YAKSHA Ambassadors Webinar | Alessandro Guarino
The YAKSHA Cybersecurity Solution and the Ambassadors’ Programme
Alessandro Guarino, YAKSHA Innovation Manager – CEO, StudioAG
1st Webinar – December 17, 2018
Agenda
I. Introduction to the YAKSHA project
II. YAKSHA Cybersecurity Solution
III. What does it mean to be a YAKSHA ambassador?
IV. Q & A
The Concept
• WHAT (YAKSHA Results): Enhance cybersecurity readiness levels for its end users, help better prevent cyber-attacks, reduce cyber risks and better govern the whole cybersecurity process.
• WHY (YAKSHA Motivation): Develop and implement a software toolkit to improve the cybersecurity of organisations in the ASEAN region.
• HOW (Process & Strategy): Focus on adapting and integrating other domain technologies into innovative solutions.
YAKSHA Methodology: Data Collection
• Data collection methodology and architecture
• Ontology definition and interoperability
• Research and innovations in malware collection & detection
YAKSHA Methodology: Design and Software Development
• Sandbox and honeypot development environment
• Malware sample DB and sharing
• Data analytics correlation engine
• Integrated threat intelligence
YAKSHA Methodology: Pilots – 2019 Projects in Viet Nam, Malaysia, Greece
• Pilot planning
• Trial protocols
• Pilot projects deployment, execution and support
• Pilot results evaluation
YAKSHA Ambassadors
Purpose
The initiative presents an opportunity for everyone willing to CONTRIBUTE to
▪ Enhancing cybersecurity readiness levels
▪ Better preventing cyber-attacks
▪ Reducing cyber risks
▪ Better governing the whole cybersecurity process
The Network: special toolkits and trainings will be provided.
What’s Next
YAKSHA Ambassadors’ Benefits
• A chance to get funding to attend events
• Free trials and early access to the YAKSHA software
• Access to the latest news in cybersecurity
• Gain visibility on the YAKSHA website
• Become part of a network
• Receive special toolkits and trainings
What’s Next
YAKSHA Concept
YAKSHA is a distributed system which allows the automated deployment of honeypots, data collection and analysis, as well as reporting and information sharing with affiliated YAKSHA installations.
YAKSHA enables organisations, companies and government agencies to deploy custom honeypots meeting their own specifications, monitor attacks in real time and analyse them.
YAKSHA Prototype
The technical solution chosen for YAKSHA is a blend of existing software tools and software modules written for the project.
The YAKSHA prototype is being released in December 2018. The ambassadors’ community will be kept informed about the possibility of access to demos, dedicated versions and information.
YAKSHA Data Collection Methodology
• Designed taking into account several relevant perspectives, such as the cybersecurity challenges of YAKSHA end users, the latest threat trends, the assumptions and limitations of honeypots, as well as the use cases’ perspectives and data collection needs.
• The data collection methodology established a baseline of activities that leads to determining what data YAKSHA collects regarding remote interactions and malware analysis, what assumptions, limitations and legal grounds are relevant, what methods and tools to adopt for data collection, and what reference architecture design is suitable for YAKSHA data collection, management and processing.
YAKSHA Data Collection Methodology
[Figure: Data collection high level view]
Why Honeypots are Relevant
Source: ENISA Threat Landscape Report 2017

Malware
Description: Malicious software remains the most frequently encountered cyber threat. Evolved techniques (including click-less and file-less infections, worm-based spreading, hybrid attacks, wiping of traces, different infection vectors, and obfuscation-based resistance against heuristic blocking) make malware difficult to resist.
Honeypot potential: Honeypots have an important role in detecting new malware. By playing the role of a vulnerable host to be infected, honeypots can collect and observe malware in action.

Web-based attacks / Web application attacks
Description: Attacks against web servers or web application servers are often used in combination with other attacks. For example, compromised servers enable malware infections and provide control points for other compromised nodes.
Honeypot potential: Honeypots can study attack vectors against and from honeypot web servers. For instance, honeypots can monitor the adversary’s reconnaissance techniques and control channels. Honeypots may also discover previously unknown vulnerabilities (zero-day attacks) through real-time monitoring and quick fingerprinting of successful attacks.

Phishing
Description: Phishing is a social engineering attack that often relies on different technical means. Adversaries may, e.g., utilise malware to mislead victims, or capture web servers to send mass phishing e-mails or to host fake sites.
Honeypot potential: As phishing typically involves sophisticated end-user actions, honeypots cannot represent the adversaries’ primary targets, the users. Instead, the honeypots’ role lies in the secondary phases of the attack, e.g. in luring adversaries to compromise a honeypot server to deploy phishing sites.
Why Honeypots are Relevant (2)
Source: ENISA Threat Landscape Report 2017

Spam
Description: Unsolicited e-mails have recently reduced in number, but still more than half of all e-mails are spam. Spam has also improved in quality, as better obfuscation techniques have made it more difficult to detect. Adversaries often utilise captured devices (also honeypots) for spamming.
Honeypot potential: Honeypots provide a means to track adversaries (by following where the control messages come from) as well as to learn how the spam is generated in order to create effective filtering solutions.

Denial of service
Description: Denial and Distributed Denial of Service (DoS, DDoS) attacks are a major threat against different online businesses. They have also been taken more seriously, e.g. due to recent large botnet attacks and the emergence of DDoS-as-a-service providers.
Honeypot potential: As availability-related attacks are typically executed from captured devices, honeypots are a good tool for learning about and mitigating them. Honeypots can, e.g., find control servers and channels as well as identify targeted victims to enable early warnings and mitigation actions.

Ransomware
Description: Malware that encrypts victims’ data for blackmail has become a prominent threat in recent years.
Honeypot potential: A honeypot may have a role, e.g., in exploring ransomware’s distribution servers.
Why Honeypots are Relevant (3)
Source: ENISA Threat Landscape Report 2017

Botnets
Description: Botnets (networks of captured nodes running automated attack software, “robots”) are a threat utilised e.g. in DoS or fake advertisement hits. Recent IoT botnets like Mirai and Reaper have demonstrated how massive numbers of vulnerable low-cost things can be captured and harnessed into a malicious botnet. A recent trend is that virtualised nodes are also being captured.
Honeypot potential: Honeypots which pretend to be vulnerable things or nodes are captured into botnets and can provide valuable information on how devices are captured and what the adversary’s purposes are.

Insider threat
Description: Persons with privileges inside the organisation are a high-severity threat that is difficult to protect against, as the focus is typically on perimeter defence.
Honeypot potential: Honeypots can provide defence against misbehaving or inadvertent users, as they may catch insiders snooping on and accessing targets where they should not be.
YAKSHA Architecture Traits
• Distributed: The architecture is inherently distributed. YAKSHA makes it possible to deploy hundreds of honeypots easily and cost-effectively through its interconnected nodes. The distributed nature of the YAKSHA system also allows an organisation to leverage information and knowledge gathered by nodes outside of it, improving its readiness and defensive capabilities.
• Modular: It allows both opportunistic and continuous sample collection, as well as selective information sharing with other entities when necessary. Users can upload custom honeypots, monitor attacks in real time and analyse them.
• Scalable: It is easy to scale up installations by adding nodes to the network, up to national and international scale.
YAKSHA Architecture Traits
• Systems and Tools: YAKSHA will provide hooks for IoT devices, Android and SCADA systems, as well as regular Windows and Linux. In addition, YAKSHA provides machine learning tools and AI algorithms that can detect malware more accurately, correlate the information with other samples, and extract attack vectors and patterns.
• Automation: The platform allows the automated creation of nodes and deployment of honeypots, data collection and analysis, as well as reporting and information sharing with affiliated YAKSHA installations.
• Policies: Since honeypots may expose a stakeholder’s specific vulnerabilities, each YAKSHA node has the capability of specifying policies for information sharing: the ability to limit the sharing of information outside a single organisation (if the user chooses to), as well as anonymization and data protection by default.
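The Policies trait above, as an added Python illustration that is not YAKSHA project code: a node-side filter that drops organisation-identifying fields, pseudonymises the stakeholder's own internal addresses with a keyed hash, and refuses to release records to a peer outside the organisation unless the policy allows it. The event field names, network ranges and the per-node key are constructed assumptions.

```python
# Added illustration of a per-node information-sharing policy; not YAKSHA code.
# Event fields, network ranges and the pseudonym key are constructed assumptions.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class SharingPolicy:
    share_outside_org: bool = False   # default: records stay inside the organisation
    anonymise_internal: bool = True   # default: anonymisation switched on
    internal_nets: tuple = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    drop_fields: tuple = ("operator", "node_hostname")  # organisation-identifying fields
    pseudonym_key: bytes = b"constructed-per-node-secret"  # assumed per-node secret

def _is_internal(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)

def _pseudonymise(value: str, key: bytes) -> str:
    # Keyed hash: stable within one node, not reversible by the receiving peer.
    return "anon-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def prepare_for_sharing(event: dict, policy: SharingPolicy, external_peer: bool) -> Optional[dict]:
    """Record to send to an affiliated node, or None if the policy forbids it."""
    # Attacker-side indicators (external src_ip, dst_port) are kept as they are;
    # only addresses belonging to the stakeholder's own networks are pseudonymised.
    if external_peer and not policy.share_outside_org:
        return None
    out = {k: v for k, v in event.items() if k not in policy.drop_fields}
    if policy.anonymise_internal:
        for fld in ("src_ip", "dst_ip"):
            ip = out.get(fld)
            if ip and _is_internal(ip, policy.internal_nets):
                out[fld] = _pseudonymise(ip, policy.pseudonym_key)
    return out

def share_batch(events, policy: SharingPolicy, external_peer: bool) -> list:
    """Apply the policy to a batch; only the records permitted for this peer are returned."""
    permitted = (prepare_for_sharing(e, policy, external_peer) for e in events)
    return [r for r in permitted if r is not None]

# Constructed sample honeypot events (not real data).
SAMPLE_EVENTS = [
    {"honeypot": "conpot-scada-01", "src_ip": "203.0.113.45", "dst_ip": "10.20.0.7",
     "dst_port": 502, "operator": "example-org soc", "node_hostname": "node-a"},
    {"honeypot": "cuckoo-android-02", "src_ip": "198.51.100.9", "dst_ip": "192.168.4.21",
     "dst_port": 5555, "operator": "example-org soc", "node_hostname": "node-a"},
]
```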
Use Case and Pilot Project
• Smart Home IoT Platform Testbed - OTE
The goal of the use case is to use a YAKSHA node within a pre-commercial environment (infrastructure and settings) provided by OTE to collect real data of potential attacks against the smart home IoT platform (pre-commercial) product. YAKSHA analytics capability will be used to raise awareness and provide decision support in strengthening the cybersecurity posture of the product.
Using YAKSHA in a pre-commercial environment will make OTE aware of potential attacks in the wild against OTE’s products and services.
Use Case and Pilot Project
The back-end system provides data analytics, as well as real-time data visualisation to the end users. Users are also allowed to create customised figures and data visualisations.
YAKSHA Prototype
The Prototype environment is composed of:
• Methods, interfaces and tools to configure, develop and deploy the necessary sandbox environments for trapping the malware
• Monitoring tools, including specialised environments like SCADA, IoT, ICSs
• Automation of procedures to deploy honeypots and collect the necessary information from them
• Development of the database which will store all the information collected from the honeypots, based on the ontology that has been designed
YAKSHA Prototype
The platform is composed of open source tools that have been customised and of software developed by the project to automate several procedures.
The YAKSHA platform will be released under a permissive licence for most of its components, with long-term sustainability based on complementary services, including paid access to threat intelligence collected from the YAKSHA nodes.
YAKSHA Prototype Stack
• Ubuntu 16.04 as the OS hosting the hypervisor provider
• KVM/QEMU as platform hypervisor provider (https://www.linux-kvm.org/)
• Cuckoo as sandbox (https://cuckoosandbox.org/). It was chosen based on its characteristics: it is a sandbox environment which also works on Docker. Android sandbox and honeypot environments have been implemented through Cuckoo.
• Cuckoo does not support SCADA and IoT environments, hence partners developed the necessary VMs for SCADA/IoT honeypots; data collection and integration with the above installations has taken place through a web service (REST API) supporting Linux, Windows and Android operating systems.
• Vagrant (https://www.vagrantup.com/)
• VirtualBox as internal virtualisation platform for honeypot VMs (https://www.virtualbox.org)
• Connecting users to these virtual machines through SSH (Linux), WinRM (Windows) and Android, so that end users can remotely install the software they want and customise their honeypot according to their needs, is in progress.
• CloudStack to manage infrastructure (https://cloudstack.apache.org)
• The YAKSHA database is developed on MongoDB; PostgreSQL is the repository for user data (roles etc.), the data extracted from malware and the reports generated
• OSSEC (https://www.ossec.net/)
• Fabric (http://www.fabfile.org/)
• Conpot (http://conpot.org/)
• Logstash (https://www.elastic.co/products/logstash)
• Elasticsearch (https://www.elastic.co/products/elasticsearch)
• Kibana (https://www.elastic.co/products/kibana)
Q & A
Thanks for Your Time
What are your questions?
Contacts:
@alexsib17
www.yaksha-project.eu
StudioAG – Consulting & Engineering: www.studioag.eu
We hope to see you all at the next YAKSHA webinar!
This project has received funding from the European Union´s Horizon 2020 research and innovation programme under grant agreement Nº 780498
YAKSHA Consortium