How My Bro the Elk Obtains Context from Security Events

To properly identify and manage security incidents, organizations need to collect data in real time, analyze the data in real time, and store that data so it can be used later to correlate against more real-time data as it arrives on the scene.


The challenge is that storing data costs money, and managing and using that data for security purposes is a problem in its own right. As you collect more data and try to make sense of it, the complexity grows. As time passes, the context of the old data erodes, and the context of newly captured data is difficult to apply to it. To succeed, the right data must be captured and the right tools and analysis must be applied.


“Collecting and analyzing security logs is just the tip of the iceberg,” said Travis Smith of Tripwire during his presentation at the Blackhat USA 2015 conference in Las Vegas. The real meat is in full packet capture – not the logs.

Once you have the means to capture full packet data (using tools like tcpdump or Wireshark – essentially anything that writes the pcap format), “feed it into Bro,” said Smith. Bro is an open source IDS that inspects traffic across the OSI layers (layer 1 to layer 7) in real time.

With Bro, it’s also possible to feed in previously captured packet data and use it after the fact for forensic analysis. Because Bro logs each event with the time stamp at which the packet was captured, not the date/time the capture file was imported, you can replay and view the historical activity as it originally occurred and look for anomalies in the traffic.

Still, organizations are quickly realizing that security data dwarfs even big data. “Security data is morbidly obese data,” said Smith. Simply adding more data doesn’t help, of course. Smith suggests that “threat intelligence can help with this problem.”

“Critical Stack represents one option to tie in threat intelligence feeds for known bad actor addresses,” said Smith. “Critical Stack aggregates threat intelligence information and can write it to Bro code so Bro can read it,” he added. At the time of Smith’s session, Critical Stack pulled in 100 different threat feeds with over 1 million indicators of compromise (IoC).

Once the feeds are in place in Bro, alongside the packet capture data collected in Bro, security teams can use custom pattern matches and create rules for each of the devices being monitored. “These patterns and rules dramatically clean up the data, making it easier to view,” said Smith.

Viewing the real-time data set is just part of the security management process. “One problem with real-time attack monitoring is that an IP address may not be flagged as malicious at the time the analysis is being performed,” said Smith. “An hour later, an IP address that was previously considered safe could later get flagged as malicious, but your security team won’t know that you’ve been compromised – it’s too late,” Smith added.

To address this after-the-fact analysis challenge, Smith and the team at Tripwire introduced the TARDIS framework, announcing its availability on GitHub and featuring demonstrations during Blackhat’s Arsenal.

TARDIS is a framework that ingests IoC data in formats like STIX or CybOX and correlates it with vulnerability scan data, so security analysts can determine whether any of the organization’s assets are vulnerable to an attack and whether they have already been exploited. It lets security teams map the details of a newly discovered attack onto previously captured packet and vulnerability data to see how and where it has affected their environment.
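The retrospective matching described above, as an added illustration rather than code from TARDIS or Bro: stored Bro conn.log records are replayed against an intel list that was updated after the traffic was captured, so an address flagged only later is still tied back to the historical connections it appeared in. The log excerpt, the intel entries, and the "added" times are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed Bro conn.log excerpt (tab-separated; a subset of the real fields:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto). The ts column is
# the capture time, which is what makes after-the-fact correlation possible.
CONN_LOG = """\
1438965000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp
1438965060.500000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t49152\t198.51.100.25\t80\ttcp
1438965120.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51240\t192.0.2.77\t22\ttcp
"""

# Constructed intel entries (indicator -> (feed name, epoch time the indicator
# was added)). A real Bro intel file from Critical Stack carries indicator,
# indicator_type and meta.source; the "added" time is an assumption here.
INTEL = {
    "198.51.100.25": ("feed-a", 1438965000.0),  # known bad before the traffic
    "192.0.2.77": ("feed-b", 1438968720.0),     # flagged an hour after the connection
}

@dataclass
class Hit:
    uid: str
    ts: float
    indicator: str
    source: str
    flagged_after_capture: bool  # True when intel arrived after the traffic

def parse_conn_log(text):
    """Parse the tab-separated conn.log lines, skipping Bro's '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
        records.append({"ts": float(ts), "uid": uid, "orig_h": orig_h,
                        "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto})
    return records

def match_intel(records, intel):
    """Check both endpoints of every stored connection against the intel list."""
    hits = []
    for r in records:
        for host in (r["orig_h"], r["resp_h"]):
            if host in intel:
                source, added = intel[host]
                hits.append(Hit(r["uid"], r["ts"], host, source, added > r["ts"]))
    return hits

if __name__ == "__main__":
    for h in match_intel(parse_conn_log(CONN_LOG), INTEL):
        note = "flagged after capture" if h.flagged_after_capture else "known at capture time"
        print(f"{h.ts:.6f} {h.uid} {h.indicator} ({h.source}): {note}")
```

The second hit is the case Smith describes: the connection was logged as clean, and only a later pass over the stored log with refreshed intel reveals it.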
