hsb - advanced cyber defense center - michel van eeten
DESCRIPTION
The Netherlands is also working on solutions at the European level. The ACDC project is a collaboration between 14 European countries and aims to counter the growing danger of botnets and, where possible, render them harmless.
TRANSCRIPT
ACDC General Overview. Michel van Eeten, TU Delft (Work Package Leader)
Quick Facts: ACDC – Advanced Cyber Defence Centre
• Project type: European Pilot Project under the CIP-PSP programme
• Project duration: 30 months (Feb 2013 - Jul 2015)
• Project volume: 15,5M EUR, co-funded by the European Commission
• 28 partners from 14 European countries
• Project lead: eco e.V. - Association of the German Internet Industry
• Unique consortium unites:
• CERTs
• Internet Service Providers
• Antivirus and IT-security companies
• Academia and research
• Industry (critical infrastructure providers, financial institutions)
• Law enforcement
ACDC General Overview 2
Project Goals
• Cross-border fight against botnets (and other threats)
• End-to-end approach against botnets
• 1 central database (Centralized Data Clearing House)
• 1 Community Portal
• 8 National Anti-Botnet Support Centres
• 5 experiments as a proof of concept
• Open ACDC community for external stakeholders and partners
• Sustainability plan for continuation of the project
• Prevention strategies and awareness raising for end-users
• Free mitigation tools and services for end-users across Europe
ACDC – a service approach
[Diagram: Detection, Support and Mitigation flow]
• Detection: spam campaign, stolen credentials, drive-by-download, DDoS traffic detected; centralised reports of botnet behaviour
• Centralised Data Clearing House: standardized report findings
• Support – notifying affected customer: Internet Service Providers, security vendor, hosting provider, mobile network provider, bank of customer
• Mitigation – helping affected customer: redirect to botfree.eu
ACDC – central Data Clearing House
[Diagram: Sensors deliver data directly or via Concentrators to the Central Data Clearing House; after Anonymisation the data reaches Law Enforcement Agencies, Research and Industry; ACDC National Support Centres take the Detection and Supporting roles]
ACDC – Central Data Clearing House
Detection
• Sensors delivering data directly or through concentrators
• Sensors can request additional feeds to work with
• Data input in any format
• Data output in JSON or YAML
• Central Clearing House facility correlates data
• Data flagging for special purposes: experiments, research or investigations
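The clearing-house flow described above (any-format input from sensors, a standardized report, correlation, flagging for research, and an anonymised JSON feed), as an added illustration that is not ACDC project code; the three sensor formats, the field names and the /24 anonymisation rule are assumptions made for this example.

```python
import ipaddress
import json
from collections import defaultdict
# Constructed sample input from three sensor types, each in its own native format. Field
# names and the standard schema below are assumptions, not the ACDC project's real formats.
SPAM_CSV = "2014-03-01T10:00:00Z,spam_campaign,203.0.113.7,AS64500"
DDOS_JSON = '{"ts": "2014-03-01T10:05:00Z", "kind": "ddos_traffic", "src": "203.0.113.7", "asn": "AS64500"}'
DRIVEBY_KV = "ts=2014-03-01T10:09:00Z type=drive_by_download ip=203.0.113.9 asn=AS64500"

def normalize(raw, sensor_format):
    """Concentrator step: map a sensor's native record onto one standard report."""
    if sensor_format == "csv":
        ts, category, ip, asn = raw.split(",")
    elif sensor_format == "json":
        d = json.loads(raw)
        ts, category, ip, asn = d["ts"], d["kind"], d["src"], d["asn"]
    elif sensor_format == "kv":
        d = dict(pair.split("=", 1) for pair in raw.split())
        ts, category, ip, asn = d["ts"], d["type"], d["ip"], d["asn"]
    else:
        raise ValueError(f"unknown sensor format: {sensor_format}")
    ipaddress.ip_address(ip)  # reject malformed addresses before they enter the clearing house
    return {"timestamp": ts, "category": category, "ip": ip, "asn": asn, "flags": []}

def correlate(reports):
    """Clearing-house step: group reports by affected IP so one host seen by several
    sensors becomes a single incident listing every behaviour observed."""
    incidents = defaultdict(lambda: {"asn": None, "categories": set(), "reports": 0})
    for r in reports:
        inc = incidents[r["ip"]]
        inc["asn"] = r["asn"]
        inc["categories"].add(r["category"])
        inc["reports"] += 1
    return incidents

def flag_for(reports, purpose, predicate):
    """Tag the reports a policy selects for a special purpose (experiment, research, investigation)."""
    for r in reports:
        if predicate(r):
            r["flags"].append(purpose)
    return reports

def anonymise(report):
    """Research/industry feed: keep the ASN for operator metrics, truncate the IP to its /24."""
    return {**report, "ip": str(ipaddress.ip_network(f"{report['ip']}/24", strict=False))}

def run_pipeline():
    reports = [normalize(SPAM_CSV, "csv"), normalize(DDOS_JSON, "json"), normalize(DRIVEBY_KV, "kv")]
    flag_for(reports, "research", lambda r: r["category"] == "drive_by_download")
    return reports, correlate(reports), json.dumps([anonymise(r) for r in reports], sort_keys=True)
```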
ACDC Community Portal
• Entry point to ACDC
• Handling of Data Sharing Policies
• Connects users to solutions
• Inter-connecting stakeholders to fight botnets
• Platform to create and deploy solutions
• Open Knowledge Exchange Platform
• Open registration to international stakeholders
https://communityportal.acdc-project.eu
(National) Support Centres
• Botfree.eu as central point of entry
• 8 National End-User Support Centres
• DE, BE, IT, ES, RO, PT, HR, FR
• Three columns of support
• Prevent
• Clean
• Inform
• Free mitigation tools like
• EU-Cleaner by Avira
• Check-and-Secure.com
• Twitter, blogs, forum, email support
Does it really help?
• Similar interventions are being tried everywhere:
• national support centres
• data clearing houses
• ISP customer notifications
• global C&C takedowns
• Resources are limited in time and magnitude
• Which of these measures are most effective?
• This requires robust comparative botnet metrics and careful statistical analysis
• Metrics also inform all stakeholders how well (or poorly) network operators are performing in mitigating botnet threats
• Metrics incentivize mitigation and reward the efforts of good ISPs
Global takedown of Zeus C&C
Figure 12 - Entrance of new Zeus attackers (botnet keys) per month
Looking at the country of the attacked domains also confirms the pattern. Figure 13 shows the overlap between the targeted countries across four years (2009-2012). Out of the total 92 attacked countries, seven were only attacked in 2009, and seventeen only in 2012. This shift in the variety of the attacked countries, despite the overall stability in the size of the attacks, points to a trial and error process with finite resources and players; i.e., the attacks are not spreading like mushrooms.
Figure 13 - Venn diagram of location of attacked domains across the years
8 Attack code development
8.1 Descriptive analysis
Our dataset contains 1,146,860 target URLs with associated inject codes. These inject codes are by no means all unique. In fact, on average each inject is repeated 27 times. Figure 14 shows the number of times a specific piece of code is used in different configuration files. Note that virtually all injected code is reused two or more times among the different configuration files.
Zeus source code leakage
Questions?
ACDC Main contact: Peter Meyer, eco e.V. ([email protected]) Project Coordinator – ACDC
Project Website: https://acdc-project.eu
Community Portal: https://communityportal.acdc-project.eu
Support Centres: https://botfree.eu
Twitter: https://twitter.com/AntiBotnet
Facebook: https://www.facebook.com/botfree.eu