ZA Honeynet Chapter report 2014

Overview

2014 was a rather disruptive year as people moved around the country and the previous core of students working towards honeynet-related projects at Rhodes University graduated and moved off into industry. The subsequent re-organisation leaves the chapter in a much stronger position going forward. With this in mind, Renier van Heerden has taken over as chapter lead. Despite the disruption, a number of publications were released, and there has been a renewed interest in the use of honeynet and honeypot technologies in South Africa. Advice and consultations have been provided to a number of public and private sector organisations around deployments of both low and high interaction sensors. The Chapter will be having significant interaction with the new academic sector CSIRT being established by the SANREN and TENET organisations, particularly with the provision of hosting and IP address space for a substantial number of additional high interaction sensors in coming months.
Hosting of public-facing and internal web content and the mailing list will be relocated to new infrastructure.

Membership

Core membership of the Chapter is:

  • Renier van Heerden – Chapter Chair
  • Barry Irwin
  • Adam Schoeman
  • Roderick Mooi
  • Samuel Hunter

This is augmented by a number of postgraduate students at Rhodes University within the Security and Networks Research Group, many of which use data collected by the sensors.

Deployments

Our primary deployment is a series of network telescopes comprising 5 /24 netblocks. A number of smaller full-function sensors have been deployed, and discussions are underway to enlarge this substantially (see future plans).
One of the more interesting deployments was traffic capture on networks with NTP servers that were, at the time, vulnerable to MONLIST exploitation. Three datasets were collected over a 4 month period, two in ZA and one from a sensor in Germany. Analysis of the two ZA datasets accounted for ~150 million packets and has given some interesting insight into DDoS activities. This is the first time we have been able to obtain DDoS traffic sets.
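The kind of first-pass triage such a capture needs is telling NTP mode 7 MONLIST requests apart from their (much larger) responses and measuring the amplification per client. The following is an added example written for this report, not code from the chapter or from the theses above; the packet bytes are constructed by hand from the documented ntpd private-mode header layout and are not taken from the ZA datasets.

```python
"""Classify NTP mode 7 (private) packets and estimate MONLIST amplification.

Added example, not part of the chapter report. Packet bytes below are
constructed by hand, not taken from the ZA datasets.
"""
from collections import defaultdict

MONLIST_CODES = {20, 42}  # MON_GETLIST and MON_GETLIST_1 request codes


def parse_mode7(payload: bytes):
    """Return (is_response, request_code, nitems) for an NTP mode 7 packet, else None."""
    if len(payload) < 8:
        return None
    mode = payload[0] & 0x07                 # low 3 bits: NTP mode, 7 = private
    if mode != 7:
        return None
    is_response = bool(payload[0] & 0x80)    # R bit: 1 = response, 0 = request
    req_code = payload[3]                    # request code (42 = MON_GETLIST_1)
    nitems = ((payload[4] & 0x0F) << 8) | payload[5]  # 12-bit item count
    return is_response, req_code, nitems


def monlist_amplification(packets):
    """packets: iterable of (client_ip, payload).

    Returns {client_ip: (request_bytes, response_bytes, ratio)} for MONLIST
    traffic only; a high ratio with tiny request volume is the reflector-side
    signature of a spoofed amplification attack against that client_ip.
    """
    stats = defaultdict(lambda: [0, 0])
    for ip, payload in packets:
        parsed = parse_mode7(payload)
        if parsed is None or parsed[1] not in MONLIST_CODES:
            continue
        is_response = parsed[0]
        stats[ip][1 if is_response else 0] += len(payload)
    return {ip: (rq, rs, (rs / rq) if rq else float("inf"))
            for ip, (rq, rs) in stats.items()}


# Constructed sample: an 8-byte MONLIST request and a response carrying
# six 72-byte monitor entries (header 0x97: R=1, version 2, mode 7).
REQ = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
RESP = bytes([0x97, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + b"\x00" * (6 * 72)
SAMPLE = [("198.51.100.7", REQ), ("198.51.100.7", RESP), ("198.51.100.7", RESP)]
```

Run over a real capture, the client IP with a ratio in the hundreds and almost no request bytes is the spoofed victim, not an attacker.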

Research and Development

Most of the research has focused around data analysis and analysis pipelines. Notable research theses completed which either relied on or made use of honeynet/telescope sensor data were:

  • Lauren Rudman, Honours Thesis. Analysis of NTP based Amplification DDoS Attacks (download PDF)
  • Ignus van Zyl, Honours Thesis. Towards a flexible packet capture analysis and reporting framework (download PDF)
  • David Yates, Honours Thesis. A System for Characterising Internet Background Radiation (download PDF)
  • Thizwilondi Nkhumeleni, Masters Thesis. Correlation and comparative analysis of traffic across five network telescopes (download PDF)
  • Renier van Heerden, PhD Thesis. A formalised ontology for network attack classification (download PDF)
  • Ignus Swart, PhD Thesis. Proactive visualization of cyber security on a national level: A South African case study

Going forward we are looking at the correlation of various open source intelligence data (Shodan, Open Resolver, RBLs, scans.io etc.) with our own sensor data.

Papers, Presentations and Engagements

In addition to the above theses, a number of formal publications were produced which used elements of the datasets collected in recent years:

  • Irwin B. Standing Your Ground: Current and Future Challenges in Cyber Defense. pp 100-108 in Information Security in Diverse Computing Environments. Eds: Kayem A & Meinel C. Information Science Reference, Hershey PA, USA.
  • van Heerden R, Malan MM, Mouton F & Irwin B. Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time. ICT and Society, 2014, pp 280-292. Springer Berlin Heidelberg.
  • Swart I, Irwin B & Grobler M. On the viability of pro-active automated PII breach detection: A South African case study. In proceedings of SAICSIT 2014.
  • Pennefather S & Irwin B. Design of a Network Packet Processing platform. In proceedings of SATNAC 2014. Boardwalk Conference Center. Port Elizabeth.
  • Wrench P & Irwin B. Towards a Sandbox for the Deobfuscation and Dissection of PHP-based Malware. In proceedings of Information Security South Africa (ISSA) 2014. Johannesburg, Gauteng, South Africa.
  • Pennefather S & Irwin B. An Exploration of Geolocation and Traffic Visualisation Using Network Flows. In proceedings of Information Security South Africa (ISSA) 2014. Johannesburg, Gauteng, South Africa.
  • Swart IP, Irwin B & Grobler M. Towards a platform to visualize the state of South Africa’s information security. In proceedings of Information Security South Africa (ISSA) 2014. Johannesburg, Gauteng, South Africa.
  • Haffajee J & Irwin B. Testing antivirus engines to determine their effectiveness as a security layer. In proceedings of Information Security South Africa (ISSA) 2014. Johannesburg, Gauteng, South Africa.

Engagements, discussions and presentations have been held with a number of governmental and private sector organisations in the last year around aspects of honeynet and passive security sensors. The most significant of these has been the engagement with the National Research Network (NREN) team, which will be providing substantial support to the chapter activities in coming years. One of the most interesting outcomes from this process is the level of misunderstanding of what honeynet technologies can actually do for an organisation, and that these are part of a layered security strategy rather than a ‘silver bullet’.

2015 Activities

A number of activities have already been confirmed for 2015.

  • Barry will present NTP amplification attacks from the view of the network reflectors at the ITweb Security Summit in Johannesburg in May.
  • Adam and Samuel will present their research, Explosive Honey: Improving intelligence collected by Honeypots, at BruCON 0x07 in Ghent, Belgium in October.

2015 Goals

  1. Transition to more active honeynet deployments, to provide data to complement the extensive 10-year-old dataset of passive records we have. Hopes are to deploy sensors across select IP addresses in 15-20 /24 netblocks within ZA IP space.
  2. Strengthen engagement with the private sector and provide assistance in understanding what honeynets and honeypot systems can and cannot do for an organisation.
  3. Assist with existing initiatives for promoting cyber security at universities, through activities such as the National Cyber Defense competition.
  4. Prepare a selection of our substantial datasets for public release in conjunction with the other parties having an interest in them.
  5. Continue to grow membership and formalise Chapter processes.
  6. Send representation to, and present at the Honeynet workshop in 2016!