towards large scale incident response and interactive
play

Towards Large-Scale Incident Response and Interactive Network - PowerPoint PPT Presentation

Feb 01, 2024 •149 likes •790 views

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

  1. Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011

  2. April 21, 2009: Bad News for UC Berkeley 2 / 63

  3. Blind SQL Injection Havij ..?deploy_id=799+and+ascii(substring((database()),1,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<103 11582 ..?deploy_id=799+and+ascii(substring((database()),1,1))<91 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<97 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<100 11582 ..?deploy_id=799+and+ascii(substring((database()),1,1))=99 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),2,1))<103 31 ..?deploy_id=799+and+ascii(substring((database()),2,1))<115 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<109 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<106 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))=105 11582 ..?deploy_id=799+and+ascii(substring((database()),3,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),3,1))<103 11582 ..?deploy_id=799+and+ascii(substring((database()),3,1))<91 31 Database name: ci... Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 3 / 63

  4. Example: Debugging an APT Incident Advanced Persistent Threat (APT) Severe security breaches manifest over large time periods 1. Initial compromise: stealthy and inconspicuous 2. Maintenance: periodic access checks 3. Sudden strike: quick and devastating or 3. Continuous leakage: piecemeal exfiltration under the radar Analyst questions ◮ How did the attacker get in? ◮ How long did the attacker stay under the radar? ◮ What is the damage? ◮ Was an insider involved? ◮ How to detect similar attacks in the future ? ◮ How do we describe the attack? 4 / 63

  5. Incident Response Challenges and the Sobering Reality Challenges ◮ Volume : machine-generated data exceeds our analysis capacities ◮ Heterogeneity : multitude of data and log formats ◮ Procedure : unsystematic investigations Reality ◮ Reliance on incomplete context ◮ Manual ad-hoc analysis ◮ UNIX tools (awk, grep, uniq) ◮ Expert islands How do we tackle this situation? 5 / 63

  6. Thesis Statement Hypothesis Key operational networking tasks, such as incident response and forensic investigations, base their decisions on descriptions of activity that are fragmented across space and time : ◮ Space : heterogeneous data formats from disparate sources ◮ Time : discrepancy in expressing past and future activity Statement We can design and build a system to attain a unified view across space and time. past present future past present future 6 / 63

  7. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 7 / 63

  8. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 8 / 63

  9. Basic Network Monitoring Internet Tap Local Network Monitor ◮ Passive tap splits traffic ◮ Optical ◮ Coppper ◮ Switch span port ◮ Monitor receives full packet stream → Challenge: do not fall behind processing packets! 9 / 63

  10. High-Performance Network Monitoring: The NIDS Cluster [VSL + 07] Internet Tap Local Network Frontend Worker Worker Worker Manager Packets Logs State User 10 / 63

  11. The NIDS Cluster ◮ Contributions ◮ Design, prototype, and evaluation of cluster architecture ◮ Bro scripting language enhancements ◮ Runs now in production at large sites with a 10 Gbps uplink: ◮ UC Berkeley (26 workers), 50,000 hosts ◮ LBNL (15 workers), 12,000 hosts ◮ NCSA (10 × 4-core workers), 10,000 hosts ◮ Generates follow-up challenges ◮ How to archive and process the output of the cluster? ◮ How to efficiently support incident response and network forensics? 11 / 63

  12. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 12 / 63

  13. Use Case #1: Classic Incident Response Goal : quickly isolate scope and impact of security breach ◮ ◮ Often begins with a piece of intelligence ◮ “IP X serves malware over HTTP” ◮ “This MD5 hash is malware” ◮ “Connections to 128.11.5.0/27 at port 42000 are malicious” ◮ Analysis style: Ad-hoc, interactive, several refinements/adaptions ◮ Typical operations ◮ Filter : project, select ◮ Aggregate : mean , sum , quantile , min / max , histogram , top-k , unique ⇒ Bottom-up: concrete starting point, then widen scope 13 / 63

  14. Use Case #2: Network Troubleshooting Goal : find root cause of component failure ◮ ◮ Often no specific hint, merely symptomatic feedback ◮ “Email does not work :-/” ◮ Typical operations ◮ Zoom : slice activity at different granularities ◮ Time: seconds, minutes, days, . . . ◮ Space: layer 2/3/4/7, protocol, host, subnet, domain, URL, . . . ◮ Study time series data of activity aggregates ◮ Find abnormal activity ◮ “A sudden huge spike in DNS traffic” ◮ Use past behavior to determine present impact [KMV + 09] and predict future [HZC + 11] ◮ Judicious machine learning [SP10] ⇒ Top-down: start broadly, then narrow scope incrementally 14 / 63

  15. Use Case #3: Combating Insider Abuse Goal : uncover policy violations of personnel ◮ ◮ Insider attack: ◮ Chain of authorized actions, hard to detect individually ◮ E.g., data exfiltration 1. User logs in to internal machine 2. Copies sensitive document to local machine 3. Sends document to third party via email ◮ Analysis procedure: connect the dots ◮ Identify first action: gather and compare activity profiles ◮ “Vern accessed 10x more files on our servers today” [SS11] ◮ “Ion usually does not log in to our backup machine at 3am” ◮ Identify last action: ◮ Filter fingerprints of sensitive documents at border ◮ Reinspect past activity under new bias ⇒ Relate temporally distant events 15 / 63

  16. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 16 / 63

  17. Descriptions of Activity: Bro Event Trace ◮ Use Bro event trace → Descriptions of activity Logs Notifications ◮ Instrumentation: meta events ◮ Timestamp Script Interpreter ◮ Name ◮ Size Events Workload ◮ Generate from real UCB traffic Trace Details Event Engine ◮ October 17, 2011, 2:35pm, 10 min ◮ 219 GB Packets ◮ 284,638,230 packets Network ◮ 6,585,571 connections 17 / 63

  18. Event Workload of one node (1/26) 1.0 20000 0.8 Events per second 0.6 15000 ECDF 0.4 10000 0.2 0.0 5000 0 100 200 300 400 500 600 5000 10000 15000 20000 Time (seconds) Event rate (# events/sec) Estimator Events/sec MB/sec Median 10,760 13.4 Mean 10,370 14.2 Peak 22,460 35 → need to support peaks of 10 6 events/sec and 1 GB/sec 18 / 63

  19. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 19 / 63

  20. Requirements ◮ Interactivity ◮ Security-related incidents are time-critical ◮ Scalability ◮ Distributed system to handle high ingestion rates ◮ Aging: graceful roll-up of older data ◮ Expressiveness ◮ Represent arbitrary activity ◮ Result Fidelity ◮ Trade latency for result correctness ◮ Analytics & Streaming ◮ A unified approach to querying historical and live data 20 / 63

  21. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 21 / 63

  22. Traditional Views ◮ Data Base Management Systems (DBMS) ◮ Store first, query later + Generic – Monolithic ◮ Data Stream Management Systems (DSMS) ◮ Process and discard + High throughput – No persistence ◮ Online Transactional Processing (OLTP) ◮ Small transactional inserts/updates/deletes + Consistency – Overhead ◮ Online Analytical Processing (OLAP) ◮ Aggregation over many dimensions + Speed – Batch loads 22 / 63

  23. Newer Movements ◮ NoSQL + Scalability – Flexibility ◮ MapReduce + Expressive – Batch processing ◮ In-memory Cluster Computing + Speed – Streaming data, initial load 23 / 63

  24. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 24 / 63

  25. VAST: Visibility Across Space and Time VAST ◮ Visibility ◮ Realize interactive data explorations ◮ Across space : ◮ Unify heterogeneous data formats ◮ Across time : ◮ Express past and future behavior uniformly past present future 25 / 63

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo!

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo!

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo! Agenda 1. Definitions 2. Challenges 3. Solutions 4. Case Studies Definition of Large &amp; Complex 1. Scale: &gt;100k Production

276 views • 14 slides
Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent &amp; capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline

Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline

Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline Integration Studies and Demand Response Modelling Demand Response for Large Scale Integration Studies Study Outline Study Results

270 views • 16 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation

Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation

Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation Large Scale Data must be accessible to analysts and engineers Interactive queries are important for data exploration, monitoring, online customer

354 views • 18 slides
An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow

An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow

An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow Data Angel Kodituwakku J.T. Liso Dr. Jens Gregor Jan 10, 2018 This material is based upon work supported by the National Science Foundation under

408 views • 26 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson,

Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson,

Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson, Vasyl Pihur, Aleksandra Korolova, Steven Holte, Ananth Raghunathan , Giulia Fanti, Ilya Mironov, Andy Chu DIMACS Security and Privacy Workshop (April

833 views • 44 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Computational semantics for the humanities Diarmuid O S eaghdha Natural Language and

Computational semantics for the humanities Diarmuid O S eaghdha Natural Language and

Computational semantics for the humanities Diarmuid O S eaghdha Natural Language and Information Processing Group Computer Laboratory University of Cambridge do242@cam.ac.uk Translation and the Digital 25 April 2014 Introduction

426 views • 10 slides
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G.

Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1 , L.R. Knudsen 2 , G. Leander 1 , C. Paar 1 , A. Poschmann 1 , M.J.B. Robshaw 3 , Y. Seurin 3 , and C. Vikkelsoe 2 1 Horst-G ortz-Institute for IT-Security, Ruhr-University

400 views • 15 slides
3rd Grade PSI Ecosystems: Group Behavior www.njctl.org Slide 3 / 78 Ecosystems: Group Behavior

3rd Grade PSI Ecosystems: Group Behavior www.njctl.org Slide 3 / 78 Ecosystems: Group Behavior

Slide 1 / 78 Slide 2 / 78 3rd Grade PSI Ecosystems: Group Behavior www.njctl.org Slide 3 / 78 Ecosystems: Group Behavior Click on the topic to go to that section How do Animals Live? Advantages of Group Living Disadvantages of Group

602 views • 26 slides
Route map of our journey this evening Ciphers - coming of age The Enigma Machine Poles

Route map of our journey this evening Ciphers - coming of age The Enigma Machine Poles

Breaking Enigma &amp; the U-boat Codes and the Legacy of Alan Turing Tuesday 17th April 2012 Professor David Stupples Centre for Cyber Security Sciences Centre for Cyber Security Sciences Route map of our journey this evening Ciphers -

711 views • 36 slides
XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team Browser PDF / file formats B Shark movies Topics of today XSS Cross Site Scripting XSRF/CSRF Cross Site Request Forgery

893 views • 56 slides
HR Analytics Workshop 6th June 2018 C R A F T E D B Y C O N C E N T R A Welcome &amp;

HR Analytics Workshop 6th June 2018 C R A F T E D B Y C O N C E N T R A Welcome &amp;

HR Analytics Workshop 6th June 2018 C R A F T E D B Y C O N C E N T R A Welcome &amp; Introductions Giles Slinger, James Gardner, Min Bhogaita HR CIPD Workshop 2 Introductions Giles Slinger James Gardner Min Bhogaita Director, OrgVue

1.39k views • 102 slides
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information

Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information

Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques in Cryptanalysis Algebra is the

659 views • 61 slides
35 th Shared Awareness Meeting 15 July 2020 Introduction and Area of Interest Brief Event Video

35 th Shared Awareness Meeting 15 July 2020 Introduction and Area of Interest Brief Event Video

35 th Shared Awareness Meeting 15 July 2020 Introduction and Area of Interest Brief Event Video Download: https://drive.google.com/file/d/1Esm3TR7TbwnFkoRQ52cv8LfhZy7ulrd3/view?usp=sharing Welcome Speech SLTC Gary Ow, Head IFC Mission To

622 views • 28 slides

More recommend