Cyber security and attack analysis : how Cisco uses graph analytics

1. SAS founded in 2013 in Paris | http://linkurio.us | @linkurious
Cyber security and
attack analysis :
how Cisco use
graph analytics.

2. Introduction.
Software Engineer
Engineer (La Belle
Assiette)
CS at Epitech and
Beijing University
CMO
>5 years in consulting
MSc Political sciences
and Competitive
Intelligence
Jean
Villedieu
Sébastien
Heymann
Romain
Yon
Pierrick
Paul
CEO
Gephi Founder
Phd in Computer
Science and Complex
Systems
CTO
Engineer (Microsoft,
Spotify)
Machine Learning at
Georgia Tech
Linkurious is a French
startup founded in 2013.

3. Father Of
Father Of
Siblings
What is a graph ?
This is a graph.

4. Father Of
Father Of
Siblings
This is a node
This is a
relationship
What is a graph ? / Nodes & relationshipsWhat is a graph : nodes and relationships.
A graph is a set of nodes
linked by relationships.

5. Some of the domains in which
our customers use graphs.
People, objects, movies,
restaurants, music…
Suggest new contacts, help
discover new music
Antennas, servers, phones,
people…
Diminish network outages
Supplier, roads, warehouses,
products…
Diminish transportation cost,
optimize delivery
Supply chains Social networks Communications
Differents domains where graphs are important.

6. Source : http://www.reuters.com/article/2014/06/09/us-cybersecurity-mcafee-csis-idUSKBN0EK0SV20140609
$445 billion
The cost of cyber criminality.
Cyber crime costs the global economy $445 billion per year.

7. Some of the latest victims.
No company is immuned from cyber criminality.

8. A data problem.
IP logs, network logs,
communications logs, web
server logs, etc.

9. The IT systems generate new
data constantly.
The data is coming from
different sources, is
incomplete and evolves. Hard
to use a structured data
model.
For big organizations, storing
years of raw data means a
total volume in high TBs or
low PBs.
The IT security data is
complex.
The challenges of working with complex data.
Large Unstructured Dynamic

10. How to make sense of complex data.
Can IT security teams
answer that
challenge?

11. Graphs are perfect to extract
insights from complex data.
Graphs help make sense of complex data.

12. How to use graph analytics to
fight back against a cyber
attack?
A concrete example.
Inspired by a real use case demonstrated by Cisco.

13. In April 2014, a zero-day
vulnerability in IE is identified.
A zero-day vulnerability.
A newly discovered vulnerability in Internet Explorer allows an unauthenticated,
remote attacker to execute arbitrary code.

14. The vulnerability is known in
the security community. A
group of hackers decide to
use it before a patch fixes the
vulnerability.
The identification information
is captured by the hackers.
They can use it to penetrate
the company IT.
The hackers send mails to a
few people in one company.
They are asked to login into a
seemingly innocuous
website.
The vulnerability
is known
A phishing
attack uses it
A company is immediately
targeted by a phishing attack.
The 3 steps of the attack.
Computers are
compromised

15. A not so innocent mail.
The mail sent by the hackers.

16. The hackers used the domain inform.bedircati.com + profile.sweeneyphotos.com,
web.neonbilisim.com and web.usamultimeters.com.
The domain names used in the attack.
The domains names used in
the attack are identified.

17. Information about one domain.
Information about these
domains are publicly available.

18. Modelling information as a graph.
That data can be modeled as a
graph.

19. The graph model reveals the connections in the data.
This helps streamline the
identification of connections.
Domain A is connected to Domain C through a Name Server or a MX Record, Domain
B and Host B.

20. Can we prevent
more attacks?
How to use the information.

21. The traditional approach.
The 7 sins of looking for
connections with tabular
tools.

22. It helps human interpret the
data and make smart
decisions.
Graph
analytics?
Graph
visualization?
It helps to analyse large
datasets to find interesting
data.
Combining graph analysis and graph visualization.
Combine automatic analysis
and human interpretation.

23. A query to get all the domains
connected to the attackers.
Step 1 : graph analysis.
MATCH (baddomain:Domain_name)-[r*2]-(suspiciousdomains:Domain_name)
WHERE baddomain.reputation = 'Very negative reputation'
RETURN DISTINCT suspiciousdomains
This query is written with Cypher the Neo4j query language. It returns us 25 results.

24. Step 2 : graph visualization.
First, we identify the attackers.
The initial domain names
identified as rogues.
A public registrar.
Good domains.

25. Then we identify the domains
they are connected to.
Step 2 : graph visualization.
In pink are previously
unknown domains
connected to the known
attackers.

26. Cyber security at Cisco.
Cisco uses graphs to prevent
cyber attacks.
Cisco maintain a list of the compromised domains and IP
addresses. Through its data collection program, Cisco has good
information on 25 to 30 million Internet domains.
Graph analytics enable Cisco to use data collected via its
customers to maintain this list up to date. The information is the
used to block known malicious domains and thwart cyber
attacks.
Behind the scenes.
Cisco’s Global Security Intelligence Operations (SIO) group
operates a 60-node, 1,000-core Hadoop cluster. Every day it
receives about 20 TB of new raw log data.
To store and anlyse the data, Cisco uses a few graph
technologies like GraphLab (a machine learning solution
specialized in graph data), Titan (an open-source graph database)
and Faunus (an open-source graph analytics engine).

27. You can do it too!
Try Linkurious.

28. Contact us to discuss your projects
at contact@linkurio.us
Conclusion

29. GraphGIst : http://gist.neo4j.org/?40caddf1d7537bce962e
Blog post on attack analysis :
Sample dataset : https://www.dropbox.com/s/7vburpnl4yik8z1/Attack%
20Analysis.zip
Original CIsco article : http://blogs.cisco.com/security/attack-analysis-with-a-fast-
graph/
Additional resources.