REN-ISAC Community for Cyber Security Protection and Response, EDUCAUSE Live, November 10, 2008


Page 1: REN-ISAC Community for Cyber Security Protection and Response

REN-ISAC Community for Cyber Security Protection and Response

EDUCAUSE Live, November 10, 2008

Page 2: REN-ISAC Community for Cyber Security Protection and Response

Presentation Outline

• List the focus areas of a HE institution’s security office / team

• List community-based organizations in HE security space

• Map the focus areas to the community-based organizations

• Describe the REN-ISAC organization

• Describe how to join REN-ISAC



Page 7: REN-ISAC Community for Cyber Security Protection and Response

Things a security office/team does:

+ outreach awareness and training

+ policy development and enforcement

+ situational awareness

+ monitor for threat and infected systems

+ protect systems & users from active threat

+ vulnerability scanning

+ incident response

+ data and privacy protection

+ security reviews and consulting

+ risk assessment

+ report to management

+ interface with law enforcement

+ continuing education of staff

+ evaluate security products and services

+ compliance monitoring

Page 8: REN-ISAC Community for Cyber Security Protection and Response

+ promote awareness

+ policy development and enforcement

+ monitor for threat and infected systems

+ protect systems and users from active threat

+ vulnerability scanning

+ incident response

+ data and privacy protection

+ consult on secure dev and admin

+ risk assessment

+ report to management

+ interface with law enforcement

+ security office staff education



Regional and State Communities


Page 17: REN-ISAC Community for Cyber Security Protection and Response

Things a security office/team does:

+ outreach awareness and training

+ policy development and enforcement

+ situational awareness

+ monitor for threat and infected systems

+ protect systems and users from active threat

+ vulnerability scanning

+ incident response

+ data and privacy protection

+ internal security reviews and consulting

+ risk assessment

+ report to management

+ interface with law enforcement

+ continuing education of staff

+ evaluate security products and services

+ compliance monitoring

Rg/St = Regional and State Communities

Page 18: REN-ISAC Community for Cyber Security Protection and Response


The EDUCAUSE and Internet2 Security Task Force focuses on strategy and planning, serving to coordinate collaboration across people, processes, and technologies.

Page 19: REN-ISAC Community for Cyber Security Protection and Response


REN-ISAC addresses real-time operational protection and response matters, within the context of a private information sharing trust community.


Page 21: REN-ISAC Community for Cyber Security Protection and Response

REN-ISAC Goal

The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:

•the exchange of sensitive actionable information within a private trust community,

•the provision of direct security services, and

•serving as the R&E trusted partner within the formal ISAC community.


Page 22: REN-ISAC Community for Cyber Security Protection and Response

Information Sharing

• REN-ISAC is a private trust community for sharing sensitive information.

• The private and trusted character of the membership

– provides a safe zone for the sharing of organizational incident experience – information which otherwise would not be shared,

– protects information about our methods and sources, and

– protects information which if publicly disclosed would abet our adversaries.


Page 23: REN-ISAC Community for Cyber Security Protection and Response

REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC

• Advisory Groups

– Executive Advisory Group: IU, LSU, Oakland U, Reed College, U Mass, UMBC, Internet2, and EDUCAUSE

– Technical Advisory Group: Cornell, IU, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI

• Analysis Teams

– Microsoft Analysis Team: IU, NYU, U Washington

• Service development teams

– Numerous contributors

• Dedicated resource contributors: IU, LSU, Internet2

• Other major contributions (systems, tools, coordination, etc.)

– Buffalo, Brandeis, WPI, MOREnet, and EDUCAUSE


Page 24: REN-ISAC Community for Cyber Security Protection and Response

Benefits of Membership

• Receive and share actionable defense information

• Receive protection and response information products, e.g. Daily Watch Report, Alerts, Advisories, etc.

• Establish relationships with known and trusted peers

• Benefit from information sharing relationships constructed in the broad security community

• Benefit from vendor relationships (e.g. Microsoft SCP)

• Participate in technical security webinars

• Participate in REN-ISAC meetings, workshops, & training

• Have access to the 24x7 REN-ISAC Watch Desk

• Have access to active threat and other sensitive data feeds, e.g. for local IP and DNS block lists, sensor signatures, etc.



Page 26: REN-ISAC Community for Cyber Security Protection and Response

Receive and share actionable defense information

• Information resources include:

– REN-ISAC members

– External information sharing relationships

– Results of direct reconnaissance

– Other sector ISACs

– Global Research NOC at IU (R&E backbone networks)

– Vendor relationships

– Network instrumentation and sensors operated by REN-ISAC



Page 28: REN-ISAC Community for Cyber Security Protection and Response

Receive and share actionable defense information: Example: REN-ISAC members sharing


Subject: Dear Iu.edu Subscriber
Date: Mon, 31 Mar 2008 08:46:09 +1300
From: IU.EDU SUPPORT TEAM <[email protected]>
Reply-To: [email protected]
To: undisclosed-recipients: ;

IMPORTANT NOTICE FROM THE IU.EDU SUPPORT TEAM

Dear Iu.edu Subscriber,

To complete your Iu.edu account and enable us upgrade our system so as to serve you better, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

You can also confirm your email address by logging into your Iu account at https://webmail.iu.edu/horde/imp/login.php

Thank you for using IU.EDU!!
THE IU.EDU TEAM


Page 29: REN-ISAC Community for Cyber Security Protection and Response

web mail account credential phishing – poll of REN-ISAC member experience

• Conducted April 7 & 8, 2008

• Limitations of the poll:

– Fewer than about 50% of the community responded (a short response window).

– Motivations to respond may be different between those who received the phish and those who didn't.

– Membership is moderately skewed to large and advanced degree institutions.

• 107 institutions responded to the poll,

– 86 sites reported receiving the phish,

– 61 reported that someone at the institution fell for the attack, and

– 42 reported that compromised credentials were used by the attacker

• The distribution of last time the phish was observed is:

Dec: 3, Jan: 1, Feb: 6, Mar: 37, Apr: 34 (by Apr 8)


Page 30: REN-ISAC Community for Cyber Security Protection and Response

web mail account credential phishing – information sharing among members


Columns shared per report: Date | Institution | Message Count | From Address | Reply-to address | Email Source IP | Stolen Login IP | Subject line

Page 31: REN-ISAC Community for Cyber Security Protection and Response

web mail account credential phishing – protection and response

• Members used the shared information in protection and response actions

• Overall collected data, with permissions of each contributing member, was taken to law enforcement

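The slides describe the sharing table (From, Reply-To, source IP, stolen-login IP, subject) and say members used it for protection and response, but not what that looks like locally. The following is an added example, not REN-ISAC code or anything from the presentation: it merges shared reports into local indicator sets, triages inbound mail against them, and flags accounts that logged in from an IP another member saw using stolen credentials. The report fields mirror the slide's column headings; the mail-log and webmail-login line formats are simplified stand-ins invented for this example, and every address, IP and log line is constructed (RFC 5737 / RFC 2606 reserved values).

```python
"""Added example (not REN-ISAC code): local use of member-shared phish reports.
Log line formats and all indicator values below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PhishReport:
    """One row of the shared table; fields follow the slide's column headings."""
    date: str
    institution: str
    message_count: int
    from_addr: str
    reply_to: str
    source_ip: str        # SMTP client that delivered the phish
    stolen_login_ip: str  # IP later seen logging in with phished credentials
    subject: str


@dataclass
class Indicators:
    senders: set[str] = field(default_factory=set)     # From and Reply-To addresses
    source_ips: set[str] = field(default_factory=set)  # for the mail gateway block list
    login_ips: set[str] = field(default_factory=set)   # for webmail login review
    subjects: set[str] = field(default_factory=set)    # normalised subject lines


# Constructed sample reports (not real member data).
SHARED_REPORTS = [
    PhishReport("2008-03-31", "Site A", 412, "support@example-sender.test",
                "reply@example-collector.test", "198.51.100.23",
                "203.0.113.77", "Dear Iu.edu Subscriber"),
    PhishReport("2008-04-02", "Site B", 88, "team@example-sender.test",
                "reply@example-collector.test", "198.51.100.23",
                "203.0.113.91", "IMPORTANT NOTICE FROM THE SUPPORT TEAM"),
]


def norm_subject(subject: str) -> str:
    """Case-fold and collapse whitespace so trivial variants still match."""
    return re.sub(r"\s+", " ", subject).strip().casefold()


def build_indicators(reports: list[PhishReport]) -> Indicators:
    """Merge every member's report into one set of local block/watch lists."""
    ind = Indicators()
    for r in reports:
        ind.senders.update({r.from_addr.casefold(), r.reply_to.casefold()})
        ind.source_ips.add(r.source_ip)
        ind.login_ips.add(r.stolen_login_ip)
        ind.subjects.add(norm_subject(r.subject))
    return ind


# Simplified inbound-mail and webmail-login lines (constructed formats, not a real MTA's).
MAIL_RE = re.compile(r'^(?P<ts>\S+) mx (?P<src>[\d.]+) from=<(?P<from>[^>]*)> '
                     r'reply-to=<(?P<rt>[^>]*)> subject="(?P<subj>[^"]*)"$')
AUTH_RE = re.compile(r'^(?P<ts>\S+) webmail login user=(?P<user>\S+) '
                     r'ip=(?P<ip>[\d.]+) result=(?P<res>\w+)$')


def triage_mail(lines: list[str], ind: Indicators) -> list[tuple[int, list[str]]]:
    """Protection: (line number, matched indicator types) for inbound mail hitting any
    shared indicator. Reply-To matters because this phish asks for a reply, not a click."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = MAIL_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["src"] in ind.source_ips:
            reasons.append("source-ip")
        if m["from"].casefold() in ind.senders or m["rt"].casefold() in ind.senders:
            reasons.append("sender")
        if norm_subject(m["subj"]) in ind.subjects:
            reasons.append("subject")
        if reasons:
            hits.append((n, reasons))
    return hits


def find_compromised(lines: list[str], ind: Indicators) -> dict[str, set[str]]:
    """Response: accounts with a successful login from an IP another member reported
    as using stolen credentials; these are candidates for a forced password reset."""
    users: dict[str, set[str]] = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m["res"] == "ok" and m["ip"] in ind.login_ips:
            users.setdefault(m["user"], set()).add(m["ip"])
    return users


# Constructed log lines for the demonstration.
MAIL_LOG = [
    '2008-03-31T08:46 mx 198.51.100.23 from=<support@example-sender.test> '
    'reply-to=<reply@example-collector.test> subject="Dear Iu.edu Subscriber"',
    '2008-03-31T09:02 mx 192.0.2.10 from=<alice@example.com> '
    'reply-to=<alice@example.com> subject="lunch?"',
    '2008-04-01T10:15 mx 192.0.2.50 from=<helpdesk@example.org> '
    'reply-to=<reply@example-collector.test> subject="  dear IU.EDU subscriber "',
]
AUTH_LOG = [
    "2008-04-01T11:00 webmail login user=jdoe ip=203.0.113.77 result=ok",
    "2008-04-01T11:01 webmail login user=jdoe ip=192.0.2.200 result=ok",
    "2008-04-01T11:05 webmail login user=asmith ip=203.0.113.91 result=fail",
    "2008-04-02T02:30 webmail login user=bchen ip=203.0.113.91 result=ok",
]

if __name__ == "__main__":
    ind = build_indicators(SHARED_REPORTS)
    print("mail hits:", triage_mail(MAIL_LOG, ind))
    print("accounts to reset:", find_compromised(AUTH_LOG, ind))
```

The third mail line matches on Reply-To and subject even though its From address is new, which is the point of sharing the collector address rather than only the spoofed sender; the failed login from a reported IP is deliberately not flagged, since only successful logins indicate a credential the attacker actually holds.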


Page 33: REN-ISAC Community for Cyber Security Protection and Response

Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites.

• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, useful for situational awareness.



Page 35: REN-ISAC Community for Cyber Security Protection and Response

Alert Sample: Storm Worm DDoS Threat to EDU; Aug 2007


Alert sections: Issue; Prevention; Mitigation; Don'ts; References


Page 37: REN-ISAC Community for Cyber Security Protection and Response

Notifications Sent


Page 38: REN-ISAC Community for Cyber Security Protection and Response

Information Products: Notifications: REN-ISAC EDU Storm Worm Daily Notifications



Page 40: REN-ISAC Community for Cyber Security Protection and Response

TechBurst Webcasts

• DNSSEC

• RENOIR

• Routing: Protocols, Operation and Security for the R&E Community

• Teredo (IPv6)

• FBI and Cybercrime reporting

• REN-ISAC Online Communities

• Bro-IDS == IDS++

• Attacking Embedded Devices

• Determining "Reasonable Belief" during incident response

• DNS Intel

• Snort

• Forensic Computer Investigations, Part II

• Forensic Computer Investigations, Part I

• Nepenthes

• Reverse Engineering Malware

• Spam zombies dissected

• Shared Darknet Project

• DNS: Protocols, Operation and Security for the R&E Community - Part II of II

• DNS: Protocols, Operation and Security for the R&E Community - Part I of II

• NetFlow Advanced Topics

• Introduction to NetFlow

• Botnet Detection Using DNS Methods



Page 42: REN-ISAC Community for Cyber Security Protection and Response

Membership

• Membership is open to:

– institutions of higher education,

– teaching hospitals,

– research and education network providers, and

– government-funded research organizations;

– international, although focused on U.S.

• Membership is currently free, but the growth and value the community needs are not sustainable without funding.

• Beginning July 1, 2009 a nominal membership fee will be instituted. The fee is not finalized, but the yearly per-institution cost will be kept very low.

– The fee will be per-institution, irrespective of the number of REN-ISAC member representatives from the institution.


Page 43: REN-ISAC Community for Cyber Security Protection and Response

Membership growth (chart: People, Orgs)

Page 44: REN-ISAC Community for Cyber Security Protection and Response

How to Join (in the past and currently)

• Paraphrased, the individual must

– have organization-wide responsibilities for cyber security protection and response,

– at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization,

– be permanent staff, and

– be vouched for (personal trust) by 2 existing members.

• http://www.ren-isac.net/membership.html


Page 45: REN-ISAC Community for Cyber Security Protection and Response

Revised Membership Model

• In November 2008, REN-ISAC will implement a revised membership model. Objectives of the new model are to:

– Retain a strongly trusted information sharing environment

– Extend the reach of REN-ISAC more broadly in the R&E community

– Align “membership” directly with the institution

– Set a base for a long-term sustainable business model


Page 46: REN-ISAC Community for Cyber Security Protection and Response

Revised Membership Model

• Vastly oversimplified descriptions of the current and revised membership models are:

– Current model:  Individuals join. The individual must meet a specific work profile and receive two vouches of personal trust from existing REN-ISAC members. The individual joins to "represent [his or her] institution".

– Revised model:  Institutions and organizations join. A CIO or designee joins on behalf of the institution. That person assumes the ongoing responsibility of "management representative", and nominates one or more "member representatives" who participate in the operational information sharing. Two tiers of participation are differentiated in the degree of vetting of the prospective member and the classification of sensitive information shared in the tier.


Page 47: REN-ISAC Community for Cyber Security Protection and Response

Revised Membership Model: Two-Tiered

• “General” membership = the entry-level tier

– A CIO (or equivalent/designee) appoints General members: one or more full-time staff who meet eligibility requirements. Personal trust vouches are not required, but nominations are open to dispute by existing members.

• “XSec” membership = the e(X)tra (Sec)ure tier

– Additional membership criteria, and two vouches of personal trust are required from existing XSec members

• XSec has its own community-plumbing for sharing extra-sensitive information, and additional services available.

• Two tiers = extend reach of REN-ISAC benefits in the R&E sector, while still retaining a strong-trust core


Page 48: REN-ISAC Community for Cyber Security Protection and Response

Revised Membership Model

• Two important aspects of the revised model are:

– it appropriately aligns membership with the institution rather than the individual, and

– it creates an entry-level membership tier that doesn't have the hurdle of two vouches of personal trust from current members.

• Details regarding the current and revised membership models are at:

– Current: http://www.ren-isac.net/membership.html

– Revised: http://www.indiana.edu/~ishare/membership.shtml


Page 49: REN-ISAC Community for Cyber Security Protection and Response

How to Join (Revised Membership Model)

• Process:

– Institutional membership is applied for by the CIO, local equivalent, or a designee of the same.

• Requiring CIO or equivalent involvement gives us a tractable point of reference for confirming identity, and identifies institutional commitment.

– The person identified above becomes the ‘management representative’ and nominates one or more ‘member representatives’ who participate in the operational information sharing.

• The process will come online in November. In the meantime, we suggest that you (CIOs or local equivalents) register your intent to join, and we will contact you when the revised model is implemented.

• Register intent at: http://www.ren-isac.net/join


Page 50: REN-ISAC Community for Cyber Security Protection and Response

In the works: Development Projects

Not in priority order:

• Scanning Service

• Sensor projects in conjunction with commercial and non-commercial partners

• Security Event System (SES) in cooperation with Internet2 and Argonne National Laboratory

• Incident Information Sharing System (RENOIR), in cooperation with Internet2 and Worcester Polytechnic Institute


Page 51: REN-ISAC Community for Cyber Security Protection and Response

Priorities for the Coming Year

Not in priority order:

• Membership growth

• Implement the two-tiered membership model

• Implement a sustainability & growth business plan

• Facilitate member involvement and contribution

• Development of additional information sharing relationships, and care and feeding of existing relationships

• Assessment of current services and member needs

• Aforementioned development projects


Page 52: REN-ISAC Community for Cyber Security Protection and Response

Contacts

http://www.ren-isac.net

24x7 Watch Desk:

[email protected]

+1(317)278-6630

Doug Pearson, Technical Director

[email protected]

Mark Bruhn, Executive Director

[email protected]

Gabriel Iovino, Principal Security Engineer

[email protected]
