Think In Graph!

Defcon is one of the world's largest hacker conferences, often referred to as "hacker summer camp". It is usually hosted in the summer in Las Vegas, right after the Black Hat conference.

This was my first Defcon, so it was exciting to race between the villages and the many talk tracks. There were so many hacking techniques, new vulnerabilities, and even cool lock-picking demonstrations on show.

Besides hackers, many attendees were security professionals and corporate security decision makers. The Blue Team Village, in its second year, attracted a lot of InfoSec people.

I went to a few talks in the Blue Team Village, including one about having a cyber threat intelligence mindset, one about using open source tools to do malware analysis, and another about using a tool called BloodHound to turn Active Directory data into attack paths.

One quote that came up in several different talks caught my attention: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." by John Lambert from Microsoft.

The idea rings very true from my experience. I have worked for Hillstone Networks, a renowned network security company, for several years. Yes, it is right: when developing security defense applications, we do think in lists. A list of assets, a list of users, a list of vulnerabilities, a list of threats, and we show all those lists to customers.

So what do those threats actually mean? What systems are they on? Who uses those systems? What is the attack path? A list-based mentality doesn't answer those questions. We need to connect the dots, and a graph obviously can help: the same assets, users, vulnerabilities and threats become nodes, and the relationships between them (runs on, logs on to, has access to, is exposed to) become edges that can be walked from an entry point to a critical asset.
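To make the difference concrete, here is an added example (my illustration, not something from the talks or from any product mentioned in this post) that takes the four "lists" a dashboard would show and joins them into one directed graph. Walking the edges from an exposed host to a database answers the questions a list cannot: which vulnerabilities are actually reachable, which paths lead to the critical asset, and which single edge (a network connection, a privilege, a session) sits on all of them and is therefore the best place to apply a mitigation. All hostnames, account names and the vulnerability id are constructed placeholders.

```python
"""Attack-path analysis over a small security graph.

Added illustration, not code from the original post: the asset, user,
vulnerability and threat lists are expressed as labelled edges of one
directed graph, then queried for reachability and attack paths.
Every name below is a constructed placeholder.
"""
from collections import Counter, defaultdict, deque

# Constructed sample data. Each tuple is (source, target, relation).
EDGES = [
    ("internet", "web01", "exposed_to"),          # threat list: inbound activity seen
    ("web01", "VULN-PLACEHOLDER-1", "has_vuln"),  # vulnerability list
    ("web01", "app01", "connects_to"),            # asset list / network topology
    ("app01", "svc-app", "runs_as"),              # service account on the host
    ("svc-app", "db01", "has_access_to"),         # user list: account permissions
    ("app01", "alice", "has_session"),            # admin session present on app01
    ("alice", "db01", "admin_of"),
    ("alice", "ws-alice", "logged_on"),
]


def build_graph(edges):
    """Adjacency map: node -> list of (neighbour, relation)."""
    graph = defaultdict(list)
    for src, dst, rel in edges:
        graph[src].append((dst, rel))
        graph.setdefault(dst, [])  # sinks (e.g. vulnerability nodes) are nodes too
    return graph


def reachable(graph, start):
    """Every node an attacker at `start` could walk to (breadth-first).

    A vulnerability node in this set is exposed; one outside it is on the
    vulnerability list but not on any path from the entry point.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _rel in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_paths(graph, start, target, max_depth=6):
    """All simple directed paths from start to target, depth-limited.

    Returns a list of paths; each path is a list of (src, dst, relation) edges.
    """
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for nxt, rel in graph.get(node, []):
            if nxt in visited:
                continue
            path.append((node, nxt, rel))
            walk(nxt, visited | {nxt}, path)
            path.pop()

    walk(start, {start}, [])
    return paths


def choke_points(paths):
    """Edges ranked by how many attack paths they appear in.

    An edge shared by every path is where one mitigation (a firewall rule,
    a removed privilege, a patched host) cuts all of them at once.
    """
    counts = Counter(edge for path in paths for edge in path)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def render(path):
    """Human-readable form of one path."""
    return " ".join(f"{s} -[{r}]-> {d}" for s, d, r in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("Reachable from the internet:", sorted(reachable(g, "internet")))
    paths = find_paths(g, "internet", "db01")
    for p in paths:
        print("Attack path:", render(p))
    for edge, n in choke_points(paths):
        print(f"{n} path(s) use {edge[0]} -[{edge[2]}]-> {edge[1]}")
```

With the constructed data there are two paths from the internet to the database, one through the service account and one through the admin session left on the application server; both share the web01 to app01 connection, so that edge tops the choke-point ranking while the two database-access edges each appear on only one path. The same questions are far harder to answer with four separate lists.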

Defenders have to change. We can see that graph-based thinking is now an industry trend. For example, VirusTotal, the malware search tool we use every day, has developed the VirusTotal Graph tool. It connects the dots and makes the connections between many data nodes (files, URLs, domains and IP addresses) easy to see.

Changes are being made in Hillstone's products as well, and I am glad to see the move in the right direction: a graph visualization (topology view) that shows network assets and network/service connections. This is not only pleasing to the eye, it also helps network admins quickly understand how the network performs and which critical assets are at risk. Detected threats drawn between nodes help investigators find attack paths, reconnaissance and lateral movement at the perimeter or inside the network.

The cloud threat intelligence we are developing is naturally built on top of graph thinking. The whole dataset and the models are built on a native graph database, which makes relationship edges first-class citizens in the dataset. So I am happy to see that we defenders can think in the same way our adversaries do, which I surely hope will give us an edge to win in the attacker-defender cat-and-mouse game.