Adam Slagell received an M.S. in computer science from the University of Illinois at Urbana-Champaign in 2003, a master's degree in mathematics from Northern Illinois University (NIU) in 2000, and a B.S. in mathematics from NIU in 1999. He currently serves as the director of the Cybersecurity Division and Chief Information Security Officer at the National Center for Supercomputing Applications (NCSA), where he co-leads the security team for the NSF-funded XSEDE federation, serves as liaison for the Bro Project at the Software Freedom Conservancy, and is a co-PI for the NSF Bro Center of Expertise, which brings its network security monitoring expertise and support to NSF-funded cyber-infrastructure and higher education.
Robin Sommer is a Senior Researcher in the Networking and Security Group at the International Computer Science Institute, an independent non-profit research institute affiliated with the University of California, Berkeley. Robin leads the Bro development team and is the CTO, and a co-founder, of Corelight, a startup offering professional Bro solutions to enterprise customers. Robin is an affiliate member of the Data Science and Technology Department at Berkeley Lab, and works with the Lab’s cyber security team. Robin was a research assistant at TU München, Germany. He received his diploma in Computer Science from University of Paderborn, Germany.
Michael Bailey is an associate professor of electrical and computer engineering. His research interests lie in the areas of the security and performance of complex distributed systems. His work informs both the development of such systems as well as the sciences of computer security, networking, and distributed systems.
Bro Team’s Johanna Amann will present on SSL research in the past year.
This talk aims to help those new to Bro get more familiar with its core concepts and gain a better understanding of the various ways it can be used. Many of those working in the cybersecurity field have little to no software development background when they are introduced to Bro. Many can immediately recognize the forensic and network defense value of Bro's network traffic logs, but learning the programming language can seem like a daunting task. Unfortunately, a sound understanding of the Bro programming language and how it can be used to interact with captured network traffic is necessary to begin to realize Bro's full potential. This talk seeks to provide attendees with some of the foundational knowledge that can help them get up to speed quickly with the language. Functional code samples with direct applications for practitioners will be used to illustrate core Bro language concepts, scripting tasks common to network monitoring, and some helpful scripting techniques that leverage built-in functionality. Emphasis will be on real-world scenarios that new Bro users can apply to support their own monitoring objectives, and all code will be made available for download (or referenced) after the presentation.
Speaker Bio: Adam Pumphrey
Python has a fantastic set of libraries for statistics, data analysis, and machine learning. Modules like pandas, statsmodels, and scikit-learn provide a broad set of techniques and algorithms that are formally researched and well tested. Although Bro provides a flexible, powerful scripting language we’d like to offload more complex tasks to decoupled Python processes so that Bro can focus on the efficient processing of high volume network traffic.
In this presentation we will give live demonstrations of a new open source project called BroThon: Bro + Python (https://github.com/Kitware/BroThon). With a simple ‘pip install’ and a few lines of Python we can dynamically monitor any active Bro log and easily convert the log data into a Pandas DataFrame. We can also turn that DataFrame into a numpy ndarray (matrix/tensor) ready for the statsmodels and scikit-learn libraries. The BroThon package has classes for these transformations that handle all the details:
Example: DNS logs have mixed categorical and numeric data; with a few lines of code the data is properly encoded into a numpy matrix, with normalization for the numerical variables and one-hot encoding for the categorical ones. The scikit transform class can then be serialized and used later for evaluation against the trained models. See the Bro_to_Scikit IPython notebook below.
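The transformation that paragraph describes, shown as an added example in plain Python (standard library only; this is not BroThon's code, whose classes do the equivalent on a pandas DataFrame). The dns.log excerpt is constructed, with the header layout of Bro's ASCII writer; which columns are treated as numeric and which as categorical is an assumption for the demo:

```python
"""Bro ASCII log -> typed rows -> (min-max scaled numeric + one-hot categorical) matrix.

Added example, standard library only. The log excerpt below is constructed.
"""
from collections import OrderedDict

# Constructed dns.log excerpt in Bro's ASCII format (tab separated).
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tZ\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tcount\n"
    "1500000000.100000\tC1\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\texample.com\tA\tNOERROR\t0\n"
    "1500000001.200000\tC2\t10.0.0.5\t51235\t10.0.0.1\t53\tudp\tmail.example.com\tMX\tNOERROR\t0\n"
    "1500000002.300000\tC3\t10.0.0.7\t40000\t10.0.0.1\t53\ttcp\tbig.example.org\tTXT\tNXDOMAIN\t1\n"
    "1500000003.400000\tC4\t10.0.0.7\t40001\t10.0.0.1\t53\tudp\t-\tAAAA\t-\t0\n"
)

INT_TYPES = {"count", "int", "port"}
FLOAT_TYPES = {"double", "time", "interval"}


def convert(bro_type, raw):
    """Convert one field according to its #types entry; unknown types stay strings."""
    if bro_type in INT_TYPES:
        return int(raw)
    if bro_type in FLOAT_TYPES:
        return float(raw)
    if bro_type == "bool":
        return raw == "T"
    return raw


def parse_bro_log(text):
    """Return (fields, types, rows); rows are OrderedDicts with typed values.

    The #separator line is special: a space, then the escaped separator. Every
    later header line is split on the separator itself. The unset marker
    (#unset_field, '-' by default) becomes None so it is never read as data.
    """
    sep, unset = "\t", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        rows.append(OrderedDict(
            (name, None if raw == unset else convert(typ, raw))
            for name, typ, raw in zip(fields, types, line.split(sep))))
    return fields, types, rows


def fit(rows, numeric_cols, categorical_cols):
    """Learn the scaling ranges and one-hot vocabularies; the spec is what you
    would serialize and reuse at evaluation time."""
    spec = {"numeric": {}, "categorical": {}}
    for col in numeric_cols:
        values = [r[col] for r in rows if r[col] is not None]
        spec["numeric"][col] = (min(values), max(values))
    for col in categorical_cols:
        spec["categorical"][col] = sorted({"-" if r[col] is None else str(r[col]) for r in rows})
    return spec


def transform(spec, rows):
    """Apply a fitted spec; returns (column_names, matrix as list of float rows).

    Numeric columns are min-max scaled to [0, 1]; a missing value maps to 0.0.
    A categorical value unseen at fit time encodes as all zeros rather than
    raising, which is what you want when scoring live data.
    """
    columns = list(spec["numeric"]) + [
        "%s=%s" % (col, val) for col, vocab in spec["categorical"].items() for val in vocab]
    matrix = []
    for r in rows:
        vec = []
        for col, (lo, hi) in spec["numeric"].items():
            v = r.get(col)
            vec.append(0.0 if v is None or hi == lo else (v - lo) / (hi - lo))
        for col, vocab in spec["categorical"].items():
            v = "-" if r.get(col) is None else str(r.get(col))
            vec.extend(1.0 if v == cat else 0.0 for cat in vocab)
        matrix.append(vec)
    return columns, matrix


if __name__ == "__main__":
    _, _, rows = parse_bro_log(SAMPLE_DNS_LOG)
    spec = fit(rows, ["id.orig_p", "Z"], ["proto", "qtype_name"])
    cols, mat = transform(spec, rows)
    print(cols)
    for row in mat:
        print(row)
```

The fitted spec is the part worth persisting next to the model: scoring new logs with a vocabulary that differs from training silently shifts every column, which is the same reason the talk serializes the scikit transform.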
We’ll run through several example use cases as part of the presentation:
Reference Notebooks: Bro to Pandas, Bro to Scikit
Speaker Bio: Brian Wylie
The latest custom solutions Justin created to make his day-to-day job easier.
Justin is a security engineer at NCSA and is a member of the Bro Project.
While bro-cut is certainly an important tool in your toolbox, you can expand on your ability to analyze logs and detect a variety of interesting network events through the use of the awk program. In this talk Mark will give an intro to the syntax of the awk command and then show several examples of how awk can be used directly on logs or in a pipeline with other programs. He hopes that you find the examples provided as useful takeaways from BroCon whether you are a beginner or advanced user.
Speaker Bio: Mark Krenz is the Lead Security Analyst at Indiana University's Center for Applied Cybersecurity Research, where he has participated in projects such as the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) and the Software Assurance Marketplace (SWAMP). In addition to using Bro at work on a small enterprise network, he also uses Bro at home to monitor IoT devices. Mark is also the creator/host of the popular Twitter account @climagic, which provides useful Unix command tips to over 100 thousand command line enthusiasts.
Modern information security management best practices dictate that an enterprise assume full configuration control of end user computer systems (laptops, desksides, etc.). The benefits of this control include lower support costs, since there is less variation in machines, operating systems, and applications to support; more importantly today, dictating the software, hardware, and security configuration of an end user's machine significantly reduces the occurrence of infection by malicious software.
Some organizations cannot control some or all of their end user computer systems. Examples include: universities, shared startup spaces, sites offering public Internet access (e.g. restaurants), and conferences.
If data about end user systems is organized and cataloged as part of normal information security logging, an extended picture of what an end system actually is may be available to the investigator at a moment's notice.
Normally there are two techniques for detecting end user systems on the network and fingerprinting them: active scanning and passive scanning.
It is easy and quick to fingerprint devices with active scanning tools such as nmap or Nessus, but active scanning has drawbacks: the device has to be online during the scan to be fingerprinted, and the free versions of these tools limit the number of IPs/devices that can be scanned. Also, to cover all the devices that come and go on the network, the scans need to be quite frequent.
Given these limitations, passive methods do well at detecting unmanaged end-points and fingerprinting them, since simply monitoring network traffic reveals a good deal of information about client machines.
This is one of our major use-cases for Bro: we use Bro as a passive scanning device, alongside its basic NSM role.
The presentation would cover how we use Bro as a fingerprinting scanner and build the inventory of end-points that might contain:
This works well with Bro because, as soon as a device connects to the network, it starts generating traffic that Bro can monitor to learn more about the device. We have written a few custom scripts to collect useful statistics, and Bro already ships with scripts that help achieve this goal, for example the software detection scripts, which identify client software to some extent, Windows OS detection, and known-services and open-ports (generated when Scan-NG is used). All these logs can be correlated by IP, and the IPs can in turn be correlated with DHCP logs to map the information collected from the network to the corresponding devices.
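The IP-to-DHCP correlation step, as an added example in Python (it is not the presenter's scripts). Both logs are constructed and use the JSON line format Bro writes with LogAscii::use_json=T; the field names follow Bro 2.5's software.log and dhcp.log, with nested record fields flattened as "version.major". The minimum-version policy at the end is an assumed example policy:

```python
"""Correlate software.log observations with dhcp.log leases into a per-device inventory.

Added example, not Bro or the presenter's code. Logs below are constructed.
The key point: an IP identifies a device only for the lifetime of its lease,
so every observation is mapped through the lease that was active at its timestamp.
"""
import json
from collections import defaultdict

# Constructed dhcp.log: the same address is leased to two different MACs in turn.
DHCP_LOG = """\
{"ts":1500000000.0,"uid":"CdA1","id.orig_h":"0.0.0.0","id.orig_p":68,"id.resp_h":"10.1.0.1","id.resp_p":67,"mac":"aa:bb:cc:00:00:01","assigned_ip":"10.1.0.50","lease_time":3600.0,"trans_id":11}
{"ts":1500003700.0,"uid":"CdA2","id.orig_h":"0.0.0.0","id.orig_p":68,"id.resp_h":"10.1.0.1","id.resp_p":67,"mac":"aa:bb:cc:00:00:02","assigned_ip":"10.1.0.50","lease_time":3600.0,"trans_id":12}
"""

# Constructed software.log: three observations on 10.1.0.50, one on an IP with no lease.
SOFTWARE_LOG = """\
{"ts":1500000100.0,"host":"10.1.0.50","host_p":52000,"software_type":"HTTP::BROWSER","name":"Firefox","version.major":54,"version.minor":0,"unparsed_version":"Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"}
{"ts":1500000200.0,"host":"10.1.0.50","host_p":52001,"software_type":"HTTP::BROWSER","name":"Chrome","version.major":60,"version.minor":0,"unparsed_version":"Mozilla/5.0 (X11; Linux x86_64) Chrome/60.0.3112.78"}
{"ts":1500003800.0,"host":"10.1.0.50","host_p":40000,"software_type":"HTTP::BROWSER","name":"Safari","version.major":10,"version.minor":1,"unparsed_version":"Mozilla/5.0 (Macintosh) Version/10.1 Safari/603.1.30"}
{"ts":1500003900.0,"host":"10.1.0.99","host_p":40001,"software_type":"HTTP::BROWSER","name":"Edge","version.major":15,"version.minor":0,"unparsed_version":"Mozilla/5.0 (Windows NT 10.0) Edge/15.15063"}
"""


def parse_json_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_leases(dhcp_rows):
    """ip -> list of (start, end, mac), sorted by start."""
    leases = defaultdict(list)
    for r in dhcp_rows:
        leases[r["assigned_ip"]].append((r["ts"], r["ts"] + r["lease_time"], r["mac"]))
    for ip in leases:
        leases[ip].sort()
    return leases


def mac_for(leases, ip, ts):
    """MAC holding `ip` at time `ts`, or None if no lease covers that instant.

    The latest lease that started before ts wins, so a renewal that overlaps
    the previous lease is handled; a gap between leases yields None.
    """
    best = None
    for start, end, mac in leases.get(ip, ()):
        if start <= ts:
            best = (start, end, mac)
        else:
            break
    if best is not None and ts < best[1]:
        return best[2]
    return None


def build_inventory(software_rows, leases):
    """Return (inventory, unmapped): inventory is mac -> {name: (major, minor)},
    keeping the highest version seen; unmapped lists observations with no lease."""
    inventory = defaultdict(dict)
    unmapped = []
    for r in software_rows:
        mac = mac_for(leases, r["host"], r["ts"])
        version = (r.get("version.major", 0), r.get("version.minor", 0))
        if mac is None:
            unmapped.append((r["host"], r["name"]))
            continue
        previous = inventory[mac].get(r["name"])
        inventory[mac][r["name"]] = version if previous is None else max(previous, version)
    return dict(inventory), unmapped


def outdated(inventory, minimum_versions):
    """Devices running software below an assumed minimum-version policy."""
    return sorted(
        (mac, name, version)
        for mac, software in inventory.items()
        for name, version in software.items()
        if name in minimum_versions and version < minimum_versions[name])


if __name__ == "__main__":
    leases = build_leases(parse_json_log(DHCP_LOG))
    inventory, unmapped = build_inventory(parse_json_log(SOFTWARE_LOG), leases)
    print(inventory)
    print("no lease:", unmapped)
    print("outdated:", outdated(inventory, {"Firefox": (55, 0), "Safari": (10, 0)}))
```

Observations that fall outside any lease (static addresses, or DHCP traffic Bro never saw because it stayed on a different segment) are the usual blind spot; keep them visible rather than dropping them, since a host that never appears in dhcp.log is itself worth a look.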
The presentation will also cover our recent addition to the software inventory, TLS clients, using TLS fingerprinting with Bro, and detecting and blocking some offensive TLS clients (such as Burp Suite).
I will try to make a package of the Bro scripts used for fingerprinting the different systems, and the scripts should be posted on the GitHub account as well, from where they can be downloaded individually and enabled in the Bro environment. The presentation will also cover screenshots of the outdated software detected by Bro and how it can be used to enforce policy compliance in the University. If time permits, it will cover some other kinds of anomaly detection as well, such as detecting "fake" Googlebots crawling the websites on the network, which can right away be turned into an operational solution.
Speaker Bio: Fatema Bannat Wala received her undergraduate degree in Electronics and Instrumentation Engineering from Institute of Engineering and Technology division of DAVV University in India. She began her professional career as a software engineer for Accenture. She came to the US in 2013 to pursue a MS in Computer Engineering from University of Delaware. Fatema currently works as a Security Engineer in UD’s Technical Security Group with a focus on IDS/IPS devices and is also pursuing her PhD at UD.
In this presentation, we demonstrate how Bro can be used to detect malicious traffic from compromised machines to a remote command and control (C2) server. Specifically, our team focused on detecting Cobalt Strike, a popular penetration testing tool. Cobalt Strike possesses a sophisticated callback mechanism that uses common protocols to beacon back to a remote C2 server and fetch instructions. From the remote server, attackers can send C2 instructions to processes running on the compromised hosts. This store-and-forward architecture is designed to avoid detection by blending in with ordinary traffic. Our team will present how we used Bro and other tools to discover indicators of compromise (IOCs) in past datasets, and then used this insight to develop Bro scripts that detected those IOCs on a live network. Our techniques were evaluated during the 2017 Cyber Defense Exercise, where undergraduates compete against the National Security Agency (NSA) Red Team. Additionally, we will provide observations on how Bro performed as part of a larger security architecture, which included the Snort Intrusion Detection System and an Elasticsearch, Logstash, Kibana monitoring suite.
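One of the generic checks used to hunt for that kind of callback, as an added example in Python that is not the team's Bro script: a periodicity test over connection records. The records are constructed (one host sleeping 60 seconds with 10 percent jitter between callbacks to 203.0.113.10:443, plus an irregular flow from the same host to 198.51.100.20:443), and the thresholds are assumptions to tune per environment:

```python
"""Beacon-periodicity check over (ts, orig_h, resp_h, resp_p) connection records.

Added example; the sample connections are constructed and the thresholds are
assumptions. Bro's conn.log supplies exactly these four columns.
"""
import statistics
from collections import defaultdict
from random import Random


def make_sample_conns():
    """Constructed conn records: a jittered 60 s beacon and an irregular flow."""
    rng = Random(7)
    rows, t = [], 1500000000.0
    for _ in range(30):
        t += 60.0 * rng.uniform(0.9, 1.1)   # sleep 60 s, jitter 10 %
        rows.append((t, "10.0.0.5", "203.0.113.10", 443))
    t = 1500000000.0
    for gap in (5, 300, 12, 900, 40, 120, 7, 250, 33, 600, 15, 90):
        t += gap                             # human-driven, bursty traffic
        rows.append((t, "10.0.0.5", "198.51.100.20", 443))
    return sorted(rows)


def beacon_candidates(rows, min_conns=8, max_cv=0.2):
    """Flag (orig_h, resp_h, resp_p) tuples whose inter-connection gaps are unusually regular.

    The coefficient of variation (stdev / mean) of the gaps is near zero for a
    fixed sleep and grows with jitter: uniform jitter of +/-j gives roughly
    j / sqrt(3), so max_cv=0.2 still catches about 30 % jitter. min_conns keeps
    a handful of coincidentally spaced connections from being called periodic.
    """
    times = defaultdict(list)
    for ts, orig_h, resp_h, resp_p in rows:
        times[(orig_h, resp_h, resp_p)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean, sd = statistics.mean(gaps), statistics.pstdev(gaps)
        cv = sd / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"key": key, "connections": len(ts_list), "period_s": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(make_sample_conns()):
        print("%s:%d <- %s  n=%d  period=%.1fs  cv=%.3f" % (
            hit["key"][1], hit["key"][2], hit["key"][0],
            hit["connections"], hit["period_s"], hit["cv"]))
```

Two caveats a practitioner will hit immediately: legitimate software (update checks, chat clients, monitoring agents) beacons too, so this is a triage list rather than an alert, and a callback that rotates among several hosts or domain-fronted endpoints spreads its connections across keys, which is why the talk's IOC-driven Bro scripts complement a purely statistical view.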
Speaker Bio: Benjamin Klimkowski
The Bro Package Manager was announced a year ago and has been under continual development since then. I will give an update on the current state of the package manager and the set of available packages, in addition to a quick tutorial on how easy it is to turn scripts into packages. There will be a public plea for people to convert existing scripts into packages!
Speaker Bio: Seth Hall
This presentation describes work that MITRE is performing to dissect malware command-and-control (C2) network protocols, currently a blind spot for many cybersecurity defenders, using the Bro Network Security Monitor's parser-generator framework. Many cybersecurity teams across industry, academia, and the U.S. Government are involved in the development of parsers for this type of network traffic. Currently, this work is implemented with hand-crafted programs/scripts written in general-purpose high-level languages, which are generally neither extensible nor reusable. This research seeks to show that the publicly available Spicy/BinPAC framework for generating protocol parsers can be used to more effectively develop parsers for malware C2 protocols for use in Bro, Wireshark, and other cybersecurity applications. It is expected that using this tool will: (1) significantly reduce the time to develop these parsers; (2) provide greater scalability for processing this type of network traffic from large volumes of data; (3) provide greater flexibility in updating parsers as new information is acquired about particular protocols or as they evolve; and (4) allow for greater sharing of these parsers across the communities of interest.
The first phase of this research was to select candidate C2 protocols. One of the criteria used to select candidate protocols was the availability of existing sample network traffic for analysis. The team chose the Turkojan malware and the Gh0st malware as the first two candidates, given the simplicity of both protocols. Turkojan C2 is plain-text, and Gh0st uses ZLIB compression but is plain-text otherwise.
The second phase of this research was to develop protocol parsers using the Bro Spicy/BinPAC framework. Spicy is still a prototype but is proving to be stable and robust enough for this application, using packet capture files as input (the team has not tested Spicy on live traffic yet). The Turkojan C2 parser is 100% complete, and it is estimated that development of this parser took approximately 50% of the time it would have taken with other tools (accounting for issues associated with the learning curve). The Gh0st C2 parser is 65% complete.
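For a feel of what such a parser has to express, here is an added example in Python of the framing logic a Gh0st-style C2 message needs (the MITRE work writes its parsers in Spicy; this is not their code). The layout assumed here, a fixed magic, a total frame length, the declared decompressed length, then a zlib stream, follows public write-ups of the Gh0st protocol and is an assumption; the sample frames are constructed:

```python
"""Framing parser for a Gh0st-style, zlib-compressed C2 message.

Added example in Python, not the MITRE Spicy parser. Assumed frame layout:
5 magic bytes, little-endian uint32 total length (header included),
little-endian uint32 decompressed length, then a zlib stream.
"""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")  # magic, total_len, decompressed_len


class FrameError(ValueError):
    """The stream cannot be a well-formed frame (desync, corruption or tampering)."""


def build_frame(payload):
    """Encode one message with the assumed framing (used here to build fixtures)."""
    compressed = zlib.compress(payload)
    return HEADER.pack(MAGIC, HEADER.size + len(compressed), len(payload)) + compressed


def parse_frames(buf, max_decompressed=1 << 20):
    """Split a TCP byte stream into decompressed messages.

    Returns (messages, remainder): remainder is the trailing partial frame the
    caller must prepend to the next chunk, which is what a streaming analyzer
    needs. The declared decompressed length is enforced through zlib's
    max_length so a hostile frame cannot expand without bound (a decompression
    bomb), and a declared length that does not match the real output is
    treated as corruption rather than silently accepted.
    """
    messages, offset = [], 0
    while len(buf) - offset >= HEADER.size:
        magic, total_len, decompressed_len = HEADER.unpack_from(buf, offset)
        if magic != MAGIC:
            raise FrameError("bad magic at offset %d" % offset)
        if total_len < HEADER.size or decompressed_len > max_decompressed:
            raise FrameError("implausible lengths in header")
        if len(buf) - offset < total_len:
            break  # frame not fully received yet; keep it for the next chunk
        body = buf[offset + HEADER.size:offset + total_len]
        inflater = zlib.decompressobj()
        try:
            # Ask for one byte more than declared: getting it proves the header lied.
            data = inflater.decompress(body, decompressed_len + 1)
        except zlib.error as exc:
            raise FrameError("corrupt zlib payload: %s" % exc)
        if len(data) != decompressed_len or inflater.unconsumed_tail:
            raise FrameError("declared length %d does not match payload" % decompressed_len)
        messages.append(data)
        offset += total_len
    return messages, buf[offset:]


if __name__ == "__main__":
    stream = build_frame(b"\x01hello") + build_frame(b"\x02" + b"A" * 1000)
    msgs, rest = parse_frames(stream)
    print([m[:8] for m in msgs], len(rest))
```

The two checks that matter operationally are the ones a quick hand-written parser usually skips: refusing a frame whose decompressed output disagrees with its header, and bounding the inflated size, since the sensor is parsing attacker-controlled bytes.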
Subsequent phases of this research will include selection of additional C2 protocols of greater complexity, such as those using basic encryption, and, if time and resources permit, challenging C2 protocols of significant complexity. Preliminary candidates for phases three and four include (in alphabetical order): Bifrost, Cybergate, DarkComet, jRAT, PoisonIvy, and XtremeRat.
Integration of these protocol parsers would be focused initially on Bro. Integration into Wireshark would be possible via the HILTI/Spicy framework, but it is beyond the initial scope of this work.
Speaker Bios: Kevin McMahon is a cybersecurity engineer at the MITRE Corporation. He has been using Bro for network traffic analysis for the last four years.
Mark Fernandez is a cybersecurity engineer at the MITRE Corporation. His first interaction with Bro was in 2015 to develop a new protocol analyzer via BinPAC for the Internet Content Adaptation Protocol (ICAP) which he presented at BroCon 2016.
A low-level software presentation by The Bro Team’s Robin Sommer.
We present our work on detecting credential spearphishing attacks at the Lawrence Berkeley Lab using Bro. We showcase the process of developing this detection, the intricacies of implementing it in Bro script, the challenges and successes of keeping state persistent using a Postgres backend, and deployment details. We further show the kinds of alerts and the capabilities of this new phishing detector. We intend to release the detection heuristics and all the code as a Bro package as well, for the community to benefit from.
Speaker Bio: Aashish Sharma is a member of the Cybersecurity Team at Berkeley Lab.
Have you contributed a package to the new Bro Package Manager? Or do you have something interesting to share related to Bro that doesn’t fit into a traditional presentation? Great! We’d love to hear from you. We have scheduled a 45-minute session for lightning talks. Be prepared to quickly identify your point, demonstrate it, and provide a link or contact info for later follow-up. We’d like to accommodate as many talks as possible so please limit your talk to less than 5 minutes. No commercially incentivized presentations, please.
Our team operates Bro in a massive enterprise environment that generates > 1.5 billion connection records per day, plus associated service logs. At this scale, using bro-cut and other standard text munging tools for analysis is untenable, as are many of the single-machine data science toolkits like Pandas/NumPy/SciPy or R. Instead, we use Apache Spark and the Hadoop ecosystem as our analysis toolkit in order to process the > 750 billion connection records we have collected since the inception of our program.
In this talk, we will discuss the tooling we have developed around Apache Spark to support analysis of Bro logs. These tools include ingest applications for converting standard Bro log files to Apache Parquet for more efficient reuse, an interface that allows analysts to query data using standard SQL syntax, and queue management strategies for data pipelining and basic access control. We will also show working analytics well-known to the security analysis community (e.g., port/protocol histograms, producer/consumer ratios, etc.) as examples to demonstrate the speed and ease of use of Spark's Scala and Python APIs. We will also discuss future work that makes use of Bro scripts to augment computation and use of Spark's streaming functionality.
Speaker Bios: Eric Dull is a Specialist Leader at Deloitte & Touche LLP, and the Chief Data Scientist of Deloitte’s Cyber Reconnaissance and Analytics practice. Eric has over fifteen years of experience in the areas of threat analysis, computing network security, high-performance computing, and graph analysis.
Joseph Mosby is a Specialist Master and software engineer at Deloitte & Touche LLP, working on Deloitte’s Cyber Reconnaissance team. He has engineered several large-scale analytic and data pipelining systems for organizations in the security, health care, and marketing domains. Joseph has also implemented several statistical analysis systems using Bro on the architecture under discussion.
Brian Sacash is a Specialist Senior and data scientist at Deloitte & Touche LLP, working on Deloitte’s Cyber Reconnaissance team. His work focuses on the analysis of network data through the use of big data tools and various data science disciplines such as natural language processing, statistical analysis, and machine learning.
Whether you build your own Bro cluster or you use a commercial Bro appliance, most of the existing Bro deployments have traditionally focused on physical hardware infrastructure. In this talk we plan to share our experiences on running Bro in the cloud. Specifically, our talk will cover the following three areas:
To facilitate a productive open discussion, our presentation will include both descriptions of the various workflows and architectural frameworks, putting emphasis on the various trade-offs found in each of the above mentioned components, as well as a live (or recorded) demonstration of running Bro in the cloud.
Speaker Bio: Alan Commike
In the endeavor of securing networks, Threat Intelligence (TI) has become a key component. TI can be roughly described as data that allows the identification of threats to your IT systems and networks. This data is available at strategic, tactical and operational levels. The Bro Network Security Monitor supports operational integration of TI through the Intelligence Framework.
In 2016, the Intelligence Framework was refactored. In this context, a couple of new features like removal and expiration of intelligence items (also referred to as Indicators of Compromise, IoCs) as well as a new way of extending the framework have been introduced. Nevertheless, to exploit the Intelligence Framework’s full potential, it is essential to understand the underlying concepts. Last year’s blog post has been a first attempt to shed some light on the framework’s data model and has introduced the new features. The proposed talk will revisit these foundations. In particular, the three different representations/manifestations of intelligence data will be elaborated, i.e. items for ingestion, their internal representation and seen data for matching. Furthermore, common pitfalls that have been encountered in the past will be discussed including developments regarding input reader resilience.
In addition, the talk will present the intel-extensions as an example on how the Intelligence Framework can be customized. Focusing on per-item-expiration, the Framework’s extension mechanisms will be described. To complete the picture, a use case will be introduced that employs per-item-expiration to ingest feeds, which contain domains generated by Domain Generation Algorithms (DGA). This includes experiences gathered during a test deployment at the Karlsruhe Institute of Technology, a German research and education institution.
Since Bro basically serves as an in-memory database for intelligence data, it is easy to lose track of the actual working set of indicators, because the files usually used for ingestion do not necessarily represent Bro's internal state. Another problem is the limited ability to interact directly with the system when a feed contains incorrect information and the intel.log is flooded with hits. The talk will present small Python scripts that can be used from the command line to insert, delete or query intelligence data managed by Bro. Making use of Bro's new communication library, Broker, these scripts represent only one way of dynamically interacting with the Intelligence Framework.
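To make the three representations and the working-set problem concrete, an added example in Python that models the framework's data flow in memory (it is not Bro's implementation and does not talk to Broker): a feed in Bro's intel input format is ingested into an internal per-indicator, per-source store, seen data is matched against it, and each item carries its own expiration in the spirit of the intel-extensions approach. The feed contents are constructed, and the meta.expire column is an assumed extension field, not one of Bro's stock intel columns:

```python
"""In-memory model of the Intelligence Framework's data flow.

Added example, not Bro code. Shows the three manifestations of intel data:
items for ingestion (feed lines), the internal representation (per indicator,
per source, with its own expiry), and seen data used for matching.
"""
from collections import defaultdict

# Constructed feed; meta.expire (seconds, '-' for never) is an assumed extension column.
FEED_V1 = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.expire\n"
    "evil-c2.example\tIntel::DOMAIN\tmanual\tknown C2 domain\t-\n"
    "XK3JD9Q.example\tIntel::DOMAIN\tdga-feed\tDGA output for 2017-09-01\t86400\n"
    "q0w9e8r.example\tIntel::DOMAIN\tdga-feed\tDGA output for 2017-09-01\t86400\n"
    "203.0.113.7\tIntel::ADDR\tmanual\tscanner\t-\n"
)
# The same feed a day later: DGA domains rotated out, scanner line deleted from the file.
FEED_V2 = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.expire\n"
    "evil-c2.example\tIntel::DOMAIN\tmanual\tknown C2 domain\t-\n"
)


def parse_feed(text):
    """Items for ingestion: one dict per data line, keyed by the #fields header."""
    fields, items = None, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") and not line.startswith("#fields"):
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        item = dict(zip(fields, line.split("\t")))
        raw = item.get("meta.expire", "-")
        item["meta.expire"] = None if raw == "-" else float(raw)
        items.append(item)
    return items


def normalize(indicator, itype):
    """Domains are lowercased so matching is case-insensitive, as Bro does."""
    return indicator.lower() if itype == "Intel::DOMAIN" else indicator


class IntelStore:
    def __init__(self, default_expire=None):
        self.default_expire = default_expire
        self.items = defaultdict(dict)  # (type, indicator) -> source -> metadata

    def insert(self, item, now):
        itype = item["indicator_type"]
        key = (itype, normalize(item["indicator"], itype))
        expire = item["meta.expire"] if item["meta.expire"] is not None else self.default_expire
        self.items[key][item["meta.source"]] = {
            "desc": item.get("meta.desc"),
            "inserted": now,
            "expires_at": None if expire is None else now + expire,
        }

    def load_feed(self, text, now):
        for item in parse_feed(text):
            self.insert(item, now)

    def remove(self, indicator, itype, source=None):
        """Explicit removal; deleting a line from the feed file does not do this."""
        key = (itype, normalize(indicator, itype))
        if key not in self.items:
            return False
        if source is None:
            del self.items[key]
            return True
        removed = self.items[key].pop(source, None) is not None
        if not self.items[key]:
            del self.items[key]
        return removed

    def expire(self, now):
        """Per-item expiration: drop entries whose own deadline has passed."""
        dropped = 0
        for key in list(self.items):
            for source, meta in list(self.items[key].items()):
                if meta["expires_at"] is not None and meta["expires_at"] <= now:
                    del self.items[key][source]
                    dropped += 1
            if not self.items[key]:
                del self.items[key]
        return dropped

    def match(self, seen_indicator, itype, now):
        """Seen data -> sources that hit; an entry past its deadline never matches."""
        metas = self.items.get((itype, normalize(seen_indicator, itype)), {})
        return sorted(s for s, m in metas.items()
                      if m["expires_at"] is None or m["expires_at"] > now)

    def working_set(self):
        return sum(len(sources) for sources in self.items.values())
```

Run through it: after loading FEED_V1 at time 0 the working set is four items; a day later expire() removes the two DGA domains on their own deadline while the manual entries stay; reloading FEED_V2 re-inserts the C2 domain but leaves the scanner address in memory even though it is gone from the file, so it still matches until remove() is called. That gap between the file and the state is exactly why the talk's Broker-based insert/delete/query scripts are useful.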
Finally, there will be an outlook on future work that is concerned with the integration of Cuckoo Filters into the Intelligence Framework as suggested by Matthias Vallentin. Overall, the talk aims at providing a thorough overview on the current state of Bro’s Intelligence Framework as well as ideas on how to use it in practice.
Speaker Bio: Jan Grashoefer
Our annual review of recent developments as well as planning for the future.
This talk is presented by The Bro Team’s Robin Sommer & Seth Hall.
Much attention has been paid to 'large' sensors in the Bro community. But there are many important network infrastructure situations that have topological complexity AND physical porosity. Consider for example a typical hospital company, operating 5 campuses with 5 buildings per campus, each with 5 floors, each with 5 wards, and wireless connectivity for authorized personnel and equipment. By their very nature, these networks can be porous, with attackers able to readily gain a degree of physical access to points deep within the network.
Intrusion detection sensors are often placed only at the perimeter of the network, and there have been many reports here of such deployments. The kind of sensor deployed at the perimeter cannot be affordably deployed at every critical point within such infrastructure.
We investigated the feasibility of placing a complete Bro deployment on a diskless, fanless sensor platform that can be manufactured for approximately $100, enabling the possibility of Bro deployments not only at the perimeter, but at critical points within the infrastructure.
This talk details what we had to do to "stock Bro" to achieve the goal of a Bro sensor platform under constraints of performance and memory pressure.
Speaker Bio: Vijay Pasapuleti is the Director of Embedded Systems Development at Acumera, Inc. He has over 25 years of experience in embedded network software development and media streaming technologies.
© 2014 The Bro Project.