20160713 2016 the honeynet projct annual workshop focus and global trends
-
Upload
yi-lang-tsai -
Category
Presentations & Public Speaking
-
view
55 -
download
2
Transcript of 20160713 2016 the honeynet projct annual workshop focus and global trends
2016 Honeynet Project Annual Workshop Focus and Global TrendsThe Honeynet Project Taiwan Chapter Yi-Lang Tsai
Google Me. Yi-Lang Tsai
The Honeynet Project Taiwan Chapter Leader
1st 5th 6th
3rd 4th 1st
1st Cloud Security Alliance Taiwan Chapter Founder and Director of Research
http://blog.yilang.org Facebook: Yi-Lang Tsai
34
Information Security( ) Linux Guide NetAdmin 80
RHCE CCNA CCAI CEH CHFI ACIA ITIL Foundation ISO 27001 LAC ISO 20000 LAC BS10012 LAC CSA STAR Auditing
OutlineThe Honeynet Project
Honeynet Project Tools
Honeynet in Taiwan
2016 Annual Workshop update
The Honeynet Project introductionNon-profit (501c3) organization with Board of Directors.
Funded by sponsors
Global set of diverse skills and experiences.
Open Source, share all of our research and findings at no cost to the public.
Deploy networks around the world to be hacked.
Everything we capture is happening in the wild.
We have nothing to sell.
Honeynet Project MissionA community of organizations actively researching, developing and deploying Honeynets and sharing the lessons learned.
Awareness: 增進企業與組織對存在於現⾏網路上的威脅與弱點之了解,進⼀步思考如何去減輕威脅的⽅法
Information: 除了提供基本的攻擊活動外,進⼀步提供更關鍵性的資料,如: 攻擊動機,駭客間如何聯絡,駭客攻破主機後下⼀步的攻擊動作
Tools: Honeynet Project 致⼒於發展 Open Source Tools,藉由這些Tools,我們可以更有效率的佈建誘捕系統了解網路環境攻擊威脅現況
The Honeynet Project Website
http://www.honeynet.org/
45 (Chapters)
Honeypot/Honeynet Technology What is a Honeynet ?
Low-Interaction / High-interaction Honeypot It is an architecture, not a product or software Populate with live systems Once compromised, data is collected to learn the tools, tactics, and motives of the Blackhat community
Value of Honeynet Research : Identify new tools and new tactics, Profiling Blackhats Early warning and prediction Incident Response / Forensics Self-defense
HoneypotsA honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
Has no production value, anything going to or from a honeypot is likely a
probe, attack or compromise.
Primary value to most organizations is information.
Advantage and RiskAdvantage
Collect small data sets of high value. Reduce false positives Catch new attacks, false negatives Work in encrypted or IPv6 environments Simple concept requiring minimal resources
RiskLimited field of view (microscope) Risk (mainly high-interaction honeypots)
HoneynetsHigh-interaction honeypot designed to capture in-depth informa(on.
Information has different value to different organizations.
Its an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.
2016 Annual Workshop UpdateSan Antonio, TX, USA. May 9-11th, 2016
1 Day Briefing, 2 Days Hands-on Workshop and 2 Days Private Meeting
About 120+ Attendee Join this year
Briefing Topic17 Years of Community Leadership Lessons Learned (Lance Spitzner) Keynote: Control Systems Cyberattacks (Kevin Owens) ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee) Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas) Behavioral Analysis of large amounts of Unknown Files (Lukas Rist) Shadowserver: Updates and highlights from recent activities (David Watson) Advancements in Computational Digital Forensics (Nicole Beebe) Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty) Targeted attacks by Dubnium (Christian Seifert) Integrating Human Behavior into the Development of Future Cyber terrorism Scenarios(Max Kilger)
Security and Deception in Industrial Control Systems (Lukas Rist)
Summary17 Years of Community Leadership Lessons Learned
Lance Spitzner / The Honeynet Project Founder Why join community projects
meet people smarter then you a network of friends turns into a network of opportunities gain new, international perspectives make a difference and build your reputation
Motivation we underestimate the power of recognition create a positive culture ensure people have a voice help build their reputation / exposure enable people to learn and grow from others
SummaryKeynote: Control Systems Cyberattacks (Kevin Owens)
Iranians Hacked From Wall Street to New York Dam, U.S. Says
http://www.bloomberg.com/news/articles/2016-03-24/u-s-charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt
New wave of cyberattacks against Ukrainian power industry
http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
Updated BlackEnergy Trojan Grows More Powerful
https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/
SummaryICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)
ThreatStream
https://www.anomali.com/
Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar
http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest
https://www.aei.org/publication/growing-cyberthreat-from-iran/
No, Israel's power grid wasn't hacked, but ransomware hit Israel's Electric Authority
http://www.computerworld.com/article/3026609/security/no-israels-power-grid-wasnt-hacked-but-ransomware-hit-israels-electric-authority.html
ICS-CERT
https://ics-cert.us-cert.gov/
SummaryDeep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas) Key Questions
where to deploy network monitors how deep to look DFA network protocol,communication patterns, command codes, enough? protocol specification correct but false info exact value of sensor and control commands(Can’t model with DFA)
SummaryBehavioral Analysis of large amounts of Unknown Files (Lukas Rist) database cloud bridge sandbox cluster sample workflow
multiple sample sources flow together chain of workers with increasing processing cost or time known/unknown, static analysis FRS, multi AV, emulated sandbox, iVM plug&analysis system, write your own worker result based routing rules cloud watch, TSD, probabilistic data structures
SummaryShadowserver: Updates and highlights from recent activities (David Watson)
https://www.shadowserver.org/
The Shadowserver Foundation is continually seeking to provide timely and relevant information to the security community at large. We also seek to increase our level of research and investigation into the activity we discover.
SummaryCreating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)
a new architecture -the security data lake
context, IOCs, any data —> Rules —> big data lake —>Hunting —> data sci
Hunting creates internal threat intelligence
Data science in security
simple approaches work
dc(dest), dc(d_port)
what is normal?
use data science / data mining to prepare data. then visualize the output for the human analyst.
Honeypot UpdateMonitoring DDoS attacks with DDoSPot (Luka Milković)
criterial:
no dummy services
rate limiting
db storage, state restore and passable logs
simple and note resource-intiensive
statistics
hp feeds
Smart XXX Risk in Future
Google Self-Driving Car on City Streets
ICT/SCADA High Risk
Conpot
Malware Knowledge Base in Taiwan owl.nchc.org.tw
Malware Knowledge Base, hosted by the National Center for High-performance Computing, is a malware analysis platform that observes and records system behaviors conducted by analysis objects in a controlled environment with various types of dynamic analysis tools.
The mission of Malware Knowledge Base is to strengthen malware research and promote security innovations in both academia and industry.
By providing malware-related resources, Malware Knowledge Base can contribute to security research and make the Internet a safer place.
Next session… Honeypot Flash Live Show.
Kean Song Tan (Malaysia Chapter) Ching Hsiung Hsu (Taiwan Chapter)