
Brianne Fahey


Technology

Defending with Graphs

July 21, 2019 by Brianne

Visualizations are powerful. When talking about data relationships, graphs are of keen interest. This spring I spent 4 months building out an idea and writing a whitepaper that is now published on the SANS Reading Room.

The paper is called Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths.

How about a two-sentence synopsis?

The tl;dr is that there are several well-developed examples of attackers thinking in graphs (see John Lambert’s article) and room for more ideas for how to defend with graphs. I wanted to demonstrate a use case for security defenders building a graph data map representation of their environment and querying it to improve their ability to respond quickly and directly to an incident.

A look at an image from my results.

I hope you will peruse this work and find it useful. It builds on the work of several researchers, developers, and thought leaders including Chris Sanders’ pivotmap tool, Colin O’Brien’s grapl platform, and Olaf Hartong’s ATTACK datamap tool.

Filed Under: Data and Analysis, Featured, Technology Tagged With: chris sanders, colin obrien, diagram, graph database, olaf hartong, pivot, sans, visualize, writing

EXIF Interview

January 28, 2018 by Brianne

I realized what I did immediately.

Upon publishing my previous blog entry and viewing the refreshed page in my browser, one of my plug-ins alerted me to a personal operational security (OPSEC) lapse. I took that picture of my visual training map on my phone and did not bother to check the image for any personal or descriptive information before posting it.

Blog Image with Browser EXIF Viewer

What is my EXIF Telling the World?

I have an EXIF viewer plug-in installed in my browser which shows me available EXIF data for any image I mouse over.  EXIF stands for exchangeable image file format (per the Wikipedia article) and is basically an image standard for digital cameras. EXIF data attached to a digital photo can include quite a lot of information about the camera settings, date and time, and image attributes.

To find out more about the EXIF in my image, I needed to dig into some Open Source Intelligence (OSINT).  I utilized the fantastic OSINT Framework site.

OSINTFramework.com for Research

The OSINT Framework led me to Jeffrey’s Image Metadata Viewer. I entered the URL for the image on my site and took a look at the results.  The results are detailed, and not particularly overwhelming except for the details about the camera itself.

Jeffrey Image Viewer Results

Hiding in Plain Sight

The EXIF data clearly shows that my camera is a Samsung, which you can extrapolate is likely a mobile phone.  In fact, if you look up the model and software on Google, it will tell you exactly which model of phone I am using and which version of firmware is installed. This might not seem like much, but if someone was looking to target me, they could certainly customize their exploit to take advantage of something I have exposed that I use.

So What’s the Learning Opportunity?

You can’t remove all EXIF metadata from images, but you certainly can clean up some of it. Right-click the image file on your computer and go to the properties menu, then look at the details.

  • See the listing of the data embedded in the image file.
  • Select the link to “Remove Properties and Personal Information”.

Right Click Image to Cleanup EXIF Data

I cleaned up the camera model and software from my file and replaced the initial image in my blog post.
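The same pre-publication check can be scripted. The sketch below is an added example, not code from the original post: it reads the Make, Model and Software tags from a JPEG's EXIF block and produces a copy with the Exif segment dropped. The function names and the sample image bytes (placeholder device strings) are constructed for illustration.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}  # device-identifying IFD0 tags

def segments(jpeg):
    """Yield (is_exif, start, end) for each header segment before the scan data."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        exif = jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"
        yield exif, pos, end
        pos = end

def device_tags(jpeg):
    """Return the Make/Model/Software strings stored in the EXIF IFD0."""
    found = {}
    for exif, start, end in segments(jpeg):
        if not exif:
            continue
        tiff = jpeg[start + 10:end]                 # TIFF header follows "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"      # byte-order mark
        ifd = struct.unpack(bo + "I", tiff[4:8])[0]
        for i in range(struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]):
            entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, n = struct.unpack(bo + "HHI", entry[:8])
            if tag in TAGS and typ == 2:            # type 2 = ASCII string
                off = struct.unpack(bo + "I", entry[8:])[0]
                raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
                found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment dropped."""
    out, last = bytearray(jpeg[:2]), 2
    for exif, start, end in segments(jpeg):
        if not exif:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed sample: JPEG headers with placeholder device strings, no pixels."""
    vals = [(0x010F, b"ExampleCam\x00"), (0x0110, b"EX-1000\x00"), (0x0131, b"FW1.2.3\x00")]
    base, ifd, blob = 8 + 2 + 12 * len(vals) + 4, struct.pack("<H", len(vals)), b""
    for tag, val in vals:
        ifd += struct.pack("<HHII", tag, 2, len(val), base + len(blob))
        blob += val
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd + b"\x00" * 4 + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Run `device_tags()` on the bytes of a real photo before uploading it, and again on the output of `strip_exif()` to confirm the device strings are gone. Metadata stored outside the Exif segment, such as XMP, is left untouched by this sketch.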

People Are Very Creative

One of the reasons I am aware of EXIF data is because of an online project called Stolen Camera Finder. This site uses uploaded images to create a database of EXIF attributes and then crawls the web to match images against that EXIF data. Let’s say you leave your camera on vacation in Key West, someone picks it up, uses it to take some photos of their friends, and posts them with a location tag to Instagram. When you upload the image EXIF from a photo on your computer taken with your camera, Stolen Camera Finder crawls Instagram and attempts to match the EXIF data. In some cases, the match can yield location data as well.

Stolen Camera Finder Map

Everyone knows that once information is available online, it can and will be used.  I believe there is good in the world and that data can be used to do positive things – like helping people reunite with a lost camera.  It doesn’t take much for someone to use the same information for nefarious purposes though.

Think Before You Click

The oldest advice is the best advice.  This was an excellent reminder for me to be careful with my personal operational security.  For some reminders on ways to protect your online presence, visit the National Cyber Security Alliance’s Stay Safe Online website.

Filed Under: Applied Security, Featured, Technology Tagged With: exif, google, images, learn, location, metadata, online safety, opsec, osint, osint framework

Weak Connections

January 20, 2018 by Brianne

Maybe the source of the problem is not where there is the most noise…

I’ve got an idea percolating but I’m not sure how to model it yet. Apologies up front for not being super-specific; if I can reason out enough pieces of this idea I will hopefully harness it for a paper I’m planning to write later this year.

Some types of attacks have so much human behavior in them that there is no system rule you can put in place to detect them. I was watching some videos from the Association of Certified Fraud Examiners (ACFE) and I stopped on Kathy Lavinder’s “Power of Weak Connections” on YouTube. She says that it is not always your strong, personal connections in your professional network that help you get new jobs – it is the weak connections with people who know you just enough to help move a resume or an inquiry into the right hands.

There is energy and opportunity in the kinetic connections between two sources. But what if the crux of the opportunity is in the weak connection rather than the strong connection? Does this idea carry into cyber attacks and fraud detection?

Visualize

I’d like to analyze that data and see the strengths of the connections. Does the hypothesis of the weak connection providing a strong vector hold up under the math? I’m reading about UML and graph databases to look for a way to re-categorize some existing data in order to redraw and reexamine the connections. It seems soft to compare a fraud or cyber attack to a business process modeling method, although I am certain I will learn something and I’m looking forward to applying some old techniques in a slightly different way.

Filed Under: Technology Tagged With: connections, fraud, hypothesis, visualize, youtube

Learning is Living

January 13, 2018 by Brianne

There are so many things I want to know…

I regularly scan for stories and use cases that will inspire good work and sharpen what I can offer.  As a result, I read about a lot of tools and theories that I am not familiar with.  Knowledge requires information and growth requires experience.  I’ve always been a fan of the idea of writing down any term or acronym you see or hear in use and if you don’t have a chance to ask about it immediately – Google it later.

Today is always a good day to start.

Personally, I keep a running list of things I want to learn more about. That way when I see an opportunity to pick up an ebook, watch some recorded convention talks on YouTube or take advantage of a training deal, I know where to start. Because the list is sometimes overwhelming, I use a priority system that keeps me focused. Chris Sanders offered a fantastic discount on his Applied Network Defense courses at the end of 2017 and I could not pass up the opportunity to learn from him. I saw Chris speak at BSides Cincy this summer about Curiosity as a necessary analyst skill. He is intelligent and inspiring. Plus he knows what the heck he’s doing and I love his philanthropy goals for the Rural Tech Fund.

All this is shaping my early 2018 personal learning plan around these 3 Applied Network Defense Courses:

  • Practical Packet Analysis
  • Effective Information Security Writing
  • Investigation Theory

Some of Chris Sanders’ Applied Network Defense Courses

Keep building yourself.

I know I have a lot to learn.  I keep pushing myself to ask questions, admit when I need to do more research, and listen to the inputs of my friends and colleagues.  Listen to the experts and those willing to teach, like Chris Sanders. It will stoke your curiosity and possibly even inspire you.

Filed Under: Featured, Knowledge, Technology Tagged With: applied network defense, book, bsides cincy, chris sanders, curiosity, google, learn

© 2023 · P. Brianne Fahey, Cyber Threat Analyst