Insider Threat Visualization - HackInTheBox 2007
2 likes2,153 views
Raffael Marty discusses using log visualization to detect insider threats. He outlines an insider detection process that involves building a list of precursor activities, assigning them scores, applying the precursors to log files, and visualizing results to surface insider candidates. Visualization helps analyze data access patterns, financial transactions, and tune the detection process by grouping similar user behaviors. Improvements include bucketizing precursors and using watch lists to adjust user scores.
![Link Graph Shake Up
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
SIP Name DIP SIP DIP DPort
192.168.10.90 portmap 192.168.10.255 192.168.10.90 192.168.10.255 111
SIP SPort DPort Name SIP DIP
192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255
16](https://image.slidesharecdn.com/martyvisualizationhitb07-120811210922-phpapp02/85/Insider-Threat-Visualization-HackInTheBox-2007-16-320.jpg)
![AfterGlow http://afterglow.sourceforge.net
Parser AfterGlow Grapher
Graph
CSV File LanguageFile
digraph structs {
graph [label="AfterGlow 1.5.8", fontsize=8];
node [shape=ellipse, style=filled,
fontsize=10, width=1, height=1,
aaelenes,Printing Resume fixedsize=true];
abbe,Information Encrytion edge [len=1.6];
aanna,Patent Access
aatharuy,Ping "aaelenes" -> "Printing Resume" ;
"abbe" -> "Information Encryption" ;
"aanna" -> "Patent Access" ;
"aatharuv" -> "Ping" ;
}
20](https://image.slidesharecdn.com/martyvisualizationhitb07-120811210922-phpapp02/85/Insider-Threat-Visualization-HackInTheBox-2007-20-320.jpg)
![Why AfterGlow?
# Variable and Color
• Translates CSV into graph description
variable=@violation=("Backdoor Access", "HackerTool
Download”);
color.target="orange" if (grep(/$fields[1]/,@violation));
• Define node and edge attributes color.target="palegreen"
- color # Node Size and Threshold
- size maxnodesize=1;
size.source=$fields[2]
- shape size=0.5
sum.target=0;
• Filter and process data entries threshold.source=14;
- threshold filter Fan Out: 3 # Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/)
- fan-out filter color.source="red"
color.target="palegreen"
- clustering cluster.source=regex_replace("(d+).d+")."/8"
21](https://image.slidesharecdn.com/martyvisualizationhitb07-120811210922-phpapp02/85/Insider-Threat-Visualization-HackInTheBox-2007-21-320.jpg)
![Insider Threat Definition
"Current or former employee or contractor who
• intentionally exceeded or misused an authorized level of
access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of
the organization’s data, systems and/or daily business
operations"
[CERT: http://www.cert.org/insider_threat Definition of an Insider]
23](https://image.slidesharecdn.com/martyvisualizationhitb07-120811210922-phpapp02/85/Insider-Threat-Visualization-HackInTheBox-2007-23-320.jpg)
![Insider Detection Process
Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument:
• Build List of Precursors CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07)
set hot key operating mode to all disabled
• Assign Scores to Precursors Aug 31 15:58:06 [68] Hot key operating mode is now
all disabled
• Apply Precursors to Log Files Aug 27 10:21:39 ram com.apple.SecurityServer:
authinternal failed to authenticate user
raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer:
Failed to authorize right system.login.tty by process /
usr/bin/su
do for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0)
Request: www.google.com/search?q=password
+cracker
27](https://image.slidesharecdn.com/martyvisualizationhitb07-120811210922-phpapp02/85/Insider-Threat-Visualization-HackInTheBox-2007-27-320.jpg)
More Related Content
![[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx](https://cdn.slidesharecdn.com/ss_thumbnails/threathuntingtocampaigntrackingworkshop-hitcon2020ctivillage-201213185811-thumbnail.jpg?width=560&fit=bounds){kind=tracking}
Similar to Insider Threat Visualization - HackInTheBox 2007 (20)
Insider Threat Visualization - HackInTheBox 2007
- 1. Insider Threat Visualization Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> Hack In The Box - September 07 - Malaysia
- 2. Who Am I? Chief Security Strategist and Product Manager @ Splunk> Manager Solutions @ ArcSight, Inc. Intrusion Detection Research @ IBM Research http://thor.cryptojail.net IT Security Consultant @ PriceWaterhouse Coopers Applied Security Open Vulnerability and Assessment Language (OVAL) board Visualization Common Event Expression (CEE) founding member 2008 Passion for Visualization http://secviz.org http://afterglow.sourceforge.net 2
- 3. Agenda Convicted Goal: Visualization Log Data Processing Insider Detection Using Data to Graph Visualization AfterGlow and Splunk Insider Threat Insider Detection Process Precursors Scoring Watch Lists 3
- 4. It’s Not That Easy 4
- 5. Convicted In February of 2007 a fairly large information leak case made the news. The scientist Gary Min faces up to 10 years in prison for stealing 16,706 documents and over 22,000 scientific abstracts from his employer DuPont. The intellectual property he was about to leak to a DuPont competitor, Victrex, was assessed to be worth $400 million. There is no evidence Gary actually turned the documents over to Victrex. 5
- 6. DuPont Case How It Could Have Been Prevented What’s the answer? 6
- 7. DuPont Case Log Collection!
- 9. DuPont Case More Generic Solution user server 9
- 10. Visualization Questions • Who analyzes logs? • Who uses visualization for log analysis? • Who is using AfterGlow? • Have you heard of SecViz.org? • What tools are you using for log analysis? 10
- 11. Visualization Answer questions you didn’t even know of ✓ Quickly understand thousands of data entries Increase Efficiency ✓ Facilitate communication ✓ Increase response time through improved understanding Make Informed Decisions 11
- 12. Insider Threat Visualization • Huge amounts of data • More and other data sources than for the traditional security use-cases • Insiders often have legitimate access to machines and data. You need to log more than the exceptions • Insider crimes are often executed on the application layer. You need transaction data and chatty application logs • The questions are not known in advance! • Visualization provokes questions and helps find answers • Dynamic nature of fraud • Problem for static algorithms • Bandits quickly adapt to fixed threshold-based detection systems • Looking for any unusual patterns 12
- 13. Visualizing Log Data Parsing Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Visual Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH ✓ Interpret Data ✓ Know Data Formats ✓ Re-use don’t re-invent ✓ Find parsers at: http://secviz.org/?q=node/8 13
- 14. Charts - Going Beyond Excel • Multi-variate graphs 10.0.0.1 10.12.0.2 - Link Graphs UDP TCP - TreeMaps HTTP DNS UDP TCP - Parallel Coordinates SSH SNMP FTP 14
- 15. Beyond The Boring Defaults For Link Graphs 10.0.0.1 SIP Name DIP 10.12.0.2 15
- 16. Link Graph Shake Up [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 SIP Name DIP SIP DIP DPort 192.168.10.90 portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 16
- 17. TreeMaps ? UDP TCP HTTP DNS What is this? UDP All Network Traffic TCP SSH SNMP FTP 17
- 18. TreeMaps Explained Treemap2 (http://www.cs.umd.edu/hcil/treemap) 20% 80% UDP TCP HTTP Size: Count DNS UDP TCP Color: Service SSH SNMP FTP Configuration Hierarchy: Protocol -> Service 18
- 19. What’s Splunk? 1. Universal Real Time Indexing 2. Ad-hoc Search & Navigation search navigate alert report share 3. Distributed / Federate Search 4. Interactive Alerting & Reporting IT Search Engine The 5. Knowledge Capture & Sharing Router Firewall logs configurations scripts & code messages Switch Web Server App Server traps & alerts activity reports Database stack traces metrics 19
- 20. AfterGlow http://afterglow.sourceforge.net Parser AfterGlow Grapher Graph CSV File LanguageFile digraph structs { graph [label="AfterGlow 1.5.8", fontsize=8]; node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, aaelenes,Printing Resume fixedsize=true]; abbe,Information Encrytion edge [len=1.6]; aanna,Patent Access aatharuy,Ping "aaelenes" -> "Printing Resume" ; "abbe" -> "Information Encryption" ; "aanna" -> "Patent Access" ; "aatharuv" -> "Ping" ; } 20
- 21. Why AfterGlow? # Variable and Color • Translates CSV into graph description variable=@violation=("Backdoor Access", "HackerTool Download”); color.target="orange" if (grep(/$fields[1]/,@violation)); • Define node and edge attributes color.target="palegreen" - color # Node Size and Threshold - size maxnodesize=1; size.source=$fields[2] - shape size=0.5 sum.target=0; • Filter and process data entries threshold.source=14; - threshold filter Fan Out: 3 # Color and Cluster color.source="palegreen" if ($fields[0] =~ /^111/) - fan-out filter color.source="red" color.target="palegreen" - clustering cluster.source=regex_replace("(d+).d+")."/8" 21
- 22. AfterGlow - Splunk Demo ./splunk <command> ./splunk search “<search command>” -admin <user>:<pass> ./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk ‘{printf”%s,%sn”,$1,$2}’ | afterglow -t -b 2 | neato -Tgif -o test.gif 22
- 23. Insider Threat Definition "Current or former employee or contractor who • intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that • targeted a specific individual or affected the security of the organization’s data, systems and/or daily business operations" [CERT: http://www.cert.org/insider_threat Definition of an Insider] 23
- 24. Three Types of Insider Threats Information Theft is concerned Fraud deals with the with stealing of confidential or misuse of access proprietary information. This privileges or the includes things like financial intentional excess of Information statements, intellectual access levels to obtain Fraud property, design plans, source Leak property or services code, trade secrets, etc. unjustly through deception or trickery. Sabotage Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems, or business operations. 24
- 25. Insider Threat Detection • Understand who is behind the crime • Know what to look for • Stop insiders before they become a problem • Use precursors to monitor and profile users • Define an insider detection process to analyze precursor activity 25
- 26. Insider Detection Process • Accessing job Web sites • Build List of Precursors such as monster.com 1 • Assign Scores to Precursors • Sales person accessing patent filings 10 • Printing files with "resume" in the file name 5 • Sending emails to 50 or more recipients outside of the company 3 26
- 27. Insider Detection Process Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: • Build List of Precursors CGXGetWindowDepth: Invalid window -1 Aug 31 15:58:06 [68] cmd "loginwindow" (0x5c07) set hot key operating mode to all disabled • Assign Scores to Precursors Aug 31 15:58:06 [68] Hot key operating mode is now all disabled • Apply Precursors to Log Files Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty. Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process / usr/bin/su do for authorization created by /usr/bin/sudo. Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password +cracker 27
- 28. Insider Detection Process • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List 28
- 29. Insider Detection Process Engineer • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List • Introduce User Roles Legal 29
- 30. Insider Detection Process ? • Build List of Precursors • Assign Scores to Precursors • Apply Precursors to Log Files • Visualize Insider Candidate List • Introduce User Roles • Where Did the Scores Go? 30
- 31. Visualization for Insider Detection • Visualization as a precursor - analyze data access per user role - find anomalies in financial transactions • Documentation and communication of activity • Tuning and analyzing process output - groups of users with similar behavior - groups of users with similar scores 31
- 32. Process Improvements • Bucketizing precursors: - Minimal or no impact - Potential setup for insider crime - Malicious activity okay for some user roles - Malicious activity should never happen - Insider Act • Maximum of 20 points per bucket • Using watch lists to boost / decrease scores for specific groups of users - Input from other departments (HR, etc.) 32
- 33. Tiers of Insiders Nothing to On a bad track of Very likely Malicious worry about just going malicious has malicious Insiders yet intentions 0 20 60 80 100 33
- 34. The Insider? Finally? 34
- 35. Summary • Log visualization • Beyond the boring chart defaults • AfterGlow and Splunk - The free way to understanding your data • Insider threat • Insider detection process 35
- 36. Thank You www.secviz.org [email protected] raffy.ch/blog