Skip to content
/ neo4j-connections-cyber-2021 Public

Cybersecurity demo for Neo4j's Connections: Graphs in Cybersecurity 2021

10 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

voutilad/neo4j-connections-cyber-2021

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
bloom
bloom
 
 
cypher
cypher
 
 
Cybersecurity_Connections-2021.pdf
Cybersecurity_Connections-2021.pdf
 
 
README.md
README.md
 
 
ad-auditing.dump
ad-auditing.dump
 
 
bloom.gif
bloom.gif
 
 

Repository files navigation

Neo4j Connections: Graphs for Cybersecurity

Demo as presented on 31 Mar, 2021.

bloom animation

Background

This demo is based on the data and themes from the BloodHound[1] project. I recommend looking into BloodHound or reading the very comprehensive handbook[2] on it to learn more about Active Directory attack paths and auditing techniques.

In this demo, the BloodHound Tools project was used to populate a fictitious Active Directory graph in Neo4j.

Prerequisites

Install the following:

  • Neo4j 4.4.x
  • Neo4j Graph Data Science Library 2.0 or newer
  • Neo4j Bloom 2.0 or newer
  • APOC (for Neo4j v4.4)

Neo4j Memory Settings

For the neo4j instance, you can use the same neo4j.conf memory settings I used. They might be overkill, but are safe:

dbms.memory.heap.initial_size=1G
dbms.memory.heap.max_size=2G
dbms.memory.pagecache.size=256m

Populating the Graph

Follow the README.md in the DBCreator directory. In effect, it's as simple as running:

$ pip install -r requirements.txt
$ python DBCreator.py

Use the dbconfig command to set up your connection url, username, and the password to the database.

Then run clear_and_generate to wipe and populate the database.

NOTE: it will default to the neo4j database until I (or someone else) update the DBCreator.py to support specifying alternative database names!

The GDS Cypher

I've provided the GDS cypher queries in ./cypher. However, the one you should keep handy is the one to "reset" or initialize the system for giving the demo:

// Attack Path - Prep
// Drop graphs
CALL gds.graph.list() YIELD graphName
CALL gds.graph.drop(graphName) YIELD graphName AS dropped
RETURN count(*);

// Drop attack paths
MATCH ()-[r:ATTACK_PATH]->() DELETE r;

// Rebuild projection
CALL gds.graph.project.cypher("attackPaths",
    "MATCH (n) RETURN id(n) AS id",
    "MATCH (a)-[r]->(b) WHERE type(r) <> 'PATH' AND type(r) <> 'RAW_PATH' " +
    "  AND type(r) <> 'PATH_0' RETURN id(a) AS source, id(b) AS target"
);

Installing the Bloom Perspectives

The provided Bloom perspectives (in ./bloom) can be imported[4] very easily. Make sure to import them both.

They contain all the cypher statements used by Bloom, so unless you want to try the GDS queries, you're good to explore the graph!

Make sure that you run the initialization cypher mentioned in the previous section first!

Keep in mind that if you generate your own data, you may need to tweak the user accounts used for the queries.

Presentation Materials

Slides are available here.

You can also skip some steps and load this dump file.

More of a video person? The recording is available on YouTube.

Footnotes

Github typically doesn't render these well.

[1] https://github.com/BloodHoundAD/BloodHound

[2] https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf

[3] https://github.com/voutilad/BloodHound-Tools/tree/update-to-neo4j4

[4] https://neo4j.com/docs/bloom-user-guide/current/bloom-perspectives/

About

Cybersecurity demo for Neo4j's Connections: Graphs in Cybersecurity 2021

Resources

Readme
Activity

Stars

10 stars

Watchers

3 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published