Slide 1

Cyber Sleuth: Finding Hidden Connections in Cyber Data
Jennifer Reif, Developer Advocate, Neo4j
[email protected] | @JMHReif | github.com/JMHReif | jmhreif.com | linkedin.com/in/jmhreif

Slide 2

Who is Jennifer Reif?
Developer Advocate, Neo4j
• Continuous learner
• Conference speaker
• Tech blogger
• Other: geek

Slide 3

Let’s talk Cybersecurity
Diverse topic
https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/

Slide 4

Attack chain for CVE-2018-20250 exploit (WinRAR RCE)
https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/

Slide 5

Who are we up against?
Everyday data: complex, intricate
(Photo by mauro mora on Unsplash)

Slide 6

Cybersecurity tasks
Identify and prevent:
• Attacks (DoS / ransomware)
• Disclosure of private / sensitive data
• Unauthorized changes to applications / privileges
• Unauthorized account access

Slide 7

How do we fight (all) these?
• Separate hardware solution tools
• Tackle multiple aspects:
  • (Usual) Internal accounts / exploits
  • External user accounts (customer + partner)
  • Exploitation pathways (exposed account)
• Multiple action paths:
  • Reactive
  • Proactive

Slide 8

Recap: the problem(s)
• Complex, intricate data
• Attackers: looking for gaps across many vectors
• Several cybersecurity tasks to manage
• Need to compile multiple sources
• Need to strategize from multiple perspectives

Slide 9

What do the scenarios have in common?

Slide 10

It’s a graph!
Connected data = graph

Slide 11

John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center

Slide 12

Defenders: lists
Row + column view of data
• List of access a user has
• List of groups
• List of permissions
• List of applications
• Lists of steps to perform
(Photo by Thomas Bormans on Unsplash)

Slide 13

Attackers: graphs
Entrypoint -> What’s connected
• Admin user -> workstation -> domain controller
• User -> group -> machine <- admin

Slide 14

Attack chain for CVE-2018-20250 exploit (WinRAR RCE)
https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/

Slide 15

Path
Connections present attack path(s)
https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md

Slide 16

Networks are connected graphs
Holistic view of network
• Surface hidden connections
• Combine data sources for direct/indirect relationships
• Provide unified view
• Naturally visual analysis/tooling
https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf

Slide 17

Graph can help
Approach data differently
• Minimize impacts by:
  • Quickly identify risks
  • Detect anomalies
  • Protect systems from multiple vectors

Slide 18

Building a graph

Slide 19

Graph components
Graph theory foundations
• Node (vertex)
• Relationship (edge)

Slide 20

Nodes
Graph components
• Represent objects or entities
• Can be labeled
• May have properties
Example nodes on the slide:
• Order: orderId: 162468, orderDate: 2019-04-01
• Product: productId: 08746589, name: “Ipoh Coffee”
• Employee: id: 247924, startDate: 2016-05-04, position: “Barista”

Slide 21

Relationships
Graph components
• Must have a type
• Must have a direction
• May have properties
• Nodes can have multiple
Example on the slide: the same Order, Product and Employee nodes as slide 20, connected by relationships of type CONTAINS, SOLD, CONTACT and CREATED, with relationship properties date: 2022-08-16 and tip: 1.00

Slide 22

Label
Graph components
• A group of nodes
• Like a category
Examples: Person, Employee, Customer

Slide 23

Neo4j
Export / Import
• Cypher + APOC
• ETL Tool
• Dump file (not backward-compatible)

Slide 24

Cypher: powerful and expressive
(Jennifer) -[WORKS_FOR]-> (Neo4j)
CREATE (:Person { name: 'Jennifer' }) -[:WORKS_FOR]-> (:Company { name: 'Neo4j' })
Slide callouts: each parenthesised pattern is a NODE, Person and Company are its LABELs, and name is a PROPERTY.

Slide 25

Cypher: read
(Jennifer) -[WORKS_FOR]-> (Neo4j)
MATCH (:Person { name: 'Jennifer' }) -[:WORKS_FOR]-> (whom) RETURN whom
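The read pattern above generalizes directly to the attack-path question from slides 13 and 15 (user -> group -> machine <- admin). The following is an added example, not code from the deck or from the speaker's repository: it creates a small constructed graph and then asks the defender's question, "from one ordinary user, is there a chain of memberships, admin rights and logon sessions that reaches the domain controller, and which edge should be cut?" The labels and relationship types (User, Group, Computer, MEMBER_OF, ADMIN_TO, HAS_SESSION) are assumptions loosely modeled on the BloodHound schema referenced on slide 16; all names and data are constructed.

```cypher
// Added example (not from the deck). Schema and data are constructed
// assumptions: MEMBER_OF = user/group membership, ADMIN_TO = local admin
// rights on a computer, HAS_SESSION = an interactive logon on that computer.
// Run the statements one at a time (e.g. in cypher-shell).

// 1. Constructed data: an ordinary user in a helpdesk group that has local
//    admin on a workstation where a domain admin currently has a session.
CREATE (alice:User {name: 'alice', enabled: true}),
       (helpdesk:Group {name: 'HELPDESK'}),
       (ws01:Computer {name: 'WS01', os: 'Windows 10'}),
       (dc01:Computer {name: 'DC01', os: 'Windows Server 2019'}),
       (dadmin:User {name: 'dadmin', enabled: true}),
       (domainAdmins:Group {name: 'DOMAIN ADMINS'}),
       (alice)-[:MEMBER_OF]->(helpdesk),
       (helpdesk)-[:ADMIN_TO]->(ws01),
       (ws01)-[:HAS_SESSION]->(dadmin),
       (dadmin)-[:MEMBER_OF]->(domainAdmins),
       (domainAdmins)-[:ADMIN_TO]->(dc01);

// 2. The slide-13 question: starting from one user, what chain of
//    relationships reaches the domain controller? shortestPath follows only
//    the three relationship types, outbound, up to 8 hops.
MATCH (u:User {name: 'alice'}), (dc:Computer {name: 'DC01'})
MATCH path = shortestPath((u)-[:MEMBER_OF|ADMIN_TO|HAS_SESSION*1..8]->(dc))
RETURN [n IN nodes(path) | n.name]         AS hops,
       [r IN relationships(path) | type(r)] AS edges,
       length(path)                          AS hop_count;
// Expected on the constructed data: hops = [alice, HELPDESK, WS01, dadmin,
// DOMAIN ADMINS, DC01], hop_count = 5.

// 3. Defender view: which privileged-user sessions sit on machines that a
//    non-privileged group can administer? Each returned row is an edge worth
//    removing (log the admin off, tier the account) to break the path above.
MATCH (g:Group)-[:ADMIN_TO]->(c:Computer)-[:HAS_SESSION]->(priv:User)
      -[:MEMBER_OF]->(:Group {name: 'DOMAIN ADMINS'})
WHERE g.name <> 'DOMAIN ADMINS'
RETURN c.name AS machine, priv.name AS privileged_user, g.name AS admin_group;
// Expected on the constructed data: WS01, dadmin, HELPDESK.
```

The variable-length pattern in step 2 is what a row-and-column view cannot express: the same query works whether the chain is two hops or eight, and adding a new data source (for example, ACL edges) only means adding another relationship type to the list.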

Slide 26

Loading a dump file
Drag + Drop

Slide 27

APOC library
Import CSVs (or other data)
• Cypher LOAD CSV
• apoc.load.
• MERGE (node)
• SET properties
• APOC functions/procedures for manipulation and cleaning
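As an added example of the import steps listed on this slide (not code from the deck or the speaker's repository): two constructed sources, a logon CSV and a group-membership JSON file, are loaded with LOAD CSV and apoc.load.json, deduplicated with MERGE, and enriched with SET. The file names, column names, labels and relationship types are assumptions; the files must sit in the Neo4j import directory, and apoc.load.json reading local files requires apoc.import.file.enabled=true in the APOC config.

```cypher
// Added example (not from the deck). Everything below is constructed.
//
// Assumed file <import dir>/logons.csv:
//   computer,user,logon_time,ip
//   WS01,alice,2024-03-01T08:15:00,10.0.0.5
//   ws01,DAdmin,2024-03-01T09:02:00,10.0.0.7
//   DC01,dadmin,2024-03-01T09:10:00,10.0.0.9
//
// Assumed file <import dir>/groups.json (one JSON object per line):
//   {"group": "HELPDESK", "members": ["alice", "bob"]}
//   {"group": "DOMAIN ADMINS", "members": ["dadmin"]}

// 1. Constraints first: MERGE is only correct (no duplicates under retries)
//    and fast (index lookup) when the merge key is unique.
CREATE CONSTRAINT user_name IF NOT EXISTS FOR (u:User) REQUIRE u.name IS UNIQUE;
CREATE CONSTRAINT computer_name IF NOT EXISTS FOR (c:Computer) REQUIRE c.name IS UNIQUE;
CREATE CONSTRAINT group_name IF NOT EXISTS FOR (g:Group) REQUIRE g.name IS UNIQUE;

// 2. LOAD CSV + MERGE + SET. Every CSV value arrives as a string, so the
//    cleaning (case, whitespace, type conversion) happens here, before MERGE,
//    otherwise "WS01" and "ws01" would become two different Computer nodes.
LOAD CSV WITH HEADERS FROM 'file:///logons.csv' AS row
MERGE (c:Computer {name: toUpper(trim(row.computer))})
MERGE (u:User {name: toLower(trim(row.user))})
MERGE (c)-[s:HAS_SESSION {at: datetime(row.logon_time)}]->(u)
SET s.source_ip = row.ip;

// 3. Second source via APOC: apoc.load.json yields one row per JSON object;
//    UNWIND turns the members array into one MERGE per user. MERGE on the
//    User node means a user seen in both files is still a single node, which
//    is what lets the two sources connect.
CALL apoc.load.json('file:///groups.json') YIELD value
MERGE (g:Group {name: value.group})
WITH g, value
UNWIND value.members AS member
MERGE (u:User {name: toLower(trim(member))})
MERGE (u)-[:MEMBER_OF]->(g);

// 4. Sanity check after import: group sizes and where each user has logged on.
MATCH (u:User)-[:MEMBER_OF]->(g:Group)
OPTIONAL MATCH (c:Computer)-[:HAS_SESSION]->(u)
RETURN g.name AS group, u.name AS user, collect(c.name) AS logged_on_to
ORDER BY group, user;
// Expected on the constructed files: alice -> [WS01], bob -> [],
// dadmin -> [WS01, DC01] (the ws01/DAdmin row was normalized into the same nodes).
```

Because the import is MERGE-based, the same files can be reloaded after a refresh without duplicating nodes or relationships; only the SET on the session relationship overwrites a property.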

Slide 28

Demo!

Slide 29

(No content)

Slide 30

Resources
• Github repository (today’s code): github.com/JMHReif/cybersecurity-sleuth
• Sandbox (hands-on, cybersecurity): sandbox.neo4j.com/
• GraphAcademy: graphacademy.neo4j.com/
• NODES 2024: dev.neo4j.com/nodes24