behavioral analysis
play

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE - PowerPoint PPT Presentation

Feb 06, 2023 •175 likes •1.45k views

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE Security Researcher Previously: Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre rootaccesspodcast.com Behavioral Analysis VIDEO analyzing website visitors

  1. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  2. This one is ok… masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  3. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  4. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  5. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  6. masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  7. Found a bad one! masterbrand.com mathads.com mdswanson.com medicaresupplement.com metanetwork.net mfg.com mhthemes.com military.com ministerial5.com mixpanel.com mobileapptracking.com mom.me monarchads.com mrsteam.com msftncsi.com mshcdn.com myfonts.net myvzw.com newsinc.com nexage.com nextadvisor.com norcraftcompanies.com notanpest.net obtrk.xyz office.net

  8. That process is really tedious

  9. Tedious • Mostly Manual Process • Searching and Personal Expertise

  10. Automate Things • Auto-process Logs / Streams • Save it so it’s Workable

  11. Getting data • Log files • DNS, AD, System, Web, etc • Network Capture

  12. Have to Write Parsers • We all have custom data • Use whatever is easiest for you • Python h g U • Excel • R

  13. Creating a baseline • Counting Total Number of Domains • Getting “Scores” • Categorization

  14. DNS • Starting with data from OpenDNS • Over a billion queries per day - approximately 3% of the internet • How do you baseline that? (You need a LOT of that data - as in TB) • Can you baseline that?

  15. DNS looks like this

  16. Let’s try anyway • Count how many times a domain is seen • Over 10 times: Write to normal_traffic.txt • Under 3 times: Write to suspicious_traffic.txt

  17. 08/25/2016 17:20:00,s1.mohito.com,A,360,78.24.161.76 08/25/2016 17:29:00,hotspotcostablanca.ath.cx,A,60,81.36.140.179 9 Minutes of DNS

  18. 664,938 domains looked up wc -l 2016-08-25-17-20.myzPMsaJ 664,938 2016-08-25-17-20.myzPMsaJ

  19. File size of original logs, the normal_traffic and the suspicious_traffic output files

  20. Normal Traffic

  21. Suspicious Traffic

  22. Picking one ‘suspicious’ site Suspicious Traffic

  23. Looking at DNS requests for that ‘suspicious’ site

  24. It’s probably fine…

  25. Picking another ‘suspicious’ site More Suspicious Traffic

  26. Looking at DNS requests:

  27. Looking at the site (no longer available)

  28. Looking at categorization: Categorization

  29. We still have a lot that is uncategorized Categorization

  30. Look at the Bandwidth

  31. Total traffic by Minute

  32. Doesn’t mean much It’s random data from unrelated sources

  33. We must Narrow the Focus

  34. DNS One Organization

  35. 19,801,469 DNS Requests: For a 17 hour period:

  36. Looks like this. Lots of visits to directv.com

  37. Remove unneeded data, still a large file:

  38. Get rid of the obviously normal: Down to 493,351 DNS Requests:

  39. Get rid of additional normal domains Down to 1,320 DNS Requests:

  40. Graphing on a timeline, but it’s not too clean

  41. Graph by domain and visit count (with some mistakes)

  42. Auto processing through past data can take a toll 2 GB File: Taking forever

  43. DNS • Looking at DNS traffic on the wire • Processing with various tools • Python • Pandas, etc…

  44. DNS • Ran this on a system at home: tcpdump -i eth1 -j host port 53 -tttt >> tcpdump.log eth1 is hooked up to a network tap watching traffic between the routers internet port and the cable modem

  45. It looks like this: 12:56:37.854306 IP 73.202.157.15.53018 > 208.67.222.222.53: 46044+ A? apple.com. (27) E..7..@.@...I....C..... 5.#.w.............apple.com..... 12:56:37.854517 IP 73.202.157.15.2461 > 208.67.222.222.53: 18586+ A? calendar.google.com. (37) E..A..@.@...I....C.. .. 5.-.xH............calendar.google.com..... 12:56:37.854681 IP 73.202.157.15.25959 > 208.67.222.222.53: 17850+ A? 1-courier.push.apple.com. (42) E..F..@.@...I....C..eg.5.2V.E........... 1- courier.push.apple.com..... 12:56:37.854906 IP 73.202.157.15.15125 > 208.67.222.222.53: 63415+ A? 14-lvl3-pdl.vimeocdn.com. (42)

  46. Just the time, domain and visit count

  47. Graph by domain and visit count

  48. This is anomalous:

  49. See if we can get an idea of network behavior from patterns Compare Traffic

Recommend

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth

A Behavioral Analysis of the DSM-5 Criteria for Autism: Failure of Normal Back -and- Forth Conversation Mark L. Sundberg, Ph.D., BCBA-D (www.marksundberg.com) Introduction The historical progression of behavior analysis and autism

168 views • 16 slides
A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences

A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences

A Brief Introduction to Behavioral Economics A field that Integrates behavioral sciences (psychology, sociology) into analysis of human decision-making. Assumes decision-making behavior can be irrational, too, not only logical

306 views • 7 slides
Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program

Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program

Applied Behavioral Analysis 2019 CPT Code Crosswalk HEALTH SYSTEMS DIVISION Medicaid Program Unit Applied Behavioral Analysis ORABA Presentation Introduction Purpose 2019 ABA code crosswalk Information about current work

347 views • 13 slides
Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly

Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly

Nevada Department of Health and Human Services DIVISION OF PUBLIC AND BEHAVIORAL HEALTH Gaps Analysis of Behavioral Health Services Updated Presented by: February 5, 2014 Kelly Marschall, MSW Legislative Committee on Health Care Purpose of

880 views • 55 slides
How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in

How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in

How bluetooth may jeopardize your privacy. An analysis of people behavioral patterns in the street. Vernica Valeros, Sebastin Garca MatesLab Hackspace, Mar del Plata, Argentina {vero.valeros,eldraco}@gmail.com Abstract

393 views • 18 slides
CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National

CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National

CAFE Standards and Behavioral Welfare Analysis Hunt Allcott New York University and National Bureau of Economic Research Agenda What are internalities? Why internalities are important for CAFE Measuring internalities Behavioral

507 views • 25 slides
Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari

Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari

Behavioral Study of Bot Obedience using Causal Relationship Analysis Pekka Pietikinen, Lari Huttunen Oulu University Secure Programming Group Botnets have become an increasing menace Tens of strategically placed hosts to hundreds of

164 views • 15 slides
Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards*

Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards*

Behavioral Economics and the Conduct of Benefit-Cost Analysis: Towards Principles and Standards* Prepared for: Developing Standards for Benefit-Cost Analysis Conference October 18-19, 2010 Washington, DC Prepared by: Lisa A. Robinson,

621 views • 14 slides
BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE

BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE

BEHAVIORAL FINANCE: USING IT TO MAKE YOUR TECHNICAL ANALYSIS MORE PRODUCTIVE HOW TO LEARN MORE IF YOU WISH Don Cassidy www.R-I-I.org Don Cassidy Founder and President Retirement Investing Institute www.

558 views • 37 slides
Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and

Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and

A W ELFARE C RITERION F OR M ODELS WITH D ISTORTED B ELIEFS M ARKUS B RUNNERMEIER , A LP S IMSEK & W EI X IONG Welfare Analysis for Behavioral Models Vast evidence on people holding wrong beliefs and making inefficient decisions. e.g.,

768 views • 24 slides
The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral

The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral

The Behavioral Health Workforce Gail W. Stuart, PhD, RN 55% of US counties have no behavioral health provider 77% have unmet behavioral health needs Plagued with shortages and maldistribution CALL TO ACTION 2007 Mental

391 views • 15 slides
Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health

Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health

Behavioral Health ASO Overview Rebecca Frechard, LCPC, Deputy Director Medicaid Behavioral Health Division Behavioral Health System of Care Workgroup: October 23, 2019 1 Behavioral Health ASO The Administrative Service Organizations (ASO) is

100 views • 7 slides
Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT

Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT

Louisiana Behavioral Health Partnership A New Approach to Behavioral Health LOUISIANA DEPARTMENT OF HEALTH AND HOSPITALS System is fragmented: No clear single vision for how the state serves children and adults with significant behavioral

335 views • 8 slides
Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and

Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and

Behavioral Health Hom e Plus and Optim al Health James Schuster, MD, MBA CMO, Medicaid, SNP, and Behavioral Services UPMC Insurance Division What is a Behavioral Health Hom e? A behavioral health home (BHH) is a service delivery model that

606 views • 25 slides
Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral

Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral

Behavioral Health Clinics (BHCs) New Options for Providers of Community-Based Behavioral Services June 2018 www2.illinois.gov/hfs 1 1 Behavioral Health Clinics Webinar Housekeeping Items: Phone lines are in listen only mode

391 views • 22 slides
Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services

Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services

BOSTON PUBLIC SCHOOLS Office of Special Education and Student Services BOSTON PUBLIC SCHOOLS Department Name Applied Behavioral Analysis (ABA) Increased numbers of Students Receiving ABA Services students identified annually 700 and

304 views • 3 slides
Behavioral Health Services COVID Check In Department of Health Services Behavioral Health

Behavioral Health Services COVID Check In Department of Health Services Behavioral Health

Behavioral Health Services COVID Check In Department of Health Services Behavioral Health Services Ryan Quist, Ph.D., Behavioral Health Director March 23, 2020 Evolving Situation Working in collaboration with Public Health Materials

366 views • 9 slides
Behavioral Health Presentation Division of Public and Behavioral Health Amy Roukie, BS/MBA

Behavioral Health Presentation Division of Public and Behavioral Health Amy Roukie, BS/MBA

Brian Sandoval Richard Whitley Governor Director Behavioral Health Presentation Division of Public and Behavioral Health Amy Roukie, BS/MBA Deputy Administrator- Clinical Services February 2017 Helping People. Its who we are and what we

419 views • 21 slides
Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2)

Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2)

1 Intro 2 Euler puzzle 3 Health 4 Savings 5 Risk and insurance 6 Technology 7 Labor 8 Firms 9 Social prefs 10 Psychology References Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2)

1.84k views • 106 slides
Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2)

Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2)

1 Intro 3 Health 4 Savings 5 Risk and insurance 9 Social prefs 10 Psychology References Behavioral Development Economics Chapter prepared for the Handbook of Behavioral Economics (Vol 2) [With edits from Vojt ech Barto s; see original

737 views • 55 slides
Office of Behavioral Health Community Behavioral Heath Community Prevention and Early

Office of Behavioral Health Community Behavioral Heath Community Prevention and Early

Office of Behavioral Health Community Behavioral Heath Community Prevention and Early Intervention Programs August 14, 2014 The Office of Behavioral Health (OBH) is within the Colorado Department of Human Services. OBH is the States

594 views • 40 slides
Behavioral Finance: The Collision of Finance and Psychology Behavioral Finance: The Collision of

Behavioral Finance: The Collision of Finance and Psychology Behavioral Finance: The Collision of

Behavioral Finance: The Collision of Finance and Psychology Behavioral Finance: The Collision of Finance and Psychology Presented by: Dr. Joel M. DiCicco, CPA Florida Atlantic University Order of Presentation Behavioral Finance 1)

304 views • 28 slides
Behavioral Health Services FY 2019-20 Budget Overview Department of Health Services Behavioral

Behavioral Health Services FY 2019-20 Budget Overview Department of Health Services Behavioral

Behavioral Health Services FY 2019-20 Budget Overview Department of Health Services Behavioral Health Services Ryan Quist, Ph.D., Behavioral Health Director MHSA Steering Committee February 20, 2020 Behavioral Health Services Overview

413 views • 12 slides
Agenda Classroom Management and Positive Behavioral Intervention & Supports (PBIS)

Agenda Classroom Management and Positive Behavioral Intervention & Supports (PBIS)

11/12/18 Classroom Management and Problem Behavior: Strategies for Success RENE DAMAN, PT, MS, BCBA, LBA JOSHUA PULOS Brief Overview of Applied Behavior Analysis (ABA) Agenda Classroom Management and Positive Behavioral

571 views • 21 slides

More recommend