Visual Security Event Analysis - DefCon 13 - 2005

More on security visualization: http://secviz.org

In the network security world, event graphs are evolving into a useful data analysis tool, providing a powerful alternative to reading raw log data. By visually outlining relationships among security events, analysts are given a tool to intuitively draw conclusions about the current state of their network and to respond quickly to emerging issues.

I will be showing a myriad of graphs generated with data from various sources, such as Web servers, firewalls, network-based intrusion detection systems, mail servers, and operating system logs. Each of the graphs will be used to show a certain property of the dataset analyzed. They will show anomalous behavior, misconfigurations and simply help document activities in a network.

As part of this talk, I will release a tool that can be used to experiment with generating event graphs. A quick tutorial will show how easy it is to generate graphs from security data of your own environment.

Video at: http://www.youtube.com/watch?v=5GK8mYumn6Q

  1. Visual Security Event Analysis
     DefCon 13 Las Vegas
     Raffael Marty, GCIA, CISSP
     Senior Security Engineer @ ArcSight
     July 29, 2005
  2. Raffael Marty
     ► Enterprise Security Management (ESM) specialist
     ► OVAL Advisory Board (Open Vulnerability and Assessment Language)
     ► ArcSight Research & Development
     ► IBM Research
       • Thor - http://thor.cryptojail.net
       • Log analysis and event correlation research
       • Tivoli Risk Manager
     Raffael Marty, Defcon 2005 Las Vegas
  3. Table Of Contents
     ► Introduction
     ► Related Work
     ► Basics
     ► Situational Awareness
     ► Forensic and Historical Analysis
     ► AfterGlow
  4. Introduction
  5. Disclaimer
     IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
  6. Text or Visuals?
     ► What would you rather look at?
       Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
       Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
       Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
       Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
       Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
       Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
       Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
       Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:45:42 rmarty last message repeated 2 times
       Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
       Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
       Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
       Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
       Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
       Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
  7. Why Use Event Graphs?
     ► Visual representation of textual information (logs and events)
     ► Visual display of the most important properties
     ► Reduce analysis and response times
       • Quickly visualize thousands of events
       • A picture tells more than a thousand log lines
     ► Situational awareness
       • Visualize status of business posture
     ► Facilitate communication
       • Use graphs to communicate with other teams
       • Graphs are easier to understand than textual events
  8. When To Use Event Graphs
     ► Real-time monitoring
       • What is happening in a specific business area (e.g., compliance monitoring)
       • What is happening on a specific network
       • What are certain servers doing
       • Look at specific aspects of events
     ► Forensics and Investigations
       • Selecting an arbitrary set of events for investigation
       • Understanding the big picture
       • Analyzing relationships
  9. Related Work
 10. Related Work
     ► Classics
       • Girardin Luc, "A Visual Approach for Monitoring Logs", 12th USENIX System Administration Conference
       • Erbacher: "Intrusion and Misuse Detection in Large Scale Systems", IEEE Computer Graphics and Applications
       • Sheng Ma, et al., "EventMiner: An Integrated Mining Tool for Scalable Analysis of Event Data"
     ► Tools
       • Greg Conti, "Network Attack Visualization", Defcon 2004.
       • NVisionIP from SIFT (Security Incident Fusion Tools), http://www.ncassr.org/projects/sift/.
       • Stephen P. Berry, "The Shoki Packet Hustler", http://shoki.sourceforge.net.
 11. Basics
 12. How To Draw An Event Graph?
     Device -> Parser -> Normalization -> Event Analyzer / Visualizer
     Log File -> Event Graph
     (The slide shows the first lines of the syslog excerpt from slide 6 as the parser input.)
 13. Different Node Configurations
     Raw Event:
       [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
       [Classification: Decode of an RPC Query] [Priority: 2]
       06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
       UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
       Len: 120
     Different node configurations:
       • SIP -> Name -> DIP:    192.168.10.90 -> RPC portmap -> 192.168.10.255
       • SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
       • SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
       • Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255
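How the parser and normalization step of slides 12 and 13 can be carried out in code, as an added example written for this page (it is not AfterGlow's own code, which is Perl, and not part of the talk): it parses Snort full-format alert blocks, the slide 13 alert plus a second constructed one, into fields, and emits the three-column CSV for each of the four node configurations the slide lists, so the same events can be drawn from whichever angle the analysis question needs. Function names, the configuration keys and the second alert are this example's own choices.

```python
"""Added example: normalize Snort full-format alerts into AfterGlow-style
three-column CSV, one column triple per node configuration from slide 13."""
import csv
import io
import re

# Constructed sample: the alert from slide 13 plus a second, made-up alert.
SAMPLE_ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:2001:1] EXAMPLE web probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-15:57:01.000001 192.168.10.91:40000 -> 192.168.10.5:80
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
"""

# "[**] [gid:sid:rev] signature name [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<name>.+?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec SIP:SPort -> DIP:DPort"
ADDR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Node configurations listed on slide 13, keyed by a name of this example's choosing.
NODE_CONFIGS = {
    "sip-name-dip": ("sip", "name", "dip"),        # who triggers which signature against whom
    "sip-dip-dport": ("sip", "dip", "dport"),      # which services are being hit
    "sip-sport-dport": ("sip", "sport", "dport"),  # port usage per source
    "name-sip-dip": ("name", "sip", "dip"),        # signature-centric view
}


def parse_snort_alerts(text):
    """Return one dict per alert block (blocks are separated by blank lines)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                event["sid"], event["name"] = m.group("sid"), m.group("name")
                continue
            m = ADDR_RE.match(line)
            if m:
                event.update(m.groupdict())
                continue
            if line.startswith(("TCP ", "UDP ", "ICMP ")):
                event["proto"] = line.split()[0]
        # Only keep blocks where both the header and the address line were found.
        if all(k in event for k in ("name", "sip", "dip")):
            events.append(event)
    return events


def to_triples(events, config):
    """Project each event onto the three fields of the chosen node configuration."""
    fields = NODE_CONFIGS[config]
    return [tuple(e[f] for f in fields) for e in events]


def to_csv(events, config):
    """The comma-separated form AfterGlow reads (source,event,target per line)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(to_triples(events, config))
    return buf.getvalue()


if __name__ == "__main__":
    evs = parse_snort_alerts(SAMPLE_ALERTS)
    for cfg in NODE_CONFIGS:
        print(f"# {cfg}")
        print(to_csv(evs, cfg), end="")
```

Each configuration's output can be piped straight into the `afterglow.pl | neato` pipeline of slide 14; switching the configuration changes the picture without touching the parser.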
 14. AfterGlow – Peak Preview
     ► AfterGlow is not a SIM - there are no parsers (well, tcpdump and sendmail are there).
       Parser -(CSV File)-> AfterGlow -(Language File)-> Grapher -> Graph
     ► Demo of the tool for use at home and in the Jacuzzi.
       color.properties:
         color.source="red"
         color.event="green"
         color.target="blue"
       cat input.csv | ./afterglow.pl -c color.properties | neato -Tgif -o output.gif
       Thanks to Christian @ ArcSight!
 15. Situational Awareness
 16. Real-time Monitoring With A Dashboard
 17. Forensic and Historical Analysis
 18. A 3D Example
     ► An LGL example:
 19. Monitoring Web Servers
     assetCategory(DestIP) = WebServer
 20. Network Scan
 21. Suspicious Activity?
 22. Port Scan
     ► Port scan or something else?
 23. Firewall Activity
     Graph: SIP -> Rule# -> DIP (External Machine / Internal Machine; Outgoing / Incoming)
     Next Steps:
       1. Visualize "FW Blocks" of outgoing traffic -> Why do internal machines trigger blocks?
       2. Visualize "FW Blocks" of incoming traffic -> Who and what tries to enter my network?
       3. Visualize "FW Passes" of outgoing traffic -> What is leaving the network?
 24. Firewall Rule-set Analysis
     (Graph legend: pass / block)
 25. Load Balancer
 26. Worms
 27. DefCon 2004 Capture The Flag
     Graph: SIP -> DIP -> DPort, split into DstPort < 1024 and DstPort > 1024
     Labels: Source Of Evil, Internal Target, Other Teams Target, Internal Source, Internet Target, Exposed Services, Our Servers
 28. DefCon 2004 Capture The Flag – TTL Games
     Graph: SIP -> DIP -> TTL
     Labels: Source Of Evil, Internal Target, Internal Source
 29. DefCon 2004 Capture The Flag – The Solution
     Graph: DPort -> Flags -> TTL
     Show Node Counts; Only show SYNs
 30. Email Cliques
     Graph: From -> To
     Labels: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
 31. Email Relays
     Graph: From -> To
     Grey out "my domain"; make emails to and from "my domain" invisible
     Labels: My Domain, From: Other Domain, To: My Domain, To: Other Domain
     Do you run an open relay?
 32. Email SPAM?
     Graph: To -> Size
     Size > 10.000, Omit threshold = 1
     Multiple recipients with same-size messages
 33. Email SPAM?
     Graph: From -> nrcpt
     nrcpt => 2, Omit threshold = 1
 34. BIG Emails
     Graph: From -> To -> Size
     Size > 100.000, Omit Threshold = 2
     Documents leaving the network?
 35. Email Server Problems?
     Graph: To -> Delay
     2:00 < Delay < 10:00 and Delay > 10:00
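Slides 32 to 35 each graph a different pair of mail-log fields after a selection filter. The following added example (written for this page, not from the talk and not AfterGlow's bundled sendmail parser) shows the work that has to happen before those graphs can be drawn: sendmail logs the from=/size=/nrcpts= record and each to=/delay= record as separate lines that share only the queue id, so they must be joined before the filters apply. The log lines are constructed; the slide's "Size > 10.000" is read as 10000 bytes and "nrcpt => 2" as nrcpt >= 2 (both assumptions of this example), and the delay thresholds 2:00 and 10:00 are compared in seconds.

```python
"""Added example: join sendmail from= and to= log lines on the queue id and apply
the filters of slides 32-35, producing the node columns each slide graphs."""
import re

# Constructed sendmail-style log lines (host, addresses, queue ids and sizes are made up).
SAMPLE_LOG = """\
Jun 17 10:00:01 mx sendmail[2001]: j5HH0001002001: from=<alice@mydomain.example>, size=12400, class=0, nrcpts=3, msgid=<1@mydomain.example>, proto=ESMTP, daemon=MTA, relay=ws1 [10.0.0.11]
Jun 17 10:00:02 mx sendmail[2002]: j5HH0001002001: to=<bob@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42400, relay=mx.other.example. [203.0.113.5], dsn=2.0.0, stat=Sent
Jun 17 10:00:02 mx sendmail[2002]: j5HH0001002001: to=<carol@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42400, relay=mx.other.example. [203.0.113.5], dsn=2.0.0, stat=Sent
Jun 17 10:00:03 mx sendmail[2002]: j5HH0001002001: to=<dave@third.example>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=42400, relay=mx.third.example. [198.51.100.9], dsn=2.0.0, stat=Sent
Jun 17 10:05:00 mx sendmail[2010]: j5HH0002002010: from=<eve@mydomain.example>, size=250000, class=0, nrcpts=1, msgid=<2@mydomain.example>, proto=ESMTP, daemon=MTA, relay=ws2 [10.0.0.12]
Jun 17 10:17:30 mx sendmail[2011]: j5HH0002002010: to=<partner@other.example>, delay=00:12:30, xdelay=00:00:03, mailer=esmtp, pri=280000, relay=mx.other.example. [203.0.113.5], dsn=2.0.0, stat=Sent
Jun 17 10:06:00 mx sendmail[2020]: j5HH0003002020: from=<news@other.example>, size=9000, class=0, nrcpts=1, msgid=<3@other.example>, proto=ESMTP, daemon=MTA, relay=mx.other.example. [203.0.113.5]
Jun 17 10:09:30 mx sendmail[2021]: j5HH0003002020: to=<frank@mydomain.example>, delay=00:03:30, xdelay=00:00:01, mailer=local, pri=39000, dsn=2.0.0, stat=Sent
"""

# "sendmail[pid]: queue-id: key=value, key=value, ..."; the join key is the queue id,
# not the pid, because the delivery is logged by a different process than the receipt.
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kv>.*)$")


def parse_kv(text):
    """'from=<a@b>, size=12, nrcpts=3' -> {'from': 'a@b', 'size': '12', 'nrcpts': '3'}"""
    out = {}
    for part in text.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value.strip("<>")
    return out


def hms_to_seconds(delay):
    """sendmail delays look like HH:MM:SS, or D+HH:MM:SS once they exceed a day."""
    days = 0
    if "+" in delay:
        d, delay = delay.split("+", 1)
        days = int(d)
    h, m, s = (int(x) for x in delay.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s


def correlate(log_text):
    """One record per recipient: from, to, size, nrcpt, delay (seconds).
    Assumes the from= line precedes its to= lines, which is the order sendmail logs them."""
    envelopes, records = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, kv = m.group("qid"), parse_kv(m.group("kv"))
        if "from" in kv:
            envelopes[qid] = {"from": kv["from"], "size": int(kv["size"]), "nrcpt": int(kv["nrcpts"])}
        elif "to" in kv and qid in envelopes:
            records.append({**envelopes[qid], "to": kv["to"], "delay": hms_to_seconds(kv["delay"])})
    return records


# Each filter returns the node columns of the corresponding slide's graph.
def spam_by_size(records, min_size=10000):
    """Slide 32: To -> Size for messages with Size > 10.000 (read as 10000 bytes)."""
    return [(r["to"], r["size"]) for r in records if r["size"] > min_size]


def spam_by_recipients(records, min_nrcpt=2):
    """Slide 33: From -> nrcpt for senders whose messages carry nrcpt >= 2."""
    return sorted({(r["from"], r["nrcpt"]) for r in records if r["nrcpt"] >= min_nrcpt})


def big_emails(records, min_size=100000):
    """Slide 34: From -> To -> Size for Size > 100.000 (documents leaving the network?)."""
    return [(r["from"], r["to"], r["size"]) for r in records if r["size"] > min_size]


def slow_deliveries(records, low=120, high=600):
    """Slide 35: To -> Delay, split into 2:00 < Delay < 10:00 and Delay > 10:00."""
    window = [(r["to"], r["delay"]) for r in records if low < r["delay"] < high]
    over = [(r["to"], r["delay"]) for r in records if r["delay"] > high]
    return window, over


def to_csv(rows):
    """AfterGlow input: one comma-separated line per graph path."""
    return "\n".join(",".join(str(v) for v in row) for row in rows)


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    print(to_csv(big_emails(recs)))
```

The filters are deliberately kept outside the graph step: the same joined records feed all four slides, and the omit threshold is then applied by the grapher on whatever subset survives.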
 36. AfterGlow
     afterglow.sourceforge.net
 37. AfterGlow
     ► http://afterglow.sourceforge.net
     ► Supported graphing tools:
       • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/
       • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/
 38. AfterGlow – Command Line Parameters
     ● Some command line parameters:
       -h            : help
       -t            : two node mode
       -d            : print count on nodes
       -e            : edge length
       -n            : no node labels
       -o threshold  : omit threshold (fan-out for nodes to be displayed)
       -c configfile : color configuration file
 39. AfterGlow – color.properties
     color.[source|event|target|edge]=<perl expression returning a color name>
     ● Array @fields contains the input line, split into tokens:
       color.event="red" if ($fields[1] =~ /^192\..*/);
     ● Special color "invisible":
       color.target="invisible" if ($fields[0] eq "IIS Action");
     ● Edge color:
       color.edge="blue"
 40. AfterGlow – color.properties - Example
     color.source="olivedrab" if ($fields[0]=~/191.141.69.4/);
     color.source="olivedrab" if ($fields[0]=~/211.254.110./);
     color.source="orangered1"
     color.event="slateblue4"
     color.target="olivedrab" if ($fields[2]=~/191.141.69.4/);
     color.target="olivedrab" if ($fields[2]=~/211.254.110./);
     color.target="orangered1"
     color.edge="firebrick" if (($fields[0]=~/191.141.69.4/) or ($fields[2]=~/191.141.69.4/));
     color.edge="cyan4"
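To make the -t, -d and -o options of slide 38 and the rule ordering of slides 39 and 40 concrete, here is an added example written for this page in Python (it is not AfterGlow's own Perl code and not part of the talk) that turns the three-column CSV into Graphviz DOT, which can be piped into neato exactly as on slide 14. The color rules restate slide 40 as Python predicates over the split line, tried top-down with the first match winning, which is the reading under which the slide's unconditional lines act as fallbacks. The omit threshold follows the slide's one-line description (fan-out of the node an edge starts from); its precise semantics here are this example's assumption, as is the constructed input CSV.

```python
"""Added example: a minimal CSV -> Graphviz DOT step in the spirit of afterglow.pl,
with two-node mode (-t), node counts (-d) and an omit threshold (-o)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed input in AfterGlow's three-column form: source,event,target
SAMPLE_CSV = """\
191.141.69.4,RPC portmap,211.254.110.7
191.141.69.4,RPC portmap,211.254.110.8
191.141.69.4,web probe,10.0.0.5
10.0.0.9,web probe,10.0.0.5
10.0.0.9,web probe,10.0.0.6
"""

# Slide 40's color.properties restated as (predicate over the split line, color) pairs.
# Rules are tried top-down and the first match wins, so the unconditional entry at the
# end of each list is the fallback, just like the unconditional lines on the slide.
COLOR_RULES = {
    "source": [
        (lambda f: f[0].startswith("191.141.69.4"), "olivedrab"),
        (lambda f: f[0].startswith("211.254.110."), "olivedrab"),
        (lambda f: True, "orangered1"),
    ],
    "event": [(lambda f: True, "slateblue4")],
    "target": [
        (lambda f: f[2].startswith("191.141.69.4"), "olivedrab"),
        (lambda f: f[2].startswith("211.254.110."), "olivedrab"),
        (lambda f: True, "orangered1"),
    ],
    "edge": [
        (lambda f: "191.141.69.4" in (f[0], f[2]), "firebrick"),
        (lambda f: True, "cyan4"),
    ],
}


def pick_color(role, fields):
    """Color of the first matching rule for this node role ("source"/"event"/"target") or "edge"."""
    for predicate, color in COLOR_RULES[role]:
        if predicate(fields):
            return color
    return "black"


def build_graph(csv_text, two_node=False, omit_threshold=0):
    """Return (nodes, edges): nodes maps name -> {role, color, count}; edges are (src, dst, color).
    Assumed -o semantics: an edge is kept only if its source node's fan-out (number of distinct
    successors) reaches the threshold; nodes left without any edge are not displayed."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    role_of = {}          # first role/color seen for a node name wins
    counts = Counter()    # number of input lines mentioning the node (-d)
    raw_edges = []
    for f in rows:
        if two_node:      # -t: source -> target, the event column is dropped
            path, roles = (f[0], f[2]), ("source", "target")
        else:
            path, roles = (f[0], f[1], f[2]), ("source", "event", "target")
        for name, role in zip(path, roles):
            role_of.setdefault(name, (role, pick_color(role, f)))
            counts[name] += 1
        for a, b in zip(path, path[1:]):
            raw_edges.append((a, b, pick_color("edge", f)))
    fanout = defaultdict(set)
    for a, b, _ in raw_edges:
        fanout[a].add(b)
    kept = {}             # (src, dst) -> color; duplicate edges collapse, first color wins
    for a, b, color in raw_edges:
        if len(fanout[a]) >= omit_threshold:
            kept.setdefault((a, b), color)
    edges = [(a, b, c) for (a, b), c in kept.items()]
    shown = {n for a, b, _ in edges for n in (a, b)}
    nodes = {n: {"role": role_of[n][0], "color": role_of[n][1], "count": counts[n]} for n in shown}
    return nodes, edges


def to_dot(nodes, edges, show_counts=False):
    """Render as DOT; pipe the output into neato or dot as on slide 14."""
    lines = ["digraph events {", "  node [style=filled];"]
    for name, info in sorted(nodes.items()):
        label = f"{name}\\n({info['count']})" if show_counts else name
        color = info["color"]
        lines.append(f'  "{name}" [label="{label}", fillcolor="{color}"];')
    for a, b, color in edges:
        lines.append(f'  "{a}" -> "{b}" [color="{color}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Roughly: cat input.csv | ./afterglow.pl -d -o 2 -c color.properties | neato -Tgif -o output.gif
    print(to_dot(*build_graph(SAMPLE_CSV, omit_threshold=2), show_counts=True))
```

With the threshold at 2, the single-edge source 10.0.0.9 drops out while 191.141.69.4, which fans out to two event nodes, stays, which is the effect the email slides rely on to suppress one-off senders and recipients.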
 41. THANKS!
     raffy@cryptojail.net