silkweb – analyze silk data through api and javascript frameworks · 2017-05-19 · javascript...
TRANSCRIPT
© 2016 Carnegie Mellon University
SilkWeb – Analyze silk data through API and Javascript frameworks
Silkweb – Flocon Jan 2017
2© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Copyright and license
3© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Presentation agendaØ Introduction and BackgroundØ SilkWeb in a nutshellØ SilkWeb componentsØ Silkweb in a world of frameworksØ Silk CLI capabilities in SilkWebØ Use cases from NOC and SOCØ Demo on live dataØ Limitations and way forward
4© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Introduction and BackgroundØ Authors : Vijay Sarvepalli & Dwight BeaverØ Sponsors : DOD, DISAØ Collaborators : MPW (ISP)Ø Recognition of roles and support
1 TTL – Time To Learn.
Architecture== can go either way
Automation== needs API
Visualization== lower TTL
5© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
SilkWeb in a nutshellØ SilkWeb is a web application software.ØSilkWeb is designed to simplify access to a SiLKdata repository through network data access (JSON/XML over webservices)
ØSilkWeb is built with the modern design patterns (AJAX, View-Controller)
Ø SilkWeb is NOT a standalone web-UI for Silk, it is designed to work with multiple modern software frameworks (SIEM/Dashboards etc.)
1 SiLK - the System for Internet-Level Knowledge built by SEI CERT division.
6© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Web server
Components of SilkWeb (3-tier)
Silkapi
Proxy/Cache Proxy/Cache
API clients
Web server
Silkapi
SiLK data
BrowserInterpretedDynamicUntypedHigh-levelContent-oriented
CachingAuthenticationReuseScale
Class-orientedConfig-basedLambda-calculusCommon-GatewayApp engine model
Scalable dataFile-basedBinary-optimizedCompressed
XML-over-HTTPJSON-over-HTTP
XMLJSONCSV
Binary
Presentation
Caching
Processing
Data
7© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
SilkWeb in a world of frameworks
Data-DrivenDocuments
8© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
SilkWeb in DISA lab at SEI
Ø Modes of integrating SilkWeb to DashboardØ iFrame, IWC widget, component widget, JSON API, XML API
ØConsideration browser XSS and authentication
9© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Silk CLI capabilities built into SilkWebØ Rwfilter simple searches
Ø Rwstats group by searches
Ø
Ø Rwstats with time-bin
10© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Use cases and live demo Ø DDOS workflow (MPW use case)Ø Build entity graphs of compromised home routersØ Dyn DDOS analysisØ Building qualifiers to move to “Analysis Pipeline”Ø Find unauthorized port/protocolsØ Call JSON/XML data from APIØ Call JSON data from CLI
11© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
DDOS workflow
12© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Compromised home routers – entity graph
13© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Dyn DDOS analysis
Ø The day that your tweets died
14© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Screenshots basic search
15© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Screenshot pivoting from D3 graph
16© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Demo of Stats and summary by time
17© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
JSON/XML API for other widgets to consume
18© This material has been approved for public release and unlimited distribution.Please see Copyright notice for non-US Government use and distribution.
Limitations and Way forwardØ JSON/XML is noisy throttle and use wiselyØ Test with command line and understand limitationsØ Be careful with calculus
Ø In-memory IPSets are used in lambda functions
Ø Move to your graphics platform once you understand D-3
Ø Use asynchronous to keep user engaged not to fool the analysis.
Ø Try it!