New Generation Cyber Attack Threat Monitoring System in Indonesia
1. IDSECCONF 2016
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Mario Marcello, Mkom, BEng
24 Sep 2016 | UIN Maulana Malik Ibrahim | Malang, Indonesia
New Generation Cyber Attack
Threat Monitoring System
in Indonesia
2. Agenda
• About Honeynet
• Indonesia Honeynet Project
• The Threat Intelligence
• The New Generation Threat Intelligence
• Research & Publications
• Statistics
• Conclusion
4. About Honeynet
• Volunteer open source computer security
research organization since 1999 (US 501c3
non-profit)
• Mission: "learn the tools, tactics and motives
involved in computer and network attacks,
and share the lessons learned" -
http://www.honeynet.org
5. About Indonesia Honeynet Project
• MyCERT introduced honeypots to OIC-CERT in
2009
• Explore honeypot in 2010, due to students’
interest in learning data mining on:
– Cyber terrorism
– Malware behavior
• Cecil (Singapore Chapter lead) introduced us
to Honeynet global
6. About Indonesia Honeynet Project
• 15 passionate security
professionals, academicians
and government officials
met and signed a petition on 25
November 2011
• Indonesia Chapter officially
recognized 9 January 2012
• Current members: 178 (25
active members)
8. About Indonesia Honeynet Project
• Attended Honeynet Workshop 2012
• With support from KOMINFO, we have conducted
yearly seminars and workshops
– Focus on Security Awareness and Security Research
• Honeynet communities: Jakarta, Semarang,
Surabaya, Yogya, Denpasar, Palembang,
Lampung
• Research Topics: Incident Handling,
Vulnerability Analysis, Malware, Digital
Forensics, Penetration Testing, Threat
Intelligence
9. About Indonesia Honeynet Project
Honeynet Seminar & Workshop | 10-11 June 2015 | Lampung, Indonesia
10. About Indonesia Honeynet Project
Incident Response & Analysis Challenge | 24 Aug 2015 | Jakarta, Indonesia
11. Honeypots Research & Deployment
2009 – Learning Period
• Honeypot: Nepenthes
• Learning how to install and configure
• # Honeypots deployed: None
• Hardware: Client
2011 – Early Period
• Honeypot: Nepenthes, Dionaea
• Deployed 1st Honeypot in SGU
• # Honeypots deployed: 1
• Hardware: Simple Client and Server
2013 – Growing Period
• Honeypot: Dionaea
• Target: Academic, Government, ISP
• # Honeypots deployed: 5
• Hardware: Mini PC and Server
2015 – Expanding Period
• Honeypot: Dionaea, Kippo, Glastopf, Honeytrap
• Coverage: Java, Bali, Sumatera
• # Honeypots deployed: 20
• Hardware: Raspberry Pi and Dedicated servers
12. List of contributors
• Amien H.R.
• Randy Anthony
• Michael
• Stewart
• Glenn
• Mario Marcello
• Joshua Tommy
• Andrew Japar
• Christiandi
• Kevin Kurniawan
16. Darknets and Honeypots
Goal
• To understand cyber activities in our
institutions in Indonesia (Government,
Education and Industry)
How
• Honeypot servers placed on unused IP addresses
across the above organizations
17. First Step – Distributing Sensors
Sensor hardware: Mini PC | Raspberry Pi
18. First Step – Collecting sensors’ data
Raspberry Pi sensors → Repository Server
19. Second Step – Analysis
Raspberry Pi sensors → Repository Server → Analysis Server
20. Third Step – User Experience
Raspberry Pi sensors → Repository Server → Analysis Server → Web Server → USERS
21. Honeypots Implemented
• Dionaea – capturing attack patterns and the
malware involved via ports 21, 42, 69, 80, 135,
445, 1433, 3306 and 5060 & 5061
• Glastopf – capturing attack patterns on the web
applications attacked
• Kippo – capturing traffic patterns on the SSH port
• Honeytrap – capturing other misc. ports not
captured above
22. Why not IDS? Why Honeypots?
ATTACKS → IDS: detection based on KNOWN ATTACK rules
ATTACKS → HONEYPOT: records ALL attacks directed toward the monitored IP, adding UNKNOWN ATTACKS
26. MALWARE ANALYSIS ENGINE
New Analysis Engine
• Static: reverse engineer the malware code to find "hidden" code
• Dynamic: run the malware in a sandbox; dump the malware code
• Risk Scoring: provide a risk score based on the static & behavior analysis
27. DNS TRAFFIC ANALYSIS
DNS Analysis Target
• Domain: extract malicious domains from the DNS traffic captured
• Botnet: identify botnets from the domain names the botnet visited
• Anomaly: identify anomalous traffic from the DNS traffic
30. New Generation Capabilities
• Dynamic Analysis (with Static Analysis) using
Binary Instrumentation to obtain critical
malware hidden code
• Risk Scoring on malware captured
• Malware Domain List based on DNS traffic and
Attack Traffic to Honeypots
• Traffic Attack Pattern knowledge
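As an added illustration of the DNS traffic analysis (slide 27) and the malware domain list capability (slide 30), the following Python is not code from the Indonesia Honeynet Project; it builds a candidate malware-domain list from DNS queries captured at honeypot sensors by flagging names queried from several independent sensors, high-entropy labels as a DNS anomaly, and names corroborated by honeypot attack traffic. Sensor names, domains, the allowlist and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS queries seen at honeypot sensors, as
# (sensor_id, queried_domain) pairs; sensor names and domains are made up.
SAMPLE_QUERIES = [
    ("rpi-jakarta", "update.example-cdn.net"),
    ("rpi-jakarta", "c2-panel.example.org"),
    ("rpi-bali", "c2-panel.example.org"),
    ("rpi-semarang", "c2-panel.example.org"),
    ("rpi-bali", "x7k2q9vz1p.example.com"),
    ("rpi-semarang", "update.example-cdn.net"),
    ("rpi-jakarta", "mail.example.net"),
]
# Constructed: domains that also appeared in attack traffic captured by the
# honeypots (e.g. a download location inside a captured payload).
SAMPLE_ATTACK_DOMAINS = {"c2-panel.example.org"}
# Constructed: known-good infrastructure to suppress; benign update hosts are
# queried from every sensor too, so prevalence alone is a weak signal.
SAMPLE_ALLOWLIST = {"update.example-cdn.net"}

def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost DNS label;
    random-looking labels typical of generated names score higher."""
    label = domain.split(".")[0]
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspect_domains(queries, attack_domains=frozenset(), allowlist=frozenset(),
                    min_sensors=2, entropy_threshold=3.2):
    """Map each suspicious domain to the list of reasons it was flagged."""
    sensors_per_domain = defaultdict(set)
    for sensor, domain in queries:
        sensors_per_domain[domain.lower().rstrip(".")].add(sensor)
    findings = {}
    for domain, sensors in sensors_per_domain.items():
        if domain in allowlist:
            continue
        reasons = []
        if len(sensors) >= min_sensors:  # same name across independent sensors
            reasons.append("queried from %d sensors" % len(sensors))
        if label_entropy(domain) > entropy_threshold:
            reasons.append("high-entropy label")
        if domain in attack_domains:  # corroborated by honeypot attack traffic
            reasons.append("seen in attack traffic")
        if reasons:
            findings[domain] = reasons
    return findings
```

Run `suspect_domains(SAMPLE_QUERIES, SAMPLE_ATTACK_DOMAINS, SAMPLE_ALLOWLIST)` to see the two constructed domains flagged with their reasons; the reasons are kept separate so an analyst can weight cross-sensor prevalence lower than corroboration from attack traffic.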
55. Mapping Research Roadmap
Deception Technology | Malware | Data Mining | Cyber Crime | Tools
56. Join Us
• http://www.ihpcon.id
• Indonesia Honeynet Project
• idhoneynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet
57. Related Publications
• Joshua Tommy Juwono, Charles Lim, Alva Erwin, A Comparative Study
of Behavior Analysis Sandboxes in Malware Detection, The 3rd
International Conference on New Media 2015, Jakarta, Indonesia, 2015
• Charles Lim, Nicsen, Mal-EVE Static Detection Model for Evasive
Malware, 10th EAI International Conference on Communications and
Networking in China, Shanghai, China, 2015
• Charles Lim, Darryl Y. Sulistyan, Suryadi, and Kalamullah Ramli,
Experiences in Instrumented Binary Analysis for Malware, The 3rd
International Conference on Internet Services Technology and
Information Engineering 2015 (ISTIE 2015), Bali, 2015
• Charles Lim, Meily, Nicsen, and Herry Ahmadi, Forensics Analysis of USB
Flash Drives in Educational Environment, The 8th International
Conference on Information & Communication Technology and Systems,
Surabaya, 2014
• Charles Lim, and Kalamullah Ramli, Mal-ONE: A Unified Framework for
Fast and Efficient Malware Detection, 2014 2nd International
Conference on Technology, Informatics, Management, Engineering &
Environment, Bandung, 2014.
58. Call for Research Collaboration
• Research Champion for each university
• Research collaboration across different
universities to foster rapid research growth
in Cyber security
• Generate more research publications ==>
easier to get funding for research as well