HIROKI TAKAKURA
DIRECTOR, CENTER FOR CYBERSECURITY RESEARCH AND DEVELOPMENT
NATIONAL INSTITUTE OF INFORMATICS
Establishment of Secure Academic Cyberspace by Collaboration among Universities
- NII-SOCS (NII Security Operation Collaboration Services) -
1
Academic backbone network in Japan
2
To Los Angeles (100Gbps)
To New York (100Gbps)
To London (100Gbps)
To Singapore (10Gbps)
Leased line
Access point
Optical fiber
Characteristics of academic network
3
Never worry
about it
• Basic Law for Cyber Security (2015)
  – All incorporated national universities should maintain an adequate cyber security level on their networks.
  – All incorporated administrative agencies must be monitored by the Japanese government.
    • Including all national research institutes.
• But, in universities
  – There are many students.
    • The Constitution of Japan prohibits governmental censorship.
  – Mixed traffic with researchers, faculties, students… and so on
    • Academic freedom must be preserved.
  – Excessive cost is expected.
    • Wide bandwidth connection to SINET, e.g., 100Gbps
• Incorporated national universities have to protect themselves
  – Capability to take proper action against cyber incidents (in 5 years)
4
Cyber security becomes mandatory for universities
Adoption of new countermeasures by the Japanese government (2014)
5
1. Planning
2. Preparation
3. First attack
4. Setup
5. Recon & penetration
6. Hazardous activities
http://www.ipa.go.jp/security/vuln/newattack.html (in Japanese)
Requirements for adopting the new countermeasure
6
(Diagram: each requirement is assigned to Universities, to NII-SOCS, or to Universities and NII-SOCS jointly.)
• Japanese gov. will require all national universities
  – Ability for cybersecurity management
    • Not incident response capability
    • CISO should have ability as a coordinator
  – Act as a commander
    • Gives proper commands to departments
    • Negotiates with external companies, e.g., forensics
• CSIRT should support CISO
  – Act as an advisor
    • Provides several countermeasure candidates with pros/cons.
    • Also supports incident response and recovery
• Our goal
  – Cultivate management capability for cybersecurity
  – Not train security engineers
7
NII-SOCS provides education and training on cybersecurity by OJT (on-the-job training)
(Diagram: Board Members, CISO, Department, Forensics Companies and CSIRT, with arrows labelled Command, Report, Request and Information sharing.)
• About 7M USD/year
  – 102 national universities
  – NII-SOCS (24/365)
• Investigates alerts and sessions from security appliances
  – 171k alerts/day, 860M sessions/day
• Notifies dangerous alerts to universities
• Provides advice for further investigation
• Collaboration with security agencies
  – 4 types of security appliances
    • Palo Alto: IDS with sandbox
    • Cisco FirePower: Signature-based IDS
    • Damballa CSP: DNS query investigation
    • LookingGlass: Reputation, e.g., ETPRO, AIS (NCCIC)…
• Analysis System and Web portals
  – Elasticsearch+Kibana, Splunk
8
Basic Concept of NII-SOCS
(Diagram: security appliances at 2 locations monitor between SINET and the Internet and feed the analysis system and the web portal site; collaboration with the universities.)
9
Basic Flow of Alert/Session Analysis
(Diagram: SINET and the Internet are linked by 40Gbps x2 connections; the sensors Palo Alto PA-7080, Cisco Firepower and Damballa CSP see traffic and DNS and emit alerts, sessions, payload and files; Palo Alto WildFire (20Mbps x2 link) returns malwares with analysis reports; data is stored in Elasticsearch via Logstash, Cassandra (KVS) and PostgreSQL (RDB); Kibana and Splunk are used for analysis and visualization. Payload and mail sender/receiver are encrypted.)

Daily statistics (average)
Sensors                  # of alerts/sessions
Palo Alto                84,976
Cisco                    60,451
Damballa                 26,405
Sessions by Palo Alto    861,960,726
Reports                  16

Analysis & Visualization
10
Example of Analysis
• NII-SOCS
  – Security alerts may contain part of the contents of communication.
  – The contents are automatically encrypted by a common key and stored in the DB.
  – The common key in the DB is encrypted by the university’s public key.
    • The common key is replaced periodically (1 week - 1 month).
11
Consideration on secrecy of communication
(Diagram: NII-SOCS analysis system / portal site and A Univ.; the common key, the university's public key and secret key; alerts. Steps: decryption by mail client; permission (send common key); request by mail; request for decryption; display the contents.)
• Both key and decrypted contents are stored only in main memory.
• On expiration, they are automatically deleted.
Of course, this raises the misjudgement ratio
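As an added example (not code from NII-SOCS or this talk), the storage scheme on this slide in Go: alert contents are sealed with AES-256-GCM under a common key, the common key is kept only wrapped with RSA-OAEP under the university's public key, and each common key carries the rotation period it belongs to, so an alert cannot be opened with a key record from a different period. The type and function names, the KeyID field and the 256-bit key size are assumptions; the alert payload in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Envelope is an encrypted alert as kept in the NII-SOCS DB (assumed layout); KeyID is the rotation period of the common key that sealed it.
type Envelope struct{ KeyID int; Nonce, Ciphertext []byte }
// StoredKey is the DB record of one common key: only the RSA-OAEP-wrapped form is kept.
type StoredKey struct{ KeyID int; WrappedKey []byte }

// NewCommonKey draws a fresh 256-bit common key for period keyID and wraps it with the university's public key; the raw key is for transient in-memory use only.
func NewCommonKey(keyID int, univPub *rsa.PublicKey) ([]byte, StoredKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, StoredKey{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, univPub, key, nil)
	if err != nil { return nil, StoredKey{}, err }
	return key, StoredKey{keyID, wrapped}, nil
}

// gcmFor builds the AES-256-GCM AEAD for a raw common key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptAlert (NII-SOCS side) seals alert contents under the current common key.
func EncryptAlert(keyID int, key, contents []byte) (Envelope, error) {
	gcm, err := gcmFor(key)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per alert
	if _, err := rand.Read(nonce); err != nil { return Envelope{}, err }
	return Envelope{keyID, nonce, gcm.Seal(nil, nonce, contents, nil)}, nil
}

// DecryptAlert (university side) unwraps the common key with the university's secret key and opens the contents in memory; a key record from another rotation period is refused.
func DecryptAlert(env Envelope, rec StoredKey, univPriv *rsa.PrivateKey) ([]byte, error) {
	if env.KeyID != rec.KeyID { return nil, fmt.Errorf("alert sealed in period %d, key record is period %d", env.KeyID, rec.KeyID) }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, univPriv, rec.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Deleting the unwrapped key and plaintext after display (the slide's "on expiration" step) is left to the caller, since in Go that is a matter of dropping the references rather than an API call.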
12
We need to pay attention to sessions
(1) https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption
(2) https://www.cyren.com/blog/articles/over-one-third-of-malware-uses-https
The onion routing protocol seems to piggyback on the SMTP server
13
Example (1)
src IP    dst IP                        Application   src port  dst port  protocol  bytes sent  bytes received  packets sent  packets received
A.A.A.74  SMTP server in a university   incomplete
One-way communication by malware
14
Example (2)
Example (3)
15
(Diagram labels: sandbox, C2)
Example (4)
16
1 hour later
12 hours later
25 hours later
17
Trace Several Activities
Port/Protocol   Count
81/tcp          639317
102/tcp         638848
444/tcp         637993
2222/tcp        637040
82/tcp          636701
9000/tcp        636534
6666/tcp        636482
80/tcp          358167
443/tcp         351648
53/udp          345561
8080/tcp        324982
3749/tcp        320330
25/tcp          320149
4782/tcp        3200070
(Figure: counts for 5007/tcp and 5006/udp, 2015/01/01 to 2015/11/01; y-axis 50 to 400.)
Why do they want to find… IoT devices?
(Figure: Lifetime of Shellcode/Decoder; x-axis Date, 2018/4/10 to 2019/3/26; y-axis Shellcode ID, 0 to 200.)
18
We also trace shellcodes and decoders used by remote attacks
Information Sharing
19
NISC: National center for Incident response and Strategy for Cybersecurity
Benchmark Data and Malware Samples to Universities
2016/10/28
21
Conclusion