UN-GIBSON-MC2

VAST 2012 Challenge
Mini-Challenge 2:

 

 

Team Members:

 

Helen Gibson, University of Northumbria, UK. helen.gibson@northumbria.ac.uk PRIMARY
Paul Vickers, University of Northumbria, UK. paul.vickers@northumbria.ac.uk

Student Team: YES

 

Tool(s):

MySQL – the IDS and Firewall logs were imported into a MySQL database which was accessed by R. TPP (Targeted Projection Pursuit tool) can also access the database to show detailed information about the nodes.

R and RStudio were used to process the data into an aggregate format suitable for use in TPP.

Weka (http://www.cs.waikato.ac.nz/ml/weka/) was used to convert and normalize the csv files produced by R into ARFF format

TPP, originally developed by Joe Faith (http://code.google.com/p/targeted-projection-pursuit/), a high dimensional data exploration tool [1] already extended for graph layout [2] was further extended and then adapted for use in the challenge.

 

Background on TPP: TPP is an interactive high-dimensional data exploration tool that allows users to explore two dimensional projections of high dimensional data sets. By moving the points a user is requesting a particular projection of the data. TPP returns the view of a projection that most closely matches the one requested by the user. How much each dimension contributes to the overall projection is shown in the right hand table. This, along with the ability to compare the mean value of each of the selected nodes with the overall mean for that attribute, allows the user to relate the projection back to the original data.

 

Video:

 

UN_GIBSON-MC2.wmv  

 

Answers to Mini-Challenge 2 Questions:

 

MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

The IDS and firewall logs were aggregated so that they could be used in TPP. This means counting the number of occurrences of each event for each IP address. For the IDS logs the attributes were the priority, the classification and the label of the event, giving 29 possible attributes. For the firewall logs the attributes were 15-minute intervals, and the number of events each IP address was involved in during that interval became the value of the attribute. Since we are converting edge-attribute data into node-attribute data, we also repeated the aggregation process with the attributes split into source and destination events. A list of edges was extracted which did not consider the weight of each edge.
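To make the aggregation step concrete, the following added Python example (our illustration, not the team's R code) turns a few constructed firewall rows into node attributes in the way described above: events per IP per 15-minute bin, repeated with a source/destination split, plus the IP-range classification used later (Event 5) to flag nodes outside the known ranges. The column layout, the sample rows and the network masks are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample rows, not the challenge data. Columns (our simplified layout):
# time, source IP, source port, destination IP, destination port
SAMPLE_FIREWALL = """\
06/Apr/2012 17:55:10,172.23.252.10,51044,10.32.5.50,6667
06/Apr/2012 17:56:40,172.23.252.10,51045,10.32.5.51,6667
06/Apr/2012 18:05:02,172.23.0.132,40322,10.32.0.100,80
06/Apr/2012 18:12:31,172.23.0.132,40323,10.32.1.7,80
06/Apr/2012 18:22:15,10.32.0.100,80,172.28.29.5,51900
"""

BIN_MINUTES = 15

# Assumed node classes: the report names these prefixes, the exact masks are ours.
NODE_CLASSES = [
    ("workstation", ipaddress.ip_network("172.23.0.0/16")),
    ("bom_website", ipaddress.ip_network("10.32.0.0/16")),
]

def time_bin(ts):
    """Floor a timestamp to the start of its 15-minute interval; the label becomes the attribute name."""
    dt = datetime.strptime(ts, "%d/%b/%Y %H:%M:%S")
    dt = dt.replace(minute=dt.minute - dt.minute % BIN_MINUTES, second=0)
    return dt.strftime("%Y-%m-%d %H:%M")

def classify_node(ip):
    """Label a node by IP range; anything outside the known ranges is 'unknown' (Event 5)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NODE_CLASSES if addr in net), "unknown")

def aggregate_firewall(text):
    """Convert edge records into node attributes: events per IP per 15-minute bin, once over
    all events and once split by the role (source / destination) the IP played in the edge.
    Also counts how often each port appears as source vs destination (cf. the 6667 counts)."""
    total, as_src, as_dst = defaultdict(Counter), defaultdict(Counter), defaultdict(Counter)
    port_role = Counter()
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport = line.split(",")
        b = time_bin(ts)
        total[src][b] += 1
        total[dst][b] += 1
        as_src[src][b] += 1
        as_dst[dst][b] += 1
        port_role[(int(sport), "src")] += 1
        port_role[(int(dport), "dst")] += 1
    return total, as_src, as_dst, port_role

def unknown_nodes(total):
    """IPs that took part in any event but fall outside every known range."""
    return sorted(ip for ip in total if classify_node(ip) == "unknown")
```

The per-bin Counters are the rows that would be written to CSV for Weka and TPP; the source/destination split is what lets an IP that only receives connections show up as a distinct pattern.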

Key to Nodes

Noteworthy Events

The first set of noteworthy events can be seen in the IDS log for day 0406.

Figure 1: Overview of IDS log from day0406. There are some outliers. Edges are coloured by source node and curved clockwise indicating direction (larger version #1)

 

Event 1: Unusual attempts to access the database and email ports

 

Figure 2: The five outlier workstations that connect to the firewall interface to the regional bank network. The table shows which events are causing them to appear as outlier workstations (larger version #2)

 

There are five workstations that appear as outliers. These all connect to the firewall interface to the regional bank network. They are:

·         172.23.231.69

·         172.23.232.4

·         172.23.241.156

·         172.23.234.58

·         172.23.236.8.

 

From the table in Figure 2 it is clear that these nodes are involved in events that none of the other workstations are. These events relate to attempts to access the database servers in particular. In Figure 4 we see that in the space of a couple of minutes the IP address 172.23.241.156 makes an SNMP request followed by 4 attempts to access each of the database ports and then VNC scans on 5800-5820 and 5900-5920. The SNMP requests have Xrefs to the URLs:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012

http://www.securityfocus.com/bid/4132

http://www.securityfocus.com/bid/4089

http://www.securityfocus.com/bid/4088

 

These indicate that SNMP could be used to remotely execute code on a user’s machine or be involved in a denial of service attack. This pattern is similar for the other IPs.

 

IP addresses 172.23.231.69, 172.23.236.8 and 172.23.234.58 are also involved in potential SSH scans and outbound SSH scans which indicate a potential brute force attack. IP address 172.23.231.69 also tries to access the email ports and is involved in many database, SNMP and VNC events.


Figure 3: Through connecting to the IDS database we see there is a pattern to the attack (larger version #3).

Event 2: Unusually fast terminal server traffic

Figure 4: The workstation with IP address 172.23.231.69 (larger version #4).

 

IP address 172.23.231.69 also raises an event related to unusually fast terminal server traffic. In the IDS log we see an associated URL (http://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811). This indicates that an event of this type could point to the presence of a worm in the system. An excessive number of TCP connections on source port 3389 are also associated with this event.

 

Event 3: DNS and remote code execution

 

Figure 5: The IDS logs from both days using source and destination attributes (larger version #5)

 

 

Figure 6: Zoomed view of the workstations connected to the DNS. We also see here the only link between two workstations (larger version #6)

Nodes in this group are connecting to the DNS. They are involved in four kinds of events:

·         GPL NETBIOS SMB IPC unicode share access

·         GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt

·         GPL NETBIOS SMB DS IPC unicode share access

·         GPL NETBIOS SMB DS Session Setup NTMLSSP unicode asn1 overflow attempt

 

In the data the NTMLSSP events have a number of associated URLs.

http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx

http://cgi.nessus.org/plugins/dump.php3?id=12065

http://cgi.nessus.org/plugins/dump.php3?id=12052

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818

http://www.securityfocus.com/bid/9635

http://www.securityfocus.com/bid/9633

 

Each of these describes a vulnerability that allows for the remote execution of code on the host machine. This may be how the antivirus software is being installed to run on users' computers.

 

Event 4: Large number of connections for two nodes in the firewall logs

Here we use the number of connections in each 15-minute period as attributes. This results in a graph as in Figure 7. The two workstations have the IP addresses 172.23.0.132 and 172.23.252.10. The workstation with the address 172.23.252.10 has most of its connections between 06/04/2012 17:55 and 07/04/2012 09:10, while 172.23.0.132 has consistently high numbers of connections which seem to peak in the hour before workstation 172.23.252.10 starts making connections. IP 172.23.0.132 connects to the headquarters firewall and to BOM accessible websites in the range 10.32.0.X or 10.32.1.X, and these are all HTTP connections, whilst the IP address 172.23.252.10 connects to IPs in the range 10.32.5.X. In this second case many of the connections are to port 6667, which is often used for IRC and can be exploited by hackers. There are more than 30,000 instances of port 6667 being used as a source port and over 2 million as the destination port.


Figure 7: Two IPs have many more connections than other nodes (larger image #7)


Figure 8: Connections of 172.23.252.10 to BOM accessible websites. The connections to port 6667 all occur within a few seconds. (larger version #8)


Event 5: Presence of unknown IP addresses in the system.

In the data preparation each node was classified according to its IP address. From this emerged a group of nodes similar to the workstations but with the IP range 172.28.29.X. In our time-attribute firewall graph these nodes have an interesting set of connections: they both send and receive connections from BOM accessible websites and the HQ firewall. While some workstation nodes connect to the HQ and to the BOM accessible websites, none of them have connections returned. These incoming connections to the unknown nodes were actually denied; nevertheless, there should not be unknown machines connected to the network. These connections appear for short periods of time: from 05/04/2012 18:22 to 06/04/2012 00:27 and from 06/04/2012 18:06 to 07/04/2012 00:57, the same time period each night.

Figure 9: The connection of the nodes with the unknown IPs in the range 172.28.29.X (larger image #9).

 

MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.

The trend in the network seems to be the numerous opportunities for the potential remote execution of code on the network. In particular, workstation 172.23.231.69 is involved in many of these events. In Figure 4 we see that it is involved in an event that may be responsible for the presence of a worm in the system. In Figure 2 we see it as an outlier to most of the other workstations, involved in events that try to access the database ports and the email ports (Figure 10 below), in a possible brute force attack, and in the SNMP events, which are another opportunity for remote code execution. In Figure 11 below we also see that when we pinpoint this node in the firewall log it has also tried to connect to FTP and Telnet ports, which is strictly not allowed.

Figure 10: IP address 172.23.231.69 tries to connect to the email ports (larger version #10).

 

Figure 11: IP 172.23.231.69 detected making FTP and Telnet requests in the firewall log (larger version #11).

As previously mentioned, IRC can be exploited by hackers. If we look at either the firewall or the IDS logs we see that most of the workstations and BOM accessible websites lie along two axes. The further along these axes a workstation or BOM accessible website is, particularly in the IDS log, the greater the number of IRC events that have been detected from that node.

 

MC 2.3 What do you suspect is (are) the root cause(s) of the events identified in MC 2.1? Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)?

The events seem to indicate that outsiders have been able to access the network and that it has been exploited so that the installation of this fake antivirus software and scanning program can be run. It is unlikely that either of these programs is legitimate. The root causes are that it is too easy for this to happen, and it seems to have come from a number of vulnerabilities in the system. In order to fix this the following steps should be carried out.

·         All workstations that exhibit the symptoms of the virus need to be cleaned and have their software reinstalled.

·         The suggested software patch from Microsoft should be installed onto the network from here in order to eliminate the vulnerability (http://technet.microsoft.com/en-us/security/bulletin/ms04-007)

·         The Morto worm is possibly associated with weak passwords, so all workstations should have their passwords reset and the rules about remote desktop connections should be reviewed, as this is how the infection is spread. The worm is possibly hosted on machine 172.23.231.69; this machine needs to be taken offline immediately and the worm removed.

·         The firewall rules should be updated so that no unknown IP addresses can be on the network.

·         Activity on the IRC channel should be closely monitored.

 

References

[1] J. Faith, “Targeted Projection Pursuit for Interactive Exploration of High-Dimensional Data Sets,” 11th International Conference Information Visualization (IV ’07), pp. 286-292, Jul. 2007.

[2] H. Gibson and J. Faith, “Node-attribute Graph Layout for Small-World Networks,” in 2011 15th International Conference on Information Visualisation, 2011, pp. 482-487.