1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006

Page 1: 1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.


REN-ISAC
Research and Education Networking Information Sharing and Analysis Center

Internet2 Member’s Meeting
Chicago
5 December 2006

Page 2

ISACs

• The development of Information Sharing and Analysis Centers (ISACs) was encouraged by U.S. Government Presidential Decision Directive 63: Protecting America's Critical Infrastructures (1998), to
– gather information on vulnerabilities, threats, intrusions, and anomalies;
– perform analysis and develop recommended response;
– and disseminate information so that member organizations can better defend and secure their infrastructures and operations.

Page 3

ISACs

• Subsequently, The National Strategy to Secure Cyberspace (2003) states: "The National Cyberspace Security Response System is a public-private architecture, coordinated by the Department of Homeland Security, for analyzing and warning; managing incidents of national significance; promoting continuity in government systems and private sector infrastructures; and increasing information sharing across and between organizations to improve cyberspace security. The National Cyberspace Security Response System will include governmental entities and nongovernmental entities, such as private sector information sharing and analysis centers (ISACs)."

Page 4

ISACs

• Collect, derive, analyze, and disseminate security threat information, including:
– the physical security of infrastructure, operations, and facilities, and
– computing and networking infrastructures

• Provide resources to support member understanding of threats, protection, and mitigation techniques

• Most, including REN-ISAC, are private-sector entities

Page 5

ISACs

• Chemical Industry ISAC
• Electricity Sector ISAC
• Energy ISAC
• Emergency Management and Response ISAC
• Financial Services ISAC
• Highway ISAC
• Information Technology ISAC
• Multi-State ISAC
• National Coordinating Center for Telecommunications ISAC
• Public Transit ISAC
• Research and Education Networking ISAC
• Surface Transportation ISAC
• Water ISAC

Page 6

REN-ISAC

• Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;

• is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and

• supports efforts to protect the U.S. national cyber infrastructure by participating in the formal ISAC structure.

Page 7

REN-ISAC

• Membership is open and free to institutions of higher education, teaching hospitals, research and education network providers, and government-funded research organizations.
– http://www.ren-isac.net/membership.html

Page 8

REN-ISAC Organization

• Hosted by Indiana University
• Permanent staff
• Executive Advisory Group (being formed)
• Technical Advisory Group
– Support and contributions from:
– Indiana University
– Internet2
– EDUCAUSE
– Louisiana State University, Worcester Polytechnic Institute, University of Massachusetts Amherst
– And the members

Page 9

REN-ISAC “Permanent” Staff

• Mark Bruhn, Executive Director
• Doug Pearson, Technical Director
• Dave Monnier, Principal Security Engineer

Page 10

Technical Advisory Group

• The REN-ISAC Technical Advisory Group (TAG) advises REN-ISAC staff regarding useful products, services, and methods guided by the REN-ISAC mission and evaluation of member needs.
– Chris Misra - University of Massachusetts Amherst (Chair)
– Tom Davis - Indiana University
– Phil Deneault - Worcester Polytechnic Institute
– Brian Eckman - University of Minnesota
– Stephen Gill - Team Cymru
– John Kristoff - UltraDNS
– Randy Raw - Missouri Research & Education Network
– Joe St Sauver - University of Oregon
– Michael Sinatra - University of California Berkeley
– Ex-officio Members
▪ Doug Pearson - REN-ISAC/Indiana University
▪ Dave Monnier - REN-ISAC/Indiana University

Page 11

Member Survey

• …

Page 12

Executive Advisory Group

• The REN-ISAC Executive Steering Group (ESG) advises REN-ISAC management regarding policies, legal issues, plans and strategies, and other non-technical aspects of REN-ISAC operations.
– Jack Seuss - University of Maryland-Baltimore County (Chair)
– Brian Voss - Louisiana State University
– Theresa Rowe - Oakland University
– Ken Klingenstein - Internet2 & University of Colorado
– (invited)
– (invited)
– (invited)
– Ex-officio Members
▪ Mark Bruhn - REN-ISAC/Indiana University
▪ Chris Misra - TAG Chair, University of Massachusetts Amherst

Page 13

Executive Advisory Group

• First task of this group -- now that we’ve established that this activity is of excellent value -- right? -- is a sustainable business model.

Page 14

Relationships

• Internet2
• Other private threat collection and mitigation efforts, e.g. among ISPs, .edu regional groups, etc.
• Global Research NOC at Indiana University, servicing Internet2 Abilene, National LambdaRail, and international connecting networks
• Other sector ISACs
• Department of Homeland Security & US-CERT
• National ISAC Council
• Internet2/EDUCAUSE Computer & Network Security Task Force
• IU Advanced Network Management Lab

Page 15

REN-ISAC Activities

• A vetted trust community for R&E cybersecurity
• Information-sharing and communications channels
• Information products aimed at protection and response
• Participate in mitigation communities
• Incident response
• 24x7 Watch Desk ([email protected], +1 317 274 6630)
• Improve R&E security posture
• Participate in other higher education and national efforts for cyber infrastructure protection

Page 16

Trust Community for R&E Cybersecurity

• A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations.

• Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization.

• http://www.ren-isac.net/membership.html

Page 17

Information Sources

• Network instrumentation and sensors
– Abilene netflow
– Arbor Networks Peakflow SP
– Darknet, honeypots
– Global NOC operational monitoring systems
• Direct reconnaissance
• Information sharing relationships
– Private network security collaborations
– Members
– Daily security status calls with ISACs and US-CERT
– Backbone network and security engineers
– Vendors, relationships and monthly ISAC conferences
– Relationships to national CERTs

Page 18

Information Products

• Daily Weather Report provides situational awareness and actionable protection information.

• Alerts provide critical, timely, actionable protection information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving member networks.

• Threat Information Resources provide information regarding known active sources of threat.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• Instruction on technical topics relevant to security protection and response.

• Monitoring views provide aggregate information for situational awareness.

Page 19

Tools

• Darknet
– Internet Motion Sensor (http://ims.eecs.umich.edu/)
• NetFlow
– Repositories and reporting tools
– Average 10 GB/day
– Flow-tools (http://www.splintered.net/sw/flow-tools/)
– IU ANML Traffic Grapher
– Arbor Networks Peakflow SP
• Honeypot
• Cybersecurity Registry for R&E (in process)

Page 20

Additional Works in Progress

• Regional Security Groups
– Facilitate organizational interactions of regional security working groups, particularly aimed to assist new/developing groups.
• Vendor relationships
– Serve as a two-way interface for deep relations between vendor security teams and U.S. higher education.
• Internet2 Abilene Operational security exercises
– First held November 2005:
▪ Day-long “table top” exercise (talking only, no flows)
▪ Abilene backbone infrastructure attacks, 2 scenarios
▪ Report identifies ~40 observations
– Second (date TBD) will include domestic and international participants

Page 21

Additional Works Under Consideration

• Additional Threat Information Resources
– Malware sites
– Warez IRC networks
• Clearinghouse for additional information resources
– Snort signatures
– IDS and firewall logs, netflow, darknet, etc.
• Passive DNS Replication
– Collect limited information from participating institution DNS systems to develop a database that can be used to perform reverse queries to identify the domain name miscreants use in conjunction with identified hacked or infected machines.
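The passive DNS replication idea above, as an added example that is not part of the original slides or of any REN-ISAC tool: a small in-memory store that ingests only a resolver's answers (no client identity, which is the "limited information" the slide refers to), indexes them both forward and in reverse, and answers the reverse question "which names have pointed at this address, and when?". The record layout, the sample answers, and all names and addresses are constructed for the example (RFC 2606 / RFC 5737 reserved values).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of answer records as a passive-DNS sensor at a campus
# resolver might capture them. Assumed record layout: (timestamp, qname,
# rrtype, rdata). Names and addresses are reserved example values.
SAMPLE_ANSWERS: List[Tuple[str, str, str, str]] = [
    ("2006-12-01T10:00:00", "www.example.edu.", "A", "192.0.2.10"),
    ("2006-12-01T10:05:00", "cnc.bad-domain.example", "A", "203.0.113.7"),
    ("2006-12-02T11:00:00", "CNC.bad-domain.example", "A", "203.0.113.7"),
    ("2006-12-03T09:30:00", "update.bad-domain.example", "A", "203.0.113.7"),
    ("2006-12-03T12:00:00", "www.example.edu", "A", "192.0.2.11"),
    ("2006-12-03T12:01:00", "www.example.edu", "MX", "mail.example.edu"),  # dropped
]


@dataclass
class Observation:
    """Aggregate of every time one (name, rdata) pair was seen."""
    first_seen: datetime
    last_seen: datetime
    count: int


class PassiveDNS:
    """Stores resolver answers only, indexed forward (name -> rdata) and in
    reverse (rdata -> names). Who asked is never recorded."""

    def __init__(self) -> None:
        self._by_rdata: Dict[str, Dict[str, Observation]] = defaultdict(dict)
        self._by_name: Dict[str, Dict[str, Observation]] = defaultdict(dict)

    def ingest(self, ts: str, qname: str, rrtype: str, rdata: str) -> None:
        # Only address-bearing and alias records answer the question
        # "which names pointed at this host"; everything else is dropped.
        if rrtype not in ("A", "AAAA", "CNAME"):
            return
        when = datetime.fromisoformat(ts)
        qname = qname.lower().rstrip(".")          # normalise case and trailing dot
        if rrtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        self._record(self._by_rdata, rdata, qname, when)
        self._record(self._by_name, qname, rdata, when)

    @staticmethod
    def _record(index, key: str, value: str, when: datetime) -> None:
        obs = index[key].get(value)
        if obs is None:
            index[key][value] = Observation(when, when, 1)
        else:
            obs.first_seen = min(obs.first_seen, when)
            obs.last_seen = max(obs.last_seen, when)
            obs.count += 1

    def names_for(self, rdata: str) -> Dict[str, Observation]:
        """Reverse query: which names have resolved to this address?"""
        return dict(self._by_rdata.get(rdata, {}))

    def rdata_for(self, qname: str) -> Dict[str, Observation]:
        """Forward history: which addresses has this name pointed at?"""
        return dict(self._by_name.get(qname.lower().rstrip("."), {}))


def build_index(answers=SAMPLE_ANSWERS) -> PassiveDNS:
    """Load the constructed sample into a fresh index."""
    pdns = PassiveDNS()
    for record in answers:
        pdns.ingest(*record)
    return pdns


if __name__ == "__main__":
    # An analyst handling a compromised host that talked to 203.0.113.7 asks
    # the reverse question and gets the names plus their time window.
    pdns = build_index()
    for name, obs in sorted(pdns.names_for("203.0.113.7").items()):
        print(f"{name:28} seen {obs.count}x "
              f"{obs.first_seen:%Y-%m-%d} .. {obs.last_seen:%Y-%m-%d}")
```

The first_seen/last_seen window is what makes the reverse lookup useful in an investigation: a name that only began resolving to the address after the compromise date is a different lead from one that has pointed there for months.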

Page 22

Additional Works Under Consideration

• Bro IDS on a backbone network
– Open-source network intrusion detection system. Passively monitors for suspicious traffic by comparing against rules describing events or patterns
– Developed at Lawrence Berkeley National Laboratory
– Designed for use at institutional network borders or choke points; potential value in inter-network backbones(?)
– Areas for exploration:
▪ Use on 10 Gbps links
▪ Direct network anomaly detection and response
▪ Botnet command and control identification
▪ Worms and malware
▪ BGP analysis
▪ Live fingerprint sharing in community of Bros
▪ Policy considerations for the use of packet inspection on backbone networks

Page 23

Additional Works Under Consideration

• HoneyFarm via GRE
– A honeypot is a system that interacts with an attacker and pretends to be a victim. It logs the attack activity and may permit itself to be compromised, thereby recording the attack method and capturing a sample of the installed malware. A honeynet is an architected system and network of computers designed to be attacked.
– Project to deploy a large central honeynet managed by REN-ISAC in cooperation with the IU Advanced Network Management Laboratory. Address space is contributed by REN-ISAC members, and tunneled to the honeyfarm via GRE across Abilene.

Page 24

Additional Works Under Consideration

• Inter-organizational incident tracking system
– Use of IODEF. Being looked at by SALSA CSI2
• Malware sandbox
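To make the IODEF item concrete, here is an added example (not part of the slides, and not SALSA or REN-ISAC code) that builds a minimal incident report in the IODEF 1.0 XML format (RFC 5070 namespace urn:ietf:params:xml:ns:iodef-1.0) and parses it back, which is the round trip two organizations' tracking systems need to exchange a notification. Element names follow RFC 5070 as assumed here; no schema validation is performed. The incident id, contact and addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# IODEF 1.0 namespace (RFC 5070). Element and attribute names below follow
# that schema as assumed for this example; it is not validated against the XSD.
NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", NS)


def q(tag: str) -> str:
    """Qualify a tag with the IODEF namespace for ElementTree."""
    return f"{{{NS}}}{tag}"


def build_iodef(incident_id: str, origin: str, report_time: str,
                contact_name: str, contact_email: str,
                sources: List[str], targets: List[str],
                severity: str = "medium", impact_type: str = "unknown") -> bytes:
    """Serialize one incident with source/target IPv4 addresses as IODEF XML."""
    root = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(root, q("Incident"), {"purpose": "mitigation"})
    # IncidentID carries the reporting organization's name so ids from
    # different organizations do not collide.
    ET.SubElement(inc, q("IncidentID"), {"name": origin}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"severity": severity, "type": impact_type})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = contact_name
    ET.SubElement(contact, q("Email")).text = contact_email
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for category, addrs in (("source", sources), ("target", targets)):
        for addr in addrs:
            system = ET.SubElement(flow, q("System"), {"category": category})
            node = ET.SubElement(system, q("Node"))
            ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = addr
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_iodef(document: bytes) -> Dict[str, object]:
    """Extract the fields a receiving tracker would key on."""
    root = ET.fromstring(document)
    inc = root.find(q("Incident"))
    if inc is None:
        raise ValueError("no Incident element")
    ident = inc.find(q("IncidentID"))
    out: Dict[str, object] = {
        "id": ident.text,
        "origin": ident.get("name"),
        "report_time": inc.findtext(q("ReportTime")),
        "severity": inc.find(q("Assessment")).find(q("Impact")).get("severity"),
        "sources": [],
        "targets": [],
    }
    for system in inc.iter(q("System")):
        key = "sources" if system.get("category") == "source" else "targets"
        out[key].extend(a.text for a in system.iter(q("Address")))
    return out


def example_roundtrip() -> Dict[str, object]:
    """Build a constructed report and parse it back (placeholder values)."""
    doc = build_iodef(
        incident_id="2006-0001",                 # constructed
        origin="example-isac.test",              # constructed origin name
        report_time="2006-12-05T12:00:00Z",
        contact_name="Watch Desk",
        contact_email="watchdesk@example.test",  # placeholder address
        sources=["203.0.113.7"],
        targets=["192.0.2.5", "192.0.2.6"],
        severity="high", impact_type="recon",
    )
    return parse_iodef(doc)


if __name__ == "__main__":
    print(example_roundtrip())
```

Keying on the (origin, id) pair rather than the id alone is the detail that lets several organizations track the same incident without renumbering each other's records.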

Page 25

R&D Opportunities

• Security considerations for regional, national, and global layer 1 & 2 networks
– L1 and L2 interconnections acquired and controlled by end-users, for example big science research projects, can introduce unexpected, uncontrolled, and unstable network topology elements and circumvent campus security borders – potentially affecting an entire campus. Dynamic interconnection provisioning amplifies the risk.
– Need shared knowledge in a closed security community of the dynamic end-to-end lambda and L2 interconnection assignments
▪ Who is my university connected to today?

Page 26

R&D Opportunities

• Packet inspection tools on high-speed networks
• Statistical methods to identify departures from normal variation and anomaly detection to identify botnets, worms, and other infections
– Netflow, darknet, IDS, and other data sources
• Expand monitoring methods and instrumentation – other R&D opportunities
– IPv6
– Multicast
– BGP health
– SPAM load
– Instant Messaging threat vectors
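One concrete form of the "departures from normal variation" idea, as an added example that is not from the slides or from any REN-ISAC tool: a per-source fan-out detector over netflow-style records. Each source host gets its own baseline (distinct destinations contacted per hour over a quiet period) and a later hour is flagged when the fan-out sits more than a chosen number of standard deviations above that baseline, which is the shape a worm or scanning bot produces in flow data. The flow records, field layout, and addresses are constructed for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed flow records with an assumed layout (hour, src, dst, dport, packets).
# Hours 0-5 form a quiet baseline. In hour 6 one host (192.0.2.5) contacts forty
# previously unseen destinations on a single port with one packet each, while
# the other host behaves as before.
FLOWS: List[Tuple[int, str, str, int, int]] = []
for hour in range(6):
    for i in range(4):
        FLOWS.append((hour, "192.0.2.5", f"198.51.100.{i}", 80, 20))
        FLOWS.append((hour, "192.0.2.6", f"198.51.100.{i + 4}", 443, 15))
for i in range(40):
    FLOWS.append((6, "192.0.2.5", f"203.0.113.{i}", 445, 1))
FLOWS.append((6, "192.0.2.6", "198.51.100.9", 443, 15))


def fanout_per_hour(flows: Iterable[Tuple[int, str, str, int, int]]) -> Dict[int, Dict[str, int]]:
    """hour -> src -> number of distinct destinations contacted in that hour."""
    dests: Dict[int, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for hour, src, dst, _dport, _pkts in flows:
        dests[hour][src].add(dst)
    return {h: {s: len(d) for s, d in per_src.items()} for h, per_src in dests.items()}


def detect_fanout_anomalies(flows, baseline_hours, threshold: float = 3.0,
                            min_stdev: float = 1.0) -> List[Tuple[int, str, int, float]]:
    """Return (hour, src, fanout, z) for every source whose fan-out in a
    non-baseline hour exceeds its own baseline mean by more than `threshold`
    standard deviations. `min_stdev` floors a perfectly flat baseline so a
    zero standard deviation cannot turn any change into an infinite z-score."""
    fanout = fanout_per_hour(flows)
    baseline: Dict[str, List[int]] = defaultdict(list)
    for h in baseline_hours:
        for src, n in fanout.get(h, {}).items():
            baseline[src].append(n)

    anomalies = []
    for h, per_src in sorted(fanout.items()):
        if h in baseline_hours:
            continue
        for src, n in sorted(per_src.items()):
            history = baseline.get(src)
            if not history:
                # A host with no baseline cannot be scored this way; a real
                # deployment would route it to an absolute-threshold check.
                continue
            mean = statistics.mean(history)
            sd = statistics.pstdev(history) if len(history) > 1 else 0.0
            z = (n - mean) / max(sd, min_stdev)
            if z > threshold:          # only upward departures matter here
                anomalies.append((h, src, n, round(z, 2)))
    return anomalies


if __name__ == "__main__":
    for hour, src, n, z in detect_fanout_anomalies(FLOWS, range(6)):
        print(f"hour {hour}: {src} contacted {n} distinct hosts (z={z})")
```

Per-source baselines matter: a mail relay or a web crawler legitimately fans out far more than a desktop, so a single global threshold would either miss the desktop's scan or page on the relay every hour. The same structure works for other counters named on the slide (darknet hits per source, IDS alerts per host) by swapping the quantity measured in fanout_per_hour.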

Page 27

Relationship Opportunities

• International relationships for R&E network security protection and incident response
– Potential areas for cooperation
▪ Shared Darknet Project
▪ Information sharing regarding active botnets, malware sites, etc.
▪ Cooperation on DDoS trace back; Arbor FP sharing
▪ L1/L2 security considerations
▪ Bro on the Backbone experiment
▪ Facilitate notifications to security contacts at source institutions for botnet and other incidents
▪ Honeyfarm via GRE project
▪ Operational security exercises
▪ Others?

Page 28

• Questions?
• Discussion?
• Contacts:
– Mark Bruhn, [email protected]
– Doug Pearson, [email protected]
– Dave Monnier, [email protected]
– But, better: [email protected]
▪ http://www.ren-isac.net
▪ 24x7 Watch Desk: +1(317)274-6630