AIL Framework for Analysis of Information Leaks From a CSIRT use-case towards a generic analysis open source software

Similar documents
AIL Framework for Analysis of Information Leaks

AIL Framework for Analysis of Information Leaks

Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH

ThaiCERT Incident Response & Phishing cases in Thailand. By Kitisak Jirawannakool Thai Computer Emergency Response team (ThaiCERT)

Getting Security Operations Right with TTP0

software.sci.utah.edu (Select Visitors)

Access Control and Physical Security Management. Contents are subject to change. For the latest updates visit

This report is based on sampled data. Jun 1 Jul 6 Aug 10 Sep 14 Oct 19 Nov 23 Dec 28 Feb 1 Mar 8 Apr 12 May 17 Ju

Fluidity Trader Historical Data for Ensign Software Playback

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

June 2012 First Data PCI RAPID COMPLY SM Solution

Getting in Gear with the Service Catalog

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Jordan Levesque Making sure your business is PCI compliant

COURSE LISTING. Courses Listed. with SAP Hybris Marketing Cloud. 24 January 2018 (23:53 GMT) HY760 - SAP Hybris Marketing Cloud

TLD-OPS Standing Committee Meeting cctld Security and Stability Together

MSRS Roadmap. As of January 15, PJM 2019

DAS LRS Monthly Service Report

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

ICT PROFESSIONAL MICROSOFT OFFICE SCHEDULE MIDRAND

COURSE LISTING. Courses Listed. with Governance, Risk and Compliance (GRC) SAP BusinessObjects. 19 February 2018 (15:13 GMT) GRC100 -

FREQUENTLY ASKED QUESTIONS

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

COURSE LISTING. Courses Listed. Training for Database & Technology with Modeling in SAP HANA. 20 November 2017 (12:10 GMT) Beginner.

Sophos Central for partners and customers: overview and new features. Jonathan Shaw Senior Product Manager, Sophos Central

SCI - software.sci.utah.edu (Select Visitors)

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

Certificate in Security Management

The Scenes of Cyber Crime

A strategy for Inexpensive Automated Containment of Infected or Vulnerable Systems

Powering Your Website Content with Magento PageBuilder

Asks for clarification of whether a GOP must communicate to a TOP that a generator is in manual mode (no AVR) during start up or shut down.

e-sens Nordic & Baltic Area Meeting Stockholm April 23rd 2013

Next Steps for WHOIS Accuracy Global Domains Division. ICANN June 2015

SqueakSource Smart Monticello Repository ESUG Innovation Technology Awards 2005

IBM Security Systems IBM X-Force 2012 Annual Trend and Risk Report

Dan Lobb CRISC Lisa Gable CISM Katie Friebus

Jordan Levesque - Keeping your Business Secure

Annex A to the DVD-R Disc and DVD-RW Disc Patent License Agreement Essential Sony Patents relevant to DVD-RW Disc

Certified Cyber Security Specialist

SECURE YOUR APPLICATIONS, SIMPLIFY AUTHENTICATION AND CONSOLIDATE YOUR INFRASTRUCTURE

Obtaining and Managing IP Addresses. Xavier Le Bris IP Resource Analyst - Trainer

Maintaining Trust: Visa Inc. Payment Security Strategy

MHBE Compliance Program SECOND QUARTER FY 2019 REPORT. TO MHBE BOARD OF TRUSTEES January 22, 2019

Grade 4 Mathematics Pacing Guide

YOUR BUSINESS Networking Lunch & Vendor Fair

Intrusion Attempt Who's Knocking Your Door

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

Polycom Advantage Service Endpoint Utilization Report

All King County Summary Report

Polycom Advantage Service Endpoint Utilization Report

COURSE LISTING. Courses Listed. Training for Cloud with SAP Cloud Platform in Development. 23 November 2017 (08:12 GMT) Beginner.

COURSE LISTING. Courses Listed. Training for Database & Technology with Development in SAP Cloud Platform. 1 December 2017 (22:41 GMT) Beginner


Monthly SEO Report. Example Client 16 November 2012 Scott Lawson. Date. Prepared by

Qualys Indication of Compromise

UAE PUBLIC TRAINING CALENDAR

SCI - NIH/NCRR Site. Web Log Analysis Yearly Report Report Range: 01/01/ :00:00-12/31/ :59:59.

Section 1.2: What is a Function? y = 4x

Seattle (NWMLS Areas: 140, 380, 385, 390, 700, 701, 705, 710) Summary

Virtual Product Fair. Protect your agency data protect your business

New Concept for Article 36 Networking and Management of the List

For Official Use Only

HIGH RISK REPORT J.CREW GROUP, INC. September 14, 2017

Decision Making Information from Your Mobile Device with Today's Rockwell Software

Seattle (NWMLS Areas: 140, 380, 385, 390, 700, 701, 705, 710) Summary

CBERS-2. Attitude Control and its Effects on Image Geometric Correction. Follow up to TCM-06 INPE CBERS TEAM

San Joaquin County Emergency Medical Services Agency

Seattle (NWMLS Areas: 140, 380, 385, 390, 700, 701, 705, 710) Summary

HPE Security Data Security. HPE SecureData. Product Lifecycle Status. End of Support Dates. Date: April 20, 2017 Version:

North American Portability Management, LLC LNPA Transition Contingency Rollback. Industry Working Session January 16 th, 2018

Cyber security tips and self-assessment for business

Grid Security Policy

Annex A to the MPEG Audio Patent License Agreement Essential Philips, France Telecom and IRT Patents relevant to DVD-Video Disc - MPEG Audio - general

Automatic Renewal Using DIY Technology to Create an Improved Patron Experience

Imputation for missing observation through Artificial Intelligence. A Heuristic & Machine Learning approach

More Binary Search Trees AVL Trees. CS300 Data Structures (Fall 2013)

Optimizing Field Operations. Jeff Shaner

Customer Forum. Access to Data. Author, Department. 26 April 2018

Quatius Corporation - FTP Site Statistics. Top 20 Directories Sorted by Disk Space

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015]

Cybersecurity is a Team Sport

More BSTs & AVL Trees bstdelete

North American Portability Management, LLC LNPA Transition Contingency Rollback. Industry Discussion July 12 th, 2017

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Kaspersky Security for Microsoft Office 365

CSE 341 Section Handout #6 Cheat Sheet

Budget Transfers. To initiate a budget transfer, go to FGAJVCM (Journal Voucher Mass Entry). FGAJVCM

18050 (2.48 pages/visit) Jul Sep May Jun Aug Number of visits

ISE Cyber Security UCITS Index (HUR)

Markets Gateway Roadmap

Intellectual Property Constituency (IPC)

SFC strengthens internet trading regulatory controls

Blockstack, a New Internet for Decentralized Apps. Muneeb Ali

Yield Reduction Due to Shading:

For personal use only. Update Event & nearmap Solar

Extended INCident Handling Working Group (INCH)

Registrar Stakeholder Mee2ng Tuesday, 25 March 2014

Cyber Threat Intelligence Standards - A high-level overview

Previous Intranet Initial intranet created in 2002 Created solely by Information Systems Very utilitarian i Created to permit people to access forms r

Transcription:

AIL Framework for Analysis of Information Leaks From a CSIRT use-case towards a generic analysis open source software Team CIRCL - TLP:WHITE info@circl.lu FIRST 2017

Leaks and CSIRT day-to-day operations Analysing and notifying about information leaks can be time consuming (e.g. national/sectoral CSIRT level) Notification can be challenging (e.g. what kind of trusted channels do you have to communicate with a victim?) When leaks are publicly known, interaction with media/press can be significant Analysis of mixed structured and unstructured data from untrusted sources (e.g. fake and duplicate leaks) 2 of 29

A source of leaks: Paste monitoring Example: http://pastebin.com/ Easily storing and sharing text online Used by programmers and legitimate users Source code & configuration information Abused by attackers to store: List of vulnerable/compromised sites Software vulnerability (e.g. exploits) Database dumps User data Credentials (3rd party) Credit card details... more and more... 3 of 29

Paste monitoring at CIRCL: Key numbers Monitored paste sites: 27 Keywords - Search terms: 420 Keywords - Constituency related: 90 Time for one ticket: 5 min - 1 hour Table : Key numbers for 2016 Pastes 2016 Jan Feb Mar Apr Mai Jun Jul Aug Sep Oct Nov Dec Fetched pastes 1 439 453 1537 186 1719 646 1 622674 1 595 881 1 561 700 1422 628 1 443938 1 519026 1 581 793 1656 985 1464 214 Keywords hits 5394 4407 4072 11 455 4722 4158 4083 3796 4235 3970 4155 4350 Constituency hits 1792 1402 741 1273 1146 795 598 644 717 953 736 643 Security related (TR-46) 30 22 28 19 15 13 16 8 13 22 38 28 Incidents & investigations 65 55 76 44 31 36 40 21 39 59 104 79 4 of 29

Paste monitoring: Statistics Table : Statistics for 2016 Pastes 2016 Monthly average Total Fetched pastes 1 547 094 18 565 124 Keywords hits 4900 58 797 Constituency hits 953 11 440 Security related (TR-46) 21 252 Incidents & investigations 54 649 5 of 29

Paste monitoring: TR-46 approach https://www.circl.lu/pub/tr-46 6 of 29

Paste monitoring: TR-46 approach How to deal with numerous requests from press/media or potential victims. The TR-46 document includes: Risks with stolen email addresses Risks with stolen (hashed) passwords How to mitigate the risks How to prevent collateral damage How do we find leaks Reference of leaks (with the number of affected users in CIRCL s constituency) We don t provide any form for validation of email/credential leaks. This can be conflictual with general security awareness (e.g. entering email/credentials on unknown websites). 7 of 29

Paste monitoring: TR-46 approach 8 of 29

AIL Framework AIL initially started as an internship project (2014) to evaluate the feasibility to automate the analysis of (un)structured information to find leaks. In 2017, AIL framework is an open source software in Python. The software is actively used (and maintained) 1 by CIRCL. Extending AIL to add a new analysis module can be done in 50 lines of Python. The framework supports multi-processors/cores by default. Any analysis module can be started multiple times to support faster processing during peak times or bulk import. 1 To follow our mantra: to eat our own dogfood 9 of 29

AIL Framework 10 of 29

AIL 11 of 29

AIL 12 of 29

AIL 13 of 29

AIL 14 of 29

AIL 15 of 29

AIL 16 of 29

AIL 17 of 29

AIL 18 of 29

AIL 19 of 29

AIL 20 of 29

AIL 21 of 29

AIL - Sentiment Analysis 22 of 29

AIL - Run your own instance https://github.com/circl/ail-framework 23 of 29

AIL - Run your own instance: With pystemon https://github.com/circl/pystemon 24 of 29

AIL - Run your own instance: Use CIRCL feed Request access at: info@circl.lu 25 of 29

AIL - Add your own module Choose where to locate your module in the data flow: 26 of 29

AIL - A sample module structure 27 of 29 import time import re from pubsublogger import publisher from packages import Paste from Helper import Process if name == main : # Port of the redis instance used by pubsublogger publisher. port = 6380 # Script is the default channel used for the modules. publisher. channel = Script # Section name in bin / packages / modules. cfg config_section = Cve # Setup the I/O queues p = Process ( config_section ) # Sent to the logging a description of the module publisher. info (" Run CVE module ") # Endless loop getting messages from the input queue while True : message = p. get_from_set () if message is None : publisher. debug ("{} queue is empty, waiting ". format ( config_section )) time. sleep (1) continue cveextract ( message )

Conclusion Building AIL helped us to find additional leaks which cannot be found using manual analysis and improve the time to detect duplicate/recycled leaks. Therefore quicker response time to assist and/or inform proactively affected constituents. Separating collection and analysis parts allowed us to extend the models in the CSIRT services. The modular architecture helped us to use the extracted data to feed Passive DNS or crawl Tor.onion. Ongoing work: Integrating AIL leak into MISP to curate, share and collaborate on leaks. 28 of 29

Q&A https://github.com/circl/ail-framework Don t hesitate to contact us for feed access/exchange or ideas at mailto:info@circl.lu 29 of 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback