towards large scale incident response and interactive
play

Towards Large-Scale Incident Response and Interactive Network - PowerPoint PPT Presentation

Feb 01, 2024 •149 likes •790 views

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

  1. Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011

  2. April 21, 2009: Bad News for UC Berkeley 2 / 63

  3. Blind SQL Injection Havij ..?deploy_id=799+and+ascii(substring((database()),1,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<103 11582 ..?deploy_id=799+and+ascii(substring((database()),1,1))<91 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<97 31 ..?deploy_id=799+and+ascii(substring((database()),1,1))<100 11582 ..?deploy_id=799+and+ascii(substring((database()),1,1))=99 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),2,1))<103 31 ..?deploy_id=799+and+ascii(substring((database()),2,1))<115 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<109 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))<106 11582 ..?deploy_id=799+and+ascii(substring((database()),2,1))=105 11582 ..?deploy_id=799+and+ascii(substring((database()),3,1))<79 31 ..?deploy_id=799+and+ascii(substring((database()),3,1))<103 11582 ..?deploy_id=799+and+ascii(substring((database()),3,1))<91 31 Database name: ci... Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij 3 / 63

  4. Example: Debugging an APT Incident Advanced Persistent Threat (APT) Severe security breaches manifest over large time periods 1. Initial compromise: stealthy and inconspicuous 2. Maintenance: periodic access checks 3. Sudden strike: quick and devastating or 3. Continuous leakage: piecemeal exfiltration under the radar Analyst questions ◮ How did the attacker get in? ◮ How long did the attacker stay under the radar? ◮ What is the damage? ◮ Was an insider involved? ◮ How to detect similar attacks in the future ? ◮ How do we describe the attack? 4 / 63

  5. Incident Response Challenges and the Sobering Reality Challenges ◮ Volume : machine-generated data exceeds our analysis capacities ◮ Heterogeneity : multitude of data and log formats ◮ Procedure : unsystematic investigations Reality ◮ Reliance on incomplete context ◮ Manual ad-hoc analysis ◮ UNIX tools (awk, grep, uniq) ◮ Expert islands How do we tackle this situation? 5 / 63

  6. Thesis Statement Hypothesis Key operational networking tasks, such as incident response and forensic investigations, base their decisions on descriptions of activity that are fragmented across space and time : ◮ Space : heterogeneous data formats from disparate sources ◮ Time : discrepancy in expressing past and future activity Statement We can design and build a system to attain a unified view across space and time. past present future past present future 6 / 63

  7. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 7 / 63

  8. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 8 / 63

  9. Basic Network Monitoring Internet Tap Local Network Monitor ◮ Passive tap splits traffic ◮ Optical ◮ Coppper ◮ Switch span port ◮ Monitor receives full packet stream → Challenge: do not fall behind processing packets! 9 / 63

  10. High-Performance Network Monitoring: The NIDS Cluster [VSL + 07] Internet Tap Local Network Frontend Worker Worker Worker Manager Packets Logs State User 10 / 63

  11. The NIDS Cluster ◮ Contributions ◮ Design, prototype, and evaluation of cluster architecture ◮ Bro scripting language enhancements ◮ Runs now in production at large sites with a 10 Gbps uplink: ◮ UC Berkeley (26 workers), 50,000 hosts ◮ LBNL (15 workers), 12,000 hosts ◮ NCSA (10 × 4-core workers), 10,000 hosts ◮ Generates follow-up challenges ◮ How to archive and process the output of the cluster? ◮ How to efficiently support incident response and network forensics? 11 / 63

  12. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 12 / 63

  13. Use Case #1: Classic Incident Response Goal : quickly isolate scope and impact of security breach ◮ ◮ Often begins with a piece of intelligence ◮ “IP X serves malware over HTTP” ◮ “This MD5 hash is malware” ◮ “Connections to 128.11.5.0/27 at port 42000 are malicious” ◮ Analysis style: Ad-hoc, interactive, several refinements/adaptions ◮ Typical operations ◮ Filter : project, select ◮ Aggregate : mean , sum , quantile , min / max , histogram , top-k , unique ⇒ Bottom-up: concrete starting point, then widen scope 13 / 63

  14. Use Case #2: Network Troubleshooting Goal : find root cause of component failure ◮ ◮ Often no specific hint, merely symptomatic feedback ◮ “Email does not work :-/” ◮ Typical operations ◮ Zoom : slice activity at different granularities ◮ Time: seconds, minutes, days, . . . ◮ Space: layer 2/3/4/7, protocol, host, subnet, domain, URL, . . . ◮ Study time series data of activity aggregates ◮ Find abnormal activity ◮ “A sudden huge spike in DNS traffic” ◮ Use past behavior to determine present impact [KMV + 09] and predict future [HZC + 11] ◮ Judicious machine learning [SP10] ⇒ Top-down: start broadly, then narrow scope incrementally 14 / 63

  15. Use Case #3: Combating Insider Abuse Goal : uncover policy violations of personnel ◮ ◮ Insider attack: ◮ Chain of authorized actions, hard to detect individually ◮ E.g., data exfiltration 1. User logs in to internal machine 2. Copies sensitive document to local machine 3. Sends document to third party via email ◮ Analysis procedure: connect the dots ◮ Identify first action: gather and compare activity profiles ◮ “Vern accessed 10x more files on our servers today” [SS11] ◮ “Ion usually does not log in to our backup machine at 3am” ◮ Identify last action: ◮ Filter fingerprints of sensitive documents at border ◮ Reinspect past activity under new bias ⇒ Relate temporally distant events 15 / 63

  16. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 16 / 63

  17. Descriptions of Activity: Bro Event Trace ◮ Use Bro event trace → Descriptions of activity Logs Notifications ◮ Instrumentation: meta events ◮ Timestamp Script Interpreter ◮ Name ◮ Size Events Workload ◮ Generate from real UCB traffic Trace Details Event Engine ◮ October 17, 2011, 2:35pm, 10 min ◮ 219 GB Packets ◮ 284,638,230 packets Network ◮ 6,585,571 connections 17 / 63

  18. Event Workload of one node (1/26) 1.0 20000 0.8 Events per second 0.6 15000 ECDF 0.4 10000 0.2 0.0 5000 0 100 200 300 400 500 600 5000 10000 15000 20000 Time (seconds) Event rate (# events/sec) Estimator Events/sec MB/sec Median 10,760 13.4 Mean 10,370 14.2 Peak 22,460 35 → need to support peaks of 10 6 events/sec and 1 GB/sec 18 / 63

  19. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 19 / 63

  20. Requirements ◮ Interactivity ◮ Security-related incidents are time-critical ◮ Scalability ◮ Distributed system to handle high ingestion rates ◮ Aging: graceful roll-up of older data ◮ Expressiveness ◮ Represent arbitrary activity ◮ Result Fidelity ◮ Trade latency for result correctness ◮ Analytics & Streaming ◮ A unified approach to querying historical and live data 20 / 63

  21. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 21 / 63

  22. Traditional Views ◮ Data Base Management Systems (DBMS) ◮ Store first, query later + Generic – Monolithic ◮ Data Stream Management Systems (DSMS) ◮ Process and discard + High throughput – No persistence ◮ Online Transactional Processing (OLTP) ◮ Small transactional inserts/updates/deletes + Consistency – Overhead ◮ Online Analytical Processing (OLAP) ◮ Aggregation over many dimensions + Speed – Batch loads 22 / 63

  23. Newer Movements ◮ NoSQL + Scalability – Flexibility ◮ MapReduce + Expressive – Batch processing ◮ In-memory Cluster Computing + Speed – Streaming data, initial load 23 / 63

  24. Outline 1. Prior Work: Building a NIDS Cluster 2. Use Cases 3. Workload Characterization 4. Requirements 5. Related Work 6. Architecture 7. Roadmap 8. Summary 24 / 63

  25. VAST: Visibility Across Space and Time VAST ◮ Visibility ◮ Realize interactive data explorations ◮ Across space : ◮ Unify heterogeneous data formats ◮ Across time : ◮ Express past and future behavior uniformly past present future 25 / 63

Recommend

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo!

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo!

Incident Response in Large Complex Business Environments Ramses Martinez Ismail Guneydas Yahoo! Agenda 1. Definitions 2. Challenges 3. Solutions 4. Case Studies Definition of Large &amp; Complex 1. Scale: &gt;100k Production

276 views • 14 slides
Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp;

Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Incident Response &amp; Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent &amp; capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&amp;A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline

Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline

Evaluating Dem and Response in Large Scale Pow er System Studies Niamh OConnell Outline Integration Studies and Demand Response Modelling Demand Response for Large Scale Integration Studies Study Outline Study Results

270 views • 16 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP

BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT BALTIC SEA MARITIME INCIDENT RESPONSE GROUP PROJECT MIRG OOERATIONAL GUIDELINES The project developed the following operational guidelines: 1. Assessing the Safety Status of a Vessel

598 views • 16 slides
Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation

Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation

Dremel: Interactive Analysis of Web-Scale Datasets CS 744 BIG DATA PHIL MARTINKUS Motivation Large Scale Data must be accessible to analysts and engineers Interactive queries are important for data exploration, monitoring, online customer

354 views • 18 slides
An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow

An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow

An Interactive Web Based Platform for Modeling and Analysis of Large Scale Argus Network Flow Data Angel Kodituwakku J.T. Liso Dr. Jens Gregor Jan 10, 2018 This material is based upon work supported by the National Science Foundation under

408 views • 26 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson,

Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson,

Utilizing Large-Scale Randomized Response at Google: RAPPOR and its lessons lfar Erlingsson, Vasyl Pihur, Aleksandra Korolova, Steven Holte, Ananth Raghunathan , Giulia Fanti, Ilya Mironov, Andy Chu DIMACS Security and Privacy Workshop (April

833 views • 44 slides
Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored

Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Sponsored By: Planning for the Worst: The Role of Incident Response, Before Youve Had an Incident Visit www.advisenltd.com at the end of this webinar to

498 views • 18 slides
Interactive Remote Large-Scale Data Visualization via Prioritized Multi-resolution Streaming Jon

Interactive Remote Large-Scale Data Visualization via Prioritized Multi-resolution Streaming Jon

Interactive Remote Large-Scale Data Visualization via Prioritized Multi-resolution Streaming Jon Woodring, Los Alamos National Laboratory James P. Ahrens 1 , Jonathan Woodring 1 , David E. DeMarle 2 , John Patchett 1 , and Mathew Maltrud 1 1 Los

299 views • 29 slides
Multiresol olution M on Method hods f for Large-scale L Learni ning ng @ @ NIPS 2 S 2015

Multiresol olution M on Method hods f for Large-scale L Learni ning ng @ @ NIPS 2 S 2015

Multiresol olution M on Method hods f for Large-scale L Learni ning ng @ @ NIPS 2 S 2015 Ily lya Safro ro Clemso son U Universi sity Multigrid-inspired Methods for Large-scale Networks Fast Response to Infection Spread (with S.

796 views • 56 slides
Dynamic Response of a Large-scale Prestressed Concrete Girder Bridge Subjected to Hurricane Wave

Dynamic Response of a Large-scale Prestressed Concrete Girder Bridge Subjected to Hurricane Wave

Civil &amp; Environmental Engineering Session: Bridge Survivability under Extreme Multi-Hazard Loading Dynamic Response of a Large-scale Prestressed Concrete Girder Bridge Subjected to Hurricane Wave Forces Thomas Schumacher, University of

397 views • 29 slides
Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security

Detection and Incident Response With osquery Javier Marcos @javutin $ whoami Security Engineer/Incident Responder Open source contributor (github.com/javuto) Former IBM, Facebook, Uber and Airbnb Current BitMEX Agenda Part 1:

981 views • 59 slides
PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub

PhiGARo: Automatic Phishing Detection and Incident Response Framework Martin Husk, Jakub egan {husakm|cegan}@ics.muni.cz ECTCM 2014 Fribourg, Switzerland Outline Introduction, Phishing incident response, PhiGARo (phishing

270 views • 23 slides
Cyber Up! Digital Forensics &amp; Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics &amp; Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics &amp; Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

712 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides

More recommend