Why F-Secure?


Internet threat monitoring and reporting service
Idar Kvernevik, Senior Researcher, Network Security, Security Research
Olli Salminen, Senior Manager, Lab Development, F-Secure Labs
Protecting the irreplaceable | f-secure.com
Project idea
• F-Secure has sensors that collect data about infected computers and suspicious activity on the Internet
• There is no easy way to mine and share this data with the network owners
Create a system for processing and sharing infection data with partners
2
April 6, 2016
© F-Secure
Technologies
• Preferably Python, Java (etc.) acceptable
• MySQL / PostgreSQL
• Django or some other similar framework can be used
• Linux Server (Debian)
Most important areas and our expectations
• User experience
• Interfaces with existing and future systems
• Collecting data from different sources into one system
• Security
  • Data confidentiality, non-exploitable system, securing the shared data, etc.
• Prototype of the system and documentation
Why F-Secure?
• Interesting, real-life project
• F-Secure provides dedicated people for follow-up
• F-Secure is a professional software development organization and will help make this project a success
… but at the same time a relaxed and nice atmosphere
• We have run the T4115 project many times and it has always succeeded: the result has been 4 or 5 every time
• F-Secure has hired people after earlier T4115 projects; this might be your chance
• We will arrange a project kick-off party and a project post-mortem party with food, snacks, beer, etc.
What kind of information do we have?
• Compromised computers (IP address and time stamp)
• Botnet controllers and other malicious servers (IP addresses, DNS names)
• Sites distributing high-risk malware (URLs)
• DNS domain registration information (who registers what, known bad guys?)
→ stored in an SQL database
System overview - TKK project work
[System overview diagram; only the box labels survived extraction. Components shown: Sinkhole system; Response systems; Honeypots etc.; Other systems; External systems; DNS mining; Normaliser; Database; Host ID; Locator; Account management database; Database administration interface; Web Portal; Data subscription GUI; Report generator; Report mailer; Visualisation tool.]
User story: infected host
1. A home user gets infected with malware
2. His computer tries to connect back to the malware command server
3. The connection hits the F-Secure sinkhole
4. F-Secure systems collect the host's IP address, a timestamp, and the type of infection
5. This information is passed on to the user's service provider
6. The service provider informs the user and provides him with the correct disinfection instructions
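The pipeline in the user story above, as an added example that is not part of the original slides or of F-Secure's own system: a toy normaliser, locator and report generator in Python (the preferred language on the technologies slide). The log format, the partner prefix table, the sample hits and the report shape are all assumptions, and the addresses come from the documentation ranges. It shows the point the security slide asks for: each partner's report contains only hosts inside that partner's own prefixes, and hits that cannot be attributed (private addresses, or addresses outside every partner's prefixes) are held back rather than shared with anyone.

```python
"""Added example, not F-Secure's code: a toy normaliser, locator and report
generator for sinkhole hits, following the "infected host" user story.
The log format, partner table and report shape are all assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sinkhole log (made-up data using documentation address ranges).
# Format assumed here: "<ISO timestamp> <source IP> <infection name>".
SINKHOLE_LOG = """\
2016-04-06T10:15:02Z 192.0.2.17 conficker
2016-04-06T10:15:09Z 198.51.100.250 zeus
2016-04-06T10:16:44Z 203.0.113.9 conficker
2016-04-06T10:17:01Z 192.0.2.17 conficker
2016-04-06T10:17:30Z 10.0.0.5 zeus
2016-04-06T10:18:12Z 198.51.100.7 zeus
2016-04-06T10:19:00Z 203.0.113.200 zeus
this line is not a sinkhole record
"""

# Hypothetical partner table: network owner -> prefixes it is responsible for.
# isp-b's /25 is carved out of isp-a's /24, so longest-prefix match must win.
PARTNERS = {
    "isp-a": ["192.0.2.0/24", "198.51.100.0/24"],
    "isp-b": ["198.51.100.128/25", "203.0.113.0/25"],
}

# Addresses that cannot be attributed to any network owner (RFC 1918, loopback,
# carrier-grade NAT). Listed explicitly rather than via IPv4Address.is_global,
# because is_global is also False for the documentation ranges used above.
NON_ATTRIBUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "100.64.0.0/10")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: ipaddress.IPv4Address
    infection: str


def normalise(log_text):
    """Normaliser: turn raw log lines into Events; return (events, rejected)."""
    events, rejected = [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            if len(parts) != 3:
                raise ValueError("expected 3 fields")
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            ip = ipaddress.IPv4Address(parts[1])
        except ValueError as err:  # AddressValueError is a ValueError too
            rejected.append((line, str(err)))
            continue
        if any(ip in net for net in NON_ATTRIBUTABLE):
            rejected.append((line, "non-attributable address"))
            continue
        events.append(Event(ts, ip, parts[2]))
    return events, rejected


class Locator:
    """Locator: map an IP to the responsible partner by longest-prefix match."""

    def __init__(self, partners):
        self.table = sorted(
            ((ipaddress.ip_network(p), name) for name, nets in partners.items() for p in nets),
            key=lambda item: item[0].prefixlen, reverse=True)

    def owner(self, ip):
        for net, name in self.table:
            if ip in net:
                return name
        return None  # no partner is responsible for this address


def build_reports(log_text, partners):
    """Report generator: one report per partner, listing only that partner's hosts.
    Returns (reports, unassigned, rejected); unassigned hits are shared with nobody."""
    events, rejected = normalise(log_text)
    locator = Locator(partners)
    per_host = defaultdict(dict)  # partner -> ip -> summary of that host's hits
    unassigned = []
    for ev in events:
        name = locator.owner(ev.ip)
        if name is None:
            unassigned.append(ev)
            continue
        h = per_host[name].setdefault(str(ev.ip), {
            "first_seen": ev.ts, "last_seen": ev.ts, "hits": 0, "infections": set()})
        h["first_seen"] = min(h["first_seen"], ev.ts)
        h["last_seen"] = max(h["last_seen"], ev.ts)
        h["hits"] += 1
        h["infections"].add(ev.infection)
    # Every partner gets a report (possibly empty), never another partner's hosts.
    reports = {name: dict(per_host[name]) for name in partners}
    return reports, unassigned, rejected


if __name__ == "__main__":
    reports, unassigned, rejected = build_reports(SINKHOLE_LOG, PARTNERS)
    for partner, hosts in reports.items():
        print(partner, hosts)
    print("unassigned:", [str(e.ip) for e in unassigned])
    print("rejected:", rejected)
```

With the constructed log, 198.51.100.250 lands in isp-b's report even though it is also inside isp-a's /24, because the more specific /25 wins; 203.0.113.200 matches no partner and stays in the unassigned bucket, and the private 10.0.0.5 hit and the malformed line are rejected by the normaliser with a reason, which a real system would log for the database administration interface rather than discard silently.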
User story: suspect DNS domain
1. Salli Olminen has registered many malicious domains in the past
2. He registers a new domain called malware-r-us.com
3. Our systems discover that this new domain is owned by Salli Olminen
4. The info sharing system passes this information to the domain registrar
5. The domain registrar disables the domain
User story: impending phishing attack
1. F-Secure Labs discover that a new malware is targeting customers of one particular bank
2. They register this information in the ITMRS (the Internet threat monitoring and reporting service)
3. The bank receives a notification from the system
4. The bank notifies its customers and hardens its net banking system ahead of the attack
5. The attack fails
Thank you!
Idar Kvernevik
[email protected]
040-506 5137