الابتكار والفعالية في الأمن السيبراني
ملخص الدراسة
نشر مركز بحوث تعزيز الحماية السيبرانية في لبنان CERT بالتعاون مع جامعة العلوم والآداب اللبنانية (USAL) دراسته التحليلية الأولى عن الهجمات الإلكترونية في فضاء لبنان السيبراني. تهدف هذه الدراسة إلى الكشف عن حجم الاختراقات التي تتعرض لها الأنظمة المعلوماتية في القطاعات اللبنانية المختلفة، وبشكل مستمر، اضافة الى مصادر هذه الاختراقات.
قامت الدراسة بجمع وتحليل بيانات اختراق لعيّنة مؤلفة من 10 خدمات تنتشر في العديد من أنظمة المعلومات الرقمية في لبنان. استخدمت الدراسة تقنية ال Honeypots وهي عبارة عن برامج يتم من خلالها اصطياد مخترقي الشبكات او من يحاولون اختراقها.
كشفت الدراسة عن تعرّض هذه الخدمات المعلوماتية الالكترونية لأكثر من مليونين وخمسمائة ألف محاولة اختراق خلال الأسابيع الثلاثة الأخيرة من شهر كانون الثاني 2022 أي ما بين 10-01-2022 وحتى 30-01-2022، ما يُهدد خسارة بيانات الأنظمة التي تستخدم هذه الخدمات في حال عدم تحديثها وحمايتها سيبرانيا. كما وأظهرت الدراسة عن أنّ بعض المخترقين يعمدون في هجومهم على استغلال الثغرات الأمنية الموجودة في الخدمات المعلوماتية المستخدمة، والبعض الآخر يحاول استغلال ضعف كلمات السر للحسابات خلال محاولات الاختراق.
إنّ خلاصة هذه الدراسة هي إظهار الازدياد الملفت للنشاط الأمني الهجومي في الفضاء السيبراني اللبناني حيث ينبغي لمالكي الأنظمة والتطبيقات ضمن النطاق الرقمي اللبناني الاستفادة من نتائج التحليل لتحسين خططهم الأمنية لضمان استمرار عمل أنظمتهم، والحد من فتح المنافذ، ومراقبة حركة المرور غير المرغوب فيها والتي يُبلّغ عنها بواسطة أنظمة المراقبة السيبرانية الخاصة ، اضافة بناء آلية قوية لتحديد هوية المستخدمين والمصادقة على دخولهم وعلى كافة أنشطتهم.
إن الدراسات التي يجريها المركز انسجاماً مع رسالته وأهدافه تهدف إلى رفع للصوت عالياً للالتفات الى خطورة الواقع الأمني الرقمي في لبنان وهي دعوة مباشرة لكل المعنيين في القطاعين الحكومي والخاص للتواصل والتكامل مع هذه الجهود المبذولة في سبيل بناء منظومة حماية أمنية سيبرانية متكاملة على المستوى الوطني.
Introduction
The rapid growth of internet usage paved the way for the evolution of interconnected systems leading to a fully connected world of devices. Such devices as smart TV, smart fridge, baby monitor, and so on, are mostly targeted due to their low-cost values, lack of adequate security hardening, poor vendor focus on security aspects, and they can be easily used as a source to attack further systems or networks.
Traditional defensive controls in cyberspace are no longer efficient for protecting networks and data of interest due to many unexpected emerging flaws progressively in the IT protocols and digital systems. Matured intelligent security strategies consider orchestration of tools to cover the entire security posture across the protected scope. Key element within the set of tools is an early warning system as of Honeypots. Honeypots simulate vulnerable systems or services and trap threat actors , which help estimate their behavior to strengthen the deployed defensive strategy. In our study, we aim to understand the cyber-attacks that roam around the Lebanese perimeter. To this end, we deployed as a first step several honeypots on one public system located in the capital city area. The deployed system has a main goal to detect automated attacks where threat actors apply large scans to identify vulnerabilities and exploit these.
This study will discuss and visualize the result of 10 honeypots devices that mimic the T-Pot implementation originally created by Deutsche Telekom [1]. T-Pot is a ready-to-deploy system running on Linux which comprises multiple honeypots each is configured to track specific services and vulnerabilities. The systems are designed with a friendly graphical user interface that can be accessed through the web beside other access methods, which provides a meaningful option for viewing the captured logs in different formats. The traffic was collected by Honeypots over 21 days from January 8th – February 1st, 2022 . Throughout our study, we focused on answering the following:
- What are the most attractive services for attackers?
- Where do most attacks originate from?
- How are attacks distributed over time?
- What username/password are mostly attempted by threat actors?
Selected Honeypots
The following table shows a brief description of the deployed honeypots.
| Honeypot | Description |
|---|---|
| Dionaea | A python script using libemu to detect shellcodes, supporting IPv6 and TLS |
| RDPy | A python implementation of Microsoft Remote Desktop Protocol (RDP), client and server side |
| Mailoney | An SMTP email honeypot that provides custom modes to fit the needs |
| Cowrie | A medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker |
| Honeytrap | A network security tool that observes attacks against TCP or UDP services |
| CiscoASA | Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability |
| ADBHoney | The Android Debug Bridge (ADB) is a protocol made to control and track connected android devices (phones, tablets…) using several tools and commands |
| Heralding | Simple honeypot logger that collects credentials |
| SNARE/TANNER | SNARE is a web application honeypot sensor, TANNER is SNARES "brain". Every event is sent from SNARE to TANNER, gets evaluated and TANNER decides how SNARE should respond to the client |
| Citrix | Honeypot for CVE-2019-19781 (Citrix ADC), detects and logs CVE-2019-19781 scans and exploitation attempts |
Number of Attacks
The selection of the honeypots is based on the criticality of the services they simulate. For example, the Cisco ASA is deployed in all Cisco firewalls deployed in most Cisco based networks. The RDPY is the python implementation of the Microsoft RDP protocol widely used in windows servers.
The analytics showed that within 21 days more than 2,500,000 attacks had been performed , as depicted in the next figure. Hereby, Cisco ASA and Citrix ADC had been tackled by 16,268 and 667 attacks, respectively. Pointing these two aforementioned services is because it has been previously proven in [2] that many systems in the Lebanese perimeter are vulnerable due to these services.
To identify the activeness of attackers over the Lebanese perimeter, the next figure presents the distribution of the attacks over the time, per honeypot. It can be noticed that for most of the deployed honeypots, the attacks are quasi-uniformly distributed, which might indicate a periodic scan performed over the perimeter. However, for some honeypots like Cisco ASA, one can realize that there are some specific periods where the attackers were very active, such as on 25-01-2022 with more than 15,000 attacks. This leads to a conclusion that the perimeter is exposed to the whole world and any existing vulnerability is actually known to thousands of attackers.
Origin of Attacks
Looking at the origin of attacks, it was noticed that the United States is ranked on top with more than 60% of the attacks . Other countries in the ranking scale are Lebanon, Vietnam, and Russia. It is unusual to count so many attacks from the origin country of Lebanon, therefore it is planned to further investigate the analysis results that are sourced from Lebanon as the assumption is that other countries have more powerful scanning capabilities in cyberspace.
The next figure shows that 95% of the attackers are mainly classified in the “known attacker” category, whereas 2% are classified in the bad reputation category. The remaining attacks are classified as of crawling, mass scanning, and spamming activities. Such results highlight the high risk level of being exposed online and stresses more the importance of our work in [2] on uncovering unpatched critical vulernabilities..
Top Username Password Used by Hackers
The figure below illustrates the main used combination of usernames/passwords. It is obvious that trivial built-in accounts such as root, administrator, guest, beside other derivations and known service accounts, are the primary targets. Password provided attempts for the targeted accounts are basics from any password dictionary files as of admin, sequence of numbers, or default password set by product/application providers. The results demonstrate the need for a stronger password policy and the implementation of advanced authentication methods as of MFA (Multi-factor authentication) .
Conclusion
The main purpose of this study is to demonstrate how threat actors are very active in the lebanese cyberspace and how system and application owners within the Lebanese perimeter scope should benefit from the analysis results to improve their security plans to assure continuous system patching, limit open ports, monitor unsolicited traffic reported by their monitoring systems, and build a strong identification & Authentication mechanism.
References
[1] T-Pot, Deutsche Telekom, Apr. 2022, https://github.com/telekom-security/tpotce[1] Lebanon CERT, Jan. 2022, https://lebanoncert.org/en/blog/vulnerabilities_study
