Cybersecurity Malaysia Honeynet Project
Report

Jan - June 2008

1.0 DEPLOYMENTS

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

Lebahnet currently has the following components:

  • Roo and Nfsen for collecting traffic in and out of the honeynet
  • Sguil for managing the IDS alerts
  • VMware running different instances of Operating Systems
  • Multiple deployments of Nepenthes and Amun for collecting malware; at least 3 Nepenthes sensors are submitting to the mwcollect alliance and the usual sandboxes (Norman, Anubis, Sunbelt)
  • Honeyd
  • HIHAT for observing attack trends to web applications


2.0 FINDINGS

2.1 Highlight any unique findings, attacks, tools, or methods.

  • Malware collection from Nepenthes continued to grow from January to August 2008; the total number of unique binaries acquired via our Nepenthes sensors was more than 15,000. Most of the Nepenthes sensors are configured to submit the binaries to Norman Sandbox, Anubis, Sunbelt and a few other partners. We are particularly interested in samples that are unique to .MY
  • We treat attempts against our honeypots as incidents and report them to the respective CERTs, ISPs and relevant parties via MyCERT


2.2 Any trends seen in the past six months?

The relevant trends targeting our Nepenthes sensors are available here:


3.0 LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can replicate your success?
Certain tools are not suitable for distributed deployment even after tweaking. We basically learned that getting software to work in a large, distributed manner requires a lot of patience and, of course, time.
Hanging out and asking questions in the right IRC channel on Freenode certainly helps.

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
None at this point.

3.3 Are there any research ideas you would like to see developed?

None at this point

4.0 TECHNOLOGY

4.1 What tools or functionality are we lacking, what do we need to work on?
Roo might be more useful if it could be deployed in a distributed architecture out of the box.
However, we managed to ask around for custom scripts.

4.2 What new tools or technology are you working on?
Nothing specific; we are currently hacking together solutions for processing the gathered data so that it can be used or presented better.

4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?


5.0 PAPERS AND PRESENTATIONS

5.1 Are you working on any papers to be published, such as KYE or academic papers?
None at the moment

5.2 Are you looking for any data or people to help with your papers?
No.

5.3 Where did you publish/present honeypot-related material?

  • We shared some information on this project at the FIRST NM-SIG meeting at GovCERT.NL last year (2007)
  • We conducted hands-on training/workshops on some of the tools we use, such as Nepenthes (FIRST-TC in Doha, 2007), Honeywall (FIRST-TC KL in 2007) and Sguil at the FIRST Technical Colloquium in Tokyo (2008) and the Asia Pacific CERT Conference in Hong Kong (2008)

6.0 ORGANIZATIONAL

6.1 Changes in the structure of your organization.
None

6.2 Your feedback on Alliance activities.

6.3 Any suggestions for improving the Alliance?


7.0 GOALS

7.1 Which of your goals did you meet for the last six months?
Honeynet infrastructure expanded according to our plan for the first 6 months.


7.2 Which of your goals did you not meet for the last six months?
None

7.3 Goals for the next six months

  • Replacing stand-alone Nepenthes deployments with SURF-IDS
  • Starting work on reporting and visualization of the honeynet data
  • More automation in the visualization of the data acquired and integration with our incident management tools

8.0 MISC ACTIVITIES

8.1 Anything else not covered you would like to share.
None
