Deep Node

The Concept

The Concept

When you are looking into the screen (along the z-axis), you are looking into the past at a record of communication across network data streams. We combine multiple feeds (NetFlow, PCAP, logs, IDS alerts, threat intelligence, etc.) into a single, time-based 3D / VR visualization, so you can quickly recognize anomalous patterns and activities, and hunt down the most sophisticated hackers embedded in your network. 


The Timewell Manifesto

Deep Node's "timewell" was invented so an operator can see patterns of activity across many paths at once. This allows for some of the following classes of use: 

- "lateral" movement: there may not be a contiguous network connection between a hacker and her target, but if I can see that some traffic comes in some place at the same time a similar pattern is going out to some place else, I can tell there is an agent on a host that is relaying

- outages: if I wire up the timewell to monitor all my ISP connections in real time, and one of them goes out, I will see it instantly

- DDOS: traffic from a DDOS will overwhelm everything else in the timewell, making it easy to see if there are any places where the DDOS is NOT coming from or going to

- changes in behavior: the timewell, when wired up to feeds properly, can show me a higher level of detail of activity generated by all my hosts and other systems, live; if I learn what normal is, then when it changes, I know right away

There are many more ways to use the timewell. It wasn't built with specific use cases in mind; rather, it was built to maximize visibility and comprehension across the common set of questions asked by analysts during investigation. 

The timewell starts on its outer edge as a big collection of "paths" arranged in a circle alphabetically. As you move INTO the screen (the Z axis), two things happen: time compresses, and the paths clump together into a tree structure... until you end up at root (the deep node) at the bottom of the well (farthest point on the Z axis). The benefit of this is that the time axis of this graph is the same for all the paths. 

When you start up a feed such as the sniffer feed or honeypot feed, it will attempt to open a TCP socket to the "console" (the timewell software) every ten seconds. Once you start up the console, this socket succeeds in connecting, and the feed will start to send messages to the console over it. 

The console doesn't have any knowledge of network structure or any other arrangement of nodes until a feed sends messages to it. Every message contains a source and destination, each of which is a four-level hierarchy of strings. The console simply adds "paths" that correspond to every source and destination that comes into it. Moving along these paths, down toward root, are what we call "blips". Each blip represents the set of messages received by the console during a specific slice of time, coming from or going to a specific path. As time progresses, all the blips move into the screen at the same rate. 

The most counterintuitive aspect of the timewell is that all blips move INTO the screen, regardless of directionality of the communication being monitored. Each blip can contain two cones: one pointing outward (toward the operator), and one pointing inward (toward root). The outward pointing cone represents messages which had the path the blip is on as their SOURCE address; the inward pointing cone represents messages that had the blip's path as their DESTINATION address. 

If a feed only sends a few different endpoints to the console, the timewell is very narrow and can be a bit difficult to see. Just wait until you get more endpoints. The main thing you will want to do is zoom in (x key) and out (z key) of the well, looking at the tree structure deeper down and then at the live activity on the outside.