Inter-Network Cooperation
5-2-1.inter-network-cooperation 1
Matsuzaki ‘maz’ Yoshinobu <[email protected]>
stole some slides from Merike Kaeo
Cooperation and Coordination
• to keep the Internet working
  – we are relying on each other
• it’s good to know
  – community
  – point of contact
NOGs
• Network Operations Group is an open forum
  – technology discussions
  – sharing operational best practices
  – compare experience
  – peering coordination
  – establishing personal relationships
NOGs
• mailing-list
  – anyone can subscribe
  – traffic depends on events and topics
• in-person meeting
  – participation fee varies, plus the costs of transport and accommodation
  – high value
NANOG
• North American Network Operators’ Group
  – evolved from the NSFNET "Regional-Techs" meetings in 1994
• Three meetings each year
  – NANOG 70, Jun 2017, Bellevue
  – NANOG 71, Oct 2017, San Jose
  – NANOG 72, Feb 2018, Atlanta
https://www.nanog.org/
• program
  – 1 day tutorial
  – 3 days plenary
• about 500 attendees
  – from Asia and Europe as well
APRICOT
• Asia and Pacific Operations Conference
  – established in 1996
  – co-located with AP* meetings
• held annually in the last week of Feb
  – APRICOT 2017, HCMC, Viet Nam
  – APRICOT 2018, Kathmandu, Nepal
http://www.apricot.net/
• program
  – 5 days workshop
  – 4 days conference and tutorial
  – 1 day APNIC member meeting
• about 600 attendees
SANOG
• South Asian Network Operators Group
  – established in 2003
• Two meetings each year
  – SANOG 29, Jan 2017, Islamabad
  – SANOG 30, Aug 2017, India
http://www.sanog.org/
• program
  – 5 days workshop
  – 2 days tutorial
  – 2 days conference
• about 250 attendees
JANOG
• Japan Network Operators’ Group
  – established in 1997
• local language community - Japanese
• Two meetings each year
  – JANOG 39, Jan 2017, Kanazawa
  – JANOG 40, Jul 2017, Koriyama
http://www.janog.gr.jp/
• program
  – 3 day plenary + BoF
• about 700 attendees
BoFs
• birds of a feather (BoF) is a small meeting focused on a specific topic
  – security, peering, and so on
• usually scheduled in advance, sometimes organized on demand
coffee breaks and social events
• to expand relationships
  – business and personal
• to start/manage a project
  – a face-to-face meeting helps to move things forward
NOG operation
• independent
  – forms a committee to lead the NOG
• support from across the industry
  – Service Providers
  – Research and Academics
  – Vendors
  – ISOC, NSRC, APNIC, APIA
other upcoming events
• upcoming network-related education or training events
  – http://ws.edu.isoc.org/calendar/
  – https://nsrc.org/calendar/
CSIRT
• Computer Security Incident Response Team (CSIRT) provides the incident handling service for its constituency
  – may offer other related services as well
• The first CSIRT - CERT/CC was created in 1988 in response to the Morris worm incident
computer security incident
• Any real or suspected adverse event
• examples:
  – attacks to/from your network
  – compromised host
  – account/information theft
  – spam or IT policy violation
needs for response
• to limit the damage
• to lower the cost of recovery
• an effective response benefits the organization
  – motivation to have a CSIRT in your organization
The incident handling service
• a single point of contact to receive incident reports
  – provides response and support to the report
  – announcement to disclose information about a specific attack/incident
  – feedback to the report/request
What Incidents Should Be Reported?
• Any suspicious activity should be reported
  – This includes suspicious user account behavior, computer system failures or misbehavior, accidental publication of internal email, loss of equipment/account information, etc.
• Reporting methods
  – Internal
    • Online support ticketing system
    • Technical support email
  – External
    • Abuse/incident email contact
    • Public web-based contact form
    • Telephone number specifically for reporting abuse
Information for Reporting An Incident
• Date and time of the event
• Description of the event
• Assets that are affected or at risk as a result of the event
• Whether the event is in progress or has concluded
• Actions taken by the party reporting the event
• Informal assessment of the harm or impact to the asset
• Informal assessment of collaterally affected assets
• Data (logs, files, reports) that may assist the CIRT in analyzing the event
Incident Response
• It is always best to have a plan in place before something bad happens
• DO NOT PANIC!
• If you set appropriate guidelines now, it will make things a lot easier when a security incident happens
Create a checklist that can be followed when a significant security incident does occur!!
Six Phases of Incident Response
(diagram of the six phases)
PREPARATION
  Prep the network, create tools, test tools, prep procedures, train team, practice
IDENTIFICATION
  How do you know about the attack? What tools can you use? What’s your process for communication?
CONTAINMENT
  What kind of attack is it? Where is the attack coming from? Where and how is it affecting the network?
ERADICATION
RECOVERY
  What options do you have to remedy? Which option is the best under the circumstances?
POST MORTEM
  What was done? Can anything be done to prevent it? How can it be less painful in the future?
Preparation
• Includes technical and non-technical elements
• Know the enemy
  – Understand what drives the miscreants
  – Understand their techniques
• Create the security team and plan
  – Who handles security during an event? Is it the security folks? The networking folks?
• Harden the devices
• Prepare the tools
Identification
• Goal is to gather events, analyze them and determine whether you have an incident
• Assign Incident Handlers
  – Select a person to handle identification and assessment
  – Empower them to escalate if needed
• Control the Flow of Information
  – Enforce “need to know” policy
  – Tell details to the minimum number of people possible
• Create Trusted Communication Channels
How Do You Know You Are Under Attack?
• Understand the details and scope of the attack
  – Identification is not sufficient; once an attack is identified, details matter
  – Guides subsequent actions
• Qualify and quantify the attack without jeopardizing service availability (e.g., crashing a router):
  – What type of attack has been identified?
  – What’s the effect of the attack on the victim(s)?
  – What next steps are required (if any)?
• At the very least:
  – Source and destination address
  – Protocol information
  – Port information
Containment
• Stopping the Damage
  – Prevent the attacker from getting any deeper into the impacted systems, or spreading to other systems
• Inform Management
• Notify your local or organizational incident handling team
• Three further phases:
  – Short term containment
  – Gathering evidence/backup
  – Long term containment
Short Term Containment
• Try to prevent the attacker from causing more damage
• Want untainted evidence
• Some possible actions:
  – Disconnect network cable
  – Pull the power cable (loses volatile memory and may damage drive)
  – Isolate switch port so that the system can no longer send/receive data
  – Apply filters to routers and/or firewalls
  – Change a target’s name in DNS to point to a different IP address
Gathering evidence
• This is never easy under pressure
• Hint: Play with these tools and make sure you know how to use them before an incident happens
  – dd for Unix/Linux and Windows
  – Ghost (the latest versions – default is not bit-by-bit so know how to configure)
  – Drive duplicator hardware and write blockers
Long Term Containment
• Once a backup has been created for forensic analysis, the changes for long term containment can begin
• Apply temporary solution(s) to stay in production while building a clean system
  – Patch system
  – Change passwords
  – Remove accounts used by the hacker
  – Change file permissions
  – Shut down backdoor processes used by the attacker
Eradication
• Goal is to get rid of any traces on network device(s) that an attack occurred
• Determine how the attack was executed from the gathered evidence
• Restore operating systems and configurations from clean backups
• May require starting from completely wiped systems
• Improve defenses
Recovery
• Goal is to get impacted systems back into production in a safe manner
• Perform system validations
  – Run vulnerability scanners
  – Carefully check application and device logs
• Use network and host-based intrusion detection systems to monitor for recurrence of the attack
• Apply any newly identified mitigation techniques
Post Mortem
• A post mortem will help analyze the event after normal operations have resumed (and people have caught up on sleep)
• Have the meeting soon after the incident has passed so everyone has the details fresh in their minds
• Do NOT blame anyone for doing something incorrectly
• The primary goal is to address lessons learned and not make the same mistakes next time
• What can you do to make recovery faster, easier, less painful in the future?
building your CSIRT
• mission statement
  – what/how to do
• constituency
  – for whom
• structure
  – budget, position within organization
• relationship with other CSIRTs
CSIRT types
• National CSIRTs
  – a national point of contact to coordinate incident handling and reduce the number of security incidents in that country
• ISP/xSP CSIRTs
  – provide a secure environment for their customers, and provide response to their customers for security incidents
CSIRT types
• Vendor CSIRTs
  – improve the security of their products
• Enterprise CSIRTs
  – improve the security of their corporation’s infrastructure, and provide on-site response for security incidents
• and many more
Point of Contact
(diagram: CSIRT, constituency, National CSIRT)
Security community
• The following are some examples that provide a tool and context for the types of groups.
  – Some are open to all
  – Some are personality driven
  – Some are interest driven
  – Some are highly peer vetted
Sphere of Trust
• The community together can be seen as a sphere, realm, or zone of trust.
  – based on a chain of trust
Need to Know in Operation Security
• I trust you. You are someone I can depend on, but you don’t really need to know about the details of this incident.
• Not being in a Need to Know Sphere does not mean you are not trusted.
(diagram: Sphere of Trust, Need to Know)
Sphere of Action
• You trust someone, but will they be able to do something, be responsive, and/or make something happen?
• Sphere of Action and Chain of Action is a new concept for vetting peers into operational communities.
• Some communities would like to just know something will happen.
I've been working an attack against XXX.YY.236.66/32 and XXX.YY.236.69/32. We're seeing traffic come from <ISP-A>, <ISP-B>, <IXP-East/West> and others.
Attack is hitting both IPs on tcp 53 and sourced with x.y.0.0.
I've got it filtered so it's not a big problem, but if anyone is around I'd appreciate it if you could filter/trace on your network. I'll be up for a while :/
Expectation of Action
• “Lurking” is bad behavior on Operational Security Communities.
• There is an expectation of action – where you use the information to do something within your span of control & influence to fight the badness.
  – Collect more data and share.
  – Use your product to act.
  – Use the information to act (i.e. operator)
  – Improve your product or network.
• Inability to meet expectations erodes trust and your reputation as someone who acts.
Community’s Integrity
• Maintaining integrity is common sense
• Never ever forward information posted within an operational security group without the explicit permission of the person who posted the information
  – Immediate breach of trust
  – Violation of the integrity of the community
• Each individual is accountable to be a steward of the information posted and discussed within the community
FIRST
• FIRST is an international confederation of trusted CSIRTs and security teams.
  – Team constituency, rather than individuals
  – Teams from a wide variety of organizations including educational, commercial, vendor, government and military
• Most services are for members only
• https://www.first.org/
FIRST members
to be a FIRST member
1. Find two existing Full Members for nominating your team ("sponsors")
2. Inform FIRST Secretariat (FSS) that your team wants to join FIRST.
3. Work with your sponsors so they have a thorough understanding of your team
4. Arrange for a site visit by at least one sponsor
5. Provide all the mandatory information requested in support of your nomination (see Section 2.1.2 of the FIRST Membership Process document for details).
6. Provide any additional information requested by FIRST
7. Your sponsor will submit your application (after a 6-month period, at most).
8. Board of Directors will deliver on your specific nomination
9. If application is approved, pay the membership affiliation fee.
https://www.first.org/membership
FIRST events
• annual conference
  – every June
  – 28th annual conference
    • Seoul, 12-17 June 2016
  – anyone can attend
• other regional meetings
  – mostly members only
industry based community - ISAC
• Information Sharing and Analysis Center
• Security risks are much the same within an industry
  – Telecom ISAC
  – Financial ISAC
  – Electricity Sector ISAC
  – ... and many more
• Mostly aiming to protect national critical infrastructures
individual based community
• NSP-SEC
  • https://puck.nether.net/mailman/listinfo/nsp-security
• OPS-TRUST
  • https://openid.ops-trust.net/about
CVE
• Common Vulnerabilities and Exposures
• Dictionary of common names (ex. CVE identifiers) for publicly known security vulnerabilities
• https://cve.mitre.org/
• We can use a common name to specify a security vulnerability
example: CVE-2015-5986
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5986
• target
  – ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4
• impact
  – vulnerable ISC BIND allows remote attackers to cause a denial of service
ISC BIND release note
• https://kb.isc.org/article/AA-01301/81/BIND-9.10.2-P4-Release-Notes.html
Introduction: BIND 9.10.2-P4 addresses security issues described in CVE-2015-5722 and CVE-2015-5986.
CVSS
• Common Vulnerability Scoring System
• https://www.first.org/cvss/
  – CVSS v3 was released in 2015
• An open framework for communicating the characteristics and impact of IT vulnerabilities
CVSS Scores
• Base Score
  – technical evaluation
• Temporal Score
  – environmental evaluation
  – proof of concept code / attack code
  – could change over time
CVSS Scores

Security Level   Score
Critical         9 - 10
High             7 - 8.9
Medium           4 - 6.9
Low              0.1 - 3.9
Info             0