my security is a graph your argument is invalid · 2014-08-04 · attack paths –email password...
My Security is a Graph – Your Argument is Invalid
Who am I
Gabe
• @gdbassett
• https://github.com/gdbassett
• http://blog.infosecanalytics.com/
• http://www.infosecanalytics.com/
• Information Security Analytics LLC
• Security Architect
• I love solving problems with graphs
HERE’S THE PLAN
Infosec + Graph Theory = Sexy Defense
Graph Theory and Infosec
• What are Graphs
• What can you do with them (the math stuff)
• Kill chains, attack paths, and attack graphs
• How to work with graphs
• What can you do with them (the infosec stuff)
• What I’m doing with them
WTF is a Graph
DATABASES ARE ABOUT RECORDS. GRAPHS ARE ABOUT RELATIONSHIPS.
Graphs/Networks is Easy
• Nodes/Vertexes
• Edges/Lines
When you put them together, you get a graph
Words
• Actor: Someone with free will
• Threat: A mean actor
• Risk: A potential future negative situation. Likelihood and Impact
• Vulnerability: A vulnerable condition. Something that increases risk likelihood
• Mitigation: A mitigating condition. Something that decreases risk likelihood
• Consequence: A negative event or condition
• Impact: Just how bad a consequence is
Math Happens Here
THE COOL THING ABOUT GRAPHS IS THAT MATH HAPPENS ALL UP IN THEM
Depth First Search
http://en.wikipedia.org/wiki/File:Depth-first-tree.svg
Breadth First Search
http://en.wikipedia.org/wiki/File:Breadth-first-tree.svg
PageRank – The Drunken Walk
http://upload.wikimedia.org/wikipedia/commons/f/fb/PageRanks-Example.svg
Hot Infosec Pro in Pony Tails
Shortest Path
http://www.cs.sunysb.edu/~skiena/combinatorica/animations/dijkstra.html
Centrality
http://en.wikipedia.org/wiki/File:Centrality.svg
Communities / Modularity
http://en.wikipedia.org/wiki/Community_structure
http://en.wikipedia.org/wiki/Modularity_(networks)
Bipartite Networks
Monopartite Networks
Monopartite Networks
Bayesian Math
http://en.wikipedia.org/wiki/Bayes%27_formula
Kill Chains and Attack Graphs
Quick Example
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Lockheed Martin Kill Chains
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
ATTACK PATHS
Need:
• A threat
• Events
• Conditions
http://infosecanalytics.blogspot.com/2013/07/cyber-attack-graph-schema-cags-10.html
Attack Paths – Dave’s a FB Hacker
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my FB password (event)
• I have a weak FB password (condition)
• FB has password brute force detection (condition)
• FB doesn’t notice the brute force (event)
• Dave finds my FB password (event)
• Dave has my FB login credentials (condition)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page (event)
• Our bromance is outed! (condition)
9/28/2013 Graphs in Infosec
Attack Paths – FB Password Brute Force
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my FB password (event)
• I have a weak FB password (condition)
• FB has password brute force detection (condition)
• FB doesn’t notice the brute force (event)
• Dave finds my FB password (event)
• Dave has my FB login credentials (condition)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page (event)
• Our bromance is outed! (condition)
Labels on the path: Impact, Mitigation, Vulnerability, Likelihood, Consequence
ATTACK PATH
Kinda looks like a risk…
ATTACK PATHS
Dave has Options
Attack Paths – Email Password Brute Force
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my email password (event)
• I have a strong email password (kind of) (condition)
• Dave finds my email password (event)
• Dave has my email login credentials (condition)
• Dave resets my FB password (event)
• Dave gets the reset email and sets my FB password (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
• Our bromance is outed! (condition)
Attack Paths – Phishing with a Link
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Emails me a link to a malicious website (event)
• I open the mail, click sh*t, and get pwned (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
Attack Paths – Phishing with Malware
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Emails me some custom pentest malware from Raphael (event)
• I open the mail, click sh*t, and run the malware (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
Only these 2 changed
Attack Path Attributes
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• wants to embarrass me by posting our honeymoon photos on my FB account (attribute)
• Dave (a threat)
• Emails me some custom pentest malware from Raphael (event)
• I open the mail and run the malware (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
• Has Raphael’s uberpentest malware (attribute)
So Graphs are cool. How do I get me one?
Tools and Stuff
• Maltego: www.paterva.com
  • An infosec graph tool for threat modeling
• Gephi: www.gephi.org
  • A visual graph manipulation tool
• Neo4j: www.neo4j.org
  • A graph database
  • Cypher: A graph query language for neo4j
• Networkx: networkx.github.io
  • A python module for storing and using graphs
• Py2neo: py2neo.org
  • An easy python to neo4j binding
• Ubigraph: http://ubietylab.net/ubigraph/
  • Simple python binding to visualize graphs in 3D
• RDF: www.w3.org/RDF/
  • An easy way to describe graphs. (until you try and use it.)
• SPARQL: www.w3.org/TR/sparql11-overview/
  • Another graph query language, primarily associated with RDF
DEMO TIME
Let’s make an attack graph out of those attack paths.
Attack Path Summary

| Actor (threat) | Motive | Narrative | Consequence |
| --- | --- | --- | --- |
| Dave Kennedy… | wants to embarrass me by posting our honeymoon photos on my FB account. He… | Brute forces my Facebook password, avoiding FB’s detection, gets my password, authenticates as me, logs into my account, and posts our honeymoon photos. | Our bromance is outed! |
| Dave Kennedy… | wants to embarrass me by posting our honeymoon photos on my FB account. He… | Brute forces my email password. Resets my FB password & collects the new login from my email, authenticates as me, logs into my account, and posts our honeymoon photos. | Our bromance is outed! |
| Dave Kennedy… | wants to embarrass me by posting our honeymoon photos on my FB account. He… | Has some leet PT malware from Raphael that he emails to me. I run it and infect my computer. He steals my FB cookie, authenticates as me, logs into my account, and posts our honeymoon photos. | Our bromance is outed! |
| Dave Kennedy… | wants to embarrass me by posting our honeymoon photos on my FB account. He… | He sends me a malicious link. I click it and infect my computer. He steals my FB cookie, authenticates as me, logs into my account, and posts our honeymoon photos. | Our bromance is outed! |
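
Merging the four attack paths summarized above into one attack graph, as an added example (not the speaker's demo code). It uses plain Python dictionaries instead of networkx so it runs without dependencies; node labels are shortened from the slides and the side conditions (weak password, brute force detection) are left out so each path is a linear chain. It then uses depth-first and breadth-first search to show where a single mitigation cuts every path.

```python
from collections import Counter, deque

# Constructed from the four attack paths on the slides (labels shortened).
THREAT = "Dave (threat)"
GOAL = "Bromance is outed (condition)"
TAIL = ["Dave authenticates to FB (event)",
        "Dave is authenticated as me (condition)",
        "Dave posts honeymoon photos (event)",
        GOAL]
COOKIE = ["My computer is infected (condition)",
          "Malware takes my FB auth cookie (event)"]
PATHS = {
    "fb_brute_force": [THREAT, "Brute forces FB password (event)",
                       "FB doesn't notice brute force (event)",
                       "Dave finds FB password (event)",
                       "Dave has FB credentials (condition)"] + TAIL,
    "email_brute_force": [THREAT, "Brute forces email password (event)",
                          "Dave finds email password (event)",
                          "Dave has email credentials (condition)",
                          "Dave resets FB password (event)",
                          "Dave sets FB password via reset email (event)"] + TAIL,
    "phishing_link": [THREAT, "Emails malicious link (event)",
                      "I click and get pwned (event)"] + COOKIE + TAIL,
    "phishing_malware": [THREAT, "Emails pentest malware (event)",
                         "I run the malware (event)"] + COOKIE + TAIL,
}


def build_graph(paths):
    """Merge linear attack paths into one directed graph (node -> successors)."""
    graph = {}
    for steps in paths.values():
        for a, b in zip(steps, steps[1:]):
            graph.setdefault(a, set()).add(b)
            graph.setdefault(b, set())
    return graph


def all_paths(graph, src, dst, blocked=frozenset()):
    """Depth-first enumeration of every src->dst path avoiding blocked nodes."""
    found, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            found.append(path)
            continue
        for nxt in sorted(graph[node]):
            if nxt not in blocked and nxt not in path:
                stack.append((nxt, path + [nxt]))
    return found


def reachable(graph, src, dst, blocked=frozenset()):
    """Breadth-first search: can the threat still reach the consequence?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False


def choke_points(graph, src, dst):
    """Nodes whose removal alone cuts every path from src to dst."""
    return [n for n in graph if n not in (src, dst)
            and not reachable(graph, src, dst, blocked={n})]


def coverage(graph, src, dst):
    """Number of attack paths that pass through each node."""
    counts = Counter()
    for path in all_paths(graph, src, dst):
        counts.update(path)
    return counts


if __name__ == "__main__":
    g = build_graph(PATHS)
    separate = sum(len(p) for p in PATHS.values())
    print(f"{separate} steps across 4 paths merge into {len(g)} nodes")
    print("paths to consequence:", len(all_paths(g, THREAT, GOAL)))
    print("mitigating any one of these cuts every path:")
    for node in choke_points(g, THREAT, GOAL):
        print("  ", node)
    print("partial mitigations (paths covered per node):")
    for node, n in coverage(g, THREAT, GOAL).most_common():
        if node not in (THREAT, GOAL):
            print(f"  {n}/4  {node}")
```

A control that blocks the infected-computer condition removes only the two phishing paths; the authentication step is the first node all four paths share.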
THIS PREDICTS HUMAN BEHAVIOR
It doesn’t just predict infosec risks
Think Psychohistory
http://en.wikipedia.org/wiki/File:Isaac_Asimov_on_Throne.png
Infosec Things to do with Graphs
Make Pretty Pictures
Risk Management
Threat Modeling
http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
Data Sharing
• (A) ID: <value>
• (B) URL: <value>
• (C) DOMAIN: <value>
• (D) WHOIS: <value>
• (E) DNS QUERY: <value>
• (F) DNS RECORD: <value>
• (G) RECORD TYPE: <value>
• (H) DNS QUERY: <value 2>
• (I) DNS RECORD: <value 2>
• (J) RECORD TYPE: <value 2>
http://infosecanalytics.blogspot.com/2013/03/defensive-construct-exchange-standard-03.html
Intrusion Detection
Incident Investigation
Incident Documentation
My Tools
MY MINIONS
https://github.com/gdbassett/odds_and_ends/tree/master/minions
http://despicableme.com/post/1807
http://ihdwallpapers.com/minions_in_despicable_me_2-wallpapers.html#
DCES – Defensive Construct Exchange Standard
DB Record
Graph (networkx)
XML
Dictionary (JSON)
DCES
http://infosecanalytics.blogspot.com/2013/03/defensive-construct-exchange-standard-03.html
Moirai
Neo4J
Moirai (Autobahn, py2neo neo4j connection)
RPC PubSub
Log Search Client
Visualization Client
GUI Client
Security Proxy
IDS Client
https://github.com/gdbassett/moirai
Visualization
http://linkurio.us/
http://keylines.com/
http://sigmajs.org/
Ghost in the Shell: Innocence
Other Ideas
• Offense:
• Auto-attack down an attack graph
• Automatic Pen Test Documentation
• Network Analysis
• Collect information about your network, the devices on it and their attributes using a graph database.
In Summary
Bla Bla Bla Evil Haxors
(Credit to @451wendy)
Threats. Vulns.
Scary
(Credit to @451wendy)
BIGNUM
BIGNUM
Hundreds of Threats
Thousands of Attacks
Millions of Logs
![Page 66: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/66.jpg)
Solution: Graphs solve everything
(Credit to @451wendy)
![Page 67: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/67.jpg)
Solution: ATTACK GRAPHS
(Credit to @451wendy)
![Page 68: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/68.jpg)
Best & Unique Because…
(Credit to @451wendy)
• Is not antivirus
• Is not firewall
![Page 69: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/69.jpg)
Best & Unique Because…
(Credit to @451wendy)
BIG DI DATA
![Page 70: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/70.jpg)
Fastest Realest Time Because…
(Credit to @451wendy), http://giraph.apache.org/
• Cloud
• Analytics
• Giraph (Hadoop but better)
![Page 71: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/71.jpg)
(Credit to @451wendy)
CYBER
CYBER
CYBER
CYBER CYBER CYBER CYBER CYBER CYBER
CYBER
![Page 72: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/72.jpg)
CONCLUSION
Infosec + Graph Theory = Sexy Defense
Now you try!
![Page 73: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/73.jpg)
![Page 74: My Security is a Graph Your Argument is Invalid · 2014-08-04 · Attack Paths –Email Password Brute Force Events and Conditions thanks to An Attack Graph-Based Probabilistic Security](https://reader033.vdocuments.site/reader033/viewer/2022041710/5e4786e9ea88e775a6550dbf/html5/thumbnails/74.jpg)
LINKS
• My Blog: http://infosecanalytics.blogspot.com/
  • Has DCES, CAGS, Attack Path, CPT standards
• My Code: https://github.com/gdbassett/
• Maltego: www.paterva.com
• Gephi: www.gephi.org
• Neo4j: www.neo4j.org
• Networkx: networkx.github.io
• Py2neo: py2neo.org
• Ubigraph: http://ubietylab.net/ubigraph/
• RDF: www.w3.org/RDF/
• SPARQL: www.w3.org/TR/sparql11-overview/
• Visualization: http://linkurio.us/, http://keylines.com/, http://sigmajs.org/
• Lockheed Martin paper: http://goo.gl/pU2KXF
• Giraph: http://giraph.apache.org/
• Wikipedia Articles: Community structure, Graph theory, Depth-first search, Breadth-first search, Shortest path problem, Dijkstra's algorithm, Modularity (networks), Centrality, Bayesian inference, Bipartite graph, Psychohistory (fictional), PageRank