UNAM Chapter Status Report for 2011

ORGANIZATION

1. UNAM Chapter is part of UNAM-CERT, an organization based in Mexico. The host organization for UNAM Chapter and UNAM-CERT is the National Autonomous University of Mexico.
2. Current chapter members and their activities
Javier Santillan - Chapter leader
Roberto Sanchez - Member
Ivan Alvarado - Member
Pablo Lorenzana - Member
Ruben Aquino - Member

The Chapter members are currently working on network traffic analysis, intrusion detection, deployment of darknet and honeypot technologies, development of an automated processing system for incident response, malware analysis and sandnet systems.
We had the honor and exciting opportunity of organizing The Honeynet Project Annual Workshop in Mexico City in April 2010 at UNAM facilities. We learned some lessons about logistics and now feel the responsibility to share our experiences and feedback for future workshops.

DEPLOYMENTS

1. We've deployed our Security Telescope across the University Network (RedUNAM) and some Mexican universities. We have a central system to process all information gathered by honeypots and network sensors.
2. Our sensors are running different tools and technologies:
Honeypots: Dionaea, Kippo, Honeytrap, Qebek, Sebek, Phoneyc, Cuckoo, Honeyc
IDS: Snort
Flow analysis: Argus, netflow and sflow data
3. We have been working on developing some Perl scripts to process, classify and analyze data.
4. We have designed and developed our own ISO image with honeypot, IDS, flow analysis and processing tools, in order to capture data compatible with UNAM-ST (UNAM Security Telescope). All this information (malware samples, pcap files, payload data, stats, etc.) is available to The Honeynet Project and other partner organizations of UNAM-CERT.
5. We deployed a malware lab for automated analysis.

RESEARCH AND DEVELOPMENT

1. We are developing Xibalbá, our automated sandnet. This system is based on Truman and other tools which provide monitoring, behavior analysis, a queue system, multi-client operation, support for the Windows platform and so on. Some tools have been adapted for specific purposes.
2. UNAM-ST has been deployed. It has several information sources such as UNAM-darknet, Core-sensors, Universities-sensors, etc. It can share information with organizations focused on computer security and incident response.
3. We have been working with tools such as Qebek, Cuckoo, Glastopf, Phoneyc, Dionaea, Honeytrap, Kippo, Honeywall, Honeyd, Honeyc, etc. on low- and high-interaction honeypots.
4. We have been improving the web interfaces for UNAM-ST and Xibalbá. The focus of these improvements is visualization, sharing and automation.
5. We just started research on virtual environments for malware labs using Xen and Qemu.
6. We are just starting the design of a detection and tracking system for botnet activities, with capabilities for evidence gathering, simulation and compatibility with UNAM-ST. This year it will be one of our developments.

FINDINGS

We have identified and classified common attacks in order to generate useful stats. We are using different techniques such as statistical, behavior and signature analysis.
Some attacks have specific behaviors: many systems are attacked at specific times (holidays and free days) with SSH brute-force attempts, some of them producing GBs of logs and lasting up to a week. Using the Kippo honeypot we can produce stats on the most common login attempts; some of our sensors report "alpine" as the most used password. It could be a kind of bot looking for mobile devices.
Main suspicious activities involve common ports such as 445, 1433, 1434, 22, 135, 80, etc. We can analyze this information and take advantage of other tools like honeyclients in order to get information on suspicious URLs, domains, blacklisted IPs, etc.
UNAM-ST lets us share information easily with many organizations, and we can combine it with or use tools like hpfeeds.
Improvements in visualization can help us determine trends and behavior more easily. That is the reason we are planning it as one of our focus areas this year.
We had some trouble with sensor deployment on a large (academic) scale. The first reason is the type of analysis and the number of IP addresses assigned to honeypots.
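As an added illustration of the kind of processing described above (this is example code written for this report, not the chapter's own Perl scripts or any UNAM-ST component), the block below computes login-attempt statistics from SSH honeypot log lines and destination-port counts from flow records. The sample log lines are constructed and only approximate the general shape of a Kippo login-attempt entry; the flow records are a constructed CSV, not Argus or netflow output; the watched port list is taken from the findings above.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of Kippo login-attempt entries.
# They are NOT real captures; addresses are documentation ranges (RFC 5737).
SAMPLE_KIPPO_LOG = """\
2011-04-02 03:12:43+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/alpine] failed
2011-04-02 03:12:45+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2011-04-02 03:12:47+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/alpine] failed
2011-04-02 03:12:49+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [admin/admin] failed
2011-04-02 03:12:51+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/alpine] succeeded
2011-04-02 03:12:53+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] CMD: uname -a
"""

# Constructed flow records (src,dst,dport,proto); not Argus/netflow native output.
SAMPLE_FLOWS = """\
198.51.100.7,192.0.2.10,22,tcp
198.51.100.7,192.0.2.11,22,tcp
203.0.113.9,192.0.2.10,445,tcp
203.0.113.9,192.0.2.12,1433,tcp
203.0.113.9,192.0.2.12,1434,udp
192.0.2.50,192.0.2.10,80,tcp
"""

# Ports the report names as carrying most suspicious activity.
WATCHED_PORTS = {22, 80, 135, 445, 1433, 1434}

# Timestamp, session id and source address come from the transport tag;
# user/password and outcome from the "login attempt" part of the line.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[.*?,(?P<session>\d+),(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] "
    r"(?P<result>failed|succeeded)$"
)


def parse_login_attempts(text):
    """Yield one dict per login-attempt line; other lines (e.g. CMD:) are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def login_stats(text):
    """Aggregate the statistics a sensor would report: top credentials and sources."""
    attempts = list(parse_login_attempts(text))
    return {
        "total": len(attempts),
        "top_passwords": Counter(a["password"] for a in attempts).most_common(3),
        "top_users": Counter(a["user"] for a in attempts).most_common(3),
        "attempts_per_source": Counter(a["src"] for a in attempts),
        # Sources that got past the honeypot's fake authentication deserve follow-up.
        "successful_sources": sorted(
            {a["src"] for a in attempts if a["result"] == "succeeded"}
        ),
    }


def port_stats(text, watched=WATCHED_PORTS):
    """Count flows per destination port, keeping only the watched ports."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _src, _dst, dport, _proto = line.split(",")
        counts[int(dport)] += 1
    return {port: n for port, n in counts.items() if port in watched}


if __name__ == "__main__":
    print(login_stats(SAMPLE_KIPPO_LOG))
    print(port_stats(SAMPLE_FLOWS))
```

Pointing `login_stats` at a real Kippo log file instead of the embedded sample is a one-line change; the regular expression is deliberately strict so that command lines and other non-authentication events are ignored rather than miscounted.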

PAPERS AND PRESENTATIONS

1. "UNAM Security Telescope", Computer Security Congress, Mexico 2010. (Spanish).

GOALS

1. We completed one of our goals related to the deployment of the UNAM Security Telescope, and now we can share information.
2. This year and next, we are planning to get involved in visualization and botnet monitoring. The focus will be on tool development, plugins or improvements for specific tasks.
3. We will be working on an automated processing system for high-interaction honeypot deployment (installation, gathering, analysis, cleaning, restoring, switching).

MISC ACTIVITIES
Every year we organize a Computer Security Congress. It's a balanced meeting which includes technical and non-technical talks. Its main purposes are to share experiences, to discuss trends and to give attendees a better perspective of computer security in Mexican networks and around the world.