Today I'm writing from Arlington, VA, site of the 2018 Bro Conference, also known as BroCon. For those not familiar with Bro, it is a network analysis tool intended to give teams and companies more visibility into their network traffic. There are a lot of network analysis tools out there, but Bro differentiates itself by providing its own scripting language (a language framed around the analysis of network traffic) and enabling stateful analysis. This means that you can correlate events together that in isolation aren't suspicious but combined together signal unusual activity.
Keynote: Finding Abnormal Behavior
The keynote speaker was Marcus Ranum. His talk wasn't necessarily centered around any particular topic, but if you had to label it, it would probably be a topic on finding abnormal behavior. In a lot of ways, that is exactly what security is. The way he described it was with a metaphor of a sergeant directing a bunch of privates who are doing the actual security. You see things coming in and you check a list to see if it is something that you are aware of and have seen before. If you have seen it before (it's on the whitelist), you let it through. If it's on the list of stuff you definitely don't want coming in (it's on the blacklist), you shoot it (just kidding). If it's something you haven't seen before, you check with the sergeant and he shoots it.
His point, though, was rather simple. Over time, you start to build up a list of expected behaviors and although there will always be stuff that you haven't seen before, you should get to a place where the normal stuff is cleared quickly, the bad stuff on the blacklist is dealt with immediately, and you can focus your attention on the unusual stuff that either needs to be whitelisted or blacklisted. The trick of course is figuring out which list things belong on.
He then presented an idea about looking at the shape of messages rather than the actual content. Take logging messages and convert them to format strings - every word gets replaced with %s, every number with %d, etc. The idea being that with this simple technique, you can quickly see unusual log messages because they won't have the same format as the messages that are much more common, and you can focus on those. Not only that, this technique is simple to build and will run much faster than complicated (wut wut wootsie unicorn magic fairy dust - his words) machine learning and AI systems.
The second idea he presented was on the idea of simple scoring systems that attribute simple scores to events and then keep a running tally of the score. If you have a login attempt start, you score that a 1. If the login attempt succeeds, you score that a -1, and the sum total of the event is 0. If things are progressing normally, the score should remain close to 0. Login failures would get a higher score of 10. A few login failures wouldn't necessarily cause you alarm, but it will draw your notice quickly if it starts happening frequently. These score jumps also show up on visual graphs in a noticeable way. Again, this is really simple to build and will run fast.
The third concept that he talked about was fairly simple, and he called it a Goat. The idea behind a Goat is that is a baseline for a system that you wish to monitor in its most simple state. By analyzing the system with all its software installed in this baseline state (for example, capturing the system calls that are made), you get a starting point for the natural traffic that you would expect to see. You can then compare this baseline with other systems that have activity on them and then see the outliers. Some of that will obviously be expected behaviors and then you can update your baseline, but the idea is to quickly see if you see unusual behaviors that are clearly not part of your baseline and don't make sense for normal usage.
There were a number of sessions throughout the day, some just touching on interesting network traffic monitoring challenges and some diving into the internals of Bro and writing Plugins. As a software developer by trade, some of this was easy to grasp but some of it was a little beyond me. What is undeniable is the ability of Bro to address a wide range of challenges.
One session talked about the interesting challenge of monitoring DHCP traffic, as it has elements of broadcast traffic (server broadcast) and unicast traffic (client/server exchange), and how they basically wrote improvements to make gathering data on this traffic much simpler. Another session talked about the complexity of some network protocols such as SMB which can create significant challenges trying to differentiate legitimate traffic from malicious traffic.
The most interesting session of the day was by some folks at Salesforce where they created a tool called JA3 for calculating signatures for various SSL/TLS clients based on some data in the client hello packet that get transmitted as part of the SSL/TLS handshake. A lot of this kind of traffic has unique signatures for different clients such as different web browsers, malware agents, etc. There is a similar tool called JA3S (included in the same repo as JA3) that does the same calculation for the server side, and another tool called HASSH that does the same for ssh connections.
Today was just the first of three days, but I've already seen some of the incredible stuff that Bro can do. For folks that are actively looking for a way to gain visibility into various network traffic issues and resolve them, there can be little doubt that Bro should be one of the tools that you consider. Looking forward to more great stuff tomorrow.