
The National Platform for Tracking Cyber Attacks: « SAHER » By Hafidh EL Faleh






Presentation Transcript


  1. The National Platform for Tracking Cyber Attacks: « SAHER » By Hafidh EL Faleh Hafidh.faleh@gmail.com NACS - 2012

  2. Perimeter of the project. The NACS is a member of:

  3. SAHER Objectives • Build a dashboard (alert level) of the national cyberspace. • Provide a platform supporting incident handling, investigation and legal forensics. • Develop solutions for tracking cyber attacks with a distributed IDS (DIDS), honeypots and many deployed sensors. • Monitor critical infrastructure and detect anomalies in its systems.

  4. SAHER Objectives • Supervise web sites to detect defacement attacks. • Maintain a system for malware detection (viruses, botnets, trojans) and use coordination to clean up the national cyberspace. • Build an information database of attack types, vulnerability leaks and blacklists.

  5. SAHER is a three-layer platform: the WORKFLOW layer; the analysis and correlation layer; the collection and detection layer.

  6. CEWS Architecture

  7. Detection • SAHER-WEB: routines whose purpose is to verify the integrity of web sites. • SAHER-SRV: routines whose purpose is to verify the availability of web, mail and DNS servers. • IDS: Snort sensors, generally installed in web hosting spaces. • Honeynets: several solutions of different types are available in the free-software world.
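An integrity-check routine of the kind SAHER-WEB describes, written here as an added example (it is not SAHER's code). It assumes a baseline of SHA-256 fingerprints taken over the page's visible text, so that volatile markup (inline scripts, whitespace) does not raise false alerts, and it adds a short, illustrative list of defacement phrases to flag obvious cases; the HTML samples and the URL are constructed for the demonstration.

```python
"""Web defacement / integrity check (added example, not SAHER-WEB itself)."""
import hashlib
import re
from dataclasses import dataclass

# Assumption: phrases commonly left by defacers; illustrative, not SAHER's list.
DEFACEMENT_SIGNATURES = ("hacked by", "owned by", "defaced by")

_SCRIPT_RE = re.compile(r"<script.*?</script>", re.S | re.I)
_TAG_RE = re.compile(r"<[^>]+>")
_WS_RE = re.compile(r"\s+")


def normalise(html: str) -> str:
    """Reduce a page to its visible text so that inline scripts, tags and
    whitespace changes do not alter the fingerprint."""
    text = _SCRIPT_RE.sub("", html)
    text = _TAG_RE.sub(" ", text)
    return _WS_RE.sub(" ", text).strip().lower()


def fingerprint(html: str) -> str:
    """SHA-256 over the normalised text; this is what the baseline stores."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


@dataclass
class Verdict:
    url: str
    status: str          # "unchanged", "changed" or "defaced"
    detail: str = ""


def check_page(url: str, html: str, baseline: dict) -> Verdict:
    """Compare a fetched page with its stored baseline fingerprint.
    A signature hit is reported as 'defaced'; any other fingerprint mismatch
    is 'changed' and needs a human to decide whether it is a legitimate update."""
    text = normalise(html)
    for sig in DEFACEMENT_SIGNATURES:
        if sig in text:
            return Verdict(url, "defaced", f"signature {sig!r} found")
    current = fingerprint(html)
    expected = baseline.get(url)
    if expected is None:
        baseline[url] = current               # first visit: record the baseline
        return Verdict(url, "unchanged", "baseline recorded")
    if current != expected:
        return Verdict(url, "changed", "fingerprint differs from baseline; review")
    return Verdict(url, "unchanged")


# Constructed sample pages for the demonstration.
BASELINE_HTML = "<html><body><h1>Welcome</h1><script>var t=1;</script><p>Hello   world</p></body></html>"
SAME_HTML = "<html><body><h1>Welcome</h1><script>var t=2;</script><p>Hello world</p></body></html>"
CHANGED_HTML = "<html><body><h1>Welcome</h1><p>New content</p></body></html>"
DEFACED_HTML = "<html><body><h1>Hacked by someone</h1></body></html>"


def demo(url: str = "http://www.example.tn/") -> list:
    """Run the four sample pages through one baseline; returns the statuses."""
    baseline = {}
    return [check_page(url, page, baseline).status
            for page in (BASELINE_HTML, SAME_HTML, CHANGED_HTML, DEFACED_HTML)]


if __name__ == "__main__":
    print(demo())
```

The first fetch records the baseline, the second differs only in script content and whitespace and is still reported unchanged, the third is a real content change that a human must triage, and the fourth matches a defacement phrase outright. A production routine would fetch with a timeout, keep the baseline in persistent storage and re-baseline after a confirmed legitimate update.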

  8. Collection. We need to exchange security events and collaborate to handle incidents: • Incidents: phishing, web defacement, scan, intrusion, spam / scam, DoS / DDoS. • Malware: worm spread, botnet / C&C, honeynet detection. • Vulnerabilities: exploit, zero days, product vulnerability.

  9. ISAC: Information Sharing and Analysis Center

  10. Internal workflow. A CSIRT is a team that responds to computer security incidents by providing all the services necessary to solve the problem(s) or to support their resolution.

  11. Workflow: coordination platform (diagram: users, sensors and an IDS DB feed a central DB via an SMTP server; tunCERT coordinates with other CERTs by telephone and mail; stages S1, S2, S3).

  12. Saher-Web: Detection

  13. Saher-IDS: Statistics

  14. Saher-Honeynet: Architecture and tools. 2500 public IP addresses.

  15. Saher-Honeynet: annual evolution of attacks

  16. Saher-Honeynet Website: Online statistics www.honeynet.tn

  17. Saher-Honeynet Website: « Dashboard » www.honeynet.tn/dashboard

  18. Ideas for projects: IP reputation database • Design and specify a tool that interfaces with many honeypot tools (dionaea, glastopf, kippo, ...) and maintains an up-to-date database for checking the reputation of any IP address against its historic logs. • Provide web access (web services) to this tool: automatically obtain the source IP, return information on its reputation history and send the necessary instructions for the cleaning process.
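One way the reputation database sketched above could be built, as an added example (not SAHER's tool and not the honeypot projects' own code). It assumes a collector has already translated each sensor's native log format into one normalised line per event (timestamp, sensor, source IP, event kind); the event lines, the scoring weights and the cleanup advice are all constructed for the demonstration, and the addresses are RFC 5737 documentation ranges.

```python
"""IP reputation from honeypot events (added example, not SAHER's code)."""
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed sample: normalised sensor events, one per line:
#   <ISO timestamp> <sensor> <source IP> <event kind>
# kippo, dionaea and glastopf each log in their own format; a collector
# would translate those into this shape before ingesting.
SAMPLE_EVENTS = """\
2012-03-01T10:00:00 kippo    198.51.100.7 ssh_bruteforce
2012-03-01T10:00:05 kippo    198.51.100.7 ssh_bruteforce
2012-03-01T11:30:00 dionaea  198.51.100.7 malware_upload
2012-03-02T08:15:00 glastopf 203.0.113.9  web_scan
2012-03-02T08:15:01 glastopf 203.0.113.9  rfi_attempt
2012-03-03T23:59:59 kippo    192.0.2.44   ssh_login
"""

# Illustrative weights (an assumption): how much each event kind counts.
WEIGHTS = {
    "web_scan": 1,
    "ssh_bruteforce": 2,
    "rfi_attempt": 4,
    "ssh_login": 5,        # a login on a honeypot means credentials were guessed
    "malware_upload": 10,
}
MULTI_SENSOR_BONUS = 5     # the same IP hitting several sensor types counts more
MAX_SCORE = 100

# Illustrative cleanup instructions returned with each lookup.
CLEANUP_ADVICE = {
    "ssh_bruteforce": "host is brute-forcing SSH; look for a bot and rotate credentials",
    "ssh_login": "host logged into a honeypot with guessed credentials; treat as compromised",
    "malware_upload": "host pushed a malware sample; isolate it and scan it",
    "web_scan": "host is probing web applications; review its outbound traffic",
    "rfi_attempt": "host attempted remote file inclusion; check it for web shells",
}


class ReputationDB:
    """In-memory store keyed by source IP, one record per observed event."""

    def __init__(self) -> None:
        self._events = defaultdict(list)    # ip -> [(timestamp, sensor, kind)]

    def ingest(self, text: str) -> int:
        """Parse normalised event lines; returns how many were accepted."""
        accepted = 0
        for line in text.splitlines():
            fields = line.split()
            if len(fields) != 4:
                continue                        # skip malformed lines
            ts, sensor, ip, kind = fields
            if kind not in WEIGHTS:
                continue                        # unknown event kind, ignore
            self._events[ip].append((datetime.fromisoformat(ts), sensor, kind))
            accepted += 1
        return accepted

    def score(self, ip: str) -> int:
        """Weighted sum of events plus a bonus per extra sensor type, capped."""
        events = self._events.get(ip, [])
        total = sum(WEIGHTS[kind] for _, _, kind in events)
        sensors = {sensor for _, sensor, _ in events}
        total += MULTI_SENSOR_BONUS * max(0, len(sensors) - 1)
        return min(MAX_SCORE, total)

    def lookup(self, ip: str) -> Optional[dict]:
        """What a web-service front-end would return for one IP (None if unseen)."""
        events = self._events.get(ip)
        if not events:
            return None
        kinds = sorted({kind for _, _, kind in events})
        return {
            "ip": ip,
            "score": self.score(ip),
            "first_seen": min(ts for ts, _, _ in events).isoformat(),
            "last_seen": max(ts for ts, _, _ in events).isoformat(),
            "sensors": sorted({sensor for _, sensor, _ in events}),
            "event_kinds": kinds,
            "cleanup": [CLEANUP_ADVICE[k] for k in kinds],
        }


def build_db(text: str = SAMPLE_EVENTS) -> ReputationDB:
    db = ReputationDB()
    db.ingest(text)
    return db


if __name__ == "__main__":
    db = build_db()
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.44", "203.0.113.200"):
        print(ip, db.lookup(ip))
```

The dictionary returned by `lookup` is the payload a web service would serialise as JSON for the "automatic source IP" use case; scoring an IP higher when several sensor types see it is what turns a pile of honeypot logs into a reputation rather than a hit count.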

  19. Ideas for GSoC 2012: black-list generator • Create an updated list of malicious domains and hosts from the malware collected. • Select equipment profiles to generate ACLs (firewall, IDS/IPS, proxy, ...). • Design and specify techniques for the black-list tool. • Share the black-list online.

  20. (Diagram) Distributed IDS across ISP 1, ISP 2 and ISP 3, each with its own IDS: watch for logs; (1) extract the list of malicious domains; (2) update the D-IDS rules; (3) save passive DNS; detection.
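A black-list generator covering slides 19 and 20, as an added example (not SAHER's tool or its GSoC project). It takes a list of malicious domains and the passive-DNS resolutions the sensors saved, and renders them for three equipment profiles: Snort DNS-query rules for the distributed IDS, a Squid `dstdomain` list for proxies, and iptables drops for the firewall. The domain list, passive-DNS table, rule message text and SID range are constructed; validating each feed entry before interpolating it into rule or command syntax is the one check a practitioner should not skip, since a hostile feed line could otherwise inject into a rule or a shell script.

```python
"""Black-list to ACL generator (added example, not SAHER's own tool)."""
import re

# Constructed inputs: the domain list stands in for what the distributed IDS
# extracts, the passive-DNS table for the resolutions the sensors saved.
MALICIOUS_DOMAINS = ["evil.example", "C2.example.net."]
PASSIVE_DNS = {
    "evil.example": ["198.51.100.7", "198.51.100.8"],
    "c2.example.net": ["203.0.113.9"],
}

_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def canonical_domain(domain: str) -> str:
    """Lower-case, strip the trailing dot and reject anything that is not a
    plain hostname, so a hostile feed entry cannot inject rule or shell syntax."""
    name = domain.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a safe domain name: {domain!r}")
    return name


def dns_wire_name(domain: str) -> str:
    """Snort content pattern for the domain's DNS wire encoding: each label is
    preceded by its length byte and the name is terminated by a zero byte."""
    labels = canonical_domain(domain).split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def snort_rules(domains, passive_dns, base_sid=1000000):
    """One alert per domain on DNS queries leaving $HOME_NET (IDS/IPS profile).
    SIDs from 1000000 upwards are the range reserved for local rules."""
    rules = []
    for i, d in enumerate(domains, start=1):
        name = canonical_domain(d)
        rules.append(
            f'alert udp $HOME_NET any -> any 53 (msg:"SAHER blacklist DNS query {name}"; '
            f'content:"{dns_wire_name(name)}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


def squid_acl(domains, passive_dns):
    """Lines for a Squid dstdomain list file; the leading dot covers subdomains."""
    return ["." + canonical_domain(d) for d in domains]


def iptables_rules(domains, passive_dns):
    """Drop traffic to the addresses the domains resolved to in passive DNS
    (firewall profile); domains with no saved resolution produce nothing."""
    rules = []
    for d in domains:
        name = canonical_domain(d)
        for ip in passive_dns.get(name, []):
            if not _IPV4_RE.match(ip):
                raise ValueError(f"bad address in passive DNS: {ip!r}")
            rules.append(f"iptables -A FORWARD -d {ip} -j DROP  # {name}")
    return rules


PROFILES = {"snort": snort_rules, "squid": squid_acl, "iptables": iptables_rules}


def generate(profile: str, domains=MALICIOUS_DOMAINS, passive_dns=PASSIVE_DNS):
    """Render the black-list for one equipment profile."""
    try:
        builder = PROFILES[profile]
    except KeyError:
        raise ValueError(f"unknown equipment profile {profile!r}") from None
    return builder(domains, passive_dns)


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"# {profile}")
        print("\n".join(generate(profile)))
```

The passive-DNS step matters for the firewall profile: a firewall filters addresses, not names, so the IPs a malicious domain resolved to when the sensors saw it are what the ACL has to carry, while the IDS can match the name itself in the DNS query.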

  21. THANKS http://www.honeynet.tn honeynet@ansi.tn Hafidh.faleh@gmail.com http://twitter.com/SaherHoneyNet http://www.linkedin.com/groups/The-Honeynet-Project-Tunisia-chapter
