
Page 1: A Visual Approach to Security Event Management EuSecWest ‘06, London Raffael Marty, GCIA, CISSP Senior Security Engineer @ ArcSight February 21st, 2006

A Visual Approach to Security Event Management

EuSecWest ‘06, London
Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight

February 21st, 2006

Page 2:

Raffael Marty, GCIA, CISSP

Enterprise Security Management (ESM) specialist

Strategic Application Solutions @ ArcSight, Inc.

Intrusion Detection Research @ IBM Research

See http://thor.cryptojail.net

IT Security Consultant @ PriceWaterhouse Coopers

Open Vulnerability and Assessment Language (OVAL) board member

Passion for Visual Security Event Analysis

Page 3:

Table Of Contents

► Introduction

► Basics

► Examples of Graphs you can draw with AfterGlow

► AfterGlow

  1.x – Event Graphs

  2.0 – TreeMaps

  Future – All in One!

Page 4:

Introduction

Page 5:

Disclaimer

IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance to well-known addresses or host names is purely coincidental.

Page 6:

Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128

Text or Visuals?

► What would you rather look at?

Page 7:

A Picture is Worth a Thousand Log Entries

Detect the Expected & Discover the Unexpected

Make Better Decisions

Reduce Analysis and Response Times

Page 8:

Three Aspects of Visual Security Event Analysis

► Situational Awareness
  • What is happening in a specific business area (e.g., compliance monitoring)
  • What is happening on a specific network
  • What are certain servers doing

► Real-Time Monitoring and Incident Response
  • Capture important activities and take action
  • Event Workflow
  • Collaboration

► Forensic and Historic Investigation
  • Selecting arbitrary set of events for investigation
  • Understanding big picture
  • Analyzing relationships - Exploration
  • Reporting

Page 9:

Basics

Page 10:

How To Generate A Graph?

[Pipeline diagram: Device -> Parser -> ... | Normalization | ... -> Event Visualizer. Input on the left: the Log File (the same syslog excerpt as on Page 6). Output on the right: the Visual.]

Page 11:

Visual Types I

► Will focus on visuals that AfterGlow supports:

  Event Graphs (Link Graphs) – AfterGlow 1.x - Perl

  TreeMaps – AfterGlow 2.0 - JAVA

Page 12:

Visual Types II

Event Graphs (Link Graphs)
  ► Node Configuration
  ► Node Coloring
  ► Edge Coloring

TreeMaps
  ► Hierarchy
  ► "Box" Coloring
  ► "Box" Size

[Two example figures: a link graph with the node configuration Name / SIP / DIP, and a treemap; both carry the labels Block, Pass, UDP and TCP]

Page 13:

Link Graph Configurations

Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

Different node configurations (three-node chains drawn from the same event):

SIP -> Name -> DIP:    192.168.10.90 -> RPC portmap -> 192.168.10.255
SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255

Page 14:

TreeMap Configurations

Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

Different configurations (hierarchy from root to leaf):

SIP > Name > DIP
SIP > Sport > DIP
SIP > DIP > Dport
Name > SIP > DIP   (leaf box shown: 192.168.10.255)
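The four link-graph chains and the four TreeMap hierarchies on the last two slides all come out of one normalized Snort alert. As an added example (not AfterGlow's own parser, and not code from the deck), the Python below parses the raw event into named fields and emits the CSV line AfterGlow 1.x would read for each node configuration, plus the root-to-leaf box path for each TreeMap hierarchy; the regular expressions and function names are mine, and the rows carry the full rule name where the slide's figure abbreviates it to "RPC portmap".

```python
import re

# Constructed copy of the Snort alert shown on the slide, in the multi-line
# layout of Snort's full alert output (the slide runs the lines together).
RAW_EVENT = """[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

HEADER_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.+?)\s+\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(.+?)\]\s*\[Priority:\s*(\d+)\]")
PACKET_RE = re.compile(
    r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:(\d+)", re.M)

# Node configurations from the Link Graph slide: (source, event, target) columns.
LINK_CONFIGS = [("SIP", "Name", "DIP"), ("SIP", "DIP", "DPort"),
                ("SIP", "SPort", "DPort"), ("Name", "SIP", "DIP")]
# Hierarchies from the TreeMap slide, root to leaf.
TREEMAP_CONFIGS = [("SIP", "Name", "DIP"), ("SIP", "SPort", "DIP"),
                   ("SIP", "DIP", "DPort"), ("Name", "SIP", "DIP")]


def parse_snort_alert(raw: str) -> dict:
    """Normalize one Snort full-format alert into the named fields the graphs use."""
    header, packet = HEADER_RE.search(raw), PACKET_RE.search(raw)
    if not (header and packet):
        raise ValueError("not a Snort full-format alert")
    fields = {"GID": header.group(1), "SID": header.group(2), "Rev": header.group(3),
              "Name": header.group(4), "Timestamp": packet.group(1),
              "SIP": packet.group(2), "SPort": packet.group(3),
              "DIP": packet.group(4), "DPort": packet.group(5)}
    classification = CLASS_RE.search(raw)
    if classification:  # optional: rules without a classtype omit this line
        fields["Classification"], fields["Priority"] = classification.groups()
    proto = PROTO_RE.search(raw)
    if proto:
        fields["Proto"], fields["TTL"] = proto.groups()
    return fields


def link_graph_rows(fields: dict) -> list:
    """One CSV line per node configuration, the input format of AfterGlow 1.x."""
    return [",".join(fields[col] for col in cfg) for cfg in LINK_CONFIGS]


def treemap_paths(fields: dict) -> list:
    """Root-to-leaf box path this event lands in, for each TreeMap hierarchy."""
    return [" > ".join(fields[level] for level in cfg) for cfg in TREEMAP_CONFIGS]
```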

Page 15:

Graph Use Cases

Things You Can Do With AfterGlow

Page 16:

Situational Awareness Dashboard

Page 17:

Vulnerability Awareness I

[TreeMap hierarchy: DIP > Vuln > Score. Callouts mark one machine and a vulnerability.]

Page 18:

Vulnerability Awareness II

[TreeMap hierarchy: DIP > Score > Vuln]

Page 19:

AfterGlow - LGL

Page 20:

Monitoring Web Servers

Traffic to Web Servers

Page 21:

Suspicious Activity?

Page 22:

Network Scan

Page 23:

Port Scan

► Port scan or something else?

Page 24:

PortScan

[Link graph node configuration: SIP -> DIP -> DPort]

Page 25:

Firewall Activity

[Link graph node configuration: SIP -> DIP -> Rule#. Legend: External Machine / Internal Machine, Outgoing / Incoming.]

Next Steps:
1. Visualize “FW Blocks” of outgoing traffic
   -> Why do internal machines trigger blocks?
2. Visualize “FW Blocks” of incoming traffic
   -> Who and what tries to enter my network?
3. Visualize “FW Passes” of outgoing traffic
   -> What is leaving the network?

Page 26:

Firewall Rule-set Analysis

[Legend: pass / block]

Page 27:

Load Balancer

Page 28:

Worms

Page 29:

DefCon 2004 Capture The Flag

[Link graph node configuration: SIP -> DIP -> DPort. Legend: DstPort < 1024 / DstPort > 1024; Source Of Evil, Internal Source, Internal Target, Internet Target, Other Team's Target. Callouts: Our Servers, Exposed Services.]

Page 30:

DefCon 2004 Capture The Flag – TTL Games

[Link graph node configuration: SIP -> DIP -> TTL. Legend: Source Of Evil, Internal Source, Internal Target. Callouts: Our Servers, Offender TTL.]

Page 31:

DefCon 2004 Capture The Flag – More TTL

[Link graph over the fields DPort, Flags and TTL]

Show Node Counts

Page 32:

Telecom Malicious Code Propagation

[Link graph node configuration: FromPhone# -> ToPhone# -> ContentType|Size]

Page 33:

Email Cliques

[Link graph From -> To. Node colors: From: My Domain / From: Other Domain, To: My Domain / To: Other Domain.]

Page 34:

Email Relays

[Link graph From -> To. Node colors: From: My Domain / From: Other Domain, To: My Domain / To: Other Domain.]

Do you run an open relay?

Grey out emails to and from “my domain”

Make “my domain” invisible

Page 35:

Email SPAM?

[Link graph To -> Size. Filter: Size > 10.000, Omit threshold = 1.]

Multiple recipients with same-size messages

Page 36:

Email SPAM?

[Link graph From -> nrcpt. Filter: nrcpt >= 2, Omit threshold = 1.]

Page 37:

BIG Emails

[Link graph From -> To -> Size. Filter: Size > 100.000, Omit Threshold = 2.]

Documents leaving the network?

Page 38:

Email Server Problems?

[Link graph To -> Delay. Legend: 2:00 < Delay < 10:00, Delay > 10:00.]

Page 39:

AfterGlow

afterglow.sourceforge.net

Page 40:

AfterGlow

► http://afterglow.sourceforge.net

► Two Versions:

  • AfterGlow 1.x – Perl for Event Graphs

  • AfterGlow 2.0 – Java for TreeMaps

Page 41:

AfterGlow 1.x - Perl

► Supported graphing tools:

  • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/

  • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/

[Pipeline diagram: CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher]

Page 42:

AfterGlow 1.x – Command Line Parameters

● Some command line arguments:

  -h : help
  -t : two node mode
  -d : print count on nodes
  -e : edge length
  -n : no node labels
  -o threshold : omit threshold (fan-out for nodes to be displayed)
  -c configfile : color configuration file

Page 43:

AfterGlow 1.x – color.properties

color.[source|event|target|edge]=<perl expression returning a color name>

● Array @fields contains the input line, split into tokens:

  color.event="red" if ($fields[1] =~ /^192\..*/)

● Special color "invisible":

  color.target="invisible" if ($fields[0] eq "IIS Action")

● Edge color:

  color.edge="blue"

Page 44:

AfterGlow 1.x – color.properties - Example

color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
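To show how a rule file like the one above combines with the -t, -d and -o switches from the previous slide, here is an added Python sketch (not AfterGlow's Perl code, and not from the deck) that turns three-column CSV into GraphViz DOT using first-match-wins color rules; the sample CSV is constructed, and the omit threshold is assumed here to mean the minimum number of appearances a node needs before it is drawn.

```python
import csv
import io
from collections import Counter

# Constructed sample in AfterGlow's three-column input format (source,event,target);
# the addresses mirror the ones used in the slide's color.properties example.
SAMPLE_CSV = """191.141.69.4,RPC portmap,10.0.0.5
191.141.69.4,RPC portmap,10.0.0.6
211.254.110.9,SSH login,10.0.0.5
192.168.1.20,IIS Action,10.0.0.7
192.168.1.20,HTTP GET,10.0.0.7
"""

# Each rule is (color, predicate over the split input line). As with the
# color.properties lines, rules are tried top to bottom and the first predicate
# that holds wins, so the unconditional entry at the end is the default.
RULES = {
    "source": [("olivedrab", lambda f: f[0] == "191.141.69.4"),
               ("olivedrab", lambda f: f[0].startswith("211.254.110.")),
               ("orangered1", lambda f: True)],
    "event": [("slateblue4", lambda f: True)],
    "target": [("invisible", lambda f: f[1] == "IIS Action"),
               ("olivedrab", lambda f: f[-1] == "191.141.69.4"),
               ("orangered1", lambda f: True)],
    "edge": [("firebrick", lambda f: "191.141.69.4" in (f[0], f[-1])),
             ("cyan4", lambda f: True)],
}


def pick_color(kind: str, fields: list) -> str:
    """First matching rule wins; 'black' only if no rule matched at all."""
    for color, predicate in RULES[kind]:
        if predicate(fields):
            return color
    return "black"


def csv_to_dot(text: str, two_node=False, omit=0, counts=False) -> str:
    """Emit a GraphViz DOT graph of source -> event -> target chains.

    two_node stands in for -t (first and last column only, no event node),
    omit for -o (assumed here: a node is drawn only if it appears at least
    `omit` times in the input) and counts for -d (appearance count on labels).
    """
    node_color, appearances, edges = {}, Counter(), []
    for f in (r for r in csv.reader(io.StringIO(text)) if r):
        chain = [("source", f[0])] + ([] if two_node else [("event", f[1])]) + [("target", f[-1])]
        # Identity is role plus value: an address seen as source and as target
        # becomes two distinct nodes, which is how AfterGlow draws it too.
        ids = [f"{role}:{value}" for role, value in chain]
        for nid, (role, _) in zip(ids, chain):
            node_color.setdefault(nid, pick_color(role, f))   # first sighting decides
            appearances[nid] += 1
        edges += [(a, b, pick_color("edge", f)) for a, b in zip(ids, ids[1:])]

    def drawn(nid: str) -> bool:
        return node_color[nid] != "invisible" and appearances[nid] >= omit

    out = ["digraph afterglow {"]
    for nid, color in node_color.items():
        if drawn(nid):
            value = nid.split(":", 1)[1]
            label = f"{value} ({appearances[nid]})" if counts else value
            out.append(f'  "{nid}" [label="{label}", fillcolor="{color}", style=filled];')
    for a, b, color in dict.fromkeys(edges):   # drop duplicate edges, keep order
        if drawn(a) and drawn(b):              # an invisible or omitted node takes its edges with it
            out.append(f'  "{a}" -> "{b}" [color="{color}"];')
    out.append("}")
    return "\n".join(out)
```

Feed the returned text to `dot -Tpng` to render it; an invisible target removes the IIS Action and HTTP GET edges from the picture but leaves the event nodes in place.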

Page 45:

AfterGlow 2.0 - Java

► Command line arguments:

  -h : help
  -c file : property file
  -f file : data file

[Pipeline diagram: CSV File -> Parser -> AfterGlow - Java]

Page 46:

AfterGlow 2.0 - Example

► Data:

Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure

► Launch:

./afterglow-java.sh -c afterglow.properties

# AfterGlow - JAVA 2.0
# Properties File

# File to load
file.name=/home/ram/afterglow/data/sample.csv

# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL

# Size Column (default is 0)
size.column=0

# Color Column (default is 0)
color.column=2

Page 47:

AfterGlow 2.0 – Java - Output

Page 48:

AfterGlow 2.0 – Java - Interaction

► Left-click:
  • Zoom in

► Right-click:
  • Zoom all the way out

► Middle-click:
  • Change Coloring to current depth (Hack: Use SHIFT for leafs)

Page 49:

AfterGlow 3.0 – The Future

► Generating LinkGraphs with the Java version

► Adding more output formats

► Saving output as image file

► Animation

Page 50:

AfterGlow – Parsers

► tcpdump2csv.pl
  • Takes care of swapping response source and targets

  tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"

► sendmail_parser.pl
  • Reassemble email conversations:

  Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
  Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
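The email graphs on Pages 35 to 38 all start from sendmail records reassembled per queue ID, which is the job of sendmail_parser.pl. As an added example, not that script and not code from the deck, the Python below joins each to= record with the from= record sharing its queue ID, converts delays to seconds, emits AfterGlow CSV lines, and applies the size, recipient-count and delay thresholds from those slides; the log lines, host and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sendmail syslog sample (host and addresses made up). Each queue ID
# has one from= record and one to= record per recipient; the to= records carry
# the delay and the delivery status.
SAMPLE_LOG = """\
Jul 24 21:01:16 mx sendmail[17072]: j6P41Gqt017072: from=<alice@example.org>, size=650, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, relay=localhost
Jul 24 21:01:16 mx sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<alice@example.org> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 mx sendmail[17090]: j6P45AbC017090: from=<promo@bulk.example.net>, size=12040, class=0, nrcpts=3, msgid=<2@bulk.example.net>, proto=ESMTP, relay=[203.0.113.7]
Jul 24 21:05:03 mx sendmail[17091]: j6P45AbC017090: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42040, dsn=2.0.0, stat=Sent
Jul 24 21:05:03 mx sendmail[17091]: j6P45AbC017090: to=<carol@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42040, dsn=2.0.0, stat=Sent
Jul 24 21:17:40 mx sendmail[17091]: j6P45AbC017090: to=<dave@example.org>, delay=00:12:38, xdelay=00:00:02, mailer=esmtp, pri=42040, dsn=4.0.0, stat=Deferred: Connection timed out
Jul 24 22:10:00 mx sendmail[17200]: j6P5A0xy017200: from=<eve@example.org>, size=2411000, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTP, relay=localhost
Jul 24 22:10:05 mx sendmail[17201]: j6P5A0xy017200: to=<drop@outside.example.com>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=2441000, dsn=2.0.0, stat=Sent
"""

RECORD_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")  # key=<bracketed> or key=up-to-comma


def hms_to_seconds(delay: str) -> int:
    """sendmail delays look like HH:MM:SS, or D+HH:MM:SS once a message is a day old."""
    days, _, rest = delay.rpartition("+")
    h, m, s = (int(x) for x in rest.split(":"))
    return (int(days) if days else 0) * 86400 + h * 3600 + m * 60 + s


def parse_sendmail(log: str) -> list:
    """Join each to= record with the from= record that shares its queue ID."""
    envelopes, rows = {}, []
    for line in log.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        kv = {k: v.strip("<>") for k, v in KV_RE.findall(rest)}
        if "from" in kv:
            envelopes[qid] = kv
        elif "to" in kv and qid in envelopes:   # a to= without its from= is dropped
            env = envelopes[qid]
            rows.append({"from": env["from"], "to": kv["to"], "size": int(env["size"]),
                         "nrcpts": int(env["nrcpts"]), "delay": hms_to_seconds(kv["delay"]),
                         "stat": kv["stat"]})
    return rows


def to_afterglow_csv(rows: list, columns: tuple) -> list:
    """One AfterGlow input line per row, e.g. columns=("from", "to", "size")."""
    return [",".join(str(r[c]) for c in columns) for r in rows]


def email_questions(rows: list, spam_size=10000, big_size=100000, slow=600) -> dict:
    """The filters behind the Email SPAM?, BIG Emails and Email Server Problems? graphs."""
    recipients = defaultdict(set)             # (sender, size) -> distinct recipients
    for r in rows:
        recipients[(r["from"], r["size"])].add(r["to"])
    return {
        "spam": [r for r in rows if r["size"] > spam_size
                 and len(recipients[(r["from"], r["size"])]) > 1],
        "multi_recipient": sorted({r["from"] for r in rows if r["nrcpts"] >= 2}),
        "big": [r for r in rows if r["size"] > big_size],
        "slow": [r for r in rows if r["delay"] > slow],          # Delay > 10:00
        "delayed": [r for r in rows if 120 < r["delay"] < slow],  # 2:00 < Delay < 10:00
    }
```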

Page 51:

Summary

Detect the expected

& discover the unexpected

Make better decisions

Reduce analysis and response times

Page 52:

THANKS!

[email protected]