A Honeypot based malware analysis tool for SACCOs in Kenya
Mwendwa, Keith Mwesigwa
Kenya had her first established Savings and Credit Co-operative (SACCO) society in 1908, and to date the SACCO societies have grown into a billion-dollar industry. SACCOs contribute 5.72% to Kenya's Gross Domestic Product (GDP) and are significantly changing the lives of Kenyans in almost all sectors of the economy. Like other sectors, SACCOs face growing cyber threats that have the potential to affect their performance. The 2018 report by Serianu indicates that SACCOs have poor visibility of enterprise cybersecurity and are thus poorly prepared to anticipate risk, detect vulnerabilities, respond to incidents and contain threats. Further, SACCOs have low budget allocations and inadequate skilled staff to advise on prevention of and protection against threats. Because of this, SACCOs across the globe lose hundreds of millions of dollars annually. The Serianu Cyber Security Report of 2018 indicates that the global cost of cybercrime stood at 600 billion dollars in 2015, a rise of $100 billion from the previous year. The report indicated that SACCOs were the most affected; the affected organizations lost money, experienced downtime and suffered reputational damage. It is observed that many SACCOs in Kenya are slowly putting up measures to prevent, detect and remediate cyber-attacks with minimal resources. This study intends to help SACCOs make a paradigm shift in how they detect and respond to malware by developing a prototype. The literature review brought to light the different applications of honeypot solutions, but such solutions are not common within the SACCO industry. The prototype, a honeypot used for malware analysis in order to determine breach scenarios and common cyber-attacks, showed outstanding performance when run for a few days, both in capturing malware and in helping with its analysis.
The proposed solution enables SACCOs to better mitigate, and possibly reverse, cyber-attacks on their infrastructure using the information they obtain from analysing malware. Development of the prototype was based on the Rapid Application Development methodology to build a robust honeypot-based malware analysis tool; it was tested for reliability and showed an outstanding accuracy level, as all attack traffic was captured and logged. In the first 24 hours of uptime, out of 100 captured attacks the prototype was able to give MD5 hashes of 11 malware samples; for the rest of the attacks it captured the associated IP addresses, which a SACCO employing this tool can blacklist.
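As an added illustration, not part of the thesis or its prototype, of how the two outputs named above (MD5 hashes of captured samples and a blocklist of attacker IP addresses) can be derived from a honeypot's capture log. The record format, field names and log contents below are constructed for this example; internal address ranges are kept off the blocklist so that a misconfigured internal host cannot lock a SACCO out of its own network.

```python
import hashlib
import ipaddress
import json
from collections import Counter

# Constructed honeypot records (newline-delimited JSON), one per captured
# connection; 'sample_hex' is present only when the attacker dropped a file.
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"ts": "2021-03-01T10:00:01Z", "src_ip": "203.0.113.5", "dst_port": 22, "event": "login_failed"}
{"ts": "2021-03-01T10:00:07Z", "src_ip": "203.0.113.5", "dst_port": 22, "event": "file_upload", "sample_hex": "4d5a90000300"}
{"ts": "2021-03-01T10:02:11Z", "src_ip": "198.51.100.23", "dst_port": 445, "event": "connect"}
{"ts": "2021-03-01T10:03:40Z", "src_ip": "198.51.100.23", "dst_port": 445, "event": "file_upload", "sample_hex": "7f454c4602010100"}
{"ts": "2021-03-01T10:05:00Z", "src_ip": "203.0.113.5", "dst_port": 23, "event": "file_upload", "sample_hex": "4d5a90000300"}
{"ts": "2021-03-01T10:06:13Z", "src_ip": "10.0.0.9", "dst_port": 22, "event": "login_failed"}
{"ts": "2021-03-01T10:07:00Z", "src_ip": "not-an-ip", "dst_port": 22, "event": "connect"}
"""

# Internal ranges never reach the blocklist: a misconfigured host or an internal
# scanner hitting the honeypot must not lock the SACCO's own LAN out.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_records(text):
    """Parse NDJSON, skipping blank and malformed lines instead of aborting."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            pass  # one truncated line must not discard the rest of the capture
    return records

def sample_md5(sample_hex):
    """MD5 of a captured sample, the per-malware identifier reported to the analyst."""
    return hashlib.md5(bytes.fromhex(sample_hex)).hexdigest()

def triage(records, min_hits=1):
    """Return (attack count, {md5: sorted source IPs}, blocklist of external IPs)."""
    attacks, samples, external = 0, {}, Counter()
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec.get("src_ip", ""))
        except ValueError:
            continue  # unusable source field: not counted as an attack
        attacks += 1
        if not any(ip in net for net in INTERNAL):
            external[str(ip)] += 1
        if rec.get("event") == "file_upload" and "sample_hex" in rec:
            samples.setdefault(sample_md5(rec["sample_hex"]), set()).add(str(ip))
    blocklist = sorted(ip for ip, n in external.items() if n >= min_hits)
    return attacks, {h: sorted(ips) for h, ips in samples.items()}, blocklist
```

Raising `min_hits` turns the blocklist from "every external source seen" into "repeat offenders only", which is the knob a SACCO would tune before feeding the list to a firewall.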