YAKSHA Ambassadors Webinar | Alessandro Guarino

Page 1: The YAKSHA Cybersecurity Solution and the Ambassadors’ Programme

Alessandro Guarino, YAKSHA Innovation Manager – CEO, StudioAG

1st Webinar – December 17, 2018

Page 2: Agenda

I. Introduction to the YAKSHA project
II. YAKSHA Cybersecurity Solution
III. What does it mean to be a YAKSHA ambassador?
IV. Q & A


Page 4: The Concept

WHAT (YAKSHA Results): Enhance cybersecurity readiness levels for its end users, help better prevent cyber-attacks, reduce cyber risks and better govern the whole cybersecurity process.

WHY (YAKSHA Motivation): Develop and implement a software toolkit to improve cybersecurity of organisations in the ASEAN region.

HOW (Process & Strategy): Focus on adapting and integrating other-domain technologies into innovative solutions.

Page 5: YAKSHA Methodology – Data Collection

• Data collection methodology and architecture
• Ontology definition and interoperability
• Research and innovations in malware collection & detection

Page 6: YAKSHA Methodology – Design and Software Development

• Sandbox and honeypot development environment
• Malware sample DB and sharing
• Data analytics correlation engine
• Integrated threat intelligence

Page 7: YAKSHA Methodology – Pilots (2019 projects in Viet Nam, Malaysia, Greece)

• Pilots results evaluation
• Pilot projects deployment, execution and support
• Pilot planning
• Trial protocols


Page 9: YAKSHA Ambassadors – Purpose

The initiative presents an opportunity for everyone willing to CONTRIBUTE to:

▪ Enhancing cybersecurity readiness levels
▪ Better preventing cyber-attacks
▪ Reducing cyber risks
▪ Better governing the whole cybersecurity process

The Network: special toolkits and trainings will be provided.

What’s Next

Page 10: YAKSHA Ambassadors’ Benefits

• A chance to get funding to attend events
• Free trials and early access to the YAKSHA software
• Access to the latest news in cybersecurity
• Gain visibility on the YAKSHA website
• Become part of a network
• Receive special toolkits and trainings

What’s Next


Page 12: YAKSHA Concept

YAKSHA is a distributed system which allows the automated deployment of honeypots, data collection and analysis, as well as reporting and information sharing with affiliated YAKSHA installations.

YAKSHA enables organisations, companies and government agencies to deploy custom honeypots meeting their own specifications, monitor attacks in real time and analyse them.

Page 13: YAKSHA Prototype

The technical solution chosen for YAKSHA is a blend of existing software tools and software modules written for the project.

The YAKSHA prototype is being released in December 2018. The ambassadors’ community will be kept current on the possibility of access to demos, dedicated versions and information.

Page 14: YAKSHA Data Collection Methodology

• Designed taking into account several relevant perspectives, such as the cybersecurity challenges of YAKSHA end users, the latest threat trends, the assumptions and limitations of honeypots, as well as the use cases’ perspectives and data collection needs.

• The data collection methodology established a baseline of activities that leads to determining what data YAKSHA collects regarding remote interactions and malware analysis, what assumptions, limitations and legal grounds are relevant, what methods and tools to adopt for data collection, and what reference architecture design is suitable for YAKSHA data collection, management and processing.

Page 15: YAKSHA Data Collection Methodology

[Figure: data collection high-level view]

Page 16: Why Honeypots are Relevant

Source: ENISA Threat Landscape Report 2017

Cyber threat: Malware
Description: Malicious software remains the most frequently encountered cyber threat. Evolved techniques (including click-less and file-less infections, worm-based spreading, hybrid attacks, wiping of traces, different infection vectors, and obfuscation-based resistance against heuristic blocking) make malware difficult to resist.
Honeypot potential: Honeypots have an important role in detecting new malware. By playing the role of a vulnerable host to be infected, honeypots can collect and observe malware in action.

Cyber threat: Web-based attacks / Web application attacks
Description: Attacks against web servers or web application servers are often used in combination with other attacks. For example, compromised servers enable malware infections and provide control points for other compromised nodes.
Honeypot potential: Honeypots can study attack vectors against and from honeypot web servers. For instance, honeypots can monitor the adversary’s reconnaissance techniques and the adversary’s control channels. Honeypots may also discover previously unknown vulnerabilities (zero-day attacks) by real-time monitoring and quick fingerprinting of successful attacks.

Cyber threat: Phishing
Description: Phishing is a social engineering attack that often relates to different technical means. Adversaries may e.g. utilise malware to mislead victims, or capture web servers to send mass phishing e-mails or to provide fake sites.
Honeypot potential: As phishing typically involves sophisticated end-user actions, honeypots cannot represent the adversaries’ primary targets, the users. Instead, the honeypots’ role lies in the secondary phases of the attack, e.g. in luring adversaries to compromise a honeypot server to deploy phishing sites.

Page 17: Why Honeypots are Relevant (2)

Source: ENISA Threat Landscape Report 2017

Cyber threat: Spam
Description: Unsolicited e-mails have recently reduced in number, but still more than half of all e-mails are spam. Spam has also improved in quality as better obfuscation techniques have made it more difficult to detect. Adversaries often utilise captured devices (also honeypots) for spamming.
Honeypot potential: Honeypots provide a means to track adversaries (by following where the control messages come from) as well as to learn how the spam is generated, in order to create effective filtering solutions.

Cyber threat: Denial of service
Description: Denial and Distributed Denial of Service (DoS, DDoS) attacks are a major threat against different online businesses. They have also been taken more seriously, e.g. due to recent large botnet attacks and the emergence of DDoS-as-a-service providers.
Honeypot potential: As availability-related attacks are typically executed from captured devices, honeypots are a good tool for learning about and mitigating them. Honeypots can e.g. find control servers and channels, as well as identify targeted victims, to enable early warnings and mitigation actions.

Cyber threat: Ransomware
Description: Malware that encrypts victims’ data for blackmailing has become a prominent threat in recent years.
Honeypot potential: A honeypot may have a role e.g. in exploring ransomware’s distribution servers.

Page 18: Why Honeypots are Relevant (3)

Source: ENISA Threat Landscape Report 2017

Cyber threat: Botnets
Description: A botnet, a network of captured nodes running automated attack software (robots), is a threat that is utilised e.g. in DoS or fake advertisement hits. Recent IoT botnets like Mirai and Reaper have demonstrated how massive amounts of vulnerable low-cost things can be captured and harnessed into a malicious botnet. A recent trend is that virtualised nodes are also being captured.
Honeypot potential: Honeypots, which pretend to be vulnerable things or nodes, are captured into botnets and can provide valuable information on how devices are captured and what the adversary’s purposes are.

Cyber threat: Insider threat
Description: Persons with privileges inside the organisation are a high-severity threat that is difficult to protect against, as the focus is typically on perimeter defence.
Honeypot potential: Honeypots can provide defence against misbehaving or inadvertent users, as they may catch insiders snooping and accessing targets where they should not be.
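The spam, denial-of-service and botnet rows above rest on one observation: once a honeypot has been captured, the traffic it originates is what reveals the control servers and the adversary’s purpose. The following is an added example, not code from the slides or from the YAKSHA project, showing the kind of egress triage a node could run over a honeypot’s outbound flow records to turn that observation into an alert: steady-interval contacts with one host as a control-channel candidate, SMTP sessions to many distinct hosts as spam relaying, and a burst of connections to a single host as participation in a flood. The flow records, thresholds and function names are assumptions constructed for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed outbound flow records as a honeypot's egress sensor might log
# them: (epoch seconds, dst_ip, dst_port, bytes_sent).  Constructed sample
# data, not YAKSHA output; addresses are from documentation ranges.
SAMPLE_FLOWS = (
    # regular 300 s check-ins to one host: a control-channel candidate
    [(1545040000 + 300 * i, "198.51.100.7", 443, 512) for i in range(6)]
    # SMTP to many distinct hosts within one minute: spam relay behaviour
    + [(1545040010 + 5 * i, f"192.0.2.{10 + i}", 25, 4096) for i in range(8)]
    # burst of tiny connections to a single host: flooding a victim
    + [(1545040500 + 0.2 * i, "203.0.113.80", 80, 60) for i in range(40)]
    # a single outbound DNS query: not enough on its own to conclude anything
    + [(1545040050, "192.0.2.53", 53, 80)]
)


def _by_destination(flows):
    """Group connection timestamps by (dst_ip, dst_port)."""
    groups = defaultdict(list)
    for ts, ip, port, _ in flows:
        groups[(ip, port)].append(ts)
    return groups


def control_channel_candidates(flows, min_flows=4, min_interval=30.0, max_jitter=0.1):
    """Destinations contacted at a steady interval of at least min_interval s.
    The jitter bound (stdev / mean of the gaps) separates beaconing from floods,
    which are regular too but far faster.  Returns (ip, port, interval_s)."""
    found = []
    for (ip, port), times in _by_destination(flows).items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean >= min_interval and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((ip, port, round(mean)))
    return found


def spam_relay_suspected(flows, min_hosts=5, window=60.0):
    """True when the honeypot itself opened SMTP sessions to at least
    min_hosts distinct hosts inside any window-second span."""
    smtp = sorted((ts, ip) for ts, ip, port, _ in flows if port == 25)
    for i, (start, _) in enumerate(smtp):
        hosts = {ip for ts, ip in smtp[i:] if ts - start <= window}
        if len(hosts) >= min_hosts:
            return True
    return False


def flood_targets(flows, min_flows=20, window=10.0):
    """Destinations hit by at least min_flows outbound connections within
    window seconds: the honeypot is being used against that victim."""
    targets = []
    for (ip, port), times in _by_destination(flows).items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) >= min_flows:
                targets.append((ip, port))
                break
    return targets


def triage(flows):
    """One report per honeypot, suitable for early warning to affiliated nodes."""
    return {
        "control_channel_candidates": control_channel_candidates(flows),
        "spam_relay_suspected": spam_relay_suspected(flows),
        "flood_targets": flood_targets(flows),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

On a sensor that should never initiate connections, every outbound flow is already a signal; the grouping above only decides which of the table’s categories the capture belongs to, so that the node can raise the early warning the DoS row describes and record the control server the botnet row describes.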

Page 19: YAKSHA Architecture Traits

• Distributed: The architecture is inherently distributed. YAKSHA makes it possible to deploy hundreds of honeypots easily and cost-effectively through its interconnected nodes. The distributed nature of the YAKSHA system also allows leveraging information and knowledge gathered by nodes outside one’s own organisation, improving its readiness and defensive capabilities.

• Modular: It allows both opportunistic and continuous sample collection, as well as selective information sharing with other entities when necessary. Users can upload custom honeypots, monitor attacks in real time and analyse them.

• Scalable: It is easy to scale up installations by adding nodes to the network, up to national and international scale.

Page 20: YAKSHA Architecture Traits

• Systems and Tools: YAKSHA will provide hooks for IoT devices, Android and SCADA systems, as well as regular Windows and Linux. In addition, YAKSHA provides machine learning tools and AI algorithms that can detect malware more accurately, correlate the information with other samples, and extract attack vectors and patterns.

• Automation: The platform allows the automated creation of nodes and honeypots deployment, data collection and analysis, as well as reporting and information sharing with affiliated YAKSHA installations.

• Policies: Since honeypots may expose a stakeholder’s specific vulnerabilities, each YAKSHA node has the capability of specifying policies for information sharing: the ability to limit the sharing of information outside a single organisation (if the user chooses to), as well as anonymization and data protection by default.
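The policy trait is the one a practitioner will want to see in concrete terms. The following is an added example, not YAKSHA’s own code or schema, sketching a per-node sharing filter with the behaviour the slide describes: the default policy keeps events inside the owning organisation, and anything released to an affiliated organisation has internal fields dropped and the attacker source address replaced by a keyed pseudonym plus a coarse network prefix, so affiliated nodes can still correlate repeat sources without receiving the raw record. The event field names, policy keys and the HMAC pseudonymisation scheme are assumptions made for this illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample event as a node might record it.  Field names are an
# assumption for this illustration, not the YAKSHA ontology.
SAMPLE_EVENT = {
    "timestamp": "2018-12-17T10:15:03Z",
    "node_id": "node-gr-01",
    "org": "org-a",
    "sensor_host": "hp-web-03.corp.example",   # internal naming, never shared
    "honeypot_type": "web",
    "src_ip": "203.0.113.45",                  # attacker source (documentation range)
    "dst_ip": "10.20.30.40",                   # internal address, never shared
    "dst_port": 80,
    "request": "GET /wp-login.php",
    "sample_sha256": "00" * 32,                # placeholder digest of a dropped sample
    "analyst_note": "follow-up pending",       # free text, never shared
}


@dataclass(frozen=True)
class SharingPolicy:
    """Per-node policy; the defaults are the restrictive, data-protecting choice."""
    share_outside_org: bool = False            # nothing leaves the org unless enabled
    pseudonymise_source: bool = True           # replace src_ip when sharing out
    drop_fields: frozenset = frozenset({"sensor_host", "dst_ip", "analyst_note"})


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed, non-reversible token for an address.  The same key yields the
    same token, so affiliated nodes can still link repeat sources across events."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def coarse_prefix(ip: str) -> str:
    """/24 for IPv4, /48 for IPv6: enough for network-level correlation,
    not enough to single out one host."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def prepare_for_sharing(event: dict, policy: SharingPolicy,
                        requester_org: str, key: bytes):
    """Apply the node's policy to one event before releasing it to requester_org.
    Returns the (possibly reduced) event, or None when the policy forbids it."""
    if requester_org == event["org"]:
        return dict(event)                     # same organisation: full record
    if not policy.share_outside_org:
        return None                            # default: nothing leaves the org
    shared = {k: v for k, v in event.items() if k not in policy.drop_fields}
    if policy.pseudonymise_source:
        shared["src_prefix"] = coarse_prefix(event["src_ip"])
        shared["src_ip"] = pseudonymise_ip(event["src_ip"], key)
    return shared


def share_batch(events, policy, requester_org, key):
    """Filter a batch; returns only the events the policy allows out."""
    out = (prepare_for_sharing(e, policy, requester_org, key) for e in events)
    return [e for e in out if e is not None]


if __name__ == "__main__":
    key = b"node-local-secret"                 # assumed per-node key material
    print(prepare_for_sharing(SAMPLE_EVENT, SharingPolicy(), "org-b", key))
    print(prepare_for_sharing(SAMPLE_EVENT, SharingPolicy(share_outside_org=True),
                              "org-b", key))
```

One design point the slide leaves open: cross-node correlation of pseudonyms only works if the affiliated nodes derive them with the same key, so the key becomes part of the sharing agreement rather than a purely local secret, and rotating it breaks linkage across the rotation boundary by design.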

Page 21: Use Case and Pilot Project

• Smart Home IoT Platform Testbed – OTE

The goal of the use case is to use a YAKSHA node within a pre-commercial environment (infrastructure and settings) provided by OTE to collect real data on potential attacks against the smart home IoT platform (pre-commercial) product. YAKSHA analytics capability will be used to raise awareness and provide decision support in strengthening the cybersecurity posture of the product.

Using YAKSHA in a pre-commercial environment will make OTE aware of potential attacks in the wild against OTE’s products and services.

Page 22: Use Case and Pilot Project

[Figure: Use Case and Pilot Project]

Page 23: Use Case and Pilot Project

The back-end system provides data analytics, as well as real-time data visualisation, to the end users. Users are also allowed to create customised figures and data visualisations.

Page 24: YAKSHA Prototype

The prototype environment is composed of:

• Methods, interfaces and tools to configure, develop and deploy the necessary sandbox environments for trapping the malware
• Monitoring tools, including specialised environments like SCADA, IoT, ICSs
• Automation of procedures to deploy honeypots and collect the necessary information from them
• Development of the database which will store all the collected information from the honeypots, based on the ontology that has been designed

Page 25: YAKSHA Prototype

The platform is composed of open source tools that have been customised and software developed by the project to automate several procedures.

The YAKSHA platform will be released under a permissive licence for most of its components, the long-term sustainability being based on complementary services, including paid access to threat intelligence collected from the YAKSHA nodes.

Page 26: YAKSHA Prototype Stack

• Ubuntu 16.04 as the OS hosting the hypervisor provider
• KVM/QEMU as platform hypervisor provider (https://www.linux-kvm.org/)
• Cuckoo as sandbox (https://cuckoosandbox.org/). It was chosen based on its characteristics: it is a sandbox environment which also works on Docker. Android sandbox and honeypot environments have been implemented through Cuckoo.
• Cuckoo does not support SCADA and IoT environments, hence partners developed the necessary VMs for SCADA/IoT honeypots; collecting data and integration with the above installations has taken place through a web service (REST API) supporting Linux, Windows and Android operating systems.
• Vagrant (https://www.vagrantup.com/)
• VirtualBox as internal virtualisation platform for honeypot VMs (https://www.virtualbox.org)
• Connecting users to these virtual machines through SSH (Linux), WinRM (Windows) and Android, so that the end users can remotely install the software they want and customise their honeypot according to their needs, is in progress.
• CloudStack to manage infrastructure (https://cloudstack.apache.org)
• The YAKSHA database is developed on MongoDB; PostgreSQL is the repository for user data (roles etc.) and data extracted from malware plus generated reports.
• OSSEC (https://www.ossec.net/)
• Fabric (http://www.fabfile.org/)
• Conpot (http://conpot.org/)
• Logstash (https://www.elastic.co/products/logstash)
• Elasticsearch (https://www.elastic.co/products/elasticsearch)
• Kibana (https://www.elastic.co/products/kibana)


Page 28: Q & A

Thanks for your time. What are your questions?

Contacts:
[email protected]
@alexsib17
www.yaksha-project.eu
StudioAG – Consulting & Engineering, www.studioag.eu

We hope to see you all at the next YAKSHA webinar!

Page 29: YAKSHA Consortium

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement Nº 780498