Beyond Attack Signatures: Leveraging Real-time Security Analytics to Pinpoint Threats

Check out this on-demand webinar by Neal Hartsell, Click’s VP of Marketing & Product Management.


Today’s security event monitoring and correlation tools are under enormous pressure. Security analysts are inundated with data, yet instead of gaining insight they find it harder than ever to sort through that data and locate the real events that need attention. The next generation of security tools claims to process much larger and more varied data sets, run deep-dive security analytics in real time, and rely more on intelligence than on attack signatures. But what does this actually mean?

  • How do I collect the right data?
  • What kinds of new detections can I do?
  • How do I get enough context to overcome false positives?
  • How do I automate more of my security intelligence, or the intelligence of others?
  • What should I look for in a solution?
  • How is this different from my SIEM, IDS/IPS, and Advanced Malware Detection products?

These and other questions will be addressed to shed light on what has quickly become a market space of tremendous promise, but one that is currently shrouded in confusion.

Finding a Heartbleed…maybe I have a future as a Cardiothoracic Surgeon.


We here at Click Labs are pretty passionate about finding interesting patterns in data, especially when those patterns lead to a compromise or some other activity of interest. In light of the recent Heartbleed announcement, we have been playing with data to see if we could find any patterns that might indicate attempts to use the Heartbleed vulnerability. Our constraints were: we could use only IDS signatures to verify findings, and we had to use data that we already had. We also tried to come up with a technique that would be applicable across several types of data and not tied directly to a specific product (although we used only one source of data for our analysis).

As the basis for this analysis, we looked for a common Heartbleed pattern: significantly less information is sent to a server than is received from it. Most descriptions of the attack reference a small heartbeat request producing a response of up to 64k. That’s a huge discrepancy that we can take advantage of.

Our first step was to see if our hunch was correct. We gathered a handful of PCAP files that contained known exploit attempts and made some basic observations. The following records are from a Bro connection log:

[Screenshot: Bro connection log records from the exploit-attempt PCAPs]

We can see that there’s often less information sent (450, 233) than received (1971, 17871). This type of information is generally available via flow logs as well, meeting our requirement not to be tied to a specific product. The next step was gathering more information to look for bigger and better patterns.

We gathered 3 million flow records of SSL traffic. That’s not a lot of records, but it seemed like a good number to start with. We narrowed the data down to records that were coming into the various organizations from external IPs. This left us with about 60,000 flows (ahh, the powers of data reduction). From the remaining data we removed six sessions that had 6 bytes sent and 0 bytes received, calculated the ratio of bytes sent to bytes received, calculated the ratio of packets sent to packets received, and then looked at the distribution of the data.

[Screenshot: distribution of the bytes-sent/received and packets-sent/received ratios]

Next we retrieved all the extreme outlying flows that had a smaller ratio, that is, flows that had significantly more bytes and packets received than sent.

[Screenshot: extreme outlying flows with a small sent/received ratio]

This left us with 724 flows and 264 unique source IP addresses that could be exhibiting Heartbleed scanning. We grabbed PCAP data for all the suspect IPs in the list and ran those PCAPs through Snort with the signatures found at Emerging Threats and FOX IT. Out of our sample PCAPs, 263 hit on the Snort signatures we used. The full list of IPs we found exhibiting the suspicious behavior is available here:

From an analysis perspective, we were able to narrow our scope from 3 million records to 724 by asking a few simple questions of the data. From those 724 flows (264 unique IPs) we were able to confirm that 263 IP addresses were trying to take advantage of a recently disclosed vulnerability (via Snort signature fires). All of this was done with a few simple shell scripts, PCAP and flow data.

While far from a silver bullet for detection, this kind of procedure can help point you in the right direction before you have updated the rest of your detection infrastructure.
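As an added example (not code from the post or from Click’s own tools), here is the flow-ranking step above in Python: it parses constructed Bro conn.log records, keeps flows coming in from external addresses (internal ranges are assumed to be 10.0.0.0/8 and 192.168.0.0/16), drops flows with a zero counter, computes the sent/received byte and packet ratios, and flags flows whose log-ratios are extreme low outliers. The median/MAD outlier score and the -3 cutoff are assumptions; the post does not say how its outliers were chosen.

```python
import ipaddress, math, statistics
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed org ranges
# Constructed conn.log excerpt (SSL flows only, subset of Bro's columns, made-up values); C9 got nothing back.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts
1397240000.1\tC1\t203.0.113.10\t51000\t10.1.1.5\t443\t500\t1000\t10\t10
1397240001.2\tC2\t203.0.113.11\t51001\t10.1.1.5\t443\t700\t1400\t12\t12
1397240002.3\tC3\t198.51.100.7\t51002\t10.1.1.6\t443\t900\t1800\t9\t9
1397240003.4\tC4\t198.51.100.8\t51003\t10.1.1.6\t443\t600\t2400\t8\t10
1397240004.5\tC5\t203.0.113.12\t51004\t10.1.1.7\t443\t600\t3000\t7\t10
1397240005.6\tC6\t203.0.113.13\t51005\t10.1.1.7\t443\t1200\t1200\t10\t8
1397240006.7\tC7\t192.0.2.50\t51006\t10.1.1.5\t443\t200\t65000\t3\t48
1397240007.8\tC8\t192.0.2.51\t51007\t10.1.1.6\t443\t233\t17871\t4\t16
1397240008.9\tC9\t192.0.2.52\t51008\t10.1.1.6\t443\t6\t0\t1\t0
"""
def parse_conn_log(text):
    """One dict per record, keyed by the names in Bro's #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def inbound_flows(records):
    """Flows from an external client to an internal server with all four counters non-zero."""
    out = []
    for r in records:
        src, dst = (ipaddress.ip_address(r[k]) for k in ("id.orig_h", "id.resp_h"))
        inbound = not any(src in n for n in INTERNAL) and any(dst in n for n in INTERNAL)
        counts = [r[k] for k in ("orig_bytes", "resp_bytes", "orig_pkts", "resp_pkts")]
        if not inbound or not all(c.isdigit() and int(c) > 0 for c in counts):
            continue  # outbound, or a '-' (unset) / zero counter: no ratio, like the post's 6/0 sessions
        ob, rb, op, rp = map(int, counts)
        out.append({"uid": r["uid"], "src": r["id.orig_h"], "byte_ratio": ob / rb, "pkt_ratio": op / rp})
    return out

def robust_z(values):
    """Median/MAD z-scores: mean/stdev would be dragged around by the very outliers we hunt."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return [0.6745 * (v - med) / mad for v in values] if mad else [0.0] * len(values)

def suspect_flows(text, z_cutoff=-3.0):
    """Flows whose log10 byte AND packet ratios are both extreme low outliers."""
    flows = inbound_flows(parse_conn_log(text))
    zb = robust_z([math.log10(f["byte_ratio"]) for f in flows])
    zp = robust_z([math.log10(f["pkt_ratio"]) for f in flows])
    return [f for f, b, p in zip(flows, zb, zp) if b < z_cutoff and p < z_cutoff]
```

On the constructed sample only C7 and C8 (the 233/17871 flow from the post’s screenshot and an even more lopsided one) are flagged; the source IPs of flagged flows are what you would then pull PCAP for and run through Snort.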

Data Science Weekend in Austin, Texas

We are keeping Mike Sconzo busy. He will be speaking at two security conferences in Austin the first weekend in April.

InfoSec Southwest, April 4th – 6th, 2014


Mike will be presenting “Is there a Pony in that Pile of Sh*t?”, discussing the importance of incorporating statistics, data analysis and graph algorithms into the incident response and forensics toolbox. Most datasets are opaque ‘piles’, and the challenge is often about quickly understanding what you have and how it can be leveraged for a particular set of use cases. He will present a simple set of Python modules that allow quick data analysis of log files and PE files with a set of statistical and machine learning techniques. The presentation will focus on the practical usage of the analytic techniques and not the formal mathematical underpinnings. All code and datasets covered in the presentation will be provided through Click’s GitHub ‘data_hacking’ repository.

Global Big Data Conference: Big Data BootCamp, April 4th – 6th, 2014


“Using Machines to Make Security Smarter”

The mark of a great security analyst is wanting to work smarter, not harder. We all struggle to find meaning in data, and as security analysts we struggle to figure out which of the thousands of alerts processed daily are the important ones. In this session, Mike will cover some of the tools and techniques Click has been employing to make our analysts more effective. The basis of some of our SQL injection detection and malware command and control alerting, as well as one of the techniques we use to identify interesting files, will be covered.

Click, Data Science & You at BSides Austin

Mike Sconzo & Brian Wylie of Click Security will be presenting “Windows Executable Analysis and Clustering & Pcap Exploration” at BSides Austin on Thursday, March 20th. There is still time to register! A good group of folks from Click will be there – come hang out!
