Pakistan Chapter Status Report For 2012

ORGANIZATION

  • Faiz Ahmad Shuja is founder and chapter lead of Pakistan Chapter and an active member since 2003. He is responsible for the management and maintenance of HP infrastructure as Chief Infrastructure Officer.
  • Muhammad Omar Khan is an active member and assists in various Honeynet deployment efforts.
  • Rehan Ahmed is our active member. He assists in the management of Pakistan chapter and HP infrastructure.
  • Omar Khan has been involved in attacks analyses and reporting.
  • Muhammad Ahmed Siddiqui is an active member involved in attacks research and analysis.
  • Adnan Ansari is our new and active member. He assists in various Honeynet deployment efforts.
  • Tahir Soomro is our new and active member.

DEPLOYMENTS
We have following technologies deployed:

  • Three Honeebox sensors
  • Two Low-interaction honeypots using Nepenthes

RESEARCH AND DEVELOPMENT

  • We work with Pakistan's CERT and various organizations to deploy sensors for collecting and correlating attack data.
  • We continue improving our internal data analysis and reporting platform to fetch data from diverse log sources and import into our central database. This enables us to help various organizations across Pakistan to defend attacks towards their networks.
  • We are recently working on analyzing attacks towards Pakistan's critical infrastructures, specifically focusing on analyzing attacks towards industrial deployments (SCADA).

FINDINGS

  • We have been monitoring and analyzing attacks being initiated from Pakistan’s IP ranges. We have identified large number of IPs/nodes part of botnets and being used in various attacks. Most of the groups operating from Pakistan are targeting users outside the country and are part of international blackhat groups.
  • With recent global political situation and various attacks towards Middle Eastern organizations, we are seeing attacks towards Pakistan's critical infrastructures.
  • Today (24th November, 2012), google.com.pk was redirected to a malicious IP addresses through DNS attack. PKNIC experienced a serious attack.
  • We have seen a drastic increase in phishing attacks against Pakistani banks being launched by local and international groups both. We also investigated a few targeted DDoS attacks towards financial institutions and helped them mitigate those.

PAPERS AND PRESENTATIONS

  • Presented on Honyenets at ISS World Dubai 2012
  • Presented on Blended Malware at CISO Conference at ITCN Asia 2012
  • Faiz Ahmad Shuja and Rehan Ahmed presented on Windows Exploitation at InfoSec Conference 2012
  • Presented on Honeyents at CBM University

GOALS

  • Organize the Annual Workshop 2013 in Dubai
  • Contribute to the distributed Honeeebox deployment
  • Expand our sensors country-wide
  • Enhance our data analysis capabilities
  • Publish articles and papers of our research
  • Improve HP's infrastructure capabilities

MISC ACTIVITIES

  • We have also been actively involved in managing and monitoring the Honeynet Project infrastructure which consists of official website, internal portal, mail server, mailing lists, IRC, trac, svn and few others.
  • Recently we migrated HP's entire infrastructure to new hosting provider and HoneyCloud.
  • For past few months, we are busy in organizing HP's Annual Workshop 2013 in Dubai.