Polish Chapter Status Report 2014

Organization

The Polish Chapter of the Honeynet Project was founded in November 2011. It consists of ten people:

  • Tomasz Grudziecki
  • Paweł Jacewicz
  • Łukasz Juszczyk
  • Piotr Kijewski
  • Adam Kozakiewicz
  • Krzysztof Lasota
  • Paweł Pawliński
  • Tomasz Sałaciński
  • Łukasz Siewierski
  • Maciej Szawłowski

The Polish Chapter of the Honeynet Project (find us at http://pl.honeynet.org) consists mostly of people whose daily job is focused on analysing new threats, designing and developing tools and researching methods for efficient mitigation of observed attacks.

Areas of research conducted by the members:

  • Anomaly detection
  • Reverse engineering
  • Honeypot technology
  • Web threats
  • Novel methods for threat tracking and identification

You can read more about them in the Members section of our Chapter web page.

Honeynet Workshop

In 2014 the Polish Chapter, together with NASK, organized the Honeynet Workshop in Warsaw. This took most of our time, and we were responsible for many different aspects, ranging from purely organizational tasks (like booking the venue) to more artistic ones (like recording every presentation). Overall, we got an overwhelmingly positive response from the Workshop participants.
During the Workshop Paweł Pawliński and Łukasz Juszczyk prepared a "Capture the Flag" contest for all participants. There were over 15 tasks of varying difficulty. Most of the tasks could be solved by browsing the web server for files containing obfuscated or encoded flags. Another part of the CTF required the participants to set up their own honeypots and intercept chained attacks. Overall, over 40 people connected to the dedicated CTF network and 9 of them solved at least one task.
There was also a CrackMe prepared before the Workshop, with two prizes: one free entry for a Polish resident and another for a foreigner. Both contests were described as entertaining and challenging.
During the Workshop we also gave a short talk on the findings from our honeypot network and ran a hands-on session presenting Heisenberg, a debugger written by two of our members, Maciej Szawłowski and Tomasz Sałaciński.
Public talks and presentations were recorded and are available on the Honeynet Project YouTube channel thanks to Tomasz Grudziecki.

Heisenberg

Heisenberg is a project started in late 2012. It is an attempt to create a debugging framework for a whole operating system that is not affected by issues common to conventional debuggers, such as debugger detection by malware or heisenbugs. Additionally, we wanted to provide a unified approach to debugging different systems at different privilege levels (userland and kernel space). We also wanted to separate the responsibilities of the framework's individual components, in keeping with fundamental principles of UNIX programming.
During 2014 we prepared a Heisenberg workshop, which was part of the 2014 Honeynet Workshop, and advanced the development further. Heisenberg should now work on Windows 7 (in addition to the previous Windows XP support). A graphical user interface was also added. While there are challenging tasks and problems ahead, we are confident that one day it will become a convenient and useful tool for the community to use and develop.

Honeypots

In 2014 our honeypot network underwent another restructuring and several new honeypots were added. These additions were a result of the presentation at the Honeynet Workshop. We now operate honeypots in 6 different Autonomous Systems and plan to add a few more. All of the honeypots report to Elasticsearch and the data is presented using Kibana. Every Honeynet member can get access to this data and use it as he or she sees fit. Our results were compared and contrasted with those the Czech Chapter is getting, and the comparison was presented at the Computer Networks 2014 conference.
Our goal for this year is to grow the network further and provide analysis of the threats we detect there.
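The reporting pipeline described above (sensors in several autonomous systems feeding Elasticsearch, with Kibana on top) can be illustrated with a small normalization step. The following is an added example written for this report, not the Chapter's own collector code: the one-JSON-object-per-line sensor log format, the sensor names, the AS numbers and the index name are all assumptions, and the log lines are constructed. It turns raw sensor events into documents for Elasticsearch's _bulk endpoint, tags each event with the AS its sensor sits in, drops malformed lines instead of aborting the upload, and computes two of the views one would otherwise build in Kibana: hits per AS, and source addresses seen by sensors in more than one AS.

```python
"""Normalize honeypot events into Elasticsearch bulk-API documents.

Added example, not the Polish Chapter's code. It assumes each sensor logs
one JSON object per line with the fields ts, src_ip, dst_port, proto and
sensor, and that the operator maintains the sensor -> AS mapping.
All sample data below is constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sensor inventory: sensor name -> autonomous system it sits in.
# Hypothetical values; the report only says there are six ASes.
SENSOR_AS = {
    "hp-warsaw-1": "AS64500",
    "hp-krakow-1": "AS64501",
    "hp-gdansk-1": "AS64502",
}

# Constructed sample log lines, one JSON object per line. The fourth line
# is deliberately malformed and the fifth names a sensor not in the inventory.
SAMPLE_LOG = """\
{"ts": 1414800000, "src_ip": "198.51.100.23", "dst_port": 22, "proto": "tcp", "sensor": "hp-warsaw-1"}
{"ts": 1414800002, "src_ip": "198.51.100.23", "dst_port": 22, "proto": "tcp", "sensor": "hp-krakow-1"}
{"ts": 1414800010, "src_ip": "203.0.113.7", "dst_port": 445, "proto": "tcp", "sensor": "hp-warsaw-1"}
not json at all
{"ts": 1414800020, "src_ip": "203.0.113.7", "dst_port": 445, "proto": "tcp", "sensor": "hp-unknown"}
"""


def parse_event(line):
    """Parse one log line into a normalized document, or None if malformed.

    Malformed lines are dropped rather than raising, so one bad sensor
    record cannot stall the whole bulk upload.
    """
    try:
        raw = json.loads(line)
        ts = datetime.fromtimestamp(int(raw["ts"]), tz=timezone.utc)
        return {
            "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": str(raw["src_ip"]),
            "dst_port": int(raw["dst_port"]),
            "proto": str(raw["proto"]),
            "sensor": str(raw["sensor"]),
            # Sensors missing from the inventory are kept but flagged, so a
            # misconfigured sensor shows up in Kibana instead of vanishing.
            "asn": SENSOR_AS.get(raw["sensor"], "unknown"),
        }
    except (ValueError, KeyError, TypeError):
        return None


def to_bulk_body(lines, index="honeypot-2014"):
    """Build an NDJSON body for Elasticsearch's _bulk endpoint.

    Each document is preceded by an action line, and the body must end
    with a newline or Elasticsearch rejects the request.
    """
    out = []
    for line in lines:
        doc = parse_event(line)
        if doc is None:
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc, sort_keys=True))
    return "\n".join(out) + "\n"


def attacks_per_as(lines):
    """Count events per AS (what a Kibana terms aggregation on asn shows)."""
    counts = Counter()
    for line in lines:
        doc = parse_event(line)
        if doc is not None:
            counts[doc["asn"]] += 1
    return dict(counts)


def sources_seen_in_multiple_as(lines):
    """Source IPs observed by sensors in more than one known AS.

    A source hitting sensors in several networks is scanning broadly, which
    is the kind of signal a single-AS honeypot cannot provide.
    """
    seen = {}
    for line in lines:
        doc = parse_event(line)
        if doc is not None and doc["asn"] != "unknown":
            seen.setdefault(doc["src_ip"], set()).add(doc["asn"])
    return sorted(ip for ip, ases in seen.items() if len(ases) > 1)


if __name__ == "__main__":
    sample_lines = SAMPLE_LOG.splitlines()
    print(to_bulk_body(sample_lines))
    print(attacks_per_as(sample_lines))
    print(sources_seen_in_multiple_as(sample_lines))
```

The body returned by to_bulk_body is what would be POSTed to the cluster's _bulk endpoint with a Content-Type of application/x-ndjson; the script itself does no network I/O, so it runs offline against the constructed sample.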

Goals

  • Provide honeypot data analysis using the network that is already in place.
  • Further develop Heisenberg.
  • Reorganize internal systems (mailing lists, website) to better suit our current needs.
  • Research and develop tools for honeypots and malware analysis.