cyber security and attack analysis : how cisco uses graph analytics



TRANSCRIPT

Page 1: Cyber security and attack analysis : how Cisco uses graph analytics

SAS founded in 2013 in Paris | http://linkurio.us | @linkurious

Cyber security and attack analysis : how Cisco uses graph analytics.

Page 2: Cyber security and attack analysis : how Cisco uses graph analytics

Introduction.

Software Engineer

Engineer (La Belle Assiette)

CS at Epitech and Beijing University

CMO

>5 years in consulting

MSc Political sciences and Competitive

Intelligence

JeanVilledieu

SébastienHeymann

RomainYon

PierrickPaul

CEO

Gephi Founder

Phd in Computer Science and Complex

Systems

CTO

Engineer (Microsoft, Spotify)

Machine Learning at Georgia Tech

Linkurious is a French startup founded in 2013.

Page 3: Cyber security and attack analysis : how Cisco uses graph analytics

Father Of

Father Of

Siblings

What is a graph ?

This is a graph.

Page 4: Cyber security and attack analysis : how Cisco uses graph analytics

Father Of

Father Of

Siblings

This is a node

This is a relationship

What is a graph ? / Nodes & relationships

What is a graph : nodes and relationships.

A graph is a set of nodes linked by relationships.

Page 5: Cyber security and attack analysis : how Cisco uses graph analytics

Some of the domains in which our customers use graphs.

People, objects, movies, restaurants, music…

Suggest new contacts, help discover new music

Antennas, servers, phones, people…

Diminish network outages

Supplier, roads, warehouses, products…

Diminish transportation cost, optimize delivery

Supply chains Social networks Communications

Different domains where graphs are important.

Page 6: Cyber security and attack analysis : how Cisco uses graph analytics

Source : http://www.reuters.com/article/2014/06/09/us-cybersecurity-mcafee-csis-idUSKBN0EK0SV20140609

$445 billion

The cost of cyber criminality.

Cyber crime costs the global economy $445 billion per year.

Page 7: Cyber security and attack analysis : how Cisco uses graph analytics

Some of the latest victims.

No company is immune from cyber criminality.

Page 8: Cyber security and attack analysis : how Cisco uses graph analytics

A data problem.

IP logs, network logs, communications logs, web server logs, etc.

Page 9: Cyber security and attack analysis : how Cisco uses graph analytics

The IT systems generate new data constantly.

The data comes from different sources, is incomplete and keeps evolving. This makes it hard to fit into a fixed, structured data model.

For big organizations, storing years of raw data means a total volume in high TBs or low PBs.

The IT security data is complex.

The challenges of working with complex data.

Large Unstructured Dynamic

Page 10: Cyber security and attack analysis : how Cisco uses graph analytics

How to make sense of complex data.

Can IT security teams answer that challenge?

Page 11: Cyber security and attack analysis : how Cisco uses graph analytics

Graphs are perfect to extract insights from complex data.

Graphs help make sense of complex data.

Page 12: Cyber security and attack analysis : how Cisco uses graph analytics

How to use graph analytics to fight back against a cyber attack?

A concrete example.

Inspired by a real use case demonstrated by Cisco.

Page 13: Cyber security and attack analysis : how Cisco uses graph analytics

In April 2014, a zero-day vulnerability in IE is identified.

A zero-day vulnerability.

A newly discovered vulnerability in Internet Explorer allows an unauthenticated, remote attacker to execute arbitrary code.

Page 14: Cyber security and attack analysis : how Cisco uses graph analytics

The vulnerability is known in the security community. A group of hackers decide to use it before a patch fixes the vulnerability.

The identification information is captured by the hackers. They can use it to penetrate the company IT.

The hackers send mails to a few people in one company. They are asked to login into a seemingly innocuous website.

The vulnerability is known

A phishing attack uses it

A company is immediately targeted by a phishing attack.

The 3 steps of the attack.

Computers are compromised

Page 15: Cyber security and attack analysis : how Cisco uses graph analytics

A not so innocent mail.

The mail sent by the hackers.

Page 16: Cyber security and attack analysis : how Cisco uses graph analytics

The hackers used the domains inform.bedircati.com, profile.sweeneyphotos.com, web.neonbilisim.com and web.usamultimeters.com.

The domain names used in the attack.

The domain names used in the attack are identified.

Page 17: Cyber security and attack analysis : how Cisco uses graph analytics

Information about one domain.

Information about these domains (name servers, MX records, hosts, registrar) is publicly available.

Page 18: Cyber security and attack analysis : how Cisco uses graph analytics

Modelling information as a graph.

That data can be modeled as a graph.

Page 19: Cyber security and attack analysis : how Cisco uses graph analytics

The graph model reveals the connections in the data.

This helps streamline the identification of connections.

Domain A is connected to Domain C through a Name Server or a MX Record, Domain B and Host B.

Page 20: Cyber security and attack analysis : how Cisco uses graph analytics

Can we prevent more attacks?

How to use the information.

Page 21: Cyber security and attack analysis : how Cisco uses graph analytics

The traditional approach.

The 7 sins of looking for connections with tabular tools.

Page 22: Cyber security and attack analysis : how Cisco uses graph analytics

It helps humans interpret the data and make smart decisions.

Graph analytics?

Graph visualization?

It helps to analyse large datasets to find interesting data.

Combining graph analysis and graph visualization.

Combine automatic analysis and human interpretation.

Page 23: Cyber security and attack analysis : how Cisco uses graph analytics

A query to get all the domains connected to the attackers.

Step 1 : graph analysis.

MATCH (baddomain:Domain_name)-[r*2]-(suspiciousdomains:Domain_name)

WHERE baddomain.reputation = 'Very negative reputation'

RETURN DISTINCT suspiciousdomains

This query is written in Cypher, the Neo4j query language. It returns 25 results.
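To make the query's semantics concrete without a Neo4j instance, here is an added example (not code from the deck, from Linkurious or from Cisco) that reproduces the two-hop pattern in plain Python over a constructed graph. The four attacker domains are the ones named on the page; the name servers, MX host, IP address and extra domains are constructed sample data. It also adds the check a practitioner wants: skipping hub nodes such as a public registrar's name servers, which otherwise pull every domain behind them into the result.

```python
"""Two-hop neighbourhood query, mimicking:
    MATCH (baddomain:Domain_name)-[r*2]-(suspiciousdomains:Domain_name)
    WHERE baddomain.reputation = 'Very negative reputation'
    RETURN DISTINCT suspiciousdomains
Added example; infrastructure nodes below are constructed, not real data."""
from collections import defaultdict

# Constructed edge list: (domain, relationship type, infrastructure node).
# Direction is ignored, exactly as the undirected pattern -[r*2]- does.
EDGES = [
    ("inform.bedircati.com", "NAME_SERVER", "ns1.example-dns.test"),
    ("profile.sweeneyphotos.com", "NAME_SERVER", "ns1.example-dns.test"),
    ("web.neonbilisim.com", "MX_RECORD", "mail.example-mx.test"),
    ("web.usamultimeters.com", "HOST", "203.0.113.10"),     # documentation IP
    ("shop.example-suspect.test", "HOST", "203.0.113.10"),  # constructed
    ("news.example-suspect.test", "MX_RECORD", "mail.example-mx.test"),
    ("benign.example.test", "NAME_SERVER", "ns.public-registrar.test"),
    ("other.example.test", "NAME_SERVER", "ns.public-registrar.test"),
    ("inform.bedircati.com", "NAME_SERVER", "ns.public-registrar.test"),
]
# The domains with 'Very negative reputation' (the ones named on the page).
BAD = {"inform.bedircati.com", "profile.sweeneyphotos.com",
       "web.neonbilisim.com", "web.usamultimeters.com"}


def build_adjacency(edges):
    """Undirected adjacency: node -> {(neighbour, edge_id)}."""
    adj = defaultdict(set)
    for i, (a, _rel, b) in enumerate(edges):
        adj[a].add((b, i))
        adj[b].add((a, i))
    return adj


def two_hop_domains(edges, bad, max_hub_degree=None):
    """Domains reachable from a bad domain by exactly two distinct
    relationships (Cypher never reuses a relationship within one path),
    deduplicated like RETURN DISTINCT. With max_hub_degree set, intermediate
    nodes with more connections than that (shared hosting, a public
    registrar's name servers) are skipped to avoid mass false positives."""
    adj = build_adjacency(edges)
    domains = {a for a, _, _ in edges}  # nodes labelled Domain_name
    found = set()
    for start in bad:
        for mid, r1 in adj[start]:
            if max_hub_degree is not None and len(adj[mid]) > max_hub_degree:
                continue  # hub: connections through it are not evidence
            for end, r2 in adj[mid]:
                if r1 != r2 and end in domains:
                    found.add(end)
    return found


if __name__ == "__main__":
    print("previously unknown:", sorted(two_hop_domains(EDGES, BAD) - BAD))
    print("without hubs:", sorted(two_hop_domains(EDGES, BAD, 2) - BAD))
```

Subtracting BAD from the result gives the "previously unknown domains" the visualization step shows in pink; the hub filter drops the two domains that only share the public registrar with an attacker domain.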

Page 24: Cyber security and attack analysis : how Cisco uses graph analytics

Step 2 : graph visualization.

First, we identify the attackers.

The initial domain names identified as rogues.

A public registrar.

Good domains.

Page 25: Cyber security and attack analysis : how Cisco uses graph analytics

Then we identify the domains they are connected to.

Step 2 : graph visualization.

In pink are previously unknown domains connected to the known attackers.

Page 26: Cyber security and attack analysis : how Cisco uses graph analytics

Cyber security at Cisco.

Cisco uses graphs to prevent cyber attacks. Cisco maintains a list of the compromised domains and IP addresses. Through its data collection program, Cisco has good information on 25 to 30 million Internet domains. Graph analytics enables Cisco to use data collected via its customers to keep this list up to date. The information is then used to block known malicious domains and thwart cyber attacks.

Behind the scenes. Cisco's Global Security Intelligence Operations (SIO) group operates a 60-node, 1,000-core Hadoop cluster. Every day it receives about 20 TB of new raw log data.

To store and analyse the data, Cisco uses a few graph technologies like GraphLab (a machine learning solution specialized in graph data), Titan (an open-source graph database) and Faunus (an open-source graph analytics engine).

Page 27: Cyber security and attack analysis : how Cisco uses graph analytics

You can do it too!

Try Linkurious.

Page 28: Cyber security and attack analysis : how Cisco uses graph analytics

Contact us to discuss your projects at [email protected]

Conclusion

Page 29: Cyber security and attack analysis : how Cisco uses graph analytics

GraphGist : http://gist.neo4j.org/?40caddf1d7537bce962e

Blog post on attack analysis :

Sample dataset : https://www.dropbox.com/s/7vburpnl4yik8z1/Attack%20Analysis.zip

Original Cisco article : http://blogs.cisco.com/security/attack-analysis-with-a-fast-graph/

Additional resources.