SlideShare a Scribd company logo
1 of 36
Download to read offline
Insider Threat Visualization



Raffael Marty, GCIA, CISSP
Chief Security Strategist @ Splunk>

Hack In The Box - September 07 - Malaysia
Who Am I?
 Chief Security Strategist and Product Manager @ Splunk>
 Manager Solutions @ ArcSight, Inc.
 Intrusion Detection Research @ IBM Research
    http://thor.cryptojail.net
 IT Security Consultant @ PriceWaterhouse Coopers             Applied
                                                             Security
 Open Vulnerability and Assessment Language (OVAL) board   Visualization

 Common Event Expression (CEE) founding member                2008


 Passion for Visualization
    http://secviz.org
    http://afterglow.sourceforge.net


    2
Agenda
Convicted
                                      Goal:
Visualization
Log Data Processing
                            Insider Detection Using
 Data to Graph                    Visualization
 AfterGlow and Splunk
Insider Threat
Insider Detection Process
 Precursors
 Scoring
 Watch Lists



    3
It’s Not That Easy




   4
Convicted
In February of 2007 a fairly large information leak
case made the news. The scientist Gary Min faces up
to 10 years in prison for stealing 16,706 documents
and over 22,000 scientific abstracts from his
employer DuPont. The intellectual property he was
about to leak to a DuPont competitor, Victrex, was
assessed to be worth $400 million. There is no
evidence Gary actually turned the documents over to
Victrex.
   5
DuPont Case
How It Could Have Been Prevented



          What’s the answer?


   6
DuPont Case

         Log Collection!
DuPont Case
Simple Solution




   8
DuPont Case
More Generic Solution


       user




       server


   9
Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who is using AfterGlow?
• Have you heard of SecViz.org?
• What tools are you using for log
   analysis?



   10
Visualization

                  Answer questions you
                   didn’t even know of

                                ✓ Quickly understand thousands of data entries
        Increase Efficiency     ✓ Facilitate communication
                                ✓ Increase response time through improved
                                  understanding




                Make Informed Decisions
   11
Insider Threat Visualization
• Huge amounts of data
   • More and other data sources than for the traditional security use-cases
   • Insiders often have legitimate access to machines and data. You need to log
       more than the exceptions
   • Insider crimes are often executed on the application layer. You need
       transaction data and chatty application logs
• The questions are not known in advance!
   • Visualization provokes questions and helps find answers
• Dynamic nature of fraud
   • Problem for static algorithms
   • Bandits quickly adapt to fixed threshold-based detection systems
   • Looking for any unusual patterns
      12
Visualizing Log Data

                                                                                              Parsing

Jun   17   09:42:30   rmarty   ifup: Determining IP information for eth0...
Jun   17   09:42:35   rmarty   ifup: failed; no link present. Check cable?
Jun   17   09:42:35   rmarty   network: Bringing up interface eth0: failed
Jun   17   09:42:38   rmarty   sendmail: sendmail shutdown succeeded
Jun   17   09:42:38   rmarty   sendmail: sm-client shutdown succeeded


                                                                                                                     Visual
Jun   17   09:42:39   rmarty   sendmail: sendmail startup succeeded
Jun   17   09:42:39   rmarty   sendmail: sm-client startup succeeded
Jun   17   09:43:39   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun   17   09:45:42   rmarty   last message repeated 2 times
Jun   17   09:45:47   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun   17   09:56:02   rmarty   vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun   17   09:56:03   rmarty   vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
NH




                                                                    ✓ Interpret Data
                                                                    ✓ Know Data Formats
                                                                    ✓ Re-use don’t re-invent
                                                                    ✓ Find parsers at: http://secviz.org/?q=node/8



                  13
Charts - Going Beyond Excel
• Multi-variate graphs                  10.0.0.1

                                                   10.12.0.2
 - Link Graphs
                          UDP    TCP



 - TreeMaps                      HTTP
                          DNS
                          UDP    TCP

 - Parallel Coordinates          SSH

                          SNMP   FTP




    14
Beyond The Boring Defaults For Link Graphs



                     10.0.0.1
               SIP              Name        DIP
                                       10.12.0.2




  15
Link Graph Shake Up
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]

[Classification: Decode of an RPC Query] [Priority: 2]

06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111

UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF

Len: 120

         SIP    Name      DIP               SIP       DIP       DPort



192.168.10.90 portmap 192.168.10.255    192.168.10.90 192.168.10.255    111

         SIP    SPort    DPort             Name       SIP        DIP


192.168.10.90    32859      111        RPC portmap 192.168.10.90 192.168.10.255

    16
TreeMaps ?
       UDP               TCP



                        HTTP
       DNS       What is this?
       UDP    All Network Traffic
                        TCP
                         SSH

       SNMP              FTP



  17
TreeMaps Explained                       Treemap2 (http://www.cs.umd.edu/hcil/treemap)



        20%                     80%
       UDP                       TCP



                               HTTP             Size: Count
       DNS
       UDP                      TCP            Color: Service
                                SSH

       SNMP                     FTP

        Configuration Hierarchy: Protocol -> Service
  18
What’s Splunk?
1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation          search           navigate       alert        report            share

3. Distributed / Federate Search
4. Interactive Alerting & Reporting IT Search Engine
                               The
5. Knowledge Capture & Sharing
                                                                       Router

                                                                       Firewall
                                         logs       configurations                   scripts & code    messages
                                                                       Switch

                                                                       Web Server

                                                                       App Server

                                     traps & alerts activity reports   Database       stack traces      metrics



     19
AfterGlow                                                                     http://afterglow.sourceforge.net

        Parser                   AfterGlow                                 Grapher
                                                    Graph
                   CSV File                      LanguageFile
                                             digraph structs {
                                               graph [label="AfterGlow 1.5.8", fontsize=8];
                                               node [shape=ellipse, style=filled,
                                                      fontsize=10, width=1, height=1,
             aaelenes,Printing Resume                 fixedsize=true];
             abbe,Information Encrytion        edge [len=1.6];
             aanna,Patent Access
             aatharuy,Ping                       "aaelenes" -> "Printing Resume" ;
                                                 "abbe" -> "Information Encryption" ;
                                                 "aanna" -> "Patent Access" ;
                                                 "aatharuv" -> "Ping" ;
                                             }




  20
Why AfterGlow?
                                          # Variable and Color

• Translates CSV into graph description
                                      variable=@violation=("Backdoor     Access", "HackerTool
                                          Download”);
                                          color.target="orange" if (grep(/$fields[1]/,@violation));
• Define node and edge attributes         color.target="palegreen"

 -   color                                # Node Size and Threshold

 -   size                                 maxnodesize=1;
                                          size.source=$fields[2]
 -   shape                                size=0.5
                                          sum.target=0;
• Filter and process data entries         threshold.source=14;


 -   threshold filter        Fan Out: 3   # Color and Cluster

                                          color.source="palegreen" if ($fields[0] =~ /^111/)
 -   fan-out filter                       color.source="red"
                                          color.target="palegreen"
 -   clustering                           cluster.source=regex_replace("(d+).d+")."/8"



        21
AfterGlow - Splunk

                            Demo
./splunk <command>
./splunk search “<search command>” -admin <user>:<pass>

./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth
admin:changeme | awk ‘{printf”%s,%sn”,$1,$2}’ | afterglow -t -b 2 |
neato -Tgif -o test.gif

   22
Insider Threat Definition
"Current or former employee or contractor who
 • intentionally exceeded or misused an authorized level of
    access to networks, systems or data in a manner that
 • targeted a specific individual or affected the security of
    the organization’s data, systems and/or daily business
    operations"
          [CERT: http://www.cert.org/insider_threat Definition of an Insider]
   23
Three Types of Insider Threats
                                               Information Theft is concerned
Fraud deals with the                             with stealing of confidential or
  misuse of access                               proprietary information. This
  privileges or the                              includes things like financial
  intentional excess of             Information statements, intellectual
  access levels to obtain
                            Fraud                property, design plans, source
                                        Leak
  property or services                           code, trade secrets, etc.
  unjustly through
  deception or trickery.
                               Sabotage
                                          Sabotage has to do with any kind of
                                           action to harm individuals,
                                           organizations, organizational data,
                                           systems, or business operations.

       24
Insider Threat Detection
• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem


• Use precursors to monitor and profile users
• Define an insider detection process to
   analyze precursor activity
   25
Insider Detection Process
                                • Accessing job Web sites
• Build List of Precursors        such as monster.com            1
• Assign Scores to Precursors   • Sales person accessing
                                  patent filings                 10
                                • Printing files with "resume"
                                  in the file name               5
                                • Sending emails to 50 or
                                  more recipients outside of
                                  the company
                                                                 3

   26
Insider Detection Process
                                  Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument:
• Build List of Precursors        CGXGetWindowDepth: Invalid window -1
                                  Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07)
                                  set hot key operating mode to all disabled
• Assign Scores to Precursors     Aug 31 15:58:06 [68] Hot key operating mode is now
                                  all disabled
• Apply Precursors to Log Files   Aug 27 10:21:39 ram com.apple.SecurityServer:
                                  authinternal failed to authenticate user
                                  raffaelmarty.
                                  Aug 27 10:21:39 ram com.apple.SecurityServer:
                                  Failed to authorize right system.login.tty by process /
                                  usr/bin/su
                                  do for authorization created by /usr/bin/sudo.
                                  Apr 04 19:45:29 rmarty Privoxy(b65ddba0)
                                  Request: www.google.com/search?q=password
                                  +cracker



   27
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List




   28
Insider Detection Process            Engineer


• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles

                                                Legal


   29
Insider Detection Process
              ?
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?

   30
Visualization for Insider Detection
• Visualization as a precursor
 -   analyze data access per user role
 -   find anomalies in financial transactions

• Documentation and communication of activity
• Tuning and analyzing process output
     -   groups of users with similar behavior
     -   groups of users with similar scores




           31
Process Improvements
• Bucketizing precursors:
 -   Minimal or no impact
 -   Potential setup for insider crime
 -   Malicious activity okay for some user roles
 -   Malicious activity should never happen
 -   Insider Act

• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of
  users
 -   Input from other departments (HR, etc.)
        32
Tiers of Insiders


   Nothing to        On a bad track of    Very likely         Malicious
 worry about just     going malicious    has malicious        Insiders
       yet                                 intentions



 0              20                       60              80           100




     33
The Insider? Finally?




   34
Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
 -   The free way to understanding your data

• Insider threat
• Insider detection process




        35
Thank You
      www.secviz.org
raffael.marty@splunk.com
        raffy.ch/blog

More Related Content

What's hot

Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle:  Security Analytics in ActionBurning Down the Haystack to Find the Needle:  Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Josh Sokol
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using Hadoop
DataWorks Summit
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
Spyglass Security
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 

What's hot (20)

RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
Burning Down the Haystack to Find the Needle:  Security Analytics in ActionBurning Down the Haystack to Find the Needle:  Security Analytics in Action
Burning Down the Haystack to Find the Needle: Security Analytics in Action
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOC
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using Hadoop
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 

Viewers also liked

Viewers also liked (6)

How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes
 
Forcepoint - Analýza chování uživatelů
Forcepoint - Analýza chování uživatelůForcepoint - Analýza chování uživatelů
Forcepoint - Analýza chování uživatelů
 
Backup DB to Cloud and Restore
Backup DB to Cloud and RestoreBackup DB to Cloud and Restore
Backup DB to Cloud and Restore
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3
 
5 Signs you have an Insider Threat
5 Signs you have an Insider Threat5 Signs you have an Insider Threat
5 Signs you have an Insider Threat
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 

Similar to Insider Threat Visualization - HackInTheBox 2007

Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
csching
 
Group Apres
Group ApresGroup Apres
Group Apres
ramya5a
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
ICT PRISTINE
 
Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)
Kensei Demura
 

Similar to Insider Threat Visualization - HackInTheBox 2007 (20)

Insider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala LumpurInsider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala Lumpur
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephony
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPF
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
Group Apres
Group ApresGroup Apres
Group Apres
 
C Cpres
C CpresC Cpres
C Cpres
 
C Cpres
C CpresC Cpres
C Cpres
 
C Cpres
C CpresC Cpres
C Cpres
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
 
Hacking Robotics(English Version)
Hacking Robotics(English Version)Hacking Robotics(English Version)
Hacking Robotics(English Version)
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
OpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosOpenStack and OpenFlow Demos
OpenStack and OpenFlow Demos
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDN
 
Prdc2012
Prdc2012Prdc2012
Prdc2012
 
Kentik Network@Scale (Dan Ellis)
Kentik Network@Scale (Dan Ellis)Kentik Network@Scale (Dan Ellis)
Kentik Network@Scale (Dan Ellis)
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 

More from Raffael Marty

Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
Raffael Marty
 

More from Raffael Marty (20)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
 

Recently uploaded

“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 

Insider Threat Visualization - HackInTheBox 2007

  • 1. Insider Threat Visualization Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> Hack In The Box - September 07 - Malaysia
  • 2. Who Am I? Chief Security Strategist and Product Manager @ Splunk> Manager Solutions @ ArcSight, Inc. Intrusion Detection Research @ IBM Research http://thor.cryptojail.net IT Security Consultant @ PriceWaterhouse Coopers Applied Security Open Vulnerability and Assessment Language (OVAL) board Visualization Common Event Expression (CEE) founding member 2008 Passion for Visualization http://secviz.org http://afterglow.sourceforge.net 2
  • 3. Agenda Convicted Goal: Visualization Log Data Processing Insider Detection Using Data to Graph Visualization AfterGlow and Splunk Insider Threat Insider Detection Process Precursors Scoring Watch Lists 3
  • 5. Convicted In February of 2007 a fairly large information leak case made the news. The scientist Gary Min faces up to 10 years in prison for stealing 16,706 documents and over 22,000 scientific abstracts from his employer DuPont. The intellectual property he was about to leak to a DuPont competitor, Victrex, was assessed to be worth $400 million. There is no evidence Gary actually turned the documents over to Victrex. 5
  • 6. DuPont Case How It Could Have Been Prevented What’s the answer? 6
  • 7. DuPont Case Log Collection!
  • 9. DuPont Case More Generic Solution user server 9
  • 10. Visualization Questions • Who analyzes logs? • Who uses visualization for log analysis? • Who is using AfterGlow? • Have you heard of SecViz.org? • What tools are you using for log analysis? 10
  • 11. Visualization Answer questions you didn’t even know of ✓ Quickly understand thousands of data entries Increase Efficiency ✓ Facilitate communication ✓ Increase response time through improved understanding Make Informed Decisions 11
  • 12. Insider Threat Visualization • Huge amounts of data • More and other data sources than for the traditional security use-cases • Insiders often have legitimate access to machines and data. You need to log more than the exceptions • Insider crimes are often executed on the application layer. You need transaction data and chatty application logs • The questions are not known in advance! • Visualization provokes questions and helps find answers • Dynamic nature of fraud • Problem for static algorithms • Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 12
  • 13. Visualizing Log Data Parsing Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Visual Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH ✓ Interpret Data ✓ Know Data Formats ✓ Re-use don’t re-invent ✓ Find parsers at: http://secviz.org/?q=node/8 13
  • 14. Charts - Going Beyond Excel • Multi-variate graphs 10.0.0.1 10.12.0.2 - Link Graphs UDP TCP - TreeMaps HTTP DNS UDP TCP - Parallel Coordinates SSH SNMP FTP 14
  • 15. Beyond The Boring Defaults For Link Graphs 10.0.0.1 SIP Name DIP 10.12.0.2 15
  • 16. Link Graph Shake Up [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 SIP Name DIP SIP DIP DPort 192.168.10.90 portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 16
  • 17. TreeMaps ? UDP TCP HTTP DNS What is this? UDP All Network Traffic TCP SSH SNMP FTP 17
  • 18. TreeMaps Explained Treemap2 (http://www.cs.umd.edu/hcil/treemap) 20% 80% UDP TCP HTTP Size: Count DNS UDP TCP Color: Service SSH SNMP FTP Configuration Hierarchy: Protocol -> Service 18
  • 19. What’s Splunk? 1. Universal Real Time Indexing 2. Ad-hoc Search & Navigation search navigate alert report share 3. Distributed / Federate Search 4. Interactive Alerting & Reporting IT Search Engine The 5. Knowledge Capture & Sharing Router Firewall logs configurations scripts & code messages Switch Web Server App Server traps & alerts activity reports Database stack traces metrics 19
  • 20. AfterGlow http://afterglow.sourceforge.net Parser AfterGlow Grapher Graph CSV File LanguageFile digraph structs { graph [label="AfterGlow 1.5.8", fontsize=8]; node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, aaelenes,Printing Resume fixedsize=true]; abbe,Information Encrytion edge [len=1.6]; aanna,Patent Access aatharuy,Ping "aaelenes" -> "Printing Resume" ; "abbe" -> "Information Encryption" ; "aanna" -> "Patent Access" ; "aatharuv" -> "Ping" ; } 20
  • 21. Why AfterGlow? # Variable and Color • Translates CSV into graph description variable=@violation=("Backdoor Access", "HackerTool Download”); color.target="orange" if (grep(/$fields[1]/,@violation)); • Define node and edge attributes color.target="palegreen" - color # Node Size and Threshold - size maxnodesize=1; size.source=$fields[2] - shape size=0.5 sum.target=0; • Filter and process data entries threshold.source=14; - threshold filter Fan Out: 3 # Color and Cluster color.source="palegreen" if ($fields[0] =~ /^111/) - fan-out filter color.source="red" color.target="palegreen" - clustering cluster.source=regex_replace("(d+).d+")."/8" 21
  • 22. AfterGlow - Splunk Demo ./splunk <command> ./splunk search “<search command>” -admin <user>:<pass> ./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk ‘{printf”%s,%sn”,$1,$2}’ | afterglow -t -b 2 | neato -Tgif -o test.gif 22
  • 23. Insider Threat Definition "Current or former employee or contractor who • intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that • targeted a specific individual or affected the security of the organization’s data, systems and/or daily business operations" [CERT: http://www.cert.org/insider_threat Definition of an Insider] 23
  • 24. Three Types of Insider Threats Information Theft is concerned Fraud deals with the with stealing of confidential or misuse of access proprietary information. This privileges or the includes things like financial intentional excess of Information statements, intellectual access levels to obtain Fraud property, design plans, source Leak property or services code, trade secrets, etc. unjustly through deception or trickery. Sabotage Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems, or business operations. 24
  • 25. Insider Threat Detection • Understand who is behind the crime • Know what to look for • Stop insiders before they become a problem • Use precursors to monitor and profile users • Define an insider detection process to analyze precursor activity 25
  • 26. Insider Detection Process • Accessing job Web sites • Build List of Precursors such as monster.com 1 • Assign Scores to Precursors • Sales person accessing patent filings 10 • Printing files with "resume" in the file name 5 • Sending emails to 50 or more recipients outside of the company 3 26
  • 27. Insider Detection Process Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: • Build List of Precursors CGXGetWindowDepth: Invalid window -1 Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07) set hot key operating mode to all disabled • Assign Scores to Precursors Aug 31 15:58:06 [68] Hot key operating mode is now all disabled • Apply Precursors to Log Files Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty. Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process / usr/bin/su do for authorization created by /usr/bin/sudo. Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password +cracker 27
  • 28. Insider Detection Process • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List 28
  • 29. Insider Detection Process Engineer • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List • Introduce User Roles Legal 29
  • 30. Insider Detection Process ? • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List • Introduce User Roles • Where Did the Scores Go? 30
  • 31. Visualization for Insider Detection • Visualization as a precursor - analyze data access per user role - find anomalies in financial transactions • Documentation and communication of activity • Tuning and analyzing process output - groups of users with similar behavior - groups of users with similar scores 31
  • 32. Process Improvements • Bucketizing precursors: - Minimal or no impact - Potential setup for insider crime - Malicious activity okay for some user roles - Malicious activity should never happen - Insider Act • Maximum of 20 points per bucket • Using watch lists to boost / decrease scores for specific groups of users - Input from other departments (HR, etc.) 32
  • 33. Tiers of Insiders Nothing to On a bad track of Very likely Malicious worry about just going malicious has malicious Insiders yet intentions 0 20 60 80 100 33
  • 35. Summary • Log visualization • Beyond the boring chart defaults • AfterGlow and Splunk - The free way to understanding your data • Insider threat • Insider detection process 35
  • 36. Thank You www.secviz.org raffael.marty@splunk.com raffy.ch/blog