Page 1
A graph model for incident analysis
Cyber Analysis & Defense
Christian Kollee (christian.kollee@fkie.fraunhofer.de)
uni-bonn.de · 2015-07-06 · © Fraunhofer FKIE
Page 2
Incident analysis
Graph model
Challenges and outlook
Page 3
Figure: a Snort alert annotated with its local IP, external IP and payload. The rule that fired:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)
Page 4
Supporting the analyst
The analyst needs several different information sources: host information, DNS, HTTP, session
Presentation of the relationships between these pieces of information
Page 5
Cyber Observable Expression (CybOX™)
Address Object: 192.168.13.1, [email protected]
PDF File Object: Abstract.pdf
IOC
Page 6
Figure: CybOX objects and their relationships for one DNS lookup
Address Object: Value 192.168.1.1, Category ipv4-addr
Address Object: Value 192.168.1.2, Category ipv4-addr
Network Connection Object: Layer 3 Protocol IPv4, Layer 4 Protocol UDP, Layer 7 Protocol DNS
DNS Query Object: QType A, QName "google.de"
Edge labels: src ip and dst ip (the connection's source and destination Address Objects), dns query (the DNS Query Object carried by the connection)
Page 7
Approach
Select the CybOX objects that are needed
Record the selected CybOX objects and their relationships in a database
Additional custom objects, e.g. "Snort Event"
Lets an analyst "pivot" from one object to the next
Page 8
Figure: example graph. Nodes: Event, NetCon (two), Addr (three), DNSQry, HTTP. Edge labels: src ip, dst ip, occurred in, answer, contains, dns query.
Page 9
Indicators of Compromise

Atomic          | Computed                | Behavioral
192.168.13.12   | md5sum badfile.pdf      | count(failedLogins)
"badfile.pdf"   | pcre:"/forum=.*'/"      | (A1, A2, C1)
                |                         | (B1, A3, C2)

Behavioral indicators such as (A1, A2, C1) are combinations of atomic (A) and computed (C) indicators.
Source: Sanders, Applied Network Security Monitoring, p. 151ff
Page 10
Representation of an IOC as a (sub)graph
Is the IOC graph contained in the analysis graph?
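The approach on pages 7 and 8 (record the selected CybOX objects and custom "Snort Event" objects together with their relationships, so that the analyst can pivot from one object to the next) and the question on page 10 (is the IOC subgraph contained in the analysis graph?) can both be shown with one small piece of code. The following is an added example written for this page, not code from the slides or from Fraunhofer FKIE: it builds a tiny property graph with the node types and edge labels from the figures on pages 6 and 8, parses the page 3 Snort rule into a custom Snort Event node, pivots from the alert to the hostname that resolved to the external address, and runs a backtracking subgraph search for an IOC pattern. The external address 203.0.113.7, the name update.example.net and the DNS answer edge are constructed for the example.

```python
# Added example (not from the slides): a minimal property graph in the spirit of the
# CybOX-based model, the analyst's "pivot" along edges, and a subgraph check that
# answers "is the IOC graph contained?". External IP and hostname are constructed.
import re
from dataclasses import dataclass, field

# The rule shown on page 3 (Emerging Threats sid 2012086).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with '
        'No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; '
        'fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/'
        'network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; '
        'sid:2012086; rev:1;)')


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)   # node id -> (type, properties)
    edges: set = field(default_factory=set)     # (src id, label, dst id)

    def add(self, ntype, **props):
        nid = len(self.nodes)
        self.nodes[nid] = (ntype, props)
        return nid

    def link(self, src, label, dst):
        self.edges.add((src, label, dst))

    def pivot(self, nid, label=None):
        """Neighbours one edge away in either direction: the analyst's pivot step."""
        return [d if s == nid else s for s, l, d in self.edges
                if nid in (s, d) and (label is None or l == label)]


OPTION = re.compile(r'(\w+):\s*([^;]*);')


def parse_snort_rule(rule):
    """Split a Snort rule into header fields and option keywords (the custom Snort Event)."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    fields = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport}
    for key, value in OPTION.findall(options.rstrip(")")):
        fields[key] = value.strip().strip('"')
    return fields


def build_evidence(rule):
    """Constructed evidence: the alert fired on a TCP session from an external host that
    the local host had resolved by name shortly before."""
    g = Graph()
    local = g.add("Addr", value="192.168.13.12", category="ipv4-addr")  # sample IP from page 9
    ext = g.add("Addr", value="203.0.113.7", category="ipv4-addr")      # constructed (TEST-NET-3)
    tcp = g.add("NetCon", l3="IPv4", l4="TCP", l7="unknown")
    g.link(tcp, "src ip", ext)
    g.link(tcp, "dst ip", local)
    event = g.add("SnortEvent", **parse_snort_rule(rule))
    g.link(event, "occurred in", tcp)
    dns = g.add("NetCon", l3="IPv4", l4="UDP", l7="DNS")
    query = g.add("DNSQry", qtype="A", qname="update.example.net")     # constructed name
    g.link(dns, "src ip", local)
    g.link(dns, "dns query", query)
    g.link(query, "answer", ext)
    return g, event


def hostname_behind_alert(g, event):
    """Pivot: alert -> connection -> external address -> DNS query answered with that address."""
    for con in g.pivot(event, "occurred in"):
        for addr in g.pivot(con, "src ip"):
            for query in g.pivot(addr, "answer"):
                return g.nodes[query][1]["qname"]
    return None


def contains(g, pattern):
    """Backtracking subgraph search: map each pattern node to a distinct evidence node of the
    same type whose properties include the pattern's, keeping every pattern edge satisfied.
    Returns the mapping (pattern id -> evidence id) or None if the IOC graph is not contained."""
    pids = list(pattern.nodes)

    def fits(pid, nid):
        ptype, pprops = pattern.nodes[pid]
        ntype, nprops = g.nodes[nid]
        return ptype == ntype and all(nprops.get(k) == v for k, v in pprops.items())

    def extend(i, mapping):
        if i == len(pids):
            return dict(mapping)
        pid = pids[i]
        for nid in g.nodes:
            if nid in mapping.values() or not fits(pid, nid):
                continue
            mapping[pid] = nid
            edges_ok = all((mapping[s], l, mapping[d]) in g.edges
                           for s, l, d in pattern.edges if s in mapping and d in mapping)
            if edges_ok:
                found = extend(i + 1, mapping)
                if found is not None:
                    return found
            del mapping[pid]
        return None

    return extend(0, {})


def ioc_pattern():
    """Behavioural IOC as a (sub)graph: the local host issued a DNS query for the suspicious name."""
    p = Graph()
    host = p.add("Addr", value="192.168.13.12")
    dns = p.add("NetCon", l7="DNS")
    query = p.add("DNSQry", qname="update.example.net")
    p.link(dns, "src ip", host)
    p.link(dns, "dns query", query)
    return p


if __name__ == "__main__":
    g, event = build_evidence(RULE)
    print("hostname behind the alert:", hostname_behind_alert(g, event))
    print("IOC contained, mapping:", contains(g, ioc_pattern()))
```

The containment check is a brute-force subgraph search and exponential in the worst case; at the data volumes listed among the challenges on page 12 a graph database's pattern matching would take its place, but the semantics it has to express are the same: typed nodes, the pattern's properties as a subset of the evidence node's, and every pattern edge present.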
Page 11 (figure only)
Page 12
Challenges
Selection of CybOX objects and a suitable level of abstraction
Data volumes
Temporal relationships
Connecting the required data sources
Page 13
Next steps
Extension with host-based objects
Further custom objects (e.g. reputation, reports)
Prototype implementation
Trial in a CERT environment
Data protection and privacy
Further ways to support the analyst
Page 14
Summary
Analysts need information from different sources
The graph model makes the relationships between these pieces of information explicit
Using CybOX as the basis enables import and export of IOCs