AIL Framework for Analysis of Information Leaks

workshop - A generic analysis information leak open source software

Alexandre Dulaunoy
alexandre.dulaunoy@circl.lu
Sami Mokaddem
sami.mokaddem@circl.lu
Aurélien Thirion
aurelien.thirion@circl.lu

info@circl.lu

@SUNET 20180207
 Objectives of the workshop

2 of 70
Our objectives of the workshop

• Demonstrate why data-analysis is critical in information security

• Explain challenges and the design of the AIL framework
• Learn how to install and start AIL
• Learn how to properly feed AIL with custom data
• Learn how to manage current modules
• Learn how to create new modules
• Practical part: Workshop

3 of 70
 Sources of leaks

4 of 70
Sources of leaks: Paste monitoring

• Example: http://pastebin.com/
◦ Easily storing and sharing text online
◦ Used by programmers and legitimate users
→ Source code & information about configurations

5 of 70
Sources of leaks: Paste monitoring

• Example: http://pastebin.com/
◦ Easily storing and sharing text online
◦ Used by programmers and legitimate users
→ Source code & information about configurations
• Abused by attackers to store:
◦ List of vulnerable/compromised sites
◦ Software vulnerabilities (e.g. exploits)
◦ Database dumps
→ User data
→ Credentials
→ Credit card details
◦ More and more ...

5 of 70
Examples of pastes
Sources of leaks: Others
• Mistakes from users
◦ https://github.com/search?q=remove password&type=Commits&ref=searchresults

7 of 70
Sources of leaks: Others
• Mistakes from users
◦ https://github.com/search?q=remove password&type=Commits&ref=searchresults

8 of 70
Why so many leaks?

• Economical interests (e.g. Adversaries promoting services)

• Political motives (e.g. Adversaries showing off)
• Collaboration (e.g. Criminals need to collaborate)
• Operational infrastructure (e.g. malware exfiltrating information on
a pastie website)
• Mistakes and Errors

9 of 70
Are leaks frequent?

Yes!
and we have to deal with this as a CSIRT.
• Contacting companies or organisations who did specific
accidental leaks
• Discussing with media about specific case of leaks and how to
make it more practical/factual for everyone
• Evaluating the economical market for cyber criminals (e.g. DDoS
booters1 or reselling personal information - reality versus media
coverage)
• Analysing collateral effects of malware, software vulnerabilities or
exfiltration
→ And it’s important to detect them automatically.
1
10 ofhttps://github.com/D4-project/
70
Paste monitoring at CIRCL: Statistics

• Monitored paste sites: 27

◦ pastebin.com
◦ ideone.com
◦ ...

2016 2017 08.2018

Collected pastes 18,565,124 19,145,300 11,591,987
Incidents 244 266 208
Table: Pastes collected and incident2 raised by CIRCL

2
http://www.circl.lu/pub/tr-46
11 of 70
Privacy, AIL and GDPR

• Many modules in AIL can process personal data and even special
categories of data as defined in GDPR (Art. 9).
• The data controller is often the operator of the AIL framework
(limited to the organisation) and has to define legal grounds for
processing personal data.
• To help users of AIL framework, a document is available which
describe points of AIL in regards to the regulation3 .

3
https:
//www.circl.lu/assets/files/information-leaks-analysis-and-gdpr.pdf
12 of 70
Potential legal grounds

• Consent of the data subject is in many cases not feasible in

practice and often impossible or illogical to obtain (Art. 6(1)(a)).
• Legal obligation (Art. 6(1)(c)) - This legal ground applies mostly
to CSIRTs, in accordance with the powers and responsibilities set
out in CSIRTs mandate and with their constituency, as they may
have the legal obligation to collect, analyse and share information
leaks without having a prior consent of the data subject.
• Art. 6(1)(f) - Legitimate interest - Recital 49 explicitly refers to
CSIRTs’ right to process personal data provided that they have a
legitimate interest but not colliding with fundamental rights and
freedoms of data subject.

13 of 70
 AIL Framework

14 of 70
From a requirement to a solution: AIL Framework

History:
• AIL initially started as an internship project (2014) to
evaluate the feasibility to automate the analysis of
(un)structured information to find leaks.
• In 2018, AIL framework is an open source software in
Python. The software is actively used (and maintained) by
CIRCL.

15 of 70
AIL Framework: A framework for Analysis of
Information Leaks

”AIL is a modular framework to analyse potential information

leaks from unstructured data sources like pastes from Pastebin.”

Other leaks

16 of 70
AIL Framework: Current capabilities

• Extending AIL to add a new analysis module can be done in 50

lines of Python
• The framework supports multi-processors/cores by default.
Any analysis module can be started multiple times to support
faster processing during peak times or bulk import
• Multiple concurrent data input

17 of 70
AIL Framework: Current features
• Extracting credit cards numbers, credentials, phone numbers,
...
• Extracting and validating potential hostnames
• Keeps track of duplicates
• Submission to threat sharing and incident response platform
(MISP and TheHive)
• Full-text indexer to index unstructured information
• Tagging for classification and searches
• Terms, sets and regex tracking and occurences
• Archives, files and raw submission from the UI
• Sentiment/Mood analyser for incoming data
• And many more
18 of 70
 Live demo!

19 of 70
Example: Following a notification (0) - Dashboard

20 of 70
Example: Following a notification (1) - Searching

21 of 70
Example: Following a notification (2) - Metadata

22 of 70
Example: Following a notification (3) - Browsing
content

23 of 70
Example: Following a notification (3) - Browsing
content

24 of 70
 Setting up the framework

25 of 70
Setting up AIL-Framework from source or virtual
machine
Setting up AIL-Framework from source

1 git clone https://github.com/CIRCL/AIL-framework.git

2 cd AIL-framework
3 ./installing_deps.sh
4 cd var/www/
5 ./update_thirdparty.sh

Using the virtual machine:

1. Download https://www.circl.lu/assets/files/
ail-training/AIL_v@4986352.ova
2. Start virtualbox
3. File → import appliance → select AIL June.ova
4. (for now) Prevent the automatic launch and git pull the changes
26 of 70
 AIL ecosystem - Challenges and design

27 of 70
AIL ecosystem: Technologies used

Programing language: Full python3

Databases: Redis and ARDB
Server: Flask
Data message passing: ZMQ, Redis list and Redis
Publisher/Subscriber

28 of 70
AIL global architecture 1/2
Flask web interface

Redis
ZMQ feed
ARDB (RocksDB)
import dir.py ZMQ
Via GUI

AIL framework
Credentials credit-cards

CVEs API keys

Emails Bank account

Onions ···
29 of 70
AIL global architecture 2/2
Redis PubSub 1: port 6380, channel queuing
Redis PubSub 2: port 6380, channel script Pystemon import dir.py

ZMQ

AIL Mixer

Redis set 1 Redis set 2 Redis set 3

Modulex Modulex Moduley Modulez

Redis PubSub

Flask server
30 of 70
Data feeder: Gathering pastes with pystemon
Pystemon global architecture
Redis PubSub 1: port 6380, channel queuing
Redis PubSub 2: port 6380, channel script

Org Org Org

Org
Pystemon1 Org SOCAT:5555

Pystemon2 Redis set Dispatcher ZMQ:5555

Pystemon3

AIL Subscriber
31 of 70
AIL global architecture: Data streaming between
module

32 of 70
AIL global architecture: Data streaming between
module (Credential example)

33 of 70
Message consuming

Modulex

SADD

Redis set

SPOP SPOP

Moduley Moduley

→ No message lost nor double processing

→ Multiprocessing!
34 of 70
Web crawler
• Web crawler is used to crawl regular website as well as .onion
addresses
• Splash (scriptable browser) is rending the pages (including
javascript) and produce screenshots (HAR archive too)

...
Docker container Docker container

Splash Splash

AIL-framework

35 of 70
Figure: Architecture of AIL and its hidden services crawler
 Starting the framework

36 of 70
Running your own instance from source

Make sure that ZMQ Global→address =

tcp://crf.circl.lu:5556,tcp://127.0.0.1:5556 in bin/package/config.cfg

Accessing the environment and starting AIL

1 # Activate the virtualenv

2 . ./AILENV/bin/activate
3
4 # Launch the system
5 cd bin/
6 ./LAUNCH -l
7

8 # Will also start the web interface

37 of 70
 Running your own instance using the virtual machine

Login and passwords:

1 Web i n t e r f a c e ( d e f a u l t n e t w o r k s e t t i n g s ) :
2 http ://192.168.56.51:7000/
3 S h e l l /SSH :
4 a i l / Password1234
5

38 of 70
 Feeding the framework

39 of 70
Feeding AIL

There are differents way to feed AIL with data:

1. Be a trusted partner with CIRCL and ask to get access to our feed
info@circl.lu

2. Setup pystemon and use the custom feeder

◦ pystemon will collect pastes for you
3. Feed your own data using the import dir.py script
4. Feed your own file/text using the UI (/PasteSubmit/)

40 of 70
Feeding AIL

There are differents way to feed AIL with data:

1. CIRCL trusted partners can ask to access our feed info@circl.lu

B You already have access

2. Setup pystemon and use the custom feeder
◦ pystemon will collect pastes for you
3. Feed your own file/text using the UI (/PasteSubmit/)
4. Feed your own data using the import dir.py script

41 of 70
Plug-in AIL to the CIRCL feed

You can freely access the CIRCL feed during this workshop!
• In the file bin/package/config.cfg,
• Set ZMQ Global->address to tcp://crf.circl.lu:5556

42 of 70
Via the UI (1)

43 of 70
Via the UI (2)

44 of 70
Feeding AIL with your own data - import dir.py (1)

/!\ 2 requirements:

1. Data to be fed must have the path hierarchy as the following:

1.1 year/month/day/(textfile/gzfile)
1.2 This is due to the inner representation of paste in AIL

2. Each file to be fed must be of a raisonable size:

2.1 ∼ 3 Mb is already large
2.2 This is because some modules are doing regex matching
2.3 If you want to feed a large file, better split it in multiple ones

45 of 70
Feeding AIL with your own data - import dir.py (2)

1. Check your local configuration bin/package/config.cfg

◦ In the file bin/package/config.cfg,
◦ Add 127.0.0.1:5556 in ZMQ Global
◦ (should already be set by default)

46 of 70
Feeding AIL with your own data - import dir.py (2)

1. Check your local configuration bin/package/config.cfg

◦ In the file bin/package/config.cfg,
◦ Add 127.0.0.1:5556 in ZMQ Global
◦ (should already be set by default)
2. Launch import dir.py with de directory you want to import
◦ import dir.py -d dir path

46 of 70
Feeding AIL with your own data - import dir.py (2)

1. Check your local configuration bin/package/config.cfg

◦ In the file bin/package/config.cfg,
◦ Add 127.0.0.1:5556 in ZMQ Global
◦ (should already be set by default)
2. Launch import dir.py with de directory you want to import
◦ import dir.py -d dir path
3. Watch your data being feed to AIL

46 of 70
 Creating new features

47 of 70
Developping new features: Plug-in a module in the
system
Choose where to put your module in the data flow:

Then, modify bin/package/modules.cfg accordingly

48 of 70
 Writing your own modules - /bin/template.py
1 import time
2 from pubsublogger import publisher
3 from Helper import Process
4 if __name__ == ’ __main__ ’:
5 # Port of the redis instance used by pubsublogger
6 publisher . port = 6380
7 # Script is the default channel used for the modules .
8 publisher . channel = ’ Script ’
9 # Section name in bin / packages / modules . cfg
10 conf ig_section = ’ < section name > ’
11 # Setup the I / O queues
12 p = Process ( config_section )
13 # Sent to the logging a description of the module
14 publisher . info ( " < description of the module > " )
15 # Endless loop getting messages from the input queue
16 while True :
17 # Get one message from the input queue
18 message = p . get_from_set ()
19 if message is None :
20 publisher . debug ( " {} queue is empty , waiting " . format ( config_section ) )
21 time . sleep (1)
22 continue
23 # Do something with the message from the queue
24 s o m e t h i n g _ h a s _ b e e n _ d o n e = do_something ( message )
25 49 of 70
AIL - Add your own web interface

1. Launch var/www/create new web module.py

2. Enter the module’s name
3. A template and flask skeleton has been created for your new
webpage in var/www/modules/
4. You can start coding server-side in:
var/www/modules/your module name /Flask your module name.py
5. You can start coding client-side in:
var/www/modules/your module name /templates/your module name.html

var/www/modules/your module name /templates/header your module name.html

50 of 70
 Case study: Push alert to MISP

51 of 70
Push alert to MISP

−→

Goal: push tags to MISP.

52 of 70
Push alert to MISP

−→

1. Use infoleak taxonomy4

2. Add your own tags
3. Create an event on a paste

4
https://www.misp-project.org/taxonomies.html
53 of 70
Case study: Finding the best place in the system

Best place to put it?

54 of 70
Case study: Finding the best place in the system

Best place to put it?

55 of 70
 Case study: Updating Flask server.py
Flask server.py
1 [...]
2 # ========== INITIAL tags auto export ============
3 r_serv_db = redis . StrictRedis (
4 host = cfg . get ( " ARDB_DB " , " host " ) ,
5 port = cfg . getint ( " ARDB_DB " , " port " ) ,
6 db = cfg . getint ( " ARDB_DB " , " db " ) ,
7 d e c o d e_responses = True )
8 infoleak_tags = taxonomies . get ( ’ infoleak ’) . machinetags ()
9 i n f o l e a k _ a u t o m a t i c _ t a g s = []
10 for tag in taxonomies . get ( ’ infoleak ’) . machinetags () :
11 if tag . split ( ’= ’) [0][:] == ’ infoleak : automatic - detection ’:
12 r_serv_db . sadd ( ’ l i s t _ e x p o r t _t a g s ’ , tag )
13
14 r_serv_db . sadd ( ’ list_exp o r t _ t ag s ’ , ’ infoleak : submission =" manual " ’)
15 r_serv_db . sadd ( ’ list_exp o r t _ t ag s ’ , ’ < your_tag > ’)
16

56 of 70
Auto Push Tags

57 of 70
Create an event

58 of 70
Create an event

59 of 70
 Practical part

60 of 70
Practical part: Pick your choice

1. Update support of docker/ansible

2. Graph database on Credential.py
◦ Top used passwords, most compromised user, ...
3. Webpage scrapper
◦ Download html from URL found in pastes
◦ Re-inject html as paste in AIL
4. Improvement of Phone.py
◦ Way to much false positive as of now. Exploring new ways to validate
phone numbers could be interesting
5. Your custom feature

61 of 70
 Contribution rules

62 of 70
How to contribute

63 of 70
Glimpse of contributed features

• Docker
• Ansible
• Email alerting
• SQL injection detection
• Phone number detection

64 of 70
How to contribute

• Feel free to fork the code, play with it, make some patches or add
additional analysis modules.

65 of 70
How to contribute

• Feel free to fork the code, play with it, make some patches or add
additional analysis modules.
• Feel free to make a pull request for your contribution

65 of 70
How to contribute

• Feel free to fork the code, play with it, make some patches or add
additional analysis modules.
• Feel free to make a pull request for your contribution
• That’s it!

65 of 70
Final words

• Building AIL helped us to find additional leaks which cannot be

found using manual analysis and improve the time to detect
duplicate/recycled leaks.

→ Therefore quicker response time to assist and/or inform

proactively affected constituents.

66 of 70
 Annexes

67 of 70
 Managing the framework

68 of 70
Managing AIL: Old fashion way
Access the script screen

1 screen -r Script

Table: GNU screen shortcuts

Shortcut Action
C-a d detach screen
C-a c Create new window
C-a n next window screen
C-a p previous window screen

69 of 70
Managing your modules: Using the helper

70 of 70