the wombat api
play

THE WOMBAT API handling incidents by querying a world-wide network - PowerPoint PPT Presentation

Sep 04, 2023 •378 likes •518 views

THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots Piotr Kijewski, Adam Kozakiewicz 15th June 2010 22nd Annual FIRST Conference, Miami WOMBAT Project EU 7th FRAMEWORK PROGRAMME (2008-2010)

  1. THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots Piotr Kijewski, Adam Kozakiewicz 15th June 2010 22nd Annual FIRST Conference, Miami

  2. WOMBAT Project  EU 7th FRAMEWORK PROGRAMME (2008-2010)  Worldwide Observatory of Malicious Behaviour and Attack Threats ( http://www.wombat-project.eu )  Cyber-crime becomes harder to battle  Malware specifically designed to defeat today's best practices  Organization is consolidating malicious activity into a profitable professional endeavour  Data collection and sharing is limited  Collection initiatives are heterogeneous  Privacy or confidentiality limits sharing  Data structure and analysis remains private  No investigation framework exists for consistent and systematic malware analysis

  3. The WOMBAT approach Malware analysis Data Context analysis enrichment (WP4) M e A e t a g n s - a i a d s l r y a y o l s t t a a i S n s A New security Honeypots technologies Data Threat acquisition analysis Crawlers New security practices (WP3) (WP5) New collection External feeds Knowledge practices

  4. Participants

  5. Existing datasets in WOMBAT C LIENT HONEYPOTS S ERVER HONEYPOTS SGNet Shelia HSN HARMUR FORTH Wepawet NoAH + extras BlueBat M ALWARE O THERS COLLECTIONS VirusTotal Anubis WAPI API

  6. WOMBAT API (or WAPI for short)  What the WAPI is :  A SOAP-based API to easily allow a client to traverse a hierarchy of objects, characterized by attributes, methods and references.  What the WAPI is not :  An ontology  A detailed specification of how a security related dataset should look like  Language-specific. Reference implementation in python, but accessible from any programming language offering a SOAP library (C,C++,Java,PHP,…)

  7. Accessing the datasets  Mandatory services:  get_objects()  get_documentation()  get_methods(object)  get_references(object)  get_attributes(object)  exists(object,identifier)  call_method(object,identifier,method,atts)  follow_reference(object,identifier,method,atts)  Mandatory objects:  Dataset, must have a unique identifier (for example: "hsn")

  8. What else?  Apart from the previous, hardly any standardization:  IP addresses should be specified in dotted decimal format,  if one IP address is associated with each object of a given type then the corresponding attribute should be named IPAddress,  dates should be specified in the ISO 8601 format, etc.  SSL-based (certificate) authentication  Currently only one privilege level (multiple ones will be supported in the future)

  9. CLI __ __ _____ _____ \ \ / /\ | __ \_ _| \ \ /\ / / \ | |__) || | \ \/ \/ / /\ \ | ___/ | | \ /\ / ____ \| | _| |_ \/ \/_/ \_\_| |_____| The WOMBAT API (version 1.0) Connecting to the WAPI datasets -> harmur : success -> virustotal : success -> wepawet : success -> anubis : success -> hsn : success -> shelia : success -> sgnet : success -> forth : success You are connected to 8 WAPI datasets!

  10. Example usage … > f=virustotal.get_file(md5="3228c641929bb40475c44a26bda8531a")[0] > print f.first_seen '2009-05-27 15:38:11' > an=f.get_first_analysis() > print an.av_positives_report {'GData': ['Exploit.PDF-JS.Gen', '19', '2009.05.27'], 'AntiVir': ['HEUR/HTML.Malware', '7.9.0.168', '2009.05.27'], 'McAfee-GW-Edition': ['Heuristic.HTML.Malware', '6.7.6', '2009.05.27'], 'Sophos': ['Troj/PDFJs-AX', '4.42.0', '2009.05.27'], 'ClamAV': ['Exploit.PDF-63', '0.94.1', '2009.05.27'], 'Authentium': ['PDF/Obfusc.B!Camelot', '5.1.2.4', '2009.05.27'], 'BitDefender': ['Exploit.PDF-JS.Gen', '7.2', '2009.05.27'], Sunbelt': ['Exploit.PDF-JS.Gen (v)', '3.2.1858.2', '2009.05.27'], 'VirusBuster': ['JS.Shellcode.AD', '4.6.5.0', '2009.05.26']}

  11. WAPI DEMO (First performed by the WOMBAT consortium at the 2nd WOMBAT Workshop in St. Malo, France in September 2009) In this scenario, the participants take on the role of CERT responders from a bank. The bank needs to conduct a (forensics) investigation of the machine of a client that has reported a fraud case via electronic banking. The bank up to now has excluded that the fraud was related to phishing or any other physical swindle. A brief analysis of the infected client does not show any clear evidence of infection, no suspicious BHO is detected and no suspicious registry entries are found in the system…

  12. WAPI DEMO The client affected by the fraud is connected to the Internet through an HTTP proxy, and has agreed to give you the list of the HTTP activity of the infected machine in the last week. After a brief look at such activity, you notice a large amount of HTTP requests towards a suspicious domains. Such requests are performed every 20 minutes approximately, during working hours but also during night and weekends. All the queried URLs are similar to the following one : http://ijmkkyjves.net/iE=eQBHE8cNe8DRM So, what happened???

  13. piotr.kijewski@cert.pl QUESTIONS?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rooming Houses Womens Housing Ltd and Wombat Housing and Support Services Partnership

Rooming Houses Womens Housing Ltd and Wombat Housing and Support Services Partnership

wombat housing and support services Rooming Houses Womens Housing Ltd and Wombat Housing and Support Services Partnership Women's Housing Limited and Wombat Partnership 27/03/13 Wombat Housing and Support Services WHSS provides services

539 views • 31 slides
Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom

Wombat: one more Bleichenbacher attack toolkit Olivier Levillain Aina Toky Rasoamanana Tlcom SudParis GreHack 2019 15 novembre 2019 Levillain & Rasoamanana Wombat 1/27 Plan RSA and PKCS#1 v1.5 in a nutshell Bleichenbacher : the

845 views • 48 slides
Domesticating survey data Thomas Lumley University of Auckland @tslumley wombat by

Domesticating survey data Thomas Lumley University of Auckland @tslumley wombat by

Domesticating survey data Thomas Lumley University of Auckland @tslumley wombat by Flicker user Neerav Bhatt 1970s: 1-2/year Now: ~1/day continues to provide a highly readable, practical treatment of the subject. Keeping

760 views • 33 slides
WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget

WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget

WOMBAT: towards a Worldwide Observatory of Malicious Behaviors and Attack Threats Fabien Pouget Institut Eurcom January 24th 2006 TF-CSIRT 2006 Observations There is a lack of valid and available data The understanding of Internet

778 views • 49 slides
Real Data Real Issues what they never told me at Uni Phil Brierley WOMBAT 18 th February

Real Data Real Issues what they never told me at Uni Phil Brierley WOMBAT 18 th February

Real Data Real Issues what they never told me at Uni Phil Brierley WOMBAT 18 th February 2016 Data Prep v Predictive Modelling Time wise 80% - Data Prep 5% - Model Building 50% - Explaining results Data Scientists like to over

910 views • 44 slides
The Joy of Text Andrew Robinson CEBRA / School of Mathematics & Statistics University of

The Joy of Text Andrew Robinson CEBRA / School of Mathematics & Statistics University of

The Joy of Text Andrew Robinson CEBRA / School of Mathematics & Statistics University of Melbourne February 19, 2016 Centre of Excellence for Biosecurity Risk Analysis WOMBAT Making Data Analysis Easier WOMBAT Making Data

757 views • 38 slides
Week 11 -Wednesday What did we talk about last time? Exam 2 Before that: Review

Week 11 -Wednesday What did we talk about last time? Exam 2 Before that: Review

Week 11 -Wednesday What did we talk about last time? Exam 2 Before that: Review Before that: Networking What if you want to hold a lot of int values, or String values, or Wombat values? You make an array! But

318 views • 20 slides
Be Be a Hawk not a Tu Turkey How a Birds Eye View of your Data Can Streamline Data Analysis

Be Be a Hawk not a Tu Turkey How a Birds Eye View of your Data Can Streamline Data Analysis

Be Be a Hawk not a Tu Turkey How a Birds Eye View of your Data Can Streamline Data Analysis Nicholas Tierney PhD Candidate QUT WOMBAT, Melbourne Zoo 19/02/2016 The Project 2 C Can you have a look at the data? What does that

616 views • 34 slides
Twitter Data Analysis with R Yanchang Zhao RDataMining.com Making Data Analysis Easier

Twitter Data Analysis with R Yanchang Zhao RDataMining.com Making Data Analysis Easier

Twitter Data Analysis with R Yanchang Zhao RDataMining.com Making Data Analysis Easier Workshop Organised by the Monash Business Analytics Team (WOMBAT 2016), Monash University, Melbourne 19 February 2016 1 / 40 Outline Introduction

976 views • 40 slides
P2 ENGLISH LANGUAGE 2015 OUTLINE MISSION APPROACH TO EL TEACHING P2 ENGLISH

P2 ENGLISH LANGUAGE 2015 OUTLINE MISSION APPROACH TO EL TEACHING P2 ENGLISH

P2 ENGLISH LANGUAGE 2015 OUTLINE MISSION APPROACH TO EL TEACHING P2 ENGLISH CURRICULUM HOW PARENTS CAN PROVIDE SUPPORT EXAM MATTERS MISSION To equip our pupils with literacy skills that enable them to be linguistically

347 views • 31 slides
2018 Networking AGENDA 2018 Subject Teachers School Goals School Rules &

2018 Networking AGENDA 2018 Subject Teachers School Goals School Rules &

2018 Networking AGENDA 2018 Subject Teachers School Goals School Rules & Discipline Issues Attendance & Communication Homework Policy Assessment Details Subject Expectation OUR GOALS To instill values in

867 views • 63 slides
The Honorable Nathan Deal, Governor September 24, 2015 8/25/2015 1 Welcome Approval of

The Honorable Nathan Deal, Governor September 24, 2015 8/25/2015 1 Welcome Approval of

The Honorable Nathan Deal, Governor September 24, 2015 8/25/2015 1 Welcome Approval of Minutes from August 25, 2015 Meeting Report of Progress by each Sub-Committee Funding Early Childhood Move on When Ready Teacher

1.01k views • 65 slides
Multi Language Support for Virtual Assistants Arabic/Spanish case study Sierra Kaplan-Nelson,

Multi Language Support for Virtual Assistants Arabic/Spanish case study Sierra Kaplan-Nelson,

Multi Language Support for Virtual Assistants Arabic/Spanish case study Sierra Kaplan-Nelson, Max Farr, Mehrad Moradshahi Motivation People expect to be able to talk to their VA

135 views • 11 slides
Welcom e to Year Three! Year 3 Induction Overview Support and Key Contacts Student

Welcom e to Year Three! Year 3 Induction Overview Support and Key Contacts Student

Welcom e to Year Three! Year 3 Induction Overview Support and Key Contacts Student Representation Health and Safety Curriculum and Assessment Empirical Project in Detail Coursework Submission, Marking, and

591 views • 46 slides
& HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

& HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR

W R I T E H E R E S O M E T H I N G STUDENT ORIENTATION & HANDBOOK As of 11 May 2020 S C H O O L O F M U S I C A N D T H E A R T S ABOUT OUR SCHOOL C P E R e g i s t r a t i o n N u m b e r : 199103776M Va l i d i t y P e r

823 views • 64 slides
Agenda 10.30 Summer update on key EFA and SFA funding and data changes for 2014/15 and beyond Nick

Agenda 10.30 Summer update on key EFA and SFA funding and data changes for 2014/15 and beyond Nick

26 Jun 14 Summer Data Conference 26 June 2014 Twitter #SDC14 Nick Linford Director at Lsect Agenda 10.30 Summer update on key EFA and SFA funding and data changes for 2014/15 and beyond Nick Linford, author of www.fundingguide.co.uk

1.03k views • 29 slides
Lecture 0X Careers Prof. Katherine Gibson www.umbc.edu Todays Objectives To introduce

Lecture 0X Careers Prof. Katherine Gibson www.umbc.edu Todays Objectives To introduce

CMSC201 Computer Science I for Majors Lecture 0X Careers Prof. Katherine Gibson www.umbc.edu Todays Objectives To introduce careers in Computer Science To explore using Computer Science with other fields (interdisciplinary) To

594 views • 31 slides
Proposed Teacher Compensation Model September 4, 2014 highly e ff e ct ive Jeffco has five

Proposed Teacher Compensation Model September 4, 2014 highly e ff e ct ive Jeffco has five

Proposed Teacher Compensation Model September 4, 2014 highly e ff e ct ive Jeffco has five different licensed salary schedules Entry level salary should be determined for each effective Model does not outline proposed salary

217 views • 8 slides
B U I L DI NG CO M M U NI T Y CAPACIT Y TH RO UG H TH E S U P ERF U ND J O B T RA I NI NG I

B U I L DI NG CO M M U NI T Y CAPACIT Y TH RO UG H TH E S U P ERF U ND J O B T RA I NI NG I

B U I L DI NG CO M M U NI T Y CAPACIT Y TH RO UG H TH E S U P ERF U ND J O B T RA I NI NG I NI T I AT I V E M E L I S S A F R I E D L A N D, S U P E R J T I P R O G R A M M A N AG E R , R E G I O N S 1 - 5 V I O L A C O O P E R , S U P E

658 views • 33 slides
Chapte pter 9: 9: Re Reporting Chapte pter 6: 6: Equal qual Opportunity Opportunity, Fa Fair

Chapte pter 9: 9: Re Reporting Chapte pter 6: 6: Equal qual Opportunity Opportunity, Fa Fair

Chapte pter 9: 9: Re Reporting Chapte pter 6: 6: Equal qual Opportunity Opportunity, Fa Fair Housi Housing, and and Secti Section 3 DEHCR Bureau of Community Development Required Reports 145 Reporting Process Construction (Your Project)

632 views • 52 slides
Lecture 10 Equality and Hashcode Leah Perlmutter / Summer 2018 Announcements Announcements

Lecture 10 Equality and Hashcode Leah Perlmutter / Summer 2018 Announcements Announcements

CSE 331 Software Design and Implementation Lecture 10 Equality and Hashcode Leah Perlmutter / Summer 2018 Announcements Announcements This coming week is the craziest part of the quarter! Quiz 4 due tomorrow 10 pm HW4 due tomorrow

750 views • 58 slides
Contributions to Diversity and Inclusion Statement Debbie Hatke The Initiative In December

Contributions to Diversity and Inclusion Statement Debbie Hatke The Initiative In December

Contributions to Diversity and Inclusion Statement Debbie Hatke The Initiative In December 2015, President Ono announced that UC will be requesting that ALL job applicants include a Contribution to Diversity and Inclusion statement that

367 views • 14 slides
Discussion on "Long-Term Trends of Income and Wage Inequality in China" Authors: Shi

Discussion on "Long-Term Trends of Income and Wage Inequality in China" Authors: Shi

Discussion on "Long-Term Trends of Income and Wage Inequality in China" Authors: Shi Li, Terry Sicular and Zhong Zhao Discussant: Chao Fu June 17th, 2013 Contribution of the Paper This paper enhances our understanding of inequality

771 views • 47 slides
How a Human Rights Act would work in prac6ce Chloe Wood, Solicitor in the Civil Law and Human

How a Human Rights Act would work in prac6ce Chloe Wood, Solicitor in the Civil Law and Human

How a Human Rights Act would work in prac6ce Chloe Wood, Solicitor in the Civil Law and Human Rights Unit at the Aboriginal Legal Service of WA Key objec6ves of a Human Rights Act Require parliament and Provide people whose the public sector

330 views • 9 slides

More recommend