Friday, December 2, 2022

Stop saying Log Monitoring

 Observability isn't about alerts & dashboards - It's about discovering what we don't know.

Overview

Organizations can use observability to monitor a wide variety of business processes. Organizations can take advantage of opportunities and optimize performance by understanding how these processes are interconnected. Additionally, observability can help identify potential issues before they cause problems. For example, if a process is not running as expected, observability can help identify the cause. By understanding the business purpose of the process and monitoring its performance, organizations can take action to improve it. Additionally, they can collaborate to find solutions by sharing data about the process with other stakeholders.

Observability is a powerful tool for improving business processes based on information technology. By monitoring and analyzing system behavior, observability can help businesses identify and fix problems before they cause major disruptions. In addition, observability can provide valuable insights into system performance and usage patterns. Ultimately, these benefits can lead to improved efficiency, reliability, and uptime for businesses that rely on information technology.

Tools and instrumentation

Understanding business processes is the key to helping us understand our security posture, system, applications, and network health. Many different types of data can be useful for observability purposes, but some of the most common include the following:

  • System performance data to identify issues with our systems that could impact security or cause problems down the road.

  • Security event data includes data from intrusion detection/prevention systems, web application firewalls, and other security devices. This data can help us understand what types of attacks are being attempted against our systems and how to better defend against them.

  • Application log data can be useful for troubleshooting problems with our applications and identifying exposure to zero-day exploits through exploitable open-source software, insecure coding practices, or business processes that could lead to fraudulent transactions.

  • Infrastructure and network data include data from routers, switches, and other infrastructure components. This data can help us understand our network's use, identify potential bottlenecks and capacity issues, and identify the legitimate use of protocols and services.

In addition to collecting data, it is also important to have a way to analyze that data for insights. The most common include the following:

  • Data visualization uses tools like graphs and charts to help us see patterns and trends in the data.

  • Data mining involves using specialized algorithms to look for hidden patterns and relationships in the data.

  • Statistical analysis involves using statistical methods to analyze the data for insights.

By collecting and analyzing data sets for observability purposes, we can better understand our security posture and the company's ability to guarantee delivery.

Using observability data

Observability is a critical component in developing and maintaining metrics. It enables us to develop metrics based on our ability to identify, protect, detect, respond, and recover, whether for production issues or security incidents. By monitoring the performance of our normal business activities, observability can help optimize and improve our security posture. Additionally, observability can help us be a partner at the table when troubleshooting production issues.

Observability also allows for more accurate root cause analysis by providing data that can be used to understand how an issue occurred and identify potential remediation steps. In some cases, observability can even be used to prevent issues from occurring in the first place by identifying potential problems before they cause downtime or data loss.

Business Function

Observability enables us to take action with shared data by connecting people with processes and technology performance. For example, monitoring FTP sessions can help us understand usage patterns and identify potential issues. Organizations can ensure that their use is aligned with business objectives by understanding the business purpose of FTP sessions and monitoring their frequency, the 3rd party relationships involved, and their criticality to the business. This helps us identify the unknown when an FTP session occurs out of sequence or when an existing business process has been updated. Depending on the sensitivity of the information, are the right safeguards in place, and are we able to guarantee it was delivered to the right partners and on time? By answering these questions, we can take proactive actions to prevent or mitigate any potential issues that could impact the performance of the business systems and processes.

Business Intelligence (i.e., Metrics)

Based on the usage patterns we could start to look at developing metrics to help identify potential issues, disruption from misconfiguration, or susceptibility to vulnerabilities. For example:

  • Session duration can give us an indication of how long a typical transaction should take for an expected file size, which can be useful for capacity planning. If the session duration is unusually long, it could be an indication of a problem with the server or user account.

  • Data transfer rate, or a high volume of errors, can help us understand how much data is being transferred over FTP and identify any potential bottlenecks. If the data transfer rate is unusually high, it could be an indication of unauthorized activity or of our partners making unannounced changes.

  • Commands issued. If there are an unusual number of commands being issued, it could be a team making an update or indication of a Denial of Service attack.

  • The number of attempts can help to identify potential issues or disruptions from misconfiguration or a brute force attack.

  • An unusual number of side-channel file transfers can help to identify potential issues, fraudulent activities, or the occurrence of a breach resulting from the exploitation of a vulnerability.
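As an added example (not from the post), the following Python computes the session metrics listed above (duration, bytes moved, transfer rate, command count, and repeated failed logins per client) over a small set of constructed FTP server events and applies placeholder thresholds to flag the outliers. The log format, the sample lines and the thresholds are all assumptions; real baselines come from each partner's normal activity.

```python
from collections import defaultdict
from datetime import datetime

# Constructed FTP server events (sample data, not from the post): timestamp,
# client IP, session id, user, command, value (bytes for STOR/RETR, OK/FAIL for LOGIN).
SAMPLE_LOG = """\
2022-12-02T09:00:00 10.1.1.5 s1 partner_a LOGIN OK
2022-12-02T09:00:01 10.1.1.5 s1 partner_a STOR 1048576
2022-12-02T09:00:05 10.1.1.5 s1 partner_a QUIT -
2022-12-02T09:10:00 10.1.1.9 s2 partner_b LOGIN OK
2022-12-02T09:10:02 10.1.1.9 s2 partner_b RETR 524288
2022-12-02T09:40:02 10.1.1.9 s2 partner_b QUIT -
2022-12-02T09:50:00 10.9.9.9 s3 admin LOGIN FAIL
2022-12-02T09:50:01 10.9.9.9 s4 admin LOGIN FAIL
2022-12-02T09:50:02 10.9.9.9 s5 admin LOGIN FAIL
"""


def session_metrics(log_text):
    """Per-session duration, bytes, transfer rate and command count, plus failed logins per IP."""
    sessions, failed = {}, defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, sid, user, cmd, val = fields
        t = datetime.fromisoformat(ts)
        s = sessions.setdefault(sid, {"ip": ip, "user": user, "start": t,
                                      "end": t, "bytes": 0, "commands": 0})
        s["end"], s["commands"] = t, s["commands"] + 1
        if cmd in ("STOR", "RETR"):
            s["bytes"] += int(val)
        elif cmd == "LOGIN" and val == "FAIL":
            failed[ip] += 1
    for s in sessions.values():
        s["duration_s"] = (s["end"] - s["start"]).total_seconds()
        s["rate_bps"] = s["bytes"] / s["duration_s"] if s["duration_s"] else 0.0
    return sessions, dict(failed)


def flag_anomalies(sessions, failed, max_duration_s=600, max_failed=3):
    # Thresholds are assumed placeholders; derive real ones from each partner's baseline.
    findings = []
    for sid, s in sessions.items():
        if s["duration_s"] > max_duration_s:
            findings.append((sid, "session longer than baseline"))
    for ip, n in failed.items():
        if n >= max_failed:
            findings.append((ip, "repeated failed logins"))
    return findings
```

Running it over the sample flags session s2 (30 minutes for a 512 KiB download) and the client at 10.9.9.9 (three failed logins in three seconds); partner_a's session looks normal.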

Building Observability

There are several key considerations for building observability into our architecture:

  • Gather data from every business process (not just the security logs)

  • Accessibility to the data

  • Making sense of the data

Building observability in a disparate business culture can take time and effort. The key is to build trust and collaboration among the different teams. Doing so can create a shared understanding of the business goals and objectives. This will help you identify potential issues early on and avoid them altogether.

When it comes to data, it is important to have a plan for how you will collect and store it. This will ensure that you have the necessary information to make informed decisions. Additionally, we must consider how to use this data to improve our business by ensuring we have the right tools to make sense of the data.

It is also important to remember that not all data is created equal. Some data is more important than others. Make sure you prioritize the data most important to your business. This will help us make the best decisions possible.

Building observability in a disparate business culture can be challenging, but it is possible. Building trust and collaboration among the different teams can create a shared understanding of the business goals and objectives. This will help us identify potential issues early on and avoid them altogether. Additionally, by having a plan for collecting and storing data, we can ensure that we have the necessary information to make informed decisions.

Turnaround


Overview

Our goal is to provide our stakeholders with enough information to make informed decisions. Often, these decisions are time-sensitive and event-driven. We strive to ensure our stakeholders have all the information they need to make the best possible decisions.

Newer technologies offer more relevant features and shorten the time it takes to identify, analyze and communicate the organization's key strengths and weaknesses. As newer team members join the organization, so do their experience and expertise. If existing technologies are not at a maturity level that will support their role in the organization, they will look for something that will. This puts pressure on organizations to continuously update their technologies to stay ahead of the curve. Furthermore, as technology advances, so do customers' and other stakeholders' expectations. They expect faster turnaround times, more accurate information, and higher quality products or services. All of this necessitates an agile organization that can adapt quickly to change.

Approach

There are a few ways to go about this. One way is to use prototype systems. These systems are not yet fully developed, but they can provide enough information to help make decisions. Another way is to use data from experiments or simulations. This can give us an idea of what might happen if we implement a certain decision. Finally, we can also use heuristics. A heuristic is about having enough information to make an educated guess. In other words, problem-solving is based on past experiences and knowledge to devise a solution that will likely work.

Whichever method we choose, it's important to remember that we need to ensure that the information we're using is consistent and high quality. Otherwise, we might make decisions based on inaccurate information, which can lead to suboptimal outcomes.

GoTTY/tmux Quick Reference


TL;DR

GoTTY is a command-line tool that turns any CLI tool into a web application.

tmux (terminal multiplexer) is a command-line tool to create multiple terminals in a single screen.

Start Session

  • gotty --permit-write --port 9090

    • Default localhost/127.0.0.1

    • --permit-write, -w Allows the TTY session to be written to (browser clients can send keystrokes to the shell, not just view it)

    • --port value, -p value The port to listen on

  • tmux new [-s session-name]

    • creates a new tmux session named 'session-name'

tmux Panes

Split the screen (panes) vertically

Press and release Ctrl + b then press Shift + % to split the pane vertically

Split the screen (panes) horizontally

Press and release Ctrl + b then press Shift + " to split the pane horizontally

Switch between panes

Press and release Ctrl + b then press the arrow keys <- | -> to switch between panes

Or

Press and release Ctrl + b then press the letter o key to switch between panes

Scroll mode

Press and release Ctrl + b then press Shift + [ to enter into scroll mode

q to quit out of scroll mode

Shortcuts

  • % create a horizontal pane

  • " create a vertical pane

  • h move to the left pane

  • j move to the pane below

  • l move to the right pane

  • k move to the pane above

  • q show pane numbers

  • o toggle between panes

  • } swap with next pane

  • { swap with the previous pane

  • ! break the pane out of the window

  • x kill the current pane

List Sessions

tmux list-sessions

Kill Sessions

tmux kill-session -t <session name>


RCE Fix


Prerequisites

Let’s verify our creds still work.

ssh -T git@github.com

Verify the struts2-fixme folder is completely deleted from GitHub and the local source.

Create the repository in GitHub

gh repo create struts2-fixme

Copy all of the files from struts2-rce into struts2-fixed

cp -R -n ~/Documents/struts2-rce/ ~/Documents/GitHub/struts2-fixme/

Remove all of the .git folders and files from ~/Documents/GitHub/struts2-fixme/


Demo the Fix

As you’ve seen, I have code that is exploitable. Again, for the sake of time, I’ve made a copy of our bad code. To verify it's not fixed, let's run the Snyk test again.

cd ~/Documents/struts2-fixed/
snyk test --file=pom.xml --severity-threshold=critical

With the bad code still there, let's go ahead and fix it. Let’s push this into the repository.

git add *
git commit -m "Bad Code"
git push