Establishment of Secure Academic Cyberspace by Collaboration among Universities
- NII-SOCS (NII Security Operation Collaboration Services) -

Hiroki Takakura
Director, Center for Cybersecurity Research and Development
National Institute of Informatics

Slide 2: Academic backbone network in Japan


[Map of the SINET backbone; legend: leased line, access point, optical fiber]

International links:
• To Los Angeles (100Gbps)
• To New York (100Gbps)
• To London (100Gbps)
• To Singapore (10Gbps)

Slide 3: Characteristics of academic network


Callout: "Never worry about it"

Slide 4: Cyber security becomes mandatory for universities

• Basic Law for Cyber Security (2015)
  – All incorporated national universities should maintain an adequate cyber security level on their networks.
  – All incorporated administrative agencies must be monitored by the Japanese government, including all national research institutes.
• But in universities
  – There are many students.
    • The Constitution of Japan prohibits governmental censorship.
    • Traffic of researchers, faculty, students, and so on is mixed.
      – Academic freedom must be preserved.
      – Too high a cost is expected: wide-bandwidth connection to SINET, e.g., 100Gbps
• Incorporated national universities have to protect themselves
  – Capability to take proper action against cyber incidents (within 5 years)

Slide 5: Adoption of a new countermeasure by the Japanese government (2014)


Attack phases (from the IPA page linked below):
1. Planning
2. Preparation
3. First attack
4. Setup
5. Recon & penetration
6. Hazardous activities


http://www.ipa.go.jp/security/vuln/newattack.html (in Japanese)


Slide 6: Requirements for adopting the new countermeasure


[Table: each requirement is assigned to a responsible party: NII-SOCS, Universities, or Universities and NII-SOCS]

Slide 7: NII-SOCS provides education and training on cybersecurity by OJT

• The Japanese government will require all national universities to have the ability for cybersecurity management
  – Not incident response capability
• CISO should have ability as a coordinator
  – Act as a commander
  – Gives proper commands to departments
  – Negotiates with external companies, e.g., forensics
• CSIRT should support CISO
  – Act as an advisor
  – Provides several countermeasure candidates with pros/cons
  – Also supports incident response and recovery
• Our goal
  – Cultivate management capability for cybersecurity
  – Not train security engineers

[Diagram: Board Members, CISO, Department, Forensics Companies, CSIRT; arrows labelled Command, Report, Request, Information sharing]

Slide 8: Basic Concept of NII-SOCS

• About 7M USD/year
  – 102 national universities
  – NII-SOCS (24/365)
• Investigates alerts and sessions from security appliances
  – 171k alerts/day, 860M sessions/day
• Notifies universities of dangerous alerts
• Provides advice for further investigation
• Collaboration with security agencies
• 4 types of security appliances
  – Palo Alto: IDS with sandbox
  – Cisco Firepower: signature-based IDS
  – Damballa CSP: DNS query investigation
  – LookingGlass: reputation, e.g., ETPRO, AIS (NCCIC)…
• Analysis system and web portals
  – Elasticsearch + Kibana, Splunk

[Diagram: security appliances at 2 locations monitor between SINET and the Internet; analysis system; web portal site; collaboration with universities and security agencies]

Slide 9: Basic Flow of Alert/Session Analysis

[Diagram: sensors sit on the SINET-Internet links (link rates shown: 40Gbps x2, 40Gbps x2, 20Mbps x2). Palo Alto PA-7080 (traffic), Cisco Firepower (traffic) and Damballa CSP (DNS) produce alerts; the PA-7080 also produces sessions and payload and passes files to Palo Alto WildFire, which returns malware samples with analysis reports. Everything is loaded through Logstash into Elasticsearch, Cassandra (KVS) and PostgreSQL (RDB), and analysed and visualized in Kibana and Splunk. Payload and mail sender/receiver are encrypted.]

Daily statistics (average):

Sensor                     # of alerts/sessions
Palo Alto                  84,976 alerts
Cisco                      60,451 alerts
Damballa                   26,405 alerts
Sessions by Palo Alto      861,960,726
Malware analysis reports   16

Slide 10: Example of Analysis

Slide 11: Consideration on secrecy of communication

• NII-SOCS
  – Security alerts may contain a part of the contents of communication.
  – The contents are automatically encrypted with a common (symmetric) key and stored in the DB.
  – The common key in the DB is encrypted with the university's public key.
  – The common key is replaced periodically (1 week - 1 month).

[Diagram: NII-SOCS (analysis system, portal site) holds the alerts, the common key and A Univ.'s public key; A Univ. holds the secret key. Steps shown: request for decryption, request by mail, decryption by mail client, permission (send common key), display the contents.]
• Both key and decrypted contents are stored only in main memory.
• On expiration, they are automatically deleted.

Of course, it raises the mis-judgement ratio.
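The scheme on this slide, as an added example in Go that is not NII-SOCS code: the captured fragment is sealed with AES-GCM under a rotating common key, the common key is stored only wrapped with RSA-OAEP to the university's public key, and decryption happens in memory after the university releases the key. The record layout, the key IDs, the use of the key ID as OAEP label and associated data, and the expiry check are assumptions of this example, not details given on the slide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// StoredAlert is the DB record for an alert's captured content: the payload
// sealed under a short-lived symmetric "common key" (hypothetical layout).
type StoredAlert struct {
	KeyID      string // rotation period whose common key sealed this payload
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// WrappedKey is the only form in which a common key is stored: RSA-OAEP
// encrypted to the university's public key, with the period's expiry.
type WrappedKey struct {
	KeyID   string
	Wrapped []byte
	Expires time.Time
}

// GenUnivKey stands in for the university's key pair (the secret key never leaves it).
func GenUnivKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewCommonKey (NII-SOCS side) makes a fresh 256-bit key for a new rotation
// period and returns it with its wrapped, storable form. The keyID is the
// OAEP label, so a wrapped key cannot be presented under another period's ID.
func NewCommonKey(univPub *rsa.PublicKey, keyID string, lifetime time.Duration, now time.Time) ([]byte, WrappedKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, WrappedKey{}, err
	}
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, univPub, key, []byte(keyID))
	if err != nil {
		return nil, WrappedKey{}, err
	}
	return key, WrappedKey{KeyID: keyID, Wrapped: w, Expires: now.Add(lifetime)}, nil
}

// SealPayload (NII-SOCS side) encrypts a captured fragment before storage;
// the keyID goes in as associated data, tying the ciphertext to its key.
func SealPayload(commonKey []byte, keyID string, payload []byte) (StoredAlert, error) {
	gcm, err := newGCM(commonKey)
	if err != nil {
		return StoredAlert{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredAlert{}, err
	}
	return StoredAlert{KeyID: keyID, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, []byte(keyID))}, nil
}

// UnwrapCommonKey (university side, "decryption by mail client") recovers the
// common key with the secret key; it refuses after expiry and fails for any
// other university's key.
func UnwrapCommonKey(univPriv *rsa.PrivateKey, wk WrappedKey, now time.Time) ([]byte, error) {
	if now.After(wk.Expires) {
		return nil, errors.New("common key expired: not released")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, univPriv, wk.Wrapped, []byte(wk.KeyID))
}

// OpenPayload (NII-SOCS side, after permission) decrypts in memory only; the
// caller discards key and plaintext when the period expires, as the slide says.
func OpenPayload(commonKey []byte, a StoredAlert) ([]byte, error) {
	gcm, err := newGCM(commonKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, []byte(a.KeyID))
}

func main() {
	univ, err := GenUnivKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	key, wk, _ := NewCommonKey(&univ.PublicKey, "2019-W10", 7*24*time.Hour, now)
	rec, _ := SealPayload(key, wk.KeyID, []byte("MAIL FROM:<user@example.ac.jp>")) // constructed fragment
	// NII-SOCS now holds only rec and wk; the plaintext key is dropped until permission arrives.
	released, err := UnwrapCommonKey(univ, wk, now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	pt, err := OpenPayload(released, rec)
	fmt.Printf("%s %v\n", pt, err)
}
```

Binding the key ID into both the OAEP label and the GCM associated data is what makes rotation meaningful: an old wrapped key cannot be replayed under a new period's identifier, and a record cannot be opened under the wrong period's key. What code cannot enforce is the slide's trade-off: once the university releases a common key, every alert of that period becomes readable, so a shorter rotation period limits what one permission exposes, while withholding the key leaves analysts judging on encrypted data, which is the mis-judgement ratio the slide mentions.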

Slide 12: We need to pay attention to sessions

(1) https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption
(2) https://www.cyren.com/blog/articles/over-one-third-of-malware-uses-https

Slide 13: Example (1)

Onion routing protocol seems to piggyback on an SMTP server

Session record (columns: src IP, dst IP, application, src port, dst port, protocol, bytes sent, bytes received, packets sent, packets received): src IP A.A.A.74, dst IP an SMTP server in a university, application "incomplete". One-way communication by malware.

Slide 14: Example (2)


Slide 15: Example (3)


[Diagram labels: sandbox, C2]

Slide 16: Example (4)


[Three snapshots: 1 hour later, 12 hours later, 25 hours later]

Slide 17: Trace Several Activities

Port/Protocol  Count
81/tcp         639317
102/tcp        638848
444/tcp        637993
2222/tcp       637040
82/tcp         636701
9000/tcp       636534
6666/tcp       636482
80/tcp         358167
443/tcp        351648
53/udp         345561
8080/tcp       324982
3749/tcp       320330
25/tcp         320149
4782/tcp       320007

[Chart: count (0-400) per date, 2015-01-01 to 2015-11-01, for 5007/tcp and 5006/udp]

Why do they want to find… IoT devices?
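The session-level checks behind Example (1) and this slide, as an added example in Go that is not NII-SOCS code: the columns are those of the slide-13 session table, the records are constructed (documentation IP ranges), and the "incomplete" label, the one-way rule and the scan threshold are assumptions of this example. It flags one-way sessions (zero packets back), tallies sessions per destination port/protocol as in the table above, and singles out a source probing the same port across many hosts, the pattern behind the 5007/tcp and 5006/udp curves.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Session carries the columns of the slide's session table.
type Session struct {
	Src, Dst, App, Proto                     string
	SrcPort, DstPort                         int
	BytesSent, BytesRecv, PktsSent, PktsRecv int
}

// sampleLog is constructed for this example, one session per line in the
// slide's column order: src,dst,app,sport,dport,proto,bytes_sent,bytes_recv,pkts_sent,pkts_recv
const sampleLog = `
10.0.0.74,192.0.2.25,incomplete,51234,25,tcp,1200,0,8,0
198.51.100.5,192.0.2.10,web-browsing,40000,80,tcp,800,15000,10,14
198.51.100.5,192.0.2.11,incomplete,40001,5007,tcp,60,0,1,0
198.51.100.5,192.0.2.12,incomplete,40002,5007,tcp,60,0,1,0
198.51.100.5,192.0.2.13,incomplete,40003,5007,tcp,60,0,1,0
203.0.113.9,192.0.2.20,dns,5353,53,udp,70,120,1,1
203.0.113.9,192.0.2.21,unknown-udp,5353,5006,udp,90,0,1,0
`

// ParseSessions parses the comma-separated export; blank and '#' lines are skipped.
func ParseSessions(text string) ([]Session, error) {
	var out []Session
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 10 {
			return nil, fmt.Errorf("bad record %q: want 10 fields, got %d", line, len(f))
		}
		var n [6]int
		for i, idx := range []int{3, 4, 6, 7, 8, 9} { // the numeric columns
			v, err := strconv.Atoi(f[idx])
			if err != nil {
				return nil, fmt.Errorf("bad number in %q: %v", line, err)
			}
			n[i] = v
		}
		out = append(out, Session{Src: f[0], Dst: f[1], App: f[2], Proto: f[5],
			SrcPort: n[0], DstPort: n[1], BytesSent: n[2], BytesRecv: n[3], PktsSent: n[4], PktsRecv: n[5]})
	}
	return out, nil
}

// portKey renders "dport/proto", the form used in the slide's table.
func portKey(s Session) string { return fmt.Sprintf("%d/%s", s.DstPort, s.Proto) }

// OneWay returns sessions where nothing came back from the destination,
// the shape of the "incomplete" SMTP session that was malware talking one way.
func OneWay(ss []Session) []Session {
	var out []Session
	for _, s := range ss {
		if s.PktsRecv == 0 && s.BytesRecv == 0 {
			out = append(out, s)
		}
	}
	return out
}

// PortCounts tallies sessions per destination port/protocol.
func PortCounts(ss []Session) map[string]int {
	c := make(map[string]int)
	for _, s := range ss {
		c[portKey(s)]++
	}
	return c
}

type PortCount struct {
	Key   string
	Count int
}

// TopPorts orders the tally by count descending (key ascending on ties).
func TopPorts(counts map[string]int, n int) []PortCount {
	var pc []PortCount
	for k, v := range counts {
		pc = append(pc, PortCount{k, v})
	}
	sort.Slice(pc, func(i, j int) bool {
		if pc[i].Count != pc[j].Count {
			return pc[i].Count > pc[j].Count
		}
		return pc[i].Key < pc[j].Key
	})
	if n < len(pc) {
		pc = pc[:n]
	}
	return pc
}

// ScanSources finds a source hitting the same port on at least minTargets
// distinct hosts. Keys are "src dport/proto"; values count distinct destinations.
func ScanSources(ss []Session, minTargets int) map[string]int {
	seen := make(map[string]map[string]bool)
	for _, s := range ss {
		k := s.Src + " " + portKey(s)
		if seen[k] == nil {
			seen[k] = make(map[string]bool)
		}
		seen[k][s.Dst] = true
	}
	out := make(map[string]int)
	for k, dsts := range seen {
		if len(dsts) >= minTargets {
			out[k] = len(dsts)
		}
	}
	return out
}

func main() {
	ss, err := ParseSessions(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, s := range OneWay(ss) {
		fmt.Printf("one-way: %s -> %s %s app=%s\n", s.Src, s.Dst, portKey(s), s.App)
	}
	for _, p := range TopPorts(PortCounts(ss), 3) {
		fmt.Printf("%-10s %d\n", p.Key, p.Count)
	}
	for k, n := range ScanSources(ss, 3) {
		fmt.Printf("scanner: %s reached %d hosts\n", k, n)
	}
}
```

Counting by destination port alone, as the table does, shows which ports are being hunted; grouping by source as well separates one scanner sweeping a port across the address space from many hosts legitimately using it, which is the distinction needed before asking who is looking for the IoT devices.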

Slide 18: We also trace shellcodes and decoders used by remote attacks

[Chart "Lifetime of Shellcode/Decoder": x-axis Date, 2018/4/10 to 2019/3/26; y-axis Shellcode ID, 0-200]


Slide 19: Information Sharing

NISC: National center of Incident readiness and Strategy for Cybersecurity

Slide 20: Benchmark Data and Malware Samples to Universities

2016/10/28

Slide 21: Conclusion