Insider Threat Visualization Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> Hack In The Box - September 07 - Malaysia

Insider Threat Visualization - HITB 2007, Kuala Lumpur


DESCRIPTION

More on security visualization at: http://secviz.org


Insider Threat Visualization

Raffael Marty, GCIA, CISSP
Chief Security Strategist, Splunk>

Hack In The Box - September 07 - Malaysia

Who Am I

• Chief Security Strategist and Product Manager, Splunk>
• Manager Solutions, ArcSight Inc.
• Intrusion Detection Research, IBM Research (http://thor.cryptojail.net)
• IT Security Consultant, PriceWaterhouse Coopers
• Open Vulnerability and Assessment Language (OVAL) board
• Common Event Expression (CEE) founding member
• Passion for Visualization: http://secviz.org, http://afterglow.sourceforge.net

Applied Security Visualization (2008)

Agenda

• Convicted
• Visualization
  - Log Data Processing
  - Data to Graph
  - AfterGlow and Splunk
• Insider Threat
  - Insider Detection Process
  - Precursors
  - Scoring
  - Watch Lists

Goal: Insider Detection Using Visualization

It's Not That Easy

Convicted

In February of 2007 a fairly large information leak case made the news. The scientist Gary Min faces up to 10 years in prison for stealing 16,706 documents and over 22,000 scientific abstracts from his employer, DuPont. The intellectual property he was about to leak to a DuPont competitor, Victrex, was assessed to be worth $400 million. There is no evidence Gary actually turned the documents over to Victrex.

DuPont Case: How It Could Have Been Prevented

What's the answer?

DuPont Case: Log Collection

DuPont Case: Simple Solution

DuPont Case: More Generic Solution

(figure: diagram with nodes labelled user and server)

Visualization Questions

• Who analyzes logs?
• Who uses visualization for log analysis?
• Who is using AfterGlow?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?

Visualization

• Increase Efficiency
• Answer questions you didn't even know of
• Make Informed Decisions
• Quickly understand thousands of data entries
• Facilitate communication
• Increase response time through improved understanding

Insider Threat Visualization

• Huge amounts of data
  - More and other data sources than for the traditional security use-cases
  - Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
  - Insider crimes are often executed on the application layer. You need transaction data and chatty application logs.
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
  - Looking for any unusual patterns

Visualizing Log Data

Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable.
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8

Parsing

• Interpret Data
• Know Data Formats
• Re-use, don't re-invent. Find parsers at http://secviz.org/?q=node/8

Charts - Going Beyond Excel

• Multi-variate graphs
  - Link Graphs
  - TreeMaps
  - Parallel Coordinates

(figure: sample link graph and treemap; protocol labels UDP, TCP, HTTP, SSH, FTP, DNS, SNMP)

Beyond The Boring Defaults For Link Graphs

Link Graph Shake Up

Snort alert used as the input record:

[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

The same alert rendered as four link graphs, each choosing different fields for the source, event and target nodes:

- SIP -> Name -> DIP:    192.168.10.90 -> portmap -> 192.168.10.255
- SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
- SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
- Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255

TreeMaps

(figure: treemap of All Network Traffic, split into UDP and TCP and then by service: HTTP, SSH, FTP, DNS, SNMP; one small unexpected block is called out with "What is this?" and turns out to be SNMP)

TreeMaps Explained

Configuration: Hierarchy: Protocol
(figure: two boxes, UDP and TCP)

Configuration: Hierarchy: Protocol -> Service; Size: Count; Color: Service
(figure: UDP and TCP subdivided into HTTP, SSH, FTP, DNS, SNMP)

Tool: Treemap (http://www.cs.umd.edu/hcil/treemap)

What's Splunk?

1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed Federate Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing

The IT Search Engine

(figure: navigate, search, report, alert, share; sources: Database, App Server, Web Server, Switch, Firewall, Router; data: logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code, activity reports)

AfterGlow

CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher

http://afterglow.sourceforge.net

Input CSV:

aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping

AfterGlow output (Graphviz DOT):

digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}

Why AfterGlow

• Translates CSV into graph description
• Define node and edge attributes
  - color
  - size
  - shape
• Filter and process data entries
  - threshold filter
  - fan-out filter
  - clustering

Fan Out: 3 (figure)

Variable and Color

variable=@violation=("Backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

Node Size and Threshold

maxnodesize=1;
size.source=$fields[2];
size=0.5;
sum.target=0;
threshold.source=14;

Color and Cluster

color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red";
color.target="palegreen";
cluster.source=regex_replace("(\d+)\.\d+")."/8"

AfterGlow - Splunk

Demo:

splunk <command>
splunk search "<search command>" -auth <user>:<pass>

splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
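As an added example (not AfterGlow's own code, which is Perl), the following Python re-implements the CSV-to-DOT step with three of the property rules shown above: the @violation color rule on the target node, the /8 cluster on the source node, and a fan-out filter. The sample CSV extends the slide's aaelenes/abbe/aanna/aatharuv records with constructed rows, and the color rules are evaluated on the clustered source name, which is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: three-column records (source, event, target),
# the shape the slides feed into a link graph.
SAMPLE_CSV = """\
aaelenes,Printing Resume,print01
abbe,Information Encryption,fileserver
aanna,Patent Access,patentdb
aatharuv,Ping,10.1.20.2
aatharuv,Backdoor Access,10.1.20.7
aatharuv,HackerTool Download,10.1.20.9
192.168.10.90,RPC portmap,192.168.10.255
111.22.33.44,SSH,10.1.20.2
"""

# Mirrors the slide's  variable=@violation=("Backdoor Access", "HackerTool Download")
VIOLATION = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Split CSV text into (source, event, target) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
        rows.append(tuple(parts))
    return rows


def cluster_slash8(node):
    # Slide rule: cluster.source=regex_replace("(\d+)\.\d+")."/8"
    # Collapse an IPv4 source to its first octet plus "/8"; leave other names alone.
    m = re.match(r"^(\d+)\.\d+\.\d+\.\d+$", node)
    return f"{m.group(1)}/8" if m else node


def target_color(event):
    # color.target="orange" if the event is in @violation, else "palegreen"
    return "orange" if event in VIOLATION else "palegreen"


def source_color(source):
    # color.source="palegreen" if ($fields[0] =~ /^111/), otherwise "red"
    return "palegreen" if re.match(r"^111", source) else "red"


def fanout_filter(edges, max_fanout):
    """Drop every record of a source that points at more than max_fanout targets."""
    targets = defaultdict(set)
    for src, _, dst in edges:
        targets[src].add(dst)
    return [e for e in edges if len(targets[e[0]]) <= max_fanout]


def to_dot(rows, max_fanout=3, cluster=True):
    """Emit a Graphviz digraph (source -> target) in the style of AfterGlow's output."""
    rows = fanout_filter(rows, max_fanout)
    lines = ['digraph structs {',
             '  graph [label="added example, not AfterGlow output", fontsize=8];',
             '  node [shape=ellipse, style=filled, fontsize=10];',
             '  edge [len=1.6];']
    node_color = {}   # first rule that touches a node wins, as in a property file
    edges = []
    for src, event, dst in rows:
        s = cluster_slash8(src) if cluster else src
        node_color.setdefault(s, source_color(s))
        node_color.setdefault(dst, target_color(event))
        edges.append((s, dst))
    for n, c in node_color.items():
        lines.append(f'  "{n}" [fillcolor="{c}"];')
    for s, d in sorted(set(edges)):
        lines.append(f'  "{s}" -> "{d}";')
    lines.append('}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(parse_csv(SAMPLE_CSV)))
```

Pipe the output into `neato -Tgif -o test.gif` exactly as in the demo command line to render it.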

Insider Threat Definition

Current or former employee or contractor who

• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations

[CERT, http://www.cert.org/insider_threat: Definition of an Insider]

Three Types of Insider Threats

(figure: Fraud, Information Leak, Sabotage)

Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.

Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.

Insider Threat Detection

• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors

Example precursors (the slide figure shows a score next to each):

• Accessing job Web sites such as monster.com
• Sales person accessing patent filings
• Printing files with "resume" in the file name
• Sending emails to 50 or more recipients outside of the company

• Apply Precursors to Log Files

Example log file:

Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd: loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker

• Visualize Insider Candidate List
• Introduce User Roles (figure: roles Legal and Engineer)
• Where Did the Scores Go?

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR, etc.)

Tiers of Insiders

Score scale 0 - 20 - 60 - 80 - 100:

   0 - 20   Nothing to worry about just yet
  20 - 60   On a bad track of going malicious
  60 - 80   Very likely has malicious intentions
  80 - 100  Malicious Insiders
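The detection process, the bucket cap and the watch lists from the preceding slides, carried through in Python as an added example (not code from the talk). The log lines, precursor regexes, scores, bucket names, user roles and watch-list values are all constructed for this example; the tier boundaries follow the 0/20/60/80/100 scale above, with each boundary value assumed to belong to the higher tier.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample, one "user=" field per line.
SAMPLE_LOGS = """\
Apr 04 19:45:29 proxy01 Privoxy Request: user=jdoe www.monster.com/jobs
Apr 04 19:46:02 proxy01 Privoxy Request: user=jdoe www.google.com/search?q=password+cracker
Apr 04 19:50:11 print01 cups: user=jdoe printed "jdoe_resume_2007.doc"
Apr 04 20:01:45 patentdb docserver: user=jdoe GET /patents/filing-0042.pdf
Apr 04 20:05:00 mailgw sendmail: user=jdoe external_recipients=57
Apr 04 20:10:30 patentdb docserver: user=aanna GET /patents/filing-0042.pdf
Apr 04 20:11:00 proxy01 Privoxy Request: user=aanna www.monster.com/jobs
"""

# Steps 1 and 2: precursor list with a score each, grouped into buckets
# ("setup" = potential setup for insider crime, "malicious" = okay for some roles,
# "never" = should never happen). `roles` restricts a precursor to the roles for
# which the activity is suspicious, e.g. a sales person reading patent filings.
PRECURSORS = [
    # (name, regex, score, bucket, roles it counts for, or None for everyone)
    ("job web site",         r"www\.monster\.com",          1, "setup",     None),
    ("hacker tool search",   r"q=password\+cracker",        5, "malicious", None),
    ("printing a resume",    r'printed ".*resume.*"',       5, "setup",     None),
    ("patent filing access", r"GET /patents/",             10, "never",     {"sales"}),
    ("mass external mail",   r"external_recipients=(\d+)",  3, "setup",     None),
]
BUCKET_CAP = 20                                   # "Maximum of 20 points per bucket"
USER_ROLES = {"jdoe": "sales", "aanna": "engineer"}   # constructed role table
WATCH_LIST = {"jdoe": +10}                        # constructed HR input, boosts the score

USER_RE = re.compile(r"user=(\w+)")


def matches(line, name, regex):
    """True if the precursor fires on this line (mail only at 50+ outside recipients)."""
    m = re.search(regex, line)
    if not m:
        return False
    if name == "mass external mail" and int(m.group(1)) < 50:
        return False
    return True


def score_logs(lines, precursors=PRECURSORS, roles=USER_ROLES, watch=WATCH_LIST):
    """Steps 3 to 6: apply precursors per user, cap each bucket, apply watch lists.

    Returns (scores, hits): score 0..100 per user and the precursor names that fired.
    """
    buckets = defaultdict(lambda: defaultdict(int))   # user -> bucket -> points
    hits = defaultdict(list)
    for line in lines.splitlines():
        u = USER_RE.search(line)
        if not u:
            continue
        user = u.group(1)
        for name, regex, pts, bucket, only_roles in precursors:
            if only_roles and roles.get(user) not in only_roles:
                continue                              # normal for this user's role
            if matches(line, name, regex):
                buckets[user][bucket] += pts
                hits[user].append(name)
    scores = {}
    for user, b in buckets.items():
        total = sum(min(p, BUCKET_CAP) for p in b.values())   # per-bucket cap
        scores[user] = max(0, min(100, total + watch.get(user, 0)))
    return scores, hits


def tier(score):
    """Map a score onto the Tiers of Insiders scale (0-20-60-80-100)."""
    if score < 20:
        return "nothing to worry about just yet"
    if score < 60:
        return "on a bad track of going malicious"
    if score < 80:
        return "very likely has malicious intentions"
    return "malicious insider"


if __name__ == "__main__":
    scores, hits = score_logs(SAMPLE_LOGS)
    for user, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{user:8} {s:3}  {tier(s):40} {hits[user]}")
```

Feeding the (user, score) pairs into the link-graph step is the "Visualize Insider Candidate List" stage; the per-bucket cap is what keeps thirty harmless job-site visits from outscoring a single access that should never happen.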

The Insider, Finally

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog

Page 2: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Who Am IChief Security Strategist and Product Manager SplunkgtManager Solutions ArcSight IncIntrusion Detection Research IBM Research

httpthorcryptojailnetIT Security Consultant PriceWaterhouse CoopersOpen Vulnerability and Assessment Language (OVAL) boardCommon Event Expression (CEE) founding memberPassion for Visualization

httpsecvizorghttpafterglowsourceforgenet

2

AppliedSecurity

Visualization

2008

AgendaConvicted

Visualization

Log Data Processing

Data to Graph

AfterGlow and Splunk

Insider Threat

Insider Detection Process

Precursors

Scoring

Watch Lists

3

GoalInsider Detection Using

Visualization

Itrsquos Not That Easy

4

ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex

5

DuPont CaseHow It Could Have Been Prevented

6

Whatrsquos the answer

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 3: Insider Threat Visualization - HITB 2007, Kuala Lumpur

AgendaConvicted

Visualization

Log Data Processing

Data to Graph

AfterGlow and Splunk

Insider Threat

Insider Detection Process

Precursors

Scoring

Watch Lists

3

GoalInsider Detection Using

Visualization

Itrsquos Not That Easy

4

ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex

5

DuPont CaseHow It Could Have Been Prevented

6

Whatrsquos the answer

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 4: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Itrsquos Not That Easy

4

ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex

5

DuPont CaseHow It Could Have Been Prevented

6

Whatrsquos the answer

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visualizing Log Data

Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8

Parsing

• Interpret Data
• Know Data Formats
• Re-use, don't re-invent. Find parsers at http://secviz.org/?q=node/8

Charts - Going Beyond Excel

• Multi-variate graphs
  - Link Graphs
  - TreeMaps
  - Parallel Coordinates

(Figure: a link graph 10.0.0.1 -> 10.1.20.2 next to a treemap of UDP and TCP traffic split into HTTP, SSH, FTP, DNS and SNMP)

Beyond The Boring Defaults For Link Graphs

(Figure: the same link graph, 10.0.0.1 -> 10.1.20.2, drawn with the node configuration Name / SIP / DIP)

Link Graph Shake Up

One Snort alert:

[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

Four ways of turning the same alert into a source -> event -> target link graph:

SIP -> Name -> DIP:     192.168.10.90 -> portmap -> 192.168.10.255
SIP -> DIP -> DPort:    192.168.10.90 -> 192.168.10.255 -> 111
SIP -> SPort -> DPort:  192.168.10.90 -> 32859 -> 111
Name -> SIP -> DIP:     RPC portmap -> 192.168.10.90 -> 192.168.10.255
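Choosing the node configuration is the step that usually gets hand-rolled in awk before the data reaches AfterGlow. As an added example, not part of the deck and not AfterGlow code, here is a Python parser for the Snort full-alert layout shown above that emits the three-column CSV AfterGlow reads for each of the four configurations. The first alert is the one from the slide; the second alert, its SID and its classification are constructed for the example.

```python
import re

# Constructed sample: the alert from the slide plus one made-up alert from the same
# source, so that the source node gets a second edge.
SAMPLE_ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:1000001:1] CONSTRUCTED portmap probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-15:57:01.000000 192.168.10.90:32860 -> 192.168.10.7:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

# One alert = header line, optional classification/priority line, address line, IP line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<name>.+?)\s+\[\*\*\]\s*\n"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\])?\s*\n"
    r"(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s*\n"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert with the fields a link graph can be built from."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

# The four node configurations from the slide as (source, event, target) field names.
CONFIGS = {
    "sip-name-dip":    ("sip", "name", "dip"),
    "sip-dip-dport":   ("sip", "dip", "dport"),
    "sip-sport-dport": ("sip", "sport", "dport"),
    "name-sip-dip":    ("name", "sip", "dip"),
}

def to_csv(alerts, config):
    """Emit the three-column CSV (source,event,target) for the chosen configuration."""
    cols = CONFIGS[config]
    return "\n".join(",".join(a[c] for c in cols) for a in alerts)

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for name in CONFIGS:
        print(f"# {name}\n{to_csv(parsed, name)}\n")
```

Feed the output of to_csv() to afterglow to reproduce the four graphs on the slide; swapping the configuration name is all it takes to move from "which hosts talk to which" to "which signatures fire from which hosts".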

TreeMaps

(Figure: treemap of all network traffic, top level UDP and TCP, subdivided into HTTP, SSH, FTP, DNS and SNMP; a callout "What is this?" points at an unexpectedly large SNMP box)

TreeMaps Explained

Configuration: Hierarchy = Protocol
(Figure: two boxes, UDP and TCP, labelled 80 and 20)

Configuration: Hierarchy = Protocol -> Service, Size = Count, Color = Service
(Figure: the UDP and TCP boxes subdivided into HTTP, SSH, FTP, DNS and SNMP; the SNMP box stands out)

Treemap 2 (http://www.cs.umd.edu/hcil/treemap)

What's Splunk?

1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed, Federated Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing

The IT Search Engine

(Diagram: navigate, search, report, alert and share across data from databases, app servers, web servers, switches, firewalls and routers: logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code, activity reports)

AfterGlow

Input CSV:

aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping

Generated graph description (DOT):

digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}

Pipeline: CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher

http://afterglow.sourceforge.net

Why AfterGlow?

• Translates CSV into graph description
• Define node and edge attributes
  - color
  - size
  - shape
• Filter and process data entries
  - threshold filter
  - fan-out filter
  - clustering

(Figure: fan-out filter example, fan out = 3)

Variable and Color

variable=@violation=("Backdoor Access","HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

Node Size and Threshold

maxnodesize=1;
size.source=$fields[2];
size=0.5;
sum.target=0;
threshold.source=14;

Color and Cluster

color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red";
color.target="palegreen";
cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
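The three property snippets above are AfterGlow's own configuration language: Perl expressions evaluated once per CSV row, first match wins. As an added example, not part of the deck and not AfterGlow's code, the following Python re-implements what they do on a constructed CSV and emits DOT: the @violation colouring of event nodes, the /8 clustering of source addresses, a threshold on source nodes and a fan-out filter. The CSV rows are made up; reading threshold.source as "summed count of the (clustered) source node" and the fan-out semantics (keep a source only if it reaches at least N distinct targets) are assumptions made here, not AfterGlow's documented behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed input in the source,target,count layout the AfterGlow snippets assume:
# column 0 = source IP, column 1 = event name, column 2 = count. All rows are made up.
SAMPLE_CSV = """\
111.22.3.4,Backdoor Access,20
111.22.3.4,HackerTool Download,5
111.22.9.9,Web Browsing,40
10.1.1.5,Backdoor Access,2
10.1.1.5,Web Browsing,1
10.1.2.7,Mail,30
"""

VIOLATIONS = ("Backdoor Access", "HackerTool Download")   # @violation on the slide

def parse_csv(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, tgt, cnt = line.split(",")
            rows.append((src, tgt, int(cnt)))
    return rows

def cluster_source(node):
    # Mirrors cluster.source=regex_replace("(\d+)\.\d+")."/8": keep the first octet, tag it /8.
    m = re.match(r"(\d+)\.", node)
    return f"{m.group(1)}/8" if m else node

def color_source(node):
    # color.source="palegreen" if ($fields[0] =~ /^111/); every other source is "red".
    return "palegreen" if node.startswith("111") else "red"

def color_target(node):
    # color.target="orange" if the event is in @violation; every other target is "palegreen".
    return "orange" if node in VIOLATIONS else "palegreen"

def filter_rows(rows, threshold=14, min_fan_out=1):
    # threshold.source=14, read here as: keep a source only if its summed count is >= 14.
    # Fan-out filter, assumed semantics: keep a source only if it reaches >= min_fan_out targets.
    total, targets = Counter(), defaultdict(set)
    for src, tgt, cnt in rows:
        total[src] += cnt
        targets[src].add(tgt)
    return [(s, t, c) for s, t, c in rows
            if total[s] >= threshold and len(targets[s]) >= min_fan_out]

def build_graph(csv_text, threshold=14, min_fan_out=1, maxnodesize=1.0):
    """Return (edges, attrs): edges as {(src, tgt): count}, attrs as {node: (color, size)}."""
    clustered = [(cluster_source(s), t, c) for s, t, c in parse_csv(csv_text)]
    rows = filter_rows(clustered, threshold, min_fan_out)
    edges = Counter()
    for s, t, c in rows:
        edges[(s, t)] += c
    src_total = Counter()
    for (s, _), c in edges.items():
        src_total[s] += c
    peak = max(src_total.values(), default=1)
    attrs = {}
    for (s, t) in edges:
        # size.source=$fields[2] with maxnodesize=1: scale sources by count; size=0.5 for the rest.
        attrs[s] = (color_source(s), round(maxnodesize * src_total[s] / peak, 2))
        attrs[t] = (color_target(t), 0.5)
    return dict(edges), attrs

def to_dot(edges, attrs):
    out = ["digraph afterglow {", "  node [shape=ellipse, style=filled, fixedsize=true];"]
    for node, (color, size) in sorted(attrs.items()):
        out.append(f'  "{node}" [fillcolor={color}, width={size}, height={size}];')
    for (s, t), c in sorted(edges.items()):
        out.append(f'  "{s}" -> "{t}" [label="{c}"];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    e, a = build_graph(SAMPLE_CSV)
    print(to_dot(e, a))
```

Pipe the printed DOT into neato or dot exactly as the demo on the next slide does with AfterGlow's output. Raising the threshold to 40 drops the whole 10/8 cluster (33 events), which is the effect threshold.source has on a noisy graph: the small talkers vanish before you even look at colours.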

AfterGlow - Splunk

Demo:

splunk <command>
splunk search "<search command>" -auth <user>:<pass>

splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif

Insider Threat Definition

Current or former employee or contractor who

• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations

[CERT, http://www.cert.org/insider_threat/, Definition of an Insider]

Three Types of Insider Threats

Fraud, Information Leak, Sabotage

Information Leak (theft) is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.

Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.

Insider Threat Detection

• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?

Example precursors and their scores:

• Accessing job Web sites such as monster.com (score 1)
• Sales person accessing patent filings (score 10)
• Printing files with "resume" in the file name (score 5)
• Sending emails to 50 or more recipients outside of the company (score 3)

Example log lines the precursors are applied to:

Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker

User roles used to put the scores in context: Legal, Engineer

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost or decrease scores for specific groups of users
  - Input from other departments (HR, etc.)

Tiers of Insiders

Score 0-20:   Nothing to worry about just yet
Score 20-60:  On a bad track of going malicious
Score 60-80:  Very likely has malicious intentions
Score 80-100: Malicious Insiders
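The process slides describe one pipeline: precursors with scores, matched against log lines, filtered by user role, summed per bucket with a 20-point cap, adjusted by a watch list and mapped onto the tiers. As an added example, not part of the deck, here it is end to end in Python over constructed log lines. The first four precursor scores follow the slide (1, 10, 5, 3); every regex, the three extra precursors, the bucket assignments, the role table, the watch-list values and the log lines themselves are made up for illustration. The user= field is assumed to have been filled in by an upstream parser.

```python
import re
from collections import defaultdict

# Buckets from the "Process Improvements" slide, each capped at 20 points so the total
# stays in 0..100 and maps onto the tiers (0-20, 20-60, 60-80, 80-100).
BUCKETS = ("minimal", "setup", "role_dependent", "never", "insider_act")
BUCKET_CAP = 20

# Precursors: (name, regex over the log message, score, bucket, roles for which the activity
# is legitimate). Scores 1, 10, 5, 3 follow the slide; everything else here is constructed.
PRECURSORS = [
    ("job site visit",             r"Request: (www\.)?monster\.com",                1, "minimal",        ()),
    ("patent filing access",       r"GET /patents/",                               10, "role_dependent", ("legal", "engineer")),
    ("resume printed",             r"print job .*resume",                           5, "setup",          ()),
    ("mass external mail",         r"recipients_external=([5-9]\d|\d{3,})\b",       3, "setup",          ()),  # 50 or more
    ("password cracker search",    r"q=password\+cracker",                          8, "never",          ()),
    ("sudo authorization failure", r"Failed to authorize right system\.login",      4, "minimal",        ()),
    ("bulk document export",       r"export count=\d{4,}",                         20, "insider_act",    ()),
]

# Constructed syslog-style lines with a user= field added by an (assumed) upstream parser.
SAMPLE_LOG = """\
Apr 04 19:45:29 proxy privoxy: user=aaelenes Request: www.monster.com/jobs
Apr 04 19:47:02 print cups: user=aaelenes print job 118 file=resume_final.doc
Apr 04 19:52:11 proxy privoxy: user=aaelenes Request: www.google.com/search?q=password+cracker
Apr 05 08:10:33 docs app: user=aaelenes GET /patents/US7000001.pdf
Apr 05 08:11:40 docs app: user=aaelenes export count=16706 format=pdf
Apr 05 08:12:02 docs app: user=aaelenes export count=2200 format=pdf
Apr 05 08:12:30 docs app: user=aaelenes export count=4100 format=pdf
Apr 05 09:00:01 docs app: user=aanna GET /patents/US7000001.pdf
Apr 05 09:30:00 mail mta: user=abbe recipients_external=55 subject=newsletter
Apr 05 10:00:00 ram sudo: user=aatharuv Failed to authorize right system.login.tty by process /usr/bin/sudo
"""
ROLES = {"aaelenes": "sales", "aanna": "legal", "abbe": "marketing", "aatharuv": "engineer"}
# Watch list fed by HR (constructed): +20 for a user who has handed in notice, -5 for the newsletter sender.
WATCH_LIST = {"aaelenes": 20, "abbe": -5}

LOG_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \S+ user=(?P<user>\S+) (?P<msg>.*)$")

def tier(score):
    if score < 20:
        return "nothing to worry about yet"
    if score < 60:
        return "on a bad track"
    if score < 80:
        return "very likely malicious intent"
    return "malicious insider"

def score_users(log_text, roles, watch_list=None):
    """Apply every precursor to every line, cap each bucket, add watch-list adjustments,
    clamp to 0..100 and assign a tier. Returns {user: {score, tier, buckets, hits}}."""
    watch_list = watch_list or {}
    raw = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # unparsed lines are skipped, not scored
        user, msg = m["user"], m["msg"]
        for name, pattern, points, bucket, legit_roles in PRECURSORS:
            # Role check: the same access is benign for Legal or an Engineer, a precursor for Sales.
            if re.search(pattern, msg) and roles.get(user) not in legit_roles:
                raw[user][bucket] += points
                hits[user].append(name)
    report = {}
    for user in sorted(set(raw) | set(watch_list)):
        buckets = {b: min(raw[user][b], BUCKET_CAP) for b in BUCKETS}
        total = max(0, min(100, sum(buckets.values()) + watch_list.get(user, 0)))
        report[user] = {"score": total, "tier": tier(total), "buckets": buckets, "hits": hits[user]}
    return report

if __name__ == "__main__":
    for user, r in score_users(SAMPLE_LOG, ROLES, WATCH_LIST).items():
        print(f"{user:10} {r['score']:3}  {r['tier']:28} {r['buckets']}")
```

Two things to look at in the output: aaelenes' three bulk exports are worth 60 raw points but the insider_act bucket stops at 20, so no single precursor can push a user to the top tier on its own, and aanna never appears because patent access is legitimate for Legal. The report dict is the candidate list the slides go on to visualize.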

The Insider, Finally

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog

Page 5: Insider Threat Visualization - HITB 2007, Kuala Lumpur

ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex

5

DuPont CaseHow It Could Have Been Prevented

6

Whatrsquos the answer

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 6: Insider Threat Visualization - HITB 2007, Kuala Lumpur

DuPont CaseHow It Could Have Been Prevented

6

Whatrsquos the answer

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 7: Insider Threat Visualization - HITB 2007, Kuala Lumpur

DuPont Case

Log Collection

DuPont CaseSimple Solution

8

DuPont CaseMore Generic Solution

9

user

server

Visualization Questions

bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log

analysis

10

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List

28

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles

29

User roles shown in the graph: Legal, Engineer

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?

30

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

31

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR, etc.)

32

Tiers of Insiders

Score scale: 0 | 20 | 60 | 80 | 100
  0 to 20: Nothing to worry about, just yet
  20 to 60: On a bad track of going malicious
  60 to 80: Very likely has malicious intentions
  80 to 100: Malicious insiders

33
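The detection process of the preceding slides (precursors applied to log lines, scores, 20-point buckets, user-role exceptions, watch-list adjustments, tiers) as an added worked example; this is not code from the talk, and the precursor names, point values, user names, roles, watch-list adjustments and log lines are all constructed, with the tier boundaries read off the slide's 0/20/60/80/100 scale as an assumption.

```python
"""Added example, not from the slides: a toy scoring engine for the insider
detection process (precursors -> scores -> buckets -> roles -> watch lists ->
tiers). Precursor names, point values, users and log lines are constructed."""
import re
from collections import defaultdict

BUCKET_CAP = 20  # "Maximum of 20 points per bucket"

# (name, pattern over the message, points, bucket, roles for which it is acceptable)
PRECURSORS = [
    ("auth_failure", re.compile(r"failed to authenticate user"), 5,
     "minimal_impact", set()),
    ("job_site_access", re.compile(r"Request: \S*monster\.com", re.I), 5,
     "setup_for_insider_crime", set()),
    ("resume_printed", re.compile(r"printed .*resume", re.I), 5,
     "setup_for_insider_crime", set()),
    ("patent_access", re.compile(r"/patents/"), 10,
     "malicious_ok_for_some_roles", {"engineer", "legal"}),
    ("password_cracker_search", re.compile(r"q=password\+cracker"), 10,
     "malicious_never_ok", set()),
    # 50 or more external recipients: a two-digit number 50-99, or three or more digits
    ("mass_external_mail", re.compile(r"external-recipients=(?:[5-9]\d|\d{3,})\b"), 20,
     "insider_act", set()),
]

# Tier boundaries read off the 0 / 20 / 60 / 80 / 100 scale on the slide (assumption)
TIERS = [(80, "malicious insider"),
         (60, "very likely has malicious intentions"),
         (20, "on a bad track of going malicious"),
         (0, "nothing to worry about just yet")]

SYSLOG = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
USER_IN_MSG = re.compile(r"\buser (\S+)")

def parse(line):
    """Return (timestamp, user, message) or None. The user is 'user X' from the
    message when present, else the host field (assumes one-user workstations
    named after their owner, like the rmarty lines on the slide)."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts, host, msg = m.groups()
    u = USER_IN_MSG.search(msg)
    return ts, (u.group(1) if u else host), msg

def apply_precursors(lines, roles):
    """Return {user: {bucket: raw points}} and {user: [matched precursor names]}."""
    points = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        _, user, msg = parsed
        points[user]  # every user seen gets a row, even with zero points
        for name, rx, pts, bucket, ok_roles in PRECURSORS:
            # a precursor that is normal for the user's role does not score
            if rx.search(msg) and roles.get(user) not in ok_roles:
                points[user][bucket] += pts
                hits[user].append(name)
    return points, hits

def score(points, watch_list):
    """Cap each bucket at BUCKET_CAP, add the watch-list adjustment, clamp to 0..100."""
    out = {}
    for user, buckets in points.items():
        total = sum(min(v, BUCKET_CAP) for v in buckets.values())
        out[user] = max(0, min(100, total + watch_list.get(user, 0)))
    return out

def tier(s):
    return next(label for lo, label in TIERS if s >= lo)

def afterglow_csv(hits):
    """'user,precursor' rows: the two-column CSV AfterGlow draws as a link graph."""
    return sorted({f"{u},{p}" for u, names in hits.items() for p in names})

# Constructed sample log modelled on the syslog lines shown on the slide
SAMPLE_LOG = """\
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Apr 04 19:47:02 rmarty Privoxy(b65ddba0) Request: www.monster.com/jobs/search
Apr 04 19:52:10 rmarty cupsd: job 17 printed file resume_final.pdf for user rmarty
Apr 04 20:00:12 rmarty com.apple.SecurityServer: authinternal failed to authenticate user rmarty
Apr 05 08:12:44 docsrv fileserver: user aanna opened /patents/filing-2007-113.pdf
Apr 05 09:30:22 docsrv fileserver: user jsales opened /patents/filing-2007-115.pdf
Apr 05 09:31:40 docsrv fileserver: user jsales opened /patents/filing-2007-116.pdf
Apr 05 09:32:05 docsrv fileserver: user jsales opened /patents/filing-2007-117.pdf
Apr 05 09:40:18 mailgw mailer: user jsales sent message 7f3a nrcpts=63 external-recipients=63
"""
ROLES = {"rmarty": "engineer", "aanna": "engineer", "jsales": "sales"}
# Watch-list input from other departments (constructed): HR reports jsales gave notice
WATCH_LIST = {"jsales": +25, "rmarty": -5}

def run(log=SAMPLE_LOG, roles=ROLES, watch_list=WATCH_LIST):
    """Full pipeline: returns {user: (score, tier label)}."""
    points, _ = apply_precursors(log.splitlines(), roles)
    return {u: (s, tier(s)) for u, s in score(points, watch_list).items()}
```

run() returns the score and tier per user; afterglow_csv() emits the user,precursor rows from which the AfterGlow link graph of the candidate list is drawn.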

The Insider, Finally

34

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

35

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog

Page 11: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Visualization

Increase Eciency

Answer questions you didnrsquot even know of

Make Informed Decisions

Quickly understand thousands of data entries Facilitate communication Increase response time through improved

understanding

11

Insider Threat Visualizationbull Huge amounts of data

bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log

more than the exceptionsbull Insider crimes are often executed on the application layer You need

transaction data and chatty application logsbull The questions are not known in advance

bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud

bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns

12

Visual

Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH

Visualizing Log Data

13

Parsing

Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8

Charts - Going Beyond Excel

bull Multi-variate graphs- Link Graphs

- TreeMaps

- Parallel Coordinates

14

10001

101202

UDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations

[CERT, http://www.cert.org/insider_threat: Definition of an Insider]

Three Types of Insider Threats

Fraud, Information Leak, Sabotage

Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.

Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.

Insider Threat Detection

• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors

Example precursors with their scores:

• Accessing job Web sites such as monster.com: 1
• Sales person accessing patent filings: 10
• Printing files with "resume" in the file name: 5
• Sending emails to 50 or more recipients outside of the company: 3

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files

Sample log lines the precursors are applied to:

    Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
    Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
    Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
    Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
    Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo
    Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?

[Slide figures: the insider candidate list drawn as a link graph, then the same graph with user roles (Legal, Engineer) added as nodes]

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR, etc.)

Tiers of Insiders

[Slide figure: score scale from 0 to 100 with tick marks at 0, 20, 60, 80 and 100]

- 0 to 20: Nothing to worry about, just yet
- 20 to 60: On a bad track of going malicious
- 60 to 80: Very likely has malicious intentions
- 80 to 100: Malicious Insiders
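As an added example (not from the talk), the detection process above carried through in Python: constructed precursors applied to constructed log lines in the syslog shape shown earlier, scores capped at 20 points per bucket, user roles that make some activity acceptable, a watch-list adjustment from HR, and the 0/20/60/80/100 tiers. The precursor patterns, point values, roles, watch list and log lines are all illustrative assumptions.

```python
"""Insider-detection scoring walk-through (added example, not from the talk).

Assumptions: the precursor patterns, point values, user roles, log lines and
HR watch list are constructed for illustration. What follows the slides is
the structure: precursor buckets, a 20-point cap per bucket, user roles that
make some activity acceptable, watch-list boosts/decreases from other
departments, and the 0/20/60/80/100 tiers.
"""
import re
from collections import defaultdict

BUCKET_CAP = 20  # "Maximum of 20 points per bucket"

# Constructed user -> role map ("Introduce User Roles").
ROLES = {"aanna": "sales", "abbe": "engineer",
         "aaelenes": "legal", "aatharuv": "engineer"}

# (name, bucket, points, roles for which the activity is acceptable, regex).
# Buckets mirror the slide: minimal, setup, role_dependent, never.
PRECURSORS = [
    ("job site visit", "minimal", 1, set(),
     re.compile(r"Request: (?:www\.)?monster\.com", re.I)),
    ("sudo auth failure", "minimal", 2, set(),
     re.compile(r"failed to authenticate user", re.I)),
    ("resume printed", "setup", 5, set(),
     re.compile(r"printing .*resume", re.I)),
    ("hacker tool search", "setup", 5, {"security"},
     re.compile(r"search\?q=password\+cracker", re.I)),
    ("patent filing access", "role_dependent", 10, {"legal", "engineer"},
     re.compile(r"Patent Access", re.I)),
    ("backdoor access", "never", 20, set(),
     re.compile(r"Backdoor Access", re.I)),
]

# Constructed sample lines: "<timestamp> <host> <user> <message>".
SAMPLE_LOG = """\
Apr 04 19:45:29 rmarty aatharuv Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Apr 04 19:46:10 rmarty aatharuv Privoxy(b65ddba0) Request: www.monster.com/jobs
Apr 04 19:50:02 rmarty aaelenes lpd: printing resume_final.doc
Apr 04 20:01:15 rmarty aanna fileserver: Patent Access /patents/2007/0412.pdf
Apr 04 20:01:16 rmarty aanna fileserver: Patent Access /patents/2007/0413.pdf
Apr 04 20:01:17 rmarty aanna fileserver: Patent Access /patents/2007/0414.pdf
Apr 04 20:05:00 rmarty aaelenes fileserver: Patent Access /patents/2007/0412.pdf
Aug 27 10:21:39 ram abbe com.apple.SecurityServer: authinternal failed to authenticate user abbe.
Aug 27 10:22:03 ram abbe ids: Backdoor Access attempt on srv01
"""

LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ (\S+) (.*)$")

# Watch list from other departments (HR etc.): positive values boost,
# negative values decrease a user's score.
WATCH_LIST = {"aatharuv": 5, "aanna": -10, "aaelenes": -10}


def score_log(text, roles=ROLES):
    """Return {user: {bucket: points}}, each bucket capped at BUCKET_CAP."""
    raw = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, msg = m.groups()
        for _name, bucket, points, ok_roles, rx in PRECURSORS:
            # A precursor does not count for roles it is acceptable for.
            if rx.search(msg) and roles.get(user) not in ok_roles:
                raw[user][bucket] = min(BUCKET_CAP, raw[user][bucket] + points)
    return {u: dict(b) for u, b in raw.items()}


def total_scores(bucketed, watch_list=None):
    """Sum the buckets per user, apply the watch list, clamp to 0..100."""
    watch_list = watch_list or {}
    return {user: max(0, min(100, sum(b.values()) + watch_list.get(user, 0)))
            for user, b in bucketed.items()}


def tier(score):
    """Map a 0..100 score onto the slide's tiers of insiders."""
    if score < 20:
        return "nothing to worry about just yet"
    if score < 60:
        return "on a bad track of going malicious"
    if score < 80:
        return "very likely has malicious intentions"
    return "malicious insider"


if __name__ == "__main__":
    totals = total_scores(score_log(SAMPLE_LOG), WATCH_LIST)
    for user, s in sorted(totals.items()):
        print(f"{user:10} {s:3}  {tier(s)}")
```

Note how aanna's three patent accesses hit the 20-point cap, and how the legal user's identical access scores nothing because of the role.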

The Insider, Finally

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog

Page 12: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Insider Threat Visualization

• Huge amounts of data
• More and other data sources than for the traditional security use-cases
• Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
• Insider crimes are often executed on the application layer. You need transaction data and chatty application logs.
• The questions are not known in advance
  - Visualization provokes questions and helps find answers
• Dynamic nature of fraud
  - Problem for static algorithms
  - Bandits quickly adapt to fixed threshold-based detection systems
  - Looking for any unusual patterns

Visualizing Log Data

Visual

[Slide figure: a link graph generated from the log lines below]

    Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
    Jun 17 09:42:35 rmarty ifup: failed; no link present.  Check cable?
    Jun 17 09:42:35 rmarty network: Bringing up interface eth0:  failed
    Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
    Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
    Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
    Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
    Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
    Jun 17 09:45:42 rmarty last message repeated 2 times
    Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
    Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
    Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8

Parsing

Interpret Data. Know Data Formats. Re-use, don't re-invent: find parsers at http://secviz.org/?q=node/8

Charts - Going Beyond Excel

• Multi-variate graphs
  - Link Graphs
  - TreeMaps
  - Parallel Coordinates

[Slide figures: a link graph of source and destination IP addresses, and a treemap of traffic by protocol (UDP, TCP) and service (HTTP, SSH, FTP, DNS, SNMP)]

Beyond The Boring Defaults For Link Graphs

[Slide figure: the IP-address link graph redrawn with the node configuration Name -> SIP -> DIP, so the event name sits between source and destination address]

Link Graph Shake Up

The same Snort alert drawn with different node configurations:

    [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
    [Classification: Decode of an RPC Query] [Priority: 2]
    06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
    Len: 120

[Slide figures, four link graphs of this one alert:]

- SIP -> Name -> DIP: 192.168.10.90 -> portmap -> 192.168.10.255
- SIP -> DIP -> DPort: 192.168.10.90 -> 192.168.10.255 -> 111
- SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
- Name -> SIP -> DIP: RPC portmap -> 192.168.10.90 -> 192.168.10.255
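As an added example (not from the talk, and not Snort or AfterGlow code), a parser for the alert block above that emits the CSV triple for each of the four node configurations, so the same event can be handed to a CSV-to-graph tool in any of the layouts shown. The regexes assume the Snort full-alert layout as printed above; the column names are assumptions.

```python
"""Parse a Snort full-alert block and emit link-graph node triples.

Added example, not from the talk. The alert text is the slide's alert,
retyped as constructed input; the layout names and column keys are
assumptions chosen to match the slide's SIP/DIP/SPort/DPort/Name labels.
"""
import re

SAMPLE_ALERT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")

# The four node configurations from the slide, as column keys per position.
LAYOUTS = {
    "SIP Name DIP": ("sip", "name", "dip"),
    "SIP DIP DPort": ("sip", "dip", "dport"),
    "SIP SPort DPort": ("sip", "sport", "dport"),
    "Name SIP DIP": ("name", "sip", "dip"),
}


def parse_alert(text):
    """Return the alert's fields as a dict, or None if the block is incomplete."""
    fields = {}
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            fields.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), name=m[4])
        elif (m := CLASS_RE.match(line)):
            fields.update(classification=m[1], priority=int(m[2]))
        elif (m := FLOW_RE.match(line)):
            fields.update(ts=m[1], sip=m[2], sport=int(m[3]),
                          dip=m[4], dport=int(m[5]))
        elif line.startswith(("TCP", "UDP", "ICMP")):
            fields["proto"] = line.split()[0]  # first token of the IP-header line
    required = {"name", "sip", "sport", "dip", "dport"}
    return fields if required.issubset(fields) else None


def to_csv_line(fields, layout):
    """One CSV line (source,event,target) for the chosen node configuration."""
    return ",".join(str(fields[col]) for col in LAYOUTS[layout])


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    for layout in LAYOUTS:
        print(f"{layout:16} {to_csv_line(alert, layout)}")
```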

TreeMaps

[Slide figure: treemap of all network traffic, UDP and TCP subdivided into HTTP, SSH, FTP, DNS and SNMP]




Page 15: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Beyond The Boring Defaults For Link Graphs

15

10001

101202

NameSIP DIP

Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []

[Classification Decode of an RPC Query] [Priority 2]

0604-155628219753 192168109032859 -gt 19216810255111

UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF

Len 120

16

1921681090 portmap 19216810255 1921681090 19216810255 111

1921681090 32859 111 RPC portmap 1921681090 19216810255

SPortSIP DPort SIPName DIP

DIPSIP DPortNameSIP DIP

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

31

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity okay for some user roles
  - Malicious activity should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR etc.)

32

Tiers of Insiders

Score scale 0 - 20 - 60 - 80 - 100:

  0-20:   Nothing to worry about just yet
  20-60:  On a bad track of going malicious
  60-80:  Very likely has malicious intentions
  80-100: Malicious Insiders

33

The Insider Finally

34

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

35

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog

Page 16: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Link Graph Shake Up

[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

16

The same alert mapped onto different node configurations (source -> event -> target):

  SIP, Name, DIP:    192.168.10.90 -> portmap -> 192.168.10.255
  SIP, DIP, DPort:   192.168.10.90 -> 192.168.10.255 -> 111
  SIP, SPort, DPort: 192.168.10.90 -> 32859 -> 111
  Name, SIP, DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255

TreeMaps

17

[Figure: treemap of all network traffic, split into UDP and TCP and then into the services HTTP, SSH, FTP, DNS and SNMP; one SNMP cell stands out: "What is this?"]

TreeMaps Explained

18

Configuration: Hierarchy: Protocol
[Figure: treemap with UDP and TCP cells (8020)]

Configuration: Hierarchy: Protocol -> Service; Size: Count; Color: Service
[Figure: the same traffic split into HTTP, SSH, FTP, DNS and SNMP cells under UDP and TCP]

Treemap2 (http://www.cs.umd.edu/hcil/treemap)

What's Splunk?

1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed Federated Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing

19

The IT Search Engine

[Figure: navigate, search, report, alert and share across data from Database, App Server, Web Server, Switch, Firewall and Router: logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code, activity reports]

AfterGlow

20

http://afterglow.sourceforge.net

CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher

Input (CSV):

  aaelenes,Printing Resume
  abbe,Information Encryption
  aanna,Patent Access
  aatharuv,Ping

Output (DOT):

  digraph structs {
    graph [label="AfterGlow 1.5.8", fontsize=8];
    node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
    edge [len=1.6];
    "aaelenes" -> "Printing Resume";
    "abbe" -> "Information Encryption";
    "aanna" -> "Patent Access";
    "aatharuv" -> "Ping";
  }

Why AfterGlow?

• Translates CSV into graph description
• Define node and edge attributes
  - color
  - size
  - shape
• Filter and process data entries
  - threshold filter
  - fan-out filter
  - clustering

21

Fan Out: 3

Variable and Color

  variable=@violation=("Backdoor Access", "HackerTool Download");
  color.target="orange" if (grep(/$fields[1]/, @violation));
  color.target="palegreen"

Node Size and Threshold

  maxnodesize=1;
  size.source=$fields[2];
  size=0.5;
  sum.target=0;
  threshold.source=14;

Color and Cluster

  color.source="palegreen" if ($fields[0] =~ /^111/);
  color.source="red";
  color.target="palegreen";
  cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"

AfterGlow - Splunk

22

Demo

  splunk <command>
  splunk search "<search command>" -auth <user>:<pass>

  splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n", $1, $2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
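The node configurations of the Link Graph Shake Up slide and the CSV-to-DOT translation with threshold, fan-out and colour rules of the AfterGlow slides, as an added example that is not AfterGlow's or Splunk's own code: it parses constructed Snort-style alerts, picks a (source, event, target) configuration, filters, and writes the DOT that neato would render. The alerts, the placeholder sids 9000001/9000002, and the exact filter semantics are assumptions.

```python
"""Link-graph translation in the spirit of AfterGlow (added example; not AfterGlow's
or Splunk's code): parse constructed Snort-style alerts, map them onto a node
configuration from the slide, apply threshold/fan-out filters, emit coloured DOT."""
import re
from collections import Counter, defaultdict

# Constructed alerts modelled on the slide's portmap alert; sids 9000001/9000002 and
# the addresses are placeholders, not captured traffic.
ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
06/04-15:56:29.004411 192.168.10.90:32860 -> 192.168.10.255:111
[**] [1:9000001:1] EXAMPLE backdoor access [**]
06/04-15:58:02.112233 192.168.10.90:40001 -> 192.168.10.7:8081
[**] [1:9000002:1] EXAMPLE hackertool download [**]
06/04-16:01:10.000001 192.168.10.12:51000 -> 10.1.1.5:80
"""
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
FLOW_RE = re.compile(r"\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# (source, event, target) configurations shown on the Link Graph Shake Up slide.
CONFIGS = {
    "sip-name-dip": ("sip", "name", "dip"),
    "sip-dip-dport": ("sip", "dip", "dport"),
    "sip-sport-dport": ("sip", "sport", "dport"),
    "name-sip-dip": ("name", "sip", "dip"),
}
VIOLATIONS = ("Backdoor Access", "HackerTool Download")  # the slide's @violation list


def parse_alerts(text):
    """Pair each alert header with the flow line that follows it."""
    events, name = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            name = header.group(2)
            continue
        flow = FLOW_RE.match(line)
        if flow and name:
            events.append({"name": name, "sip": flow.group(1), "sport": flow.group(2),
                           "dip": flow.group(3), "dport": flow.group(4)})
            name = None
    return events


def to_rows(events, config):
    """Three-column CSV rows (source,event,target), the form AfterGlow reads without -t."""
    return [",".join(event[field] for field in CONFIGS[config]) for event in events]


def filter_rows(rows, threshold_source=1, fanout=1):
    """Keep rows whose source node occurs at least threshold_source times and reaches at
    least `fanout` distinct targets; repeated rows collapse to one edge. This is my
    reading of threshold.source and the fan-out filter, not AfterGlow's implementation."""
    triples = [tuple(row.split(",")) for row in rows]
    occurrences = Counter(src for src, _event, _dst in triples)
    targets = defaultdict(set)
    for src, _event, dst in triples:
        targets[src].add(dst)
    kept = []
    for src, event, dst in triples:
        if (occurrences[src] >= threshold_source and len(targets[src]) >= fanout
                and (src, event, dst) not in kept):
            kept.append((src, event, dst))
    return kept


def event_color(event, violations=VIOLATIONS):
    """The colour rule: orange when the event matches the violation list, else palegreen."""
    return "orange" if any(v.lower() in event.lower() for v in violations) else "palegreen"


def to_dot(triples, label="AfterGlow-style example"):
    """Render the kept triples as the DOT text AfterGlow hands to neato."""
    lines = ["digraph structs {",
             f'  graph [label="{label}", fontsize=8];',
             "  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];",
             "  edge [len=1.6];"]
    colors = {}  # a node seen in several positions takes the colour assigned last
    for src, event, dst in triples:
        colors[src] = "red"                 # color.source="red"
        colors[event] = event_color(event)  # the violation rule, applied to the event node
        colors[dst] = "palegreen"           # color.target="palegreen"
    for node, color in colors.items():
        lines.append(f'  "{node}" [fillcolor="{color}"];')
    for src, event, dst in triples:
        lines.append(f'  "{src}" -> "{event}";')
        lines.append(f'  "{event}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    kept = filter_rows(to_rows(parse_alerts(ALERTS), "sip-name-dip"), threshold_source=2)
    print(to_dot(kept))  # pipe into: neato -Tgif -o test.gif
```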

Insider Threat Definition

Current or former employee or contractor who

• intentionally exceeded or misused an authorized level of access to networks, systems, or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems, and/or daily business operations

23

[CERT, http://www.cert.org/insider_threat: Definition of an Insider]

Three Types of Insider Threats

24

Fraud, Information Leak, Sabotage

Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.

Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems, or business operations.

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 17: Insider Threat Visualization - HITB 2007, Kuala Lumpur

TreeMaps

17

All Network TrafficUDP TCP

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

What is this

SNMP

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 18: Insider Threat Visualization - HITB 2007, Kuala Lumpur

TreeMaps Explained

18

UDP TCP

Conguration Hierarchy Protocol

8020

HTTP

SSH

FTP

DNS

SNMP

UDP TCP

SNMP

Conguration Hierarchy Protocol -gt Service

Size CountColor Service

Treemap2 (httpwwwcsumdeduhciltreemap)

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 19: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Whatrsquos Splunk1 Universal Real Time Indexing

2 Ad-hoc Search amp Navigation

3 Distributed Federate Search

4 Interactive Alerting amp Reporting

5 Knowledge Capture amp Sharing

19

The IT Search Engine

navigatesearch reportalert share

Database

App Server

Web Server

Switch

Firewall

Router

logs congurations

metricstraps amp alerts stack traces

messagesscripts amp code

activity reports

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 20: Insider Threat Visualization - HITB 2007, Kuala Lumpur

digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled

fontsize=10 width=1 height=1fixedsize=true]

edge [len=16]

aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping

aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing

AfterGlow

20

CSV FileParser AfterGlow Graph

LanguageFileGrapher

httpafterglowsourceforgenet

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud InformationLeak

Sabotage

Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc

Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery

Insider Threat Detection

bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem

25

bull Use precursors to monitor and profile usersbull Define an insider detection process to

analyze precursor activity

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursors

26

bull Accessing job Web sites such as monstercom

bull Sales person accessing patent filings

bull Printing files with resume in the file name

bull Sending emails to 50 or more recipients outside of the company

1105

3

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files

27

Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List

28

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles

29

Legal

Engineer

Insider Detection Process

bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go

30

Visualization for Insider Detectionbull Visualization as a precursor

- analyze data access per user role

- find anomalies in financial transactions

bull Documentation and communication of activity

bull Tuning and analyzing process output

- groups of users with similar behavior- groups of users with similar scores

31

Process Improvementsbull Bucketizing precursors

- Minimal or no impact

- Potential setup for insider crime

- Malicious activity okay for some user roles

- Malicious activity should never happen

- Insider Act

bull Maximum of 20 points per bucket

bull Using watch lists to boost decrease scores for specific groups of users

- Input from other departments (HR etc)

32

0 20 60 80 100

Nothing toworry about just

yet

On a bad track ofgoing malicious

Very likelyhas malicious

intentions

MaliciousInsiders

Tiers of Insiders

33

The Insider Finally

34

Summarybull Log visualization

bull Beyond the boring chart defaults

bull AfterGlow and Splunk

- The free way to understanding your data

bull Insider threat

bull Insider detection process

35

Thank Youwwwsecvizorg

raffaelmartysplunkcomraffychblog

Page 21: Insider Threat Visualization - HITB 2007, Kuala Lumpur

Why AfterGlowbull Translates CSV into graph description

bull Define node and edge attributes

- color

- size

- shape

bull Filter and process data entries

- threshold filter

- fan-out filter

- clustering

21

Fan Out 3

Variable and Color

variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen

Node Size and Threshold

maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14

Color and Cluster

colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8

AfterGlow - Splunk

22

Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt

splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif

Insider Threat Definition

Current or former employee or contractor who

bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that

bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations

23

[CERT httpwwwcertorginsider_threat Definition of an Insider]

Three Types of Insider Threats

24

Fraud, Information Leak, Sabotage

Information Theft is concerned with the stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.

Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.

Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.

Insider Threat Detection

• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity

25

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors

26

Example precursors from the slide:

• Accessing job Web sites such as monster.com
• Sales person accessing patent filings
• Printing files with "resume" in the file name
• Sending emails to 50 or more recipients outside of the company

Scores shown next to them on the slide, in order: 1, 10, 5, 3

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files

27

Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker

Of these lines only the failed authentication, the sudo authorization failure and the "password cracker" web search are precursor material; the window-server and hot-key messages are the kind of noise the precursor patterns have to discard.

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List

28

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles

29

[Figure: candidate list split by user role, e.g. Legal vs. Engineer]

Insider Detection Process

• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?

30

Visualization for Insider Detection

• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

31

Process Improvements

• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider act
• Maximum of 20 points per bucket
• Using watch lists to boost or decrease scores for specific groups of users
  - Input from other departments (HR, etc.)

32

Tiers of Insiders

Score     Tier
0-20      Nothing to worry about just yet
20-60     On a bad track of going malicious
60-80     Very likely has malicious intentions
80-100    Malicious insiders

33
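Slides 26 through 33 describe one procedure: match precursors against log lines, add up their scores per user, skip precursors that are normal for the user's role, cap each bucket at 20 points, adjust with watch-list input from HR, and read the total off the tier scale. The following Python is an added example written for this page, not the speaker's own tooling: the log lines, the role directory, the watch list, the precursor patterns and their point values are all constructed, and the bucket names are shortened forms of the five buckets on the "Process Improvements" slide.

```python
import re
from collections import defaultdict

# Constructed log lines in a syslog-like "timestamp host user message" shape,
# modelled on the kinds of sources the slides mention (proxy, printer, document
# server, mail). Not real data.
SAMPLE_LOGS = """\
Apr 04 19:45:29 proxy rmarty Request: www.monster.com/jobs
Apr 04 19:46:02 proxy rmarty Request: www.google.com/search?q=password+cracker
Apr 04 20:01:11 printsrv rmarty Printed: /home/rmarty/resume_2007.doc
Apr 05 09:12:40 docsrv jsmith Access: /patents/filing-4711.pdf
Apr 05 09:13:02 docsrv jsmith Access: /patents/filing-4712.pdf
Apr 05 09:14:55 docsrv jsmith Access: /patents/filing-4713.pdf
Apr 05 10:30:00 mail jsmith Sent: 60 recipients outside company
Apr 05 11:00:00 docsrv aclark Access: /patents/filing-4711.pdf
"""

# Assumed role directory ("Introduce User Roles").
ROLES = {"rmarty": "engineer", "jsmith": "sales", "aclark": "legal"}

# Assumed watch-list input from HR: positive values boost, negative values decrease.
WATCHLIST = {"rmarty": +50, "aclark": -10}

# Each bucket is capped at 20 points, so five buckets span 0..100.
BUCKET_CAP = 20

# Precursors: name, regex over the message, points, bucket, roles for which the
# activity is legitimate, and an optional extra condition on the regex match.
PRECURSORS = [
    ("job site visit", r"Request: www\.monster\.com", 1, "setup", set(), None),
    ("resume printed", r"Printed: .*resume", 5, "setup", set(), None),
    ("password-cracker search", r"q=password\+cracker", 10, "never", set(), None),
    ("patent filing access", r"Access: /patents/", 10, "role_dependent",
     {"legal", "engineer"}, None),
    ("mass external mail", r"Sent: (\d+) recipients outside", 3, "setup", set(),
     lambda m: int(m.group(1)) >= 50),
]

LOG_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<user>\S+) (?P<msg>.*)$")


def parse_logs(text):
    """Return (user, message) for each line matching the assumed log shape."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m.group("user"), m.group("msg")))
    return events


def score_events(events, roles, watchlist=None):
    """Per-user totals clamped to 0..100, plus the precursor names that fired."""
    watchlist = watchlist or {}
    buckets = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for user, msg in events:
        role = roles.get(user, "unknown")
        for name, pattern, pts, bucket, ok_roles, cond in PRECURSORS:
            m = re.search(pattern, msg, re.IGNORECASE)
            if not m or (cond and not cond(m)):
                continue
            if role in ok_roles:          # normal for this role: not a precursor
                continue
            buckets[user][bucket] = min(BUCKET_CAP, buckets[user][bucket] + pts)
            hits[user].append(name)
    totals = {}
    for user in {u for u, _ in events} | set(watchlist):
        total = sum(buckets[user].values()) + watchlist.get(user, 0)
        totals[user] = max(0, min(100, total))
    return totals, dict(hits)


def tier(score):
    """Map a 0..100 score onto the tier scale from the slide."""
    if score < 20:
        return "nothing to worry about just yet"
    if score < 60:
        return "on a bad track of going malicious"
    if score < 80:
        return "very likely has malicious intentions"
    return "malicious insider"


if __name__ == "__main__":
    totals, hits = score_events(parse_logs(SAMPLE_LOGS), ROLES, WATCHLIST)
    for user, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{user:8} {total:3}  {tier(total):40} {hits.get(user, [])}")
```

The constructed data exercises the three rules the slides add to plain scoring: jsmith's three patent accesses would be 30 points but the role_dependent bucket caps at 20; aclark performs the same access but is in Legal, so it never counts; rmarty's 16 points of precursors only cross into a higher tier once the HR watch list adds its boost.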

The Insider Finally

34

Summary

• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

35

Thank You

www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog
