20160713 2016 the honeynet projct annual workshop focus and global trends

2016 Honeynet Project Annual Workshop Focus and Global TrendsThe Honeynet Project Taiwan Chapter Yi-Lang Tsai

Google Me. Yi-Lang Tsai

The Honeynet Project Taiwan Chapter Leader

1st 5th 6th

3rd 4th 1st

1st Cloud Security Alliance Taiwan Chapter Founder and Director of Research

http://blog.yilang.org Facebook: Yi-Lang Tsai

34

Information Security( ) Linux Guide NetAdmin 80

RHCE CCNA CCAI CEH CHFI ACIA ITIL Foundation ISO 27001 LAC ISO 20000 LAC BS10012 LAC CSA STAR Auditing

OutlineThe Honeynet Project

Honeynet Project Tools

Honeynet in Taiwan

2016 Annual Workshop update

The Honeynet Project introductionNon-profit (501c3) organization with Board of Directors.

Funded by sponsors

Global set of diverse skills and experiences.

Open Source, share all of our research and findings at no cost to the public.

Deploy networks around the world to be hacked.

Everything we capture is happening in the wild.

We have nothing to sell.

Honeynet Project MissionA community of organizations actively researching, developing and deploying Honeynets and sharing the lessons learned.

Awareness: 增進企業與組織對存在於現⾏網路上的威脅與弱點之了解，進⼀步思考如何去減輕威脅的⽅法

Information: 除了提供基本的攻擊活動外，進⼀步提供更關鍵性的資料，如: 攻擊動機，駭客間如何聯絡，駭客攻破主機後下⼀步的攻擊動作

Tools: Honeynet Project 致⼒於發展 Open Source Tools，藉由這些Tools，我們可以更有效率的佈建誘捕系統了解網路環境攻擊威脅現況

The Honeynet Project Website

http://www.honeynet.org/

45 (Chapters)

Honeypot/Honeynet Technology What is a Honeynet ?

Low-Interaction / High-interaction Honeypot It is an architecture, not a product or software Populate with live systems Once compromised, data is collected to learn the tools, tactics, and motives of the Blackhat community

Value of Honeynet Research : Identify new tools and new tactics, Profiling Blackhats Early warning and prediction Incident Response / Forensics Self-defense

HoneypotsA honeypot is an information system resource whose value lies in

unauthorized or illicit use of that resource.

Has no production value, anything going to or from a honeypot is likely a

probe, attack or compromise.

Primary value to most organizations is information.

Advantage and RiskAdvantage

Collect small data sets of high value. Reduce false positives Catch new attacks, false negatives Work in encrypted or IPv6 environments Simple concept requiring minimal resources

RiskLimited field of view (microscope) Risk (mainly high-interaction honeypots)

HoneynetsHigh-interaction honeypot designed to capture in-depth informa(on.

Information has different value to different organizations.

Its an architecture you populate with live systems, not a product or software.

Any traffic entering or leaving is suspect.

2016 Annual Workshop UpdateSan Antonio, TX, USA. May 9-11th, 2016

1 Day Briefing, 2 Days Hands-on Workshop and 2 Days Private Meeting

About 120+ Attendee Join this year

Briefing Topic17 Years of Community Leadership Lessons Learned (Lance Spitzner) Keynote: Control Systems Cyberattacks (Kevin Owens) ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee) Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas) Behavioral Analysis of large amounts of Unknown Files (Lukas Rist) Shadowserver: Updates and highlights from recent activities (David Watson) Advancements in Computational Digital Forensics (Nicole Beebe) Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty) Targeted attacks by Dubnium (Christian Seifert) Integrating Human Behavior into the Development of Future Cyber terrorism Scenarios(Max Kilger)

Security and Deception in Industrial Control Systems (Lukas Rist)

Summary17 Years of Community Leadership Lessons Learned

Lance Spitzner / The Honeynet Project Founder Why join community projects

meet people smarter then you a network of friends turns into a network of opportunities gain new, international perspectives make a difference and build your reputation

Motivation we underestimate the power of recognition create a positive culture ensure people have a voice help build their reputation / exposure enable people to learn and grow from others

SummaryKeynote: Control Systems Cyberattacks (Kevin Owens)

Iranians Hacked From Wall Street to New York Dam, U.S. Says

http://www.bloomberg.com/news/articles/2016-03-24/u-s-charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt

New wave of cyberattacks against Ukrainian power industry

http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/

Updated BlackEnergy Trojan Grows More Powerful

https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/

SummaryICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)

ThreatStream

https://www.anomali.com/

Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar

http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar

The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest

https://www.aei.org/publication/growing-cyberthreat-from-iran/

No, Israel's power grid wasn't hacked, but ransomware hit Israel's Electric Authority

http://www.computerworld.com/article/3026609/security/no-israels-power-grid-wasnt-hacked-but-ransomware-hit-israels-electric-authority.html

ICS-CERT

https://ics-cert.us-cert.gov/

SummaryDeep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas) Key Questions

where to deploy network monitors how deep to look DFA network protocol,communication patterns, command codes, enough? protocol specification correct but false info exact value of sensor and control commands(Can’t model with DFA)

SummaryBehavioral Analysis of large amounts of Unknown Files (Lukas Rist) database cloud bridge sandbox cluster sample workflow

multiple sample sources flow together chain of workers with increasing processing cost or time known/unknown, static analysis FRS, multi AV, emulated sandbox, iVM plug&analysis system, write your own worker result based routing rules cloud watch, TSD, probabilistic data structures

SummaryShadowserver: Updates and highlights from recent activities (David Watson)

https://www.shadowserver.org/

The Shadowserver Foundation is continually seeking to provide timely and relevant information to the security community at large. We also seek to increase our level of research and investigation into the activity we discover.

SummaryCreating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)

a new architecture -the security data lake

context, IOCs, any data —> Rules —> big data lake  —>Hunting  —> data sci

Hunting creates internal threat intelligence

Data science in security 

simple approaches work

dc(dest), dc(d_port)

what is normal?

use data science / data mining to prepare data. then visualize the output for the human analyst.

Honeypot UpdateMonitoring DDoS attacks with DDoSPot (Luka Milković)

criterial:

no dummy services

rate limiting

db storage, state restore and passable logs

simple and note resource-intiensive

statistics

hp feeds

Smart XXX Risk in Future

Google Self-Driving Car on City Streets

ICT/SCADA High Risk

Conpot

Malware Knowledge Base in Taiwan owl.nchc.org.tw

Malware Knowledge Base, hosted by the National Center for High-performance Computing, is a malware analysis platform that observes and records system behaviors conducted by analysis objects in a controlled environment with various types of dynamic analysis tools.

The mission of Malware Knowledge Base is to strengthen malware research and promote security innovations in both academia and industry.

By providing malware-related resources, Malware Knowledge Base can contribute to security research and make the Internet a safer place.

Next session… Honeypot Flash Live Show.

Kean Song Tan (Malaysia Chapter) Ching Hsiung Hsu (Taiwan Chapter)