
H2020 PROJECT ON COLLECTION OF ACTIONABLE INFORMATION

Edgardo Montes de Oca, Montimage, France

SECURE INFORMATION SHARING SENSOR DELIVERY EVENT NETWORK

• Horizon 2020

o Call H2020-DS-2015-1: Digital Security: Cybersecurity, Privacy and Trust

o Topic DS-04-2015: Information driven Cyber Security Management

o Type: Innovation Action

• Project launch: 2016.05.01

• Project end: 2019.04.30

• Perfect score (15/15)!

This project has received funding from the European Union’s Horizon 2020

research and innovation programme under grant agreement No 700176.

THE CONSORTIUM

• Naukowa i Akademicka Sieć Komputerowa (NASK), Poland (Coordinator)

• Montimage EURL, France

• CyberDefcon Limited, United Kingdom

• Universitaet des Saarlandes, Germany

• Deutsche Telekom AG, Germany

• Eclexys SAGL, Switzerland

• Poste Italiane – Società per Azioni, Italy

• Stichting the Shadowserver Foundation Europe, Netherlands

PROJECT OVERVIEW

• Improving the cybersecurity posture of EU entities and end users through development of situational awareness and sharing of actionable information.

• Builds on the experience of Shadowserver

o non-profit organization well known in the security community

o mitigation of botnet and malware propagation

o free of charge victim notification services

o close collaboration with Law Enforcement Agencies, national CERTs, and network providers.

• The core: a worldwide sensor network for passive threat data collection, complemented by behavioral analysis of malware and multiple external data sources.

PROJECT OVERVIEW

• Actionable information: no-cost victim notification and remediation via organizations (National CERTs, ISPs, hosting providers, LEAs); benefits SMEs and citizens, who are not able to resist threats alone.

• Multiple high-quality feeds of actionable security information.

• State-of-the art honeypot/darknet technologies and a high-throughput data processing center.

• In-depth analytics on the collected data and metrics to establish the scale of most important security issues in the EU.

• A curated reference data set as a high-value research resource.

THE SHADOWSERVER MODEL

PROJECT OBJECTIVES

• Create a large, distributed sensor network

• Advancements in attack detection

• Advancements in malware analysis and botnet tracking

• Improving the fight against botnets

• Collect, store, analyse and reliably process Internet scale security data sets

• Share high quality information on a large scale

• Provide objective situational awareness through metrics

• Create and publish a large scale curated reference data set

PROJECT OBJECTIVES IN DETAIL

• Create a large, distributed sensor network

o Over 100 sensors, located in all EU countries & outside

o Sensors deployed by third parties (at least 20 by the end of the project)

o Multiple IPs and honeypots for each sensor

• Advancements in attack detection

o New types of honeypots, darknets, probes

o IoT, RDDoS, mobile threats

• Advancements in malware analysis and botnet tracking

o Beyond-state-of-the-art sandbox technologies

o Long-term sandboxing

• Improving the fight against botnets

o Detailed long-term studies of botnet infrastructures, support for LEA

PROJECT OBJECTIVES IN DETAIL

• Collect, store, analyse and reliably process Internet scale security data sets

o Explore “big data” approaches

• Share high quality information on a large scale

o Free data feeds for national CERTs, network owners, etc.

• Provide objective situational awareness through metrics

o Overview of threats, effectiveness of remediation

• Create and publish a large scale curated reference data set

o New resource for security research in Europe

ARCHITECTURE

(Diagram: front-end and back-end)

ARCHITECTURE : MONTIMAGE

(Diagram: front-end and back-end, with the MMT Probe)

ARCHITECTURE : MONTIMAGE

(Diagram: front-end and back-end, with the MMT Probe and MMT Operator)

ARCHITECTURE : PUBLIC INTERFACES

USE OF DECEPTION TECHNOLOGIES

• Easy to deploy solutions :

o cowrie : SSH/telnet

o glastopf : Web attacks

o Dionaea : SMB attacks, VoIP, some others

o honeytrap : generic

o honeyd : generic

o conpot : ICS honeypot

• Honeypot advancements :

o Internet of Things

o Reflected DDoS attacks

o open source deployment frameworks : DTAG T-Pot, MHN

VPS SENSOR MANAGEMENT

SENSOR DEPLOYMENT 2018 (1/3)

SENSOR DEPLOYMENT 2018 (2/3)

SENSOR DEPLOYMENT 2018 (3/3)

• 101 successfully deployed sensors

• 408 IPs

• 39 countries worldwide (23 EU)

• 99 cowrie instances

• 102 elasticpot instances

• 105 spampots

OPEN TO COMMUNITY COLLABORATION

• Sign up in advance: sissden.eu

• FREE “threat feeds” to the community

o Filters by country, AS, CIDR

o 30K reports and 120K charts each day

• Deploy sensors, provide IP space, VMs, physical servers

• Contribute new honeypot/sensor technologies

• Third party feeds welcome – integrate and help enrich curated data

• Academics willing to do research on the curated data set welcome

OPEN TO COMMUNITY COLLABORATION

• Open to collaboration with LE initiatives with data on malware and botnet activity (existing example – Cuing.org)

o 90+ National CERTs

o 800+ Universities

o 700+ Service Providers

o 300+ Enterprises

o International LEOs

o Critical Infrastructure Organizations

o Government agencies

EXAMPLE BRUTE FORCE REPORT

EXAMPLE REAL TIME MONITORING

EXAMPLE REAL TIME DETECTION

<property description="Several attempts to connect via ssh (brute force attack). Source address is either infected machine or attacker (no spoofing is possible)."
          type_property="ATTACK" property_id="1" delay_max="5" delay_min="0+" delay_units="s" value="THEN">
  <operator delay_max="3" delay_min="0+" delay_units="s" value="THEN">
    <event description="SYN request" value="COMPUTE"
           boolean_expression="((tcp.flags == 2)&&((tcp.dest_port == 22)&&(ip.src != ip.dst)))" event_id="1"/>
    <event description="SYN ACK reply" value="COMPUTE"
           boolean_expression="((tcp.flags == 18)&&((tcp.src_port == 22)&&((ip.dst == ip.src.1)&&(ip.src == ip.dst.1))))" event_id="2"/>
  </operator>
  <operator delay_max="3" delay_min="0+" delay_units="s" value="THEN">
    <event description="SYN request" value="COMPUTE"
           boolean_expression="((tcp.flags == 2)&&((tcp.dest_port == 22)&&((ip.src == ip.src.1)&&(ip.dst == ip.dst.1))))" event_id="3"/>
    <event description="SYN request" value="COMPUTE"
           boolean_expression="((tcp.flags == 2)&&((tcp.dest_port == 22)&&((ip.src == ip.src.1)&&(ip.dst == ip.dst.1))))" event_id="4"/>
  </operator>
</property>

(Diagram: structure of the property)

Brute force attack
  Operator: THEN
    Event: SYN request
    Event: SYN ACK reply
  Operator: THEN
    Event: SYN request
    Event: SYN request

Detected events : packets, flows, OS, Algorithms, Apps…

Operators : THEN, BEFORE, OR, AND, NOT

Property : ATTACK, EVASION, SECURITY
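The brute force property above, re-implemented as an added example so the rule can be run over a few constructed packets. This is illustrative code written for this page, not MMT's engine or any SISSDEN code. The Packet class, the then() helper, the sample addresses (RFC 5737 documentation ranges) and the sample traffic are assumptions; so is the reading that the outer 5 s window is measured from the SYN-ACK that closes the first operator to the SYN that opens the second.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# tcp.flags values used by the property: 2 = SYN only, 18 = SYN|ACK.
TCP_SYN = 2
TCP_SYN_ACK = 18
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (assumed layout, not MMT's internal one)."""
    ts: float     # capture time in seconds
    src: str      # ip.src
    dst: str      # ip.dst
    sport: int    # tcp.src_port
    dport: int    # tcp.dest_port
    flags: int    # tcp.flags


def syn_to_ssh(p: Packet, ctx: Optional[Packet] = None) -> bool:
    """Events 1, 3 and 4: a SYN to port 22.  With a context packet (event 1)
    also require the same ip.src / ip.dst, i.e. the ip.src.1 / ip.dst.1
    references in the XML."""
    if not (p.flags == TCP_SYN and p.dport == SSH_PORT and p.src != p.dst):
        return False
    return ctx is None or (p.src == ctx.src and p.dst == ctx.dst)


def syn_ack_from_ssh(p: Packet, ctx: Packet) -> bool:
    """Event 2: a SYN-ACK from port 22 travelling back to event 1's source."""
    return (p.flags == TCP_SYN_ACK and p.sport == SSH_PORT
            and p.dst == ctx.src and p.src == ctx.dst)


def then(pkts: List[Packet], after: Packet,
         pred: Callable[[Packet], bool], delay_max: float) -> Optional[Packet]:
    """THEN with delay_min="0+" and delay_max=N: the first packet satisfying
    pred strictly after `after` and at most delay_max seconds later."""
    for p in pkts:
        if 0 < p.ts - after.ts <= delay_max and pred(p):
            return p
    return None


def detect_ssh_bruteforce(packets: Iterable[Packet],
                          outer_delay: float = 5.0,
                          inner_delay: float = 3.0) -> Dict[Tuple[str, str], float]:
    """Evaluate (e1 THEN e2 <= 3 s) THEN (e3 THEN e4 <= 3 s) <= 5 s.
    Returns {(attacker, target): time of the first SYN} per matching pair.
    Assumption: the outer window runs from e2 (SYN-ACK) to e3 (next SYN)."""
    pkts = sorted(packets, key=lambda p: p.ts)
    hits: Dict[Tuple[str, str], float] = {}
    for e1 in pkts:
        if not syn_to_ssh(e1) or (e1.src, e1.dst) in hits:
            continue
        e2 = then(pkts, e1, lambda p: syn_ack_from_ssh(p, e1), inner_delay)
        if e2 is None:
            continue
        e3 = then(pkts, e2, lambda p: syn_to_ssh(p, e1), outer_delay)
        if e3 is None:
            continue
        e4 = then(pkts, e3, lambda p: syn_to_ssh(p, e1), inner_delay)
        if e4 is not None:
            hits[(e1.src, e1.dst)] = e1.ts
    return hits


# Constructed sample traffic (not real sensor data); SENSOR is the honeypot.
SENSOR = "198.51.100.10"
SAMPLE_PACKETS = [
    # 203.0.113.7: three SYNs within seconds and the SYN-ACK seen -> brute force
    Packet(0.0, "203.0.113.7", SENSOR, 40001, 22, TCP_SYN),
    Packet(0.1, SENSOR, "203.0.113.7", 22, 40001, TCP_SYN_ACK),
    Packet(1.0, "203.0.113.7", SENSOR, 40002, 22, TCP_SYN),
    Packet(1.5, "203.0.113.7", SENSOR, 40003, 22, TCP_SYN),
    # 192.0.2.99: same pattern but the retries come 10 s later -> outside the 5 s window
    Packet(0.0, "192.0.2.99", SENSOR, 50001, 22, TCP_SYN),
    Packet(0.1, SENSOR, "192.0.2.99", 22, 50001, TCP_SYN_ACK),
    Packet(10.0, "192.0.2.99", SENSOR, 50002, 22, TCP_SYN),
    Packet(10.5, "192.0.2.99", SENSOR, 50003, 22, TCP_SYN),
    # 192.0.2.50: SYNs to port 80, not covered by this property
    Packet(0.2, "192.0.2.50", SENSOR, 60001, 80, TCP_SYN),
    Packet(0.3, "192.0.2.50", SENSOR, 60002, 80, TCP_SYN),
    Packet(0.4, "192.0.2.50", SENSOR, 60003, 80, TCP_SYN),
]

if __name__ == "__main__":
    for (src, dst), ts in detect_ssh_bruteforce(SAMPLE_PACKETS).items():
        print(f"ATTACK ssh brute force: {src} -> {dst}, first SYN at t={ts}s")
```

Two caveats a practitioner would check before relying on the rule as written: tcp.flags == 2 is an equality test, so a SYN that also carries the ECN bits (CWR and ECE, flags value 194) will not satisfy event 1; and the rule observes the sensor's SYN-ACK, not the client's final ACK, so on its own it does not prove the source address was not spoofed, whatever the description says.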

EUROPEAN PERSPECTIVE

• EU-centric security awareness

• Full compliance with EU data protection requirements

• Wide coverage of the EU network

o All EU member countries included

• Simple cooperation with European entities

• Support for future EU security research and innovation

o Large-scale, publicly available curated data set based on EU sensors

• Not just promises

o Fully operational system: the entire core of the system – data collection and processing – is TRL9; novel analyses will be TRL7 prototypes.

o Post-project sustainability explicitly considered

WHERE ARE WE NOW?

• Analysis phase ongoing according to schedule

• Deliverables cover:

o Use cases

o Requirements

o List of external data sources

o Guidelines for data handling and data sharing with partners

• Backend procurement

• Pilot running for tests and analysis

• Next steps:

o Technical architecture developed by January 2017

o Activation of the operational pilot in April 2017

H2020 PROJECT ON COLLECTION OF ACTIONABLE INFORMATION

Edgardo Montes de Oca, [email protected]

Coordinator: Adam Kozakiewicz, Naukowa i Akademicka Sieć Komputerowa (NASK)

[email protected]