Monitoring indonesia darknets - Revealing the unseen security intrusion

Monitoring Indonesia Darknets –

Revealing the Unseen Security

Intrusion

CodeBali International Cyber Security Conference

Bali, 22 September 2015

Charles Lim

Speakers

• Charles Lim, Msc., ECSA, ECSP, ECIH,

CEH, CEI

• More than 20+ year in IT services industry

• IP networking, Software Automation,

• Led Indonesia Chapter (2012)

• Lecturer and Researcher at Swiss German

University (Information Security Group) –

http://people.sgu.ac.id/charleslim

Agenda

• Introduction to Honeynet

• Introduction to Honeynet - Indonesia

Chapter

• What is darknets?

• Honeypots

• Attack Statistics

• The New Dashboard

• Conclusion

Introduction to The Honeynet

Project

• Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)

• Mission: ¨learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned¨ -http://www.honeynet.org

Brief Introduction to The

Honeynet Project

Honeynet Workshop 2015 @ Stavanger

Indonesia Chapter

• 25 November 2011, about 15

people from academia, security

professionals and government

made the declaration during

our yearly malware workshop

at SGU (Swiss German

University)

• 19 January 2012 accepted as

part of Honeynet Chapter

• Members: 109 (today)

Indonesia Chapter

• Indonesia Honeynet Project

• Id_honeynet

• http://www.honeynet.or.id

• http://groups.google.com/group/id-honeynet

Indonesia Honeynet Project

Seminar & Workshop

Honeynet Workshop 10-11 Juni 2015, Lampung

How we start?

• Four students of SGU in 2010 wanted to explore how to use Data Mining to understand Cyber Security Threats:

• 2 students focusing on Malware Threats

• 2 students focusing on Cyber Terrorism

• 1 Student SGU focused on capturing malware using Honeypots (Nepenthes)

• We also invited Malware Expert, Pak Aat to share his experience

Honeypot Deployment History

2009 2011 2013 2015

Learning

Period

Early

Period

Growing

Period

Expanding

Period

Honeypot:

Nepenthes

Honeypot:

Nepenthes,

Dionaea

Honeypot:

Dionaea

Honeypot:

Dionaea, Kippo,

Glastopf,

Honeytrap

Learning How to

install and

configure

Deployed 1st

Honeypot in SGU

More Honeypots

deployed

Coverage: Java,

Bali, Sumatera,

# Honeypots

deployed: None

# Honeypots

deployed: 1

# Honeypots

deployed: 5

# Honeypots

deployed: 13

Hardware: Client Hardware: Simple

Client and Server

Hardware: Mini PC

and Server

Hardware:

Raspberry Pi and

Dedicated servers

List of contributors

• Amien H.R.

• Randy Anthony

• Michael

• Stewart

• Glenn

• Mario Marcello

• Joshua Tommy

• Andrew Japar

• Christiandi

• Kevin Kurniawan

What is Darknets?

Darknet – portion of routed, allocated IP

space in which no active servers reside.

— Team CYMRU

What is Darknets?

Livenet Darknet

Live IP Address (used) Unused IPs

Darknets and Honeypots

Goal

• To understand cyber activities in our institutions in Indonesia (Government, Education and Industry)

How

• Honeypot servers put in the unused IP address across the above organizations

Honeypots

Currently deployed

• Dionaea

• Kippo

• Glastopf

• Honeytrap

Future

• SPAMpots

Previous Works

• Nano PC with Atom processors

• Pull Protocol

Today

• Raspberry PI

• ARM processor

• RAM 512 MB, 8 GB SD Card

• Push Protocol

Near Future

• 1 U Rack Case

• 5 Raspberry PI

• 5 different honeypots: dionaea, glastopf, kippo, etc.

Monitoring Results

Monitoring Results

Monitoring Results

Monitoring Results

Monitoring Results

Monitoring Results (Ports Attacked)





Monitoring Results (Malware)








New Dashboard

Further Information

• The Honeynet Project

(http://www.honeynet.org)


(http://www.honeynet.or.id)

• Swiss German University

(http://www.sgu.ac.id)

• My Blog

(http://people.sgu.ac.id/charleslim)

Indonesia Chapter


• Id_honeynet

• http://www.honeynet.or.id

• http://groups.google.com/group/id-honeynet

Questions ???

Monitoring indonesia darknets - Revealing the unseen security intrusion

Internet