38C3 2024

Day 3 (3573) Jared Naude (140)

Power over Ethernet? 🧐

(Photo @leah)

Attack Mining: How to use distributed sensors to identify and take down adversaries by Lars König

Buckle up for a deep dive into the constant battle to protect systems on the internet against adversaries gaining access, and how you can help make the internet a safer place!

🧵

Adversaries will often brute force well-known user names (root, admin, user, test, etc.). However, they will also create a list that is specific to a domain and site. The next set of users that are targeted are accounts created by applications that are installed (e.g. postgres).

From the data, Lars has created these 2 diagrams. The first diagram shows where the attacks come from. The second diagram shows the map of IoT devices.

Lars has a setup of 250 sensors that logs ~12.5 million events per day.

The speaker investigated these passwords and found devices that were being targeted. One example was a Raspberry Pi in South Korea. The speaker was able to get access to the instance and was able to investigate further by using netstat -apn and pstree -a.

The speaker went through a forensic process to understand how the Pi was compromised and found a number of IP addresses which look like Tor exit nodes; however, that doesn't make sense, as the traffic did not go through the Tor network.

Working with law enforcement is tricky as end users wouldn't know what to do if they receive a notification. Sending letters to ISPs may be helpful but is not scalable to thousands or even millions of reports.

The speaker has automated this process by monitoring IP addresses, identifying the ISP contact, sending an abuse notification, and then monitoring for replies, which go to an LLM that responds with any additional information as needed.

This still has a big problem, as it requires a human to look at it. XARF is a common format for creating these reports, and parsers can be built to parse them. XARF reports have several attributes that can be included, such as date, time and logs that can be attached to an abuse report.

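As an added example (not from the talk or this thread): a small Python script that aggregates constructed sshd-style sensor events per source IP and assembles an XARF-style abuse report of the kind described in the posts above. The report's field names are patterned after XARF v3 but are assumptions here; validate against the published schema before sending anything.

```python
# Added example, not code from the talk or the thread. Aggregates constructed
# sshd "Failed password" events per source IP and builds an XARF-style report.
import json
import re
from collections import defaultdict

# Constructed sample sensor events (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Dec 29 10:01:02 sensor01 sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 29 10:01:03 sensor01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec 29 10:01:05 sensor01 sshd[812]: Failed password for invalid user postgres from 203.0.113.7 port 51030 ssh2
Dec 29 10:02:10 sensor02 sshd[433]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)

def aggregate(log_text):
    """Group failed logins by source IP: attempt count, usernames tried, raw lines."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "lines": [], "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a failed-login event
        rec = by_ip[m["ip"]]
        rec["count"] += 1
        rec["users"].add(m["user"])
        rec["lines"].append(line)
        rec["first_seen"] = rec["first_seen"] or m["ts"]
    return by_ip

def xarf_style_report(ip, rec, reporter_email="abuse@example.org"):
    """One report per source IP; field names assumed from XARF v3, check the schema."""
    return {
        "Version": "3",
        "ReporterInfo": {"ReporterOrg": "Example Sensor Network",
                         "ReporterContactEmail": reporter_email},
        "Disclosure": True,
        "Report": {
            "ReportClass": "Activity",
            "ReportType": "LoginAttack",
            "Date": rec["first_seen"],  # constructed syslog format; convert to RFC 3339 for real use
            "SourceIp": ip,
            "Attempts": rec["count"],  # assumed field name
            "Samples": [{"ContentType": "text/plain", "Base64": False,
                         "Payload": "\n".join(rec["lines"])}],
        },
    }

if __name__ == "__main__":
    for ip, rec in aggregate(SAMPLE_LOG).items():
        print(json.dumps(xarf_style_report(ip, rec), indent=2))
```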