Visual Security Event Analysis - DefCon 13 - 2005
More on security visualization: http://secviz.org
In the network security world, event graphs are evolving into a useful data analysis tool, providing a powerful alternative to reading raw log data. By visually outlining relationships among security events, analysts are given a tool to intuitively draw conclusions about the current state of their network and to respond quickly to emerging issues.

I will be showing a myriad of graphs generated with data from various sources, such as Web servers, firewalls, network based intrusion detection systems, mail servers, and operating system logs. Each of the graphs will be used to show a certain property of the dataset analyzed. They will show anomalous behavior, misconfigurations and simply help document activities in a network.

As part of this talk, I will release a tool that can be used to experiment with generating event graphs. A quick tutorial will show how easy it is to generate graphs from security data of your own environment.

Video at: http://www.youtube.com/watch?v=5GK8mYumn6Q

Transcript

  • 1. Visual Security Event Analysis
    DefCon 13, Las Vegas
    Raffael Marty, GCIA, CISSP
    Senior Security Engineer @ ArcSight
    July 29, 2005
  • 2. Raffael Marty
    ► Enterprise Security Management (ESM) specialist
    ► OVAL Advisory Board (Open Vulnerability and Assessment Language)
    ► ArcSight Research & Development
    ► IBM Research
      • Thor - http://thor.cryptojail.net
      • Log analysis and event correlation research
      • Tivoli Risk Manager
    Raffael Marty, Defcon 2005, Las Vegas
  • 3. Table Of Contents
    ► Introduction
    ► Related Work
    ► Basics
    ► Situational Awareness
    ► Forensic and Historical Analysis
    ► AfterGlow
  • 4. Introduction
  • 5. Disclaimer
    IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance to well-known addresses or host names is purely coincidental.
  • 6. Text or Visuals?
    ► What would you rather look at?
      Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
      Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
      Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
      Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
      Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
      Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
      Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
      Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
      Jun 17 09:45:42 rmarty last message repeated 2 times
      Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
      Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
      Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
      Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
      Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
      Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
      Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
      Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
      Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
      Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
      Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
      Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
      Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
      Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
      Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
      Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
      Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
      Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
      Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
      Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
      Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
      Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
      Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
      Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
  • 7. Why Use Event Graphs?
    ► Visual representation of textual information (logs and events)
    ► Visual display of the most important properties
    ► Reduce analysis and response times
      • Quickly visualize thousands of events
      • A picture tells more than a thousand log lines
    ► Situational awareness
      • Visualize status of business posture
    ► Facilitate communication
      • Use graphs to communicate with other teams
      • Graphs are easier to understand than textual events
  • 8. When To Use Event Graphs
    ► Real-time monitoring
      • What is happening in a specific business area (e.g., compliance monitoring)
      • What is happening on a specific network
      • What are certain servers doing
      • Look at specific aspects of events
    ► Forensics and Investigations
      • Selecting an arbitrary set of events for investigation
      • Understanding the big picture
      • Analyzing relationships
  • 9. Related Work
  • 10. Related Work
    ► Classics
      • Luc Girardin, "A Visual Approach for Monitoring Logs", 12th USENIX System Administration Conference (LISA)
      • Robert Erbacher, "Intrusion and Misuse Detection in Large Scale Systems", IEEE Computer Graphics and Applications
      • Sheng Ma et al., "EventMiner: An Integrated Mining Tool for Scalable Analysis of Event Data"
    ► Tools
      • Greg Conti, "Network Attack Visualization", Defcon 2004
      • NVisionIP from SIFT (Security Incident Fusion Tools), http://www.ncassr.org/projects/sift/
      • Stephen P. Berry, "The Shoki Packet Hustler", http://shoki.sourceforge.net
  • 11. Basics
  • 12. How To Draw An Event Graph?
    Pipeline: Device -> Parser -> Normalization -> Event Analyzer / Visualizer
    Input: Log File (the syslog excerpt from slide 6: ifup, sendmail and vmnet-dhcpd lines) -> Output: Event Graph
  • 13. Different Node Configurations
    Raw Event:
      [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
      [Classification: Decode of an RPC Query] [Priority: 2]
      06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
      UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
      Len: 120
    Different node configurations for the same event:
      SIP -> Name -> DIP:    192.168.10.90 -> RPC portmap -> 192.168.10.255
      SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
      SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
      Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255
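Slide 13 shows a single alert projected onto four node configurations; the step before that (slide 12) is the parser and normalizer that turns raw log text into fields. The following Python is an added example for this page, not one of AfterGlow's own parsers (the deck says only tcpdump and sendmail parsers ship with it). It parses the Snort full-alert block from slide 13 and the portsentry lines from slide 6 into normalized fields, then writes the three-column source,event,target CSV that afterglow.pl reads, for whichever node configuration you pick. The regexes are written against the formats printed on those two slides; mapping portsentry's logging host to DIP and labelling the event "UDP scan" are my choices, and the "already blocked" lines are deliberately skipped because they add no new tuple.

```python
import csv
import io
import re

# Snort "full" alert, copied from slide 13.
SNORT_ALERT = """[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120"""

# portsentry syslog lines, copied from slide 6; the logging host "rmarty" is the scanned machine.
SYSLOG = """Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68"""

# Snort full-alert block: header line, classification/priority line, 5-tuple line, IP header line.
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<name>.+?) \[\*\*\]\n"
    r"(?:\[Classification: [^\]]+\] )?\[Priority: \d+\]\n"
    r"\S+ (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)\n"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+)"
)
# portsentry "attackalert: ... scan from host: A/A to ... port: N" line (syslog-prefixed).
PORTSENTRY_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) portsentry\[\d+\]: attackalert: "
    r"(?P<proto>TCP|UDP) scan from host: (?P<sip>[\d.]+)/[\d.]+ to (?:TCP|UDP) port: (?P<dport>\d+)$"
)


def parse_snort(text):
    """Yield one normalized field dict per Snort full alert (alerts are blank-line separated)."""
    for block in text.strip().split("\n\n"):
        m = SNORT_RE.match(block.strip())
        if m:
            yield {"SIP": m["sip"], "SPort": m["sport"], "DIP": m["dip"], "DPort": m["dport"],
                   "Name": m["name"], "Proto": m["proto"], "TTL": m["ttl"]}


def parse_portsentry(text):
    """Yield one normalized dict per 'scan from host' line; 'already blocked' lines are skipped."""
    for line in text.splitlines():
        m = PORTSENTRY_RE.match(line)
        if m:
            # Assumption: the syslog host is the scan target (DIP); the event name is synthesized.
            yield {"SIP": m["sip"], "SPort": "", "DIP": m["host"], "DPort": m["dport"],
                   "Name": f"{m['proto']} scan", "Proto": m["proto"], "TTL": ""}


def to_afterglow_csv(events, config=("SIP", "Name", "DIP")):
    """Project normalized events onto a three-node configuration; return AfterGlow CSV text
    (source,event,target per line)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for e in events:
        writer.writerow([e[field] for field in config])
    return buf.getvalue()


def rows(config=("SIP", "Name", "DIP")):
    """Parse both embedded samples and return the CSV lines for the given node configuration."""
    events = list(parse_snort(SNORT_ALERT)) + list(parse_portsentry(SYSLOG))
    return to_afterglow_csv(events, config).splitlines()


if __name__ == "__main__":
    for cfg in (("SIP", "Name", "DIP"), ("SIP", "DIP", "DPort"), ("SIP", "SPort", "DPort")):
        print(" -> ".join(cfg))
        print("\n".join(rows(cfg)), "\n")
```

Pipe the output of `rows()` into afterglow.pl exactly as slide 14 does; switching the tuple passed to `rows()` is the whole difference between the four graphs on slide 13.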
  • 14. AfterGlow – Sneak Preview
    ► AfterGlow is not a SIM - there are no parsers (well, tcpdump and sendmail are there).
    Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher -> Graph
    ► Demo of the tool for use at home and in the Jacuzzi.
    color.properties:
      color.source="red"
      color.event="green"
      color.target="blue"
    cat input.csv | ./afterglow.pl -c color.properties | neato -Tgif -o output.gif
    Thanks to Christian @ ArcSight!
  • 15. Situational Awareness
  • 16. Real-time Monitoring With A Dashboard
  • 17. Forensic and Historical Analysis
  • 18. A 3D Example
    ► An LGL example:
  • 19. Monitoring Web Servers
    Filter: assetCategory(DestIP) = WebServer
  • 20. Network Scan
  • 21. Suspicious Activity?
  • 22. Port Scan
    ► Port scan or something else?
  • 23. Firewall Activity
    Node configuration: SIP -> Rule# -> DIP
    Legend: External Machine, Internal Machine, Rule#; edge direction: Outgoing, Incoming
    Next Steps:
      1. Visualize "FW Blocks" of outgoing traffic -> Why do internal machines trigger blocks?
      2. Visualize "FW Blocks" of incoming traffic -> Who and what tries to enter my network?
      3. Visualize "FW Passes" of outgoing traffic -> What is leaving the network?
  • 24. Firewall Rule-set Analysis
    Legend: pass, block
  • 25. Load Balancer
  • 26. Worms
  • 27. DefCon 2004 Capture The Flag
    Node configuration: SIP -> DIP -> DPort
    Legend: Source Of Evil, Internal Target, Other Teams Target, Internal Source, Internet Target
    Annotations: DstPort < 1024, DstPort > 1024, Exposed Services, Our Servers
  • 28. DefCon 2004 Capture The Flag – TTL Games
    Node configuration: SIP -> DIP -> TTL
    Legend: Source Of Evil, Internal Target, Internal Source
  • 29. DefCon 2004 Capture The Flag – The Solution
    Node configuration: DPort -> Flags -> TTL
    Show node counts; only show SYNs
  • 30. Email Cliques
    Node configuration: From -> To
    Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
  • 31. Email Relays
    Node configuration: From -> To
    Make emails to and from "my domain" invisible; grey out "my domain"
    Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
    Do you run an open relay?
  • 32. Email SPAM?
    Node configuration: To -> Size
    Filter: Size > 10,000; Omit threshold = 1
    Multiple recipients with same-size messages
  • 33. Email SPAM?
    Node configuration: From -> nrcpt
    Filter: nrcpt >= 2; Omit threshold = 1
  • 34. BIG Emails
    Node configuration: From -> To -> Size
    Filter: Size > 100,000; Omit threshold = 2
    Documents leaving the network?
  • 35. Email Server Problems?
    Node configuration: To -> Delay
    Two graphs: 2:00 < Delay < 10:00, and Delay > 10:00
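Slides 32 through 35 ask four different questions of the same sendmail log, each reducible to a field, a threshold and a node configuration. As an added example for this page (not AfterGlow's bundled sendmail parser), the Python below correlates sendmail's from= and to= lines by queue ID and then evaluates each slide's question: same-size messages above 10,000 bytes reaching more than one recipient (slide 32), senders with nrcpts >= 2 (slide 33), messages over 100,000 bytes (slide 34) and delivery-delay bands (slide 35), plus the From,To,Size rows slide 34 graphs. The log lines are constructed for this example in the standard sendmail syslog format; the hosts, addresses and queue IDs are invented. Delays with a day prefix (sendmail logs "1+02:03:04") are not handled, which is a simplification.

```python
import re
from collections import defaultdict

# Constructed sendmail log lines (standard from=/to= format; addresses and queue IDs invented).
SENDMAIL_LOG = """Jun 17 11:02:14 mail sendmail[2231]: j5HI2Ebq002231: from=<alice@mydomain.example>, size=1842, class=0, nrcpts=1, msgid=<20050617110214.GA2231@mydomain.example>, proto=ESMTP, daemon=MTA, relay=ws17.mydomain.example [10.0.1.17]
Jun 17 11:02:15 mail sendmail[2233]: j5HI2Ebq002231: to=<bob@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31842, relay=mx.other.example. [203.0.113.25], dsn=2.0.0, stat=Sent (OK)
Jun 17 11:05:40 mail sendmail[2240]: j5HI5eRt002240: from=<promo@bulk.example>, size=15230, class=0, nrcpts=3, msgid=<1118999140.77@bulk.example>, proto=ESMTP, daemon=MTA, relay=[198.51.100.40]
Jun 17 11:05:42 mail sendmail[2242]: j5HI5eRt002240: to=<carol@mydomain.example>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=45230, dsn=2.0.0, stat=Sent
Jun 17 11:05:42 mail sendmail[2242]: j5HI5eRt002240: to=<dave@mydomain.example>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=45230, dsn=2.0.0, stat=Sent
Jun 17 11:05:42 mail sendmail[2242]: j5HI5eRt002240: to=<erin@mydomain.example>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=45230, dsn=2.0.0, stat=Sent
Jun 17 11:20:03 mail sendmail[2310]: j5HIK3Wq002310: from=<frank@mydomain.example>, size=2504331, class=0, nrcpts=1, msgid=<20050617112003.GB2310@mydomain.example>, proto=ESMTP, daemon=MTA, relay=ws08.mydomain.example [10.0.1.8]
Jun 17 11:32:34 mail sendmail[2311]: j5HIK3Wq002310: to=<drop@external.example>, delay=00:12:31, xdelay=00:12:29, mailer=esmtp, pri=2534331, relay=mx.external.example. [203.0.113.90], dsn=2.0.0, stat=Sent (OK)
Jun 17 11:40:00 mail sendmail[2350]: j5HIe0Ab002350: from=<gina@mydomain.example>, size=4200, class=0, nrcpts=1, msgid=<20050617114000.GC2350@mydomain.example>, proto=ESMTP, daemon=MTA, relay=ws03.mydomain.example [10.0.1.3]
Jun 17 11:44:10 mail sendmail[2351]: j5HIe0Ab002350: to=<hank@other.example>, delay=00:04:10, xdelay=00:04:08, mailer=esmtp, pri=34200, relay=mx.other.example. [203.0.113.25], dsn=2.0.0, stat=Sent (OK)"""

FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<from>[^>,]*)>?, size=(?P<size>\d+), "
                     r"class=-?\d+, nrcpts=(?P<nrcpts>\d+)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<?(?P<to>[^>,]*)>?, delay=(?P<delay>\d+:\d\d:\d\d)")


def delay_seconds(hms):
    """'HH:MM:SS' -> seconds (day-prefixed delays are not handled here)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_sendmail(text):
    """Join from= and to= lines on the queue ID: {qid: {from, size, nrcpts, rcpts:[(to, delay_s)]}}."""
    msgs = {}
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]] = {"from": m["from"], "size": int(m["size"]),
                              "nrcpts": int(m["nrcpts"]), "rcpts": []}
            continue
        m = TO_RE.search(line)
        if m and m["qid"] in msgs:
            msgs[m["qid"]]["rcpts"].append((m["to"], delay_seconds(m["delay"])))
    return msgs


def same_size_fanout(msgs, min_size=10000, omit=1):
    """Slide 32 (To -> Size, omit threshold 1): sizes above min_size seen by more than `omit` recipients."""
    rcpts_by_size = defaultdict(set)
    for m in msgs.values():
        if m["size"] > min_size:
            for to, _ in m["rcpts"]:
                rcpts_by_size[m["size"]].add(to)
    return {size: sorted(r) for size, r in rcpts_by_size.items() if len(r) > omit}


def multi_recipient_senders(msgs, min_nrcpts=2):
    """Slide 33 (From -> nrcpt): senders whose messages declared nrcpts >= min_nrcpts."""
    return sorted({m["from"] for m in msgs.values() if m["nrcpts"] >= min_nrcpts})


def big_emails(msgs, min_size=100000):
    """Slide 34 (From -> To -> Size): the rows that would be graphed for Size > min_size."""
    return [(m["from"], to, m["size"]) for m in msgs.values() for to, _ in m["rcpts"] if m["size"] > min_size]


def delay_bands(msgs, low=120, high=600):
    """Slide 35 (To -> Delay): recipients with low < delay < high, and those with delay > high."""
    slow, stuck = [], []
    for m in msgs.values():
        for to, d in m["rcpts"]:
            if d > high:
                stuck.append(to)
            elif d > low:
                slow.append(to)
    return slow, stuck


if __name__ == "__main__":
    msgs = parse_sendmail(SENDMAIL_LOG)
    print("same-size fan-out:", same_size_fanout(msgs))
    print("multi-recipient senders:", multi_recipient_senders(msgs))
    print("big emails:", big_emails(msgs))
    print("delay bands:", delay_bands(msgs))
```

The four functions are the textual equivalent of the four graphs: each one is a filter plus a grouping, and the "omit threshold" of slide 32 is simply the minimum fan-in a Size node needs before it is worth drawing.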
  • 36. AfterGlow
    afterglow.sourceforge.net
  • 37. AfterGlow
    ► http://afterglow.sourceforge.net
    ► Supported graphing tools:
      • GraphViz from AT&T (dot and neato), http://www.research.att.com/sw/tools/graphviz/
      • LGL (Large Graph Layout) by Alex Adai, http://bioinformatics.icmb.utexas.edu/lgl/
  • 38. AfterGlow – Command Line Parameters
    ● Some command line parameters:
      -h : help
      -t : two node mode
      -d : print count on nodes
      -e : edge length
      -n : no node labels
      -o threshold : omit threshold (fan-out for nodes to be displayed)
      -c configfile : color configuration file
  • 39. AfterGlow – color.properties
    color.[source|event|target|edge]=<perl expression returning a color name>
    ● Array @fields contains the input line, split into tokens:
      color.event="red" if ($fields[1] =~ /^192\./)
    ● Special color "invisible":
      color.target="invisible" if ($fields[0] eq "IIS Action")
    ● Edge color:
      color.edge="blue"
  • 40. AfterGlow – color.properties - Example
    # Conditional lines come first; the first matching line wins, the unconditional line is the default.
    # Dots are escaped so "." matches only the octet separator (an unescaped dot matches any character).
    color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
    color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
    color.source="orangered1"
    color.event="slateblue4"
    color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
    color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
    color.target="orangered1"
    color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/));
    color.edge="cyan4"
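Slides 38 through 40 describe AfterGlow's switches and color rules, and slide 23 the SIP -> Rule# -> DIP firewall configuration they get applied to. The Python below is an added example and not AfterGlow itself: a minimal grapher that reads the three-column CSV, keeps per-node counts (the -d switch), applies an omit threshold (-o) and first-match-wins color rules modelled on color.properties, and emits Graphviz DOT that dot or neato can render. The firewall rows are constructed (internal 10.0.1.0/24, external documentation addresses, rule names invented). The omit-threshold semantics used here, a node is drawn only if it appears in more than `omit` input rows and an edge only if both its endpoints survive, is my reading of slide 38's "fan-out for nodes to be displayed", not a statement of AfterGlow's exact behaviour.

```python
import csv
import io
import re
from collections import Counter

# Constructed firewall records in slide 23's SIP -> Rule# -> DIP configuration (not from the talk).
FIREWALL_CSV = """10.0.1.5,block-out-r12,198.51.100.7
10.0.1.5,block-out-r12,198.51.100.8
10.0.1.5,block-out-r12,198.51.100.9
10.0.1.9,pass-out-r3,203.0.113.2
203.0.113.77,block-in-r7,10.0.1.5
203.0.113.77,block-in-r7,10.0.1.9
203.0.113.78,block-in-r7,10.0.1.9
"""

INTERNAL = re.compile(r"^10\.0\.")  # assumed internal range for this example

# color.properties equivalent: per role, an ordered list of (predicate over the fields, color);
# the first predicate that holds wins, and the last entry is the unconditional default.
COLOR_RULES = {
    "source": [(lambda f: bool(INTERNAL.match(f[0])), "olivedrab"), (lambda f: True, "orangered1")],
    "event":  [(lambda f: f[1].startswith("block"), "firebrick"), (lambda f: True, "slateblue4")],
    "target": [(lambda f: bool(INTERNAL.match(f[2])), "olivedrab"), (lambda f: True, "orangered1")],
}


def color_for(role, fields):
    for predicate, color in COLOR_RULES[role]:
        if predicate(fields):
            return color
    return "black"


def build_graph(csv_text, omit=0):
    """Return (node_counts, node_colors, edges) after applying the omit threshold."""
    counts, colors, edges = Counter(), {}, []
    for fields in csv.reader(io.StringIO(csv_text)):
        if len(fields) != 3:
            continue
        src, evt, dst = fields
        for role, name in (("source", src), ("event", evt), ("target", dst)):
            counts[name] += 1
            colors.setdefault(name, color_for(role, fields))  # first role seen decides the color
        edges.append((src, evt))
        edges.append((evt, dst))
    keep = {n for n, c in counts.items() if c > omit}
    edges = sorted({e for e in edges if e[0] in keep and e[1] in keep})
    return {n: counts[n] for n in keep}, {n: colors[n] for n in keep}, edges


def to_dot(csv_text, omit=0, show_counts=False):
    """Render the graph as Graphviz DOT; show_counts mirrors AfterGlow's -d switch."""
    counts, colors, edges = build_graph(csv_text, omit)
    lines = ["digraph events {", "  node [style=filled];"]
    for name in sorted(counts):
        label = f"{name}\\n({counts[name]})" if show_counts else name
        lines.append(f'  "{name}" [label="{label}", fillcolor="{colors[name]}"];')
    for a, b in edges:
        lines.append(f'  "{a}" -> "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe into: neato -Tgif -o output.gif
    print(to_dot(FIREWALL_CSV, omit=1, show_counts=True))
```

With `omit=1` the three one-off external targets of rule block-out-r12 disappear and the graph collapses to the question slide 23 asks: which internal machine keeps tripping an outbound block, and which external source keeps hitting an inbound one.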
  • 41. THANKS!
    raffy@cryptojail.net