VT-Cao-MC2

VAST 2012 Challenge
Mini-Challenge 2:

 

 

Team Members:

 

Yong Cao, Virginia Tech, yongcao@vt.edu PRIMARY

Reese Moore, Virginia Tech, ram@vt.edu

Peng Mi, Virginia Tech, mipeng@vt.edu

Alex Endert, Virginia Tech, aendert@cs.vt.edu

Chris North, Virginia Tech, north@cs.vt.edu

Randy Marchany, Virginia Tech, marchany@vt.edu

 



Student Team: NO

 

Tool(s):

 

AVIST, developed by the Computer Science Department of Virginia Tech.

 

Video:

 

VT-Cao-MC2.mov

 

 

Answers to Mini-Challenge 2 Questions:

 

MC 2.1 Using your visual analytics tools, can you identify what noteworthy events took place for the time period covered in the firewall and IDS logs? Provide screen shots of your visual analytics tools that highlight the five most noteworthy events of security concern, along with explanations of each event.

 

1.      In the firewall data, external website source IPs in 10.32.x.x are scanning destination IPs in 172.28.x.x, which are unknown because they are not part of the bank network diagram. These scans start at 18:20 each day; there are four consecutive destination-port scans over 2.5 hours, from source port 80 to destination ports 1100-5000. Immediately after these scans, the IDS stabilizes. One caveat when reading the Figure 1 filter: ASA-6-106015 is the "Deny TCP (no connection)" message, logged for packets that match no connection in the firewall's state table, so source port 80 with rising destination ports is also what late replies from a web server to client connections the firewall has already torn down look like. Confirming the scan interpretation means checking whether the 172.28.x.x addresses ever opened connections to those 10.32.x.x hosts.

Figure 1: Parallel coordinates view showing the unknown destination IPs being scanned on ports 1100 to 5000. This is a single snapshot at 4/5/2012 19:20:06 covering a 530-second period. The tool searched 90,285 records with the filter "message code = ASA-6-106015 and Source port = 80 and Destination service = tcp and Operation = deny and Destination IP = 172.28.X.X and Destination port != 80".

Figure 2: Dynamic view showing the time periods of the scans. The X axis is time. Gray shows all activity excluding "Destination port = 80"; red shows the records that satisfy the filter from Figure 1. The red periods are the scanning periods.

 

2.      There is unexpected IRC traffic in the bank. External website IPs in 10.32.5.x used IRC port 6667 as the source port to reach destination IP 10.32.0.1. These accesses are all denied, as shown in Figure 3. They started at 4/5/2012 20:27:16, as shown in Figure 4.

Figure 3: Traffic with source port 6667. This is a snapshot of the Parallel Coordinates window at 4/6/2012 15:00:06 over a 1000-second period, with the highlight filter "Source port = 6667". The destination ports used by these accesses appear random.

Figure 4: Dynamic view of source port 6667 activity. Red shows the traffic highlighted by the filter from Figure 3. It indicates that the activity started at 4/5/2012 20:24:46 and that the volume of traffic increases until 4/6/2012 17:20:46.

3.      A second set of unexpected IRC traffic: workstation source IPs 172.23.x.x in the internal network access the external website destination IPs 10.32.5.x on destination IRC port 6667, starting at 20:21:06 on April 5th and continuing for the rest of the period. The traffic pattern closely matches the previous IRC traffic pattern shown in Figure 4. These connections step through the source ports upward from 1100; note that a client opening many successive connections allocates ephemeral source ports in the same rising order, so the source-port progression by itself shows repeated connection attempts from the same hosts and is not on its own evidence of port scanning. Source 172.23.0.108 starts after the break in the data. The result is shown in Figure 5.

Figure 5: Parallel coordinates view of the firewall data, showing a set of bank workstations (IP 172.23.x.x) accessing external websites 10.32.5.x on destination IRC port 6667. This snapshot was taken at 4/6/2012 08:19:36 over a 2000-second period. In total 334,392 records were filtered using the highlight query "Destination Port = 6667". These connections also step through the source ports from low to high (see the video).

Figure 6: Dynamic view of the firewall data for destination port 6667 (IRC traffic), starting at 20:21:06 on April 5th and continuing for the rest of the period.

 

4.      IDS log verification of the previous two IRC findings. We found matching detections in the IDS log showing IRC traffic with source port 6667, source IP 10.32.5.x, and destination IPs in the set of bank workstations 172.23.x.x, as shown in Figure 7 and Figure 8.

Figure 7: IDS log verification of the IRC traffic. The snapshot was taken at 4/6/2012 20:18:40 over a 6225-second period. The destination ports are being stepped through with source port 6667.

Figure 8: Dynamic view of the IDS log data for destination port 6667 (IRC traffic), starting at 20:21:06 on April 5th and continuing for the rest of the period.

5.      There are suspicious gaps in both logs. There is no firewall data from 17:22 to 17:37 on April 6 (15 minutes), and none for 2 minutes at 16:46 (see Figure 2). There is also a gap in the IDS data from 7:19 to 17:19 on April 6th (10 hours).

Figure 9: Gap in IDS logs
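To make the highlight queries in items 1 to 5 reproducible outside AVIST, the following Python script is an added example (it is not the team's tool and is not part of the original submission) that applies the same filters to firewall records: the Figure 1 query with a check for consecutive rising destination ports, the port 6667 queries of Figures 3 and 5, and the gap detection of item 5. It assumes the column order of the VAST 2012 firewall CSV export (Date/time, Syslog priority, Operation, Message code, Protocol, Source IP, Destination IP, Source hostname, Destination hostname, Source port, Destination port, Destination service, Direction, Connections built, Connections torn down) and a dd/Mon/yyyy HH:MM:SS timestamp; the sample records embedded in it are constructed to illustrate each finding and are not taken from the challenge data.

```python
"""Replay the MC 2.1 highlight queries over constructed firewall records (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column order assumed to match the VAST 2012 MC2 firewall CSV export.
FIELDS = ["Date/time", "Syslog priority", "Operation", "Message code", "Protocol",
          "Source IP", "Destination IP", "Source hostname", "Destination hostname",
          "Source port", "Destination port", "Destination service", "Direction",
          "Connections built", "Connections torn down"]

# Constructed sample records (not challenge data): a four-port sweep toward 172.28.x.x,
# one outbound and one inbound IRC record, and a 15-minute silence on April 6.
SAMPLE_LOG = """\
05/Apr/2012 18:20:00,Info,Deny,ASA-6-106015,TCP,10.32.5.51,172.28.1.20,(empty),(empty),80,1100,tcp,outbound,0,0
05/Apr/2012 18:20:01,Info,Deny,ASA-6-106015,TCP,10.32.5.51,172.28.1.20,(empty),(empty),80,1101,tcp,outbound,0,0
05/Apr/2012 18:20:02,Info,Deny,ASA-6-106015,TCP,10.32.5.51,172.28.1.20,(empty),(empty),80,1102,tcp,outbound,0,0
05/Apr/2012 18:20:03,Info,Deny,ASA-6-106015,TCP,10.32.5.51,172.28.1.20,(empty),(empty),80,1103,tcp,outbound,0,0
05/Apr/2012 18:20:04,Info,Built,ASA-6-302013,TCP,172.23.0.108,10.32.5.51,(empty),(empty),1100,80,http,outbound,1,0
05/Apr/2012 20:21:06,Info,Built,ASA-6-302013,TCP,172.23.0.108,10.32.5.57,(empty),(empty),1101,6667,irc,outbound,1,0
05/Apr/2012 20:27:16,Info,Deny,ASA-4-106023,TCP,10.32.5.57,10.32.0.1,(empty),(empty),6667,40123,irc,inbound,0,0
06/Apr/2012 17:22:00,Info,Built,ASA-6-302013,TCP,172.23.0.109,10.32.5.52,(empty),(empty),1105,80,http,outbound,1,0
06/Apr/2012 17:37:00,Info,Built,ASA-6-302013,TCP,172.23.0.109,10.32.5.52,(empty),(empty),1106,80,http,outbound,1,0
"""


def parse_log(text):
    """Parse CSV text into dicts keyed by FIELDS, adding a parsed 'ts' datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["Date/time"], "%d/%b/%Y %H:%M:%S")
        records.append(row)
    return records


def figure1_filter(rec):
    """The Figure 1 highlight query. ASA-6-106015 is 'Deny TCP (no connection)', i.e.
    a packet with no matching state entry, which is why port 80 replies also match."""
    return (rec["Message code"] == "ASA-6-106015"
            and rec["Source port"] == "80"
            and rec["Destination service"] == "tcp"
            and rec["Operation"].lower() == "deny"
            and rec["Destination IP"].startswith("172.28.")
            and rec["Destination port"] != "80")


def port_sweeps(records, min_len=3):
    """Group Figure 1 matches by (source, destination) and report pairs whose
    destination ports rise monotonically over time for at least min_len records."""
    by_pair = defaultdict(list)
    for r in records:
        if figure1_filter(r):
            by_pair[(r["Source IP"], r["Destination IP"])].append((r["ts"], int(r["Destination port"])))
    sweeps = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        ports = [p for _, p in hits]
        if len(ports) >= min_len and all(b > a for a, b in zip(ports, ports[1:])):
            sweeps.append({"src": src, "dst": dst, "start": hits[0][0],
                           "ports": (ports[0], ports[-1]), "count": len(ports)})
    return sweeps


def irc_6667(records):
    """Figures 3 and 5: records with 6667 as source port (inbound IRC) or destination
    port (outbound IRC from workstations), tagged by which side carries the port."""
    hits = []
    for r in records:
        if r["Source port"] == "6667":
            role = "src6667"
        elif r["Destination port"] == "6667":
            role = "dst6667"
        else:
            continue
        hits.append({"role": role, "src": r["Source IP"], "dst": r["Destination IP"],
                     "op": r["Operation"], "ts": r["ts"]})
    return hits


def log_gaps(records, threshold=timedelta(minutes=2)):
    """Item 5: silent stretches longer than threshold between consecutive records."""
    ts = sorted(r["ts"] for r in records)
    return [{"from": a, "to": b, "length": b - a}
            for a, b in zip(ts, ts[1:]) if b - a > threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for s in port_sweeps(recs):
        print("sweep", s)
    for h in irc_6667(recs):
        print("irc", h)
    for g in log_gaps(recs):
        print("gap", g)
```

On a real export the gap threshold should be set relative to the normal inter-record spacing (fractions of a second on a busy firewall), and the sweep check should be run per day so that the 18:20 start reported in item 1 appears as one sweep per day rather than one long run.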

 

 

MC 2.2 What security trend is apparent in the firewall and IDS logs over the course of the two days included here? Illustrate the identified trend with an informative and innovative visualization.

The trends are the scan and IRC patterns detailed in MC 2.1 above: the port scans against 172.28.x.x that begin at 18:20 each day, and the IRC port 6667 traffic that begins on the evening of April 5th and grows in volume through April 6th (Figures 2, 4 and 6).

 

MC 2.3 What do you suspect is (are) the root cause(s) of the events identified in MC 2.1? Understanding that you cannot shut down the corporate network or disconnect it from the internet, what actions should the network administrators take to mitigate the root cause problem(s)?

1. The scans are being denied by the firewall, which is good. The first step is to determine what the 172.28.x.x addresses being scanned are. If they do not correspond to real hosts, de-register them from DNS. Because the IDS log stabilizes immediately after the first scan, check the IDS configuration and rule set and verify that the sensor is still receiving traffic: a sensor that goes quiet right after scanning activity may have been tampered with or overwhelmed rather than the activity having stopped.

2. Stop the IRC traffic by blocking TCP port 6667 on the firewall in both directions; the inbound connections from 10.32.5.x are already denied, so the outbound connections from the 172.23.x.x workstations are the ones that matter. Since the communication is bi-directional and the workstations are initiating it, they are potentially compromised and participating in a botnet. Identify the hosts that match the "Destination Port = 6667" filter and investigate them, because blocking one port does not remove the infection and the bots may move to another port.

3. Check the firewall, the IDS sensor and the log collection configuration because of the large gaps in the logs. Gaps this long may indicate a crashed server, but a collector that stopped receiving data or logging being disabled produces the same symptom, so compare the gap windows against system uptime and any configuration changes made at those times.