Transcript Slide 1

REN-ISAC Update
Doug Pearson, REN-ISAC Technical Director
DICE
12 February 2008
Athens, Greece
1
REN-ISAC
The goal of the REN-ISAC is to aid and promote cyber security
protection and response within the higher education and
research (R&E) communities, through:
• the sharing of actionable information within a private trust
community,
• the provision of other direct security services, and
• serving as the R&E trusted partner within the formal ISAC
community.
2
Cooperative Effort
• Direct and in-kind funding:
– IU (host organization), LSU, Internet2, EDUCAUSE
• Executive Advisory Group
– IU, LSU, Oakland U, Reed College, U Mass, UMBC, U Montana,
Internet2, and EDUCAUSE
• Technical Advisory Group
– Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley,
U Mass, U Minn, U Oregon, and WPI
• Microsoft Analysis Team
– Colorado, IU, NYU, UIUC
• Major contributors
– Buffalo, Brandeis, and WPI (systems), MOREnet (TechBursts)
• And the MEMBERS!
3
Membership (the old, and still current plan)
• Membership is open and free to:
– institutions of higher education,
– teaching hospitals,
– research and education network providers, and
– government-funded research organizations.
• Membership guidelines are roughly:
– must have organization-wide responsibilities for cyber security
protection and response,
– must be permanent staff, and
– must be vouched for (trust) by 2 existing members.
• Membership includes:
– International participation: currently 8 .ca, and 2 .nz
– Large .gov-sponsored experiments
• http://www.ren-isac.net/membership.html
4
[Chart: Membership growth, Aug-04 through Oct-07, plotted bimonthly. Left axis: People (0–450); right axis: Orgs. (0–250).]
5
In the works:
• Revised membership model
– 2-vouch trust community is difficult to scale to reach all of R&E
– For sharing the most sensitive information, need to have the strong
community trust that vouching – personal knowledge – brings
– Solution: tiered membership – general and X(extra)-Sec members;
General member = appointed by CIO, XSec member = 2-vouched.
– Information sharing policies and guidelines will be structured to work
with the tiered model – a certain level of information sharing (benefit)
among the general membership, and extended sharing in XSec.
• Business Plan
– Formalized organizational framework
– Long-term sustainability
– Growth
– Fee-based membership
6
Information Resources
• REN-ISAC members
• Direct reconnaissance
• Information sharing relationships
• Other sector ISACs
• Global Research NOC at IU
• Vendor relationships
• Network instrumentation and sensors
– Internet2 Abilene network backbone netflow
• Arbor Peakflow SP for DDoS discovery
– REN-ISAC darknet
– Shared Darknet Project
– Global NOC operational monitoring
7
Information Products
• Daily Weather Report provides situational awareness.
• Alerts provide critical and timely information concerning new
or increasing threat.
• Notifications identify specific sources and targets of active
threat or incident involving member networks.
• Data Feeds provide specific identifying information
regarding known active sources of threat.
• Advisories inform regarding specific practices or approaches
that can improve security posture.
• TechBurst webcasts provide instruction on technical topics
relevant to security protection and response.
• Monitoring views provide aggregate information for
situational awareness.
8
[Chart: Compromised System Notifications to .edu, monthly, Jan-06 through Sep-07. Series: Botnet Command and Control Hosts, Infected Hosts, and Unique R&E Institutions.]
9
.EDU Storm Worm Daily Notifications from REN-ISAC
[Chart: daily notification counts (0–800), 2/21 through 9/19, annotated with the Storm spam campaigns: ecard, ecard run #2, phishy, help, video, labor day, privacy, nfl, arcade.]
Beginning Feb 21, REN-ISAC has been a source of ongoing intelligence regarding
compromised systems operating in the Storm Worm botnet.
REN-ISAC sends daily notifications identifying the compromised
machines to security contacts at the machine-owning organization.
10
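The daily notification workflow on this slide (sightings of infected hosts routed to the security contact of the organization that owns each address) as an added example; this is not REN-ISAC code. The netblock registry, the contact addresses, the sighting record layout and the sighting lines are all constructed for the example; the campaign labels are the ones shown on the chart. A more specific netblock (a medical center carved out of a university's /24, say) overrides the containing one, and hosts whose owner cannot be found are reported separately rather than silently dropped.

```python
"""Route daily compromised-host notifications to the security contact of the
organization that owns each address.

Added illustration of the workflow described on the slide; not REN-ISAC
code.  The netblock registry, contact addresses and sighting lines are
constructed for this example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed registry: (CIDR block, organization, security contact).
# A more specific block (longer prefix) overrides a containing one.
NETBLOCK_REGISTRY = [
    ("192.0.2.0/24", "Example University", "security@example.edu"),
    ("192.0.2.128/25", "Example University Medical Center", "soc@med.example.edu"),
    ("203.0.113.0/24", "Example State College", "abuse@example-state.edu"),
]

# Constructed sightings, one per observation of a Storm-infected host:
# ISO-8601 time, host IP, spam campaign label (labels as on the chart).
SIGHTINGS = """\
2007-07-05T03:14:00Z,192.0.2.17,ecard
2007-07-05T09:42:00Z,192.0.2.200,ecard
2007-07-05T11:05:00Z,203.0.113.9,ecard run #2
2007-07-05T14:30:00Z,192.0.2.17,ecard
2007-07-05T16:01:00Z,198.51.100.3,ecard
"""

Registry = List[Tuple[ipaddress.IPv4Network, str, str]]


def load_registry(rows=NETBLOCK_REGISTRY) -> Registry:
    """Parse CIDRs and order them most-specific first for longest-prefix match."""
    parsed = [(ipaddress.ip_network(cidr), org, contact) for cidr, org, contact in rows]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup_owner(ip: str, registry: Registry) -> Optional[Tuple[str, str]]:
    """Return (organization, contact) for the most specific block containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, org, contact in registry:
        if addr in net:
            return org, contact
    return None


def build_notifications(sightings_text: str, registry: Registry):
    """Group sightings by the owning organization's contact.

    Returns (notifications, unrouted): notifications maps contact -> record
    with the org name and one entry per host (sighting count, latest time,
    campaigns seen); unrouted lists hosts whose owner is unknown and which
    therefore need manual follow-up instead of an automated notification."""
    notifications: Dict[str, dict] = {}
    unrouted: List[str] = []
    for line in sightings_text.splitlines():
        if not line.strip():
            continue
        seen_at, ip, campaign = [f.strip() for f in line.split(",", 2)]
        owner = lookup_owner(ip, registry)
        if owner is None:
            if ip not in unrouted:
                unrouted.append(ip)
            continue
        org, contact = owner
        rec = notifications.setdefault(contact, {"org": org, "hosts": {}})
        host = rec["hosts"].setdefault(ip, {"sightings": 0, "last_seen": "", "campaigns": set()})
        host["sightings"] += 1
        host["last_seen"] = max(host["last_seen"], seen_at)  # ISO-8601 UTC sorts lexically
        host["campaigns"].add(campaign)
    return notifications, unrouted


def render_notification(contact: str, rec: dict) -> str:
    """One plain-text notification per organization, hosts in address order."""
    lines = [f"To: {contact}", f"Subject: Storm Worm infected hosts at {rec['org']}", ""]
    for ip in sorted(rec["hosts"], key=ipaddress.ip_address):
        h = rec["hosts"][ip]
        lines.append(f"{ip}  sightings={h['sightings']}  last_seen={h['last_seen']}  "
                     f"campaigns={','.join(sorted(h['campaigns']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    reg = load_registry()
    notes, unrouted = build_notifications(SIGHTINGS, reg)
    for contact, rec in notes.items():
        print(render_notification(contact, rec), end="\n\n")
    print("no owner found (manual follow-up):", unrouted)
```

Repeated sightings of the same host collapse into one line with a count and the latest time, so a recipient sees one entry per machine per day rather than one per observation.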
.EDU Storm Worm Daily Notifications from REN-ISAC
Start of the concerted
and successful e-card
spamming method.
11
.EDU Storm Worm Daily Notifications from REN-ISAC
Notifications quickly and dramatically blunted the
severity of Storm infection in .EDU
12
.EDU Storm Worm Daily Notifications from REN-ISAC
The Microsoft MSRT (Malicious Software Removal Tool)
addresses Storm on 9/11.
13
.EDU Storm Worm Daily Notifications from REN-ISAC
Throughout July and August, using the Internet2 Arbor
Networks Peakflow system, REN-ISAC detected and
responded to about a dozen Storm Worm DDoS attacks transiting the
Internet2 network. On Sept 9 REN-ISAC issued an Alert to the R&E
community, “Storm Worm DDoS Threat to the EDU Sector”.
14
Projects in Cooperation with Internet2 CSI2
• CSI2 Shared Darknet Project
– Information from dispersed, member-based darknet sensors is
combined into a single community resource. It provides notifications of
observed scanning sources and reports of aggregate port scanning
statistics, giving a more complete view of IPv4-based scanning activity
than a single, standalone darknet can. Working in
cooperation with the Internet2 SALSA CSI2 effort.
• CSI2 RENOIR
– Research and Education Networking Operational Incident Repository
provides trust community-based sharing of incident information.
Working in cooperation with the Internet2 SALSA CSI2 effort.
15
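The shared-darknet idea above, as an added example that is not REN-ISAC or CSI2 code: observations from several member sensors are merged into one community view, from which per-source scanning statistics, per-port aggregates and a list of sources worth notifying about are derived. The record layout, sensor names, addresses and the notification thresholds are constructed for the example. The point of pooling is visible in the output: a source that each sensor sees only a few times is corroborated across sensors, which a standalone darknet cannot do.

```python
"""Combine packet observations from several member darknet sensors into one
community view: per-source scanning statistics, per-port aggregates, and a
list of sources worth notifying about.

Added illustration of the shared-darknet idea on this slide; not REN-ISAC or
CSI2 code.  The record layout, sensor names, addresses and thresholds are
constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sensor records: sensor,epoch_seconds,src_ip,dst_ip,proto,dst_port.
# A darknet is unused address space, so nothing legitimate is ever sent there;
# every packet is a probe, a scan, or backscatter from spoofed traffic.
SAMPLE_RECORDS = """\
sensorA,1190000000,198.51.100.7,192.0.2.10,tcp,445
sensorA,1190000001,198.51.100.7,192.0.2.11,tcp,445
sensorA,1190000002,198.51.100.7,192.0.2.12,tcp,445
sensorB,1190000010,198.51.100.7,203.0.113.5,tcp,445
sensorB,1190000011,198.51.100.7,203.0.113.6,tcp,445
sensorB,1190000012,198.51.100.9,203.0.113.7,tcp,22
sensorC,1190000020,198.51.100.7,192.0.2.200,tcp,139
sensorC,1190000021,198.51.100.42,192.0.2.200,udp,1434
sensorC,1190000022,198.51.100.42,192.0.2.200,udp,1434
"""

Record = Tuple[str, int, str, str, str, int]


@dataclass
class SourceStats:
    packets: int = 0
    sensors: Set[str] = field(default_factory=set)    # which members saw it
    targets: Set[str] = field(default_factory=set)    # distinct dark addresses hit
    ports: Set[Tuple[str, int]] = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def parse_records(text: str) -> List[Record]:
    """Parse the constructed CSV layout; blank and '#' lines are skipped."""
    out: List[Record] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sensor, ts, src, dst, proto, port = line.split(",")
        out.append((sensor, int(ts), src, dst, proto, int(port)))
    return out


def aggregate_sources(records: List[Record]) -> Dict[str, SourceStats]:
    """Merge every sensor's observations per source address."""
    stats: Dict[str, SourceStats] = {}
    for sensor, ts, src, dst, proto, port in records:
        s = stats.setdefault(src, SourceStats(first_seen=ts, last_seen=ts))
        s.packets += 1
        s.sensors.add(sensor)
        s.targets.add(dst)
        s.ports.add((proto, port))
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
    return stats


def port_statistics(records: List[Record]) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """(proto, port) -> (packets, distinct sources) across the whole community."""
    packets: Dict[Tuple[str, int], int] = {}
    sources: Dict[Tuple[str, int], Set[str]] = {}
    for _, _, src, _, proto, port in records:
        key = (proto, port)
        packets[key] = packets.get(key, 0) + 1
        sources.setdefault(key, set()).add(src)
    return {k: (packets[k], len(sources[k])) for k in packets}


def scanning_sources(stats: Dict[str, SourceStats], min_sensors: int = 2,
                     min_targets: int = 3) -> List[str]:
    """Sources to notify about.  Corroboration by several independent sensors,
    or a spread of distinct dark targets, separates scanning from a one-off
    misdirected packet or backscatter.  Thresholds are assumed values."""
    hits = [src for src, s in stats.items()
            if len(s.sensors) >= min_sensors or len(s.targets) >= min_targets]
    return sorted(hits, key=lambda src: (-len(stats[src].sensors), -stats[src].packets, src))


def format_notification(src: str, s: SourceStats) -> str:
    ports = ", ".join(f"{p}/{n}" for p, n in sorted(s.ports))
    return (f"{src}: {s.packets} packets to {len(s.targets)} dark addresses "
            f"seen by {len(s.sensors)} sensors, ports {ports}, "
            f"epoch {s.first_seen} to {s.last_seen}")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    stats = aggregate_sources(recs)
    for src in scanning_sources(stats):
        print(format_notification(src, stats[src]))
    for key, (pkts, srcs) in sorted(port_statistics(recs).items(), key=lambda kv: -kv[1][0]):
        print(f"{key[0]}/{key[1]}: {pkts} packets from {srcs} sources")
```

In the sample, only one source crosses the notification threshold, because it is the only one seen by more than one sensor; the two single-sensor sources still count toward the community port statistics without triggering a notification.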
Projects, and Opportunities for Collaboration
• Relationships and information sharing
– Linkage to NREN security teams and CSIRTS
– Arbor Fingerprint Sharing
• Projects
– PDNS
– Scanning Service
– Shared Darknet
– Incident Information Sharing System (RENOIR)
– DNS infrastructure monitoring
– Federated Model (ANL, et al)
• http://www.anl.gov/it/Cyber_Security/Federations_for_Cyber_Defense/index.html
• Very interested to learn what others are doing with regard to IPv6
• Also interested in L2 infrastructure security services
16
Projects, and Opportunities for Collaboration
• REN-ISAC staff at upcoming meetings
– 20-21 Feb, X
– 28-29 Feb, ISOI IV
– 21-23 Apr, Internet2 Spring Meeting
– 4-6 May, EDUCAUSE Security Professionals Conference
– 6 May, REN-ISAC Annual Member Meeting
17
Priorities for the Coming Year
• Not in order
– Membership growth
– Implement the revised Membership Model
– Business plan
– Facilitate various forms of member involvement and contribution
– Develop additional and strengthen existing information sharing
relationships, including the REN-ISAC and Microsoft SCPe
– Assessment of current services and member needs
– Cyber Security Registry
– Various tool and service projects
18
Contacts
http://www.ren-isac.net
24x7 Watch Desk:
[email protected]
+1(317)274-6630
Doug Pearson, Technical Director
[email protected]
19