CERT


Speakers

Keynote Speaker

Martin Roesch
Chief Technology Officer, Sourcefire
Effective Network Security in a Dynamic World

Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer (CTO). A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts for Sourcefire’s commercial and open source product offerings. Roesch, who has nearly 20 years of industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Prevention and Detection System (www.snort.org) that forms the foundation for the Sourcefire IPS.

For more than a decade, Roesch has dedicated himself to developing intelligent network security tools and technologies to address evolving threats, applying his knowledge of network security to network threat analytics and network forensics for numerous government and multinational customers. Roesch has been interviewed as an industry expert in multiple technology publications, as well as print and online news services, such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort was named to InfoWorld's Open Source Hall of Fame and has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others.

Roesch has received a host of awards for his technology innovation and vision. Most recently, he was recognized as a 2010 Security Superstar by Everything Channel's CRN magazine "for the value his innovations provide partners and customers," and was selected as one of eWeek's "Top 100 Most Influential People in IT." Roesch holds a BS in Electrical and Computer Engineering from Clarkson University.


Invited Speakers

Aaron Bossert
Cyber-Threat Analyst
US-CERT
"Threat Analysis Through Visualization and Data Aggregation"

A new tool has been developed at US-CERT that combines COTS visualization tools and multiple data sources to "enrich" flow data. The resulting information is presented in such a fashion as to provide context around observed flow traffic to/from the enterprise. In addition to context, the visualization allows for multiple dimensions/views of the flow to be displayed on the fly. The added context and visuals expose more malicious activity than is possible to "catch" using just Netflow. This tool is currently a prototype but is in the process of being tested and implemented for several applications, such as watchlist analysis and creation.


Carter Bullard
President and CEO
QoSient LLC
"Implementing Packet Dynamic Awareness in Argus"

New ideas are needed to improve computer network defense with regard to scalable attack attribution (AA) and advanced situational understanding (SU). In this talk we will present one aspect of our efforts to investigate new network behavioral monitoring strategies in support of cyber-security situational awareness.

We present implementation details of inter-packet arrival analytics with particular focus on its support of Packet Dynamics awareness. We present packet timings as a new set of connection-level variables and discuss an implementation of a packet dynamic algorithm that detects human keystroke behavior in arbitrary bi-directional network flows in real-time. We discuss its implementation in Argus and how we use this new Packet Dynamic in near-real-time cyber-situational awareness systems.


Thayne R. Coffman
Chief Technology Officer
21st Century Technologies
"Lessons Learned from 10 Years of Network Traffic Analysis Research for the Defense and Intelligence"

In this presentation we will describe a variety of insights gained from 10 years of developing cyber network traffic analysis approaches and tools for the United States defense and intelligence communities. We will first describe the context of the lessons by briefly summarizing our background experience and relevant areas of work. Second, a small selection of insights will be described, such as the following three examples. Flexible multi-flow search patterns of medium complexity can be more useful and robust than very large and complex patterns; further, medium-complexity patterns are more easily integrated into exploration-focused analyst workflows used for detecting unknown unknowns. Anomaly detection offers significant long-term promise, but continued research into non-traditional approaches is needed; three areas that would benefit from additional exploration are the use of non-traditional features, the fusion of heuristic human expertise, and context-sensitive techniques. When building tools for government use, the customers' motivations, needs, and most effective sales strategies change as the tools mature from idea to prototypes to operational use. Also, government customers have significant interest in knowledge capture, mitigating analyst turnover, and easing the learning curve of inexperienced analysts.

We conclude the talk with recommendations and calls to action based on the insights presented. Discussion will emphasize the conference theme of maturing analytics from ideas to prototypes to tools. Discussion will also emphasize insights that may be unapparent to those outside the defense and intelligence communities.


Russell L. Couturier
Founder, CyberTap
"Search Engines as a Tool for Massively Scalable Network Forensic Analysis"

The use of open source search engine technology is rapidly advancing the capabilities of network forensics and analysis. Historically, network forensics relies upon multiple repositories of disparate evidence gathered from many tools (netflow analysis, log analysis, 3rd party solutions) and then "vertically" researched using a second set of tools similar to Wireshark.

Network forensic data tends to be archival in nature and unstructured in format. Network packets, log files, e-mail archives, and financial data have varying formats and must be homogenized for use by third party tools. Open source search engine technology provides a single rich repository of disparate, unstructured forensic data for forensic analysis. Search engines by nature provide a rich analytic interface for querying diverse data sets. Imagine being able to search your entire forensic repository in the same way you search the web. The presentation will focus on the use of free open source technology for forensic analysis, using SOLR/Lucene demonstrations and real world use cases that incorporate search engines.

Network forensic data are islands of unstructured information produced by a multitude of technologies with minimal standards for cooperative analysis. How do you correlate financial data, packet data, log data, and netflow data? The solution may entail the linking of packet headers, appliance log files, and invoice numbers. Search engines are thought of as a web solution for searching and presenting massive information repositories. Network forensic data are also massive repositories that can be searched and presented in a similar fashion. In fact, they are a perfect solution to combining the disparate islands of diverse unstructured data. Forensic data parallels the same data used by search engines (files, documents, video, logs, and archives). The technology is significant because it provides a new and innovative way to easily analyze a massive forensic data set.


Martin Drasar
RNDr.
Institute of Computer Science Masaryk University
"Brute Force in the Shadows—Evading Automated Detection"

Networks of today face a multitude of attacks of various complexities, but research of suitable defences is often done on limited or unsuitable datasets or insufficient testbeds. Therefore many proposed detection mechanisms are usable only for relatively small subsets of attacks which significantly disturb traffic patterns, such as flooding attacks or massive port scans.

At Masaryk University, which has about 15,000 networked computers, we employ a wide range of detection tools based on NetFlow, such as port scan, botnet, and brute-force attack detectors. Their initial versions proved to be useful for detecting attacks that generate significant behavioral changes in traffic patterns. However, we have found that there are several techniques to lessen the behavioral impact and in effect to hide an attack from the detection mechanisms.

In our presentation we will discuss three such techniques. The first one restricts the number of attempts in a given time window under the detection threshold. The second and the third ones mimic legitimate traffic either by inserting irregular delays between individual attack attempts or by exploiting features of protocols to create the illusion of legitimate traffic. These methods are inexpensive to implement, but they can be very effective for evading detection. Therefore we would like to raise awareness about them and their importance for designing new detection methods.


Joel Ebrahimi
Senior Solutions Architect
Bivio Networks Inc.
"Achieving Real Real-Time Context-Based Actionable Intelligence in Cyber Investigations"

Phishing. Spam Attacks. Viruses. Security Breaches. There are various types of cyber threats to be combated in today's fast-paced online environment. In this presentation, we will not focus on those types of cyber threats. We specifically address Law Enforcement Agencies (LEAs), which need tools to identify and track the faceless criminals posting serious threats in web 2.0 environments (via Facebook, blogs, Twitter, texts, smart phones, tablets, etc.). The good news is that government agencies and LEAs have a choice in the technologically advanced tools that they can use to track down individuals making unlawful threats. The bad news is that, frankly, there are a lot of tools, each with its own set of pros and cons.

During this presentation we will demonstrate a technologically advanced Layer 7 data capture solution that speeds the process of online cyber investigations. Plus we'll share the details of a cyber investigation case study involving a serious online threat and the steps taken to identify the individual behind the threat.

Rapidly capturing and analyzing data in order to respond to a complex threat is an enormous task. But with the right tools, navigating real-time actionable intelligence can be completed efficiently and quickly.


Sidney Faber
Member of the Technical Staff
Carnegie Mellon University
"Teaching Flow Analysis with Real Data"

Students in the Network Situational Awareness class at Carnegie Mellon University were given access to live flow data from the City of Pittsburgh's public Internet connection. We document the learning process students used to analyze flow data and gain situational awareness of the network, the value provided to the city's system administrators during the process, and pose this as a model for collaboration between local government and educators.


Joshua Goldfarb
Freelance Security Analyst
Your Cyber Analyst LLC
"Uber Data Source: Holy Grail or Final Fantasy?"

Traditional layer 4 metadata such as network flow data is extremely compact but provides limited context for network forensics investigations. Conversely, full packet capture provides full context for network forensics investigations but is extremely voluminous. Because of this, both data types are important for an organization to collect and store. In this talk we will ask the question: "Is there a happy medium between these two extremes through which we can reach network forensics nirvana?"


Michael Jacobs
Network Traffic Analyst
US-CERT
"Tracking Indicator Evolution Through DNS and Netflow Analysis"

During this presentation we will demonstrate the value of using multiple DNS sources, Whois data, and Netflow to track threat evolution. Applying specific methodology and tools, an analyst can continue to successfully identify malicious threats of interest over an extended period of time.


Kazunori Kamiya
Researcher
NTT Communications
"Visualizing Traffic on Routing Topology"

As flow technology is frequently used, it becomes an easier task to analyze traffic at a single place. However, to analyze what's happening in the network, it is important to analyze the traffic of several places simultaneously. For example, if traffic increases on one interface, traffic may decrease on another interface, and this suggests traffic fail-over.

In this presentation we will show the method to visualize traffic on routing topology, especially OSPF for internal traffic and BGP for external traffic. We show the effectiveness of visualizing topology with real examples of troubleshooting in our network. We will also discuss the separation of IPv4/IPv6 topology and traffic asymmetric routing analysis.


Vojtech Krmicek
Masaryk University
Faculty of Informatics
"Automatic Detection and Filtering of Network Attacks Using NetFlow"

Protecting a computer network against various types of network attacks is becoming more difficult due to the increasing speeds of current computer networks and due to new types of network threats appearing every day. NetFlow monitoring can be used to advantage to inspect all incoming traffic and detect attacks against monitored networks.

In this presentation we will describe five scenarios using NetFlow for an automatic protection of a local network: 1) NetFlow monitoring and remotely triggered black hole filtering; 2) NetFlow monitoring and firewalling; 3) NetFlow monitoring and phishing quarantine; 4) NetFlow monitoring and traffic shaping; and 5) NetFlow monitoring and counter-attacking. These scenarios will be illustrated using the example of an SSH brute force attack. Possibilities to use a hardware device for NetFlow monitoring and traffic filtering will be discussed and compared to software alternatives.


John McHugh
Senior Principal and Chief Analyst
RedJack LLC
"Indexing Flow Files to Improve Query Performance"

When an analyst needs flow data to perform an analysis such as the forensic evaluation of events surrounding a compromise or other incident, it may be necessary to search large portions of a SiLK archive to locate relevant records. This is especially true when it is of interest to ask questions like "What else has the attacker (or the victim) been doing in the interval before and after the incident?"

We have been developing a mechanism based on SiLK IP sets for determining which, if any, flow files have information involving the IP addresses of interest. In this talk we will discuss the indexing process and steps that could be used to make it even more effective.


Soumyo Moitra
Senior Member of Technical Staff
CERT/SEI
"Monitoring Trends in Network Flow for Situational Awareness"

In this talk we will describe a methodology for monitoring network traffic for significant changes through a comprehensive set of metrics. The goal is to provide information assurance analysts with an additional perspective on their network traffic. Tracking changes is important for situational awareness, since certain significant changes may indicate a need for closer attention, and these metrics will complement the current methods of monitoring to provide a more detailed view of network traffic patterns. Various time series analysis methods are applied to estimate these metrics. The metrics estimate relative changes in traffic patterns and can alert network security analysts to unusual and suspicious trends. These metrics can be displayed in a dashboard format and provide a dynamic multidimensional view of traffic patterns. This approach has not been used so far in network traffic monitoring for situational awareness.

The talk will discuss the relevance of these metrics, the methodology for estimating them, and their interpretation. The output of the methodology will be illustrated with an example. The talk is based on publicly available information, and the sources will be cited in the references section.


Tim Ray
Security Analyst
21st Century Technologies
"Augmented Netflow: Using Layer 7 Metadata to Enhance Netflow Analysis"

Netflow is traditionally an OSI layer 4 tool. It is very useful for analysis of source/destination IP pairs and classification of network conversations by protocol. It also allows measurement of data transferred (via byte count). It lacks most other detail but is very compact and searches well.

On the other end of the analysis spectrum is packet capture (PCAP), which captures everything about a conversation. This method is rich in detail but is bulky to store and hard to search. The next step in analysis needs to have more detail than straight netflow yet be more amenable to search and analytics than straight PCAP. The only question is: Where do we draw the line? 21st Century Technologies believes that the next step is to incorporate layer 7 metadata with layer 4 netflow. This method is supported by the excellent netflow collector YAF (a part of the CERT NetSA Security Suite). By incorporating layer 7 data, we not only get to see who is talking but how they are communicating. Furthermore, we can detect whether they are using a given application label for the intended purpose or whether it's a clever ruse disguising a malicious traffic flow. Finally, by careful management of the database and the actual data we extract from layer 7, we can minimize the storage hit. In other words, we can store many times the germane data that the same conversation record would occupy in PCAP, with concomitant search benefits, hardware overhead savings, and search horizon increase.


Timothy Shimeall
Senior Member of Technical Staff
CERT/NetSA
"Visual Displays of Network Situations"

For rational decisions to be made regarding network defense, managers must be able to build and use appropriate abstractions of information on which to base their decisions. In this talk we will synthesize together several bodies of work: logical reasoning, event management, and visual explanations of information. The result is a series of visual displays intended to inform decisions made for specific network situations, together with the principles and examples used in their synthesis.


Brian Trammell
Researcher
ETH Zurich
"Measurement for Cooperative Network Defense: DEMONS and BlockMon"

Increasing complexity in network security incidents and interconnectivity of applications and networks has led to an environment in which attacks are becoming more coordinated and cooperative. This situation clearly calls for cooperative network defense to leverage the same inter-domain relationships exploited by attackers for detecting and mitigating these attacks. The challenges in building a system to support cooperation in defense are not merely technical but legal and organizational as well. The FP7-DEMONS project is developing an architecture to enable such cooperation in light of these challenges.

One of the key realizations behind the DEMONS architecture is that data sharing is fraught with peril. The increasing scale of network traffic to be monitored has led to advances in packet capture and flow metering, but the flood of data these techniques produce strains our ability to effectively store and analyze it. Storage and analysis of unfiltered traffic data also has serious implications for the privacy and security of the monitored network and is also restricted by privacy laws and regulations. These realities limit "big data" measurement to single administrative domains in jurisdictions with privacy regulations that are favorable to measurement activities.

Instead of centralizing data collection, DEMONS seeks to move the code to the data. Within an administrative domain, a DEMONS deployment consists of a set of nodes, each of which can accept, process, and export traffic data; each may also have an integrated observation point for capturing packets directly. Each node runs BlockMon, a composable measurement system described in more detail below. The DEMONS architecture is limited to on-line processing of data, with limited retrospective analysis capabilities enabled through selective replay. The architecture is marked by a strict control-data separation, with all data export being pushed from component to component, and control interactions to start and stop measurement and export of results to a final collector or presentation layer. Measurement is made collaborative by exposing services provided by BlockMon across administrative domains via a well-known trusted Interdomain Exchange Point (IXP) at each domain. Enterprises or operators sharing intermediate data and results by participating in DEMONS are assumed to be covered by a consortium agreement, the terms of which can be enforced and verified by access control and auditing applied by DEMONS at the IXP. We rely on technical means for security and privacy protection where possible, but leverage legal and social means to strengthen this protection. In addition to monitored sharing of reduced data, the IXP can also host advanced cooperation mechanisms such as secure multiparty computation frameworks.

BlockMon is a composable measurement system supporting standards-based parallel streaming traffic data capture and analysis. Each node runs compositions, each of which is composed of a set of blocks. Each block implements a small indivisible step of a measurement analysis task. The splitting of processing into blocks achieves code reuse as well as parallelization gains: the connections between blocks are implemented as queues with optimized locking, each block can run in its own thread, and multiple copies of a block can read messages in parallel from the same source. This leads to much more efficient use of modern multicore hardware by parallelizing processing split into stages and allowing greater parallelization on more difficult stages of the workload. Connections among BlockMon nodes are achieved via IPFIX, as record interchange between blocks can be bridged to IPFIX data records through a built-in interface; in this way BlockMon can integrate seamlessly into standards-based streaming measurement infrastructures.


Sasha Velednitsky
Product Manager
NetFlow Logic
"High Performance Network Metadata Processing"

IT professionals increasingly are relying on network and security information to identify and counter malicious threats to their networks. In recent years, NetFlow/IPFIX output has been used to identify security-related events. Many vendors offer collectors and analyzers to sift through terabytes of NetFlow/IPFIX data, but only a handful of SIEM vendors have attempted integration of NetFlow information into their systems. At the present time some of them offer low performance proprietary solutions, while others require customers to install costly proprietary hardware. Until now no vendor has offered a solution which fosters real time translation of NetFlow/IPFIX data into the standard syslog format that is understood by all existing log collectors, log analyzers, and SIEM systems. NetFlow Logic bridges this gap with a new software product, NF2SL. By converting NetFlow into universally accepted syslog, NF2SL seamlessly integrates network traffic data and information about the network applications into security event analysis systems, thus allowing security analysts to react more efficiently to nascent security threats. NF2SL analyzes NetFlow/IPFIX traffic in real time and converts information found in NetFlow records into syslog messages according to policies and conversion rules configured by administrators. Organizations can thus integrate the NetFlow/IPFIX information from their network devices into their existing SIEM systems and syslog analyzers. NF2SL processes up to 350000 NetFlow/IPFIX records per second on a standard 8 core i86 processor.

Additionally, with today's NetFlow/IPFIX collectors it may take hours or days before security professionals can identify attempted intrusions. NF2SL can generate an alert within one second if the network administrator so desires.


George Warnagiris
Network Analyst
SEI/CERT
"The CERT Analysis Catalog"

The CERT Analysis Catalog is intended to be a living list of useful analytics for network situational awareness and threat detection. Techniques described in the catalog were gathered by reviewing CERT documentation and the FloCon archives and through interviews with some of the original members of the CERT Analysis Center.

In this presentation we will introduce the Analysis Catalog and review the history of network situational awareness techniques. Then the future of network data sources and analysis techniques will be discussed.


Stuart Wilson
CTO
Endace Technologies
"High Performance Netflow Generation Tools for Modern High Speed Networks from OC-3 to 100GbE"

We know that un-sampled Netflow is essential for robust behavioral security analysis, but un-sampled Netflow can be difficult to implement efficiently and thoroughly for high-speed networks, especially for WAN and 10GbE networks and above.

We will discuss the technical design challenges of implementing and verifying a range of robust, high-performance Netflow probes with low Space, Weight, and Power that can also deal with the most stringent requirements. We will describe how these products combine to efficiently solve a range of implementation configurations and requirements for LAN and WAN interfaces from OC-3 through 100GbE. We will also discuss the way in which these designs are architected to handle complex information such as is found on cellular networks, where attribution to the handset is required.


Tanja Zseby
Fraunhofer FOKUS/ CAIDA
"Entropy in IP Darkspace Data"

An IP darkspace is a globally routable address space that contains no active hosts. Analyzing the unsolicited traffic that goes into a darkspace helps to investigate large scale security incidents, network outages, and misconfigurations. Due to persistent malicious activities and misconfigurations, the amount of data received in a darkspace can be huge, and we need efficient methods to extract the events of interest from the overall data.

In this talk we will present results from the analysis of long-time observations from a /8 darkspace. Previous research has shown that the sample entropy is a suitable metric for detecting anomalies in IP traffic distribution. We investigate the usefulness of sample entropy as a metric to identify events of interest in darkspace. For the traffic analysis we are using the SiLK toolkit and statistical analysis in R.


Notice to Prospective Speakers: Submit Copyright Permission

Those session speakers and authors who have been approved to submit a paper for inclusion in the Symposium proceedings can now sign and submit their copyright permission online.

Please note that if you have been approved to speak and have also authored a paper, you must sign for both bodies of work. Additionally, each author must sign off on the copyright permission, not just the primary speaker or author.



FloCon is being held
January 9-12, 2012