What Botnets do
Source: PCWorld
© Leaders in Security – LSEC, 2014, for ACDC – public, p 2
But who cares? – Business? – Not really
Source: LSEC, Innovations, Websense, 09/13
Carna Botnet: 420,000 bots – a research project
Source: LSEC, ACDC, Cyberdefcon 03/2013
Relevance for ETSI Members : Global Threat Map Today
Europe is target and host
Source: Hostexploit, September 2013
Why ETSI Members should have interest in Botnets
• Spambots: spam can result in extra cost for the ISPs in terms of wasted network, server, or personnel resources, among many other potential costs and side effects.
• Reputation: bots can also negatively affect the reputation of the ISP, their customers, and the email reputation of the IP address space used by the ISP (often referred to simply as 'IP reputation').
• Hosting criminal activities: bots serve as platforms for directing, participating in, or otherwise conducting attacks on critical Internet infrastructure. Bots are frequently used as part of coordinated Distributed Denial of Service (DDoS) attacks for criminal, political, or other motivations.
Source: CSRIC, January 2012 – US ABC – AntiBotnet
• Role of ISPs:
  • attempt to detect and observe botnets operating in their networks.
  • may also be in a position to notify their customers of actual, potential, or likely infection by bots.
• Role of end-users:
  • once notified, they can take steps to remove the bots, resolve any problems which may stem from the bot infection, and protect themselves against future threats.
Impact of Botnet Defense
Source: PCWorld, IBM
Infected machines vs subscribers per ISP (spam)
Source: Botnet mitigation and the role of ISPs, TU Delft, March 2013
ACDC & The European Commission's Cyber Security Strategy
Trust and Security, DG CONNECT - European Commission
Pan-European Multi-stakeholder approach
Source: ENISA, 2012: DG INFSO CIP PSP
ACDC Partner Spread
WP2 Pilot Components & Technology Development
Tools:
(1) Sensors and detection tools for networks
(2) Systems Infections – infected websites analysis
(3) Device Detection and mitigation – multi-purpose tools for end users
(4) Centralized Data Clearing House and
(5) Pan-European Support Centre
T2.1: Establishing and Management of Pilot Governance Group (LSEC) [M01-M27]
T2.2: Developing Technology Framework (ATOS) [M01-M06]
T2.3: Developing Pilot Component Task Forces (LSEC) [M01-M21]
T2.4: Pilot Component Developments (LSEC, TID) [M03-M23]
T2.5: Change management (LSEC) [M06-M27]
T2.6: Component Development Quality control management (LSEC) [M06-M27]
Examples: Telecom Italia Involvement
Telecom Italia Information Technology is in charge of managing the IT assets and the security operations for the TI group.
Within TI-IT, the Security Lab has several years of experience in botnet-fighting:
• Analysis of botnet phenomena, with a focus on botmaster behaviour
• Identification of infected PCs through DNS analysis
• Honeynet systems
• Malware domain identification and monitoring
• Mobile malware analysis
Examples: Telecom Italia Involvement
• Honeynet system:
  • Network of sensors on public fixed and mobile networks
  • Nowadays 80 sensors are available
  • Open-source technology used for honeypots
  • HPFEEDS protocol internally used to convey/distribute information collected by honeypots
• Internet Background Radiation:
  • Collaboration with UK CyberDefcon (Darknet)
  • Passive sensors, "black hole"
  • An entire x.x.x.0/24 (class C) network dedicated to it
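The slide names HPFEEDS as the channel between honeypot sensors and the collector but does not show how it works. The following is an added example, not ACDC or Telecom Italia code: it reproduces the classic hpfeeds wire framing (length prefix, opcode, 1-byte-length strings) and its nonce-based AUTH handshake, written from memory of the reference hpfeeds library and therefore an assumption. The broker name, identifier, channel name and event payload are constructed; broker and sensor are simulated in one process, with no network involved.

```python
# Added example (not ACDC or Telecom Italia code): the classic hpfeeds wire
# framing and nonce-based AUTH, written from memory of the reference hpfeeds
# library (an assumption). Broker and sensor are simulated in one process on
# constructed data; no network is used.
import hashlib
import hmac
import os
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = 0, 1, 2, 3, 4
MAX_MSG = 1024 * 1024  # hard cap so a hostile length prefix cannot exhaust memory


def strpack8(b: bytes) -> bytes:
    """hpfeeds short string: 1-byte length prefix followed by the bytes."""
    if len(b) > 255:
        raise ValueError("hpfeeds short string longer than 255 bytes")
    return bytes([len(b)]) + b


def msghdr(op: int, data: bytes) -> bytes:
    """Frame: 4-byte big-endian total length (header included), 1-byte opcode, payload."""
    return struct.pack("!IB", 5 + len(data), op) + data


def msg_info(broker_name: bytes, rand: bytes) -> bytes:
    return msghdr(OP_INFO, strpack8(broker_name) + rand)


def msg_auth(rand: bytes, ident: bytes, secret: bytes) -> bytes:
    # The sensor proves knowledge of the secret without sending it: sha1(nonce || secret).
    return msghdr(OP_AUTH, strpack8(ident) + hashlib.sha1(rand + secret).digest())


def msg_publish(ident: bytes, chan: bytes, payload: bytes) -> bytes:
    return msghdr(OP_PUBLISH, strpack8(ident) + strpack8(chan) + payload)


def unpack(msg: bytes):
    """Split one frame into (opcode, payload), validating the length prefix first."""
    if len(msg) < 5:
        raise ValueError("short frame")
    length, op = struct.unpack("!IB", msg[:5])
    if length > MAX_MSG or length != len(msg):
        raise ValueError("bad length prefix")
    return op, msg[5:]


def parse_str8(data: bytes):
    """Inverse of strpack8: returns (string, remainder)."""
    if not data or len(data) < 1 + data[0]:
        raise ValueError("truncated short string")
    n = data[0]
    return data[1:1 + n], data[1 + n:]


class Broker:
    """Minimal broker side: issues a fresh nonce, verifies AUTH, accepts PUBLISH."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # ident -> secret (constructed test credentials)
        self.name = b"acdc-broker"      # hypothetical broker name
        self.rand = os.urandom(4)       # per-connection nonce: a captured AUTH cannot be replayed
        self.authed = None
        self.received = []

    def hello(self) -> bytes:
        return msg_info(self.name, self.rand)

    def handle(self, msg: bytes) -> bool:
        op, data = unpack(msg)
        if op == OP_AUTH:
            ident, digest = parse_str8(data)
            expected = hashlib.sha1(self.rand + self.secrets.get(ident, b"")).digest()
            # constant-time compare; an unknown ident fails the same way as a wrong secret
            if ident in self.secrets and hmac.compare_digest(digest, expected):
                self.authed = ident
                return True
            return False
        if op == OP_PUBLISH:
            if self.authed is None:
                return False            # never accept events before authentication
            ident, rest = parse_str8(data)
            chan, payload = parse_str8(rest)
            if ident != self.authed:
                return False            # claimed ident must match the authenticated one
            self.received.append((chan, payload))
            return True
        return False


def run_exchange(secret: bytes, claimed_secret: bytes):
    """Sensor authenticates with `claimed_secret` and publishes one honeypot event."""
    broker = Broker({b"sensor-01": secret})
    op, info = unpack(broker.hello())
    assert op == OP_INFO
    _broker_name, rand = parse_str8(info)
    ok_auth = broker.handle(msg_auth(rand, b"sensor-01", claimed_secret))
    event = b'{"src":"203.0.113.7","dst_port":445}'   # constructed sample event
    ok_pub = broker.handle(msg_publish(b"sensor-01", b"dionaea.connections", event))
    return ok_auth, ok_pub, broker.received
```

Two points matter operationally. The nonce stops replay of a sniffed AUTH frame, but the classic protocol carries events in clear, so a sensor network spanning public fixed and mobile links needs TLS or a VPN underneath it. And a broker must bound the length prefix and refuse PUBLISH before AUTH, or any host that can reach the port can feed fake "infections" into the collector.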
STIX Aggregator
Operational Detection
CARNet (HR) have produced a network of detection systems which identify botnet activity within spam e-mails and network connections.
Operational Detection
XLAB have produced an Intrusion Detection System for Android smartphones.
Data Sharing & Analysis
CARNet creates identified threat information in the STIX format and sends the information to the ACDC STIX Aggregator.
[Figure: STIX Aggregator]
The XLAB Android IDS infrastructure queries the STIX Aggregator to obtain threat information provided by CARNet and blocks access to suspicious sites.
Types of Information Currently Collected
• URLs hosting suspected malware
• Malware samples
• IP Addresses of hosts sending SPAM
• IP Addresses of suspected Command and Control Servers
• …
Collected from Honeypot Networks, SPAM collection systems and custom partner tools.
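The two slides above describe the consumer side of the sharing loop (an IDS pulls STIX from the aggregator and blocks suspicious sites) and the indicator types exchanged (malware URLs, C2 addresses). The following is an added example, not CARNet, XLAB or ACDC code: it parses a STIX 1.x package, the XML form in use in 2013, into URL and IP indicators and applies them as a block decision. The package is constructed for this example, and the namespace URIs and element names follow STIX 1.1 / CybOX 2.1 as recalled from memory, so treat them as an assumption to check against the schema you actually receive.

```python
# Added example, not CARNet/XLAB or ACDC code: consume a STIX 1.x package of the
# kind the ACDC aggregator exchanged (URLs hosting malware, C2 addresses) and use
# it as a block list. The package below is constructed for this example; the
# namespace URIs follow STIX 1.1 / CybOX 2.1 and are assumed from memory.
import ipaddress
import xml.etree.ElementTree as ET   # for feeds from untrusted peers use defusedxml instead
from urllib.parse import urlsplit

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

SAMPLE_PACKAGE = f"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="{NS['stix']}" xmlns:indicator="{NS['indicator']}"
    xmlns:cybox="{NS['cybox']}" xmlns:URIObj="{NS['URIObj']}"
    xmlns:AddressObj="{NS['AddressObj']}" xmlns:xsi="{NS['xsi']}"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
      <indicator:Title>URL hosting suspected malware</indicator:Title>
      <indicator:Observable id="example:obs-1">
        <cybox:Object id="example:obj-1">
          <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
            <URIObj:Value condition="Equals">http://malware.example/dl/payload.apk</URIObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
      <indicator:Title>Suspected Command and Control server</indicator:Title>
      <indicator:Observable id="example:obs-2">
        <cybox:Object id="example:obj-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">198.51.100.23</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_indicators(xml_text: str):
    """Return ({urls}, {ip addresses}) from a STIX 1.x package.

    Only observables with condition="Equals" (the default) are taken; other
    conditions (Contains, FitsPattern, ...) need pattern matching, not a set.
    Malformed entries are skipped so one bad record cannot poison the feed."""
    root = ET.fromstring(xml_text)
    urls, ips = set(), set()
    for props in root.iterfind(".//cybox:Properties", NS):
        kind = props.get(f"{{{NS['xsi']}}}type", "")   # xsi:type in Clark notation
        if kind.endswith("URIObjectType"):
            for v in props.iterfind("URIObj:Value", NS):
                if v.get("condition", "Equals") == "Equals" and v.text:
                    urls.add(v.text.strip())
        elif kind.endswith("AddressObjectType"):
            for v in props.iterfind("AddressObj:Address_Value", NS):
                if v.get("condition", "Equals") != "Equals" or not v.text:
                    continue
                try:
                    ips.add(ipaddress.ip_address(v.text.strip()))
                except ValueError:
                    continue   # not an IP literal: ignore rather than abort the import
    return urls, ips


def should_block(url: str, urls: set, ips: set) -> bool:
    """Block on an exact URL match or when the request host is a listed IP.

    Host-level matching of listed URLs is deliberately not done: on shared
    hosting it would block every neighbour of one infected site."""
    if url in urls:
        return True
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return False   # a hostname, not an IP literal
```

Parsing the aggregator's feed with the standard library is fine for a trusted internal peer; for packages received from third parties the parser should be defusedxml (or an equivalently hardened one) so entity expansion and external entities in a crafted package cannot take the IDS down.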
Expected outcomes for Telecom Italia
• TI, as a telco and ISP provider, is particularly interested in fighting malware and botnets, protecting its infrastructures and customers
• TI is strongly involved in the ACDC Pilot with a team of security-skilled people, technical measures and tools that will be integrated into the ACDC framework
• Information and experience sharing and international collaboration are nowadays essential for effective cybersecurity
• ACDC represents a concrete way to improve the security of the EU cyberspace.
User Tools & Impact
http://www.check-and-secure.com
https://www.check-and-secure.com/completion/_de/index.html
User Tools & Impact
https://www.initiative-s.de/de/index.html
Effective Cyber Threat Intelligence and Information Sharing
Sharing Impact
http://stix.mitre.org/
Join ACDC
Building Community Portal, reaching out to: industry, research, existing communities, law enforcement, policy makers, ISPs & operators, CERTs, …
Looking for:
1. Detection & Mitigation Tools & Techniques
2. Data Analysis and Botnet Analysis & Prevalence - Deployment
3. Data & Intelligence Sharing
4. Awareness Creation
5. Influencing Policy
NOT THE END
More information and follow-up
www.acdc-project.eu
www.botfree.eu
Q or C
Ulrich Seldeslachts
+32 475 71 3602
Paolo de Lutiis
[email protected]
Links to Policy Documents
• Council conclusions on Critical Information Infrastructure Protection http://register.consilium.europa.eu/pdf/en/11/st10/st10299.en11.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cyber-security" - COM(2011) 163 http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
• Digital Agenda for Europe - COM(2010)245 of 19 May 2010 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
• The EU Internal Security Strategy in Action: Five steps towards a more secure Europe - COM(2010)673 http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009) 149 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF