Andrew Hay
September 25, 2017
200

# An Introduction to Graph Theory for Security People Who Can’t 'Math Good'

This session aims to gently introduce graph theory and the applied use of graphs for people who, like the speaker, consider themselves lacking the often perceived advanced math, science and computer programming knowledge needed to harness their power. The applied use of graphs will be discussed to help attendees track security threats, build attacker profiles and better understand organizational risk based on introducing new tools, processes or legal requirements.

Attendees may not leave with a Ph.D., but they’ll certainly walk away with a firmer understanding of graph theory and how to construct, deploy and maintain graphs for security and compliance initiatives within their organization.

Learning Objectives:

- Have a firm understanding of graph theory and the applied use of graphs for security tasks
- Track security threats, construct attacker profiles and use graphs to better understand organizational risk
- Walk away with a firmer understanding of graph theory and how to construct, deploy and maintain graphs for security and compliance initiatives within their organization

#### Andrew Hay

September 25, 2017

## Transcript

1. None
2. ### An Introduction to Graph Theory for Security People Who Can’t

Math Good Andrew Hay, CISSP
3. ### Session Overview » A gentle introduction to graph theory »

Graphs in every day life » Freely available tools » The application of graphs in a security context » Summary & Application

5. ### If You’re Anything Like Me… » You completely zone out

when you see something like this source: http://article.sapub.org/10.5923.j.am.20150505.01.html

A B C
7. ### A Graph Is… » A graph is a collection of

• vertices (i.e. nodes, dots) - where a vertex is an entity which represents some object (e.g. a person, a place, etc.) • edges (i.e. relationships, lines) - where an edge represents the relationship between two vertices source: http://tinkerpop.apache.org/
8. ### A Graph Is (continued)… » Diagram above shows a graph

with two vertices • One with a unique identifier of 1 • Another with a unique identifier of 3 » There is an edge connecting the two with a unique identifier of 9 » It is important to consider that the edge has a direction which goes out from vertex 1 and in to vertex 3 source: http://tinkerpop.apache.org/
9. ### A Graph Is (continued)… » To give some meaning to

this basic structure, vertices and edges can each be given labels to categorize them » You can now see that a vertex 1 is a person and vertex 3 is a software vertex source: http://tinkerpop.apache.org/
10. ### A Graph Is (continued)… » They are joined by a

created edge which allows you to see that a person created software » The label and the id are reserved attributes of vertices and edges, but you can add your own arbitrary properties as well source: http://tinkerpop.apache.org/

A B C

3 4 5
13. ### A Little More Advanced Graph Theory » You’ll often hear

the words network and graph used interchangeably…and there is nothing wrong with that » If the edges in a network are directed (i.e. pointing in only one direction) the network is called a directed network or a directed graph, sometimes digraph for short » When drawing a directed network, the edges are typically drawn as arrows indicating the direction source: http://mathinsight.org/definition/network
14. ### A Little More Advanced Graph Theory » If all edges

are bidirectional, or undirected, the network is an undirected network (or undirected graph) source: http://mathinsight.org/definition/network
15. ### A Little More Advanced Graph Theory » Variations • A

small undirected network where the nodes and edges have different types, as indicated by their colors and line styles • A small directed network where the edges and nodes have different weights, as indicated by their sizes source: http://mathinsight.org/image/small_undirected_node_edge_types_network source: http://mathinsight.org/image/small_directed_weighted_nodes_edges_network

17. ### Graphs in Every Day Life: Internet » Everyone has seen

a visual representation of the Internet » Often, colors indicate operator of network, country, etc. » Structure determined by sending a storm of IP packets out randomly across the network » Each packet is programmed to self-destruct after a delay, and when this happens, the packet failure notice reports back the path the packet took before it died source: http://mathinsight.org/image/internet_map_jurvetson_2004
18. ### Graphs in Every Day Life: TSP » Travelling salesman problem

(TSP) • "Given a list of cities and the distances between each pair of cities, what is the shortest possible route that visits each city exactly once and returns to the origin city?” source: https://www.mathworks.com/help/optim/examples/travelling-salesman-problem.html
19. ### Graphs in Every Day Life: More Examples… » Mapping •

Google maps, self-driving cars, etc. • “Hey, Siri, how do I get to 1 Main Street?” » Perception/Attitude Analysis • What hashtags are trending right now? • Which Presidential candidate is being talked about most on which social media platform? » And, of course, security! source: https://datasemantics.files.wordpress.com/2013/12/graph3.png
20. ### Freely Available Tools Including clients, databases, and programming modules

• Basic network mapping tool • Some useful filter functionality • Lacks the deep customization options and analysis functionality • Can produce insightful visualizations » developers.google.com/fusiontables • Create, update, and delete tables and table data • Issue SQL-like queries
22. ### Tools: Graphviz » www.graphviz.org • Open source graph visualization software

• The Graphviz layout programs take descriptions of graphs in a simple text language, and make diagrams in useful formats - Images, SVG, PDF, Postscript , interactive graph browser • Many useful features for diagrams - options for colors, fonts, tabular node layouts, line styles, hyperlinks, and custom shapes source: http://www.graphviz.org/content/profile
23. ### Tools: Visual Investigate Scenarios (VIS) » vis.occrp.org • Designed to

assist investigative journalists, activists and others in mapping complex business or crime networks • Help investigators understand and explain corruption, organized crime and other wrongdoings and to translate complex narratives into simple, universal visual language • Customizable, dynamic html5 visualization templates • Illustrate entities, networks and complex configurations of data
24. ### Tools: Gephi » gephi.org • Desktop tool for performing powerful

network analysis and creating network visualizations • Described as being like Photoshop™ but for graph data • The user interacts with the representation, manipulate the structures, shapes and colors to reveal hidden patterns • Designed to help data analysts to make hypothesis, intuitively discover patterns, isolate structure singularities or faults during data sourcing source: https://gephi.org/screenshots/
25. ### Tools: OpenGraphiti » www.opengraphiti.com • OpenGraphiti is a free and

open source 3D data visualization engine created by Thibault Reuille of OpenDNS • Designed for data scientists to visualize semantic networks and to work with them • It offers an easy-to-use API with several associated libraries to create custom-made datasets
26. ### Tools: Maltego » www.paterva.com/web7/buy/malte go-clients/maltego-ce.php • Maltego CE is the

community editio • Available for free for everyone after a quick registration • Interactive data mining tool • Renders directed graphs for link analysis • Used in online investigations for finding relationships between pieces of information from various sources located on the Internet source: www.paterva.com
27. ### Tools: Maltego (continued…) » www.paterva.com/web7/buy/malte go-clients/casefile.php • CaseFile is Paterva's

answer to the offline intelligence problem • Allows for analysts to examine links between offline data • Same graphing application as Maltego without the ability to run transforms • CaseFile gives you the ability to quickly add, link and analyze data source: www.paterva.com
28. ### Graph Databases: neo4j » neo4j.com • Graph database management system

developed by Neo Technology, Inc • ACID-compliant transactional database with native graph storage and processing • Implemented in Java • Accessible from software written in other languages using the Cypher Query Language • Exposes a transactional HTTP endpoint source: https://neo4j.com/
29. ### Graph Databases: OrientDB » orientdb.com • Open source NoSQL database

management system • Written in Java • Multi-model database, supporting graph, document, key/value, and object models • Relationships are managed as in graph databases with direct connections between records • Supports schema-less, schema-full, and schema-mixed modes source: http://orientdb.com/orientdb/
30. ### Graph Databases: Titan » titan.thinkaurelius.com • Scalable graph database optimized

for - Storing and querying graphs - Containing hundreds of billions of vertices and edges - Distributed across a multi-machine cluster • Support for various storage backends • Support for global graph data analytics, reporting, and ETL through integration with big data platforms • Native integration with the TinkerPop graph stack source: http://titan.thinkaurelius.com/
31. ### Graph Stack: Apache TinkerPop » tinkerpop.apache.org • Open source Graph

Computing Framework • Goal is to make it easy for developers to create graph applications by providing APIs and tools that simplify their endeavors • Abstraction layer over different graph databases and different graph processors • As an abstraction layer, TinkerPop provides a way to avoid vendor lock-in to a specific database or processor source: https://tinkerpop.apache.org/
32. ### Development Modules » NetworkX • networkx.github.io • Package for the

creation, manipulation, and study of the structure, dynamics, and functions of complex networks » Graph-tool • graph-tool.skewed.de • Manipulation and statistical analysis of graphs » SNAP for Python • snap.stanford.edu/snappy/ • General purpose, high performance system for analysis and manipulation of large networks • Written in C++ and optimized for maximum performance and compact graph representation • Scales to massive networks with hundreds of millions of nodes, and billions of edges
33. ### Development Modules » semanticnet • github.com/ThibaultReuille/semanticnet • Small python library

to create semantic graphs in JSON • Datasets can then be visualized with OpenGraphiti » Plotly for Python • plot.ly/ipython- notebooks/network-graphs • Store position as node attribute data • Add, change, delete nodes, node color, connections, etc.
34. ### Development Modules » vis.js • visjs.org • Designed to be

easy to use, to handle large amounts of dynamic data, and to enable manipulation of and interaction with the data » sigmajs • sigmajs.org • Allows developers to integrate network exploration in rich Web applications » JSNetworkX • jsnetworkx.org • JavaScript port of the NetworkX graph library » Cytoscape.js • js.cytoscape.org • Fully featured graph library written in pure JS • Designed for users first, for both front facing app and developer use cases

Context
37. ### Scenario: Incident Response » “We had a data breach, what

was taken, and who was involved?” Mary Rahim Stu SSN CC
38. ### Scenario: Incident Response Mary Rahim Stu SSN CC » “We

had a data breach, what was taken, and who was involved?”

» “We had a data breach, what was taken, and who was involved?”

» “We had a data breach, what was taken, and who was involved?”
41. ### Scenario: Incident Response » What would this look like in

a tool? » Using Google’s experimental Fusion Tables we can easily graph this » Easy to show links, directionality, and node colors
42. ### Scenario: Incident Response » Type by Name shows who has

interacted with what data
43. ### Scenario: Incident Response » Action by Name shows who has

performed what actions

Context
45. ### Scenario: Actor Tracking » “New Phishing Campaign Targets South-East Asia”*

• http://www.minerva-labs.com/post/new-phishing- campaign-targets-south-east-asia » Malware variant that was distributed via phishing emails in south-east Asia. » The binary mimicked Navicat and had multiple info- stealing capabilities - and possibly a later stage POS oriented module. * source: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=3440670
46. ### Scenario: Actor Tracking » Let’s load the indicators of compromise

(IOC) from the blog post into a tool » This time, we’ll use Maltego Community Edition (CE) source: www.paterva.com
47. ### Scenario: Actor Tracking » Add the various elements that you

want to track • Hashes • Domains • IP addresses • Email addresses • etc.
48. ### Scenario: Actor Tracking » Use the transforms to enrich the

data • VirusTotal Public • ThreatCrowd • PassiveTotal - Get Passive DNS with Time - Get Whois Details - Whois Search by Email Address » Avoid running “All Transforms”

50. ### Scenario: Actor Tracking » Zooming in we can see interesting

associations…like how the malware hashes are being recognized
51. ### Scenario: Actor Tracking » Zooming in we can see interesting

associations…like how the domains are associated with the same registrant email address
52. ### Scenario: Actor Tracking » Zooming in we can see interesting

associations…like how the domains are associated with the same and IP address
53. ### Scenario: Actor Tracking » We can also enrich the data

with…all of the other domains registered using that email address
54. ### Scenario: Actor Tracking » As you can imagine, this can

quickly get out of hand…
55. ### General Suggestions » Just because you CAN graph or run

a transform on something… » Consider using only the data you need for a particular task or project » If you want to experiment with different transforms, data points, nodes, edges, etc…
56. ### General Suggestions » Just because you CAN graph or run

a transform on something… » Consider using only the data you need for a particular task or project » If you want to experiment with different transforms, data points, nodes, edges, etc… USE A NEW GRAPH AND DON’T TINKER WITH THE MAIN ONE

58. ### Summary » The general application of graph theory doesn’t require

an advanced degree in mathematics • Especially once you know the basics » The connection of related information (read: nodes & edges) helps represent the data • Both visually and programmatically » There are a growing number of tools to help create graph associations, store graph data, and programmatically traverse and modify said data • Pick what works best for you and your environment source: https://en.wikipedia.org/wiki/Travelling_salesman_problem
59. ### Apply What You Have Learned Today » Next week you

should: • Take a look at the various free tools and see which one(s) resonate » In the first three months following this presentation you should: • Begin graphing connections for a simple project (e.g. threat actor tracking) • Use your graph project to teach your team or peers the value » Within six months you should: • Have a firm grasp of your own graph project • Look to introduce graph relationships, where applicable, to current security projects
60. ### Thank You, Questions? » Andrew Hay, CISSP » Co-Founder &

CTO, LEO Cyber Security • email: andrew.hay@leocybersecurity.com • mobile: +1.415.940.9660 • twitter: @andrewsmhay • linkedin: http://www.linkedin.com/in/andrewhay • schedule a meeting: https://ahay.acuityscheduling.com
61. None