Ukraine CERT – Chapter Status Report for 2014

INTRO:

The Ukraine CERT chapter was created and was granted the status of “The Honeynet Project member” on Feb 25th, 2014. The chapter consists of three members and is formed on the basis of the Computer Emergency Response Team of Ukraine (CERT-UA). Due to the “peculiar conditions” we currently have in our country, all members are concentrated on cybercrime prevention. Despite this, having obtained membership and having attended the HN Workshop (Warsaw), we were able to deploy the first Ukrainian honeynet.

ORGANIZATION:

Nikolay Koval. Mainly involved in computer incident handling. As chapter lead he deploys new honeypots and resolves organizational questions (which is very vital under our current conditions). Responsible for mentoring students.

Serhii Dushkevych. Developer and reverse engineer. Responsible for honeypot deployment and for automating feed parsing and processing.

Andrew Berehuliak. Developer and reverse engineer. Responsible for automating malware sample processing and sinkholing. Develops an anti-fraud system.

DEPLOYMENTS:

We managed to deploy 8 servers for honeypot purposes in different geographical locations. Honeypot software: dionaea, glastopf, kippo (we are evaluating them in turn). We are currently taking steps to deploy an MHN server.

Apart from “passive” threat monitoring, we deployed a system called “IP Guard ASM 1.0” that consists of up to 10 sensors aimed at active intrusion detection. All alerts are passed securely from the sensors to aggregation servers. Signatures (which we maintain ourselves) are also delivered to the sensors over VPN.

RESEARCH AND DEVELOPMENT:

As mentioned before, unfortunately we lack the time to spare for developing HNP-related software. Nevertheless, we try to keep up with things that help address cyber-threats and build proactive protection. Among our deployed projects are the following:
1. IP Guard FEEDs – a system for passive threat monitoring (we obtain threat-related feeds from up to 40 sources). The system has its own web interface. As of March 20th, 2015 we have given access to the system to more than 200 users (government system administrators, ISPs, banks, etc.). Link: http://cert.gov.ua/?p=1878.
2. IP Guard AMS 1.0 – a system for active threat monitoring (global intrusion detection). As of March 20th, 2015 we have deployed sensors in 9 networks (PEs, government entities, ISPs); four more sensors are currently being deployed. Link: http://cert.gov.ua/?p=1996.
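The feed-aggregation side of IP Guard FEEDs is not published on this page, so the following is an added illustration (not the chapter's own code) of the core problem such a system solves: pulling indicators from sources that use different formats, validating and normalizing them, dropping noise such as RFC1918 and loopback addresses, and collapsing duplicates so that an indicator reported by several independent feeds ranks higher. The two feeds, their formats and every indicator in them are constructed for the example; `parse_plain_list`, `parse_csv_feed` and `merge` are names chosen here.

```python
"""Normalize and merge indicators from several threat feeds (constructed sample data)."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Hostname check: labels of letters/digits/hyphens, at least one dot.
# Assumption: internationalized domain names are out of scope for this example.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Addresses that can never be a remote threat indicator; a feed listing them is noise.
# Documentation ranges (198.51.100.0/24, 2001:db8::/32) are deliberately left through
# so the constructed samples below survive; a production filter would drop them too.
_NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


def classify(raw):
    """Return (type, normalized value) or None if the token is not a usable indicator."""
    value = raw.strip().lower().rstrip(".")
    if not value:
        return None
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass
    else:
        if ip.is_multicast or ip.is_unspecified or any(ip in net for net in _NON_ROUTABLE):
            return None
        return ("ip", str(ip))  # canonical text form, e.g. compressed IPv6
    if _DOMAIN_RE.match(value):
        return ("domain", value)
    return None


def parse_plain_list(text, source):
    """One indicator per line; '#' starts a comment. Returns (type, value, source) tuples."""
    out = []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        hit = classify(token)
        if hit:
            out.append((hit[0], hit[1], source))
    return out


def parse_csv_feed(text, source, column="indicator"):
    """CSV with a header row; only the named column is used."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        hit = classify(row.get(column, ""))
        if hit:
            out.append((hit[0], hit[1], source))
    return out


def merge(records):
    """indicator -> {'type': ..., 'sources': set()}; duplicates across feeds collapse into one entry."""
    merged = defaultdict(lambda: {"type": None, "sources": set()})
    for kind, value, source in records:
        merged[value]["type"] = kind
        merged[value]["sources"].add(source)
    return dict(merged)


# Constructed sample feeds (documentation ranges and reserved names, not real indicators).
FEED_A = """# blocklist example
198.51.100.23
malicious.example   # seen in phishing kit
127.0.0.1
10.0.0.5
not an indicator
"""
FEED_B = """indicator,first_seen
198.51.100.23,2014-11-02
Malicious.Example.,2014-12-01
2001:db8::1,2014-12-03
"""


def build_report():
    """Merge both sample feeds and rank by how many independent feeds agree on each indicator."""
    records = parse_plain_list(FEED_A, "feed_a") + parse_csv_feed(FEED_B, "feed_b")
    merged = merge(records)
    return sorted(merged.items(), key=lambda kv: (-len(kv[1]["sources"]), kv[0]))


if __name__ == "__main__":
    for value, info in build_report():
        print(f"{info['type']:6} {value:20} sources={sorted(info['sources'])}")
```

Ranking by the number of agreeing sources is a simple confidence proxy; the same structure extends naturally to per-source weights or first-seen timestamps once feeds such as the CSV one carry them.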

Among our ongoing research projects, we are currently developing a system for automated malware analysis, information exchange and incident handling (IP Guard MAX).

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS:

We were kindly given the opportunity to attend HNW in Warsaw last year. That event not only opened the HN world for us but also gave a good boost to starting Project-related activity here in Ukraine. We would like to thank Muslim Koser from the Indian Chapter, who guided us through the concepts of honeypots/hpfeeds at the very beginning of our HP path.
During 2014 we took part in 10 international events (held not only in Ukraine). At seminars and conferences we presented CERT-UA achievements, shared practices, etc.
Last year we posted up to 40 articles on our main website, cert.gov.ua. The annual report is accessible at this link: http://cert.gov.ua/?p=2019.

FINDINGS:

Ukrainian CERT chapter members took part in and carried out several botnet takedowns, along with other good and useful work toward cyber-threat prevention in Ukrainian cyberspace.

GOALS:

Our first victory was joining the HP community. Then we managed to negotiate with ISPs the possibility of deploying honeypots in their networks.
As soon as circumstances improve (and, probably, we at CERT-UA have less work) we will get down to HP-related research. Of course we will continue to deploy more honeypots and improve log analysis, visualization and processing. As a relatively new HP member we reassure the community that our members are ready (and would be proud) to join and contribute to HP projects.