E-CoAT European Cooperation of Abuse fighting Teams - PowerPoint PPT Presentation



SLIDE 1

E-CoAT
European Cooperation of Abuse fighting Teams

Remarks on E-CoAT
TF-CSIRT/FIRST joint event, Amsterdam, January 2006
Don Stikvoort (e-coat workshop chair)

SLIDE 2
SLIDE 3

SORBS blacklist entries

US 330142, JP 50216, GB 38794, AU 14291, CA 49415, DE 44798, FR 74923, CN 219508, EU 1743, KR 289457, NL 15004, IT 25866, SE 10178, TW 52940, ES 40997, CH 9349, BR 173885, FI 5036

SLIDE 4

Abuse
you know it’s massive ..

  • Example
    – Major North-European ISP / telecom provider
    – 700 to 1000 complaints per day
  • Blacklisting out of control at times
    – Whitelisting as a patch
  • Phishing increasing
  • Botnets
  • ………

THE PROBLEM IS HARDLY GETTING ANY SMALLER …

SLIDE 5

Massive Abuse
who cares ?

  • TF-CSIRT and FIRST concentrate on classical CERT issues
    – lacking focus on mass aspects of abuse
  • ETNO and FIINA concentrate on higher level issues
    – Not well suited for collaborative hands-on approach
  • MAAWG concentrates on messaging
    – No clear focus on abuse yet

SLIDE 6

E-CoAT initiative

  • Initiative of large European ISPs abuse teams
  • Workshops organised on volunteer base
    – Madrid Jan 2004
    – Hamburg May 2004
    – Amsterdam November 2004
    – Zürich May 2005
    – Amsterdam, 12 January 2006

[Diagram: CSIRTs, Abuse teams]

SLIDE 7

E-CoAT goals & interests

  • Goals
    – Discussion of shared problems
    – Sharing of solutions
    – Establishing best practices and common standards (e.g. reporting)
    – Awareness raising outside E-CoAT
  • Interests
    – Fighting (massive) abuse together
    – Direct NOC-to-NOC contacts
    – Whitelisting/blacklisting
    – Other issues as initiated by members

SLIDE 8

E-CoAT projects

  • Noc-to-noc contacts for E-CoAT members
    – IRC server
      • Courtesy KPN-CERT & XS4ALL (Scott McIntyre)
    – Mailing lists
  • Whitelisting / blacklisting
    – Discussions with blacklisters/whitelisters started (sorbs … , bit.nl initiatives like nl whitelist & others)
      • Mainly blocking of (individual) IP numbers or SMTP servers
    – eu-whitelist, or ?? Will be investigated
  • Tooling
    – Group started on tooling (e.g. incident handling, forensics, whitelisting)
  • Awareness raising
    – ENISA: role of national fora, inspire regulation
  • A.o.b. – up to members

SLIDE 9

E-CoAT factsheet (i)

  • Volunteer driven
  • Minimum overhead
    – Members do !
  • Maximum efficiency through collaboration:
    – Optimal cooperation with internal/external CERTs
    – Explicitly recognised by TF-CSIRT (co-locating, reporting)
    – Liaison with relevant groups/institutions (ENISA, MAAWG, FIINA, ETNO)
    – Intent to create FIRST Special Interest Group together with similar efforts in other regions (like AAA in AP region)
  • Propose BoF session at FIRST conference in Baltimore

SLIDE 10

E-CoAT factsheet (ii)

  • Next workshop (*tentative*):
    – Helsinki 20 September 2006
    – Preceding TF-CSIRT
  • Website
    – http://www.e-coat.org/
  • E-mail
    – sc@e-coat.org
    – sc = elected “Support Coordination” group
    – organises the efforts