OWASP InfoSec India Conference 2012
August 24th – 25th, 2012
Hotel Crowne Plaza, Gurgaon
The OWASP Foundation
http://www.owasp.org
http://www.owasp.in

Real-Time Evaluation of National Network Exposure to Emerging Threats

Fyodor Yarochkin
Academia Sinica
P1Sec
fy@iis.sinica.edu.tw

    OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Yarochkin Fyodor?

● 10+ years infosec & dev experience
● PhD candidate (NTU & Academia Sinica)
● Open source enthusiast
● http://www.o0o.nu
● Research interests: intrusion detection, correlation, vulnerability research

Also...

This research is part of:
● The Cloud Security Intelligence Project
● and numerous open source projects...

Introduction

Infosec community vs. …

● Graphic: "Research" vs. "crime" (source: http://recipeforlowhangingfruit.com/)

What makes these things interesting:

● Globalization of the crime scene (local laws don't matter)
● Volumes of micro-transactions → stealing $1 USD from 1,000,000 victims still makes $1,000,000 USD, and also makes AML measures useless
● There are other means of taking control over wealth than stealing cash...

Variations of a “wallet”

Getting the global picture

● Collect and analyze massive amounts of data
● Be able to catch the 'lowest hanging fruits'

Challenges

● Getting the raw data is non-trivial (and requires some social engineering ;-))
● The amount of data is massive: not suitable for single-machine processing, and often not even suitable for storage in original form due to volume

HoneyNet/SCIC
“Know yer Internet” project

Disclaimer

● This is research in progress
● Semi-public access possible, talk to me
● Contributions highly anticipated
● Each particular idea isn't that novel (portscanning and banner grabbing is very 1997 ;-)) but hopefully the fusion of concepts is interesting

Motivation

● Answer questions like:
    – “What is the risk of Taiwan networks being owned, now?”
    – New worm outbreak: identify potential victims and enforce patching through automated notification
    – Identify regional threats, i.e. what are the most exploited vulnerabilities in Taiwan networks?
    – Cooperation with CERT, etc.

Motivation

● Real-time understanding of exposure levels at large scale
● Threats to “mom and pop” machines as “low-hanging fruit”
● Making use of data from honeypots to evaluate level of exposure, emerging threats, etc.
● Have some fun responding to abuse emails ;-)

Understanding the threat

● Server honeypots (mainly Python scripts simulating services)
● Client-side honeypots (VM farms)
● Static analysis (crawling, pattern mining, etc.)

“Low hanging fruit” simulation

● Have VM farms running
● Have server honeypots (with some Romanian kids bruteforcing SSH passwords all the time ;))
● Crawl networks at large (Alexa top 1,000,000, but not only)
● Exploit detection via payload/behavior analysis
● Additional enhancements to detect variations (user behavior simulation, hopping through VPN endpoints to detect local threats, etc.)

Not really a full-fledged Cuckoobox

● Focus on detecting exploitation
● Lightweight version of a browser
● Heavily bundled with static analysis tools

VM farm capacity

● On average we can do 10-20 seconds per URL render per VM, with an average of 10+15 VMs/machine
● Off-load the VM farm by doing lots of pattern matching first (use the VM as a last resort)

So..

● We have some data on what's going on in the net. How do we map this to the network infrastructure we're trying to protect (at organization or country level)...
● Or maybe see what “*unnamed-country*” is up to :)

Inspirations

● LHKF → “Low Hanging Kiwi Fruit” talk/after-talk by Adam “MetlStorm” → geo-targeted net recon – internet-wide scanning on 4 ports
● Shodan-HQ
● Some academic papers

Scanning whole internet.. rly?

Take home notes

● Targets seeded from BGP routes
● On average it takes a day to complete an Internet-wide scan on a single protocol
● Potentially generates a large number of abuse reports

Architecture

● Network port discovery (agents)
● Banner collection (agents)
● Backend store: SOLR
● Collectibles: services and ports, OS fingerprints, ASN/owner/netblock/country, geographical location
● Risk evaluation → honeypots (VMs, service simulation)

Architecture (2)

● Roughly something like that (architecture diagram)

Approach

● Scan slowly (avoid abuse reports)
● Index time
● Passive “mapper” (simple sniffer + browser fingerprinting at the moment)
● Larger range of ports (account for port numbers which are actively being scanned, taken from firewall log analysis, honeypot machines, etc.)

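The last item above says the port list should be driven by what is actually being probed, as seen in firewall logs and on honeypots. The following Python is an added example, not code from the talk or the SCIC project, showing one way to derive that list from iptables-style drop records: count distinct source addresses per destination port and keep only ports probed by several unrelated sources, so a single noisy host does not define the profile. The log lines, the `FW-DROP` prefix and the baseline port set are constructed for the example.

```python
"""Rank destination ports by how many distinct sources probe them (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format; the "FW-DROP"/"FW-ACCEPT"
# prefixes are an assumed log-prefix convention, and all addresses come from
# the RFC 5737 documentation ranges, so they refer to no real host.
SAMPLE_LOG = """\
Jun 12 03:14:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 12 03:14:06 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 12 03:15:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.42 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 12 03:16:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=3389 SYN
Jun 12 03:16:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.12 PROTO=TCP SPT=6001 DPT=3389 SYN
Jun 12 03:16:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.13 PROTO=TCP SPT=6002 DPT=3389 SYN
Jun 12 03:17:30 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.10 PROTO=UDP SPT=5060 DPT=5060
Jun 12 03:18:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51300 DPT=8080 SYN
Jun 12 03:18:05 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.10 PROTO=TCP SPT=44444 DPT=443 SYN
this line is not a firewall record and is skipped
"""

# Pull the three fields we need; the lazy ".*?" skips DST=/SPT= between them.
FIELD_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, proto, dport) for a dropped probe, or None for anything else."""
    if "FW-DROP" not in line:
        return None  # accepted traffic and non-firewall lines are not probes
    m = FIELD_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def scanned_ports(lines, min_sources=2):
    """List of ((proto, port), distinct_sources) for ports probed by at least
    `min_sources` different addresses, most-probed first."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            src, proto, dport = rec
            sources[(proto, dport)].add(src)  # a set, so repeats from one host count once
    ranked = {k: len(v) for k, v in sources.items() if len(v) >= min_sources}
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))


def extra_ports(lines, baseline, min_sources=2):
    """Ports worth adding to the scanning profile: actively probed but not yet in `baseline`."""
    return [key for key, _ in scanned_ports(lines, min_sources) if key not in baseline]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), n in scanned_ports(lines):
        print(f"{proto}/{port}: probed by {n} distinct sources")
    print("add to profile:", extra_ports(lines, baseline={("TCP", 22), ("TCP", 80)}))
```

Run on the constructed log, TCP/3389 (three sources) and TCP/22 (two sources) survive the threshold, while UDP/5060 and TCP/8080, each seen from a single address, are dropped as noise; against a baseline of 22 and 80, only 3389 is reported as a port to add. The same counting works over honeypot connection logs once a `parse_line` for that format is supplied.
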
Sample search

A word on spatial search

http://www.mhaller.de/archives/156-Spatial-search-with-Lucene.html

Seeding for targets: random?

● ASN/whois data to mine targets seems like a good start

(xkcd.net again :p)

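The Architecture slide lists ASN/owner/netblock/country among the collectibles and SOLR as the store, and this slide proposes ASN/whois data as the seed. The following Python is an added example, not code from the talk or the SCIC project, showing the enrichment and aggregation step that joins those two: each observed service is matched to its netblock by longest-prefix match against a BGP/whois-derived prefix table, flattened into a SOLR-style document, and exposure is summed per country and per ASN so a national-level answer can be read off. The prefix table, the observations, the document field names and the per-port exposure weights are all constructed assumptions.

```python
"""Enrich observed services with ASN/country and aggregate exposure (added example)."""
import ipaddress
from collections import defaultdict

# Constructed prefix table standing in for BGP/whois-derived netblocks.
# Addresses are RFC 5737 documentation ranges; the ASNs are private-use numbers
# and the owner names are made up.
PREFIXES = [
    ("203.0.113.0/24",  64500, "Example Telecom", "TW"),
    ("203.0.113.0/26",  64501, "Example Campus",  "TW"),  # more specific: wins for .0-.63
    ("198.51.100.0/24", 64502, "Example Hosting", "SG"),
]

# Constructed observations as a port-discovery/banner agent would report them.
OBSERVATIONS = [
    ("203.0.113.5",  22,   "SSH-2.0-OpenSSH_5.3"),
    ("203.0.113.5",  80,   "Apache"),
    ("203.0.113.70", 23,   "telnet login:"),
    ("203.0.113.71", 3389, ""),
    ("198.51.100.9", 1433, ""),
    ("198.51.100.9", 22,   "SSH-1.99-Cisco-1.25"),
    ("192.0.2.1",    80,   "nginx"),  # no prefix covers this host
]

# Hypothetical per-port exposure weights: a policy knob, not a value from the slides.
PORT_WEIGHT = {22: 1, 80: 1, 23: 5, 3389: 4, 1433: 4}


def lookup_prefix(ip, prefixes=PREFIXES):
    """Longest-prefix match: returns (asn, owner, country) or None if unrouted/unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, asn, owner, cc in prefixes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner, cc)
    return None if best is None else best[1:]


def to_document(ip, port, banner, prefixes=PREFIXES):
    """Flat SOLR-style document for one observation (field names are assumed)."""
    meta = lookup_prefix(ip, prefixes)
    asn, owner, cc = meta if meta else (None, None, None)
    return {
        "id": f"{ip}:{port}",
        "ip": ip, "port": port, "banner": banner,
        "asn": asn, "owner": owner, "country": cc,
        "weight": PORT_WEIGHT.get(port, 0),
    }


def exposure(observations, prefixes=PREFIXES):
    """Sum exposure weights per country and per ASN; hosts with no prefix go to 'unknown'."""
    by_country, by_asn = defaultdict(int), defaultdict(int)
    for ip, port, banner in observations:
        doc = to_document(ip, port, banner, prefixes)
        by_country[doc["country"] or "unknown"] += doc["weight"]
        by_asn[doc["asn"] or "unknown"] += doc["weight"]
    return dict(by_country), dict(by_asn)


if __name__ == "__main__":
    by_country, by_asn = exposure(OBSERVATIONS)
    for cc, score in sorted(by_country.items(), key=lambda kv: -kv[1]):
        print(f"country {cc}: exposure {score}")
    for asn, score in sorted(by_asn.items(), key=lambda kv: -kv[1]):
        print(f"ASN {asn}: exposure {score}")
```

On the constructed data the /26 beats the /24 for 203.0.113.5, so its two services are credited to AS64501, while the telnet and RDP hosts in the rest of the /24 land on AS64500; the host that matches no prefix is kept under "unknown" rather than silently dropped, which is the bucket to watch when the prefix table is stale. Swapping the weight table for one keyed on banner patterns is how the risk-evaluation stage of the architecture would feed back into the same aggregation.
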
Some stats from VM farms

Charts: Call-back source (by country); Browser vuln distribution (as detected)

Unanswered questions

● Threat detection results are very specific to the VM farm environment
● Realistic survey of client machines – need passive agents at large ISPs
● Honeypot usability questionable
● .. throw yours :)

HoneyNet

● Let's see the videoz
● We get hits like that every day :p

Cat and mouse game

● Of course all of this is easy to evade once you know the method. But security is always a 'cat-n-mouse' game ;-)

Demo time

● Let's look at some videos :)

Conclusions

Contact us:
benson.wu@gmail.com
fygrave@gmail.com
