Event Graphs - EUSecWest 2006

Event Graph visualization presentation from EUSec West 2006

  • This graph utilizes a filter that only passes events targeting Web servers (the green nodes). It is configured to show what events (red nodes) target Web servers (green nodes) on what destination port (white nodes). You can see that there is one event that deserves some attention (the “Attack From Suspicious Source”). To assess what happened, it is probably necessary to drill-down into a channel for further investigation. Furthermore it can be seen that only well-known Web destination ports (80, 443) are being accessed on the Web servers, indicating probably benign traffic!
  • Focus on the little circles (especially on the bottom of the graph). These circles indicate sources (red nodes) that are connecting to many machines (green nodes) on the same port (white node). The zoom on the right side shows that there is one machine (the left red node) which connects to about a dozen machines on the same port. Depending on the source machine, this is normal or possibly anomalous behavior! Certainly worth investigating. For graphs like this it might make sense to apply a filter which prevents servers (especially Windows Domain Controllers) from being drawn. Those usually show very different behavior than all the other machines.
  • The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
  • This is an example of a graph that is useful in analyzing firewall rule-sets.
  • This shows a somewhat unconventional graph which greatly helps to analyze the firewall rule-set. On the left we see all the rules (red nodes) which passed traffic as opposed to the right side, which shows blocked traffic. Along with the rule-set the destination port of the traffic blocked by this rule-set is displayed. This helps debug the rule-set to see why a certain port was passed or blocked. In this graph it can be seen that there is one rule on the right side (in the middle of the green cluster), which seems to be responsible for most of the blocked packets.
  • Visualizing tcpdump logs can be very eye-opening. In this case I imported a tcpdump log which shows traffic going to three Web servers (white nodes). I was interested in where the traffic comes from (red nodes). There were too many source addresses to be visualized and therefore some aggregation had to be done. In this case I decided to have a look at the region where the events are coming from (again, the red nodes). Green nodes show through which access router the packets entered the network to get to the Web servers. It turned out that the Web servers are located behind a load balancer, indicated by the two distinct entry points for the traffic (two green nodes). How is it possible to determine the entry point? Tcpdump logs the source MAC address of incoming traffic, which reflects the router/machine passing the traffic into the internal network. This is why I used the sourceMac address as event nodes. The graph nicely shows that traffic from certain regions entered the network through either of the load balancers (all the red nodes in the middle of the graph). Other regions of the world entered only through one of the balancers. It would be interesting to plot this data onto a world map to see whether it is true that certain regions of the world always enter through the same entry point (i.e., the load balancers are set up to do regional balancing).
  • Fans like the one shown in this graph are very prominent for worm behavior. It has to be investigated whether this is indeed a worm spreading on the network or some other behavior generated this kind of graph.
  • In this graph we are looking at a zoom of the graph from the previous slide again. Because we chose to show the destination ports only once in the graph (configure the graph to show nodes “once per distinct source node”), we can quickly identify all the machines that are using a specific service on the network (red nodes connecting to the same white node) and also what machines are offering those services (green nodes connecting to the white nodes). Filter out all the services (i.e., ports) that you know are running on your network and you will be able to spot servers that you did not know of and should not exist on the network!

    1. A Visual Approach to Security Event Management
        EuSecWest '06, London
        Raffael Marty, GCIA, CISSP
        Senior Security Engineer @ ArcSight
        February 21st, 2006
        Raffael Marty EuSecWest 2006 London 1
    2. Raffael Marty, GCIA, CISSP
        • Enterprise Security Management (ESM) specialist
        • Strategic Application Solutions @ ArcSight, Inc.
        • Intrusion Detection Research @ IBM Research
        • See http://thor.cryptojail.net
        • IT Security Consultant @ PriceWaterhouse Coopers
        • Open Vulnerability and Assessment Language (OVAL) board member
        • Passion for Visual Security Event Analysis
    3. Table Of Contents
        ► Introduction
        ► Basics
        ► Examples of Graphs you can draw with AfterGlow
        ► AfterGlow
          1.x – Event Graphs
          2.0 – TreeMaps
          Future – All in One!
    4. Introduction
    5. Disclaimer
        IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance to well-known addresses or host names is purely coincidental.
    6. Text or Visuals?
        ► What would you rather look at?
        Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
        Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
        Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
        Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
        Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
        Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
        Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
        Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
        Jun 17 09:45:42 rmarty last message repeated 2 times
        Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
        Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
        Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
        Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
        Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
        Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
        Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
        Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
        Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
        Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
        Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
        Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
        Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
        Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
        Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
        Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
        Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
        Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
        Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
        Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
        Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
        Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
        Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
        Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
    7. A Picture is Worth a Thousand Log Entries
        Detect the Expected & Discover the Unexpected
        Reduce Analysis and Response Times
        Make Better Decisions
    8. Three Aspects of Visual Security Event Analysis
        ► Situational Awareness
          • What is happening in a specific business area (e.g., compliance monitoring)
          • What is happening on a specific network
          • What are certain servers doing
        ► Real-Time Monitoring and Incident Response
          • Capture important activities and take action
          • Event Workflow
          • Collaboration
        ► Forensic and Historic Investigation
          • Selecting an arbitrary set of events for investigation
          • Understanding the big picture
          • Analyzing relationships - Exploration
          • Reporting
    9. Basics
    10. How To Generate A Graph?
        Device -> Log File -> Parser -> ... | Normalization | ... -> Event Visualizer -> Visual
        (the figure shows the syslog excerpt from slide 6 as the log file)
    11. Visual Types I
        ► Will focus on visuals that AfterGlow supports:
          Event Graphs (Link Graphs) – AfterGlow 1.x - Perl
          TreeMaps – AfterGlow 2.0 - JAVA
    12. Visual Types II
        Event Graphs (Link Graphs): ► Node Configuration ► Node Coloring ► Edge Coloring
        TreeMaps: ► Hierarchy ► “Box” Coloring ► “Box” Size
        (figure labels: SIP, Name, DIP for the link graph; Block, Pass, TCP, UDP for the treemap)
    13. Link Graph Configurations
        Raw Event:
        [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
        [Classification: Decode of an RPC Query] [Priority: 2]
        06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
        UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120
        Different node configurations:
        SIP -> Name -> DIP:    192.168.10.90 -> RPC portmap -> 192.168.10.255
        SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
        SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
        Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255
    14. TreeMap Configurations
        Raw Event: the same Snort alert as on slide 13
        Different configurations (hierarchy labels from the figure): SIP; SIP Name DIP; DIP Dport; SIP Name Sport; SIP DIP (192.168.10.255 shown as the DIP box)
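The node configurations of slide 13 worked through in code, as an added example that is not AfterGlow's own parser: the slide's Snort alert is normalized into fields named after the slide (SIP, DIP, SPort, DPort, Name) and emitted as AfterGlow CSV for any two- or three-field configuration string, in the style of the "sip dip sport" argument that slide 50 passes to tcpdump2csv.pl.

```python
import re

# The raw event from the slide (Snort "full" alert, four physical lines).
RAW_EVENT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (%s):(\d+) -> (%s):(\d+)" % (IP, IP), re.M)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)", re.M)

def parse_snort_alert(text):
    """Normalize one alert into the fields the slide uses as node types
    (plus a few more); None when the alert header or flow line is missing."""
    h, f = HEADER_RE.search(text), FLOW_RE.search(text)
    if not (h and f):
        return None
    c, p = CLASS_RE.search(text), PROTO_RE.search(text)
    return {
        "sid": int(h.group(2)), "name": h.group(4).strip(),
        "class": c.group(1) if c else "", "priority": int(c.group(2)) if c else 0,
        "timestamp": f.group(1),
        "sip": f.group(2), "sport": int(f.group(3)),
        "dip": f.group(4), "dport": int(f.group(5)),
        "proto": p.group(1) if p else "", "ttl": int(p.group(2)) if p else 0,
    }

def to_csv_row(event, config):
    """One AfterGlow CSV line for a node configuration such as "sip name dip"
    (two fields for -t two-node mode, three for the default three-node graph)."""
    cols = config.lower().split()
    if len(cols) not in (2, 3):
        raise ValueError("node configuration needs 2 or 3 fields: %r" % config)
    out = []
    for col in cols:
        if col not in event:
            raise KeyError("unknown field %r, known: %s" % (col, " ".join(sorted(event))))
        value = str(event[col])
        # quote a field that would otherwise break the comma-separated line
        out.append('"%s"' % value.replace('"', '""') if "," in value or '"' in value else value)
    return ",".join(out)

if __name__ == "__main__":
    ev = parse_snort_alert(RAW_EVENT)
    for cfg in ("sip name dip", "sip dip dport", "sip sport dport", "name sip dip"):
        print("%-15s -> %s" % (cfg, to_csv_row(ev, cfg)))
```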
    15. Graph Use Cases – Things You Can Do With AfterGlow
    16. Situational Awareness Dashboard
    17. Vulnerability Awareness I
        (figure labels: One Machine, A Vulnerability)
        Node configuration: DIP Vuln Score
    18. Vulnerability Awareness II
        Node configuration: DIP Score Vuln
    19. AfterGlow - LGL
    20. Monitoring Web Servers – Traffic to Web Servers
    21. Suspicious Activity?
    22. Network Scan
    23. Port Scan
        ► Port scan or something else?
    24. PortScan
        Node configuration: SIP DIP DPort
    25. Firewall Activity
        (figure labels: External Machine, Internal Machine, Rule#, Outgoing, Incoming)
        Next Steps:
        1. Visualize “FW Blocks” of outgoing traffic -> Why do internal machines trigger blocks?
        2. Visualize “FW Blocks” of incoming traffic -> Who and what tries to enter my network?
        3. Visualize “FW Passes” of outgoing traffic -> What is leaving the network?
        Node configuration: SIP Rule# DIP
    26. Firewall Rule-set Analysis (pass / block)
    27. Load Balancer
    28. Worms
    29. DefCon 2004 Capture The Flag
        (figure labels: DstPort < 1024, DstPort > 1024, Source Of Evil, Internal Target, Other Teams Target, Internal Source, Internet Target, Exposed Services, Our Servers)
        Node configuration: SIP DIP DPort
    30. DefCon 2004 Capture The Flag – TTL Games
        (figure labels: TTL, Source Of Evil, Internal Target, Internal Source, Offender TTL, Our Servers)
        Node configuration: SIP DIP TTL
    31. DefCon 2004 Capture The Flag – More TTL
        Node configuration: DPort Flags TTL (Show Node Counts)
    32. Telecom Malicious Code Propagation
        Node configuration: From Content To (Phone# Type|Size Phone#)
    33. Email Cliques
        (legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain)
        Node configuration: From To
    34. Email Relays
        Make emails to and from “my domain” invisible; grey out “my domain”
        (legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain)
        Do you run an open relay?
        Node configuration: From To
    35. Email SPAM?
        Size > 10.000, Omit threshold = 1
        Node configuration: To Size
        Multiple recipients with same-size messages
    36. Email SPAM?
        nrcpt >= 2, Omit threshold = 1
        Node configuration: From nrcpt
    37. BIG Emails
        Size > 100.000, Omit Threshold = 2
        Documents leaving the network?
        Node configuration: From To Size
    38. Email Server Problems?
        2:00 < Delay < 10:00; Delay > 10:00
        Node configuration: To Delay
    39. AfterGlow – afterglow.sourceforge.net
    40. AfterGlow
        ► http://afterglow.sourceforge.net
        ► Two Versions:
          • AfterGlow 1.x – Perl for Event Graphs
          • AfterGlow 2.0 – Java for TreeMaps
    41. AfterGlow 1.x - Perl
        Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher -> Graph
        ► Supported graphing tools:
          • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/
          • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/
    42. AfterGlow 1.x – Command Line Parameters
        ● Some command line arguments:
          -h : help
          -t : two node mode
          -d : print count on nodes
          -e : edge length
          -n : no node labels
          -o threshold : omit threshold (fan-out for nodes to be displayed)
          -c configfile : color configuration file
    43. AfterGlow 1.x – color.properties
        color.[source|event|target|edge]=<perl expression returning a color name>
        ● Array @fields contains the input line, split into tokens:
          color.event="red" if ($fields[1] =~ /^192..*/)
        ● Special color "invisible":
          color.target="invisible" if ($fields[0] eq "IIS Action")
        ● Edge color:
          color.edge="blue"
    44. AfterGlow 1.x – color.properties - Example
        color.source="olivedrab" if ($fields[0]=~/191.141.69.4/);
        color.source="olivedrab" if ($fields[0]=~/211.254.110./);
        color.source="orangered1"
        color.event="slateblue4"
        color.target="olivedrab" if ($fields[2]=~/191.141.69.4/);
        color.target="olivedrab" if ($fields[2]=~/211.254.110./);
        color.target="orangered1"
        color.edge="firebrick" if (($fields[0]=~/191.141.69.4/) or ($fields[2]=~/191.141.69.4/))
        color.edge="cyan4"
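The three-node graph the slides build, with first-match color rules in the spirit of color.properties (Python lambdas here instead of Perl expressions) and a fan-out threshold in the spirit of the -o option of slide 42, as an added example that is not AfterGlow's code. It also implements the "show the event node once per distinct source node" option from the speaker notes, which is what isolates the one-source-many-hosts-same-port fans the notes flag for worm-like behaviour. The rows are constructed sample data in the sip,dport,dip configuration, and which node kinds the threshold applies to is an explicit parameter, a simplification of AfterGlow's own option.

```python
import csv
from collections import defaultdict
from io import StringIO
# Constructed sample rows in the sip,dport,dip node configuration (not real traffic).
SAMPLE_CSV = """\
10.1.1.5,445,10.1.2.10
10.1.1.5,445,10.1.2.11
10.1.1.5,445,10.1.2.12
10.1.1.5,445,10.1.2.13
10.1.1.20,80,192.168.1.10
10.1.1.21,443,192.168.1.10
10.1.1.22,22,192.168.1.50
"""

# Ordered (predicate over the split line, color) rules, unconditional default last:
# the slide's color.properties idea with Python lambdas instead of Perl expressions.
COLOR_RULES = {
    "source": [(lambda f: f[1] not in ("80", "443"), "firebrick"), (lambda f: True, "orangered1")],
    "event": [(lambda f: True, "white")],
    "target": [(lambda f: f[2].startswith("192.168.1."), "olivedrab"), (lambda f: True, "lightblue")],
}

def pick_color(kind, fields):
    """First matching rule wins, as in color.properties."""
    return next(color for pred, color in COLOR_RULES[kind] if pred(fields))

def build_graph(text, event_once_per_source=False):
    """Nodes: (kind, key) -> (label, color); edges: {(tail, head)}. With
    event_once_per_source the event key includes the source, so a port reached
    from several sources is drawn once per source (speaker notes)."""
    nodes, edges = {}, set()
    for s, e, t in (r for r in csv.reader(StringIO(text)) if len(r) == 3):
        sid, tid = ("source", s), ("target", t)
        eid = ("event", "%s@%s" % (e, s) if event_once_per_source else e)
        nodes[sid] = (s, pick_color("source", (s, e, t)))
        nodes[eid] = (e, pick_color("event", (s, e, t)))
        nodes[tid] = (t, pick_color("target", (s, e, t)))
        edges.update([(sid, eid), (eid, tid)])
    return nodes, edges

def fan_out(edges):
    """Distinct outgoing edges per node id; a fan is a node with a large value."""
    fo = defaultdict(int)
    for tail, _ in edges:
        fo[tail] += 1
    return fo

def omit(nodes, edges, threshold, kinds=("source", "event")):
    """Fan-out threshold in the spirit of the slide's -o option: drop nodes of
    the given kinds whose fan-out is below threshold and every edge touching them."""
    fo = fan_out(edges)
    dropped = {n for n in nodes if n[0] in kinds and fo[n] < threshold}
    kept = {(a, b) for a, b in edges if a not in dropped and b not in dropped}
    return {n: nodes[n] for edge in kept for n in edge}, kept

def to_dot(nodes, edges):
    """GraphViz DOT, the graph language AfterGlow hands to dot or neato."""
    out = ["digraph afterglow {", "  node [style=filled];"]
    for nid in sorted(nodes):
        out.append('  "%s:%s" [label="%s", fillcolor=%s];' % (nid + nodes[nid]))
    out.extend('  "%s:%s" -> "%s:%s";' % (a + b) for a, b in sorted(edges))
    return "\n".join(out + ["}"])

if __name__ == "__main__":                    # isolates the 445 fan
    print(to_dot(*omit(*build_graph(SAMPLE_CSV, True), 2, kinds=("event",))))
```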
    45. AfterGlow 2.0 - Java
        Parser -> CSV File -> AfterGlow - Java
        ► Command line arguments:
          -h : help
          -c file : property file
          -f file : data file
    46. AfterGlow 2.0 - Example
        ► Data (sample.csv):
          Target System Type,SIP,DIP,User,Outcome
          Development,192.168.10.1,10.10.2.1,ram,failure
          VPN,192.168.10.1,10.10.2.1,ram,success
          Financial System,192.168.20.1,10.0.3.1,drob,success
          VPN,192.168.10.1,10.10.2.1,ram,success
          VPN,192.168.10.1,10.10.2.1,jmoe,failure
          Financial System,192.168.10.1,10.10.2.1,jmoe,success
          Financial System,192.168.10.1,10.10.2.1,jmoe,failure
        ► Properties File (afterglow.properties):
          ## AfterGlow -- JAVA 2.0
          ## Properties File
          ## File to load
          file.name=/home/ram/afterglow/data/sample.csv
          ## Column Types (default is STRING), start with 0!
          ## Valid values:
          ## STRING
          ## INTEGER
          ## CATEGORICAL
          column.type.count=4
          column.type[0].column=0
          column.type[0].type=INTEGER
          column.type[1].column=1
          column.type[1].type=CATEGORICAL
          column.type[2].column=2
          column.type[2].type=CATEGORICAL
          column.type[3].column=3
          column.type[3].type=CATEGORICAL
          ## Size Column (default is 0)
          size.column=0
          ## Color Column (default is 0)
          color.column=2
        ► Launch:
          ./afterglow-java.sh -c afterglow.properties
    47. AfterGlow 2.0 – Java - Output
    48. AfterGlow 2.0 – Java - Interaction
        ► Left-click: • Zoom in
        ► Right-click: • Zoom all the way out
        ► Middle-click: • Change Coloring to current depth (Hack: Use SHIFT for leafs)
    49. AfterGlow 3.0 – The Future
        ► Generating LinkGraphs with the Java version
        ► Adding more output formats
        ► Saving output as image file
        ► Animation
    50. AfterGlow – Parsers
        ► tcpdump2csv.pl
          • Takes care of swapping response sources and targets
          tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
        ► sendmail_parser.pl
          • Reassembles email conversations:
          Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
          Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
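The conversation reassembly sendmail_parser.pl performs, written out as an added example (not the project's script): the from= record and each to= record sharing a sendmail queue id are joined into one row per recipient, and the deck's filters from slides 35 to 38 (Size > N, nrcpt >= N, Delay > N) are applied before the rows are emitted as AfterGlow CSV. The first two log lines are the slide's own; the remaining lines are constructed in the same format.

```python
import re
from collections import defaultdict

# The first two lines are the slide's; the rest are constructed in the same
# format to add a three-recipient message, one delivery of which was deferred.
SAMPLE_LOG = """\
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 rmarty sendmail[17101]: j6P4528A017101: from=<promo@example.net>, size=12480, class=0, nrcpts=3,
Jul 24 21:05:03 rmarty sendmail[17102]: j6P4528A017101: to=<alice@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=132480, dsn=2.0.0, stat=Sent
Jul 24 21:05:03 rmarty sendmail[17102]: j6P4528A017101: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=132480, dsn=2.0.0, stat=Sent
Jul 24 21:17:40 rmarty sendmail[17102]: j6P4528A017101: to=<carol@example.org>, delay=00:12:38, xdelay=00:00:20, mailer=esmtp, pri=222480, dsn=4.0.0, stat=Deferred: Connection timed out
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sendmail\[(\d+)\]: (\w+): (.*)$")
KV_RE = re.compile(r"(\w+)=([^,]+)")          # key=value pairs of one record
DELAY_RE = re.compile(r"^(?:(\d+)\+)?(\d+):(\d+):(\d+)$")   # [days+]hh:mm:ss

def strip_brackets(addr):
    return addr.strip().strip("<>")

def delay_seconds(text):
    m = DELAY_RE.match(text.strip())
    if not m:
        return 0
    days, h, mi, s = (int(x or 0) for x in m.groups())
    return days * 86400 + h * 3600 + mi * 60 + s

def reassemble(log_text):
    """Join the from= record and every to= record that share a queue id into
    one row per recipient, which is what sendmail_parser.pl does."""
    envelopes = defaultdict(lambda: {"from": "", "size": 0, "nrcpts": 0, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                 # not a sendmail record
        qid, kv = m.group(4), dict(KV_RE.findall(m.group(5)))
        env = envelopes[qid]
        if "from" in kv:
            env.update({"from": strip_brackets(kv["from"]), "size": int(kv.get("size", 0)),
                        "nrcpts": int(kv.get("nrcpts", 0))})
        elif "to" in kv:
            env["rcpts"].append((strip_brackets(kv["to"]),
                                 delay_seconds(kv.get("delay", "")), kv.get("stat", "")))
    return [{"qid": qid, "from": env["from"], "to": to, "size": env["size"],
             "nrcpts": env["nrcpts"], "delay": delay, "stat": stat}
            for qid, env in envelopes.items() for to, delay, stat in env["rcpts"]]

def select(rows, min_size=0, min_nrcpts=0, min_delay=0):
    """The deck's filters: Size > N bytes, nrcpt >= N, Delay > N seconds."""
    return [r for r in rows if r["size"] > min_size and r["nrcpts"] >= min_nrcpts
            and r["delay"] > min_delay]

def to_csv(rows, fields):
    """AfterGlow CSV for a node configuration such as ("to", "size")."""
    return "\n".join(",".join(str(r[f]) for f in fields) for r in rows)

if __name__ == "__main__":
    rows = reassemble(SAMPLE_LOG)
    print(to_csv(select(rows, min_size=10000), ("to", "size")))   # slide 35
    print(to_csv(select(rows, min_delay=600), ("to", "delay")))   # slide 38
```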
    51. Summary
        Detect the expected & discover the unexpected
        Reduce analysis and response times
        Make better decisions
    52. THANKS! raffy@arcsight.com
