Hawaii Honeynet Project Chapter Status Report For 2011

ORGANIZATION

1. Changes in the structure of your organization.
There were no changes in the structure of the organization for 2011.

2. List current chapter members and their activities
- Mark Ryan Talabis
- Anton Chuvakin
- Jason Martin
- Jeremy Nommensen
- Darryl Higa (contributor)
- Vince Hoang (contributor)
- Dwayne Yuen (contributor)
- James Occhman (contributor)

DEPLOYMENTS

1. List current technologies deployed.
No new technologies but we did have one significant improvement this year. We were able to get support from one of the biggest managed security services in Hawaii. They now contribute anonymized attack data (date, time, attacker IP and some signature information of attacks) from across all the networks that they monitor across Hawaii. This gives us a huge database of attack data wherein we can crunch statistics. We have been given 7 months of initial data.

2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
Below is a breakdown of the anonymized attack data that we currently have:

Aug 2010 - 7582 attack sessions
Sep 2010 - 15774 attack sessions
Oct 2010 - 13461 attack sessions
Nov 2010 - 19237 attack sessions
Dec 2010 - 34241 attack sessions
Jan 2010 - 26493 attack sessions
Feb 2010 - 9892 attack sessions
Mar 2010 (currently processing)
Apr 2010 (currently processing)
May 2010 (currently processing)
Jun 2010 (currently processing)

More about the actual trends in the findings section.

RESEARCH AND DEVELOPMENT

1. List any new tools, projects or ideas you are currently researching or developing.
Our chapter focuses on crunching attack data rather than tools and infrastructure. What we are focusing on right now is creating a database (hopefully shareable with the community) that holds all the attack data we receive and that we can easily query, and creating a standard set of statistical items that we can report on regularly.

2. List tools you enhanced during the last year
We did not enhance any tools during the last year.

3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
Unfortunately, we don't focus much on tools but if someone wants to collaborate on a database that would be great. We use a community MySQL version right now but if we can somehow move everything to a more robust database that would be great.

4. Explain what kind of help or tools or collaboration you are interested in.
Same as above. More on data collection, data analysis, and statistics. Not really much on tools.

FINDINGS

1. Highlight any unique findings, attacks, tools, or methods.
We mainly look at trends but some of our contributors (Darryl and Vince) provide attack research here:
http://www.kahusecurity.com/
We also have a mailing list that provides the same information to the Hawaii infosec community.

2. Any trends seen in the past year?
We are still working on standardizing our trends database but here are some initial trends we are picking up based on 7 months of data:

Top 10 Countries Attacker Source
China - 70779 attack sessions
Taiwan - 15744 attack sessions
Turkey - 5399 attack sessions
Republic of Korea - 15744 attack sessions
Mexico - 4285 attack sessions
Brazil - 4055 attack sessions
Russian Federation - 3769 attack sessions
Canada - 3739 attack sessions
Peru - 2673 attack sessions
Germany - 2051 attack sessions
Note: We removed the US because I feel they are false positives but I'm looking into it.

Some interesting notes on Attacker Source over time:
a. Overall, China and Taiwan are fairly consistent throughout the 6 month period. Also US too but I think a lot of US ones are false positives.
b. Overall, Russia and Korea are next. Not as consistent, but they occur in the top 20% in most months.
c. August 2010 appears to have a spike in South American countries: Brazil, Mexico, and Peru. There was a spike in Canada, India and UK too this month. Actually a lot of spikes in other countries. Not sure why. But August seems to be a busy month. The only thing I could think of was DEFCON was around this time. (ok blame Defcon for everything!)
d. September 2010 was relatively quiet.
e. October 2010 was status quo as well.
f. November 2010 had a weird spike from, of all places, the British Virgin Islands. Also noted a minor increase in attacks from Italy.
g. December 2010 had a huge spike from China. There was also a sudden increase in Hong Kong and Taiwan is consistently high. Not sure but around this time there was a lot of news from Wikileaks insinuating that China was to blame for hacking Google.
h. January 2011 had a spike in France, Germany, and to a lesser degree Spain. These countries are pretty close to each other. Something must be going on but I can’t find any news about them.
i. February 2011 still had a residual spike of Germany and Spain but tapering off it seems.

Attacks by Days of the Week:
2 - 39718
3 - 32342
7 - 30155
4 - 30081
6 - 23115
1 - 20320
5 - 18387
Note: Looks like attackers are most active in the early part of the week. =)

Top 10 Hours of Attack (HST)
20 - 13467
3 - 12861
8 - 12034
11 - 11600
13 - 9729
9 - 9439
4 - 9328
10 - 9176
5 - 8945
Note: Might be useful if we correlate which hours correspond with which attacker country source for better context. We can actually break this down per country (e.g. what time which country attacks most of the time)

Top 10 Days of the Month
23 - 12922
3 - 12108
25 - 10414
7 - 10244
31 - 8775
30 - 8578
14 - 8420
18 - 8264
8 - 8021
24 - 7791
Note: Not really sure what value this gives but since we can get it... =)

3. What are you using for data analysis?
We are using a MySQL database and Excel.

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
Maybe if we can upgrade to MS-SQL or Oracle, our queries might go faster.

PAPERS AND PRESENTATIONS

1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)

a. I am currently under contract to write a security book for Syngress. Expected publication date is April 2012
b. Presented in FBI/INFRAGARD regarding Stuxnet (they were the ones who initially requested us to do this)
c. Presented in ISSA regarding Stuxnet
d. Presented in ISACA regarding Stuxnet (yep auditors wanted to know about malware too) =)

As you can see, our Stuxnet deconstruction was a pretty popular talk. Ever since we presented for INFRAGARD, we got so many requests to present it again. I actually got a lot of help from the guys in the mailing list who pointed me to really good resources. I also got the binaries from the mailing list. Really helpful.

2. Are you looking for any data or people to help with your papers?
Does the Honeynet Project "endorse" books? Though I think the topic that I am writing is a little bit far off our area. I'm writing something about information security risk assessments. =)

3. Where did you present honeypot-related material? ( selected publications )
a. INFRAGARD
b. ISSA
c. ISACA

GOALS

1. Which of your goals did you meet for the past year?
We finally managed to get a constant source of data because of the data feed from the Managed Security Services company that is contributing attack information to us. This is a really big thing for us since our chapter really focuses on data analysis and trending rather than infrastructure.

2. Goals for the next year.
We are hoping to get our database running smoothly and finalize our statistics so we have standard items to trend. For example, our next steps here are to identify attacker IPs that are common to different attack targets (organizations), which IPs attack over a long duration, which IPs have sudden spikes in activity, etc. Also we would like to visualize the data, maybe with nice-looking graphs and heat maps, and then share it publicly.
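
An added example (not the chapter's own code) of the three per-IP statistics named above as next steps: IPs common to several targets, IPs active over a long duration, and IPs with sudden spikes. It assumes each session record carries a timestamp, attacker IP and an anonymized target label; the function names, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def _mk(ip, org, day, n=1):
    """Build n constructed sessions for one IP/target on a given day offset."""
    start = datetime(2010, 8, 1) + timedelta(days=day)
    return [(start + timedelta(minutes=i), ip, org) for i in range(n)]

# Constructed sample data: RFC 5737 documentation IPs, placeholder target labels.
SAMPLE = (
    _mk("192.0.2.10", "org-A", 0) + _mk("192.0.2.10", "org-B", 3)
    + _mk("192.0.2.10", "org-C", 45)
    + _mk("198.51.100.7", "org-A", 1, 2) + _mk("198.51.100.7", "org-A", 2, 2)
    + _mk("198.51.100.7", "org-A", 5, 40)
    + _mk("203.0.113.5", "org-B", 10)
)

def shared_attackers(sessions, min_targets=2):
    """Attacker IPs seen against at least min_targets distinct targets."""
    targets = defaultdict(set)
    for _, ip, org in sessions:
        targets[ip].add(org)
    return {ip: sorted(t) for ip, t in targets.items() if len(t) >= min_targets}

def persistent_attackers(sessions, min_days=30):
    """Attacker IPs whose first and last sessions are at least min_days apart."""
    seen = defaultdict(list)
    for ts, ip, _ in sessions:
        seen[ip].append(ts.date())
    spans = {ip: (max(d) - min(d)).days for ip, d in seen.items()}
    return {ip: s for ip, s in spans.items() if s >= min_days}

def spiking_attackers(sessions, factor=5, min_count=10):
    """(ip, day, count) where a day's count is >= factor x that IP's median active day."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, ip, _ in sessions:
        daily[ip][ts.date()] += 1
    spikes = []
    for ip, days in daily.items():
        base = median(days.values())  # an IP seen on one day only never exceeds its own baseline
        spikes += [(ip, d, c) for d, c in sorted(days.items())
                   if c >= min_count and c >= factor * base]
    return spikes

if __name__ == "__main__":
    print(shared_attackers(SAMPLE))
    print(persistent_attackers(SAMPLE))
    print(spiking_attackers(SAMPLE))
```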

MISC ACTIVITIES

None at the moment.