Rildo Souza (first.org)

Implementing a country-wide sensor infrastructure for proactive detection of malicious activity
Regarding the RNP
• Brazilian National Research and Education Network (RNP).
• Created in 1989.
• Implemented the first Latin American fiber network in 2005.
Regarding CAIS
• Coordinating CSIRT of the Brazilian research and education network since 1997.
• CAIS works on the detection, resolution and prevention of network security incidents.
• Areas of activity: Information Security Awareness; Security Incident Handling; CSIRT Development; Security Vulnerability Handling.
Motivations to create the CAIS Sensor network
• Increase our capacity to detect malicious activity.
• Better understand and support the security actions of our clients.
• Highly diversified environment: networks, technologies and maturity of customers’ security teams.
CAIS Sensor Requirements
What is the CAIS Sensor?
How does the CAIS Sensor analyze traffic?
How does the CAIS Sensor work?
[Diagram labels: Sensor (Suricata); Master Server; Engine (Suricata) ×3; Query]
What does the Master Server do?
• Sensor system updates management
• Sensor management
• Statistics on detected malicious activity
• Information about sensor “health”
• General system administration
[Diagram: Master connected to Engines (Suricata)]
Regarding Engines (Suricata)
• Friendly user interface
• Plug and play
• Less technical knowledge required
• Low maintenance and support
• Sends detections by email
• Sends statistics and status data
• Update requests
The CAIS Sensor (screenshots)
[Screenshot labels: Main menu; Quick access tasks; Quick information dashboard]
The CAIS Sensor (screenshots)
Engine (screenshots) – Installation Menu
• Restart services.
• Network interface configuration.
• Select the network capture (pickup) interface.
• Enter the token.
Implementation of CAIS Sensor
• 27 RNP Points of Presence
• 17 Customers
• 44 Sensors Installed
Statistics – Average Analyzed Traffic
Statistics
• Malicious activity flow: 91% / 9% (Incoming / Outgoing)
• [Chart: Most attacked ports]
Statistics – Main types of malicious activity detected
• DDoS Attempts (protocol xdmcp): 702,345
• DDoS Attack (protocol NTP): 535,204
• Malwares: 236,985
• DDoS Attack (protocol SNMP): 102,478
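The Engines slide says each sensor sends detections by email and sends statistics and status data to the master, and the Statistics slides show what that data looks like once aggregated (counts per type of activity, incoming versus outgoing flow, most attacked ports). The following is an added example, not code from the CAIS Sensor project, of how an engine-side reporter could derive those three statistics from Suricata's EVE JSON alert log. It assumes a per-sensor "home net" (HOME_NET), a hypothetical status-message layout for the master server, and constructed sample alert lines; the EVE field names used (event_type, src_ip, dest_ip, dest_port, alert.signature, alert.category, alert.severity) are those of Suricata's real alert records.

```python
"""Turn Suricata EVE JSON alerts into per-sensor statistics and a detection digest.
Illustrative code added to this page; not part of the CAIS Sensor project."""
import ipaddress
import json
from collections import Counter

# Assumed per-sensor configuration: the networks this sensor protects.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def _alert(src, dst, dport, sig, cat, sev, proto="UDP"):
    """Build one constructed EVE alert record (sample data only)."""
    return json.dumps({"timestamp": "2022-05-02T10:00:00.000000+0000", "event_type": "alert",
                       "src_ip": src, "dest_ip": dst, "src_port": 40000, "dest_port": dport,
                       "proto": proto, "alert": {"signature": sig, "category": cat, "severity": sev}})


# Constructed eve.json excerpt: six alerts, one non-alert event, one truncated line.
SAMPLE_EVE = "\n".join([
    _alert("203.0.113.5", "10.1.2.3", 123, "DDoS Attack (protocol NTP)", "Attempted DoS", 2),
    _alert("203.0.113.6", "10.1.2.3", 123, "DDoS Attack (protocol NTP)", "Attempted DoS", 2),
    _alert("198.51.100.9", "10.1.2.4", 161, "DDoS Attack (protocol SNMP)", "Attempted DoS", 2),
    _alert("198.51.100.9", "10.1.2.9", 177, "DDoS Attempts (protocol xdmcp)", "Attempted DoS", 2),
    _alert("10.1.2.50", "203.0.113.77", 443, "Malware C2 check-in (constructed)",
           "A Network Trojan was Detected", 1, "TCP"),
    _alert("10.1.2.50", "10.1.2.3", 22, "SSH brute force (constructed)",
           "Attempted Administrator Privilege Gain", 2, "TCP"),
    json.dumps({"event_type": "flow", "src_ip": "10.1.2.3", "dest_ip": "203.0.113.5"}),
    '{"event_type": "alert", "truncated',  # cut-off line, as left behind by log rotation
])


def is_home(ip: str) -> bool:
    """True if the address belongs to one of the monitored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def parse_eve(text: str) -> list:
    """Keep only well-formed EVE records of event_type 'alert'; skip everything else."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a damaged line must not stop the whole report
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def direction(rec: dict) -> str:
    """Classify the flow relative to HOME_NET (the 'malicious activity flow' statistic)."""
    src_home, dst_home = is_home(rec["src_ip"]), is_home(rec["dest_ip"])
    if dst_home and not src_home:
        return "incoming"
    if src_home and not dst_home:
        return "outgoing"
    return "internal" if src_home else "transit"


def summarize(alerts: list) -> dict:
    """Counts per signature, per flow direction, and the most attacked (incoming) ports."""
    by_sig, by_dir, ports = Counter(), Counter(), Counter()
    for rec in alerts:
        d = direction(rec)
        by_sig[rec["alert"]["signature"]] += 1
        by_dir[d] += 1
        if d == "incoming":  # "most attacked ports": services targeted from outside
            ports[rec["dest_port"]] += 1
    return {"total": len(alerts), "by_signature": by_sig, "by_direction": by_dir,
            "top_ports": ports.most_common(5)}


def status_report(summary: dict, sensor_id: str, suricata_alive: bool = True) -> dict:
    """Hypothetical statistics-and-status message an engine could send to the master."""
    return {"sensor_id": sensor_id, "suricata_alive": suricata_alive,
            "total_alerts": summary["total"], "by_direction": dict(summary["by_direction"]),
            "top_ports": summary["top_ports"]}


def detection_mail(summary: dict, sensor_id: str) -> str:
    """Plain-text digest in the spirit of 'sends detections by email'."""
    lines = [f"Sensor digest for {sensor_id}: {summary['total']} alerts"]
    for sig, n in summary["by_signature"].most_common():
        lines.append(f"  {n:>6}  {sig}")
    lines.append("Flow: " + ", ".join(f"{k} {v}" for k, v in summary["by_direction"].most_common()))
    lines.append("Most attacked ports: " + ", ".join(f"{p} ({n})" for p, n in summary["top_ports"]))
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize(parse_eve(SAMPLE_EVE))
    print(json.dumps(status_report(stats, "sensor-01"), indent=2))
    print(detection_mail(stats, "sensor-01"))
```

The reporter deliberately drops malformed and non-alert lines rather than aborting, since a sensor that stops reporting after one bad line is indistinguishable from a dead sensor in the master's "health" view; the direction split depends entirely on HOME_NET being correct for the link the sensor watches, so that configuration is the first thing to verify when a sensor reports an implausible incoming/outgoing ratio.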
Statistics – Types of detected events
Statistics – Botnets
• nicaze.net
• Zeus
• XcodeGhost
• Feodo
• DealPly
• PCRat/Gh0st
• Palevo
• Bladabindi/njrat
• Beacon
• Kelihos
Next Steps
• Optimize reports
• Integrate with other sources (URLs blacklist, IPs blacklist, others)
• Increase number of sensors in educational institutions and RNP customers
• Finalize and expand the partnership model
Questions?