Cyber Sleuth: Finding Hidden Connections in Cyber Data

Transcript

1. Cyber Sleuth: Finding Hidden Connections in Cyber Data Jennifer Reif

   Developer Advocate, Neo4j [email protected] @JMHReif github.com/JMHReif jmhreif.com linkedin.com/in/jmhreif

2. Who is Jennifer Reif? Developer Advocate, Neo4j • Continuous learner

   • Conference speaker • Tech blogger • Other: geek Jennifer Reif Developer Advocate, Neo4j [email protected] @JMHReif github.com/JMHReif jmhreif.com linkedin.com/in/jmhreif

3. Let’s talk Cybersecurity Diverse topic https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/

4. Attack chain for CVE-2018-20250 exploit (WinRAR RCE) https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/

5. Who are we up against? Everyday data - complex, intricate

   Photo by mauro mora on Unsplash

6. Cybersecurity tasks Identify and prevent: • Attacks (DOS / Ransomware)

   • Disclosure of private / sensitive data • Unauthorized changes to applications / privileges • Unauthorized account access

7. How do we fight (all) these? • Separate hardware solution

   tools • Tackle multiple aspects: • (Usual) Internal accounts / exploits • External user accounts (customer + partner) • Exploitation pathways (exposed account) • Multiple action paths: • Reactive • Proactive

8. Recap The problem(s) • Complex, intricate data • Attackers: looking

   for gaps across many vectors • Several cybersecurity tasks to manage • Need to compile multiple sources • Need to strategize from multiple perspectives

9. What do the scenarios have in common?

10. It’s a graph! Connected data = graph

11. John Lambert -- Distinguished Engineer, Microsoft Threat Intelligence Center

12. Defenders: lists Row + Column view of data • List

    of access user has • List of groups • List of permissions • List of applications • Lists of steps to perform Photo by Thomas Bormans on Unsplash

13. Attackers: graphs Entrypoint -> What’s connected • Admin user ->

    workstation -> domain controller • User -> group -> machine <- admin

14. Attack chain for CVE-2018-20250 exploit (WinRAR RCE) https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/

15. Path Connections present attack path(s) https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs. %20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md

16. Networks are connected graphs Holistic view of network • Surface

    hidden connections • Combine data sources for direct/indirect relationships • Provide uni fi ed view • Naturally visual analysis/tooling https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf

17. Graph can help Approach data di ff erently • Minimize

    impacts by • Quickly identify risks • Detect anomalies • Protect systems from multiple vectors

18. Building a graph

19. Graph components Graph theory foundations • Node (vertex) • Relationship

    (edge)

20. Nodes Graph components • Represent objects or entities • Can

    be labeled • May have properties Order Product Employee orderId: 162468 orderDate: 2019-04-01 productId: 08746589 name: “Ipoh Coffee” id: 247924 startDate: 2016-05-04 position: “Barista”

21. Relationships Graph components • Must have a type • Must

    have a direction • May have properties • Nodes can have multiple Order Product Employee orderId: 162468 orderDate: 2019-04-01 productId: 08746589 name: “Ipoh Coffee” id: 247924 startDate: 2016-05-04 position: “Barista” CONTAINS date: 2022-08-16 tip: 1.00 SOLD CONTACT CREATED

22. Label Graph components • A group of nodes • Like

    a category Person Employee Customer

23. Neo4j Export / Import • Cypher + APOC • ETL

    Tool • Dump fi le (not backward-compatible)

24. Cypher: powerful and expressive Jennifer Neo4j WORKS_FOR CREATE (:Person {

    name: ‘Jennifer’}) -[:WORKS_FOR]-> (:Company { name: ‘Neo4j’}) NODE PROPERTY NODE PROPERTY LABEL LABEL

25. Cypher: read Jennifer Neo4j WORKS_FOR MATCH (:Person { name: ‘Jennifer’}

    ) -[:WORKS_FOR]-> ( whom ) RETURN whom

26. Loading a dump file Drag+Drop

27. APOC library Import CSVs (or other data) • Cypher LOAD

    CSV • apoc.load.<dataFormat> • MERGE (node) • SET properties • APOC functions/procedures for manipulation and cleaning

28. Demo!

29. None

30. Resources • Github repository (today’s code): github.com/JMHReif/cybersecurity-sleuth • Sandbox (hands-on

    - cybersecurity): sandbox.neo4j.com/ • GraphAcademy: graphacademy.neo4j.com/ • NODES 2024: dev.neo4j.com/nodes24 Jennifer Reif Developer Advocate, Neo4j [email protected] @JMHReif github.com/JMHReif jmhreif.com linkedin.com/in/jmhreif