Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
John Hicks, TransPAC2/Indiana University
Copyright Trustees of Indiana University. Permission is granted for this material to be shared for non-commercial educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via to TransPAC2 Security and the
2 TransPAC2 - REN-ISAC
The relationship between TransPAC2 and the REN-ISAC is one of mutual support. Supported by Indiana University and through its relationships with EDUCAUSE and Internet2, the REN-ISAC:
–is an integral part of the U.S. higher education strategy to improve network security through information collection, analysis, dissemination, early warning, and response;
–is specifically designed to support the unique environment and needs of organizations connected to the higher education and research networks it serves; and
–supports efforts to protect the U.S. national cyber infrastructure by participating in the formal U.S. ISAC structure.
3 Complementary Relationships
REN-ISAC has core complementary relationships with:
–EDUCAUSE
–Internet2
–EDUCAUSE and Internet2 Security Task Force
–IU Global NOC and Abilene network engineering
–IU Advanced Network Management Lab
–IU Information Technology Security Office
–US Department of Homeland Security & US-CERT
–IT-ISAC
–ISAC Council
–SALSA
4 Complementary Relationships
US Department of Homeland Security - Information Analysis and Infrastructure Protection Directorate has the objective to implement the national strategy and to promote public/private partnerships for information sharing and analysis (ISACs). ISACs are encouraged in each critical sector of national security and the economy, e.g. IT, water, agriculture, energy, transportation, finance, etc.
ISAC Council is a body of the private-sector ISACs that promotes cooperation, sharing, and relations with DHS.
National Cyber Security Partnership is a public-private collaboration focused on strategies and actions to assist the DHS National Cyber Security Division in implementing the President’s National Strategy to Secure Cyberspace.
5 Information Resources
Network instrumentation:
–Router NetFlow data
–Router ACL counters
–Darknet
Global NOC operational monitoring systems
Daily cybersecurity status calls with ISACs and US-CERT
Vetted/closed network security collaborations
Backbone and member security and network engineers
Vendors, e.g. monthly ISAC calls with vendors
Security mailing lists, e.g. EDUCAUSE, etc.
Members – related to incidents on local networks
6 NetFlow Analysis
Through partnership with TransPAC2, Internet2, and the IU Abilene NOC, the REN-ISAC has access to Abilene and TransPAC2 NetFlow data. In conjunction with the IU Advanced Network Management Lab, the NetFlow data is analyzed to characterize general network security threat activity and to identify specific threats.
7 Abilene NetFlow Policy
REN-ISAC & Internet2 NetFlow data policy agreement, highlights:
–Data is anonymized to /21. Under perceived threat and at the request of involved institutions, the REN-ISAC can selectively turn off anonymization.
–Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly.
–Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.
–TransPAC2 has adopted the Abilene NetFlow Policy.
8 NetFlow Analysis
Custom analysis
–Aggregate reports
–Detailed reports
Data anonymized to /21
9 NetFlow Analysis – Traffic Grapher
IU ANML-developed tool. Graphs NetFlow by source and destination IP addresses and networks (in CIDR format), port numbers, and AS numbers, for ICMP, TCP or UDP. Optimized for performance.
10 Traffic on Common and Threat Vector Ports
Utilize Traffic Grapher to provide public views of Abilene traffic on common application and threat vector ports. Also utilize ACL counters in routers to collect and publish similar views.
12 Warning and Response
REN-ISAC Watch Desk
–24 x 7
–Co-located and staffed with the Global Research NOC
–+1 (317)
Public reports to the U.S. higher education community regarding analysis at aggregate views.
Private reports to institutions regarding active threats involving their institution.
Daily Reports
–REN-ISAC Weather Report
–Darknet Report
Alerts
Public views from monitoring systems
13 Weather Report
Daily Weather Report distributed via to closed/vetted communities, including:
–REN-ISAC members
–Inter-ISAC + DHS cybersecurity community
Contains aggregate observations of threat traffic based on:
–Abilene NetFlow
–REN-ISAC darknet
14 Daily REN-ISAC Weather Report
Critical notes
News watch
NetFlow analysis
Darknet Monitor - Top Ports
Notes
Reference
15 Daily REN-ISAC Darknet Reports
Individual report per institution
List of darknet sources by IP
List of watched networks
Time-stamped detail files
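The slides above describe two outputs built from the same NetFlow data under the Abilene NetFlow Policy (slide 7): public views that are aggregate-only and anonymized to /21 (slides 8-10, 13-14), and private per-institution darknet reports that list full source IPs (slide 15). The following is an added example written for this page, not REN-ISAC or ANML code: it parses a constructed CSV flow export (RFC 5737 documentation addresses), truncates addresses to their covering /21, produces a port-level aggregate view, and builds the per-institution darknet source list. The darknet range, the institution networks, and the CSV layout are placeholders chosen for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One flow record: the handful of NetFlow fields this example uses."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    packets: int


# Constructed sample export (RFC 5737 documentation addresses, not real traffic):
# src,dst,proto,dport,packets
SAMPLE_FLOWS = """
192.0.2.10,203.0.113.5,tcp,445,40
192.0.2.10,203.0.113.77,tcp,445,35
192.0.2.44,203.0.113.9,tcp,135,12
198.51.100.7,203.0.113.20,tcp,445,8
198.51.100.7,192.0.2.80,tcp,80,300
192.0.2.80,198.51.100.30,tcp,22,5
198.51.100.200,192.0.2.25,udp,53,60
"""

# Constructed placeholders: the unused address space the darknet sensor watches,
# and the member networks that private per-institution reports are keyed on.
DARKNET = [ipaddress.ip_network("203.0.113.0/24")]
INSTITUTIONS = {
    "Example University A": ipaddress.ip_network("192.0.2.0/24"),
    "Example College B": ipaddress.ip_network("198.51.100.0/24"),
}


def parse_flows(text):
    """Parse the constructed CSV form above into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, packets = (field.strip() for field in line.split(","))
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          proto.upper(), int(dport), int(packets)))
    return flows


def anonymize(addr, prefixlen=21):
    """Truncate an address to its covering /21, the granularity the policy allows."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def anonymized_network_view(flows):
    """Packets per (anonymized source /21, protocol, destination port).
    Shows a network's traffic pattern without exposing any host address."""
    counts = Counter()
    for f in flows:
        counts[(anonymize(f.src), f.proto, f.dport)] += f.packets
    return counts


def aggregate_port_report(flows, proto="TCP"):
    """Public, aggregate-only view: packets per destination port, no addresses at all."""
    counts = Counter()
    for f in flows:
        if f.proto == proto:
            counts[f.dport] += f.packets
    return counts


def darknet_report(flows, darknet, institutions):
    """Private per-institution report: full source IPs inside each member's own
    network that sent traffic into watched darknet space, with packet totals."""
    report = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not any(f.dst in net for net in darknet):
            continue
        for name, net in institutions.items():
            if f.src in net:
                report[name][str(f.src)] += f.packets
    return {name: dict(sources) for name, sources in report.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Public aggregate view (TCP packets by destination port):")
    for port, pkts in aggregate_port_report(flows).most_common():
        print(f"  port {port}: {pkts}")
    print("Anonymized per-/21 view:")
    for (net, proto, port), pkts in anonymized_network_view(flows).most_common():
        print(f"  {net} {proto}/{port}: {pkts}")
    print("Private darknet reports (one per institution):")
    for name, sources in darknet_report(flows, DARKNET, INSTITUTIONS).items():
        print(f"  {name}: {sources}")
```

The split between the two report types is the point: nothing returned by `aggregate_port_report` or `anonymized_network_view` can name a host, so it is safe for a public weather-report style view, while `darknet_report` only ever places an institution's own addresses into that institution's report, matching the policy's requirement that detailed information go to the affected institution's designated representatives and refer only to local activity.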
16 Alerts
Alerts are sent as required, distributed to:
–REN-ISAC members
and, as appropriate, to:
–Inter-ISAC + DHS cybersecurity community
–UNISOG
–EDUCAUSE security mailing list
–NSP-SEC
17 Communications Challenge
Early warning and response to threat requires the communication of timely and sensitive information to designated contacts. The proper contact is one who can act immediately, with knowledge and authority, upon conveyed information, and who is cleared to handle potentially sensitive information. Publicly published contact points rarely serve those requirements. Privacy considerations prevent deep and rich contact information from being publicly published.
18 REN-ISAC Cyber Security Registry
To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior. All registrations will be vetted for authenticity.
Primary registrant assigns delegates. Delegates can be functional accounts.
Currency of the information will be aggressively maintained.
19 Summary of Activities
Within US higher education, provide warning and response to cyber threats and vulnerabilities; improve awareness, information sharing, and communications.
Support efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.
Receive, analyze, and disseminate network security operational, threat, warning, and attack information.
REN-ISAC Cyber Security Registry
Operational 24 x 7 watch desk
Daily information sharing with ISACs, US-CERT, and others
Cultivate relationships and outreach to complementary organizations and efforts
20 Opportunities for Collaboration with APAN?
Tools
–NetFlow tools
–Darknet information analysis tools
Information sharing
–Such as daily reports and darknet information
Common published views of activity
–Such as port traffic
Other?
John Hicks
21 Links
TransPAC2 –
REN-ISAC –
Internet2 –
EDUCAUSE –
EDUCAUSE and Internet2 Security Task Force –
Indiana University Global NOC –
IU Internet2 Abilene network engineering –
SALSA –
22 Links
IAIP Daily Open Source Report –
IU Advanced Network Management Lab –
IU Information Technology Security Office –
IT-ISAC –
US-CERT –
Flow Tools –