TRANSCRIPT
Enhancing Collaborative Response to Security Challenges Involving the DNS
Yurie Ito
Security Team
Internet Corporation for Assigned Names and Numbers (ICANN)
The Internet as an Ecosystem
• Built as experiment; now part of everyday life
– Assumed benign, cooperative users
• Now involves a wide variety of systems, stakeholders, opportunities & risks
– Governments, corporations, civil society, criminals
• Malicious actors now use Internet
– Growing centers of gravity – economically, socially, militarily
– Anonymity & ability to leverage 3rd parties for bad acts
– Underground economy is developed
[Figure: Underground Ecosystem – actors (could be internal or external: criminal organizations, terrorists, industry spies, etc.); attack tools and methods (key loggers, spyware, botnets, phishing, Trojans, social engineering, attacks against vulnerabilities); assets targeted (information, systems, resources, IP, ...); monetary/stolen assets (money, threat, ...); spanning the business, technology, human and policy layers]
Risk and cost to the attackers vs. asset value in cyberspace
[Chart: cost/risk to the attackers (low to high) plotted against asset value to attackers (low to high); profit = motivation; political and intelligence motivation also shown]
Botnets and Complexity of Attacks
[Diagram: botnet developer writes the bot code; attacker uses a bot controller (C2) whose routing reaches the bots, which reach the target(s). Multiple purposes; possibly no digital connection]
Who's responsible? Who should be part of a cooperative mitigation and defense? Who should be in an investigation/legal enforcement?
Actors involved:
– Code developers
– Botnet developer (t = X)
– Bot controller (t = Y)
– Owners of assets (C2 and bots)
– DNS operators
– ISPs
– Target(s) (to include firewall, IDS, proxies, targeted network asset)
Attack the swamps, not the fever
What is ICANN?
• International, public benefit, non-profit organization managing the Internet unique identifier systems, including the DNS
– Includes a range of supporting organizations and advisory committees
• Ensuring "Security and Stability" of those systems is a core mission
ICANN Roles and Responsibility Related to Security, Stability and Resiliency
• Bylaws: To coordinate, overall, the global Internet's system of unique identifiers, and to ensure stable and secure operation of the Internet's unique identifier systems
• Core: Ensure DNS system stability and resiliency
• Enabler: Work with broader Internet and security communities to combat systemic DNS abuse; assist operators to protect DNS registration and publication process
• Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecurity challenges
• Not involved in cyberwar/espionage or content control
Board approved ICANN Plan for Enhancing Internet Security, Stability and Resiliency (SSR Plan): http://www.icann.org/en/announcements/announcement-2-21may09-en.htm
JPA, Affirmation of Commitments & Security, Stability and Resiliency
• Affirmation replaces JPA as of 1 October; no end date
– DOC and ICANN make commitments on a number of fronts
• "Preserving security, stability and resiliency" one of four major joint commitments
• Section 9.2 details specific responsibilities
– Have a DNS SSR plan and update regularly – will do annually
– Community review every 3 years; first one in a year
– Focus areas:
• security, stability and resiliency matters, both physical and network, relating to DNS
• ensuring appropriate contingency planning
• maintaining clear processes
ICANN Security Staff
• Greg Rattray: Chief Internet Security Advisor
• John Crain: Senior Director of SSR
• Geoff Bickers: Director of Security Operations
• Yurie Ito: Director, Global Security Programs
Key Initiative: Internet Assigned Numbers Authority (IANA) Operations
• Supporting the implementation of DNS Security Extensions (DNSSEC)
– Working with USG/VeriSign to sign root by end of year
• Initiate improving root zone management through automation
• Improve authentication of communication with TLD managers
Key Initiative: DNS Root Server Operations
• Continuing to seek mutual recognition of roles and responsibilities and initiate a voluntary effort to conduct contingency planning and exercises
• Secure, resilient L-root operation
Key Initiative: Collaboration with TLD Registries and Registrars
• Establishing new gTLDs and IDNs: Ensure establishment of new gTLD and IDN applicants provide for stable operations & enhanced security controls
• gTLD registries:
– Mature the gTLD registry continuity plan and test the data escrow system
– Establish expedited security request and response system
• ccTLD registries:
– Mature the joint Attack and Contingency Response Planning (ACRP) program that has been established with the regional TLD associations
– Facilitate the ccTLD working group on incident response
• Registrars: Enhance registrar accreditation and data escrow requirements
Key Initiative: ccTLD Security and Resiliency Capacity Building Initiative
• Partnered with ccTLD regional organizations to provide training/exercise events to develop capacity
– Managerial-level Attack and Crises Response Planning course – process & best practice
– Technical-level hands-on defense techniques in simulated threat environment
– Workshop to establish exercise programs
• Multiple events planned for Spring 09/Summer 09
– Exercise Training Workshops: Jordan, Seoul
– Technical Training with LACTLD Association in Santiago (Sep)
Looking to leverage lessons and partners
Key Initiative: Contractual Compliance
• Contractual Compliance
– continue to enhance the scope of contractual enforcement activities involving gTLDs
– initiating audits of contracted parties as part of implementing the March 09 amendments to the Registrar Accreditation Agreement (RAA)
– identify potential involvement of contracted parties in malicious activity for compliance action
Key Initiatives: Ensure Global Engagement and Cooperation
• Enhance partnerships to include the Internet Engineering Task Force (IETF), Internet Society (ISOC), regional Internet registries and network operators groups, the DNS Operations, Analysis and Response Center (DNS-OARC), and the global incident response community such as the Forum of Incident Response and Security Teams (FIRST).
• Engage in global dialogues to foster understanding of the security, stability, and resiliency challenges that face the Internet ecosystem and how to engage these challenges with multi-stakeholder approaches
Global Cyber Security Community
[Figure: map of the global cyber security community grouped into Policy, Operational/Response and Law Enforcement, with the ICANN Meeting among them. Bodies shown: APEC-TEL, ASEAN; Atlantic Council, OECD, OAS, CCDCOE, IGF; CERTs community (FIRST, APCERT, TF-CSIRT, GCC, OIC, EGC, IWWN, ...); Meridian: CIIP Directory; NOG community (AfNOG, NANOG, SANOG, PACNOG, MENOG, ccNOG); TLD community (AFTLD, AP-TLD, CENTR, LAC-TLD, RISG); DCC (BTF), Underground Economy Conference, etc.; EU, EC, ENISA; Operators security community (NSP-Trust, Ops-Trust, etc.); Abuse response community (MAAWG, COUSE, etc.); CIP domain ISACs; G8 Lyon Group Subgroup on High-Tech Crime; Vulnerability handling community (CERTs, ICASI); Malicious code analysis community; DNS-OARC; ISOC, ITU; IETF, IEEE; APWG]
Global DNS SSR Symposium
• Co-hosted with Georgia Tech, George Mason University, DNS-OARC: over 90 participants – technologists, academia, operators, security experts, vendors
• Major themes
– Combating malicious abuse of the DNS
– Enterprise DNS risk and remediation
– DNS security in resource constrained environments
Initial findings
• Need for improved collaborative response
• Need for training across all sectors of the industry to raise both skills and awareness
• Other findings are available in the symposium report at
– http://www.gtisc.gatech.edu/icann09
Collaborative Response to Malicious Abuse of the Domain Name System
• ICANN will collaborate to mitigate malicious conduct enabled by the use of the DNS with:
– DNS registries and registrars
– Security research community
– Security response community
– Software and security/anti-virus vendors
– Law enforcement as appropriate
What is Conficker?
• An Internet worm
– Self-replicating malicious code
– Uses a network for distribution
• Uses various methods to spread the infection (network file shares, mapped drives, removable media)
• Conficker code is injected into the Windows Server Service
– Variants disable security measures
– Provides the attacker with remote control, execution privileges, and ability to download more malware
• Enlists the infected computer into a botnet
– Conficker bots query rendezvous points for additional malware or instructions for already present malware
Affected Country Code TLDs – Conficker C
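A defender-side illustration of the rendezvous-point behaviour above, added here and not part of the presentation: a small Python detector run over a constructed resolver log that flags hosts whose NXDOMAIN answers fan out across many TLDs within a short window, which is the lookup pattern a bot produces when it polls generated rendezvous domains that have not (yet) been registered. The log format, addresses, domain names and thresholds are all assumptions.

```python
# Added example (not from the presentation): flag resolver clients whose
# NXDOMAIN answers are spread across many TLDs in a short window, the
# signature of a bot polling generated rendezvous domains.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "<iso-time> <client-ip> <qname> <rcode>"
SAMPLE_LOG = """\
2009-04-01T10:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T10:00:02 10.0.0.7 qwlkjzhd.ws NXDOMAIN
2009-04-01T10:00:02 10.0.0.7 plmvbnqa.tw NXDOMAIN
2009-04-01T10:00:03 10.0.0.7 zxcvqwer.cn NXDOMAIN
2009-04-01T10:00:03 10.0.0.7 hjklmnop.mn NXDOMAIN
2009-04-01T10:00:04 10.0.0.7 asdfghjk.bz NXDOMAIN
2009-04-01T10:00:04 10.0.0.7 uiopasdf.cd NXDOMAIN
2009-04-01T10:00:05 10.0.0.5 mail.example.com NOERROR
2009-04-01T10:00:05 10.0.0.5 typo.example.org NXDOMAIN
2009-04-01T10:00:06 10.0.0.9 old.example.net NXDOMAIN
"""

def parse_log(text):
    """Yield (time, client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def find_rendezvous_pollers(text, window=timedelta(seconds=60), min_nx=5, min_tlds=4):
    """Return {client: (nxdomain_count, distinct_tld_count)} for every client
    that, inside one sliding window, received at least min_nx NXDOMAIN answers
    covering at least min_tlds distinct TLDs. Thresholds are assumed values;
    a single host mistyping a name (10.0.0.5 above) does not trip them."""
    nx_by_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx_by_client[client].append((ts, qname.rsplit(".", 1)[-1]))
    flagged = {}
    for client, events in nx_by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # TLDs of the NXDOMAIN answers that fall within `window` of this start
            in_window = [tld for ts, tld in events[i:] if ts - start <= window]
            if len(in_window) >= min_nx and len(set(in_window)) >= min_tlds:
                flagged[client] = (len(in_window), len(set(in_window)))
                break
    return flagged

if __name__ == "__main__":
    print(find_rendezvous_pollers(SAMPLE_LOG))  # {'10.0.0.7': (6, 6)}
```

In practice the flagged hosts are candidates for containment and cleanup, and the same NXDOMAIN counters drop sharply once registries pre-register or sinkhole the generated names, which is how the effect of the collaborative response can be measured.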
Positive Lessons Learned
• Security and DNS communities can work effectively together, at an operational level, to contain global security threats
– Trust was a critical element in the ad hoc partnership
• Communications channels are essential in coordinating operational response
– ICANN's role in enabling communications and staff participation in the ad hoc partnership was appreciated
• Security and DNS communities need each other
– Leverage competencies rather than duplicate them
– Collective, global expertise is essential for effective response
Problems Not Yet Solved
• Collaborative response forced botnet operators out of their comfort zone but not out of business
• Botnet writers are agile and elusive
– Cannot put them out of business without adopting a similarly agile model for response
• Collaboration can be difficult to sustain
– Numerous and complex, harder to build and maintain, more fragile than botnets
• The risk-reward equation favors worm creators
Must have public–private collaboration
Way Forward on DNS Collaborative Response
ICANN is actively participating in these efforts
ccNSO IRWG Update
• The purpose of the Incident Response Working Group (IRWG) is to develop sustainable mechanisms for the engagement of and interaction with ccTLD registries during incidents that may impact the DNS.
• In considering feasible methods the IRWG should take into account and be guided by:
– The overarching requirement to preserve the security and stability of the DNS;
– The non-binding relationship of the ccTLD registries to any one particular entity except possibly with their own governments;
– Diversity of language, time zone, resources, expertise;
– Particular policies and practices by which ccTLDs may be guided.
How can the ICANN/DNS community and MENOG collaborate?
• Do network operators have incident response contacts? Do they have on-going dialogue? Exercise response?
• What can we do more to collaborate with you?