abuse helper app - networkshop44

AbuseHelper Lee Harrigan-Green

Upload: jisc

Post on 19-Jan-2017


TRANSCRIPT

Page 1: Abuse helper app - Networkshop44

AbuseHelper

Lee Harrigan-Green

Page 2: Abuse helper app - Networkshop44

#nsw44

How we currently process abuse intel

RTIR

Report comes in

Incident handler is alerted to new ticket

Script parses data and creates tickets

Incident handler processes report using home-grown script

Data distributed to organisations as part of ticket creation process

Page 3: Abuse helper app - Networkshop44


How we currently process abuse intel

01/05/2023

Title of presentation (Insert > Header & Footer > Slide > Footer > Apply to all)

RTIR

Report comes in

Incident handler is alerted to new ticket

Script parses data and adds data to existing ticket

Incident handler checks ticket for new data

Incident handler sends data on to site

Page 4: Abuse helper app - Networkshop44


Process review findings

»Shadowserver data delay ~24hrs
»Getting the latest data sent out requires intervention by an incident handler

»Incomplete data is sometimes sent out making investigations difficult

»A response is often not required and creates unnecessary work for both parties

Page 5: Abuse helper app - Networkshop44


The landscape is evolving

»Major vulnerabilities are being disclosed
»More open/insecure services reachable via the internet
»Malware is frequently becoming more complex
»Guest networks and BYOD == Larger attack surface!

»Increase in intel data and available feeds = security teams are processing a substantial amount of data

»This means that we need to automate more!

Page 6: Abuse helper app - Networkshop44


We know we can do much better!

»Faster processing
»Timely reporting
»All data should be actionable and relevant
»Must communicate clearly when an acknowledgement or response is required

Page 7: Abuse helper app - Networkshop44


AbuseHelper

»AbuseHelper or AbuseSA automates the collection, processing and reporting of intelligence and abuse data to help organisations secure their networks

»Developed by Codenomicon, a branch of Synopsys

Page 8: Abuse helper app - Networkshop44


AbuseHelper – What is it?

The core of AbuseHelper is a framework to help with automating the distribution of abuse information in three steps:

»Input feeds
»Processing
»Output

Page 9: Abuse helper app - Networkshop44


AbuseHelper – Input feeds

»Shadowserver
»Codenomicon sinkhole
»Abuse.ch
»Team-Cymru
»Phishtank
»Microsoft CTIP

Page 10: Abuse helper app - Networkshop44


AbuseHelper - Processing

Processing the events from these feeds.

»Augmenting
»Sanitizing
»De-duplicating
»Filtering
»Adding additional data (GeoIP, Whois, CRM, ASN lookups)

Page 11: Abuse helper app - Networkshop44


AbuseHelper - Output

Sending out actionable reports to our customers.

Outputs supported by AbuseHelper:

»Direct emails
»XMPP feeds
»Incident handling systems
»Updating firewall rules
»CSV
»JSON

In the last couple of weeks

Page 12: Abuse helper app - Networkshop44


Options available to you!

»Customers can specify how they want their data
»Reporting style – do you want reports per-IP or aggregated per-org?
»Reporting frequency is based on reporting style:
›Per-IP = near real time
›Aggregated = every 12 hours or daily

Page 13: Abuse helper app - Networkshop44


Incident walkthrough

Input feeds

Processing

Output

Page 14: Abuse helper app - Networkshop44


Input feed

»Each feed bot will frequently poll its source and retrieve data for ASN786

»Once retrieved, each bot will store the data in an XMPP chat room

Page 15: Abuse helper app - Networkshop44


Incident walkthrough

Input feeds

Processing

Output

Page 16: Abuse helper app - Networkshop44


Data Processing

The processing stage allows us to customise certain aspects of the data we receive from each feed. We will:

»Filter out reports with “missing data”
»Remove duplicate entries
»Run whois lookups to find correct contacts
»Run GeoIP lookups on IP address
»Retrieve reporting style for each customer

Once this work has been completed, the report is ready to be output.

Page 17: Abuse helper app - Networkshop44


Incident walkthrough

Input feeds

Processing

Output

Page 18: Abuse helper app - Networkshop44


Data output/distribution

»The output stage is where we send the information to you

»Once the processing stage is complete, what’s left will be an actionable report with the relevant contact details appended

»An “RTIR bot” will then connect to our RTIR instance and send out data depending on the reporting style configured
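To make the processing and output stages on the slides concrete (filter missing data, de-duplicate, append contact details, then deliver per-IP or aggregated per-org as chosen on the reporting-style slide), here is an added toy pipeline. It is example code written for this transcript, not AbuseHelper's own, and the contact table, feed rows and reporting styles are all constructed; the prefix table stands in for the whois/CRM lookup.

```python
# Toy AbuseHelper-style pipeline: filter, de-duplicate, enrich, then group by
# each customer's reporting style. All data below is constructed for the example.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed contact table standing in for the whois/CRM lookup (assumption).
CONTACTS = {
    "192.0.2.0/24": {"org": "Example College", "contact": "abuse@college.invalid", "style": "per-ip"},
    "198.51.100.0/24": {"org": "Example Uni", "contact": "abuse@uni.invalid", "style": "aggregated"},
}

# Constructed feed rows, shaped like a Shadowserver-style report.
EVENTS = [
    {"source": "shadowserver", "ip": "192.0.2.10", "type": "open-dns-resolver", "port": 53},
    {"source": "shadowserver", "ip": "192.0.2.10", "type": "open-dns-resolver", "port": 53},  # duplicate
    {"source": "shadowserver", "ip": "198.51.100.5", "type": "botnet-drone", "port": 443},
    {"source": "shadowserver", "ip": "198.51.100.9", "type": "open-snmp", "port": 161},
    {"source": "shadowserver", "ip": "", "type": "open-snmp", "port": 161},  # missing data
    {"source": "shadowserver", "ip": "203.0.113.7", "type": "open-ntp", "port": 123},  # no contact
]

def lookup_contact(ip):
    """Return the constructed contact record whose prefix covers ip, else None."""
    addr = ip_address(ip)
    return next((rec for pfx, rec in CONTACTS.items() if addr in ip_network(pfx)), None)

def process(events):
    """Drop incomplete rows and duplicates, then append contact details."""
    seen, out = set(), []
    for ev in events:
        if not ev.get("ip") or not ev.get("type"):
            continue  # "missing data": nothing actionable to send
        key = (ev["source"], ev["ip"], ev["type"])
        if key in seen:
            continue  # same finding already queued
        seen.add(key)
        contact = lookup_contact(ev["ip"])
        if contact is None:
            continue  # unknown owner: hold rather than mis-route the report
        out.append({**ev, **contact})
    return out

def build_reports(processed):
    """Per-IP customers get one report per event; aggregated customers one per org."""
    reports, grouped = [], defaultdict(list)
    for ev in processed:
        if ev["style"] == "per-ip":
            reports.append({"to": ev["contact"], "org": ev["org"], "events": [ev]})
        else:
            grouped[(ev["contact"], ev["org"])].append(ev)
    for (contact, org), evs in grouped.items():
        reports.append({"to": contact, "org": org, "events": evs})
    return reports
```

Running `build_reports(process(EVENTS))` yields one per-IP report for the college and a single aggregated report carrying both university findings; the duplicate, the empty-IP row and the unattributed address never reach a customer.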

Page 19: Abuse helper app - Networkshop44


Customer interaction

»All reports will come from [email protected]
»We will no longer require a response to issues from this address
»RTIR reference number included with each report
»Feel free to ask for assistance
»Provide feedback where relevant (samples, C&C hosts, pcaps, proxy logs)

Page 20: Abuse helper app - Networkshop44


How does this improve things for you?

✓Faster processing
✓Timely reporting
✓All data will be actionable
✓Must communicate clearly when an acknowledgement or response is required
✓Sites will have more information to help secure their networks

Page 21: Abuse helper app - Networkshop44


How does this improve things for Janet CSIRT?

Use of automation where possible to enable us to use our time for:

»Research
»Writing more best practice and advisory documents
»Proactive “hunting”
»Improve existing services and tools
»Develop new services and tools

Page 22: Abuse helper app - Networkshop44


Situational Awareness

»AbuseHelper provides a range of visualisation options giving us a better view and understanding of the state of security on the Janet network

»We can see where we’ve improved as a network
»Help identify where we could or should focus our efforts

Page 23: Abuse helper app - Networkshop44


Visualisation example


Page 24: Abuse helper app - Networkshop44


Visualisation example


Page 25: Abuse helper app - Networkshop44


Visualisation example


Page 26: Abuse helper app - Networkshop44


Visualisation example


Page 27: Abuse helper app - Networkshop44


Where we are currently

»Around 100 Jisc customers currently receiving AbuseHelper reporting

»Deployment has been slow due to efforts on other projects

»Currently only processing ShadowServer data
»Feedback from the initial pilot organisations is positive
»Looking for all customers active by June
»If you want to be added sooner please get in contact

Page 28: Abuse helper app - Networkshop44


jisc.ac.uk

Thanks for listening!

Lee Harrigan-Green, Senior Security Architect, [email protected]