Working Group 7: Botnet Remediation
Status Update
September 12, 2012
Michael O’Reirdan (MAAWG) - Chair
Peter Fonash (DHS) – Vice-Chair
WG 7 Objectives
Working Group 7 – Botnet Remediation
Description: This Working Group will review the efforts undertaken within the international
community, such as the Australian Internet Industry Code of Practice, and among domestic
stakeholder groups, such as IETF and the Messaging Anti-Abuse Working Group, for applicability
to U.S. ISPs. Building on the work of CSRIC II Working Group 8 ISP Network Protection Practices,
the Botnet Remediation Working Group shall propose a set of agreed-upon voluntary practices
that would constitute the framework for an opt-in implementation model for ISPs. The Working
Group will propose a method for ISPs to express their intent to opt into the framework proposed
by the Working Group.
The Working Group will also identify potential ISP implementation obstacles to the newly drafted
Botnet Remediation business practices and identify steps the FCC can take that may help
overcome these obstacles.
Finally, the Working Group shall identify performance metrics to evaluate the effectiveness of the
ISP Botnet Remediation Business Practices at curbing the spread of botnet infections.
WG 7 Members
Name | Organization
Michael O'Reirdan (Chair) | MAAWG
Peter Fonash (Vice Chair) | DHS
Gunter Ollmann | Damballa
Johannes Ullrich | SANS Institute
Brian Done | DHS
Adam O'Donnell | Sourcefire
Daniel Bright | EMC Inc
Alfred Huger | Sourcefire
Mats Nilsson | Ericsson
Greg Holzapfel | Sprint
Robert Thornberry (Editor) | Alcatel-Lucent
Kurian Jacob | FCC
James Holgerson | Sprint
Uma Chandrashekhar | Alcatel-Lucent
Vern Mosley | FCC
Michael Fiumano | Sprint
Bill McInnis | IID
Kevin Frank | Sprint
Michael Little | Applied Communication Sciences
Chris Sills | IID
Maxim Weinstein | StopBadware
Alex Bobotek | AT&T
Tim Rohrbaugh | Intersections
Patrick Gardner | Symantec
John Denning | Bank of Amer.
Barry Greene | ISC
Tice Morgan | T-Mobile
Neil Schwartzman (Secretary) | CAUCE
Merike Kaeo | ISC
John Griffin | TCS
Ed White | McAfee
Chris Roosenraad | TWC
Chris Lewis | CAUCE
Kevin Sullivan | Microsoft
Michael Glenn | CenturyLink
Jon Boyens | NIST
Joe St Sauver (Glossary) | Univ of Oregon/Internet 2
Paul Diamond (Editor) | CenturyLink
Craig Spiezle | OTA
Robert Mayer | USTelecom Assoc.
Jay Opperman | Comcast
Bill Smith | PayPal
Eric Osterweil | Verisign
Matt Carothers | Cox
Gabe Iovino | REN-ISAC
John St. Clair | Verizon
Timothy Vogel | Verizon
Work Plan
Phase 1: Produce initial Code of Conduct
Phase 2: Identify Barriers to Code Participation
Phase 3: Develop Bot Metrics
Status
Phase 1: U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) completed
– ISPs representing 86% of the U.S. residential subscriber market are either currently participating, or have agreed to participate, in the Code
– Outreach to the smaller ISPs is underway to increase awareness and participation
Status (Cont.)
• Phase 2: Barriers to Code Participation
– Identified five dimensions that can represent obstacles,
in various degrees, depending upon individual guidelines:
• Technology
• Consumer/Markets
• Operations
• Legal/Regulatory
• Financial
– Working Group members are providing substantive input as
part of a worksheet matrix that will evolve over time as
additional implementation guidance is identified and proven
effective
Status (Cont.)
• Phase 2: Barriers to Code Participation (Cont.)
– Lower threshold initiatives will be identified in the
December Final Report, which should provide mid- and small-size ISPs greater latitude to adopt selected guidelines
– December Final Report will include Barriers Worksheet
Matrix along with a snap-shot of current information
– On-going analysis of the barriers may be the basis for an
IETF RFC
Status (Cont.)
• Phase 3: Bot Metrics
– In the process of querying ISPs to identify performance
metrics to evaluate the effectiveness of following the voluntary
U.S. Anti-Bot Code of Conduct for ISPs at curbing the spread of
botnet infections
– Encountering extreme challenges:
• Most ISPs are reluctant to share, are collecting information in different ways,
and the information is not comparable from one company to the next
• Australian iCode is only now starting work on developing metrics after two
years of operation
• Likely outcome is a work plan for developing metrics
WG7 Effort is Part of Multi-Stakeholder Approach to Cybersecurity
[Diagram: stakeholder groups: OS Vendors, Web Hosts, Platform Vendors, End Users, App Dev., AV Vendors, ISPs, Content Providers, Enterprises, Gov’t D/As, e-Commerce Orgs., Regulators, Int’l Partners, Research Inst., Privacy Advocates, Critical Infra.]
• ISPs are in a position to detect botnets operating within their networks and notify end-users of suspected bot infections
• Other members of the Internet ecosystem have equally important roles to fulfill
• A multi-stakeholder approach is necessary in order to fully combat the botnet threat
Next Steps
• Continue Phase 2 - Identification of Barriers to Code Participation
• Continue Phase 3 – Identification of Bot Metrics
• Deliver Final Report on Anti-Bot Code of Conduct Barriers and Metrics – in December 2012