GULP – Grand Unified Logging Program
Do you REALLY know who your users are?
LockDown 2018, July 15, 2018
Joel Rosenblatt, Director, Computer & Network Security, Columbia University, CISO
Copyright (c) 2018 The Trustees of Columbia University in the City of New York
Columbia Network Environment
• Large research university
• Decentralized management structure
• Over 250,000 network nodes
• Over 100,000 MAC addresses active on average
• Decentralized computer support
• No sniffing traffic or scanning machines allowed
• “Free Love” IP address assignments
• No university wide, corporate like, firewalls
• 130,000 email accounts
Initial problems to solve
• We wanted to offer pain free use of our network to visiting people
• We needed to reduce the overhead of registering machines
The solution is ….
FreeLove
What is “Free Love”
• From http://www.educause.edu/ir/library/pdf/erm0266.pdf, “Free Love” and Secured Services, by Vace Kundakci:
“Free love” allowed all computers, whether public or private, wired or wireless, in residence halls, at the libraries, in faculty and staff offices, or anywhere else on campus to connect directly to the network, and thereby to the world, without further ado.
NEW Problems to solve
• How do you answer the question…
• Who is using a certain IP address?
• Who is using a certain MAC address?
• When was a certain IP address being used by a certain user?
The NEW solution is …
GULP
Grand Unified Logging Program - GULP
• Problem – How do you know who is using an IP/MAC address without registration?
• GULP processes the logs from 14+ different services that require authentication
• GULP includes information from LENEL
• It processes information from DHCP and the ARP cache to associate MAC address with IP address
• GULP correlates all information
• A user can be tracked by IP, MAC, or UNI – even if the IP is not on the Columbia network
• The data is kept for 28 days and then purged
Basic GULP workflow
• Pull all logs that associate an authenticated user, process, timestamp and IP address
• Dump information into a database
• Pull information from the network that associates IP address, MAC address and time (DHCP and ARP cache)
• Add network information into appropriate records in the database
• Includes ID Card transactions – “Door Swipes”
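The correlation step of the workflow above, as an added example that is not GULP's own code: each authenticated-service record is joined to the DHCP/ARP observation that held its IP at login time, so the record gains the MAC address. All inputs (UNIs, services, IPs, MACs, lease times) are constructed, and leases are assumed to be half-open [start, end) intervals.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed inputs in the shape GULP ingests; not real Columbia data.
# Authenticated-service logs: (UNI, service, timestamp, client IP).
AUTH_LOGS = [
    ("user1", "webmail", "2018-07-10 09:05", "10.0.0.7"),
    ("user2", "vpn", "2018-07-10 13:40", "10.0.0.7"),   # same IP, later lease
    ("user3", "ssh", "2018-07-10 09:10", "10.0.0.9"),   # before any lease on that IP
]
# DHCP / ARP observations: (IP, MAC, seen from, seen until).
LEASES = [
    ("10.0.0.7", "aa:bb:cc:00:00:01", "2018-07-10 08:00", "2018-07-10 12:00"),
    ("10.0.0.7", "aa:bb:cc:00:00:02", "2018-07-10 12:00", "2018-07-10 16:00"),
    ("10.0.0.9", "aa:bb:cc:00:00:03", "2018-07-10 10:00", "2018-07-10 14:00"),
]

def ts(s):
    return datetime.strptime(s, FMT)

def build_lease_index(leases):
    """Per IP: a sorted list of (start, end, mac) plus the parallel list of starts,
    so a lookup is a binary search rather than a scan over every lease."""
    spans = defaultdict(list)
    for ip, mac, start, end in leases:
        spans[ip].append((ts(start), ts(end), mac))
    return {ip: (sorted(v), [s for s, _, _ in sorted(v)]) for ip, v in spans.items()}

def mac_for(index, ip, when):
    """MAC holding `ip` at `when` under a half-open [start, end) lease, else None."""
    if ip not in index:
        return None
    spans, starts = index[ip]
    i = bisect_right(starts, when) - 1   # last lease that started at or before `when`
    if i >= 0 and when < spans[i][1]:
        return spans[i][2]
    return None

def correlate(auth_logs, leases):
    """Attach to each login the MAC that held its IP at login time (None if unknown)."""
    index = build_lease_index(leases)
    return [(uni, svc, when, ip, mac_for(index, ip, ts(when))) for uni, svc, when, ip in auth_logs]

if __name__ == "__main__":
    for row in correlate(AUTH_LOGS, LEASES):
        print(row)
```

A None in the last column is the case worth alerting on: an authenticated login from an IP with no matching lease is either a gap in the DHCP/ARP feed or a statically configured host.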
Network security vs Public Safety
Network security:
• What machine used that IP address at 3:00pm
• Was the machine with MAC address XX connected to the network yesterday
• How many MACs used that jack
Public Safety:
• Who used that IP address at 3:00pm
• Did the person named John Doe log in to the network yesterday
• How many people used that IP address – and when
Sample GULP for UNI Joel
Gulp for IP 68.197.91.126
Sample GULP for audrey0
Question
• No one has seen this student for 10 days, can you tell me anything?
Lost person procedure
• Look up ID of missing person using GULP
• Analyze login records for location and times
• Work with Public Safety to establish if this information matches up with missing person report
Question
• A (faculty, staff, student) received this anonymous email from Yahoo – can you tell me who sent it?
Procedure to track down some anonymous email senders
• Get IP address of email sender from headers (this does not work easily with Gmail)
• Pop into GULP
• See what comes up
• We have found that, quite often, the offender will fire off the nasty email, then login to our systems to check on their own email; once they authenticate, GULP has them
Question
• We got a call from LE that someone is applying for Credit Cards using the identities of employees, can you help?
Procedure to help Law Enforcement find Bad Guys
• Get some data from LE – in this case, we got the IP address that the applications were being submitted from
• Pop into GULP and see what you get
• P.S. The person is currently in jail
Question
• (Department that runs their own network – I know you have them :) ) We can’t find this machine anywhere. All I know is the IP address, can you help?
Procedure to find lost computers
• Take the IP address and pop into GULP
• The user or users of that computer will be displayed – then it is a simple matter of calling them and asking where they are
GULP data mining
• Use GULP data to discover compromised passwords
• Use GULP data to satisfy Audit requirements
• Use GULP data to expose MAC spoofers
Compromised Password Discovery
• Create a daily process that looks at the last few days of GULP data (we use 72 hours)
• Look at the location information of the logins (we use ASN data)
• If a user logs in from “x” locations or more (we use 6 ASNs) in the time period, there is a strong possibility that the password has been compromised
• We also look for logins from more than 2 countries
• Using Lenel data allows pinning physical location to campus
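The daily check described above, as an added example that is not the deck's code: it counts distinct ASNs and countries per UNI over a 72-hour window and flags users who exceed the deck's thresholds (6 ASNs, or more than 2 countries). The records, UNIs, ASNs and IPs are constructed, and the ASN/country enrichment is assumed to have already been applied to each record.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
WINDOW = timedelta(hours=72)  # the deck's lookback period
MIN_ASNS = 6                  # "6 ASNs" threshold from the deck
MAX_COUNTRIES = 2             # more than 2 countries is suspicious

# Constructed records in the shape GULP holds after ASN enrichment:
# (UNI, timestamp, client IP, ASN, country). Not real Columbia data.
SAMPLE_LOGINS = [
    ("user1", "2018-07-10 05:21", "203.0.113.10", "AS64500", "CN"),
    ("user1", "2018-07-10 07:30", "203.0.113.20", "AS64501", "TW"),
    ("user1", "2018-07-10 10:32", "198.51.100.5", "AS64502", "US"),
    ("user2", "2018-07-09 08:00", "198.51.100.11", "AS64510", "US"),
    ("user2", "2018-07-09 09:00", "198.51.100.12", "AS64511", "US"),
    ("user2", "2018-07-09 10:00", "198.51.100.13", "AS64512", "US"),
    ("user2", "2018-07-10 08:00", "198.51.100.14", "AS64513", "US"),
    ("user2", "2018-07-10 09:00", "198.51.100.15", "AS64514", "US"),
    ("user2", "2018-07-10 10:00", "198.51.100.16", "AS64515", "US"),
    ("user3", "2018-07-01 12:00", "192.0.2.7", "AS64520", "FR"),  # older than 72h, ignored
    ("user3", "2018-07-10 12:00", "198.51.100.30", "AS64502", "US"),
    ("user3", "2018-07-10 18:00", "198.51.100.31", "AS64503", "US"),
]

def flag_suspicious(logins, now, window=WINDOW, min_asns=MIN_ASNS, max_countries=MAX_COUNTRIES):
    """Return {uni: [reasons]} for users whose logins in [now - window, now]
    span at least `min_asns` distinct ASNs or more than `max_countries` countries."""
    end = datetime.strptime(now, FMT)
    start = end - window
    asns, countries = defaultdict(set), defaultdict(set)
    for uni, ts, _ip, asn, cc in logins:
        when = datetime.strptime(ts, FMT)
        if start <= when <= end:          # only the lookback window counts
            asns[uni].add(asn)
            countries[uni].add(cc)
    flagged = {}
    for uni in asns:
        reasons = []
        if len(asns[uni]) >= min_asns:
            reasons.append(f"{len(asns[uni])} ASNs in window")
        if len(countries[uni]) > max_countries:
            reasons.append(f"{len(countries[uni])} countries in window")
        if reasons:
            flagged[uni] = reasons
    return flagged

if __name__ == "__main__":
    for uni, why in sorted(flag_suspicious(SAMPLE_LOGINS, "2018-07-11 00:00").items()):
        print(uni, "->", "; ".join(why))
```

Counting distinct ASNs rather than distinct IPs is what keeps a user on a single carrier-grade NAT or campus range from tripping the rule, which is the reason the deck uses ASN data.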
User login by country
GULP of users account
China & Taiwan
Swipe at CU
Notes on GULP of user
• Use Start/End to limit size of report
• Colors make it easy to see jumps in CIDR ranges
Look up first suspicious IP address – click on it in the Hostname column – China
218.27.82.114
Check of second IP shows it is from Taiwan
103.98.74.117
Now look at the timestamps
• New York swipe at 10:32
• Taiwan login at 07:30
• China login at 05:21
• That is China to NY in about 5 hours
• Either this person has their own Transporter, or more than 1 person is using the account :)
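The timestamp argument above, as an added example that is not from the deck: it computes the great-circle distance and implied speed between consecutive events and flags any leg faster than an airliner could cover. It assumes all three timestamps are on the same clock (the deck does not say otherwise), takes Beijing and Taipei as stand-in points because the deck names only the countries, and uses an assumed 1000 km/h ceiling.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

FMT = "%Y-%m-%d %H:%M"
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: a little above airliner cruise speed

# The three events from the deck, assumed to share one clock (no zone conversion).
# The deck names only countries, so Beijing and Taipei are assumed stand-in points
# with approximate coordinates; the swipe is on the New York campus.
EVENTS = [
    ("login", "China", "2018-07-10 05:21", 39.90, 116.41),
    ("login", "Taiwan", "2018-07-10 07:30", 25.03, 121.57),
    ("swipe", "New York", "2018-07-10 10:32", 40.71, -74.01),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Sort events by time and, for each consecutive pair, return
    (from, to, km, hours, km_per_h, impossible), where impossible means
    the implied speed exceeds max_kmh."""
    ordered = sorted(events, key=lambda e: e[2])
    legs = []
    for a, b in zip(ordered, ordered[1:]):
        hours = (datetime.strptime(b[2], FMT) - datetime.strptime(a[2], FMT)).total_seconds() / 3600
        km = haversine_km(a[3], a[4], b[3], b[4])
        if hours > 0:
            kmh = km / hours
        else:  # same minute: fine if same place, otherwise no speed could explain it
            kmh = 0.0 if km == 0 else float("inf")
        legs.append((a[1], b[1], round(km), round(hours, 2), round(kmh), kmh > max_kmh))
    return legs

if __name__ == "__main__":
    for frm, to, km, hours, kmh, bad in implied_travel(EVENTS):
        print(f"{frm} -> {to}: {km} km in {hours} h = {kmh} km/h{'  IMPOSSIBLE' if bad else ''}")
```

The Taiwan-to-New York leg works out to several thousand km/h, which is the deck's "Transporter" conclusion expressed as a number; the door-swipe record is what anchors the New York end, which is why the Lenel feed matters to this check.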
Summary
• GULP is a powerful and useful tool for bringing together disparate pieces of information.
• GULP can be used in a “free love” or a managed environment.
• Once you have GULP, it will quickly become the “go to” tool for any question that involves WHO or WHERE
To get your Build-your-own-GULP kit, send email to me
Make sure to include GULP Kit in the subject line
Questions?