This webcast was originally published February 27, 2017
In this video, John and Rob discuss various network monitoring and security tools, highlighting their functionalities and applications in cybersecurity. They demonstrate the use of tools like Rita and LogRhythm’s Network Monitor, explaining how these tools can be used for traffic analysis, threat detection, and incident response. The video provides insights into setting up and customizing these tools to suit specific network environments and security needs.
Highlights
- The webinar showcased two free tools for network monitoring and analysis, highlighting their capabilities in real-time traffic visualization and anomaly detection.
- The session included live demonstrations of the tools, providing practical insights into their deployment and usage in real-world scenarios.
- The webinar emphasized the importance of using advanced network monitoring tools for effective cybersecurity, especially for detecting suspicious activities and managing network performance.
Transcript
Rob
Good idea.
John
We only got, like, a couple minutes.
Sierra
Hooray.
John
Recording. So. Oh, not bad. Got good. 300 people live. That’s good.
Rob
Rob’s here. I’m here. Yeah, some fun stuff.
John
And, Rob, you are going to talk about your, your free tool, right?
Rob
Absolutely.
John
Okay. Awesome. That is so awesome. Two free tools, one webcast. I’m sure there’s a joke there somewhere, but I’m not going to touch that joke.
Rob
Everyone’s going to be busy after this webcast because they’re going to have to go download both free tools and start playing with them.
John
Just that one, that little box at episode 500 that we got. That was so cool. M. Yeah, that’s really neat.
Sierra
Tim says he’s all giddy for this webinar. Sean says hi.
John
That’s, cool. I like those guys.
Rob
They’re good people.
Sierra
They’re so awesome. So, before we start, I just wanted to… This is Sierra from Black Hills Information Security. So thanks for coming, guys. And I just wanted to let you know that tickets for Wild West Hackin’ Fest, which is going to be this coming October, are going live right after this webcast.
So you can go to the address in the chat box and check it out. It’s very exciting.
John
So, I hear that Paul Asadoorian is coming.
Sierra
Oh, yeah.
Rob
what am I speaking about? Have you picked, a topic for me to.
John
Dude, we’re co-presenting.
Rob
We are.
John
Oh, yeah. I don’t know what the hell we’re going to co-present on. We’ll have to figure something out. But what? I think we’ll be okay.
Rob
I think so. I think we’re going to flip a coin, or what? We’ll just let the audience pick the presentation from you and I, and then we’ll just present.
I like that.
John
Let them do thumbs up and thumbs down. That’ll be cool. All right, I’m now sharing out my screen, so they can see the title slide.
and we’ll start out with my stuff, and then when I bail, I’ll hand it over to you. Rob. Rob, do you have your slides ready to go, sir?
Oh, audio just went all like, Cylon.
Rob
Because we started the webcast, Rob. So John’s going to present Rita, the open source tool for network hunting.
And then Rob McGovern, from LogRhythm, will present on NetMon Freemium, which is a free software offering from our friends at LogRhythm.
That cool hardware device was one that John was talking about. The specs for that are buried somewhere in the Security Weekly wiki. I can dig that up. That’s not a hardware product from LogRhythm.
That’s a thing that you buy on Amazon for a couple hundred bucks.
John
Yeah, and it kind of goes to Paul. We absolutely love vendors who give stuff away for free. there are kind of people, especially cool things, network monitoring.
And that’s right up our alley for this particular webcast. So you want me to take over, sir?
Rob
Please do.
John
All right. Well, first off, thank you so much everybody, for attending. This isn’t the release of Rita. This is just another iteration, a release of Rita. And hopefully you guys will get an opportunity to install it.
In fact, I’m going to jump to the slide with the install instructions right here. So we’re kind of cheating. So if you guys could do me a favor: if you’re on the webcast, take a picture of your screen right now. These are the install instructions to get it up and running, and you guys can get it up and running while I’m presenting.
In order for it to work, you need to have an Ubuntu 16.04 Linux distribution. Linux Cinnamon works just fine. The system that I’m demonstrating it on, I actually have Linux running Cinnamon.
So we’ve got sudo apt-get update, sudo apt-get install git. And then we’ve got git clone, so you can copy over the code for Rita, and then you cd into the Rita directory and do a git checkout of the pre-release test branch.
Eventually this line won’t be needed, but this is just basically a pre-release. And then you run install.sh, and then you reboot, make sure Mongo is running, and then you too will be able to play along with our fun and games of playing with Rita and your Bro logs here as well.
So let me shut off my screen, go back to the beginning, come back if I get my mouse. There it is. All right, now we’re sharing the screen back again and we’re ready to go.
All right. Rita stands for Real Intelligence Threat Analytics. And the reason we created Rita, just for those of you that are new, is we created Rita specifically because we had a number of customers, whenever we were doing penetration tests, who wanted to be able to detect the types of attacks that we were doing.
When you’re using backdoors like dnscat, when you’re using backdoors like PowerShell Empire, when you’re using custom backdoors like VSAgent from Black Hills Information Security, or GCAT from Black Hills Information Security.
a lot of security products just don’t detect these things, and there’s a number of reasons why, and we’ll kind of get into that here a little bit later. But the point is that a lot of these products are not able to detect it because of what you have to do mathematically in the background.
So we’re going to be using some math. In this particular webcast, I’ll be sharing with you some websites as far as artificial intelligence and machine learning, which immediately makes a bunch of you just want to leave, because how many vendors do you have that are like, we’re using artificial intelligence and that’s how we’re securing the web, and it’s a load of crap.
we’re going to talk about what those algorithms actually are, what they actually do, how it actually works, and whether or not it is actually something that is effective at defending your environment or trying to find really bad guys on your network.
So these are some slides that Paul and I give at a lot of presentations. Paul, we talk about current strategies not working, and a lot of the current strategies not working is based upon the fact that we’re doing the exact same things.
We’re doing the exact same things we were doing five, six years ago. We’re doing the exact same technologies again and again and again, again and again: patch, AV, IDS, IPS. And a tremendous amount of what’s happening in the industry right now is we have a lot of vendors that are constantly trying to sell a silver bullet, not things that actually help you make intelligent decisions in your organization, giving you the information that you need to act in your organizations.
And that’s also one of the reasons why we’re very careful about which vendors we pick, to come on to security weekly and talk about their products and stuff on the show. They’ve got to be able to give back to the community as well.
And if we look at these trends for a lot of the silver bullet solutions that are out there, it’s the exact same tools, the exact same trends again and again and again. And we’re not really seeing things improve. We’re seeing the beginning of a bad pattern, show up.
Hey, guys. I would plug it in, but as soon as I do, my audio jumps over to that instead of my headphones. So, I’m sorry. I’m here in Scottsdale. You guys can come hang out. that’s cool.
Maybe you guys can sit behind me. So it makes it look like I have an audience and I got a posse. that would be pretty cool. So this is really what we’re trying to do. We’re trying to break this mold of doing the same thing again and again and expecting different results in the process.
So you have a number of different vendors that are out there. You’ve got IDS vendors, you’ve got AV vendors, you’ve got firewall companies, and we see the exact same technologies aligned in the exact same way.
And this conference, it’s been interesting. There’s a couple of students that have come up and talked to me, and they’ve told me that they have management that believes that security is a solved problem, that it’s an issue of just purchasing the right software, putting it in the right configuration, and then we don’t have to worry about ever getting hacked again as well.
So I’m going to actually turn around here. So I’ve got some people here. If you guys come up, sit in this row, I’ll turn around so you guys can see my screen. I know that that seems goofy, but the HDMI takes over the audio, and the, four or 500 people online need to be able to hear this as well.
All right, so now you guys can kind of see my screen a little bit. You guys could also join the webcast and watch it from your computer as well. so that would be good. That’s what you’re doing right there. Okay, that’s awesome.
so it’s our webcast link. All right. So we’re trying to get away from, trying to find vendor specific single shot silver bullet solutions. And this gets back to some key questions. If you look at our adversaries right now, if you look at China, you look at Russia, you look at the NSA.
these particular organizations are frightening. And these are the organizations that we have a lot of students, we have a lot of listeners to the show. We have a tremendous amount of people that we talk to at conferences. This is who they’re afraid of.
And as I like to say, don’t look at Vladimir Putin too long without a shirt or you’ll get pregnant, because he is just that awesome.
I like Pinky and the brain for organized crime as well. So the question is, do you think the adversaries we had on the previous slide have, the ability to bypass the limited technologies that we just mentioned?
And the answer is, absolutely, they do. So if you’re looking for a solution that is a silver bullet and it’s going to stop all advanced attacks, you’re never going to get that, ever. It’s never going to work. If you’re looking for a solution that’s going to give you information, that you can ask questions, you can ask questions effectively of your technologies and get answers, well that’s something that actually gives us a fighting chance.
That’s where we need to start going insofar as being a good security community and how we want to look at the different attacks. So let’s jump in and let’s talk about hunt teaming.
Hunt teaming is actively looking for advanced attackers. And this is one of those areas where Paul and I talk to a lot of CEOs, CFOs, CIOs, and they tend to say things like, unless a tool has automation, orchestration, a single pane of glass, I’m not interested, and that’s unfortunate.
We try to be very nice to those organizations; we understand where they’re coming from. But I would also like to have a pony with wings that farts Skittles. I would like a lot of things in life; I’m not going to get those things.
And the whole idea of orchestration and automation is really thinking that this is a solvable problem. And it kind of hit me earlier today, I was sitting around, I was thinking of this problem of having automated solution all the way across for computer security.
We deal a lot in BHIS with project management. There are tons of project management tools. You have lots of projects, you have lots of people working on those projects, you have lots of project managers, and it’s a continuous process, and very little of it is completely automated.
I mean sure there are certain parts that are automated, but the entire process itself needs to be driven and carried by human individuals because it is dynamic, it is constantly evolving.
If you’re looking at computer security, it’s a lot like project management. The projects that you’re working on now are not the same projects that you’re going to be working on twelve months from now. The security issues you’re working on now are not the same security issues you’re going to be working on three months from now.
So what we need is we need data, we need information so that we can make intelligent decisions as human beings. Last year about this time, Paul called me up and he said, he kind of came to an epiphany.
He was talking about a, tv show or it was an article you read, Paul, I can’t remember, but it had to do with chess, automated programs, and a relatively decent human being working with AI.
Insofar as chess was. And if you just have a computer program trying to play chess, it takes the most powerful computers in the world to be able to defeat a chess master. However, if you have artificial intelligence, really good computers, coupled with a really good human being, it’s almost unbeatable in that situation.
It is that pairing between information and a human being to review that information and getting them relevant information, that becomes so incredibly powerful in everything we do.
Also with, go ahead.
Rob
It’s really kind of what backs, up the mantra of you need people, processes, and technology all working together in order to solve the problems of project management or security.
and I think that that chess playing scenario definitely, backs it up and makes it more compelling than me just saying you need people, processes, and technology.
John
And it’s also hard, right? Because I’m teaching here at a SANS conference, and it’s like, what? You guys need? You guys need more training. Why don’t you write us another check? We’ll see you guys in a couple. It’s kind of got some people reaching for their checkbooks already.
They’re addicted. They have a problem. So what we’re going to do is we’re going to be looking for beaconing activity. We’re going to be trying to identify beaconing activity and some other anomalous behavior associated with network, traffic.
And the reason why we look at network traffic and we look for beaconing behavior is because we can create bottlenecks, or more accurately, there are bottlenecks on your network if you look at malware.
And one of the reasons why I hate threat intelligence feeds is because they offer this thing that we can create a YARA rule, an indicators of compromise rule, and we can search that out across our entire environment.
We’re going to find bad guys. And that’s not true. It doesn’t really work that way. However, if you’re looking at certain key points on what malware does, malware is going to try to persist, and malware is going to try to communicate back home.
And we don’t want to get into the persistence and trying to do agent analysis and try to figure out exactly what it’s doing on the endpoint, because there’s vendors that are doing that. Lots of them stay out of that market. That’s crazy.
But we can do choke points at the edge of the network. We can look at what’s leaving the network, the egress traffic that’s heading outbound. For example, we can look at DNS information, we can look at connection information, we can look at URLs and we can look at HTTP headers, we can look at X.509 certificates, because those are going to be choke points.
And if we can look at how that activity behaves with malware, instead of trying to write a signature, we can basically do some analysis using some algorithms. And I hate to say it, but artificial intelligence, we can actually be effective in trying to weed out and find potentially anomalous behaviors.
So yeah, there’s math, and I’ll share that math with you here in a little bit. So in short, what we’re trying to say and something that we’re working on really, really, really hard is going out, getting an automated can of spam and taking it home and saying, kids today, I killed this hickory smoke spam and I’m going to mount it on my wall.
It just doesn’t work. This is not hunting. Almost anything that you can do that can be completely quote unquote automated and orchestrated can be easily bypassed as well.
And I just realized something horrifying. In this screen, there’s actually spam spread. Like you can spread it on toast. What is wrong with these people? This is horrible.
But any type of canned solution, any type of solution that’s just packaging up all the answers for you is not hunting. It is also not going to be effective either. So we’re trying to find something that requires a human being to be active.
We’re trying to come up with something that requires a human being to interact, because only whenever it’s coupled with a human being, solid tools that gives them good intelligence do they make right decisions.
And really, honestly, if we’re going to let automated tools and all these things make decisions for us, we’re going to end up with Independence Day from Terminator. We just don’t want things hunting down Sarah Connor.
All right, also, what did you think computer security was ultimately going to be? This is a slide that we gave back at DerbyCon a while ago, and I like this slide just because it makes me smile.
we have Hackerman, and we also have this horrible scene with these two people trying to secure their networks by typing on the, same keyboard at the same time. Once again, I’m sure there’s a joke there, I’m not going to touch it.
But this is what we thought it was going to be like. We thought we were going to be awesome. We thought we were going to be dynamic. We thought we were going to be fighting the bad guys. We thought that, there, would be a relatively attractive person of the opposite sex that could work with us on the same keyboard.
None of that really happens. Instead, in computer security, what we actually got was basically waiting for messes. We’re waiting for the next breach. We’re waiting for the next act, and we have a cleanup on aisle three.
And when you show up to work, they’re like, I’m so glad you’re back. Someone pooped in the hallway. Or rather, somebody clicked a link. And now we have ransomware, on one of our workstations.
This is not what we set out to try to do. This is not what we wanted to have happen. So these are the install instructions for Rita. And the big thing that I want you guys to understand is a couple of things.
One, we basically made the installation of Rita as easy as possible. And the reason why we did that is because the install instructions were a bit onerous. We basically tell people, go out and get Golang and install
Rob
Go.
John
Go out and get Mongo and install Mongo. Go out and get Bro and install Bro. And it was really hard for a lot of people. I know I went through it a couple of times. If you make one mistake, it was problematic, and you would have these errors.
And it really stopped a lot of people from using our framework to do analysis of beacons, because they just couldn’t get over that initial hurdle. So we wanted to make it as simple as possible. So this version of Rita, our fantastic team, Joe and Lisa and Logan and Ben and Hannah, and we have a number of people that have been working very hard around the clock to get this to the point where you can run these commands.
And really installing Rita is just like two commands. It’s a git clone, and it’s install.sh. These other commands, sudo apt-get update and sudo apt-get install git, are what allow you to actually update your system, of course, which is important,
and also use the git framework to pull the software down and install it easily. Also, we use MongoDB. I would recommend, before you put this anywhere, make sure that it’s isolated, it’s on a SPAN port.
You can even use iptables to lock down access. Just basically block the Mongo port so remote systems cannot connect to it. But yeah, we use Mongo for the backend database because it can handle large datasets fairly easily.
So that’s how we actually get the Rita framework. And I want to talk about what Rita is. We’re going to talk a little bit about the mathematics, and we’re going to talk a little bit about doing beaconing analysis and how we really think that what we’re doing is actually fundamentally different than what a lot of people are doing.
And the goal of this, making all of this free and open source is ultimately to try to make the industry better. We’re not trying to, do anything crazy and stupid. We just want to see people get better at computer security.
So let’s start at the beginning. The name of the program, for those of you who don’t know, is Rita. It’s named after my mother. My mother passed away last September of pancreatic cancer. And as I told the people that attended last night, if you have to choose how to die, do not choose pancreatic cancer.
That is a horrible, horrible, horrible way to go. So my mom was a big part of Black Hills Information Security, a huge part of Black Hills Information Security.
she did all the accounts payable and receivable, working with my wife for a long time. and she spent a lot of time in the office in rapid, with all of our developers. In fact, they’re the ones that decided to name the tool Rita, not me.
I didn’t choose to name it after my mother. And, they worked with her on a very regular basis, and she was like a mom to the company, just a mom. Everyone has their own mothers, but she was like a mother to the company, took care of people.
I spent a lot of time talking with her about this project, and Paul is a huge part of this as well, because he was part of these conversations. The reason why we release this stuff for free is because we ultimately want the industry to get better.
To be completely blunt, there’s been a number of products out there that have not been effective at trying to sell a product in this arena, insofar as hunt teaming and beaconing analysis, because there’s no solid compliance standard that says that you absolutely must do hunt teaming.
Nothing in the 20 Critical Controls, nothing in NIST. Nothing about that at all says that you need to do hunt teaming, you need to do beaconing analysis. A large number of vendors don’t make it because there needs to be a business driver.
So we have an opportunity at Security Weekly. If you go back and you look at episode 500 of Security Weekly, which I strongly encourage you to do, it talks about what Security Weekly means to the people in Security Weekly.
And one of the reasons why we do Security Weekly, one of the reasons why we do SANS conferences, is because we have the opportunity to impact change. We are not trying to put our finger to the wind and say, what is the next big thing?
We are making the next big thing. And by we, I mean all of us: the people that are on this webcast, the students of 504, the people that listen to Security Weekly. We have an opportunity to do that.
And we’d like to think that Rita can be that testbed for the next big opportunity in this industry, not necessarily from financial perspective, but from the perspective of doing the right thing and being intelligent about how we approach doing analysis.
So what we want you to do is install it. We want you to use it, and we want you to give us feedback. We want you to let us know how we can make it more effective for you and what you do.
All right? So that’s how we actually get Rita and set it up. And I’m going to talk about using Rita here in a little bit. But before I do that, I want to talk about what it is we’re actually doing. First things first.
I’m just going to use, PowerPoint as a sketchpad. I’m going to create a new slide that’s blank here first. What I’m going to do is I’m going to install a, let’s just say that we have a firewall here.
Okay? So we have a firewall slash switch. It’s in your DMZ. On the inside of your network, you have your users.
Okay, let’s do this. Here we go. I’m just going to copy this. You have your users and, their network range is RFC 1918.
This would be your 10 network. This would be your 192.168 network. This would be your 172 networks. Those are your users now. Your users and your malware.
Go ahead and put it in. The malware are, trying to get out to the Internet. And I’m just going to have another box for the Internet.
Okay, so your users and your malware are trying to get out to the Internet where you would install Rita. The way that you would set this up as far as on your environment is you would put Rita here.
So you would find a SPAN port on this firewall or this switch, basically hang it off a SPAN port. And if you’re using Gigamon or anything like that, anything that has packet capture that kicks out pcap, that’s what we want to look for.
This would actually be plugged into a SPAN port before NAT, that’s before network address translation, in your environment.
That’s how you want to set this up. This is pretty easy. A lot of the vendors that are out there give you the capability to actually set that up, just like I have here. You have a switch that’s, on a, DMZ or an egress connection.
You have a firewall, you have a network appliance, and that network appliance has a port on it. You can basically span the traffic out and you can drop it down to Rita. And what this is going to show you is going to show you all the traffic that’s leaving your environment or part of existing communication coming back into your environment.
When you have this set up, you want to make sure that the box that you’re using is beefy enough to handle the traffic, because what Rita is going to do is it’s going to install Bro, it’s going to install MongoDB, and it’s going to install Rita on it as well.
So we’re going to receive that traffic off that SPAN port, and we need to make sure that Bro is configured in such a way that it can grab that traffic and then parse that traffic. We’re not trying to do full packet analysis.
We’re trying to stay away from signature based detection algorithms because those are very, very, very problematic, because the signatures go stale very quickly, and it’s very easy for the bad guys to bypass those signature bases as they exist.
So this is the architecture that you need to have. And to be honest, you probably have something very, very similar to this with an intrusion detection system or SIEM system for doing analysis. This is how you need to have it set up.
If you already have Bro set up, that works out really, really, really well. You can basically run Rita right on top of your Bro box, or you can have it automatically copy the logs over from your Bro sensor over to Rita, and then Rita can do analysis.
If you need help with that, please, please, please shoot an email to Paul and I. This is what we do for our customers to get this stuff set up and configured properly so everyone’s cool with the configuration.
That makes sense to everyone. We’re all good. Awesome. Now, once it’s set up and Rita is actually parsing the logs, what we do then is we do a, type of analysis that you can find online.
It’s called k-means and k-clustering. That was really dumb. I didn’t want to use Edge. Just felt dirty there. I’m going to use Chrome. All right, you want to get an idea of mathematically what’s actually happening?
I’ve kind of got it written out here. Here we go. K-means, k-clustering, is one of the algorithms associated with artificial intelligence.
And I don’t want to get too terribly crazy into that. I know that people like freak out associated with the algorithms, but we have the algorithms associated with k-means and k-clustering here on the Wikipedia article.
And anytime you’re talking to a vendor and they say they use artificial intelligence or they use machine learning, it’s going to be very similar to this. None of their algorithms that they’re using, for the most part, are patented, or they’re special and unique, snowflakes in any way.
It’s stuff that is readily available. So what this particular algorithm does, in order to understand it, and I talked about it last night when I gave this presentation to the attendees at SANS Scottsdale, is, it goes back to some philosophical questions.
So if any of you guys have ever read Plato, you absolutely should read Plato. Plato had this huge problem, that was basically what was a thing, right? So his point was, and it really kind of comes across a lot of people.
It’s like artsy fartsy type of philosophical questions, but it’s actually computer science questions. The question that Plato was asking is, how does a human understand that a thing is a thing? For example, if I have a marker, so how do I know that this is a pen or a marker or a writing utensil?
Because writing utensils can be thinner, they can be a pencil. This one has a little thing that actually pulls it back up and in others don’t. So when we’re looking at something and defining what a pen is, or we’re trying to define what a chair is, how do we actually know that a thing is what it’s supposed to be?
And he had this idea that, there was a perfect form of a chair, there was a perfect form of a pencil or a pen. It was the ideal.
And absolutely everything that we were looking at were merely shadows of that perfect ideal. And he kind of likened it to, we spend all of our time looking at shadows in a cave, trying to determine what the shadows actually are.
It’s pretty deep and profound. But hey, the dude is Plato. Turns out, like I said, this is a computer science problem. How do we define what a beacon is? How do we have a computer that’s designed in such a way that it can actually identify what a beacon is?
Because a beacon can be multiple different things. That’s k-means, k-clustering. So now let’s jump in to actually how this works.
So whenever you’re trying to define a beacon, this thing at the center. Let’s say that this thing at the center is a perfect beacon. Let’s imagine that this is, a three dimensional kind of plot.
We have the x, we have the y. We also have a z axis cutting through the middle of it as well. And there’s actually more ways that you can cut it, but we can talk about that more later.
So whenever you’re trying to define what a beacon is, you first have to set out and identify what a perfect beacon is. And the first way that we set out to try to define what a perfect beacon is, is connection interval.
Right? The connection interval is basically whenever, a connection is made. What is the interval between connections? So if you have, let’s say, a million, 2 million, a billion connections in your environment, and they’re all leaving all throughout the day, then we can look at those intervals and we can find pairings between two endpoints, an internal workstation and an external computer system.
And we can see how many times do they communicate with each other? And what is the interval of those communications? If you look at the communication pairings between an internal system and an external system, and it’s paired up in such a way that it always beacons at a perfect 10 seconds, that is a perfect connection interval.
If you look at it and it’s 2 seconds, it’s a perfect connection interval. If it’s five, if it’s 15, if it’s 20, if it’s a minute, as long as it’s consistent, it is a perfect connection interval. And we define that perfect connection interval right down here at the bottom where I have that big circle.
All right? And now I plotted some connections here. I basically created a cluster of little dots. And those clusters of little dots map the connections. And the reason why is because even though we can go out of our way to try to identify an absolutely perfect connection interval, you’re going to have jitter.
You’re going to have situations where that interval is less than perfect. It’s going to vary. It may be 10 seconds, it may be 10.1 seconds, it may be 10.5 seconds, it may be 10.2 seconds.
And that’s why k-means and k clustering is powerful: it allows you to basically have some variance. So you’re not looking for absolute perfect in machine learning. You’re looking for a cluster.
And as you can see here on the connection interval, we have a cluster. So we have a little bit of a cluster. So we can draw a circle around that and say, this isn’t an absolutely perfect interval, but we have a cluster of imperfect intervals.
This could be something that represents a beacon that’s connecting outbound. Is everyone okay? Everyone, we’re good. If you guys don’t understand what I’m talking about, I’m assuming that they don’t understand either, so we’re doing all right.
So that is a connection.
Rob
Hey, John, I have a question. The interval, is it an established TCP connection the whole time, if it’s TCP? Or are you counting the interval between the end of the previous connection and the start of a new connection?
John
So, whenever you’re looking at the interval, we’re using the interval connection time to be the same as the connection times that Bro establishes. So whenever Bro looks at a connection, I believe that Bro logs the connection when the connection ends.
That’s whenever the actual connection terminates. So that works well for, like, UDP packets. It works well for TCP packets, and that whole definition of time is very, very, very difficult, because it makes this type of analysis impossible working with a standard SIEM vendor.
And the reason why is the SIEM vendor doesn’t know how the device it’s receiving logs from is handling time. It may be logging at the beginning, it may be logging at the end. It may be logging whenever an agent collects it.
It may be logging it whenever it actually hits the SIEM. So this is very, very difficult to do, because you need to have that consistent connection interval. And that’s the reason why we went with Bro, is Bro has extremely consistent logging of how it handles the connections.
Rob
So.
John
Great question, Paul. All right, Sierra. Paul, do we have any other questions, or do we have people here typing in answers like Matt on the webcast?
Sierra
I left all the ones for you. So we have a question from Jeff. Is there any way to get Rita working on Ubuntu 14?
John
No, try to run it on a 16.04 system. We have tried to use that, but some of the packages now, the ones they point to for, like, Bro, and some things don’t work so well, so we have to find a distribution and stick with it.
And we decided to stick with Ubuntu and Linux Mint and Ubuntu-based derivatives.
Rob
I mean, you could. Could you create a Docker instance, John, and deploy that pretty much anywhere?
John
You could create a Docker instance, but I feel really uncomfortable if people are using, like, Ubuntu 14.
Rob
Yeah, I agree.
John
What about Kali? Never tried it on Kali. As long as it’s 16.04, it should work, but Kali has its own packages.
Sierra
Okay.
John
You’re gonna use a hacking distribution for your beaconing analysis. I like the way you think, sir.
Sierra
Does Rita look through Bro logs in an SQL database?
John
Does Rita look in Bro logs through an SQL database? Rita looks through Bro logs that are uploaded into a Mongo database or a SQL database. We do that because we can do select star queries on all the data.
And I’ll talk about ingesting the data and doing analysis on the data here in just a few moments.
Sierra
Then, curious why Mongo versus something like Elasticsearch, which has a better reputation.
John
Elasticsearch is a flaming turd. Stay away from it. I’m not going to mince words. You can try to use Elasticsearch. And I know that someone’s like, well, I can make it work on Elasticsearch. No, you can’t. Trust me.
I’m sure they’re typing in. Yes, we have. In fact, when we first started typing, or started using and creating Rita, it was on Elasticsearch. Elasticsearch is good for a lot of things, but doing select star from table queries, Elasticsearch doesn’t like that very much.
It’s very great for asking very pointed questions, but what we’re doing with Rita is we’re pulling all of the connections for an entire 24-, 48-, or 36-hour period and doing analysis on every single one of them.
And that’s where Elasticsearch just doesn’t handle that very well. At about 1.5 billion records, whenever you start making the types of queries that we’re making, Elasticsearch falls over.
Sierra
How about installing Rita on the Security Onion distro?
John
As long as it’s 16.04. Actually, Paul and I had a meeting with Doug Burks two weeks ago, and we’re currently in negotiations. Not negotiation, but we’re working with Doug on getting it installed as part of Security Onion at all times.
Sierra
Okay. Wow. We have a lot of questions, but.
John
I’m going to have to stop, because we have a sponsor, and I only have so much time, and I want to make sure that he can get his time as well.
Sierra
And like I said before, you guys can email us afterwards, too, if we don’t get your time.
John
Yes, yes, yes, absolutely. Email us afterwards. We like that a lot. We love getting emails about this stuff. So, connection interval is one way that you can look at a beacon, just one. The next way that you can look at a connection interval.
For example, tools like PowerShell Empire randomize their connection interval by introducing jitter. That means that the interval won’t be the exact same every single time. The other way that you can look at a beacon is you can look at data size.
Okay, that’s just yet another. It’s not that these are the only ways that you can look at beacons, it’s just yet another way to look at a beacon. So if we have a whole cluster of connections and they’re all 2K in size.
So let’s say that every single connection that’s made is 2K. Well, at that point we now have a very consistent data size. The interval may be random, but every time it makes a connection it’s 2K, 10K or 45K, I don’t know.
So we can establish a clustered pattern on data size as well. So that would be yet another way to look at beaconing. I’m going to go through and color code these because I think that’s pretty fun.
So we’ll go ahead and make this red and then we’ll go over here, we’ll make these clusters blue just so you guys can see that there is actually a difference between them. And then over here on this side we have data size.
We also can look at connection time, conn time. How long is the connection made?
How long is that connection actually made? In each situation it could be that that connection time, every single time it’s made, it stays established for a second or two.
All right, so we can have a cluster of connection times as well. And that’s basically, if they’re randomizing data size and randomizing connection intervals, well, now we have the possibility of looking at the time that it’s established.
Now there’s some other things that you can add in as well. And this is one of the things that we want people to give us, ideas on what they want us to do. We can do connection interval, connection time. We’ve got data size.
You could also do number of packets and a bunch of other fun things. Now if you look at my scatter plots, we have some situations where we have some outliers, like this guy right here, he is an outlier.
Let me do number of packets here. This guy out right here, he should be red. He’s not red, but he should be.
Let’s go through and highlight him and let’s make him a red dot. Okay, I’m giving up on the red dot thing. You have this one connection interval that’s way off the charts. Right. It didn’t match the pattern, but it’s between the IP addresses.
Whenever you’re dealing with k-means and k clustering, it’s actually smart enough to say this isn’t one that actually is perfect, but we have an overwhelming weight of the connection intervals that matches a cluster that matches the pattern that we actually have in place.
So then it’s going to give that a certain score and we score that data as well. So let me show you what it looks like. All right, so this is us running.
This is Rita 2. I’m going to try my best to make my font size bigger for this. And this is the output of Rita whenever it runs.
I’m going to go up and I’m going to show you what it looks like to ingest the logs here first. This is me just playing with it. Yesterday we had a number of things that we were working on. So this whole entire screen has the installation and it also has the database import of it as well.
So here I am, showing you beacons and I want to make this a little bit bigger. So let’s go profile preferences. One of the problems with this is you can’t really zoom in really well and go to a webinar. That is one of my big shots against it.
I don’t really like that very much, but it’s kind of hard to zoom in. But I can make my fonts bigger. All right, select. There we go. There it is. All right, so this is the output of Rita.
And as it is right now, after it loads it into the database and it does its analysis, it actually kicks out the output and it shows you the different columns. Now this is just the raw comma delimited files.
I wanted to show you guys the comma delimited output simply because I wanted you to know that you could import it into an Excel spreadsheet, you could import it into an Access database and you can handle that really, really well.
So that is the comma delimited data. Now you can also do this as well. Now what this does is it kicks out the header information for the database fields as well.
So my font is a lot larger, but it actually tells you what the header fields mean. So we have the score, we have the source IP address, destination IP address, the connections, the average byte interval, range, top interval, interval count.
All that mathematics stuff that we were talking about is actually here and it is present on the left hand side. You can see where we got 0.709686.
That is the score that we’re giving it. We’re spending a lot of time doing that scoring across the three different ways that we look at beacons and we look at doing an analysis. And I’ll show you what it looks like with a little bit better formatting.
So let’s go here, like, so go to profile preferences and I’m going to drop my font back down for a few moments. Let’s go ahead and drop it down to twelve. We do select, and there you can see the columns are actually formatted really, really nice.
And the only reason why it looked ugly was simply because of the way that the font was actually really large. So I’m going to put my font back because I want to actually show you some output right now.
The way Rita is set up is it does the beacons. It can actually show us the beacons and that’s cool. It can also do blacklisted analysis, which is very, very helpful as well. And I have multiple different databases that I’ve imported in this as well.
So these are all kinds of different Bro logs that I’ve done analysis on over the past, like, 24 hours, haven’t slept much. And you can see that we have a bunch of broadcast information in this output.
That’s because of where we captured the data. For this particular data set that I’m looking at. It was actually capturing data on a local switch. So we got a lot of layer two stuff. You have the ability in Rita.
Also, if you guys look at the readme, it has the ability of specifying a whitelist. And the whitelist will basically filter these things out. It will also filter out things like the Alexa top 500.
So if you’re not interested in people going to Google or beacons going to Gmail or beacons going to Office 365, then you can actually filter those out relatively easily. That is a whitelist capability.
So you have the ability of kicking it out in a table. You also have the ability of kicking it out in a comma delimited file.
Rob
Hey, John.
John
So you can see the data?
Rob
Yes, Paul, just a note on filtering. Some of what I’ve done as well is to make it go even faster when you import your Bro logs into anything. I’ll actually do some of the filtering on the Bro side.
John
Yeah, that’s a good idea.
Rob
There’s a couple different ways to do it. If you read the Bro documentation, it’s all documented in there. But I’m like, I really just don’t ever want to see this traffic. And I find it helps your analysis in general.
John
It does. This particular analysis that I’m looking at now is actually an analysis where we had a beacon going out, but we also had a beacon on the inside of the network as well. So I wanted to be able to capture that, so I had to cut through a whole bunch of really nasty stuff to get to it.
But it’s pretty quick to do when you have Rita. There’s something else I was going to say on the analysis side, but if you try to run Rita by itself, just run Rita, it’ll give you some usage information.
It’ll say I can analyze the data that’s been imported, I can delete a database, I can import data, I can reset the analysis, I can show beacons, show blacklisted IP addresses, show scanning data, and show the databases.
So in my instance of Rita right now, the databases that I’m working with now show two databases.
If I could type, it’s awesome. These are all the different imports that I have established, and these are all ad hoc scans. You can import and you can do analysis on ad hoc Bro logs.
So whenever we’re doing hunt teams for customers, they send us pcaps or they send us bro logs and then we can import them and then we can do analysis on them as well relatively quickly.
So that’s pretty cool. You can also configure Rita to where it automatically goes to a directory where Bro is logging and it will automatically import all of the data automatically loaded into a database, and it will put in effective dates for whenever it imported that data.
So you can do some trending and some analysis on the data as well. So very, very easy to use as far as setting it up, doing the imports, pulling the data, and doing analysis on the data. The whole point of this is to make this as easy as possible for you guys to get started doing some hunt teaming.
And it’s also kind of becoming an analysis engine for Bro. There’s Bro scripting as far as what you can do, and we found that Bro scripting is really powerful, it’s really, really cool. But when we start doing that large scale analysis across all the different connections, it really kind of gets to the point where it doesn’t quite cut it, especially when you’re looking at large datasets.
And that’s what this is for. Another note, my specific virtual machine that I’m using here, I have four cores in the virtual machine and I gave it eight gig of memory. When you’re doing this analysis and you’re working with every single connection, doing data analytics across every single connection, it is very, very, very hard to do it on a computer with one gig of memory and one CPU core.
Give it a lot of CPU cores, give it room to breathe, give it memory, and it’ll treat you very, very, very good. At least that’s what I found over the past couple of days. So that’s pretty much it for me.
I have four minutes to handle some more questions if you guys want to hand them over, but I do want to put up a final slide. You guys had the installation of Rita and you have the usage right here.
If you want to use Bro, you can use Bro and then you can import and analyze the logs. And I’ve given you the command to do Rita. Oops, I got to fix that command real quick.
Import, and PowerPoint fixed my i to make it an uppercase I. Thank you, PowerPoint. I hate you. Import, give it a path to your Bro logs and then you can do d, lowercase d, for a new database and it will import that data to a brand new database table.
And then when you’re ready to analyze and you have the data all set up, just dot, forward slash, Rita, analyze, and it’ll go through and do all the math associated with it. And then you do Rita, show beacons, and give it the database, and the h is what gives us the header information so it looks all pretty.
If you get rid of that h, it just kicks it out. Kicks it out to a comma delimited file and you can import and analyze it with anything that you want. All right, Sierra, give me a few more questions before I hand it over to our fabulous sponsor.
Sierra
All right, so real quick, where should it be placed? If you have a web proxy in your lan before your firewall?
John
You want to actually put it before that web proxy. And the reason why is because everything that comes from that web proxy is going to look like it’s coming from that web proxy and it’s going to blow all the analysis out of the water. It’s going to look like the web proxy is compromised.
It’s going to look like the web proxy is beaconing because there’s things behind it that are. So we need to be able to get those logs before it actually gets to the proxy.
Sierra
Can you send log data from a Palo Alto threat or traffic log to Rita?
John
It depends on how you’re actually doing it. If you’re trying to take the Palo Alto and take NetFlow data from the Palo Alto or logs from the Palo Alto, absolutely not. The reason why is because the way that they handle logging is all over the place.
Palo Alto and a lot of firewall vendors, they have different timestamp formats for how they handle it. A year and a half ago we thought that we could develop scripts that would ingest logs from Palo Alto for Net Cisco and we would have consistent beaconing on those products.
And we quickly found out that those vendors, within their separate product lines and versions handled data differently and it completely, completely messed up all of our data analytics.
That’s why we went with Bro. However, with Palo Alto, you do have the ability on some appliances to actually sidechain the data and drop it down. As long as it’s their own pcap, which any good product that’s out there today should be able to do, you’re going to be able to ingest the data.
Sierra
Is there a way to filter CDN traffic out of Rita? It looks a lot like command and control.
John
Yeah, absolutely. And that goes back to the whitelisting. A lot of what you have to do is actually change and pivot and look at the way that you do the data, and it does look like command and control, as does Skype, as does Dropbox, which they can actually be command and control channels, but that’s a topic for a completely different webcast.
But the point is, yes, you can, you can actually put in those types of filters at the top level domain or by IP address as well.
Sierra
Rather than use a full SPAN port, couldn’t you grab the same info using NetFlow or IPFIX?
John
Once again, it all has to go with how the format works. And when you start going down that path, you come up with 100 different vendors, with 100 different products, with a hundred different formats and how they actually handle that data.
And that was the trap that we were in two years ago. So I feel very, very comfortable answering this question and saying, please don’t do that. And I know that there’s some of you that are like, I’m going to do that because John doesn’t know what he’s talking about.
Someday you’ll try that and then you’ll meet me at a conference and I’ll buy you a beer and we’ll have a long conversation about where you went wrong. Please don’t do that. The reason why you shouldn’t do that is because the log formats are not consistent.
That’s why we went with Bro, because it is absolutely consistent. Any good product that’s out there has the ability to throw pcap. Throw pcap at it. Ingest the pcap, and you’re going to do great.
Do anything else, you’re going to be pulling your hair out.
Sierra
Okay. And the last comment that we have time for before John has to leave was, how are you so awesome? Genes, DNA. I need more Strand cereal for breakfast. Thank you. Thank you, guys.
John
I think Paul and I need to make it very, very clear. We’re on these webcasts. It is not just Paul and I that are doing this. Paul and I get to fly around. Paul gets to smoke cigars. I get to go to SANS conferences.
The reason why we’re awesome is because we surround ourselves with absolutely awesome people. Look at Security Weekly, the team that Paul has there. Look at the BHIS development team, from Joe and Lisa and Logan and Ben and Hannah and all these people.
We have awesome people working on this. That’s why this rocks. And really, we’re asking you for help. Go use it, run it. If you don’t understand something, by the way, we have an IRC channel on the git page.
Please log in, talk to us, use it, give it feedback. Let us know when it breaks so we can fix it. This is an open source project. This isn’t something that we just give away for free. And if you don’t like it, say, that sucks.
You have to come and help us make it better. All right? And that is it. Paul, I’m going to hand it back over to you guys for the rest of the webcast. I’m going to get out of here because I have students that are going to be filtering back in here. Some never left.
I feel for them. But, thank you so much for this, everybody, and I will talk to you guys all later. I’m looking forward to seeing your feedback on Rita. Thanks again.
Sierra
Bye.
Rob
Thanks, everyone. Sierra, did you want to make Rob the presenter?
Sierra
Sure.
Rob
Okay.
Sierra
So do you want to introduce Rob again? He has another free tool, I think, to talk about.
Rob
Yes. Rob McGovern is from LogRhythm, and LogRhythm, for some time now, has made available a free tool called NetMon, or Network Monitor Freemium.
It’s a completely free download from LogRhythm’s website. And I’ll turn it over to Rob to tell you all about it.
Rob
All right, well, thanks. I’m not as pretty as John, so I don’t have my webcam up. Network Monitor Freemium. Like I said, we’ve had a freemium version for a little while now.
We really did a big launch at Black Hat last year. But Network Monitor, whether it’s the freemium version or our licensed version, is all about incident analysis and ultimately incident response.
So I’m going to take the few minutes that I have and do a quick tour of what you would see if you have a Network Monitor hooked up, and then I’ll wrap it up by showing you where the resources are to go download Network Monitor, learn more about it and start playing with it.
I’m also going to do a little bit of a teaser. We are working on launching here in probably four to six more weeks a contest where not only can you download NetMon and play with it, but if you submit a dashboard or rule back to us, I have some nice big cash prizes coming out.
So pay attention to the contest coming up later. So when you log into Network Monitor, you start with what we consider our analyze dashboard. And what we’re doing is we’re looking at network traffic off of a tap or SPAN.
We’re classifying it all the way from layer two to layer seven. Right now, we’ll parse out around 3100 different applications, and then depending on the application, we’ll extract as much metadata as we possibly can from that session.
You also have the ability to save all the pcaps that you’re seeing. So it’s, again, a full security focused network analysis tool. It’s going to give you hunting dashboards, searching dashboards, automation, lots of great use cases.
So we can start with some simple things like I can look for any application, and one of my favorite ones to look at, especially this time of day, is Pandora. So in the last 15 minutes, I’ve had a couple of Pandora sessions. I can see that the source IP, which is going to be where it is inside of our environment, destination IP is going to be Pandora’s service.
I don’t care about that so much. But if I had a policy, for example, or said, hey, I need to monitor this, it’s really easy to find those. What’s fun is to expand our timeframe, maybe look at the last 24 hours, and it’s nice to see that nobody’s listening to Pandora from about, what, 06:00 until about 08:00 in the morning.
Talking about beaconing, this is a great way to take a quick look and see some odd looking traffic, is that if you see these gaps when you don’t have anybody in your office and they start filling up with interesting traffic.
That’s usually an indicator of something you want to go dive into more. So looking at top applications is fine. It’s kind of fun. I can see that, by volume, most of my traffic is HTTPS.
Right now I’ve got a little bit of SMB, some Elasticsearch going on. I know you said it was a flaming turd, appreciate that. Totally depends on the use case, and our use case, it’s actually working great for what we’re after, but I actually understand John’s viewpoint very well there.
And we can also look by packet count. So whether it’s by how much bandwidth we’re using or how chatty the sessions are, we can get a pretty good feel just of overall what’s going on in the network. I like a different view.
I like to look at destination port from a network management perspective. You learn an awful lot about what’s going on in your network by looking at where the traffic is going.
So in the last 24 hours I can see that about half my traffic is going to port 443, that should be mostly HTTPS. And then I’ve got some others that I’m classifying a little bit differently. So some Outlook, HTTP/2, Google and so on, and then some unclassified TCP traffic there that I might want to dig into because that’s stuff, something I don’t exactly know what it is.
Next highest is port 53. Should be 100% DNS. Command and control traffic, possibly. I’m looking at 99.86% DNS, so something’s odd there.
So let me drill into destination 53 and I’m actually going to say ignore DNS just by clicking on the minus here.
I also have some. What’s that?
Sierra
Can I ask you a question real quick? Is this windows based?
Rob
Sure. No, this is all a Linux based system. When you deploy Network Monitor we’re doing it on basically a bare virtual machine or bare metal.
And we drop a version of CentOS 7.3 and then lay everything that we need on top of it.
Sierra
Are you showing the free version or is this the full version that you’re demonstrating with?
Rob
There’s actually very little difference between the free and the full version except some data limits. So my answer is yes, I’m showing both the free and the full version.
Sierra
Awesome. Okay, sorry.
Rob
No problem. So now I’m looking at port 53, but I’m ignoring DNS traffic and I see that I’ve got some UDP, some broadcast data that I might want to take a look at.
I’ve got some Kerberos traffic that’s probably okay. And then I’ve got some unclassified TCP. This is potentially a little suspicious, because now I have something unknown happening on a well known port that supports a well known protocol that’s usually very open.
And I can mouse over again and see, well, okay, this is all coming from, or going to, basically two or three different destinations. And I can see where the source IPs are, and they’re all internal.
So I think this is all lateral traffic inside my own network. Probably not the first thing I’m going to go investigate, but it shows you how you can drill in and take a look. So let me go back up to the full traffic here, because not only can I see it in this donut-shaped pie chart, I can see the trends over time, which again helps me see odd things like I’ve got a big spike on port 8080 at.
What is that going to be, 01:00 in the morning? 8080, not a normal port. Probably some sort of web proxy web traffic. You might want to go take a look at what’s going on in the middle of the night when nobody’s here.
Got another spike here, port 53, another big kind of up ramp of HTTPS traffic. And now this is at three in the morning. So some things I might want to look at here in terms of anomalies, just visual anomalies, without necessarily putting the math behind it, I can correlate down here by looking at bandwidth versus session count.
So this is how many sessions, and this is how many or how much bandwidth. And I see the unusual thing here is I’ve got traffic on 445, not a port I’m familiar with, but it was a huge chunk of bandwidth, and it was all right in the middle of the night.
So this is one where, this is the kind of thing that I pester Greg Foss about. He’s our Office of the CISO security analyst. All the time I send him screenshots of this and say, what’s going on?
And then we dig into it and find out whether it’s suspicious, malicious, or just operational traffic that we didn’t know was there. And then over on the left, I can see kind of a summary view. How many different applications using port 443?
How many different applications using port 80? Do I want big numbers or small numbers? It’s going to depend an awful lot on the port as well as the total bytes and traffic count.
Rob
Rob, so how many different protocols are you able to identify?
Rob
About 3100.
Rob
That’s awesome. So this dashboard, I think, is very useful, right. As you can look at what’s a protocol I should be seeing, what’s not, what’s the distribution of the traffic, and then go by size and also by port, protocol or whatever.
I think that’s a great view of your network that you guys are giving away for free. That’s pretty cool.
Rob
Yeah. That particular dashboard, I have yet to go into a customer site or do a demo where I don’t open that dashboard and find at least something that’s interesting to talk about.
Rob
That’s a great test. I love it. Yeah.
Rob
Hey, Rob, which is kind of the definition of what you want on a hunting dashboard.
Sierra
There was one more question, Rob. It said, can the pcaps be exported from LogRhythm to an external machine for a Bro analysis, or are they in the standard pcap format?
Rob
They’re absolutely industry standard pcaps. And yes, you can export them. We even have an API tool for that. So one more dashboard I want to run real quick.
Just again, from a pure hunting perspective, is our direction dashboard. So this one we’re using what we call a Deep Packet Analytics rule to look at the source IP and the destination IP address.
And by looking at the address, whether it’s in the 10-dot and 192-dot, those internal LAN ranges, or if it’s an externally accessible IP address. And then we look at the bytes in and bytes out.
So which way are the bytes flowing? We can determine whether the network sessions are coming in as ingress, moving out as egress, or laterally moving between our own internal systems.
Now, generally speaking, I want to look at ingress and egress as a higher risk or higher information value than stuff that’s lateral. Lateral is usually a secondary search pattern for me. So I’m going to ignore my lateral traffic and see that over the last hour or so, the vast majority of my traffic inside of this particular view of LogRhythm’s data is ingress traffic.
I can see what it is in terms of applications. I’ve got some big spikes of HTTP, I’ve got an awful lot of Box, which is kind of normal for us, some HTTPS, Citrix Online, which happens to be the session that I’m on right now.
So I’m seeing myself talking. I can look real quickly at these applications and say, are they normal or are they abnormal? I can also correlate by IP address. So who are the top talkers of that ingress and egress traffic?
And does it cluster to one source? Or is it 100 applications all at the same time? Or 100 systems all at the same time doing the same things. So, in this case, I can see this chunk of HTTP traffic is very likely from this one particular IP address.
And this gives me great, rich information to then go look up what’s going on, have a real conversation, talk to the user, do whatever I need to do from an investigation perspective.
Egress traffic, I can look at the same thing.
Rob
I really like that, Rob, because I think one thing that it does is help you keep the reins in on your sysadmins when they’re like, no, we’re not doing that cloud deployment.
And then you’re like, well, why did all our servers just send gigabytes of traffic up to S3 or something? So it can help with those kind of anomalies where there’s changes in your IT environment that security’s not aware of.
Rob
Absolutely. We run into that all the time, because I’ve basically got a tap on our engineering and R&D group, and the number of times that they’ll run stress tests in the middle of the day and essentially bring the network to its knees.
And, of course, they won’t admit it. But now you’ve got the timeframe, you’ve got the source IP, the desktop, you’ve got the packets, you’ve got all that rich information to go have a conversation. It’s not assumption and finger pointing.
It’s evidence based.
Rob
I like it.
Rob
Then you can again take advantage of that classification and the metadata on any of these dashboards. So here I’ve just looked at unclassified TCP traffic, and I start seeing sort of regular patterns.
So I start beginning to think, is this outgoing traffic beaconing or not? And then I can tie or select a subset of this, potentially send it into RITA or another source for deeper analysis.
I also have this weird anomaly that all of a sudden I had a huge chunk of traffic come from this one particular machine at this one spot. It’s always fun stuff to go look at. I can drill into any of these and see all of the data I have available.
So IPs, MAC addresses, ports, duration. Depending on the application, I see all kinds of extra metadata. So if it was HTTP, for example, I would get the user agent, the raw header and so on.
So dashboards are cool. We do want some automation because, even though it’s never a perfect world, you definitely don’t want to have to do this over and over again, and you want to take advantage of what other people can build and do.
So we actually have a deep packet analytics engine that’s a rule-based scripting engine. It uses Lua as the rules engine, and we’ve written a bunch of default system rules that deploy with the machine, and you can also write your own and upload your own.
And they range from fairly simple. So let’s take a quick look at this one. This is looking at Pastebin as the application and then looking for any curl commands that are being passed to and from Pastebin.
This is kind of a well-known command and control hacking type tool. It’s kind of a quick check on network behavior. Another one that’s kind of fun, since we were talking about all of the Linux work, was looking at the dev packages.
So now we’re going to classify all of our Debian, FreeBSD, Mandriva, NetBSD, OpenBSD, Red Hat, any of those update channels. And we look at the packages that are being pulled, and if they include the word dev, we’re going to raise an alarm on it,
primarily to focus on putting development packages on production machines. But you can tune this or rewrite it however is appropriate. So I’ve got a number of these rules on, and I go to my alarms dashboard and see what’s firing.
And just in the last 15 minutes I’ve got a couple of cleartext passwords, two different applications going to probably the same system because there’s only one destination, and I’ve got a chat file transfer.
So somebody’s using a chat application and pushed a large block of data. That’s very likely a file transfer going on. I can take a look at any of these alarms. So here’s a detect cleartext passwords.
This happens to be going from our internal Artifactory setup. Our team is doing some migrations and moving things around. It’s the way we store our development artifacts, and unfortunately it’s using HTTP with basic authentication.
So we can actually do wonderful things like pull out the username, and here’s the server. And oh yes, they used a wonderfully secure password, even though we’re blanking it out.
So this is also the great fun one for us right now. You can see it’s hitting us with just an internal development environment. But when I run this in customer sites all the time, I see these single sign-on projects that people have done where they are exposing, without meaning to, their raw Active Directory credentials through basic authentication to whatever that third-party site is.
And it’s amazing how often that fires. And you see that case happen.
Rob
That’s awesome. I wish I had tools like this, RITA and LogRhythm’s Network Monitor, when I worked at a university. Largely, I was scripting everything on my own, based on logs and NetFlow.
This seems to be certainly a replacement for that with a whole ton of added functionality. I like the ability to customize rules, as those are going to differ per environment and as you do incident response.
Going back in and being able to customize a rule and look for certain patterns is something that I can see people doing a lot of.
Rob
Yeah, and that rule is just a Lua script. So if you’re used to writing Bro rules, it’s going to be the same basic structure and syntax, just with different API calls for how we run things.
Sierra
Hey, Rob, someone asked, is there a data limit for the free version?
Rob
For the free version, we cap it at analyzing up to one gigabit per second of network traffic. We cap it at three days of metadata storage, and we cap it at about one gigabit, or gigabyte, excuse me, of pcap storage.
So those are rolling buffers, basically. The other thing that’s a limit on the freemium version is that everything that you just saw, all of those alarms, as well as all the metadata and flow information, we’re sending on out of syslog to our SIEM environment.
And in the freemium version, all you see are the alarms and audit events. You don’t see the raw syslog.
Sierra
And what’s the URL to get this tool right?
Rob
About to get there.
Sierra
Okay, cool.
Rob
So, one last thing I want to show, since it stuck in my head: I did do a replay. So I replayed some pcaps that I had available, ran them back through Netmon, to see what happens. That’s a great way to build and run the rules.
You can see my alarms here in just a second, that I’ve got a new spike of alarms that just came in. This is all the pcaps that I just replayed. And so I’m looking at internationalized domain names, credit cards in cleartext, Social Security numbers in cleartext, a few other things that are triggering because I replayed the PCAP sessions.
We also have, and this is also good to know, a full audit log. So it’s an incredibly powerful tool. You can do amazing things if you’re sniffing network traffic. So we write an audit trail, basically, for every action you’re taking.
So there’s a good way to watch the watcher and control the power that you’re getting out of this. So I can go on and on about the Network Monitor, but I’m going to run out of time.
So let’s instead show you where you can get it and get more information. So to get Network Monitor, it’s logrhythm.com/freemium.
We’ll take you there, or logrhythm.com/networkmonitorfreemium if you want to go that route. There’s a download button here at the bottom.
This is kind of a registration tier on it. It’s actually not that different than the ones you go through with Splunk or Bro. And then you’ll get a link. When you get the links as an email, there’s two choices.
One choice is to download a VirtualBox image that we’ve already set up. It’s designed to run inside of a virtual environment, a VirtualBox environment on a laptop, that’s only going to sniff what the laptop is seeing.
So if you just want to get started and play with it, that’s a great way to go. The other download is our full ISO-based installer, and you can basically run that on either equipment you have available or load it into a virtual machine.
And what we talked about right at the very beginning was a small footprint, quantum, minicomputer, something that we’ve been playing with a lot.
You can find the blog for that. If you go to logrhythm.com blogs and look up the Netmon, we’ve got a step-by-step guide starring again Greg Foss, as well as a number of members of our development team, on how to build it.
It has the device we happen to pick. It’s this little five by five mini PC and then a passive tap.
This is a great toy. It really kind of showcases the product in a way that you can learn what’s going on. It’s also a nice incident response toolkit.
And actually, if you happen to be looking at the blog, there was one that we posted recently about a company called, Sarah Britain, who does exactly this. They take one of those mini demons, essentially, as part of their incident response toolkit, they drop it into whichever customer they’re working with, start capturing data, and as they’re doing their digital.
Sierra
I think we’re gonna have to stop you, because your audio. I can hardly understand you. I don’t know what happens.
Rob
Yeah, it’s difficult to hear you, Rob.
Sierra
Your audio, but I think we’re gonna have to, like, end the pod, the webcast. So, Paul, do you want to close it up?
Rob
Sure.
Rob
Yeah.
Rob
And I think what Rob was saying there at the end was, people use this in their incident response programs, installed on one of those little mini PCs, which I can certainly see an application for.
So, Rob, thank you very much for the presentation. Again, you can go to logrhythm.com/freemium and play around with the tool for yourself.
And it looks like you have a community set up. So if you have questions, you can go to LogRhythm’s community forum and ask away, or you can just email Greg Foss, which is what I do. But I think if everyone emailed Greg, you might get overwhelmed.
So definitely use the community first. And thank you very much, Rob. Thank you for that demo. And thanks, everyone, for tuning in. And thanks to John, who is now teaching a whole bunch of students on information security, which is fighting in and of itself.
Thanks, everyone, for tuning in. We’ll see everyone next time.
Sierra
Thank you. And remember to go get your Wild West Hackin’ Fest tickets. They are live now, so we look forward to seeing everybody there. All right, have a great week. Bye.