Daniel Ellis
Andrew Leigh
Lukas Roberts
Calum Devlin
Student Team: YES
PHPmySQL
MySQL
MS Excel
Processing (authors: Ben Fry and Casey Reas of MIT)
Video:
Answers to Mini-Challenge 2 Questions:
MC 2.1 Using your visual
analytics tools, can you identify what noteworthy events took place for the
time period covered in the firewall and IDS logs? Provide screen shots of your
visual analytics tools that highlight the five most noteworthy events of security
concern, along with explanations of each event.
Attacks from various workstations occur at a fairly constant rate of about
five per minute, with periods at rates as high as 14 per minute. As well as
the attacks on the DNS server, there are websites accessible from the Bank of
Money's computers which are recruiting more bots into the botnet required to
bring down the DNS server and perform a denial of service attack. On day two
the activity spikes and the DNS server appears compromised, at which point
many more attacks occur from external sites through high custom port numbers.
The attacks primarily target port 445 (SMB over TCP), a well-known vector for
attacks on Windows XP based systems. The first two graphs of the IDS logs show
distinctly different activity: on the first day there is a large number of
attacks on the DNS server, whereas on the second day there is a larger
proportion of misc activity.
MC 2.2 What security trend is apparent in the
firewall and IDS logs over the course of the two days included here? Illustrate
the identified trend with an informative and innovative visualization.
We first looked at the four files. Since the IDS (Snort) logs were
substantially smaller than the firewall logs, we started by importing the
Snort CSV into MS Excel. The Snort log shows that the low priority (3)
warnings record many attempts by workstation IP addresses to access SMB
(Samba) shares, almost entirely over port 445. This is a port on which
Windows XP is known to have security vulnerabilities, and we estimate that
the workstations of a corporate bank such as this would be running Windows.
All of these SMB access attempts have a destination IP of 172.23.0.10, which
is listed on the Bank of Money's network as its DNS server ("Server running
critical network operations: domain controller and domain name server").
There are 2150 such attempts against the DNS server between 17:55 and 20:25,
a span of 2 hr 30 min (150 min), i.e. a rate of 14.3 per minute.
At 20:25 the Snort log description column shows misc activity. At this point
the activity switches from being all directed at the DNS server to
originating from the 10.32.5.xx subnet, the Internet websites accessible to
Bank of Money employees, with destinations among the Bank of Money
workstations in the 172.23.xxx.xxx subnet. We speculate that the purpose of
the misc activity is to propagate the virus/malware to more and more
workstations on the Bank of Money's network before bombarding the DNS server
again. After a further five minutes this pattern repeats. In the five minutes
from 20:25 to 20:30 there are 19 entries in the Snort log which originate
from websites accessible to Bank of Money employees; their destinations are a
range of IP addresses belonging to general workstations in cubicles at the
Bank of Money. At 20:29 there are 6 more, and then a further 3, of these low
priority entries. The DNS server is then attacked again: log entries 2182 to
2299 are DNS attacks, 117 in one minute. At 20:31 there are more external
website accesses, followed by entries 2333 to 2388 (55 DNS attacks), all
timestamped 20:36, i.e. within a single minute.
Above is an exported graph of the 04/06/2012 IDS (Snort) log. The crosses
represent the cumulative counts for each minute of time in the Snort log.
This filtering/binning of the data was done in Excel using IF and COUNTIF
formulas.
Above is the second day, 04/07/2012. The x axis label is omitted because
Excel was using arbitrary numerical values instead of times/dates. The graph
is a scatter plot, not a histogram, so it has a true linear time scale on the
x axis.
Above is a histogram of the DNS attacks from the IDS Snort log; being a
histogram, its x axis is not linear for this data. It shows a strong
prevalence of 5 DNS attacks per minute.
To visualize the data our team built a parallel coordinate plot. The first
step was loading the data into a SQL database; to do this we wrote a SQL
script that transferred the data from the CSV files into a table structure.
Once the data was in the database we wrote Processing code that fetched it
and built the parallel plot, the results of which can be seen below.
Diagram above: parallel plot for the IDS log data set
MC 2.3 What do you suspect is (are) the root
cause(s) of the events identified in MC 2.1?
Understanding that you cannot shut down the corporate network or
disconnect it from the internet, what actions should the network administrators
take to mitigate the root cause problem(s)?
We suspect a self-propagating piece of malware behind the firewall, attacking
the DNS server until it is compromised, at which time it can reach external
websites which allow the author to redirect control of the infected PCs. The
network administrators should close down the high port numbers used by these
external connections to prevent the botnet fully compromising the DNS server,
and restrict SMB (port 445) traffic from workstations to the server, since
that is the vector identified in MC 2.2. If possible, they should also
monitor the number of hits per second on the main DNS server to pre-empt
failure of that node.
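The per-minute binning that MC 2.2 describes doing in Excel with IF and COUNTIF, and the hit-rate monitoring on the DNS server that MC 2.3 recommends, can be expressed as one small script. The block below is an added example and is not the team's Excel, MySQL or Processing code. Its CSV column layout, the Snort message text and the sample rows are all constructed assumptions (the real VAST 2012 Snort export has more columns); only the addresses 172.23.0.10 and 10.32.5.xx come from the write-up.

```python
"""
Per-minute binning of Snort IDS log entries with a burst check.

Added example, not the team's Excel/MySQL/Processing workflow. The CSV
layout is an assumption: only time, source/destination IP, destination
port, priority and description are modelled here.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows (not real challenge data); the Snort message text
# and the workstation-side ports are illustrative assumptions.
SAMPLE_LOG = """\
time,src_ip,dst_ip,dst_port,priority,description
2012-04-06 17:55:03,172.23.214.58,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:55:41,172.23.214.59,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:56:12,172.23.214.60,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:56:15,172.23.214.61,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:56:20,172.23.214.62,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:56:33,172.23.214.63,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:57:02,172.23.214.64,172.23.0.10,445,3,NETBIOS SMB-DS IPC$ share access
2012-04-06 17:57:10,10.32.5.51,172.23.214.70,1063,3,MISC activity
2012-04-06 17:57:44,10.32.5.52,172.23.214.71,1064,3,MISC activity
"""

# 172.23.0.10 is the "domain controller and domain name server" in the
# network description; 10.32.5.0/24 covers the external web sites the
# write-up refers to as 10.32.5.xx.
DNS_SERVER = ipaddress.ip_address("172.23.0.10")
EXTERNAL_WEB = ipaddress.ip_network("10.32.5.0/24")
SMB_PORT = 445


def parse_rows(text):
    """Parse the CSV export; timestamps are truncated to the minute so they
    can be used directly as bin keys."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        rows.append({
            "minute": stamp.replace(second=0),
            "src": ipaddress.ip_address(r["src_ip"]),
            "dst": ipaddress.ip_address(r["dst_ip"]),
            "port": int(r["dst_port"]),
            "priority": int(r["priority"]),
            "desc": r["description"],
        })
    return rows


def classify(row):
    """Bucket a row the way the write-up does: SMB attempts against the
    DNS/domain controller versus 'misc' traffic from the external web
    sites into workstations."""
    if row["dst"] == DNS_SERVER and row["port"] == SMB_PORT:
        return "smb_to_dns"
    if row["src"] in EXTERNAL_WEB:
        return "external_to_workstation"
    return "other"


def bin_per_minute(rows):
    """Equivalent of the Excel IF/COUNTIF binning: category -> minute -> count."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[classify(row)][row["minute"]] += 1
    return counts


def rate_per_minute(counts, category):
    """Average rate over first..last minute, computed as the report did
    (2150 attempts over 17:55-20:25 = 150 min gives 14.3/min)."""
    minutes = sorted(counts[category])
    if not minutes:
        return 0.0
    span = int((minutes[-1] - minutes[0]).total_seconds() // 60) or 1
    return sum(counts[category].values()) / span


def burst_minutes(counts, category, threshold):
    """Minutes whose count exceeds the threshold: the per-node hit-rate
    monitor MC 2.3 recommends for the DNS server."""
    return sorted(m for m, n in counts[category].items() if n > threshold)


def analyse(text, threshold=3):
    counts = bin_per_minute(parse_rows(text))
    return {
        "smb_total": sum(counts["smb_to_dns"].values()),
        "smb_rate": rate_per_minute(counts, "smb_to_dns"),
        "bursts": [m.strftime("%H:%M")
                   for m in burst_minutes(counts, "smb_to_dns", threshold)],
        "external_total": sum(counts["external_to_workstation"].values()),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the constructed rows this gives 7 SMB attempts against the DNS server at an average of 3.5 per minute, with 17:56 flagged as a burst at the threshold of 3. Running it over the real export means mapping the export's column names onto the six used here; the threshold is the value the administrators would tune against the normal 5-per-minute level the histogram shows.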