REN-ISAC Community for Cyber Security Protection and Response

Post on 09-Jan-2016


Transcript of REN-ISAC Community for Cyber Security Protection and Response

REN-ISAC: Community for Cyber Security Protection and Response

EDUCAUSE Live, November 10, 2008

Presentation Outline

• List the focus areas of a HE institution’s security office / team

• List community-based organizations in HE security space

• Map the focus areas to the community-based organizations

• Describe the REN-ISAC organization

• Describe how to join REN-ISAC


Things a security office/team does:

+ outreach awareness and training

+ policy development and enforcement

+ situational awareness

+ monitor for threat and infected systems

+ protect systems & users from active threat

+ vulnerability scanning

+ incident response

+ data and privacy protection

+ security reviews and consulting

+ risk assessment

+ report to management

+ interface with law enforcement

+ continuing education of staff

+ evaluate security products and services

+ compliance monitoring

+ promote awareness

+ policy development and enforcement

+ monitor for threat and infected systems

+ protect systems and users from active threat

+ vulnerability scanning

+ incident response

+ data and privacy protection

+ consult on secure dev and admin

+ risk assessment

+ report to management

+ interface with law enforcement

+ security office staff education


Regional and State Communities


The EDUCAUSE and Internet2 Security Task Force focuses on strategy and planning, serving to coordinate collaboration across people, processes, and technologies.


REN-ISAC addresses real-time operational protection and response matters, within the context of a private information sharing trust community.


REN-ISAC Goal

The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:

• the exchange of sensitive actionable information within a private trust community,

• the provision of direct security services, and

• serving as the R&E trusted partner within the formal ISAC community.

Information Sharing

• REN-ISAC is a private trust community for sharing sensitive information.

• The private and trusted character of the membership

– provides a safe zone for the sharing of organizational incident experience – information which otherwise would not be shared,

– protects information about our methods and sources, and

– protects information which if publicly disclosed would abet our adversaries.


REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC

• Advisory Groups

– Executive Advisory Group: IU, LSU, Oakland U, Reed College, U Mass, UMBC, Internet2, and EDUCAUSE

– Technical Advisory Group: Cornell, IU, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI

• Analysis Teams

– Microsoft Analysis Team: IU, NYU, U Washington

• Service development teams

– Numerous contributors

• Dedicated resource contributors: IU, LSU, Internet2

• Other major contributions (systems, tools, coordination, etc.)

– Buffalo, Brandeis, WPI, MOREnet, and EDUCAUSE


Benefits of Membership

• Receive and share actionable defense information

• Receive protection and response information products, e.g. Daily Watch Report, Alerts, Advisories, etc.

• Establish relationships with known and trusted peers

• Benefit from information sharing relationships constructed in the broad security community

• Benefit from vendor relationships (e.g. Microsoft SCP)

• Participate in technical security webinars

• Participate in REN-ISAC meetings, workshops, & training

• Have access to the 24x7 REN-ISAC Watch Desk

• Have access to active threat and other sensitive data feeds, e.g. for local IP and DNS block lists, sensor signatures, etc.


Receive and share actionable defense information

• Information resources include:

– REN-ISAC members

– External information sharing relationships

– Results of direct reconnaissance

– Other sector ISACs

– Global Research NOC at IU (R&E backbone networks)

– Vendor relationships

– Network instrumentation and sensors operated by REN-ISAC


Receive and share actionable defense information. Example: REN-ISAC members sharing

Subject: Dear Iu.edu Subscriber
Date: Mon, 31 Mar 2008 08:46:09 +1300
From: IU.EDU SUPPORT TEAM <support@iu.edu>
Reply-To: supportc@instructor.net
To: undisclosed-recipients: ;

IMPORTANT NOTICE FROM THE IU.EDU SUPPORT TEAM

Dear Iu.edu Subscriber,

To complete your Iu.edu account and enable us upgrade our system so as to serve you better, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

You can also confirm your email address by logging into your Iu account at https://webmail.iu.edu/horde/imp/login.php

Thank you for using IU.EDU!!
THE IU.EDU TEAM

web mail account credential phishing – poll of REN-ISAC member experience

• Conducted April 7 & 8, 2008

• Limitations of the poll:

– <~ 50% of the community responded (a short response window).

– Motivations to respond may be different between those who received the phish and those who didn't.

– Membership is moderately skewed to large and advanced degree institutions.

• 107 institutions responded to the poll,

– 86 sites reported receiving the phish,

– 61 reported that someone at the institution fell for the attack, and

– 42 reported that compromised credentials were used by the attacker

• The distribution of last time the phish was observed is:

Dec: 3, Jan: 1, Feb: 6, Mar: 37, Apr: 34 (by Apr 8)

web mail account credential phishing – information sharing among members

Fields shared for each report: Date, Institution, Message Count, From Address, Reply-to address, Email Source IP, Stolen Login IP, Subject line

web mail account credential phishing – protection and response

• Members used the shared information in protection and response actions

• Overall collected data, with permissions of each contributing member, was taken to law enforcement
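As an added example (not code from the slides or from REN-ISAC), the Python below triages the phish sample quoted above and builds a per-report record in the column layout members shared (Date, Institution, Message Count, From Address, Reply-to address, Email Source IP, Stolen Login IP, Subject line). Only the message text comes from the slide; the institution name, message count and the two IP values are constructed placeholders, the benign control message is constructed, and the indicator checks (Reply-To domain differing from the From domain, a request for a password, pressure language, undisclosed recipients) are this example's own, not a REN-ISAC method.

```python
"""Triage of the webmail credential-phishing sample and construction of
the shared per-report record.  Added example, not REN-ISAC code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Message text as quoted on the slide, laid out as one RFC 822-style message.
SAMPLE_PHISH = """\
Subject: Dear Iu.edu Subscriber
Date: Mon, 31 Mar 2008 08:46:09 +1300
From: IU.EDU SUPPORT TEAM <support@iu.edu>
Reply-To: supportc@instructor.net
To: undisclosed-recipients: ;

IMPORTANT NOTICE FROM THE IU.EDU SUPPORT TEAM
Dear Iu.edu Subscriber,
To complete your Iu.edu account and enable us upgrade our system so as to
serve you better, you must reply to this email immediately and enter your
password here (*********)
Failure to do this will immediately render your email address deactivated
from our database.
"""

# Constructed benign control message; the checks should stay quiet on it.
SAMPLE_BENIGN = """\
Subject: Library hours during spring break
Date: Mon, 31 Mar 2008 09:00:00 -0500
From: University Libraries <library@example.edu>
To: students@example.edu

The main library closes at 5 pm each day of spring break.
"""

CREDENTIAL_WORDS = ("password", "passphrase", "pin")
PRESSURE_WORDS = ("immediately", "deactivated", "suspended", "within 24 hours")


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _mentions(text, words):
    """True if any of the words occurs as a whole word in text (case-insensitive)."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)
               for w in words)


def assess(raw_message):
    """Return a dict of boolean indicators for one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return {
        # Replies (and the typed-in password) would go to a domain other than
        # the claimed sender's: iu.edu vs instructor.net in the sample.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "asks_for_credential": _mentions(body, CREDENTIAL_WORDS),
        "pressure_language": _mentions(body, PRESSURE_WORDS),
        "undisclosed_recipients": "undisclosed-recipients" in (msg["To"] or "").lower(),
    }


def score(indicators):
    """Number of indicators that fired; 0 means nothing suspicious was found."""
    return sum(1 for hit in indicators.values() if hit)


def sharing_record(raw_message, institution, message_count, source_ip, stolen_login_ip):
    """Build the per-report record in the column layout members shared."""
    msg = message_from_string(raw_message)
    return {
        "Date": msg["Date"],
        "Institution": institution,
        "Message Count": message_count,
        "From Address": parseaddr(msg["From"])[1],
        "Reply-to address": parseaddr(msg["Reply-To"] or "")[1],
        "Email Source IP": source_ip,
        "Stolen Login IP": stolen_login_ip,
        "Subject line": msg["Subject"],
    }


if __name__ == "__main__":
    hits = assess(SAMPLE_PHISH)
    print("phish indicators:", hits, "score:", score(hits))
    print("benign score:", score(assess(SAMPLE_BENIGN)))
    # Institution, count and IPs are placeholders (documentation address ranges).
    print(sharing_record(SAMPLE_PHISH, "Example University", 1,
                         "192.0.2.10", "198.51.100.7"))
```

The Reply-To check is the one that generalises best: a legitimate support desk replies from its own domain, so a Reply-To on a different domain than From is worth flagging regardless of wording, while the keyword checks only catch the pressure-and-password pattern this sample uses.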


Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites.

• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, useful for situational awareness.


Alert Sample: Storm Worm DDoS Threat to EDU; Aug 2007

Alert sections: Issue, Prevention, Mitigation, Don’ts, References


Notifications Sent

Information Products: Notifications: REN-ISAC EDU Storm Worm Daily Notifications


TechBurst Webcasts

• DNSSEC
• RENOIR
• Routing: Protocols, Operation and Security for the R&E Community
• Teredo (IPv6)
• FBI and Cybercrime reporting
• REN-ISAC Online Communities
• Bro-IDS == IDS++
• Attacking Embedded Devices
• Determining "Reasonable Belief" during incident response
• DNS Intel
• Snort
• Forensic Computer Investigations, Part II
• Forensic Computer Investigations, Part I
• Nepenthes
• Reverse Engineering Malware
• Spam zombies dissected
• Shared Darknet Project
• DNS: Protocols, Operation and Security for the R&E Community - Part II of II
• DNS: Protocols, Operation and Security for the R&E Community - Part I of II
• NetFlow Advanced Topics
• Introduction to NetFlow
• Botnet Detection Using DNS Methods

Membership

• Membership is open to:

– institutions of higher education,

– teaching hospitals,

– research and education network providers, and

– government-funded research organizations;

– international, although focused on U.S.

• Membership is currently free, but free membership cannot sustain the growth and value the community needs.

• Beginning July 1, 2009 a nominal membership fee will be instituted. The fee is not finalized, but the yearly per-institution cost will be kept very low.

– The fee will be per-institution, irrespective of the number of REN-ISAC member representatives from the institution.

Membership (chart): People, Orgs

How to Join (in the past and currently)

• Paraphrased, the individual must:

– have organization-wide responsibilities for cyber security protection and response,

– at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization,

– be permanent staff, and

– be vouched for (personal trust) by 2 existing members.

• http://www.ren-isac.net/membership.html

Revised Membership Model

• In November 2008, REN-ISAC will implement a revised membership model. Objectives of the new model are to:

– Retain a strongly trusted information sharing environment

– Extend the reach of REN-ISAC more broadly in the R&E community

– Align “membership” directly with the institution

– Set a base for a long-term sustainable business model


Revised Membership Model

• Vastly oversimplified descriptions of the current and revised membership models are:

– Current model: Individuals join. The individual must meet a specific work profile and receive two vouches of personal trust from existing REN-ISAC members. The individual joins to "represent [his or her] institution".

– Revised model: Institutions and organizations join. A CIO or designee joins on behalf of the institution. That person assumes the ongoing responsibility of "management representative", and nominates one or more "member representatives" who participate in the operational information sharing. Two tiers of participation are differentiated in the degree of vetting of the prospective member and the classification of sensitive information shared in the tier.

Revised Membership Model: Two-Tiered

• “General” membership = the entry-level tier

– A CIO (or equivalent/designee) appoints General members – one or more full-time staff who meet eligibility requirements. Personal trust vouches are not required, but nominations are open to dispute by existing members

• “XSec” membership = the e(X)tra (Sec)ure tier

– Additional membership criteria, and two vouches of personal trust are required from existing XSec members

• XSec has its own community-plumbing for sharing extra-sensitive information, and additional services available.

• Two tiers = extend reach of REN-ISAC benefits in the R&E sector, while still retaining a strong-trust core


Revised Membership Model

• Two important aspects of the revised model are:

– it appropriately aligns membership with the institution rather than the individual, and

– it creates an entry-level membership tier that doesn't have the hurdle of two vouches of personal trust from current members.

• Details regarding the current and revised membership models are at:

– Current: http://www.ren-isac.net/membership.html

– Revised: http://www.indiana.edu/~ishare/membership.shtml


How to Join (Revised Membership Model)

• Process:

– Institutional membership is applied for by the CIO, local equivalent, or a designee of the same.

• Requiring CIO or eq. involvement gives us a tractable point of reference for confirming identity, and identifies institutional commitment

– The person identified above becomes the ‘management representative’ and nominates one or more ‘member representatives’ who participate in the operational information sharing.

• The ‘process’ will come online in November. In the meantime, we suggest that you (CIOs or local equivalents) register your intent to join, and we’ll contact you when the revised model is implemented.

• Register intent at: http://www.ren-isac.net/join

In the works: Development Projects

Not in priority order:

• Scanning Service

• Sensor projects in conjunction with commercial and non-commercial partners

• Security Event System (SES) in cooperation with Internet2 and Argonne National Laboratory

• Incident Information Sharing System (RENOIR), in cooperation with Internet2 and Worcester Polytechnic Institute


Priorities for the Coming Year

Not in priority order:

• Membership growth

• Implement the two-tiered membership model

• Implement a sustainability & growth business plan

• Facilitate member involvement and contribution

• Development of additional information sharing relationships, and care and feeding of existing relationships

• Assessment of current services and member needs

• Aforementioned development projects


Contacts

http://www.ren-isac.net

24x7 Watch Desk:

soc@ren-isac.net

+1(317)278-6630

Doug Pearson, Technical Director

dodpears@ren-isac.net

Mark Bruhn, Executive Director

mbruhn@iu.edu

Gabriel Iovino, Principal Security Engineer

giovino@ren-isac.net
