honeytarg Chapter Activities

Similar documents
Preventing your Network from Being Abused by Spammers

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Phishing and Banking Trojan Cases Affecting Brazil

Development of an IPv6 Honeypot

CERT.br: Mission and Services

Cybersecurity and Incident Response Initiatives: Brazil and Americas

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Incident Response and Early Warning Initiatives in Brazil

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

Fraud and Phishing Scam Response Arrangements in Brazil

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

AbuseHUB: a national Abuse Report. Clearing House. Phons Bloemen. ISD Congress September 24,

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

About Botnet, and the influence that Botnet gives to broadband ISP

_Firewall. Palo Alto. How Logtrust works with Palo Alto Networks

What legal aspects are needed to address specific ICT related issues?

CERT.AZ description as per RfC 2350

CERT-GOV-GE Activities & International Partnerships

Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.

CALNET 3 Category 7 Network Based Management Security. Table of Contents

D m i t r y S l i n k o v, C I S M SWISS C Y B E R S TO R M Black market of cybercrime in Russia

Description: Objective: Attending students will learn:

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

UNMASKCONTENT: THE CASE STUDY

Malicious Network Traffic Analysis

On and off premises technologies Which is best for you?

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

Denial of Service Attacks

Introduction of Intrusion Detection Systems

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

How To Perform A Large Scale Attack On A Large Network

Organizational internal computer security incident responding structure : CSIRT

Analysis of Network Beaconing Activity for Incident Response

Phone Fax

Report on Cyber Security Alerts Processed by CERT-RO in 2014

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

ThreatSTOP Technology Overview

Cisco IPS Tuning Overview

Network Security Incident Analysis System for Detecting Large-scale Internet Attacks

Cyber Security ( Lao PDR )

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

How To Protect A Network From Attack From A Hacker (Hbss)

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

CERT Polska operates within the framework of the Research and Academic Computer Network CERT POLSKA REPORT

Developing Cyber Threat Intelligence or not failing in battle.

Dynamic Honeypot Construction

CERT-GOV-GE Activities & Services

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

aecert Roadmap Eng. Mohammed Gheyath Director, Technical Affairs TRA

1. Exercise: Triage and Basic Incident Handling

19. Exercise: CERT participation in incident handling related to the Article 13a obligations

EINSTEIN 3 - Accelerated (E 3 A)

Cyber Security & Role of CERT-In. Dr. Gulshan Rai Director General, CERT-IN Govt. of India grai@mit.gov.in

Security Solutions for the New Threads

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

The role of JANET CSIRT

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

10. Exercise: Automation in Incident Handling

Network attack and defense

Introduction to Computer Security Benoit Donnet Academic Year

Global Cybersecurity Index Good Practices

DDoS Protection on the Security Gateway

Information Security Threat Trends

Transcription:

honeytarg Chapter Activities Marcelo Chaves mhp@cert.br! Computer Emergency Response Team Brazil - CERT.br Network Information Center Brazil - NIC.br Brazilian Internet Steering Committee - CGI.br

Agenda Our Organization and Mission Chapter activities! Distributed Honeypots Project! SpamPots Project

CERT.br Activities http://www.cert.br/about/

CGI.br and NIC.br Structure GOVERNMENT (Appointed) I. E. CIVIL SOCIETY (Elected) Executive Branch Administrative Support Legal Counsel Pubic Relations Domain Registration IP Assignment Studies and Surveys About ICT use Internet Engineering and New Projects W3C Brazilian Office 1 Ministry of Science and Technology (Coordination) 2 Ministry of Communications 3 Presidential Cabinet 4 Ministry of Defense 5 Ministry of Development, Industry and Foreign Trade 6 Ministry of Planning, Budget and Management 7 National Telecommunications Agency 8 National Council of Scientific and Technological Development 9 National Forum of Estate Science and Technology Secretaries 10 Internet Expert 11 Internet Service Providers 12 Telecommunication Infrastructure Providers 13 Hardware and Software Industries 14 General Business Sector Users 15 Non-governmental Entity 16 Non-governmental Entity 17 Non-governmental Entity 18 Non-governmental Entity 19 Academia 20 Academia 21 Academia

The Brazilian Internet Steering Committee - CGI.br CGI.br is a multi-stakeholder organization created in 1995 by the Ministries of Communications and Science and Technology to coordinate all Internet related activities in Brazil. Among the diverse responsibilities reinforced by the Presidential Decree 4.829, has as the main attributions: to propose policies and procedures related to the regulation of Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and recommend technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IP) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics http://www.cgi.br/english/

Use of Honeypots for Network Monitoring

Brazilian Distributed Honeypots Project Goal: to increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space! 51 sensors distributed in 22 cities! Hosted by 41 Partners in government, energy, telecom, ISPs, academia! Based on voluntary work! Transparent configuration no black-box! No production data is captured! Each partner can use its sensor as a complement to its own IDS Data collected is used to! Notify networks that originate attacks! Donate data to other National CSIRTs! Generate public statistics/trends http://honeytarg.cert.br/honeypots/

Architecture of the Network of Honeypots Anonymized data sent to CSIRTs and trusted partners Detailed reports just for members

Uses of the Data to Help the Community Individual Incident Notifications Only for IPs allocated to Brazil Sent to whois contacts and CSIRTs (when one exists) With anonymized logs Includes a description of the problem, how to identify compromised machines, how to recover, etc Daily donation of anonymized data To CSIRTs with national responsibility! All traffic coming from IPs allocated to the given country To organizations that share data with ISPs! Team Cymru (SSH brute force attacks and some botnet traffic)! Shadowserver Foundation (SSH brute force attacks)! Arbor ATLAS (SSH brute force attacks)

Public Statistics: Flows - Top TCP Destination Ports

Public Statistics: Port Summary

Public Statistics: Heat Maps (future work) Daily image based on flows directed to the honeypots Daily animated GIF based on syn packets seen by the honeypots (1-hour frame)

Public Statistics: Hilbert Map (future work)

SpamPots Project

SpamPots Project Network of Honeypots emulating open proxies and SMTP servers Capturing 11 million spams/day, on average Active sensors: AT (CERT.at), AU (AusCERT), BR (CERT.br and CSIRT-USP), CL (CLCERT), EC (CSIRT UTPL), NL (SURFcert), TW (TWCERT/CC), UY (CSIRT Antel) Sensor candidates: AE (aecert), AR (CSIRT Banelco and Univ. de La Plata), DE (Telekom-CERT), GR (FORTH, ICS), MY (MyCERT), PL (CERT Polska), TH (ThaiCERT), TN (TunCERT), UK (OX-CERT), US (UAB) and ZA (via SURFcert) Objectives: Measure the problem from a different point of view: abuse of infrastructure X spams received at the destination Measure the abuse of end-user machines to send spam Develop better ways to! identify phishing and malware! identify botnets via the abuse of open proxies and relays

SpamPots Project Overview of the Architecture

Spampots Project: Infrastructure monitoring

Spampots Project: Data Mining Portal (1/2) February 2012: top 15 country codes

Spampots Project: Data Mining Portal (2/2) February 2012: top 10 ASNs per country code

Improving cooperation in spam fighting Provide data to trusted parties Help their constituency to identify infected machines Identify malware and scams targeting their constituency Currently providing data about spams coming from networks assigned to! JP: to JADAC / IIJ / JPCERT/CC / Min. of Communications! TW: to NCC-TW

Links! CGI.br Brazilian Internet Steering Committee http://www.cgi.br/! NIC.br Network Information Center Brazil http://www.nic.br/! CERT.br Computer Emergency Response Team Brazil http://www.cert.br/! honeytarg honeypots for Threats and Abuse passive Reconnaissance and information Gathering http://honeytarg.cert.br/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information