Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

Transcription

1 Merging Network Configuration and Network Traffic Data in ISP-Level Analyses Timothy J. Shimeall, Ph.D. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Presentation Title Jan 11 14, 2016 Distribution Statement 2016 Carnegie A: Approved Mellon University for Public Release; 1

2 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM

3 Overview The Network Data Flood Analyst Needs Merger Methods Examples of Merger Practical Tips 3

4 Network Data Flood Network Configuration? Host identification Host criticality Host configuration Vulnerability scan Vulnerability impact Subnet relations Network Traffic Network Flows Packet captures Alerts Route information Address resolutions Service Logs 4

5 Analyst Needs Network observation What behaviors are seen from hosts of configuration X? What configurations contribute to the volume of behavior Y? Network orientation Which configurations have vulnerabilities scanned for during event Z? Which hosts are running the services exploited during event Z? Network understanding How difficult is it to apply patch Q on this network? What issues would be involved in blocking service R on this network? Network prediction What is likely to follow event Z due to our traffic and configuration? How likely are our customers to be affected by event Z? 5

6 Merger Methods Config-first: Using configuration to drive network traffic analysis Traffic-first: Using traffic to drive network configuration analysis Deep-dive: Goals-Questions-Metrics Sandwich: Iterate between traffic and configuration driving analysis 6

7 Examples of Merger Assessing encryption Start with hosts configured as servers for encrypted services Filter packets/flows/logs for those servers to generate profiles Identify common users of services Filter for other network points of contact for those users Associate services and configuration associated with those points Network attack impact Start with traffic indicators of attack Generate set of network hosts involved with indicators Associate services and configurations with hosts Filter for contacts Identify vulnerable configurations in contacts 7

8 Practical Tips Watch for topology mismatches Watch for NAT issues Try the simple approach first Generalize from working approaches Do not try to solve the insolvable 8

9 Conclusion Challenges Methods exist Don t try to be too generic: you can extrapolate from what works Need to take into account human and automated advantages 9

10 Contact Information Timothy Shimeall Senior Member of the Technical Staff Telephone: