When a Picture is Worth a Thousand Network Packets and System Logs

Data Intelligence
June 28, 2017

Awalin Sopan FireEye Inc
Audience level: Intermediate
Topic area: Misc

Description

A typical Security Operations Center (SOC) employs security analysts who monitor security logs from heterogeneous devices. By analyzing that data, the analysts determine whether a security threat exists and how to respond to it. Visualizing this large-scale data in a succinct, human-digestible form can reduce their cognitive load and enable them to operate more efficiently.

Transcript

  1. Over 200 attacks on major industrial control systems in 2013.

    “Cyber threat is one of the most serious economic and national security challenges we face as a nation”- White House Press release, May 29, 2009
  2. DEFENSE AGAINST CYBER ATTACK: Role of a Human (Cyber Analyst)

    • Detect intrusion • Recommend solution • Threat insight • Gather evidence • Prevent intrusion • Find vulnerability in the system • Block suspected traffic • Forensic analysis: • Create rules to detect future attack • Nature of attack
  3. ▪Multivariate: ▪Packet Capture/TCP dump, (ip, port, pkt size, time, etc.

    multiple features) from network sensors. ▪Logs ▪ OS ▪ Servers ▪ Applications ▪ Firewalls SECURITY DATA: DATA CAPTURED THROUGH SENSORS
  4. ▪Relational: ▪Flow data through Network: can be collected from routers:

    connection between IPs, hosts. SECURITY DATA: DATA CAPTURED THROUGH SENSORS
  5. • Communicate findings • Overview • Analyze: • Compare and

    Relate • Find trend/ pattern • Predict • Find anomaly WHY VISUALIZATION
  6. Visual Information Seeking “Mantra” -Ben Shneiderman • Overview data using

    charts, dashboard, tables: see all relevant data • Find pattern, trend, outlier, correlation • Sort by rank • Group similar features • Zoom and filter: select only interesting ones • Details on Demand: details of the selected alert
  7. DATA -> VISUALIZATION Multivariate Packet capture, tcp dump from network

    sensors, server logs, operating system logs, firewall logs: Host based Intrusion Detection System. Data with multiple variables like ip, port, packet size, time, etc. Table, scatter plot, bubble chart, parallel coordinate Relational/ Hierarchical Network data flow from routers, connection between ips, hosts. Top-down hierarchy of the system: Network Based Intrusion Detection System. Node-link diagram, matrix diagram. Pie chart, treemap. Tempor al Log file, activity events over time Line chart, time series, timeline, histogram, sparklines Designing the User Interface 4th Edition: Ben Shneiderman and Catherine Plaisant
  8. VAST 2012 Challenge Data: 2 days of Flow data Nodes

    sized by in-degree Sized by in-degree
  9. Color coded: showing only top 25% strong links Links color

    coded by strength: red low, green high
  10. MODES OF OPERATIONS Put it all together in analysts workflow:

    • Contextual views • Dashboard for overview • Visual analytics with multiple coordinated views • Situational awareness for immediate assessment
  11. Situation awareness is the ability to : •assess data •evaluate

    options •make decisions in a timely manner.
  12. • (Machine + Human) > Machine || Human. • Bridge

    the gap btwn security experts & dataviz experts. • Provide contextual clues to the analysts. • Integrate visual analytics in analyst workflow. • Make room for scalability and efficiency. • Avoid visual representations requiring lot of explanation. • Choose the network layout that avoids edge crossing or node overlapping. • Aggregation of data should be obvious. TAKE AWAY [email protected]