\item D4 Project (co-funded under INEA CEF EU program) started - {\bf 1st November 2018}
\item D4 encapsulation protocol version 1 published - {\bf 1st December 2018}
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - {\bf 21st January 2019}
The D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) of type 2 define
the custom headers, and the following packets of type 254 carry the custom data encapsulated according to those headers.
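The session logic described above, as an added example (this is illustrative code written for this page, not the D4 core server or client): a sensor emits one type 2 meta header followed by type 254 packets, and the receiver decapsulates each packet, checks its HMAC, and interprets the type 254 payloads through the meta header it saw first. The 62-byte header layout (version, type, UUID, timestamp, HMAC, size) follows the D4 encapsulation protocol v1; the little-endian integer encoding, the HMAC-SHA256 over the packet with the hmac field zeroed, the JSON meta body and the sensor key are assumptions of the example, to be checked against the spec before reuse.

```python
import hashlib
import hmac
import json
import struct
import uuid

# D4 v1 header: version(1) type(1) uuid(16) timestamp(8) hmac(32) size(4) = 62 bytes.
# Assumption of this example: little-endian fixed-width integers.
HEADER_FMT = "<BB16sQ32sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 62
HMAC_OFF, HMAC_END = 26, 58               # byte range of the hmac field
TYPE_META = 2      # JSON meta header that describes the custom stream
TYPE_CUSTOM = 254  # payload whose meaning is defined by the meta header


def build_packet(key, sensor_uuid, ptype, timestamp, payload):
    """Encapsulate one payload. Assumption: HMAC-SHA256 is computed over the
    whole packet with the hmac field zeroed."""
    header = struct.pack(HEADER_FMT, 1, ptype, sensor_uuid, timestamp,
                         b"\x00" * 32, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header[:HMAC_OFF] + tag + header[HMAC_END:] + payload


def parse_packet(key, packet):
    """Decapsulate one packet, rejecting truncation, unknown versions and
    packets whose HMAC does not verify under the sensor's key."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header")
    version, ptype, sid, ts, tag, size = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 1:
        raise ValueError("unsupported D4 version %d" % version)
    end = HEADER_LEN + size
    if len(packet) < end:
        raise ValueError("truncated payload")
    zeroed = packet[:HMAC_OFF] + b"\x00" * 32 + packet[HMAC_END:end]
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("HMAC mismatch: wrong key or tampered packet")
    return {"type": ptype, "uuid": uuid.UUID(bytes=sid), "timestamp": ts,
            "payload": packet[HEADER_LEN:end]}


class Session:
    """Per-sensor decoder state: the type 2 meta header seen first decides
    how every later type 254 packet from that sensor is interpreted."""

    def __init__(self):
        self.meta = None

    def handle(self, pkt):
        if pkt["type"] == TYPE_META:
            self.meta = json.loads(pkt["payload"].decode("utf-8"))
            return ("meta", self.meta)
        if pkt["type"] == TYPE_CUSTOM:
            if self.meta is None:
                raise ValueError("type 254 data before any type 2 meta header")
            encoding = self.meta.get("encoding", "utf-8")
            return (self.meta["type"], pkt["payload"].decode(encoding))
        return ("builtin-type-%d" % pkt["type"], pkt["payload"])


def demo():
    """Constructed session: one meta header, then two custom-data packets."""
    key = b"constructed-sensor-secret"                      # constructed key
    sid = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    meta = {"type": "custom-log", "encoding": "utf-8"}      # constructed meta header
    wire = [
        build_packet(key, sid, TYPE_META, 1548000000, json.dumps(meta).encode()),
        build_packet(key, sid, TYPE_CUSTOM, 1548000001, b"first custom record"),
        build_packet(key, sid, TYPE_CUSTOM, 1548000002, b"second custom record"),
    ]
    session = Session()
    return [session.handle(parse_packet(key, p)) for p in wire]


if __name__ == "__main__":
    for kind, data in demo():
        print(kind, data)
```

The receiver keeps the meta header per session rather than per packet, so a type 254 packet that arrives before any type 2 header is rejected instead of being guessed at, and a single flipped payload byte fails the HMAC check before any decoding happens.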
\small
\input{meta.tex}
\end{frame}
\begin{frame}
\frametitle{D4 server}
\begin{itemize}
\item D4 core server\footnote{\url{https://github.com/D4-project/d4-core}} is a complete server to handle clients (sensors), including decapsulation of the D4 protocol, control of sensor registrations, management of decoding protocols and dispatching to the appropriate decoders/analysers.
\item D4 server is written in Python 3.6 and runs on standard GNU/Linux distributions.
\item{\bf provide} various points of observation in non-contiguous address space,
\item{\bf aggregate} and {\bf mix} backscatter traffic collected from D4 sensors,
\item{\bf perform} analysis on large amounts of data.
\end{itemize}
D4 - from an end-user perspective:
\begin{itemize}
\item{\bf provide} backscatter analysis results,
\item{\bf provide} daily updates,
\item{\bf provide} additional relevant (or pivotal) information (DNS, BGP, etc.),
\item{\bf provide} an API and search capabilities.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item[\checkmark]
analyzer-d4-pibs\footnote{\url{https://github.com/D4-project/analyzer-d4-pibs}}, an analyzer for a D4 network sensor:
\begin{itemize}
\item{\bf processes} data produced by D4 sensors (pcaps),
\item{\bf displays} potential backscatter traffic on standard output,
\item{\bf focuses} on TCP SYN flood in this first release.
\end{itemize}
\end{itemize}
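What such an analyzer does on the wire, as an added example (illustrative code for this page, not analyzer-d4-pibs): parse raw IPv4/TCP packets the way a pcap consumer would and flag TCP SYN-flood backscatter, i.e. SYN/ACK or RST/ACK replies arriving at addresses that never sent a SYN to the replying host. The packets are constructed inline for the demo, with checksums left at zero; the threshold and the tuple-matching heuristic are choices of the example.

```python
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10


def ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (no options, checksums zero);
    constructed for the demo using the standard RFC 791/793 layout."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) or None for non-IPv4/TCP data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & 0x3F
    return src, dst, sport, dport, flags


def find_backscatter(packets, threshold=3):
    """SYN-flood backscatter heuristic: SYN/ACK or RST/ACK replies for
    4-tuples that no local SYN ever opened. Returns
    {(victim_ip, victim_port): reply_count} for sources at or above threshold."""
    initiated = set()
    replies = Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if flags & SYN and not flags & ACK:
            initiated.add((src, dst, sport, dport))
        elif flags & ACK and flags & (SYN | RST):
            if (dst, src, dport, sport) not in initiated:
                replies[(src, sport)] += 1
    return {k: v for k, v in replies.items() if v >= threshold}


def demo():
    """Constructed capture: one legitimate connection from 10.0.0.5, plus
    replies from a web server being SYN-flooded with sources spoofed in 10.0.0.0/24."""
    packets = [
        ipv4_tcp_frame("10.0.0.5", "93.184.216.34", 40000, 443, SYN),
        ipv4_tcp_frame("93.184.216.34", "10.0.0.5", 443, 40000, SYN | ACK),
    ]
    for i in range(1, 6):
        packets.append(ipv4_tcp_frame("198.51.100.7", "10.0.0.%d" % i, 80, 50000 + i, SYN | ACK))
    packets.append(ipv4_tcp_frame("198.51.100.7", "10.0.0.9", 80, 50009, RST | ACK))
    return find_backscatter(packets)


if __name__ == "__main__":
    for (victim, port), n in demo().items():
        print("potential SYN-flood victim %s:%d (%d unsolicited replies)" % (victim, port, n))
```

On a true darknet sensor no local host ever sends a SYN, so every SYN/ACK or RST/ACK seen is unsolicited by construction; the `initiated` set only matters when the sensor shares address space with live hosts.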
\end{frame}
\begin{frame}
\begin{center}
{\bf Passive DNS}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Problem statement}
\begin{itemize}
\item CIRCL (and other CSIRTs) have their own Passive DNS\footnote{\url{https://www.circl.lu/services/passive-dns/}} collection mechanisms
\item Current {\bf collection models} are affected by DoH\footnote{DNS over HTTPS} and centralised DNS services
\item Collecting DNS answers is a tedious process
\item{\bf Sharing Passive DNS streams} between organisations is challenging for privacy reasons
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Potential Strategy}
\begin{itemize}
\item Improve {\bf Passive DNS collection diversity} by collecting closer to the source (e.g. at the OS resolver level), limiting the impact of DoH
\item Increase diversity and apply {\bf mixing models} before sharing/storing Passive DNS records
\item Simplify the process and the tools to install for {\bf Passive DNS collection by relying on D4 sensors} instead of custom mechanisms
\item Provide a distributed infrastructure for mixing streams and filtering what is shared with validated partners
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item[\checkmark]
analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}}, an analyzer for a D4 network sensor:
\begin{itemize}
\item{\bf processes} data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}}),
\item{\bf ingests} these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records,
\item{\bf provides} a lookup server (using a Redis-compatible backend), i.e. a Passive DNS REST server compliant with the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}.
\end{itemize}
\end{itemize}
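The ingestion and lookup steps above, as an added example (illustrative code for this page, not analyzer-d4-passivedns): passivedns log lines, as a D4 sensor would ship them, are aggregated into Passive DNS records carrying the Common Output Format fields (rrname, rrtype, rdata, time_first, time_last, count) and served as one JSON object per line. The `||`-separated line layout assumed here is timestamp, client, server, class, query, type, answer, ttl, count; a Python dict stands in for the Redis backend, and the sample lines are constructed.

```python
import json

# Assumed passivedns line layout (constructed lines below follow it):
# timestamp||client_ip||server_ip||class||query||type||answer||ttl||count
FIELDS = ("timestamp", "client", "server", "rrclass", "rrname", "rrtype",
          "rdata", "ttl", "count")


def parse_line(line):
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = int(float(rec["timestamp"]))
    rec["count"] = int(rec["count"])
    return rec


def _norm(name):
    """Case-insensitive, trailing dot removed, as in COF rrname values."""
    return name.lower().rstrip(".")


class PassiveDNSStore:
    """In-memory stand-in for the Redis-compatible backend. Records are keyed
    on (rrname, rrtype, rdata) and carry the COF fields; the resolver client
    address is discarded at ingestion and never stored."""

    def __init__(self):
        self.records = {}   # (rrname, rrtype, rdata) -> COF record
        self.by_rdata = {}  # rdata -> [keys], for reverse (IP) lookups

    def ingest(self, line):
        r = parse_line(line)
        key = (_norm(r["rrname"]), r["rrtype"], r["rdata"])
        cur = self.records.get(key)
        if cur is None:
            self.records[key] = {"rrname": key[0], "rrtype": key[1], "rdata": key[2],
                                 "time_first": r["timestamp"], "time_last": r["timestamp"],
                                 "count": r["count"]}
            self.by_rdata.setdefault(key[2], []).append(key)
        else:
            cur["time_first"] = min(cur["time_first"], r["timestamp"])
            cur["time_last"] = max(cur["time_last"], r["timestamp"])
            cur["count"] += r["count"]

    def query(self, q):
        """What a COF /query/<q> endpoint returns: records whose rrname or
        rdata equals q, each record once."""
        keys = [k for k in self.records if k[0] == _norm(q)] + self.by_rdata.get(q, [])
        return [self.records[k] for k in dict.fromkeys(keys)]

    def ndjson(self, q):
        """COF output: one JSON object per line."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.query(q))


def demo():
    lines = [  # constructed sample sensor output
        "1548000000.000||192.0.2.10||203.0.113.53||IN||www.example.com.||A||198.51.100.20||300||2",
        "1548003600.000||192.0.2.11||203.0.113.53||IN||www.example.com.||A||198.51.100.20||300||1",
        "1548007200.000||192.0.2.10||203.0.113.53||IN||mail.example.com.||A||198.51.100.20||300||1",
        "1548010800.000||192.0.2.12||203.0.113.53||IN||www.example.com.||AAAA||2001:db8::20||300||1",
    ]
    store = PassiveDNSStore()
    for line in lines:
        store.ingest(line)
    return store


if __name__ == "__main__":
    store = demo()
    print(store.ndjson("www.example.com"))
    print(store.ndjson("198.51.100.20"))
```

Because only (rrname, rrtype, rdata) plus first-seen, last-seen and count survive ingestion, a shared stream never reveals which client asked; that is the property the mixing and sharing strategy above relies on.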
\end{frame}
\begin{frame}
\begin{center}
{\bf Passive SSL revamping}
\end{center}
\end{frame}
\begin{frame}
\frametitle{A passive SSL fingerprinter}
A CSIRT's rationale for collecting TLS handshakes:
\begin{itemize}
\item{\bf pivot} on additional data points,
\item{\bf find} owners of IP addresses,
\item{\bf detect} usage of CIDR blocks,
\item{\bf detect} vulnerable systems,
\item{\bf detect} compromised services,
\item{\bf detect} key material reuse,
\item{\bf detect} weak keys.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Objectives - TLS Fingerprinting}
{\bf Keeping} a log of links between:
\begin{itemize}
\item x509 certificates,
\item ports,
\item IP addresses,
\item client (ja3),
\item server (ja3s).
\end{itemize}
\begin{displayquote}
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{\url{https://github.com/salesforce/ja3}}
\end{displayquote}
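How the JA3 client fingerprint quoted above is derived from a ClientHello, as an added example (illustrative code for this page, not the Salesforce JA3 implementation nor D4 code): the fingerprint is the MD5 of the string SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, with each list dash-joined in decimal and GREASE values dropped. The ClientHello is constructed inline and includes GREASE entries so the filtering is exercised; the server name and cipher list are sample values chosen for the demo.

```python
import hashlib
import struct

SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11


def is_grease(v):
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def u16_list(values):
    return struct.pack("!%dH" % len(values), *values)


def build_client_hello(version, ciphers, extensions):
    """Constructed TLS record carrying a ClientHello; extensions is a list of
    (type, body) with each body already encoded."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + u16_list(ciphers)
    body += b"\x01\x00"                                           # compression: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake


def ja3_string(record):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    ciphers = [c for c in struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
               if not is_grease(c)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    ext_types, curves, formats = [], [], []
    if pos + 2 <= len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            t, l = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + l]
            pos += l
            if is_grease(t):
                continue
            ext_types.append(t)
            if t == SUPPORTED_GROUPS and len(data) >= 2:    # u16 length + u16 group ids
                n = struct.unpack("!H", data[:2])[0] // 2
                curves = [g for g in struct.unpack("!%dH" % n, data[2:2 + 2 * n])
                          if not is_grease(g)]
            elif t == EC_POINT_FORMATS and data:            # u8 length + u8 formats
                formats = list(data[1:1 + data[0]])

    def join(xs):
        return "-".join(str(x) for x in xs)
    return "%d,%s,%s,%s,%s" % (version, join(ciphers), join(ext_types), join(curves), join(formats))


def ja3(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def demo_record():
    """Constructed ClientHello with GREASE values (cipher 0x1a1a, extension
    and group 0x2a2a) that the fingerprint must ignore."""
    ciphers = [0x1A1A, 47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4]
    sni = b"\x00\x0e" + b"\x00" + b"\x00\x0b" + b"example.com"     # server_name body
    groups = struct.pack("!H", 8) + u16_list([0x2A2A, 23, 24, 25])
    return build_client_hello(0x0301, ciphers, [(0x2A2A, b"\x00"), (0, sni),
                                                (SUPPORTED_GROUPS, groups),
                                                (EC_POINT_FORMATS, b"\x01\x00")])


if __name__ == "__main__":
    print(ja3_string(demo_record()))
    print(ja3(demo_record()))
```

The GREASE filter matters in practice: browsers randomise those values per connection, so a fingerprint that kept them would never match twice. JA3S applies the same idea to the ServerHello (version, chosen cipher, extensions), which is why the page pairs the two.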
\end{frame}
\begin{frame}
\frametitle{Objectives - Mind your Ps and Qs}
{\bf Collect} and {\bf store} x509 certificates and TLS sessions:
\begin{itemize}
\item public key type and size,
\item moduli and exponents,
\item curve parameters.
\end{itemize}
{\bf Detect} anti patterns in crypto:
\begin{itemize}
\item Shared Public Keys,
\item Moduli that share one prime factor,
\item Moduli that share both prime factors,
\item Small factors,
\item Nonce reuse / common prefix or suffix, etc.
\item{\bf Mixing models for passive collection streams} (for privacy) in next version of D4 core server
\item{\bf Interconnecting private D4 sensor networks} with other D4 sensor networks (sharing to partners filtered stream)
\item{\bf Previewing datasets} collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
\item{\bf Leverage MISP sharing communities} to augment Threat
Intelligence, and provide accurate metrology.
\end{itemize}
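The first four RSA checks in the list above (shared public keys, moduli sharing one prime, moduli sharing both primes, small factors), as an added example (illustrative code for this page, not D4 project code): a product tree and remainder tree compute gcd(N_i, prod of all other N_j) for every modulus in quasi-linear time, the technique of Bernstein and of Heninger et al. ("Mining your Ps and Qs", USENIX Security 2012), and a sieve supplies the small primes for trial division. The moduli are constructed from small primes so the findings can be checked by hand; the same code runs unchanged on 2048-bit moduli collected from certificates.

```python
from math import gcd


def small_primes(bound):
    """Primes below bound by a sieve, for the trial-division check."""
    sieve = bytearray([1]) * bound
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound, i)))
    return [i for i, v in enumerate(sieve) if v]


def batch_gcd(moduli):
    """gcd(N_i, prod_{j != i} N_j) for every i: build the product tree, then
    push P mod x^2 down each node x, and finish with gcd((P mod N^2)/N, N)."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    rems = levels[-1]                        # root: product of all moduli
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def analyse(moduli, small_bound=1000):
    """Findings as (index, kind, value). A shared prime d means both moduli
    involved are fully factored: N = d * (N // d)."""
    primes = small_primes(small_bound)
    seen = {}
    for n in moduli:
        seen[n] = seen.get(n, 0) + 1
    findings = []
    for i, (n, d) in enumerate(zip(moduli, batch_gcd(moduli))):
        if d == n and seen[n] > 1:
            findings.append((i, "shared public key", n))
        elif d == n:
            findings.append((i, "both primes shared with other keys", n))
        elif d > 1:
            findings.append((i, "shared prime factor", d))
        for p in primes:
            if n % p == 0:
                findings.append((i, "small factor", p))
    return findings


def demo():
    """Constructed moduli from small primes (real keys are 2048-bit)."""
    moduli = [
        1009 * 1013,   # shares 1013 with the next key
        1013 * 1019,
        1021 * 1031,   # same public key deployed twice
        1021 * 1031,
        3 * 1033,      # small factor
        1039 * 1049,   # clean
    ]
    return analyse(moduli)


if __name__ == "__main__":
    for i, kind, value in demo():
        print("modulus %d: %s (%d)" % (i, kind, value))
```

A pairwise gcd over a large certificate corpus is quadratic; the tree form is what makes the check feasible at the scale a sensor network collects.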
\end{frame}
\begin{frame}
\frametitle{Get in touch if you want to join the project, host a sensor or contribute}
\begin{itemize}
\item Collaboration can include research partnership, sharing of collected streams or improving the software.