OWASP InfoSec India Conference 2012
August 24th – 25th, 2012
Hotel Crowne Plaza, Gurgaon
The OWASP Foundation
http://www.owasp.org
http://www.owasp.in

Real-Time Evaluation of National Network Exposure to Emerging Threats

Fyodor Yarochkin
Academia Sinica
P1Sec
fy@iis.sinica.edu.tw

    OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
Yarochkin Fyodor?

●   10+ years infosec & dev experience
●   PhD Candidate (NTU & Academia Sinica)
●   Open source enthusiast
●   http://www.o0o.nu
●   Research interests: intrusion detection, correlation, vulnerability research

Also...

This research is part of
●   The Cloud Security Intelligence Project
and numerous open source projects...

Introduction

Infosec community vs. …
●   Graphics http://recipeforlowhangingfruit.com/

[Figure: "Research" vs. "crime"]
What makes these things interesting:

●   Globalization of the crime scene (local laws don't matter)
●   Volumes of micro-transactions → stealing $1 USD from 1,000,000 victims still makes $1,000,000 USD, and also makes AML measures useless
●   There are other means of taking control over wealth than stealing cash..

Variations of a “wallet”
Getting the global picture

●   Collect and analyze massive amounts of data
●   Be able to catch the 'lowest hanging fruits'

Challenges

●   Getting the raw data is non-trivial (and requires some social engineering ;-))
●   The amount of data is massive: not suitable for single-machine processing, and often not even suitable for storing in its original form, due to volume

HoneyNet/SCIC
“Know yer Internet” project

Disclaimer

●   This is research in progress
●   Semi-public access possible, talk to me
●   Contributions highly anticipated
●   None of the individual ideas is that novel (portscanning and banner grabbing is very 1997 ;-)) but hopefully the fusion of concepts is interesting

Motivation

●   Answer questions like:
    –   “What is the risk of Taiwan networks being owned, now?”
    –   New worm outbreak: identify potential victims and enforce patching through automated notification
    –   Identify regional threats, i.e. what are the most exploited vulnerabilities in Taiwan networks
    –   Cooperation with CERT, etc etc..

Motivation

●   Real-time understanding of exposure levels at large scale
●   Threats to “mom and pop” machines as “low-hanging fruit”
●   Making use of data from honeypots to evaluate the level of exposure, emerging threats etc etc..
●   Have some fun responding to abuse emails ;-)

Understanding the threat

●   Server honeypots (mainly Python scripts simulating services)
●   Client-side honeypots (VM farms)
●   Static analysis (crawling, pattern mining etc)

“Low hanging fruit” simulation

●   Have VM farms running.
●   Have server honeypots (with some Romanian kids bruteforcing SSH passwords all the time ;))
●   Crawl networks at large (Alexa top 1,000,000, but not only)
●   Exploit detection via payload/behavior analysis
●   Additional enhancements to detect variations (user behavior simulation, hopping through VPN endpoints to detect local threats etc)

Not really a full-fledged Cuckoobox

●   Focus on detecting exploitation
●   Lightweight version of a browser
●   Heavily bundled with static analysis tools

VM farm capacity

●   We can do on average 10-20 secs per URL render per VM. Average 10-15 VMs/machine.
●   Off-load the VM farm by doing lots of pattern matching first (use the VM as a last resort)

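The capacity figures above turned into a scheduling rule, as an added example (not the talk's or the project's code): the daily URL budget of a VM farm, and a static pre-filter that settles pages matching known patterns without a VM and spends the budget on the highest-scoring remaining pages. The signatures, heuristics, weights and sample pages are constructed placeholders.

```python
"""Static pre-filter in front of the VM farm.

Added example, not code from the talk or the SCIC project: it turns the
capacity figures on the slide (10-20 s per URL render per VM, 10-15 VMs per
machine) into a daily URL budget and spends that budget only on pages the
cheap static pass cannot settle. Pages, signatures and thresholds below are
constructed sample data, not the project's real rules.
"""
import re

# Constructed "known" signatures: a page matching one is recorded as a static
# hit and never costs VM time. A real deployment would load these from the
# pattern-mining stage; these two are placeholders.
KNOWN_BAD = [
    re.compile(r"<iframe[^>]+width=['\"]?0['\"]?", re.I),   # zero-size iframe
    re.compile(r"example-sinkhole\.invalid/"),              # constructed callback host
]

# Cheap heuristics that raise suspicion but are not conclusive on their own.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*unescape\s*\("), 3),          # packed/obfuscated script
    (re.compile(r"String\.fromCharCode\s*\("), 2),
    (re.compile(r"document\.write\s*\(\s*['\"]<scr", re.I), 2),
    (re.compile(r"<script[^>]+src=['\"]https?://[^'\"]+['\"]", re.I), 1),  # remote include
]

def daily_vm_budget(vms_per_machine, secs_per_url, machines=1, seconds=86400):
    """URLs the farm can render per day at the slide's average cost per URL."""
    return machines * vms_per_machine * (seconds // secs_per_url)

def static_score(html):
    """Sum of heuristic weights; KNOWN_BAD is handled separately in triage()."""
    return sum(w for rx, w in SUSPICIOUS if rx.search(html))

def triage(pages, budget, threshold=3):
    """Route each (url, html) to 'static-hit', 'vm' or 'skip'.

    Pages matching a KNOWN_BAD signature are settled without a VM. Remaining
    pages scoring >= threshold go to VMs, highest score first, until the budget
    is spent; the rest are skipped (a real scheduler would re-queue them).
    """
    static_hits, candidates, skipped = [], [], []
    for url, html in pages:
        if any(rx.search(html) for rx in KNOWN_BAD):
            static_hits.append(url)
            continue
        score = static_score(html)
        if score >= threshold:
            candidates.append((score, url))
        else:
            skipped.append(url)
    candidates.sort(key=lambda c: (-c[0], c[1]))
    to_vm = [url for _, url in candidates[:budget]]
    skipped.extend(url for _, url in candidates[budget:])
    return {"static-hit": static_hits, "vm": to_vm, "skip": skipped}

# Constructed sample crawl results: ordinary pages plus a few suspicious ones.
PAGES = [
    ("http://a.example/", "<html><body><h1>Hello</h1></body></html>"),
    ("http://b.example/", "<script>eval(unescape('%66%6f%6f'))</script>"),
    ("http://c.example/", "<iframe src='http://x.example/' width=0 height=0></iframe>"),
    ("http://d.example/", "<script src='http://cdn.example/lib.js'></script>"),
    ("http://e.example/", "<script>document.write('<scr'+'ipt src=\"http://y.example/z.js\">');String.fromCharCode(1)</script>"),
]

if __name__ == "__main__":
    budget = daily_vm_budget(vms_per_machine=12, secs_per_url=15)  # one machine, mid-range figures
    print("daily VM budget:", budget)
    print(triage(PAGES, budget=1))  # tiny budget to show the cut-off
```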
So..

●   We have some data on what's going on in the net. How do we map this to the network infrastructure we're trying to protect (at organization or country level)...
●   Or maybe see what “*unnamed-country*” is up to :)

Inspirations

●   LHKF → “Low Hanging Kiwi Fruit” talk/after-talk by Adam “MetlStorm” → geo-targeted net recon
●   Shodan-HQ – internet-wide scanning on 4 ports
●   Some academic papers

Scanning whole internet.. rly?

Take home notes

●   Targets seeded from BGP routes.
●   On average it takes a day to complete an Internet-wide scan on a single protocol
●   Potentially generates a large number of abuse reports

Architecture

●   Network port discovery (agents)
●   Banner collection (agents)
●   Backend store: SOLR
●   Collectibles: services and ports, OS fingerprints, ASN/owner/netblock/country, geographical location
●   Risk evaluation → honeypots (VMs, service simulation)

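An added example (not the talk's or the project's code) of the risk-evaluation step over the collectibles listed above: the agents' records modelled as dicts rather than SOLR documents, a banner parser, and the per-country/per-ASN exposure report plus the abuse-contact notification list that the Motivation slide asks for. All records, ASNs, owners, contacts and the "fixed in 5.4" threshold are constructed.

```python
"""Exposure evaluation over collected banner records.

Added example, not code from the talk or from the HoneyNet/SCIC project. It
models the "collectibles" the Architecture slide lists (service, port,
banner, OS fingerprint, ASN/owner/netblock/country) as plain dicts instead
of SOLR documents and answers the Motivation slide's questions offline:
"which hosts in country X run a version a new worm targets, and whom do we
notify". Every record, ASN, owner and contact below is constructed sample
data; the version threshold is a hypothetical advisory, not a real CVE.
"""
import re
from collections import defaultdict

# Constructed sample of what the agents collect: one document per (ip, port).
RECORDS = [
    {"ip": "203.0.113.10", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_5.3",
     "os": "Linux 2.6", "asn": 64500, "owner": "Example-ISP-A", "netblock": "203.0.113.0/24",
     "country": "TW", "abuse": "abuse@example-isp-a.invalid"},
    {"ip": "203.0.113.25", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_6.2",
     "os": "Linux 3.2", "asn": 64500, "owner": "Example-ISP-A", "netblock": "203.0.113.0/24",
     "country": "TW", "abuse": "abuse@example-isp-a.invalid"},
    {"ip": "198.51.100.7", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_4.7",
     "os": "Linux 2.6", "asn": 64501, "owner": "Example-Univ-B", "netblock": "198.51.100.0/24",
     "country": "TW", "abuse": "abuse@example-univ-b.invalid"},
    {"ip": "198.51.100.7", "port": 80, "service": "http", "banner": "Apache/2.2.14 (Ubuntu)",
     "os": "Linux 2.6", "asn": 64501, "owner": "Example-Univ-B", "netblock": "198.51.100.0/24",
     "country": "TW", "abuse": "abuse@example-univ-b.invalid"},
    {"ip": "192.0.2.40", "port": 22, "service": "ssh", "banner": "SSH-2.0-dropbear_0.52",
     "os": "Linux 2.6", "asn": 64502, "owner": "Example-Hosting-C", "netblock": "192.0.2.0/24",
     "country": "JP", "abuse": "abuse@example-hosting-c.invalid"},
    {"ip": "192.0.2.41", "port": 22, "service": "ssh", "banner": "SSH-2.0-OpenSSH_5.3",
     "os": "Linux 2.6", "asn": 64502, "owner": "Example-Hosting-C", "netblock": "192.0.2.0/24",
     "country": "JP", "abuse": "abuse@example-hosting-c.invalid"},
]

# "<product><sep><version>" as seen in SSH, HTTP Server and FTP greeting banners.
_BANNER_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[/_ ]v?(\d+(?:\.\d+)*)")

def parse_banner(banner):
    """Return (product lower-cased, version tuple), or (None, ()) if no version is advertised."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None, ()
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))

def is_exposed(record, product, fixed_in):
    """True if the banner advertises `product` older than the version that fixes the bug.
    A banner is a claim, not proof (distro backports keep old version strings), so the
    result is a notification candidate, not a confirmed vulnerability."""
    prod, ver = parse_banner(record["banner"])
    return prod == product.lower() and bool(ver) and ver < tuple(fixed_in)

def exposure_by_country(records, product, fixed_in, country):
    """Per-ASN and country-wide exposed/observed host counts (hosts deduplicated by IP)."""
    per_asn = defaultdict(lambda: {"owner": "", "hosts": set(), "exposed": set()})
    for r in records:
        if r["country"] != country:
            continue
        a = per_asn[r["asn"]]
        a["owner"] = r["owner"]
        a["hosts"].add(r["ip"])
        if is_exposed(r, product, fixed_in):
            a["exposed"].add(r["ip"])
    hosts = sum(len(a["hosts"]) for a in per_asn.values())
    exposed = sum(len(a["exposed"]) for a in per_asn.values())
    return {
        "country": country, "hosts": hosts, "exposed": exposed,
        "ratio": exposed / hosts if hosts else 0.0,
        "per_asn": {asn: {"owner": a["owner"], "hosts": len(a["hosts"]),
                          "exposed": sorted(a["exposed"])} for asn, a in per_asn.items()},
    }

def notifications(records, product, fixed_in):
    """Group exposed (ip, port, banner) per abuse contact: the automated-notification list."""
    out = defaultdict(list)
    for r in records:
        if is_exposed(r, product, fixed_in):
            out[r["abuse"]].append((r["ip"], r["port"], r["banner"]))
    return {contact: sorted(hits) for contact, hits in out.items()}

if __name__ == "__main__":
    # Hypothetical advisory: OpenSSH releases before 5.4 affected (constructed threshold).
    report = exposure_by_country(RECORDS, "OpenSSH", (5, 4), "TW")
    print(f"TW: {report['exposed']}/{report['hosts']} hosts exposed ({report['ratio']:.0%})")
    for contact, hits in notifications(RECORDS, "OpenSSH", (5, 4)).items():
        print(contact, hits)
```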
Architecture (2)

●   Roughly something like that

Approach

●   Scan slow (avoid abuse reports)
●   Index time
●   Passive “mapper” (simple sniffer + browser fingerprinting at the moment)
●   Larger range of ports (account for port numbers which are actively being scanned, taken from firewall log analysis, honeypot machines etc)

Sample search

A word on spatial search

http://www.mhaller.de/archives/156-Spatial-search-with-Lucene.html

Seeding for targets: random?

●   ASN/whois data to mine targets seems like a good start

(xkcd.net again :p)

Some stats from VM farms

[Charts: Call-back source (by country); Browser vuln distribution (as detected)]

Unanswered questions

●   Threat detection results are very specific to the VM farm environment
●   Realistic survey of client machines – need passive agents at large ISPs
●   Honeypot usability questionable
●   .. throw yours :)

HoneyNet

●   Let's see the videoz
●   We get hits like that every day :p

Cat and mouse game

●   Of course all of this is easy to evade once you know the method. But security is always a 'cat-n-mouse' game ;-)

Demo time

●   Let's look at some videos :)

Conclusions

contact us:
benson.wu@gmail.com
fygrave@gmail.com