Burying Stumps

Recently I've been planning and executing a plan to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it’s 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.

Tenable’s 3D Tool v2.0 is a Windows application that queries data from a SecurityCenter 4 server and presents it in an interactive visual console to facilitate presentations and security analysis.

It can help better communicate different types of information available in SecurityCenter, such as:

• Nessus vulnerability data


• Network topologies


• PVS data, including passively discovered vulnerabilities, network connections and new network devices


• Event data discovered and normalized by the Log Correlation Engine (LCE), including intrusion detection, firewall, NetFlow and syslog data

For more information, see Ron Gula's post to the Nessus Discussion Portal titled "3D Tool Creation and Walk-Through" (login required).

The following screenshot shows hosts on the network and their operating system type:

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

The following video is a demonstration of Tenable's latest 3D Tool Beta, visualizing network topology and security events:

The 3D Tool reads data from SecurityCenter and allows you to present it in an interactive visual console. For more information see Ron Gula's post to the Nessus Discussion Portal titled "3D Tool Creation and Walk-Through" (Login required). The 3D Tool beta works with SecurityCenter 4 and can be used to visualize Nessus information and topologies, passively discovered vulnerabilities and communications with the Passive Vulnerability Scanner and any series of connections or events from intrusion detection, firewall, netflow and other sources normalized by the Log Correlation Engine.

Recently, several images were uploaded to the SecViz - Security Visualization web site which visualize how hard the Nessus, Saint and Retina vulnerability scanners actually work. Default scans for each scanner were performed in full view of a Snort sensor and the alerts from Snort were sent to Prelude for visualization with "pig". The visualization allows understanding of how many different and unique techniques are performed by each scanner. Below are screen shots for the results from each scanner:

Saint Results	Retina Results	Nessus Results

When I first saw these results, I didn't think they were entirely relevant. The visualization is using Snort events, which means that all of the scanners might be trying techniques that Snort might not detect. For example, when Nessus performs a variety of non-credentialed Windows checks over ports 445 and various Windows RPC services, Snort generates some events, but it does not generate a unique event for every custom probe. However, after the author of these posts to SecViz contacted me and pointed out some of the test results, I thought it was a good blog topic. The raw results for Nessus included 1019 alerts, 166 alerts for Saint and 76 alerts for Retina which was fairly significant.

Since I didn't perform this test and did not duplicate it, I am not asking readers to draw any specific conclusions from these numbers. However, I strongly hope that readers perform their own tests of this nature to gain an understanding of how hard your assessment technology is working.

If you have multiple scanner technologies and various methods (NIDS, HIDS, SIM, NBAD, .etc) of detecting these probes, then doing comparison scans of the same targets can have interesting results. You may find that your default scanning policies aren't aggressive enough. Looking at how scanning can generate IDS events, netflow, logs and other types of data from scanner to scanner can help you understand what the scanner is doing and when. Keep in mind that if you are performing credentialed audits, ideally your security monitoring shouldn't see much other than an agent's processes working or remote logins via the Windows domain, Secure Shell or SNMP.

To illustrate this concept, I performed a scan of my target network with a remote Nessus scan and a free Qualys scan. Below are screen shots of from the Security Center and Log Correlation Engine I use for testing. The targets had http, https, ftp, vnc, ssh and several other protocols open during the scan. The results were both "zoomed" to the start and stop time of the scans.

Nessus Results	Qualys Results

If you are not familiar with the LCE, each log, flow or event gets a name. Something like an Apache 404 error log will be normalized as an "Apache-404_Error" name. The graphs above show a time line from left to right. So for the Nessus scan, there are some initial surges in events of SnortET-Scanning (a normalized name for Emerging Threats Snort port scan rules), a Snort-TCP_Scan event and a bunch of NetGear-Blocked_TCP events. What follows are a variety of Snort and system logs that get mapped into a variety of normalized web events. The Nessus scan also had 765 VNC login and logoff events.

Being able to take these types of activity summaries and compare them is very useful. For example, the Qualys scan performed far many fewer VNC logins than the Nessus scan did. Does this mean the user running the scans configured the scans incorrectly, or does this mean there were less actual checks being performed?

Lastly, performing this type of analysis can not only help you understand how hard your scanning technology is working, but you can make sure that your logging infrastructure is also working. When I started this blog entry, I realized I was getting Snort port 80 web events, but the actual logs from my web servers were not being sent to my Log Correlation Engine. I had reverted a target virtual machine which was sending syslogs to the wrong Log Correlation Engine.

Conclusions and Recommendations

I'm sure some readers will interpret this blog as slight against non-Nessus vulnerability scanners, but the point I'm really trying to make is that if you look at the effects of a scan through some sort of network monitoring solution, you may be able to learn not only how your scanner works, but how it interacts with your network.

This technique can be used for several different tasks:

• If you are evaluating a vulnerability scanning technology that is not leveraging credentials, looking at the logs generated by your SIM, NBAD or NIDS might help you see some differences in the scanner's performance for your environment.
• If you are evaluating an MSP scanner offering (regardless if it is PCI certified or not), using your NIDS, SIM or NBAD solution can show how these services might be performing different types of checks. I've seen a great deal of variety in the techniques and implementations of MSPs that use Nessus for their scanning and they all do things much different and unique than I would have thought.
• If you are evaluating a SIM or NBAD solutions, the solution should be able to look at all of the data generated by a scan and show very detailed analysis of how the scan took place and what steps it went through.

Version 1.2 of the 3D Tool is now available. This version is much faster then the previous version. It makes use of Security Center 3.2's ability to obtain data as a .csv spreadsheet. Those types of queries are much faster against Security Center 3.2 than the previous method with Security Center 3.0. A list of new features includes:

• A legend has been added for color-coded datasets.
• Pre-defined queries, setting a default query, and the ability to save query filters has been added.
• Enhanced visual effects that include mirroring and camera animation for the 3D topology view.

To upgrade to version 1.2, the prior version 1.0, should be completely removed. Original data left over from 1.0 will not be available for version 1.2, as there have been some changes in the underlying data-store to increase stability and performance. Tenable customers should contact support to obtain download instructions for the 3D Tool.

Below are screen shots of the new "mirror effect" in the topology view and the latest vulnerabilities vs. IP address graphs:

There are many ways to visualize raw data in graphical form. This blog entry will consider network topology visualization, trust relationship graphing and security event analysis. We will use a combination of Tenable products to procure the event and vulnerability data, the Tenable 3D Tool and AfterGlow.

Network Topology

For viewing how network components are connected, Tenable's 3D Tool can use the traceroute data collected by one or more Nessus scanners. The 3D Tool connects to the Security Center where all topology data is stored.

For large enterprise networks, attempting to place all of the nodes on a single 2D graph can be very complicated. By representing the same data in 3D, analysis of how networks are connected can be more easily understood. Below is a screen shot of such a topology as viewed in the 3D Tool.

All nodes are connected to a router, and all routers are placed on a helix. This type of view lets users see which routers have more hosts on them. It also lets users see how the routers are connected to each other.

Previously, Tenable's Lightning Console used a 2D display to show the topology as shown below:

This "hub and spoke" view is still useful, but had limitations in the number of nodes that can be displayed at one time. Viewing this data in 3D is more efficient than working with a 2D model.

Afterglow - Trust Relationships with Passive Vulnerability Scanner

The Passive Vulnerability Scanner (PVS) can detect when a certain host connects to another host at least once. For example, consider this report from a PVS:

192.168.20.199|unknown (22/tcp)|3|Security Note|192.168.20.199 -> 192.168.20.200:22
192.168.20.199|unknown (37/tcp)|3|Security Note|192.168.20.199 -> 0.0.0.0:37

The first line says that host 192.168.20.199 connects to 192.168.20.200 on port 22. The second line says that the same host connects to 0.0.0.0 on port 37 (time). The IP 0.0.0.0 represents a destination "outside" of the PVS's immediate network, i.e., someplace on the Internet.

These logs are "permanent" in that if the PVS sees a connection, it adds this to the database.  For  a realtime understanding of what the PVS can generate, read this blog entry which details the type of alerts that can be generated on the fly.

Using the the Security Center's ability to save queries as a .csv spread sheet file,  it is possible to create an AfterGlow image of these trust relationships. Below is a screen shot of small number of hosts which "connect" to each other:

The nodes that have more "destinations" (such as 10.10.131.37 in the lower right) are used by many remote clients. For this rendering, the center location is a "null" node that connects disparate nodes to a central place. If a more complete PVS data set were uses, the 0.0.0.0 node would have been a common destination for everyone, as this represents an Internet destination.

Knowing where your clients go on the internal network can help identify critical internal systems and systems that have sensitive data.

AfterGlow - ICMP Flood

Sometimes 2D visualization doesn't shed light or offer insight to what is going on. Consider this example. An ICMP flood is observed on a large enterprise network with the Log Correlation Engine (LCE):

Using the Security Center to extract a very large sample of records in the "spike" of ICMP traffic, AfterGlow generates the following type of display:

There are so many nodes on the graph that it is virtually unreadable. This is not any fault of AfterGlow or the underlying Graphviz rendering engine. It's just that attempting to display more than 10,000 unique IP addresses on a bitmap becomes very crowded. If you look closely, you can see IP addresses in there. The black IPs are the "internet" and the yellow IPs was our network. Basically, there are a lot of IP addresses sending ICMP traffic to a lot of our network.

Also, in this case, we used the wrong tool to try and understand what is going on. Consider a simple list of "Top IP Addresses" for the same ICMP flood data (with our network IP addresses obscured):

Most of the ICMP traffic came from one host. What we ended up graphing out in AfterGlow was all of the background ICMP traffic along with the actual ICMP flood. The point of this example is to always keep in mind what you are graphing.

AfterGlow - Port Scan Example

For the last example, we'd like to see if we can correlated pairs of "sources" and "destinations" for port scans. The PVS can detect when an internal system begins port scanning. We could have used Snort, Tipping Point, or any other sort of log data. With the Log Correlation Engine, five days of port scan events graph out this way on a large demo network:

It would be interesting to use the Security Center and ask it to summarize the top IP addresses involved in this traffic. However, this would not show the real distribution of a host that may have scanned 50 unique targets once as compared to a host scanning a single host 50 times. Visualizing this data with AfterGlow generates the following image:

The external "Yellow" hosts are actually from our test network. All of the nodes in the center are target nodes for the port scans. What this graph shows is hosts that have a large number of unique targets. In the lower left of this display, several nodes have scanned several dozen unique targets whereas, there are many other port scan sources that only targeted one host.

Working With AfterGlow

To create the above displays, data was downloaded from the Security Center as comma separated variables. It was then sanitized (i.e. replacing certain live IP addresses with something else). Lastly, the data was modified from the .csv format to something that AfterGlow can consume. The following PERL script can be used to convert a .csv file from the Security Center that listed IDS or Log events:

#!/usr/bin/perl
open(FH,"source.csv");
open(WH,">afterglow.csv");
$line = <FH>;
while (<FH>)
        {
        $line = $_;
        #$line =~ s/xxx/yyy/g;
        $line =~ s/\"//g;
        @stuff = split(",",$line);
        print WH ("$stuff[2],$stuff[3]\n");
        }
close(FH); close(WH);

It takes a file named source.csv and creates afterglow.csv. The new file will simply have the source IP and the destination IP on the same line separated by a comma. On the commented out line, the 'xxx' and 'yyy' could be replaced with various octets to obscure your IP network ranges. For example, if you wanted to replace all IP addresses that started with 10.10 to be  20.20, you would use a statement like:

$line =~ s/^10\.10\./20.20/g;

Please refer to the AfterGlow web site for more information on how to create these sorts of graphs.

For more info

The Tenable 3D Tool is available for the Security Center and can visualization topologies, IP vs. Port relationships and IP vs. Vulnerability ID relationships. A video of how the tool is used is available here. The video includes a display of a network with more than 400 routers and 10,000 nodes.

The SecViz web site also has very good discussions and example images of security data visualization.