Transcript REN-ISAC

Research and Education Networking
Information Sharing and Analysis Center
REN-ISAC
Doug Pearson
Director, REN-ISAC
[email protected]
[email protected]
Copyright Trustees of Indiana University 2003. Permission is granted for this material to be shared for non-commercial educational
purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by
permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via
email to [email protected])
Background
Supported by Indiana University and through relationship with
EDUCAUSE and Internet2, the REN-ISAC:
• is an integral part of the U.S. higher education strategy to
improve network security through information collection,
analysis, dissemination, early warning, and response;
specifically designed to support the unique environment
and needs of organizations connected to served higher
education and research networks, and
• supports efforts to protect the U.S. national cyber
infrastructure by participating in the formal U.S. ISAC
structure.
2
Community Served
• Phase I (current):
– Internet2 membership
• Phase II (entering):
– Internet2 and EDUCAUSE membership
• Phase III (to come)
– Reach out to all of U.S. higher education through staged
approaches, e.g. state networks, associations of small
colleges, etc.
3
an integral part of higher education’s strategy…
Complementary Relationships
• REN-ISAC has core complementary relationships with:
– EDUCAUSE
– Internet2
– EDUCAUSE and Internet2 Security Task Force
– IU Global NOC and Abilene network engineering
– IU Advanced Network Management Lab
– IU Information Technology Security Office
– US Department of Homeland Security & US-CERT
– IT-ISAC
– ISAC Council
– SALSA
5
supports efforts to protect national cyber infrastructure…
Complementary Relationships
• US Department of Homeland Security - Information
Analysis and Infrastructure Protection Directorate has the
objective to implement the national strategy and to
promote public/private partnerships for information sharing
and analysis – ISACs.
• ISACs are encouraged in each critical sector of national
security and the economy, e.g. IT, water, agriculture,
energy, transportation, finance, etc.
• ISAC Council is a body of the private sector ISACs that
promotes cooperation, sharing, and relation to DHS.
• National Cyber Security Partnership is a public-private
collaboration focused on strategies and actions to assist the
DHS National Cyber Security Division in implementation of
the President’s National Strategy to Secure Cyberspace.
7
information collection, analysis, dissemination…
Information Resources
• Network instrumentation
– Abilene NetFlow data
– Abilene router ACL counters
– Darknet
– Global NOC operational monitoring systems
• Daily cybersecurity status calls with ISACs and US-CERT
• Vetted/closed network security collaborations
• Backbone and member security and network engineers
• Vendors, e.g. monthly ISAC calls with vendors
• Security mailing lists, e.g. EDUCAUSE, FIRST, etc.
• Members – related to incidents on local networks
9
information collection, analysis, dissemination…
Abilene NetFlow Analysis
• Through partnership with Internet2 and the IU Abilene
NOC, the REN-ISAC has access to Abilene NetFlow data.
• In conjunction with the IU Advanced Network Management
Lab the NetFlow data is analyzed to characterize general
network security threat activity, and to identify specific
threats.
10
information collection, analysis, dissemination…
Abilene NetFlow Policy
• REN-ISAC & Internet2 NetFlow data policy agreement,
highlights:
– Data is anonymized to /21. Under perceived threat and
at the request of involved institutions the REN-ISAC can
selectively turn off anonymization.
– Publicly reported information is restricted to aggregate
views of the network. Information that identifies specific
institutions or individuals cannot be reported publicly.
– Detailed and sensitive information must be
communicated with designated representatives of the
affected institutions and refer only to local activity,
unless otherwise authorized.
11
information collection, analysis, dissemination…
Abilene NetFlow Analysis
• Custom analysis
– Aggregate reports
– Detailed reports
• Data anonymized to /21
12
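The /21 anonymization and the public-versus-detailed reporting split described in the NetFlow policy slides, as an added example in Python (not REN-ISAC or Internet2 code). The flow records, the institution prefix `192.0.2.0/24` that is assumed to have requested un-masking, and the function names are all constructed for illustration.

```python
# Added example, not REN-ISAC code: applies the Abilene NetFlow policy to
# constructed flow records. Endpoints are truncated to /21, an institution
# that has requested it is left unmasked, and the public view carries only
# per-port aggregates with no addresses at all.
import ipaddress
from collections import defaultdict

ANON_PREFIX = 21  # policy: data is anonymized to /21

# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.17", "198.51.100.5", "tcp", 135, 120),
    ("192.0.2.250", "198.51.100.77", "tcp", 445, 96),
    ("192.0.2.9", "203.0.113.200", "tcp", 5900, 3000),
    ("198.51.100.40", "192.0.2.17", "udp", 53, 80),
]


def anonymize(addr, unmasked=()):
    """Return addr truncated to its /21 network, unless it lies inside one
    of the `unmasked` prefixes (an institution that asked for anonymization
    to be turned off for its space), in which case it is returned intact."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(net) for net in unmasked):
        return addr
    return str(ipaddress.ip_network(f"{addr}/{ANON_PREFIX}", strict=False))


def detailed_view(flows, unmasked=()):
    """Byte totals keyed by (src, dst, proto, port) with endpoints
    anonymized first; this is the form sent to designated contacts."""
    totals = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        key = (anonymize(src, unmasked), anonymize(dst, unmasked), proto, port)
        totals[key] += nbytes
    return dict(totals)


def public_view(flows):
    """Byte totals per (proto, port) only: no institution or individual
    is identifiable, which is all the policy allows to be published."""
    totals = defaultdict(int)
    for _, _, proto, port, nbytes in flows:
        totals[(proto, port)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for key, total in sorted(detailed_view(SAMPLE_FLOWS).items()):
        print(*key, total)
    print(public_view(SAMPLE_FLOWS))
```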
information collection, analysis, dissemination…
Abilene NetFlow Analysis – Traffic Grapher
IU ANML developed tool. Graph netflow by source and
destination IP port numbers, IP addresses and networks (in
CIDR format), and AS numbers. ICMP, TCP or UDP.
Optimized performance.
13
information collection, analysis, dissemination…
Traffic on Common and Threat Vector Ports
• Utilize Traffic Grapher to provide public views of Abilene
traffic on common application and threat vector ports.
• http://ren-isac.net/monitoring.cgi
• Also utilize ACL counters in Abilene routers to collect and
publish similar views.
14
information collection, analysis, dissemination…
Arbor PeakFlow Analysis on Abilene
• Processes Abilene NetFlow data
• Intelligent identification of anomalies
• Abilene is by nature an anomalous network, e.g. bursts of
high bandwidth flows.
• Need to:
– Tune the PeakFlow system to reduce false alerts.
– Incorporate into standard watch desk procedure.
• How to effectively share the information gained via Arbor?
18
information collection, analysis, dissemination…
REN-ISAC Darknet
• A darknet is:
– A block of routed IP space, typically /24 or larger, that
contains no hosts other than the darknet collector. The
collector listens to all traffic directed at the address
block, hearing worm scanning and backscatter. The
collector may optionally syn-ack connection requests in
order to attempt to collect worm payload.
21
information collection, analysis, dissemination…
REN-ISAC Darknet
• REN-ISAC in participation with the Internet Motion Sensor
• Send aggregate reports to community and host-specific
reports to owning institutions:
port 135/TCP
-----------
10-14-2004 00:00:01  your.host.address.here
10-14-2004 00:00:02  your.host.address.here
10-14-2004 00:00:03  your.host.address.here
10-14-2004 00:01:01  your.host.address.here
port 445/TCP
-----------
10-14-2004 00:00:01  your.host.address.here
10-14-2004 00:00:02  your.host.address.here
10-14-2004 00:00:03  your.host.address.here
10-14-2004 00:01:01  your.host.address.here
ETC...
22
early warning, and response…
Warning and Response
• REN-ISAC Watch Desk
– 24 x 7
– Co-located and staffed with the Abilene NOC
– +1 (317) 278-6630
– [email protected]
• Public reports to the U.S. higher education community
regarding analysis at aggregate views.
• Private reports to institutions regarding active threat
involving their institution.
24
early warning, and response…
Warning and Response
• Daily Reports
– REN-ISAC Weather Report
– Darknet Report
• Alerts
• Public views from monitoring systems
25
early warning, and response…
Weather Report
• Daily Weather Report distributed via email to closed/vetted
communities, including:
– REN-ISAC members
– Inter-ISAC + DHS cybersecurity community
• Contains aggregate observations of threat traffic based on:
– Abilene netflow
– REN-ISAC darknet
26
Daily REN-ISAC Weather Report
27
Daily REN-ISAC Weather Report
CRITICAL NOTICES
28
Daily REN-ISAC Weather Report
NEW WATCHES
29
Daily REN-ISAC Weather Report
ABILENE NETFLOW ANALYSIS
30
Daily REN-ISAC Weather Report
DARKNET MONITOR – TOP PORTS
31
Daily REN-ISAC Weather Report
NOTES
32
Daily REN-ISAC Weather Report
REFERENCES
33
early warning, and response…
Darknet Report
• Daily per-institution reports sent to REN-ISAC members:
• Contains observations from the REN-ISAC darknet of
worm/scanning/etc. activity seen originating at the member
networks.
34
Daily REN-ISAC Darknet Reports
35
Daily REN-ISAC Darknet Reports
INDIVIDUAL REPORT PER INSTITUTION
36
Daily REN-ISAC Darknet Reports
LIST DARKNET HITS BY SOURCE IP
37
Daily REN-ISAC Darknet Reports
LIST OF WATCHED NETWORKS
38
Daily REN-ISAC Darknet Reports
TIME-STAMPED DETAIL FILES
39
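The per-institution Darknet Report (hits listed by source IP, grouped by destination port as in the slide 22 sample, attributed through a list of watched networks), as an added example in Python that is not REN-ISAC's own reporting code. The darknet hits, the institution names and their address blocks are constructed sample data.

```python
# Added example, not REN-ISAC code: builds per-institution darknet reports
# from constructed hit records. Each hit's source address is matched against
# the watched-network list; hits from space nobody has registered are
# dropped, since there is no owning institution to send them to.
import ipaddress
from collections import defaultdict

# Constructed darknet hits: (timestamp, src_ip, proto, dst_port)
SAMPLE_HITS = [
    ("10-14-2004 00:00:01", "192.0.2.17", "TCP", 135),
    ("10-14-2004 00:00:02", "192.0.2.17", "TCP", 445),
    ("10-14-2004 00:00:03", "198.51.100.9", "TCP", 135),
    ("10-14-2004 00:01:01", "203.0.113.4", "TCP", 135),  # unwatched space
]

# Constructed watched-network list: institution -> registered CIDR blocks
WATCHED = {
    "Example University": ["192.0.2.0/24"],
    "Sample College": ["198.51.100.0/22"],
}


def owner_of(addr, watched=WATCHED):
    """Return the institution whose registered block contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for inst, blocks in watched.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return inst
    return None


def per_institution(hits, watched=WATCHED):
    """{institution: {"port N/PROTO": [(timestamp, src_ip), ...]}}."""
    reports = defaultdict(lambda: defaultdict(list))
    for ts, src, proto, port in hits:
        inst = owner_of(src, watched)
        if inst is not None:
            reports[inst][f"port {port}/{proto}"].append((ts, src))
    return {inst: dict(ports) for inst, ports in reports.items()}


def render(inst, report):
    """Format one institution's report in the slide's port-grouped layout."""
    lines = [f"Darknet report for {inst}"]
    for label in sorted(report):
        lines += [label, "-----------"]
        lines += [f"{ts}  {src}" for ts, src in report[label]]
    return "\n".join(lines)


if __name__ == "__main__":
    for inst, report in per_institution(SAMPLE_HITS).items():
        print(render(inst, report), end="\n\n")
```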
early warning, and response…
Alerts
• Alerts are sent as required, distributed to:
– REN-ISAC members
• and, as appropriate to:
– Inter-ISAC + DHS cybersecurity community
– UNISOG
– EDUCAUSE security mailing list
– NSP-SEC
40
Alerts: Example 1
Increased activity on TCP/5900; VNC backdoors?
ALERT: “Increased activity on destination
TCP/5900 – possibly scanning for VNC servers
or for trojan’d systems with VNC backdoor.”
“Observed in the REN-ISAC darknet...”
“TCP/5900 is used by...”
“Bugtraq lists a number of vulnerabilities”
“We recommend…”
41
Alerts: Example 2
URGENT block recommendation
ALERT: “URGENT block recommendation”
“We recommend that institutions block
these domains at their name servers and
block the addresses at their border.”
“... IFRAME vulnerability is being used to
install malware…”
References…
42
Alerts: Example 3
TCP/6101 scan activity increasing
ALERT: “The REN-ISAC has started seeing
scans against TCP/6101 beginning Wednesday,
Jan 12…”
“TCP/6101 scans are scouting for systems
on which to attempt to exploit the Veritas
BackupExec Agent vulnerability.”
List of scanning hosts.
“… we’re contacting the host
institution or upstream provider…”
43
dissemination…
Communications Challenge
• Early warning and response to threat requires the
communication of timely and sensitive information to
designated contacts. The proper contact is one who can act
immediately, with knowledge and authority upon conveyed
information, and who is cleared to handle potentially
sensitive information.
• Publicly published contact points rarely serve those
requirements. Privacy considerations prevent deep and rich
contact information from being publicly published.
45
dissemination…
Communications Challenge
receives, analyzes, and disseminates network security…
Abilene NetFlow Analysis
• REN-ISAC & Internet2 NetFlow data policy agreement,
highlights:
– Publicly reported information is restricted to
aggregate views of the network. Information that
identifies specific institutions or individuals cannot be
reported publicly.
– Detailed and sensitive information must be
communicated with designated representatives of
the affected institutions and refer only to local activity,
unless otherwise authorized.
46
dissemination…
REN-ISAC Cyber Security Registry
• To provide contact information for cyber security matters in
US higher education, the REN-ISAC is developing a cyber
security registry. The goal is to have deep and rich contact
information for all US colleges and universities.
• The primary registrant is the CIO, IT Security Officer,
organizational equivalent, or superior.
• All registrations will be vetted for authenticity.
• Primary registrant assigns delegates. Delegates can be
functional accounts.
• Currency of the information will be aggressively
maintained.
47
dissemination…
REN-ISAC Cyber Security Registry
• Aiming for 24 x 7 contact, with deep reach – a decision
maker, primary actor, with clearance for sensitive
information.
• Optional permissions for REN-ISAC to send reports
regarding threat activity seen sourced from or directed at
the institution – reports may identify specific machines.
• Related Registry information to serve network security
management and response:
– address blocks
– routing registry
– network connections (e.g. Abilene, NLR)
48
dissemination…
REN-ISAC Cyber Security Registry
• Registry information will be:
– utilized by the REN-ISAC for response, such as response
to threat activity identified in Abilene NetFlow,
– utilized by the REN-ISAC for early warning,
– open to the members of the trusted circle established by
the Registry, and
– with permission, proxied by the REN-ISAC to outside
trusted entities, e.g. ISP’s and law enforcement.
49
dissemination…
REN-ISAC Cyber Security Registry
• The Registry will enable:
– Appropriate communications by the REN-ISAC
– Sharing of sensitive information derived from the
various information sources:
• Network instrumentation; including netflow, ACL counters,
and, operational monitoring systems
• Daily security status calls with ISACs and US-CERT
• Vetted/closed network security collaborations
• Backbone and member security and network engineers
• Vendors, e.g. monthly ISAC calls with vendors
• Members – related to incidents on local networks
57
dissemination…
REN-ISAC Cyber Security Registry
• The Registry will enable:
– Sharing among the trusted circle members
– Establishment of a vetted/trusted mailing list for
members to share sensitive information
– Access to the REN-ISAC / US-CERT secure portal
– Access to segmented data and tools:
• Segmented views of netflow information
• Per-interface ACLs
• Other potentials that can be served by a federated trust
environment
58
Summary of Activities
• Within US higher education, provide warning and response to
cyber threat and vulnerabilities; improve awareness, information
sharing, and communications.
• Support efforts to protect the national cyber infrastructure by
participating in the formal U.S. ISAC structure.
• Receive, analyze, and disseminate network security operational,
threat, warning, and attack information.
• REN-ISAC Cyber Security Registry
• Operational 24 x 7 watch desk
• Daily information sharing with ISACs, US-CERT, DHS and others
• Cultivate relationships and outreach to complementary
organizations and efforts
59
Opportunities for Collaboration with APAN?
• Tools
– Netflow tools
– Darknet information analysis tools
• Information sharing
– Such as daily reports and darknet information
• Common published views of activity
– Such as port traffic
• Other?
60
Links
• REN-ISAC
– http://www.ren-isac.net
• Internet2
– http://www.internet2.edu
• EDUCAUSE
– http://www.educause.edu
• EDUCAUSE and Internet2 Security Task Force
– http://www.educause.edu/security/
• Indiana University Global NOC
– http://globalnoc.iu.edu
• IU Internet2 Abilene network engineering
– http://globalnoc.iu.edu
• SALSA
– http://www.internet2.edu/security
61
Links
• IAIP Daily Open Source Report
– http://www.nipc.gov/dailyreports/dailyindex.htm
• IU Advanced Network Management Lab
– http://www.anml.iu.edu/
• IU Information Technology Security Office
– http://www.itso.iu.edu/
• IT-ISAC
– https://www.it-isac.org/
• US-CERT
– www.us-cert.gov/
• Flow Tools
– http://www.splintered.net/sw/flow-tools/
62