1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006.

Presentation transcript:

1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006

2 24x7 Watch Desk +1(317) Doug Pearson Technical Director, REN-ISAC Indiana University

3 REN-ISAC Activities
– A vetted trust community for R&E cybersecurity
– Information-sharing and communications channels
– Information products aimed at protection and response
– Participation in mitigation communities
– Incident response: 24x7 Watch Desk ( )
– Improvement of R&E security posture
– Participate in other higher education and national efforts for cyber infrastructure protection

4 Trust Community for R&E Cybersecurity A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization.

5 Information Sharing
Closed Community. Unless authorized for public disclosure, information is shared only within the trust community. Strict rules are enforced. This:
– prevents information regarding methods of intelligence gathering and response from being exposed to blackhats,
– reduces the contribution to evolutionary pressure on malware, trojans, etc.,
– prevents unauthorized or unintended disclosure concerning institutions involved in incidents, and
– protects identities of individuals involved in response.
Protected Identities: Unless otherwise necessary, the identities of machines, institutions, or people involved in incidents are shared only with the sites involved.

6 Information Sources
Network instrumentation and sensors
– Abilene netflow
– Arbor Networks Peakflow SP
– Darknet, honeypots
– Global NOC operational monitoring systems
Direct reconnaissance
Information sharing relationships
– Private network security collaborations
– Members
– Daily security status calls with ISACs and US-CERT
– Backbone network and security engineers
– Vendors, relationships and monthly ISAC conferences
– Relationships to national CERTs

7 Information Products
– The Daily Weather Report provides an aggregate-level analysis aimed to help situational awareness and to provide actionable protection information.
– Alerts provide critical, timely, actionable protection information concerning new or increasing threat.
– Notifications identify specific sources and targets of active threat or incident involving member networks.
– Threat Information Resources provide information regarding known active sources of threat.
– Advisories inform regarding specific practices or approaches that can improve security posture.
– Monitoring views provide aggregate information for situational awareness.

8 Recent new member services
– BotNet Tracker service: provides members with a rich list of known botnet command and control domain names and IP addresses.
– Secure IRC: provides a means for members to securely communicate in real time.
– Secure Wiki: provides a controlled-access space for members to directly share information and documentation.
– TechBurst Webcasts: 30-minute webcasts on technical topics of concern to the R&E security community. Last month: Botnet Detection Using DNS Methods; coming up: Introduction to NetFlow, and Advanced NetFlow Topics.

9 New services in pilot phase
Pilot/trial of centralized Arbor Networks Peakflow SP service provided to gigapops.
– Central collector receives netflow from participating gigapop
– Integrated with the overall Abilene backbone Arbor
– Segmented, connector-specific views provided to participants through Arbor Customer Portal feature
– DDoS and worm/malware automated threat feed features
– Hardware is installed
– If you're interested and/or want to participate see Doug Pearson

10 New services on immediate horizon
Shared Darknet Project
– A wide-aperture darknet sensor
– Members who run local darknets send their collector data (minus the hits from their own institution) to REN-ISAC. Data is analyzed to identify compromised machines by IP address, destination ports involved, the number of "hits" seen, and timestamps of the activity.
– The REN-ISAC sends notifications of infected machines to source institutions and develops reports of aggregate activity and trends.
Warez IRC servers
– List of known warez IRC servers
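The analysis step slide 10 describes, as an added example that is not REN-ISAC's own code: darknet collector records are parsed, hits from the contributing institution's own prefixes are dropped before anything leaves the site, the remainder is aggregated per source IP into hit count, destination ports and first/last-seen timestamps, and the result is grouped by the source institution that would receive a notification. The record format, the prefixes, the site names and the data itself are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of darknet collector records (not real data). Format assumed:
# timestamp  src_ip  dst_ip  dst_port  proto
# 203.0.113.0/24 plays the role of the contributing site's unused (darknet) space.
SAMPLE_RECORDS = """\
2006-07-10T12:00:01Z 192.0.2.10 203.0.113.5 445 tcp
2006-07-10T12:00:02Z 192.0.2.10 203.0.113.6 445 tcp
2006-07-10T12:00:03Z 192.0.2.10 203.0.113.7 139 tcp
2006-07-10T12:00:04Z 198.51.100.7 203.0.113.9 1433 tcp
2006-07-10T12:00:05Z 192.0.2.33 203.0.113.12 1434 udp
2006-07-10T12:01:00Z 192.0.2.10 203.0.113.8 445 tcp
this line is malformed and is skipped by the parser
"""

# Constructed: the contributing institution's own production prefixes. Hits from
# these are removed before the data is shared, as the slide describes.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed, hypothetical mapping of source prefixes to the institution that
# would be notified about infected machines in that space.
SITE_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "example-u.edu",
}


def parse_record(line):
    """Parse one collector line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def summarize_darknet(text, own_prefixes=OWN_PREFIXES):
    """Aggregate hits per external source IP: count, (proto, port) set, time span."""
    per_source = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        # Drop the institution's own machines before the data leaves the site.
        if any(rec["src"] in net for net in own_prefixes):
            continue
        entry = per_source.setdefault(str(rec["src"]), {
            "hits": 0,
            "ports": set(),
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
        })
        entry["hits"] += 1
        entry["ports"].add((rec["proto"], rec["dport"]))
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    for entry in per_source.values():
        entry["ports"] = sorted(entry["ports"])
    return per_source


def notifications_by_site(summary, site_prefixes=SITE_PREFIXES):
    """Group the per-source summary by the institution that owns each source."""
    by_site = defaultdict(list)
    for src, entry in summary.items():
        addr = ipaddress.ip_address(src)
        site = next((name for net, name in site_prefixes.items() if addr in net),
                    "unknown")
        by_site[site].append((src, entry))
    return dict(by_site)


if __name__ == "__main__":
    summary = summarize_darknet(SAMPLE_RECORDS)
    for site, hosts in notifications_by_site(summary).items():
        print(f"notify {site}:")
        for src, entry in hosts:
            print(f"  {src}: {entry['hits']} hits on {entry['ports']} "
                  f"between {entry['first_seen']} and {entry['last_seen']}")
```

Running the block notifies the hypothetical example-u.edu about two hosts: 192.0.2.10 (four hits on tcp/139 and tcp/445 within a minute) and 192.0.2.33 (one hit on udp/1434); the hit from 198.51.100.7 never leaves the contributing site.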

11 New services on immediate horizon
Passive DNS replication
– Useful to determine domain name for miscreant servers placed on hacked/infected machines. Similar to RUS-CERT service*, but with a view to what US R&E is experiencing. *
Vendor relationships
– Representative relationship with Microsoft Security Resource Center.
Regional Security Groups
– Facilitate organizational interactions of regional security working groups, particularly aimed to assist new/developing groups.
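How passive DNS replication answers the question on slide 11 ("which domain names were pointed at this hacked machine?"), as an added example that is neither REN-ISAC's nor RUS-CERT's code: DNS answers seen by a sensor are recorded as (name, type, rdata) tuples with first-seen, last-seen and count, so repeated observations collapse into one entry, and the store can then be queried by IP address or by name. The answer format and the sample answers are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of DNS answers as a passive sensor would record them (not
# real data). Format assumed: timestamp  qname  rrtype  rdata
SAMPLE_ANSWERS = """\
2006-07-10T08:00:00Z update-cdn.example A 192.0.2.10
2006-07-10T08:05:00Z UPDATE-CDN.example. A 192.0.2.10
2006-07-10T09:00:00Z irc.example A 192.0.2.10
2006-07-10T09:30:00Z update-cdn.example A 192.0.2.33
2006-07-10T10:00:00Z www.example NS ns1.example
2006-07-10T10:00:01Z www.example A 198.51.100.20
"""


def normalize_name(name):
    """DNS names are case-insensitive; strip the trailing dot so variants merge."""
    return name.lower().rstrip(".")


def parse_answer(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, qname, rrtype, rdata = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": when, "qname": normalize_name(qname),
            "rrtype": rrtype.upper(), "rdata": rdata.rstrip(".")}


class PassiveDns:
    """Minimal passive DNS store: one entry per distinct (name, type, rdata)."""

    def __init__(self):
        self.records = {}            # (qname, rrtype, rdata) -> stats dict
        self.by_rdata = defaultdict(set)   # rdata -> set of keys
        self.by_name = defaultdict(set)    # qname -> set of keys

    def ingest(self, text):
        """Load answer lines; return the number of answers accepted."""
        accepted = 0
        for line in text.splitlines():
            rec = parse_answer(line)
            if rec is None:
                continue
            key = (rec["qname"], rec["rrtype"], rec["rdata"])
            stats = self.records.get(key)
            if stats is None:
                stats = {"first_seen": rec["ts"], "last_seen": rec["ts"], "count": 0}
                self.records[key] = stats
                self.by_rdata[rec["rdata"]].add(key)
                self.by_name[rec["qname"]].add(key)
            stats["count"] += 1
            stats["first_seen"] = min(stats["first_seen"], rec["ts"])
            stats["last_seen"] = max(stats["last_seen"], rec["ts"])
            accepted += 1
        return accepted

    def names_for_ip(self, ip):
        """Names whose A records pointed at this IP, oldest first."""
        rows = [(k[0], self.records[k]) for k in self.by_rdata.get(ip, ())
                if k[1] == "A"]
        rows.sort(key=lambda r: (r[1]["first_seen"], r[0]))
        return [(name, s["first_seen"], s["last_seen"], s["count"]) for name, s in rows]

    def history_for_name(self, qname):
        """Every (type, rdata) this name has resolved to, oldest first."""
        keys = self.by_name.get(normalize_name(qname), ())
        rows = sorted(keys, key=lambda k: (self.records[k]["first_seen"], k))
        return [(k[1], k[2], self.records[k]["first_seen"],
                 self.records[k]["last_seen"], self.records[k]["count"]) for k in rows]


if __name__ == "__main__":
    db = PassiveDns()
    db.ingest(SAMPLE_ANSWERS)
    for row in db.names_for_ip("192.0.2.10"):
        print("192.0.2.10 <-", row)
    for row in db.history_for_name("update-cdn.example"):
        print("update-cdn.example ->", row)
```

Querying the constructed store for 192.0.2.10 returns update-cdn.example (two sightings, the second differing only in case and trailing dot) followed by irc.example, which is the view a responder wants when a compromised host turns out to have been serving under names that no longer resolve to it; the history query shows update-cdn.example moving from 192.0.2.10 to 192.0.2.33.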

12 Working on (longer term)
Inter-organizational incident tracking system
– RENOIR; use of IODEF, worked on in SALSA CSI2
Malware sandbox

13 Upcoming activities
Abilene Operational Security Exercise
– First held November 2005:
▪ Day-long “table top” exercise (talking only, no flows)
▪ Abilene backbone infrastructure attacks, 2 scenarios
▪ Report identifies ~40 observations
– Second to be held fall 2006(?)
▪ Plan to include domestic and international participants
▪ If you’re interested in participating and/or have ideas, please see me!

14 Members
200 members, 111 institutions
Currently ~<50% of Abilene Participants are REN-ISAC members. Making an effort to get all Participants and Connectors enrolled as REN-ISAC members.

15 Some numbers
During the first quarter of 2006 REN-ISAC sent:
– notifications to 466 distinct .EDU sites regarding
▪ 192 botnet c&c's,
▪ 9839 bot zombies,
▪ over 400 worm infected systems,
▪ 17 DDoS events,
▪ 49 other assorted abuses, and
▪ 13,807 bot zombies to non-edu mitigation groups.

16 REN-ISAC Membership
To
– Join the vetted membership
– Receive REN-ISAC information product
– Participate in information sharing
Doug Pearson
PGP:
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)