Real-Time Evaluation of National Network Exposure to Emerging Threats - Fyodor Yarochkin - OWASP India Conference 2012

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
763
On SlideShare
0
From Embeds
0
Number of Embeds
36
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Real time evaluation of national network exposure to emerging threats - fyodor yarochkin

  1. OWASP InfoSec India Conference 2012, August 24th – 25th, 2012. The OWASP Foundation. Hotel Crowne Plaza, Gurgaon. http://www.owasp.org http://www.owasp.in
     Real-Time Evaluation of National Network Exposure to Emerging Threats
     Fyodor Yarochkin, Academia Sinica / P1Sec, fy@iis.sinica.edu.tw
     OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  2. Yarochkin Fyodor?
     ● 10+ years infosec & dev experience
     ● PhD candidate (NTU & Academia Sinica)
     ● Open source enthusiast
     ● http://www.o0o.nu
     ● Research interests: intrusion detection, correlation, vulnerability research
  3. Also...
     ● This research is part of The Cloud Security Intelligence Project and numerous open source projects...
  4. Introduction
  5. Infosec community vs. …
     ● Graphic: http://recipeforlowhangingfruit.com/ (research vs. crime)
  6. What makes these things interesting:
     ● Globalization of the crime scene (local laws don't matter)
     ● Volumes of micro-transactions → stealing $1 USD from 1,000,000 victims still makes $1,000,000 USD, and it also makes AML measures useless (each individual transaction is too small to flag)
     ● There are other means of taking control over wealth than stealing cash..
  7. Variations of a "wallet"
  8. Getting the global picture
     ● Collect and analyze massive amounts of data
     ● Be able to catch the lowest-hanging fruit
  9. Challenges
     ● Getting the raw data is non-trivial (and requires some social engineering ;-))
     ● The amount of data is massive: not suitable for single-machine processing, and often not even suitable for storage in its original form due to volume
  10. HoneyNet/SCIC "Know yer Internet" project
  11. Disclaimer
     ● This is research in progress
     ● Semi-public access possible, talk to me
     ● Contributions highly anticipated
     ● None of the individual ideas is that novel (port scanning and banner grabbing is very 1997 ;-)) but hopefully the fusion of concepts is interesting
  12. Motivation
     ● Answer questions like:
       – "What is the risk of Taiwan networks being owned, now?"
       – New worm outbreak: identify potential victims and enforce patching through automated notification
       – Identify regional threats, i.e. what are the most exploited vulnerabilities in Taiwan networks
       – Cooperation with CERT, etc.
  13. Motivation
     ● Real-time understanding of exposure levels at large scale
     ● Threats to "mom and pop" machines as "low-hanging fruit"
     ● Making use of data from honeypots to evaluate the level of exposure, emerging threats, etc.
     ● Have some fun responding to abuse emails ;-)
  14. Understanding the threat
     ● Server honeypots (mainly Python scripts simulating services)
     ● Client-side honeypots (VM farms)
     ● Static analysis (crawling, pattern mining, etc.)
  15. "Low hanging fruit" simulation
     ● Have VM farms running
     ● Have server honeypots (with some Romanian kids brute-forcing SSH passwords all the time ;))
     ● Crawl networks at large (Alexa top 1,000,000, but not only)
     ● Exploit detection via payload/behavior analysis
     ● Additional enhancements to detect variations (user behavior simulation, hopping through VPN endpoints to detect local threats, etc.)
  16. Not really a full-fledged Cuckoobox
     ● Focus on detecting exploitation
     ● Lightweight version of a browser
     ● Heavily bundled with static analysis tools
  17. VM farm capacity
     ● On average 10-20 seconds per URL render per VM; on average 10-15 VMs per machine
     ● Off-load the VM farm by doing lots of pattern matching first (use the VM as a last resort)
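The "pattern matching first, VM as a last resort" triage of slide 17, as an added example (not code from the talk or from the HoneyNet/SCIC project): a static pre-filter scores each fetched page against a small rule set and only pages at or above a threshold are handed to the VM farm, which is what turns a farm of 10-15 VMs per machine at 10-20 seconds per render into enough capacity for a crawl of Alexa-scale lists. The rule set and weights, `VM_THRESHOLD`, the `triage`/`needs_vm`/`crawl_capacity` names and both sample pages are assumptions constructed for this illustration.

```python
"""Static pre-filter in front of the VM farm: render in a VM only when it
looks worth the 10-20 seconds.

Added example, not the project's code. RULES, the weights, VM_THRESHOLD and
the two sample pages are assumptions constructed for this illustration.
"""
import re

# (name, pattern, weight): cheap signals of exploit-kit landing pages.
RULES = [
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:width=['\"]?0\b|height=['\"]?0\b|display:\s*none)", re.I), 3),
    ("eval_unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I), 3),
    ("long_escaped_blob", re.compile(
        r"(?:%u[0-9a-f]{4}){8,}|(?:\\x[0-9a-f]{2}){16,}", re.I), 2),
    ("fromcharcode", re.compile(r"String\.fromCharCode", re.I), 1),
    ("doc_write_script", re.compile(r"document\.write\s*\(\s*[\"']\s*<script", re.I), 1),
]
VM_THRESHOLD = 3  # assumption: at or above this score the URL goes to a VM


def triage(html):
    """Score a fetched page; returns (score, names of the rules that fired)."""
    score, fired = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(html):
            score += weight
            fired.append(name)
    return score, fired


def needs_vm(html):
    """True when the page should be rendered in the VM farm."""
    return triage(html)[0] >= VM_THRESHOLD


def crawl_capacity(vms, secs_per_url=20, vm_fraction=1.0):
    """Crawled URLs per hour the farm sustains when only vm_fraction of them
    reach a VM (vm_fraction=1.0 means no pre-filter at all)."""
    renders_per_hour = vms * 3600 / secs_per_url
    return renders_per_hour / vm_fraction


# Constructed sample pages: one plain page, one with a hidden iframe and an
# eval(unescape(...)) of a long %u-escaped blob.
BENIGN_PAGE = '<html><body><h1>Hello</h1><script>var a = 1;</script></body></html>'
SUSPECT_PAGE = (
    '<html><iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
    '<script>eval(unescape("' + "%u9090" * 8 + '"))</script></html>'
)

if __name__ == "__main__":
    for page in (BENIGN_PAGE, SUSPECT_PAGE):
        print(triage(page), "-> VM" if needs_vm(page) else "-> skip")
    # 4 hosts x 15 VMs, 20 s per render, pre-filter passes 10% of URLs on.
    print(crawl_capacity(60, 20, 0.1), "crawled URLs/hour")
```

The weights are deliberately coarse: a single cheap signal (one `String.fromCharCode`) never reaches the VM on its own, while a hidden iframe or `eval(unescape(...))` does, because those are the cases where only real rendering settles the question. Anything the rules let through is, by design, the traffic the VM farm was bought for.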
  18. So..
     ● We have some data on what's going on in the net. How do we map this to the network infrastructure we're trying to protect (at organization or country level)...
     ● Or maybe see what "*unnamed-country*" is up to :)
  19. Inspirations
     ● LHKF → "Low Hanging Kiwi Fruit" talk/after-talk by Adam "MetlStorm" → geo-targeted net recon
     ● Shodan-HQ: internet-wide scanning on 4 ports
     ● Some academic papers
  20. Scanning the whole Internet.. really?
  21. Take home notes
     ● Targets seeded from BGP routes
     ● On average it takes a day to complete an Internet-wide scan on a single protocol
     ● Potentially generates a large number of abuse reports
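Seeding targets from BGP routes and pacing the scan (slide 21), as an added example rather than the project's own agent code: a constructed routing-table excerpt is filtered against a do-not-scan list, prefixes contained in a larger announced prefix are dropped so no host is probed twice, and probes are interleaved round-robin across netblocks so that no single network owner sees a burst from the scanner, which is the usual way to keep the abuse reports down. `BGP_TABLE`, `EXCLUDE`, the function names and the routable-address figure used with `required_pps` are assumptions.

```python
"""Seed Internet-scan targets from BGP routes and pace the scan.

Added example, not the project's scanning agent. BGP_TABLE and EXCLUDE are
constructed stand-ins for a BGP/whois dump and a do-not-scan list.
"""
import ipaddress

# Constructed routing-table excerpt: (prefix, origin ASN, country code).
BGP_TABLE = [
    ("203.0.113.0/24", 64500, "TW"),
    ("198.51.100.0/25", 64501, "TW"),   # more-specific of the /24 below: dropped
    ("198.51.100.0/24", 64501, "TW"),
    ("192.0.2.0/24", 64502, "IN"),
    ("10.0.0.0/8", 64503, "TW"),        # private space: must never be probed
]

# Constructed do-not-scan list (RFC 1918, loopback, multicast).
EXCLUDE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "224.0.0.0/4")]


def seed_prefixes(table, country=None):
    """Non-overlapping, scannable prefixes (optionally for one country only)."""
    candidates = []
    for prefix, asn, cc in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if country and cc != country:
            continue
        if any(net.overlaps(x) for x in EXCLUDE):
            continue
        candidates.append((net, asn, cc))
    nets = [n for n, _, _ in candidates]
    # Drop any prefix strictly contained in another one so no host is hit twice.
    return [(n, asn, cc) for n, asn, cc in candidates
            if not any(o != n and n.subnet_of(o) for o in nets)]


def interleave_targets(prefixes):
    """Yield (ip, asn, country) round-robin across prefixes.

    Consecutive probes land in different netblocks, so no single owner sees
    a burst from the scanner; that is what keeps the abuse mailbox quiet.
    """
    cursors = [(iter(net.hosts()), asn, cc) for net, asn, cc in prefixes]
    while cursors:
        alive = []
        for hosts, asn, cc in cursors:
            ip = next(hosts, None)
            if ip is not None:
                yield str(ip), asn, cc
                alive.append((hosts, asn, cc))
        cursors = alive


def required_pps(n_targets, budget_seconds=86400):
    """Probe rate needed to cover n_targets within the budget (default: one day)."""
    return n_targets / budget_seconds


if __name__ == "__main__":
    prefixes = seed_prefixes(BGP_TABLE)
    targets = list(interleave_targets(prefixes))
    print(len(prefixes), "prefixes,", len(targets), "targets; first probes:",
          [t[0] for t in targets[:3]])
    # Single-protocol Internet-wide budget (assumption: ~3.7e9 routable IPv4 addresses).
    print("pps to finish in a day:", round(required_pps(3_700_000_000)))
```

Restricting `seed_prefixes` to one country is what turns an Internet-wide sweep into the national view the talk is after; the same interleaving then spreads the load over that country's ASNs instead of walking one provider's space end to end.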
  22. Architecture
     ● Network port discovery (agents)
     ● Banner collection (agents)
     ● Backend store: SOLR
     ● Collectibles: services and ports, OS fingerprints, ASN/owner/netblock/country, geographical location
     ● Risk evaluation → honeypots (VMs, service simulation)
  23. Architecture (2)
     ● Roughly something like that (diagram)
  24. Approach
     ● Scan slowly (avoid abuse reports)
     ● Index time
     ● Passive "mapper" (simple sniffer + browser fingerprinting at the moment)
     ● Larger range of ports (include the port numbers that are actively being scanned, taken from firewall log analysis, honeypot machines, etc.)
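The enrichment, indexing and exposure query behind slides 12, 22 and 24, as an added example; none of it is the project's SOLR schema or agent code. A plain list of dicts stands in for the SOLR store, the routing table, firewall-drop log lines and banner-grab results are constructed, the port list is widened with whatever the firewall logs show being scanned, and the OpenSSH version string in the query is only an illustrative banner pattern an analyst might search for, not a claim about any vulnerability. Hits are grouped per origin ASN, which is the unit at which a CERT notifies network owners.

```python
"""Index banner-scan results with ASN/country and query national exposure.

Added example, not the project's SOLR schema or agent code. A list of dicts
stands in for the SOLR store; ROUTES, FW_LOG and SCAN_RESULTS are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed routing table: (prefix, origin ASN, country); longest match wins.
ROUTES = [(ipaddress.ip_network(p), asn, cc) for p, asn, cc in (
    ("203.0.113.0/24", 64500, "TW"),
    ("198.51.100.0/24", 64501, "TW"),
    ("198.51.100.128/25", 64504, "TW"),   # customer AS announcing a more-specific
    ("192.0.2.0/24", 64502, "IN"),
)]


def lookup_route(ip):
    """Longest-prefix match against ROUTES: (asn, country) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, cc in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, cc)
    return (best[1], best[2]) if best else (None, None)


# Constructed firewall-drop log lines: which ports are being scanned right now?
FW_LOG = """\
DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=22
DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.6 PROTO=TCP DPT=22
DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP DPT=3389
DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=22
DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=8080
DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.7 PROTO=TCP DPT=3389
"""
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")


def ports_of_interest(log_text, base=(22, 80, 443), top=3):
    """Base port list extended with the top-N dropped ports, ranked by distinct sources."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            sources[int(m["dpt"])].add(m["src"])
    ranked = sorted(sources, key=lambda p: (-len(sources[p]), p))
    return sorted(set(base) | set(ranked[:top]))


# Constructed banner-grab output from the scanning agents: (ip, port, banner).
SCAN_RESULTS = [
    ("203.0.113.5", 22, "SSH-2.0-OpenSSH_5.3"),
    ("203.0.113.9", 22, "SSH-2.0-OpenSSH_6.0p1 Debian-4"),
    ("198.51.100.130", 22, "SSH-2.0-OpenSSH_5.3"),
    ("198.51.100.20", 80, "Server: Apache/2.2.3 (CentOS)"),
    ("192.0.2.40", 22, "SSH-2.0-OpenSSH_5.3"),
    ("192.0.2.41", 3389, ""),
]


def index_results(results):
    """Build the store documents: each banner enriched with ASN and country."""
    docs = []
    for ip, port, banner in results:
        asn, cc = lookup_route(ip)
        docs.append({"ip": ip, "port": port, "banner": banner, "asn": asn, "country": cc})
    return docs


def exposure(docs, country, port, banner_pattern):
    """Hosts in one country exposing a service whose banner matches the analyst's pattern."""
    pat = re.compile(banner_pattern)
    return [d for d in docs
            if d["country"] == country and d["port"] == port and pat.search(d["banner"])]


def notification_batches(hits):
    """Group affected hosts per origin ASN: one notification per network owner."""
    batches = defaultdict(list)
    for d in hits:
        batches[d["asn"]].append(d["ip"])
    return dict(batches)


if __name__ == "__main__":
    print("ports to scan:", ports_of_interest(FW_LOG))
    docs = index_results(SCAN_RESULTS)
    # Illustrative query: TW hosts whose SSH banner reports an OpenSSH 5.x build.
    hits = exposure(docs, "TW", 22, r"OpenSSH_5\.")
    print("exposed:", [(h["ip"], h["asn"]) for h in hits])
    print("notify:", notification_batches(hits))
```

The longest-prefix match matters for the notification step: 198.51.100.130 sits inside AS64501's /24 but is announced by the customer AS64504's /25, so the notice goes to the customer, not the upstream. Ranking scanned ports by distinct sources rather than raw hit count keeps one noisy scanner from dominating the port list.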
  25. Sample search
  26. A word on spatial search: http://www.mhaller.de/archives/156-Spatial-search-with-Lucene.html
  27. Seeding for targets: random?
     ● ASN/whois data to mine targets seems like a good start (xkcd again :p)
  28. Some stats from VM farms (charts: call-back source by country; browser vulnerability distribution, as detected)
  29. Unanswered questions
     ● Threat detection results are very specific to the VM farm environment
     ● Realistic survey of client machines: need passive agents at large ISPs
     ● Honeypot usability questionable
     ● .. throw yours :)
  30. HoneyNet
     ● Let's see the videos
     ● We get hits like that every day :p
  31. Cat and mouse game
     ● Of course all of this is easy to evade once you know the method. But security is always a cat-and-mouse game ;-)
  32. Demo time
     ● Let's look at some videos :)
  33. Conclusions
     Contact us: benson.wu@gmail.com fygrave@gmail.com
