AbOSE Report (Abilene Operational Security Exercise)



SLIDE 1

AbOSE Report

(Abilene Operational Security Exercise)

  • T. Charles Yun, Internet2
SLIDE 2

2006 January TF-CSIRT, Amsterdam, the Netherlands Slide 2

Presentation Overview

  • A bit of scene setting and background
  • Background, Goals
  • Methodology
  • Findings
  • Lessons Learned
  • Follow up
  • Invitation to International Security Exercise
  • Contact Info
SLIDE 3

Abilene Network Backbone

Background Information

[Figure: map of the Abilene network backbone; labels: Main office, Current location]

SLIDE 4

Salsa (1 of 2)

  • Advisory and coordination group for security activities for Internet2
  • Security at Line Speed workshop (S@LS), the “fruitcake” document, annual meetings
  • Working Groups and meetings
  • Network Authorization (NetAuth), Federated Wireless Network Authentication (FWNA), Computer Security Incident (CSI2)
  • Reconnections “Managing Academic Networks With New Requirements”, NetGurus

xref Marco’s ENISA hierarchy from yesterday

Background Information

SLIDE 5

Salsa (2 of 2)

  • Address security in various ways:
  • Time frames: short, medium, long
  • Process, procedure, policy (think ISO-9000, legal requirements, etc.)

  • Groups: community, Community, COMMUNITY
  • Operational, exploratory, R&D

Background Information

SLIDE 6

AbOSE

  • One day long event, held November 2005 in Indianapolis, Indiana, USA
  • Designed to initiate conversations on the Network Operation Center's (NOC) activities in their support of Abilene
  • This was not an audit
  • Information gathering, gap analysis, baseline, document
  • Report is currently in draft and has been released to participants, public version soon.

SLIDE 7

Methodology

  • Two scenarios, invented, refined, executed
  • “Table top” exercise (talking, no flows initiated)
  • DDoS attack
  • Backbone link is inconsistently saturated between two core router nodes
  • Targeting an important demo
  • Router compromise with press/reporter investigation
  • Router provides indication of problem and reporter has been contacted by “bad guy” to advertise the compromise

SLIDE 8

Findings

  • Report identifies ~40 observations with suggested responses
  • Patterns of activity emerged in the two scenarios, some expected and others not.
  • Some processes were in place and followed, others need to be developed, noting that any new process hinges on the NOC’s return on investment
  • Some observations revealed policy questions that should be answered by Internet2, or, the NOC’s response is based on other people’s decisions.

SLIDE 9

Lessons Learned (some of them)

  • Well designed, detailed scenarios are important to respond to unexpected questions.
  • Engineers (plural) need to be involved in the design *and* execution of the scenario. (Obviously, these engineers will not participate in the exercise.)
  • Make sure that every external “event” or “character” is represented by a real person. If someone is supposedly upset and sending email, have a real person start sending email… and then call a person’s cell phone.

  • Test processes, not the cleverness of engineers.
SLIDE 10

Follow Up

  • Initiate regularly occurring Abilene exercise
  • Planning to hold annually, during the summer holidays
  • Potentially run a table-top and *live* exercise
  • “Regular” exercises with international partners
  • What is the proper format of an international exercise? Process analysis or “real problems”
  • Start off with a similar baseline exercise and evolve into more complicated activities

SLIDE 11

Invitation to Intl Security Exercise

  • Which entities should participate (regional, national, backbone, or collaborative organizations)?
  • Who should organize?
  • When: I suggest late summer 2006
  • Format: Baseline assessment, similar to the AbOSE reported here. Probably a distributed event, via video+voice+IM (or in Hawaii/Sicily/Provence)

  • Goals: Some are obvious, additional thoughts?
SLIDE 12

Contact Info

  • T. Charles Yun, Internet2, charles @ internet2 . edu, 734.352.4960 (desk), Ann Arbor, Michigan, USA

  • http://security.internet2.edu/