REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece
REN-ISAC
The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:
• the sharing of actionable information within a private trust community,
• the provision of other direct security services, and
• serving as the R&E trusted partner within the formal ISAC community.
Cooperative Effort
• Direct and in-kind funding:
  • IU (host organization), LSU, Internet2, EDUCAUSE
• Executive Advisory Group
  • IU, LSU, Oakland U, Reed College, U Mass, UMBC, U Montana, Internet2, and EDUCAUSE
• Technical Advisory Group
  • Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI
• Microsoft Analysis Team
  • Colorado, IU, NYU, UIUC
• Major contributors
  • Buffalo, Brandeis, and WPI (systems), MOREnet (TechBursts)
• And the MEMBERS!
Membership (the old, and still current plan)
• Membership is open and free to:
  • institutions of higher education,
  • teaching hospitals,
  • research and education network providers, and
  • government-funded research organizations.
• Membership guidelines are roughly:
  • must have organization-wide responsibilities for cyber security protection and response,
  • must be permanent staff, and
  • must be vouched for (trust) by 2 existing members.
• Membership includes:
  • International participation: currently 8 .ca and 2 .nz
  • Large .gov-sponsored experiments
• http://www.ren-isac.net/membership.html
Membership [chart: People, Orgs.]
In the works:
• Revised membership model
  • A 2-vouch trust community is difficult to scale to reach all of R&E.
  • For sharing the most sensitive information, we need the strong community trust that vouching (personal knowledge) brings.
  • Solution: tiered membership, with General and XSec (extra-security) members. A General member is appointed by the CIO; an XSec member is 2-vouched.
  • Information sharing policies and guidelines will be structured to work with the tiered model: a certain level of information sharing (benefit) among the general membership, and extended sharing in XSec.
• Business Plan
  • Formalized organizational framework
  • Long-term sustainability
  • Growth
  • Fee-based membership
Information Resources
• REN-ISAC members
• Direct reconnaissance
• Information sharing relationships
  • Other sector ISACs
  • Global Research NOC at IU
  • Vendor relationships
• Network instrumentation and sensors
  • Internet2 Abilene network backbone netflow
  • Arbor Peakflow SP for DDoS discovery
  • REN-ISAC darknet
  • Shared Darknet Project
  • Global NOC operational monitoring
Information Products
• Daily Weather Report provides situational awareness.
• Alerts provide critical and timely information concerning a new or increasing threat.
• Notifications identify specific sources and targets of an active threat or incident involving member networks.
• Data Feeds provide specific identifying information regarding known active sources of threat.
• Advisories inform regarding specific practices or approaches that can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
• Monitoring views provide aggregate information for situational awareness.
Compromised System Notifications to .edu [chart: Botnet Command and Control Hosts, Infected Hosts, Unique R&E Institutions]
.EDU Storm Worm Daily Notifications from REN-ISAC [chart with annotations]
• Beginning Feb 21, REN-ISAC has been a source of ongoing intelligence regarding compromised systems operating in the Storm Worm botnet. REN-ISAC sends daily notifications identifying the compromised machines to security contacts at the machine-owning organization.
• Start of the concerted and successful e-card spamming method.
• Notifications quickly and dramatically blunted the severity of Storm infection in .EDU.
• The Microsoft MSRT (Malicious Software Removal Tool) addresses Storm (9/11).
• Throughout July and August, utilizing the Internet2 Arbor Networks Peakflow system, REN-ISAC detected and responded to about a dozen Storm Worm DDoS attacks transiting the Internet2 network. On Sept 9 REN-ISAC issued an Alert to the R&E community, "Storm Worm DDoS Threat to the EDU Sector".
Projects in Cooperation with Internet2 CSI2
• CSI2 Shared Darknet Project
  • Information from dispersed, member-based darknet sensors is combined into a single community resource. Provides notifications of observed scanning sources and reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than a single, standalone darknet provides. Working in cooperation with the Internet2 SALSA CSI2 effort.
• CSI2 RENOIR
  • Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.
Projects, and Opportunities for Collaboration
• Relationships and information sharing
  • Linkage to NREN security teams and CSIRTs
  • Arbor Fingerprint Sharing
• Projects
  • PDNS
  • Scanning Service
  • Shared Darknet
  • Incident Information Sharing System (RENOIR)
  • DNS infrastructure monitoring
  • Federated Model (ANL, et al.)
    • http://www.anl.gov/it/Cyber_Security/Federations_for_Cyber_Defense/index.html
• Very interested to learn what others are doing with regard to IPv6
• Also interested in layer 2 (L2) infrastructure security services
Projects, and Opportunities for Collaboration
• REN-ISAC staff at upcoming meetings
  • 20-21 Feb, X
  • 28-29 Feb, ISOI IV
  • 21-23 Apr, Internet2 Spring Meeting
  • 4-6 May, EDUCAUSE Security Professionals Conference
  • 6 May, REN-ISAC Annual Member Meeting
Priorities for the Coming Year
• Not in order
• Membership growth
• Implement the revised Membership Model
• Business plan
• Facilitate various forms of member involvement and contribution
• Develop additional and strengthen existing information sharing relationships, including the REN-ISAC and Microsoft SCPe
• Assessment of current services and member needs
• Cyber Security Registry
• Various tool and service projects
Contacts
http://www.ren-isac.net
24x7 Watch Desk: ren-isac@ren-isac.net, +1(317)274-6630
Doug Pearson, Technical Director: dodpears@ren-isac.net