Enemy spotted

Applying infovis at security field

Created by Felipe Pr0teus
blog || @Pr0teusBR

$whois Felipe.Pr0teus

I don't work at Proteus.

  • Works for TJRJ
  • Security Researcher(Independent)
  • Love coffee!
  • Like to Help

Disclaimer

The data and results shown here were obtained in a controlled environment and may or may not correspond to real-life situations. My employer has nothing to do with it =D

Motivation

  • Know where our enemies are.
  • Understand the field and create a strategy.
  • We can't fight what we can't see.
Fog of War

Not convinced?!

13 14,16,17,18,21...

Why the NEED of visualization

How this help us?!

  • We have to analyze lots of data
    • Images summarize a lot of it
  • Who doesn't love a graphic?!

At least it helps us sell!

Why visualization works?!

  • Vision trumps all other senses
  • We evolved to look for:
    food, water & reproduction!
  • Recognition doubles for a picture compared with a text !
  • Context & Pattern recognition
Remember this! (Sorry girls!)

We are really good with Pattern Recognition!

  • :)
  • Pareidolia

How it works ?

Colors, shapes, patterns

Tree Map

Display data Hierarchy

Chord diagram

Display inter-relationships(Matrix)

Parallel Coordinates

Display lots of data dimensions

Patterns

Data & Data

Data & Data

Remember...

  1. Get a problem (Ask me how)
  2. Collect the data
  3. Parse & Correlate
  4. Visualize & Interact
  5. Back to Step 1 or 3
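Steps 2 to 4 of this loop as an added example (not code from the talk or from any tool it names): it parses a constructed netflow-style export, correlates per source host, and emits both an AfterGlow-style two-column edge list (the "source,target" CSV format is an assumption about that tool's input) and a quick text bar chart, so a host fanning out to many hosts on one port stands out at a glance.

```python
from collections import Counter, defaultdict

# Constructed sample netflow export: src,dst,dport,bytes (not real traffic).
FLOWS = """\
10.0.0.5,192.168.1.10,22,4200
10.0.0.5,192.168.1.11,22,300
10.0.0.5,192.168.1.12,22,310
10.0.0.5,192.168.1.13,22,290
10.0.0.7,192.168.1.10,443,880000
10.0.0.9,192.168.1.10,443,12000
10.0.0.5,192.168.1.14,22,305
"""

def parse_flows(text):
    """Step 2/3: turn raw CSV records into (src, dst, dport, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split(",")
        rows.append((src, dst, int(dport), int(nbytes)))
    return rows

def correlate(rows):
    """Step 3: per source host, count distinct (dst, port) targets and sum bytes."""
    fanout, volume = defaultdict(set), Counter()
    for src, dst, dport, nbytes in rows:
        fanout[src].add((dst, dport))
        volume[src] += nbytes
    return {s: {"targets": len(fanout[s]), "bytes": volume[s]} for s in fanout}

def to_afterglow_csv(rows):
    """Step 4: 'source,target' edge list (assumed AfterGlow two-column input)."""
    return "\n".join(sorted({f"{src},{dst}:{dport}" for src, dst, dport, _ in rows}))

def text_bars(stats, key="targets", width=20):
    """Step 4: one bar per source host, scaled to the largest value of `key`."""
    top = max(v[key] for v in stats.values())
    return "\n".join(f"{s:<12} {'#' * (v[key] * width // top):<{width}} {v[key]}"
                     for s, v in sorted(stats.items()))

if __name__ == "__main__":
    stats = correlate(parse_flows(FLOWS))
    print(to_afterglow_csv(parse_flows(FLOWS)))   # feed this to the graph tool
    print(text_bars(stats))                       # 10.0.0.5 fans out to 5 targets
    print(text_bars(stats, key="bytes"))          # 10.0.0.7 dominates by volume
```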

An image worth more than a thousand words!

An image worth more than a thousand logs!

Can be applied into security field?!

  • Guess what?! Sure! (Rhetorical at this point)
  • Just use security data

Believe me! You and I have tons of data!

  • App logs: Apache (access, error), [My, Maria, Postgre or no]SQL, PHP, Python, ASPX, Memcached, ...
  • Network: firewall logs, router logs, netflow, raw packets, IPS/IDS, NIDS
  • Servers: CPU, memory, disk utilization, connections, processes, ...
  • Security tools, CVEs, exploits, Twitter, news, community...
  • Buzzword: BigData

Are we able to read/understand all of them?

Information visualization !

DaViX

(Your next Linux vm)

  • PicViz
  • AfterGlow
  • Gephi, GraphViz, MRTG/RRD ...
  • Parsers
  • ELK stack

Toolkits

Example:Data Breach

source: http://www.harvest.ai

Data breach

Demo 1

Aleph - Malware Analysis Pipeline System

Some Brazilian malwares

About Aleph Project

Get Aleph at github.

Demo 2

Netflow, Alert from zabbix - Where is the enemy?!

C:\Users\Pr0teus\hl.exe -game cstrike

Conclusion

  • We can visually correlate data
  • We have plenty of data LOL (Lots of Logs)
  • There are a lot of kits to start playing with infovis.
  • We can use it to defend, attack or make money =D
  • Go further!

See Further, Go further !

Thank you!

Questions?

felipeaesposito (a) gmail [.] com
@Pr0teusBR