What do you notice when you walk into a mature organisation built upon large networks consisting of tens of thousands of machines that provide a wide range of services? Especially when these networks have been built over decades by many experts and are being maintained and managed by many more.
Among the endless (often incomplete) spreadsheets, Word documents, and administrative procedures to keep track of all that is happening in these networks, with these machines, and with these people, you may sometimes notice a lack of in-depth understanding and oversight of what the true situation is.
Keeping track of what is truly going on in a large organisation that has been changing and growing for over 30 years is nonetheless probably one of the hardest tasks in systems administration. It is not surprising that when you enter such an organisation, all you notice is an intricate cluster inside layers of more intricacy. This lack of in-depth understanding and oversight can pose a very high risk, especially when the darker parts of the network, the old, outdated systems from a time of dinosaurs, may well be an easy target, and no one knows about it.
So how do we begin to fix this?
On the application layer, we have thousands of people in this organisation who have access to thousands of systems with different permissions. On the network layer, we have this myriad of machines somehow communicating with each other through different protocols, with different access rules defined by many firewalls.
This presentation describes how we are switching our information models more and more from spreadsheets to graph representations of the relationships between people and machines, and between machines and other machines. It shows, for example, how we use shortest path algorithms to map out attack vectors from one machine to another, and PageRank algorithms to identify the critical systems in our networks: the systems that the most machines or people depend on. Identifying critical systems guides our targeted defence strategies, telling us what we should defend and where to focus. Identifying attack vectors, the paths from one machine to another, helps us determine who should have access to these machines, what that access should be, and how it should be defined and protected. It also helps us identify the weak spots in our networks for a strategic approach to security monitoring and incident response.
These representations are made by converting our lists to graphed relationships using Neo4j, a powerful graph-based database management system and visualisation tool. We explain how we built our models on top of Neo4j to draw these representations, with information from identity and access management records, firewall configurations, system-specific network information, etc. We describe how valuable these representations have proven to be in our daily purple teaming operations. This new approach to redefining our models guides us to strengthen our security posture and has given us a chance to be better defenders!
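The two analyses the abstract names, shortest paths between nodes and PageRank over dependency edges, as an added example that is not the presenters' Neo4j model: plain Python stands in for Neo4j/Cypher, and the people, hosts and access edges are constructed sample data, not records from any real network.

```python
from collections import deque

# Constructed sample relationships (hypothetical names). An edge (a, b) means
# "a can reach b": a person has access to a host, or a firewall rule lets one host
# connect to another. Reaching a node is what makes it a dependency of its sources.
EDGES = [
    ("alice", "workstation-1"), ("workstation-1", "fileserver"),
    ("fileserver", "backup"), ("bob", "workstation-2"),
    ("workstation-2", "fileserver"), ("workstation-2", "legacy-db"),
    ("legacy-db", "backup"), ("admin-jump", "legacy-db"),
]

def build_graph(edges):
    """Directed adjacency lists; insertion order is kept so results are deterministic."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, [])
        graph.setdefault(dst, [])
        if dst not in graph[src]:
            graph[src].append(dst)
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search over access edges: one shortest attack path, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def pagerank(graph, damping=0.85, iterations=100):
    """Power-iteration PageRank; rank of sinks (no out-edges) is spread evenly."""
    nodes = list(graph)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not graph[v])
        rank = {v: (1 - damping) / n + damping * (dangling / n + sum(
            rank[u] / len(graph[u]) for u in nodes if v in graph[u])) for v in nodes}
    return rank

def most_critical(graph, top=3):
    """Systems the most other nodes depend on, highest PageRank first."""
    ranked = sorted(pagerank(graph).items(), key=lambda kv: (-kv[1], kv[0]))
    return [v for v, _ in ranked[:top]]
```

In the sample data the backup host scores highest because every person's access path ends there, which is the kind of finding that decides where monitoring and hardening effort goes first.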