Insider Threat Visualization - HITB 2007, Kuala Lumpur

More on security visualization at: http://secviz.org

Published in: Technology, Education

  1. Insider Threat Visualization
     Raffael Marty, GCIA, CISSP
     Chief Security Strategist @ Splunk>
     Hack In The Box - September 07 - Malaysia
  2. Who Am I?
     • Chief Security Strategist and Product Manager @ Splunk>
     • Manager Solutions @ ArcSight, Inc.
     • Intrusion Detection Research @ IBM Research (http://thor.cryptojail.net)
     • IT Security Consultant @ PriceWaterhouse Coopers
     • Open Vulnerability and Assessment Language (OVAL) board
     • Common Event Expression (CEE) founding member
     • Passion for Visualization: http://secviz.org, http://afterglow.sourceforge.net
     • Applied Security Visualization (2008)
  3. Agenda
     • Convicted
     • Visualization: Log Data Processing, Data to Graph, AfterGlow and Splunk
     • Insider Threat: Insider Detection Process, Precursors, Scoring, Watch Lists
     Goal: Insider Detection Using Visualization
  4. It's Not That Easy
  5. Convicted
     In February of 2007 a fairly large information leak case made the news. The scientist Gary Min faces up to 10 years in prison for stealing 16,706 documents and over 22,000 scientific abstracts from his employer DuPont. The intellectual property he was about to leak to a DuPont competitor, Victrex, was assessed to be worth $400 million. There is no evidence Gary actually turned the documents over to Victrex.
  6. DuPont Case - How It Could Have Been Prevented
     What's the answer?
  7. DuPont Case - Log Collection!
  8. DuPont Case - Simple Solution
  9. DuPont Case - More Generic Solution
     [figure: link graph of user -> server]
  10. Visualization Questions
     • Who analyzes logs?
     • Who uses visualization for log analysis?
     • Who is using AfterGlow?
     • Have you heard of SecViz.org?
     • What tools are you using for log analysis?
  11. Visualization
     ✓ Answer questions you didn't even know of
     ✓ Quickly understand thousands of data entries
     ✓ Increase Efficiency
     ✓ Facilitate communication
     ✓ Increase response time through improved understanding
     ✓ Make Informed Decisions
  12. Insider Threat Visualization
     • Huge amounts of data
       - More and other data sources than for the traditional security use-cases
       - Insiders often have legitimate access to machines and data. You need to log more than the exceptions
       - Insider crimes are often executed on the application layer. You need transaction data and chatty application logs
     • The questions are not known in advance!
       - Visualization provokes questions and helps find answers
     • Dynamic nature of fraud
       - Problem for static algorithms
       - Bandits quickly adapt to fixed threshold-based detection systems
       - Looking for any unusual patterns
  13. Visualizing Log Data - Parsing
     Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
     Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
     Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
     Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
     Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
     Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
     Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
     Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun 17 09:45:42 rmarty last message repeated 2 times
     Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
     Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     ✓ Interpret Data
     ✓ Know Data Formats
     ✓ Re-use, don't re-invent
     ✓ Find parsers at: http://secviz.org/?q=node/8
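The parsing step on slide 13 is the part most people get wrong: the log has to be turned into fields before anything can be graphed, and "interpreting" it includes lines like "last message repeated 2 times", which carry no program name and stand for copies of the previous event. The following is an added example, not code from the talk or from AfterGlow: a small syslog parser over the slide's own sample lines (embedded here as constructed input) that expands repeat markers, pulls IPv4 and MAC addresses out of the message text, and writes the comma-separated columns a link-graph tool such as AfterGlow expects. The column choice host,prog,ip is an assumption for illustration.

```python
import csv
import io
import re

# Sample input, constructed from the lines shown on slide 13.
SAMPLE_LOG = """\
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
"""

# Classic BSD syslog: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# syslogd's compression marker; it has no program field, so it needs its own pattern.
REPEAT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) last message repeated (?P<n>\d+) times$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)


def parse_syslog(text):
    """Return (records, unparsed_lines). Repeat markers are expanded into
    copies of the preceding record so counts in a graph stay honest."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SYSLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = rec["pid"] or ""
            ip = IPV4_RE.search(rec["msg"])
            mac = MAC_RE.search(rec["msg"])
            rec["ip"] = ip.group(0) if ip else ""
            rec["mac"] = mac.group(0) if mac else ""
            records.append(rec)
            continue
        r = REPEAT_RE.match(line)
        if r and records:
            for _ in range(int(r.group("n"))):
                dup = dict(records[-1])
                dup["time"] = r.group("time")  # keep the repeat line's timestamp
                records.append(dup)
            continue
        unparsed.append(line)  # never silently drop what you could not read
    return records, unparsed


def to_csv(records, columns=("host", "prog", "ip"), skip_incomplete=True):
    """Emit the selected fields as CSV rows (source,event,target style);
    rows missing any selected field are skipped so the graph has no empty nodes."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for rec in records:
        row = [rec.get(c, "") for c in columns]
        if skip_incomplete and not all(row):
            continue
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    recs, bad = parse_syslog(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(bad)} unparsed")
    print(to_csv(recs), end="")
```

Piping the CSV into a grapher is the next step the slides take; the point here is that the parser, not the grapher, decides what a node is, so every field you want to see in the graph has to come out of this stage.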
  14. Charts - Going Beyond Excel
     • Multi-variate graphs
       - Link Graphs
       - TreeMaps
       - Parallel Coordinates
     [figures: link graph of 10.0.0.1 / 10.12.0.2; treemap of UDP / TCP split into HTTP, DNS, SSH, SNMP, FTP]
  15. Beyond The Boring Defaults For Link Graphs
     [figure: SIP -> Name -> DIP, e.g. 10.0.0.1 -> ... -> 10.12.0.2]
  16. Link Graph Shake Up
     [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
     [Classification: Decode of an RPC Query] [Priority: 2]
     06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
     UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
     Len: 120
     The same alert as four different node configurations:
     • SIP -> Name -> DIP: 192.168.10.90 -> portmap -> 192.168.10.255
     • SIP -> DIP -> DPort: 192.168.10.90 -> 192.168.10.255 -> 111
     • SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
     • Name -> SIP -> DIP: RPC portmap -> 192.168.10.90 -> 192.168.10.255
  17. TreeMaps
     What is this?
     [figure: treemap of All Network Traffic; UDP, TCP; HTTP, DNS, SSH, SNMP, FTP]
  18. TreeMaps Explained
     Treemap2 (http://www.cs.umd.edu/hcil/treemap)
     Configuration:
     • Size: Count
     • Color: Service
     • Hierarchy: Protocol -> Service
     [figure: treemap with UDP 20% / TCP 80%, TCP split into HTTP, DNS, SSH, SNMP, FTP]
  19. What's Splunk?
     1. Universal Real Time Indexing
     2. Ad-hoc Search & Navigation
     3. Distributed / Federated Search
     4. Interactive Alerting & Reporting
     5. Knowledge Capture & Sharing
     The IT Search Engine: search, navigate, alert, report, share
     Sources: Router, Firewall, Switch, Web Server, App Server, Database; logs, configurations, scripts & code, messages, traps & alerts, activity reports, stack traces, metrics
  20. AfterGlow
     http://afterglow.sourceforge.net
     Pipeline: CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher
     CSV input:
       aaelenes,Printing Resume
       abbe,Information Encryption
       aanna,Patent Access
       aatharuv,Ping
     Generated graph language file:
       digraph structs {
         graph [label="AfterGlow 1.5.8", fontsize=8];
         node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
         edge [len=1.6];
         "aaelenes" -> "Printing Resume" ;
         "abbe" -> "Information Encryption" ;
         "aanna" -> "Patent Access" ;
         "aatharuv" -> "Ping" ;
       }
  21. Why AfterGlow?
     • Translates CSV into graph description
     • Define node and edge attributes
       - color
       - size
       - shape
     • Filter and process data entries
       - threshold filter
       - fan-out filter (figure: Fan Out: 3)
       - clustering
     Property file examples:
       # Variable and Color
       variable=@violation=("Backdoor Access", "HackerTool Download");
       color.target="orange" if (grep(/$fields[1]/,@violation));
       color.target="palegreen"
       # Node Size and Threshold
       maxnodesize=1;
       size.source=$fields[2]
       size=0.5
       sum.target=0;
       threshold.source=14;
       # Color and Cluster
       color.source="palegreen" if ($fields[0] =~ /^111/)
       color.source="red"
       color.target="palegreen"
       cluster.source=regex_replace("(\d+)\.\d+")."/8"
  22. AfterGlow - Splunk Demo
     ./splunk <command>
     ./splunk search "<search command>" -auth <user>:<pass>
     ./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
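Slides 20 to 22 describe what AfterGlow does with a CSV file: turn rows into edges, apply per-node rules (color, threshold, fan-out, clustering) from a property file, and emit a graph description for Graphviz. The block below is an added example written for this page, a deliberately small Python re-implementation of that idea and not AfterGlow's own Perl code; the rule semantics (violation list colouring, a minimum-count threshold, a fan-out filter, a /8 cluster) follow the property-file snippets on slide 21, and the sample CSV is the slide 20 data plus a few constructed rows so the rules have something to act on. Function and parameter names are my own.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed input in the two-column "source,target" form (afterglow -t).
# The first four rows are from slide 20; the rest are added here.
SAMPLE_CSV = """\
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
aatharuv,Ping
abbe,Backdoor Access
abbe,HackerTool Download
"""

# Mirrors: variable=@violation=("Backdoor Access", "HackerTool Download");
VIOLATIONS = {"Backdoor Access", "HackerTool Download"}


def read_edges(text):
    """CSV rows -> list of (source, target) tuples; extra columns are ignored."""
    return [(row[0], row[1]) for row in csv.reader(io.StringIO(text)) if len(row) >= 2]


def violation_color(target):
    """Mirrors: color.target="orange" if in @violation, else "palegreen"."""
    return "orange" if target in VIOLATIONS else "palegreen"


def cluster_slash8(node):
    """Mirrors: cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
    Collapses a dotted-quad source into its /8 so one node stands for a whole block."""
    m = re.match(r"(\d+)\.\d+", node)
    return m.group(1) + "/8" if m else node


def filter_edges(edges, min_source_count=1, min_fanout=1, cluster_source=None):
    """Apply the slide 21 filters: cluster sources first (so counts are per cluster),
    then drop sources seen fewer than min_source_count times (threshold.source)
    or connected to fewer than min_fanout distinct targets (fan-out filter)."""
    if cluster_source is not None:
        edges = [(cluster_source(s), t) for s, t in edges]
    src_count = Counter(s for s, _ in edges)
    fanout = defaultdict(set)
    for s, t in edges:
        fanout[s].add(t)
    return [
        (s, t) for s, t in edges
        if src_count[s] >= min_source_count and len(fanout[s]) >= min_fanout
    ]


def to_dot(edges, target_color=violation_color, source_color="lightblue"):
    """Render edges as a Graphviz digraph, one node statement per distinct node
    and one edge statement per distinct (source, target) pair."""
    lines = ["digraph structs {", "  node [shape=ellipse, style=filled, fontsize=10];"]
    sources = {s for s, _ in edges}
    targets = {t for _, t in edges}
    for n in sorted(sources):
        lines.append(f'  "{n}" [fillcolor={source_color}];')
    for n in sorted(targets):
        lines.append(f'  "{n}" [fillcolor={target_color(n)}];')
    seen = set()
    for s, t in edges:
        if (s, t) not in seen:
            seen.add((s, t))
            lines.append(f'  "{s}" -> "{t}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Only users who touched at least two distinct activities survive the fan-out filter.
    print(to_dot(filter_edges(read_edges(SAMPLE_CSV), min_fanout=2)))
```

The output is plain DOT, so it can be piped into `neato -Tgif -o test.gif` exactly as the slide 22 command does with AfterGlow's output; the only thing the filter changes is which nodes reach the grapher at all, which is what keeps a graph of thousands of log lines readable.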
  23. Insider Threat Definition
     "Current or former employee or contractor who
     • intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
     • targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations"
     [CERT: http://www.cert.org/insider_threat Definition of an Insider]
  24. Three Types of Insider Threats
     • Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.
     • Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.
     • Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems, or business operations.
     [figure: triangle of Information Leak, Fraud, Sabotage]
  25. Insider Threat Detection
     • Understand who is behind the crime
     • Know what to look for
     • Stop insiders before they become a problem
     • Use precursors to monitor and profile users
     • Define an insider detection process to analyze precursor activity
  26. Insider Detection Process
     • Build List of Precursors
     • Assign Scores to Precursors
     Examples:
     • Accessing job Web sites such as monster.com: 1
     • Sales person accessing patent filings: 10
     • Printing files with "resume" in the file name: 5
     • Sending emails to 50 or more recipients outside of the company: 3
  27. Insider Detection Process
     • Build List of Precursors
     • Assign Scores to Precursors
     • Apply Precursors to Log Files
     Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
     Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07) set hot key operating mode to all disabled
     Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
     Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
     Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
     Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
  28. Insider Detection Process
     • Build List of Precursors
     • Assign Scores to Precursors
     • Apply Precursors to Log Files
     • Visualize Insider Candidate List
  29. Insider Detection Process
     • Build List of Precursors
     • Assign Scores to Precursors
     • Apply Precursors to Log Files
     • Visualize Insider Candidate List
     • Introduce User Roles (figure: Engineer, Legal)
  30. Insider Detection Process
     • Build List of Precursors
     • Assign Scores to Precursors
     • Apply Precursors to Log Files
     • Visualize Insider Candidate List
     • Introduce User Roles
     • Where Did the Scores Go?
  31. Visualization for Insider Detection
     • Visualization as a precursor
       - analyze data access per user role
       - find anomalies in financial transactions
     • Documentation and communication of activity
     • Tuning and analyzing process output
       - groups of users with similar behavior
       - groups of users with similar scores
  32. Process Improvements
     • Bucketizing precursors:
       - Minimal or no impact
       - Potential setup for insider crime
       - Malicious activity okay for some user roles
       - Malicious activity should never happen
       - Insider Act
     • Maximum of 20 points per bucket
     • Using watch lists to boost / decrease scores for specific groups of users
       - Input from other departments (HR, etc.)
  33. Tiers of Insiders
     • 0-20: Nothing to worry about yet
     • 20-60: On a bad track of just going malicious
     • 60-80: Very likely has malicious intentions
     • 80-100: Malicious Insiders
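Slides 26 through 33 lay out one procedure: list precursors, give each a score, run them over log files, make the per-user totals role-aware, then (slide 32) group precursors into buckets capped at 20 points, let a watch list from HR move a score up or down, and (slide 33) map the total onto tiers. The block below is an added example, not the author's or Splunk's code, that carries that whole procedure through on constructed log lines. Scores for the four slide-26 precursors are the slide's; the scores given to the two slide-27 examples (failed sudo authorization, a "password cracker" search), the bucket assignments, the log line format `<timestamp> <source> user=<name> <event>`, the role and watch-list tables, and the half-open tier boundaries are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

BUCKET_CAP = 20  # slide 32: maximum of 20 points per bucket
BUCKETS = ("minimal", "setup", "malicious_for_some_roles", "malicious_never", "insider_act")


@dataclass
class Precursor:
    name: str
    score: int
    bucket: str
    match: Callable[[str], object]      # truthy when the event text matches
    roles: Optional[set] = None         # roles this counts for; None = every role


def mass_external_mail(event, minimum=50):
    """Slide 26: 50 or more recipients outside the company (needs a numeric test, not just a regex)."""
    m = re.search(r"recipients=(\d+) external", event)
    return bool(m) and int(m.group(1)) >= minimum


PRECURSORS = [
    Precursor("job site access", 1, "minimal", re.compile(r"monster\.com").search),
    Precursor("resume printed", 5, "setup", re.compile(r"print .*resume", re.IGNORECASE).search),
    Precursor("mass external email", 3, "setup", mass_external_mail),
    # Patent access is normal for Legal and Engineering; it only scores for Sales.
    Precursor("patent filing access", 10, "malicious_for_some_roles",
              re.compile(r"access /patents/").search, roles={"sales"}),
    # Assumed scores for the slide 27 examples.
    Precursor("password cracker search", 10, "malicious_never",
              re.compile(r"q=password\+cracker").search),
    Precursor("failed sudo authorization", 5, "malicious_never",
              re.compile(r"Failed to authorize right .* by process /usr/bin/sudo").search),
]

# Assumed, constructed log format: "<timestamp> <source> user=<name> <event>"
LOG_RE = re.compile(r"^\S+ \S+ user=(?P<user>\S+) (?P<event>.*)$")

SAMPLE_LOG = """\
2007-08-27T10:21:39 proxy user=ram GET http://www.monster.com/jobs
2007-08-27T10:25:02 print user=ram print job "my_resume.doc"
2007-08-27T10:30:11 mail user=ram recipients=72 external
2007-08-27T11:02:50 dms user=ram access /patents/filing-2007-031.pdf
2007-08-27T11:05:00 proxy user=ram GET www.google.com/search?q=password+cracker
2007-08-27T11:05:30 proxy user=ram GET www.google.com/search?q=password+cracker
2007-08-27T11:06:00 proxy user=ram GET www.google.com/search?q=password+cracker
2007-08-27T11:10:00 dms user=lee access /patents/filing-2007-031.pdf
2007-08-27T11:12:00 proxy user=lee GET http://www.monster.com/jobs
"""
ROLES = {"ram": "sales", "lee": "legal"}          # constructed role table (slide 29)
WATCH_LIST = {"ram": +10}                          # constructed HR input, e.g. resignation filed (slide 32)


def tier(score):
    """Slide 33 tiers; the half-open boundaries are an assumption."""
    if score < 20:
        return "nothing to worry about yet"
    if score < 60:
        return "on a bad track"
    if score < 80:
        return "very likely malicious intentions"
    return "malicious insider"


def score_users(log_text, roles, watch_list):
    """Apply every precursor to every line, sum per user and bucket, cap each bucket,
    apply the watch-list adjustment, clamp to 0..100 and assign a tier."""
    buckets = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, event = m.group("user"), m.group("event")
        role = roles.get(user, "unknown")
        for p in PRECURSORS:
            if p.roles is not None and role not in p.roles:
                continue
            if p.match(event):
                buckets[user][p.bucket] += p.score
                hits[user].append(p.name)
    results = {}
    for user, per_bucket in buckets.items():
        raw = sum(min(v, BUCKET_CAP) for v in per_bucket.values())
        total = max(0, min(100, raw + watch_list.get(user, 0)))
        results[user] = {"score": total, "tier": tier(total),
                         "buckets": dict(per_bucket), "precursors": hits[user]}
    return results


if __name__ == "__main__":
    for user, r in sorted(score_users(SAMPLE_LOG, ROLES, WATCH_LIST).items()):
        print(f"{user:6} {r['score']:3}  {r['tier']:32} {r['buckets']}")
```

The bucket cap is what answers slide 30's "Where did the scores go?": three identical searches would otherwise push one user to the top tier on a single behaviour, while the cap keeps a high score reserved for users who show precursors across several buckets. The `results` dictionary is also the natural input for the candidate-list visualizations on slides 28 and 31 (users grouped by similar scores or similar precursor sets).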
  34. The Insider? Finally?
  35. Summary
     • Log visualization
     • Beyond the boring chart defaults
     • AfterGlow and Splunk - The free way to understanding your data
     • Insider threat
     • Insider detection process
  36. Thank You
     www.secviz.org
     raffael.marty@splunk.com
     raffy.ch/blog
