NICTER: Network Incident analysis Center for Tactical Emergency Response
What is NICT?
- Bio/Nano ICT (self-organizing bio molecule)
- Optical Communication (10 Pbps class multi-core fiber)
- Brain ICT (brain-machine interface)
- Satellite Communication (Internet satellite WINDS)
- Science Cloud (real-time web of Himawari-8)
- Remote Sensing (Pi-SAR2 image after 3.11)
- Cybersecurity (NICTER, DAEDALUS)
Figure: NICT cybersecurity systems: NICTER (darknet monitoring), DAEDALUS, and NIRVANA (livenet monitoring).
Strategy: darknet monitoring + malware analysis

NICTER Operation Room

NICTER System Overview
Figure: NICTER system overview.
- MacS (Macro analysis System): traffic from 300,000 darknet (dark IP) addresses is fed to the analysis engines and visualized (Tiles, Atlas, Cube); this side observes phenomena such as worms, bots and viruses.
- Malware samples collected by honeypots are run through the Behavior Analyzer; 7,000 samples can be analyzed per day; this side identifies root causes.
- NemeSys: correlation engine that links observed phenomena to their root causes, with 30 seconds for a correlation analysis, plus an analysis workbench.
- IHS (Incident Handling System): delivers incident alerts to government, Internet Service Providers (ISPs) and end users.
What is Darknet?
- Darknet: unused IP address space.
- In theory, no packets should arrive at the darknet, because its addresses are not connected to any hosts. Traffic that does arrive comes from:
  - scans by malware
  - backscatter (reflections of DDoS attacks)
  - misconfigurations
  - etc.
Darknet observation statistics by year:

Year  Total packets observed  Observed dark IP addresses  Packets per IP address
2005  0.31 billion            16 thousand                 19,066
2006  0.81 billion            100 thousand                17,231
2007  1.99 billion            100 thousand                19,118
2008  2.29 billion            120 thousand                22,710
2009  3.57 billion            120 thousand                36,190
2010  5.65 billion            120 thousand                50,128
2011  4.54 billion            120 thousand                40,654
2012  7.79 billion            190 thousand                53,085
2013  12.9 billion            210 thousand                63,655
2014  25.7 billion            240 thousand                115,323
2015  54.5 billion            280 thousand                213,523

(Chart: packets per IP address per year, 2005 to 2015; y-axis 0 to 250,000.)
Chart: destination port distribution of darknet traffic: 23/tcp 24%, 445/tcp 8%, 22/tcp 5%, 80/tcp 3%, six further ports at 2% each, other ports 48%.
IoT
Practical Use of
- ICT-ISAC Japan
- ACTIVE (www.active.go.jp)
DAEDALUS: Direct Alert Environment for Darknet And Livenet Unified Security

Figure: DAEDALUS and NICTER are complementary.
Goal: utilize the darknet monitoring results for securing the livenet.

Mechanism:
  if (NICTER receives packets from a cooperative organization)
      alert;
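The alert rule above, as an added example in Python that is not NICT's own code: it assumes a made-up registry of cooperative organizations' address prefixes and constructed darknet sensor records, labels each packet with the darknet traffic categories from the "What is Darknet?" slide (scans vs. backscatter), and raises an alert whenever the source address belongs to a registered organization.

```python
import ipaddress

# Hypothetical cooperative organizations and their registered address ranges
COOPERATIVE_ORGS = {
    "example-university": [ipaddress.ip_network("198.51.100.0/24")],
    "example-isp": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed darknet sensor records: (source IP, destination port, TCP flags)
DARKNET_RECORDS = [
    ("198.51.100.7", 23, "S"),    # SYN to 23/tcp from a cooperative org's host
    ("198.51.100.7", 23, "S"),
    ("192.0.2.50", 445, "S"),     # SYN scan from an address nobody registered
    ("203.0.113.9", 80, "SA"),    # SYN/ACK: backscatter, the org is a DDoS target
    ("192.0.2.77", 22, "R"),      # RST: backscatter from an unregistered address
    ("203.0.113.200", 23, "S"),   # outside the registered /25, so no alert
]

def classify(flags):
    """Coarse darknet traffic category from TCP flags (scan vs. backscatter)."""
    if flags == "S":
        return "scan"          # unsolicited SYN: a host probing the dark space
    if flags in ("SA", "R", "RA"):
        return "backscatter"   # replies to spoofed packets: reflected DDoS
    return "other"             # misconfiguration, etc.

def org_for(ip):
    """Return the cooperative organization owning `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for org, nets in COOPERATIVE_ORGS.items():
        if any(addr in net for net in nets):
            return org
    return None

def daedalus_alerts(records):
    """The slide's rule: alert when darknet packets come from a member org."""
    # A 'scan' alert suggests an infected host inside the org; a 'backscatter'
    # alert suggests the org's own addresses are being spoofed or attacked.
    alerts = []
    for src, port, flags in records:
        org = org_for(src)
        if org is not None:
            alerts.append({"org": org, "src": src,
                           "dst_port": port, "category": classify(flags)})
    return alerts

if __name__ == "__main__":
    for a in daedalus_alerts(DARKNET_RECORDS):
        print(f"ALERT {a['org']}: {a['src']} -> {a['dst_port']}/tcp ({a['category']})")
```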
DAEDALUS-VIZ
Cooperative organizations: 47 (Nov 2013), 601 (Sep 2016). A response manual is provided to participants.
DAEDALUS for ASEAN
JASPER: security partnership between Japan and ASEAN, initiated by the Ministry of Internal Affairs and Communications (MIC) in 2013.
- JASPER: Japan-ASEAN Security Partnership
- PRACTICE: Proactive Response Against Cyber-attacks Through International Collaborative Exchange
- DAEDALUS: Direct Alert Environment for Darknet And Livenet Unified Security
DAEDALUS for Enterprise
- SiteVisor: commercial alert service (clwit, inc.)
- SiteVisor Professional: incident response service (dit Co., Ltd.)
- NS HARUKA: commercial alert service (NS Solutions Corps.)
NIRVANA: NICTER Real-network Visual ANAlyzer KAI
Figure: stages of a targeted (APT) attack: intrusion, hiding out, establishing a bridgehead, searching, penetration, occupation, stealing, pullout.
APT Countermeasure: NIRVANA (livenet monitoring) + Security
NIRVANA for Enterprise
- WADJET: commercial security solution (dit Co., Ltd.)
- NS MIHARU: commercial security solution (NS Solutions Corps.)
Conclusion
NICT is conducting:
- cutting-edge R&D on cybersecurity
- large-scale monitoring and analysis based on our neutrality
- international/domestic information sharing with government, academia and industry
- tech transfer to industry
- the Hardening Project
- international sharing of darknet data