Making the Internet DNS More Secure and Resilient: An ICANN Perspective
Greg Rattray
ICANN Chief Internet Security Advisor

The Internet as an Ecosystem
• Built as experiment; now part of everyday life
  – Assumed benign, cooperative users
• Now involves a wide variety of systems, stakeholders, opportunities & risks
  – Governments, corporations, civil society, criminals
• Malicious actors now use Internet
  – Growing centers of gravity – militarily, economically, socially
  – Anonymity & ability to leverage 3rd parties for bad acts
• Will we reach a tipping point in inability to address growth of malicious activity and capability?
  – My mother-in-law: Can I safely use my credit card?

Bot Nets and Complexity of Attacks
[Diagram: Attacker, Botnet Developer, Bot Code, Bot Controller (C2), Bots, DNS resolution, Routing, Target(s). Annotation: "Multiple purposes; possibly no digital connection"]
• Who’s responsible?
• Who should be subject of retaliation?
  – What type? Legal notice, arrest, digital disruption?
• Who should be part of a cooperative mitigation and defense?
Actors Involved
  – Code Developers
  – Botnet Developer (t = X)
  – Bot Controller (t = Y)
  – Owners of assets (C2 and bots)
  – DNS operators
  – ISPs
  – Target(s)
Attack the swamps, not the fever

The Internet: coordinated, not controlled
Just some of the major organizations concerned with the Internet

What is a Domain Name?
Mechanism for translating name into number
www.icann.org = 192.0.32.7 (IP address)
• ccTLD (country code top-level domain)
  – Generally used or reserved for a country
  – .jp, .kr, .uk, .my … etc.
• gTLD (generic top-level domain)
  – .com, .info, .net, .name, .biz, .pro … etc.
• others (infrastructure top-level domain)
  – .arpa, .int ... etc.

[Diagram labels]
ICANN/IANA (Internet Assigned Numbers Authority)
• Domain names: "." Root Zone (w/ USG and VeriSign); ccTLD registry (.se, .jp); gTLD registry (.com, .net); registrar; .net zone; example.net zone
  – "I want ‘example.net’ to set up www.example.net"
  – www.example.net = 192.0.2.1
• IP address: RIR (AfriNIC, ARIN, RIPE NCC, LACNIC, APNIC); NIR (JPNIC, CNNIC, KRNIC); LIR (ISP, ISP, ISP)
  – "I need 1 IP address to set up www.example.net"

ICANN’s Role and Plan
ICANN Plan for Enhancing Internet Security, Stability and Resiliency established in 2009
• Core: Ensure DNS system stability and resiliency
• Enabler: Work with broader Internet and security communities to combat systemic DNS abuse; assist operators to protect DNS registration and publication processes
• Contributor: Identification of risks to security, stability and resiliency of the DNS as part of larger cybersecurity challenges
• Not involved in cyber war/espionage or content control
Plan available at www.icann.org/en/security

DNS System-wide SSR Coordination, Analysis and Planning
Provide for coherence in concepts of a key sub-system of a larger Internet ecosystem
• Conduct annual DNS SSR symposium. This year in Kyoto in early February focused on Measuring DNS Health
  – Baselined what metrics and measurements exist and where gaps exist in terms of getting more comprehensive
  – Key parameters for DNS health – coherency, integrity, speed, availability, resiliency
• Developing set of key contingencies for use in ICANN and community efforts related to response and exercise planning
• Finalizing continuity plan for failures of DNS registries to address how to protect registrants

DNS Vital Signs
Coherency
Integrity
Speed
Availability
Resiliency

Mitigation of Malicious Conduct in New Top Level Domains
Practical measures for extending the DNS in a more secure and accountable fashion
• Requirement for employing key security technology (DNSSEC)
• Prohibition on undermining protocol (Wildcarding)
• Requirements to enhance trust in people (background checks)
• Enable a scalable approach to investigation and response (Zone File Access)
• A voluntary program for higher trust in key zones (TLD certification program)

DNS Collaborative Response
Enabling effective private sector response and leadership
• Working closely with FIRST and national CERT community
  – Joint session in Nairobi; help set up East African CERT
  – DNS Security workshop at FIRST general meeting in June
• Continue collaboration in stopping spread of Conficker as well as lessons learned and follow-up efforts
• Continue to have security team incident reporting mechanisms to identify potential systemic DNS incidents

Capacity Building Programs
Enabling effective security and resilience at the edge of the system
• Continue conduct of ccTLD security and resiliency training program
  – Attack and Contingency Response Program focused on managerial level threat awareness and contingency planning
  – Joint registry operations training program initiated focused on basic, advanced and security DNS technical skill building
• Reaching over 100 DNS ccTLD operators in 41 ccTLDs in the last six months

Global Engagement
Foster a global dialogue on how to most effectively pursue security/resiliency for Domain Name System
• Work closely with regional TLD associations and network operators groups
• Work to enhance regional outreach activities
  – INTERPOL workshop
  – Asia-Pacific Economic Cooperation – Telecommunications and Information Working Group
  – Commonwealth Telecommunications Organization
• This ICANN – MSU Institute for Information Security Issues annual forum

Discussion Questions
What are the expectations of private sector/multi-stakeholder organizations to provide security and resilience in key aspects in the global information infrastructure?
What are the right mechanisms for achieving transparency and accountability in this regard?