A lot of phishes are starting to use SSL certificates, and this makes things interesting for a few reasons. Two big ones are:
– End users are trained to look for the green padlock, because if it’s there the page is secure!
– Encrypted traffic makes it more difficult to monitor with traditional IDS/IPS
Comparing what it would take to get around those two issues, finding a way to inspect the traffic is probably going to be easier than re-training your userbase.
To try to find these sessions going to most-likely-malicious sites, I’m going to use Bro to do a few things:
– Log all SSL certs that it sees
– Write a notice script to look for certs that have your domain in them, but not your CA.
– Compare every cert to the ICSI Certificate Notary
Bro has a lot of these features built in, but not enabled by default. I’m going to show how to get these turned on so you can start tracking the SSL certs you see, and part 2 will use the notice framework to take action when a cert meets criteria that mark it as likely malicious.
Both parts of the SSL cert logging are turned on in the local.bro config. In Security Onion that file is here: /opt/bro/share/bro/site/local.bro
The first entry is one you add yourself to log every cert; the other two are already in local.bro, commented out, so you only need to uncomment them to enable them.
# Log every SSL cert you see
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS;
# This script prevents the logging of SSL CA certificates in x509.log
@load protocols/ssl/log-hostcerts-only
# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
@load protocols/ssl/notary
Once you edit your local.bro config, you’ll need to deploy the new config with broctl, which installs it and restarts the service.
root@heimdall:/# broctl deploy
checking configurations ...
installing ...
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
stopping heimdall-eth6-1 ...
stopping proxy ...
stopping manager ...
starting ...
starting manager ...
starting proxy ...
starting heimdall-eth6-1 ...
Finally, to check that everything is being logged appropriately, go to /nsm/bro/logs/current/ and look at x509.log and ssl.log.
# tail -f x509.log | grep google
1521823138.074886 FS7qq2r7IDquPEj9j 3 2C07C78DFDF8C840 CN=*.googleusercontent.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G3,O=Google Trust Services,C=US 1520451687.000000 1527706320.000000 id-ecPublicKey sha256WithRSAEncryption ecdsa 256 - prime256v1 *.googleusercontent.com,*.apps.googleusercontent.com,*.appspot.com.storage.googleapis.com,*.blogspot.com,*.bp.blogspot.com,*.commondatastorage.googleapis.com,*.content-storage-download.googleapis.com,*.content-storage-upload.googleapis.com,*.content-storage.googleapis.com,*.doubleclickusercontent.com,*.ggpht.com,*.googledrive.com,*.googlesyndication.com,*.googleweblight.com,*.local.amp4mail.googleusercontent.com,*.prod.amp4mail.googleusercontent.com,*.safenup.googleusercontent.com,*.sandbox.googleusercontent.com,*.storage-download.googleapis.com,*.storage-upload.googleapis.com,*.storage.googleapis.com,*.storage.select.googleapis.com,*.translate.goog,*.validator.amp4mail.googleusercontent.com,blogspot.com,bp.blogspot.com,commondatastorage.googleapis.com,doubleclickusercontent.com,ggpht.com,googledrive.com,googleusercontent.com,googleweblight.com,manifest.lh3.googleusercontent.com,static.panoramio.com.storage.googleapis.com,storage.googleapis.com,storage.select.googleapis.com,translate.goog,unfiltered.news - - - F -
# tail -f ssl.log | grep google
1521823217.898206 CujJlbaiGNUwroQKj 192.168.254.204 43498 216.58.217.174 443 TLSv12 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - clients4.google.com T - h2 T - - - - - - - - - - -
Now if you find a phishing site that is using SSL, you can search your Bro logs for that cert to see who has gone out to the site. In the next post, we’ll do some automation around this.
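As an added example (not code from the original post or from the Bro project), here is a small Python script that does the two log-side tasks described in this post: it parses Bro’s TSV x509.log and ssl.log using their #fields/#types header lines, flags host certificates that mention your domain but were not issued by your CA (the check part 2 is meant to turn into a notice script), and joins ssl.log’s cert_chain_fuids back to x509.log ids to list which clients received a given cert. The domain, the CA name, and every log row below are constructed assumptions, not real captures; the column names follow the Bro 2.5-era x509.log and ssl.log layout and should be checked against the #fields line of your own logs.

```python
"""Added example: flag x509.log certs that claim our domain but were not issued by
our CA, then use ssl.log to see which clients received them. Domain, CA name and
all log rows here are constructed assumptions, not real captures."""
from typing import Dict, List

OUR_DOMAIN = "example.com"           # assumption: the organisation's domain
OUR_CA_ISSUER = "O=Example Corp CA"  # assumption: substring of our own CA's issuer DN
Record = Dict[str, object]


def _log(path: str, fields: List[str], types: List[str], rows: List[List[str]]) -> str:
    """Build a Bro-style TSV log text with the usual header lines."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
            f"#path\t{path}", "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(head + ["\t".join(r) for r in rows])


# Column layout of Bro 2.5-era x509.log / ssl.log; verify against your own #fields line.
X509_FIELDS = ("ts id certificate.version certificate.serial certificate.subject certificate.issuer "
               "certificate.not_valid_before certificate.not_valid_after certificate.key_alg "
               "certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent "
               "certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca "
               "basic_constraints.path_len").split()
X509_TYPES = ("time string count string string string time time string string string count string "
              "string vector[string] vector[string] vector[string] vector[addr] bool count").split()
SSL_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed "
              "last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject "
              "issuer client_subject client_issuer validation_status").split()
SSL_TYPES = ("time string addr port addr port string string string string bool string string bool "
             "vector[string] vector[string] string string string string string").split()

# Constructed sample records: a legitimate internal cert and a lookalike from a public CA.
X509_LOG = _log("x509", X509_FIELDS, X509_TYPES, [
    ["1521823100.000000", "Faaaa1", "3", "0A", "CN=mail.example.com,O=Example Corp",
     "CN=Internal Issuing CA,O=Example Corp CA", "1520000000.000000", "1550000000.000000",
     "rsaEncryption", "sha256WithRSAEncryption", "rsa", "2048", "65537", "-",
     "mail.example.com,autodiscover.example.com", "-", "-", "-", "F", "-"],
    ["1521823200.000000", "Fbbbb2", "3", "0B", "CN=login-example.com",
     "CN=Some Public CA,O=Public CA Inc", "1521700000.000000", "1529400000.000000",
     "id-ecPublicKey", "ecdsa-with-SHA256", "ecdsa", "256", "-", "prime256v1",
     "login-example.com,sso.example.com.evil.test", "-", "-", "-", "F", "-"],
])
SSL_LOG = _log("ssl", SSL_FIELDS, SSL_TYPES, [
    ["1521823210.000000", "Cs1", "192.168.254.204", "51000", "203.0.113.10", "443", "TLSv12",
     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "secp256r1", "login-example.com", "F", "-",
     "h2", "T", "Fbbbb2,Fdddd4", "-", "CN=login-example.com",
     "CN=Some Public CA,O=Public CA Inc", "-", "-", "ok"],
    ["1521823250.000000", "Cs2", "192.168.254.77", "51001", "203.0.113.10", "443", "TLSv12",
     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "secp256r1", "login-example.com", "F", "-",
     "h2", "T", "Fbbbb2,Fdddd4", "-", "CN=login-example.com",
     "CN=Some Public CA,O=Public CA Inc", "-", "-", "ok"],
    # resumed session: no chain logged, like the clients4.google.com line in the post
    ["1521823217.898206", "Cs3", "192.168.254.204", "43498", "216.58.217.174", "443", "TLSv12",
     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "-", "clients4.google.com", "T", "-",
     "h2", "T", "-", "-", "-", "-", "-", "-", "-"],
])


def parse_bro_log(text: str) -> List[Record]:
    """Parse a Bro TSV log using its #fields/#types header: vector/set columns become
    lists, the unset marker ('-') becomes None, the empty marker becomes '' or []."""
    set_sep, unset, empty = ",", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    records: List[Record] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            key, *rest = raw.split("\t")
            if key == "#fields":
                fields = rest
            elif key == "#types":
                types = rest
            elif key == "#set_separator":
                set_sep = rest[0]
            elif key == "#unset_field":
                unset = rest[0]
            elif key == "#empty_field":
                empty = rest[0]
            continue
        if not raw:
            continue
        rec: Record = {}
        for name, typ, val in zip(fields, types, raw.split("\t")):
            is_vec = typ.startswith(("vector[", "set["))
            if val == unset:
                rec[name] = None
            elif val == empty:
                rec[name] = [] if is_vec else ""
            else:
                rec[name] = val.split(set_sep) if is_vec else val
        records.append(rec)
    return records


def suspicious_certs(x509: List[Record], domain: str, our_ca: str) -> List[Record]:
    """Certs whose subject or SAN mentions our domain but whose issuer is not our CA."""
    hits = []
    for r in x509:
        names = [str(r.get("certificate.subject") or "")] + list(r.get("san.dns") or [])
        issuer = str(r.get("certificate.issuer") or "")
        if any(domain in n.lower() for n in names) and our_ca.lower() not in issuer.lower():
            hits.append(r)
    return hits


def clients_for_cert(ssl: List[Record], cert_id: str) -> List[str]:
    """Client IPs whose TLS session carried the given x509 id in cert_chain_fuids."""
    return sorted({str(r["id.orig_h"]) for r in ssl if cert_id in (r.get("cert_chain_fuids") or [])})


if __name__ == "__main__":
    x509, ssl = parse_bro_log(X509_LOG), parse_bro_log(SSL_LOG)
    for cert in suspicious_certs(x509, OUR_DOMAIN, OUR_CA_ISSUER):
        print(cert["id"], cert["certificate.subject"], "issued by", cert["certificate.issuer"])
        print("  seen by clients:", ", ".join(clients_for_cert(ssl, str(cert["id"]))))
```

Two things to keep in mind when running this against real logs: the "your domain but not your CA" rule also flags any certificate you legitimately bought from a public CA, so if you use public CAs for your own hosts you will want to narrow it (for example by listing the issuer DNs you expect); and a resumed TLS session, like the clients4.google.com line above, carries no certificate chain in ssl.log, so the cert-to-client join only sees clients that did a full handshake.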