Charlotte Visualization Center – Log Visualization
VAST 2011 Challenge, Mini-Challenge 2
Authors and Affiliations:
Lane Harrison, Univ. of North Carolina at Charlotte, ltharri1@uncc.edu [PRIMARY contact]
Xiaoyu Wang, Univ. of North Carolina at Charlotte, xwang25@uncc.edu
Wenwen Dou, Univ. of North Carolina at Charlotte, wdou1@uncc.edu
Aidong Lu, Univ. of North Carolina at Charlotte, aidong.lu@uncc.edu
Tool(s):
Three tools were used for this
analysis. The log visualizations were prototyped by one member of the team
using Processing (processing.org) over the course of a month. The SQL queries
were handled through Navicat Lite (navicat.com). All data was converted to a
database-importable format using Perl scripts, which took two weeks to
implement.
Video:
ANSWERS:
MC 2.1 Events of Interest: Using the
new situation awareness display(s), what noteworthy events took place for the
time period covered in the firewall, IDS and syslog logs? Which events are of
concern from a security standpoint? Limit your answer to no more than five
noteworthy events. For each event, at least one of the submitted screen shots
must be relevant in your explanation of the event.
Event 1: Ingreslock activity on DC01 (192.168.1.2)
Security concern: high
In the log visualization we see anomalous Snort
activity (see dark pink bar in figure 1). The visualization shows, via
highlighting the machines green, that DC01 and the office computers are
involved. After clicking on DC01 to query the database for the services used in
that time period, we see that DC01 is using ingreslock. A quick Google search
for “ingreslock” shows that ingreslock is related to serious vulnerabilities. A
search for neighbors within the same time range yields no results. However,
expanding the time range shows that DC01 attempts to use ingreslock to connect
with 192.168.2.62 around 4-13 21:00. Since only one IP is targeted, this may be
considered a targeted attack.
Figure 1: DC01 showing ingreslock activity.
Event 2: Variety of potentially malicious activity
on 192.168.2.175 and 192.168.2.174
Security concern: high
When the log visualization is moved between 4-14 08:00 and 4-14 11:00, we see a large rise in Snort alerts for certain timesteps: the spike bars dwarf all the others (see figure 2). By selecting these bars, we see that DC2, the office computers, and the firewall log are involved (correlated by IP). After querying for the office computers' services during this time range (all other nodes were queried with no suspicious results), we see many suspicious-looking services (doom, gopher, ingreslock, etcetera). We then form a SQL query to see which office computers are generating this activity. This query consists of the date/time shown in figure 2 and all source IPs beginning with 192.168.2. A quick scan of the resulting source IPs shows that 192.168.2.174 and 192.168.2.175 are generating most of the suspicious activity. Given the wide range of IPs these two machines attempt to connect to, this is likely an automated attack or reconnaissance. Furthermore, since the Nessus report does not include vulnerabilities related to the high priority machines, we must look for suspicious activity directed at those machines. Querying for high priority machines that appear as destination IPs of connections from these two office machines in this time range, we see that only 192.168.1.14 (DC2) was targeted. Queries later in the timeline show that DC2 also starts sending out ingreslock requests, which means that it is likely compromised.
Figure 2: Highly suspicious office activity (see
Services on the right).
Event 3: Suspicious Activity on Port 1033
Security concern: med
On 4-14 around 02:00, we see an increase in system
log activity, in part resulting in the highlight of external_web. External IPs
10.200.150.201/206/207/208/209 all attempt to access the external web
server (172.20.1.5) via port 1033. This
was found by monitoring (via queries) the types of services used by external
IPs accessing the external web server. A Google search for “port 1033” reveals
that this is related to netspy.exe, which can act as a keylogger. In fact, a
query for source port 1033 with 172.20.1.5 as source IP shows that it also
attempts to access both 192.168.1.14 and 192.168.1.2. This therefore could be a
targeted attack attempting to take over the DNS/DHCP servers. The query used is
shown in figure 3.
Figure 3: Query showing activity on port 1033 from
the external web server to two high priority machines.
Event 4: Remote Desktop to External Web Server
Security concern: low
The analysis in Event 3 prompted an investigation of
IPs that accessed the server and the services they used. The services used were
determined via the visualization interactions, and the IPs connecting to these
machines were examined via SQL queries. By querying the firewall data for all
distinct services accessing the external web server, we see that port 3389,
which is used for Remote Desktop, is used. This could be correlated to the
system logs to look for logon events, but no evidence was found to suggest that
an external IP successfully logged in.
Figure 4: A rise in Snort alerts, shown to involve the mail, dns/dhcp servers, and the office machines.
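The firewall-log queries described in Events 2 and 4 (the office-subnet search for suspicious services, the follow-up for high priority destinations, and the distinct-services check on the external web server), written out as an added example in Python over an in-memory SQLite table. This is not the team's code: the rows, the `firewall` table and its column names are constructed for illustration, and the service values are assumed to be stored as names or port numbers.

```python
import sqlite3

# Constructed firewall records (not the VAST 2011 data): timestamp, source IP,
# destination IP, service name or destination port. Column names are assumed.
SAMPLE_ROWS = [
    ("2011-04-14 02:10:00", "10.200.150.201", "172.20.1.5", "1033"),
    ("2011-04-14 02:12:00", "10.200.150.206", "172.20.1.5", "3389"),
    ("2011-04-14 08:05:00", "192.168.2.174", "172.20.1.5", "http"),
    ("2011-04-14 08:06:00", "192.168.2.174", "192.168.1.14", "ingreslock"),
    ("2011-04-14 08:07:00", "192.168.2.175", "192.168.1.14", "gopher"),
    ("2011-04-14 08:08:00", "192.168.2.175", "192.168.2.9", "doom"),
    ("2011-04-14 08:09:00", "192.168.2.20", "172.20.1.5", "http"),
    ("2011-04-14 12:30:00", "192.168.2.174", "192.168.2.9", "ingreslock"),  # after window
]
SUSPICIOUS_SERVICES = ("doom", "gopher", "ingreslock")
HIGH_PRIORITY = ("192.168.1.2", "192.168.1.14")  # DC01 and DC2 from the report

def load_db(rows=SAMPLE_ROWS):
    """Build the in-memory firewall table the queries below run against."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE firewall (ts TEXT, src TEXT, dst TEXT, service TEXT)")
    con.executemany("INSERT INTO firewall VALUES (?, ?, ?, ?)", rows)
    return con

def _marks(seq):
    """Comma-separated '?' placeholders, one per element of seq."""
    return ",".join("?" * len(seq))

def suspicious_sources(con, start, end, subnet="192.168.2."):
    """Event 2: office hosts using suspicious services in the window, busiest first."""
    sql = (f"SELECT src, COUNT(*) AS n FROM firewall WHERE ts BETWEEN ? AND ? "
           f"AND src LIKE ? AND service IN ({_marks(SUSPICIOUS_SERVICES)}) "
           "GROUP BY src ORDER BY n DESC, src")
    return con.execute(sql, (start, end, subnet + "%", *SUSPICIOUS_SERVICES)).fetchall()

def high_priority_targets(con, sources, start, end):
    """Event 2 follow-up: which high priority servers the flagged hosts connected to."""
    sql = (f"SELECT DISTINCT dst FROM firewall WHERE ts BETWEEN ? AND ? "
           f"AND src IN ({_marks(sources)}) AND dst IN ({_marks(HIGH_PRIORITY)}) ORDER BY dst")
    return [r[0] for r in con.execute(sql, (start, end, *sources, *HIGH_PRIORITY))]

def services_to_host(con, host):
    """Event 4: distinct services used to reach a server (here the external web server)."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT service FROM firewall WHERE dst = ? ORDER BY service", (host,))]

if __name__ == "__main__":
    db = load_db()
    window = ("2011-04-14 08:00:00", "2011-04-14 11:00:00")
    flagged = suspicious_sources(db, *window)
    print("suspicious office sources:", flagged)
    print("high priority targets:", high_priority_targets(db, [s for s, _ in flagged], *window))
    print("services to external web server:", services_to_host(db, "172.20.1.5"))
```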
MC 2.2 Timeliness: For each event
submitted in MC 2.1, how early in the course of the event would your display(s)
enable a CNO team member to recognize that the event was noteworthy? For each
event, specify the earliest moment of recognition as a timestamp and provide a
screen shot at the earliest moment of recognition. Explain how the CNO team
member had enough information to determine that the event warranted attention.
Event 1 Time of Recognition: 4-14 00:00 (See timestamp near the bottom right on figure 1)
The anomalous Snort alert (dark pink in figure 1) prompted a search into the services used by the machines involved. Via the visualization, the analyst sees that ingreslock is used, which, following a search on Google, is shown to be related to various exploits.
Event 2 Time of Recognition: 4-14 12:00 (See timestamp near the bottom right on figure 2)
The large increase in Snort alerts is shown best in the video: in one time range the bars are close to each other in size, but when the spike comes, all other bars are made small while the spike bars are large. After using the visualization to determine which machines are affected, an analyst can click on the machines in turn to query the firewall-data database for the distinct services used by the machine (or, in the case of the office node, by the group of machines). When the analyst gets to the office machine node, they see a variety of suspicious services (shown in figure 2, right hand side). By modifying a SQL query to search for only those machines that are using suspicious services such as doom, ingreslock or gopher, machines 192.168.2.174 and 192.168.2.175 are shown to be producing most of this suspicious activity.
Event 3 Time of Recognition: 4-14 02:00 (See timestamp near the bottom right on figure 5)
In figure 5, the center of the top bar chart shows an increase in system event logs. Highlighting these shows all the machines involved (the green nodes). The highlighted nodes were consistent for each of the larger bars. Each node's services were investigated in turn with no new results. However, since this was the first time that the external web server had been highlighted, activity involving external IPs was examined. This was done via SQL queries specifying the internet address range 10.xxx.xxx.xxx as the source IP and the external web server as the destination IP. A scan of the results showed activity on 1033, which was known by the analyst to be the remote desktop port.
Event 4 Time of Recognition: 4-14 02:00 (See timestamp near the bottom right on figure 5)
Via the same analysis as in Event 3, port 3389 was also shown to have been used by external IPs.
Figure 5: external web server and other machines shown at a period of high activity late at night. This prompted an investigation into the services and source/destination IPs related to the increase in activity.
On analysis time:
It should be noted that queries involving system logs or Snort logs run at interactive speed, while queries involving firewall data took at most a full minute to complete. In total, approximately 4 hours was spent on analysis using the log visualizations and SQL.
MC 2.3 Recommendations: What are the
implications of the events discovered in MC 2.1? What report should the CNO
give to the CEO and/or what actions should the CNO take to improve security?
The DNS/DHCP servers and the Mail servers are likely compromised. Having DNS servers compromised leaves the entire company open to phishing attacks that can steal passwords, so these need to be quarantined and re-imaged right away. The mail server should also be fixed immediately, as being compromised may also lead to data loss or other phishing type attacks.
The Nessus report should include all high priority
machines.
Machines 192.168.2.175/174 should be quarantined.
All ingreslock and gopher activity should be
blocked.
Steps should be taken to better enforce company
policy regarding remote access.
The log visualization system should be modified to allow for dynamic filtering of benign events. For example, logon events were so common that invalid logon events were difficult to find.