Mozilla Defense Platform: MozDef

2014-12-16T20:47:38
ID N0WHERE:21558
Type n0where
Reporter N0where
Modified 2014-12-16T20:47:38

Description

Mozilla Defense Platform


The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.

The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.


Health and Status

MozDef includes an integrated health and status screen under the ‘about’ menu showing key performance indicators such as events per second from RabbitMQ and the health of the Elasticsearch cluster.


Alerts

Alerts are simply Python jobs run as Celery tasks that query Elasticsearch, either for individual events or to correlate multiple events into a single alert.
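As an added illustration of the alert model described above (example code, not MozDef's own: a real MozDef alert class queries Elasticsearch and runs under Celery, which this example replaces with a constructed list of event documents and assumed field names such as utctimestamp and details.sourceipaddress), here is a correlation alert that turns repeated failed logins from one source into a single alert:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for the result of an Elasticsearch
# query for failed SSH logins; the field names (utctimestamp, summary,
# details.sourceipaddress) are assumptions for this illustration.
_BASE = datetime(2014, 12, 16, 20, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"utctimestamp": (_BASE + timedelta(seconds=offset)).isoformat(),
     "summary": "sshd: Failed password for invalid user admin",
     "details": {"sourceipaddress": ip, "hostname": "bastion1"}}
    for ip, offset in [("203.0.113.7", 0), ("203.0.113.7", 5),
                       ("203.0.113.7", 9), ("203.0.113.7", 30),
                       ("203.0.113.7", 290), ("198.51.100.4", 12)]
]

def correlate_failed_logins(events, threshold=5, window_seconds=300):
    """Group failed-login events by source address and emit one alert per
    source that produced at least `threshold` events inside any span of
    `window_seconds`. Returns a list of alert documents."""
    by_source = defaultdict(list)
    for event in events:
        timestamp = datetime.fromisoformat(event["utctimestamp"])
        by_source[event["details"]["sourceipaddress"]].append(timestamp)

    alerts = []
    for source, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits the window.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "category": "bruteforce",
                    "severity": "NOTICE",
                    "source": source,
                    "count": count,
                    "summary": f"{count} failed logins from {source} "
                               f"within {window_seconds}s",
                })
                break  # one alert per source per run
    return alerts

if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_EVENTS):
        print(alert["summary"])
```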


Incident Handling

MozDef includes an integrated, real-time incident handling facility that allows multiple responders to work collaboratively on a security incident.


Geo location of Attackers

MozDef includes the WebGL globe as a three.js visualization that geolocates attackers to give you quick, interactive context about threat actors.

Goals

  • Provide a platform for use by defenders to rapidly discover and respond to security incidents.
  • Automate interfaces to other systems like MIG, flowspec, load balancers, etc.
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Architecture

MozDef is based on open source technologies including:

  • Nginx (http(s)-based log input)
  • RabbitMQ (message queue and amqp(s)-based log input)
  • uWSGI (supervisory control of python-based workers)
  • bottle.py (simple python interface for web request handling)
  • elasticsearch (scalable indexing and searching of JSON documents)
  • Meteor (responsive framework for Node.js enabling real-time data sharing)
  • MongoDB (scalable data store, tightly integrated to Meteor)
  • VERIS from Verizon (open source taxonomy of security incident categorizations)
  • d3 (javascript library for data driven documents)
  • dc.js (javascript wrapper for d3 providing common charts, graphs)
  • three.js (javascript library for 3d visualizations)
  • Firefox (a snappy little web browser)


Frontend processing

Frontend processing for MozDef consists of receiving an event/log (in JSON) over HTTP(S) or AMQP(S), performing data transformation such as normalization and adding metadata, and pushing the data to elasticsearch.

Internally, MozDef uses RabbitMQ to queue events that are still to be processed. The diagram below shows the interactions between the python scripts (controlled by uWSGI), the RabbitMQ exchanges and the elasticsearch indices.

