Copyright© 2016 ICT-ISAC Japan. All Rights Reserved.
Trend of Cyber Attacks and Introduction of Cyber Security Activities in ICT-ISAC Japan
September 12, 2016
Koji Nakao
ICT-ISAC - Japan Executive Board Member,
Distinguished Researcher - NICT,
Advisor - KDDI
Botnets: Core of problems...
[Diagram: the botnet ecosystem. Infection paths shown: remote exploits; web exploits (exploit sites, drive-by download, shellcode, virus); malware download servers; phishing and fake SNS private messages to friends of victims; blackhat SEO of search engines and upload of malicious contents. Infected hosts are driven from C&C infrastructure. Labels marked with "$": DDoS, SPAM / fake SNS, stolen id/password (web admin login), DNS, pay-per-click advertisement against search engine users.]
Scan behavior observed by ATLAS-NICT
Contents for Today
1. Overview of ICT-ISAC
2. PRACTICE project (in relation to ISAC)
3. ACTIVE project (in relation to ISAC)
4. CAE WG (Cyber Attack Defense Exercise)
5. New area for IoT security
6. Views from ICT-ISAC
Overview of "ICT-ISAC Japan" (previously called "Telecom-ISAC Japan")
● Telecom-ISAC Japan (predecessor) was launched in July 2002 as Japan's first ISAC;
● After 14 years, ICT-ISAC Japan was established on July 1, 2016, with an expanded scope, as the successor of Telecom-ISAC Japan;
● Members of the new ISAC extensively cover not only telecom organizations but also broadcasters, SI vendors and security vendors;
● Objective is to collaboratively protect ICT infrastructures such as the Internet and broadcasting systems against cyber threats in global cyberspace;
● Encourage partnerships and mutual assistance among ICT industry members so as to stand together against large-scale cyber threats which individual corporations cannot face alone;
● The structure of WGs and SIGs is still under consideration; however, the WGs conducted under the previous Telecom-ISAC Japan will basically be continued.
Overview of ICT-ISAC Japan
President: Tadao SAITO
Executive Board Members: Hiromichi SHINOHARA (NTT Corp.), Koji NAKAO (KDDI Corp.)
Member corporations
- Telecom/Mobile/ISP: NTT, KDDI, NTT Communications, Internet Initiative Japan, NTT DoCoMo, K-Opticom, SONY Network Communications, Softbank, NTT West, NIFTY, NTT East, BIGLOBE, Internet Multifeed, NTT DATA INTELLILINK, KDDI R&D Labs
- Broadcaster: NHK, TBS, tv asahi, TV TOKYO, FUJI TV, NIPPON TV
- SI Vendor: NEC, Hitachi, Oki Electric Industry, Fujitsu
- Security Vendor: FFRI, NRI SecureTechnologies, NTT Com Security
Observers: Ministry of Internal Affairs and Communications (MIC), National Institute of Information and Communications Technology (NICT), JAPAN INTERNET PROVIDERS ASSOCIATION (JAIPA), TELECOM SERVICES ASSOCIATION, Telecommunications Carriers Association (TCA), Japan Data Communications Association (JDCA), The Japan Commercial Broadcasters Association (JBA)
Structure of ICT-ISAC Japan membership
[Diagram: the scope of Telecom-ISAC members (・Telecom carriers ・ISPs ・Mobile operators) is widened to the scope of ICT-ISAC members by adding:]
<Broadcaster> ・Broadcasters ・CATV operators ・Related organizations
<SIer/Vendor> ・SIers ・Network Equipment Manufacturers ・Router Vendors ・FW/NAT Vendors ・IoT Vendors ・Consumer Electronics Manufacturers
<Security Vendor> ・AVS Vendors ・Security Consulting firms
ICT-ISAC Japan's Activities
1) Working Group (WG) activities to share and analyze (discuss) the ICT industry's issues about cybersecurity
2) Holding workshops, cyber-attack exercises and seminars, etc.
3) Collaboration and cooperation, through partnerships, with security institutions in Japan and overseas (Ministry of Internal Affairs and Communications (MIC), National center of Incident readiness and Strategy for Cybersecurity (NISC), CEPTOAR Council, JPCERT/CC, IPA et al.)
4) Works for MIC's (governmental) projects against cyber attacks, e.g. MIC R&D of Cyber-Attack Prediction and Rapid Response Technology Through International Partnership *) ACTIVE has been running since Nov. 2013, PRACTICE since Apr. 2011
5) Others (propagation and advancement of security technologies, and contribution to educational activities)
[Diagram: ICT-ISAC Japan linked to overseas institutions (ICT corps, ISACs, security-related institutions), domestic institutions (ICT corps that are non-ISAC members, security-related institutions), NISC and the CEPTOAR Council.]
Categories of WG Activities
※ SONAR: Society of Network Abuse Response. WG activities are still under consideration.
List of WGs’ activities (in Previous ISAC)
Detection of Symptoms of Attacks: PRACTICE Project
Proactive Response Against Cyber-attacks Through International Collaborative Exchange
Outline of PRACTICE
• PRACTICE project
– Proactive Response Against Cyber-attacks Through International Collaborative Exchange
– Launched in 2011 by MIC Japan
• Objectives
– To construct a world-wide threat monitoring system
– To detect symptoms of cyber-attacks and respond to them proactively at an early stage
Organizations for PRACTICE
Implementing organizations (and partners):
• Yokohama National University
• Institute of Systems, Information Technologies and Nanotechnologies
• SecureBrain Corporation
• KDDI R&D Laboratories
• Japan Datacom Co., Ltd.
Their roles: R&D of technologies which help to forecast cyber attack trends; field trial of the technologies and quick response.
Supporting organization (NICT):
• Technical support based on NICTER collective expertise
• Providing data which has been stored by NICT's technology
Darknet traffic statistics
2015/10/20 6th APT Cybersecurity Forum
Monitor data through Dark-Net
• Dark-Net: unassigned IP address space; the addresses are not connected to real servers/PCs.
• Types of packets arriving at the Dark-Net:
– Scans by malware;
– Malware infection behaviors;
– Backscatter from DDoS attacks;
– Misconfigurations/mistakes
• It is very useful for observing serious attack behavior over the Internet.
ATLAS - Darknet visualization
International Darknet Sensors
• Sensors in 10 countries (as collaborative partners) in 2015
FY 2012: Malaysia, Thailand
FY 2013: Indonesia, Maldives, Philippines, Singapore
FY 2014: India, Netherlands, France
FY 2015: US
Darknet Statistics (1)
Darknet Statistics (2)
Seeking vulnerabilities in embedded devices (Linux)
• 23/TCP scans on the Darknet have been increasing
[Diagram labels: Wireless Router, Solid State Recorder, Web Content Load Balancer]
Comparison among countries
• Source countries of hosts observed by "Country J" and "Country T" (top 15 source countries, host count).

Rank  Country J            Country T
 1    cn    533,262        cn  3,079,777
 2    us    232,590        us    725,992
 3    tw     66,337        pl    173,928
 4    nl     48,768        nl    119,774
 5    hk     30,854        hk     74,305
 6    kr     23,333        th     69,901
 7    fr     23,000        tw     69,679
 8    de     22,388        kr     65,420
 9    jp     17,043        fr     63,913
10    ru     15,589        de     57,347
11    pl     12,804        ru     47,186
12    ca     11,515        jp     31,156
13    br      8,615        ca     28,904
14    se      7,873        br     24,063
15    ua      7,453        ua     19,670
Early Detection of DR-DoS attack and its alerting
DRDoS Attack
1. Bots send reflectors a large number of queries whose source IP addresses are spoofed to the TARGET.
2. Reflectors reply with amplified responses to the TARGET.
3. The communication bandwidth of the TARGET is flooded with the amplified packets.
[Diagram: Botnet → (query whose source IP address is spoofed) → Reflectors → (amplified response) → TARGET]
Protocols that can be used for DRDoS Attacks
[1] Christian Rossow: "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.
[2] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz: "Exit from Hell? Reducing the Impact of Amplification DDoS Attacks," Proceedings of the USENIX Security Symposium, 2014.
Reflectors distribution on world map
DR-DoS honeypots
PRACTICE set up open but bandwidth-controlled servers (DRDoS honeypots) to monitor DR-DoS attacks.
[Diagram: the botnet sends queries spoofed to be from host x.y.z.w to open servers (reflectors), whose responses flood the DDoS target x.y.z.w. The DRDoS honeypots receive the same spoofed queries and watch them, but their responses are limited (STOP), so they observe the attack without contributing to it.]
DR-DoS detection statistics
DNS-Amp attacks are increasing
Early collection of malicious domains-1
[Chart: queries per date (0 to 70,000) for the domain bitstress.com as seen by YLAB-DNS, MKT-DNS, Darknet (65536 IP), Honeypot1 and Honeypot2; the "6 days" annotation marks the lead time between the honeypot observations and the DoS alert at the backbone.]
Domains with maliciously large responses are observed by the honeypot before they are used in actual attacks (attackers test their domain before using it for an attack).
Early collection of malicious domains-2
Over 50% of the malicious domains prepared for DNS AMP attacks are collected by honeypot/darknet two days or more before the actual attacks.
Days prior to attacks   #domains
0 day                   4 (12.1%)
within 1 day            5 (15.2%)
2~7 days                7 (21.2%)
8~30 days               6 (18.2%)
31~ days                4 (12.1%)
After the attacks       3 ( 9.1%)
Not detected            4 (12.1%)
Utilization of DR-DoS alert
• DR-DoS alert sample (e-mail)
START of DR-DoS attack
[Target IP] XXX.XXX.XXX.XXX
[Detection time] 2014-11-13 23:57:37
[Protocol] DNS : port 53
[DRDoS Honeypot detail data]
AS num : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(MAX) : 2.2
pps(AVG) : 1.1416666666666666
[Domain] "wradish.com ANY IN":137

END of DR-DoS attack
[Target IP] XXX.XXX.XXX.XXX
[Detection time] 2014-11-13 23:57:37
[Protocol] DNS : port 53
[DRDoS Honeypot detail data]
AS num : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(MAX) : 2.2
pps(AVG) : 1.1416666666666666
[Domain] "wradish.com ANY IN":137
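The alert layout above can be produced by simple stateful logic over the honeypot's query log. The following Python is an added illustration, not PRACTICE's code: it assumes a constructed log of queries received by a bandwidth-limited open DNS honeypot, treats the spoofed source address as the victim, opens an attack when the per-second query rate from one source reaches START_PPS, closes it after IDLE_SEC quiet seconds, and renders START/END alerts in the e-mail layout shown. The thresholds, log format, port table and sample values are assumptions; AS number and country lookups are omitted.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

START_PPS = 2.0   # queries/second from one spoofed source that opens an attack (assumed)
IDLE_SEC = 30     # quiet seconds that close the attack (assumed)
PORTS = {"DNS": 53, "NTP": 123, "SSDP": 1900, "CHARGEN": 19, "QOTD": 17, "SNMP": 161}

# Constructed honeypot log: "<date> <time> <spoofed-source> <proto> <qname> <qtype>".
# 198.51.100.9 plays the victim whose address the bots spoof; 192.0.2.5 is a
# single stray query that must not produce an alert.
SAMPLE_LOG = """\
2014-11-13 23:57:37 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:37 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:37 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:38 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:38 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:39 192.0.2.5 DNS example.com A
2014-11-13 23:57:40 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:40 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:57:41 198.51.100.9 DNS wradish.com ANY
2014-11-13 23:58:30 198.51.100.9 DNS wradish.com ANY
"""


@dataclass
class Alert:
    target: str
    proto: str
    start: datetime
    end: datetime
    max_pps: float
    avg_pps: float
    domains: Counter


def parse_log(text):
    """Return (timestamp, spoofed source, protocol, 'qname qtype IN') per log line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, src, proto, qname, qtype = line.split()
            records.append((datetime.fromisoformat(f"{date} {time}"), src, proto,
                            f"{qname} {qtype} IN"))
    return records


def _close(acc, src, proto):
    duration = (acc["last"] - acc["start"]).total_seconds() + 1   # whole seconds covered
    return Alert(src, proto, acc["start"], acc["last"], float(acc["max"]),
                 acc["total"] / duration, acc["domains"])


def detect_attacks(records, start_pps=START_PPS, idle_sec=IDLE_SEC):
    """Group queries per spoofed source and second; return one Alert per attack."""
    per_src = defaultdict(lambda: defaultdict(list))   # src -> second -> [domain keys]
    proto_of = {}
    for ts, src, proto, dom in records:
        per_src[src][ts.replace(microsecond=0)].append(dom)
        proto_of[src] = proto
    alerts = []
    for src, seconds in per_src.items():
        acc = None                                      # accumulator of the open attack
        for sec in sorted(seconds):
            n = len(seconds[sec])
            if acc and (sec - acc["last"]).total_seconds() > idle_sec:
                alerts.append(_close(acc, src, proto_of[src]))   # END: source went quiet
                acc = None
            if acc is None:
                if n < start_pps:
                    continue                            # below rate: not an attack second
                acc = {"start": sec, "last": sec, "total": 0, "max": 0, "domains": Counter()}
            acc["last"], acc["total"], acc["max"] = sec, acc["total"] + n, max(acc["max"], n)
            acc["domains"].update(seconds[sec])
        if acc:
            alerts.append(_close(acc, src, proto_of[src]))       # log ended mid-attack
    return alerts


def format_alert(alert, phase):
    """Render an alert in the e-mail layout used above; phase is 'START' or 'END'."""
    when = alert.start if phase == "START" else alert.end
    return "\n".join([
        f"{phase} of DR-DoS attack",
        f"[Target IP] {alert.target}",
        f"[Detection time] {when:%Y-%m-%d %H:%M:%S}",
        f"[Protocol] {alert.proto} : port {PORTS.get(alert.proto, '?')}",
        "[DRDoS Honeypot detail data]",            # AS num / country lookups omitted here
        f"pps(MAX) : {alert.max_pps}",
        f"pps(AVG) : {alert.avg_pps}",
        "[Domain] " + ", ".join(f'"{d}":{n}' for d, n in alert.domains.most_common()),
    ])


if __name__ == "__main__":
    for a in detect_attacks(parse_log(SAMPLE_LOG)):
        print(format_alert(a, "START"), "\n", format_alert(a, "END"), sep="")
```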
Activities against DDoS in Japan
Countermeasures against DRDoS attacks using DRDoS honeypot alerts
[Diagram: DDoS attackers → reflectors → victim host on the backbone. The DRDoS honeypot system detects DRDoS attacks (DNS, NTP, SSDP, CHARGEN, QOTD, SNMP) and sends e-mail DR-DoS alerts (victim host's IP, detected time, protocol, end time, ...) to the ISP's network operators, who feed their DDoS countermeasure system.]
・DR-DoS alerts are delivered to Telecom-ISAC Japan (now ICT-ISAC).
・Network operators can manage and respond to DRDoS through these alerts
⇒ 86% of alerts were notified earlier than the detections by existing DDoS countermeasure systems
⇒ Early response is realized about 2 minutes earlier than in normal operation
Malware sandbox analysis and alerting
Malware sandbox analysis
Long-term analysis of malware activities: malware from the data source (botnet-type malware, P2P-type malware, financial malware) is run in the sandbox and its malicious traffic toward the Internet (malicious servers) is observed.
1) Traffic monitoring
・location of C&C servers
・location of manipulation servers
・location of DNS servers
・location of SMTP servers
・port number
・・・
2) Malware detail analysis
・plug-in information
・configuration information
・URL information
・malware bodies (hash value) received from malicious servers
・・・
Alerts will be sent by utilizing this information.
Example: Growing financial malware
• Threats of financial malware, using the MITB (man in the browser) method in order to steal money from online banking customers, are growing.
[Diagram: the infected web browser sits between the user and the banking site]
Source: National Police Agency (Japanese) https://www.npa.go.jp/cyber/pdf/H270903_banking.pdf
Long-term analysis in Sandbox
• The project has monitored the following financial malware continuously.
– Aibatook
– ZeuS (P2P)
– VAWTRAK
– Ice IX
– Citadel
– Chthonic
– Dyre
– Win32/Spy.Shiz
– Shifu
– WERDLOD
– Win32/Farfli.BTH
– Dridex
• Alerts are provided as outcomes of the analysis.
Behavior of VAWTRAK (an example of Banking Malware)
[Sequence diagram. Participants: User, VAWTRAK (malware), Banking Server (normal), C&C Server, Manipulation Server. Labels: Execute; Access to C&C; Environmental information for malicious access to the bank; Browser initiation; Access to the normal banking server; Normal content; Malicious script (attack); Manipulated content; Request password (normal); Faked password request window; Input password; Information leakage (ID/Password, etc.); Request for sending money; Illegal access from VAWTRAK; Progress bar; Observation (the point where the sandbox monitors the traffic).]
Alert by malware analysis
JSON alert (sample)
• Header part: hash value, malware name
• Data part: C&C info, target URL, DNS info, etc.
The alerts are provided to police, financial sectors, etc.
Summary
• Our awareness of ongoing botnet activities has improved with the following approaches:
– Long-term sandbox analysis of bot samples reveals their microscopic behavior (e.g. characteristic DNS queries) for detecting infected hosts as well as understanding the details of threats (e.g. spam, PPC).
– Multiple sensors (cache DNS, darknet, livenet, and honeypots) are complementary to each other, enabling us to grasp a macroscopic picture of various botnet activities.
ACTIVE Promotion-WG (Advanced Cyber Threats response InitiatiVE)
ACTIVE – Aim for Prevention of Malware Infection and Removal of Malware
○ Public-private partnership project for around 30 million Internet users, which prevents malware infection and removes malware through collaboration among ISPs. (ACTIVE: Advanced Cyber Threats response InitiatiVE)
○ Started in November 2013. There are now 12 companies participating.
○ World-first challenge which implements comprehensive countermeasures against malware infection, with an eye on international collaboration in the future.
① Prevention of malware infection (collection of URLs, warning to end users, warning to web site administrators)
① Collection of malware-embedded websites to be compiled into a list
② Issue of warning statements to users who are going to access malware-embedded websites
③ Issue of warning statements to administrators of malware-embedded websites to remove malware from their websites
② Removal of malware (detection, warning, removal)
① Specification of individual users whose PCs are infected with malware
② Issue of warning statements to the users to take appropriate measures
③ Removal of malware in accordance with the warning statements
Prevention of Malware Infection: Efforts
Efforts for prevention of malware infection
[Diagram: a decoy machine (crawling honeypot) finds a malicious site; information on the malicious site is provided to an ISP (ISP business operator, etc.); the ISP issues a warning statement, using a tool, to the Internet user accessing the malicious site, and prompts removal of the malware on the site.]
Total number of alerts issued (total number of times each ISP issued warnings, e.g. popping up a warning message by a tool)
March 2015: 84; Accumulated total: 22,867
Information of malicious sites (number of URLs; number of times information of malicious sites was provided to ISPs)
March 2015: 13,351
★Number of URLs about which warnings were issued (duplicated URLs are counted as one URL)
March 2015: 66; Accumulated total: 4,843
Removal of Malware: Efforts
Efforts for removal of malware
[Diagram: (1) a decoy machine (standby honeypot) detects/captures infection behaviors from a terminal infected with malware and records infection logs; external organizations also supply infection logs via a web server; (2) ISP business operators identify users from the infection logs; (3) a warning e-mail is sent to the user whose terminal has been infected; (4) the user accesses the site that provides information for removing malware, obtains the information needed, and removes the malware.]
Number of users who received warnings (total among all ISPs; number of users to whom warnings were issued)
March 2015 accumulated total: 1,418
Number of warnings (total among all ISPs; multiple warnings issued to a single user are counted as multiple)
March 2015 accumulated total: 7,018
Total number of collected samples (samples collected by the decoy machine)
March 2015 accumulated total: 1,093,097
Number of identified samples (duplicated samples counted as one, out of the total number of collected samples)
March 2015 accumulated total: 16,228
Take Down of Game Over Zeus
Take down of the C&C servers and their proxies; monitor the C&C server activity and notify users of infection.
Operational detail
Game Over Zeus bots have been used by a ring of cybercriminals for stealing from Internet banking. As Game Over Zeus (GoZ) was taking a major role in cybercrime around the world, the FBI and Europol organized a large-scale takedown which involved law enforcement agencies around the world, including Japan. The goal of the operation was to confiscate the servers used by the criminals, find the PCs infected by the malware and notify their users.
(Source) http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted
(Source) http://www.npa.go.jp/cyber/goz/
Participation in the VAWTRAK Botnet Takedown Operation
Call for attention and request for disinfection to users of infected terminals; incapacitation of VAWTRAK on the infected terminals.
Details of the operation (Apr. 2015)
Infection of 44,000 terminals within Japan (82,000 globally) with "VAWTRAK", a malware for unauthorized money transfer in Internet banking, was confirmed. It was judged that Japan was the main target from the ratio of infected terminals within Japan and from the configuration files of VAWTRAK.
As a countermeasure, an Internet banking virus incapacitation operation, the first large-scale botnet takedown operation of its kind in Japan, was deployed. The Ministry of Internal Affairs and Communications and Telecom-ISAC Japan collaborated to call users' attention and carry out disinfection operations together with member ISPs.
(Source) http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm
(Source) http://www.soumu.go.jp/menu_news/snews/01ryutsu03_02000092.html
(Source) https://www.telecom-isac.jp/news/news20150410.html
(Source) http://www.active.go.jp/active/news/release/entry-231.html
Approach of each ISP through ACTIVE (T-ISAC-J)
General flow of the call for attention to users of malware-infected terminals
[Diagram: 2014, responding to GOZ: unauthorized communication from a GOZ-infected terminal user is captured by a system constructed by the FBI etc.; (1) capture infected terminals; (2) send information on infected terminals (US-CERT appears on this path) to Telecom-ISAC Japan. 2015, responding to VAWTRAK: unauthorized communication from a VAWTRAK-infected terminal user reaches the C&C server, remotely controlled by the Metropolitan Police Department; (1) capture infected terminals; (2) send information on infected terminals to Telecom-ISAC Japan. In both cases: (3) Telecom-ISAC Japan sends information on infected terminals to each ISP participating in ACTIVE (total number on the lists: 155,000 terminals (GOZ), 44,000 terminals (VAWTRAK)); (4) each ISP, after log investigation and comparison, contacts the users and prompts them to disinfect the malicious program.]
Telecom-ISAC Japan (ACTIVE project) provided the contact person and made the arrangements for these projects through consultations with the Metropolitan Police Department, the National Police Agency, and the Ministry of Internal Affairs and Communications.
Regarding the calls for attention, Telecom-ISAC Japan first received information from the related organizations (JPCERT/CC and the Metropolitan Police Department) as the contact point for both the "GOZ" and "VAWTRAK" projects, before sending the information to each ISP utilizing the delivery line of ACTIVE.
Each ISP called for attention and requested disinfection of the virus from users based on the received information on infected terminals.
ACTIVE provides the "infra" to reach end-users through ISPs.
Cyber Attack Defense Exercise-WG (CAE-WG)
Background and Purposes of the Exercise
To build relationships capable of responding to cyber attacks, the Cyber Attack Exercise (CAE) WG has been conducted since May 2009.
Background
• Responses to attacks by one company are reaching their capacity limit due to the increase in threats
• Shortage of personnel with sophisticated skills on the defense side
• Shortage of opportunities for personnel development
• Shortage of trainers for personnel development
Purposes
• Prompt responses even at incidents: provision of an environment for prompt responses to incidents even when cooperating with other companies; minimization of damage when receiving attacks
• Confirmation of contact points: to confirm whether companies can cooperate at incidents and, at the same time, to train how to cooperate
• Personnel development: experience through the exercise what cannot be experienced in normal operations
• Recognition of issues and improvement: recognize the issues of one's own organization for improvement
Image of the Exercise
[Diagram: ISP company A and ISP company B each have a group of players, a controller and an evaluator. The director issues events from the MSEL (e.g. "Cannot access famous sites"); players discuss, make inquiries to and receive answers from the controller, and exchange requests/inquiries with the other company (e.g. "Currently, access to famous sites is not possible. As a result of investigations, communication is cut off within your network. Can I ask for a checkup?"); the evaluators evaluate.]
Director (each theme, e.g. one person for DNS, NW, Web, etc.: examiner)
• Decides and implements the start and end of the exercise
• Supervises the whole exercise and grasps the situation of each participating group
• Distributes events to each group
Controller (one person for each team: advisor during the exercise)
• Promotes the understanding of messages from events and/or other organizations, and gives incidental information to the group's players
• Promotes the discussions among players and helps decide actions
• If a player asks for information outside the event or for isolated results, answers according to the "Controller material" which is distributed beforehand, or escalates to the director if necessary.
Players (executors of the exercise)
• Participants who are the center of the exercise
• Make decisions and discuss in accordance with their own post, role, and experience in the situation given by the event. Decide the actions of the organization as a result of the discussion within the group
• Declare the decided actions to the controller and evaluator
• Exchange messages with the players of other organizations when necessary
Evaluator (coach, leader)
• Records the contents of discussions and decided actions
• Writes an evaluation report at a later date after the exercise
Cyber-Attack Exercise (CAE2015)
Date: January 19, 2016
Location: Ota City Industrial Plaza (Kamata, Tokyo, Japan)
Participating companies: major ISPs, communications companies, etc.
Participants: 218 participants

New area for IoT security (in relation to Investigating Vulnerability-Network device-WG)
Scanning observation by nicter-Atlas
[Visualization: Atlas all view and Atlas only port 23]
• Capturing packets through the dark-net in real time.
• Color indicates the protocol types: ■UDP ■TCP SYN ■TCP SYN/ACK ■TCP Other ■ICMP
Recently, "scanning to Port 23 (telnet)" is getting larger!!
Telnet (23) attacks on Darknet have rocketed
[Chart: packet count (0 to 70,000,000) and unique host count (0 to 400,000) over time for 23/TCP on the darknet; series "# of Unique Hosts" and "# of Packets".]
Attacking hosts are IoT devices
150,000 attacking IPs; 361 models observed in 4 months
Why IoT devices?
• 24/7 online
• No AV
• Weak/Default login passwords
• With global IP address and open to the Internet
We would like to know..
• Malware: What kind of malware? How many different kinds?
• Targets: What IoT devices are targeted?
• Monetization: What do the attackers do after compromising these devices?
We propose the first honeypot for IoT
Challenges
• Honeypot: emulating diverse IoT devices listening on Telnet, and handling the capture of malware of different CPU architectures
• Sandbox (IoTBOX): handling the running of IoT malware of different CPU architectures (ARM, PPC, SUPERH, X86, MIPSEL, MIPS)
Emulating different devices
Telnet session as seen by the honeypot:
1. 3-way handshake
2. Banner interaction: Telnet options (e.g. Do Echo, Do NAWS, Will Echo; NAWS = Negotiate About Window Size), welcome message and login prompt (e.g. "ADSL Router login:")
3. Authentication: id/pass (e.g. root / 12345)
4. Command interaction: command (e.g. cat /bin/sh) and the corresponding responses, which differ per device architecture (ARM, MIPS, PPC, ...)
Device profile = different banner interactions + different user ID/pass + different responses
• Different banner interactions
– Scanning the Internet on port 23 to get different banners
• Different user ID/pass
– Obtain weak/default ID/pass by web search
• Different interactions/responses
– Learn from actual devices
– System with general configuration for embedded devices (e.g. OpenWRT...)
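The device-profile idea above, as an added example that is not IoTPOT's code: a minimal Telnet front end that keeps a per-profile banner, credential set, prompt and learned command responses, strips the client's IAC option negotiation, walks the login / password / shell states, and records commands it has no learned response for so the profile can be extended later. The profile contents, the ELF-header reply to cat /bin/sh and the client session are constructed.

```python
IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254
ECHO, NAWS = 1, 31   # Telnet options seen in the banner interaction above

# Constructed device profile (a real honeypot learns these from banner scans,
# default-credential lists and actual devices). The 'cat /bin/sh' reply is the
# first bytes of an ELF header for a 32-bit big-endian (MIPS-like) binary.
DEVICE_PROFILES = {
    "adsl_router": {
        "banner": "ADSL Router login: ",
        "credentials": {("root", "12345"), ("admin", "admin")},
        "prompt": "# ",
        "responses": {
            "cat /bin/sh": "\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\n",
            "uname -a": "Linux ADSLRouter 2.6.30 #1 mips GNU/Linux\n",
        },
    },
}


def strip_telnet(data: bytes) -> bytes:
    """Remove IAC negotiation (DO/DONT/WILL/WONT and SB...SE) from client input."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                  # truncated IAC: drop it
        c = data[i + 1]
        if c == IAC:
            out.append(IAC)                        # escaped 0xFF data byte
            i += 2
        elif c in (DO, DONT, WILL, WONT):
            i += 3                                 # 3-byte option command
        elif c == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2  # skip subnegotiation (e.g. NAWS size)
        else:
            i += 2                                 # other 2-byte command
    return bytes(out)


class TelnetEmulator:
    """One honeypot session: login -> password -> shell, driven by a device profile."""

    def __init__(self, profile_name: str):
        self.profile = DEVICE_PROFILES[profile_name]
        self.state, self.user, self.buf = "login", None, ""
        self.log = []        # (state, line) pairs: the client's full interaction
        self.unknown = []    # commands without a learned response (profile candidates)

    def greet(self) -> bytes:
        """Option negotiation (Do Echo, Do NAWS, Will Echo) followed by the banner."""
        opts = bytes([IAC, DO, ECHO, IAC, DO, NAWS, IAC, WILL, ECHO])
        return opts + self.profile["banner"].encode()

    def feed(self, data: bytes) -> bytes:
        """Consume client bytes (possibly a partial line); return the device's reply."""
        self.buf += strip_telnet(data).decode("utf-8", errors="replace")
        out = ""
        while "\n" in self.buf:
            line, self.buf = self.buf.split("\n", 1)
            line = line.rstrip("\r")
            self.log.append((self.state, line))
            if self.state == "login":
                self.user, self.state = line.strip(), "password"
                out += "Password: "
            elif self.state == "password":
                if (self.user, line.strip()) in self.profile["credentials"]:
                    self.state = "shell"
                    out += "\n" + self.profile["prompt"]
                else:
                    self.state = "login"           # back to the banner, like a real device
                    out += "\nLogin incorrect\n" + self.profile["banner"]
            else:
                out += self._run(line.strip())
        return out.encode("utf-8")

    def _run(self, cmd: str) -> str:
        if not cmd:
            return self.profile["prompt"]
        reply = self.profile["responses"].get(cmd)
        if reply is None:                          # unknown command: answer like a busybox shell
            self.unknown.append(cmd)
            reply = f"-sh: {cmd.split()[0]}: not found\n"
        return reply + self.profile["prompt"]
```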
IoTPOT results
[Chart: unique host count (0 to 250,000) by stage: Visit, Login, Download Malware]
• During 122 days of operation [April 01 to July 31, 2015]
• 900,394 malware download attempts
• Malware of 11 different CPU architectures
• 93% of downloaded binaries were new to VirusTotal (2015/09)
Attack Example 1: DNS Water Torture attacks
[Diagram: infected devices send queries for random subdomains (9a3jk.cc.zmr666.com? elirjk.cc.zmr666.com? pujare.cc.zmr666.com? oiu4an.cc.zmr666.com?) to the cache DNS server at the ISP, which forwards them to the authoritative DNS for "zmr666.com"; the authoritative server gives delayed replies and the cache DNS server runs out of resources.]
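Resolver-side detection of this attack, as an added example (not PRACTICE's or IoTPOT's code): it assumes a constructed log of queries answered by the ISP's cache DNS server ("<client> <qname> <result>"), groups them by registered domain (naively the last two labels, with no public-suffix list), and flags domains whose queries are almost all for distinct names and mostly fail, the signature of a random-subdomain flood against an authoritative server that can no longer answer. The clients behind a flagged domain are the infected devices an ISP would warn. Thresholds are assumptions.

```python
from collections import defaultdict

# Constructed resolver log: "<client ip> <qname> <result>". The zmr666.com names
# follow the random-label pattern in the diagram; example.com is normal traffic.
SAMPLE_LOG = """\
10.0.0.11 9a3jk.cc.zmr666.com SERVFAIL
10.0.0.11 elirjk.cc.zmr666.com SERVFAIL
10.0.0.12 pujare.cc.zmr666.com SERVFAIL
10.0.0.12 oiu4an.cc.zmr666.com SERVFAIL
10.0.0.13 x81pq0.cc.zmr666.com SERVFAIL
10.0.0.13 k2mvla.cc.zmr666.com NXDOMAIN
10.0.0.11 r0wek9.cc.zmr666.com SERVFAIL
10.0.0.12 qqz7ra.cc.zmr666.com SERVFAIL
10.0.0.20 www.example.com NOERROR
10.0.0.21 www.example.com NOERROR
10.0.0.20 mail.example.com NOERROR
10.0.0.22 www.example.com NOERROR
10.0.0.23 www.example.com NOERROR
"""

FAILURES = {"SERVFAIL", "NXDOMAIN"}   # what an overloaded or absent authoritative yields


def registered_domain(qname: str) -> str:
    """Naive zone grouping: last two labels (assumption; no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text, min_queries=5, min_unique_ratio=0.8, min_fail_ratio=0.5):
    """Return {domain: finding} for domains that look like water-torture targets."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "failed": 0,
                                 "clients": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, result = line.split()
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())          # distinct names, not repeats of www/mail
        s["clients"][client] += 1
        if result in FAILURES:
            s["failed"] += 1
    findings = {}
    for dom, s in stats.items():
        unique_ratio = len(s["names"]) / s["queries"]   # ~1.0 for random-label floods
        fail_ratio = s["failed"] / s["queries"]         # high once the authoritative stalls
        if (s["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and fail_ratio >= min_fail_ratio):
            findings[dom] = {
                "queries": s["queries"],
                "unique_ratio": unique_ratio,
                "fail_ratio": fail_ratio,
                # busiest clients first: the hosts the ISP would warn (ACTIVE-style)
                "suspect_clients": sorted(s["clients"], key=s["clients"].get, reverse=True),
            }
    return findings
```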
Attack Example 2: Click fraud
Infected devices imitate user clicks on advertising web sites.
Attack Example 3: Stealing credentials from PPV
Particular set top boxes are being targeted (such as dreambox).
Looking back on devices visiting IoTPOT
• We scan back on port 23/TCP and 80/TCP
• More than 60 types of devices visit us
[Bar chart: number of IP addresses per device type; the two largest types have 10,734 and 4,856 addresses, followed by 1,391, 787, 430, 411, 337, 206, 206, 174 and a tail from 60 down to 6.]
More than 60 different types (361 models) of devices visit IoTPOT
Web interfaces of devices attacking us
[Screenshots of device web interfaces]
Categorizing IoT device types
• Surveillance Group: IP Camera, DVR
• Networking Related Devices: Router, Gateway, Modem, Bridge, Security Appliance
• Telephone System: VoIP Gateway, IP Phone, GSM Router, Analog Phone Adapter
• Infrastructure: Parking Management System, LED display control system
• Industrial Control System: Solid State Recorder, Internet Communication Module, Data Acquisition Server, BACnet I/O Module
• Personal: Web Camera, Personal Video Recorder, Home Automation Gateway
• Broadcasting Facility: Digital Video Broadcaster, Digital Video Scaler, Video Encoder/Decoder, Set Top Box
• Other: Heat Pump, Fire Alarm System, Disk Recording System, Optical Imaging Facility, Fingerprint Scanner
AS with more than 1,000 infected Devices
[Map: countries with such ASes: China, Turkey, Russia, Korea, India, USA, Brazil, Hong Kong, Vietnam, Taiwan, Mexico, Malaysia, Argentina, Philippines, Thailand, Israel, Italy, France, Colombia, Germany, Britain, Libya, Ukraine, Spain]
Our Target IoT Devices
[Diagram: Smart+Connected City services (parking, traffic, lighting, location services)]
• Well-managed IoT devices controlled by IoT services
• Less-controlled IoT devices (Nora-IoT) owned by individuals ← our target IoT devices
Security Controls for less-controlled IoT devices
1. Awareness for IoT device owners (individuals): use of appropriate ID and password (guideline)
2. IoT device vendors:
- Stop using Telnet (port 23) in order to avoid malware infections of newly purchased IoT devices;
- Implement a module/function for updating software/firmware.
3. Less-controlled IoT devices already in use:
- Removing malware from infected IoT devices, or stopping the malware from activating (deletion of registry entries, executables, or scheduler entries);
- Providing remote software update functions.
Views from ICT-ISAC Japan
1. Activities in ICT-ISAC Japan will be expanding to the global ICT environment (not only the telecom sector but also broadcasters, IT vendors and security vendors);
2. Best practices for security responses from the members should be collected and shared;
3. Through the Working Groups in ICT-ISAC, knowledge and ideas should be investigated in order to provide security solutions in a collaborative manner;
4. Common issues among all the members and specific issues for specific sectors (members) should be clearly identified and properly managed;
5. International collaboration should be actively promoted.
Thank you for your kind attention.
ICT-ISAC Japan
https://www.ict-isac.jp/ (in Japanese only)