Working Group 7: Botnet Remediation

Status Update

June 6, 2012

Michael O’Reirdan (MAAWG) - Chair

Peter Fonash (DHS) – Vice-Chair


WG 7 Objectives

Working Group 7 – Botnet Remediation

Description: This Working Group will review the efforts undertaken within the international community, such as the Australian Internet Industry Code of Practice, and among domestic stakeholder groups, such as IETF and the Messaging Anti-Abuse Working Group, for applicability to U.S. ISPs. Building on the work of CSRIC II Working Group 8 ISP Network Protection Practices, the Botnet Remediation Working Group shall propose a set of agreed-upon voluntary practices that would constitute the framework for an opt-in implementation model for ISPs. The Working Group will propose a method for ISPs to express their intent to opt in to the framework proposed by the Working Group.

The Working Group will also identify potential ISP implementation obstacles to the newly drafted Botnet Remediation business practices and identify steps the FCC can take that may help overcome these obstacles.

Finally, the Working Group shall identify performance metrics to evaluate the effectiveness of the ISP Botnet Remediation Business Practices at curbing the spread of botnet infections.


WG 7 Members

Name, Organization

Michael O'Reirdan (Chair), MAAWG

Peter Fonash (Vice Chair), DHS

Robert Thornberry (Editor), Alcatel-Lucent

Michael Little, Applied Communications Sciences

Alex Bobotek, AT&T

John Denning, Bank of Amer.

Neil Schwartzman (Secretary), CAUCE

Chris Lewis, CAUCE

Michael Glenn, CenturyLink

Paul Diamond (Editor), CenturyLink

Jay Opperman, Comcast

Matt Carothers, Cox

Gunter Ollmann, Damballa

Brian Done, DHS

Daniel Bright, EMC Inc

Mats Nilsson, Ericsson

Kurian Jacob, FCC

Vern Mosley, FCC

Bill McInnis, IID

Chris Sills, IID

Tim Rohrbaugh, Intersections

Barry Greene, ISC

Merike Kaeo, ISC

Ed White, McAfee

Kevin Sullivan, Microsoft

Jon Boyens, NIST

Craig Spiezle, OTA

Bill Smith, PayPal

Gabe Iovino, REN-ISAC

Johannes Ullrich, SANS Institute

Adam O'Donnell, Sourcefire

Alfred Huger, Sourcefire

Greg Holzapfel, Sprint

James Holgerson, Sprint

Michael Fiumano, Sprint

Kevin Frank, Sprint

Maxim Weinstein, StopBadware

Patrick Gardner, Symantec

Tice Morgan, T-Mobile

John Griffin, TCS

Chris Roosenraad, TWC

Joe St Sauver (Glossary), Univ of Oregon/Internet 2

Robert Mayer, USTelecom Assoc.

Eric Osterweil, Verisign

John St. Clair, Verizon

Timothy Vogel, Verizon


Work Plan

Phase 1: Based on CSRIC II output, MAAWG recommendations and IETF draft, produce initial Code of Conduct

Phase 2: Identify Barriers to Code Participation

Phase 3: Develop Bot Metrics


Status

Phase 1: U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) completed

– ISPs representing 86% of the U.S. residential subscriber market are either currently participating, or have agreed to participate, in the Code

– Outreach to smaller ISPs is underway to increase awareness and participation


Identification of Code Barriers

• Work in progress to:

– identify potential ISP implementation obstacles to the voluntary U.S. Code of Conduct for ISPs,

– identify steps the FCC can take that may help overcome these obstacles, and

– develop a framework to assist smaller ISPs in identifying and overcoming potential barriers to Code participation


Code Metrics

• Work in progress to:

– identify performance metrics to evaluate the effectiveness of following the voluntary U.S. Anti-Bot Code of Conduct for ISPs at curbing the spread of botnet infections


Challenges

• Metrics work is proving extremely challenging

• Australian iCode is only now starting work on developing metrics after two years of operation

• Likely outcome is a work plan for developing metrics


Multi-Stakeholder Approach to Cybersecurity

[Diagram of stakeholders: ISPs, End Users, App Dev., AV Vendors, Platform Vendors, e-Commerce Orgs., Critical Infra., OS Vendors, Enterprises, Int’l Partners, Research Inst., Gov’t D/As, Regulators, Web Hosts, Content Providers, Privacy Advocates]

• ISPs are in a position to detect botnets operating within their networks and notify end-users of suspected bot infections

• Other members of the Internet ecosystem have equally important roles to fulfill

• A multi-stakeholder approach is necessary in order to fully combat the botnet threat



Next Steps

• Determine long-term administration of Code participation

• Continue Phase 2 - Identification of Barriers to Code Participation

• Continue Phase 3 – Effectiveness Metrics

• Deliver final report on Anti-Bot Code of Conduct - Barriers and Metrics – in December 2012