M. Dacier Director Symantec Research Labs Europe

Similar documents
Leurré.com. a worldwide distributed platform to study Internet threats. Deployed and Managed by The Eurecom Institute

A Framework for Attack Patterns Discovery in Honeynet Data

Firewall Identification: Banner Grabbing

THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots

WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats. Fabien Pouget Institut Eurécom January 24th 2006

Usage of Honeypot to Secure datacenter in Infrastructure as a Service data

DarkNOC. Dashboard for Honeypot Management

Large Scale Attacks on the Internet Lessons learned from the LOBSTER project

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Avoiding Information Overload: Automated Data Processing with n6

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

THE RISE OF GLOBAL THREAT INTELLIGENCE

Novetta Cyber Analytics

Worm Detection, Early Warning and Response Based on Local Victim Information

The Mimecast Security Risk Assessment Quarterly Report May 2017

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

CE Advanced Network Security Honeypots

An Analysis of Correlations of Intrusion Alerts in an NREN

Introduction to Honeypot Technologies

Cyber Vigilantes. Rob Rachwald Director of Security Strategy. Porto Alegre, October 5, 2011

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Limitation of Honeypot/Honeynet Databases to Enhance Alert Correlation

3-2 GHOST Sensor: Development of a Proactive Cyber-attack Observation Platform

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Data Collection and Incident Analysis: IT-ISAC Perspective. ENISA Workshop March 17, 2010

Comparative Study of Different Honeypots System

Statistics Clearinghouse function Infrastructure Alert function

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

TIME FOR CHANGE: Migrating From Windows XP to Windows 8.1 Pro

ENISA & Cybersecurity. Dr. Udo Helmbrecht Executive Director, European Network & Information Security Agency (ENISA) 25 October 2010

: Administration of Symantec Endpoint Protection 14 Exam

The NextGen cyber crime battlefield. Why organizations will always lose this battle

SOLUTION MANAGEMENT GROUP

Honey Pot Be afraid Be very afraid

Mapping Internet Sensors with Probe Response Attacks

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

Automated technique to reduce positive and negative false from attacks collected through the deployment of distributed honeypot network

Ethical Hacker Foundation and Security Analysts Course Semester 2

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

CCNA Cybersecurity Operations 1.1 Scope and Sequence

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

4-Port Router. Share your broadband Internet connection. E Wired. Ethernet. Ethernet. User Manual. F5D5231-4_uk

Penetration Testing with Kali Linux

CCNA Cybersecurity Operations. Program Overview

Un SOC avanzato per una efficace risposta al cybercrime

Advanced Threat Hunting:

Database Discovery: Identifying Hidden Risks and Sensitive Data

PROTECTION SERVICE FOR BUSINESS. Datasheet

Jan Nys GM Cyber Security

Hands-On Activity. Firewall Simulation. Simulated Network. Firewall Simulation 3/19/2010. On Friday, February 26, we will be meeting in

Darknet Traffic Monitoring using Honeypot

Honeyconf: Automated Script for generating Honeyd Configuration to Detect Intruders

Deploying File Based Security on Dynamic Honeypot Enabled Infrastructure as a Service Data Centre

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Characterizing Dark DNS Behavior

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

SGNET: a worldwide deployable framework to support the analysis of malware threat models

A Novel Approach to Detect and Prevent Known and Unknown Attacks in Local Area Network

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic

Honeypot Hacker Tracking and Computer Forensics

Tracking Evil with Passive DNS

Institutional Disaster Plan

Overview of nicter - R&D project against Cyber Attacks in Japan -

Cisco Networking Academy CCNA Cybersecurity Operations 1.1 Curriculum Overview Updated July 2018

Mapping Internet Sensors with Probe Response Attacks

Introduction to Data Management for Ocean Science Research

Data Mining for Intrusion Detection: from Outliers to True Intrusions

The YAKSHA Cybersecurity Solution and the Ambassadors Programme. Alessandro Guarino YAKSHA Innovation Manager CEO, StudioAG

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Call for Interest for the INTERPOL Digital Crime Centre 2 nd round (area of advanced technology required for the Malware/BotNet analysis)

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

INTERNATIONAL TELECOMMUNICATION UNION

PALANTIR CYBERMESH INTRODUCTION

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Symantec Antivirus Manual Removal Tool Corporate Edition 10.x

How enterprises can use cyber threat information effectively? Shimon Modi,

Wi-Net Window and Rogue Access Points

Application Firewalls

A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

Incident Response Tools

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

CEH: CERTIFIED ETHICAL HACKER v9

Monitoring and 3D Visualization of the Internet Threats

Symantec Security Monitoring Services

Managing Latency in IPS Networks

Securing CS-MARS C H A P T E R

Network Security: Firewall, VPN, IDS/IPS, SIEM

Cyber War Chronicles Stories from the Virtual Trenches

ArcSight Activate Framework

LaBrea p. 74 Installation and Setup p. 75 Observations p. 81 Tiny Honeypot p. 81 Installation p. 82 Capture Logs p. 83 Session Logs p.

Computer Network Vulnerabilities

NoAH Honeynet Project. 17 th TF-CSIRT Event 23/24 January 2006 DFN-CERT Services GmbH

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

CNIT 121: Computer Forensics. 9 Network Evidence

Transcription:

Leurré.com: a worldwide distributed honeynet, lessons learned after 4 years of existence M. Dacier Director Symantec Research Labs Europe marc_dacier@symantec.com

Foreword M. Dacier joined Symantec on the first of April 2008 as the director of Symantec Research Labs Europe.» These slides present work done with partners while he was at the Eurecom Institute.» The views expressed here are the ones of the author and are not necessarily shared by Symantec

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

Dahu: definition The Dahu is an extremely shy animal living in the Alps of France and Switzerland.[ ] It has adapted to its steep environment by having legs shorter on the uphill side and longer on the downhill side [ ]» The Dahu, An endangered Alpine species, Science, 2568, November 1996, pp.112:» http://www.vidonne.com/html/dahu-reignier.htm

Food for thoughts Dahus are rare, bizarre, stimulating from an intellectual point of view but...» Does it justify the existence of Dahusian research?» How can we make sure we are not building tools against Dahusian hackers?» How can we avoid inventing Dahusian solutions?

Data, data and more data Experimental validation is at the core of every scientific discipline.» Computer security should not be different» Data collected in a rigorous way may reveal interesting actionable knowledge

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

Leurré.com V1.0 Ongoing effort since 2003» Almost 50 platforms in 30 countries today» Uses low interaction honeypot (based on honeyd)» Stores all enriched tcpdump (os fingerprinting, geographical location, etc.) in an Oracle DB open to all partners.» Collection of tools, interfaces (java, matlab, python, etc.) and documentation available for free to all partners.

Experimental Set Up (based on honeyd) Internet R e v e r s e F i r e w a l l V i r t u a l S w I t c h Observer (tcpdump) Mach0 Windows 98 Workstation Mach1 Windows NT (ftp + web server) Mach2 Redhat 7.3 (ftp server)

50 sensors in 30 countries (5 continents)

Win-Win Partnership The interested partner provides» One old PC (pentiumii, 128M RAM, 233 Mhz ) and 4 routable IP addresses, EURECOM offers» Installation CD Rom» Remote logs collection and integrity check.» Access to the whole SQL database by means of a secure GUI and a wiki (over https) + an automated alerting system

Leurré.com V1.0: Lessons learned (1/3) Leurré.com, a collaborative effort:» Partially funded by the European RESIST NoE (www.resist-noe.org)» Key element of the new European WOMBAT Project.. (www.wombat-project.eu)» More information is available in the publications listed on the www.leurrecom.org web page.

Leurré.com V1.0: lessons learned (2/3) Data used in this presentation:» Collected between March 14, 2004 and March 14, 2008» Aggregated on a monthly basis.» Names and localizations of the platforms have been anonymized (as imposed by the NDA).» Available by means of dynamic applets at www.leurrecom.org after the conference.

Leurré.com V1.0: lessons learned (3/3) 1. The observed attack strategy 2. Safe havens 3. Good and bad neighborhoods

Reality vs. Representation This is not a pipe René Magritte (1898-1967)

1. The observed Attack Strategy Different groups of compromised machines are used for specific tasks.» Some do scan the network without attacking anyone» Others do take advantage of this accumulated knowledge to attack vulnerable targets.

1. The observed attack strategy (ctd.) Once a human being eventually logs into a compromised machine, this is achieved from a third, distinct, set of machines.» In the ssh experimentation carried out with LAAS-CNRS (E. Alata et al.), all of these machines came from a specific country, Romania.

«Scanners» 100% 80% 60% closed 47% closed 48% closed 77% 40% 20% 0% open 53% open 52% open 23% mach0 mach1 mach2

«Attackers» 100% 80% closed 5% closed 3% closed 4% 60% 40% open 95% open 97% open 96% 20% 0% mach0 mach1 mach2

The changing observed attack strategy A supplementary step seems to have emerged:» ICMP scans precede the two other steps.» New modus operandi has appeared rapidly, worldwide. Actionable Knowledge:» Machines that do not respond to ICMP echo packets will be less attacked than others» Early discovery of pingers and/or scanners help protecting your network.

ICMP vs TCP vs UDP over the last 4 years

2. Safe Havens Some attacks do come from a very limited number of countries» sometimes from only one» They target a, sometimes very, small fraction of the Internet» This is not limited to the ssh case explained before. Actionable knowledge:» Enables behavior-based protection paradigms.

Platforms targeted by country of origin

Ports sequence targeted by country of origin

3. Good and bad neighborhoods Your IP matters:» The amount of attacks is more a function of where you are than of who you are.» Other sites in the same environment exhibit similar attack profiles as yours Actionable knowledge:» Pick the quieter places for your servers» Others can tell you if you are subject to a targeted attack

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

Leurrécom V2.0, SGNET: Goals Continue the conversation with the attacker up to the point where a malware is downloaded (resp. uploaded). Avoid using high interaction honeypots Data collected with V2.0 enrich the ones obtained with V1.0

Means Scriptgen: a novel 'medium-interaction' honeypot SGNET =» Scriptgen (Eurecom) + Argos (VU Amsterdam) + Nepenthes (TU Manheim) + Anubis (TU Wien) + Virustotal (Hispasec).

Scriptgen Basic idea (see ACSAC05, RAID06, NOMS08, EDDC08):» Learn protocol semantics from the interactions with a real server Represent learnt behavior in a state machine» Protocol agnostic approach No assumption is done neither on protocol structure, nor on its semantics.

Operational setup SG Sample SG SSH SSH GW factory Argos Shellcode handler SG Anubis Malware

Current status A couple of SG sensors deployed to study the feasibility of the approach. Important contribution to the newly funded WOMBAT European project.

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

IST-216026-WOMBAT Worldwide Observatory of Malicious Behaviors and Attack Threats 3 Years research project See www.wombat-project.eu for more information

The WOMBAT Consortium

Main objectives and principles

Project results and innovation New data gathering tools» Advanced features (high interaction, real-time analysis)» New targets (wireless, bluetooth, RFID, ) Tools and techniques for characterization of malware» Malware-based analysis AND Contextual analysis Framework and tools for qualitative threat analysis» Early warning systems

The WOMBAT is welcoming you The philosophy of the WOMBAT project is to join forces to address the current and future threats If you are interested in being involved in this effort or in learning more about it, feel free to contact me: marc_dacier@symantec.com

Overview Introduction» Leurré.com V1.0 set up and lessons learned» Leurré.com V2.0 set up» WOMBAT Conclusions

Data, data and more data Collecting threats-related data all over the world in such a way that a systematic and rigorous analysis can be carried out is a key element to help us all fight cybercrime as it leads to the discovery of actionable knowledge.

Data, data and more data (ctd.) The Leurrécom dataset has contributed to this task over the last four years. Trends are changing and highlight the need for novel sources of data The WOMBAT project is looking forward to address these issues. Feel free to be part of it.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback