
The National Platform for Tracking Cyber Attacks: « SAHER »

By Hafidh EL Faleh (Hafidh.faleh@gmail.com)

NACS - 2012

Scope of the project

The NACS is a member of:

• Build a dashboard (alert level) of the national cyberspace.

• Provide a platform supporting incident handling, investigation and legal forensics.

• Develop solutions for tracking cyber attacks with distributed IDS (DIDS), honeypots and the deployment of many sensors.

• Monitor critical infrastructures and detect anomalies in their systems.

SAHER Objectives

• Monitor web sites to detect defacement attacks.

• Maintain a malware detection system (viruses, botnets, trojans) and coordinate the cleanup of the national cyberspace.

• Build an information database of attack types, disclosed vulnerabilities and blacklists.

SAHER Objectives

SAHER is a three-layer platform:

• Collection and detection layer

• Analysis and correlation layer

• Workflow layer

CEWS Architecture


Detection

• SAHER-WEB: routines whose purpose is to verify the integrity of web sites.

• SAHER-SRV: routines whose purpose is to verify the availability of web, mail and DNS servers.

• The IDS: Snort sensors, generally installed in web hosting facilities.

• The honeynets: several solutions of different types are available in the free-software world.
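The integrity routine SAHER-WEB describes, as an added example in Python (not code from the SAHER project): a baseline hash catches any change, a similarity ratio separates a small legitimate update from a page that was replaced, and a marker list flags the banner text defacers leave. Fetching the page is left to the caller so the check runs offline; the sample pages, the marker list and the 10 % drift threshold are constructed assumptions.

```python
"""Web-site integrity check of the kind SAHER-WEB performs.

Added example, not code from the SAHER project. It assumes the caller
already holds the stored baseline snapshot and a freshly fetched copy
of the page as text (the fetch is left out so the check runs offline);
the sample pages and the defacement marker list are constructed.
"""
import difflib
import hashlib
import re

# Phrases defacers typically leave behind; constructed list, extend from real cases.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced by", "your security is low")


def normalize(html):
    """Drop HTML comments and collapse whitespace so that a cosmetic
    re-rendering of the same page is not reported as a change."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"\s+", " ", html).strip().lower()


def fingerprint(html):
    """Hash of the normalized page; this is what the baseline stores."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def check_page(baseline_html, current_html, max_drift=0.10):
    """Compare a fresh snapshot with the baseline and return a verdict.

    'unchanged': normalized content identical (hash match).
    'drift':     less than max_drift of the text changed and no marker
                 appeared: dynamic content such as a news line, to be
                 re-baselined rather than alerted on.
    'defaced':   a defacement marker appeared, or more than max_drift of
                 the text changed.
    """
    if fingerprint(baseline_html) == fingerprint(current_html):
        return {"verdict": "unchanged", "changed_ratio": 0.0, "markers": []}
    base, cur = normalize(baseline_html), normalize(current_html)
    # autojunk=False: the heuristic that drops frequent characters would
    # distort the ratio on long pages full of angle brackets and spaces.
    similarity = difflib.SequenceMatcher(None, base, cur, autojunk=False).ratio()
    changed = 1.0 - similarity
    markers = [m for m in DEFACEMENT_MARKERS if m in cur and m not in base]
    verdict = "defaced" if markers or changed > max_drift else "drift"
    return {"verdict": verdict, "changed_ratio": round(changed, 3), "markers": markers}


# Constructed sample pages (not real monitored sites).
BASELINE = """<html><head><title>Ministry</title></head>
<body><h1>Welcome</h1>
<p>News of the day: budget vote.</p>
<!-- build 1 --></body></html>"""

# Same page, re-rendered with other indentation and a new build comment.
RERENDER = """<html><head><title>Ministry</title></head>
  <body><h1>Welcome</h1>
    <p>News of the day: budget vote.</p>
    <!-- build 2 -->
</body></html>"""

# Legitimate content update: only the news line changed.
DRIFT = BASELINE.replace("budget vote.", "budget debate.")

# Typical defacement: the whole page replaced by the attacker's banner.
DEFACED = "<html><body><h1>HaCkEd By UnKnOwN CrEw</h1><p>Your security is low</p></body></html>"

if __name__ == "__main__":
    for name, page in (("rerender", RERENDER), ("drift", DRIFT), ("defaced", DEFACED)):
        print(name, check_page(BASELINE, page))
```

The hash alone would raise an alert on every re-render and every news update, which is how such monitors end up ignored; the drift verdict is the practical middle ground, and sites with heavy dynamic content need a higher threshold or a normalizer that strips their dynamic blocks before hashing.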

Collection

We need to exchange security events and to collaborate in order to handle incidents:

• Incidents: phishing, web defacement, scan, intrusion, spam/scam, DoS/DDoS

• Malware: worm spread, botnet/C&C, honeynet detection

• Vulnerabilities: exploit, zero-day, product vulnerability

Internal workflow

ISAC: Information Sharing and Analysis Center

A CSIRT is a team that responds to computer security incidents by providing all the services necessary to solve the problem(s), or to support their resolution.

Workflow: coordination platform

(Diagram: sensors S1, S2 and S3 feed an IDS DB and a central DB; users, tunCERT and other CERTs exchange with the platform by mail, through an SMTP server, and by telephone.)

(Diagram: detection workflow with Snort at the ISP, watch (veille), incident handling and pentest; coordination by telephone and mail.)

Saher-Web: Detection

Saher-IDS: Statistics

Saher-Honeynet: Architecture and tools

2500 public IP addresses

Saher-Honeynet: Annual evolution of attacks

Saher-Honeynet website: online statistics, www.honeynet.tn

Saher-Honeynet website: « Dashboard », www.honeynet.tn/dashboard

Ideas For Projects

IP Reputation Database: Design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo, ...) and provides an up-to-date database to check the reputation of any IP address together with its historical logs.

Provide web access (web services) to this tool: automatically obtain the source IP address, return the information related to its reputation history, and send the necessary instructions for the cleanup process.
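A minimal form of the reputation database described above, as an added example in Python (not code from the SAHER project or from dionaea, glastopf or kippo). It assumes a small adapter per honeypot has already turned each log line into the normalized event dict shown in `ReputationDB.ingest`; the sample events, the scoring weights, the cleanup wording and the `handle_lookup` web-service entry point are all constructed for the example.

```python
"""IP reputation database fed by honeypot events.

Added example, not code from the SAHER project or from the honeypot
tools it names. It assumes a collector adapter per honeypot has already
normalized each log line into the event dict used below; the events,
weights and cleanup texts are constructed for the example.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Weight of each event type in the score; assumed values, tune per deployment.
EVENT_WEIGHTS = {"scan": 1, "ssh_bruteforce": 3, "web_attack": 5, "malware_upload": 10}

# Cleanup instructions sent back for the reported host (assumed wording).
CLEANUP_STEPS = {
    "scan": "Check the host for unauthorized scanning tools or a worm.",
    "ssh_bruteforce": "Look for a brute-force bot; rotate SSH credentials, enforce key-only auth.",
    "web_attack": "Inspect the host for a compromised web stack used to attack others.",
    "malware_upload": "Isolate the host: it is actively distributing malware.",
}


class ReputationDB:
    """In-memory store keyed by source IP; a deployment would put this
    behind a real database, which is the point of the project idea."""

    def __init__(self):
        self._events = defaultdict(list)

    def ingest(self, event):
        """Validate and store one normalized event:
        {"ts": ISO-8601 UTC, "sensor": str, "src_ip": str, "event": str}"""
        ip = str(ipaddress.ip_address(event["src_ip"]))  # ValueError on garbage
        if event["event"] not in EVENT_WEIGHTS:
            raise ValueError(f"unknown event type {event['event']!r}")
        self._events[ip].append(event)

    def reputation(self, ip):
        """Score plus the history behind it, so an analyst can verify the verdict."""
        ip = str(ipaddress.ip_address(ip))
        events = self._events.get(ip, [])
        counts = Counter(e["event"] for e in events)
        raw = sum(EVENT_WEIGHTS[t] * n for t, n in counts.items())
        sensors = sorted({e["sensor"] for e in events})
        # Seen by several independent sensors: stronger signal, capped at 100.
        score = min(100, raw + 5 * (len(sensors) - 1)) if events else 0
        return {
            "ip": ip,
            "known": bool(events),
            "score": score,
            "first_seen": min((e["ts"] for e in events), default=None),
            "last_seen": max((e["ts"] for e in events), default=None),
            "sensors": sensors,
            "events": dict(counts),
            "cleanup": [CLEANUP_STEPS[t] for t in sorted(counts)],
        }


def handle_lookup(db, remote_addr, query_ip=None):
    """Web-service entry point returning the JSON reply. Without an explicit
    query the caller's own address is looked up: the 'automatically obtain
    the source IP' case of the project idea."""
    return json.dumps(db.reputation(query_ip or remote_addr), sort_keys=True)


# Constructed sample events (not real honeypot logs); addresses are RFC 5737 ranges.
SAMPLE_EVENTS = [
    {"ts": "2012-05-01T10:00:00Z", "sensor": "kippo-01", "src_ip": "203.0.113.5", "event": "ssh_bruteforce"},
    {"ts": "2012-05-01T10:05:00Z", "sensor": "kippo-01", "src_ip": "203.0.113.5", "event": "ssh_bruteforce"},
    {"ts": "2012-05-02T08:30:00Z", "sensor": "dionaea-02", "src_ip": "203.0.113.5", "event": "malware_upload"},
    {"ts": "2012-05-02T09:00:00Z", "sensor": "glastopf-01", "src_ip": "198.51.100.7", "event": "scan"},
]


def build_sample_db():
    db = ReputationDB()
    for ev in SAMPLE_EVENTS:
        db.ingest(ev)
    return db


if __name__ == "__main__":
    print(handle_lookup(build_sample_db(), "203.0.113.5"))
```

The reply carries the per-sensor history and counts, not just the score: a blocklist consumer needs the number, but the ISP asked to clean a customer host needs the evidence, and the web service is where both are served.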

Ideas For GSoC 2012

Black-List Generator: Create an up-to-date list of malicious domains and hosts from the malware samples collected. Select a profile of equipment to generate ACLs for (firewall, IDS/IPS, proxy, ...). Design and specify the techniques for the black-list tool. Share the black-list online.

(Diagram: IDS sensors at ISP 1, ISP 2 and ISP 3 report to the platform, which (1) watches the logs, (2) extracts the list of malicious domains and (3) saves the passive DNS detections, then pushes updated D-IDS rules back to the sensors.)
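The "select a profile, generate the ACL" step of the black-list generator and the "update D-IDS rules" step of the workflow, as one added example in Python (not code from the SAHER project). The domain feed is constructed from reserved example names; the IDS profile emits Snort rules that match the name in DNS wire format, the proxy profile a Squid `dstdomain` file, and the `dns` profile Unbound `local-zone` sinkhole entries. The syntax of those three is real; the rule message text, the SID range starting at 1000001 and the profile names are assumptions. A packet-filter profile is left out on purpose: a firewall matches addresses, not names, so a domain list reaches it only after resolution, which is what the resolver sinkhole provides.

```python
"""Black-list generator: list of malicious domains -> device-specific ACLs.

Added example, not code from the SAHER project. The domain list is
constructed from reserved example names; the three output profiles use
real Snort, Squid and Unbound syntax, but the rule message text, the
SID range starting at 1000001 and the profile names are assumptions.
"""
import re

# One label per group, 1-63 chars, whole name at most 253 chars, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domains(raw):
    """Lowercase, strip trailing dots, drop duplicates and malformed entries.
    Returns (accepted, rejected): a bad line must be reported, not turned
    into a rule that never matches or that breaks the device configuration."""
    accepted, rejected = set(), []
    for entry in raw:
        d = entry.strip().lower().rstrip(".")
        if DOMAIN_RE.match(d):
            accepted.add(d)
        else:
            rejected.append(entry)
    return sorted(accepted), rejected


def dns_wire_name(domain):
    """Name as it appears in a DNS query, in Snort content syntax: each
    label preceded by its length byte, a zero byte at the end."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def snort_rules(domains, base_sid=1000001):
    """IDS/IPS profile: alert on a DNS query for a listed name. The encoded
    suffix also matches inside a longer name, so subdomains are covered."""
    return [
        "alert udp $HOME_NET any -> any 53 "
        f'(msg:"SAHER blacklist: DNS query for {d}"; '
        f'content:"{dns_wire_name(d)}"; nocase; '
        f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        for i, d in enumerate(domains)
    ]


def squid_dstdomain(domains):
    """Proxy profile: lines for a file referenced as
    acl blacklist dstdomain "/etc/squid/blacklist.txt"
    The leading dot makes an entry match the domain and all its subdomains."""
    return ["." + d for d in domains]


def unbound_local_zones(domains):
    """Resolver sinkhole profile: Unbound answers REFUSED for the listed zones."""
    return [f'local-zone: "{d}." refuse' for d in domains]


PROFILES = {"ids": snort_rules, "proxy": squid_dstdomain, "dns": unbound_local_zones}


def generate_acl(profile, raw_domains):
    """Entry point: pick the equipment profile and render the cleaned list."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}, expected one of {sorted(PROFILES)}")
    domains, rejected = normalize_domains(raw_domains)
    return {"profile": profile, "lines": PROFILES[profile](domains), "rejected": rejected}


# Constructed sample feed, with the kind of noise a raw extraction contains.
SAMPLE_FEED = ["Example.COM.", "example.com", "c2.example.net", "bad domain", "203.0.113.5"]

if __name__ == "__main__":
    for profile in PROFILES:
        out = generate_acl(profile, SAMPLE_FEED)
        print(f"# {profile}: {len(out['lines'])} entries, {len(out['rejected'])} rejected")
        print("\n".join(out["lines"]))
```

Two points matter when this feeds live sensors. The SID must be stable per domain across regenerations (here it follows sort order, so a real tool would keep a domain-to-SID map), otherwise every update changes which rule an alert refers to. And the Snort content match sees only plain DNS on UDP 53; a proxy or the resolver sinkhole still catches the lookup when the client uses another path.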

THANKS

http://www.honeynet.tn

honeynet@ansi.tn

Hafidh.faleh@gmail.com

http://twitter.com/SaherHoneyNet

http://www.linkedin.com/groups/The-Honeynet-Project-Tunisia-chapter
