Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Insider Threat Visualization - HackInTheBox 2007


Published on

Presentation on visualization of insider threat given at HackInTheBox 2007.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Insider Threat Visualization - HackInTheBox 2007

  1. 1. Insider Threat VisualizationRaffael Marty, GCIA, CISSPChief Security Strategist @ Splunk>Hack In The Box - September 07 - Malaysia
  2. 2. Who Am I? Chief Security Strategist and Product Manager @ Splunk> Manager Solutions @ ArcSight, Inc. Intrusion Detection Research @ IBM Research IT Security Consultant @ PriceWaterhouse Coopers Applied Security Open Vulnerability and Assessment Language (OVAL) board Visualization Common Event Expression (CEE) founding member 2008 Passion for Visualization 2
  3. 3. AgendaConvicted Goal:VisualizationLog Data Processing Insider Detection Using Data to Graph Visualization AfterGlow and SplunkInsider ThreatInsider Detection Process Precursors Scoring Watch Lists 3
  4. 4. It’s Not That Easy 4
  5. 5. ConvictedIn February of 2007 a fairly large information leakcase made the news. The scientist Gary Min faces upto 10 years in prison for stealing 16,706 documentsand over 22,000 scientific abstracts from hisemployer DuPont. The intellectual property he wasabout to leak to a DuPont competitor, Victrex, wasassessed to be worth $400 million. There is noevidence Gary actually turned the documents over toVictrex. 5
  6. 6. DuPont CaseHow It Could Have Been Prevented What’s the answer? 6
  7. 7. DuPont Case Log Collection!
  8. 8. DuPont CaseSimple Solution 8
  9. 9. DuPont CaseMore Generic Solution user server 9
  10. 10. Visualization Questions• Who analyzes logs?• Who uses visualization for log analysis?• Who is using AfterGlow?• Have you heard of• What tools are you using for log analysis? 10
  11. 11. Visualization Answer questions you didn’t even know of ✓ Quickly understand thousands of data entries Increase Efficiency ✓ Facilitate communication ✓ Increase response time through improved understanding Make Informed Decisions 11
  12. 12. Insider Threat Visualization• Huge amounts of data • More and other data sources than for the traditional security use-cases • Insiders often have legitimate access to machines and data. You need to log more than the exceptions • Insider crimes are often executed on the application layer. You need transaction data and chatty application logs• The questions are not known in advance! • Visualization provokes questions and helps find answers• Dynamic nature of fraud • Problem for static algorithms • Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 12
  13. 13. Visualizing Log Data ParsingJun 17 09:42:30 rmarty ifup: Determining IP information for eth0...Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failedJun 17 09:42:38 rmarty sendmail: sendmail shutdown succeededJun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded VisualJun 17 09:42:39 rmarty sendmail: sendmail startup succeededJun 17 09:42:39 rmarty sendmail: sm-client startup succeededJun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 17 09:45:42 rmarty last message repeated 2 timesJun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on to 00:0c:29:b7:b2:47 via vmnet8NH ✓ Interpret Data ✓ Know Data Formats ✓ Re-use don’t re-invent ✓ Find parsers at: 13
  14. 14. Charts - Going Beyond Excel• Multi-variate graphs - Link Graphs UDP TCP - TreeMaps HTTP DNS UDP TCP - Parallel Coordinates SSH SNMP FTP 14
  15. 15. Beyond The Boring Defaults For Link Graphs SIP Name DIP 15
  16. 16. Link Graph Shake Up[**] [1:1923:2] RPC portmap UDP proxy attempt [**][Classification: Decode of an RPC Query] [Priority: 2]06/04-15:56:28.219753 -> TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DFLen: 120 SIP Name DIP SIP DIP DPort192.168.10.90 portmap 111 SIP SPort DPort Name SIP DIP192.168.10.90 32859 111 RPC portmap 16
  17. 17. TreeMaps ? UDP TCP HTTP DNS What is this? UDP All Network Traffic TCP SSH SNMP FTP 17
  18. 18. TreeMaps Explained Treemap2 ( 20% 80% UDP TCP HTTP Size: Count DNS UDP TCP Color: Service SSH SNMP FTP Configuration Hierarchy: Protocol -> Service 18
  19. 19. What’s Splunk?1. Universal Real Time Indexing2. Ad-hoc Search & Navigation search navigate alert report share3. Distributed / Federate Search4. Interactive Alerting & Reporting IT Search Engine The5. Knowledge Capture & Sharing Router Firewall logs configurations scripts & code messages Switch Web Server App Server traps & alerts activity reports Database stack traces metrics 19
  20. 20. AfterGlow Parser AfterGlow Grapher Graph CSV File LanguageFile digraph structs { graph [label="AfterGlow 1.5.8", fontsize=8]; node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, aaelenes,Printing Resume fixedsize=true]; abbe,Information Encrytion edge [len=1.6]; aanna,Patent Access aatharuy,Ping "aaelenes" -> "Printing Resume" ; "abbe" -> "Information Encryption" ; "aanna" -> "Patent Access" ; "aatharuv" -> "Ping" ; } 20
  21. 21. Why AfterGlow? # Variable and Color• Translates CSV into graph description variable=@violation=("Backdoor Access", "HackerTool Download”);"orange" if (grep(/$fields[1]/,@violation));• Define node and edge attributes"palegreen" - color # Node Size and Threshold - size maxnodesize=1; size.source=$fields[2] - shape size=0.5;• Filter and process data entries threshold.source=14; - threshold filter Fan Out: 3 # Color and Cluster color.source="palegreen" if ($fields[0] =~ /^111/) - fan-out filter color.source="red""palegreen" - clustering cluster.source=regex_replace("(d+).d+")."/8" 21
  22. 22. AfterGlow - Splunk Demo./splunk <command>./splunk search “<search command>” -admin <user>:<pass>./splunk search "ipfw | fields + SourceAddress DestinationAddress" -authadmin:changeme | awk ‘{printf”%s,%sn”,$1,$2}’ | afterglow -t -b 2 |neato -Tgif -o test.gif 22
  23. 23. Insider Threat Definition"Current or former employee or contractor who • intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that • targeted a specific individual or affected the security of the organization’s data, systems and/or daily business operations" [CERT: Definition of an Insider] 23
  24. 24. Three Types of Insider Threats Information Theft is concernedFraud deals with the with stealing of confidential or misuse of access proprietary information. This privileges or the includes things like financial intentional excess of Information statements, intellectual access levels to obtain Fraud property, design plans, source Leak property or services code, trade secrets, etc. unjustly through deception or trickery. Sabotage Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems, or business operations. 24
  25. 25. Insider Threat Detection• Understand who is behind the crime• Know what to look for• Stop insiders before they become a problem• Use precursors to monitor and profile users• Define an insider detection process to analyze precursor activity 25
  26. 26. Insider Detection Process • Accessing job Web sites• Build List of Precursors such as 1• Assign Scores to Precursors • Sales person accessing patent filings 10 • Printing files with "resume" in the file name 5 • Sending emails to 50 or more recipients outside of the company 3 26
  27. 27. Insider Detection Process Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument:• Build List of Precursors CGXGetWindowDepth: Invalid window -1 Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07) set hot key operating mode to all disabled• Assign Scores to Precursors Aug 31 15:58:06 [68] Hot key operating mode is now all disabled• Apply Precursors to Log Files Aug 27 10:21:39 ram authinternal failed to authenticate user raffaelmarty. Aug 27 10:21:39 ram Failed to authorize right system.login.tty by process / usr/bin/su do for authorization created by /usr/bin/sudo. Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: +cracker 27
  28. 28. Insider Detection Process• Build List of Precursors• Assign Scores to Precursors• Apply Precursors to Log Files• Visualize Insider Candidate List 28
  29. 29. Insider Detection Process Engineer• Build List of Precursors• Assign Scores to Precursors• Apply Precursors to Log Files• Visualize Insider Candidate List• Introduce User Roles Legal 29
  30. 30. Insider Detection Process ?• Build List of Precursors• Assign Scores to Precursors• Apply Precursors to Log Files• Visualize Insider Candidate List• Introduce User Roles• Where Did the Scores Go? 30
  31. 31. Visualization for Insider Detection• Visualization as a precursor - analyze data access per user role - find anomalies in financial transactions• Documentation and communication of activity• Tuning and analyzing process output - groups of users with similar behavior - groups of users with similar scores 31
  32. 32. Process Improvements• Bucketizing precursors: - Minimal or no impact - Potential setup for insider crime - Malicious activity okay for some user roles - Malicious activity should never happen - Insider Act• Maximum of 20 points per bucket• Using watch lists to boost / decrease scores for specific groups of users - Input from other departments (HR, etc.) 32
  33. 33. Tiers of Insiders Nothing to On a bad track of Very likely Malicious worry about just going malicious has malicious Insiders yet intentions 0 20 60 80 100 33
  34. 34. The Insider? Finally? 34
  35. 35. Summary• Log visualization• Beyond the boring chart defaults• AfterGlow and Splunk - The free way to understanding your data• Insider threat• Insider detection process 35
  36. 36. Thank You