This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Feed - Insecure Cipher Suites

EricPartington
Employee
Employee
‎2018-01-04 01:06 PM

This was an idea originally spawned by Sean Ennis‌ so I have to give kudos to him for coming up with the original data set and link to the source data ...

 

NetWitness with the TLS parser (or any other parser that might write values into the crypto metakey) writes the crypto/cipher suites that are detected into this metakey, which makes it really easy to match up against a list of known good or bad suites to provide alerting or reporting on what is seen in the events.

 

So where to find a good, trusted source for weak cipher suites?

 

How's My SSL? 

 

This site is a great reference to check your own browser cipher suites and provide a report card on what is presented and if legacy or weak suites are presented (potential downgrade attacks).

 

If you hop over to the GitHub page for this site you can locate this file which lists the weak cipher suites that can be used in a feed to match against what is see on the wire and provide additional alerting or reporting on what is detected.

 

howsmyssl/insecure_suites.go at master · jmhodges/howsmyssl · GitHub 

 

With a little work in Notepad++ you can get a file as included in this post and create a matching xml file for feed deployment.  Then deploy to your decoders (packet and log) and now you have the ability to create matching meta (in this case the xml points to

analysis.service = 'insecure_cipher_suites'

 

and more detailed reason of why in threat.desc

threat.desc='sweet32ciphersuites:uses 3des which is vulnerable to the swe...'

 

in this case matching this suite

tls_rsa_with_3des_ede_cbc_sha

 

The additional meta as well as direction or specific applications or workstation subnets can form the basis of additional alerts/meta or rules that can end up in IM/Respond for Triaging.  Can also be an Ops report to provide locations where weak suites are being used (maybe a legacy internal app is requesting them or legacy browsers on unmanaged devices)

pastedImage_6.png

 

which can also be used in  addition to the other serivce analysis keys to look for addities in the properties of TLS traffic that might give you further reason to look at the source or destination of the traffic.

 

pastedImage_7.png

badciphers.xml.zip
badciphers.csv.zip
badciphers.xml.zip
badciphers.csv.zip
2 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.