UKON-Fischer-MC2

VAST 2012 Challenge
Mini-Challenge 2:

 

 

Team Members:

 

Fabian Fischer, University of Konstanz, Fabian.Fischer@uni-konstanz.de (Primary)

Johannes Fuchs, University of Konstanz, fuchs@dbvis.inf.uni-konstanz.de

Florian Mansmann, University of Konstanz, Florian.Mansmann@uni-konstanz.de

Daniel A. Keim, University of Konstanz, Daniel.Keim@uni-konstanz.de

 

Student Team:  No

 

Tool(s):

 

BANKSAFE, Java Web Application developed by us for the VAST Challenge.

Apache Tomcat, Server Infrastructure.

Vaadin, Java Web Framework.

Google BigQuery, Scalable Backend Database.

Memcached, High-performance, distributed memory object caching system.

Ehcache, Java-based persistent cache.

D3.js, JavaScript library for web visualizations.

Java Applets, Some visualizations are traditional Java Applets.

Scripting Languages & R, Preprocessing and chart plotting.

 

Video:

 

 

 

Answers to Mini-Challenge 2 Questions:

 

MC 2.1  Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

Noteworthy Event #1

The first obvious noteworthy event is the massive data outage in the firewall data (shown in the following figure). Without further insider information it is not possible to say whether this was, for example, part of maintenance work or a traffic outage initiated by an intruder. Besides that, there are several peaks which are noteworthy and could be explored further.

Noteworthy Event #2

To visualize time-series data of the firewall log within their respective hierarchy, we make use of the ClockMap visualization. Basically, a circular treemap is enhanced with circular temporal glyphs that use a clock metaphor to represent 24-hour time-series data. For more information about this recent visualization technique, please refer to the paper and website.

The following visualization shows all source machines connecting to an IRC service on port 6667/TCP during the 24 hours of 06/Apr/2012. This behavior is highly suspect: it is very likely that all those machines are compromised, because they are trying to communicate with their master server and might be part of a bot network. The administrators should react immediately. With the help of the 24-hour glyph representation, where each segment of a circle represents one hour, it can be explored in which hour each subnet starts to communicate with the external IRC servers. It can be seen that most of the machines within the different subnets behave very similarly, which could indicate that the bots are spreading within their subnets first.

Further ports can be investigated using the service selector shown in the following figure.

Noteworthy Event #3

For many tasks visualizations are really helpful, but there are also cases where analysts prefer tabular representations. The following is an example of this. In the whole firewall data there are just a few events which indicate that commands were executed on the firewall. This can be seen by investigating the list of operations that occurred. This is definitely a noteworthy event, because it could be an attacker modifying the firewall configuration. However, the administrators should know whether there was planned maintenance work during those time intervals or not.

Noteworthy Event #4

On 05/Apr/2012 there are just a few, but very interesting, connections from several hosts to SSH servers. These should be investigated even further, because those remote connections occur during night times and are highly suspicious. They could be outgoing data connections transmitting company data to an external attacker. However, we have no proof of that based on the data. Investigating the syslog data of the origin hosts, or asking the person responsible for those machines in the company, might resolve the issue.

Noteworthy Event #5

So far we have just concentrated on the firewall data, but we have even more specialized visualizations integrated into BANKSAFE. The Relaxed IDS Timeline represents all IDS events. Each row represents the events for a particular source IP address. Each fixed-size column represents the events of one hour, so within each column are all events that occurred in that hour. Color is mapped to the event classification attribute, which helps to visually distinguish the event types. Selecting an event gives more information and highlights all other events of this event type using connecting lines.

In the following visualization the analyst selected an interesting event, because it occurs at a very specific time, just twice, for many computers. It is an ET POLICY DNS Update FROM External event, which could indicate an illegal DNS update change request.

It also becomes very clear using the visualizations that some sources generate many more IDS events than others.

Further exploration shows very noteworthy events, which can be seen in the following figure.

Here, suddenly several hosts are producing IRC authorization messages, which is very suspicious. It seems that those machines suddenly got infected and are trying to talk to their bot master. Another event can also be seen directly in the following figure: a highly suspicious IP, 172.23.240.156, is generating many suspicious events.

 

MC 2.2  What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.  

We already discussed several trends in the previous visualizations. The overall trend is clear: there is an increase of IRC-related events, which is also confirmed by the firewall data. Several IP addresses show highly suspicious behavior. In the following figure we searched for IRC, which highlights most of the events in the bottom area using black connecting lines.

MC 2.3  What do you suspect is (are) the root cause(s) of the events identified in MC 2.1?  Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)? 

Probably some of the machines got infected by a virus which exploited an open vulnerability, which made it easy to spread across the network. The computers then tried to connect to their bot master using the IRC protocol. Additionally, there was an intruder attacking specific services in a more guided way. The network administrators should immediately export the IP list of the suspicious machines with BANKSAFE and check whether critical machines have already been affected. It seems that most machines directly start IRC traffic, which is good, because it makes it easy to track compromised machines in the network. The network administrators should take care of installing the most recent anti-virus software on the machines. Additionally, automatic updating should be enforced, because it is quite likely that the spread was done using unpatched security holes. With the help of BANKSAFE, the administrators can also query for the destination IP addresses (the remote IRC servers) the clients are trying to connect to. Blocking those IP addresses on the firewall will not influence the normal network usage of the company, but will prevent the infected machines from loading additional malware or reacting to new commands from the bot master.
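As an added example (not part of this submission or of BANKSAFE's code) for the IRC analysis in Noteworthy Event #2 and the export and blocking step described here: it reads constructed firewall-log lines in a simplified CSV layout (the real challenge file has different columns), builds the per-subnet 24-hour counts that a clock glyph would display, and lists the suspicious internal hosts together with the remote IRC servers they contact.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified firewall-log CSV layout (not the VAST 2012 file).
SAMPLE_LOG = """\
time,protocol,src_ip,dst_ip,src_port,dst_port,operation
06/Apr/2012 00:12:31,TCP,172.23.1.10,10.32.5.50,51234,6667,Built
06/Apr/2012 00:13:02,TCP,172.23.1.11,10.32.5.50,51235,6667,Built
06/Apr/2012 01:45:10,TCP,172.23.2.20,10.32.5.51,40001,6667,Built
06/Apr/2012 02:00:00,TCP,172.23.1.10,10.32.5.50,51240,6667,Teardown
06/Apr/2012 03:30:00,TCP,172.23.3.5,10.32.0.9,44000,443,Built
06/Apr/2012 22:10:00,TCP,172.23.2.21,10.32.5.51,40002,6667,Built
06/Apr/2012 23:59:59,TCP,172.23.1.12,10.32.5.52,51300,6667,Built
"""

IRC_PORT = "6667"


def irc_connections(log_text, port=IRC_PORT):
    """Yield (hour, src_ip, dst_ip) for each TCP connection built to the IRC port."""
    for row in csv.DictReader(io.StringIO(log_text)):
        # Teardown rows are not new connection attempts, so only "Built" counts.
        if row["protocol"] != "TCP" or row["dst_port"] != port or row["operation"] != "Built":
            continue
        hour = datetime.strptime(row["time"], "%d/%b/%Y %H:%M:%S").hour
        yield hour, row["src_ip"], row["dst_ip"]


def hourly_by_subnet(log_text, prefix=24):
    """Data behind a 24-segment clock glyph: subnet -> new IRC connections per hour."""
    glyph = defaultdict(lambda: [0] * 24)
    for hour, src, _ in irc_connections(log_text):
        subnet = str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        glyph[subnet][hour] += 1
    return dict(glyph)


def first_irc_hour(log_text):
    """Hour in which each subnet first reached an IRC server (order of spread)."""
    return {net: next(h for h, n in enumerate(counts) if n)
            for net, counts in hourly_by_subnet(log_text).items()}


def suspicious_hosts_and_servers(log_text):
    """Internal sources to export for the administrators, and the remote IRC
    servers they contact (candidates for a firewall block rule)."""
    hosts, servers = set(), set()
    for _, src, dst in irc_connections(log_text):
        hosts.add(src)
        servers.add(dst)
    return sorted(hosts, key=ipaddress.ip_address), sorted(servers, key=ipaddress.ip_address)
```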

 

Deployment of BANKSAFE

 

The developed BANKSAFE framework is a web application which makes use of scalable distributed database technologies and high-performance caching to provide situational awareness for large-scale networks.