Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Cazando cibercriminales con:
OSINT + Cloud Computing + Big Data
Chema Alonso
(@chemaalonso)
Problem: Cybercrime in Android
Problem: Cybercrime in Google Play
OSINT (Open Source Intelligence)
• OSINT is the art and science of creating
ethical, evidence-based decision support using...
Tacyt
• Goal: Build an OSINT platform
–Android Markets
• Google Play Included
• Process all data related to apps &
markets...
Tacyt
• Real Time integration of apps
• Real Time processing of filters
• Interactive Console
• Cross-Market analysis
• Cr...
Tacyt Demo 1:
Fake Apps + Fake Devs
Shuaban Botnet
Shuaban Botnet
Tacyt Demo 2:
Shuabang Botnet
Tacyt
• Apply some intelligence to the way attackers
work on Google Play. Anomalies & Singularities.
• Do not concentrate ...
Tacyt
• We need to know our enemies and what
makes them singular.
• Android apps are APK, which are just Java files, which...
Gremlin App
Gremlin App
Buying Gremlin Apps
• But…. What apps make sense to mutate?
APT Providers: Gremlin apps for
targeted attacks
• Lets find some applications that fit with different
target profile.
• T...
“Perfet” Target Apps
• How to select the perfect set of applications for an APT
once the reconnaissance of the victim has ...
APT Providers: Gremlin apps for
targeted attacks
permissionName:"android.permission.GET_ACCOUNTS" permissionName:"android....
Tacyt Demo 3:
Profiling Attack - Clicker
Examples: Research and
clusterization
• We can correlate data and cluster apps:
– From an app, we can include the person o...
Tacyt Demo 4:
JSDialers
Tacyt
• Allows to correlate data and detect
–Anomalies
–Singularities
• Helps to search quickly in a Big Data of
apps
• He...
“Apache Storm is a free and open source distributed
realtime computation system. Storm makes it easy to
reliably process u...
DRAIN
BOLT
SPOUT
BOLT
DRAIN
DRAIN
SPOUT
Sinfonier
+ + =
Drag & Drop
Interface
Automatic
Deploy API
(Nightly version)
Storm
Cluster
How It works
Sinfonier Topologies
Tacyt + Sinfonier
Faast (Vamps)
Conclusions
• Cybercrime in Apps is huge
• Research in Google Play is not easy
• Tacyt allows to
– Discover and Investigat...
Summary
• Cybercrime in Apps is huge
• Research in Google Play is not easy
• Tacyt (Path 5) allows to
– Discover and Inves...
¿Questions?
• If you want give a try to
TACYT, contact me!
• http://www.elevenpaths.com
• Chema Alonso
• @chemalonso
• che...
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Upcoming SlideShare
Loading in …5
×
Upcoming SlideShare
New Paradigms of Digital Identity: Authentication & Authorization as a Service (AuthaaS)
Next
Download to read offline and view in fullscreen.

4

Share

Download to read offline

Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data

Download to read offline

Diapositivas de la presentación impartida por Chema Alonso durante el congreso CELAES 2015 el 15 de Octubre en Panamá. En ella se habla de cómo en Eleven Paths y Telefónica se utilizan las tecnologías Tacyt, Sinfonier y Faast para luchar contra el e-crime.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data

  1. 1. Cazando cibercriminales con: OSINT + Cloud Computing + Big Data Chema Alonso (@chemaalonso)
  2. 2. Problem: Cybercrime in Android
  3. 3. Problem: Cybercrime in Google Play
  4. 4. OSINT (Open Source Intelligence) • OSINT is the art and science of creating ethical, evidence-based decision support using only open sources and methods, legal and ethical in every respect. – Big data to store & process – Analytic toolkits to detect patterns and anomalies • Beyond that, OSINT is all about humans- analysts who can think, and deciders who can listen. Robert David Steele on OSINT - 2014
  5. 5. Tacyt • Goal: Build an OSINT platform –Android Markets • Google Play Included • Process all data related to apps & markets –Build up a Big Data –Build a real time processing tool for analyst –Create connections to other security tools
  6. 6. Tacyt • Real Time integration of apps • Real Time processing of filters • Interactive Console • Cross-Market analysis • Cross-Time results (Dead apps) • API
  7. 7. Tacyt Demo 1: Fake Apps + Fake Devs
  8. 8. Shuaban Botnet
  9. 9. Shuaban Botnet
  10. 10. Tacyt Demo 2: Shuabang Botnet
  11. 11. Tacyt • Apply some intelligence to the way attackers work on Google Play. Anomalies & Singularities. • Do not concentrate on DETECTING, but on CORRELATING data. Detecting is difficult, but once you know your enemy and with the right amount of information and data, correlating is easy. • We try to find singularities • Avoid code. Code is a wall you go against again and again. Attackers know how to avoid being detected.
  12. 12. Tacyt • We need to know our enemies and what makes them singular. • Android apps are APK, which are just Java files, which are just ZIP files signed with a selfsigned certificate. We have identified and dissected most of the technical characteristics. • Android apps are hosted in Google Play, with a developer, comments, descriptions, images, versions, categories… • There is plenty of information. Almost 50 “checkpoints”.
  13. 13. Gremlin App
  14. 14. Gremlin App
  15. 15. Buying Gremlin Apps • But…. What apps make sense to mutate?
  16. 16. APT Providers: Gremlin apps for targeted attacks • Lets find some applications that fit with different target profile. • These apps needs to be attractive but don’t seem to provide a critical functionality because It is needed that once they are installed, keep under the radar. • We need a rich porfolio of applications.
  17. 17. “Perfet” Target Apps • How to select the perfect set of applications for an APT once the reconnaissance of the victim has been achieved.
  18. 18. APT Providers: Gremlin apps for targeted attacks permissionName:"android.permission.GET_ACCOUNTS" permissionName:"android.permission.INTERNET" permissionName:"android.permission.READ_EXTERNAL_STORAGE" permissionName:"android.permission.READ_PHONE_STATE" permissionName:"android.permission.ACCESS_NETWORK_STATE
  19. 19. Tacyt Demo 3: Profiling Attack - Clicker
  20. 20. Examples: Research and clusterization • We can correlate data and cluster apps: – From an app, we can include the person or company who made it and correlate it with other developers in which account they hide. – We can detect anomalies: developers uploading 50 apps in a row? Developers sharing exactly the same files in their APK? Developers sharing images? APKs with just a second of developing time?...
  21. 21. Tacyt Demo 4: JSDialers
  22. 22. Tacyt • Allows to correlate data and detect –Anomalies –Singularities • Helps to search quickly in a Big Data of apps • Helps to avoid code in detecting cybercrime • Provides an API to be an OSINT and integrate with other tools.
  23. 23. “Apache Storm is a free and open source distributed realtime computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch processing. Storm is simple, can be used with any programming language, and is a lot of fun to use! “ Sinfonier
  24. 24. DRAIN BOLT SPOUT BOLT DRAIN DRAIN SPOUT Sinfonier
  25. 25. + + = Drag & Drop Interface Automatic Deploy API (Nightly version) Storm Cluster How It works
  26. 26. Sinfonier Topologies
  27. 27. Tacyt + Sinfonier
  28. 28. Faast (Vamps)
  29. 29. Conclusions • Cybercrime in Apps is huge • Research in Google Play is not easy • Tacyt allows to – Discover and Investigate anomalies & singularities – Cross-Market – Cross-Time • Synfonier helps to – integrate other sources – Automate Intelligence Generation • Faast help us to reduce security Windows – Managing vulnerabilites in a persistent way
  30. 30. Summary • Cybercrime in Apps is huge • Research in Google Play is not easy • Tacyt (Path 5) allows to – Discover and Investigate anomalies & singularities – Cross-Market – Cross-Time • Security Enforcement en Markets is NECESSARY
  31. 31. ¿Questions? • If you want give a try to TACYT, contact me! • http://www.elevenpaths.com • Chema Alonso • @chemalonso • chema@11paths.com • http://www.elladodelmal.com
  • DiegoEspitia6

    May. 10, 2016
  • biosoundsystems

    Dec. 5, 2015
  • willymtx

    Nov. 4, 2015
  • tyr747148

    Oct. 18, 2015

Diapositivas de la presentación impartida por Chema Alonso durante el congreso CELAES 2015 el 15 de Octubre en Panamá. En ella se habla de cómo en Eleven Paths y Telefónica se utilizan las tecnologías Tacyt, Sinfonier y Faast para luchar contra el e-crime.

Views

Total views

3,292

On Slideshare

0

From embeds

0

Number of embeds

92

Actions

Downloads

105

Shares

0

Comments

0

Likes

4

×