Project Results

TEAM 1: The Search for Emerging Threat Intelligence (SETI) is moving to the next level

Pilot project: Deploying honeypots in the cloud will allow large-scale undertakings to collect sophisticated malicious artefacts and emerging threats. Attracting these sophisticated and emerging threats will give organizations information on how to prepare for tomorrow.

1.1 Internet of Things (IoT) Malware Sandboxing


• Developed the concept of specialized IoT sandbox. It is built on top of a generic IoT sandbox by applying the firmware of specific IoT devices.

• Developed a specialized sandbox for analyzing VPNFilter IoT malware.

• Analyzed Mirai and VPNFilter malware samples in the generalized and specialized IoT sandboxes, respectively.

• Developed the capability to do both generalized and specialized IoT malware analysis in the automated sandbox.

• Provided a list of recommendations for countering sandbox evasion in the current Android sandbox.

• Developed Android device fingerprinting techniques that can be applied to the sandbox.

• Enhanced Android sandboxing capabilities.

1.2 BareMetal: Improve Capabilities of Physical Host used for Malware Analysis


• Developed a REST API service.

• Assembled Windows XP, 7 and 10 and Ubuntu 18.04 copy-on-write (COW) images with instrumentation.

• Developed the start of an AssemblyLine service using the Cuckoo agent.

• Developed the ability to network boot a Raspberry Pi using customizable images, and the ability to programmatically power cycle a Raspberry Pi.

• Developed key building blocks towards an automated BareMetal IoT analysis environment.

1.3 Minks: Low-Cost Honeypot on a Network using Raspberry Pi


• Extended the honeytrap framework to implement Zigbee and Wi-Fi honeypots.

• Extended the honeytrap framework to implement ICS protocols (Modbus, BACnet, DNP3).

• Added capability to tunnel traffic to another source.

• Wrapped most items within Docker for easier deployment.

• Created remote control management (web based) for the honeypots to change or edit their current capability.

1.4 HoneyNet: Large-Scale Honeypots in the Cloud


• Automated infrastructure deployment of HoneyNet on Azure using Gitlab-CI and Terraform.

• Deployed two honeypots running Cowrie, which can then be customized with Ansible scripts.

• Deployed customized Cowrie instances (Samsung S6 AARCH / Ubiquiti).

• Built an OpenVPN tunnel to use the darknet.

• Provided IoT (MIPS) samples to other teams.

• Developed a PHP Overload honeypot named Overlord.

• Developed logic to classify samples by their infection routine.

• Developed Kibana dashboards showing a world map of incoming connections.

1.5 Open Source: For the Community to Contribute


• Open sourced the Automated Experiment Systems (AES) project to the GeekWeek community.

• Developed a VirtualBox-based desktop malware analysis solution with the open-sourced AES.

• Allowed the community to work on the AES project to help enhance and enrich it.

TEAM 2: Information Sharing Systems (ISS), collaboration at machine speed

Pilot project: Allowing partners to access available services, tools, organization scorecards, assessment results, and alerts in one central location.

2.1 ISS Mission Control Service Catalog: Satisfying the cyber community sharing appetite


• Created a central portal with a web-based catalog of services, tools and data provided by the Canadian Centre for Cyber Security (CCCS).

• Built so that policy and legal compliance is enforced for every interaction with a partner.

• Developed a maturity questionnaire to evaluate the cyber security posture of an organization, and their ability to ingest and use the information made available by CCCS.

2.2 Mitigation and Sharing Platforms (ArcticHub and MISP): Sharing is caring


• Developed a client-deployable DNS blocking module that validates queries against known DGAs, DNSTwist lookalikes, Punycode domains, various threat feeds and sightings reported via TAXII.

• Developed a client-deployable Pi-hole DNS blackhole fed with MISP indicators.

• Integrated ArcticHub with MISP, Pi-hole and TAXII.

• Developed a domain reputation service API that integrates various sources such as ArcticHub, Punycode checks, the CCCS threat stream and the Alexa top 1M list.

• Allowed sightings to be programmatically interacted with and controlled, allowing external tools to add sightings to MISP events.

• Created a module to translate from CCCS CKB format to MISP formats (beyond the CKB model representation in MISP) and vice versa. Any MISP user in the world can enable the CKB taxonomy in their MISP instance to be able to use or add CKB context.

• Allowed QRadar users to import MISP events directly into the system, including feeding sightings automatically back to MISP using the newly added PyMISP calls.

• Modified MISP to convey CCCS CKB data in a MISP compliant format. Partners can ingest CKB data without any source code being shared, and model their event in CKB format.
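The DNS blocking module and the MISP-fed blackhole above are described only by the checks they apply. The following is an added illustration, not the project's code, of how such a query filter can combine those checks: an indicator blocklist and sighting set (constructed here, standing in for a MISP/TAXII feed), a Punycode label test, a small DNSTwist-style permutation set for protected brand domains, and an entropy heuristic for DGA-like labels. The thresholds and the `PROTECTED` set are assumptions.

```python
import math
from collections import Counter

# Constructed indicator sets; a real deployment would pull these from MISP/TAXII.
BLOCKLIST = {"evil-update.example", "c2.badhost.example"}
SIGHTINGS = {"phish.example.net"}
# Constructed: brand domains protected against typosquatting lookalikes.
PROTECTED = {"example.com"}

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(label):
    # Assumed heuristic: long, high-entropy label with very few vowels.
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) > 3.5 and vowels / len(label) < 0.2

def lookalikes(domain):
    # Tiny DNSTwist-style permutation set: omission, repetition, adjacent swap.
    name, _, tld = domain.partition(".")
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:] + "." + tld)
        out.add(name[:i] + name[i] + name[i:] + "." + tld)
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
    out.discard(domain)
    return out

# Precompute lookalike -> protected domain once at startup.
LOOKALIKES = {lk: d for d in PROTECTED for lk in lookalikes(d)}

def classify_query(qname):
    """Return (verdict, reason) for a DNS query name; checks run cheapest-first."""
    q = qname.lower().rstrip(".")
    if q in BLOCKLIST:
        return "block", "threat-feed indicator"
    if q in SIGHTINGS:
        return "block", "reported sighting"
    if any(label.startswith("xn--") for label in q.split(".")):
        return "block", "punycode label"
    if q in LOOKALIKES:
        return "block", f"lookalike of {LOOKALIKES[q]}"
    if looks_like_dga(q.split(".")[0]):
        return "block", "dga-like label"
    return "allow", "no match"
```

In a resolver, a "block" verdict would be answered with the blackhole address and the reason logged for the SIEM.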

2.3 Assessment Tools


• Developed an external assessment tool that provides an assessment from an externally positioned entity. It leverages data from ArcticHub, Shodan, Censys and CCCS.

• Developed a client-deployable internal assessment tool that installs Sysmon and Winlogbeat on the endpoints, ships log data back to the partner's SIEM and runs analytics to assess the endpoints and the network traffic generated from within the perimeter.

• Allowed partners to request assistance and share information with the CCCS directly from the Mission Control portal.

2.4 Malware Intake


• Created a portal for partners to submit files to be automatically analyzed by the CCCS systems and AssemblyLine and receive a report.

• Added the option of having a submission analyzed by a human, given an explanation of what is expected.

2.5 Client Telemetry and Actions


• Developed a client-deployable agent that retrieves host-based telemetry and takes actions on controlled hosts.

• Developed a client-deployable script that can task a Microsoft Azure Firewall to block or drop traffic based on CYBERDECK analytics of IPFlow and HTTP. This includes detection of known-bad hashes in HTTP traffic.

• Developed a client-deployable HTTP proxy that feeds indicator information into an ELK SIEM.

• Allowed the partner to visualize all alerts issued by its SIEM, as well as by the external assessment tools, in a central location. Used in conjunction with dynamic defence tools, an organization's security team could automate the process of taking direct action.

TEAM 3: Evaluating Cyber Health with Notification, Exploration and Observation of Objects of Online Origin (NEO4)

Pilot project: Improving a company's ability to easily visualize and assess its cyber health, and connecting it to remediation measures. Improving phishing and spam analysis for better prevention.

3.1 Phishing and SPAM


• Developed a logo recognition and HTML tag clustering algorithm that detects similar phishing patterns for timely action.

• Developed algorithms that detect malicious IP and domains in emails, allowing users to decide a course of action with full awareness of risk.

• Implemented a Redis caching system for URL and file type identification, increasing the ingestion performance significantly.

3.2 Office Documents and Macro Analysis


• Added the ability to deobfuscate a subset of ActiveX controls. An interface was produced to help with future work and discovering controls that are not currently defined.

• Added an AssemblyLine service to deobfuscate VBA macros on the fly when obfuscation is encountered and pass the result to all other tools to extract useful Indicators of Compromise (IOCs).

• Added an AssemblyLine service to detect and classify macros using machine learning, producing a confidence score and a maliciousness verdict.

• Implemented an algorithm to improve the ingestion speed of a system based on regular expressions. This increased the ingestion performance by over 20%.

• Used NiFi to handle large amounts of spam data and route it to the right parsing systems. This increased the performance dramatically.

• Leveraged a Spark cluster to scale the parsing of spam data.

• Used natural language processing to detect the topics used in spam campaigns.

3.3 Dashboard and Data Visualization Tools


• Created a live Tableau dashboard to show a company’s cyber health in relation to its sector. Various metrics and predictive analytics are displayed to inform a company about their cyber-health.

• Created a Tableau dashboard with customized malware and vulnerability remediation profiles for companies. This allows a client to retrieve customized remediation plans to improve its cyber health.

TEAM 4: Hunting Cyber Threats - Let’s follow the hints left behind by attackers (Malfinder)

Pilot project: Improving malware analysis to better follow the trail of the hackers. Collaborating with law enforcement agencies to build cases and prosecute malicious actors.

4.1 Joint Collaborative Research with Law Enforcement Agencies


• Identified and researched mobile threats impacting Canadians (SMS Phishing and SIM Jacking), with the goal of creating cases that can be handed over to law enforcement.

• Created a traceable sample-analysis database that records input from multiple organizations, from which a visualization could be created.

• Wrote a short whitepaper on the issue.

• Coded a forensically sound phishing site harvesting tool.

• Developed three potential cases that are in the process of being documented for RCMP intake.

• Developed processes for private sector engagement with law enforcement agencies.

4.2 Collaborate with Malpedia


• Added support for ApiVector (a Malpedia service) in AssemblyLine's Cuckoo sandbox.

• Added the Malpedia YARA rules to AssemblyLine.

• Added the ability to identify malicious executables and automatically pull out IOCs from memory.

4.3 Infiltration of Necurs Botnet


• Enhanced our knowledge and capabilities for tracking botnets and their operational activities.

• Reverse engineered Necurs in order to gain insight into how it operates.

• Created a library for encrypting and decrypting the traffic generated by the botnet.

• Created a framework to automate the communication and logging of botnet activity.

• Used machine learning to classify and potentially identify malware families and botnet IDs based on the DGA domains.

4.4 Behavioral Malware Clustering


• Helped reduce the malware landscape by detecting zero-day malware and sharing its signatures at machine speed.

• Shared the resulting YARA signatures through MISP.

4.5 Built Memory Analysis Capabilities


• Built a sandbox system for config parsing.

• Built an AssemblyLine service for ApiVector.

• Built an AssemblyLine service for PyREBox.

• Extended the config decoder service.