Working Group 7: Botnet Remediation
description
Transcript of Working Group 7: Botnet Remediation
Working Group 7: Botnet Remediation
March 6, 2013
Michael O’Reirdan (M3AAWG) - ChairPeter Fonash (DHS) – Vice-Chair
2
WG 7 Objectives
Working Group 7 – Botnet Remediation Description: This Working Group will review the efforts undertaken within the international community, such as the Australian Internet Industry Code of Practice, and among domestic stakeholder groups, such as IETF and the Messaging Anti-Abuse Working Group, for applicability to U.S. ISPs. Building on the work of CSRIC II Working Group 8 ISP Network Protection Practices, the Botnet Remediation Working Group shall propose a set of agreed-upon voluntary practices that would constitute the framework for an opt-in implementation model for ISPs. The Working Group will propose a method for ISPs to express their intent to op-into the framework proposed by the Working Group.
The Working Group will also identify potential ISP implementation obstacles to the newly drafted Botnet Remediation business practices and identify steps the FCC can take that may help overcome these obstacles.
Finally, the Working Group shall identify performance metrics to evaluate the effectiveness of the ISP Botnet Remediation Business Practices at curbing the spread of botnet infections.
3
WG 7 MembersName Organization
Michael O'Reirdan (Chair) M3AAWG
Peter Fonash (Vice Chair) DHS
Robert Thornberry (Editor) Alcatel-Lucent
Uma Chandrashekhar Alcatel-Lucent
Michael Little
Applied Communication Sciences
Alex Bobotek AT&T
John Denning Bank of Amer.
Neil Schwartzman (Secretary) CAUCE
Chris Lewis CAUCE, Spamhaus
Michael Glenn CenturyLink
Paul Diamond (Editor) CenturyLink
Jay Opperman Comcast
Matt Carothers Cox
Name Organization
Gunter Ollmann Damballa
Brian Done DHS
Daniel Bright EMC Inc
Mats Nilsson Ericsson
Kurian Jacob FCC
Vern Mosley (Liaison) FCC
Bill McInnis IID
Chris Sills IID
Tim Rohrbaugh Intersections
Barry Greene ISC
Merike Kaeo ISC
Ed White McAfee
Kevin Sullivan Microsoft
Matthew Tooley NCTA
Jon Boyens NIST
Craig Spiezle OTA
Bill Smith PayPal
Gabe Iovino REN-ISAC
Name Organization
Johannes Ullrich SANS Institute
Adam O'Donnell Sourcefire
Alfred Huger Sourcefire
Kevin Frank Sprint
Michael Fiumano Sprint
James Holgerson Sprint
Greg Holzapfel Sprint
Maxim Weinstein StopBadware
Patrick Gardner Symantec
Tice Morgan T-Mobile
John Griffin TCS
Chris Roosenraad TWC
Joe St SauverUniv of Oregon/Internet 2
Robert Mayer USTelecom Assoc.
Eric Osterweil Verisign
John St. Clair Verizon
Timothy Vogel Verizon
4
March 2012 Deliverable
U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) completed
– ISPs representing 94% of the U.S. residential subscriber market are either currently participating, or have agreed to participate, in the Code
5
March 2013 Deliverable
Final Report: U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) - Barrier and Metric Considerations
6
Barriers to ISP Participation
• Technology Barriers– Barriers where current technical solutions insufficient to tackle botnet threat
• Consumer/Market Barriers– Barriers from implementation solutions viewed by customers as ineffective
• Operational Barriers– Barriers that could negatively impact organization’s primary mission and
resources
• Financial Barriers– Barriers resulting from inability to quantify costs/benefits of participation
• Legal/Policy Barriers– Barriers associated with legal and/or policy constraints
7
Barriers Guide (Appendix 3)
• Provides ISPs guidance on Code implementation activities
• Guidance grouped according to
– End-User Education– Detection– End-User Notification– Remediation– Collaboration
• And further sub-divided by– Technology Barriers– Consumer and Market Barriers– Operational Barriers– Financial Barriers– Legal/Regulatory/Policy Barriers
8
Bot Metrics Guide (Appendix 4)
• Expected Audience• What is and is not a “bot”• Counting botted “things”• Questions about “bots”• Statistical questions on
botnet measurements• ISPs as a potential source of
botnet data• Sinkholing, DNS-based
methods, direct data collection and simulations
• Recommendations
9
March 2013 Deliverable cont.
• Metrics Glossary – Appendix 5• Related Industry Security and Metrics Activity – Appendix 6
– M3AAWG Bot Pilot Phase 1 Metrics– Japan’s Cyber Clean Center Metrics– Australia’s iCode Metrics– Germany Anti-Botnet Initiative Metrics– Ireland’s Anti-Botnet Initiative Metrics– Finland’s Anti-Botnet Initiative Metrics– Shadowserver Foundation Metrics– Spamhaus CBL Metrics
10
Conclusions
• WG7 delivered the U.S. Anti-Bot Code of Conduct for ISPs• WG7 identified potential ISP implementation barriers • WG7 identified steps FCC can take to help overcome barriers• WG7 identified challenges to obtaining Code effectiveness
metrics at the present time• The Code, along with the Barriers and Metrics Guides, will
require periodic updates from Code participants• There is a need to:
– Address the bot problem with an Internet ecosystem multi-stakeholder approach – Continue to focus on bot reduction and mitigation to reduce the spread of bot
infections
11
Recommendations
• FCC, working in partnership with other federal government agencies and industry:– Facilitate ISP awareness of Code Barriers Guide and encourage ISPs to use
Barriers Guide as a resource in planning and evaluating Code participation– Facilitate creation of case studies on bot mitigation activities to examine
metrics created around particular bot remediation efforts, a good example being the recent Georgia Tech DNSChanger study presented at M3AAWG
– Leverage industry-sponsored pilot programs to examine the collection and sharing of metrics around particular bot efforts
– Facilitate research in bot metric development– Establish a vehicle, such as a workshop or webcast, to foster ongoing
dialogue around these issues• Include international participants
Call to Action
ISPsISPs
EndUsersEndUsers
AppDev.AppDev.
AVVendorsAV
Vendors
PlatformVendorsPlatformVendors
e-CommerceOrgs.
e-CommerceOrgs.
CriticalInfra.CriticalInfra.
OSVendorsOS
Vendors
EnterprisesEnterprises
Int’lPartnersInt’l
Partners
ResearchInst.
ResearchInst.
Gov’tD/AsGov’tD/As
RegulatorsRegulators
WebHostsWebHosts
ContentProvidersContentProviders
PrivacyAdvocatesPrivacy
Advocates
• WG7 believes the voluntary approach recommended will lead to further recommendations on Internet ecosystem multi-stakeholder approaches to best contain the spread of bot infections
• WG7 further believes by expeditiously taking voluntary action on the recommendations, the FCC will significantly contribute to, and facilitate development and implementation of, voluntary practices that can be followed by the Internet ecosystem multi-stakeholders to combat the spread of bot infections
12