Threat Map

the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Let me start by saying that I understand, to us (IT people), maps are a joke. The Norse Map is notorious for freaking people out, but showing things that might or might not be attacks. Typically I avoid such things since it tends to cause me headaches, but their effectiveness cannot be understated.

The Director of my agency loves to get upset when a pindrop map (Google Map with pins that drop when people connect), made by an outside vendor, stops working. Typically it is just a matter of refreshing the page, but it always grinds my gears when I get a call about it. Each time I'd explain that it doesn't mean activity has stopped and in the grand scheme of everything we display it is the least important. Yet, I'd still get calls about it.

One day I was speaking with the Director of my agency and what he said summed up perfectly why it is "important". He said, "Listen I know that map isn't important and that when it stops working it doesn't mean activity is 0. But, unfortunately for you, it is the thing that people talk about constantly during and after tours. When I travel, people come up to me and specifically talk about seeing the map when they are in town. To them it displays that we have some semblance of an idea of what we are doing." I don't think anyone could put it better. After that he told me I had an unlimited budget for which to use to put up more screens and have things to display.

Of course I thought, "I'm collecting all of this data on networks, some of which is clearly attacks, so I should show it". Writing it from scratch isn't an option, so I figured there has to be an open source project that I could modify for my use. I stumbled across PewPew (https://github.com/hrbrmstr/pewpew) and thought I finally had what I'm looking for! But, alas, it was for naught. It is set up as a "joke" to poke fun at the stupidity of these maps, but it's decently done. As I looked at the code I noted that it utilizes randomly generated IP addresses. Since I have IPs I want to work with, I decided to modify it, and it was proving difficult. My coworker noted that under the "Issues" tab someone had suggested allowing the use of real data and another had written something.

https://github.com/joshftx/maps - this one was modified to allow you to send an IP to it and it would perform the lookup then plot it. I thought perfect and went about deploying it (fairly simple). It requires you to register with a company and obtain an API key (free) to perform the lookups. I did this, but lo and behold they never sent me the key (been 36 hours now with no reply). So I thought, well, I could write my own software to do the lookup and feed the JSON to the map. As I began to write the code (in Python) I thought maybe I should look to see if there is a company providing the lookup (why reinvent the wheel).

So I look and I come across FreeGeoIP.net, which allows for up to 10000 queries per hour and returns the results in JSON format. Also, they provide the source code so you can deploy your own server to do the lookups and not deal with the 10000 query limit. So I modified the code in two spots and bam, I have a working map. Last piece is to write a program to pull the data out of Elasticsearch in real time so I can plot it.

I was showing some coworkers the work I had done and our HR person walks in. He asked what it was and I said they represent all of the places that are actively attacking some of the systems. Fear instantly set in and he stayed for 30 minutes to talk about what was happening. Effective ;)
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
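The pipeline the post sketches (pull recent events out of Elasticsearch, geolocate the source addresses through a freegeoip-style JSON endpoint, hand the map a list of points) as an added Python example. This is not the poster's code and not part of PewPew or the joshftx fork. The Elasticsearch field name `src_ip`, the index pattern, the lookup and Elasticsearch URLs, the sample hits and the geo table are all assumptions or constructed data; the script runs offline against those samples, and the two network functions are only called when you point them at real servers. It adds two things the post does not mention: it skips RFC 1918 and other non-routable addresses (plotting your own LAN is pointless and burns quota), and it caches lookups so the 10000-per-hour budget is spent only on addresses not yet seen.

```python
"""Added example (not from the thread, PewPew or the joshftx fork): glue from
Elasticsearch hits to the geolocated points a pew-pew style map can plot.
Field name, URLs and sample data are assumptions."""
import ipaddress
import json
import urllib.request

# Constructed sample: shape of an Elasticsearch _search response whose documents
# carry the remote address in a field named src_ip (assumed field name).
SAMPLE_HITS = {"hits": {"hits": [
    {"_source": {"@timestamp": "2016-03-01T12:00:00Z", "src_ip": "203.0.113.5"}},
    {"_source": {"@timestamp": "2016-03-01T12:00:01Z", "src_ip": "10.0.0.7"}},
    {"_source": {"@timestamp": "2016-03-01T12:00:02Z", "src_ip": "198.51.100.9"}},
    {"_source": {"@timestamp": "2016-03-01T12:00:03Z", "src_ip": "203.0.113.5"}},
    {"_source": {"@timestamp": "2016-03-01T12:00:04Z", "src_ip": "not-an-ip"}},
]}}

# Constructed stand-in for the JSON a freegeoip-style server returns per address.
FAKE_GEO = {
    "203.0.113.5": {"country_code": "XX", "latitude": 1.5, "longitude": 2.5},
    "198.51.100.9": {"country_code": "YY", "latitude": -3.0, "longitude": 4.0},
}

# Ranges never worth a geolocation query: RFC 1918, loopback, link-local,
# multicast, "this" network and the IPv6 counterparts. Listed explicitly rather
# than using addr.is_global because Python also classes the 203.0.113.0/24 and
# 198.51.100.0/24 documentation ranges (used above as sample data) as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def extract_routable_ips(es_response, field="src_ip"):
    """Yield source addresses from ES hits in order, dropping unparsable values
    and anything in NON_ROUTABLE."""
    for hit in es_response["hits"]["hits"]:
        raw = hit["_source"].get(field)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            yield str(addr)


class GeoCache:
    """Memoize lookups so the hourly budget (10000 on the hosted FreeGeoIP
    service, per the thread) is spent only on addresses not yet seen.
    Resetting `used` each hour is left to the polling loop."""

    def __init__(self, lookup, budget_per_hour=10000):
        self.lookup = lookup          # callable: ip -> dict or None
        self.budget = budget_per_hour
        self.used = 0
        self.cache = {}

    def get(self, ip):
        if ip in self.cache:
            return self.cache[ip]
        if self.used >= self.budget:
            return None               # over budget: leave the dot off the map
        self.used += 1
        try:
            result = self.lookup(ip)
        except Exception:
            result = None             # cached too, so a bad address is not retried every poll
        self.cache[ip] = result
        return result


def http_geo_lookup(ip, base_url="http://127.0.0.1:8080/json/"):
    """Query a self-hosted freegeoip-style server (assumed URL): GET base_url + ip -> JSON."""
    with urllib.request.urlopen(base_url + ip, timeout=5) as resp:
        return json.load(resp)


def fetch_recent_hits(es_url="http://127.0.0.1:9200", index="logstash-*",
                      window="now-1m", size=500):
    """Pull events newer than `window` from Elasticsearch (assumed URL and index)
    with a range query on @timestamp."""
    body = json.dumps({"size": size, "sort": [{"@timestamp": "asc"}],
                       "query": {"range": {"@timestamp": {"gte": window}}}}).encode()
    req = urllib.request.Request(es_url + "/" + index + "/_search", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_map_points(es_response, geo):
    """One point per event (repeat addresses plot again) with the lookup flattened."""
    points = []
    for ip in extract_routable_ips(es_response):
        info = geo.get(ip)
        if not info:
            continue
        points.append({"ip": ip, "lat": info["latitude"], "lon": info["longitude"],
                       "cc": info["country_code"]})
    return points


if __name__ == "__main__":
    # Offline run against the constructed samples; for the live pipeline use
    # GeoCache(http_geo_lookup) and fetch_recent_hits() in a polling loop.
    cache = GeoCache(lambda ip: FAKE_GEO[ip])
    print(json.dumps(build_map_points(SAMPLE_HITS, cache), indent=1))
```

The output is a plain list of `{ip, lat, lon, cc}` objects; whatever field names the map's JavaScript expects, that is the one place to rename them. A failed lookup is cached as `None` on purpose, so a single unresolvable address cannot eat the quota one poll at a time.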

Comments

  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Sounds like a cool little program.
  • Kalabaster Member Posts: 86 ■■□□□□□□□□
    The only threat map that's worth a real InfoSec professional's time is this one here.
  • PJ_Sneakers Member Posts: 884 ■■■■■■□□□□
    Wow, that site is awesome.

    I'd never heard of Clown Strike before, but I'm impressed that it can defend against local, APT, and even Advanced APT Threats. Sounds like good stuff right there.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    If you're already sending log data to Elasticsearch, why not leverage Kibana as a front-end for visualization?
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    We do utilize Kibana for our visualizations. The issue is there is no "pop" to the interface. So while for me it's great to view issues and then dig deeper into what matters, from a management standpoint there is no flair to it. I won't be staring at the Threat Map, but on tours it is something that will wow the crowds, as it were. Kibana's geolocation map is alright, but PewPew is definitely better.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    I understand this is a thing that is done, and it's not unique to your group. I've always thought it sounds sort of terrible, to be honest. At some point the person handling the tours needs to look internally if the biggest value add to visitors is a fake dashboard that operational people don't look at.

    I probably sound grumpy - but there is plenty that can be done with real operational information and custom visualizations in Kibana to make it interesting IMO.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I have to, respectfully, disagree about Kibana visualizations being interesting. Effective, most definitely. Kibana 4 definitely made some strides, but without some heavy customization (i.e. a web developer) you'd be hard pressed to get any wow factor out of it. On typical tours, I'll speak to the technical people (if any come) and go over what we see, how we see it, and how we investigate it. In those cases, the standard Kibana visualizations work and help to draw attention to a needle in a haystack of data.