20160713 2016 The Honeynet Project Annual Workshop Focus and Global Trends
2016 Honeynet Project Annual Workshop Focus and Global Trends
The Honeynet Project Taiwan Chapter
Yi-Lang Tsai
Google Me. Yi-Lang Tsai
The Honeynet Project Taiwan Chapter Leader
1st Cloud Security Alliance Taiwan Chapter Founder and Director of Research
http://blog.yilang.org Facebook: Yi-Lang Tsai
Information Security( ) Linux Guide NetAdmin 80
RHCE CCNA CCAI CEH CHFI ACIA ITIL Foundation ISO 27001 LAC ISO 20000 LAC BS10012 LAC CSA STAR Auditing
Outline
The Honeynet Project
Honeynet Project Tools
Honeynet in Taiwan
2016 Annual Workshop update
The Honeynet Project introduction
Non-profit (501c3) organization with Board of Directors.
Funded by sponsors
Global set of diverse skills and experiences.
Open Source, share all of our research and findings at no cost to the public.
Deploy networks around the world to be hacked.
Everything we capture is happening in the wild.
We have nothing to sell.
Honeynet Project Mission
A community of organizations actively researching, developing and deploying Honeynets and sharing the lessons learned.
Awareness: raise enterprises' and organizations' understanding of the threats and weaknesses present on today's networks, and go a step further to think about how to mitigate those threats.
Information: beyond basic attack activity, provide more critical data, such as the attacker's motives, how attackers communicate with each other, and what the attacker does next after compromising a host.
Tools: the Honeynet Project is dedicated to developing Open Source Tools; with these Tools we can deploy honeypot systems more efficiently and understand the current state of attack threats in the network environment.
The Honeynet Project Website
http://www.honeynet.org/
45 Chapters
Honeypot/Honeynet Technology
What is a Honeynet?
Low-Interaction / High-Interaction Honeypot
It is an architecture, not a product or software
Populate with live systems
Once compromised, data is collected to learn the tools, tactics, and motives of the Blackhat community
Value of Honeynet Research:
Identify new tools and new tactics
Profiling Blackhats
Early warning and prediction
Incident Response / Forensics
Self-defense
Honeypots
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
Primary value to most organizations is information.
Advantage and Risk
Advantage
Collect small data sets of high value
Reduce false positives
Catch new attacks, false negatives
Work in encrypted or IPv6 environments
Simple concept requiring minimal resources
Risk
Limited field of view (microscope)
Risk (mainly high-interaction honeypots)
Honeynets
High-interaction honeypot designed to capture in-depth information.
Information has different value to different organizations.
It's an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.
2016 Annual Workshop Update
San Antonio, TX, USA. May 9-11th, 2016
1 Day Briefing, 2 Days Hands-on Workshop and 2 Days Private Meeting
About 120+ attendees joined this year
Briefing Topics
17 Years of Community Leadership Lessons Learned (Lance Spitzner)
Keynote: Control Systems Cyberattacks (Kevin Owens)
ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)
Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas)
Behavioral Analysis of large amounts of Unknown Files (Lukas Rist)
Shadowserver: Updates and highlights from recent activities (David Watson)
Advancements in Computational Digital Forensics (Nicole Beebe)
Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)
Targeted attacks by Dubnium (Christian Seifert)
Integrating Human Behavior into the Development of Future Cyber terrorism Scenarios (Max Kilger)
Security and Deception in Industrial Control Systems (Lukas Rist)
Summary
17 Years of Community Leadership Lessons Learned
Lance Spitzner / The Honeynet Project Founder
Why join community projects
meet people smarter than you
a network of friends turns into a network of opportunities
gain new, international perspectives
make a difference and build your reputation
Motivation
we underestimate the power of recognition
create a positive culture
ensure people have a voice
help build their reputation / exposure
enable people to learn and grow from others
Summary
Keynote: Control Systems Cyberattacks (Kevin Owens)
Iranians Hacked From Wall Street to New York Dam, U.S. Says
http://www.bloomberg.com/news/articles/2016-03-24/u-s-charges-iranian-hackers-in-wall-street-cyberattacks-im6b43tt
New wave of cyberattacks against Ukrainian power industry
http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
Updated BlackEnergy Trojan Grows More Powerful
https://blogs.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/
Summary
ICS/SCADA Threats: What Matters and Where Honeypots Can Help (Robert Lee)
ThreatStream
https://www.anomali.com/
Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar
http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest
https://www.aei.org/publication/growing-cyberthreat-from-iran/
No, Israel's power grid wasn't hacked, but ransomware hit Israel's Electric Authority
http://www.computerworld.com/article/3026609/security/no-israels-power-grid-wasnt-hacked-but-ransomware-hit-israels-electric-authority.html
ICS-CERT
https://ics-cert.us-cert.gov/
Summary
Deep-Packet Inspection in Industrial Control Networks (Alvaro Cardenas)
Key Questions
where to deploy network monitors
how deep to look
DFA of the network protocol, communication patterns, command codes: is that enough?
protocol specification correct but false information
exact value of sensor and control commands (can't be modelled with a DFA)
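As an added illustration of the point above (example code, not from Cardenas's talk or any project), a toy monitor for a Modbus-style request/response link that pairs a DFA over protocol states and function codes with a range check on the values actually written; the well-formed but out-of-range write passes the DFA and is only caught by the value check. State names, register limits and the traffic are constructed; function codes 3 and 6 are the standard Modbus codes.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    direction: str   # "req" (master -> PLC) or "resp" (PLC -> master)
    fc: int          # Modbus function code: 3 = read holding regs, 6 = write single reg
    addr: int        # register address
    value: int = 0   # value carried by a write request (unused for reads)

# DFA over the request/response sequence: (state, direction, fc) -> next state.
# State names are constructed; only the two codes above are modelled, so any
# other (state, direction, fc) is reported as a protocol violation.
DFA = {
    ("idle", "req", 3): "pending_read",
    ("pending_read", "resp", 3): "idle",
    ("idle", "req", 6): "pending_write",
    ("pending_write", "resp", 6): "idle",
}

# Per-register process limits (min, max), constructed for this example.
# A DFA cannot express these; they come from the plant's engineering data.
LIMITS = {1: (0, 100), 2: (20, 80)}   # pump speed %, tank level setpoint %

def monitor(msgs):
    """Return (index, reason) alerts for a message sequence."""
    state, alerts = "idle", []
    for i, m in enumerate(msgs):
        nxt = DFA.get((state, m.direction, m.fc))
        if nxt is None:
            alerts.append((i, f"protocol violation: fc {m.fc} in state {state}"))
            state = "idle"   # resynchronise after a violation
            continue
        state = nxt
        # Semantic check: a syntactically valid write may still be unsafe.
        if m.direction == "req" and m.fc == 6 and m.addr in LIMITS:
            lo, hi = LIMITS[m.addr]
            if not lo <= m.value <= hi:
                alerts.append((i, f"write {m.value} to reg {m.addr} outside [{lo}, {hi}]"))
    return alerts

# Constructed traffic: a normal read, a safe write, a well-formed but
# out-of-range write, and finally a response with no matching request.
TRAFFIC = [
    Msg("req", 3, 1), Msg("resp", 3, 1),
    Msg("req", 6, 1, 60), Msg("resp", 6, 1),
    Msg("req", 6, 1, 250), Msg("resp", 6, 1),
    Msg("resp", 3, 2),
]
```

Values carried in read responses can be checked against the same limits in the same place, which is where sensor readings that are "protocol correct but false" would be caught.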
Summary
Behavioral Analysis of large amounts of Unknown Files (Lukas Rist)
(Architecture diagram: database, cloud bridge, sandbox cluster, sample workflow)
multiple sample sources flow together
chain of workers with increasing processing cost or time
known/unknown, static analysis, FRS, multi AV, emulated sandbox, iVM
plug & analysis system, write your own worker
result based routing rules
cloud watch, TSD, probabilistic data structures
Summary
Shadowserver: Updates and highlights from recent activities (David Watson)
https://www.shadowserver.org/
The Shadowserver Foundation is continually seeking to provide timely and relevant information to the security community at large. We also seek to increase our level of research and investigation into the activity we discover.
Summary
Creating Your Own Threat Intel Through Hunting and Visualization (Raffael Marty)
A new architecture: the security data lake
context, IOCs, any data -> Rules -> big data lake -> Hunting -> data science
Hunting creates internal threat intelligence
Data science in security
simple approaches work
dc(dest), dc(d_port)
what is normal?
use data science / data mining to prepare data, then visualize the output for the human analyst.
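The dc(dest), dc(d_port) idea from this slide, worked through as an added example (not from Marty's talk): distinct counts of destinations and destination ports per source are computed over constructed flow records, "normal" is taken from the population median, and the result is a small table for the analyst with outliers first. The field layout, the multiplier k and the flow data are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (src,dst,dst_port), not real data: three sources,
# one of which sweeps SSH across a subnet and then probes two more ports.
FLOWS = """\
10.0.0.5,10.0.1.10,443
10.0.0.5,10.0.1.11,443
10.0.0.5,10.0.1.10,80
10.0.0.9,10.0.1.10,443
10.0.0.9,10.0.1.10,443
10.0.0.7,10.0.1.1,22
10.0.0.7,10.0.1.2,22
10.0.0.7,10.0.1.3,22
10.0.0.7,10.0.1.4,22
10.0.0.7,10.0.1.5,22
10.0.0.7,10.0.1.6,22
10.0.0.7,10.0.1.6,3389
10.0.0.7,10.0.1.6,445
"""

def distinct_counts(text):
    """Per source: (dc(dest), dc(d_port)), the two features on the slide."""
    dests, ports = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split(",")
        dests[src].add(dst)
        ports[src].add(dport)
    return {s: (len(dests[s]), len(ports[s])) for s in dests}

def outliers(counts, k=2.0):
    """Answer 'what is normal?' with the population itself: flag a source whose
    dc(dest) or dc(d_port) is more than k times the median (k is an assumption).
    Returns (src, feature, value) rows for an analyst to review."""
    rows = []
    for col, name in ((0, "dc(dest)"), (1, "dc(d_port)")):
        baseline = median(v[col] for v in counts.values())
        for src, v in sorted(counts.items()):
            if v[col] > k * baseline:
                rows.append((src, name, v[col]))
    return rows

def report(text):
    """Table for the human analyst: every source with its two counts, outliers first."""
    counts = distinct_counts(text)
    flagged = {src for src, _, _ in outliers(counts)}
    order = sorted(counts, key=lambda s: (s not in flagged, s))
    return [(s, counts[s][0], counts[s][1], s in flagged) for s in order]
```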
Honeypot Update
Monitoring DDoS attacks with DDoSPot (Luka Milković)
Criteria:
no dummy services
rate limiting
db storage, state restore and parsable logs
simple and not resource-intensive
statistics
hpfeeds
Smart XXX Risk in Future
Google Self-Driving Car on City Streets
ICT/SCADA High Risk
Conpot
Malware Knowledge Base in Taiwan owl.nchc.org.tw
Malware Knowledge Base, hosted by the National Center for High-performance Computing, is a malware analysis platform that observes and records system behaviors conducted by analysis objects in a controlled environment with various types of dynamic analysis tools.
The mission of Malware Knowledge Base is to strengthen malware research and promote security innovations in both academia and industry.
By providing malware-related resources, Malware Knowledge Base can contribute to security research and make the Internet a safer place.
Next session… Honeypot Flash Live Show.
Kean Song Tan (Malaysia Chapter), Ching Hsiung Hsu (Taiwan Chapter)