LongTail Log Analysis with Eric Wedaa

Facebooktwitterredditpinterestlinkedintumblrmail

Eric Wedaa is currently senior system administrator at Marist College in Poughkeepsie, New York. He has been involved in UNIX system administration since 1987 and UNIX security since 1992. He began the LongTail Log Analysis project in 2014 and released it in 2015. LongTail is an SSH Honeypot and set of tools for brute force attack analysis. The LongTail Log Analysis project is open to IEEE-affiliated, cybersecurity students and professionals and, in May 2016, it became one of 11 cybersecurity containers to be accepted by the IEEE Try-CybSI project.

Question: Would you describe the LongTail project and its relevance to IEEE Cybersecurity Initiative readers?

Wedaa: This project has major implications for all cybersecurity practitioners and students. The LongTail data lives on a website hosted by Marist. Marist has a strong tradition of mixing its IT department with student and educational environments. As part of our mission we’re using LongTail to teach students about honey pots and cybersecurity and it’s one of the foundations of a recent National Science Foundation grant that we’ve received for software-defined networking.

Cybersecurity professionals know that Linux and other UNIX operating systems are the OSs of choice for super computers, data centers and Web servers and it runs as a virtual machine on almost all mainframe computers. Some studies show that 80 percent of all financial transactions pass through a UNIX system at some point. UNIX-like OSs are the basis of Android-based mobile phones and iPhones. Without Linux and the other UNIX-like operating systems, there’d be no Internet, no World Wide Web, no Google, no Facebook. In short, it is foundational and ubiquitous.

Question: What are the LongTail project’s practical benefits to cybersecurity?

Wedaa: By keeping track of cyber attackers with tools like LongTail, cybersecurity professionals can more accurately and efficiently block attacks. By analyzing attacks, we can figure out when new attacks occur and what new vulnerabilities are being exploited by the bad guys. It’s an important, essentially unique tool for cybersecurity practitioners.

Question: Would you define a few terms relevant to your project, for an audience that includes non-cybersecurity experts?

Wedaa: “LongTail” is the name of the project and its website, analytics software and the different honeypots. A physical “honeypot” left in the forest will attract bears, so a computer honeypot is a computer system decoy to lure cyber attackers for detection and study of their attempts to gain access to our systems.

For instance, in an “SSH honeypot,” SSH is the program used to log into a Linux or UNIX computer. When someone tries to log into an SSH honeypot, we’re recording the IP address they’re using, the accounts they’re attacking, the passwords they’re trying and the software they’re using. We log each attempt. Unique to LongTail, among other analytics tools, is that we can analyze “brute force attacks” and group the attackers into “botnets.” A brute force attack is an automated attempt to use every possible permutation of passwords to gain access into your computer network. A botnet is a short form for “robot network” – a bunch of computers controlled by a bad guy or organization that can attack thousands of servers on the Internet with the push of a button.

Question: What sort of results do you get from analyzing attacks?

Wedaa: Grouping our analyses into botnets helps us on cybersecurity defense, tactically and strategically. We can identify with reasonable certainty that certain Internet servers are controlled by the bad guys, and that helps Internet service providers shut them down. When attackers have DNS (Domain Name System) entries, we can give the DNS provider proof and request they be shut down.

In general, our LongTail findings indicate that these attacks occur constantly against every computer on the Internet. These attacks are a real problem and LongTail reveals that harsh fact. We see a lot of attacks coming from Asia and, on a smaller scale, countries like Brazil and India. The United States is very good about shutting down offenders.

Some attackers generate a million attacks every day. Others are trying to fly under the radar and doing slow attacks, and sometimes they can stay on a computer system for years. LongTail also gives us insight into new vulnerabilities in terms of default accounts and default passwords. LongTail’s HTTP honeypot has captured some of the attackers’ programs, which reveals the sorts of programs the attackers are downloading onto vulnerable servers.

Question: We’ve focused on Linux. Is your project relevant to other OSs?

Wedaa: Right now, LongTail is only running on UNIX systems but attacks are coming in against Microsoft Windows servers as well. Marist students are helping us set up honeypots on Windows servers. From studies I’ve seen, Windows servers are attacked just as much as UNIX servers. UNIX happens to be a golden apple because that’s where a lot of financial transactions take place and that’s where most mail servers are being run.

Question: What should IEEE Cybersecurity Initiative and Try-CybSI readers know about using LongTail data for educational purposes or to thwart attacks?

Wedaa: Consumers need to install and update virus detection software on their home PCs. People turn off virus checking because it’s annoying. Another step is using strong passwords. If you don’t take these steps, your system is going to get taken over sooner or later. For IT professionals, there’s actually a link on the LongTail website talking about the ten basic steps to implement for defense in depth.

If the bad guys can’t get in the yard, they can’t try keys to your front door. I’d advise everyone to use that checklist.