Polish Chapter Status Report 2012 (Nov 2011 - Nov 2012)

ORGANIZATION
The Polish Chapter of the Honeynet Project was founded in November 2011. It consists of eight people:

  • Tomasz Grudziecki
  • Paweł Jacewicz
  • Łukasz Juszczyk
  • Piotr Kijewski
  • Adam Kozakiewicz
  • Krzysztof Lasota
  • Paweł Pawliński
  • Tomasz Sałaciński

The Polish Chapter of the Honeynet Project (find us at http://pl.honeynet.org) consists mostly of people employed at NASK and its department, CERT Polska. Our daily job is focused on analysing new threats, designing and developing tools, and researching methods for efficient mitigation of observed attacks. Being part of the Honeynet Project gives us a unique opportunity to draw on ideas and use tools produced by a community of excellent researchers and developers. We also aim to give back to the community as much as possible, both new tools and ideas in the form of reports and presentations. Many of the activities described below are associated with our daily job.

Areas of research conducted by the members:

  • Anomaly detection,
  • Reverse engineering,
  • Honeypot technology,
  • Web threats,
  • Novel methods for threat tracking and identification.

There were no changes in the structure of the Chapter during last 12 months.

DEPLOYMENTS

  • We have recently deployed two Honeeebox sensors. The gathered data is published to hpfeeds.
  • We are in the process of deploying HoneySpider Network 2.0 with a public interface allowing URL submission.

RESEARCH AND DEVELOPMENT
The Chapter released an open source honeypot, HSN Capture-HPC NG, which can work with HoneySpider Network 2.0. This version of Capture is based on the original one by Christian Seifert but adds new functionality, for example an extended logging format, the ability to work with VirtualBox or KVM, and simplified management and configuration. More information can be found on the project's web page at http://pl.honeynet.org/HoneySpiderNetworkCapture.
We are currently finishing the second version of the HoneySpider Network, which is planned to be released as open source in Nov/Dec 2012. More information on the new version of the system will be available soon on the project's web page at http://pl.honeynet.org/HSN2.
This year CERT Polska opened a new data sharing system called n6 (Network Security Incident eXchange) to the public. The system allows network owners to obtain various data about incidents observed by different monitoring services around the globe. More information on the project is available at http://n6.cert.pl.
In the near future we plan to develop an advanced interface for HoneySpider Network 2.0 designed especially for incident response teams (supporting dashboards, different visualizations, data querying and correlation).

FINDINGS
All of our current findings and analysis results are posted on the CERT Polska blog at http://cert.pl.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS
Last year we wrote a report on "Proactive detection of network security incidents", available at http://www.enisa.europa.eu/activities/cert/support/proactive-detection. It focused mostly on CERTs and how they can improve their methods of incident detection. The report was written with the CERT community in mind, but we recommend it as a good source of information even if you do not deal with incidents on a daily basis. The paper was presented at various security events, including the Honeynet Project Security Workshop, SF 2012.
This year a follow-up report was finished, titled "Proactive Detection of Security Incidents - Honeypots". This is a comprehensive study of current state-of-the-art honeypot solutions. It aims to give modern CERTs an outline of how to improve their early warning capabilities. The report is yet to be published by ENISA; the expected date is mid-December 2012.

Members of our Chapter presented their work at various conferences, including the annual FIRST Conference.

GOALS
We are a young chapter, finishing our first year of official operation within the Honeynet Project. Our goal is to find new methods of efficiently detecting and fighting malware by conducting research on various security topics. We share our knowledge with the community by creating open source tools, publishing papers and giving presentations. We are also partly involved in creating awareness-raising materials, like SANS OUCH! in Polish, and our members are engaged in creating security-related workshops and trainings.
During the next year of our operation we would like to continue our work, improve the tools we have already created and build an international community of their users.

MISC ACTIVITIES
As mentioned in the GOALS section, we are involved in the creation of various security workshops and trainings and of security awareness materials, and, as CERT Polska, we host an annual conference, SECURE.

MENTORING
Adam Kozakiewicz and Paweł Jacewicz were mentors for GSoC Project 15, "Further extend Capture-HPC with possibility of detecting malicious behavior on Linux Machines" (more info at http://honeynet.org/gsoc/slot15). The student successfully finished the assignment and presented it during the lightning talks session at the SECURE 2012 conference.