PROKI (an abbreviation for Prediction and Protection against Cybernetic Incidents) is a research project of the CZ.NIC Association and the National Security Team CSIRT.CZ, launched in 2015. The PROKI project has been supported under the Security Research Program of the Czech Republic for the years 2015–2020.
Why was this project created?
The National Security Team receives information from various sources about IP addresses on blacklists, IP addresses that spread malware, IP addresses connecting to C&C servers, and so on. Until now, however, there was no system for actively processing this information. Using the IntelMQ system, a comprehensive system for aggregate information collection on Czech networks has been built to provide a continuous overview of current network threats and the possibility of additional analyses.
To whom is the report sent?
The target groups of the PROKI project include ISPs and Czech organizations that are members of the RIPE NCC (LIR - Local Internet Registry).
What is the purpose of the report?
The purpose of the project is to collect relevant information about security incidents in the given network. In the event that any malicious activity is detected in the network, a summary report will be sent to administrators of address blocks at regular intervals to enable them to take remedial action. Information of varying importance is sent to the email addresses listed as ‘abuse contact’ in the RIPE NCC database.
What does the report contain?
The output is a .csv report (fields are separated by commas and text values are enclosed in double quotation marks), sent as a zip-compressed e-mail attachment, containing the following information:
- time_detected – the time when the incident was detected by the source system
- ip – the IP address displaying the behavior described
- class – an incident class, e.g. Malicious Code, Intrusion Attempts, Information Gathering
- type – an incident type (one class may contain several types), e.g. botnet drone, scanner, malware
- time_delivered – the time when the incident was recorded by the PROKI system
- country_code – country code
- asn – autonomous system number
- description – an additional description of the incident, if available
- malware – malware family or name, if available, e.g. Trojan.Backdoor, Office.Word.Downloader
- feed_name – source feed name; the list of feeds is given below
- feed_url – source feed URL
- raw – the original record from the source feed
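As an added example (not part of the PROKI project's own tooling), a recipient could load the zipped report and group incidents per IP address for triage as sketched below. The header row, column order, timestamp format, file name, size limit and all sample values are assumptions constructed for this illustration.

```python
import csv
import io
import zipfile
from collections import Counter, defaultdict

# Column names as listed on this page; the header row and column order are assumptions.
FIELDS = ["time_detected", "ip", "class", "type", "time_delivered", "country_code",
          "asn", "description", "malware", "feed_name", "feed_url", "raw"]
MAX_CSV_BYTES = 50 * 1024 * 1024  # assumed cap for a CSV taken from an e-mailed archive

def read_report(zip_bytes):
    """Return the rows of the single .csv member of a zipped report as dicts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if m.filename.lower().endswith(".csv")]
        if len(members) != 1 or members[0].file_size > MAX_CSV_BYTES:
            raise ValueError("expected exactly one .csv member within the size limit")
        text = zf.read(members[0]).decode("utf-8")
    reader = csv.DictReader(io.StringIO(text), delimiter=",", quotechar='"')
    missing = set(FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report is missing columns: {sorted(missing)}")
    return list(reader)

def summarize(rows):
    """Per IP: count of each (class, type) pair and the set of reporting feeds."""
    summary = defaultdict(lambda: {"incidents": Counter(), "feeds": set()})
    for row in rows:
        summary[row["ip"]]["incidents"][(row["class"], row["type"])] += 1
        summary[row["ip"]]["feeds"].add(row["feed_name"])
    return dict(summary)

def build_sample_report():
    rows = [  # constructed sample: documentation addresses, made-up feed names
        ["2018-03-01T10:00:00Z", "192.0.2.10", "Malicious Code", "botnet drone",
         "2018-03-01T10:05:00Z", "CZ", "64496", "", "Trojan.Backdoor",
         "feed-a", "https://feeds.example/a", "raw-1"],
        ["2018-03-02T11:00:00Z", "192.0.2.10", "Malicious Code", "botnet drone",
         "2018-03-02T11:05:00Z", "CZ", "64496", "", "Trojan.Backdoor",
         "feed-b", "https://feeds.example/b", "raw-2"],
        ["2018-03-02T12:00:00Z", "192.0.2.20", "Information Gathering", "scanner",
         "2018-03-02T12:05:00Z", "CZ", "64496", "port scan, tcp/23", "",
         "feed-a", "https://feeds.example/a", "raw-3"],
    ]
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows([FIELDS] + rows)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", buf.getvalue())
    return archive.getvalue()
```

An address reported by several independent feeds, such as 192.0.2.10 in the sample, is a reasonable first candidate for remediation.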
E-mail reports are sent from the address firstname.lastname@example.org and are signed by the following PGP key:
User ID: PROKI CSIRT.CZ email@example.com
Key ID: 0xFAAA CDD1
Key size: 2048
Fingerprint: F000 C887 F39D 3D49 63AC EEDE EF87 7480 FAAA CDD1
The CSIRT National Security Team cannot vouch for the reliability of individual information sources, but on the basis of its own tracking activity and feedback from end-users, these resources will be continually updated and changed. For this reason, any of your suggestions or responses regarding each information source or report are useful. You can send them to firstname.lastname@example.org.
How often and where are the outputs sent?
In the first phase, the outputs will be sent once a week to the contact listed as an “abuse” contact in the RIPE database. If you have addresses from another Czech provider, you need to arrange the forwarding of information concerning your addresses directly with them.
How can I join the project and get outputs from it?
All LIRs from the Czech Republic participate in the project automatically. If you want the reports to be sent to a different e-mail address than the one stated in the RIPE NCC database, send your request to email@example.com.
How can I leave the project?
If you do not want to receive the summary reports about your addresses, please write to firstname.lastname@example.org.
Will the CSIRT.CZ Team continue to send incident-related information?
The PROKI project processes only actively collected data. However, CSIRT.CZ, in its capacity as the National Security Team, will continue to process the information it receives from different entities about malicious addresses and services, which require a quick response.
What sources of information does PROKI use?
The PROKI project is built on the IntelMQ solution that has been developed to automate the collection of security information and incident processing. The system is being used by many other security teams and is actively developed within the security community. We are currently processing information from many sources such as public blacklists with IP addresses with detected harmful activity, the outputs of both our own and public honeypots, as well as from other sources provided by cooperating CSIRT teams.
A complete list of sources with a brief description can be found here.