University of Buenos Aires – svc+canvas+processing heatmaps

VAST 2011 Challenge
Mini-Challenge 2 – Computer Networking Operations at All Freight Corporation

Authors and Affiliations:

Walter Marcelo Lamagna, Universidad de Buenos Aires, wlamagna@hotmail.com  

Tool(s):

I used Linux, shell and Perl scripts. The database was Postgres. For the challenge I developed a custom application using canvas, Processing and HTML.

In addition, a parallel coordinates visualization module was written in Processing. This module has no name yet, but it will be released to the open source community in the near future.

This was done during the Data Visualization course of the Data Mining master's degree at the Universidad de Buenos Aires, in the first semester of 2011. I would like to thank my teacher Ariel Aizemberg for his knowledge transfer and guidance; his lessons are useful in countless fields.

The data for the visualization was preprocessed. First I had to synchronize the logs based on fingerprints in the network traffic, and then I wrote Perl scripts to generate the JavaScript files holding the data for the visualization.

 

Video:

Link to the video

 

ANSWERS:


MC 2.1 Events of Interest: Using the new situation awareness display(s), what noteworthy events took place for the time period covered in the firewall, IDS and syslog logs? Which events are of concern from a security standpoint? Limit your answer to no more than five noteworthy events. For each event, at least one of the submitted screen shots must be relevant in your explanation of the event.



Data synchronization
First the log files were synchronized. I started with the IDS log and synchronized it with the PCAP, then the firewall log was synchronized with the PCAP, which means that the IDS and firewall logs are synchronized with each other. Finally, the security log was synchronized with the firewall log, which means that the security log is also synchronized with the IDS log. This was done by searching for a pattern of port accesses that appears just once, in the same order and time sequence, like a fingerprint.
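As an added illustration of the fingerprint approach (example code written for this page, not the author's Perl scripts): it looks for a run of destination ports that occurs exactly once in each of two logs with the same inter-event gaps, derives the clock offset from that run, and rewrites the second log onto the first log's clock. The records, the 200 s skew and the timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records of (timestamp, destination port), one list per log source.
# The firewall clock is assumed to run 200 s ahead of the IDS clock, and the firewall
# holds one extra record at the start; the port run 80,80,443 appears twice in the IDS log
# so it cannot serve as a fingerprint. All values are constructed for this example.
IDS_LOG = [
    ("2011-04-13 15:40:02", 80), ("2011-04-13 15:40:05", 80), ("2011-04-13 15:40:09", 443),
    ("2011-04-13 15:40:15", 8080), ("2011-04-13 15:40:16", 3389), ("2011-04-13 15:40:18", 5900),
    ("2011-04-13 15:40:25", 80), ("2011-04-13 15:40:27", 80), ("2011-04-13 15:40:31", 443),
]
FW_LOG = [
    ("2011-04-13 15:43:20", 80), ("2011-04-13 15:43:22", 80), ("2011-04-13 15:43:25", 80),
    ("2011-04-13 15:43:29", 443), ("2011-04-13 15:43:35", 8080), ("2011-04-13 15:43:36", 3389),
    ("2011-04-13 15:43:38", 5900), ("2011-04-13 15:43:45", 80), ("2011-04-13 15:43:47", 80),
    ("2011-04-13 15:43:51", 443),
]

FMT = "%Y-%m-%d %H:%M:%S"

def ngrams(ports, n):
    return [tuple(ports[i:i + n]) for i in range(len(ports) - n + 1)]

def find_fingerprint(log_a, log_b, n=3, tolerance=timedelta(seconds=1)):
    """Find a run of n consecutive destination ports that occurs exactly once in each log
    and whose inter-event gaps agree within `tolerance`.
    Returns (index_a, index_b, offset) where offset = clock_b - clock_a, or None."""
    grams_a = ngrams([p for _, p in log_a], n)
    grams_b = ngrams([p for _, p in log_b], n)
    for ia, gram in enumerate(grams_a):
        if grams_a.count(gram) != 1 or grams_b.count(gram) != 1:
            continue  # not unique on one side: no use as a fingerprint
        ib = grams_b.index(gram)
        ta = [datetime.strptime(log_a[ia + k][0], FMT) for k in range(n)]
        tb = [datetime.strptime(log_b[ib + k][0], FMT) for k in range(n)]
        gaps_agree = all(abs((ta[k + 1] - ta[k]) - (tb[k + 1] - tb[k])) <= tolerance
                         for k in range(n - 1))
        if gaps_agree:  # same order and same time sequence: accept
            return ia, ib, tb[0] - ta[0]
    return None

def synchronize(log_a, log_b, n=3):
    """Return log_b with its timestamps rewritten onto log_a's clock."""
    match = find_fingerprint(log_a, log_b, n)
    if match is None:
        raise ValueError("no unique fingerprint shared by both logs")
    offset = match[2]
    return [((datetime.strptime(ts, FMT) - offset).strftime(FMT), port) for ts, port in log_b]
```

The same routine chains across sources as the text describes: synchronize the firewall log to the IDS log, then the security log to the already shifted firewall log.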

1. Attacking the web server
The web server had a suspiciously high amount of traffic from 15:41 to 16:49 on the first day (Screen #1, the green bar); after that the traffic decreases. It may have been a DoS, or a vulnerability scan, or perhaps an attempt to exploit a remote buffer overflow (Screen #1, the green line identifies this event).


big version #1 big version #2
2. From the web server to the internal network
What happened 5 minutes after the web server was hacked? A connection is made with the user EWS$ from the web server (172.20.1.5) to DC01 (192.168.1.2). (Screen #2: the 2.A and 2.B codes identify, using a parallel coordinates visualization, what happened at that moment. This can be observed by clicking the red square at 16:54 in Screen #1, "2. From the web server to the internal network".)

big version #3
In Screen #3 there are 3 marks identified as "2. From the web server to the internal network". These green marks are permitted connections made from the outside to the web server, but using a port greater than 1024; it may be a backdoor installed to keep access even if the web server is restarted. The backdoor is listening on port 3389.

3. Coordinated and internal attacks
What happened 20 minutes after the web server was hacked? An attack at 17:14 on the first day (Screen #3, 3.C). The blue marks are the TCP Window Scale option (some scanning method) (Picture #3, the 3.A and 3.B marks).


Big version #1  Big version #2  Big version #3
This graphic, combined with the observation of "Successfully logged in accounts" minutes before the port scan at 17:14, provides the time-correlated information about the login into the machine being used for the attacks.

17:37, 17:38 and 17:40 are the moments when a coordinated port scan starts (Picture #2, the 3.B mark), each from a different machine in the users' network. A minute before the attack performed from 192.168.2.171, the user "tara.jones" logged into that machine at 17:36 (Figure #1), and two minutes later the attack takes place from 192.168.2.172. An anonymous logon was performed on that machine 7 minutes earlier (Picture #2, the 3.C mark).

On the second day a clear internal attack takes place, from the external web server (172.20.1.5) and two other machines (192.168.2.174, 192.168.2.175), directed at the server network and trying to reach the production servers.

4. An operation was performed on an object
Some task has been scheduled since the first day, after the moment when the attackers penetrated the network; this task takes place every 54 minutes (Picture #5, the 4.A mark).


Big version #1  Big version #2 
5. An account tries to log in
Every 15 minutes an account tries to log in, each time from the internal web server to DC01.AFC.com. One could suppose that this is a normal cron job with a wrong password, but it was installed during the intrusion and it started and ended within a bounded time period (Picture #4, the 4.B mark). What may need even more attention is that an administrator failed to log in in exactly the same pattern as those failed logins (Picture #4, the 4.C mark).


Big version #1  Big version #2  Big version #3

MC 2.2 Timeliness: For each event submitted in MC 2.1, how early in the course of the event would your display(s) enable a CNO team member to recognize that the event was noteworthy? For each event, specify the earliest moment of recognition as a timestamp and provide a screen shot at the earliest moment of recognition. Explain how the CNO team member had enough information to determine that the event warranted attention.

1. Attacking the web server

The web server attack could be noticed during the first minutes because the traffic increases from just a few connections to an average of 60000 per minute. This can be seen by looking at the heatmap and the parallel coordinates of that very first minute (Picture #2.1.A). The CNO team could be notified because the traffic to the web server increased suspiciously.

2. From the web server to the internal network

(Picture #2.1.B)
Minute by minute, the heatmap would start displaying the network activity. After the web server is hacked it stops answering (the green color disappears). The logons could be monitored (red color), and it is suspicious that somebody is connecting from the web server itself.

3. Coordinated and internal attacks




(Picture #2.1.B)
After the web server hack and the strange connection to DC01 from the web server itself, a port scan starts taking place (blue color). The moment the IDS detects it, the blue color would identify this threat. A CNO team member clicks that blue mark and inspects the parallel coordinates, which display one graph for each log file (IDS, firewall, security), to gain more knowledge about the issue.



4. An operation was performed on an object

A red color would signal that an operation was done on an object. The parallel coordinates graph is shown by clicking the red marks, and it indicates which operation was done and on which server. Maybe somebody opened a door for the intruder, because this happens one hour before the attack starts (Picture #2.3.A).

5. An account tries to log in
On the one hand, the failed account login may be difficult to detect because it is common for a user to mistype a password. On the other hand, during the 4 days of logs there was only this one pattern of failed logins (every 15 minutes). If this is the case, then it could be detected immediately because the red color would signal that an outlier happened (Picture #2.3.B).
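As an added example for events 4 and 5 (not part of the original submission): a detector that groups security-log records by (event, source, target) and flags the groups whose inter-arrival times are nearly constant, which is what makes the 15-minute failed logins and the 54-minute scheduled operation stand out against ordinary, irregular login failures. The records, hosts and event names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed security-log style records: (timestamp, event, source host, target host).
# The failed logins from the web server to DC01 every 15 minutes mirror event 5 of the
# writeup, the object operations every 54 minutes mirror event 4, and the 192.168.2.40 rows
# are ordinary user mistakes. Hosts, event names and times are constructed for this example.
SECURITY_LOG = [
    ("2011-04-13 16:00:00", "object_operation", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:00:00", "failed_login", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:03:12", "failed_login", "192.168.2.40", "DC01.AFC.com"),
    ("2011-04-13 16:54:00", "object_operation", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:15:00", "failed_login", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:30:01", "failed_login", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:41:57", "failed_login", "192.168.2.40", "DC01.AFC.com"),
    ("2011-04-13 17:45:00", "failed_login", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 17:48:00", "object_operation", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 18:00:00", "failed_login", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 18:22:09", "failed_login", "192.168.2.40", "DC01.AFC.com"),
    ("2011-04-13 18:42:00", "object_operation", "172.20.1.5", "DC01.AFC.com"),
    ("2011-04-13 18:50:33", "failed_login", "192.168.2.40", "DC01.AFC.com"),
]

def periodic_series(log, min_events=4, max_jitter=0.05):
    """Group records by (event, source, target) and return the groups whose inter-arrival
    times are nearly constant, as {key: period_in_seconds}. A group is periodic when it has
    at least min_events records and every gap lies within max_jitter of the median gap."""
    groups = defaultdict(list)
    for ts, event, src, dst in log:
        groups[(event, src, dst)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    found = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue  # too few records to call anything a pattern
        times.sort()  # records may arrive out of order once several logs are merged
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= max_jitter * period for g in gaps):
            found[key] = period
    return found

def report(found):
    """Human-readable lines, one per periodic series, in the order found."""
    return ["%s from %s to %s every %.0f minutes" % (event, src, dst, period / 60)
            for (event, src, dst), period in found.items()]
```

The human failures from 192.168.2.40 have gaps of roughly 39, 40 and 28 minutes and are rejected by the jitter test, while both machine-driven series are reported.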

MC 2.3 Recommendations: What are the implications of the events discovered in MC 2.1? What report should the CNO give to the CEO and/or what actions should the CNO take to improve security?

The implications are serious: the network security was broken, and I would suspect somebody from inside of helping this to happen. The CNO should notify the CEO about the security flaw and do an analysis of the web server, the mail server and the shipping routing database. If possible, he should request security surveillance video tapes and entrance logs to verify the hypothesis of an internal person helping this to happen. The CNO should deny all connections from the web server to the DMZ (internal LAN). If the firewall is not able to do it, he should replace it with a Linux firewall running iptables. If possible he should replace the Windows web server with an Apache one. He should also set up another firewall that protects the datacenter from the office network; in addition he could put the HR database and Shipping Routing DB in a separate network behind another firewall.