Eric Kapitanski

9 posts

@EricKapitanski

LightScope! Free, open source threat intelligence. https://t.co/FyXFVP7khj University of Southern California Information Sciences Institute.

Joined May 2011
857 Following · 2.2K Followers
Pinned Tweet
Eric Kapitanski @EricKapitanski
A free twofer! Get some insight into who's attacking/scanning your systems, and help a grad student collect research data at the same time!
Eric Kapitanski @EricKapitanski
@StevenMusielski For organizations, thousands of firewall log entries distilled down to X scans, Y of which you need to worry about. Detects this quickly, even if scanners change IPs. May identify new botnets if thousands of IOT started doing similar scans, for instance.
Eric Kapitanski @EricKapitanski
Dutch Waterfall scans coming out of the Netherlands, how you can tell over 1,400 IPs are working together, and novel temporal fingerprinting/visualization for scan traffic! My PhD research. lightscope.isi.edu
Eric Kapitanski retweeted
Mobius Fillagrew @fillagrew
Fascinating, innovative research tool that allows "clandestine" mass-scans emanating from multiple hundreds (or thousands!) of source IP addresses to be attributed back to a single, coordinated campaign lightscope.isi.edu
Eric Kapitanski @EricKapitanski

Dutch Waterfall scans coming out of the Netherlands, how you can tell over 1,400 IPs are working together, and novel temporal fingerprinting/visualization for scan traffic! My PhD research. lightscope.isi.edu

Eric Kapitanski @EricKapitanski
LightScope - Turn closed ports into honeypots!

What is it?
LightScope is free, open source software that gathers data for graduate cybersecurity research at the University of Southern California ISI (isi.edu). Those who deploy it are rewarded with rich threat intelligence about who’s targeting their systems and how. The threat intelligence LightScope provides to users is enhanced through research partnerships with ipinfo (ipinfo.io), greynoise (greynoise.io), and abuseIPDB (abuseIPDB.com).

What does the software do?
Observes attacker interactions with closed ports on live hosts, forwards that traffic to USC honeypots, and reports attackers to AbuseIPDB.com and ISPs.

What do you get for running it?
Detailed information about who's targeting you, automatic reporting of the malicious actors to ISPs, and personalized IP blocklists.

What DOESN'T it do?
It's not antivirus or Endpoint Detection and Response (EDR), and it won't slow down your system like they do. It’s also not a Web Application Firewall (WAF), and it doesn’t examine traffic to running services such as webservers (for privacy reasons).

Why should I run it?
See who's attacking your server
Find out if your laptop is getting attacked on public Wifi
Discover compromised routers/smart TVs scanning your home network
Support open cybersecurity research

What data do you collect?
We are interested in the traffic scanners and attackers send to closed ports on your servers. Your IP is fully anonymized and we do not collect any identifiable data about your machine. We went through IRB to certify our methods. A full list of data collected can be found in FAQs (lightscope.isi.edu/faq.html)

Why are you doing this?
To help people who can't afford expensive services. To collect data in support of PhD research.

Is it actively supported?
Yes.

How do I contact you?
E@alumni.usc.edu
x.com/EricKapitanski
discord.gg/7s3nkhXP

How do I install it?
lightscope.isi.edu/installation.h…

What are your research questions?
RQ1: What are the differences in attacker/scanner interactions between telescopes, dedicated honeypots, and live machines?
RQ2: What is the proportion of unwanted TCP traffic that is spoofed?
RQ3: How can the different scan types be fingerprinted based on packet sequences (as opposed to examining fields on a packet-by-packet basis)?
Eric Kapitanski @EricKapitanski
Hi everyone, please consider supporting my PhD research, and receive free threat intelligence in return!

LightScope - Turn closed ports into honeypots!

What is it?
LightScope is free, open source software that gathers data for graduate cybersecurity research at the University of Southern California ISI (isi.edu). Those who deploy it are rewarded with rich threat intelligence about who’s targeting their systems and how. The threat intelligence LightScope provides to users is enhanced through research partnerships with ipinfo (ipinfo.io), greynoise (greynoise.io), and abuseIPDB (abuseIPDB.com).

What does the software do?
Observes attacker interactions with closed ports on live hosts, forwards that traffic to USC honeypots, and reports attackers to AbuseIPDB.com and ISPs.

What do you get for running it?
Detailed information about who's targeting you, automatic reporting of the malicious actors to ISPs, and personalized IP blocklists.

What DOESN'T it do?
It's not antivirus or Endpoint Detection and Response (EDR), and it won't slow down your system like they do. It’s also not a Web Application Firewall (WAF), and it doesn’t examine traffic to running services such as webservers (for privacy reasons).

Why should I run it?
See who's attacking your server
Find out if your laptop is getting attacked on public Wifi
Discover compromised routers/smart TVs scanning your home network
Support open cybersecurity research

What data do you collect?
We are interested in the traffic scanners and attackers send to closed ports on your servers. Your IP is fully anonymized and we do not collect any identifiable data about your machine. We went through IRB to certify our methods. A full list of data collected can be found in FAQs (lightscope.isi.edu/faq.html)

Why are you doing this?
To help people who can't afford expensive services. To collect data in support of PhD research.

Is it actively supported?
Yes.

How do I contact you?
E@alumni.usc.edu
x.com/EricKapitanski
discord.gg/7s3nkhXP

How do I install it?
lightscope.isi.edu/installation.h…

What are your research questions?
RQ1: What are the differences in attacker/scanner interactions between telescopes, dedicated honeypots, and live machines?
RQ2: What is the proportion of unwanted TCP traffic that is spoofed?
RQ3: How can the different scan types be fingerprinted based on packet sequences (as opposed to examining fields on a packet-by-packet basis)?