Upgrade to Pro — share decks privately, control downloads, hide ads and more …

An Introduction to Graph Theory for Security Pe...

Andrew Hay
September 25, 2017

An Introduction to Graph Theory for Security People Who Can’t 'Math Good'

This session aims to gently introduce graph theory and the applied use of graphs for people who, like the speaker, consider themselves lacking the often perceived advanced math, science and computer programming knowledge needed to harness their power. The applied use of graphs will be discussed to help attendees track security threats, build attacker profiles and better understand organizational risk based on introducing new tools, processes or legal requirements.

Attendees may not leave with a Ph.D., but they’ll certainly walk away with a firmer understanding of graph theory and how to construct, deploy and maintain graphs for security and compliance initiatives within their organization.

Learning Objectives:

- Have a firm understanding of graph theory and the applied use of graphs for security tasks
- Track security threats, construct attacker profiles and use graphs to better understand organizational risk
- Walk away with a firmer understanding of graph theory and how to construct, deploy and maintain graphs for security and compliance initiatives within their organization

Andrew Hay

September 25, 2017
Tweet

More Decks by Andrew Hay

Other Decks in Technology

Transcript

  1. Session Overview » A gentle introduction to graph theory »

    Graphs in every day life » Freely available tools » The application of graphs in a security context » Summary & Application
  2. If You’re Anything Like Me… » You completely zone out

    when you see something like this source: http://article.sapub.org/10.5923.j.am.20150505.01.html
  3. A Graph Is… » A graph is a collection of

    • vertices (i.e. nodes, dots) - where a vertex is an entity which represents some object (e.g. a person, a place, etc.) • edges (i.e. relationships, lines) - where an edge represents the relationship between two vertices source: http://tinkerpop.apache.org/
  4. A Graph Is (continued)… » Diagram above shows a graph

    with two vertices • One with a unique identifier of 1 • Another with a unique identifier of 3 » There is an edge connecting the two with a unique identifier of 9 » It is important to consider that the edge has a direction which goes out from vertex 1 and in to vertex 3 source: http://tinkerpop.apache.org/
  5. A Graph Is (continued)… » To give some meaning to

    this basic structure, vertices and edges can each be given labels to categorize them » You can now see that a vertex 1 is a person and vertex 3 is a software vertex source: http://tinkerpop.apache.org/
  6. A Graph Is (continued)… » They are joined by a

    created edge which allows you to see that a person created software » The label and the id are reserved attributes of vertices and edges, but you can add your own arbitrary properties as well source: http://tinkerpop.apache.org/
  7. A Little More Advanced Graph Theory » You’ll often hear

    the words network and graph used interchangeably…and there is nothing wrong with that » If the edges in a network are directed (i.e. pointing in only one direction) the network is called a directed network or a directed graph, sometimes digraph for short » When drawing a directed network, the edges are typically drawn as arrows indicating the direction source: http://mathinsight.org/definition/network
  8. A Little More Advanced Graph Theory » If all edges

    are bidirectional, or undirected, the network is an undirected network (or undirected graph) source: http://mathinsight.org/definition/network
  9. A Little More Advanced Graph Theory » Variations • A

    small undirected network where the nodes and edges have different types, as indicated by their colors and line styles • A small directed network where the edges and nodes have different weights, as indicated by their sizes source: http://mathinsight.org/image/small_undirected_node_edge_types_network source: http://mathinsight.org/image/small_directed_weighted_nodes_edges_network
  10. Graphs in Every Day Life: Internet » Everyone has seen

    a visual representation of the Internet » Often, colors indicate operator of network, country, etc. » Structure determined by sending a storm of IP packets out randomly across the network » Each packet is programmed to self-destruct after a delay, and when this happens, the packet failure notice reports back the path the packet took before it died source: http://mathinsight.org/image/internet_map_jurvetson_2004
  11. Graphs in Every Day Life: TSP » Travelling salesman problem

    (TSP) • "Given a list of cities and the distances between each pair of cities, what is the shortest possible route that visits each city exactly once and returns to the origin city?” source: https://www.mathworks.com/help/optim/examples/travelling-salesman-problem.html
  12. Graphs in Every Day Life: More Examples… » Mapping •

    Google maps, self-driving cars, etc. • “Hey, Siri, how do I get to 1 Main Street?” » Perception/Attitude Analysis • What hashtags are trending right now? • Which Presidential candidate is being talked about most on which social media platform? » And, of course, security! source: https://datasemantics.files.wordpress.com/2013/12/graph3.png
  13. Tools: Google Fusion Tables » support.google.com/fusiontables/answer/2566732 ?hl=en – Network Graph

    • Basic network mapping tool • Some useful filter functionality • Lacks the deep customization options and analysis functionality • Can produce insightful visualizations » developers.google.com/fusiontables • Create, update, and delete tables and table data • Issue SQL-like queries
  14. Tools: Graphviz » www.graphviz.org • Open source graph visualization software

    • The Graphviz layout programs take descriptions of graphs in a simple text language, and make diagrams in useful formats - Images, SVG, PDF, Postscript , interactive graph browser • Many useful features for diagrams - options for colors, fonts, tabular node layouts, line styles, hyperlinks, and custom shapes source: http://www.graphviz.org/content/profile
  15. Tools: Visual Investigate Scenarios (VIS) » vis.occrp.org • Designed to

    assist investigative journalists, activists and others in mapping complex business or crime networks • Help investigators understand and explain corruption, organized crime and other wrongdoings and to translate complex narratives into simple, universal visual language • Customizable, dynamic html5 visualization templates • Illustrate entities, networks and complex configurations of data
  16. Tools: Gephi » gephi.org • Desktop tool for performing powerful

    network analysis and creating network visualizations • Described as being like Photoshop™ but for graph data • The user interacts with the representation, manipulate the structures, shapes and colors to reveal hidden patterns • Designed to help data analysts to make hypothesis, intuitively discover patterns, isolate structure singularities or faults during data sourcing source: https://gephi.org/screenshots/
  17. Tools: OpenGraphiti » www.opengraphiti.com • OpenGraphiti is a free and

    open source 3D data visualization engine created by Thibault Reuille of OpenDNS • Designed for data scientists to visualize semantic networks and to work with them • It offers an easy-to-use API with several associated libraries to create custom-made datasets
  18. Tools: Maltego » www.paterva.com/web7/buy/malte go-clients/maltego-ce.php • Maltego CE is the

    community editio • Available for free for everyone after a quick registration • Interactive data mining tool • Renders directed graphs for link analysis • Used in online investigations for finding relationships between pieces of information from various sources located on the Internet source: www.paterva.com
  19. Tools: Maltego (continued…) » www.paterva.com/web7/buy/malte go-clients/casefile.php • CaseFile is Paterva's

    answer to the offline intelligence problem • Allows for analysts to examine links between offline data • Same graphing application as Maltego without the ability to run transforms • CaseFile gives you the ability to quickly add, link and analyze data source: www.paterva.com
  20. Graph Databases: neo4j » neo4j.com • Graph database management system

    developed by Neo Technology, Inc • ACID-compliant transactional database with native graph storage and processing • Implemented in Java • Accessible from software written in other languages using the Cypher Query Language • Exposes a transactional HTTP endpoint source: https://neo4j.com/
  21. Graph Databases: OrientDB » orientdb.com • Open source NoSQL database

    management system • Written in Java • Multi-model database, supporting graph, document, key/value, and object models • Relationships are managed as in graph databases with direct connections between records • Supports schema-less, schema-full, and schema-mixed modes source: http://orientdb.com/orientdb/
  22. Graph Databases: Titan » titan.thinkaurelius.com • Scalable graph database optimized

    for - Storing and querying graphs - Containing hundreds of billions of vertices and edges - Distributed across a multi-machine cluster • Support for various storage backends • Support for global graph data analytics, reporting, and ETL through integration with big data platforms • Native integration with the TinkerPop graph stack source: http://titan.thinkaurelius.com/
  23. Graph Stack: Apache TinkerPop » tinkerpop.apache.org • Open source Graph

    Computing Framework • Goal is to make it easy for developers to create graph applications by providing APIs and tools that simplify their endeavors • Abstraction layer over different graph databases and different graph processors • As an abstraction layer, TinkerPop provides a way to avoid vendor lock-in to a specific database or processor source: https://tinkerpop.apache.org/
  24. Development Modules » NetworkX • networkx.github.io • Package for the

    creation, manipulation, and study of the structure, dynamics, and functions of complex networks » Graph-tool • graph-tool.skewed.de • Manipulation and statistical analysis of graphs » SNAP for Python • snap.stanford.edu/snappy/ • General purpose, high performance system for analysis and manipulation of large networks • Written in C++ and optimized for maximum performance and compact graph representation • Scales to massive networks with hundreds of millions of nodes, and billions of edges
  25. Development Modules » semanticnet • github.com/ThibaultReuille/semanticnet • Small python library

    to create semantic graphs in JSON • Datasets can then be visualized with OpenGraphiti » Plotly for Python • plot.ly/ipython- notebooks/network-graphs • Store position as node attribute data • Add, change, delete nodes, node color, connections, etc.
  26. Development Modules » vis.js • visjs.org • Designed to be

    easy to use, to handle large amounts of dynamic data, and to enable manipulation of and interaction with the data » sigmajs • sigmajs.org • Allows developers to integrate network exploration in rich Web applications » JSNetworkX • jsnetworkx.org • JavaScript port of the NetworkX graph library » Cytoscape.js • js.cytoscape.org • Fully featured graph library written in pure JS • Designed for users first, for both front facing app and developer use cases
  27. Scenario: Incident Response » “We had a data breach, what

    was taken, and who was involved?” Mary Rahim Stu SSN CC
  28. Scenario: Incident Response Mary Rahim Stu SSN CC » “We

    had a data breach, what was taken, and who was involved?”
  29. Scenario: Incident Response Stu SSN CC HTTP Proxy upload download

    » “We had a data breach, what was taken, and who was involved?”
  30. Scenario: Incident Response Stu SSN CC HTTP Proxy upload download

    » “We had a data breach, what was taken, and who was involved?”
  31. Scenario: Incident Response » What would this look like in

    a tool? » Using Google’s experimental Fusion Tables we can easily graph this » Easy to show links, directionality, and node colors
  32. Scenario: Actor Tracking » “New Phishing Campaign Targets South-East Asia”*

    • http://www.minerva-labs.com/post/new-phishing- campaign-targets-south-east-asia » Malware variant that was distributed via phishing emails in south-east Asia. » The binary mimicked Navicat and had multiple info- stealing capabilities - and possibly a later stage POS oriented module. * source: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=3440670
  33. Scenario: Actor Tracking » Let’s load the indicators of compromise

    (IOC) from the blog post into a tool » This time, we’ll use Maltego Community Edition (CE) source: www.paterva.com
  34. Scenario: Actor Tracking » Add the various elements that you

    want to track • Hashes • Domains • IP addresses • Email addresses • etc.
  35. Scenario: Actor Tracking » Use the transforms to enrich the

    data • VirusTotal Public • ThreatCrowd • PassiveTotal - Get Passive DNS with Time - Get Whois Details - Whois Search by Email Address » Avoid running “All Transforms”
  36. Scenario: Actor Tracking » Zooming in we can see interesting

    associations…like how the malware hashes are being recognized
  37. Scenario: Actor Tracking » Zooming in we can see interesting

    associations…like how the domains are associated with the same registrant email address
  38. Scenario: Actor Tracking » Zooming in we can see interesting

    associations…like how the domains are associated with the same and IP address
  39. Scenario: Actor Tracking » We can also enrich the data

    with…all of the other domains registered using that email address
  40. General Suggestions » Just because you CAN graph or run

    a transform on something… » Consider using only the data you need for a particular task or project » If you want to experiment with different transforms, data points, nodes, edges, etc…
  41. General Suggestions » Just because you CAN graph or run

    a transform on something… » Consider using only the data you need for a particular task or project » If you want to experiment with different transforms, data points, nodes, edges, etc… USE A NEW GRAPH AND DON’T TINKER WITH THE MAIN ONE
  42. Summary » The general application of graph theory doesn’t require

    an advanced degree in mathematics • Especially once you know the basics » The connection of related information (read: nodes & edges) helps represent the data • Both visually and programmatically » There are a growing number of tools to help create graph associations, store graph data, and programmatically traverse and modify said data • Pick what works best for you and your environment source: https://en.wikipedia.org/wiki/Travelling_salesman_problem
  43. Apply What You Have Learned Today » Next week you

    should: • Take a look at the various free tools and see which one(s) resonate » In the first three months following this presentation you should: • Begin graphing connections for a simple project (e.g. threat actor tracking) • Use your graph project to teach your team or peers the value » Within six months you should: • Have a firm grasp of your own graph project • Look to introduce graph relationships, where applicable, to current security projects
  44. Thank You, Questions? » Andrew Hay, CISSP » Co-Founder &

    CTO, LEO Cyber Security • email: [email protected] • mobile: +1.415.940.9660 • twitter: @andrewsmhay • linkedin: http://www.linkedin.com/in/andrewhay • schedule a meeting: https://ahay.acuityscheduling.com