Incident Response and Early Warning Initiatives in Brazil

Similar documents
Distributed Honeypots Project: How It s Being Useful for CERT.br

Incident Handling and Internet Security in Brazil

CERT.br: Mission and Services

Cybersecurity and Incident Response Initiatives: Brazil and Americas

Incident Handling in Brazil

CERT.br Incident Handling and Network Monitoring Activities

honeytarg Chapter Activities

Use of Honeypots for Network Monitoring and Situational Awareness

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Information Security Awareness Videos

Monitoring the Abuse of Open Proxies for Sending Spam

Challenges and Best Practices in Fighting Financial Fraud in Brazil

Development of an IPv6 Honeypot

Preventing your Network from Being Abused by Spammers

Spampots Project First Results of the International Phase and its Regional Utilization

Spampots Project Mapping the Abuse of Internet Infrastructure by Spammers

Phishing and Banking Trojan Cases Affecting Brazil

The Global ecrime Outlook CERT.br National Report

Fraud and Phishing Scam Response Arrangements in Brazil

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

A Multistakeholder Effort to Reduce Spam The Case of Brazil

IX.br - Brasil Internet Exchange - Participants Diversity - 27th Euro-IX - 27 Oct Berlin, Germany IX.br Engineering Team <eng@ix.

PTTMetro - PTT.br The Brazilian Metropolitan IXP Project

BEST PRACTICES FOR LOCAL MULTISTAKEHOLDER INTERNET GOVERNANCE STRUCTURES. Hartmut Richard Glaser Executive-Secretary of CGI.br

Evolution of Financial Fraud in Brazil

HoneyBOT User Guide A Windows based honeypot solution

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

Peering in Brazil - Americas Interconnection Summit - April 7-10, 2015 in San Diego, CA - PTT.br <eng@ptt.br> - 1

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Mauro Andreolini University of Modena Michele Colajanni. unimore.

CLARA: Security in Latin American Academic Networks

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

Cyber security Country Experience: Establishment of Information Security Projects.

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

CALNET 3 Category 7 Network Based Management Security. Table of Contents

How To Protect A Network From Attack From A Hacker (Hbss)

RNP Experiences and Expectations in Future Internet R&D

Security Management. Keeping the IT Security Administrator Busy

Dynamic Honeypot Construction

Traffic Monitoring : Experience

Second-generation (GenII) honeypots

Honeypot as the Intruder Detection System

THE ROLE OF IDS & ADS IN NETWORK SECURITY

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

PROFESSIONAL SECURITY SYSTEMS

IDS / IPS. James E. Thiel S.W.A.T.

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

INTRUSION DETECTION SYSTEMS and Network Security

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Securing the system using honeypot in cloud computing environment

Simplicity Value Documentation 3.5/5 5/5 4.5/5 Functionality Performance Overall 4/5 4.5/5 86%

Securing Web Applications...at the Network Layer

Palo Alto Networks. October 6

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Networking for Caribbean Development

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Firewalls & Intrusion Detection

Εmerging Ways to Protect your Network

Security Toolsets for ISP Defense

Internet Security Firewalls

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Intrusion Detection Systems (IDS)

Configuring Security for SMTP Traffic

Network Service, Systems and Data Communications Monitoring Policy

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Network reconnaissance and IDS

Application Firewalls

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

8. Firewall Design & Implementation

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Erasmus Mundus External Cooperation Windows. EU-BRAZIL STARTUP Call for applications outcome 08/02/2010

Glasnost or Tyranny? You Can Have Secure and Open Networks!

How to build and run a Security Operations Center

Xerox Multifunction Devices. Network Configuration. Domain 2. Domino Server 2. Notes. MIME to Notes. Port. Domino. Server 1.

Taxonomy of Intrusion Detection System

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Cisco Security Intelligence Operations

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

C. Universal Threat Management C.4. Defenses

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

SESA Securing with Cisco Security Appliance Parts 1 and 2

DDoS Protection on the Security Gateway

Chapter 9 Firewalls and Intrusion Prevention Systems

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

Firewalls and Intrusion Detection

CIT 480: Securing Computer Systems. Incident Response and Honeypots

The Information Security Problem

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Configuration Example

Transcription:

Incident Response and Early Warning Initiatives in Brazil Marcelo H. P. C. Chaves mhp@cert.br Computer Emergency Response Team Brazil CERT.br http://www.cert.br/ Brazilian Internet Steering Committee http://www.cgi.br/ Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.1/35

Overview CERT.br The CERT.br Sponsor Mission, constituency and services Initiatives Early Warning Motivation The honeypots network public and private statistics and use in incident response Advantages, disadvantages and future work Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.2/35

CGI.br / CERT.br Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.3/35

CGI.br The CERT.br Sponsor The Brazilian Internet Steering Committee (CGI.br) created by the Interministerial Ordinance Nº 147, of May 31st 1995 altered by the Presidential Decree Nº 4,829, of September 3rd 2003 It is a multistakeholder organization composed of: sector Federal Government Corporate sector representatives number Ministries of Science and Technology, Communications, Defense, Industry, etc, 9 and Telcos Regulatory Agency (ANATEL) Industry, Telcos, ISPs, users 4 NGO s Sci. and Tech. Community Non profit organizations, etc Academia Internet expert 4 3 1 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.4/35

CGI.br The CERT.br Sponsor (cont.) Brazilian Internet Steering Committe s main attributions: to propose policies and procedures related to the regulation of Internet activities; to recommend standards for technical and operational procedures for the Internet in Brazil; to establish strategic directives related to the use and development of Internet in Brazil; to promote studies and technical standards for the network and services security in the country; to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br>; to collect, organize and disseminate information on Internet services, including indicators and statistics. Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.5/35

CGI.br The CERT.br Sponsor (cont.) Brazilian Internet Steering Committee Network Information Center Computer Emergency Response Team Brazil Domain Registration Internet Exchange Points Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.6/35

CERT.br Mission: An organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity related to networks connected to the Brazilian Internet. Constituency: Brazil - Internet.br domain and IP addresses assigned to Brazil. Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.7/35

CERT.br (cont.) Services: provide a focal point for reporting incidents related to Brazilian networks; provide coordinated support in incident response; establish collaborative relationships (law enforcement, service providers, telephone companies, financial sector, etc); increase security awareness and help new CSIRTs to establish their activities; CERT.br is a member of FIRST http://www.first.org/ Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.8/35

CERT.br Initiatives Produce technical documents in Portuguese Maintain statistics (incidents and spam) Anti-Phishing Working Group Research Partner detect malware enabled fraud notify hosting sites send samples to 20+ AV vendors Honeypots and Honeynets research Honeynet Research Alliance Member Brazilian Honeypots Alliance - Distributed Honeypots Project Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.9/35

CERT.br Initiatives (cont.) CSIRT Development: Training: SEI Partner for 4 CERT /CC courses * Creating a Computer Security Incident Response Team * Managing Computer Security Incident Response Teams * Fundamentals of Incident Handling * Advanced Incident Handling for Technical Staff 140+ people trained Help new teams creation Maintain a list of Brazilian CSIRTs Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.10/35

Brazilian CSIRTs http://www.cert.br/contact-br.html Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.11/35

CGI.br Initiatives sponsors 2 meetings/conferences free of charge per year, to the security and network communities (GTS/GTER) inoc-dba BR project to stimulate Brazilian networks to join the inoc-dba global network 100 IP phones were provided to ASNs 20 IP phones were provided to CSIRTs recognized by CERT.br inoc-dba global hotline phone system which directly interconnects the Network Operations Centers and Security Incident Response Teams Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.12/35

CGI.br Initiatives (cont.) Task Force on Spam (CT-Spam) to propose a national strategy to fight spam to articulate the actions among the different actors documents created Technologies and Policies to Fight Spam technical analysis of international antispam laws and brazilian proposals of new laws Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.13/35

Early Warning Initiative Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.14/35

Motivation Have a national early warning capability with the following characteristics: Widely distributed across the country in several ASNs and geographical locations Based on voluntary work of research partners High level of privacy for the members Useful for Incident Response Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.15/35

The Honeypots Network Brazilian Honeypots Alliance Distributed Honeypots Project Coordination: CERT.br Computer Emergency Response Team Brazil Brazilian Internet Steering Committee CenPRA Research Center Ministry of Science and Technology Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.16/35

The Honeypots Network (cont.) Technical requirements: secure configuration follow the project s standards (OS, configurations, updates, etc) no data pollution Privacy concerns (in a NDA): don t disclose IP/network information don t collect production network traffic don t exchange any information in clear text Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.17/35

The Honeypots Network (cont.) The architecture: low interaction honeypots OpenBSD + Honeyd using a netblock range emulating services (HTTP, SMTP, malwares backdoors, etc) a central server collects logs and uploaded malware performs a status check in all honeypots Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.18/35

The Honeypots Network (cont.) 31 research partner s institutions: Academia, Government, Industry, Military and Telcos networks They provide: hardware and network blocks (usually a /24) maintenance of their own honeypots Use the data for intrusion detection purposes less false positives than traditional IDSs Several have more than one honeypot Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.19/35

The Honeypots Network (cont.) # City Institutions 01 São José dos Campos INPE, ITA 02 Rio de Janeiro CBPF, Fiocruz, IME, PUC-RIO, RedeRio, UFRJ 03 São Paulo ANSP, CERT.br, Diveo, Durand, UNESP, USP 04 Campinas CenPRA, ITAL, HP Brazil, UNICAMP, UNICAMP FEEC 05 São José do Rio Preto UNESP 06 Piracicaba USP 07 Brasília Brasil Telecom, Ministry of Justice, TCU, UNB LabRedes 08 Natal UFRN 09 Petrópolis LNCC 10 Porto Alegre CERT-RS 11 Ribeirão Preto USP 12 São Carlos USP 13 Taubaté UNITAU 14 Florianópolis UFSC DAS 15 Americana VIVAX 16 Manaus VIVAX 17 Joinville UDESC 18 Lins FPTE 19 Uberlândia CTBC Telecom Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.20/35

The Honeypots Network (cont.) As of October, 2005 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.21/35

Early Warning Private Statistics summaries including: specific information for each honeypot most active IPs, OSs, ports, protocols and Country Codes correlated activities (ports and IPs) Public Statistics: combined daily flows seen in the honeypots most active OSs, TCP/UDP ports and Country Codes (CC) * the top ports, OSs and CCs are calculated every day Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.22/35

Early Warning (cont.) Usefulness: observation of trends detect scans for potential new vulnerabilities partner institutions are detecting promptly: outbreaks of new worms/bots compromised servers network configuration errors collect new signatures and new malware Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.23/35

Public Statistics Generation convert the raw network data into flow data compute the amount of bytes/packets received by each port (or OS or CC) select the top 10 to plot the remaining will be displayed as others use RRDtool and ORCA to generate the flows graphics stack area graphics logarithmic scale Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.24/35

Public Statistics Generation (cont.) make pflog2flows.pl pflog files fprobe network flows flow capture flow files flow files flow print ascii flow files cidrgrep ascii flow files (filtered) ascii flow files (filtered) flow2ports.pl flow2cc.pl flow2srcos.pl TOP 10 tcp, TOP 10 udp, TOP 10 cc, TOP 10 srcos files Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.25/35

Public Statistics Generation (cont.) TOP 10 tcp TOP 10 udp TOP 10 cc TOP 10 srcos make honeyd stats.pl for each TOP 10 <type> file make orca stats.pl for each 4 hour data run ORCA feed RRDTool database PNG file PNG file store image for 4 hour period store daily image HTML files HTML file create HTML files store TOP 10 <type> files store daily file Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.26/35

Public Statistics Top UDP Ports September 17, 2005 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.27/35

Public Statistics Top TCP Ports September 21, 2005 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.28/35

Public Statistics Top Country Codes September 21, 2005 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.29/35

Public Statistics Top Source OS September 13, 2005 Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.30/35

Incident Response Identify signatures of well known malicious/abusive activities worms, bots, scans, spam and other malware Notify the responsible networks of the Brazilian IPs with recovery tips Donate sanitized data of non-brazilian IPs to other CSIRTs (e.g. Team Cymru) Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.31/35

Architecture advantages Few false positives Ability to collect malware samples specific listeners: mydoom, kuang, subseven, etc. Ability to implement spam traps Permits the members expertise s improvement in several areas: honeypots, intrusion detection, PGP, firewalls, OS hardening Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.32/35

Architecture disadvantages It s more difficult to maintain Usually don t catch attacks targeted to production networks Need the partners cooperation to maintain and update the honeypots Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.33/35

Future Work Continuously expand the network 4 new partners in installation phase 17 partner candidates Have more frequent private summaries Provide monthy, weekly, and hourly public statistics Increase data donation to trusted parties Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.34/35

Related Links This presentation http://www.cert.br/docs/palestras/ Computer Emergency Response Team Brazil CERT.br http://www.cert.br/ Brazilian Internet Steering Comittee CGI.br http://www.cgi.br/ Brazilian Honeypots Alliance Distributed Honeypots Project http://www.honeypots-alliance.org.br/ Brazilian Honeypots Alliance Statistics http://www.honeypots-alliance.org.br/stats/ The Honeynet Research Alliance http://project.honeynet.org/alliance/ Conferencia Internacional sobre Seguridad Informática Buenos Aires October/2005 p.35/35

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information