Inter-Network Cooperation · •The first CSIRT -CERT/CC was created in 1988 in response to the Morris worm incident 5-2-1.inter-network-cooperation 17. computer security incident

Inter-NetworkCooperation

5-2-1.inter-network-cooperation 1

Matsuzaki ‘maz’Yoshinobu<[email protected]>

stolesomeslidesfromMerike Kaeo

CooperationandCoordination

• tokeeptheInternetworking– wearerelyingoneachother

• it’sgoodtoknow– community– pointofcontact


NOGs

• NetworkOperationsGroupisanopenforum– technologydiscussions– sharingoperationalbestpractices– compareexperience– peeringcoordination– establishingpersonalrelationships


NOGs

• mailing-list– anyonecansubscribe– trafficdependsoneventsandtopics

• in-personmeeting– participationfeevaries,andcostsoftransports,accommodations

– highvalue


NANOG

• NorthAmericanNetworkOperators’Group– evolvedfromtheNSFNET"Regional-Techs"meetingsin1994

• Threemeetingseachyear– NANOG70,Jun2017,Bellevue– NANOG71,Oct2017,SanJose– NANOG72,Feb2018,Atlanta


https://www.nanog.org/

• program– 1daytutorial– 3daysplenary

• about500attendees– fromAsiaandEuropeaswell


APRICOT

• AsiaandPacificOperationsConference– establishedin1996– co-locatedwithAP*meetings

• heldannuallyonthelastweekofFeb– APRICOT2017,HMC,VietNam– APRICOT2018,Kathmandu,Nepal


http://www.apricot.net/

• program– 5daysworkshop– 4daysconferenceandtutorial– 1dayAPNICmembermeeting

• about600attendees


SANOG

• SouthAsianNetworkOperatorsGroup– establishedin2003

• Twomeetingeachyear– SANOG29,Jan2017,Islamabad– SANOG30,Aug2017,India


http://www.sanog.org/

• program– 5daysworkshop– 2daystutorial– 2daysconference



JANOG

• JapanNetworkOperators’Group– establishedin1997

• locallanguagecommunity- Japanese• Twomeetingseachyear

– JANOG39,Jan2017,Kanazawa– JANOG40,Jul2017,Koriyama


http://www.janog.gr.jp/

• program– 3 dayplenary+BoF



BoFs

• birdsofafeather(BoF)isasmallmeetingfocusedonaspecifictopic– security,peering,andsoon

• usuallyscheduledinadvance,sometimesorganizedondemand


coffeebreaksandsocialevents

• toexpandrelationships– businessandpersonal

• tostart/manageaproject– aface-to-facemeetinghelptostepforwardthings


NOGoperation

• independent– formsacommitteetoleadtheNOG

• supportfromcrossindustry– ServiceProviders– ResearchandAcademics– Vendors– ISOC,NSRC,APNIC,APIA


otherupcomingevents

• upcomingnetwork-relatededucationortrainingevents– http://ws.edu.isoc.org/calendar/– https://nsrc.org/calendar/


CSIRT

• ComputerSecurityIncidentResponseTeam(CSIRT) providestheincidenthandlingserviceforitsconstituency– mayofferotherrelatedservicesaswell

• ThefirstCSIRT- CERT/CCwascreatedin1988inresponsetotheMorriswormincident


computersecurityincident

• Anyrealorsuspectedadverseevent• examples:

– attacksto/fromyournetwork– compromisedhost– account/informationtheft– spamorITpolicyviolation


needsforresponse

• tolimitthedamage• tolowerthecostofrecovery

• aneffectiveresponsebenefitsfororganizations– motivationtohaveaCSIRTinyourorganization


Theincidenthandlingservice

• asinglepointofcontacttoreceiveincidentreports– providesresponseandsupporttothereport– announcementtodiscloseinformationaboutspecificattack/incident

– feedbacktothereport/request


WhatIncidentsShouldBeReported?

• Anysuspiciousactivityshouldbereported– Thisincludessuspicioususeraccountbehavior,computersystemfailuresormisbehavior,accidentalpublicationofinternalemail,lossofequipment/accountinformation,etc.

• Reportingmethods– Internal

• Onlinesupportticketingsystem• Technicalsupportemail

– External• Abuse/incidentemailcontact• Publicweb-basedcontactform• Telephonenumberspecificallyforreportingabuse


InformationforReportingAnIncident

• Dateandtimeoftheevent• Descriptionoftheevent• Assetsthatareaffectedoratriskasaresultoftheevent

• Whethertheeventisinprogressorhasconcluded• Actionstakenbythepartyreportingtheevent• Informalassessmentoftheharmorimpacttotheasset• Informalassessmentofcollaterallyaffectedassets• Data(logs,files,reports)thatmayassisttheCIRTinanalyzingtheevent


IncidentResponse

• Itisalwaysbesttohaveaplaninplacebeforesomethingbadhappens

• DONOTPANIC!• Ifyousetappropriateguidelinesnow,itwillmakethingsaloteasierwhenasecurityincidenthappens


Create a checklist that can be followed whena significant security incident does occur!!

SixPhasesofIncidentResponse


PREPARATIONPrep the networkCreate toolsTest toolsPrep proceduresTrain teamPractice

IDENTIFICATIONHow do you know about the attack?What tools can you use?What’s your process for communication?

CONTAINMENTWhat kind of attack is it?ERADICATION

Where is the attack coming from?Where and how is it affecting the network?

RECOVERYWhat options do you have to remedy?Which option is the best under the circumstances?

POST MORTEMWhat was done?Can anything be done to prevent it?How can it be less painful in the future?

Preparation• Includestechnicalandnon-technicalelements• Knowtheenemy

– Understandwhatdrivesthemiscreants– Understandtheirtechniques

• Createthesecurityteamandplan– Whohandlessecurityduringanevent?Isitthesecurityfolks?

Thenetworkingfolks?

• Hardenthedevices• Preparethetools


Identification

• Goalistogatherevents,analyzethemanddeterminewhetheryouhaveanincident

• AssignIncidentHandlers– Selectapersontohandleidentificationandassessment

– Empowerthemtoescalateifneeded• ControltheFlowofInformation

– Enforce“needtoknow”policy– Telldetailstominimumnumberofpeoplepossible

• CreateTrustedCommunicationChannels


HowDoYouKnowYouAreUnderAttack?

• Understandthedetailsandscopeoftheattack– Identificationisnotsufficient;onceanattackisidentified,details

matter– Guidessubsequentactions

• Qualifyandquantifytheattackwithoutjeopardizingservicesavailability(e.g.,crashingarouter):– Whattypeofattackhasbeenidentified?– What’stheeffectoftheattackonthevictim(s)?– Whatnextstepsarerequired(ifany)?

• Attheveryleast:– Sourceanddestinationaddress– Protocolinformation– Portinformation


Containment

• StoppingtheDamage– Preventattackerfromgettinganydeeperintotheimpactedsystems,orspreadingtoothersystems

• InformManagement• Notifyyourlocalororganizationalincidenthandlingteam

• Additional3phases– Shorttermcontainment– Gatheringevidence/backup– Longtermcontainment


ShortTermContainment• Trytopreventattackerfromcausingmoredamage• Wantuntaintedevidence• Somepossibleactions:

– Disconnectnetworkcable– Pullthepowercable(losesvolatilememoryandmaydamagedrive)

– Isolateswitchportsothatsystemcannolongersend/receivedata

– Applyfilterstoroutersand/orfirewalls– Changeatarget’snameinDNStopointtoadifferentIPaddress


Gatheringevidence

• Thisisnevereasyunderpressure• Hint:Playwiththesetoolsandmakesureyouknowhowtousethembeforeanincidenthappens– dd forUnix/LinuxandWindows– Ghost(thelatestversions– defaultisnotbit-by-bitsoknowhowtoconfigure)

– Driveduplicatorhardwareandwriteblockers


LongTermContainment

• Onceback-upcreatedforforensicsanalysisthechangesforlongtermcontainmentcanbegin

• Applytemporarysolution(s)tostayinproductionwhilebuildingacleansystem– Patchsystem– Changepasswords– Removeaccountsusedbyhacker– Changefilepermissions– Shutdownbackdoorprocessesusedbyattacker


Eradication

• Goalistogetridofanytracesonnetworkdevice(s)thatanattackoccurred

• Determinehowtheattackwasexecutedfromthegatheredevidence

• Restoreoperatingsystemsandconfigurationsfromcleanbackups

• Mayrequirestartingfromcompletelywipedsystems

• Improvedefenses


Recovery

• Goalistogetimpactedsystemsbackintoproductioninasafemanner

• Performsystemvalidations– Runvulnerabilityscanners– Carefullycheckapplicationanddevicelogs

• Usenetworkandhost-basedintrusiondetectionsystemstomonitorreoccurrenceofattack

• Applyanynewlyidentifiedmitigationtechniques


PostMortem• Apostmortemwillhelpanalyzetheeventafternormaloperationshasresumed(andpeoplehavecaughtuponsleep)

• Havethemeetingsoonaftertheincidentpassedsoeveryonehasdetailsfreshintheirminds

• DoNOTblameanyonefordoingsomethingincorrectly

• Theprimarygoalistoaddresslessonslearnedandnotmakethesamemistakesnexttime

• Whatcanyoudotomakerecoveryfaster,easier,lesspainfulinthefuture?


buildingyourCSIRT

• missionstatement– what/howtodo

• constituency– forwhom

• structure– budget,positionwithinorganization

• relationshipwithotherCSIRTs


CSIRTtypes

• NationalCISRTs– anationalpointofcontacttocoordinateanincidenthandling,reducethenumberofsecurityincidentsinthatcountry

• ISP/xSP CSIRTs– provideasecureenvironmentfortheircustomer,andprovideresponsetotheircustomersforsecurityincidents


CSIRTtypes

• VendorsCSIRTs– improvethesecurityoftheirproducts

• EnterpriseCSIRTs– improvethesecurityoftheircorporation’sinfrastructure,andprovideon-siteresponseforsecurityincidents

• andmanymore


PointofContact


CSIRT

constituency

National CSIRT

Securitycommunity

• Thefollowingaresomeexamplewhichwillprovideyouatoolandcontextofthetypesofgroups.– Someareopentoall– Somearepersonalitydriven– Someareinterestdriven– Somearehighlypeervetted


SphereofTrust

• Thecommunitytogethercanbeseeasasphere,realm,zone,oftrust.– basedonchainofTrust


NeedtoKnow inOperationSecurity

• Itrustyou.YouaresomeoneIcandependon,butyoudon’treallyneedtoknowaboutthedetailsofthisincident.

• NotbeinginaNeedtoKnowSphere doesnotmeanyouarenottrusted.


Sphere of Trust

Need to Know

SphereofAction• Youtrustsomeone,butwilltheybeabletodosomething,beresponsive,and/ormakesomethinghappen?

• SphereofActionandChainofActionisanewconceptforvettingpeersintooperationalcommunities.

• Somecommunitieswouldliketojustknowsomethingwillhappen.


I've been working an attack against XXX.YY.236.66/32 and XXX.YY.236.69/32. We're seeing traffic come from <ISP-A>, <ISP-B>, <IXP-East/West> and others.

Attack is hitting both IP's on tcp 53 and sourced with x.y.0.0.

I've got it filtered so it's not a big problem, but if anyone is around I'd appreciate it if you could filter/trace on your network. I'll be up for a while :/

ExpectationofAction

• “Lurking”isbadbehavioronOperationalSecurityCommunities.

• Thereisanexpectationofaction– whereyouusetheinformationtodosomethingwithinyourspanofcontrol&influencetofightthebadness.– Collectmoredataandshare.– Useyourproducttoact.– Usetheinformationtoact(i.e.operator)– Improveyourproductornetwork.

• Inabilitytomeetexpectationserodestrustandyourreputationofsomeonewhoacts.


Community’sIntegrity

• Maintainingintegrityiscommonsense• Neverever forwardinformationpostingwithinaoperationalsecuritygroupwithouttheexplicitpermissionofthepersonwhopostedtheinformation– Immediatebreachoftrust– Violationoftheintegrityofthecommunity

• Eachindividualisaccountabletobeastewardoftheinformationpostedanddiscussedwithinthecommunity


FIRST

• FIRSTisinternationalconfederationoftrusted CISRTsandsecurityteams.– Teamconstituency,ratherthanindividuals– Teamsfromawidevarietyoforganizationsincludingeducational,commercial,vendor,governmentandmilitary

• Mostservicesareformembersonly• https://www.first.org/


FIRSTmembers



tobeaFIRSTmember1. FindtwoexistingFullMembersfornominatingyourteam

("sponsors")2. InformFIRSTSecretariat(FSS)thatyourteamwantstojoinFIRST.3. Workwithyoursponsorssotheyhaveathoroughunderstanding

ofyourteam4. Arrangeforasitevisitbyatleastonesponsor5. Provideallthemandatoryinformationrequestedinsupportto

yournomination(seeSection2.1.2oftheFIRSTMembershipProcessdocumentfordetails).

6. ProvideanyadditionalinformationrequestedbyFIRST7. Yoursponsorwillsubmityourapplication(aftera6-monthperiod,

atmost).8. BoardofDirectorswilldeliveronyourspecificnomination9. Ifapplicationisapproved,paythemembershipaffiliationfee.

5-2-1.inter-network-cooperation 48https://www.first.org/membership

FIRSTevents

• annualconference– everyJune– 28th annualconference

• Seoul,12-17June2016

– anyonecanattend• otherregionalmeetings

– mostlymembersonly


industrybasedcommunity- ISAC

• InformationSharingandAnalysisCenter• Securityrisksarealmostsimilarinanindustry

– TelecomISAC– FinancialISAC– ElectricitySectorISAC– ...andmanymore

• Mostlyaimingtoprotectnationalcriticalinfrastructures


individualbasedcommunity• NSP-SEC

• https://puck.nether.net/mailman/listinfo/nsp-security

• OPS-TRUST• https://openid.ops-trust.net/about




CVE

• CommonVulnerabilitiesandExposures• Dictionaryofcommonnames(ex.CVEidentifiers)forpubliclyknownsecurityvulnerabilities

• https://cve.mitre.org/

• Wecanuseacommonnametospecifyasecurityvulnerability


example:CVE-2015-5986

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986

• target– ISCBIND9.9.7before9.9.7-P3and9.10.xbefore9.10.2-P4

• impact– vulnerableISCBINDallowsremoteattackerstocauseadenialofservices


ISCBINDreleasenote

• https://kb.isc.org/article/AA-01301/81/BIND-9.10.2-P4-Release-Notes.html

Introduction:BIND9.10.2-P4addressessecurityissuesdescribedinCVE-2015-5722andCVE-2015-5986.


CVSS

• CommonVulnerabilityScoringSystem• https://www.first.org/cvss/

– CVSSv3wasreleasedin2015• AnopenframeworkforcommunicatingthecharacteristicsandimpactofITvulnerabilities


CVSSScores

• BaseScore– technicalevaluation

• TemporalScore– environmentalevaluation– proofofconceptcode/attackcode– couldbechangedoverthetime


CVSSScores

SecurityLevel ScoreCritical 9- 10High 7- 8.9Medium 4- 6.9Low 0.1- 3.9Info 0



Inter-Network Cooperation · •The first CSIRT -CERT/CC was created in 1988 in response to the Morris worm incident 5-2-1.inter-network-cooperation 17. computer security incident

Documents