design of indonesia malware attack monitoring center - charles lim
TRANSCRIPT
Design of Indonesia Malware Attack Monitoring Center
7th May 2012
Indonesia Security Conference 2012, Makassar, Indonesia
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Indonesia Honeynet Project Chapter Lead
AGENDA
- Problem Statement
- Honeynet – capturing autonomous spreading malware
- Distributed Honeynet Sensors
- System Architecture
- National Monitoring Center
- Conclusion and Recommendation
Problem Statement
- IDSIRTII has experimented with honeypots using nepenthes and dionaea
- Swiss German University, independently, has also experimented with honeypots using nepenthes and dionaea for at least 2 years
- No existing grand design to place sensors around Indonesia and monitor actual malware attacks around Indonesia
Honeynet
- A honeynet is a collection of honeypots
- “Is a decoy that is used to lure malware or an attacker (hacker).”
- “It is a computer that has no production value, so if it is compromised or destroyed it should not affect the activities of the companies.”
Honeypot Based on Interaction
Two kinds of honeypot:
- Low Interaction Honeypot
- High Interaction Honeypot
Low Interaction Honeypot
- Does not implement actual services
- Disguised as a real system
- Good for finding known attacks and expected behavior
- Usually automated
- Lower cost needed
- Example: Nepenthes, Amun, Dionaea
High Interaction Honeypot
- It is a “real” system, usually with a different configuration than the real system
- Riskier than Low-Interaction due to the “Allow all” configuration
- Difficult to maintain and manually configure
- Higher cost needed
- Example: Physical HIH, Virtual HIH
Table of Comparison

                        Low-interaction       High-interaction
Degree of interaction   Low                   High
Real operating system   No                    Yes
Risk                    Low                   High
Knowledge gain          Connection/Request    Everything
Can be conquered        No                    Yes
Maintenance time        Low                   High
SGU Honeynet Project

SGU Honeynet Report
Distributed Honeynet Sensors
Indonesia Honeynet Malware Repository
System Architecture
In Progress
National Monitoring Center
- Design for National Monitoring Center for Malware Attack proposal is work in progress
- KEMKOMINFO has committed to the work and the first pilot will involve about 10 nodes within this year in different cities in Indonesia
National Conference
- 1st Academy CERT on Malware Research: http://www.sgu.ac.id/academy-cert-meeting
- 2nd Academy CSIRT on Malware Lab Setup: http://www.slideshare.net/charles.lim/workshop-on-setting-up-malware-lab
- 3rd Academy CSIRT on Malware Reporting, to be held on 30th May to 2nd June 2012: http://csirt.itmaranatha.org/event/201205/
International Conference
- SecureAsia 2011, Jakarta, Indonesia: http://www.informationsecurityasia.com/2011/conference/agenda.html
- FIRST 2012 Conference, Bali, Indonesia: http://event.idsirtii.or.id/wp-content/uploads/2011/10/FIRST-TC-PROGRAMS-LATEST-UPDATE1.pdf
Thank You
Questions