embracing the chaos

mark lorenc

lorencm@ornl.gov

2 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

• cyber security geek

• ORNL for a year

• formerly unix sysadmin

• open networks

3 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

virtual computing data cloud

4 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

5 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-

z0-9](?:[a-z0-9-]*[a-z0-9])?

6 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-

z0-9](?:[a-z0-9-]*[a-z0-9])?

“What could possibly go wrong?”

7 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”

8 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”

9 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”

10 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”

11 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

netflow version 5

• source IP address

• destination IP address

• next hop router IP address

• packet count

• byte count

• source port

• destination port

• TCP flags

• layer 4 protocol

• time at start of flow

• time at end of flow

12 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

13 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

14 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

15 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

SANS top 10?

hot botnet of the week?

today’s curre

nt spearphish

ing attack?

long term trending?

advanced host /network filtering?

unflattering Halloween costume?

16 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others

flow-tools

discrete remote IPs and timestamps

database of your liking

grind through data, possibly index

profit!

17 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

18 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

• easy to get lost in the minutiae• duplication of work amongst analysts• make sure your datasets are complete

• documentation is the sad answer• mailing lists• command line entries• full blown ticketing system (please no)• sit everyone in the same room

problems:

solutions:

19 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

20 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

21 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

22 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

23 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +

DNS Logs

24 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

25 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

URL Common Logs (urlsnarf)

160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"

26 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

27 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

28 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

Homebrew data sources

#!/bin/bash

unique=`netstat -an |grep :9997 |grep EST |sed -e 's/.*:9997 *//' -e 's/:.*//'|sort |uniq |wc -l`

total=`netstat -an |grep :9997 |grep EST |wc -l`

echo "netstat total=$total unique=$unique"

29 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

30 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

31 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

WindowsEventLogs

32 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

A few notes about windows event logs for the brave...

• Different operating systems have different codes

• Overloaded variable names exist in one event

• Inconsistent formats between applications

• Forced API usage – no flat text file interface

• Difficult to adjust what should or should not be logged

• Designed around forensics and not discovery

33 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

34 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

PCAP – raw data capture

• your largest dataset

• easily the hardest to use

• computationally intensive

• smoking gun (unless the traffic is encrypted...)

• location of the tap?

• software used?

• tcpdump, time machine, wireshark, tshark... many technologies

All of these technologies can be combined to create something beautiful!

35 Managed by UT-Battellefor the U.S. Department of Energy embracing the chaos

thanks!