Following up on our quest for better data analysis techniques, I've been playing for a couple of weeks with a product called Circos. This useful tool (written by Martin Krzywinski) is designed to visualize two-dimensional tabular data, and was originally written to map genome relationships! However, it is very extensible, so I put it to use on the SensorNET data.
The following maps are some of the many I've built with Circos, and represent about 18 months' worth of our data from the SensorNET. This style of map can take some getting used to, but once you can read it the maps are quite trivial to understand. If you don't 'get it' straight away, please stick with it and you will see the beautiful simplicity soon enough.
On the right-hand side of the circle are our Australian-based nepenthes sensors. These are the 'business end' of our SensorNET: they collect network-borne malware and also log where it comes from. The sensors are spread throughout the Australian IP space. On the left-hand side is the attribute we are exploring, which in these examples is the attacking country, the ASN, or the MD5 of the malware. The colored ribbons between a sensor and an attribute show the strength of the relationship: the thicker the ribbon, the more prominent the relationship.
Top 15 attacking countries
The first thing that jumps out here is the large proportion of attacks coming out of the Japanese IP space. This backs up the results of our geographic heatmap analysis. Note that, almost without exception, the sensors showed the most activity from Japan, followed by local Australian IP space.

Top attackers from overseas
This shows the top countries (excluding Australia). Note the dominance of Asian countries: in fact the top 6 countries are Japan, China, India, Taiwan, Cambodia and Mongolia, and only then comes the US. We think this is attributable to geographic proximity and faster inter-country network links, and potentially to 'closeness' in terms of IP space, particularly in the first and second octet, as some bots may scan local or adjacent subnets first; but we need to research this further.

Top 15-30 attacking countries
This shows the countries ranked 15 to 30 by attack volume.

Most attacking ASNs
This shows the ASNs (Autonomous System Numbers) of the networks that attacked this set of sensors. You'll notice that one of our nodes (node 19) had a very busy time, being attacked repeatedly by one particular ASN. We considered this an anomaly in terms of its statistical relevance, and suspect the sensor may have been playing up, so this sensor/ASN pair was mostly excluded from the rest of the analysis at this stage. I included this graph here simply to show how easily such anomalies show up with this visualization technique.
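To make the mapping described above concrete (sensors on one side, an attribute on the other, ribbon width proportional to the number of captures for that pair) and to show how a 'node 19' style sensor/ASN anomaly can be picked out of the same table automatically, here is an added Python example. It is not the Honeynet Project's code and not part of Circos. The capture lines, sensor names, ASNs (taken from the RFC 5398 documentation range) and shortened MD5s are all constructed for the example, and the Circos karyotype and link text formats it emits are assumed from the Circos documentation, not taken from this post.

```python
"""Added example, not the Honeynet Project's own code: build the sensor-vs-
attribute table that a Circos ribbon map is drawn from, emit it in Circos'
karyotype/link text formats, and flag pairs that dominate the way the
node 19 / single-ASN pair did. All input data below is constructed."""
from collections import Counter, defaultdict

# Constructed captures, one per line: "sensor,src_country,src_asn,md5".
# ASNs are from the RFC 5398 documentation range; MD5s are shortened and made up.
SAMPLE_CAPTURES = """\
node01,JP,AS64496,a1b2c3d4
node01,JP,AS64496,a1b2c3d4
node01,AU,AS64497,ffee0011
node01,CN,AS64498,a1b2c3d4
node02,JP,AS64496,ffee0011
node02,JP,AS64499,a1b2c3d4
node02,AU,AS64497,a1b2c3d4
node02,US,AS64500,9c9c9c9c
node02,TW,AS64501,a1b2c3d4
node19,JP,AS64496,a1b2c3d4
node19,AU,AS64497,ffee0011
""" + "node19,TW,AS64501,a1b2c3d4\n" * 20   # one ASN hammering one sensor

FIELDS = ("sensor", "country", "asn", "md5")


def parse_captures(text):
    """Parse capture lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def crosstab(records, attribute):
    """Count (sensor, attribute) pairs: the two-dimensional table behind each map."""
    return Counter((r["sensor"], r[attribute]) for r in records)


def marginals(table):
    """Row (sensor) totals, column (attribute) totals and the grand total."""
    sensor_total, attr_total = Counter(), Counter()
    for (sensor, attr), count in table.items():
        sensor_total[sensor] += count
        attr_total[attr] += count
    return sensor_total, attr_total, sum(table.values())


def top_attributes(table, n):
    """Restrict the table to the n heaviest attribute values ('top 15 countries')."""
    _, attr_total, _ = marginals(table)
    keep = {attr for attr, _ in attr_total.most_common(n)}
    return Counter({pair: c for pair, c in table.items() if pair[1] in keep})


def circos_files(table):
    """Render karyotype and link lines. Formats are assumed from the Circos docs:
    'chr - ID LABEL START END COLOR' and 'ID START END ID START END'."""
    sensor_total, attr_total, _ = marginals(table)
    karyotype = [f"chr - {ident} {ident} 0 {total} grey"
                 for ident, total in list(sensor_total.items()) + list(attr_total.items())]
    # A ribbon occupies a span proportional to its count on both ideograms,
    # so ribbon width encodes relationship strength, as in the maps above.
    sensor_pos, attr_pos = defaultdict(int), defaultdict(int)
    links = []
    for (sensor, attr), count in sorted(table.items()):
        s0, a0 = sensor_pos[sensor], attr_pos[attr]
        links.append(f"{sensor} {s0} {s0 + count} {attr} {a0} {a0 + count}")
        sensor_pos[sensor] += count
        attr_pos[attr] += count
    return karyotype, links


def flag_anomalies(table, min_count=10, min_ratio=3.0):
    """Flag pairs whose count is far above what the rest of the table predicts
    under independence (row_total * col_total / grand_total). The expectation
    leaves the pair itself out, so one huge pair cannot inflate its own
    row/column totals and hide."""
    sensor_total, attr_total, grand = marginals(table)
    flagged = []
    for (sensor, attr), count in table.items():
        rest_row = sensor_total[sensor] - count
        rest_col = attr_total[attr] - count
        rest_grand = grand - count
        expected = rest_row * rest_col / rest_grand if rest_grand else 0.0
        if count >= min_count and count >= min_ratio * expected:
            flagged.append((sensor, attr, count, round(expected, 2)))
    return sorted(flagged, key=lambda f: -f[2])


if __name__ == "__main__":
    records = parse_captures(SAMPLE_CAPTURES)
    karyotype, links = circos_files(top_attributes(crosstab(records, "country"), 3))
    print("\n".join(karyotype + links))
    for sensor, asn, count, expected in flag_anomalies(crosstab(records, "asn")):
        print(f"anomaly: {sensor} <- {asn}: {count} captures, ~{expected} expected")
```

Swapping `"country"` for `"asn"` or `"md5"` in the `crosstab` call produces the table for the other maps in this post; the leave-one-out expectation in `flag_anomalies` is what lets a pair like node 19 and its single ASN stand out even when that pair makes up most of the sensor's own traffic.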

Most commonly seen malware
Here we see some of the more prevalent malware files being captured by the SensorNET. These are actually the files that will be infecting unprotected computers in Australia right now! I've abbreviated the MD5s to what I consider to be human-readable for this graph.

For reference, here are some links to the VirusTotal results for the top 5 pieces of malware (nominal name taken from F-Secure/Kaspersky):
Detection Result: 39 out of 40 Antivirus vendors (97.50%)
Detection Result: 38 out of 39 Antivirus vendors (97.44%)
Detection Result: 6 out of 36 Antivirus vendors (16.67%) ***
Detection Result: 40 out of 40 Antivirus vendors (100.00%)
Detection Result: 40 out of 40 Antivirus vendors (100.00%)
So there you have it: although a lot of network-borne malware has great AV coverage, some does not (***). This means that a 'defense in depth' strategy is still required. Do not rely solely on any one of the main technical security controls (Antivirus, Patching, Firewall) - use them ALL for the best protection!
What can you see in these diagrams? Do you have any suggestions or observations? Let me know at ben@honeynet.org.au.