What is the Timewell?
The timewell was invented so an operator can see patterns of activity across many paths at once. That makes possible classes of use such as the following:

- "lateral" movement: there may not be a contiguous network connection between a hacker and her target, but if I can see that some traffic comes in at one place at the same time a similar pattern is going out somewhere else, I can tell there is an agent on a host that is relaying

- outages: if I wire up the timewell to monitor all my ISP connections in real time, and one of them goes out, I will see it instantly

- DDOS: traffic from a DDOS will overwhelm everything else in the timewell, making it easy to see if there are any places where the DDOS is NOT coming from or going to

- changes in behavior: the timewell, when wired up to feeds properly, can show me a higher level of detail of activity generated by all my hosts and other systems, live; if I learn what normal is, then when it changes, I know right away

There are many more ways to use the timewell. It wasn't built with specific use cases in mind; rather, it was built to maximize visibility and comprehension.

The timewell starts on its outer edge as a big collection of "paths" arranged in a circle alphabetically. As you move INTO the screen (the Z axis), two things happen: time compresses, and the paths clump together into a tree structure... until you end up at root (the deep node) at the bottom of the well (farthest point on the Z axis). The benefit of this is that the time axis of this graph is the same for all the paths.

When you start up a feed such as the sniffer feed or honeypot feed, it will attempt to open a TCP socket to the "console" (the timewell software) every ten seconds. Once you start up the console, this socket succeeds in connecting, and the feed will start to send messages to the console over it.

The console doesn't have any knowledge of network structure or any other arrangement of nodes until a feed sends messages to it. Every message contains a source and destination, each of which is a four-level hierarchy of strings. The console simply adds "paths" that correspond to every source and destination that comes into it. Moving along these paths, down toward root, are what we call "blips". Each blip represents the set of messages received by the console during a specific slice of time, coming from or going to a specific path. As time progresses, all the blips move into the screen at the same rate.

The most counterintuitive aspect of the timewell is that all blips move INTO the screen, regardless of directionality of the communication being monitored. Each blip can contain two cones: one pointing outward (toward the operator), and one pointing inward (toward root). The outward pointing cone represents messages which had the path the blip is on as their SOURCE address; the inward pointing cone represents messages that had the blip's path as their DESTINATION address.
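The bookkeeping described in the last three paragraphs, as an added example rather than the console's own code: it assumes messages arrive as (timestamp, source, destination) with each endpoint a four-level tuple of strings, picks a ten-second slice width (the page gives no value), and uses constructed sample messages. Each full path is an edge node, every prefix of it is an ancestor toward root, and a blip at a node counts messages that had that node as SOURCE (outward cone) and as DESTINATION (inward cone).

```python
from collections import defaultdict
from dataclasses import dataclass

SLICE_SECONDS = 10  # assumed width of one time slice; the page gives no value

@dataclass
class Blip:
    outward: int = 0  # node was the message SOURCE: cone points toward the operator
    inward: int = 0   # node was the message DESTINATION: cone points toward root

class Console:
    def __init__(self):
        self.paths = set()              # every full four-level path a feed has mentioned
        self.tree = defaultdict(set)    # prefix -> child prefixes; root is the empty tuple
        self.blips = defaultdict(Blip)  # (time slice, prefix) -> Blip

    def ingest(self, ts, src, dst):
        """Record one feed message; src and dst are four-level tuples of strings."""
        if len(src) != 4 or len(dst) != 4:
            raise ValueError("source and destination must be four levels deep")
        slot = int(ts) // SLICE_SECONDS
        for path, is_source in ((tuple(src), True), (tuple(dst), False)):
            self.paths.add(path)
            # Walk from the rim (full path) down to root so every ancestor node
            # also carries the blip; deeper nodes therefore summarise more paths.
            for depth in range(4, -1, -1):
                prefix = path[:depth]
                if depth:
                    self.tree[path[:depth - 1]].add(prefix)
                if is_source:
                    self.blips[(slot, prefix)].outward += 1
                else:
                    self.blips[(slot, prefix)].inward += 1

    def blip(self, slot, prefix=()):
        """(outward, inward) message counts at one node in one slice; () is root."""
        b = self.blips.get((slot, tuple(prefix)))
        return (b.outward, b.inward) if b else (0, 0)

# Constructed sample messages (timestamp, source, destination); not real feed output.
SAMPLE = [
    (3, ("lan", "ops", "host-a", "tcp/22"), ("lan", "dmz", "host-b", "tcp/22")),
    (7, ("lan", "dmz", "host-b", "tcp/22"), ("lan", "dmz", "host-c", "tcp/445")),
    (12, ("lan", "ops", "host-a", "tcp/22"), ("lan", "dmz", "host-b", "tcp/22")),
]

def build_console(messages=SAMPLE):
    console = Console()
    for ts, src, dst in messages:
        console.ingest(ts, src, dst)
    return console
```

Sorting `console.paths` gives the alphabetical rim; `console.tree[()]` is root's first ring of children, and the same slot index applies to every node, which is the shared time axis the page describes.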

If a feed only sends a few different endpoints to the console, the timewell is very narrow and can be a bit difficult to see. Just wait until you get more endpoints. The main thing you will want to do is zoom in (x key) and out (z key) of the well, looking at the tree structure deeper down and then at the live activity on the outside.
