Effective Proactive Detection of Network Security Incidents
Piotr Kijewski (piotr.kijewski@cert.pl), CERT Polska
Congreso Seguridad en 2011, Mexico City, 25th November 2011
ABOUT CERT POLSKA
History of CERT Polska
Timeline figure, 1996 to 2011 (events as extracted):
CERT NASK
Transformation into CERT Polska
Start of cooperation with ABW
Accreditation
SCP (Microsoft Security Cooperation Program)
ABUSE FORUM established
Anti-Phishing Working Group
A part of NASK Research Institute (nationwide ISP)
Honeynet Project Member
CERT POLSKA Activities
Qualified incident response
Education and awareness activities in the IT security area
Research and reports
IT security projects
Helping users and institutions
Contact with media
Cooperation with CERTs and security organisations
Organisation of SECURE Conference
Registration and handling of incidents affecting security
Structure
Core IRT Team
Security Projects Team
CERT Polska: 13 employees
Sample technical projects
Early warning system based on server honeypots
Global system for monitoring and analyzing Internet threats
A Framework for Information Sharing and Alerting
Client honeypot system
Case study: HoneySpider Network
Initiatives
Cooperation between Polish CERTs: ABUSE-FORUM
Support in establishing new CERTs in Former Soviet Republics: CLOSER
Contact point for illegal content (now outside CERT)
National and international trainings for different entities
Case study: CLOSER Project
2-year programme, funded by NATO, 2007-2009
Primary goals: help in setting up CERTs in former Soviet republics; assistance in the first phases of their existence
New CERTs in Armenia, Azerbaijan, Georgia, Moldova, Ukraine
Assistance in joining international forums: TERENA TF-CSIRT, FIRST
Operational level: forwarding relevant incidents; help in incident handling; monitoring progress of incidents being handled
Current & future research areas
Analysis of large security datasets: looking at algorithms for meaningful analysis of large security datasets
Botnet research: research into ways of automating analysis of botnets
DNS research: looking at ways to detect malicious domains at the registry level
Mobile threats: research into automating ways of detection and analysis of malware on smartphones
STUDY ON PROACTIVE DETECTION OF NETWORK INCIDENTS
About the study
ENISA commissioned study: Proactive Detection of Network Security Incidents
Focused on CERTs (national/governmental) but also other security teams
Major goals:
do a stocktaking of measures used by CERTs to proactively detect incidents
identify shortcomings and provide recommendations on how to mitigate them
What is meant by proactive detection?
Detection of malicious activity in a constituency before constituents become aware of the problem and report it themselves
Effectively early warning for constituents
Can be achieved by using external data feeds that report incidents or by deploying internal monitoring tools
Survey overview
Surveyed 105 different CERTs, primarily from Europe but also a few outside of Europe
Never heard from 11 CERTs, 5 refused to answer
Overall, 45 CERTs responded (despite four rounds of requests)
96 questions in all; a small (but key) sample is presented here
Respondent Organization Profile
Pie chart (values as extracted: 33%, 32%, 14%, 12%, 7%, 2%); categories: Government/public administration, Academic, ISP, Other (please specify), Commercial Company, Financial
How do you obtain incident data about your constituency?
Bar chart, number of responses (y axis 0 to 200) per source type: Incoming incident reports (reactive), Internal monitoring, Monitoring of external public sources, Monitoring of commercial sources, Monitoring of closed sources; each rated as Primary source, Auxiliary source, or Not used
Feelings regarding info sources
Pie chart (values as extracted: 49%, 47%, 4%); options:
We are fully satisfied with the information sources we currently have
We would consider trying other sources to improve
We feel an information deficit in general (we think there are significantly more incidents we do not know about)
We feel we have too many information sources
What would you like to improve?
Pie chart (values as extracted: 30%, 26%, 22%, 12%, 10%); categories: Accuracy, Coverage, Timeliness, Ease of use, Resources required
Do you use closed sources that you cannot disclose?
Yes 61%
No 39%
Most often used sources of information
Bar chart of source usage counts (y axis 0 to 25; bar values as extracted: 22, 18, 18, 17, 15, 14, 12, 12, 11, 11, 11, 7, 6, 4, 4, 3, 3, 3, 2, 2, 1, 1, 1, 0, 0, 0, 0, 0); the source labels are not in the extraction
* - including non-public sources which respondents could not disclose
40%
Top rated sources of information
Stacked bar chart, number of responses (x axis 0 to 90) per source, rated excellent / good / fair / poor
Most often used internal tools
Stacked bar chart, number of responses (y axis 0 to 50) per tool; answer options: No answer; I never used it and will not use it; I used it in the past, but dropped it; I don't use it but plan to use it in future; I use it
Do you collect data about other constituencies?
Pie chart (values as extracted: 45%, 43%, 7%, 5%); answers: yes, no, cannot tell, not sure
Do you share this information?
Yes 52%
No 48%
23,4%
In what form?
Pie chart (values as extracted: 38%, 32%, 24%, 6%); answers: Preprocessed data (for example, to lower false positives), Interpreted data (for example, attribution to a threat), Raw data, Other
Under what rules?
Pie chart (values as extracted: 56%, 18%, 15%, 7%, 4%); answers: Limited access, Other, Anyone (public), Commercial, Public subscription based
SO WHAT HAPPENS IF YOU DO COLLECT ALL THIS
Scale of incidents Poland 1h2011 (automated submissions)
Resources available
Pie chart (values as extracted: 45%, 31%, 13%, 11%); answers:
We do process all incoming information, but only higher priority incidents are further handled; more input information would leave even more lower priority incidents without attention
We can fully handle the current amount of incident information; we could handle even more incident information
We can fully handle the current amount of incident information, but would not be able to handle more
We cannot properly handle even the amount of incident related information currently available
Do you correlate?
Yes 80%
No 20%
How do you correlate?
Pie chart (values as extracted: 56%, 26%, 18%); answers: Ad hoc, Automated system, Ad hoc and automated system
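The correlation slides and the takeaways say that automation and correlation are what keep a team with limited resources focused on the higher priority incidents. The following is an added example, not CERT Polska's or the n6 platform's own code: it merges reports about the same IP from several feeds and ranks hosts by how many independent feeds agree on them. The feed names, the (source, timestamp, ip, category) record layout and the scoring weights are assumptions of this example; the sample reports are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Automated correlation of incident reports from several feeds.

Added example, not CERT Polska's or the n6 platform's own code. The feed
names, the record layout (source, timestamp, ip, category) and the scoring
weights are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample reports: (feed name, timestamp, reported IP, category).
SAMPLE_REPORTS = [
    ("bots-drone", "2011-10-09 08:09:02+00:00", "192.0.2.10", "bot"),
    ("bots-drone", "2011-10-09 10:15:00+00:00", "192.0.2.10", "bot"),  # same host reported again
    ("scanning-arakis", "2011-10-09 08:09:40+00:00", "192.0.2.10", "scan"),
    ("cnc-ip", "2011-10-09 09:00:00+00:00", "198.51.100.7", "cnc"),
    ("scanning-arakis", "2011-10-09 08:09:51+00:00", "203.0.113.44", "scan"),
    ("scanning-arakis", "2011-10-09 11:30:00+00:00", "203.0.113.44", "scan"),
]


@dataclass
class Correlated:
    """Everything known about one IP after merging all feeds."""
    ip: str
    sources: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    reports: int = 0
    first_seen: datetime = None
    last_seen: datetime = None

    @property
    def priority(self) -> int:
        # Independent feeds agreeing on the same host, or a C&C verdict, outrank
        # a single feed reporting the same scanner repeatedly; the raw report
        # count only breaks ties. The weights are an assumption of this example.
        return 10 * len(self.sources) + (5 if "cnc" in self.categories else 0) + self.reports


def correlate(reports) -> dict:
    """Merge raw per-feed reports into one record per IP (keyed by IP string)."""
    merged = {}
    for source, ts, ip, category in reports:
        when = datetime.fromisoformat(ts)
        rec = merged.setdefault(ip, Correlated(ip))
        rec.sources.add(source)
        rec.categories.add(category)
        rec.reports += 1
        rec.first_seen = when if rec.first_seen is None else min(rec.first_seen, when)
        rec.last_seen = when if rec.last_seen is None else max(rec.last_seen, when)
    return merged


def prioritized(reports) -> list:
    """Correlated records ordered from most to least urgent."""
    return sorted(correlate(reports).values(), key=lambda r: r.priority, reverse=True)


def summary(reports) -> list:
    """(ip, priority, number of distinct feeds) tuples for a quick report."""
    return [(r.ip, r.priority, len(r.sources)) for r in prioritized(reports)]


if __name__ == "__main__":
    for ip, prio, feeds in summary(SAMPLE_REPORTS):
        print(f"{ip:16} priority={prio:3} feeds={feeds}")
```

With the constructed input, the host reported by two feeds (192.0.2.10) lands on top even though the C&C report and the repeated scanner each have more or equally many raw lines from a single feed; six raw reports collapse into three records, which is the reduction an automated system gives a team that can only handle the top of the list.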
35,2%
SOME TOOLS TO HELP?
Tools for correlation & sharing
Abuse Helper (http://www.abusehelper.be/)
Megatron (contact SITIC/CERT.se)
Collective Intelligence Framework (http://code.google.com/p/collective-intelligence-framework/, currently in beta)
n6 PLATFORM
n6 = Network Security Incident eXchange
Current situation: lots of different sources of information, which need to be handled individually
Goal: gather as much as possible and provide a unified service
For now, focus on incidents, not other types of data
n6 PLATFORM
Diagram: ISPs, CSPs, CERTs, Banks, Security Data Providers -> files by SMTP, files by HTTP -> n6 ENGINE -> HTTPS -> URLs, Domains, IPs, Malware, Credentials
n6 Assumptions
We provide raw data, as obtained from the original source: no normalization or transformation
Sometimes enhanced by additional information, e.g. IP and ASN data for domains
Sources may differ in quality; we can only control our own systems
n6 Who to share with
Who do we share with: ISPs, content providers, public administration, financial institutions
Each entity gets filtered (relevant) data: ASN / IP addresses, URLs, more!
n6 What to share
Aggregated sources: our systems (ARAKIS, HSN, ...), external organizations - major data providers and less known ones
Types of data: infected hosts (bots), malicious URLs, scanning, malicious artifacts, DDoS, fast flux, brute force, phishing, C&C servers
n6 How to share (requirements)
Simple format => easy processing
Easy access => quick on-boarding
Secure access
Tailored data
n6 How to share (solution)
All data published as flat files
Secure transfer over HTTPS, certificate-based authentication of clients (own CA)
Files grouped by date
Every client gets an individual view
n6 Example
Go to https://N6.cert.pl/ [Valid CRT needed!]
Directory listing:
./2011-10-09:
bots-drone-poland.csv
bots-infected.txt
cnc-ip-poland.csv
ddos-poland.csv
malurl-1.txt
malurl-2.txt
malurl-hsn
scanning-arakis-pl-1.txt
scanning-arakis-pl-2.txt
...
./2011-10-10:
...
n6 Examples of Content
CSV sample (columns as extracted, header truncated):
"IP Address","Port","Channel","Country","Region","State","Domain", "ASN","AS
"141.213.238.252 194.109.129.220 217.17.33.10 193.109.122.77 195.140.202.142
6667,
"BAY CITY | AMSTERDAM | WARSAW | AMSTERDAM | STOCKHOLM | - | PARIS | - |
"TEXAS | NOORD-HOLLAND | MAZOWIECKIE | NOORD-HOLLAND | STOCKHOLMS LAN | - | ILE-DE-FRANCE | -
"UMICH.EDU XS4ALL.NL ATMAN.PL UNDERNET.ORG PEER-IX.NET ABOVE.NET HARMEL.IN MZIMA.NET YANIR.CO.IL -
"UMICH-AS-5 XS4ALL ATMAN NL PORT80 MFNX BSOCOM GTT SMILE COLOSOLUTIONS", "University of Michigan | NL XS4ALL Internet BV | ATMAN Autonomous System | BIT BIT BV | Phonera Networks AB | MFN - Metromedia Fiber Network | BSO Communication Network | Global Telecom & Technology ASN | ASN Euronet
Semicolon-separated sample:
2011-10-09 08:09:02+00:00;64.37.60.15;;??;22;6;12
2011-10-09 08:09:40+00:00;70.79.1.126;AS6327;CA;445;6;12
2011-10-09 08:09:51+00:00;79.77.211.244;AS9105;GB;23;6;6
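The "Who to share" and "How to share" slides describe the consumer side: flat files per day, fetched over HTTPS with a client certificate issued by the operator's own CA, and every client seeing only the records relevant to its own ASNs and address ranges. The following is an added example, not the n6 platform's own code, of what such a consumer looks like: a parser for the semicolon-separated layout shown above, a per-client relevance filter, and the TLS context that trusts only the feed's CA and presents the client certificate. The field meaning (timestamp;ip;asn;country;port;proto;count) is inferred from the sample lines and is an assumption of this example; the client names, ASNs (RFC 5398 documentation range) and prefixes (RFC 5737) are constructed, and the feed lines, including the two deliberately broken ones, are constructed as well.

```python
"""Per-client view of an n6-style flat-file feed.

Added example, not the n6 platform's own code. The field layout
(timestamp;ip;asn;country;port;proto;count) is an assumption inferred from
the slide's sample lines; clients, ASNs and prefixes are constructed.
"""
import ipaddress
import ssl
from datetime import datetime

FIELDS = ("timestamp", "ip", "asn", "country", "port", "proto", "count")

# Constructed feed content in the slide's semicolon-separated layout, plus one
# line with a bad IP and one truncated line: a consumer must not assume that a
# source it does not control delivers well-formed data.
SAMPLE_FEED = """\
2011-10-09 08:09:02+00:00;192.0.2.15;;??;22;6;12
2011-10-09 08:09:40+00:00;198.51.100.26;AS64496;CA;445;6;12
2011-10-09 08:09:51+00:00;203.0.113.244;AS64497;GB;23;6;6
2011-10-09 08:10:00+00:00;not-an-ip;AS64496;CA;80;6;1
this line is truncated
"""

# Constructed constituency definitions: what each client is entitled to see.
CLIENT_VIEWS = {
    "isp-a": {"asns": {"AS64496"}, "prefixes": ["192.0.2.0/24"]},
    "bank-b": {"asns": set(), "prefixes": ["203.0.113.0/24"]},
}


def parse_feed(text: str):
    """Yield one dict per well-formed line; silently skip anything that does not parse."""
    for raw in text.splitlines():
        parts = raw.split(";")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
            rec["ip"] = ipaddress.ip_address(rec["ip"])
            rec["port"], rec["proto"], rec["count"] = [int(rec[k]) for k in ("port", "proto", "count")]
        except ValueError:
            continue
        yield rec


def relevant_to(rec: dict, view: dict) -> bool:
    """A record belongs to a client if its ASN, or failing that its IP, is in the client's constituency."""
    if rec["asn"] and rec["asn"] in view["asns"]:
        return True
    return any(rec["ip"] in ipaddress.ip_network(p) for p in view["prefixes"])


def client_view(text: str, client: str) -> list:
    """The filtered records one client would find in its individual view."""
    view = CLIENT_VIEWS[client]
    return [rec for rec in parse_feed(text) if relevant_to(rec, view)]


def make_client_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context for fetching a day's files: trust only the operator's own CA
    (not the system store) and present the client certificate it issued."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname checking stays on
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


if __name__ == "__main__":
    for client in CLIENT_VIEWS:
        print(client, [str(r["ip"]) for r in client_view(SAMPLE_FEED, client)])
```

The record with an empty ASN is still delivered to isp-a because the filter falls back to the address prefix, which matters for feeds that, as the "n6 Assumptions" slide says, arrive raw and are only sometimes enriched with ASN data. A context from make_client_context can be passed as the context argument to urllib.request.urlopen for the per-day URL.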
n6 Future Development
Looking for new sources
Comments / suggestions are welcome
Contact us if you want to participate! e-mail: [email protected]
SO WHAT ELSE IS MISSING?
Are some incidents underreported?
Yes 75%
No 25%
Takeaways
It is possible to proactively detect many incidents in a network by using just external sources
Expanding your own network monitoring capabilities not only leads to better detection but also allows you to reciprocate to data providers
Automation and correlation are critical; there are tools appearing that can help
And finally
ENISA report on Proactive Detection of Network Security Incidents will be published Q4 2011
30 different data providers listed and assessed
16 shortcomings identified (both technical & legal/organizational)
Tips on how to start and improve (both on the data provider and consumer side)
THANK YOU!
Web: www.cert.pl
Facebook: facebook.com/cert.polska
Twitter: @CERT_Polska_en
Contact: [email protected]