A new generation of Indonesia cyber security threats Intelligence

1. IDSECCONF 2016
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Mario Marcello, Mkom, BEng
24 Sep 2016 | UIN Maulana Malik Ibrahim | Malang, Indonesia
Sistem Pemantauan Ancaman
Serangan Siber di Indonesia
Generasi Baru

2. Agenda
• About Honeynet
• Indonesia Honeynet Project
• The Threat Intelligence
• The New Generation Threat Intelligence
• Research & Publications
• Statistics
• Conclusion

3. Introduction to Honeynet

4. About Honeynet
• Volunteer open source computer security
research organization since 1999 (US 501c3
non-profit)
• Mission: ¨learn the tools, tactics and motives
involved in computer and network attacks,
and share the lessons learned¨ -
http://www.honeynet.org

5. About Indonesia Honeynet Project
• Mycert introduces honeypot in OIC-CERT in
2009
• Explore honeypot in 2010, due to students’
interest in learning data mining on:
– Cyber terrorism
– Malware behavior
• Cecil (Singapore Chapter lead) introduced us
to Honeynet global

6. About Indonesia Honeynet Project
• 15 passionate security
professionals, academicians
and government officials
met signed a petition in 25
November 2011
• Indonesia Chapter officially
recognized 9 January 2012
• Current members: 178 (25
active members)

7. About Indonesia Honeynet Project

8. About Indonesia Honeynet Project
• Attended Honeynet Workshop 2012
• With support from KOMINFO, we conducted
yearly seminar and workshops
– Focus on Security Awareness and Security Research
• Honeynet communities: Jakarta, Semarang,
Surabaya, Yogya, Denpasar, Palembang,
Lampung
• Research Topics: Incident handling,
Vulnerability Analysis, Malware, Digital
Forensics, Penetration Testing, Threats
Intelligence

9. About Indonesia Honeynet Project
Honeynet Seminar & Workshop | 10-11 Juni 2015 | Lampung, Indonesia

10. About Indonesia Honeynet Project
Incident Response & Analysis Challenge | 24 Aug 2015 | Jakarta, Indonesia

11. Honeypots Research & Deployment
2009 2011 2013 2015
Learning
Period
Early
Period
Growing
Period
Expanding
Period
Honeypot:
Nepenthes
Honeypot:
Nepenthes, Dionaea
Honeypot:
Dionaea
Honeypot:
Dionaea, Kippo,
Glastopf, Honeytrap
Learning How to
install and configure
Deployed 1st
Honeypot in SGU
Target: Academic,
Government, ISP
Coverage: Java, Bali,
Sumatera,
# Honeypots
deployed: None
# Honeypots
deployed: 1
# Honeypots
deployed: 5
# Honeypots
deployed: 20
Hardware: Client Hardware: Simple
Client and Server
Hardware: Mini PC
and Server
Hardware:
Raspberry Pi and
Dedicated servers

12. List of contributors
• Amien H.R.
• Randy Anthony
• Michael
• Stewart
• Glenn
• Mario Marcello
• Joshua Tommy
• Andrew Japar
• Christiandi
• Kevin Kurniawan

13. The Threat Intelligence

14. What is Darknets?
Darknet – portion of routed, allocated IP
space in which no active servers reside.
— Team CYMRU

15. What is Darknets?
Livenet Darknet
Live IP Address (used) Unused IPs

16. Darknets and Honeypots
Goal
• To understand cyber activities in our
institutions in Indonesia (Government,
Education and Industry)
How
• Honeypot servers put in the unused IP address
across the above organizations

17. First Step – Distributing Sensors
Mini PC Raspberry Pi

18. First Step – Collecting sensors’ data
Repository Server
Raspberry Pi
Raspberry Pi
Raspberry Pi

19. Second Step – Analysis
Repository
Server
Analysis
Server
Raspberry Pi
Raspberry Pi
Raspberry Pi

20. Third Step – User Experience
Repository
Server
Analysis
Server
Web
Server
USERSRaspberry Pi
Raspberry Pi
Raspberry Pi

21. Honeypots Implemented
• Dionaea – capturing attack patterns and
malware involved via port 21, 42, 69, 80, 135,
445, 1433, 3306 dan 5060 & 5061
• Glastopf – capturing attack pattern on web
application attacked
• Kippo – capturing traffic pattern on SSH port
• Honeytrap – capturing other misc. ports not
captured above

22. Why not IDS? Why Honeypots?
IDS
HONEYPOT
A
T
T
A
C
K
S
Detection based
on
KNOWN ATTACK
rules
Record ALL attacks
directed toward
the monitored IP
add
UNKNOWN
ATTACK

23. Current Architecture
Repository
Server
Analysis
Server
Web Server
+ Web Service
USERS
Pots
Pots
Pots

24. The New Generation
Threat Intelligence

25. New Data Source
Repository
Server
Analysis
Server
USERS
System
Logs
DNS
Traffic Log
Pots
Web Server
+ Web Service

26. MALWARE ANALYSIS
ENGINE
New Analysis Engine
Static Dynamic
Risk
Scoring
Reverse Engineer
Malware code
To find “hidden”
code
Run Malware
In a sandbox; dump
malware code
Provide Risk Score
based on the static
& behavior analysis

27. DNS TRAFFIC
ANALYSIS
DNS Analysis Target
Domain
Botnet
Anomaly
Extract Malicious Domain
from the DNS traffic
captured
Identifying Botnet from
Domain names Botnet
visited
Identify anomaly traffic
from DNS traffic

28. Architecture DNS Traffic Analysis

29. Attack Connection Analysis
ATTACK
CONNECTION
ANALYSIS
Domain/IP
Analysis
Traffic Pattern
Analysis
Produce
Malicious Domain List
(Publicly usable)
New Knowledge on
Attack pattern

30. New Generation Capabilities
• Dynamic Analysis (with Static Analysis) using
Binary Instrumentation to obtain critical
malware hidden code
• Risk Scoring on malware captured
• Malware Domain List based on DNS traffic and
Attack Traffic to Honeypots
• Traffic Attack Pattern knowledge

31. Some Statistics

32. Our Contribution

33. Our Contribution
Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked

34. Our Contribution
Attacker Statistics: Attacker IP, Malware, Targeted Ports, Provinces attacked

35. Our Statistics

36. Our Statistics

37. Our Statistics (malware found)

38. Our Statistics

39. Our Statistics

40. Our Statistics

41. Our Statistics (other malware)
2013 2014
Virus naming by AhnLab-V3 (Virustotal)

42. Our Statistics (other malware)
2015 2016
Virus naming by AhnLab-V3 (Virustotal)

43. More Statistics

44. More Statistics

45. More Statistics

46. More Statistics

47. More Statistics

48. More Statistics (who are they?)

49. More Statistics (who are they?)

50. More Statistics (who are they?)

51. More Statistics (who are they?)

52. Research & Publications

53. Our Research & Publications
Malware | Data Mining | Behavior Analysis | Cyber Terrorism

54. Other Research
Second Hand USB Forensics and Publications

55. Mapping Research Roadmap
Deception Technology | Malware | Data Mining | Cyber Crime
Deception
Technology
Malware
Data Mining Cyber Crime
Tools

56. Join Us
• http://www.ihpcon.id
• Indonesia Honeynet Project
• idhoneynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet

57. Related Publications
• Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study
of Behavior Analysis Sandboxes in Malware Detection, The 3rd
International Conference on New Media 2015, Jakarta, Indonesia, 2015
• Charles Lim, Nicsen, Mal-EVE Static Detection Model for Evasive
Malware, 10th EAI International Conference on Communications and
Networking in China, Shanghai, China, 2015
• Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli,
Experiences in Instrumented Binary Analysis for Malware, The 3rd
International Conference on Internet Services Technology and
Information Engineering 2015 (ISTIE 2015), Bali, 2015
• Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB
Flash Drives in Educational Environment, The 8th International
Conference on Information & Communication Technology and Systems,
Surabaya, 2014
• Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for
Fast and Efficient Malware Detection, 2014 2nd International
Conference on Technology, Informatics, Management, Engineering &
Environment, Bandung, 2014.

58. Call for Research Collaboration
• Research Champion for each university
• Research collaboration across different
universities to foster rapid research growth
in Cyber security
• Generate more research publications ==>
easier to get funding for research as well

59. Our Partners

60. THANK YOU
Ministry of Communication and Informatics of
Republic of Indonesia