Unveiling the Open Source Visualization Engine for Busy Hackers

Presented at Black Hat USA 2014, Aug. 6, 2014, 2:15 p.m. (60 minutes)

The way a human efficiently digests information varies from person to person. Scientific studies have shown that some individuals learn better when information is presented visually or spatially than when they simply read text. Why, then, do vendors expect customers to consume data only as written words rather than as advanced graphical representations? We believe this approach is dated. To help the neglected, visually inclined masses, we decided to create a free and Open Source engine that removes the complexity of creating advanced data visualizations. The ultimate goal of the project is to allow the visualization of any loosely related data without having to endlessly reformat it. For visual/spatial learners, the engine will interpret their own data, whether it describes a simple or a complex system, and present the results in a way their brains can understand. Learning, for visual-spatial learners, takes place all at once, with large chunks of information grasped in intuitive leaps rather than through the gradual accretion of isolated facts or small steps. For example, a visual-spatial learner can grasp all of the multiplication facts as a related set in a chart much more easily and quickly than by memorizing each fact independently. We believe that some security practitioners might be able to make better use of their respective data sets if provided with an investigative model that their brains can understand.

During this presentation, we will show you how to take any relational data set, quickly massage its format, and visualize the results. We will also share some observations and conclusions drawn from the visualizations that may not have been apparent in simple text form. We have used this engine within OpenDNS to track CryptoLocker and CryptoDefense ransomware, Red October malware, and the Kelihos botnet. Additionally, specific Syrian Electronic Army (SEA) campaigns, carding sites, and even a map of the Internet via Autonomous Systems have been visualized using the engine. Interesting data can also be isolated through Python- and JavaScript-based plugins that can easily be added to the engine's framework. These plugins affect the way the data is visualized and allow analysts to make sense of their data as it relates to the question they are trying to answer. The "big picture" model will help visually inclined incident responders, security analysts, and malware researchers visually stitch together complex data sets without needing a PhD in math or particle physics.

Presenters:

  • Andrew Hay - OpenDNS, Inc.
    Andrew Hay is the Senior Security Research Lead & Evangelist at OpenDNS, where he leads the Umbrella research team and its efforts. Prior to joining OpenDNS, Andrew served as the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc., where he led the security research efforts for the company. Prior to joining CloudPassage, Andrew served as a Senior Security Analyst for 451 Research's Enterprise Security Practice (ESP), providing technology vendors, private equity firms, venture capitalists, and end users with strategic advisory services. Through his work at 451 Research, Andrew was instrumental in securing tens of millions of dollars in equity investment for numerous security product vendors. He is a veteran strategist with more than a decade of experience related to endpoint, network, and security management across various product sectors. Andrew was honored with the title of Security Thought Leader in May 2008 by the SANS Institute; named an IT Knowledge Exchange blogger of the week in June 2009; listed as one of the Most Powerful Voices in Security by SYS-CON Media's Jim Kaskade in September 2011; and named one of Tripwire Inc.'s Top 25 Influencers in Security in December 2011. He is frequently approached to provide expert commentary on security-industry developments, and has been interviewed by members of the press for such publications as The Sacramento Bee, eWeek, TechTarget, Wired Magazine, Network World, and CSO Magazine, in addition to podcasts such as the Data Security Podcast, Forensic4Cast, SecuraBit, PaulDotCom, Security.Exe, Beyond The Perimeter, The Risk Hose, Security Roundtable, and Tenable Network Security.
  • Thibault Reuille - OpenDNS
    Thibault is a Security Researcher at OpenDNS, Inc. His research is mainly focused on big data visualization. At a very young age, Thibault fell in love with the demo scene and everything related to computer-generated art. He started to teach himself 3D graphics and went to EPITA school in Paris, France. He later joined the LSE, the computer security laboratory, for a total period of four years, where he spent a lot of time breaking everything he could. He built a solid knowledge of reverse engineering, pen-testing, secure programming, exploit writing, and many other (in)security-related techniques. After obtaining his master's degree in 2010, Thibault decided to move to California to accept a position at Nvidia Corporation. This is where he had the chance to refine his 3D graphics knowledge and to dig deep inside the GPU mechanisms and the OpenGL API. He stayed in this position for four years. Finally, Thibault found a new job at OpenDNS, Inc. as a Security Researcher and has been working there since June 2013. He is developing a 3D engine capable of rendering large amounts of data to extract intelligent patterns from it using advanced graph theory. He believes the combination of visualization, distributed computing, and machine learning is the key to taking computer intelligence to the next level. Thibault has given several presentations at world-renowned conferences, such as CanSecWest Vancouver (March 14, 2014), BSides SF (February 23, 2014), and BayThreat 4 (December 6, 2013). You can consult some of his work here: http://labs.umbrella.com/author/thibault and some of his artsy work here: http://thibaultreuille.tumblr.com.