Italian Chapter Status Report 2014

ORGANIZATION
Calogero Lupo joined our team, supporting the development and maintenance of our honeynet.

  • Marco Riccardi is the Chapter leader. He is mainly involved in the development and improvement of the Dorothy framework (dorothy2), as well as mentoring all the graduating students of the University of Milan who decide to focus their final thesis project on one of the Chapter's research areas.
  • Marco Cremonini is an assistant professor at the University of Milan, where he is currently teaching and researching in the fields of security & privacy, economics and complex systems. He is the academic supervisor of the students collaborating on the Chapter's activities and the scientific advisor for the Chapter.
  • Luigi D’Amato is currently CTO at Partner Security Lab and a member of Zone-H. He provides support for our IT infrastructure and is actively involved in developing and maintaining our honeynet.
  • Patrizia Martemucci is a former IT teacher at the high school of Imola. She is in charge of the main development of JDrone (Dorothy's module for botnet infiltration), as well as maintaining and improving the overall DB architecture of Dorothy. She also mentors graduating students from the University of Milan.
  • Domenico Chiarito is a senior software architect who is mainly in charge of the DB architecture of Dorothy.
  • Calogero Lupo is a senior IT system administrator in charge of maintaining our IT environment (sandboxes, honeypots, etc.).

 
DEPLOYMENTS

  • The last release of the Dorothy monitoring and analysis framework: dorothy2.
  • Low interaction honeypots:
    Dionaea (Ubuntu) (2)
    Dionaea (honeeebox) (1)
    Kippo (3)
  • NoSQL database: Apache CouchDB

 
RESEARCH AND DEVELOPMENT

During 2014 the Italian Chapter completed the development of the final dorothy2 malware analysis framework. The final release was announced on October 27 2014. This is the result of a major redesign and re-implementation of the whole framework aimed at improving its modular architecture. The system is now more customisable, and a new web GUI based on Sinatra has been integrated. An advanced web GUI for security analysts remains a long-term goal of the project, whose development we aim to push forward in the future.
As in past years, the Chapter continued to mentor graduating students, both at Bachelor (laurea Triennale in the Italian academic system) and at Master (i.e., Laurea Magistrale) level, from the Computer Science Department of the University of Milan. The Dorothy project has for years been one of the research projects preferred by students of the department's information security classes for completing their final laurea thesis.
During 2014, three students successfully completed their laurea thesis projects by contributing to the Chapter's overall progress.
One of them built a very useful Splunk extension that lets us better monitor our infrastructure through the logs generated by our sensors, and provided interesting insights into the collected data. Another produced a module to process emails containing attachments and to determine whether they could be categorised as phishing. Finally, the third student did an outstanding job improving the project's overall honeypot infrastructure. His work aimed at developing a Kippo-based honeynet by leveraging the powerful and flexible Amazon Web Services (AWS). It illustrates how any willing researcher or analyst could easily set up a wide honeynet spanning several countries around the world at minimal cost.
Progress details follow.
 
Mentored Final degree Projects @ UNIMI

  • Progetto Dorothy: Security Information and Event Management (SIEM) per il monitoraggio di Botnet (ITA; "The Dorothy Project: Security Information and Event Management (SIEM) for Botnet Monitoring") - Andrea Cavenago [link]
  • Sviluppo di un modulo di mail inspection per il framework Dorothy2 (ITA; "Development of a mail inspection module for the Dorothy2 framework") - Salvatore Gerbino [link]
  • Alla ricerca del malware perduto - Progettazione e realizzazione di una Virtual Honeypot distribuita (ITA; "In search of lost malware - Design and implementation of a distributed virtual honeypot") - Calogero Lupo [link]

Dorothy2
The new complete release of the Dorothy framework (Dorothy2) was finally released in October 2013. The announcement was made on the Italian Chapter’s blog and on the Honeynet Project website. The complete software is released under the GPL 3.0 license and is distributed as a Ruby gem. The released software is now stable and presents not just a full redesign and re-implementation with respect to the previous release, but also several new features and functionalities. More info can be found on the project's Git page.
 
FINDINGS
1. Highlight any unique findings, attacks, tools, or methods.

None
2. Any trends seen in the past year?

None
3. What are you using for data analysis?

We are currently using VMware ESXi for malware sandboxing, and Splunk for analysing all the data coming from our sensors/drones.
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?

Dorothy2 is finally up and running; however, new honeypots are needed in order to fetch and analyse as many malware samples as possible. We also need to analyse a massive batch of malware samples and phishing emails to test the system under heavy load and in realistic critical conditions. Current work is focused in this direction. Although a first PoC was implemented in 2013, an advanced WebGUI fully tailored for security analysts is still missing, basically for lack of developers.
 
PAPERS AND PRESENTATIONS
1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible).
None
2. Are you looking for any data or people to help with your papers?
Yes.
3. Where did you present honeypot-related material?
In 2014 no presentations were made, except for laurea thesis academic presentations at the University of Milan and the new version of Dorothy presented at FIRST 2014.
 
GOALS
1. Which of your goals did you meet for the past year?

Keeping the Chapter up and running was the main one, and maintaining an enlarged team around the original Dorothy project was a direct consequence.
Currently we maintain a discrete analysis infrastructure at UNIMI, which relies on two ESXi environments that provide the required resources to dorothy2 and our honeynet. This is probably the biggest achievement we reached last year.
Furthermore, an important goal was providing full support to any UNIMI undergraduate students who wanted to develop their final graduation project on honeypot/botnet-related technologies.
Up to now, thanks to the cooperation with the Università degli Studi di Milano - DI, we have successfully provided (and are still providing) support to several students who are working on Dorothy to improve and optimise its inner functionalities.
2. Goals for the next year.

The main goal for the next year is to keep maintaining and developing the current analysis infrastructure at UNIMI. Spreading and developing knowledge about malware analysis and honeypots in the Italian community will still represent our first goal. We aim to achieve this by continuing to mentor graduating students from UNIMI and publishing their results.
Lastly, the Italian project will continue to freely provide support to any Italian .gov institutions (or national ISPs) on honeypot implementation and cyber attack detection.
 
 
MISC ACTIVITIES
NA