
CONFIDENTIAL & PROPRIETARY: All materials contained in this document cannot be reproduced in whole or in part, distributed, published or shared with any other third parties (except to the extent necessary solely for the purpose of receiving legal, accounting or other professional advice) without the prior written consent of KDDI, Inc.


Workshop on “India’s 5G Vision: 2020” jointly with

Twentieth GISFI Standardization Series Meeting (GSSM)

“Collaboration on Cyber Security”

Detailed Results

Security Operations Center, KDDI Corporation, Japan

Takemasa Kamatani

2015/3/14


activities toward the next GSFI meeting

1. PRACTICE project overview
2. Cyber attacks recently monitored by PRACTICE system
3. Activities and outcomes of the PRACTICE project


3/21/2015

Overview of the PRACTICE Project

[Figure: sensors, honeypots and infected hosts at collaborating partners outside of Japan and in Japan send cyber-attack data and malware samples to the monitoring system.]

We’re trying to build a world-wide threat monitoring system in collaboration with our partners outside of Japan.

○ Goal: The final goal is to protect users from malware infection and malicious activities in cyberspace proactively and to reduce the damage.

○ Outline: In cooperation with ISPs, universities and security organizations, we’re carrying out research and practical development of cyber-security technologies which enable early detection of cyber-attacks.

・ Sharing of cyber-attack and malware information
・ Collaboration on implementation and improvement of the ability to respond quickly
・ Development of countermeasures against cyber-attacks


Collaboration with India

Oct 3, 2013   Japan-India ICT Public-Private Partnership Dialogue
Aug 22, 2014  Sensor implementation at NEC India (Chennai) and start of cyber-attack data sharing
Sep 1, 2014   Brainstorming Workshop on 5G Standardization: WISDOM
Mar 13, 2015  This meeting (second joint workshop of GISFI & PRACTICE)


Organization

- MIC organizes PRACTICE, which has Implementing Organizations and a Supporting Organization.
- The Implementing Organizations are the ISP association (i.e. Telecom ISAC Japan) and related companies as the “field trial” part, and research institutes or security-related companies as the “R&D” part.

Implementing Organizations
• Institute of Systems, Information Technologies and Nanotechnologies
• Japan Datacom Co., Ltd.
• KDDI R&D Laboratories
• SecureBrain Corporation
• Yokohama National University

Supporting Organization
- Technical support based on NICT’s excellent expertise
- NICT provides darknet sensors
- NICT provides captured data and the results of its analysis

Research and practical development of technologies which investigate symptoms of cyber attacks.

Demonstration test of the developed technologies toward quick and proactive response based on cooperation among ISPs.

[Figure: visualization of cyber-attacks; partner countries exchange data & alerts, data & expertise, and data & analysis results with the project.]


Project Scope

This project is focused on cyber attacks caused by malware that have a significant impact on ISP services.

Methods of cyber-attacks:
- Malware: botnet (C&C, P2P), worm diffusion, web defacement (malware distribution site), malware-attached e-mail, induction to malware distribution sites via e-mail or SNS
- Malware / social engineering
- Social engineering

Types of cyber-attacks: DDoS attack, large-scale spam, information leakage, targeted attack, phishing, web defacement / hacking

Objects that should be protected by the ISP (for each of the types above): ISP’s facilities and ISP customers


2. Cyber attacks recently monitored by PRACTICE system


DDoS attacks against Japanese Government web site (1)

The Japanese governmental web site “japan.kantei.go.jp” (http://japan.kantei.go.jp/), which introduces the activities of both the Prime Minister of Japan and his cabinet, was attacked on January 2, 2015.

The PRACTICE team could monitor and raise alerts on these attacks using its own DRDoS attack monitoring system named “DRDoS Honeypot”.

Network Information (whois):
a. [Network Number]          202.32.211.128/25
b. [Network Name]            KANTEI25
g. [Organization]            Cabinet Secretariat
m. [Administrative Contact]  ST10240JP
n. [Technical Contact]       ST10240JP
p. [Nameserver]
   [Assigned Date]           2013/06/25
   [Return Date]
   [Last Update]             2013/06/25 12:08:04(JST)


DDoS attacks against Japanese Government web site (2)

【detect time】       January 2, 19:00:42-20:00:45 (1 hour)
【monitoring system】 DRDoS Honeypots
【types of attack】   NTP Amp attack
【target】           202.32.211.142 / port 80 (Kantei Web site http://japan.kantei.go.jp)

[Figure: time-series data (pps) against the targeted host]

NTP Amp attacks of approximately 1,000 pps were monitored by our DRDoS Honeypots.


PRACTICE project activities summary

DRDoS attacks infrastructure

Many network security researchers say that not just a few network protocols are utilized to execute DDoS attacks. A huge number of forwarders that expose open services of the network protocols listed below exist on the internet. DoS attackers utilize these forwarders to execute DRDoS attacks.

[Figure: table of amplification protocols, from Christian Rossow: Amplification Hell: Revisiting Network Protocols for DDoS Abuse, NDSS 2014]


Open SSDP service on the internet

There are many open SSDP services provided by PCs or servers on the internet in Japan now, as shown in the figure below.

These PCs or servers can be the forwarders of DRDoS attacks. This situation is serious for ISPs in Japan.

We have already finished configuring our DRDoS Honeypot to monitor this type of attack. The SSDP Amp attack alert service started on February 19, 2015.

[Figure: Open Simple Service Discovery Protocol (SSDP) Scanning Project, https://ssdpscan.shadowserver.org/]


DDoS attacks against Indian governmental DNS server

【detect time】       Feb 23, 21:17:54-22:49:03 (1.5 hours)
【monitoring system】 DRDoS Honeypots
【types of attack】   SSDP Amp attack
【target】           203.153.47.251 (National Informatics Centre (R12-AFIN), DNS server)

SSDP Amp attacks of approximately more than 1,00pps, lasting 1.5 hours, were monitored by our DRDoS Honeypots.


Economic damage of financial malware in Japan

The cyber security force of the Japanese Metropolitan Police Department reports that the economic damage caused by financial malware targeting online banking services keeps rising. It reached 1,100 million yen by the end of 2013.

We’re trying to reduce this growing economic damage by putting our countermeasure techniques into practice and responding to this type of attack at a very early stage.

[Figure: phishing and malware damage by year]
Year 2011: 56 target banks, 165 incidents, damage cost 300 million yen
Year 2013: 25 target banks, 1,125 incidents, damage cost 1,100 million yen


Financial malware activities monitored by PRACTICE

Updates of configuration information were confirmed through long-term monitoring & analysis of the financial malware named VAWTRAK → we’re preparing to send alerts on these types of updates.

Date          Topics (updated information)
July 2014     Started monitoring & analyzing VAWTRAK malware
July 15       Configuration information used to target 20 Japanese credit card corporations
July 18       Configuration information used to target 11 domestic regional banks
July 29, 31   Information that invalidates anti-unauthorized-remittance software functions
Aug 13        Update of the domain names of the external hosts with which this malware communicates
Aug 13        Deletion of attack information for the targeted domestic credit card corporations (attacks on banks remain)
Sep 19        Configuration information used to target Yahoo auction and large online shopping sites


3. Activities and outcomes of the PRACTICE project


DRDoS Honeypots (alerting system)

[Figure: DRDoS attack detection. DDoS attackers send requests to reflectors, among which DRDoS Honeypots are placed; the honeypots send e-mail alerts (victim host’s IP, detected time, protocol, domain name) to network operators, who counter the attack with the DDoS countermeasure system on the backbone in front of the victim host.]

Countermeasures against DDoS attacks
・ DRDoS attack detection by utilizing DRDoS Honeypots
・ DRDoS Honeypots are implemented as forwarders to get early information
・ Operators are notified by early alerts of DRDoS attacks ⇒ 86% of alerts were notified earlier than by existing systems


DRDoS attack e-mail alert example

Early alerts for ISP operators (from 2014/10): DRDoS attack start time & end time notification

DRDoS attack detection notification:

  This e-mail is a notification of a DRDoS attack to the victim host in your country.
  [Victim host IP] XXX.XXX.XXX.XXX
  [detection time] 2014-11-13 23:57:37
  [protocol] DNS : port 53
  [Detail data]
    AS number : "AS2516 KDDI KDDI CORPORATION"
    country : "Japan"
    pps(max) : 2.2
    pps(average) : 1.1416666666666666
  [domain name] "wradish.com ANY IN":137

DRDoS attack end time notification:

  This e-mail tells you the termination of a previously notified DRDoS attack to the victim host in your country.
  [Victim host IP] XXX.XXX.XXX.XXX
  [end time] 2014-11-13 23:57:37
  [protocol] DNS : port 53
  [Detail data]
    AS number : "AS2516 KDDI KDDI CORPORATION"
    country : "Japan"
    pps(max) : 2.2
    pps(average) : 1.1416666666666666
  [domain name] "wradish.com ANY IN":137
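The two slides above describe the mechanism (the honeypot answers like an open reflector, so every request it receives carries the victim’s spoofed source address) and the notification layout. The following is an added example, not PRACTICE or KDDI code, of how such a honeypot can turn its request log into start/end alerts with the pps(max) and pps(average) fields shown above. The log records, the thresholds START_PPS and QUIET_SECS, and the interpretation of the number after the domain name as a request count are all assumptions; the AS number and country fields need an external lookup that this offline example does not perform.

```python
"""Added example (not PRACTICE/KDDI code): a DRDoS-honeypot style alerter.

A DRDoS honeypot behaves like an open reflector, so the source address of
every request it receives is the spoofed address of the victim. Counting
requests per (source IP, protocol) per second therefore gives the packet
rate aimed at each victim. All records are constructed sample data and the
thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

START_PPS = 2.0    # assumption: per-second request count that opens an attack
QUIET_SECS = 60    # assumption: silence (seconds) after which an attack is closed


def _rec(ts, src, proto, query):
    return {"ts": ts, "src": src, "proto": proto, "query": query}


# Constructed honeypot log (TEST-NET addresses). 192.0.2.10 is hit with
# 3,2,2,3,1 DNS requests in five consecutive seconds; 198.51.100.7 gets one.
_BASE = datetime(2014, 11, 13, 23, 57, 37)
SAMPLE_LOG = [
    _rec(_BASE + timedelta(seconds=sec), "192.0.2.10", "DNS : port 53", "example.net ANY IN")
    for sec, n in enumerate([3, 2, 2, 3, 1])
    for _ in range(n)
] + [_rec(_BASE, "198.51.100.7", "DNS : port 53", "example.org A IN")]


def bucket_per_second(records):
    """Group requests by (victim IP, protocol) into per-second counts
    plus a tally of the queried names."""
    buckets = defaultdict(lambda: {"per_sec": Counter(), "queries": Counter()})
    for r in records:
        b = buckets[(r["src"], r["proto"])]
        b["per_sec"][r["ts"].replace(microsecond=0)] += 1
        b["queries"][r["query"]] += 1
    return buckets


def _close(active):
    duration = (active["last"] - active["start"]).total_seconds() + 1
    return {
        "victim": active["victim"], "protocol": active["protocol"],
        "start": active["start"], "end": active["last"],
        "packets": active["packets"], "pps_max": active["max"],
        "pps_avg": active["packets"] / duration, "domain": active["domain"],
    }


def detect_attacks(records, start_pps=START_PPS, quiet_secs=QUIET_SECS):
    """Return one record per detected attack, with start/end and pps statistics."""
    attacks = []
    for (victim, proto), b in bucket_per_second(records).items():
        domain = b["queries"].most_common(1)[0][0]
        active = None
        for sec in sorted(b["per_sec"]):
            count = b["per_sec"][sec]
            # A long gap since the last request closes the current attack.
            if active and (sec - active["last"]).total_seconds() > quiet_secs:
                attacks.append(_close(active))
                active = None
            if active is None:
                if count >= start_pps:   # below the threshold is background noise
                    active = {"victim": victim, "protocol": proto, "domain": domain,
                              "start": sec, "last": sec, "max": count, "packets": count}
                continue
            active["last"] = sec
            active["max"] = max(active["max"], count)
            active["packets"] += count
        if active:
            attacks.append(_close(active))
    return attacks


def format_alert(attack, ended=False):
    """Render an attack in the notification layout of the slide. AS number and
    country would come from an external lookup, hence the placeholders."""
    kind = "end time" if ended else "detection time"
    when = attack["end"] if ended else attack["start"]
    head = ("This e-mail tells you the termination of a previously notified DRDoS attack"
            if ended else "This e-mail is a notification of a DRDoS attack")
    return "\n".join([
        f"{head} to the victim host in your country.",
        f"[Victim host IP] {attack['victim']}",
        f"[{kind}] {when:%Y-%m-%d %H:%M:%S}",
        f"[protocol] {attack['protocol']}",
        "[Detail data]",
        '  AS number : "<AS lookup not performed>"',
        '  country : "<country lookup not performed>"',
        f"  pps(max) : {attack['pps_max']}",
        f"  pps(average) : {attack['pps_avg']}",
        f"[domain name] \"{attack['domain']}\":{attack['packets']}",
    ])


if __name__ == "__main__":
    for a in detect_attacks(SAMPLE_LOG):
        print(format_alert(a))
        print()
        print(format_alert(a, ended=True))
```

The end notification is only sent once the victim has been quiet for QUIET_SECS, which is why the honeypot in the slides reports the end time separately from the start: the average rate is not known until the attack stops.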


Results (Aug – Dec 2014, 4 months)

We carried out an evaluation of how well this DRDoS Honeypot system could detect real DRDoS attacks. The honeypot could detect real DRDoS attacks with more than 56 percent accuracy. More than 86% of real DRDoS attacks were detected earlier than by the existing DoS attack detection system.


Malware detail analysis using sandboxes

[Figure: malware analysis using a sandbox (P2P). Malware samples collected by the honeypot are run in a sandbox connected to the internet; the sandbox observes malicious traffic to the P2P network on the internet (Zero Access), downloaded plug-ins (DLL) and other malware.]

Long-term analysis of malware activities
• Capturing malware samples: we use (server/client) type honeypots
• Carry out long-term malware analysis in our sandbox, which is connected to the internet
• Parallel execution of approximately 100 sandboxes on a single piece of hardware
• P2P type malware, financial malware, botnet type malware
• Make early alerts which help quick response against cyber-attacks that originate from the same types of malware as those in the sandbox


What is a financial malware?

The growing financial malware in Japan is a newer type that tries to bypass secure information technologies. Not just a few financial malware families use the MITB (man in the browser) method in order to steal money from online banking customers.

This type of financial malware usually communicates with several kinds of malicious servers on the internet (you can see the VAWTRAK malware’s case below).

C&C servers distribute configuration information to infected hosts, as follows:
- URLs of targeted financial organizations
- Malicious scripts that are activated when online banking customers access the above URLs

Manipulation servers distribute the following information to infected hosts:
- JavaScript
- Payee’s account information to be used to gain unauthorized remittance
and collect the following information:
- Information associated with financial transactions


Behavior of the financial malware

[Figure: behavior of the financial malware]


Alerts from malware analysis (draft)


Outcomes from darknet analysis

Basic data to be shared with our collaborative partner’s country:
1) Cyber attack information captured in Japan by the LEU located in Japan (/20 network)
2) Cyber attack information captured in our partner’s country

Results of analysis can also be shared with our collaborative partner’s country:
3) Symptoms of attack behavior
4) Attack similarity and specificity

[Figure: darknet traffic visualization; legend ■UDP ■TCP SYN ■TCP SYN/ACK ■TCP Other ■ICMP]

1) The information is visualized by means of the tool developed by NICT. Using this information, cyber-attack behaviors (mainly SCANs) toward Japan can be observed. Each country can compare this trend of attacks with that of its own country (see 2) below).

2) Cyber-attack information targeted at your own country is visualized by means of the tool developed by NICT, based on the data captured from darknet space in your country.

3) Based on data mining and other analysis methods, you will get symptoms of cyber-attacks at a very early stage of the attack behavior. For example, “a new type of scan is being observed in a synchronized manner among several sensors” will be reported.

4) Based on several analysis engines, your country can grasp similar attack behaviors observed by many sensors located all over the world. This information can be shared among all our collaborative partners; therefore, your country should be aware of such propagation of an attack for a proactive response. On the other hand, attack behavior specific to your country can be reported; in this case, your country will be required to take special measures against the specific attack observed only in your country (shared only with your country).


Detail results of analysis

In 2014 there were many vulnerabilities related to specific software and port numbers (Heartbleed, Shellshock, etc.).

By means of international darknet monitoring, we found specific port scanning behavior increasing simultaneously in many countries.

This part shows a method that detects such scans with simple analysis.


How to detect the specific port scan behavior

The method is carried out in the following steps:
1. Comparing with the number of port attacks one month ago, the method detects a tenfold increase in port attacks for each country and then issues a country-level alert.
2. If the same country-level alerts are issued from 3 or more countries, then issue a global alert.


Country-level alert

We defined Amp_Rate to evaluate the increase of scanning hosts.

- Calculate the Amp_Rate for each destination port and protocol.
- If an Amp_Rate reaches 10, issue a country-level alert.

$$
\mathrm{Amp\_Rate} = \frac{\text{number of unique IP addresses that scanned the same port in the last 24 h}}{\text{average number of unique IP addresses per day that scanned the same port 24--30 days ago}}
$$


Global alert

If country-level alerts are issued on the same port from 3 or more countries in 7 days, then issue a global alert.

In the current implementation, the system processes darknet traffic every 1 minute and issues only 1 alert per day on each port.

[Figure: example timeline (t) of country-level alerts in Country A, Country B and Country C leading to a Global Alert]
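The three slides above (the two steps, the Amp_Rate definition and the global-alert rule) are enough to implement the detector end to end. The following is an added example, not the PRACTICE or NICT implementation, that runs the two stages over a constructed table of unique scanning-source counts per day, the kind of aggregate a darknet sensor produces per destination port and protocol. The thresholds come from the slides; the country names, the reference day D0, the daily granularity (the slides say the real system runs every minute but alerts once per day per port), and the baseline floor BASELINE_FLOOR used to avoid dividing by zero on a port never seen before are assumptions.

```python
"""Added example (not the PRACTICE/NICT implementation): Amp_Rate ->
country-level alert -> global alert over constructed per-day counts of
unique scanning IP addresses, keyed by (country, protocol, port).
"""
from collections import defaultdict
from datetime import date, timedelta

AMP_THRESHOLD = 10             # from the slides: Amp_Rate >= 10 -> country-level alert
BASELINE_DAYS = range(24, 31)  # from the slides: average over 24-30 days ago
MIN_COUNTRIES = 3              # from the slides
GLOBAL_WINDOW_DAYS = 7         # from the slides
BASELINE_FLOOR = 1.0           # assumption: floor for ports with an empty baseline

D0 = date(2014, 12, 10)        # constructed reference day


def constructed_series(baseline, spikes):
    """Unique scanning IPs per day for D0-30 .. D0+5, overridden on spike days."""
    return {D0 + timedelta(days=i): spikes.get(D0 + timedelta(days=i), baseline)
            for i in range(-30, 6)}


# Countries A, C and E spike on D0, D three days later (as on the 5000/tcp
# slide further down), B barely moves; 22/tcp is busy but not anomalous.
SAMPLE = {
    ("A", "tcp", 5000): constructed_series(2, {D0: 25}),
    ("C", "tcp", 5000): constructed_series(2, {D0: 30}),
    ("E", "tcp", 5000): constructed_series(2, {D0: 21}),
    ("D", "tcp", 5000): constructed_series(2, {D0 + timedelta(days=3): 40}),
    ("B", "tcp", 5000): constructed_series(2, {D0: 3}),
    ("A", "tcp", 22): constructed_series(50, {D0: 60}),
}
EVAL_DAYS = [D0 + timedelta(days=i) for i in range(-1, 6)]


def amp_rate(series, day):
    """Unique scanners on `day` divided by the mean daily count 24-30 days earlier."""
    current = series.get(day, 0)
    baseline = sum(series.get(day - timedelta(days=d), 0) for d in BASELINE_DAYS) / len(BASELINE_DAYS)
    return current / max(baseline, BASELINE_FLOOR)


def country_level_alerts(data, days, threshold=AMP_THRESHOLD):
    """One alert per (country, port, day) whose Amp_Rate reaches the threshold."""
    alerts = []
    for (country, proto, port), series in data.items():
        for day in days:
            rate = amp_rate(series, day)
            if rate >= threshold:
                alerts.append({"country": country, "protocol": proto, "port": port,
                               "day": day, "amp_rate": rate})
    alerts.sort(key=lambda a: (a["day"], a["country"], a["port"]))
    return alerts


def global_alerts(alerts, min_countries=MIN_COUNTRIES, window=GLOBAL_WINDOW_DAYS):
    """Global alert when >= min_countries distinct countries alerted on the same
    port within `window` days. A second global alert for the same port is
    suppressed for one window, so a long campaign yields one alert, not one per day."""
    by_port = defaultdict(list)
    for a in alerts:
        by_port[(a["protocol"], a["port"])].append(a)
    out = []
    for (proto, port), items in by_port.items():
        items.sort(key=lambda a: a["day"])
        last_issued = None
        for a in items:
            earliest = a["day"] - timedelta(days=window - 1)
            countries = sorted({x["country"] for x in items
                                if earliest <= x["day"] <= a["day"]})
            if len(countries) < min_countries:
                continue
            if last_issued and (a["day"] - last_issued).days < window:
                continue
            out.append({"protocol": proto, "port": port, "day": a["day"],
                        "countries": countries})
            last_issued = a["day"]
    return out


if __name__ == "__main__":
    country = country_level_alerts(SAMPLE, EVAL_DAYS)
    for a in country:
        print(f"{a['day']} country-level alert: {a['country']} {a['port']}/{a['protocol']} "
              f"Amp_Rate={a['amp_rate']:.1f}")
    for g in global_alerts(country):
        print(f"{g['day']} GLOBAL alert on {g['port']}/{g['protocol']} from {g['countries']}")
```

With this input the global alert fires on D0, the first day on which three countries cross the threshold; Country D’s later spike is absorbed into the same 7-day window rather than raising a second global alert.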


Alerts in 12 months (2014/2-2015/1)

Our system issued alerts on 90 distinct TCP ports; 1,113 alerts were issued in the last 5 months.

[Figure: number of alerts per day, 01/Oct/’14 – 01/Feb/’15, y-axis 0–40]


SHODAN, Rapid7, Shadow Server...

There are several security projects, such as SHODAN, Rapid7 and Shadowserver, that perform port scans to search for vulnerable devices.

[Figure: the IP address of a scanning host (x.x.x.x) is attributed by DNS reverse lookup, e.g. to censusY.shodan.io]


SHODAN scanned 58 ports in 12 months (2014/2-2015/2); 71% of the alerts were caused by SHODAN.

Sometimes SHODAN scanned the same port persistently -> we found alerts issued over 20 times on the same port.

[Figure: alerts split into “By SHODAN” and “Not SHODAN”]
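The attribution step on the previous two slides (reverse DNS on the scanning host, then checking whether the name belongs to a known research scanner) is simple but easy to get subtly wrong: the match has to be on whole DNS labels, case-insensitively, and a missing PTR record must not crash the pipeline. The following is an added example, not PRACTICE’s tooling, that labels constructed alerts this way and computes the share attributable to SHODAN plus the ports it hit repeatedly. The shodan.io domain is taken from the slide; the PTR table and the alert list are constructed stand-ins for real lookups so the code runs offline.

```python
"""Added example (not PRACTICE's own tooling): attribute port-scan alerts to
known research scanners via the reverse-DNS name of the scanning host.
The PTR table and the alerts are constructed so the example runs offline.
"""
from collections import Counter

# Domains of research scanners to recognise. shodan.io comes from the slide;
# a team would extend this table with the other projects it sees.
KNOWN_SCANNERS = {
    "shodan.io": "SHODAN",
}

# Constructed PTR answers for the scanning hosts referenced in the alerts.
PTR_TABLE = {
    "192.0.2.1": "census1.shodan.io.",
    "192.0.2.2": "census12.shodan.io",
    "192.0.2.3": "scanner.example.net",
    "192.0.2.4": "host.notshodan.io",   # must NOT match: not a shodan.io subdomain
    "192.0.2.5": None,                  # no PTR record
    "192.0.2.6": "CENSUS3.SHODAN.IO",   # case differs
}

# Constructed country-level alerts: destination port and scanning source.
CONSTRUCTED_ALERTS = [
    {"port": 5000, "src": "192.0.2.1"},
    {"port": 5000, "src": "192.0.2.2"},
    {"port": 5000, "src": "192.0.2.6"},
    {"port": 22, "src": "192.0.2.1"},
    {"port": 32764, "src": "192.0.2.3"},
    {"port": 32764, "src": "192.0.2.4"},
    {"port": 10000, "src": "192.0.2.5"},
    {"port": 10000, "src": "192.0.2.2"},
]


def scanner_family(ptr_name, known=KNOWN_SCANNERS):
    """Map a PTR name to a scanner family by whole-label suffix match.
    Returns None for no PTR or an unknown domain."""
    if not ptr_name:
        return None
    labels = ptr_name.rstrip(".").lower().split(".")
    for domain, family in known.items():
        dl = domain.lower().split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return family
    return None


def attribute_alerts(alerts, ptr_table, known=KNOWN_SCANNERS):
    """Label each alert with its scanner family and summarise the split."""
    labelled = []
    for a in alerts:
        ptr = ptr_table.get(a["src"])
        labelled.append({**a, "ptr": ptr, "scanner": scanner_family(ptr, known)})
    counts = Counter(a["scanner"] or "unattributed" for a in labelled)
    total = len(labelled)
    known_total = total - counts.get("unattributed", 0)
    return {"alerts": labelled, "counts": dict(counts),
            "share_known": known_total / total if total else 0.0}


def persistent_ports(labelled, family, min_alerts=2):
    """Ports on which one scanner family triggered at least `min_alerts` alerts."""
    per_port = Counter(a["port"] for a in labelled if a["scanner"] == family)
    return sorted(p for p, n in per_port.items() if n >= min_alerts)


if __name__ == "__main__":
    result = attribute_alerts(CONSTRUCTED_ALERTS, PTR_TABLE)
    print(result["counts"], f"share attributable: {result['share_known']:.0%}")
    print("ports hit repeatedly by SHODAN:", persistent_ports(result["alerts"], "SHODAN"))
```

Alerts that a known research scanner accounts for can be reported separately from the rest, which is what the “By SHODAN / Not SHODAN” split above does; they are still worth keeping, since a persistently scanned port tells the ISP which services the scanners currently consider interesting.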


We found some alerts on IoT (Internet of Things) related ports.

Examples:
- 32764/tcp -> router’s unofficial backdoor
- 58455/tcp -> backdoor used by an IoT worm (Linux.Darlloz)
- 10000/tcp -> used by Webmin; Shellshock-related port
- 5000/tcp -> vulnerability in the Web UI of a NAS device


Vulnerability of Synology’s NAS (5000/TCP)

Vulnerability in the Web UI on 5000/TCP of Synology’s NAS: the scanner first sends HTTP GET /webman/info.cgi?host= to check the version and then sends exploits. Using this vulnerability, it is possible to remotely send and execute arbitrary code.


Scans on Synology’s NAS (5000/TCP)

[Figure: Amp_Rate per country over time; annotations: “Detected on Country A, C, E”, “5 days later”, “Reached peak on country D 3 days later”]


Schedule

Steps Ⅰ–Ⅳ:
- Deploying our cyber-attack monitoring system outside of Japan; information sharing with our partners
- Input cyber attack detection technologies to the Field Trial part & carry out some trials of security measures in Japan
- Establishment of cyber attack information & analysis result sharing and a collaborative relationship
- Trial of prevention & minimization of the damage based on the R&D technologies

【Step Ⅰ】 Cyber-attack information sharing started on Aug 22
【Step Ⅱ】 E-mail alert system for ISPs in Japan started operation on Oct 2
【Step Ⅲ】 Outcomes will be shared with our partners outside of Japan
【Step Ⅳ】 Outcomes from other analysis systems will be utilized to carry out the field trial