Enhancing Collaborave Response to Security Challenges ... · challenges •Not involved ... •...
26
Enhancing Collabora.ve Response to Security Challenges Involving the DNS Yurie Ito Security Team Internet Corpora.on for Assigned Names and Numbers (ICANN)
Transcript of Enhancing Collaborave Response to Security Challenges ... · challenges •Not involved ... •...
EnhancingCollabora.veResponsetoSecurityChallengesInvolvingtheDNS
YurieIto
SecurityTeam
InternetCorpora.onforAssignedNamesandNumbers(ICANN)
TheInternetasanEcosystem• Builtasexperiment;nowpartofeverydaylife
– Assumedbenign,coopera2veusers
• Nowinvolvesawidevarietyofsystems,
stakeholders,opportuni.es&risks– Governments,corpora.ons,civilsociety,criminals
• MaliciousactorsnowuseInternet– Growingcentersofgravity–economically,socially,militarily
– Anonymity&abilitytoleverage3rdPar.esforBadActs
– Undergroundeconomyisdeveloped
Key loggerSpywareBotnets
PhishingTrojan..
Attack toolsmethods
Social Engineering
Attack against Vulnerability
Actors(could be internal,external)
UndergroundEcosystem
Criminal organizations,Terrorists, Industryspy..Etc..
Monetarystolen assets
Money, Threat…
Assets (information, System, Resources, IP…)
Business
technology
humanpolicy
3
RiskandcosttotheaOackersvs.Assetvalueincyberspace
low
high
cost/risk to the attackers Asset value to attackers
profit
= motivationPolitical, intelligence
motivation…
4
BotNetsandComplexityofAOacks
Bot
Bot Code Bot Code
Rou.ng
BotnetDeveloper
Bot Bot
Target(s)
BotControllerC2
AOacker
Multiplepurposes;Possibly nodigitalconnection
Who’s responsible?Who should be part of a cooperativemitigation and defense?Who should be in a investigation/legalenforcement?
Actors Involved- Code Developers- Botnet Developer (t = X)- Bot Controller (t = Y)- Owners of assets ( C2 and bots)- DNS operators- ISPs- Target (s)(to includefirewall, IDS, proxies,targeted network asset
Attack the swamps, not the fever
WhatisICANN?
• Interna.onal,publicbenefit,non‐profitorganiza.onmanagingtheInternetuniqueiden.fiersystems,includingtheDNS– Includesarangeofsuppor.ngorganiza.onsandadvisorycommiOees
• Ensuring“SecurityandStability”ofthosesystemsisacoremission
ICANNRolesandResponsibilityRelatedtoSecurity,StabilityandResiliency
• ByLaws:Tocoordinate,overall,theglobalInternet'ssystemofuniqueiden.fiers,andtoensurestableandsecureopera8onoftheInternet'suniqueiden.fiersystems
• Core:EnsureDNSsystemstabilityandresiliency• Enabler:WorkwithbroaderInternetandsecurity
communi.estocombatsystemicDNSabuse;assistoperatorstoprotectDNSregistra.onandpublica.onprocess
• Contributor:Iden.fica.onofriskstosecurity,stabilityandresiliencyoftheDNSaspartoflargercybersecuritychallenges
• Notinvolvedincyberwar/espionageorcontentcontrol
Board approved ICANN Plan for Enhancing Internet Security, Stability and ResiliencySSR Plan : http://www.icann.org/en/announcements/announcement-2-21may09-en.htm
JPA,Affirma.onofCommitments&Security,StabilityandResiliency
• Affirma.onreplacesJPAasof1October;noenddate– DOCandICANNmakecommitmentsonanumberoffronts
• “Preservingsecurity,stabilityandresiliency”oneoffourmajorjointcommitments
• Sec.on9.2detailsspecificresponsibili.es– HaveaDNSSSRplanandupdateregularly–willdoannually
– Communityreviewevery3years;firstoneinayear
– Focusareas:
• security,stabilityandresiliencymaOers,bothphysicalandnetwork,rela.ngtoDNS
• ensuringappropriatecon.ngencyplanning;• maintainingclearprocesses
8
ICANNSecurityStaff
• GregRaOray:ChiefInternetSecurityAdvisor
• JohnCrain:SeniorDirectorofSSR
• GeoffBickers:DirectorofSecurityOpera.ons
• YurieIto:Director,GlobalSecurityPrograms
KeyIni8a8ve:InternetAssignedNumbersAuthority(IANA)Opera8ons
• Suppor.ngtheimplementa.onofDNSSecurityExtensions(DNSSec)– WorkingwithUSG/VeriSigntosignrootbyendofyr
• Ini.ateimprovingrootzonemanagementthroughautoma.on
• Improveauthen.ca.onofcommunica.onwithTLDmanagers
KeyIni8a8ve:DNSRootServerOpera8ons
• Con.nuingtoseekmutualrecogni.onofrolesandresponsibili.esandini.ateavoluntaryefforttoconductcon.ngencyplanningandexercises
• Secure,resilientL‐rootopera.on
KeyIni8a8ve:Collabora8onwithTLDRegistriesandRegistrars
• EstablishingNewgTLDsandIDNs:EnsureestablishmentofnewgTLDandIDNapplicantsprovideforstableopera.ons&enhancedsecuritycontrols
• gTLDRegistries:
– MaturethegTLDregistrycon.nuityplanandtestthedataescrowsystem
– Establishexpeditedsecurityrequestandresponsesystem
• ccTLDRegistries:
– MaturethejointAOackandCon.ngencyResponsePlanning(ACRP)programthathasbeenestablishedwiththeregionalTLDassocia.ons
– FacilitatetheccTLDworkinggrouponincidentresponse
• Registrars:Enhanceregistraraccredita.onanddataescrowrequirements
KeyIni8a8ve:ccTLDSecurityandResiliencyCapacityBuildingIni8a8ve
• PartneredwithccTLDregionalorganiza.onstoprovidetraining/exerciseeventstodevelopcapacity– Managerial‐levelAOackandCrisesResponsePlanningcourse–process&bestprac.ce
– Technical‐levelhands‐ondefensetechniquesinsimulatedthreatenvironment
– Workshoptoestablishexerciseprograms
• Mul.pleeventsplannedforSpring09/Summer09– ExerciseTrainingWorkshopsJordan,Seoul– TechnicalTrainingw/LACTLDAssocia.oninSan.ago(Sep)
Looking to leverage lessons and partners
KeyIni8a8ve:contractualcompliance
• ContractualCompliance– con.nuetoenhancethescopeofcontractualenforcementac.vi.esinvolvinggTLDs
– ini.a.ngauditsofcontractedpar.esaspartofimplemen.ngtheMarch09amendmentstoRegistrarAccredita.onAgreement(RAA)
– iden.fypoten.alinvolvementofcontractedpar.esinmaliciousac.vityforcomplianceac.on.
KeyIni8a8ves:EnsureGlobalEngagementandCoopera8on
• EnhancepartnershipstoincludetheInternetEngineeringTaskForce(IETF),InternetSociety(ISOC),regionalinternetregistriesandnetworkoperatorsgroups,theDNSOpera.ons,AnalysisandResponseCenter(DNS‐OARC),andglobalincidentresponsecommunitysuchasForumofincidentresponsesecurityTeams(FIRST).
• Engageinglobaldialoguestofosterunderstandingofthesecurity,stability,andresiliencychallengesthatfacetheInternetecosystemandhowtoengagethesechallengeswithmul.‐stakeholderapproaches
GlobalCyberSecurityCommunity
Policy
Operational/Response
Law Enforcement
APEC-TEL, ASEAN
Atlantic CouncilOECD OASCCDCOE IGF
CERTs community:FIRST, APCERT,TF-CSIRT, GCC,OIC, EGC, IWWN..
Meridian: CIIPDirectory
NOG community:AfNOG, NANOG,SANOG, PACNOG,MENOG, ccNOG
TLD community:AFTLD, AP-TLD,CENTRE, LAC-TLD, RISG
DCC(BTF), Undergroundeconomyconference,…etc
EU, EC, ENISA
Operators Securitycommunity: NSP-Trust,Ops-Trust. Etc..
Abuse Responsecommunity: MAAwG,COUSE ….etc
CIP DomainISACs
G8 Lyon groupSubgroup on High-Tech Crime
ICANN Meeting
Vulnerability HandlingCommunity: CERTs,ICASI
Malicious codeanalysis community
DNS-OARC
ISOCITU
IETF, IEEE
APWG
GlobalDNSSSRSymposium• Co‐HostedwithGeorgiaTech,GeorgeMasonUniversity,DNSOARC:Over90par.cipants‐technologists,academia,operators,securityexperts,vendors
• Majorthemes– Comba.ngmaliciousabuseoftheDNS
– EnterpriseDNSriskandremedia.on– DNSsecurityinresourceconstrainedenvironments
Ini.alfindings
• Needforimprovedcollabora.veresponse
• Needfortrainingacrossallsectorsoftheindustrytoraisebothskillsandawareness
• Otherfindingsareavailableinthesymposiumreportat– hOp://www.g.sc.gatech.edu/icann09
Collabora.veResponsetoMaliciousAbuseofDomainNameSystem
• ICANNwillcollaboratetomi.gatemaliciousconductenabledbytheuseoftheDNSwith:
– DNSregistriesandregistrars
– Securityresearchcommunity
– Securityresponsecommunity
– Sokwareandsecurity/an.‐virusvendors
– LawEnforcementasappropriate
WhatisConficker?• AnInternetworm
– Self‐replica.ngmaliciouscode– Usesanetworkfordistribu.on
• Usesvariousmethodstospreadtheinfec.on(networkfileshares,mapdrivesremovablemedia)
• ConfickercodeisinjectedintoWindowsServerService– Variantsdisablesecuritymeasures– ProvidestheaOackerwithremotecontrol,execu.onprivileges,andabilitytodownloadmoremalware
• Enliststheinfectedcomputerintoabotnet– Confickerbotsqueryrendezvouspointsforaddi.onalmalwareorinstruc.onsforalreadypresentmalware
AffectedCountryCodeTLDs–ConfickerC
Posi.veLessonslearned• SecurityandDNScommuni.escanworkeffec.velytogether,atanopera.onallevel,tocontainglobalsecuritythreats– Trustwasacri.calelementinadhocpartnership
• Communica.onschannelsareessen.alincoordina.ngopera.onalresponse– ICANN’sroleinenablingcommunica.onsandstaffpar.cipa.oninadhocpartnershipwasappreciated
• SecurityandDNScommuni.esneedeachother– Leveragecompetenciesratherthanduplicatethem
– Collec.ve,globalexper.seisessen.alforeffec.veresponse
Problemsnotyetsolved• Collabora.veresponseforcedbotnetoperatorsoutofcomfortzonebutnotoutofbusiness
• Botnetwritersareagileandelusive
– Cannotputthemoutofbusinesswithoutadop.ngasimilarlyagilemodelforresponse
• Collabora.oncanbedifficulttosustain
– Numerousandcomplex,hardertobuildandmaintain,morefragilethanbotnets
• Therisk‐rewardequa.onfavorswormcreators
Musthavepublic–privatecollabora8on
WayForwardonDNSCollabora.veResponse
ICANNisac8vepar8cipa8ngintheseefforts
ccNSOIRWGupdate
• ThepurposeoftheIncidentResponseWorkingGroup(IRWG)istodevelopsustainablemechanismsfortheengagementofandinterac.onwithccTLDregistriesduringincidentsthatmayimpacttheDNS.
• InconsideringfeasiblemethodstheIRWGshouldtakeintoaccountandbeguidedby:– Theoverarchingrequirementtopreservethesecurityandstabilityof
theDNS;
– Thenon‐bindingrela.onshipoftheccTLDregistriestoanyonepar.cularen.tyexceptpossiblywiththeirowngovernments;
– Diversityoflanguage,.mezone,resources,exper.se;
– Par.cularpoliciesandprac.cesbywhichccTLDsmaybeguided.
HowcanICANN/DNScommunityandMENOGcollaborate?
• Donetworkoperatorshaveincidentresponsecontacts?Dotheyhaveon‐goingdialogue?Exerciseresponse?
• Whatcanwedomoretocollaboratewithyou?
