Visual Security Event Analysis - DefCon 13 - 2005
Posted on 18-Oct-2014
DESCRIPTION
More on security visualization: http://secviz.org

In the network security world, event graphs are evolving into a useful data analysis tool, providing a powerful alternative to reading raw log data. By visually outlining relationships among security events, analysts are given a tool to intuitively draw conclusions about the current state of their network and to respond quickly to emerging issues. I will be showing a myriad of graphs generated with data from various sources, such as Web servers, firewalls, network-based intrusion detection systems, mail servers, and operating system logs. Each of the graphs will be used to show a certain property of the dataset analyzed. They will show anomalous behavior, misconfigurations and simply help document activities in a network. As part of this talk, I will release a tool that can be used to experiment with generating event graphs. A quick tutorial will show how easy it is to generate graphs from security data of your own environment.

Video at: http://www.youtube.com/watch?v=5GK8mYumn6Q

TRANSCRIPT
![Page 1: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/1.jpg)
Visual Security Event Analysis
DefCon 13 Las Vegas
Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
July 29, 2005
![Page 2: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/2.jpg)
Raffael Marty, Defcon 2005 Las Vegas
Raffael Marty
► Enterprise Security Management (ESM) specialist
► OVAL Advisory Board (Open Vulnerability and Assessment Language)
► ArcSight Research & Development
► IBM Research
• Thor - http://thor.cryptojail.net
• Log analysis and event correlation research
• Tivoli Risk Manager
![Page 3: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/3.jpg)
Table Of Contents
► Introduction
► Related Work
► Basics
► Situational Awareness
► Forensic and Historical Analysis
► AfterGlow
![Page 4: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/4.jpg)
Introduction
![Page 5: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/5.jpg)
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
![Page 6: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/6.jpg)
Text or Visuals?
► What would you rather look at?

```
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
```
![Page 7: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/7.jpg)
Why Use Event Graphs?
► Visual representation of textual information (logs and events)
► Visual display of the most important properties
► Reduce analysis and response times
• Quickly visualize thousands of events
• A picture tells more than a thousand log lines
► Situational awareness
• Visualize the status of the business posture
► Facilitate communication
• Use graphs to communicate with other teams
• Graphs are easier to understand than textual events
![Page 8: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/8.jpg)
When To Use Event Graphs
► Real-time monitoring
• What is happening in a specific business area (e.g., compliance monitoring)
• What is happening on a specific network
• What are certain servers doing
• Look at specific aspects of events
► Forensics and Investigations
• Selecting an arbitrary set of events for investigation
• Understanding the big picture
• Analyzing relationships
![Page 9: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/9.jpg)
Related Work
![Page 10: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/10.jpg)
Related Work
► Classics
• Luc Girardin, "A Visual Approach for Monitoring Logs", 12th USENIX System Administration Conference
• Erbacher, "Intrusion and Misuse Detection in Large Scale Systems", IEEE Computer Graphics and Applications
• Sheng Ma et al., "EventMiner: An Integrated Mining Tool for Scalable Analysis of Event Data"
► Tools
• Greg Conti, "Network Attack Visualization", Defcon 2004
• NVisionIP from SIFT (Security Incident Fusion Tools), http://www.ncassr.org/projects/sift/
• Stephen P. Berry, "The Shoki Packet Hustler", http://shoki.sourceforge.net
![Page 11: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/11.jpg)
Basics
![Page 12: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/12.jpg)
How To Draw An Event Graph?
Figure: processing pipeline Device → Parser → Normalization → Event Analyzer / Visualizer. A log file (the syslog excerpt from the previous slide) goes in on the left, an event graph comes out on the right.
![Page 13: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/13.jpg)
Different Node Configurations
Raw Event:

```
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
```

Different node configurations (source node → event node → target node):

| Configuration | Source | Event | Target |
|---|---|---|---|
| SIP → Name → DIP | 192.168.10.90 | RPC portmap | 192.168.10.255 |
| SIP → DIP → DPort | 192.168.10.90 | 192.168.10.255 | 111 |
| SIP → SPort → DPort | 192.168.10.90 | 32859 | 111 |
| Name → SIP → DIP | RPC portmap | 192.168.10.90 | 192.168.10.255 |
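The parser stage of the pipeline for the Snort alert above, as an added Python example (not code from the talk or from AfterGlow): it normalizes Snort full-alert records into named fields and projects each one onto the four node configurations, producing the three-column CSV that the grapher stage consumes. The second alert record in the sample is constructed for this example.

```python
import csv
import io
import re

# Constructed Snort full-alert file: record one is the raw event from the slide,
# record two is made up; Snort separates records with a blank line.
SNORT_ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:900001:1] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-15:57:01.004211 192.168.10.90:33012 -> 192.168.10.20:161
TCP TTL:64 TOS:0x0 ID:4411 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<name>.*?) \[\*\*\]")
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$",
    re.M,
)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)", re.M)

def parse_snort_alert(record):
    """Normalize one alert record into a flat dict of named fields."""
    head, flow = HEADER_RE.search(record), FLOW_RE.search(record)
    if not head or not flow:
        raise ValueError("not a Snort full-alert record")
    fields = {**head.groupdict(), **flow.groupdict()}
    proto = PROTO_RE.search(record)
    if proto:
        fields.update(proto.groupdict())
    return fields

def parse_snort_file(text):
    """Split an alert file on blank lines and normalize every record."""
    return [parse_snort_alert(r) for r in text.split("\n\n") if r.strip()]

# The four node configurations from the slide as (source, event, target)
# field names; each picks which three fields become the graph's nodes.
NODE_CONFIGS = {
    "sip-name-dip": ("sip", "name", "dip"),
    "sip-dip-dport": ("sip", "dip", "dport"),
    "sip-sport-dport": ("sip", "sport", "dport"),
    "name-sip-dip": ("name", "sip", "dip"),
}

def to_triple(fields, config):
    """Project one normalized event onto the chosen node configuration."""
    return tuple(fields[key] for key in NODE_CONFIGS[config])

def to_csv(records, config):
    """Emit the three-column CSV an AfterGlow-style grapher reads."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(to_triple(f, config) for f in records)
    return buf.getvalue()
```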
![Page 14: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/14.jpg)
AfterGlow – Peek Preview
►AfterGlow is not a SIM - there are no parsers (well, tcpdump and sendmail are there).
►Demo of the tool for use at home and in the Jacuzzi.
Thanks to Christian @ ArcSight!
Figure: pipeline Parser → CSV File → AfterGlow → Graph Language File → Grapher → Graph.

```
cat input.csv | ./afterglow.pl -c color.properties | neato -Tgif -o output.gif
```

color.properties:

```
color.source="red"
color.event="green"
color.target="blue"
```
![Page 15: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/15.jpg)
Situational Awareness
![Page 16: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/16.jpg)
Real-time Monitoring With A Dashboard
![Page 17: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/17.jpg)
Forensic and Historical Analysis
![Page 18: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/18.jpg)
A 3D Example
►An LGL example:
![Page 19: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/19.jpg)
Monitoring Web Servers
assetCategory(DestIP)=WebServer
![Page 20: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/20.jpg)
Network Scan
![Page 21: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/21.jpg)
Suspicious Activity?
![Page 22: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/22.jpg)
Port Scan
►Port scan or something else?
![Page 23: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/23.jpg)
Firewall Activity
Figure: two graphs with node configuration SIP → Rule# → DIP, one for outgoing and one for incoming traffic; nodes are labelled External Machine and Internal Machine.

Next Steps:
1. Visualize "FW Blocks" of outgoing traffic -> Why do internal machines trigger blocks?
2. Visualize "FW Blocks" of incoming traffic -> Who and what tries to enter my network?
3. Visualize "FW Passes" of outgoing traffic -> What is leaving the network?
![Page 24: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/24.jpg)
Firewall Rule-set Analysis
Figure legend: pass / block
![Page 25: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/25.jpg)
Load Balancer
![Page 26: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/26.jpg)
Worms
![Page 27: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/27.jpg)
DefCon 2004 Capture The Flag
Figure: node configuration SIP → DIP → DPort, drawn separately for DstPort < 1024 and DstPort > 1024. Node labels: Source Of Evil, Other Team's Target, Internal Target, Internal Source, Internet Target, Our Servers, Exposed Services.
![Page 28: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/28.jpg)
DefCon 2004 Capture The Flag – TTL Games
Figure: node configuration SIP → DIP → TTL. Node labels: Source Of Evil, Internal Target, Internal Source.
![Page 29: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/29.jpg)
DefCon 2004 Capture The Flag – The Solution
Figure: node configuration Flags → TTL → DPort.
• Only show SYNs
• Show node counts
![Page 30: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/30.jpg)
Email Cliques
Figure: two-node graph From → To, with senders grouped as From: My Domain / From: Other Domain and recipients as To: My Domain / To: Other Domain.
![Page 31: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/31.jpg)
Email Relays
Figure: two-node graph From → To, with senders grouped as From: My Domain / From: Other Domain and recipients as To: My Domain / To: Other Domain.
Do you run an open relay?
• Grey out emails to and from "my domain"
• Make "my domain" invisible
![Page 32: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/32.jpg)
Email SPAM?
Figure: two-node graph To → Size, filtered to Size > 10.000, Omit threshold = 1.
Multiple recipients with same-size messages
![Page 33: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/33.jpg)
Email SPAM?
Figure: two-node graph From → nrcpt, filtered to nrcpt >= 2, Omit threshold = 1.
![Page 34: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/34.jpg)
BIG Emails
Figure: node configuration From → To → Size, filtered to Size > 100.000, Omit Threshold = 2.
Documents leaving the network?
![Page 35: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/35.jpg)
Email Server Problems?
Figure: two-node graph To → Delay, drawn separately for 2:00 < Delay < 10:00 and for Delay > 10:00.
![Page 36: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/36.jpg)
AfterGlow
afterglow.sourceforge.net
![Page 37: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/37.jpg)
AfterGlow
► http://afterglow.sourceforge.net
► Supported graphing tools:
• GraphViz from AT&T (dot and neato), http://www.research.att.com/sw/tools/graphviz/
• LGL (Large Graph Layout) by Alex Adai, http://bioinformatics.icmb.utexas.edu/lgl/
![Page 38: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/38.jpg)
AfterGlow – Command Line Parameters
● Some command line parameters:
-h : help
-t : two node mode
-d : print count on nodes
-e : edge length
-n : no node labels
-o threshold : omit threshold (fan-out for nodes to be displayed)
-c configfile : color configuration file
![Page 39: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/39.jpg)
AfterGlow – color.properties

```
color.[source|event|target|edge]=<perl expression returning a color name>
```

● Array @fields contains the input line, split into tokens:

```
color.event="red" if ($fields[1] =~ /^192\..*/)
```

● Special color "invisible":

```
color.target="invisible" if ($fields[0] eq "IIS Action")
```

● Edge color:

```
color.edge="blue"
```
![Page 40: Visual Security Event Analysis - DefCon 13 - 2005](https://reader034.vdocuments.us/reader034/viewer/2022051816/544347bdb1af9f130d8b496a/html5/thumbnails/40.jpg)
AfterGlow – color.properties - Example
```
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
```
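To show how a color.properties file like the one above, together with the "invisible" color and the -o omit threshold from the earlier slides, turns CSV rows into a drawable graph, here is an added Python example that is not AfterGlow's code: it evaluates ordered per-column color rules over constructed source,event,target rows and emits GraphViz DOT for neato. The first-match rule order, the treatment of invisible nodes and the count-based reading of the omit threshold are assumptions made for this example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed source,event,target CSV in AfterGlow's input form; made-up addresses.
SAMPLE_CSV = """\
191.141.69.4,RPC portmap UDP proxy attempt,192.168.10.255
211.254.110.7,WEB-IIS cmd.exe access,192.168.10.20
211.254.110.7,WEB-IIS cmd.exe access,192.168.10.21
10.0.0.5,IIS Action,192.168.10.20
10.0.0.9,SNMP request udp,192.168.10.20
"""

# Ordered (predicate, color) rules per column, modeled on the slide's
# color.properties; first match wins (an assumption), last entry is default.
RULES = {
    "source": [
        (lambda f: re.search(r"191\.141\.69\.4", f[0]) is not None, "olivedrab"),
        (lambda f: re.search(r"211\.254\.110\.", f[0]) is not None, "olivedrab"),
        (lambda f: True, "orangered1"),
    ],
    "event": [
        (lambda f: f[1] == "IIS Action", "invisible"),  # hides that node
        (lambda f: True, "slateblue4"),
    ],
    "target": [(lambda f: True, "olivedrab")],
}

def color_for(column, fields):
    # Evaluate the ordered rules for one column; 'black' if none match.
    for predicate, color in RULES[column]:
        if predicate(fields):
            return color
    return "black"

def build_graph(csv_text, omit_threshold=0):
    """Return (nodes, edges) with nodes as label -> (color, count). Assumed:
    'invisible' nodes and nodes seen <= omit_threshold times ('-o') vanish."""
    color, count, edges = {}, defaultdict(int), set()
    for fields in csv.reader(io.StringIO(csv_text)):
        if len(fields) != 3:
            continue  # skip malformed lines rather than draw garbage
        for label, column in zip(fields, ("source", "event", "target")):
            color[label] = color_for(column, fields)
            count[label] += 1
        edges.update([(fields[0], fields[1]), (fields[1], fields[2])])
    keep = {n for n in color if color[n] != "invisible" and count[n] > omit_threshold}
    edges = {(a, b) for a, b in edges if a in keep and b in keep}
    connected = {n for edge in edges for n in edge}  # unconnected nodes vanish too
    return {n: (color[n], count[n]) for n in keep & connected}, edges

def to_dot(nodes, edges, show_counts=False):
    # Render in GraphViz DOT, the graph language neato and dot consume.
    out = ["digraph events {"]
    for label, (col, n) in sorted(nodes.items()):
        text = f"{label} ({n})" if show_counts else label
        out.append(f'  "{label}" [label="{text}", style=filled, fillcolor="{col}"];')
    out.extend(f'  "{a}" -> "{b}";' for a, b in sorted(edges))
    return "\n".join(out + ["}"])
```

Piping `to_dot(*build_graph(SAMPLE_CSV, omit_threshold=1), show_counts=True)` into neato reproduces the -d and -o behaviour of the command line on slide 38.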