RedCLARA GT-CSIRT


Page 1: RedCLARA GT-CSIRT

17/06/2012

1

GT-CSIRT: RedCLARA CSIRT Working Group

Liliana Solha
CSIRT-WG Coordinator

2nd Academic CSIRT Meeting
June 17, 2012
Hilton, Malta

Agenda

• About RedCLARA

• GT-CSIRT Initiative

• LA-1: Malicious Activity Monitoring

• LA-2: Security Incident Handling

• LA-3: CSIRT Assistance


About RedCLARA

• Latin American Research, Education and Development network.

• Association of NRENs (National Research and Education Networks).

• Academic and Research community:

  • Universities and Higher Education Schools

  • Technology Centers

  • Research Centers and Institutions

  • etc.

• Millions of Internet users!

About RedCLARA (cont)

RedCLARA Members:

• Argentina (INNOVA-RED)

• Bolivia (ADSIB)

• Brazil (RNP)

• Chile (REUNA)

• Colombia (RENATA)

• Costa Rica (CONARE)

• Ecuador (CEDIA)

• El Salvador (RAICES)

• Guatemala (RAGIE)

• Mexico (CUDI)

• Panamá (REDCYT)

• Paraguay (ARANDU)

• Peru (RAAP)

• Uruguay (RAU)

• Venezuela (REACCIUN)


GT-CSIRT Initiative

• Established in August, 2011 (duration: 2 years)

• GT-CSIRT Mission

  Build CSIRT capabilities in each NREN and promote collaborative actions among the ones already established.

• Different approach

  – 03 Action Lines:

    1. LA-1: Malicious Activity Monitoring

    2. LA-2: Security Incident Handling

    3. LA-3: CSIRT Assistance

  – Pilot → All NRENs

GT-CSIRT Initiative (cont)

• WG Members

  Institution   NREN    Name
  INICTEL       RAAP    José Luis Quiroz
  INICTEL       RAAP    Javier Richard Quinto
  CEDIA         CEDIA   Claudio Chacón
  CEDIA         CEDIA   Mabel Mendez
  RAU           RAU     Sergio Ramirez
  RAU           RAU     Mónica Soliño
  REUNA         REUNA   Claudia Inostroza
  RNP           RNP     Frederico Costa
  RNP           RNP     Carla Freitas
  UTPL          CEDIA   Rebeca Pilco
  UTPL          CEDIA   Julia Pineda

• Coordinator: Liliana Solha (CAIS/RNP)

• Vice-coordinator: Carlos Córdova (UTPL/CEDIA)

• Assistant: Rildo Souza (CAIS/RNP)


LA-1: Malicious activity monitoring

• The SurfIDS Tool

  – Distributed IDS (D-IDS) developed by SURFnet

    – http://www.surfnet.nl/

    – http://ids.surfnet.nl

  – Model for environments where network usage is poorly controlled (as in some NRENs)

  – Focused on worm detection, unauthorized access attempts and other types of malicious traffic.

  – Advantages: easy installation, low rate of false positives, easy updating process.

LA-1: Malicious activity monitoring (cont)

SurfIDS: Modus operandi


LA-1: Malicious activity monitoring (cont)

LA-1: Malicious activity monitoring (cont)


LA-1: Malicious activity monitoring (cont)


LA-1: Malicious activity monitoring (cont)

Web interface


LA-1: Malicious activity monitoring (cont)

FUTURE: sensors at NREN 1 … NREN X feeding RedCLARA

• Event correlation infrastructure:

  • Security incident statistics for LAC

  • Incident correlation among NRENs

  • Attack trend analysis

  • Malware database for LAC
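The correlation the slide sketches for the future infrastructure (sensor events from several NRENs collected centrally, then cross-NREN correlation, per-NREN statistics and attack trends) can be shown with a few lines of code. This is an added example, not GT-CSIRT or SurfIDS code; the NREN and sensor names are placeholders and the events are constructed, using documentation-range addresses.

```python
"""Cross-NREN correlation of distributed-IDS sensor events.
Added illustrative example; NREN/sensor names and events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sensor events: (nren, sensor, timestamp, source_ip, category).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("NREN-1", "sensor-a", "2012-06-15T09:12:00", "198.51.100.23", "worm"),
    ("NREN-1", "sensor-b", "2012-06-15T11:40:00", "198.51.100.23", "worm"),
    ("NREN-2", "sensor-c", "2012-06-15T12:01:00", "198.51.100.23", "scan"),
    ("NREN-2", "sensor-c", "2012-06-16T08:30:00", "203.0.113.77", "ssh-bruteforce"),
    ("NREN-3", "sensor-d", "2012-06-16T09:00:00", "203.0.113.77", "ssh-bruteforce"),
    ("NREN-3", "sensor-d", "2012-06-16T09:05:00", "192.0.2.8", "scan"),
    ("NREN-3", "sensor-d", "2012-06-17T07:45:00", "192.0.2.8", "scan"),
]


def cross_nren_sources(events, min_nrens=2):
    """Sources seen by sensors in at least min_nrens distinct NRENs.
    A source hitting several NRENs is a campaign, not one site's noise."""
    seen = defaultdict(set)
    for nren, _sensor, _ts, src, _cat in events:
        seen[src].add(nren)
    return {src: sorted(nrens) for src, nrens in seen.items()
            if len(nrens) >= min_nrens}


def incidents_per_nren(events):
    """Per-NREN count by category (the 'security incident statistics' item)."""
    stats = defaultdict(Counter)
    for nren, _sensor, _ts, _src, cat in events:
        stats[nren][cat] += 1
    return {nren: dict(counter) for nren, counter in stats.items()}


def daily_trend(events, category=None):
    """Events per day across all NRENs, optionally for one category
    (the 'attack trend analysis' item)."""
    counts = Counter()
    for _nren, _sensor, ts, _src, cat in events:
        if category is None or cat == category:
            counts[datetime.fromisoformat(ts).date().isoformat()] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("cross-NREN sources:", cross_nren_sources(SAMPLE_EVENTS))
    print("per-NREN stats:", incidents_per_nren(SAMPLE_EVENTS))
    print("daily trend (scan):", daily_trend(SAMPLE_EVENTS, "scan"))
```

With the constructed events, two sources are reported by sensors in more than one NREN; a single NREN looking only at its own sensors would see each of them as an isolated event.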

LA-2: Incident Handling

• Incident Handling Process

  – Incident reception (sources):

    • Monitoring (GT-CSIRT "LA-1: Malicious Activity Monitoring")

    • Incident feeds/files from different sources: Shadowserver, zone-h, spamcop, specific agreements, etc.

    • Notifications from CSIRTs, sysadmins, regular users.

  Process flow: Incident Reception → Triage and Analysis → Containment/Mitigation → Recovery → Post-incident


LA-2: Incident Handling (cont)

• RNP experience

  – High amount of reported incidents (NREN)

  – Most of them followed a standardized form

  – Some organizations required to receive the incidents in a batch

  – Non-documented and non-standardized scripts

  – Hard to update the security PoCs database

GENICS → RedCLARA!



LA-2: Incident Handling (cont)

GENICS: Modus operandi

INPUT (e-mail or file) → Filter (ID) → Parser (selected from the Parsers DB) → OUTPUT → Sending (security PoC looked up in the Security contacts DB) → CONSTITUENCY

LA-2: Incident Handling (cont)

Homepage


LA-2: Incident Handling (cont)

Control panel – Security PoCs manager

LA-2: Incident Handling (cont)

Contacts Manager – NREN


LA-2: Incident Handling (cont)

Contacts Manager: NREN Details

LA-2: Incident Handling (cont)

• About Security Points of Contact

  – RFC 2142

    • sec_poc1@nren_domain, sec_poc2@nren_domain

    • security@nren_domain, abuse@nren_domain

  – Whois database update (abuse-c)

  – Example: Ecuadorian NREN (CEDIA), AS27841 and IP block 190.15.128/20

Results from LACNIC now:

nic-hdl: SCN3
person: Security CEDIA NREN
e-mail: [email protected]
address: Av. 12 de Abril Universidad Cuenca - Edif. Lab. Tecnologicos piso 3, s/n, Agustin Cueva
address: EC010112 - Cuenca – AZ
country: EC
phone: +593 07 4051000 [4220]
created: 20120524
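The GENICS flow on the earlier slide (input feed, filter by feed ID, parser chosen from a parsers DB, output batched per organization and sent to the security PoC held in a contacts DB) and the RFC 2142 mailbox naming on this slide can be shown together in one small routing script. This is an added illustrative example, not GENICS or CAIS/RNP code. It assumes two registered feed formats of my own design (`feed-csv` and `feed-lines`), a contacts DB with the CEDIA block 190.15.128.0/20 quoted in the slides plus a placeholder block and placeholder `.example` mail domains for RNP, and a constructed feed using documentation-range addresses for the out-of-constituency host.

```python
"""GENICS-style incident routing (added illustrative example, not GENICS code):
feed -> filter by feed ID -> parser from the parsers DB -> grouping per NREN
-> batched or per-incident notification to the security PoC in the contacts DB."""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from typing import Callable

# Security contacts DB (constructed). The CEDIA block is the one quoted in the
# slides; the RNP block and both mail domains are placeholders.
CONTACTS_DB = {
    "CEDIA": {"networks": ["190.15.128.0/20"],
              "security_poc": "security@cedia.example", "batch": True},
    "RNP": {"networks": ["203.0.113.0/24"],
            "security_poc": "abuse@rnp.example", "batch": False},
}

# RFC 2142 mailbox names for security and abuse reporting.
RFC2142_LOCAL_PARTS = {"security", "abuse"}


def is_rfc2142_contact(address: str) -> bool:
    """True if the PoC address uses one of the RFC 2142 reporting mailboxes."""
    local, _, domain = address.partition("@")
    return bool(domain) and local.lower() in RFC2142_LOCAL_PARTS


def parse_csv_feed(raw: str) -> list[dict]:
    """Parser for a constructed CSV feed with header ip,timestamp,category."""
    return [{"ip": r["ip"], "timestamp": r["timestamp"], "category": r["category"]}
            for r in csv.DictReader(io.StringIO(raw))]


def parse_line_feed(raw: str) -> list[dict]:
    """Parser for a constructed whitespace feed: '<timestamp> <ip> <category>'."""
    records = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        ts, ip, category = line.split(maxsplit=2)
        records.append({"ip": ip, "timestamp": ts, "category": category})
    return records


# Parsers DB: the feed identifier selects the parser (the "Filter (ID)" step).
PARSERS_DB: dict[str, Callable[[str], list[dict]]] = {
    "feed-csv": parse_csv_feed,
    "feed-lines": parse_line_feed,
}


def lookup_constituency(ip: str) -> str | None:
    """NREN whose network contains ip, or None if outside the constituency."""
    addr = ipaddress.ip_address(ip)
    for nren, entry in CONTACTS_DB.items():
        if any(addr in ipaddress.ip_network(net) for net in entry["networks"]):
            return nren
    return None


def route_feed(feed_id: str, raw: str) -> dict[str, list[dict]]:
    """Filter -> parse -> group per NREN. Records outside the constituency are
    dropped; an unregistered feed ID is rejected instead of guessed at."""
    parser = PARSERS_DB.get(feed_id)
    if parser is None:
        raise ValueError(f"no parser registered for feed {feed_id!r}")
    grouped: dict[str, list[dict]] = defaultdict(list)
    for rec in parser(raw):
        nren = lookup_constituency(rec["ip"])
        if nren is not None:
            grouped[nren].append(rec)
    return dict(grouped)


def build_notifications(grouped: dict[str, list[dict]]) -> list[dict]:
    """One batched message for NRENs that asked for batches, else one per incident."""
    messages = []
    for nren, incidents in grouped.items():
        poc = CONTACTS_DB[nren]["security_poc"]
        lines = [f'{i["timestamp"]} {i["ip"]} {i["category"]}' for i in incidents]
        if CONTACTS_DB[nren]["batch"]:
            messages.append({"to": poc, "subject": f"[{nren}] {len(incidents)} incidents",
                             "body": "\n".join(lines)})
        else:
            for line in lines:
                messages.append({"to": poc, "subject": f"[{nren}] incident report",
                                 "body": line})
    return messages


# Constructed feed: two CEDIA hosts, one RNP host, one outside the constituency.
SAMPLE_CSV = """ip,timestamp,category
190.15.130.7,2012-06-17T10:00:00Z,bot
190.15.131.9,2012-06-17T10:05:00Z,scanner
198.51.100.1,2012-06-17T10:06:00Z,scanner
203.0.113.5,2012-06-17T10:07:00Z,bot
"""

if __name__ == "__main__":
    for msg in build_notifications(route_feed("feed-csv", SAMPLE_CSV)):
        print(msg["to"], "|", msg["subject"])
```

Keeping the parser registry and the contacts DB as data rather than code is what addresses the "non-documented scripts" and "hard to update the PoCs database" points from the RNP experience: a new feed is a new parser entry, and a PoC change is a contacts-DB edit. The `is_rfc2142_contact` check is the kind of validation a contacts manager can run when an NREN registers its security PoC.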


LA-2: Incident Handling (cont)

Control Panel: Incidents Manager

LA-2: Incident Handling (cont)

Incidents Manager: Parsers


LA-2: Incident Handling (cont)

Incidents Manager: Parser details

LA-3: CSIRT Assistance

– Since NRENs have implemented:

  • Malicious activity monitoring infrastructure

  • Incident handling infrastructure

  Are they already acting as CSIRTs? Not yet, but they are close to it.

– CSIRT WG developed a “CSIRT Establishment Checklist”

• Pilot: UTPL CSIRT + RNP CSIRT supporting the future CEDIA CSIRT

• CSIRT Establishment Training (July, 2012)


Next steps

– CLARA-TEC: Incident Handling Training for NRENs

  • July, 2012 – Lima, Peru

– LA-1: Malicious activity monitoring

  • Finalize the pilot with 2 sensors/NREN (June, 2012)

  • Prepare the course material (June, 2012)

  • Roll out the monitoring solution (August, 2012 – July, 2013)

– LA-2: Incident handling

  • Finalize the pilot (June, 2012)

  • Prepare the course material (June, 2012)

  • Roll out the incident handling solution/model (August, 2012 – July, 2013)

– Develop a program for supporting NREN CSIRTs (August, 2012 – July, 2013)

  • Looking for funding and partnerships!

Questions

Liliana Velásquez Solha

[email protected]