Indian Honeynet Project : Chapter Status Report For 2011/2012

ORGANIZATION

IHP has an open membership call and at last count there are 280 members. The members are a unique mix of people who are students, academics, professionals and researchers. We add a few interested members every month through submissions via our website and the chapter is well known in security circles in the country.

DEPLOYMENTS

Over the past year a number of members have set up honeypots in their office or home, voluntarily and we realized that this would happen when there was a high level of interest (for whatever reason) and then the HP would go offline without reports coming in. Usually this would happen as members moved location due to change in their jobs.
In view of this high turnover which leads to a picture of inactivity, IHP kicked off the India Honeynetwork with a goal of (at least) 20 sensors across the country by the end of the year.
Presently the following deployments are in place or coming up (number of sensors indicated in brackets alongside):

City: Pune (Mah)
Kippo (1); Glastopf (1); Email trap(1); Honeysense (in testing) (1)

City: Mumbai (Mah)
Glastopf / Honeysense (1)

City: Delhi (ND)
Glastopf (1); Honeebox (1)

City: Ranchi (JH)
Kippo (1)

RESEARCH AND DEVELOPMENT

1. Project India Honeynetwork
As explained above this all India network of honeypots will be set up in volunteer locations in offices, homes, police data centers and universities. The goal is to have (at least) 20 sensors up by the end of the year.
Activity monitoring / report collections, analysis and distribution will be carried out from a C & C being established at Cyber Defence Research Center in Ranchi (Jharkhand) India with a secondary C & C at iSight facility in Pune (Mah) India.
The network will provide opportunity to study a countrywide pattern and projects relating to spam, botnet activity are being planned.
2. Honeysense
In order to facilitate the honeypot deployment across the country, a pre-configured distro has been prepared and is in beta testing at the time of submission of this report. This has been christened Honeysense and IHP will make a public announcement inviting testing and comment later in the month of November.
The distribution, comprising of few open source honeypots, aims at gathering information about the motives and tactics of attacks launched either automatically by botnets or manually by malicious individuals against various well known services. Capabilities of honeypots included allow researcher to analyze the attack vectors and capture malicious binaries used during attacks. In this current distribution, following honeypots have been installed and preconfigured.
1. Dionaea – a low interaction honeypot used to capture network based attacks on various protocols like ftp, http, tftp, smb, mssql, mysql etc. Its intention is to trap malware exploiting vulnerabilities exposed by services offered to a network with ultimate goal of gaining a copy of the malware.
2. Glaspot v3 – a low interaction honeypot used to capture web based attacks such as SQLi, LFI, RFI, XSS etc. It emulates thousands of vulnerabilities to gather data from attacks targeting web applications.
3. Kippo – a medium interaction honeypot used to capture SSH based attacks. It is designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

3. Honeysense Reporting and Management
Efforts are underway to build the reporting and management interface and process to be implemented at the C & C. It is proposed to have one full time administrator who will be responsible for the maintenance of the network and for reporting.

4. SCADA Honeypot
Presently being studied by the IHP members and discussion is being initiated with power distribution organizations in the state of Jharkhand and a major distribution company in Mumbai to place the HP in their network ! This seems to be a tall order but then if we do not ask we will not get the opportunity to setup in a real utility network.

Collaboration / help we are interested in:
Primarily in the development / deployment of SCADA honeypot and building capability for the same. There is an urgent need for creating capability and knowledge for protection of critical infrastructure and this can be a first step / contribution from IHP to the national effort. In addition, we need help for data analysis and configuring reporting systems. We also want to create a high level of interest within the student / academic community and want to collaborate with chapters or individuals who have done some work in this direction.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

List published papers and presentations.
List interactions with the security community.

IHP is closely associated with most security community organizations in the country like OWASP India, ClubHack, nullcon, Malcon, c0c0n, IS-RA, National Anti Hacking Group, National Security Database, ISAC India, Cloud Security Alliance, PCI-DSS Conference and others.

List possibilities to interact with your chapter (e.g. chapter web page).
The chapter website is on www.honeynet.in and chapter members communicate via a mailing list set up on Google groups. The website is being redesigned and will provide a higher level of interactivity and information resources once complete. Monthly community meetings in Mumbai include updates about the Honeynet Project in the country.

GOALS

Chapter goals for the past year and for the next year.
Goal for the current year is to set up 20 sensors and have the India Honeynetwork up and running and to harvest and share the activity and information from this network. The network will use Honeysense and we will have two C & C operations in place.

MISC ACTIVITIES

Rahul Sasi is a regular presenter at conferences and can be seen / heard at HITB Amsterdam, BlackHat Europe and US, Ekoparty plus a host of engagements in India and overseas. He is also a key member of the team that has developed Honeysense.
A couple of links to his talks are given below:
http://www.youtube.com/watch?v=-y7aIKLgMoM
https://media.blackhat.com/bh-eu-12/Sasi/bh-eu-12-Sasi-IVR_Security-Tool.zip
https://www.blackhat.com/html/bh-us-12/speakers/Rahul-Sasi.html

MENTORING

We are working with students in various universities and have been mentoring interested people in their career goals. One of our members is Prakhar Prasad based in Ranchi who has been quite active in researching vulnerabilities and has been recognized by Google and Twitter.