VISUALIZATION OF NETWORK SECURITY CONFIGURATION

Scott Lee - Central Alabama Electric Cooperative

Jacek Szamrej – SEDCGreg Gray - SEDC

Agenda

• Data visualization concepts

• Using graphs for configuration visualization

• Use cases:• Enterprise Application• Active Directory• BloodHound

Examples of Text and Tabular Data

https://www.active-directory-security.com/2016/08/how-to-easily-dump-export-active-directory-security-permissions-acls.html

Energy Usage Visualization

Data Visualization Examples

Visualization Using Graphs

Benefits of Security Configuration Visualization• See the “big picture” of

• Physical or logical structure of network• System and application permissions

• Discover Misconfigurations

• Analyze Attack Paths – Blue<>Red Team

• On-boarding and off-boarding employees

Graph Databases Node1

Node2

Node3

Edge

Edge

Graph Databases

Group

Member of

Permissions to object

(Edge)

(Edge)

User(Node)

Folder(Node)

Group(Node)

Graph Databases

TCP

TCP

10.10.15.21

10.10.15.23

10.10.15.25

UDP

Why graph databases?

• Graph databases are much faster than relational databases for connected data

• Schema is not needed

• SQL lacks the syntax to easily perform graph traversal

• SQL performance degrades quickly as we traverse the graph

Visualization Use Cases

•Enterprise application

•Active Directory

•Configuration inventory

Enterprise Application Visualization

Made of several thousands of report lines

Enterprise Application Visualization

Enterprise Application Visualization

Demo

Custom visualization of permissions structure in enterprise application

-RBAC

-Discover similarities and anomalies in groups

-How can this help Central Alabama EC?

Microsoft Active Directory

• #1 Directory Services implemented by Coops and many other companies as well…

•Integrated with other applications or IAM

•How Central Alabama EC is using AD?

Demo

BloodHound

- Intro

-Pre-define queries for analysis

-Custom queries

-Can Central Alabama EC use BloodHound?

Demo

Graph visualization:

Active Directory + Enterprise Application

Network DependencyGraph

Demo

Network Dependency Graph

Graph DatabasesRanking (first 20)

https://db-engines.com/en/ranking/graph+dbms

Testing BloodHound1. Install Java on designated computer without admin to AD

2. Install Community edition of Neo4jhttps://neo4j.com/download-center/#releases

3. Install BloodHound – (Linux, Windows or OSX)https://github.com/BloodHoundAD/BloodHound/wiki/getting-started

4. Check that neo4j ports (7474, 7687) are limited to localhost

Testing BloodHound5. Run BloodHound

6. Use sample database or generate new one with DBCreatorhttps://github.com/BloodHoundAD/BloodHound-Tools (Python)

7. Import your AD data into Neo4j/BloodHoundhttps://github.com/BloodHoundAD/Bloodhound/wiki/Data-Collection-Intro

Use SharpHound (.ps1 or .exe) to collect AD data.SharpHound enumerates AD and collect information about current sessions.

Testing BloodHound8. Play with default queries in BloodHound

9. Learn about Cypher and create your own queriesMany sources: https://blog.cptjesus.com/posts/introtocypher

10. Import other data into Neo4j

11. Shutdown Neo4j if not using, may encrypt folder with collected data

Q&A

jaceks@sedata.com