
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-09-16 InfoSec Handlers Diary Blog



Cyber Security Awareness Month - We Need Your Ideas

Published: 2007-09-16
Last Updated: 2007-09-16 19:42:17 UTC
by Marcus Sachs (Version: 1)

As many of you know, October is Cyber Security Awareness Month in the USA (and perhaps in other countries?).  We'd like to do a repeat of our popular "Tip of the Day" series we did last year, but we need your help.

With four full weeks (October 1st is on a Monday) and a half-week at the end, this year's plan is to have a common theme each week with a specific topic each day.  For example, we might decide that the first week is for a theme like traditional security measures, and subjects like firewalls, anti-virus software, intrusion detection, etc. become the daily topics.  Then the second week might be something like wireless security, with daily themes covering encryption, limiting the range of APs, etc.

What we need now are some ideas on the weekly themes.  We'll get to the daily topics later.  If you have suggestions please send them to us via the contact page.  Remember, right now we just need weekly themes, so pick five that would make good high level weekly areas and we'll ask for the daily topics later.  Next weekend we'll let everybody know what the top five themes are and will ask for topics.  Once we get the daily topics settled, we'll start asking for specific tips.  Each day we'll publish the tips we've received and give credit to the submitter if you want your name published.  Otherwise we'll let you stay anonymous.

Marc Sachs
Director, SANS Internet Storm Center


Learning about Bots

Published: 2007-09-16
Last Updated: 2007-09-16 16:00:15 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Pedro's diary entry yesterday on malicious file names reminded me that I wanted to point everybody again at the BotHunter honeynet web site.  There's a lot of new information there, beyond just the lists of evil IP addresses and DNS look-ups.  Check out Behavioral Clusters, where you'll see that with over 6000 infections caught in the honeynet there are only about a dozen bot profiles.  If you look at the daily catch (for example, September 15 vs September 14) you'll see that the behavioral cluster doesn't show up immediately but eventually gets updated.  On September 14 the majority of the infections are "Aug-Sept-A" clusters and all are easily detected by various Snort rules and AntiVirus signatures.

Another interesting tool is the geographic distribution of infection sources for a particular malware binary.  For example, the first infection for September 15 has a malware hash of a12cab51ef.  In the column labeled "Packed Malware Binary" you'll see a link to [Firefox:203 hits: 05-01 to 09-02].  If you follow that link you'll see a Google map that shows the infection sources for this particular piece of malware over the past few months.  Of course, the accuracy of the dots on the Google map depends on the accuracy of the ARIN, RIPE, APNIC, AFNIC, and LACNIC databases which as we know are all highly accurate and dependable.   :)

If you enjoy looking at the automated output of the honeynet, be sure to download a copy of the BotHunter program itself and run it inside your own environment.  This is a government funded research project so there is no charge for the public distribution.

Marc Sachs
Director, SANS Internet Storm Center
