Datascape for Cyber-Security NSA Cyber Defence Exercise Worked Example




In 2009 the National Security Agency/Central Security Service (NSA/CSS - www.nsa.gov) ran the annual Cyber Defense Exercise (CDX, http://www.nsa.gov/public_info/press_room/2009/cyber_defense_trophy.shtml). This annual event, sponsored by NSA/CSS, is a computer security competition designed to foster education and awareness among future military leaders about the role of information assurance (IA). During the CDX, NSA/CSS network specialists challenged teams in their abilities to defend the closed computer networks that the students had designed, built and configured at their respective schools. Teams from the U.S. Air Force Academy, U.S. Coast Guard Academy, U.S. Merchant Marine Academy, U.S. Naval Academy, and West Point participated at their respective schools. Also participating were the Air Force Institute of Technology, the Naval Postgraduate School and, for the first time, an allied partner school, the Royal Military College of Canada.

The 2009 competition was won by the United States Military Academy at West Point (their equivalent of Sandhurst in the UK, my alma mater), and conveniently the datasets from their entry have been released into the public domain and are available, with supporting information, at http://www.westpoint.edu/crc/sitepages/datasets.aspx and https://www.itoc.usma.edu/research/dataset/. There are three main datasets:

- The ITOC NSA (Attacker) Firewall Log, taken from a machine located outside of the protected network and recording the events from the attacker's point of view.
- USMA Outside Firewall Log, taken from a firewall at the boundary of the protected network and recording the events from the victim's point of view.
- USMA Snort log, taken from a machine located within the USMA network and recording suspicious behaviour in that network based on the Snort rules.
In order to see how Datascape might be able to visualise this sort of cyber data we brought extracts of all three datasets into Datascape. Initially we imported 1000 log entries from each system, corresponding to 2-3 minutes of ITOC data, 6 minutes of Outside data and 3.5 hours of Snort data (note that the time periods did not necessarily overlap).

Please bear in mind that we are not cyber-security, or even network data, experts, so we don't have the expertise to look at the data or these visualisations and tell you what is happening, or where the threats may be, but hopefully even so they serve to show how Datascape can take a cyber-security dataset and render visualisations that might both a) make sense and be useful to an expert in understanding what is going on and identifying a potential threat, and b) be used by that expert to explain the activity to a non-expert in a very clear, understandable and memorable way.

As ever some data cleansing (particularly removing nulls and invalid IP addresses) and enrichment (splitting the IP address into 4 fields, splitting the single log files into separate node and edge files) was required, and all achieved within Excel/OpenOffice. And please bear in mind we know nothing about cyber-security; we are effectively lay users looking to see if we can find what might be interesting patterns and anomalies. If some cyber experts would like to use Datascape to properly analyse this dataset then please get in touch.

ITOC (External) Data

To the layman the ITOC data was by far the most interesting, so let's start there. This is an extract of the node data after cleansing/enrichment. Note that we've used Excel functions to split the IP address into its four component bytes and to add the Source/Destination End flag. The Node list was derived from the link list provided.

And here is the link data. Again we've used Excel functions to generate the NodeBId by just offsetting the NodeAId by 1000 (the number of links). Note that in this data each node is an IP address at a moment in time, so one PC will have a separate node for each link it's a part of.

These were then imported into Datascape and mappings created as follows:

For the nodes:

Note that:

- We have used the event ID as a proxy for time (since we only have 1s resolution in the data, but often many events per second), and placed time/id on the Z axis
- We have used the Y axis for the MSB of the IP address, as a proxy for network
- We have used the X axis for the LSB of the IP address, as the identity for a particular device
- Mapped Shape to whether the node originated (sphere) or received (cube) the exchange
- Mapped Colour to some of the more interesting Ports (92 ports were present in total; we have mapped about 10)

The factors for X, Y and Z are just to get a usable layout.

For the edges:

Note that:

- We have mapped Colour to the network protocols (EIGRP=Red, TCP=Green, UDP=Orange)

The resulting plot is shown below. In this visualisation:

- We are looking down a time-tunnel, oldest data closest to us
- Each horizontal layer is a different network (defined by MSB of IP address)
- Each point on a line/layer across the screen is a different device/IP LSB
- Each line of points down the time tunnel is a different device's transactions

Just from this view (which is only a few minutes' data) we can see:

- Frequent activity on the bottom layer (actually the 10.n.n.n network) between low numbered devices across TCP and UDP
- Consistent activity between low numbered devices on the 10.n.n.n network and low numbered devices on a high numbered network (actually 224.0.0.10) using the EIGRP protocol
- A regular but infrequent exchange between a low and high numbered device on the 10.n.n.n network
- Bursts of UDP activity between high numbered devices on the 10.n.n.n and a high numbered network (actually 239.255.255.250)
- Regular activity between a low numbered device on a high numbered network (192) and a high numbered device on the 10. network
- A couple of unique transactions from a low numbered device on a low numbered network (actually 0.0.0.0) to a high numbered device on a high numbered network (actually 255.255.255.255)

If we zoom in on a segment of the plot (from the activity at lower left in the above visualisation) we can also see some of the fine detail. For instance in the section above we can see:

- 5 groups of TCP (green) exchanges with a pattern of two long (i.e. broad) transmissions from bottom (actually 10.2.20.50) to top (10.1.110.10), followed by a reverse and smaller transmission (an acknowledgement?), all on a high numbered (red) port
- 2 groups of UDP (yellow) exchanges, a small one from top to bottom (10.1.90.5 to 10.2.20.52), and a slightly larger one in the reverse direction, both on a low numbered (grey) port

So whilst we ourselves don't know a lot about network systems and cyber-security, Datascape is already beginning to reveal things that look like common patterns, and transmissions that look unique within the dataset and so may be worthy of further study.
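As an added example (not part of the original Datascape write-up), the cleansing and enrichment steps described for the ITOC data, together with the node and edge mappings above, expressed as a small Python script: it drops entries with null or invalid IP addresses, splits each address into its four octets, derives a source and destination node per link with NodeBId = NodeAId + number of links, and computes the X (LSB), Y (MSB) and Z (event id) positions plus the protocol colour for each edge. The sample log rows, the column layout and the X/Y/Z factors are constructed assumptions, not the USMA dataset's actual format.

```python
import ipaddress

# Constructed sample firewall-log rows (not taken from the ITOC/USMA dataset):
# (event_id, source_ip, destination_ip, protocol, port)
SAMPLE_LOG = [
    (1, "10.2.20.50", "10.1.110.10", "TCP", 49152),
    (2, "10.1.110.10", "10.2.20.50", "TCP", 49152),
    (3, "10.1.90.5", "10.2.20.52", "UDP", 53),
    (4, "10.1.1.1", "224.0.0.10", "EIGRP", None),
    (5, None, "10.2.20.999", "UDP", 53),           # null source: removed at cleansing
    (6, "10.2.20.999", "10.1.110.10", "TCP", 80),  # invalid IP: removed at cleansing
]

# Edge colour by protocol, as in the ITOC plot; anything else falls back to grey
PROTO_COLOUR = {"EIGRP": "red", "TCP": "green", "UDP": "orange"}
# Layout scaling factors for X, Y, Z (assumed values; they only tidy the layout)
X_FACTOR, Y_FACTOR, Z_FACTOR = 1.0, 10.0, 0.5

def valid_ip(value):
    """True only for a well-formed dotted-decimal IPv4 address (rejects None and bad octets)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def cleanse(rows):
    """Drop log entries whose source or destination IP is null or invalid."""
    return [r for r in rows if valid_ip(r[1]) and valid_ip(r[2])]

def build_nodes_and_edges(rows):
    """One node per IP-at-a-moment-in-time; NodeBId = NodeAId + number of links."""
    clean = cleanse(rows)
    n_links = len(clean)
    nodes, edges = [], []
    for node_a_id, (event_id, src, dst, proto, port) in enumerate(clean):
        node_b_id = node_a_id + n_links
        for node_id, ip, end, shape in ((node_a_id, src, "source", "sphere"),
                                        (node_b_id, dst, "destination", "cube")):
            msb, _b2, _b3, lsb = (int(o) for o in ip.split("."))  # the four octets
            nodes.append({"id": node_id, "ip": ip, "end": end, "shape": shape, "port": port,
                          "x": lsb * X_FACTOR,        # LSB identifies the device
                          "y": msb * Y_FACTOR,        # MSB stands in for the network
                          "z": event_id * Z_FACTOR})  # event id as a proxy for time
        edges.append({"node_a": node_a_id, "node_b": node_b_id, "protocol": proto,
                      "colour": PROTO_COLOUR.get(proto, "grey")})
    return nodes, edges
```

The two lists are what would be written out as the separate node and edge files before import.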

OUTSIDE Data

Although called Outside data this is actually the view from inside of the firewall as far as we can work out. The data formats are similar to the ITOC data. For nodes:

And for links:

Note that we are removing from the link list any data specific to the nodes (e.g. port), and removing from the node list any data specific to the link (e.g. protocol, length). The mappings used were essentially the same as for the ITOC data, but the visualisation is quite different:

As would be expected we are now primarily seeing traffic on the internal 10. network, the horizontal layer across the bottom. There are no links from 10. to any other network, and we are just seeing a few links not on the 10. network. And here is the colour translation table, which we based on the protocol in use:

Orientating to a look-down/2D view (and changing our background) we can nicely see the burst of DNS activity (the yellow & white transactions at left), and a repeating pattern of Jabber/XML activity (red and cyan). The original view also showed a couple of transactions well above the 10. plane. Looking at them we see that they are all on the 169 network and going to 169.254.255.255, and appear to consist of management broadcasts involving ITOC (the organisers) and USMA (the network whose data we have).

SNORT

The final set of data comes from SNORT, a lightweight network intrusion detection system running within the USMA network. The data for this is more rules based, flagging issues rather than showing raw transactions. The node data looks much like the others:

and the edges data:

We used a similar visualisation to the other two, and this time coloured the links by the rule being triggered, grouping similar rules/alerts into similar or the same colours. Giving us this visualisation:

And from the side: most of the activity is within 10. but there are quite a number of cross-network links. That one reaching to the sky is from 10.1.60.25 to 222.100.5.223 and has a rule of "data sent on a stream not accepting data". An oblique view is also useful.

And then we can start clicking on the links of interest, put them into their own group, and get Datascape to display the relevant labels.

BRINGING IT ALL TOGETHER

Although these samples are not synchronised in time, we could, with a synchronised dataset, display all sets simultaneously in order to track activities across the three sensor points, showing:

- ITOC (external) at the bottom
- SNORT in the middle
- Outside (internal) at the top.

SUMMARY

As mentioned at the beginning we are not cyber-security experts, but hopefully these visualisations may show those who are experts some original ways of looking at IT network and cyber-security data, and show others the versatility of Datascape and give you some ideas as to how you might visualise your own data.

Note: The datasets we have used here are only extracts of 1000 links, but we have run Datascape on reasonable (not even pro-gamer standard) PCs and plotted up to around 250,000 points (about 80,000 links), so we do have the capability to show quite significant portions of these sorts of datasets.

For more information on Datascape please email datascape@daden.co.uk or visit our web site at http://www.daden.co.uk//datascape.