The latest version (1.0.1) of the Stamus App for Splunk adds TLS cipher suite analysis. Analyzing the cipher suites negotiated on a network typically yields interesting results, because the cipher suite determines how much confidentiality and integrity a TLS session actually provides. Stamus App for Splunk users can now assess the security level of TLS used in their network from an easy-to-view dashboard.
TLS Cipher Suite Analysis in Stamus App For Splunk v1.0.0
A TLS cipher suite names the set of algorithms (key exchange, authentication, bulk encryption and integrity protection) that a client and server agree to use for a connection. There are many cipher suites, and the level of security and confidentiality provided by each varies greatly.
For example, "TLS_NULL_WITH_NULL_NULL" is a valid TLS cipher suite and, as the name implies, it provides neither encryption nor integrity protection: the data is transferred in clear text.
While this is an extreme and unlikely case, a number of other TLS cipher suites should also be avoided. For instance, cipher suites that use the RC4 stream cipher must not be used: RC4 has well-known statistical biases in its keystream, its use in TLS was prohibited by RFC 7465 in 2015, and it has reportedly been broken in practice by nation-state actors.
While the negotiated cipher suite is not exposed as a dedicated field in Suricata TLS events, it is present in the log as one of the TLS JA3S parameters. JA3S is a technique used to fingerprint the TLS implementation of servers. By analyzing the first message sent by the server (the ServerHello), a predefined list of parameters is concatenated to characterize the behavior of that server. This string and its hashed version are added to the TLS event to permit server fingerprinting. The second parameter of the JA3S string is the cipher suite ID. It is an integer (the 16-bit cipher suite value written in decimal), because TLS does not send cipher suite names over the wire. So the first step towards a human-readable result is to extract this field, and the second step is to use a mapping to convert it to a string.
We can use Splunk's extraction capabilities to get the value of the Cipher ID in a distinct field.
event_type=tls |
spath tls.ja3s.string output=ja3s_string |
eval ja3s_elt=split(ja3s_string,",") |
eval cipher_id=mvindex(ja3s_elt, 1)
The integer-to-name mapping can be built from the TLS Cipher Suites registry published on the IANA website. We can then create and use a lookup table in Splunk to get the string translation. The mapping built from IANA information is useful to query for the usage of specific TLS cipher suites, but it gives no information about the security level of those cipher suites.
The French National Cybersecurity Agency (ANSSI) has published "Security Recommendations for TLS". In this document, they define a list of recommended TLS cipher suites. Their classification also contains "degraded" TLS cipher suites that are acceptable to use if there is no viable alternative. All other TLS cipher suites should be considered insecure. The US National Security Agency (NSA) issued similar guidance in its recently published Cybersecurity Information Sheet entitled "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations".
By merging the information from IANA with the classification from ANSSI, we obtain a mapping that links each cipher ID to its name and its security level. This mapping is available in version 1.0.0 of the Stamus App for Splunk.
With this mapping it is possible to search and compute statistics on the security of the TLS cipher suites seen on the network. For example, to list all insecure TLS connections seen on the network, one can issue the following query in Splunk:
event_type=tls |
spath tls.ja3s.string output=ja3s_string |
eval ja3s_elt=split(ja3s_string,",") |
eval cipher_id=mvindex(ja3s_elt, 1) |
lookup tls_cipher_mapping.csv id as cipher_id |
search cipher_security=insecure
Using this technique, it is possible to build searches that classify the TLS cipher suites and display the insecure ones. This is available in one of the Stamus Splunk App dashboards, as shown on the illustration above.
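The same pipeline as the Splunk searches above (extract the cipher ID from the JA3S string, translate it through an IANA-derived table, grade it, then filter or count) can be run offline over Suricata EVE JSON. The following Python is an added example written for this article; it is not code from the Stamus App for Splunk. The registry excerpt is a hand-picked subset laid out like the IANA CSV, the EVE lines are constructed, and the three-tier grading in security_level() is a simplified rule of thumb (forward-secret AEAD suites are "recommended", NULL/RC4/export/DES/MD5/anonymous suites are "insecure", everything else "degraded") that stands in for the ANSSI list, not a reproduction of it.

```python
import csv
import io
import json
from collections import Counter

# Constructed excerpt in the column layout of the IANA "TLS Cipher Suites"
# registry CSV (Value,Description,DTLS-OK,Recommended,Reference).
IANA_CSV = """\
Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,N,[RFC5246]
"0x00,0x05",TLS_RSA_WITH_RC4_128_SHA,N,N,[RFC5246][RFC6347]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0xC0,0x2B",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5289]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC5289]
"""

# Constructed Suricata EVE lines: one TLS 1.2 AES-GCM session, one RSA/AES-CBC
# session, one TLS 1.0 RC4 session, one NULL-cipher session, one TLS event whose
# ServerHello was not seen (no ja3s), and one non-TLS event to be skipped.
EVE_LINES = [
    '{"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443,'
    '"tls":{"version":"TLS 1.2","sni":"app.example","ja3s":{"string":"771,49199,65281-11-23"}}}',
    '{"event_type":"tls","src_ip":"10.0.0.6","dest_ip":"192.0.2.11","dest_port":443,'
    '"tls":{"version":"TLS 1.2","sni":"legacy.example","ja3s":{"string":"771,47,65281"}}}',
    '{"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"192.0.2.12","dest_port":443,'
    '"tls":{"version":"TLS 1.0","sni":"old.example","ja3s":{"string":"769,5,65281"}}}',
    '{"event_type":"tls","src_ip":"10.0.0.8","dest_ip":"192.0.2.13","dest_port":8443,'
    '"tls":{"version":"TLS 1.2","ja3s":{"string":"771,0,"}}}',
    '{"event_type":"tls","src_ip":"10.0.0.9","dest_ip":"192.0.2.14","dest_port":443,'
    '"tls":{"version":"TLS 1.2","sni":"resumed.example"}}',
    '{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"192.0.2.14","dest_port":53}',
]


def load_iana_mapping(csv_text):
    """Turn the registry's "0xHH,0xHH" value into the decimal integer JA3S carries."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["Value"]
        if "-" in value or "*" in value:  # the real registry also lists reserved ranges
            continue
        hi, lo = (int(b, 16) for b in value.split(","))
        mapping[(hi << 8) | lo] = row["Description"]
    return mapping


def security_level(name):
    """Simplified grading (assumption, not the ANSSI list): see lead-in."""
    if name is None:
        return "unknown"
    if any(t in name for t in ("_NULL_", "RC4", "EXPORT", "_DES_", "3DES", "_MD5", "anon")):
        return "insecure"
    aead = any(t in name for t in ("GCM", "CCM", "CHACHA20"))
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are always forward secret.
    forward_secret = "DHE" in name or name.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    return "recommended" if aead and forward_secret else "degraded"


def cipher_id_from_ja3s(ja3s_string):
    """JA3S is 'TLSVersion,Cipher,Extensions'; the cipher is the second field."""
    parts = ja3s_string.split(",")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def analyze(eve_lines, mapping):
    """Mirror the SPL pipeline: spath -> split -> mvindex -> lookup, one dict per TLS event."""
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        tls = ev.get("tls", {})
        ja3s = tls.get("ja3s", {}).get("string")
        cid = cipher_id_from_ja3s(ja3s) if ja3s else None
        name = mapping.get(cid)
        results.append({
            "src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"), "sni": tls.get("sni"),
            "cipher_id": cid, "cipher_name": name, "cipher_security": security_level(name),
        })
    return results


def insecure_sessions(eve_lines, mapping):
    """Equivalent of '| search cipher_security=insecure'."""
    return [r for r in analyze(eve_lines, mapping) if r["cipher_security"] == "insecure"]


def security_histogram(eve_lines, mapping):
    """Equivalent of '| stats count by cipher_security' for a dashboard panel."""
    return Counter(r["cipher_security"] for r in analyze(eve_lines, mapping))


if __name__ == "__main__":
    table = load_iana_mapping(IANA_CSV)
    for r in insecure_sessions(EVE_LINES, table):
        print(f"INSECURE {r['src_ip']} -> {r['dest_ip']} ({r['sni']}): {r['cipher_name']}")
    print(dict(security_histogram(EVE_LINES, table)))
```

Sessions whose ServerHello was never observed (no ja3s object) are reported as "unknown" rather than silently dropped, which is worth surfacing on a dashboard as well: an event with no grade is a visibility gap, not a clean bill of health.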
Conclusion
The Stamus Networks App for Splunk enables threat hunters, incident responders, and other security practitioners who use Splunk to tap into the power of the Stamus Security Platform and Suricata to more effectively do their jobs. To learn more about the Stamus App for Splunk, visit our page on Splunkbase.