% Full instructions available at: % https://github.com/elauksap/focus-beamertheme \documentclass{beamer} \usetheme[numbering=progressbar]{focus} \usepackage{tikz} \usetikzlibrary{positioning} \usetikzlibrary{shapes,arrows} \usepackage{transparent} \usepackage{fancyvrb} \usepackage{listings} \usepackage[utf8]{inputenc} \definecolor{main}{RGB}{47, 161, 219} %\definecolor{textcolor}{RGB}{128, 128, 128} \definecolor{background}{RGB}{240, 247, 255} \definecolor{textcolor}{RGB}{85, 87, 83} \title{D4 Project} \subtitle{Open and collaborative network monitoring} \author{Aurélien Thirion, Jean-Louis Huynen} \titlegraphic{\includegraphics[scale=0.20]{d4-logo.pdf}} \institute{Team CIRCL \\ \url{https://www.d4-project.org/}} \date{20190307} \begin{document} \begin{frame} \maketitle \end{frame} \begin{frame} \frametitle{Problem statement} \begin{itemize} \item CSIRTs (or private organisations) build their {\bf own honeypot, honeynet or blackhole monitoring network} \item Designing, managing and operating such infrastructure is a tedious and resource intensive task \item {\bf Automatic sharing} between monitoring networks from different organisations is missing \item Sensors and processing are often seen as blackbox or difficult to audit \end{itemize} \end{frame} \begin{frame} \frametitle{Objective} \begin{itemize} \item Based on our experience with MISP\footnote{\url{https://github.com/MISP/MISP}} where sharing played an important role, we transpose the model in D4 project \item Keeping the protocol and code base {\bf simple and minimal} \item Allowing every organisation to {\bf control and audit their own sensor network} \item Extending D4 or {\bf encapsulating legacy monitoring protocols} must be as simple as possible \item Ensuring that the sensor server has {\bf no control on the sensor} (unidirectional streaming) \item Don't force users to use dedicated sensors and allow {\bf flexibility of sensor support} (software, hardware, virtual) \end{itemize} \end{frame} \begin{frame} \frametitle{(short) History} \begin{itemize} \item D4 Project (co-funded under INEA CEF EU program) started - 1st November 2018 \item D4 encapsulation protocol version 1 published - 1st December 2018 \item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - 21st January 2018 \item First version of a golang D4 client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}} running on ARM, MIPS, PPC and x86 - January 2018 \end{itemize} \end{frame} \begin{frame} \frametitle{D4 Overview} \includegraphics[scale=0.41]{d4-overview.pdf} \end{frame} \begin{frame} \frametitle{Roadmap (next 2 months)} \begin{itemize} \item Passive DNS analyzer (alpha version released) \item Passive SSL collector and analyzer \item Backscatter DDoS traffic analyzer \item {\bf Default server} (blackhole monitoring or Passive DNS collector) at CIRCL for organisations willing to contribute without running their own D4 server \end{itemize} \end{frame} \begin{frame} \frametitle{D4 encapsulation protocol} \includegraphics[scale=0.38]{d4-protocol-encapsulation.png} \end{frame} \begin{frame} \frametitle{D4 server - main interface} \includegraphics[scale=0.18]{d4-4.png} \end{frame} \begin{frame} \frametitle{D4 server - server management} \includegraphics[scale=0.18]{d4-3.png} \end{frame} \begin{frame} \frametitle{D4 server - sensor overview} \includegraphics[scale=0.18]{d4-1.png} \end{frame} \begin{frame} \frametitle{D4 server - sensor management} \includegraphics[scale=0.18]{d4-2.png} \end{frame} \begin{frame} \frametitle{D4 client example : A passive SSL fingerprinter} History of links between: \begin{itemize} \item x509 certificates (And therefore their fields) \item Ports \item IP address \item Client (ja3) \item Server (ja3s) \end{itemize} \end{frame} \begin{frame} \frametitle{D4 client example : A passive SSL fingerprinter} CSIRT's rationale for collecting TLS handshakes: \begin{itemize} \item Pivot on additional data points \item Find owners of IP addresses \item Detect usage of CIDR blocks \item Detect vulnerable systems \item Detect compromised services \end{itemize} \end{frame} \begin{frame} \frametitle{D4 client example : A passive SSL fingerprinter} \begin{columns} \begin{column}{0.5\textwidth} \begin{center} \includegraphics[scale=0.2]{monitor.png} \end{center} \end{column} \begin{column}{0.5\textwidth} \begin{center} \includegraphics[scale=0.2]{orangepi.png} \end{center} \end{column} \end{columns} \hspace{20pt} \begin{itemize} \item 1 desktop monitored during 15 days \item 3327 TLS sessions fingerprinted \item 600 unique certificates collected \end{itemize} \end{frame} \begin{frame} \frametitle{Get in touch if you want to join the project, host a sensor or contribute} \begin{itemize} \item Collaboration can include research partnership, sharing of collected streams or improving the software. \item Contact: info@circl.lu \item \url{https://github.com/D4-Project} - \url{https://twitter.com/d4_project} \end{itemize} \end{frame} \end{document}