Quick & Dirty Palo Alto Log Analysis

OK, so I needed to do some quick and dirty traffic analysis on Palo Alto text logs for a project I was working on. The Palo Alto is great and their console tools are nice. Panorama is not too shabby. But, when I need quick and dirty analysis and want to play with data, I dig into the logs. 
 
That said, for my quick analysis, I needed to analyze a bunch of text logs and model the traffic flows. To do that, I used simple command line text processing in Unix (Mac OS, but with tweaks also works in Linux, etc.)
 
I am sharing some of my notes and some of the useful command lines to help others who might be facing a similar need.
 
First, for my project, I made use of the following field #’s in the text analysis, pulled from the log header for sequence:
  • $8 (source IP) 
  • $9 (dest IP)
  • $26 (dest port)
  • $15 (AppID)
  • $32 (bytes)
 
Once, I knew the fields that corresponded to values I wanted to study, I started using the core power of command line text processing. And in this case, the power I needed was:
  • cat
  • grep
    • Including, the ever useful grep -v (inverse grep, show me the lines that don’t match my pattern)
  • awk
    • particularly: awk ‘BEGIN { FS = “,”} ; {print $x, $y}’ which prints specific columns in CSV files 
  • sort
    • sort -n (numeric sort)
    • sort -r (reverse sort, descending)
  • uniq
    • uniq -c (count the numbers of duplicates, used for determining “hit rates” or frequency, etc.)
 
Of course, to learn more about these commands, simply man (command name) and read the details. 😃 
 
OK, so I will get you started, here are a few of the more useful command lines I used for my quick and dirty analysis:
  • cat log.csv | awk ‘BEGIN { FS = “,”} ; {print $8,$9,$26}’ | sort | uniq -c | sort -n -r > hitrate_by_rate.txt
    • this one produces a list of Source IP/Dest IP/Dest Port unique combinations, sorted in descending order by the number of times they appear in the log
  • cat log.csv | awk ‘BEGIN { FS = “,”} ; {print $8,$9}’ | sort -n | uniq -c | sort -n -r > uniqpairs_by_hitrate.txt
    • this one produces a list of the uniq Source & Destination IP addresses, in descending order by how many times they talk to each other in the log (note that their reversed pairings will be separate, if they are present – that is if A talks to B, there will be an entry for that, but if B initiates conversations with A, that will be a separate line in this data set)
  • cat log.csv | awk ‘BEGIN { FS = “,”} ; {print $15}’ | sort | uniq -c | sort -n -r > appID_by_hitrate.txt
    • this one uses the same exact techniques, but now we are looking at what applications have been identified by the firewall, in descending order by number of times that application identifier appears in the log
 
Again, these are simple examples, but you can tweak and expand as you need. This trivial approach to command line text analysis certainly helps with logs and traffic data. You can use those same commands to do a wondrous amount of textual analysis and processing. Learn them, live them, love them. 😃 
 
If you have questions, or want to share some of the ways you use those commands, please drop us a line on Twitter (@microsolved) or hit me up personally for other ideas (@lbhuston). As always, thanks for reading and stay safe out there! 

3 Ways Clients are Benefiting from Our TigerTrax Platform Today

OK, so by now most folks know that we spent the last few years building out our own analytics platform, called TigerTrax™. Some folks know that we have been using it as a way to add impressive value to our traditional security offerings for the last couple of years. If you are a traditional assessment client, for example, you are likely seeing more threat data that is pinpoint accurate in your reports or you have been the beneficiary of some of the benefits of our passive technologies based on the platform, perhaps. If your organization hasn’t been briefed yet on our new capabilities and offerings, please let us know and we will book a time to sit down and walk you through what we believe is a game changing new approach to information security!

But, back to the message at hand. TigerTrax is already benefitting our clients in three very specific ways, and I wanted to take a moment to discuss them.

  • First, as I alluded to above, many clients are now leveraging our Targeted Threat Intelligence (TTI) offerings in a variety of ways. TTI engagements come in two flavors, Comprehensive and Baseline. You can think of this as a passive security assessment that identifies threats against your organization based on a variety of meta data analysis, tracks your brand presence across the online world and identifies where it might be present in a vulnerable state, correlates known and unknown attack campaigns against your online presence, and has been hugely successful in finding significant risks against networks/applications and intellectual property. The capability extends to findings across the spectrum of risks, threats and vulnerabilities – yet does the work without sending a single packet to the target network environments! That makes this offering hugely popular and successful in assisting organizations with supply chain, vendor management security validation and M&A research. In fact, some clients are actively using this technique across vendors on a global scale.
  • Second, TigerTrax has enabled MSI to offer security-focused monitoring of key employees and their online behaviors. From professional sports to futures/stock traders and even banking customer support teams – TigerTrax has been adapted to provide code of conduct monitoring, social media forensics and even customized mitigation training in near-real-time for the humans behind the keyboard. With so much attention to what your organization and your employees do online, how their stories spread and the customer interactions they power – this service has been an amazing benefit to customers. In some cases, our social media forensics have made the difference in reputational attacks and even helped defend a client against false legal allegations!
  • Thirdly, TigerTrax has powered the development of MachineTruth™, a powerful new approach to network mapping and asset discovery. By leaning on the power of analytics and machine learning, this offering has been able to organize thousands of machine configurations and millions of lines of log files and a variety of other data source to re-create a visual map of the environment, an inventory of the hosts on the network, an analysis of the relationships between hosts/network segments/devices and perform security baselining “en masse”. All offline. All without deploying any hardware or software on the network. It’s simply amazing for organizations with complex networks (we’ve done all sizes – from single data centers to continent-level networks), helps new CIOs or network managers understand their environment, closes the gap between “common wisdom” of what your engineers think the network is doing and the “machine truth” of what the devices are actually doing, aids risk assessment or acquisition teams in their work and can empower network segmentation efforts like no other offering we have seen.

Those are the 3 key ways that TigerTrax customers are benefiting today. Many many more are on the roadmap, and throughout 2016 we will be bringing new offerings and capability enhancements to our clients – based on the powerful analytics TigerTrax provides. Keep an eye on the blog and our website (which will be updated shortly) for news and information. Better yet, give us a call or touch base via email and schedule a time to sit down and discuss how these new capabilities can best assist you. We look forward to talking with you! 

— info (at) microsolved /dot/ com will get you to an account rep ASAP! Thanks for reading.

MSI Launches TigerTrax Network Discovery, Mapping & Analysis Service

We are proud to announce the immediate availability of an entirely new service offering in our security tool kit, made possible by TigerTrax™.

This service offering leverages the power of MSI’s proprietary TigerTrax analytics platform to parse, correlate and visualize the configurations (and packet logs (if desired)) from the routers, switches and firewalls of your network “en masse”. 

Our security and analytics teams then create detailed maps of the network as seen from the eyes of the machines, document the various network segments and their relationships, build a hierarchy of powerful machines and segments, identify hardening techniques that could help your organization better secure your network and provide insights into the gap between your organization’s “common wisdom” versus the real environment.

We can even teach “Close The Gap” sessions to help re-align your team’s “common wisdom” with “machine truth” and to help socialize the new knowledge to other groups.

How it works:

  • The client delivers the configuration and log files as needed for the service. MSI can assist with this step, if needed, at an additional hourly consulting fee.
  • The offering uses TigerTrax to perform automated analysis of the configuration and log files as needed – holistically, systemically and “en masse”. 
  • Various data points are delivered to the analysts and security team who then create the documentation, maps and reports. Visualized data is also generated using the TigerTrax platform where appropriate.
  • Any professional services, such as interviews/questionnaires, gap analysis and training are provided by MSI team members using our proprietary delivery methodologies.
  • Completely passive, offline analysis is perfect for critical networks.
Three different levels of service are available, as is single – one time engagements (perfect for M&A activities, and new IT management) or ongoing subscriptions that allow organizations to track changes and maintain knowledge over time. The highest level of service also includes 30 days worth of packet analytics to identify overtly compromised hosts and to determine “normal operating conditions”, which is often quite useful for incident response activities in the future.
 
Give is a call today at (614) 351-1237 or email us at info@microsolved.com to start a conversation about how we can help you know the truth about your network!

Benefits of using TigerTrax to Monitor Your Industry

Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc can provide for you and your company! MicroSolved has a whole host of proprietary software including TigerTrax, that will give your company an edge over your competition!

With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!

In every business there are times whether for a short duration or a long term one where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also and more importantly you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do and in a very short time you can have actionable information that may be used to help protect your companies brand!

As you can see TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine we are only scratching the surface of what we at MicroSolved, Inc and the TigerTrax platform can do for you. So please if you need any assistance for your company feel free to contact us by sending an email to: info@microsolved.com.

This post by Preston Kershner.

5 Ways My Medical Background Makes Me a Better Intelligence Analyst

When I first started for MicroSolved, Inc.(MSI), I wasn’t sure what to think, but now that I have been here for nearly three months I feel I am starting to get the hang of  what it is to be an intelligence analyst. At least a little bit anyhow. Now mind you I am not your typical intelligence analyst, nor am I a new college graduate, but rather I am coming to MSI from the health care industry with over twenty years of work experience in that industry. This was a completely different mindset, with a whole host of new things for me to experience and learn. For me this was totally refreshing and exactly what I wanted and more importantly, needed! There are a few things that I have noticed in my short time here that could be considered pearls of wisdom rather than actual characteristics of a good employee that I feel make me a good intelligence analyst for MSI. Perhaps they are one and the same. At least that is my hope 😉

First, while I am not a seasoned IT professional like so many others that I work with, I am not naive to the fact that there are deadlines and expectations thrust upon all of us. This in my opinion is no different than in being in the hospital setting where people expect you to act quickly and in the best interests of your patient at all times. Couldn’t we say the same is true working for a company like MSI?  In that it is the expectation to be professional, performing your best at all times, and the like? I would like to think that is what I strive for.

After thinking a bit longer perhaps it is that we share a tenacity for getting to the bottom of whatever mystery that we are looking at. Whether it is a series of questions that we may be asking our patients in an effort to try to figure out what ailment they be suffering from. This is not unlike when we are looking for a key bit of code for an algorithm to help us do our work more efficiently. Regardless, it is this mentality of never giving up! To keep fighting, keep looking, to keep trying. Just keep chipping away at it. 

I think the next characteristic would have to be patience. Something that we all have often heard from our grandparents growing up as children. Something that in my mind and in my experience has played a provocative role in both my dealings with patients, their families and with challenging projects in the IT world. Now while as I previously stated in the above paragraph that tenacity plays a role, I also think having a measure of patience does too. There are times in the medical world where even the most experienced physician stands there for a moment and scratches his or her head and says “I don’t know”. Now to a patient that is the last thing that they want to here, but sometimes we truly have to “wait and see”. Sometimes grandma was right! There have been times while working on projects with MSI, where sitting back even if it’s just a few moments, allowed me to gain a better “bird’s eye view” of a given project and really helped me figure out what it was that I was looking for and ultimately aided the project.

Another area that I think gives me an edge would be that I am willing to go the extra mile and I am not afraid to work hard to attain my goals. It isn’t enough to just punch a clock or be mediocre! I have told this to my children, my patients and my friends. Never give up, always work your butt off for what you want in life! It may take time for what you want to come to fruition, but if you’re willing to put the time, energy and effort into it, then it will come!  It takes sacrifice to get to your goals. Others will recognize your efforts and aid you in your path. That’s what I feel MSI has done and is continuing to do for me!

Lastly, laugh! I have not laughed so hard in any of my previous work experiences as compared to working for MSI these past few months. Don’t get me wrong there were plenty of wonderful times, but here at MSI it is a whole new animal! Yes, we work hard, but I think having a healthy sense of humor and a desire to see others laugh is what really sets MSI apart. If you are down, they help pick you up! So often we spend our work lives with people that aren’t our family for hours on end. Shouldn’t we have some fun while we work? If you are lucky enough you do. Then, by choice those people that aren’t your family start to become them and find a place in your heart. Then, your work doesn’t seem like work anymore. 

Yes it’s true that I am new to the world of information technology as a career choice, but that doesn’t mean that I don’t have some very real life experiences to draw upon. Remember, it is a combination of work ethic, tenacity, patience, a sense of humor and ultimately a willingness to never give up. These are the things that will make you successful, not only in your career path, but in life as well. These are my little pearls of wisdom, just a few tidbits of information to help you get to where you want to be in life. Who knows it might even be right here at MSI.

This post by Preston Kershner.

Topic Analysis with TigerTrax

Recently, my team was asked to use our TigerTrax platform to observe a body of social media content around a specific topic for 12 hours and extract meaningful data. The topic chosen by the client was “fracking”.

As you might expect, there was quite a bit of conversation on the Internet about fracking during that period. The client wanted specifically to focus on a specific set of data and to identify potential activism or criminal activities that might be gathered from the data set. So, mission in hand, we engaged the TigerTrax platform and after 12 hours of data gathering, began our analysis.

The data we extracted was pretty amazing to the client. They were quite interested in some of the findings. For example, we identified and presented the client with:

  • A word cloud of specific topics found in the data set and their relationships
  • A list and frequency count of the keywords used in the data
  • A ranked list of hash tags used to communicate
  • The top retweeted/reposted posts during the period
  • Profiles and demographics of the most influential posters during the period
  • Analysis of a variety of multimedia content for “virality” and potentially dangerous impacts
  • We identified an emerging damaging PR issue that the client was able to get in front of
  • Details of an organized campaign to damage the reputation and safety of executives
  • Videos and diagrams educating activists in vandalism and other aggressive techniques

The client was able to use this information to help educate their membership, strengthen their security during protest events and to better understand some of the emerging PR concerns around their operations. They also began to work with ISPs and other service providers to begin takedown requests for the more illicit content.

This is just a sample of some of the ways that clients are leveraging the new TigerTrax platform to assist them with business needs. Get in touch and let us know your ideas or specific problems and we will see how we can help. If you want to know what the world is saying and how it affects you, TigerTrax just might be the solution you are looking for.

Topic analysis can be performed with TigerTrax as a single deep dive event with a customized report delivered and open for re-use with other clients, or can be completely customized to the client organization and solely for their use. Ongoing monitoring and analysis of topics and events can also be done as a part of the TigerTrax services. If you would like to hear more about the TigerTrax platform, or Topic Analysis, please give us a call at (614) 351-1237 extension 206. You can also reach out to me on Twitter (@lbhuston), and we can arrange a discussion. 

As always, thanks for reading and until next time, stay safe out there.

OpUSA:: Feint or Fail?

So, yesterday was the date of the much awaited OpUSA, originally proclaimed to be a decisive attack on the US banking and government infrastructures. Thankfully, there seemed to be little impact on US banking or government, and while some commercial and even government sites did get attacked, the sustained impact seemed to be fairly well contained.

Below are a few thoughts on OpUSA and observations made from the data we saw around the Internet (in no particular order):

  • Anonymous groups seemed to be alluding to some infighting, with some groups mocking others and some fragments calling the entire operation a fake. There does seem to be some form of power struggle or competition going on inside the loose alignment of cells, at least from what conversations could be reviewed on Twitter, other social media and the paste bin releases.
  • Many of our team considered the possibility that OpUSA was a feint, designed to attract media attention and recruit new talent, even as primary groups and forces remained on the side lines. From a strategic point, this might make sense, though the in-fighting argument above seems more likely.
  • There seemed to be a large focus on attacking sites primarily powered by PHP. Certainly there are groups and cells inside the movement where their primary focus is PHP attacks and their exploits and tools are solely geared to PHP compromises. Other platforms are likely to remain in scope and within reach, but the majority of the attacks and compromises released yesterday seemed to revolve around PHP.
  • The 10,000 credit card release was MOSTLY a bust. All of the cards we saw were already expired. HOWEVER, it should be noted that SSNs, security questions and other PII was included in that release, so the impacts are broader than just credit card information.
  • Lots of released account credentials, software licenses and such also came out with associated tag lines during the operation. Additionally, many of the folks posting released data to the paste bins and on Twitter also usually release a good deal of pirated software, media and music from what we could tell. It is likely that some of the actors involved in the movement also participate in software and media piracy.
  • At least 3 credit unions were included in the released target lists. This was interesting, especially given the previous Anonymous stance that citizens should replace banks with credit unions. One has to wonder why these three particular CUs were targeted or if they were merely tokens. 

Other than the usual chatter and jeers, there seemed to be little unique about OpUSA and the efforts identified with the campaign. The media is picking up on some additional items here and there, but largely, the operation was seen as being a smaller or less successful campaign than previous attack sets.