gibson: 3d visualization and modeling of real time security events dan klinedinst lawrence berkeley...
TRANSCRIPT
![Page 1: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/1.jpg)
Gibson:3D Visualization and Modeling of
Real Time Security Events
Dan KlinedinstLawrence Berkeley National Laboratory
![Page 2: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/2.jpg)
Disclaimers
Gibson is not supported or endorsed by LBL, DOE, UC, etc.
This is Gibson v0.000000001I am not an expert at either 3D or PythonNot all features I'll demonstrate are fully functionalIf you get motion sick, you may want to look away
during some of the demos
![Page 3: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/3.jpg)
So, what is Gibson?
A way to model security events in 3D
Creates a target map (not a network map)Highly customizableShows any security alerts as objects that interact
with the targetsVarious views allow macro or micro examinationPop Up information windows provide specificsVisual cues reflect a wide variety of information
![Page 4: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/4.jpg)
Why modeling is useful
We're visual creatures
Different people process / learn differentlyDecision makers don't like log filesAn enterprise network has a lot of security events.Watching people type at the command line is boring
![Page 5: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/5.jpg)
Why real time is useful
Lots of researchers do studies of archived data
That's a great way to learn about yesterday's
security problemsWhy are exploits called “zero day”?
Why historical data is useful
Research
ForensicsExplaining budget request to your boss
![Page 6: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/6.jpg)
Why 3 Dimensions?
NumberOf
Incidents
Average Cost Per Incident
![Page 7: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/7.jpg)
Why 3 Dimensions?
NumberOf
Incidents
Average Cost Per Incident
Loca
tion?
OS?
Vuln?
![Page 8: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/8.jpg)
The Tech
Panda3D
Free 3D engine from CMUPythonBlenderBro (heuristic based IDS)Nmap / XML
![Page 9: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/9.jpg)
Let's see it!
We'll start small.
![Page 10: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/10.jpg)
The Basics
Objects
Currently supports nmap XML output as input The main sorting is by IP
An IP address identifies a target E.g.: Servers, network equip, VPN, other devices Could also be applications, databases, etc. Could sort by OS, function, any custom XML tag You can also build custom models with Python
![Page 11: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/11.jpg)
The Basics
X Axis (Left → Right) = Individual IP Addresses
Z Axis (Up → Down)=Different Subnets
Y Axis (In → Out)=Security Zones
![Page 12: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/12.jpg)
The Basics
Events
Input from monitoring / alarm system
Currently: Bro, Snort (fast alerts), and syslog
Bro
t=1281415533.93 no=ICMPAsymPayload
na=NOTICE_ALARM_ALWAYS sa=131.243.164.9
sp=60127/tcp da=79.120.86.20 dp=12444/tcp msg=We\ have\
a\ problem tag=@5f-723-2e3d
![Page 13: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/13.jpg)
The Basics
Snort11/06/04-01:32:05.706661 {ICMP} 192.168.1.14:3456 - 192.168.100.5:80 TCP [**] [1:469:3] Bad HTTP [**] [Classification: Attempted Information Leak] [Priority: 2] [Xref = http://www.hackers.r.us]
SyslogJan 6 13:26:27 132.216.164.24 http-alt[24295]: [ID 800047 local1.error] MyApp: My cool application done been hacked!
![Page 14: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/14.jpg)
The Basics
Events
Gibson places event in scene depending on
various fields
Need to add a timeout, but it can handle 1,000+
events in the scene
To replay, just reprocess original logs / events
![Page 15: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/15.jpg)
Core
Ad Hoc Models
Models
Controls
EventPreprocessor
Bro Snort(fast alert)
Syslog
Panda3D
TCP/IP
Whatever
XML Parser
Nmap(XML output)
Security Zones/Network Info
3D Objects,Texture Maps
![Page 16: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/16.jpg)
3D basics
Camera, Lights
Panda assumes nothing
X, Y, Z coordinates describe location in scene
Heading (Yaw), Pitch, Roll describe rotation around
each axis
![Page 17: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/17.jpg)
Panda basics
Each Node inherits all properties of all parents
This means each has its own coordinate system
You can describe transforms relative to any node
Scene graph is two tree hierarchies, 3D and 2D
![Page 18: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/18.jpg)
In this case, a picture really is worth1,000 words.
![Page 19: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/19.jpg)
A real network, with almost real events
Very small chunk of LBL with anonymized addresses
![Page 20: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/20.jpg)
More examples
These are in various stages of actual functionality
1)Single transaction mode
1)You could isolate elements that have some
shared parameter
2)Whole Subnet (/24) Mode
1)256 IP Addresses is too many for one long line
3)Scientific cluster
1)Very few controllers are gateways to all nodes in
the cluster
2)Nodes are all but identical, no criteria to sort on
![Page 21: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/21.jpg)
What It's Not
An Intrusion Detection System
An Event Correlation SystemA Decision TreeA Network Map (Yet!)A Control Panel (Cannot take action)A S(I)(E)MVulnerability Assessment ToolA replacement for skilled analysts and auditors
![Page 22: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/22.jpg)
Use Case 1
Network / Systems Monitoring
How many NOC Operators still watch logs with tail -f?
Ability to take in a large amount of aggregated data in a glance
Ability to explain what's going on without numerous drill downs, reports and graphs
Uh Oh!
![Page 23: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/23.jpg)
Use Case 2
Vulnerability Assessments / Penetration Tests
Especially useful if the attackers will allow you to instrument their machines
See what they're trying, and how you're responding, in real time
Where'd theyGet thatExploit?!
![Page 24: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/24.jpg)
Use Case 3
Simulations / Training Exercises / CTF contests / Test Runs
Much easier to explain to CEOs, Generals, Politicians & Lawyers
(It doesn'tDo this yet.)
![Page 25: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/25.jpg)
Use Case 4
Buzzword Warning
Cyberwar
I bet Iran wishes they had this ability
Future NSACommand CenterRunning Gibson?
![Page 26: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/26.jpg)
To do list
Better Network Mapping
Path taken
Define routers / topologyMultihomed hostsShow virtual machines / hosts as childrenYou really need more than 3 dimensions!
VLANs, Routing Protocols, STP, VRRP VPNs, vSwitches, etc.
![Page 27: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/27.jpg)
To do list
Better Host Information
Right now it only uses syslog:
Jan 6 13:26:27 132.216.164.24 myapp[24295]: [...]Nmap and /etc/servicesApache logs, database logs, Tripwire, OSSECUserspace vs. root / SYSTEM compromisesDifferentiate rootkits, kernel hacks, Meterpreter, etc.A way to programmatically tie related apps together
“Business Process View”
![Page 28: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/28.jpg)
To do list
Host Agents
An event collector specific to Gibson
Targets: gather / correlate information Attackers: Instrument in simulations
Attacker (Red Team) Target
Buffer overflow against sshdWith shell code xxxxxxx
CVE-2011-1234
Got a shell!
![Page 29: Gibson: 3D Visualization and Modeling of Real Time Security Events Dan Klinedinst Lawrence Berkeley National Laboratory](https://reader033.vdocuments.mx/reader033/viewer/2022051417/56649eb75503460f94bc0c15/html5/thumbnails/29.jpg)
To do list
Misc. Clean Up
Better graphic design!
Code cleanup, error handling, etc.Documentation :-(Panda package and web plugin optionsPut in some cool Easter Eggs