This article discusses the vision and reality of delivering a secure and healthy naming service through the DNS-CERT concept, proposing a distributed and hierarchical model. It explores the need for a DNS-CERT, its main characteristics, issues raised with the centralized model, and recommendations for a new concept. The article concludes with the main elements of the proposed DNS-CERT model.

DNS-CERT: Vision and Reality for delivering a secure and healthy naming service
Dr. Igor Nai Fovino
Global Cyber Security Center
Malta, 18 June 2012

Domain Name System
The Domain Name System
• Created in 1983 by Paul Mockapetris (RFCs 1034 and 1035)
• What Internet users use to reference anything by name on the Internet
• The mechanism by which Internet software translates names to addresses and vice versa
• A lookup mechanism for translating objects into other objects
• A globally distributed, loosely coherent, scalable, reliable, dynamic database
[Figure: DNS tree with the labels Root, .mil, .com, .edu, ebay, google]
Elements…Operation Layer Operations unfortunately are not strictly regulated, especially with regard to crisis management and minimum service requirements

Critical Infrastructures – ICT Dependencies
• Massive use of Internet in Critical Infrastructures
• Cloud/CDN/SOA Infrastructures
• Massive increase of Emergent Pervasive Services
• Centrality of DNS

DNS as Critical Infrastructure: its impact on Energy Smart Grids
[Figure labels: Public Network, DNS impacts on]

In recent years the number, types and impact of DNS incidents have been increasing
DNS incidents shown on the slide's timeline:
• Avalanche and Zeus botnet attackers started a broad attack from domains registered through a very small number of registrants at any time
• Massive DNS cache poisoning attack that affected millions of users in Brazil
• A DNS cache poisoning attack strategy, with a vast potential for exploitation, is identified
• Internet Domain Name System's root servers target of a denial of service attack
• Internet Domain Name System's root servers target of a denial of service attack
• Attack against several country code top-level domain (ccTLD) registration systems
• Internet distributed denial of service attack. 4 of the 13 root servers were affected, two badly
• Conficker worm infects millions of computers
Timeline dates (in the order extracted from the slide): 10/2002, 1997, 2007, 7/2008, 11/2008, 12/2008, 2009, 11/2011

Hence the need for a DNS-CERT was born. In 2010 ICANN proposed a DNS-CERT based on a centralized model
Main characteristics of ICANN's DNS-CERT proposal (1)
• Gain situational awareness
• Share information
• Improve coordination within the DNS operational community and with the broader security community
• Provide both proactive and reactive services such as:
  • Incident handling coordination or direct assistance
  • 365 x 24 x 7 point of contact
  • Vulnerability management support
  • Security advisory services
  • Watch and warning services
  • Education and training
  • Dashboard service to measure DNS health and security status
• Annual budget of $4.2 million USD (staff, facilities, support)
• Launched with ICANN support but supervised by a sponsor-based Board of Governors
1) http://www.icann.org/en/news/public-comment/dns-cert-12feb10-en.htm

…but it did not gain consensus from the community, because the CERT model is not easy to apply to the DNS ecosystem
Main issues raised
• Analysis to understand threats and risks to the DNS should precede specific proposals for a DNS-CERT
• ICANN proposal was considered insufficient in detail and in analysing gaps regarding current activities and capabilities related to DNS security and resiliency
• The mission of establishing a DNS-CERT was outside of ICANN's limited role of technical coordination
Main recommendations
• Better understand emerging threats and understand how these translate to DNS ecosystem actors
• Examine existing initiatives and evaluate alternative or supplementary mechanisms for addressing DNS security issues, and with a lower resource requirement
• Establish a working group to involve the ICANN supporting organizations and advisory committees for analysing the requirements, resources and organizational approaches to the DNS-CERT concept
• Educate existing DNS operators and the CSIRT community and enhance information sharing capabilities

To respond to the issues and recommendations raised, GCSEC proposes a new DNS-CERT concept, based on a distributed and hierarchical model
Main reasons for a new concept
• While ICANN proposed a centralized model, our concept is based on a hierarchical and distributed model. It will meet the needs of a global and independent architecture, as the DNS itself is
• Unlike the ICANN model, this new concept will not overlap current activities and capabilities (e.g. National CERT activities already in place) but will enhance and improve them through the sharing of experiences, initiatives and best practices
• In our concept, establishing the DNS-CERT will be the mission of the community and not of a single organization
• It creates a culture of emergency preparedness in the DNS community and promotes education and security exercises
• The distributed model is an agile model and facilitates the interfaces with stakeholders such as national CERTs and the related critical infrastructure

The new DNS-CERT model is composed of five main elements
Main DNS-CERT model elements
• Mission: it defines the mission of the CERT (e.g. provide concentrated support, enhance the capability, cooperation and information sharing, …)
• Constituency: it consists of all aspects concerning participant and stakeholder identification and engagement, authority model definition (full, shared or no authority), board
• Operational model: it defines the model on which the DNS-CERT will provide its services (e.g. centralized, distributed, combined distributed and centralized model)
• Governance model: it includes all organizational and procedural aspects for creating and continually enhancing the capability of incident response and prevention (e.g. information sharing and trust model)
• Services: it consists of all services that the DNS-CERT can deliver (reactive, proactive, artifact handling, security quality management)

DNS-CERT mission
Enhance the level of security, stability, resiliency and health of the global DNS by creating a distributed response capability among all actors of the DNS ecosystem, to respond to and prevent DNS incidents and threats

The constituency is composed of participants that are directly involved in the DNS-CERT and stakeholders that are interested in it or could support it
CERT constituency is an established term for the customer base of its services
Possible participants
• Participants are all people or organizations that must be directly involved in DNS-CERT activities. Possible participants are:
  • Root Operators
  • DNS Operators
  • TLD Registries
  • Registrars
  • ISPs
  • Registrants
  • Critical Infrastructure Operators
Possible stakeholders
• Stakeholders are people or organizations that are interested in DNS-CERT activities or that could support it in specific cases. Possible stakeholders are:
  • National CERT
  • Standardization organization
  • Business community
  • Law Enforcement
  • Vendors
  • Researchers & Academics
  • International incident cooperation organizations
  • Government agencies
• The distributed model facilitates the interface with the local national CERTs (stakeholders), which have the capabilities and contacts to interface directly with the operators of critical infrastructure
• International organizations for incident cooperation (such as FIRST) will be able to contribute to the dissemination of common best practices and awareness about DNS issues

Operational model: the basic concepts
Defining a high-performing schema to organize the sharing of information and resources among DNS CERT participants
Three main elements
• Actors: the DNS CERT participants, the stakeholders, and any other organization that is interested in the work of the group and acts either as a passive or an active contributor
• Events: the set of possible events, needs and situations that trigger one or more interactions among the actors
• Interactions: the type of interaction between two actors at the occurrence of a specific event

Operational model: the building blocks
Actors
Root Operators, DNS Operators, TLD Registries, Registrars, ISP, Corporate Infrastructures Operators, Registrants, Law Enforcement, Vendors, Researchers & Academics, National CERTs, Government Agencies, Standardization Organizations, Business Community, International Incident Cooperation Organizations, …
Events
• I have an Opinion: an idea, an evaluation, a view, or a suggestion could interest the CERT
• I find a Vulnerability: a vulnerability that impacts the DNS has been discovered
• I perceive an Anomaly: anomalous DNS behaviour has been noticed
• An Incident occurs: an incident directly or indirectly related to the DNS has happened
• I have a Solution: a solution related to a DNS issue has been found
• I have a Need: I have a necessity concerning the DNS
• I am asked for Involvement: an actor engages me for a task
Interactions
• Request: I ask for something
• Response: I answer a request
• Interest: I express interest in something
• Information: I share information on a topic
• Link: I share something related to a previous interaction
• Forward: I forward something to another actor

Operational model: from a general model of interaction…
Events Matrix (illustrative)
Each Event that occurs to a specific Actor triggers an Interaction with one or more other actors of the CERT. Taking into account the identified events, we noticed that not all the actors need to interact directly with each other. The matrix describes how the actors are linked together in our operational model and shows, with different colors, a greater or lesser logical proximity. It is worth noticing that an actor is likely to talk with others of the same or a similar type.
Matrix legend:
• No events of the source actor trigger a direct interaction with the destination actor
• All the events of the source actor can trigger a direct interaction with the destination actor

Operational model: … to a hierarchical schema
• What we showed in the previous slide is an “Adjacency matrix” of a graph where:
  • the nodes are the actors of the CERT
  • the edges represent the possible flows of interactions among the actors themselves
• That matrix generates a hierarchical 3D model
• Our schema allows a rational interaction among the actors of the CERT, avoiding redundancy and useless spread of information
[Figure: hierarchical 3D model; repeated layers with the node labels Root Op., R&A, Vendors, DNS Op., ISP, TLD Reg., Registrars, Registrants, CIO]

Operational model: some examples
[Figures: Example 1 and Example 2, each showing numbered interaction steps between actors]
• The CERT can be activated when an actor has a specific problem. The Operating Model requires that actor to alert one of the actors it is connected with, in search of assistance
• The CERT allows simple and convenient sharing of knowledge and resources among the involved actors
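
The adjacency-matrix view of the actors and the "alert one of those it is connected with" rule from the operational model slides, as an added Python example that is not part of the original presentation. The links are constructed (the slide's matrix is only illustrative) and the function names are hypothetical.

```python
from collections import deque

# Constructed data (assumption): the slide's matrix is illustrative only, so these
# links are invented; actor names follow the labels in the slide's diagram.
ACTORS = ["Root Op.", "R&A", "Vendors", "DNS Op.", "ISP", "TLD Reg.",
          "Registrars", "Registrants", "CIO"]
EDGES = [("Root Op.", "R&A"), ("Root Op.", "Vendors"), ("Root Op.", "DNS Op."),
         ("R&A", "Vendors"), ("Vendors", "DNS Op."), ("DNS Op.", "ISP"),
         ("DNS Op.", "TLD Reg."), ("ISP", "TLD Reg."), ("ISP", "CIO"),
         ("TLD Reg.", "Registrars"), ("Registrars", "Registrants"),
         ("Registrants", "CIO")]

def adjacency_matrix(actors, edges):
    idx = {a: i for i, a in enumerate(actors)}
    m = [[0] * len(actors) for _ in actors]
    for a, b in edges:  # interactions flow both ways, so the matrix is symmetric
        m[idx[a]][idx[b]] = m[idx[b]][idx[a]] = 1
    return m

def neighbours(matrix, actors, actor):
    row = matrix[actors.index(actor)]
    return [a for a, linked in zip(actors, row) if linked]

def bfs(matrix, actors, source):  # breadth-first: actors are discovered nearest first
    parent, depth, queue = {source: None}, {source: 0}, deque([source])
    while queue:
        actor = queue.popleft()
        for peer in neighbours(matrix, actors, actor):
            if peer not in parent:
                parent[peer], depth[peer] = actor, depth[actor] + 1
                queue.append(peer)
    return parent, depth

def hierarchy(matrix, actors, top):  # layer k holds the actors k hops from `top`
    _, depth = bfs(matrix, actors, top)
    layers = [[] for _ in range(max(depth.values()) + 1)]
    for actor, d in depth.items():
        layers[d].append(actor)
    return layers

def escalation_path(matrix, actors, source, can_help):
    # Forward hop by hop to the nearest actor able to help; [] if there is none.
    parent, _ = bfs(matrix, actors, source)
    hit = next((a for a in parent if a != source and can_help(a)), None)
    path = []
    while hit is not None:
        path.append(hit)
        hit = parent[hit]
    return path[::-1]
```

With these constructed links, a Registrant that needs a TLD registry reaches it through its Registrar, contacting only the actors on that path instead of broadcasting to the whole CERT.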

A first step could be the adoption of a common DNS security, resiliency and health metrics framework
• The CERT needs a common and formalized language to exchange information
• A common way to measure DNS performance, as well as a common way of investigating potential weaknesses, are needed steps
• There is a lack of standards
• The MeNSa project: “Define methodologies and develop instruments to measure DNS health and security”

Goals
• Identify components and processes involved in the DNS.
• Analyze common characteristics.
• Identify suitable methodologies.
• Describe a workflow for DNS assessment.
• Collect available tools and develop new ones.
• Define and implement algorithms for the framework.
Health
• Coherency
• Integrity
• Speed
• Availability
• Resiliency
• Stability
• Security
• Vulnerability

Point of View Analysis
Each actor will be able to describe the DNS from its perspective
• To select only a certain set of information, a mechanism is introduced that allows the model to be “read” from different perspectives
• Several PoVs defined… (figure labels: Zone, Resolver, End User, ASP)
• Every PoV will be described with respect to the proposed models.

The operational model will be managed through a governance model composed of organization, processes and tools
[Figure: CERT Governance Model, with the components Organization, Processes, Tools]

Organization includes strategies, legal and administrative framework, organizational model and policies
Organization main aspects (illustrative)
Strategies
• Mission, vision, goals, objectives, constraints
• Strategy and minimum capability level
• Risk Management strategies
• Trust Model
• …
Legal & admin framework
• Legal entity
• Funding Model
• Non-disclosure agreements (NDAs)
• Mutual Aid and Assistance Agreement
• …
Organization model
• Organizational model and structure
• Reporting structure, authority
• Roles and responsibilities
• Staff
• …
Policies
• Information sharing policy
• Incident classification and communication policy
• Trust communication policy
• Resource management policies
• Incident handling guidelines
• Interoperability policy
• …

The organizational model could be composed of a distributed and hierarchical structure overseen by a Board composed of the participants' representatives
Organizational model
Comments
• The model is based on voluntary participation
• The DNS-CERT could be managed by a not-for-profit consortium composed of participants
• It will be overseen by a Board composed of one representative per participant
• Basic Information Sharing will be managed through a distributed ISAC
• Face-to-face meetings will be organized during the year
[Figure: Management Board; Coordination Groups (Group A, Group B, Group C); Operational Layer (Root Op., R&A, Vendors, DNS Op., ISP, TLD Reg., Registrars, Registrants, CIO)]

The governance model also includes all processes and tools
Processes main aspects (illustrative)
• Information sharing process
• Mutual aid and assistance process
• Communication and coordination process
• Risk management process
• Incident reporting process
• Incident coordinated response process
• Performance measurement process
• Escalation process
• Emergency management process
• Post incident evaluation process
• Lessons learned and improvement process
• Incident management exercise process
• …

• Tools for information sharing
• Tools for DNS health and security evaluation
• Tool for performance evaluation
• …

In a first phase, the DNS CERT would provide some services, with others following in a second phase
Columns shown on the slide:
• Typical CERT Services (1)
• First phase's possible DNS CERT services
• Second phase's possible DNS CERT services
1) ENISA CSIRT services List from CERT/CC

Final Remarks
• Attacks on the DNS system can be used to indirectly damage critical infrastructures
• The DNS must, indeed, be considered a Critical Infrastructure
• Stronger Inter-Actors Governance Processes
• Assessment Frameworks
• Early Warning Policies
• Protocol enforcement
• Information Sharing
• Need for a Distributed and Coordinated DNS CERT
• The Global Cyber Security Center is promoting a new initiative to support the concept of DNS-CERT