Never has the role of Threat Intelligence analyst and Community Emergency Response Team (CERT) been so meaningful. More connected devices, larger storage capacity, and faster connections have resulted in an explosion of available information. The problem facing the intelligence community (IC) is no longer how to get more data; it’s understanding how to turn the data they have into answers. That’s where CERT/ Threat intelligence comes in.
What it is?
Threat intelligence, or cyber threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing and future or emerging threats targeting the organization that helps mitigate risks that could cause financial and reputational damage. This information is used to identify, prepare and prevent cyber threats looking to take advantage of valuable resources. Therefore, Threat Intelligence helps organizations make faster, more informed security decisions and change their behavior from reactive to proactive to combat cyber-attacks.
What work have we done so far?
Emails analysis for threats Profiling
Phishing scams attempt to get users to hand over personal information such as login credentials, bank details, or credit card numbers via email and involve scammers posing as legitimate users or companies. These emails can look authentic, with similar branding and typography, and may have a similar contact address to the company they’re impersonating.
We have been collecting and analysing phishing emails and their attachments in order to produce Cyber Threat Intelligence that can be used for better threats profiling. Our threat intelligence’s output comprises malicious Domains, IPs, historical and current who is, ASN, FQDN, URL and Files Hashes. We used several tools and platforms such as Virus Total and Phish tank. Through static and dynamic analysis of emails attachment in our sandboxes, we provide relevant information that can help protect the company’s assets.
Network monitoring ( Deployment of honeypots)
Network monitoring is an IT Process whereby all networking components like Routers, Switches, Virtual Machines, Firewalls, and Servers are monitored and evaluated continuously for any anomalies using various techniques.
Conventional security controls such as the use of security tools, Intrusion Detection and Prevention Systems, Demilitarized Zones (DMZ), bastion hosts, penetration and vulnerability testing, have done a commendable job in enhancing the security of infrastructures used in information security.
However, in today’s world of constant cybersecurity threats and incidents, organizations still need to live with an expectation that weaknesses exist in their cybersecurity programs and frameworks, adversaries are lurking around looking for anomalies that sooner or later will be exploited or that have already been breached. Therefore, there is a need to remain vigilant and continuously innovate ways of countering these threats. One method that we’ve done so far is the deployment of a honeypot.
What it is.
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Wikipedia
A honeypot is either high-interaction or low-interaction;
Low-interaction honeypots use fewer resources and collect basic information about the level and type of threat and where it is coming from, while high-interaction aim to get hackers to spend as much time as possible within the honeypot, giving plenty of information about their intentions and targets, as well as the vulnerabilities they are exploiting.
For a honeypot to be effective, one has to do the following:
How it works.
A honeypot looks like a real computer system having all the basic applications and software. A good example is it should mimic an organization’s HR system. When attackers manipulate the system thinking, it’s a real one; this gives the IT Security team harden the existing system as per the attackers’ behaviors.
Types of Honeypots.
Most honeypots are usually named after what they are used for or doing.
By using cyber honeypots to create a threat intelligence framework, a business can ensure that it’s targeting its cybersecurity budget at the right places and can observe where it has weak security points.
Benefits of Using Honeypots.
Honeypots can be a useful means of detecting/monitoring and exposing attacks and vulnerabilities before actualizing in a production environment.
One can be able to spot intrusions and how to prevent it.
They are not very much resource-demanding since they handle minimal resources.
Have a low false-positive rate. That’s in contrast to traditional intrusion-detection systems (IDS), which can produce a high level of false alerts.
Dangers of Honeypots.
While honeypots help curb security threats, they also have their loopholes and weaknesses; they are only limited to the specific task assigned. One cannot see the other threats occurring on the system.
Being able to imitate the real system, when an attacker manages to find out it’s a fake system, they’ll go ahead and attack the actual system.
Overall the benefits outweigh the dangers hence making it very useful in the cybersecurity world.
Distributed Ledgers/ Blockchain
A Blockchain is a distributed ledger that provides a way of recording and sharing information by a community. In this community, each member can access the most updated copy of the information and all members validate any updates collectively, or assign the role of validation to a few trusted members among them to quicken the process.
The information could represent transactions, contracts, assets, identities or practically anything else that can be described in digital form. Entries are permanent, transparent and searchable, which makes it possible for community members to view transaction histories in their entirety. Each update is stored in a “block” added to the end of a “chain of blocks”. A protocol manages how new edits or entries are initiated, validated, recorded and distributed.
With Blockchain, cryptology replaces third- party intermediaries as the keeper of trust, with all blockchain participants running complex algorithms to certify the integrity of the whole.” (Piscini, Guastella, Rozman, & Nassim, 2016).
As research into and adoption of this new technology progresses worldwide, @iLabAfrica’s blockchain research team is also engaging in activities to establish the technology’s applicabilities in resolving current problems in the country. It is also engaging in training activities as a form of building capacity and expanding the technology’s knowledge among the students and IT professionals.
What have we done so far?
Developed a blockchain system for issuing and maintaining academic certificates using
What is in the pipeline
Yes. From the KENET
Child Online Protection (COP)
The explosion of Information and Communication Technologies (ICTs) has created unprecedented opportunities for children and young people to learn, communicate and exchange ideas on matters that interest them through the Internet and mobile technologies. Widened access to the Internet in Africa and specifically Kenya has allowed local children and youth access to a wide array of beneficial information which is hosted online. While all this has brought on a lot of great benefits, we must also be cognisant of the risks associated with unfiltered access to the Internet and mobile technologies by children and the youth, who form a vulnerable group among the internet users.
Protecting children and youth online is a global problem that requires the joint effort of parents, teachers, guardians, governments and child centric organizations. All the parties involved need to work hand in hand with the children and youth to sensitize them on responsible digital citizenship.
It is with this awareness in mind that @iLabAfrica, in collaboration with the different industry partners is working on a variety of initiatives in the line of Child online protection like research, trainings, content development etc,
What have we done so far?
What is in the pipeline
Yes. From the Norwegian Embassy.
Cybersecurity Smart Academy
This three-month program is intended to provide cutting edge skills in cybersecurity to participants who have shown a desire to specialize in cybersecurity as a profession. @iLabAfrica understands that not all the required technical skills in different verticals of cybersecurity are acquired in regular Information Technology (IT) training.
Because of this, we have developed the cybersecurity smart factory program to help shape the mindsets of the program participants and build their capacity in developing the challenging skills associated with being a cybersecurity professional such as reverse engineering, malware analysis, penetration testing, incident response and vulnerability research.
Initially, the program is open to participants from the School of Computing and Engineering Sciences drawn from undergraduate, masters (MSc. ISS, MSc. IT) and PhD programs. Undergraduate participants from the 2nd & 3rd year onwards ideally should be going for their industrial attachment.
The vision of the program is to take the participants through an initial 1-month program where the participants will undergo intensive capacity building in preparation for the next phase. Participants who successfully complete the first phase based on passing the various assessment criteria will be admitted into phase two of the program. This phase involves applying the participants to various projects that are carried out by the @iLabAfrica IT Security unit.
We believe that cybersecurity innovation and solutions can not only drive the economy of our nation but also act as a powerful force in safeguarding our national critical infrastructures and businesses that rely on technology. The positive ripple effect of breeding cybersecurity talent from academia is beneficial across all other sectors of industry.