GULP: Grand Unified Logging Program. Do you REALLY know who your users are? LockDown 2018, July 15, 2018. Joel Rosenblatt, Director, Computer & Network Security, Columbia University, CISO


GULP: Grand Unified Logging Program

Do you REALLY know who your users are?

LockDown 2018, July 15, 2018

Joel Rosenblatt, Director, Computer & Network Security

Columbia University, CISO


Copyright (c) 2018 The Trustees of Columbia University in the City of New York

Columbia Network Environment

• Large research university

• Decentralized management structure

• Over 250,000 network nodes

• Over 100,000 MAC addresses active on average

• Decentralized computer support

• No sniffing traffic or scanning machines allowed

• “Free Love” IP address assignments

• No university-wide, corporate-like firewalls

• 130,000 email accounts


Initial problems to solve

• We wanted to offer pain-free use of our network to visiting people

• We needed to reduce the overhead of registering machines


The solution is …

Free Love


What is “Free Love”?

• From http://www.educause.edu/ir/library/pdf/erm0266.pdf, “Free Love” and Secured Services, by Vace Kundakci:

“Free love” allowed all computers, whether public or private, wired or wireless, in residence halls, at the libraries, in faculty and staff offices, or anywhere else on campus to connect directly to the network, and thereby to the world, without further ado.


NEW problems to solve

• How do you answer the question…

• Who is using a certain IP address?

• Who is using a certain MAC address?

• When was a certain IP address being used by a certain user?


The NEW solution is …

GULP


Grand Unified Logging Program - GULP

• Problem: how do you know who is using an IP/MAC address without registration?

• GULP processes the logs from 14+ different services that require authentication

• GULP includes information from LENEL

• It processes information from DHCP and the ARP cache to associate MAC address with IP address

• GULP correlates all information

• A user can be tracked by IP, MAC, or UNI, even if the IP is not on the Columbia network

• The data is kept for 28 days and then purged


Basic GULP workflow

• Pull all logs that associate an authenticated user, process, timestamp and IP address

• Dump information into a database

• Pull information from the network that associates IP address, MAC address and time (DHCP and ARP cache)

• Add network information into appropriate records in the database

• Includes ID Card transactions (“Door Swipes”)
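The workflow above, as an added illustration that is not GULP's own code: authenticated-service records are enriched with the MAC that held the IP at that moment (from DHCP/ARP lease intervals), kept for 28 days, and queried by UNI, IP or MAC. Users, service names, IPs, MACs and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuthEvent:   # one line from an authenticating service's log
    user: str
    service: str
    ts: datetime
    ip: str

@dataclass
class Lease:       # IP<->MAC binding from DHCP or the ARP cache, valid over [start, end)
    ip: str
    mac: str
    start: datetime
    end: datetime

T = lambda h, m: datetime(2018, 7, 15, h, m)   # constructed timestamps
DAY = timedelta(days=1)
RETENTION = 28 * DAY   # slide: data kept for 28 days, then purged

# Constructed sample records; users, service names, IPs and MACs are made up.
AUTH = [
    AuthEvent("jr123", "imap",    T(14, 55), "10.1.2.3"),
    AuthEvent("ab456", "vpn",     T(15, 10), "10.1.2.3"),     # same IP, later lease
    AuthEvent("jr123", "webmail", T(15, 30), "203.0.113.7"),  # off-campus address
]
LEASES = [
    Lease("10.1.2.3", "aa:bb:cc:00:00:01", T(14, 0), T(15, 0)),
    Lease("10.1.2.3", "aa:bb:cc:00:00:02", T(15, 0), T(16, 0)),
]

def mac_for(ip, ts, leases=LEASES):
    """MAC holding the IP at that instant; None when the IP is outside the DHCP/ARP data."""
    return next((l.mac for l in leases if l.ip == ip and l.start <= ts < l.end), None)

def build_gulp(auth=AUTH, leases=LEASES):
    """Workflow steps 2-4: store the auth records, then add the network (MAC) information."""
    return [dict(user=a.user, service=a.service, ts=a.ts, ip=a.ip,
                 mac=mac_for(a.ip, a.ts, leases)) for a in auth]

def purge(records, now):
    """Drop records older than the retention period."""
    return [r for r in records if now - r["ts"] <= RETENTION]

def lookup(records, *, user=None, ip=None, mac=None, at=None, window=timedelta(minutes=30)):
    """Query by UNI, IP or MAC, optionally limited to a window around a point in time."""
    return [r for r in records
            if (user is None or r["user"] == user)
            and (ip is None or r["ip"] == ip)
            and (mac is None or r["mac"] == mac)
            and (at is None or abs(r["ts"] - at) <= window)]
```

The off-campus webmail record keeps a null MAC but still answers "track by UNI", which is the slide's point about IPs outside the Columbia network.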


Network security vs Public Safety

Network security:

• What machine used that IP address at 3:00pm

• Was the machine with MAC address XX connected to the network yesterday

• How many MACs used that jack

Public Safety:

• Who used that IP address at 3:00pm

• Did the person named John Doe log in to the network yesterday

• How many people used that IP address, and when


Sample GULP for UNI Joel


GULP for IP 68.197.91.126


Sample GULP for audrey0


Question

• No one has seen this student for 10 days, can you tell me anything?


Lost person procedure

• Look up ID of missing person using GULP

• Analyze login records for location and times

• Work with Public Safety to establish if this information matches up with the missing person report


Question

• A (faculty, staff, student) received this anonymous email from Yahoo. Can you tell me who sent it?


Procedure to track down some anonymous email senders

• Get IP address of email sender from headers (this does not work easily with Gmail)

• Pop into GULP

• See what comes up

• We have found that, quite often, the offender will fire off the nasty email, then log in to our systems to check on their own email; once they authenticate, GULP has them


Question

• We got a call from LE that someone is applying for credit cards using the identities of employees. Can you help?


Procedure to help Law Enforcement find Bad Guys

• Get some data from LE; in this case, we got the IP address that the applications were being submitted from

• Pop into GULP and see what you get

• P.S. The person is currently in jail


Question

• (Department that runs their own network; I know you have them :-)) We can’t find this machine anywhere. All I know is the IP address, can you help?


Procedure to find lost computers

• Take the IP address and pop into GULP

• The user or users of that computer will be displayed; then it is a simple matter of calling them and asking where they are


GULP data mining

• Use GULP data to discover compromised passwords

• Use GULP data to satisfy audit requirements

• Use GULP data to expose MAC spoofers


Compromised Password Discovery

• Create a daily process that looks at the last few days of GULP data (we use 72 hours)

• Look at the location information of the logins (we use ASN data)

• If a user logs in from “x” locations or more (we use 6 ASNs) in the time period, there is a strong possibility that the password has been compromised

• We also look for logins from more than 2 countries

• Using Lenel data allows pinning physical location to campus


User login by country


GULP of user's account (callouts: China & Taiwan logins; swipe at CU)


Notes on GULP of user

• Use Start/End to limit size of report

• Colors make it easy to see jumps in CIDR ranges


Look up the first suspicious IP address: click on it in the Hostname column. 218.27.82.114 is in China.


Check of the second IP, 103.98.74.117, shows it is from Taiwan.


Now look at the timestamps

• New York swipe at 10:32

• Taiwan login at 07:30

• China login at 05:21

• That is China to NY in about 5 hours

• Either this person has their own Transporter, or more than 1 person is using the account :-)
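The Compromised Password Discovery rules and the timestamp analysis above, as one added example (not GULP's own code): a 72-hour window per user, a flag at 6 or more ASNs or more than 2 countries, Lenel swipes pinning a record to campus, and a listing of consecutive records from different countries with the minutes between them. The records mirror the slide's timeline; usernames, service names, ASN numbers and the swipe's country mapping are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
WINDOW = timedelta(hours=72)   # slide: "we use 72 hours"
MAX_ASNS = 6                   # slide: flag at 6 or more ASNs
MAX_COUNTRIES = 2              # slide: flag logins from more than 2 countries
DAY = timedelta(days=1)
@dataclass
class Event:      # one GULP record with ASN/country from IP geolocation
    user: str
    ts: datetime
    source: str   # service name, or "lenel" for a door swipe
    asn: int
    country: str
def swipe(user, ts):
    """Lenel door swipe: pins the user to campus (constructed: ASN 0, country US)."""
    return Event(user, ts, "lenel", 0, "US")
T = lambda h, m: datetime(2018, 7, 14, h, m)   # constructed timestamps
# Constructed records mirroring the slide's timeline; ASN numbers are made up.
EVENTS = [
    Event("audrey0", T(5, 21), "webmail", 4837, "CN"),
    Event("audrey0", T(7, 30), "imap",    3462, "TW"),
    swipe("audrey0", T(10, 32)),
    Event("jr123",   T(9, 0),  "vpn",  14, "US"),
    Event("jr123",   T(9, 5),  "imap", 14, "US"),
]

def flag_users(events, now):
    """Daily check over the last WINDOW: too many ASNs or too many countries per user."""
    by_user = defaultdict(list)
    for e in events:
        if now - WINDOW <= e.ts <= now:
            by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        asns = {e.asn for e in evs if e.source != "lenel"}   # swipes carry no ASN
        countries = {e.country for e in evs}                 # swipes do pin a country
        reasons = []
        if len(asns) >= MAX_ASNS: reasons.append(f"{len(asns)} ASNs")
        if len(countries) > MAX_COUNTRIES: reasons.append(f"{len(countries)} countries")
        if reasons:
            flagged[user] = reasons
    return flagged

def country_hops(events, user):
    """Consecutive records from different countries with the minutes between them."""
    evs = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    return [(a.country, b.country, int((b.ts - a.ts).total_seconds() // 60))
            for a, b in zip(evs, evs[1:]) if a.country != b.country]
```

For the slide's account the country rule fires (China, Taiwan, campus) even though only two ASNs are seen, and the hop listing gives the roughly five hours from the China login to the New York swipe.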


Summary

• GULP is a powerful and useful tool for bringing together disparate pieces of information.

• GULP can be used in a “free love” or a managed environment.

• Once you have GULP, it will quickly become the “go to” tool for any question that involves WHO or WHERE.


To get your “Build your own GULP” kit, send email to me.

Make sure to include “GULP Kit” in the subject line.


Questions?


Joel Rosenblatt, Joel at columbia.edu

212 854 3033