This document summarizes Charles Lim's presentation on the design of a malware attack monitoring system for Indonesia. It proposes a distributed honeynet sensor system with sensors placed around Indonesia to monitor actual malware attacks. The data would be sent to a National Monitoring Center to analyze malware threats. Setting up a monitoring system could help Indonesia gain knowledge of malware behaviors and better protect its networks.
Design of Indonesia Malware Attack Monitoring Center - Charles Lim
1. Design of Indonesia Malware Attack Monitoring Center
7th May 2012
Indonesia Security Conference 2012
Makassar, Indonesia
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
Indonesia Honeynet Project Chapter Lead
2. AGENDA
Problem Statement
Honeynet – capturing autonomous spreading malware
Distributed Honeynet Sensors
System Architecture
National Monitoring Center
Conclusion and Recommendation
3. Problem Statement
IDSIRTII has experimented with honeypots using nepenthes and dionaea
Swiss German University, independently, has also experimented with honeypots using nepenthes and dionaea for at least 2 years
No existing grand design to place sensors around Indonesia and monitor actual malware attacks around Indonesia
4. Honeynet
A honeynet is a collection of honeypots
“Is a decoy that is used to lure malware or attackers (hackers).”
“It is a computer that has no production value, so if it is compromised or destroyed it should not affect the activities of the company.”
5. Honeypot Based on Interaction
Two kinds of honeypot:
Low Interaction Honeypot
High Interaction Honeypot
6. Low Interaction Honeypot
Does not implement the actual service
Disguises itself as a real system
Good for finding known attacks and expected behavior
Usually automated
Lower cost needed
Example: Nepenthes, Amun, Dionaea
7. High Interaction Honeypot
It is a “real” system, usually with a different configuration than the production system.
Riskier than Low-Interaction due to its “Allow all” configuration
Difficult to maintain and must be configured manually
Higher cost needed
Example: Physical HIH, Virtual HIH
8. Table of Comparison

                        Low-interaction      High-interaction
Degree of interaction   Low                  High
Real operating system   No                   Yes
Risk                    Low                  High
Knowledge gain          Connection/Request   Everything
Can be conquered        No                   Yes
Maintenance time        Low                  High
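To make slides 6 and 8 concrete, here is a minimal low-interaction sensor written for this summary; it is added example code, not part of Charles Lim's slides or of any Indonesia Honeynet Project software. It never implements the real service: every client receives the same fixed decoy banner, and the sensor records only the connection and the first request bytes, which is exactly the "Connection/Request" level of knowledge the comparison table assigns to low-interaction honeypots. The banner text, the sensor id, the signature list and the record layout are all constructed for the example; a real sensor (Nepenthes, Amun, Dionaea) emulates far more protocol behaviour.

```python
"""Minimal low-interaction honeypot sensor (constructed example).

Design points taken from the slides: no real service is implemented, the
sensor is automated, it classifies requests against known patterns, and the
knowledge gained is limited to the connection and the request. Everything
named here (banner, sensor id, patterns, record fields) is an assumption for
illustration, not a standard or a project artefact.
"""
import json
import re
import socket
import threading
import time

# Constructed decoy banner. Sending a banner makes the port look like a live
# SMTP service without implementing SMTP at all.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"

# Constructed signatures for "known attack / expected behaviour" lookups.
# A low-interaction sensor can only match what it already knows about.
KNOWN_PATTERNS = {
    "smtp-probe": re.compile(rb"^(EHLO|HELO)\b", re.IGNORECASE),
    "http-scan": re.compile(rb"^(GET|POST|HEAD) /", re.IGNORECASE),
    "ssh-probe": re.compile(rb"^SSH-"),
}


def classify(payload: bytes) -> str:
    """Label the first request bytes against the known-pattern list."""
    for label, pattern in KNOWN_PATTERNS.items():
        if pattern.search(payload):
            return label
    return "unknown"


def build_record(peer, payload: bytes, sensor_id="sensor-example", now=None) -> dict:
    """Build one connection/request record, the unit a collector would ingest."""
    return {
        "sensor": sensor_id,
        "ts": now if now is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(payload),
        "label": classify(payload),
        # Keep a bounded hex copy of the request; never decode or execute it.
        "request_hex": payload[:64].hex(),
    }


def handle_client(conn, peer, sink, sensor_id="sensor-example"):
    """Serve one connection: send the decoy banner, read one request, log it."""
    try:
        conn.settimeout(5.0)
        conn.sendall(FAKE_BANNER)
        payload = conn.recv(1024)
    except (socket.timeout, OSError):
        payload = b""
    finally:
        conn.close()
    sink(build_record(peer, payload, sensor_id))


def serve(bind=("127.0.0.1", 0), sink=None, sensor_id="sensor-example"):
    """Listen in a background thread; each client gets handle_client. Returns the bound port."""
    if sink is None:
        sink = lambda record: print(json.dumps(record))  # one JSON line per event
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)
    port = srv.getsockname()[1]

    def loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer, sink, sensor_id),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return port


if __name__ == "__main__":
    # Local demonstration: start the sensor and make one constructed probe.
    port = serve()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.recv(1024)  # the decoy banner
        client.sendall(b"EHLO scanner.example\r\n")
    time.sleep(0.5)  # let the handler thread emit its JSON record
```

Running the file prints a single JSON record for the local probe, labelled `smtp-probe`. In the distributed design on the agenda, `sink` is where each sensor would forward its records to the monitoring center; the pattern table is also what limits the approach, since anything a low-interaction sensor has no pattern for is recorded only as `unknown`.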
15. National Monitoring Center
The design proposal for a National Monitoring Center for Malware Attack is work in progress
KEMKOMINFO has committed to the work, and the first pilot will involve about 10 nodes within this year in different cities in Indonesia
16. National Conference
1st Academy CERT on Malware Research
http://www.sgu.ac.id/academy-cert-meeting
2nd Academy CSIRT on Malware Lab Setup
http://www.slideshare.net/charles.lim/workshop-on-setting-up-malware-lab
3rd Academy CSIRT on Malware Reporting
To be held on 30th May to 2nd June 2012
http://csirt.itmaranatha.org/event/201205/
17. International Conference
SecureAsia 2011, Jakarta, Indonesia
http://www.informationsecurityasia.com/2011/conference/agenda.html
FIRST 2012 Conference, Bali, Indonesia
http://event.idsirtii.or.id/wp-content/uploads/2011/10/FIRST-TC-PROGRAMS-LATEST-UPDATE1.pdf