"ORNL-Goodall-MC2"

VAST 2012 Challenge
Mini-Challenge 2:
Team Members:

John Goodall, Oak Ridge National Laboratory, jgoodall@ornl.gov    PRIMARY
Jason Laska, Oak Ridge National Laboratory, Student Intern, laskaja@ornl.gov
Erik Ferragut, Oak Ridge National Laboratory, ferragutem@ornl.gov
Lane Harrison, Oak Ridge National Laboratory, Student Intern, harrisonlt@ornl.gov
Mike Iannacone, Oak Ridge National Laboratory, iannaconemd@ornl.gov
Evan Downing, Oak Ridge National Laboratory, Student Intern, downingep@ornl.gov

Student Team: NO

Tool(s):

Redis-server
node.js
crossfilter.js
jQuery.js
D3.js

We developed "vis.js" at Oak Ridge National Laboratory to visualize our data and to help us analyze network traffic in real time (as seen in our video). We also used real-time anomaly detection methods to classify network traffic as malicious or anomalous.

"vis.js" screenshot:

Video: video link

Answers to Mini-Challenge 2 Questions:

MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

    • A. Firewall login to 172.23.0.1 at 18:21:54 - 18:22:04.

    • B. Logserver communication stops at 18:05:13 (the previous update frequency averaged 5 minutes, based on the available information).

    • C. Additional computers are added to the network. Computers assigned IP addresses in 172.28.X.X appear in the network topology at 05/Apr/2012 18:22:31 according to the firewall log. Addresses in this range are not assigned any role in the network role responsibility document.

  1. Port scan: a set of internal IP addresses attempts to gain access to 172.23.0.1 by means of a port scan. The IP addresses 172.23.240.156, 172.23.236.8, 172.23.231.69, 172.23.234.58, 172.23.232.4 scan at the times 4/5/12 21:48, 4/5/12 23:30, 4/6/12 0:23, 4/6/12 0:33, 4/6/12 1:32.

    These IP addresses progress through the following collection of ports while communicating with the DNS server: 22, 161, 1433, 1521, 3306, 5432, 5800-5820, 5900-5920.
    • A. Firewall login to 172.23.0.1 at 06/Apr/2012 17:41:13 - 06/Apr/2012 17:45:14 (screenshot).

    • B. The only 172.23.X.X address communicating during 06/Apr/2012 17:41:41 - 18:06:03 is 172.23.0.108. It is suspicious that a 24-hour call center has such sparse traffic; possibilities include rerouted traffic or widespread shutdowns.

    • C. DNS server 172.23.0.10 communicates with the financial services NAT addresses 10.32.2.100 and 10.32.2.101 at 06/Apr/2012 17:58:03 and 06/Apr/2012 17:50:40, respectively.

  2. The IP addresses 172.23.0.101 and 172.23.0.100 start on the "inside" and then end up on the "outside":

    2012-04-06 17:44:59 Local4.Info 172.23.0.1 %ASA-6-305010: Teardown static translation from inside:172.23.0.100 to outside:10.32.2.100 duration 173:13:05

    2012-04-06 17:57:58 Local4.Error 172.23.0.1 %ASA-3-305006: regular translation creation failed for icmp src inside:172.23.0.10 dst outside:172.23.0.100 (type 0, code 0)

  3. 20-minute gap in the log entries (the last entry of one day's firewall file and the first logged entry of the next, as shown by the command below):

    tail -1 Firewall-04062012.csv ; head -2 Firewall-04072012.csv | tail -1

    06/Apr/2012 17:20:53,Info,Built,ASA-6-302013,TCP,172.23.5.142,10.32.0.100,(empty),(empty),4329,80,http,outbound,1,0
    06/Apr/2012 17:40:02,Info,Built,ASA-6-302015,UDP,172.23.0.10,128.8.10.90,(empty),(empty),64048,53,domain,outbound,1,0
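As an added illustration (not part of the ORNL submission or of vis.js), the following Python reads firewall CSV rows in the layout quoted above and checks for two of the patterns reported in MC 2.1: a gap in the log stream (item 3) and a single source sweeping many ports on one host (item 1). The column order is assumed from the two quoted lines, and the sample rows are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample rows in the page's firewall CSV layout. Column order is assumed from the
# two lines quoted above: timestamp, priority, operation, message code, protocol, source IP,
# destination IP, source host, destination host, source port, destination port, service,
# direction, connections built, connections torn down.
SAMPLE = """\
05/Apr/2012 21:48:00,Info,Built,ASA-6-302013,TCP,172.23.240.156,172.23.0.10,(empty),(empty),51000,22,ssh,inbound,1,0
05/Apr/2012 21:48:01,Info,Built,ASA-6-302013,TCP,172.23.240.156,172.23.0.10,(empty),(empty),51001,161,snmp,inbound,1,0
05/Apr/2012 21:48:02,Info,Built,ASA-6-302013,TCP,172.23.240.156,172.23.0.10,(empty),(empty),51002,1433,ms-sql,inbound,1,0
05/Apr/2012 21:48:03,Info,Built,ASA-6-302013,TCP,172.23.240.156,172.23.0.10,(empty),(empty),51003,3306,mysql,inbound,1,0
05/Apr/2012 21:48:04,Info,Built,ASA-6-302013,TCP,172.23.240.156,172.23.0.10,(empty),(empty),51004,5900,vnc,inbound,1,0
05/Apr/2012 21:48:05,Info,Built,ASA-6-302013,TCP,172.23.5.142,10.32.0.100,(empty),(empty),4329,80,http,outbound,1,0
05/Apr/2012 22:08:30,Info,Built,ASA-6-302015,UDP,172.23.0.10,128.8.10.90,(empty),(empty),64048,53,domain,outbound,1,0
"""
TS_FMT = "%d/%b/%Y %H:%M:%S"

def parse_rows(text):
    """Keep only the fields needed here: timestamp, source IP, destination IP, destination port."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) < 11:          # skip blank or truncated records
            continue
        rows.append({"ts": datetime.strptime(rec[0], TS_FMT),
                     "src": rec[5], "dst": rec[6], "dport": int(rec[10])})
    return rows

def log_gaps(rows, min_gap=timedelta(minutes=15)):
    """(previous timestamp, next timestamp, gap) for consecutive entries further apart than min_gap."""
    return [(a["ts"], b["ts"], b["ts"] - a["ts"])
            for a, b in zip(rows, rows[1:]) if b["ts"] - a["ts"] > min_gap]

def port_scanners(rows, min_ports=5):
    """(src, dst) -> sorted distinct destination ports, for sources touching >= min_ports ports on one host."""
    ports = defaultdict(set)
    for r in rows:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for start, end, gap in log_gaps(rows):
        print(f"log gap of {gap} between {start} and {end}")
    for (src, dst), plist in port_scanners(rows).items():
        print(f"{src} -> {dst} touched ports {plist}")
```

Against the real challenge files the same two functions would be run over the concatenated rows of both days, with the thresholds tuned to the baseline traffic of the call center.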

MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.

First, the attackers gain their initial access to the network, as described above in MC 2.1 number 1 part a. They are then able to reconnoiter the network from within (also described in MC 2.1). They assert some control over multiple internal machines, possibly incorporating them into a botnet (indicated by the communication over port 6667, used for IRC, as discussed in MC 2.3). At this point they are able to exert nearly complete control over the network topology (see MC1 part 4). They then manipulate the financial services NAT, possibly stealing useful information, and exfiltrate this data, possibly through the botnet mentioned above. One especially suspicious machine in this regard is 172.23.252.10, which has no traffic on day 1 and 121,752 connections on day 2.

MC 2.3 What do you suspect is (are) the root cause(s) of the events identified in MC 2.1? Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)?

  1. Disable / restrict traffic over port 6667. IRC is a popular way to control a botnet. Communication between the offsite IRC servers (10.32.5.5X) and the infected computers 172.23.23[1-5,8,9].X occurs about every second.
  2. Disable / restrict traffic over port 445, the port targeted by the buffer overflow exploit. The affected machines should be patched.
  3. Disable / restrict traffic over ports 137-139. These ports provide an alternative avenue for file sharing between internal machines.
  4. While the corporate network cannot be shut down, temporarily refusing access to the financial servers after the events of day 1 could be useful.
  5. Quarantine the port scanners and shut down 172.23.0.108.
  6. Create stricter rules governing machines not listed in the existing network topology (172.28.X.X).