<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

<title>CSIRT Foundry</title>
<link href="http://www.csirtfoundry.com/atom.xml" rel="self"/>
<link href="http://csirtfoundry.com/"/>
<updated>2015-06-16T06:41:13+00:00</updated>
<id>http://www.csirtfoundry.com/</id>
<author>
    <name>Chris Horsley</name>
    <email>contact@csirtfoundry.com</email>
</author>


<entry>
    <title>Announcing the CSIRT Tools subreddit</title>
    <link href="http://csirtfoundry.com/blog/tools/csirt-tools-subreddit"/>
    <updated>2015-05-19T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/tools/csirt-tools-subreddit</id>
    <content type="html">&lt;p&gt;Things have been quiet on the blogging front, but there’s plenty
going on behind the scenes that awaits a future announcement.&lt;/p&gt;

&lt;p&gt;In the meantime though, I’m posting regularly to a new subreddit dedicated to
software and analysis techniques for IR teams called
&lt;a href=&quot;https://www.reddit.com/r/csirt_tools/&quot;&gt;CSIRT Tools&lt;/a&gt;. As well as
being a repository of links to tools and articles, discussion about platforms,
systems, utilities, analysis techniques is more than welcome.&lt;/p&gt;

&lt;p&gt;So, feel free to browse around, bookmark useful articles, add your own
(self-promotion of pet projects perfectly okay), and contribute as you like.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.reddit.com/r/csirt_tools/&quot;&gt;CSIRT Tools subreddit&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Chris (&lt;a href=&quot;https://twitter.com/Parsify&quot;&gt;@Parsify&lt;/a&gt;)&lt;/p&gt;
</content>
</entry>

<entry>
    <title>The case against map visualisations</title>
    <link href="http://csirtfoundry.com/blog/tools/map-ip-visualisations"/>
    <updated>2012-01-31T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/tools/map-ip-visualisations</id>
    <content type="html">&lt;p&gt;One of the most abused forms of data visualisation in information security today is the world map. In this post, I’ll explain how making maps our “go to” visualisation limits the insights we can show.&lt;/p&gt;

&lt;h2 id=&quot;but-its-a-natural-fit&quot;&gt;But it’s a natural fit…&lt;/h2&gt;

&lt;p&gt;Certainly, maps seem like a natural choice for network data. You have a log file containing thousands of IP addresses. You’d like to understand what’s in there better. You geo-locate the IP addresses into country codes then plot it using Google Maps. The data is now visual - visualisation complete!&lt;/p&gt;

&lt;p&gt;Or perhaps not.&lt;/p&gt;

&lt;p&gt;Visualising your data to increase understanding is a great idea, but I’m going to convince you that a map is often not the best way. I’m going to assume that you want to build a visualisation to gain operational insight, not something that’s flashy but ultimately meaningless (aka “management porn”).&lt;/p&gt;

&lt;h2 id=&quot;why-not-maps&quot;&gt;Why not maps?&lt;/h2&gt;

&lt;p&gt;In the non-Internet, meatspace world, distance matters. The time it takes to travel between two points depends on distance and geography. Outbreaks of disease depend on geography. Which languages are spoken somewhere depend on geography (among other things). The spread of fires, cyclones, and floods all depend on geography too. A map is the perfect choice for any of these, because the primary relationship a map displays is distance and geography.&lt;/p&gt;

&lt;p&gt;On the Internet, however, distance is not a factor we’re usually interested in. Every endpoint is only a few routing hops away from every other point. For the purposes of time and reachability, nodes may as well be right next door. Every point is next to every other point. Physical distance means almost nothing.&lt;/p&gt;

&lt;p&gt;Once a PC is infected with a new worm, what factors impact its spread? Operating system. Patch level. The presence of network filtering. In many cases, it’s not geographical location. Even if it is related to geography, I’ll show you why we have better options.&lt;/p&gt;

&lt;h2 id=&quot;but-everyone-knows-what-a-map-is&quot;&gt;But everyone knows what a map is!&lt;/h2&gt;

&lt;p&gt;Everyone is familiar with maps, but that doesn’t always make them the most effective choice. The goal of a visualisation is to tell a story, or explain a point. How does a map tell your story?&lt;/p&gt;

&lt;p&gt;Before you think about that, think about this. Using a map, we burden ourselves with all sorts of unnecessary constraints.&lt;/p&gt;

&lt;h2 id=&quot;map-constraints&quot;&gt;Map constraints&lt;/h2&gt;

&lt;h3 id=&quot;comparisons-are-difficult-to-make-on-a-map&quot;&gt;1. Comparisons are difficult to make on a map&lt;/h3&gt;

&lt;p&gt;Let’s say that you have a worldwide malware infection. You put the data on a map, and it looks like this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2012-01-31_map_ip_visualisations/highlight_map.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Some questions:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;How many countries have infected computers?&lt;/li&gt;
  &lt;li&gt;Which country has the most infections?&lt;/li&gt;
  &lt;li&gt;What are the top three infected countries?&lt;/li&gt;
  &lt;li&gt;How many more infections does China have than Brazil?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Pencils down. Okay, let’s try this another way. Plotting the same data again on a stacked line chart looks like this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2012-01-31_map_ip_visualisations/bar_chart.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;How did your observations compare? On a regular graph, these relationships are far more obvious.&lt;/p&gt;

&lt;p&gt;Even though Australia has far fewer infections than Luxembourg, Australia captures much more attention on the map because of its large land mass. Here, we’re giving countries with large land masses a disproportionate weighting, when land mass generally has little to do with computer security incidents.&lt;/p&gt;

&lt;h3 id=&quot;wasted-space&quot;&gt;2. Wasted space&lt;/h3&gt;

&lt;p&gt;If:&lt;br /&gt;
  a) 78% of the earth’s surface is water; and&lt;br /&gt;
  b) a very small percentage of computer security incidents occur in the ocean; then&lt;br /&gt;
  c) we have wasted a large proportion of our visualisation on areas we can’t put data on, other than labels and legends.&lt;/p&gt;

&lt;p&gt;When we make a visualisation, a major challenge is fitting everything we want to show in the screen real estate available. Screen real estate is one of the most precious resources we have. Working within the rigidity of a map makes our job that much harder.&lt;/p&gt;

&lt;h3 id=&quot;one-relation-is-already-constrained&quot;&gt;3. One relation is already constrained&lt;/h3&gt;

&lt;p&gt;Visualisations compare different factors looking for trends and relationships. For example, a simple line graph might show time versus infections.&lt;/p&gt;

&lt;p&gt;If we use a map, one of those factors, geography, has already been chosen for us. We then have to shoe-horn our data into a map, doing all sorts of workarounds like animations or clicking on data points to display the relationship that’s &lt;em&gt;really&lt;/em&gt; important.&lt;/p&gt;

&lt;h2 id=&quot;but-my-data-is-related-to-country&quot;&gt;But my data IS related to country!&lt;/h2&gt;

&lt;p&gt;Perhaps the country of origin IS important. For example, you want to demonstrate that a politically-motivated DDoS is originating from a single country.&lt;/p&gt;

&lt;p&gt;However, the same problems exist. What if the attacks are coming from a tiny country to a larger country? What if there are multiple attacking countries? How do I work out who is contributing the most traffic to the attack?&lt;/p&gt;

&lt;p&gt;If the story you want to tell is “Attacks are primarily coming from countries X, Y and Z”, you have lots of simple options. You could use a directed graph, a bar chart, or a treemap for a start. These options will also give you a lot more freedom to incorporate other data. For example, a stacked bar chart will let you break each country’s data into operating system.&lt;/p&gt;

&lt;h2 id=&quot;no-really-geography-is-important-to-my-analysis&quot;&gt;No, really, geography &lt;em&gt;is&lt;/em&gt; important to my analysis!&lt;/h2&gt;

&lt;p&gt;Some information security problems really do depend on geography, and these are appropriate to put on a map. For example, a backbone cable cut affects a geographic region. Knowing where the cable cut occurred (e.g. in the Persian Gulf) might give clues to the cause, and to which places were affected.&lt;/p&gt;

&lt;p&gt;A rarer case might be something like the spread of a worm via Bluetooth. In this case, a short range technology is used for propagation, so physical distance is an issue. We can track the spread of the Bluetooth worm much like a biological virus. A map helps us predict where it will spread next.&lt;/p&gt;

&lt;h2 id=&quot;lobby-displays&quot;&gt;Lobby displays&lt;/h2&gt;

&lt;p&gt;One area where map-based visualisations dominate is in flashy “defcon” style maps. A flat screen showing a spinning globe with glowing packets racing from one city to another is undeniably attractive - just don’t expect to learn anything. If your goal is to impress VIPs or make a nice backdrop for a television interview, maybe you in fact want to invest in a flashy map display.&lt;/p&gt;

&lt;h2 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h2&gt;

&lt;p&gt;Maps are highly overused in information security visualisations. Most of the relationships we want to show in network-related data aren’t geographical.&lt;/p&gt;

&lt;p&gt;Far better options like the humble bar graph exist that provide more operational insight and demonstrate the point you’d like to make better. Save your maps for that LCD kiosk in your lobby, or problems that are actually affected by geography.&lt;/p&gt;

&lt;p&gt;Chris (&lt;a href=&quot;http://twitter.com/Parsify&quot;&gt;@Parsify&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;&lt;em&gt;CSIRT Foundry specialises in custom data visualisations for information security and network data. &lt;a href=&quot;/contact/&quot;&gt;Contact us&lt;/a&gt; to find out more&lt;/em&gt;.&lt;/p&gt;
</content>
</entry>

<entry>
    <title>IR vs development - a battle for attention</title>
    <link href="http://csirtfoundry.com/blog/tools/ir-vs-dev"/>
    <updated>2011-10-20T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/tools/ir-vs-dev</id>
    <content type="html">&lt;p&gt;Security teams have lots of itches they need to scratch with software tools, often developed in-house. A project might be a small data-parsing script, or it might be a full-blown database-driven web application. However, there are some big problems with developing software in a highly operations-focused group, and they have to do with the nature of each type of work.&lt;/p&gt;

&lt;h2 id=&quot;the-problem&quot;&gt;The problem&lt;/h2&gt;

&lt;p&gt;Fundamentally, IR and development are two very different mindsets. At its core, incident response is about waiting for things to happen, then reacting. Project work, such as software development, is a creative process needing intense amounts of concentration. You make things, rather than react to them. So, how do they get along?&lt;/p&gt;

&lt;p&gt;If you’ve ever worked in an operations team, you might have seen this first hand. Programming is about keeping a complex state internally: the order in which nested functions call others; what all your variables are storing; how data flows through the system. A phone call, an email alert, or chirping SMS flushes the inner state the developer has been constructing in their head, and drags them back into the physical world. &lt;/p&gt;

&lt;p&gt;It’s a disconcerting experience. Once the part-time developer / part-time incident responder gets back to their development work, it will take a good amount of time to get back in the groove again. Interrupt them enough, and they’ll soon become averse to even getting into a deep state of concentration, for fear they’re going to be shaken out of it. Procrastination sets in. This is not just the case for incident interruptions: multiple unscheduled meetings or drop-ins to their desk can have the same effect.&lt;/p&gt;

&lt;h2 id=&quot;the-impact&quot;&gt;The impact&lt;/h2&gt;

&lt;p&gt;As well as a heightened state of anxiety for your part-time developers, wondering when they’ll be able to get some unbroken development time, there are impacts on the software itself, too. Because constant interruptions make time schedules impossible to predict, scopes go undefined or unmet. Alternatively, the software may never reach release quality at all. Software development in such an environment tends to take a more ad-hoc approach, with developers sneaking in what they can in between case handling. Documentation is a luxury, and testing is something that happens after deployment.&lt;/p&gt;

&lt;h2 id=&quot;so-what-should-we-do&quot;&gt;So, what should we do?&lt;/h2&gt;

&lt;p&gt;One strategy might be to divide your staff up into groups based on role. Those working on project roles are out of earshot of phones and conversations, and can get into the state of flow they need to build things. If you need to continually rotate your developers back into the operational pool, try to guarantee how long they have to do project work - a day, a week, or a month. As they say, work fills to meet the amount of time you have, so even short, but dedicated, timeframes can produce a high amount of productivity.&lt;/p&gt;

&lt;p&gt;As an additional bonus, your responders can communicate and interrupt each other freely, knowing that they’re not going to irritate anyone trying to concentrate.&lt;/p&gt;

&lt;p&gt;Alternatively, you might consider bringing on a dedicated, external developer to help make your operations run smoother with better software. Not without a small amount of bias: if this is the option for you, we’d love to &lt;a href=&quot;/contact/&quot;&gt;talk to you&lt;/a&gt; about how we can help.&lt;/p&gt;

&lt;p&gt;Until next time,&lt;/p&gt;

&lt;p&gt;Chris&lt;/p&gt;
</content>
</entry>

<entry>
    <title>Netgrep - filter files by country code and ASN</title>
    <link href="http://csirtfoundry.com/blog/tools/netgrep"/>
    <updated>2011-08-17T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/tools/netgrep</id>
    <content type="html">&lt;p&gt;Here’s a common problem in the life of an incident handler, particularly one responsible for an AS or country code.&lt;/p&gt;

&lt;p&gt;You get a big text file full of infected bot IPs, domain names, URLs, or IRC channels. You’re only concerned with network objects in your country code (e.g. .au) or on your Autonomous System (AS). &lt;/p&gt;

&lt;p&gt;Let’s say you only wanted to see lines of your log with network objects relating to Australia. You &lt;em&gt;could&lt;/em&gt; grep the file for anything containing “.au”. This would catch anything with .au in the domain name, including www.austria.gv.at if you weren’t careful. However, what about IP addresses in Australia? What about domain names ending in .com and hosted in Australia? What about only those domains hosted on your network?&lt;/p&gt;

&lt;p&gt;It turns out that looking through a text file for network resources belonging to a particular country code or AS is a little more involved than you might have hoped. With that in mind, CSIRT Foundry would like to present Netgrep: grep for country codes and ASNs. It works like this: &lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# original file

$ cat addr.txt
abc.net.au,Australian
bbc.co.uk,British
203.2.218.214,Australian
google.com.au,Aus TLD resolving to United States IP address

# show lines related to Australia

$ netgrep AU addr.txt 
abc.net.au,Australian
203.2.218.214,Australian
google.com.au,Aus TLD resolving to United States IP address

# show lines related to the United States

$ netgrep US addr.txt
google.com.au,Aus TLD resolving to United States IP address

# show lines related to AS2818, owned by BBC

$ netgrep AS2818 addr.txt
bbc.co.uk,British

# compound filter: match both Aus IPs / domains and AS2818

$ netgrep AU,AS2818 addr.txt
abc.net.au,Australian
bbc.co.uk,British
203.2.218.214,Australian
google.com.au,Aus TLD resolving to United States IP address
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can also pipe input:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# see if 200.200.200.200 is in Brazil

$ echo &quot;200.200.200.200&quot; | netgrep BR
200.200.200.200
# yes, it is

# handles most things containing a hostname or domain

$ cat log.txt | netgrep US
http://slashdot.org
whitehouse.gov
example@hotmail.com
irc://Tampa.FL.US.Undernet.org
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;In general, you can throw any format of text file you like at it, and netgrep will make a best effort to find any IP addresses and domain names.&lt;/p&gt;

&lt;p&gt;Netgrep is available as a Python &lt;a href=&quot;http://pypi.python.org/pypi/netgrep/&quot;&gt;package on PyPI&lt;/a&gt; for installation and on &lt;a href=&quot;https://github.com/csirtfoundry/netgrep&quot;&gt;GitHub if you’d like to check out the code&lt;/a&gt;. Installation instructions are contained in the readme. Comments, feedback and requests welcome!&lt;/p&gt;
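&lt;p&gt;As an added illustration (this is not the netgrep source, and it runs against constructed lookup tables rather than real geo-IP, ASN or DNS data), the following Python sketches the matching rules the examples above rely on: pull IP addresses and hostnames out of each line, tag each object with the country of its ccTLD, the country of the address it resolves to and that address’s ASN, then keep the line if any tag matches the comma-separated selector. It also shows why the naive grep for “.au” goes wrong. Apart from 203.2.218.214 and AS2818, every prefix, ASN and DNS answer below is a made-up documentation-range value.&lt;/p&gt;

```python
"""Filter text lines by the country code or ASN of the network objects they
mention, in the style of netgrep. Added example, not the netgrep source."""
import ipaddress
import re

# Constructed lookup tables standing in for the geo-IP, ASN and DNS sources the
# real tool consults. Apart from 203.2.218.214 and AS2818 (both from the post),
# every prefix, ASN and DNS answer is a made-up documentation-range value.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.2.218.0/24"), "AU", "AS64496"),
    (ipaddress.ip_network("192.0.2.0/24"), "GB", "AS2818"),
    (ipaddress.ip_network("198.51.100.0/25"), "BR", "AS64497"),
    (ipaddress.ip_network("198.51.100.128/25"), "AT", "AS64498"),
    (ipaddress.ip_network("203.0.113.0/24"), "US", "AS64499"),
]
DNS_TABLE = {  # hostname to constructed A record
    "abc.net.au": "203.2.218.214",
    "bbc.co.uk": "192.0.2.10",
    "google.com.au": "203.0.113.5",
    "www.austria.gv.at": "198.51.100.200",
    "slashdot.org": "203.0.113.20",
    "whitehouse.gov": "203.0.113.40",
    "hotmail.com": "203.0.113.30",
    "tampa.fl.us.undernet.org": "203.0.113.50",
}

# Dotted quads, and dotted hostnames whose last label is alphabetic. Word
# boundaries let these fire inside URLs, e-mail addresses and irc:// strings.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def lookup_ip(ip_text):
    """Return (country, asn) for an IPv4 address, or (None, None) if unknown."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None, None
    for net, country, asn in PREFIX_TABLE:
        if addr in net:
            return country, asn
    return None, None


def tags_for_host(host):
    """A hostname relates to a country through its ccTLD (two-letter TLD) and
    through the country and ASN of the address it resolves to."""
    tags = set()
    tld = host.rsplit(".", 1)[-1].upper()
    if len(tld) == 2:
        tags.add(tld)
    resolved = DNS_TABLE.get(host.lower())
    if resolved is not None:
        tags.update(t for t in lookup_ip(resolved) if t)
    return tags


def tags_for_line(line):
    """Every country code and ASN that any network object on the line relates to."""
    tags = set()
    for ip_text in IPV4_RE.findall(line):
        tags.update(t for t in lookup_ip(ip_text) if t)
    # Blank out the IPs first so a dotted quad is never re-read as a hostname.
    for host in HOST_RE.findall(IPV4_RE.sub(" ", line)):
        tags.update(tags_for_host(host))
    return tags


def netgrep(selector, lines):
    """selector is a comma-separated mix of country codes and ASNs, e.g.
    "AU,AS2818"; a line is kept when any of its objects carries any wanted tag."""
    wanted = {s.strip().upper() for s in selector.split(",") if s.strip()}
    return [ln for ln in lines if not wanted.isdisjoint(tags_for_line(ln))]


def naive_grep_au(lines):
    """The substring grep the post warns about, for comparison."""
    return [ln for ln in lines if ".au" in ln]


# Constructed input: the post's addr.txt plus the www.austria.gv.at trap.
ADDR_TXT = [
    "abc.net.au,Australian",
    "bbc.co.uk,British",
    "203.2.218.214,Australian",
    "google.com.au,Aus TLD resolving to United States IP address",
    "www.austria.gv.at,Austrian, but a naive grep for .au catches it",
]

if __name__ == "__main__":
    for selector in ("AU", "US", "AS2818", "AU,AS2818"):
        print("$ netgrep", selector, "addr.txt")
        for line in netgrep(selector, ADDR_TXT):
            print(line)
    print("$ grep .au addr.txt")
    for line in naive_grep_au(ADDR_TXT):
        print(line)
```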
</content>
</entry>

<entry>
    <title>The Great Visualization Technology Bake-Off</title>
    <link href="http://csirtfoundry.com/blog/visualization/vis-which-tech"/>
    <updated>2011-07-13T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/visualization/vis-which-tech</id>
    <content type="html">&lt;p&gt;So, &lt;a href=&quot;/blog/vis-what&quot;&gt;we’ve looked at what a good visualization should do&lt;/a&gt;. Next: the how. What type of visualization technologies should we use?&lt;/p&gt;

&lt;p&gt;In this article, we’re going to look at a variety of visualization technologies, then make an evaluation about which ones work best in our toolbelt.&lt;/p&gt;

&lt;p&gt;Before we get there, let’s talk about what type of visualization we want. We want it to be deep and operational: not style without substance (a.k.a. management porn) or a lightly educational infographic that would appear in USA Today. This won’t be a one-off - we want something we are going to look at every day and gain new operational insight from.&lt;/p&gt;

&lt;p&gt;Like any technology decision, let’s start with some requirements for our chosen visualization technology:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Automation&lt;/strong&gt;: we should be able to generate and update our visualization automatically. This might be periodic via cron, or via a realtime feed of data. The rule is: if any manual effort is needed to maintain the visualization, it’s doomed.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Repeatability&lt;/strong&gt;: we should be able to take new data, run it through the same algorithm, and get a new visualization with no human involvement. Laziness is a perversely good motivator.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Accessibility&lt;/strong&gt;: our visualization should ideally be accessible to anyone without the need for special plugins. Especially when we’re dealing with secure environments or big corporates, our viewers often don’t have the ability to install any new software.&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Interactive&lt;/strong&gt;: this can be as simple as allowing clicks to dig further into information. This is essential for deep understanding of the data presented. For example: what’s the IP address represented by that big, red point?&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Animation capable&lt;/strong&gt;: certain types of visualizations can benefit greatly from appropriate animations. As well as showing an effect over time, it’s a great way to show the effect of filters while allowing the viewer to see the transition take effect. For a great example of this in action, how would the relationship between size and count feel different in this &lt;a href=&quot;http://mbostock.github.com/d3/ex/treemap.html&quot;&gt;D3 treemap&lt;/a&gt; if we had to reload the whole page to switch?&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Ease of use&lt;/strong&gt;: how much work do we need to put in to get a visualization out?&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Though it’s not a requirement for everyone, I’m only going to consider tools that are free or low cost.&lt;/p&gt;

&lt;p&gt;When it comes to the “how” of visualization, we’ve got multitudes of tools available to us. Here’s a shortlist of contenders:&lt;/p&gt;

&lt;h2 id=&quot;static-images-from-command-line-tools&quot;&gt;Static images from command line tools&lt;/h2&gt;

&lt;p&gt;There are legions of tools available to generate static graphic files from data. Let’s also consider them together with graphical libraries like GD that you can access via programming languages.&lt;/p&gt;

&lt;p&gt;One very popular tool in this class is Graphviz, which outputs static images along with more dynamic formats such as SVG. Below is the output from another tool called Circos, an interesting way of displaying 2D tables (as well as bioinformatics, if you’re into that):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/circos.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Roundup:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Automation: brilliantly cron-able.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Repeatability: after massaging our data to the correct format, we can run it many times.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Accessibility: top marks, given that we can view static image files on just about any device you’d want to name. They’re also easy to email and post up to the web.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_off.png&quot; class=&quot;inl_icon&quot; /&gt; Interactivity: being static, very little. We can add the static image to a web page and add links and imagemaps to give it some interactivity, but this is starting to become a web visualization at this point.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Animation: some static graphic formats give us simple animations, but they&#39;re fairly limited.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Ease of use: while some tools just require piping in a packet capture or CSV file, some have arcane config files that must be precisely set before getting a result. Circos, I&#39;m looking at you.
&lt;/p&gt;

&lt;h2 id=&quot;desktop-tools&quot;&gt;Desktop tools&lt;/h2&gt;

&lt;p&gt;Desktop tools can let us put together some sophisticated visualisations, make hand-crafted changes, and assist with data import. There are many tools like this, one of which is Gephi:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/genphi.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Roundup:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Automation: some desktop tools output visualizations which can be plugged into live data feeds, but these tend to be limited to what&#39;s supported out of the box.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Repeatability: yes, many have algorithmic means of turning a data feed into a visualization.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Accessibility: depends on the output format. A format like PNG is very accessible, but a proprietary format may need a special viewer - a common example would be Excel spreadsheets. Likewise, not every desktop tool runs on every operating system.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Interactivity: once again, very dependent on the output format, but you can create some highly functional visualizations.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Animation: some GUI tools are strong here.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Ease of use: while varying from product to product, on the whole, GUIs, inline help and data import wizards can get us up and running fast.
&lt;/p&gt;

&lt;h2 id=&quot;proprietary-development-environments&quot;&gt;Proprietary development environments&lt;/h2&gt;

&lt;p&gt;This includes any type of closed plugin enabling visualisation. For the sake of argument, let’s look at one of the biggest, Flash:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/flash.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Roundup:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Automation: Flash can read in live streams of data, so can be automated quite well.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Repeatability: Flash is code-driven, so highly repeatable.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Accessibility: this is where Flash falls down. Although it is installed on a majority of desktops, Apple&#39;s determined refusal to include Flash in iOS means that choosing Flash cuts out a large percentage of the potential viewing population for your visualization.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Interactivity: Flash does a very good job here.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Animation: one of the reasons Flash made its mark was its excellent animation capabilities.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_half.png&quot; class=&quot;inl_icon&quot; /&gt; Ease of use: Flash can require some programming know-how, but it&#39;s backed up by some very nice development suites, too.
&lt;/p&gt;

&lt;h2 id=&quot;html--javascript&quot;&gt;HTML + JavaScript&lt;/h2&gt;

&lt;p&gt;The web used to be text and tables, but now it’s so, so much more. Open development using Canvas and SVG for graphics as well as the DOM itself offer extremely rich functionality. One popular visualization library written in JavaScript is Protovis. It’s highly flexible and capable, as you can see in this example:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/protovis.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Roundup:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Automation: we can output HTML or data files via cron, or stream them into a web browser using JavaScript and JSON. With such a flexible format, which is essentially text, there&#39;s really not many limits to what we can automate.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Repeatability: JavaScript visualization libraries handle layout algorithmically, so good marks for this, too.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Accessibility: I&#39;d like to give a 90% star to this. Any modern browser on desktops or mobile devices can load a very sophisticated visualisation. Downside: the definition of &quot;modern&quot; varies - some organisations are still stuck with Internet Explorer 6. For the most part though, accessibility is excellent and universal, and distribution is as simple as sending a URL.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Interactivity: web technologies offer everything from basic hyperlinks all the way to sophisticated event handling and gestures on mobile devices.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_on.png&quot; class=&quot;inl_icon&quot; /&gt; Animation: using the right libraries, we can put together some amazing animations with HTML and JavaScript. Libraries like D3 are doing a great job here.&lt;br /&gt;
&lt;img src=&quot;/img/blog/2011-07-13-vis-which-tech/star_off.png&quot; class=&quot;inl_icon&quot; /&gt; Ease of use: to get started with web based visualizations, you&#39;re going to need to get your hands dirty cutting some code. However, there are some fantastic visualization libraries to help you out.
&lt;/p&gt;

&lt;h2 id=&quot;judgement&quot;&gt;Judgement&lt;/h2&gt;

&lt;p&gt;The technology you pick is dependent on the specific problem you want to solve and your current skill set. However, you’d need a good reason not to pick &lt;strong&gt;HTML + JavaScript&lt;/strong&gt; for your next visualization.&lt;/p&gt;

&lt;p&gt;So, why go HTML and JavaScript? If you’re a technical person looking for a technical visualization, web technologies will give you the most latitude to do some extraordinary, open visualizations, in a way that more people can easily view. It ticks all our requirements, at the cost of a steeper learning curve, which will get easier over time.&lt;/p&gt;

&lt;p&gt;Also assisting with that learning curve is the fact that HTML + JavaScript visualisations are, by their very nature, open (in the sense that you can read the source and learn from it, at least). Do you want to see how someone else put a great visualization together? “View source” is your best friend.&lt;/p&gt;

&lt;p&gt;Developing our HTML visualization won’t be quite as easy as plugging data into our desktop tool - but not that far off it, as we’ll soon learn. In the next post in the series, we’ll look at the knowledge and tools that will help us get our first HTML visualization off the ground. If you know very little about HTML but can drive a text editor, you’re going to be pleasantly surprised how fast we’re up and running.&lt;/p&gt;

&lt;p&gt;Until next time!&lt;/p&gt;

&lt;p&gt;Chris&lt;/p&gt;
</content>
</entry>

<entry>
    <title>What a good data visualisation should do</title>
    <link href="http://csirtfoundry.com/blog/vis-what"/>
    <updated>2011-06-28T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/vis-what</id>
    <content type="html">&lt;p&gt;If there was a list of skills I could encourage every security analyst to pick up, information visualisation would be high up the list. Today, let’s look at visualisation and what a good visualisation should achieve. &lt;/p&gt;

&lt;h2 id=&quot;what-do-we-mean-by-visualisation&quot;&gt;What do we mean by visualisation?&lt;/h2&gt;

&lt;p&gt;Anything that visually communicates information can be termed a visualisation. The humble bar graph:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/bargraph.png&quot; alt=&quot;Bar graph&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A treemap:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/treemap_red.jpg&quot; alt=&quot;Treemap&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.flickr.com/photos/marc_smith/1474524836/&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;ASCII output:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/ascii_graph.png&quot; alt=&quot;ASCII graph&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Or a slightly flashier, interactive streamgraph:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/streamgraph.jpg&quot; alt=&quot;Streamgraph&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.flickr.com/photos/elainegreycats/3645233832/&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;h2 id=&quot;educational-vs-operational-visualisation&quot;&gt;Educational vs operational visualisation&lt;/h2&gt;

&lt;p&gt;One type of visualisation might educate, by presenting a broad concept: say, how widely French is spoken:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/french_map.png&quot; alt=&quot;Maps of French speaking countries&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/French_language&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;As well as broad education, visualisations may provide new, deep insights on a data set. Here, we’ll focus on generating these deep insights. We’ll call this &lt;i&gt;operational visualisation&lt;/i&gt;.&lt;/p&gt;

&lt;p&gt;I’m going to be talking about practical, attractive visualisations we can generate programmatically. If you’re after newspaper-like infographics with clip art and funky layouts like this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/infographic.jpg&quot; alt=&quot;Infographic&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.flickr.com/photos/truliavisuals/5241592514/&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;…you’d be better off reading up on Illustrator. We’ll be looking at visualisations that are generated continuously and used every day.&lt;/p&gt;

&lt;h2 id=&quot;the-most-basic-thing-a-visualisation-should-do&quot;&gt;The most basic thing a visualisation should do&lt;/h2&gt;

&lt;p&gt;If you studied journalism in high school, you may recall the expression “write for your audience”. It’s easy to forget that, as much fun as it is for us, our visualisation is ultimately for those viewing it. More than anything, our viewers need to walk away from our visualisation with some new insight. That new insight should &lt;em&gt;not&lt;/em&gt; be “Wow, that’s really complex”:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/complex_graph.png&quot; alt=&quot;Network graph&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.flickr.com/photos/masterorz/3946707003/&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;Some visualisations aim to look sophisticated or intricate without imparting anything in particular to the audience.&lt;/p&gt;

&lt;p&gt;The most basic thing a visualisation should do: give the viewer new insights. If we haven’t presented some new insight, we’ve missed the mark.&lt;/p&gt;

&lt;p&gt;A visualisation should do at least one of the below:&lt;/p&gt;

&lt;h3 id=&quot;tell-a-story&quot;&gt;Tell a story&lt;/h3&gt;

&lt;p&gt;By visually representing our data, we can paint an overall picture of a trend. For example, here are Japanese urban land prices since the 1980s, clearly showing the bubble and the subsequent crash:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/japan_chart.png&quot; alt=&quot;Japan real estate bubble&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.statusireland.com/statistics/property-house-price-statistics-for-ireland/26/Japan-Urban-Land-Index.html&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;h3 id=&quot;tell-us-what-to-look-at-next&quot;&gt;Tell us what to look at next&lt;/h3&gt;

&lt;p&gt;Visualisations take the clutter of a data set, and help us determine points of interest to dig into. For example, this well-known treemap of the US stock market shows us the overall movement of companies, sectors and the market as a whole, while pinpointing the fast movers in bright green and red:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/treemap.png&quot; alt=&quot;Market treemap&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://www.smartmoney.com/map-of-the-market/&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;Our analysts could then pick up from there and dive into data on those specific companies.&lt;/p&gt;

&lt;h3 id=&quot;discover-new-relationships&quot;&gt;Discover new relationships&lt;/h3&gt;

&lt;p&gt;Reconstructing our data as a graphic can reveal new insights. For example, this node-link diagram maps an API by parent and child relationships:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/img/blog/2011-06-28-vis-what/radial.png&quot; alt=&quot;Node-link diagram&quot; /&gt;
&lt;div class=&quot;img_attrib&quot;&gt;&lt;a href=&quot;http://vis.stanford.edu/protovis/ex/tree.html&quot;&gt;Source&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;

&lt;p&gt;We get an instant impression of the size of the API, how deep it goes, and which parts have the most components. The same technique is very useful for understanding network topologies and interconnections.&lt;/p&gt;

&lt;h3 id=&quot;be-attractive&quot;&gt;Be attractive&lt;/h3&gt;

&lt;p&gt;A visualisation should show care and attention to presentation. We say “Don’t judge a book by its cover” for a reason: it’s what we naturally do. If your visualisation looks like it was thrown together quickly, people may assume that the underlying data is low quality.&lt;/p&gt;

&lt;p&gt;What does attractive mean? It’s subjective, but at a minimum:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Remove clutter: like composing a photo, it’s what you remove that makes the photo great.&lt;/li&gt;
  &lt;li&gt;Attention to detail: an absence of typos counts. Clear labels count.&lt;/li&gt;
  &lt;li&gt;Anti-aliasing: the jagged edges produced by many graphing tools leave things looking a little “rustic”. With the right tools, anti-aliasing is taken care of for you, giving a more professional result.&lt;/li&gt;
&lt;/ul&gt;
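&lt;p&gt;To make the “tell us what to look at next” and “remove clutter” points concrete, here is an added Python example (not code from the original post): it counts denied connections per source IP over two time windows from constructed sample log lines, flags the fast movers, and renders an uncluttered ASCII bar chart of only the top sources, with the movers marked so the analyst knows where to dig first. The log format, IP addresses, thresholds and function names are all assumptions for illustration.&lt;/p&gt;

```python
from collections import Counter

# Constructed sample log lines (not real traffic): one denied inbound
# connection per line, "timestamp src_ip dst_port". Two one-hour windows;
# in the second, one source ramps up sharply.
PREVIOUS_WINDOW = """\
2011-06-28T08:05:11 198.51.100.7 22
2011-06-28T08:12:40 198.51.100.7 22
2011-06-28T08:20:03 203.0.113.50 445
2011-06-28T08:31:19 192.0.2.10 3389
2011-06-28T08:44:58 198.51.100.7 22
2011-06-28T08:52:27 203.0.113.50 445
"""

CURRENT_WINDOW = """\
2011-06-28T09:01:02 198.51.100.7 22
2011-06-28T09:03:15 203.0.113.50 445
2011-06-28T09:03:16 203.0.113.50 445
2011-06-28T09:03:17 203.0.113.50 445
2011-06-28T09:03:18 203.0.113.50 445
2011-06-28T09:03:19 203.0.113.50 445
2011-06-28T09:03:20 203.0.113.50 445
2011-06-28T09:03:21 203.0.113.50 445
2011-06-28T09:03:22 203.0.113.50 445
2011-06-28T09:10:44 198.51.100.7 22
2011-06-28T09:15:30 192.0.2.10 3389
2011-06-28T09:40:12 198.51.100.7 22
2011-06-28T09:55:09 192.0.2.99 23
"""


def hits_per_source(log_text):
    """Count denied connections per source IP in one window."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines rather than crash
        counts[fields[1]] += 1
    return counts


def fast_movers(current, previous, factor=3.0, floor=5):
    """Sources whose hits grew at least `factor` times window over window.
    A source unseen in the previous window counts once it reaches `floor`
    hits, so a single new probe does not light up the chart (thresholds are
    assumptions; tune them to your own traffic)."""
    movers = set()
    for src, now in current.items():
        before = previous.get(src, 0)
        if before == 0:
            if now >= floor:
                movers.add(src)
        elif now >= factor * before:
            movers.add(src)
    return movers


def ascii_bar_chart(current, previous, top_n=5, width=40):
    """Render only the top_n sources as horizontal bars, largest first,
    with fast movers marked '!' so the eye lands on them first."""
    movers = fast_movers(current, previous)
    ranked = current.most_common(top_n)
    if not ranked:
        return []
    peak = ranked[0][1]
    label_w = max(len(src) for src, _ in ranked)
    lines = []
    for src, n in ranked:
        bar = "#" * round(width * n / peak)
        flag = " !" if src in movers else ""
        lines.append(f"{src.ljust(label_w)} |{bar.ljust(width)} {n}{flag}")
    return lines


if __name__ == "__main__":
    now = hits_per_source(CURRENT_WINDOW)
    before = hits_per_source(PREVIOUS_WINDOW)
    print("\n".join(ascii_bar_chart(now, before)))
```

&lt;p&gt;Run it directly to print the chart. The shape of the work (rank, trim to the top few, label clearly, flag the outliers) is the same whatever renderer eventually draws the bars; only the last step changes when you move from ASCII to an anti-aliased chart.&lt;/p&gt;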

&lt;h2 id=&quot;summary&quot;&gt;Summary&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;Visualisation is an essential tool in any analyst’s toolkit.&lt;/li&gt;
  &lt;li&gt;Design for your audience; focus on your intended message.&lt;/li&gt;
  &lt;li&gt;A visualisation should: tell a story; tell an analyst what to look at next; reveal new relationships; be attractive.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Next in the visualisation series: what visualisation technologies should we use?&lt;/p&gt;

</content>
</entry>

<entry>
    <title>Free tools for your CSIRT - Etherpad</title>
    <link href="http://csirtfoundry.com/blog/etherpad"/>
    <updated>2011-05-23T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/etherpad</id>
    <content type="html">&lt;p&gt;When we look to improve the effectiveness of our security teams with software, analysis or incident response systems are often the natural focus.  The unsung heroes, however, are the simple communication and collaboration software tools which can help your team run that much smoother.&lt;/p&gt;

&lt;p&gt;Today, I’ll introduce one of my favourite collaboration tools: Etherpad.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/img/blog/2011-05-21-etherpad/etherpad_screen.png&quot;&gt;&lt;img src=&quot;/img/blog/2011-05-21-etherpad/etherpad_thumb.png&quot; alt=&quot;Etherpad screenshot&quot; title=&quot;Etherpad screenshot&quot; /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Etherpad is a multi-user web-based text editor, allowing simultaneous document editing. This is immensely valuable for:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;co-operatively drafting a security advisory;&lt;/li&gt;
  &lt;li&gt;taking shared minutes in a conference call;&lt;/li&gt;
  &lt;li&gt;consolidating information about a new vulnerability or attack;&lt;/li&gt;
  &lt;li&gt;reviewing draft reports.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The ability to see realtime updates from your co-workers is a huge advantage for time-critical and jointly authored documents. Each contributor’s content is highlighted. You’ll see them entering and altering text as they go. While you’re working on the “Vulnerability” section of your security bulletin, you can see your colleague updating “Mitigations”. Then, as new information comes to hand, edit the notes your co-worker added. This beats the lock-edit-release system of many wiki systems hands down.&lt;/p&gt;

&lt;p&gt;Another nice feature is that the entire edit history of each document is stored. You can replay edits and see exactly when a particular change was introduced, or revert to a previous version.&lt;/p&gt;

&lt;p&gt;It should also be noted that Etherpad is slightly different in philosophy to a wiki. A wiki is a highly interconnected, searchable set of documents, while Etherpad is primarily presented as a collection of stand-alone documents. However, many basic features of a wiki, such as inter-document linking, can be replicated in Etherpad. The two can complement each other nicely.&lt;/p&gt;

&lt;p&gt;If you’d like to give Etherpad a try, good news: you can &lt;a href=&quot;http://etherpad.org&quot;&gt;download and host your own server&lt;/a&gt; today. Following Google’s purchase of the company originally behind Etherpad, the software was released as open source shortly afterwards. It’s now being actively developed, with plenty of plugins and features added all the time.&lt;/p&gt;

&lt;p&gt;If you want to give it a test run before you set up your own Etherpad server, there are multiple public servers available such as &lt;a href=&quot;http://ietherpad.com&quot;&gt;iEtherpad&lt;/a&gt;. Give it a shot, but keep real incident and vulnerability details off public pads until you are running your own server.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/about/#chris_horsley_&quot;&gt;Chris&lt;/a&gt;&lt;/p&gt;

</content>
</entry>

<entry>
    <title>CSIRT Foundry is go for launch</title>
    <link href="http://csirtfoundry.com/blog/go-for-launch"/>
    <updated>2011-05-14T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/go-for-launch</id>
    <content type="html">&lt;p&gt;CSIRT Foundry is go for launch! After a sad farewell to Tokyo to move back to sunny Brisbane, we’re open for business.&lt;/p&gt;

&lt;p&gt;We’ll have plenty more coming soon, but in the meantime, we’d love to &lt;a href=&quot;/contact/&quot;&gt;hear from you&lt;/a&gt; about how we can help you build and improve your incident response processes using software. Do you need an incident status monitoring system? A better ticketing system? Automated malware analysis? We can help.&lt;/p&gt;

&lt;p&gt;In other news, I’ll be flying the flag down at the &lt;a href=&quot;http://conference.auscert.org.au&quot;&gt;AusCERT conference&lt;/a&gt; on Sunday 15 May, and will also be a panellist at the &lt;a href=&quot;http://conference.auscert.org.au/conf2011/CERT_BoF.html&quot;&gt;CERT BoF&lt;/a&gt; on Monday 16 May. If you’re on the Gold Coast next week, please track me down and say hi!&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;/about/#chris_horsley_&quot;&gt;Chris&lt;/a&gt;&lt;/p&gt;
</content>
</entry>

<entry>
    <title>Welcome to CSIRT Foundry</title>
    <link href="http://csirtfoundry.com/blog/welcome-to-csirt-foundry"/>
    <updated>2011-03-21T00:00:00+00:00</updated>
    <id>http://www.csirtfoundry.com/blog/welcome-to-csirt-foundry</id>
    <content type="html">&lt;p&gt;I’m excited to announce that CSIRT Foundry will be launching in May 2011.&lt;/p&gt;

&lt;p&gt;Over the last six years, I’ve been working at both AusCERT and JPCERT, national-level CSIRTs in Australia and Japan respectively. I’ve done a lot of different things over that time: incident response, phishing takedowns, malware analysis, international collaboration, vulnerability alerting, and many other things that I never expected to be doing. &lt;/p&gt;

&lt;p&gt;In all of these endeavours, one thing I’ve noticed is that as analysts, we seem to spend a lot of time doing the menial jobs, and less time doing what we care about: analysing new, interesting attacks, and thinking of creative ways to address the problems confronting us. Just paddling along and keeping up with the flow isn’t quite enough for job satisfaction: wouldn’t it be better if we could actually start thinking of how to make IR more effective?&lt;/p&gt;

&lt;p&gt;Before I entered the security world, I was a software developer who took to web applications early on. Throughout my time at AusCERT and JPCERT, I couldn’t shake the software development habit, but generally just as a side job between my incident response duties. Unfortunately, the unpredictable schedules of incident response do not blend well with the extended periods of concentration needed for software development.&lt;/p&gt;

&lt;p&gt;While we had access to and developed some great software that helped us, there always felt like more we could do: better engineered apps, rather than tools crafted during late-night hacking sessions as needed.&lt;/p&gt;

&lt;p&gt;So, that’s what this new venture is all about. Together with &lt;a href=&quot;http://twitter.com/DamonOehlman&quot;&gt;Damon Oehlman&lt;/a&gt;, I hope we can help you improve the state of the art in tools for incident response and security teams. We will have more detailed information soon, but please feel free to &lt;a href=&quot;/contact/&quot;&gt;get in touch with us&lt;/a&gt; - we’d love to work with you.&lt;/p&gt;
</content>
</entry>


</feed>
