OCERT Honeynet Chapter Report for 2013

OCERT - Chapter Status Report For 2013

ORGANIZATION:

The OCERT Honeynet chapter is run by the Oman National CERT (OCERT). The chapter was officially launched in April 2010 to analyze the risks and security threats present in Oman's cyberspace. The members of the OCERT chapter are:

• Yousuf Alsiyabi
• Suliman Al Hinai
• Nasser Salim Al Hadhrami

DEPLOYMENTS:

Low-interaction honeypots and supporting analysis tools are deployed as follows:
- Dionaea: A number of Dionaea sensors were deployed to capture malware and to find infected systems in the country's cyberspace. The feeds from the sensors are collected through an XMPP server.
- Cuckoo: Cuckoo Sandbox (version 0.6) is deployed to analyze the captured malware.
- Glastopf: Deployed as a web application honeypot.
- SurfIDS: SurfIDS collects the malware and web-attack data picked up by the different sensors placed within the network.

RESEARCH AND DEVELOPMENT:

Cyber Threat Intelligence Gathering System – Phase 1: The project aims to collect the cyber threats that target cyberspace worldwide, such as spam, phishing, etc. In addition, the project aims to identify infected systems and to enhance the capability to mitigate the risk of botnets infecting citizens' machines.
Web Attacks Detector System – Phase 1: An intelligent system used to detect attacks against, and protect, selected national web applications. The Web Attacks Detector analyzes all user requests (inspection can be restricted to certain requests to avoid server load) and decides whether each request is safe or not. For an unsafe request, the system identifies what kind of attack it could cause (SQL injection, XSS, file upload, etc.). Additionally, a notification is sent to the CERT team so the request can be analyzed in depth and its severity assessed [Low, Medium, High].
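The request-inspection flow described for the Web Attacks Detector, shown as an added illustrative example (this is not OCERT's code, and the report does not say how the real system reaches its decision): a signature-based triage of HTTP requests that skips parameterless static-asset requests to limit load, percent-decodes the request (twice, so double-encoded payloads are seen in their final form), labels an unsafe request as SQL injection, XSS or web-shell upload, attaches a preliminary severity and formats the notification for the CERT team. The signature list, the severity mapping, the static-extension filter and every sample request below are constructed assumptions.

```python
"""Illustrative request triage pipeline (added example, not OCERT's code).

Constructed assumptions: the signature list, the preliminary severity
attached to each attack kind, the static-asset filter and every sample
request below are invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Hypothetical signatures: (attack kind, preliminary severity, pattern).
# Checked in order; the first match wins.
SIGNATURES = [
    ("SQL", "High", re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d*'?\s*=\s*'?\d"
        r"|;\s*drop\s+table\b|\bsleep\s*\()")),
    ("XSS", "Medium", re.compile(
        r"(?i)(<\s*script\b|javascript:|\bon[a-z]+\s*=\s*[\"'])")),
    ("UPLOAD", "High", re.compile(
        r"(?i)filename=\"[^\"]+\.(php\d?|phtml|jsp|aspx?)\"")),
]

# Extensions whose parameterless GETs are not inspected, to spare the server.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


@dataclass
class Verdict:
    safe: bool
    kind: Optional[str] = None
    severity: Optional[str] = None
    evidence: Optional[str] = None


def should_inspect(method, path, body):
    """The report notes inspection can be limited to certain requests;
    here parameterless GETs for static assets are skipped."""
    if (method == "GET" and not body and "?" not in path
            and path.lower().endswith(STATIC_EXT)):
        return False
    return True


def normalize(raw):
    """Percent-decode twice so a double-encoded payload
    (%2527 -> %27 -> ') is matched in its final form."""
    return unquote_plus(unquote_plus(raw))


def classify(method, path, body=""):
    """Decide whether a request is safe; if not, name the attack kind."""
    text = normalize(path) + "\n" + normalize(body)
    for kind, severity, pattern in SIGNATURES:
        match = pattern.search(text)
        if match:
            return Verdict(False, kind, severity, match.group(0))
    return Verdict(True)


def notify(verdict, method, path):
    """Format the notification sent to the CERT team for deeper analysis;
    the severity is preliminary and is confirmed by the analyst."""
    return (f"[{verdict.severity}] {verdict.kind} suspected in "
            f"{method} {path}: matched {verdict.evidence!r}")


def triage(requests):
    """Run the pipeline over (method, path, body) tuples; return notices."""
    notices = []
    for method, path, body in requests:
        if not should_inspect(method, path, body):
            continue
        verdict = classify(method, path, body)
        if not verdict.safe:
            notices.append(notify(verdict, method, path))
    return notices


# Constructed sample traffic: two benign requests, one static asset,
# a classic and a double-encoded SQL injection, two XSS variants and
# one web-shell upload.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("GET", "/static/app.js", ""),
    ("GET", "/products?id=1%27%20OR%20%271%27%3D%271", ""),
    ("GET", "/item?id=5%2527%20UNION%20SELECT%20user%2Cpass%20FROM%20users", ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/profile?name=x%22%20onmouseover%3D%22alert(1)", ""),
    ("POST", "/upload",
     'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
     'Content-Type: application/x-php\r\n\r\n<?php system($_GET["c"]); ?>'),
    ("GET", "/about?lang=en", ""),
]

if __name__ == "__main__":
    for notice in triage(SAMPLE_REQUESTS):
        print(notice)
```

Signature matching is the simplest possible decision logic and will produce both false positives and misses; that is why the severity attached here is only preliminary and, as the report describes, the CERT team still analyzes the flagged request and assigns the final Low/Medium/High rating.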

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS:

• Honeynet Project Annual Workshop 2013, Dubai
• OIC-CERT Cyber Security Drill 2013
• ITU Regional Cybersecurity workshop -2013, Muscat

FINDINGS:

• An increase in the number of compromised IP addresses collected, from around 68 countries.
• Most of those compromised IP addresses are infected by malware belonging to one of the following C&C/botnet families:
o ZeroAccess
o pushdo
o zeus
o GameOver_Zeus
o zeus-p2p
o Pushdo_SpamBot
o Sality_Virus
o Neurevt
o Ransomware

• There is an increase of about 85% in the number of phishing URLs received.
• The top phishing URLs target PayPal, Apple, Google, and Amazon.
High-level statistics are shown on the OCERT chapter website: http://cert.gov.om/honeynet

GOALS:

Our goals for 2014 are to enhance the current systems that monitor cyber threats. In addition, we plan to deploy the HoneEeBox.