April 8, 2014

Detecting and Defending the HeartBleed OpenSSL Bug

Just two days ago a massive software vulnerability in the popular OpenSSL library was announced under the name Heartbleed, and it is shaping up to be one of the worst vulnerabilities in recent years.

Here's a quick and dirty guide on how to get secure.

First, locate and test all of your SSL-based systems to see if they are vulnerable. Keep in mind that the vulnerability is not limited to HTTPS: any service that speaks SSL/TLS through OpenSSL can be affected, including POP3, IMAP, SMTP, FTP and OpenVPN. Many others exist too, but these are the low-hanging fruit. Nmap can be very helpful here for finding the systems to test. Download the nmap heartbleed NSE script here.

Scan your internal and external ranges for heartbleed:

nmap -p 21,990,1194,443,8443,993,995,465 -sC --script heartbleed.nse <your-IP-range>

(of course replace the IP range placeholder with your own)

The best fix is to update or patch all affected software, such as openssl and openvpn, on the vulnerable systems. If that is not possible, you can reconfigure and rebuild OpenSSL with the heartbeat extension compiled out: "-DOPENSSL_NO_HEARTBEATS".

Sourcefire has published Snort signatures here to look for active exploitation in the wild. Note that there are some evasions for these signatures, so I would also recommend looking at a honeypot strategy if you want to track who is targeting you specifically.

Once IDS signatures and/or honeypots are deployed and you have detection capability, a Threat Intelligence platform like Optic is critical for determining who the adversary attacking you is and what their history looks like, and for sharing attacker details such as IP addresses with your peers. That data can then be fed automatically into SIEM watch-lists or firewall blocklists.

Good luck, and let us know if we can help you strategize your defense. We are here to talk if you want specific details on how to combine a Threat Intelligence + IDS + SIEM + firewall strategy for combating Heartbleed.

@ThreatStream
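As an added example (not code from the original post or from Sourcefire), here is the kind of check an IDS or honeypot can run on TLS records to spot exploitation attempts: it flags heartbeat messages whose declared payload length cannot fit inside the record, the malformed message that RFC 6520 tells receivers to discard. The sample records below are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18            # record content type for the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of random padding


def check_tls_record(record: bytes):
    """Inspect one TLS record; return (suspicious, reason)."""
    if len(record) < 5:
        return False, "truncated TLS record header"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return False, "not a heartbeat record"
    body = record[5:5 + rec_len]          # only the bytes actually on the wire
    if len(body) < 3:
        return True, "heartbeat record too short to carry a type and length"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return True, f"unknown heartbeat message type {hb_type}"
    # The declared payload plus the mandatory padding must fit inside the record
    # body. Heartbleed works by declaring far more payload than was actually sent.
    if 3 + payload_len + HB_MIN_PADDING > len(body):
        return True, (f"declared payload {payload_len} bytes but record body "
                      f"is only {len(body)} bytes")
    return False, "well-formed heartbeat"


def scan_records(records):
    """Run the check over a sequence of records; return the alert reasons."""
    alerts = []
    for rec in records:
        suspicious, reason = check_tls_record(rec)
        if suspicious:
            alerts.append(reason)
    return alerts


# Constructed sample records (not real captures):
BENIGN_HEARTBEAT = (b"\x18\x03\x02\x00\x18"       # heartbeat, TLS 1.1, length 24
                    b"\x01\x00\x05hello"           # request with a 5-byte payload
                    + b"\x00" * 16)                # 16 bytes of padding
OVERSIZED_HEARTBEAT = b"\x18\x03\x02\x00\x03\x01\x40\x00"  # claims 16384 bytes in a 3-byte body
HANDSHAKE = b"\x16\x03\x01\x00\x05hello"           # ordinary handshake record, ignored

if __name__ == "__main__":
    for alert in scan_records([BENIGN_HEARTBEAT, OVERSIZED_HEARTBEAT, HANDSHAKE]):
        print("ALERT:", alert)
```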
