8/3/2019 Anti-Botnet Policy Initiatives 2 2
1/36
Telefonica International Wholesale Services
Computer Security Incidence Response Team
Telefonica Research & Development
Telefonica IWS CSIRT
March 10th, 2011
Once upon a time
Once upon a time: who we are
About TIWS CSIRT

Carlos Olea

[organisation chart with the following units: Network Security; CSIRT TIWS; Internal Security; Technical Support; Network Systems; Network Technology; IT; Legal; BU IP; SD. Telefonica Group relationships: Research, Spain, Latam, O2. External relationships: Gov, International]
Network Abuse: security incidents related to Telefonica services or customers.
Network Security: security incidents or threats that can impact our services or customers.
CSIRT TIWS: single point of contact for security and coordination.

Network abuse and security are managed by a dedicated team to make sure that external communications are forwarded to and handled by the right people inside Telefonica.
The CSIRT e-mail has a different team to coordinate security issues in TIWS and in the Telefonica Group.
On the CSIRT e-mail account we provide a PGP facility to encrypt all communications and newsletters.

About TIWS CSIRT: Security Forums
CSIRT | Telefónica Computer Security Incidence Response Team
Distrito C West 1 Building, 3rd Floor | Ronda de la Comunicación s/n, 28050 Madrid, Spain
[email protected] | Tel +34 914 83x xxx
PGP ID: 0xB405ED13 | PGP Fingerprint: 05E9 8A22 CA41 1341 17EA 6768 D4AB 8A99 B405 ED13
Telefonica Wholesale is positioned as a Tier 1 Carrier in the international arena...

- +45,000 km fiber optic, 18 landing stations
- 20 billion minutes intl. voice, 300 direct destinations
- Best data network capillarity in Latam
- 2 International Control Centers and POPs in +40 countries
- International MPLS network
- Tier 1 IP backbone
- +500 professionals in 33 countries
- Security services: DoS Shield
Telefonica is a leader in the Latin American Telco market

Accesses by country:
- Argentina: 21.9 million
- Brazil: 67.0 million
- Central America: 6.3 million
- Colombia: 11.2 million
- Chile: 10.7 million
- Ecuador: 3.8 million
- Mexico: 17.7 million
- Peru: 15.9 million
- Uruguay: 1.6 million
- Venezuela: 11.8 million

Total accesses: 168.6 million (data as of December 09)

[chart: wireline market rank and mobile market rank per country]

Notes:
- Central America includes Guatemala, Panama, El Salvador and Nicaragua
- Total accesses figure includes narrowband Internet accesses of Terra Brasil and Terra Colombia, and broadband Internet accesses of Terra Brasil, Telefónica de Argentina, Terra Guatemala and Terra México.
... enjoys a significant footprint in Europe

Accesses by country:
- Spain: 46.8 million
- UK: 21.9 million
- Germany: 17.1 million
- Ireland: 1.7 million
- Czech Republic: 7.8 million
- Slovakia: 0.6 million

Total accesses: 96.0 million (data as of December 09)

[chart: wireline market rank and mobile market rank per country]
External Activities: just to clarify the threat picture
External Activities: some yearly figures I

[chart: yearly counts of Virus and Bots, PUP and Trojan samples, 2000-2007; y-axis from 100,000 to 500,000. Source: McAfee Labs]
External Activities: some yearly figures II

[chart: yearly counts of Virus and Bots, PUP and Trojan samples, 2000-2008; y-axis from 200,000 to 2,200,000. Source: McAfee Labs]
External Activities: some yearly figures III

[chart: yearly counts of Virus and Bots, PUP and Trojan samples, extended through 2008 and 2009; y-axis from 200,000 to 3,200,000. Source: McAfee Labs]
External Activities: sometimes size matters
Make money using our networks: activities impacting our services and customers
The challenge talking about Botnets: Malware Infection Cycle, the untouchables
Local Activities: just to clarify the business
Domestic Services, country basis

[network diagram: access network & aggregation (ADSL, DSLAM, BRAS, FTTH, OLT, ONT, RTC, RDSI, hot spot, VPN, MacroLAN, STB), 2G/3G mobile (BTS, BSC, NodoB, femtonodos, RNC, SGSN, GGSN, MSC, MGW, HLR), core IP and transport (PE, RR, BG, STP, RA, ICX, OB local/regional), external clouds (SS7, X25, ATM, PSTN; GRX, OMVs), TIWS, services (RADIUS, LDAP, DNS, CG, ALTAMIRA, Web, SMSC, MMSC, SVAs, DMZ, Intranet); users: basic users, enterprise workers, VPN users, mobile users, 2G/3G subscribers]

How much money and time do you need?
Are we still fighting, or resolving the root cause?
Are all the problems in your network / services?
Who is the target for customer claims?

- Fraud: 1.604
- Hacking: 20.047
- Copyright violations: 2.011.998
- Spam: 3.709.114
- Virus: 1581
- Insults, abuses: 232
Welcome back to the Botnets: Malware Infection Cycle, the untouchables
DDoS, Spam, Phishing, Pharming: we are under attack

[diagram: a Botnet Master drives several botnets across transit and peer networks, through TIWS and Customer 1 / Customer 2, saturating the Victim]
What initiatives? Let's take a look at the framework
Framework: Policies, Operations, Technology, Research
Policies

- Corporate Security Policy
- Fair Use Policy
- Terms of Service

Covered topics: illegal activities (child pornography, spam, fraud); intellectual property rights; hacking and similar activities; service disruption.
Contents: security commitments, warranties, claim procedures, termination of services.
Yes, we have tools for Security
A step forward: Managing Data

[diagram: network traffic passes through preprocessing (WhiteList, WatchList) into detection and response stages, feeding a correlation engine that produces reports]

Detection:
- Scan
- Spam / Phishing
- Binary Download
- Activity
- Incoming PRIVMSG Analyzer
- Outgoing PRIVMSG Analyzer
- Activity Log: HTTP, P2P, IRC
- Protocol Matcher
- DNS Logs

Correlation Engine: SAQQARA

List detail:
- Connection records
- Phishing sites
- Web pages to log bot status
- Malware download sites
- Spyware data drop-off sites
- Bot command and control sites
- Spam flows
- FQDN via DNS
With information, take actions!

[diagram: Internet on both sides, TIWS in the middle with Customer 1 and Customer 2; a Botnet Master drives several botnets against the Victim (3.3.3.3); the Security CnC injects a black-hole route that is distributed over iBGP to the edge routers]

ip route 3.3.3.3 255.255.255.255 null 0 tag 1

Actions:
- Black Hole Routing
- Web page redirection
- Flow inspection
- Profile management
- Bot CnC block
- Spam flows
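As an added example (not from the slides), this is how the tagged static route above is typically turned into a network-wide remotely triggered black hole (RTBH) in Cisco IOS syntax: the trigger router redistributes tag 1 routes into iBGP with a next hop that every edge router already sends to Null0. The discard address 192.0.2.1, AS 65000, neighbor 10.0.0.2 and the protected prefix 10.0.0.0/8 are assumptions; 3.3.3.3 is the victim address from the slide.

```cisco
! ===== Trigger router ("Security CnC" in the slide) =====
! Assumed discard next-hop (RFC 5737 documentation space); it must never be reachable.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Never black-hole our own infrastructure: assumed protected prefix.
ip prefix-list PROTECTED seq 5 permit 10.0.0.0/8 le 32
!
route-map RTBH deny 5
 match ip address prefix-list PROTECTED
route-map RTBH permit 10
 match tag 1
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 redistribute static route-map RTBH
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
! Trigger: the slide's host route. Tag 1 is what the route-map matches,
! so the /32 is advertised to all iBGP peers with next hop 192.0.2.1.
ip route 3.3.3.3 255.255.255.255 Null0 tag 1
!
! ===== Every edge / PE router (iBGP peer of the trigger) =====
! The only local knowledge needed: the discard next-hop resolves to Null0,
! so the learned /32 for the victim is dropped on ingress at line rate.
ip route 192.0.2.1 255.255.255.255 Null0
!
! ===== Verification on an edge router =====
! show ip bgp 3.3.3.3   -> learned from the trigger, next hop 192.0.2.1, community no-export
! show ip cef 3.3.3.3   -> resolves to Null0 (traffic to the victim is discarded)
!
! ===== Withdraw when the attack is over (on the trigger router) =====
! no ip route 3.3.3.3 255.255.255.255 Null0 tag 1
```

Destination-based RTBH completes the denial of service against the single victim address in exchange for keeping the rest of the network and other customers reachable; the no-export community keeps the /32 inside the AS so it is never leaked to transit or peers.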
CSIRT Model: always starting

[diagram: Customer, SMC, Domestic Services (one per country), MultiNational Services, Wholesale Services, International Managed Services, TIWS]

- Single Point of Contact
- Quick Response
- International Coordination
CSIRT Scope: the mess inside

Management: risk reports; problem support; security director plan; strategy for security technology
Audit: ethical hacking; audit methodology; security compliance; risk management
Technology: security innovation; technology observer; secure development; security lab; knowledge management; provider selection
Planning: standards; methodology; security certifications; technology plan; budget prioritization
Engineering: design criteria; procedure definition; best practices; tests on field; change management; FOAs
Operations: user management; CSIRT; SOC / monitoring; maintenance; support; incident management
Business needs
Research Activities: Collaborative Security is trendy
Three ISPs working with the industry in a research project to fight botnets in a collaborative way
Our Research trend: Collaborative Security

GOAL: to share security information to enhance detection and mitigation.

How to do that?
- Placing the monitoring activity close to the network edge.
- Advanced applications that let us detect more complex, distributed attacks, for instance advanced correlation engines.
- Collaborative Security Services, such as collectors sharing their alarms and using imported alarms to draw a wider picture of the threats.
- Inter-domain information sharing: proposing controlled security information sharing with other Operators/ISPs.

Ongoing project: FP7 DEMONS (co-funded by the EC)
DEMONS Vision

[diagram: an overlay of probes, some also acting as mediators, feeding mediator-and-collector nodes]

Innovation pillars:
- In-network processing and distributed intelligence
- Application-tailored data reduction and protection
- Resilient autonomic monitoring overlay
- Cross-domain interworking

Target impact:
- Scalability
- Privacy preservation
- Flexibility and resilience
- Cross-domain threat detection and mitigation

Overlay of in-network monitoring devices: from data-gathering probes to collaborative P2P computing and filtering devices.
A sample of the DEMONS collaborative approach
Let's look again at what we are doing
Policies: Security Policies; Fair Use Policy
Operations: Network Abuse; Network Security; CSIRT TIWS
Technology: Security Platforms; Network Security; SOCs
Research: Collaborative Security
And a call to action... Collaborative Security