[Fed-Talk] Don't get Snowden-ed
- Subject: [Fed-Talk] Don't get Snowden-ed
- From: Todd Heberlein <email@hidden>
- Date: Thu, 11 Jul 2013 13:20:22 -0700
On Jul 11, 2013, at 12:01 PM, Doug Kruth <email@hidden> wrote:
> I've had a few inquiries about how quiet the list has been. 1-Jul being the last dated post. I want to make sure that things are running as expected.
LOL! I've wanted to post some material for a while, but I haven't gotten enough R&D done (well, enough 'D' anyways). I'll go ahead and chime in now with a status update on the audit analysis work.
(My goal is to get people to start collecting useful audit data now because you can always use these tools to go back in time and analyze your archived audit data)
Regarding the Snowden issue, that is the exact problem I've been working on for years (today I fixed a bug from some code written during Mac OS 10.3 days!). Unfortunately, I've never gotten any government agencies to pony up some R&D money, so the work has been going *much* slower than I hoped.
To remind people, I do audit trail analysis (I started my career writing the original Air Force ASIM and DISA JIDS network monitors). Here are two video demos from 3 years ago on what you can do with audit trail data, both dealing with insiders exfiltrating data (the first one, while using Windows data, is shorter and better production value):
Windows 7 Audit Trails: Exfiltration of the Swift (6:30 min)
http://www.netsq.com/Podcasts/Data/2010/TheSwift/
A Few More Flags: Making NISPOM Auditing Useful (21:48 min)
http://www.netsq.com/Podcasts/Data/2010/Few_More_Flags/
Over the last 9 months or so I've been trying to "enterprise up" the audit analysis. About 6 months ago I released a beta of the Free Audit Aggregation System (FAAS) to collect all your Mac BSM logs on a single server. And since then I've been working on the back-end analysis of that audit data.
It has taken a lot of tweaks and tricks to process, profile, and insert all the relevant information into a database (SQLite no less!). That seems to largely be done now. In my test window I see I've just finished analyzing 345 audit trail files (Yay!)
Some of the things the back-end analysis does:
(1) Stitches together analysis of processes that cross multiple audit trail files. (This was a *huge, huge* limitation with Audit Explorer)
(2) Records each program that was executed, which process created that process, and which child processes it created.
(3) Records for each process all file reads, writes, deletes, and moves.
(4) Records for each process all network connections, connection accepts, and UDP sends & receives.
(2-4) are also profiled in multiple ways, and each action is compared against that profile and recorded in the database. The actions are often compared from multiple perspectives, and each perspective is tested against the specific host behavior and against site-wide behavior.
For example, the execution of a program is compared against:
(A) whether that program typically runs (on both that host and within your network as a whole)
(B) whether that program is typically being executed from the parent program in the same process space (e.g., an exec() call on the same process)
(C) whether that program is typically executed from the program in the parent process (fork-exec or posix_spawn())
These are all useful for looking at malicious code that was dropped on your system somehow and executed.
You can search for any file and look for how it was accessed (read, write, moved, deleted) and how typical that access was. For example, a Keynote document read by the Keynote program is common, but a Keynote document being read by the tar program (e.g., someone is bundling it up to move off host) is unusual.
You can specify any moment in time and find out what programs were executing on any host at that time.
You can specify a remote IP address and port and time and determine which host it came from (an issue if you have NAT running inside your network), what process and program was responsible for that network traffic, and what files that program read from or wrote to on your host.
If testing continues to go well, next week I'll start working on the front-end client code (initially Mac OS X, maybe later iOS) to access the analysis.
Wish me luck on my testing!!!
Todd
PS. I am plum out of money, so if any funding agencies out there want to fund any of this, please feel free to contact me (ASAP).
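The profiling idea in the post above (compare each exec against (A) whether the program normally runs, (B) whether it is normally exec()'d from that prior image in the same process, (C) whether it is normally launched by that parent program, and compare each file access by program, file type and action, both per host and site-wide) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from FAAS, Audit Explorer or the author. The events are constructed by hand to mimic fields one would extract from BSM exec and file-access records; the host names, programs and paths are invented, and the threshold `min_seen` and the two-scope scoring are this example's own design choices.

```python
"""Profile-based scoring of audit actions per host and site-wide (added example)."""
from collections import Counter, defaultdict
import os


# Constructed sample records (not real BSM output): one dict per audited action.
def exec_event(host, program, parent_program, prior_image):
    return {"host": host, "kind": "exec", "program": program,
            "parent_program": parent_program, "prior_image": prior_image}


def file_event(host, program, path, action):
    return {"host": host, "kind": "file", "program": program,
            "path": path, "action": action}


# Baseline: normal activity observed on two hypothetical hosts.
BASELINE = []
for _host in ("mac-01", "mac-02"):
    for _ in range(3):
        BASELINE.append(exec_event(_host, "Keynote", "launchd", "launchd"))
        BASELINE.append(exec_event(_host, "bash", "Terminal", "Terminal"))
        BASELINE.append(exec_event(_host, "ls", "bash", "bash"))
        BASELINE.append(file_event(_host, "Keynote", "/Users/a/q3.key", "read"))
        BASELINE.append(file_event(_host, "Keynote", "/Users/a/q3.key", "write"))

# New activity to assess against the baseline profiles.
NEW_EVENTS = [
    file_event("mac-01", "tar", "/Users/a/q3.key", "read"),      # .key read by tar
    exec_event("mac-01", "curl", "bash", "bash"),                 # program never seen
    file_event("mac-01", "Keynote", "/Users/a/q4.key", "read"),   # ordinary
    exec_event("mac-03", "ls", "bash", "bash"),                   # new host, common site-wide
]


def features(event):
    """Perspectives an action is profiled from: (A) program runs, (B) exec()
    from prior image in the same process, (C) program run by parent process;
    file accesses are keyed by (program, extension, action)."""
    if event["kind"] == "exec":
        return [("runs", event["program"]),
                ("exec_from", event["prior_image"], event["program"]),
                ("parent", event["parent_program"], event["program"])]
    ext = os.path.splitext(event["path"])[1] or "<none>"
    return [("file", event["program"], ext, event["action"])]


def build_profiles(events):
    """Count every feature twice: under the site-wide scope and under the host scope."""
    profiles = defaultdict(Counter)
    for event in events:
        for scope in (("site",), ("host", event["host"])):
            for feat in features(event):
                profiles[scope][feat] += 1
    return profiles


def assess(event, profiles, min_seen=2):
    """Return per-feature (host_count, site_count) and the reasons it looks unusual."""
    host_scope = ("host", event["host"])
    counts = {feat: (profiles[host_scope][feat], profiles[("site",)][feat])
              for feat in features(event)}
    reasons = []
    for feat, (on_host, site_wide) in counts.items():
        if site_wide < min_seen:
            reasons.append((feat, "rarely or never seen site-wide"))
        elif on_host < min_seen:
            reasons.append((feat, "rare on this host but common site-wide"))
    return {"counts": counts, "reasons": reasons, "unusual": bool(reasons)}


def unusual_events(events, profiles, min_seen=2):
    """Filter a batch of events down to those that deviate from the profiles."""
    return [e for e in events if assess(e, profiles, min_seen)["unusual"]]


if __name__ == "__main__":
    prof = build_profiles(BASELINE)
    for ev in NEW_EVENTS:
        verdict = assess(ev, prof)
        print(ev["host"], ev["kind"], ev["program"], "->",
              "UNUSUAL" if verdict["unusual"] else "typical", verdict["reasons"])
```

Splitting the score into a site-wide and a per-host scope is what lets the last sample record (ls run from bash on a host the profiles have never seen) be reported differently from a program nobody on the network has ever run: the former is a new host doing something common, the latter is genuinely novel behaviour. In practice the baseline would be built from the archived audit trails and the threshold tuned per site.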
Fed-talk mailing list (email@hidden)