For example, after an attack against a Sydney-based company that Baker worked with, he studied a 2.5 TB set of pcaps that had been gathered over a two-week period during which the attack occurred. The data involved 3 billion packets, from which 420,000 security events had been analyzed, involving 1,890 different sources of attack, meaning they had unique IP addresses.
In his Black Hat Europe presentation, Baker relayed the Packetpig results to a map of the globe, using Google WebGL Globe, from which lines emanated, indicating attack severity (with severity from green to red) and frequency (height). "When we try to visualize big data sets, it's important to let the brain explore," said Baker.
Two immediately obvious hotspots were in South Africa and Australia. Accordingly, Baker decided to triangulate his data, to provide more insights into the attackers. So Baker and his team wrote a script that crawled Torrent search site The Pirate Bay, which tracks the IP addresses of all seeders and leechers associated with a specific torrent file, and he captured two weeks' worth of that information for the top 100 torrents.
He made an interesting discovery: "Seventeen IP addresses matched the attacks and the torrents, which I was very surprised by. We never thought we'd get that," he said.
Another surprise was attackers' choice in movies, which included 7 Weeks To 100 Pushups as well as the 2011 remake of Footloose. Those two specific movie downloads, in fact, pointed to one user, who'd downloaded parts of each movie via two different IP addresses. Likewise, a single download of The Adventures of Tintin matched another two IP addresses.
No one, however, had anonymized their attacks, which they could do by routing their traffic via the Tor network, for example. "Not one single Tor address was linked to an attack against that data set, which is pretty interesting; I would have probably expected at least one," said Baker.
Based on the analysis, what did Baker learn? Primarily, that he didn't need to take action, and he was able to reach that conclusion quite quickly, after ascertaining that both of the attacks he reviewed appeared to have been the result of PCs that were infected with misbehaving browser-bar software called iWon.
"A lot of times in security analysis, you just want to get over it quickly--in the sense of I want to understand everything about that attack, and move on," he said. But if he'd uncovered evidence of a larger-scale attack--such as an advanced persistent threat, then he could have initiated an incident-response program to clean up the attack and taken steps to prevent a recurrence.
Packetpig has some limits, including performance issues as the amount of data to be analyzed increases, which Baker said have to do with the architectural limits of Pig.
Within the next couple of months, however, his company plans to introduce a cloud-based service--and later, an on-premise tool--for analyzing pcaps, for example by allowing users to run them through cloud-based intrusion detection and prevention systems. The tool, Packetloop, which is now in beta (and not written in Pig) will offer better performance, he said, as well as better reports, more statistical analysis capabilities, and machine learning capabilities to give incident-response teams greater insights into suspicious network traffic.
SSL is widely deployed, yet enterprises still struggle to manage it and ensure its effectiveness. Companies must understand the threats, know how to use SSL internally, and assure it functions properly and protects their data. In our SSL Authentication report, we show you how to address the security and operational issues inherent in creating and managing internal SSL certificate authorities. (Free registration required.)
