Event Graph visualization presentation from EUSec West 2006
A Visual Approach to Security Event Management
EuSecWest '06, London
Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
February 21st, 2006
Raffael Marty 2EuSecWest 2006 London
Raffael Marty, GCIA, CISSP
Enterprise Security Management (ESM) specialist
Strategic Application Solutions @ ArcSight, Inc.
Intrusion Detection Research @ IBM Research
See http://thor.cryptojail.net
IT Security Consultant @ PriceWaterhouse Coopers
Open Vulnerability and Assessment Language (OVAL) board member
Passion for Visual Security Event Analysis
Table Of Contents
► Introduction
► Basics
► Examples of Graphs you can draw with AfterGlow
► AfterGlow
  1.x – Event Graphs
  2.0 – TreeMaps
  Future – All in One!
Introduction
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Text or Visuals?
►What would you rather look at?
A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Make Better Decisions
Reduce Analysis and Response Times
Three Aspects of Visual Security Event Analysis
► Situational Awareness
• What is happening in a specific business area (e.g., compliance monitoring)
• What is happening on a specific network
• What are certain servers doing
► Real-Time Monitoring and Incident Response
• Capture important activities and take action
• Event Workflow
• Collaboration
► Forensic and Historic Investigation
• Selecting arbitrary set of events for investigation
• Understanding big picture
• Analyzing relationships - Exploration
• Reporting
Basics
How To Generate A Graph?
Device -> Parser -> Normalization -> Visualizer
Log File -> Visual
Visual Types I
►Will focus on visuals that AfterGlow supports:
Event Graphs (Link Graphs)
TreeMaps
AfterGlow 1.x - Perl
AfterGlow 2.0 - JAVA
Visual Types II
Event Graphs (Link Graphs):
► Node Configuration
► Node Coloring
► Edge Coloring
TreeMaps:
► Hierarchy
► "Box" Coloring
► "Box" Size
(Figure labels: Name, SIP, DIP; Block, Pass; UDP, TCP)
Link Graph Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations:
SIP -> Name -> DIP:    192.168.10.90 -> RPC portmap -> 192.168.10.255
SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255
TreeMap Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different configurations (hierarchy levels):
SIP > Name > DIP
SIP > SPort > DIP
SIP > DIP > DPort
Name > SIP > DIP
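The parser/normalization step behind the two configuration slides, written out as an added Python example (it is not part of the deck and not AfterGlow's own parser): the Snort alert from the slide is the constructed input, the field names SIP, SPort, DIP, DPort and Name follow the slides, and the helper names are my own. It turns one raw alert into named fields and then emits the CSV row for whichever node configuration (link graph) or hierarchy (treemap) you pick.

```python
import csv
import io
import re

# Constructed sample: the Snort alert shown on the slide, restored to its
# four lines (the extraction runs them together).
RAW_EVENT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
"""

HEADER_RE = re.compile(r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<name>.+?)\s+\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(?P<cls>[^\]]+)\]\s*\[Priority:\s*(?P<prio>\d+)\]")
FLOW_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\s+TTL:(?P<ttl>\d+)", re.MULTILINE)

# The node configurations and hierarchies from the two slides, as column triples.
LINK_GRAPH_CONFIGS = {
    "sip-name-dip": ("SIP", "Name", "DIP"),
    "sip-dip-dport": ("SIP", "DIP", "DPort"),
    "sip-sport-dport": ("SIP", "SPort", "DPort"),
    "name-sip-dip": ("Name", "SIP", "DIP"),
}
TREEMAP_CONFIGS = {
    "sip-name-dip": ("SIP", "Name", "DIP"),
    "sip-sport-dip": ("SIP", "SPort", "DIP"),
    "sip-dip-dport": ("SIP", "DIP", "DPort"),
    "name-sip-dip": ("Name", "SIP", "DIP"),
}

def parse_snort_alert(raw):
    """Normalize one multi-line Snort full alert into named fields (the 'Parser' stage)."""
    header = HEADER_RE.search(raw)
    flow = FLOW_RE.search(raw)
    if header is None or flow is None:
        raise ValueError("not a complete Snort alert: header or flow line missing")
    fields = {
        "SID": header.group("sid"),
        "Name": header.group("name"),
        "Timestamp": flow.group("ts"),
        "SIP": flow.group("sip"), "SPort": flow.group("sport"),
        "DIP": flow.group("dip"), "DPort": flow.group("dport"),
    }
    cls = CLASS_RE.search(raw)
    if cls:
        fields["Class"] = cls.group("cls")
        fields["Priority"] = cls.group("prio")
    proto = PROTO_RE.search(raw)
    if proto:
        fields["Proto"] = proto.group("proto")
        fields["TTL"] = proto.group("ttl")
    return fields

def split_alerts(text):
    """Split a Snort alert file into individual alerts (they are blank-line separated)."""
    return [blk for blk in re.split(r"\n\s*\n", text.strip()) if blk.strip()]

def to_csv_row(fields, columns):
    """Render the chosen columns as one AfterGlow CSV line (csv quotes commas in names)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow([fields[c] for c in columns])
    return buf.getvalue()

def alerts_to_csv(text, columns):
    """Whole pipeline: raw alert file -> normalized fields -> CSV rows for one configuration."""
    return [to_csv_row(parse_snort_alert(a), columns) for a in split_alerts(text)]

if __name__ == "__main__":
    for name, cols in LINK_GRAPH_CONFIGS.items():
        print(name, "->", alerts_to_csv(RAW_EVENT, cols))
```

Pipe the rows of one configuration into AfterGlow's CSV input; switching configuration is then just a different column triple rather than a different parser.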
Graph Use Cases
Things You Can Do With AfterGlow
Situational Awareness Dashboard
Vulnerability Awareness I
(Figure labels: DIP, Vuln, Score; One Machine; A Vulnerability)
Vulnerability Awareness II
DIP
Score
Vuln
AfterGlow - LGL
Monitoring Web Servers
Traffic to WebServers
Suspicious Activity?
Network Scan
Port Scan
►Port scan or something else?
PortScan
SIP
DIP
DPort
Firewall Activity
(Figure labels: External Machine, Internal Machine, Outgoing, Incoming; SIP, Rule#, DIP)
Next Steps:
1. Visualize "FW Blocks" of outgoing traffic
   -> Why do internal machines trigger blocks?
2. Visualize "FW Blocks" of incoming traffic
   -> Who and what tries to enter my network?
3. Visualize "FW Passes" of outgoing traffic
   -> What is leaving the network?
Firewall Rule-set Analysis
pass block
Load Balancer
Worms
DefCon 2004 Capture The Flag
(Figure labels: SIP, DIP, DPort; DstPort < 1024, DstPort > 1024; Source Of Evil, Other Team's Target, Internal Target, Internal Source, Internet Target, Our Servers, Exposed Services)
DefCon 2004 Capture The Flag – TTL Games
(Figure labels: SIP, TTL, DIP; Source Of Evil, Internal Target, Internal Source, Offender TTL, Our Servers)
DefCon 2004 Capture The Flag – More TTL
(Figure labels: DPort, TTL, Flags)
Show Node Counts
Telecom Malicious Code Propagation
(Figure labels: From Phone#, To Phone#, Content Type | Size)
Email Cliques
From: My Domain
From: Other Domain
To: Other Domain
From To
To: My Domain
Email Relays
From: My Domain
From: Other Domain
To: Other Domain
From To
To: My Domain
Do you run an open relay?
Grey out emails to and from “my domain”
Make “my domain” invisible
Email SPAM?
(Figure labels: To, Size)
Size > 10.000, Omit threshold = 1
Multiple recipients with same-size messages
Email SPAM?
(Figure labels: From, nrcpt)
nrcpt >= 2, Omit threshold = 1
BIG Emails
(Figure labels: From, To, Size)
Size > 100.000, Omit Threshold = 2
Documents leaving the network?
Email Server Problems?
2:00 < Delay < 10:00
Delay > 10:00
To Delay
To
AfterGlow
afterglow.sourceforge.net
AfterGlow
►http://afterglow.sourceforge.net
►Two Versions:
• AfterGlow 1.x – Perl for Event Graphs
• AfterGlow 2.0 – Java for TreeMaps
AfterGlow 1.x - Perl
►Supported graphing tools:
• GraphViz from AT&T (dot and neato): http://www.research.att.com/sw/tools/graphviz/
• LGL (Large Graph Layout) by Alex Adai: http://bioinformatics.icmb.utexas.edu/lgl/
Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher
AfterGlow 1.x – Command Line Parameters
● Some command line arguments:
-h : help
-t : two node mode
-d : print count on nodes
-e : edge length
-n : no node labels
-o threshold : omit threshold (fan-out for nodes to be displayed)
-c configfile : color configuration file
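What the CSV-to-graph step does, with the -t, -d, -n and -o switches from this slide, as an added Python example (my own illustration, not AfterGlow's Perl code): it reads source,event,target rows, expands them into links, counts node occurrences, applies an omit threshold and emits a GraphViz dot file. The sample rows are constructed, and the omit-threshold rule is an assumption chosen to match how the later email slides use it (nodes that only connect single-neighbour chains drop out); AfterGlow's exact rule is not on the slide.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in AfterGlow's three-column source,event,target CSV form
# (addresses made up, as on the slides).
SAMPLE_CSV = """\
192.168.10.90,RPC portmap,192.168.10.255
192.168.10.90,RPC portmap,192.168.10.7
192.168.10.90,ICMP PING,192.168.10.7
10.0.0.5,ICMP PING,192.168.10.7
10.0.0.9,SSH login,192.168.10.1
"""

def read_edges(text, two_node=False):
    """Parse CSV rows into (src, evt, tgt); two-node mode (-t) reads source,target only."""
    edges = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if two_node:
            edges.append((row[0], None, row[1]))
        else:
            edges.append((row[0], row[1], row[2]))
    return edges

def build_links(edges):
    """Expand each row into graph links: src->evt and evt->tgt, or src->tgt in two-node mode."""
    links = []
    for src, evt, tgt in edges:
        if evt is None:
            links.append((src, tgt))
        else:
            links.append((src, evt))
            links.append((evt, tgt))
    return links

def node_counts(links):
    """How often each node occurs over all links; this is the number -d prints on a node."""
    counts = Counter()
    for a, b in links:
        counts[a] += 1
        counts[b] += 1
    return counts

def apply_omit_threshold(links, threshold):
    """Assumed -o semantics, not AfterGlow's exact code: keep a link only if at least one
    endpoint has more than `threshold` distinct neighbours, so chains that connect
    nothing else together drop out. Threshold 0 keeps everything."""
    if threshold <= 0:
        return list(links)
    neighbours = defaultdict(set)
    for a, b in links:
        neighbours[a].add(b)
        neighbours[b].add(a)
    return [(a, b) for a, b in links
            if len(neighbours[a]) > threshold or len(neighbours[b]) > threshold]

def to_dot(links, show_counts=False, node_labels=True):
    """Emit a GraphViz dot file, the 'graph language file' handed to dot or neato."""
    counts = node_counts(links)
    out = ["digraph afterglow {"]
    for n in sorted(counts):
        if not node_labels:          # -n
            label = ""
        elif show_counts:            # -d
            label = f"{n}\\n({counts[n]})"
        else:
            label = n
        out.append(f'  "{n}" [label="{label}"];')
    for a, b in sorted(set(links)):  # duplicate links collapse to one edge
        out.append(f'  "{a}" -> "{b}";')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    links = apply_omit_threshold(build_links(read_edges(SAMPLE_CSV)), 1)
    print(to_dot(links, show_counts=True))
```

With threshold 2 on the sample, the lone SSH login chain disappears while the portmap and ping fan-outs stay, which is the effect the slides rely on when they raise the omit threshold to expose the busy nodes.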
AfterGlow 1.x – color.properties
color.[source|event|target|edge]=<perl expression returning a color name>
● Array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
● Special color "invisible":
color.target="invisible" if ($fields[0] eq "IIS Action")
● Edge color:
color.edge="blue"
AfterGlow 1.x – color.properties - Example
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
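How a color.properties file like the one above is applied to each CSV row, as an added Python example (it is not AfterGlow's Perl evaluator, which runs the expressions directly): the rules are read per role in file order, the first rule whose condition holds wins, an unconditional rule acts as the default, and "invisible" marks a node or edge that is not drawn. Only the Perl subset used on the slide is understood ($fields[N]=~/regex/ terms joined by or/and); the first-match-wins ordering is stated here as an assumption.

```python
import re

# The color.properties from the slide, copied as given (straight quotes; the
# edge regex reads 191\.141\.69\.4 like the source/target lines).
COLOR_PROPERTIES = r'''
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
'''

RULE_RE = re.compile(
    r'^color\.(?P<role>source|event|target|edge)\s*=\s*"(?P<color>[^"]+)"'
    r'(?:\s+if\s*\((?P<cond>.*)\))?\s*;?\s*$'
)
# One `$fields[N]=~/regex/` term; the example file uses nothing else.
TERM_RE = re.compile(r'\$fields\[(?P<idx>\d+)\]\s*=~\s*/(?P<regex>(?:\\/|[^/])*)/')

def parse_color_properties(text):
    """Read rules per role in file order; each rule is (color, condition-or-None)."""
    rules = {"source": [], "event": [], "target": [], "edge": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules[m.group("role")].append((m.group("color"), m.group("cond")))
    return rules

def condition_holds(cond, fields):
    """Evaluate the subset of Perl used on the slide: =~ terms joined by 'or' or 'and'.
    A term referring to a column the row lacks is simply false."""
    if cond is None:
        return True
    results = []
    for idx, regex in TERM_RE.findall(cond):
        i = int(idx)
        results.append(i < len(fields) and re.search(regex, fields[i]) is not None)
    if not results:
        raise ValueError(f"no $fields[N]=~/.../ term in condition: {cond}")
    # crude connective detection: good enough for the slide's file, not for arbitrary Perl
    return all(results) if re.search(r"\band\b", cond) else any(results)

def choose_color(rules, role, fields, default="black"):
    """Assumed AfterGlow semantics: try the role's rules in file order, first match wins."""
    for color, cond in rules[role]:
        if condition_holds(cond, fields):
            return color
    return default

def color_row(rules, fields):
    """Colors for one CSV row; 'invisible' means the node or edge is not drawn at all."""
    colors = {role: choose_color(rules, role, fields) for role in rules}
    hidden = {role for role, c in colors.items() if c == "invisible"}
    return colors, hidden

if __name__ == "__main__":
    rules = parse_color_properties(COLOR_PROPERTIES)
    for row in (["191.141.69.4", "RPC portmap", "10.0.0.1"],
                ["10.1.1.1", "IIS Action", "211.254.110.9"]):
        print(row, color_row(rules, row))
```

Because the first match wins, the unconditional `orangered1` and `cyan4` lines must stay last in their role; moving one of them up would silence every rule after it.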
AfterGlow 2.0 - Java
►Command line arguments:
-h : help
-c file : property file
-f file : data file
Parser -> CSV File -> AfterGlow - Java
AfterGlow 2.0 - Example
►Data:
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
►Launch:
./afterglow-java.sh -c afterglow.properties
►afterglow.properties:
# AfterGlow - JAVA 2.0
# Properties File

# File to load
file.name=/home/ram/afterglow/data/sample.csv

# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL

# Size Column (default is 0)
size.column=0

# Color Column (default is 0)
color.column=2
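What the TreeMap build does with a hierarchy, a size column and a color column, as an added Python example (my own illustration of the aggregation step, not AfterGlow 2.0's Java code and not a reader of its properties format): the slide's sample.csv is the constructed input, the hierarchy columns are passed in by name, each box's size is its row count or the sum of an integer size column, and a box's color is taken from the value of the color column that most of its rows share.

```python
import csv
import io
from collections import Counter

# Constructed copy of the slide's sample.csv (its header row names the columns).
SAMPLE_CSV = """\
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
"""

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def new_node(name):
    return {"name": name, "size": 0, "children": {}, "rows": []}

def build_treemap(rows, hierarchy, size_column=None):
    """Nest rows along the hierarchy columns. Box size is the row count, or the sum of
    an INTEGER size column when one is given; leaf rows are kept for colouring."""
    root = new_node("root")
    for row in rows:
        weight = int(row[size_column]) if size_column else 1
        node = root
        node["size"] += weight
        for col in hierarchy:
            node = node["children"].setdefault(row[col], new_node(row[col]))
            node["size"] += weight
        node["rows"].append(row)
    return root

def leaf_rows(node):
    """All rows under a box, whatever its depth."""
    rows = list(node["rows"])
    for child in node["children"].values():
        rows.extend(leaf_rows(child))
    return rows

def dominant_value(node, color_column):
    """Value of the colour column that most of a box's rows share (ties: first seen)."""
    return Counter(r[color_column] for r in leaf_rows(node)).most_common(1)[0][0]

def render(node, color_column, depth=0, lines=None):
    """Text rendering: one line per box, indented by depth, largest boxes first."""
    if lines is None:
        lines = []
    if depth > 0:
        indent = "  " * (depth - 1)
        lines.append(f"{indent}{node['name']} size={node['size']} "
                     f"color={dominant_value(node, color_column)}")
    for child in sorted(node["children"].values(), key=lambda c: -c["size"]):
        render(child, color_column, depth + 1, lines)
    return lines

if __name__ == "__main__":
    tm = build_treemap(read_rows(SAMPLE_CSV), ("Target System Type", "User", "Outcome"))
    print("\n".join(render(tm, "Outcome")))
```

Reordering the hierarchy tuple changes which question the picture answers: system > user > outcome shows who fails where, outcome > user > system shows the failures first.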
AfterGlow 2.0 – Java - Output
AfterGlow 2.0 – Java - Interaction
►Left-click:
• Zoom in
►Right-click:
• Zoom all the way out
►Middle-click
• Change Coloring to current depth
(Hack: Use SHIFT for leafs)
AfterGlow 3.0 – The Future
► Generating LinkGraphs with the Java version
► Adding more output formats
► Saving output as image file
► Animation
AfterGlow – Parsers
► tcpdump2csv.pl
• Takes care of swapping response source and targets
tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
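The direction fix-up the slide credits to tcpdump2csv.pl, as an added Python example (my own re-implementation, not the script from the AfterGlow distribution): packets are parsed from tcpdump's "src.port > dst.port" text, replies are swapped back into client -> server form, and the columns named in a spec string such as "sip dip sport" are written out as CSV. The sample lines are constructed, and the swap rule (a packet leaving a well-known port for an ephemeral one is a reply) is an assumption; the real script's rule is not on the slide.

```python
import csv
import io
import re

# Constructed lines in tcpdump's IPv4 "src.port > dst.port" form; the slide's
# -vttttnnel options add timestamp, MAC and verbosity fields that the regex skips.
TCPDUMP_LINES = """\
2006-02-21 10:00:00.000001 IP 192.168.10.90.32859 > 192.168.10.255.111: UDP, length 120
2006-02-21 10:00:00.000002 IP 192.168.10.255.111 > 192.168.10.90.32859: UDP, length 40
2006-02-21 10:00:01.000003 IP 10.0.0.5.443 > 192.168.10.7.51000: Flags [S.], seq 0, ack 1
2006-02-21 10:00:02.000004 IP 192.168.10.7.51001 > 10.0.0.9.22: Flags [S], seq 0
"""

FLOW_RE = re.compile(
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

def parse_tcpdump(text):
    """Extract addresses and ports; lines without an IPv4 flow (ARP, truncated) are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records

def normalize_direction(rec):
    """Assumed swap rule: a packet leaving a well-known port (<1024) for an ephemeral
    one is a reply, so source and target are swapped to keep client -> server form."""
    if rec["sport"] < 1024 and rec["dport"] >= 1024:
        return {"sip": rec["dip"], "sport": rec["dport"],
                "dip": rec["sip"], "dport": rec["sport"], "swapped": True}
    return {**rec, "swapped": False}

def to_csv(records, spec):
    """Emit the columns named in the spec string, e.g. "sip dip sport" as on the slide."""
    cols = spec.split()
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for rec in records:
        writer.writerow([rec[c] for c in cols])
    return buf.getvalue()

def tcpdump2csv(text, spec):
    return to_csv([normalize_direction(r) for r in parse_tcpdump(text)], spec)

if __name__ == "__main__":
    print(tcpdump2csv(TCPDUMP_LINES, "sip dip sport"), end="")
```

Without the swap, every request/reply pair would produce two nodes pointing at each other and the graph would show servers "scanning" their clients.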
► sendmail_parser.pl
• Reassemble email conversations:
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
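The reassembly this slide describes, together with the thresholds from the earlier email slides (Size > 10.000 with multiple recipients, Size > 100.000, delay bands), as one added Python example (my own code, not sendmail_parser.pl): the from= and to= lines of a message are joined on the sendmail queue id, and each reassembled record can then be flagged or written out as the To,Size / From,nrcpt rows the graphs used. The log is constructed from the slide's two lines plus a made-up second message; reading the slide's delay limits "2:00" and "10:00" as minutes is my assumption.

```python
import re
from collections import defaultdict

# Constructed sendmail log: the two lines from the slide plus a made-up second
# message queued to three recipients with a large size and a long delay.
SENDMAIL_LOG = """\
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 rmarty sendmail[17090]: j6P45ABC017090: from=<alice@example.test>, size=120000, class=0, nrcpts=3,
Jul 24 21:17:32 rmarty sendmail[17091]: j6P45ABC017090: to=<bob@other.test>, delay=00:12:30, xdelay=00:00:01, mailer=esmtp, pri=150000, dsn=2.0.0, stat=Sent
Jul 24 21:17:32 rmarty sendmail[17091]: j6P45ABC017090: to=<carol@other.test>, delay=00:12:30, xdelay=00:00:01, mailer=esmtp, pri=150000, dsn=2.0.0, stat=Sent
Jul 24 21:17:33 rmarty sendmail[17091]: j6P45ABC017090: to=<dave@other.test>, delay=00:12:31, xdelay=00:00:01, mailer=esmtp, pri=150000, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")
KV_RE = re.compile(r"(?P<key>\w+)=(?P<val>[^,]*)")

def delay_seconds(text):
    """sendmail prints delay as HH:MM:SS, or D+HH:MM:SS once it exceeds a day."""
    days = 0
    if "+" in text:
        d, text = text.split("+", 1)
        days = int(d)
    h, m, s = (int(x) for x in text.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s

def reassemble(log_text):
    """Join from= and to= lines via the queue id into one record per recipient."""
    senders, deliveries = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        qid, body = m.group("qid"), m.group("body")
        kv = dict(KV_RE.findall(body))
        if "from" in kv:
            senders[qid] = {"from": kv["from"].strip("<>"),
                            "size": int(kv.get("size", 0)),
                            "nrcpts": int(kv.get("nrcpts", 0))}
        elif "to" in kv:
            deliveries[qid].append({"to": kv["to"].strip("<>"),
                                    "delay": delay_seconds(kv.get("delay", "00:00:00")),
                                    "stat": kv.get("stat", "")})
    records = []
    for qid, dels in deliveries.items():
        sender = senders.get(qid)
        if sender is None:
            continue  # to= without its from= (log rotated mid-conversation): cannot attribute
        for d in dels:
            records.append({"qid": qid, **sender, **d})
    return records

def flags(rec):
    """Apply the thresholds from the email slides to one reassembled record."""
    out = set()
    if rec["size"] > 100_000:
        out.add("size>100000")        # BIG Emails: documents leaving the network?
    if rec["size"] > 10_000:
        out.add("size>10000")         # Email SPAM? size filter
    if rec["nrcpts"] >= 2:
        out.add("nrcpt>=2")           # Email SPAM? recipient filter
    if rec["delay"] > 10 * 60:
        out.add("delay>10:00")        # Email Server Problems? (limits read as minutes)
    elif rec["delay"] > 2 * 60:
        out.add("2:00<delay<10:00")
    return out

def to_csv_rows(records, columns):
    """Rows for AfterGlow, e.g. columns ("to", "size") for the To/Size graph."""
    return [",".join(str(rec[c]) for c in columns) for rec in records]

if __name__ == "__main__":
    for rec in reassemble(SENDMAIL_LOG):
        print(rec["from"], "->", rec["to"], rec["size"], rec["nrcpts"], rec["delay"], sorted(flags(rec)))
```

Records whose from= line is missing are dropped rather than guessed, so a graph built from a rotated log under-reports instead of attributing mail to the wrong sender.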
Summary
Detect the expected
& discover the unexpected
Make better decisions
Reduce analysis and response times
THANKS!
raffy@arcsight.com