1 / 24

AbuseHelper Case Studies: Functionality and Use Cases of AbuseHelper

Explore the functionality and various use cases of AbuseHelper through live demos in this presentation. Learn about automated systems, data mining, correlation, mapping, and more.

marrone
Download Presentation

AbuseHelper Case Studies: Functionality and Use Cases of AbuseHelper

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AbuseHelper Case Studies Jussi Eronen CERT-FI

  2. The material in this file is given to you for reference. I will probably not use much of this in the presentation In the presentation, I will explain the functionality and use cases of AbuseHelper by showing you live demos of the different use cases. Note on the presentation

  3. Autoreporter, grandfather of AbuseHelper

  4. Autoreporter • Since 2006, CERT-FI adopted Autoreporter, an automated system to systematically collect Incident Reports (mostly malware infections) from various monitoring projects • That opened our eyes!! • We probably still only see the tip of the iceberg.. In 2006, weenhancedautomation

  5. Detecting Abuse Receiving reports (email, phone, fax..) Stalking badness through data mining Scraping feeds Normalizing data Correlating data Dealing with badness Mapping events to address space/netblocks Finding right contacts and their contact preferences Customer expectation management Reporting Statistics, trends, chronic cases Responding Abuse Handling Process

  6. Incoming feeds wide and varied in format, formalism and transports Availability (downtime, missed reports, etc) Integrity of the information Bugs Update frequency: near-real-time, hourly, daily.. Report de-duplication (overlapping refreshes) Timespan: last n days, specific date Provided details Terminology Formatting (csv, xml, etc) Transports (HTTP, SMTP, IRC, etc) Working with Data

  7. The goal of the AbuseHelper project is to provide common understanding, framework and tools for handling abuse To bring further focus to somewhat scattered Internet Abuse handling scene: documenting and unifying abuse related terminology, documenting assumptions, taking into account different needs, enabling the creation of processes and workflows To take the next step in maturity, from works-for-me information systems to modular, scalable (with regards to performance and usability), commonly developed, and shared one. AbuseHelper

  8. HAVARO – using bots and sensors to protect CNI

  9. Network Monitoring and Early Warning System for Critical Infrastructure Providers (HAVARO) Done in co-operation with the National Emergency Supply Agency Participation is voluntary Scope of the first phase is approximately 10 organisations Aim is to enhance the operational picture on the computer security incidents Havaro

  10. Tap Aggregates the monitored traffic Removes the payload if necessary Probe IDS component raises alerts based on reduced and customized ruleset Flow processor detects behavioral anomalies Analysis Data is analyzed by CERT-FI Incident Handlers Both specific and general reports are sent to the organisations Technical Components

  11. Architecture

  12. Organisation can determine the depth of monitoring Payload can be removed Organisation maintains ownership of the monitored data Monitoring and analysis are within the CERT-FI mandate CERT-FI is responsible for the management of the system and the analysis of the data Reports specific to an organisation and nation wide general assesments are written by the analysts Alerting mechanism during office hours Operational Model

  13. Collabro System overview Information Collaboration ProjectCollabro

  14. Collabro is a System tool A set of software Enabling LE to use intelligence/information available in the Internet Cybercrime prevention Collabro - What is it?

  15. Project for European Commissions Specific Programme "Prevention of and Fight against Crime 2010". Purpose Enhance information exchange concerning cyber space between LE, national CERTs and private communities Raise awareness of new threats and modus operandi Automatically collect and normalize intelligence information from cyber space Decision making for human, mechanical information processing for computers Project Overview

  16. Main objectives Enhance information exchange between LE, national CERTs and IT security communities (industries, universities, and non-profit foundations) Raise knowledge around cooperation partners Improve active cooperation Expected results CERT / Security community based information will become usable for LE Information collection automation Main objectives & expected results

  17. Most of information sources defined Not all implemented Wiki based control interface Virtual Situation Room Enhancements New information sources and experts (bots) A tool for offline storage investigation Visualization fine tuning Achieved Results - so far

  18. Collabro Building Blocks WIKI APACHE AH EJABBERD BOTS VSR IDIOKIT PYTHON

  19. System configuration Own configuration page for each bot Bot may have two kind of parameters Startup params Clear text or encrypted Runtime params Runtime params could be changed during execution Wiki Based Control Interface

  20. The Collabro System key required Access information are encrypted with aes256 System Configuration Wiki XMPP server System configuration fetched from Wiki Bots started with startup parameters Bots are joining to the system lobby room Runtime parameters delivered for each bot Bots starts their tasks Collabro System Startup

  21. VSR is used to give a visual view of Collabro System status in certain moment of time Connects to predefined rooms Few visualization types Adjustable, in some level Virtual Situation Room

  22. Collabro System status Virtual Situation Room

  23. Pros Flexible Bot based system Data sources are not limited Asynchronous XMPP communication Build on open source software Cons Require some programming skills Open source software Lack of documentation Pros and cons

More Related