analysis process as early as we can, we won't end up with a big data problem towards the end of the process. And so, demo time. Let's see.
All right, so let's say we take that example that I gave, the example that I gave about detecting Netflix. Let's blow that up a little bit.

Does that work for everybody? Right about there? Yeah, cool. Let's take the example I gave about detecting Netflix after a bedtime. If you wanted to do that, what would happen is you'd probably feed all of your DNS data into Elasticsearch, then on the Kibana side of things you just check to see if, from a certain range of IP addresses at a certain time in the night, was there a DNS query that contained netflix.com? If so, you know, however you want it to alert you: you want it to send you a message on Slack, do you want it to pop up this big red box that says your child's still up, like, whatever, whatever you want to do. What if we can push that as early on in the process? For this simple type of problem, obviously for more complex types of problems you're gonna need these tools later on, but for this simple example, why can't we just do this at the sensor level? Why can't, as packets come into the sensor that we're taking directly off the wire, if we see a DNS packet that has, you know, netflix.com in it after a certain time from a certain range of IP addresses, have it send a message on a Slack bot to us directly? And so if we build
you know that... all right, so main's already built, I think. So with Go, this would be a little bit about how Go works for those not familiar as well: I've built a Go binary just doing go build; it's called gourmet instead.

And so if we run gourmet, by default what this is doing is, I've specified in default values a YAML, my configuration, and what it's going to have in the configuration file as analyzers. So those analyzers are going to take your standard connection traffic, enrich it, do something with it and then spit out a log file. And on permissions, because I need to run this command, setcap, anybody familiar with this? It allows you to capture packets without sudo, but first you, after you run it with sudo. All right, so now it's running. Open up a new tab.

All right, so gourmet.log has been, you know, its logs being appended to it, or maybe not. Oh, I know what. So this is all in a container right now, so I need to actually make some web requests, so we'll do that.

All right, so let's just go to Google, run those couple things, and now if we go back, yeah, gourmet.log. Let's make that a little bigger. And so this is what Gourmet spit out: all the connection traffic, these are your standard conn logs, you'll see the same information that you would always see there. Well then you see this field called analyzers, and as you add analyzers to Gourmet you will be able to basically add key-value pairs where the key is some string and the value is literally whatever you want it to be, and it'll start adding that to your connection. So if you're familiar with Bro, the idea of having a bunch of CSVs that are linked by a connection UID: all those together, put all of those things that map to the connection UID into one JSON object and then spit that out to a single log file. And so for things on DNS, port 53, we haven't loaded the DNS analyzer, so it's just giving us standard conn log information. But if we go down here to HTTP, you'll see that for the request I made to either Google or webscantest, the HTTP analyzer was loaded, and so now you get all this information about your HTTP requests as JSON. This is all using Go's open source libraries; this isn't anything, like, crazy, there's no magic or secret sauce, it's just the way that Go does HTTP, the same way that
Python has all their HTTP libraries. Let's just give it the bytes from the packet, tear out the HTTP data and put that in the JSON object, nothing crazy. Where it gets fun is, if I, and it's the config file, if I add this analyzer I wrote called the bedtime analyzer, and the bedtime analyzer depends on the DNS analyzer. Now I haven't loaded the DNS analyzer on purpose; we're going to let it break for a second and let's see. Hmm, all right, I need to grab my Slack token. I totally forgot to add that to this config. I had this config preloaded but I did not add the Slack token, like I wanted. So you're gonna see me, I get to go to my Slack and grab this real quick. I'll rotate these after. That's fine, but I'll be good.

Then you... I'll do this off-screen actually.
All right, well let's just pray that my laptop, with 18 minutes left, we get this done. Well, all right. So, all right, so this config file, if we just go through it real quick: you get to define your interface, the type of packet capture technology you want to use, so if you want AF_PACKET, use, make this AF_PACKET, promiscuous mode, snap length, the standard stuff that for any packet capture you're gonna be, you know, wanting to configure. And then when I start adding in analyzers, what this allows me to do is I can, and I'll pull up the code, my workflow's all thrown off right now, if we look at what an analyzer is...

And those were... let me zoom in VS Code here.

All right, well, to create an analyzer in Go, all I have to do is these two functions, filter and analyze. Filter, all it does is take a connection object. A connection object, now, is gonna be a UDP packet turned into a conn log, just for the Bro analogy's sake, or a TCP stream that's been reassembled and made into a connection object. It's just going to maintain, have your basic connection metadata, and then also it has your payload. The payload isn't logged by default, but when you write your analyze function, that's your ability to actually pick the connection apart. Going on underneath the hood, there's all, like I said, it can be literally anything you want as long as you define a key function so that it can be logged. And so what this allows you to do is, as early on in the process as possible, I'm going to be getting all of my UDP packets and TCP streams that have been reassembled, and do I want to keep them, do I not want to keep them? If my filter returns false then I'm just gonna throw it in the trash, and I don't care about that, you know, connection. If it's true then I'm going to keep it, I'm gonna analyze it.

And so I don't know if my demo is gonna work, honestly, because I have to do all the setup, but with the bedtime analyzer, what I wrote, which is on GitHub if you want to look at it, is: okay, all I care about is DNS requests that occur in a certain range of IP addresses after 9 p.m. at night, let's say that's bedtime, before 6:00 a.m. So that's my filter function, right; those are the only things I really care about for this specific situation. Then for analyze, you actually check and see, okay, is netflix.com in the domain? If so, call the Slack bot function that I wrote. This is all code; I can just write the Slack bot function in the analyzer itself, because the way that these analyzers work is it's another Go repository which you, you know, host on GitHub, GitLab, somewhere, that I then specify, gets pulled down, automatically built as a plugin, and that plugin then gets put inside of Gourmet. And now you can have all of these various different things enriching your core sensor without having to wait until three or four steps down the process to start doing all that enrichment, and so you're saving a lot of bandwidth and a lot of storage doing something like that using Gourmet.

And so thinking about it this way from a home defense perspective: I don't have the storage capacity to store full pcap of my network for weeks, months at a time. I don't have the bandwidth to be able to send all that stuff if I have just a standard commodity, you know, router. Thanks. So from a home defense, like I'm saying, from a home defense perspective, it makes sense to push this as early on in the process, because I don't want to have to store all this stuff and do all this complex Elasticsearch setup and Kibana setup if I can get rid of 95% of the data upfront because I don't care about it. Gourmet was designed to do it like this because there's a lot of problems with just sending full pcap all the way down the pipe and then waiting towards the end to actually do all the analysis. So I'm not saying this is the best way to do it or this is the right way to do it, but I think creating a very simple way for you, as, you know, the home defender or whoever, to implement your own customizations of your network defense as early on in the process as possible, it's just, from what I've seen, from the work I've been doing, it just saves you a lot of hassle and struggle down the road. So back
to this guy. Wrapping up real quick; that went shorter because the demo is not gonna work for me right now. As a home defender, there's a lot of data going on, and as IoT continues to, you know, get into your home, sending a lot more data across the wire, filtering out as much unnecessary data as early as possible is gonna save you a lot of storage and bandwidth. You shouldn't take the approach of turn on all the things and hope that the bad guy magically pops out, or turn on all the things and hope that you'll have a greater understanding of your network, because there's just going to be... you're gonna be, you know, overwhelmed with how much is going on with all these different tools. And so the tools are great, like, the tools do an amazing job, but you shouldn't be dependent upon what they're spitting out; you should have more control as early on in the process as possible over what data you're looking at. And so kind of the closing thesis of this talk is: as more and more IoT comes into your home, start thinking about, okay, what specific decisions do I make on a daily basis with my data? What services or applications or devices in my network should I care about, based on, you know, the level of risk that they introduce into my network? And how can I have greater control over the data that is being sent across my network through the tools that I use, and not have it be the opposite, where, based on the tools that I use, here's what I'm able to do? Kind of flipping that equation is kind of the focus of this talk, and I think is the best approach to home defense. And so I know this ended a lot earlier than it should have, but I'm good for any questions. First question, get to this guy, so fire away.
Yeah, this is all gonna be published. [Laughter] Cool. Anyone else? Yep, right there.

Yep, so the question was, once this, you know, once Gourmet processes your network traffic and spits out, you know, JSON, how does that then get presented to the user in a more, you know, a GUI or something else? That generally was what the question was. So the idea, like I said, the tools that exist for visualization are great already: Kibana, Splunk, not Splunk, Kibana, Splunk, and the ones, I guess, coming to my mind right now. This isn't trying to replace any of those things. The idea is how can I, as early on in the process, gain greater control of the data that I send to those tools, just a lot of data that you don't need. And then on the flip side, with Bro and a lot of the other tools that take your... it's for you, you're like, is the main goal of the project... not necessarily replacing Kibana, because they've already done a lot of good work there. All right.

The idea is either get Gourmet to the point where it is the source that you use, and then the other ones, you know, you can do full pcap just for posterity, but the goal is to have a sensor that has the ability to be customized to your liking, so that once it gets to that point where you've mapped out, you know, your risk assessment, your threats, however you define the best way to, the types of data that you care about, and you've mapped that into Gourmet analyzers to pick apart the various pieces of data easily and create, you know, spit all that out, then that is the sensor that you use for analyzing the data later on in Splunk and Kibana and everything else. Yep.
Yeah, I mean, so you have to ask whose network was it designed for, right? If there's some machine learning algorithm that's been trained and modeled off of some network, whose network was that? What data were they using? Why is that the solution for me? And so in many situations it's gonna, like, give you a lot more information than you already had if you didn't have anything to start with, but the best course of action is, as early on in the process, have as much information to start with. And so as the data moves from your sensor to your indexing with Elasticsearch to then being visualized in Kibana, in that process, as early as possible, I'd like to gain as much control and granularity on what's being fed where, so that I don't have to do all that legwork later on, right? So the reason that I, and I wanted to get into this more in the demo but I didn't have a chance, so with Gourmet you implement two functions to write your analyzer, and then once you do that it gets put up on GitHub. So the people that do write code, that do want to make, you know, Gourmet or whatever product better, having it so that, with, you know, the way that Go the language works, I can just specify a GitHub URL and that's my package. And so part of what Gourmet's building right now is having that sort of package manager. So if I want to deploy this technology to defend my home network, if I care about these and these and these things, I should be able to just go into a GUI, click on "I want these four analyzers added to my sensor," it pulls them down, runs it. Right now, that's what we're working on; the analyzers work, it's just you have to do it with the YAML file right now. But the ultimate goal is, yeah, to be able to, as a normal user who doesn't need to know how to program, if I do know that I have these certain devices on my network and these analyzers have been written for these certain devices, or I care about these certain things, these analyzers take connections, look to see if those things exist and then spit out results. If I can select those from a GUI and just package them all up into one sensor, spit that out, that's one of the big design goals right now with Gourmet. Right. Yep.
Right, so, I mean, that's, like, the universal question, right, is, like, if I've already been owned, how do I defend myself if I'm trying to define normal, because I have no definition of normal? I would like to think that if you put any sort of network sensor, whether it's just Wireshark, whatever, on your network without specifying what you care about to begin with, you're not even gonna find that bad guy; there's so much noise around it. Getting rid of the noise at the start is how you start getting more into, you know, selectively targeting which devices might have a bad guy, analyzing, you know... so like the IoT speaker, right, that I mentioned in the example, I probably want to know when that's talking to the Internet, and if that's talking to the Internet when there's nobody home, why is it talking to the Internet? And just trying to start building out those sorts of questions and answers for just creating greater understanding of what's going on, because as a community, like, there's a lot out there that we don't know about. We don't normally know how it works from, like, an IoT perspective, because it's hard, it's hard to actually look at all that stuff. And so if there's an easy way to do the research, find out how it works, define an analyzer that says, okay, this is normal, this is not normal, publish that, and someone else who doesn't have the time or technical wherewithal to do all that research, they can just take that and, okay, supposedly this finds this, makes sure that this device is talking normally, we just plug that in. And creating that sort of back-and-forth collective security approach is kind of what Gourmet's looking to do with the analyzers. But yeah, to your question, though, like, if you're already owned, how do you, like, find the thing?

No, so, I mean, you can say for all IPs capture DNS, and so then your filter function would literally just be return IP dot source port equals 53 or IP destination port equals 53; that'll be your filter function. And so now you're analyzing all DNS, and then your analyze function is going to actually go into the bytes and make sure that, like, you know... And the library that this is using is gopacket, which is very similar to Scapy, and so a lot of the work's already been done to take raw bytes and turn that into the layers of your network. So, like, they already have, like, a DNS layer, HTTP, or TCP layer; HTTP is a library. So, like, just taking all those open source libraries and putting them together, because it is, like, a standard programming language, you get a lot of power and flexibility in building out analyzers that way early on in the process. So
Absolutely, yeah. So that's really the same... they occupy the same space. With Gourmet, the idea is let me make it as simple as possible to customize, let me streamline the configuration process, and then just spit out one JSON file that has all your connections, all your conn logs that have already been enriched, and depending on which protocol it is, have all that data. Because with Bro right now it's like, I have ten different CSVs, I got a connection UID, I link all of them together depending on where the connection UID shows up, and then that becomes my, like, here's what your connection is doing. It'd be nice if you had one JSON file that spits out, you know, all that stuff in one JSON object. So some design decisions like that, just streamlining that process. They do occupy the same space once there are enough protocol analyzers, and once, because the interface to create... so with Bro scripting, right, Bro scripts, you have a bunch of events, you write a way to handle that event, and then you can either add that to a log or create an alert or use the, you know, logging framework. Being able to append it to your JSON object, I mean, that's right now what it does; adding the alert framework and all that other stuff is stuff that we're working on as well. That is ultimately the goal, though, is to occupy that same space.

All right, gave y'all 15 minutes. So, no more questions? That's all I got. Thanks for coming. [Applause]