The YAKSHA Cybersecurity Solution and the Ambassadors Programme. Alessandro Guarino YAKSHA Innovation Manager CEO, StudioAG

Transcription

1 The YAKSHA Cybersecurity Solution and the Ambassadors Programme Alessandro Guarino YAKSHA Innovation Manager CEO, StudioAG 1st Webinar December 17,

2 Agenda I. Introduction to the YAKSHA project III. YAKSHA Cybersecurity Solution II. What does it mean to be a YAKSHA ambassador? IV. Q & A 2

3 Agenda I. Introduction to the YAKSHA project III. YAKSHA Cybersecurity Solution II. What does it mean to be a YAKSHA ambassador? IV. Q & A 3

4 The Concept WHY WHAT HOW YAKSHA Motivation Develop and implement a software toolkit to improve Cybersecurity of organisations in the ASEAN region YAKSHA Results Enhance cybersecurity readiness levels for its end users, help better prevent cyber-attacks, reduce cyber risks and better govern the whole cybersecurity process. Process & Strategy Focus on adapting & integrating other domain technologies into innovative solutions 4

5 YAKSHA Methodology Data Collection Data collection methodology and architecture Ontology definition and interoperability Research and Innovations in malware collection & detection 5

6 YAKSHA Methodology Design and Software Development Sandbox and Honeypot development environment Malware Sample DB and sharing Data Analytics Correlation Engine Integrated Threat Intelligence 6

7 YAKSHA Methodology Pilots 2019 Projects in Viet Nam, Malaysia, Greece Pilot Planning Trial Protocols Pilot projects deployment, execution and support Pilots results evaluation 7

8 Agenda I. Introduction to the YAKSHA project III. YAKSHA Cybersecurity Solution II. What does it mean to be a YAKSHA ambassador? IV. Q & A 8

9 What s Next YAKSHA Ambassadors The Network Special toolkits and trainings will be provided Purpose The initiative presents an opportunity for everyone willing to CONTRIBUTE to Enhancing cybersecurity readiness levels Better preventing cyber-attacks Reducing cyber risks Better governing the whole cybersecurity process 9

10 What s Next YAKSHA Ambassadors Benefits A chance to get funding to attend events Free trials and early access to the YAKSHA software Access the latest news in Cybersecurity Gain visibility on the YAKSHA website Become part of a Network Receive special toolkits and trainings 10

11 Agenda I. Introduction to the YAKSHA project III. YAKSHA Cybersecurity Solution II. What does it mean to be a YAKSHA ambassador? IV. Q & A 11

12 YAKSHA Concept YAKSHA is a distributed system which allows the automated deployment of honeypots, data collection and analysis as well as reporting and information sharing with affiliated YAKSHA installations. YAKSHA enables organisations, companies and government agencies to deploy custom honeypots meeting their own specifications, monitor attacks in real time and analyse them. 12

13 YAKSHA Prototype The YAKSHA prototype is being released in December The ambassadors community will be keep current on the possibility of access to demos, dedicated versions and information The technical solution chosen for YAKSHA is a blend of existing software tools and software modules written for the project 13

14 YAKSHA Data Collection Methodology Designed taking into account several relevant perspectives such as cybersecurity challenges of YAKSHA end users, latest threat trends, assumptions and limitations of honeypots, as well as use cases perspectives and data collection needs. The data collection methodology established a baseline of activities that leads to determining what data YAKSHA collects regarding remote interactions and malware analysis, what assumptions, limitations and legal ground are relevant, what methods and tools to adopt for data collection, and what reference architecture design is suitable for YAKSHA data collection, management and processing. 14

15 YAKSHA Data Collection Methodology Data collection high level view 15

16 Why Honeypots are Relevant Cyber threat Description Honeypot potential Malware Malicious software remains the most frequently Honeypots have an important role in detecting new encountered cyber threat. Evolved techniques malware. By playing the role of a vulnerable host to (including click-less and file-less infections, wormbased spreading, hybrid attacks, wiping of traces, be infected, honeypots can collect and observe malware in action. different infection vectors, and obfuscation based resistance against heuristic blocking) make malware difficult to resist. Web-based attacks Attacks against web servers or web application Honeypots can study attack vectors against and servers are often used in combination with attacks. For example, compromised servers enable malware from honeypot web servers. For instance, honeypots can monitor adversary s reconnaissance techniques Web application infections and provide control points for other and adversary s control channels. Honeypots may attacks compromised nodes. also discover previously unknown vulnerabilities - zero-day attacks - by real-time monitoring and quick fingerprinting of successful attacks. Phishing Phishing is a social engineering attack that often As phishing typically involves sophisticated end-user relates to different technical means. Adversaries may actions, honeypots cannot represent the adversaries e.g. utilize malware to mislead victims or capture Source: primary ENISA targets Threat the Landscape users. Instead, Report 2017 honeypots 3Why role lies web servers for to send mass phishing s or to in secondary phases of the attack e.g. in luring provide fake sites. adversaries to compromise honeypot server to deploy phishing sites. 16

17 Why Honeypots are Relevant 2 Spam Unsolicited s have recently reduced in numbers but still more than half of the s are spam. Spam has also improved in quality as better obfuscation techniques have made it more difficult to detect. Adversaries often utilize captured devices (also honeypots) for spamming. Honeypots provide a mean to track adversaries (by following where the control messages come) as well as to learn how the spam is generated in order to create effective filtering solutions. Denial of service Denial and Distributed Denial of Service (DoS, DDoS) attacks are a major threat against different online businesses. They have also been taken more seriously e.g. due to recent As availability related attacks are typically executed from captured devices, honeypots are a good tool for learning and mitigating them. Honeypots can e.g. find control servers large botnet attacks and emergence of and channels as well as identify targeted DDoS-as-a-service providers. victims to enable early warnings and mitigation actions. Ransomware Malware that encrypts victims data for blackmailing has become a prominent threat in the recent years. A honeypot may have a role e.g. in exploring Source: ENISA Threat Landscape Report Why ransomware s distribution servers. 17

18 Why Honeypots are Relevant 3 Botnets Botnets - a network of captured nodes running automated attack software (robots) - is a threat that is utilized e.g. in DoS or fake advertisement hits. Recent IoT botnets like Mirai and Reaper have demonstrated how massive amounts of vulnerable low cost things can be captured and harnessed into a malicious botnet. A recent trend is that also virtualized nodes are being captured. Honeypots, which pretend to be vulnerable things or nodes, are captured into botnets and can provide valuable information on how devices are captured and what the adversary s purposes are. Insider threat Persons with privileges and inside Honeypots can provide defence against organisation are high-severe and difficult misbehaving or inadvertent users as they to protect threat as the focus is typically may catch insiders snooping and on the perimeter defence. accessing on targets where they should Source: ENISA Threat Landscape Report Why not be. 18

19 YAKSHA Architecture Traits Distributed: The architecture is inherently distributed. YAKSHA makes possible to deploy easily and cost-effectively hundreds of honeypots through its interconnected nodes. The distributed nature of the YAKSHA system allows also to leverage information and knowledge gathered by nodes outside of one s organisation, improving its readiness and defensive capabilities. Modular: It allows both opportunistic and continuous sample collection, as well as selective information sharing with other entities when necessary. Users can upload custom honeypots, monitor attacks in real time and analyse them Scalable: It is easy to scale up installations by adding nodes to the network, up to national and international scale. 19

20 YAKSHA Architecture Traits Systems and Tools: YAKSHA will provide hooks for IoT devices, Android and SCADA systems, as well as regular Windows and Linux. In addition, YAKSHA provides machine learning tools and AI algorithms that can detect malware more accurately, correlate the information with other samples, and extract attack vectors and patterns. Automation: the platform allows the automated creation of nodes and honeypots deployment, data collection and analysis as well as reporting and information sharing with affiliated YAKSHA installations. Policies: since honeypots may expose stakeholder s specific vulnerabilities, each YAKSHA node has the capability of specifying policies for information sharing: the ability to limit the sharing of information outside a single organisation (if the user choses to), as well as anonymization and data protection by default. 20

21 Use Case and Pilot Project Smart Home IoT Platform Testbed - OTE The goal of the use case is to use a YAKSHA node within a pre-commercial environment (infrastructure and settings) provided by OTE to collect real data of potential attacks against the smart home IoT platform (pre-commercial) product. YAKSHA analytics capability will be used to raise awareness and provide decision support in strengthening the cybersecurity posture of the product. Using YAKSHA in a pre-commercial environment will make OTE aware of potential attacks in the wild against OTE s products and services. 21

22 Use Case and Pilot Project 22

23 Use Case and Pilot Project The back-end system provides data analytics, as well as real-time data visualisation to the end users. Users are also allowed to create customised figures and data visualisation. 23

24 YAKSHA Prototype The Prototype environment is composed of: Methods, interfaces and tools to configure, develop and deploy the necessary sandbox environments for trapping the malware Monitoring tools, including specialised environments like SCADA, IoT, ICSs. Automation of procedures to deploy honeypots and collect the necessary information from them Development of the database which will store all the collected information from the honeypots based on the ontology that has been designed 24

25 YAKSHA Prototype The platform is composed of open source tools that have been customized and software developed by the project to automate several procedures. The YAKSHA platform will be released under a permissive licence for most of its components, the long term sustainability being based on complementary services, including paying access to threat intelligence collected from the YAKSHA nodes. 25

26 YAKSHA Prototype Stack UBUNTU as the OS to host hypervisor provider KVM/QEMU as platform hypervisor provider ( CUCKOO as sandbox ( It was chosen based on its characteristics it is a sandbox environment which also works on docker. Android sandbox and honeypot environments have been implemented through cuckoo. Cuckoo does not support SCADA and IoT environments hence partners developed the necessary VMs for SCADA / IOT honeypots, collecting data and integration with above installations has taken place through a web service (REST API) supporting Linux, Windows and Android operating systems Vagrant ( Virtual Box as internal virtualization platform for honey pots VMs ( Connecting users to these virtual machines is allowed through SSH (Linux) and WinRM (Windows) and Android so that the end users can remotely install the necessary software that they want and customize their honeypot according to their needs is in progress. cloudstack to manage Infrastructure ( The YAKSHA database is developed on MongoDB and PostgreSQL is the repository for users data (roles etc) and extracted data from malware + reports generated OSSEC ( Fabric ( Conpot ( Logstash ( Elasticsearch ( Kibana ( 26

27 Agenda I. Introduction to the YAKSHA project III. YAKSHA Cybersecurity Solution II. What does it mean to be a YAKSHA ambassador? IV. Q & A 27

28 Q & A Thanks for Your Time What are your questions? Contacts: StudioAG Consulting & Engineering We hope to see you all at the next YAKSHA webinar! 28

29 YAKSHA Consortium This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement Nº