CIPHER: Counterintelligence Penetration Hazard Evaluation and Recognition
Thomas E. Potok, Ph.D.
Applied Software Engineering Research Group Leader
Computational Sciences and Engineering Division
Oak Ridge National Laboratory
Research Team
Mark Elmore, Joel Reed, Jim Treadwell
Oak Ridge National Laboratory
Established in 1943 for the World War II Manhattan Project.
ORNL today pioneers the development of new energy sources, technologies, and materials, and the advancement of knowledge in the Biological, Chemical, Computational, Engineering, Environmental, Physical, and Social Sciences.
Budget: $870 million, 80% Department of Energy, 20% work for others.
3800 employees, 1500 scientists and engineers.
Background
SNORT network intrusion detection software is placed outside of the ORNL firewall
Packets entering or leaving ORNL that contain information that trips a SNORT rule result in a log entry being created
Roughly 1 million log entries are created per day
Four Actual SNORT Records
[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.815218 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485 ID:8831 Seq:9639 ECHO

[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:02.822267 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x4F8
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:41256 Len: 1238

[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.832993 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
212.62.17.145 -> 128.219.153.31 ICMP TTL:50 TOS:0x0 ID:2867 ID:18484 Seq:12610 ECHO

[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.865830 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
211.13.227.66 -> 128.219.153.31 ICMP TTL:54 TOS:0x0 ID:50798 ID:7904 Seq:22732 ECHO
…
Step 1: Create Software to Process the Raw Data
From: Raw Log Entry
[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:03.171193 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x527
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713 Len: 1285

To: Parsed Log Entry
Filter: misc-000264 IDS247 - MISC - Large UDP Packet
Date: 07/20
TOD: 00:05:03.171193
Source IP: 63.76.192.107
Source Port: 23882
Target IP: 160.91.64.211
Target Port: 6970
Length: 1285
Step 2: Create Software to Organize the Information by Source IP
Source IP: 192.112.36.5 attacked the following ORNL IPs:
07/20 00:01 160.91.77.79 66 misc-000224 IDS118 - MISC-Traceroute ICMP
07/20 00:01 160.91.77.79 66 misc-000224 IDS118 - MISC-Traceroute ICMP
07/20 00:36 160.91.192.107 66 misc-000224 IDS118 - MISC-Traceroute ICMP
07/20 00:36 160.91.192.107 66 misc-000224 IDS118 - MISC-Traceroute ICMP
Step 3: Create software to relate Lab Assets to IP addresses
Parsed Log Entry
Filter: misc-000264 IDS247 - MISC - Large UDP Packet
Date: 07/20
TOD: 00:05:03.171193
Source IP: 63.76.192.107
User: John Doe
Research Area: Nuclear Physics
Source Port: 23882
Target IP: 160.91.64.211
Target Name: smith.aol.com
Target Port: 6970
Length: 1285

NetReg Database: 63.76.192.107 -> John Doe, BN 123456
CME Database: Johnathon Doe, BN 123456 -> Nuclear Physics
DNS Database: 63.76.192.107 -> John Doe, BN 123456
Finding lab assets is not easy
Based on our Collaborative Management Environment (CME) Project: one common picture of Laboratory Research Funding for DOE. Funded at $2.4M over 4 years.
Dr. Ernest Moniz, Under Secretary of Energy, approves the CME-based Portfolio Management Environment (PME), producing approximately $39 million in annual productivity gains for DOE.
CME System
Step 4: Create Software to Find Attacks Against Lab Assets
Philosophy: Look at activity against valuable lab assets, not at packet statistics.
Find SNORT log entries against funded researchers.
Significantly reduces data from 1M records to approximately 15,000.
788 unique source addresses.
Step 5: Create changes to the original VIPAR tool
Adapt for usage with SNORT records.
Allow records to be searchable, including by IP address.
Create folders based on SNORT filters: can instantly find all the PINGs or traceroutes.
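Steps 1 through 5 above form one pipeline: parse the raw SNORT alert, group by source IP, relate the lab-side address to an asset, keep only alerts against funded researchers, and file alerts by SNORT filter. The Python below is an added example of that pipeline written for this page; it is not ORNL's CIPHER or VIPAR code. The three-line alert format and the addresses come from the slides; the NetReg, CME and DNS lookup tables, the user name, badge number and hostnames are constructed stand-ins, and the function names are my own.

```python
"""Toy CIPHER-style pipeline (added example, not ORNL's CIPHER or VIPAR code):
parse Snort alerts, group by source IP, relate lab addresses to assets,
keep only alerts against funded researchers, and file alerts by Snort filter.
The asset tables and hostnames below are constructed, not real ORNL data."""
import re
from collections import defaultdict

# Constructed input in the three-line Snort alert format shown on the slides.
SAMPLE_ALERTS = """\
[**] ftp-000172 IDS152 - PING BSD [**]
07/20-00:05:02.815218 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x62
213.61.6.2 -> 128.219.153.31 ICMP TTL:46 TOS:0x0 ID:19485 ID:8831 Seq:9639 ECHO

[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:02.822267 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x4F8
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:41256 Len: 1238

[**] misc-000264 IDS247 - MISC - Large UDP Packet [**]
07/20-00:05:03.171193 0:90:69:9D:B0:3E -> 0:3:6C:42:53:FC type:0x800 len:0x527
63.76.192.107:23882 -> 160.91.64.211:6970 UDP TTL:119 TOS:0x0 ID:60713 Len: 1285
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<filter>.+?) \[\*\*\]$")
TIME_RE = re.compile(r"^(?P<date>\d\d/\d\d)-(?P<tod>[\d:.]+) \S+ -> \S+ "
                     r"type:0x[0-9A-Fa-f]+ len:0x[0-9A-Fa-f]+$")
PACKET_RE = re.compile(
    r"^(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)(?P<rest>.*)$")
LEN_RE = re.compile(r"Len: (\d+)")

# Constructed stand-ins for the NetReg, CME and DNS lookups of step 3 (hypothetical data).
NETREG = {"160.91.64.211": ("A. Researcher", "BN 000001")}  # lab IP -> (user, badge)
CME_FUNDED = {"BN 000001": "Nuclear Physics"}                 # badge -> funded research area
DNS = {"160.91.64.211": "host1.lab.example", "128.219.153.31": "host2.lab.example"}


def parse_alerts(text):
    """Step 1: turn raw three-line Snort alerts into dicts; malformed blocks are skipped."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) != 3:
            continue
        h, t, p = HEADER_RE.match(lines[0]), TIME_RE.match(lines[1]), PACKET_RE.match(lines[2])
        if not (h and t and p):
            continue
        length = LEN_RE.search(p["rest"])  # only UDP/TCP alerts carry a payload length
        records.append({
            "filter": h["filter"], "date": t["date"], "tod": t["tod"],
            "src": p["src"], "sport": int(p["sport"]) if p["sport"] else None,
            "dst": p["dst"], "dport": int(p["dport"]) if p["dport"] else None,
            "proto": p["proto"], "length": int(length.group(1)) if length else None,
        })
    return records


def group_by_source(records):
    """Step 2: source IP -> list of (date, time, lab IP, filter), oldest first."""
    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: (r["date"], r["tod"])):
        groups[r["src"]].append((r["date"], r["tod"], r["dst"], r["filter"]))
    return dict(groups)


def enrich(record):
    """Step 3: attach user, research area and hostname for the lab-side (target) address."""
    user, badge = NETREG.get(record["dst"], (None, None))
    return {**record, "user": user, "badge": badge,
            "research_area": CME_FUNDED.get(badge), "target_name": DNS.get(record["dst"])}


def attacks_against_funded(records):
    """Step 4: keep only alerts whose lab-side target belongs to a funded researcher."""
    return [e for e in map(enrich, records) if e["research_area"] is not None]


def unique_sources(records):
    """Distinct source addresses, as counted on the step 4 slide."""
    return {r["src"] for r in records}


def folders_by_filter(records):
    """Step 5: the VIPAR-style folder view, one folder per Snort filter name."""
    folders = defaultdict(list)
    for r in records:
        folders[r["filter"]].append(r)
    return dict(folders)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    funded = attacks_against_funded(recs)
    print(f"{len(recs)} alerts, {len(funded)} against funded researchers, "
          f"{len(unique_sources(funded))} unique source IP(s)")
    for name, items in folders_by_filter(funded).items():
        print(f"{name}: {len(items)} entries")
```

The reduction step is deliberately a join rather than a statistic: an alert survives only if its lab-side address resolves through the asset tables to a funded badge, which is what lets a day of raw alerts shrink to the few that matter to the counterintelligence question.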
Results: All Attacks
SNORT log entries from 788 source IPs
Failed login errors highlighted
Suspicious Patterns
Search over curious PI name: 45 entries from the Czech Republic, Austria, Hungary, Latvia, France, Chile, and Canada.
Both PIs work in the same nanoscience area.
Potential Attack
Hidden
Hidden
CIPHER Value
This analysis cannot be done without CIPHER!
Ability to quickly summarize data
Organized around SNORT filters
Can quickly find suspicious patterns
Search over records
Find similar patterns
Potential Next Steps
Create interface for tools to work with broader collections of data
Connect CIPHER directly to reduced data
Expand to work on multiple days
Add IP watch list capability
Add data from other sources: trip reports, sensitive technologies, sensitive countries