ORGANIZATION
Active members:
– Sébastien Tricaud
– Guillaume Arcas
– Anthony Desnos
– Franck Guénichot
– François-René Hamelin
– Christophe Grenier
DEPLOYMENTS
We have the following technologies deployed:
– Kippo on honeycloud. The goal of this deployment is to provide a centralized Kippo instance and to share findings, logs and collected data.
– HoneyProxy on honeycloud.
– Honeeebox
RESEARCH AND DEVELOPMENT
* New tools
=> HoneyProxy as part of GSoC 2012.
=> FAUP (formerly furl)
=> OpenNormalizer
=> PhotoRec/TestDisk
=> A.R.E. / AndroGuard
* Enhanced tools
=> minor HPfeeds patches.
=> TestDisk & PhotoRec: too many improvements to list (more than 150 commits)
=> minor (not-yet-committed) modifications to Kippo: make Kippo randomly accept/reject login/password pairs and work without a prepopulated password database.
PROJECTS
=> Centralized Kippo Honeypot
The goal of this project is to provide members with a standard Kippo server and allow them to redirect incoming SSH scans to this server instead of dropping them.
FINDINGS
=> Analysis of country-wide DNS traffic
=> Analysis of HTTP usage by malware
PAPERS AND PRESENTATIONS
=> S. Tricaud – Hack.lu 2011 – How Visualization makes it possible
=> S. Tricaud – HES – Capture me if you can
=> S. Tricaud / CIRCL LU – CanSecWest 2012 – Scrutinizing a country using passive DNS and PicViz
=> Honeynet Workshop: Network Training, Visualization Training
=> S. Tricaud – FIRST Malta 2012
=> A. Desnos, Android: Static Analysis Using Similarity Distance (HICSS)
=> A. Desnos, Android: from reversing to decompilation (Blackhat Abu Dhabi)
=> A. Desnos, Analyzing Android Applications (Computer Security Congress – Mexico City)
=> A. Desnos, Android Malwares: is it a dream? (EICAR)
GOALS
=> GSoC mentoring
=> Workshop
=> Enhancing tools
=> Focus on analysis: OSINT, dedicated tools including Timeline Builder.
=> “HoneyCIF” based on HPFeeds. As described at http://threatthoughts.com/2012/05/07/introduction-to-the-collective-intelligence-framework/, “CIF allows you to run queries against many data sources at once. If you have other private data sources available, particularly via XML (RSS), JSON, or in a file (e.g. CSV), you can incorporate those, as well as additional OSINT sources.”
MISC ACTIVITIES
=> A.R.E. / AndroGuard funded by Rapid7
=> Franck Guénichot co-authored Forensic Challenge #9 (Mobile malware)
=> ongoing discussion with the French botnets.fr community on collaboration in specific areas
=> new website and Twitter account
MENTORING
=> HoneyProxy – G. Arcas – GSoC 2012
=> Automated Attack Community Graph Construction #1 & #2 – F. Guénichot (backup mentor) – GSoC 2012