
Enhancing Collaborative Response to Security Challenges Involving the DNS

Yurie Ito

Security Team

Internet Corporation for Assigned Names and Numbers (ICANN)

The Internet as an Ecosystem

• Built as an experiment; now part of everyday life
– Assumed benign, cooperative users

• Now involves a wide variety of systems, stakeholders, opportunities & risks
– Governments, corporations, civil society, criminals

• Malicious actors now use the Internet
– Growing centers of gravity: economically, socially, militarily
– Anonymity & ability to leverage 3rd parties for bad acts
– Underground economy is developed

[Diagram: the underground ecosystem. Attack tools and methods (key logger, spyware, botnets, phishing, Trojan, social engineering, attacks against vulnerabilities) are used by actors (internal or external: criminal organizations, terrorists, industrial spies, etc.) against assets (information, systems, resources, IP, etc.) spanning the business, technology, human and policy layers; the return is money or stolen assets, or a threat.]

[Chart: Risk and cost to the attackers vs. asset value in cyberspace. Horizontal axis: cost/risk to the attackers (low to high); vertical axis: asset value to attackers (low to high). Profit = motivation; political and intelligence motivations are also shown.]

Botnets and Complexity of Attacks

[Diagram: Attacker -> Bot Controller (C2) -> Bots (running bot code, reached over routing) -> Target(s); a separate Botnet Developer supplies the bot code.]

Multiple purposes; possibly no digital connection

Who's responsible? Who should be part of a cooperative mitigation and defense? Who should be part of an investigation / legal enforcement?

Actors involved:
- Code developers
- Botnet developer (t = X)
- Bot controller (t = Y)
- Owners of assets (C2 and bots)
- DNS operators
- ISPs
- Target(s) (to include firewall, IDS, proxies, targeted network asset)

Attack the swamps, not the fever

What is ICANN?

• International, public benefit, non-profit organization managing the Internet's unique identifier systems, including the DNS
– Includes a range of supporting organizations and advisory committees

• Ensuring "Security and Stability" of those systems is a core mission

ICANN Roles and Responsibility Related to Security, Stability and Resiliency

• Bylaws: To coordinate, overall, the global Internet's system of unique identifiers, and to ensure stable and secure operation of the Internet's unique identifier systems

• Core: Ensure DNS system stability and resiliency

• Enabler: Work with the broader Internet and security communities to combat systemic DNS abuse; assist operators to protect the DNS registration and publication process

• Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecurity challenges

• Not involved in cyberwar/espionage or content control

Board-approved ICANN Plan for Enhancing Internet Security, Stability and Resiliency (SSR Plan): http://www.icann.org/en/announcements/announcement-2-21may09-en.htm

JPA, Affirmation of Commitments & Security, Stability and Resiliency

• Affirmation replaces JPA as of 1 October; no end date
– DOC and ICANN make commitments on a number of fronts

• "Preserving security, stability and resiliency" is one of four major joint commitments

• Section 9.2 details specific responsibilities
– Have a DNS SSR plan and update it regularly; will do annually
– Community review every 3 years; first one in a year
– Focus areas:
• security, stability and resiliency matters, both physical and network, relating to the DNS
• ensuring appropriate contingency planning
• maintaining clear processes

ICANN Security Staff

• Greg Rattray: Chief Internet Security Advisor

• John Crain: Senior Director of SSR

• Geoff Bickers: Director of Security Operations

• Yurie Ito: Director, Global Security Programs

Key Initiative: Internet Assigned Numbers Authority (IANA) Operations

• Supporting the implementation of DNS Security Extensions (DNSSEC)
– Working with USG/VeriSign to sign the root by end of year

• Initiate improving root zone management through automation

• Improve authentication of communication with TLD managers

Key Initiative: DNS Root Server Operations

• Continuing to seek mutual recognition of roles and responsibilities, and initiate a voluntary effort to conduct contingency planning and exercises

• Secure, resilient L-root operation

Key Initiative: Collaboration with TLD Registries and Registrars

• Establishing new gTLDs and IDNs: Ensure that new gTLD and IDN applicants provide for stable operations & enhanced security controls

• gTLD Registries:
– Mature the gTLD registry continuity plan and test the data escrow system
– Establish an expedited security request and response system

• ccTLD Registries:
– Mature the joint Attack and Contingency Response Planning (ACRP) program that has been established with the regional TLD associations
– Facilitate the ccTLD working group on incident response

• Registrars: Enhance registrar accreditation and data escrow requirements

Key Initiative: ccTLD Security and Resiliency Capacity Building Initiative

• Partnered with ccTLD regional organizations to provide training/exercise events to develop capacity
– Managerial-level Attack and Crisis Response Planning course: process & best practice
– Technical-level hands-on defense techniques in a simulated threat environment
– Workshop to establish exercise programs

• Multiple events planned for Spring 09/Summer 09
– Exercise Training Workshops: Jordan, Seoul
– Technical Training with the LACTLD Association in Santiago (Sep)

Looking to leverage lessons and partners

Key Initiative: Contractual Compliance

• Contractual Compliance
– continue to enhance the scope of contractual enforcement activities involving gTLDs
– initiating audits of contracted parties as part of implementing the March 09 amendments to the Registrar Accreditation Agreement (RAA)
– identify potential involvement of contracted parties in malicious activity for compliance action.

Key Initiatives: Ensure Global Engagement and Cooperation

• Enhance partnerships to include the Internet Engineering Task Force (IETF), the Internet Society (ISOC), regional Internet registries and network operators groups, the DNS Operations, Analysis and Response Center (DNS-OARC), and the global incident response community such as the Forum of Incident Response and Security Teams (FIRST).

• Engage in global dialogues to foster understanding of the security, stability, and resiliency challenges that face the Internet ecosystem and how to engage these challenges with multi-stakeholder approaches

Global Cyber Security Community

[Diagram: the communities ICANN engages with, arranged under three headings: Policy, Operational/Response, Law Enforcement. Groups shown:]

- APEC-TEL, ASEAN
- Atlantic Council, OECD, OAS, CCDCOE, IGF
- CERTs community: FIRST, APCERT, TF-CSIRT, GCC, OIC, EGC, IWWN, ...
- Meridian: CIIP Directory
- NOG community: AfNOG, NANOG, SANOG, PACNOG, MENOG, ccNOG
- TLD community: AFTLD, AP-TLD, CENTRE, LAC-TLD, RISG
- DCC (BTF), Underground Economy Conference, etc.
- EU, EC, ENISA
- Operators security community: NSP-Trust, Ops-Trust, etc.
- Abuse response community: MAAWG, COUSE, etc.
- CIP domain ISACs
- G8 Lyon Group Subgroup on High-Tech Crime
- ICANN Meeting
- Vulnerability handling community: CERTs, ICASI
- Malicious code analysis community
- DNS-OARC
- ISOC, ITU
- IETF, IEEE
- APWG

Global DNS SSR Symposium

• Co-hosted with Georgia Tech, George Mason University and DNS-OARC: over 90 participants, including technologists, academia, operators, security experts and vendors

• Major themes
– Combating malicious abuse of the DNS
– Enterprise DNS risk and remediation
– DNS security in resource-constrained environments

Initial findings

• Need for improved collaborative response

• Need for training across all sectors of the industry to raise both skills and awareness

• Other findings are available in the symposium report at
– http://www.gtisc.gatech.edu/icann09

Collaborative Response to Malicious Abuse of the Domain Name System

• ICANN will collaborate to mitigate malicious conduct enabled by the use of the DNS with:
– DNS registries and registrars
– Security research community
– Security response community
– Software and security/anti-virus vendors
– Law enforcement, as appropriate

What is Conficker?

• An Internet worm
– Self-replicating malicious code
– Uses a network for distribution

• Uses various methods to spread the infection (network file shares, mapped drives, removable media)

• Conficker code is injected into the Windows Server service
– Variants disable security measures
– Provides the attacker with remote control, execution privileges, and the ability to download more malware

• Enlists the infected computer into a botnet
– Conficker bots query rendezvous points for additional malware or for instructions for already-present malware
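To make the "rendezvous point" behaviour on this slide concrete for a resolver operator, the following added example (not ICANN's code and not part of the original deck) scans resolver log lines for the footprint a bot polling machine-generated rendezvous domains leaves behind: a single client producing many distinct NXDOMAIN answers spread across several TLDs inside a short window, while ordinary clients produce the occasional typo. The log format, the thresholds (`min_names`, `min_tlds`, `window`) and the sample records are all assumptions constructed here for illustration; they do not describe Conficker's actual domain set.

```python
"""Flag resolver clients whose NXDOMAIN churn looks like rendezvous-domain polling.

Added illustration for this page. The log format, the thresholds and the
sample records are constructed assumptions, not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log, one query per line: "<ISO time> <client> <qname> <rcode>".
# 10.0.0.5 is an ordinary host with one typo; 10.0.0.9 behaves like a polling bot.
SAMPLE_LOG = """\
2009-04-01T10:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T10:00:02 10.0.0.5 mail.example.org NOERROR
2009-04-01T10:00:03 10.0.0.9 qpzmwkxr.cc NXDOMAIN
2009-04-01T10:00:04 10.0.0.9 tyvbnlkq.ws NXDOMAIN
2009-04-01T10:00:05 10.0.0.9 rwqxoplm.cn NXDOMAIN
2009-04-01T10:00:06 10.0.0.9 mnbvcxzq.biz NXDOMAIN
2009-04-01T10:00:07 10.0.0.9 asdfghjk.info NXDOMAIN
2009-04-01T10:00:08 10.0.0.9 zxcvbnma.org NOERROR
2009-04-01T10:00:09 10.0.0.5 typo-example.net NXDOMAIN
2009-04-01T10:00:10 10.0.0.9 lkjhgfds.net NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode))
    return records


def tld_of(qname):
    """Return the last label of a fully qualified name (its TLD)."""
    return qname.rsplit(".", 1)[-1]


def suspicious_clients(records, window=timedelta(minutes=5), min_names=5, min_tlds=3):
    """Return {client: (distinct_nxdomain_names, distinct_tlds)} for clients that,
    within any sliding `window`, asked for at least `min_names` distinct names that
    did not exist, spread over at least `min_tlds` TLDs. Thresholds are assumptions."""
    nx_by_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx_by_client[client].append((ts, qname))

    flagged = {}
    for client, hits in nx_by_client.items():
        hits.sort()
        best = (0, 0)
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {q for _, q in hits[start:end + 1]}
            tlds = {tld_of(q) for q in names}
            if len(names) > best[0]:
                best = (len(names), len(tlds))
        if best[0] >= min_names and best[1] >= min_tlds:
            flagged[client] = best
    return flagged


def analyze(text):
    """Convenience wrapper: parse a log and return the flagged clients."""
    return suspicious_clients(parse_log(text))


if __name__ == "__main__":
    for client, (names, tlds) in analyze(SAMPLE_LOG).items():
        print(f"{client}: {names} distinct NXDOMAIN names across {tlds} TLDs")
```

The point of counting distinct TLDs as well as distinct names is to separate a polling bot, which spreads its candidate names across many TLDs so that no single registry can pre-empt it, from a misconfigured host that hammers one dead name. In production the same logic would run over a real resolver's query log with thresholds tuned to the site's baseline.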

[Slide: Affected Country Code TLDs, Conficker C]

Positive lessons learned

• Security and DNS communities can work effectively together, at an operational level, to contain global security threats
– Trust was a critical element in the ad hoc partnership

• Communications channels are essential in coordinating operational response
– ICANN's role in enabling communications, and staff participation in the ad hoc partnership, was appreciated

• Security and DNS communities need each other
– Leverage competencies rather than duplicate them
– Collective, global expertise is essential for effective response

Problems not yet solved

• Collaborative response forced botnet operators out of their comfort zone but not out of business

• Botnet writers are agile and elusive
– Cannot put them out of business without adopting a similarly agile model for response

• Collaboration can be difficult to sustain
– Numerous and complex, harder to build and maintain, more fragile than botnets

• The risk-reward equation favors worm creators

Must have public-private collaboration

Way Forward on DNS Collaborative Response

ICANN is actively participating in these efforts

ccNSO IRWG update

• The purpose of the Incident Response Working Group (IRWG) is to develop sustainable mechanisms for the engagement of and interaction with ccTLD registries during incidents that may impact the DNS.

• In considering feasible methods the IRWG should take into account and be guided by:
– The overarching requirement to preserve the security and stability of the DNS;
– The non-binding relationship of the ccTLD registries to any one particular entity, except possibly with their own governments;
– Diversity of language, time zone, resources, expertise;
– Particular policies and practices by which ccTLDs may be guided.

How can the ICANN/DNS community and MENOG collaborate?

• Do network operators have incident response contacts? Do they have an on-going dialogue? Do they exercise response?

• What more can we do to collaborate with you?