
Brianne Fahey


Applied Security

When a List Won’t Do

April 14, 2018 by Brianne

A Microsoft Technet article by John Lambert from 2 years ago includes this quote, and I’ve seen it used many times since then:

“Defenders think in lists. Attackers think in graphs.”

To me, this statement means that there are multiple possible paths available to get to an end if you can pivot and reorient while working through an environment. The environment may have been designed in a systematic hierarchy to maximize organization efficiency, but that doesn’t mean a wily actor can’t create their own circuitous route.

I mentioned in a previous post that I’ve been learning to dabble in Graph Databases. In fact, I am working to build a graph representation of the connections and pivots available in the logs and data typically available to an analyst in an investigation (inspired by one of my favorite parts of the Investigation Theory course).

Unlike a relational database, a graph database uses nodes, edges, and properties to build and describe relationships. Wikipedia describes the graph theory behind a graph database better than I can, but I put together the visualization below before my free trial of MindJet MindManager expired. If you can determine your nodes, labels, properties, and relationships, you can connect and visualize the net of assets and relationships in your scope. Let’s use the sample graph visualization of two colleagues named Bob and Cathy.

  • Nodes contain properties and are tagged with labels.
    • The person is a node, the property is their name and the labels are their position and their prestige.
  • Relationships connect nodes, have direction, and contain properties.
    • The relationships describe how the nodes (persons) are working and hiring.

I’ve been learning Neo4j to build a graph database.  Download this free Graph Databases ebook from O’Reilly to get started.  I’ve also watched some videos in an Intro to Neo4j course hosted by Lynda (which normally has a cost but can be accessed with my library card for free via the elearning offerings on my local library’s website). I’d also like to buy Learning Neo4j Graphs and Cypher book and video from Packt Publisher in the future.

In the starter use case I’m building out in my own Neo4j instance, the nodes are both data sources and data elements, and the relationships describe where the data elements are contained. The idea behind this is that if an analyst had one piece of data and wanted to get to another piece of data, they could explore the graph to see which nodes they have available to traverse in order to pivot the data from what you have to what you want.

For instance, if you have the IDS Alert available providing you a signature and protocol, but you need to know the details of the certificate used in the transaction, you can pivot from the IDS alert through the PCAP and SSL Transaction to get to your destination.

I am still experimenting, and I know my test data is imperfect. Ideally, you could research the sources and elements available within your enterprise to create your Cypher code and output a visual database that allows you to look or query for a solution path. Somehow it feels much more impressive when you look at the connections for the data elements of a dozen or so different data sources at once.
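The same pivot map in code, as an added example that is not the author's Neo4j data or Cypher: the sources and the elements they contain are constructed sample data, a breadth-first search over the containment edges returns the fewest-hop pivot path (or None when no shared element connects two nodes), and the CYPHER string is the equivalent shortestPath query against an assumed :Source / :Element / :CONTAINS schema.

```python
from collections import deque

# Constructed sample data map: each data source and the data elements it
# contains. Sources and elements are the two node kinds; "contains" is the
# only relationship and is traversed in both directions when pivoting.
SOURCES = {
    "IDS Alert":       ["Signature", "Protocol", "Source IP", "Dest IP", "Timestamp"],
    "PCAP":            ["Source IP", "Dest IP", "Protocol", "TCP Stream", "Timestamp"],
    "SSL Transaction": ["TCP Stream", "JA3 Hash", "Certificate Subject",
                        "Certificate Issuer", "Certificate Serial"],
    "DNS Log":         ["Source IP", "Query Name", "Timestamp"],
    "HR Roster":       ["Employee Name", "Badge ID"],   # shares nothing: a gap in the map
}

def build_graph(sources):
    """Bipartite adjacency list: source <-> element for every CONTAINS edge."""
    adj = {}
    for source, elements in sources.items():
        for element in elements:
            adj.setdefault(source, []).append(element)
            adj.setdefault(element, []).append(source)
    return adj

def pivot_path(start, goal, sources=SOURCES):
    """Fewest-hop path from start to goal, alternating source and element
    nodes, or None when no chain of shared elements connects them."""
    adj = build_graph(sources)
    if start not in adj or goal not in adj:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:          # walk parents back to the start
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

# Equivalent Cypher for a Neo4j version of the same map (assumed schema:
# sources labelled :Source, elements :Element, relationship :CONTAINS).
CYPHER = """
MATCH p = shortestPath((s:Source {name: 'IDS Alert'})
                       -[:CONTAINS*..10]-(e:Element {name: 'Certificate Subject'}))
RETURN [n IN nodes(p) | n.name] AS pivots
"""

if __name__ == "__main__":
    print(" -> ".join(pivot_path("IDS Alert", "Certificate Subject")))
    print(pivot_path("IDS Alert", "Badge ID"))   # None: no pivot available
```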

This is a solid idea for a learning opportunity and a rough first implementation try. I’ll think on it some more and work to eventually hone something useful and repeatable that doesn’t take much effort to keep up to date. If you have any input, feel free to use the contact form on my website and reach out.

Filed Under: Applied Security, Data and Analysis, Knowledge Tagged With: analysis, applied network defense, cypher, graph database, lynda, microsoft, mindjet, neo4j, oreilly, packets, packt, pivot, project, visualize

Reputation by Site

March 10, 2018 by Brianne

Websites can get a reputation from the material they contain, the company they feature or attract, as well as from the internet reputation machines that scan and crawl them. My hypothesis is that if I can do some legwork to positively impact the machines and databases of the internet, it will help buy goodwill and trust that helps bridge into a more positive personal reputation.

What do the internet respectability engines think about BrianneFahey.com?

I like to come to a conclusion from an aggregate of data, so let’s check a few different options and put together a story of my website’s reputation. Two of the common sources of website safety information are included in the anti-virus and computer protection packages from McAfee and Symantec/Norton.  Having one of these programs installed allows you to see some immediate feedback when you search for a website before you go to that site. It’s like looking through the peephole before deciding whether to open the door.

I would definitely be more comfortable visiting a site with a green check mark than a grey question mark or that evil red x. I installed the browser extension for both McAfee WebAdvisor and Norton Safe Search and navigated to BrianneFahey.com.  Both plugins are greyed out, and when I mouse over them, they indeed say they are registering no reputation feedback. I’m relieved to not have to overcome any negative reputation marks, but to get to green we need to fill in this blank slate with facts.

The good news is that my reputation is mine to influence at this point.

Web crawlers can use the information posted on the site including text and images and other files to rank you, but they are not sentient so they may not be able to determine the intent of your site.  It’s up to you to convince them that you have good intent and wish no harm on the people of the internet and you deserve a green check mark. My plan to establish a good reputation involves visiting the machines that are generating, collecting, and providing this information to make sure they are understanding my intent.

Review and Correct the Reputation and Categorization

Internet filters and proxies can rely on website categorization to determine which blocks of URLs to allow and which to deny. You can review what the engines have categorized your site as and suggest a more appropriate category. If you start a small business and create a quick website, you need to be aware of whether entire enterprises are being blocked from viewing your website inside their corporate network because it is misclassified as Gambling or Adult/Mature Content or worse. There is some risk in being unclassified as well, because some filters might be set to block unclassified or very new sites by default to protect themselves from domain generation algorithms (DGAs) that spin up domains that disappear within weeks to facilitate phishing attacks. You’re going to want to review the available categories and their definitions to make the most appropriate choice, as any petition to recategorize a site will be reviewed before it is accepted.

  • Symantec Norton SafeWeb
    • I registered as the owner of my site and Norton sent me an email with a method to validate.
  • Symantec BlueCoat Web Pulse
    • BrianneFahey.com was initially categorized as “Search Engines/Portals”.  I submitted a request to have it classified as “Personal Sites” and “Computer/Information Security”.
  • WebSense ForcePoint
    • BrianneFahey.com was initially uncategorized. I submitted a request to have it classified as “Societies and Lifestyles: Blogs and Personal Sites”.
  • Trend Micro Site Safety Center
    • BrianneFahey.com was initially categorized as “Untested” and “Newly Observed Domain”. I requested the site be retested and submitted that it be classified as “Personal Sites” and “Computers/Internet”.

Check the Pulse

Websites change and reputations evolve. It’s a good idea to regularly check in on your site’s ratings and feedback. A simple way to have the web checked for you is to set up Google Alerts for your domain and name.

Beyond the sites and tools mentioned above, here are a few other open sources of intelligence (OSINT) tracking website reputation and safety.

  • URL Void
  • Virus Total
  • Google Safe Browsing
  • RiskIQ Passive Total

Good luck protecting your web domain’s reputation!

I like to go through an exercise of putting thoughts into a visual model that makes sense while I’m working through something. Time does not always allow (and alert queues are not always forgiving), but it leaves me with clarity and the easier ability to repeat a procedure if needed. I’m utilizing a 30-day free trial of Mindjet MindManager 2018. It is fantastic, but pricey for individual home use, so I’ll evaluate my needs and priorities, and I will miss it when it’s gone. I made use of MindManager by assembling a visual procedure to summarize the steps described in this post.


Filed Under: Applied Security, Featured Tagged With: diagram, domains, forcepoint websense, google, hypothesis, learn, mcafee, online safety, osint, procedure, riskiq passive total, symantec norton, trend micro, urlvoid, virustotal, visualize

Find a Flow

February 16, 2018 by Brianne

If you can see it, you can get to it.

When I think through the parts of an event analysis, I look to put things in order and in perspective on my way from a hypothesis to a conclusion. Putting together a thought outline that works for me was a good excuse to test out LucidChart.

In my example, I start by enumerating the actor’s profile and the activity that generated a signal.  If I can source, trace, and verify the details pulled out of the logs to connect activities to an IP or a piece of hardware or an application or a procedure or an owner, I can work to build out the story and resolve my questions. When the case requires input from an investigation partner like human resources, you’ll have a solid frame of notes and findings to rely on for that discussion.

One of the reasons I chose this scenario as an example is because I believe a successful analysis is a complete analysis. Thorough, of course, to your personal quality level, but not necessarily ending in the proving out of malicious activity. Vetting that activity can be anomalous and still acceptable is a decent outcome.

You don’t have to catch a bad guy to do a good job.

Build a structure that works for you.  Once you establish your flow and create a template, you’ll start to save some time without sacrificing quality. Find your flow and go catch yourself some answers.

Filed Under: Applied Security, Featured Tagged With: analysis, diagram, lucidchart, procedure, visualize

EXIF Interview

January 28, 2018 by Brianne

I realized what I did immediately.

Upon publishing my previous blog entry and viewing the refreshed page in my browser, one of my plug-ins alerted me to a personal operational security (OPSEC) lapse. I took that picture of my visual training map on my phone and did not bother to check the image for any personal or descriptive information before posting it.

Blog Image with Browser EXIF Viewer

What is my EXIF Telling the World?

I have an EXIF viewer plug-in installed in my browser which shows me available EXIF data for any image I mouse over. EXIF stands for exchangeable image file format (per the Wikipedia article) and is a standard for the metadata that digital cameras embed in image files. EXIF data attached to a digital photo can include quite a lot of information about the camera settings, date and time, and image attributes.

To find out more about the EXIF in my image, I needed to dig into some Open Source Intelligence (OSINT).  I utilized the fantastic OSINT Framework site.

OSINTFramework.com for Research

The OSINT Framework led me to Jeffrey’s Image Metadata Viewer. I entered the URL for the image on my site and took a look at the results.  The results are detailed, and not particularly overwhelming except for the details about the camera itself.

Jeffrey Image Viewer Results

Hiding in Plain Sight

The EXIF data clearly shows that my camera is a Samsung, which you can extrapolate is likely a mobile phone. In fact, if you look up the model and software on Google, it will tell you exactly which model of phone I am using and which version of firmware is installed. This might not seem like much, but if someone were looking to target me, they could certainly customize their exploit to take advantage of something I have exposed that I use.

So What’s the Learning Opportunity?

You can’t remove all EXIF metadata from images, but you certainly can clean up some of it. Right click on the image file on your computer and go to the properties menu, then look at the details.

  • See the listing of the data embedded in the image file.
  • Select the link to “Remove Properties and Personal Information”.

Right Click Image to Clean Up EXIF Data

I cleaned up the camera model and software from my file and replaced the initial image in my blog post.
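The same check and cleanup done programmatically, as an added example that is not the author's code, the browser plug-in, or the Windows properties dialog: a minimal reader of the ASCII tags in IFD0 of a JPEG's Exif APP1 segment (Make, Model, Software are the tags that identified the phone above), a stripper that drops that segment while leaving every other segment and the image data in place, and a constructed sample JPEG with placeholder model and firmware strings so it runs offline.

```python
import struct

MAKE, MODEL, SOFTWARE = 0x010F, 0x0110, 0x0131   # IFD0 ASCII tags that identify the camera

def segments(jpeg):
    """Yield (marker, start, end) of each segment between SOI and the scan data (SOS)."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, end
        pos = end

def read_exif(jpeg):
    """Return {tag: text} for the ASCII entries of IFD0 in the Exif APP1 segment(s)."""
    tags = {}
    for marker, start, end in segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"    # "II" little-endian, "MM" big-endian
        ifd = struct.unpack(bo + "I", tiff[4:8])[0]
        for i in range(struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]):
            entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, n, off = struct.unpack(bo + "HHII", entry)
            if typ == 2:                           # ASCII: inline if it fits in 4 bytes, else at offset
                raw = entry[8:12] if n <= 4 else tiff[off:off + n]
                tags[tag] = raw[:n].split(b"\0")[0].decode("ascii", "replace")
    return tags

def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; other segments and image data kept."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def build_sample(tags):
    """Constructed minimal JPEG (SOI, one little-endian Exif APP1, EOI) for testing; not a real photo."""
    entries, blob, data_start = b"", b"", 8 + 2 + 12 * len(tags) + 4   # header+count+entries+next-IFD
    for tag, text in tags.items():
        raw = text.encode("ascii") + b"\0"
        val = raw.ljust(4, b"\0") if len(raw) <= 4 else struct.pack("<I", data_start + len(blob))
        blob += raw if len(raw) > 4 else b""
        entries += struct.pack("<HHI", tag, 2, len(raw)) + val
    app1 = b"Exif\0\0II*\0" + struct.pack("<IH", 8, len(tags)) + entries + bytes(4) + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample({MAKE: "samsung", MODEL: "MODEL-PLACEHOLDER", SOFTWARE: "FIRMWARE-PLACEHOLDER"})
```

Run read_exif(SAMPLE) to see the three identifying strings, then read_exif(strip_exif(SAMPLE)) to confirm they are gone; real JPEGs can also carry XMP (APP1 without the Exif header) and IPTC (APP13) metadata, which this stripper deliberately leaves alone.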

People Are Very Creative

One of the reasons I am aware of EXIF data is because of an online project called Stolen Camera Finder. This site uses uploaded images to create a database of EXIF attributes and then crawls the web to match images taken to the EXIF data.  Let’s say you leave your camera on vacation in Key West, someone picks it up, uses it to take some photos of their friends, and posts them with a location tag to Instagram. When you upload the image EXIF from a photo on your computer taken with your camera, Stolen Camera Finder crawls Instagram and attempts to match the EXIF data.  In some cases, the match can yield location data as well.


Stolen Camera Finder Map

Everyone knows that once information is available online, it can and will be used.  I believe there is good in the world and that data can be used to do positive things – like helping people reunite with a lost camera.  It doesn’t take much for someone to use the same information for nefarious purposes though.

Think Before You Click

The oldest advice is the best advice.  This was an excellent reminder for me to be careful with my personal operational security.  For some reminders on ways to protect your online presence, visit the National Cyber Security Alliance’s Stay Safe Online website.

Filed Under: Applied Security, Featured, Technology Tagged With: exif, google, images, learn, location, metadata, online safety, opsec, osint, osint framework

Research

Whitepaper in the SANS Reading Room:
Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths

© 2025 · P. Brianne Fahey, Cyber Threat Analyst