UNAM-Chapter - Status Report For 2014

ORGANIZATION
 
The UNAM Chapter is part of UNAM-CERT, an organization established within the National Autonomous University of Mexico (UNAM).
Current chapter members:
·  Roberto Sanchez – Chapter lead.
·  Ruben Aquino – Chapter member.
·  Pablo Lorenzana – Chapter member.
·  Anduin Tovar – Chapter member.
·  Xocoyotzin Zamora – Chapter member.
·  Javier Santillan – Chapter member.
·  Miguel Bautista – Chapter member.
 
The Chapter members are interested in research projects covering the following topics:
·  Darknets
·  Low interaction honeypots
·  Spampots
·  Intrusion detection
·  Malware Analysis
·  Computer forensics
 
DEPLOYMENTS
 
We're using the following infrastructure as an early warning and intrusion detection system to feed into our incident response process, and also to identify emerging threats in the University’s network and Internet in order to share this knowledge with the security community.
 
We have 15 Raspberry Pis and 3 HonEeeBoxes running Conpot and Thug, one server with 9000 public IP addresses running Kippo, Dionaea and Glastopf, and a new deployment of a Spampot tool developed by the UNAM Chapter.
 
All data from Kippo, Dionaea and Glastopf is shared via hpfeeds.
 
We are developing a web page to present our data, which is available in the statistics section at http://www.honeynet.unam.mx
 
We're also running a centralized and staggered architecture for network monitoring based on Snort, Argus, tcpflow and several other tools for data capture and analysis.
 
A central system called “UNAM Security Telescope” processes all the information gathered by our honeypots and the centralized monitoring architecture.
 
RESEARCH AND DEVELOPMENT
 
We have also developed and deployed a spampot tool for collecting and analyzing spam content (such as URLs, attachments and source IP addresses). It generates statistics about the spam data collected by our honeypots in the University’s network.
 
A distributed sandbox, based on the Cuckoo platform, is used to automate malware analysis on Windows XP and 7. The virtual machines used in the infrastructure were configured and modified to reduce the effectiveness of the anti-VM tricks that malicious samples may use to evade analysis. The software needed to analyze different types of files, not just executables, was installed. Additional modules are also being implemented, among them Snort, standalone antivirus engines, a chart generator and a process-tree viewer.
 
We are continually improving all of these projects to keep pace with ever-changing threats.
 
PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS
 
In late November and early December we delivered honeypot training to the community interested in honeypots and intrusion detection in Mexico City, as part of UNAM’s Security Conferences 2014.
 
As part of UNAM-CERT, one of our main activities is incident detection and handling within our University and our country. For that reason we are in close contact with the CSIRTs of Mexico's main ISPs, sharing with them information about security incidents originating from their networks that we detect in the University network.
 
FINDINGS
 
No particular findings yet.
 
GOALS
 
· Migrate all detection infrastructure to virtual environments on our newly acquired infrastructure.
· Identify new attack trends in Mexico through statistics and charts, generated with the data collected by our honeypots and tools, and publish them in our web page.
· Increase the number of honeypot deployments within our University and Mexican academic networks.
· Deploy and improve our spampot and sandbox tools.
 
MISC
 
Every year we organize a Computer Security Conference. It is a balanced meeting that includes technical and non-technical talks. Its main purposes are to share experiences, to discuss trends and to give attendees a better perspective on computer security in Mexican networks and around the world.
 
Our web page: 
·  www.honeynet.unam.mx