My Security is a Graph –Your Argument is Invalid
Who am I
Gabe
• @gdbassett
• https://github.com/gdbassett
• http://blog.infosecanalytics.com/
• http://www.infosecanalytics.com/
• Information Security Analytics LLC
• Security Architect
• I love solving problems with graphs
HERE’S THE PLAN
Infosec + Graph Theory = Sexy Defense
Graph Theory and Infosec
• What are Graphs
• What can you do with them (the math stuff)
• Kill chains, attack paths, and attack graphs
• How to work with graphs
• What can you do with them (the infosec stuff)
• What I’m doing with them
WTF is a Graph
DATABASES ARE ABOUT RECORDS. GRAPHS ARE ABOUT RELATIONSHIPS.
Graphs/Networks are Easy
• Nodes/Vertexes
• Edges/Lines
When you put them together, you get a graph
Words
• Actor: Someone with free will
• Threat: A mean actor
• Risk: A potential future negative situation. Likelihood and Impact
• Vulnerability: A vulnerable condition. Something that increases risk likelihood
• Mitigation: A mitigating condition. Something that decreases risk likelihood
• Consequence: A negative event or condition
• Impact: Just how bad a consequence is
Math Happens Here
THE COOL THING ABOUT GRAPHS IS THAT MATH HAPPENS ALL UP IN THEM
Depth First Search
http://en.wikipedia.org/wiki/File:Depth-first-tree.svg
Breadth First Search
http://en.wikipedia.org/wiki/File:Breadth-first-tree.svg
PageRank – The Drunken Walk
http://upload.wikimedia.org/wikipedia/commons/f/fb/PageRanks-Example.svg
Hot Infosec Pro in Pony Tails
Shortest Path
http://www.cs.sunysb.edu/~skiena/combinatorica/animations/dijkstra.html
Centrality
http://en.wikipedia.org/wiki/File:Centrality.svg
Communities / Modularity
http://en.wikipedia.org/wiki/Community_structure
http://en.wikipedia.org/wiki/Modularity_(networks)
Bipartite Networks
Monopartite Networks
Bayesian Math
http://en.wikipedia.org/wiki/Bayes%27_formula
Kill Chains and Attack Graphs
Quick Example
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Lockheed Martin Kill Chains
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
ATTACK PATHS
Need:
• A threat
• Events
• Conditions
http://infosecanalytics.blogspot.com/2013/07/cyber-attack-graph-schema-cags-10.html
Attack Paths – Dave’s a FB Hacker
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my FB password (event)
• I have a weak FB password (condition)
• FB has password brute force detection (condition)
• FB doesn’t notice the brute force (event)
• Dave finds my FB password (event)
• Dave has my FB login credentials (condition)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page (event)
• Our bromance is outed! (condition)
Graphs in Infosec, 9/28/2013
Attack Paths – FB Password Brute Force
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my FB password (event)
• I have a weak FB password (condition)
• FB has password brute force detection (condition)
• FB doesn’t notice the brute force (event)
• Dave finds my FB password (event)
• Dave has my FB login credentials (condition)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page (event)
• Our bromance is outed! (condition)
Diagram annotations on this path: Impact, Mitigation, Vulnerability, Likelihood, Consequence
ATTACK PATH
Kinda looks like a risk…
ATTACK PATHS
Dave has Options
Attack Paths – Email Password Brute Force
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Attempts to brute force my email password (event)
• I have a strong email password (kind of) (condition)
• Dave finds my email password (event)
• Dave has my email login credentials (condition)
• Dave resets my FB password (event)
• Dave gets the reset email and sets my FB password (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
• Our bromance is outed! (condition)
Attack Paths – Phishing with a Link
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Emails me a link to a malicious website (event)
• I open the mail, click sh*t, and get pwned (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
Attack Paths – Phishing with Malware
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat) wants to embarrass me by posting our honeymoon photos on my FB account
• Emails me some custom pentest malware from Raphael (event)
• I open the mail, click sh*t, and run the malware (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
Only these 2 changed
Attack Path Attributes
Events and Conditions thanks to An Attack Graph-Based Probabilistic Security Metric – Wang et al
• Dave (a threat)
  • wants to embarrass me by posting our honeymoon photos on my FB account (attribute)
  • Has Raphael’s uberpentest malware (attribute)
• Emails me some custom pentest malware from Raphael (event)
• I open the mail and run the malware (event)
• My computer is infected (condition)
• The malware takes my FB authentication cookie (event)
• Dave uses it to authenticate to FB (event)
• Dave is authenticated as me (condition)
• Dave posts our honeymoon photos on my FB page
So Graphs are cool. How do I get me one?
Tools and Stuff
• Maltego: www.paterva.com
  • An infosec graph tool for threat modeling
• Gephi: www.gephi.org
  • A visual graph manipulation tool
• Neo4j: www.neo4j.org
  • A graph database
  • Cypher: A graph query language for neo4j
• Networkx: networkx.github.io
  • A python module for storing and using graphs
• Py2neo: py2neo.org
  • An easy python to neo4j binding
• Ubigraph: http://ubietylab.net/ubigraph/
  • Simple python binding to visualize graphs in 3D
• RDF: www.w3.org/RDF/
  • An easy way to describe graphs. (until you try and use it.)
• SPARQL: www.w3.org/TR/sparql11-overview/
  • Another graph query language, primarily associated with RDF
DEMO TIME
Let’s make an attack graph out of those attack paths.
Attack Path Summary

Actor (threat): Dave Kennedy…
Motive: wants to embarrass me by posting our honeymoon photos on my FB account. He…
Narrative: Brute forces my Facebook password, avoiding FB’s detection, gets my password, authenticates as me, logs into my account, and posts our honeymoon photos.
Consequence: Our bromance is outed!

Actor (threat): Dave Kennedy…
Motive: wants to embarrass me by posting our honeymoon photos on my FB account. He…
Narrative: Brute forces my email password. Resets my FB password & collects the new login from my email, authenticates as me, logs into my account, and posts our honeymoon photos.
Consequence: Our bromance is outed!

Actor (threat): Dave Kennedy…
Motive: wants to embarrass me by posting our honeymoon photos on my FB account. He…
Narrative: Has some leet PT malware from Raphael that he emails to me. I run it and infect my computer. He steals my FB cookie, authenticates as me, logs into my account, and posts our honeymoon photos.
Consequence: Our bromance is outed!

Actor (threat): Dave Kennedy…
Motive: wants to embarrass me by posting our honeymoon photos on my FB account. He…
Narrative: Sends me a malicious link. I click it and infect my computer. He steals my FB cookie, authenticates as me, logs into my account, and posts our honeymoon photos.
Consequence: Our bromance is outed!
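The demo step above (turning the four attack paths into one attack graph), as an added example that is not part of the original deck or the author's tools: it merges the paths on their shared nodes using plain Python dicts instead of networkx, enumerates the threat-to-consequence paths, and ranks which single condition, if mitigated, leaves the fewest paths. Node labels are shortened, constructed versions of the slide text.

```python
"""Attack graph built from the four slide attack paths (constructed example):
which single condition, if mitigated, cuts the most threat->consequence paths?"""

# Constructed: each path is the sequence of event/condition nodes from the
# threat ("Dave") to the consequence ("photos posted"); labels are shortened.
PATHS = {
    "fb_brute_force": ["Dave", "brute force FB pw", "weak FB pw",
                       "FB misses brute force", "has FB creds",
                       "authenticated as me", "photos posted"],
    "email_brute_force": ["Dave", "brute force email pw", "has email creds",
                          "reset FB pw", "has FB creds",
                          "authenticated as me", "photos posted"],
    "phish_link": ["Dave", "email malicious link", "I click link",
                   "computer infected", "FB cookie stolen",
                   "authenticated as me", "photos posted"],
    "phish_malware": ["Dave", "email malware", "I run malware",
                      "computer infected", "FB cookie stolen",
                      "authenticated as me", "photos posted"],
}

def build_graph(paths):
    """Merge paths into one directed graph (node -> set of successors).
    Shared nodes such as 'authenticated as me' are merged: that is what
    turns a pile of attack paths into an attack graph."""
    graph = {}
    for path in paths.values():
        for src, dst in zip(path, path[1:]):
            graph.setdefault(src, set()).add(dst)
            graph.setdefault(dst, set())
    return graph

def all_paths(graph, start, goal, blocked=frozenset()):
    """Depth-first enumeration of simple start->goal paths that avoid
    every node in `blocked` (i.e. a mitigated condition)."""
    found, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            found.append(path)
            continue
        for nxt in sorted(graph[node]):
            if nxt not in path and nxt not in blocked:
                stack.append((nxt, path + [nxt]))
    return found

def best_mitigation(graph, start, goal):
    """Rank intermediate nodes by how many start->goal paths survive if
    that node is mitigated; fewer surviving paths is better."""
    survivors = {n: len(all_paths(graph, start, goal, {n}))
                 for n in graph if n not in (start, goal)}
    return sorted(survivors.items(), key=lambda kv: (kv[1], kv[0]))
```

Calling best_mitigation(build_graph(PATHS), "Dave", "photos posted") ranks "authenticated as me" first with zero surviving paths, while blocking only "weak FB pw" still leaves three of Dave's four options open.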
THIS PREDICTS HUMAN BEHAVIOR
It doesn’t just predict infosec risks
Think Psychohistory
http://en.wikipedia.org/wiki/File:Isaac_Asimov_on_Throne.png
Infosec Things to do with Graphs
Make Pretty Pictures
Risk Management
Threat Modeling
http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/
Data Sharing
Diagram nodes of the DCES example:
• (A) ID: <value>
• (B) URL: <value>
• (C) DOMAIN: <value>
• (D) WHOIS: <value>
• (E) DNS QUERY: <value>
• (F) DNS RECORD: <value>
• (G) RECORD TYPE: <value>
• (H) DNS QUERY: <value 2>
• (I) DNS RECORD: <value 2>
• (J) RECORD TYPE: <value 2>
http://infosecanalytics.blogspot.com/2013/03/defensive-construct-exchange-standard-03.html
Intrusion Detection
Incident Investigation
Incident Documentation
My Tools

MY MINIONS
https://github.com/gdbassett/odds_and_ends/tree/master/minions
http://despicableme.com/post/1807
http://ihdwallpapers.com/minions_in_despicable_me_2-wallpapers.html#
DCES – Defensive Construct Exchange Standard
Diagram: DCES at the center, linked to each of
• DB Record
• Graph (networkx)
• XML
• Dictionary (JSON)
http://infosecanalytics.blogspot.com/2013/03/defensive-construct-exchange-standard-03.html
Moirai
Diagram components:
• Neo4J
• Moirai (Autobahn, py2neo neo4j connection)
• RPC PubSub
• Log Search Client
• Visualization Client
• GUI Client
• Security Proxy
• IDS Client
https://github.com/gdbassett/moirai
Visualization
http://linkurio.us/
http://keylines.com/
http://sigmajs.org/
Ghost in the Shell: Innocence
Other Ideas
• Offense:
  • Auto-attack down an attack graph
  • Automatic Pen Test Documentation
• Network Analysis
  • Collect information about your network, the devices on it and their attributes using a graph database.
In Summary

Bla Bla Bla Evil Haxors
(Credit to @451wendy)
Threats. Vulns. Scary
(Credit to @451wendy)
BIGNUM
• Hundreds of Threats
• Thousands of Attacks
• Millions of Logs
Solution: Graphs solve everything
(Credit to @451wendy)
Solution: ATTACK GRAPHS
(Credit to @451wendy)
Best & Unique Because…
• Is not antivirus
• Is not firewall
(Credit to @451wendy)
BIG DATA
Fastest Realest Time Because…
• Cloud
• Analytics
• Giraph (Hadoop but better)
(Credit to @451wendy), http://giraph.apache.org/
CYBER CYBER CYBER CYBER CYBER CYBER
CONCLUSION
Infosec + Graph Theory = Sexy Defense
Now you try!
LINKS
• My Blog: http://infosecanalytics.blogspot.com/
  • Has DCES, CAGS, Attack Path, CPT standards
• My Code: https://github.com/gdbassett/
• Maltego: www.paterva.com
• Gephi: www.gephi.org
• Neo4j: www.neo4j.org
• Networkx: networkx.github.io
• Py2neo: py2neo.org
• Ubigraph: http://ubietylab.net/ubigraph/
• RDF: www.w3.org/RDF/
• SPARQL: www.w3.org/TR/sparql11-overview/
• Visualization: http://linkurio.us/, http://keylines.com/, http://sigmajs.org/
• Lockheed Martin paper: http://goo.gl/pU2KXF
• Giraph: http://giraph.apache.org/
• Wikipedia Articles: Community structure, Graph theory, Depth-first search, Breadth-first search, Shortest path problem, Dijkstra's algorithm, Modularity (networks), Centrality, Bayesian inference, Bipartite graph, Psychohistory (fictional), PageRank