visual security event analysis - defcon 13 - 2005
Post on 18-Oct-2014
1.202 views
DESCRIPTION
More on security visualization: http://secviz.org In the network security world, event graphs are evolving into a useful data analysis tool, providing a powerful alternative to reading raw log data. By visually outlining relationships among security events, analysts are given a tool to intuitively draw conclusions about the current state of their network and to respond quickly to emerging issues. I will be showing a myriad of graphs generated with data from various sources, such as Web servers, firewalls, network based intrusion detection systems, mail servers, and operating system logs. Each of the graphs will be used to show a certain property of the dataset analyzed. They will show anomalous behavior, misconfigurations and simply help document activities in a network. As part of this talk, I will release a tool tool that can be used to experiment with generating event graphs. A quick tutorial will show how easy it is to generate graphs from security data of your own environment. Video at: http://www.youtube.com/watch?v=5GK8mYumn6QTRANSCRIPT
Visual Security Event AnalysisDefCon 13 Las Vegas
Raffael Marty, GCIA, CISSPSenior Security Engineer @ ArcSight
July 29, 2005
*
Raffael Marty 2Defcon 2005 Las Vegas
Raffael Marty►Enterprise Security Management (ESM) specialist►OVAL Advisory Board
(Open Vulnerability and Assessment Language)►ArcSight Research & Development► IBM Research
• Thor - http://thor.cryptojail.net• Log analysis and event correlation research• Tivoli Risk Manager
Raffael Marty 3Defcon 2005 Las Vegas
Table Of Contents► Introduction ►Related Work►Basics►Situational Awareness►Forensic and Historical Analysis►AfterGlow
Raffael Marty 4Defcon 2005 Las Vegas
Introduction
Raffael Marty 5Defcon 2005 Las Vegas
Disclaimer
IP addresses and host names showingup in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblancewith well-known addresses or host names
are purely coincidental.
Raffael Marty 6Defcon 2005 Las Vegas
Text or Visuals?►What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failedJun 17 09:42:38 rmarty sendmail: sendmail shutdown succeededJun 17 09:42:38 rmarty sendmail: sm-client shutdown succeededJun 17 09:42:39 rmarty sendmail: sendmail startup succeededJun 17 09:42:39 rmarty sendmail: sm-client startup succeededJun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 09:45:42 rmarty last message repeated 2 timesJun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user rootJun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user rootJun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabenchJun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked IgnoringJun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked IgnoringJun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked IgnoringJun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked IgnoringJun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked IgnoringJun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked IgnoringJun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Raffael Marty 7Defcon 2005 Las Vegas
Why Using Event Graphs?►Visual representation of textual information (logs and
events)►Visual display of most important properties►Reduce analysis and response times
• Quickly visualize thousands of events• A picture tells more than a thousand log lines
►Situational awareness• Visualize status of business posture
►Facilitate communication• Use graphs to communicate with other teams• Graphs are easier to understand than textual events
Raffael Marty 8Defcon 2005 Las Vegas
When To Use Event Graphs►Real-time monitoring
• What is happening in a specific business area(e.g., compliance monitoring)
• What is happening on a specific network• What are certain servers doing• Look at specific aspects of events
►Forensics and Investigations• Selecting arbitrary set of events for investigation• Understanding big picture• Analyzing relationships
Raffael Marty 9Defcon 2005 Las Vegas
Related Work
Raffael Marty 10Defcon 2005 Las Vegas
Related Work
► Classics• Girardin Luc, “A visual Approach for Monitoring Logs” , 12th USENIX System Administration
Conference
• Erbacher: “Intrusion and Misuse Detection in Large Scale Systems”, IEEE Computer Graphics and Applications
• Sheng Ma, et al. “EventMiner: An integrated mining tool for Scalable Analysis of Event Data”
► Tools• Greg Conti, “Network Attack Visualization”,
Defcon 2004.
• NVisionIP from SIFT (Security Incident Fusion Tools), http://www.ncassr.org/projects/sift/.
• Stephen P. Berry, “The Shoki Packet Hustler”, http://shoki.sourceforge.net.
Raffael Marty 11Defcon 2005 Las Vegas
Basics
Raffael Marty 12Defcon 2005 Las Vegas
How To Draw An Event Graph?
ParserDevice Event Analyzer / Visualizer
... | Normalization | ...
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failedJun 17 09:42:38 rmarty sendmail: sendmail shutdown succeededJun 17 09:42:38 rmarty sendmail: sm-client shutdown succeededJun 17 09:42:39 rmarty sendmail: sendmail startup succeededJun 17 09:42:39 rmarty sendmail: sm-client startup succeededJun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 09:45:42 rmarty last message repeated 2 timesJun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8NH
Log File Event Graph
Raffael Marty 13Defcon 2005 Las Vegas
Different Node Configurations
Raw Event:[**] [1:1923:2] RPC portmap UDP proxy attempt [**][Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DFLen: 120
Different node configurations:
NameSIP DIP DIPSIP DPort
192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111
SPortSIP DPort SIPName DIP
192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255
Raffael Marty 14Defcon 2005 Las Vegas
AfterGlow – Peak Preview
►AfterGlow is not a SIM - there are no parsers (well, tcpdump and sendmail are there).
►Demo of the tool for use at home and in the Jacuzzi.
Thanks to Christian @ ArcSight!
CSV FileParser AfterGlow Graph
LanguageFileGrapher
cat input.csv | ./afterglow.pl –c color.properties| neato –Tgif –o output.gif
color.properties:
color.source="red" color.event="green" color.target="blue"
Raffael Marty 15Defcon 2005 Las Vegas
Situational Awareness
Raffael Marty 16Defcon 2005 Las Vegas
Real-time Monitoring With A Dashboard
Raffael Marty 17Defcon 2005 Las Vegas
Forensic and Historical Analysis
Raffael Marty 18Defcon 2005 Las Vegas
A 3D Example
►An LGL example:
Raffael Marty 19Defcon 2005 Las Vegas
Monitoring Web Servers
assetCategory(DestIP)=WebServer
Raffael Marty 20Defcon 2005 Las Vegas
Network Scan
Raffael Marty 21Defcon 2005 Las Vegas
Suspicious Activity?
Raffael Marty 22Defcon 2005 Las Vegas
Port Scan
►Port scan or something else?
Raffael Marty 23Defcon 2005 Las Vegas
Firewall Activity
External Machine
Internal Machine
OutgoingIncoming
Rule#
Rule# DIPSIP
Next Steps: 1. Visualize “FW Blocks” of outgoing traffic
-> Why do internal machines trigger blocks?2. Visualize “FW Blocks” of incoming traffic
-> Who and what tries to enter my network?3. Visualize “FW Passes” of outgoing traffic
-> What is leaving the network?
Raffael Marty 24Defcon 2005 Las Vegas
Firewall Rule-set Analysis
pass block
Raffael Marty 25Defcon 2005 Las Vegas
Load Balancer
Raffael Marty 26Defcon 2005 Las Vegas
Worms
Raffael Marty 27Defcon 2005 Las Vegas
DefCon 2004 Capture The Flag
DstPort < 1024
DstPort > 1024
Source Of Evil
Other Team's Target
DIP
Internal Target
Internal Source
Internet Target
DPortSIP
Our ServersExposed Services
Raffael Marty 28Defcon 2005 Las Vegas
DefCon 2004 Capture The Flag – TTL Games
TTLSource Of EvilInternal Target
DIP TTLSIP
Internal Source
Raffael Marty 29Defcon 2005 Las Vegas
DefCon 2004 Capture The Flag – The Solution
Flags TTLDPort
Only show SYNs
Show Node Counts
Raffael Marty 30Defcon 2005 Las Vegas
Email CliquesFrom: My DomainFrom: Other Domain
To: Other Domain
From To
To: My Domain
Raffael Marty 31Defcon 2005 Las Vegas
Email RelaysFrom: My DomainFrom: Other Domain
To: Other Domain
From To
To: My Domain
Do you run an open relay?
Grey out emails to and from “my domain”
Make “my domain” invisible
Raffael Marty 32Defcon 2005 Las Vegas
Email SPAM?
To Size
Size > 10.000Omit threshold = 1
Multiple recipients withsame-size messages
Raffael Marty 33Defcon 2005 Las Vegas
Email SPAM?
nrcpt => 2Omit threshold = 1
From nrcpt
Raffael Marty 34Defcon 2005 Las Vegas
BIG Emails
From
Size > 100.000Omit Threshold = 2
To Size
Documents leaving the network?
Raffael Marty 35Defcon 2005 Las Vegas
Email Server Problems?
2:00 < Delay < 10:00
Delay > 10:00
To Delay
To
Raffael Marty 36Defcon 2005 Las Vegas
AfterGlowafterglow.sourceforge.net
Raffael Marty 37Defcon 2005 Las Vegas
AfterGlow
►http://afterglow.sourceforge.net►Supported graphing tools:
• GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/
• LGL (Large Graph Layout) by Alex Adaihttp://bioinformatics.icmb.utexas.edu/lgl/
Raffael Marty 38Defcon 2005 Las Vegas
AfterGlow – Command Line Parameters
● Some command line parameters:-h : help-t : two node mode-d : print count on nodes-e : edge length-n : no node labels-o threshold : omit threshold (fan-out for nodes to be displayed)-c configfile : color configuration file
Raffael Marty 39Defcon 2005 Las Vegas
AfterGlow – color.properties
color.[source|event|target|edge]=
<perl expression returning a color name>
● Array @fields contains input-line, split into tokens:
color.event=“red” if ($fields[1] =~ /^192\..*)
● Special color “invisible”:
color.target=“invisible” if ($fields[0] eq
“IIS Action”)
● Edge color
color.edge=“blue”
Raffael Marty 40Defcon 2005 Las Vegas
AfterGlow – color.properties - Example
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"color.event="slateblue4"color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"color.edge="firebrick" if (($fields[0]=~/191\.141\.69.\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"