[PPT] - Proposal for a new model for information sharing between CSIRTs Ir. PowerPoint Presentation

SLIDE 1

Proposal for a new model for information sharing between CSIRTs

Ir. David Durvaux - Security Analyst

24th annual FIRST conference – Malta - 17-22 June 2012

Christian Van Heurck – Coordinator

SLIDE 2 24th annual FIRST conference Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 2

“ Knowledge is power . Knowledge shared is power multiplied.”

Robert Noyce

SLIDE 3 24th annual FIRST conference

About CERT.be and us

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 3

CERT.be

The federal cyber emergency team

a service of Fedict

perated by Belnet

SLIDE 4 24th annual FIRST conference

Agenda 1 Current situation 2 Proposal for a new model for sharing 3 New issues 4 Sharing time = Q&A

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 4

SLIDE 5 24th annual FIRST conference

Propagation time

Internet delay: milliseconds

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 5

SLIDE 6 24th annual FIRST conference

Internet

Propagation time: milliseconds

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 6

SLIDE 7 24th annual FIRST conference

Internet

Propagation time:

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 7

SLIDE 8 24th annual FIRST conference

Internet

Propagation time: back to milliseconds

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 8

SLIDE 9 24th annual FIRST conference

Propagation time: back to seconds

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 9

We need to

SHARE

more efficiently!

SLIDE 10 24th Annual FIRST conference

1 Current situation

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 10

SLIDE 11 24th annual FIRST conference

Information overflow

Numerous valuable sources
remote
local
near real-time
Processing all the data
how: scripting?
what to treat?

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 11

SLIDE 12 24th annual FIRST conference

Lack of large-scale overview

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 12

SLIDE 13 24th annual FIRST conference

Contact point issues

Whom

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 13

SLIDE 14 24th annual FIRST conference

Criminals are organised and DO share

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 14

SLIDE 15 24th annual FIRST conference

CSIRTs are like islands

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 15

SLIDE 16 24th annual FIRST conference

Legal issues

Allowed?
What?
With whom?
How?

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 16

SLIDE 17 24th annual FIRST conference

Political issues

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 17

SLIDE 18 24th annual FIRST conference

Technical issues

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 18

SLIDE 19 24th Annual FIRST conference

2

Proposal for a new model for sharing

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 19

SLIDE 20 24th annual FIRST conference

Connecting our islands efficiently

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 20

SLIDE 21 24th annual FIRST conference

Creating archipelagoes

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 21

European Union .eu
27 countries

already sharing

Why not on

incidents?

SLIDE 22 24th annual FIRST conference

Creating archipelagoes

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 22

Benelux .be .nl .lu
3 countries sharing

since 1944

EU sub archipelago

SLIDE 23 24th annual FIRST conference

Creating archipelagoes

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 23

Belgium .be
CERT.be proxy
Febelfin
Sectorial CSIRTs
ISP’s
Law Enforcement

SLIDE 24 24th annual FIRST conference

Seeds for archipelagoes

Geo-political decisions / history
Existing organizations
FIRST
TF-CSIRT
ENISA
National / governmental CSIRTs
Fighting a common issue
DCWG.org
Anything that pushes countries to collaborate!
Requires TRUST!

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 24

SLIDE 25 24th annual FIRST conference

Decision tree

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 25

Political Support? Don’t Share Filter yes yes yes yes no no no no Event Legal? Need to Know? T

Sensitive?

Share

SLIDE 26 24th annual FIRST conference

Routing model: top-down

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 26

Archipelago Sub Archipelago Sub Sub Archipelago Concerned Constituent Event

SLIDE 27 24th annual FIRST conference

Security is no longer an island!

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 27

Archipelago ABC Island A Island B Island C Island N Archipelago EF Island E Island F Island Z

SLIDE 28 24th annual FIRST conference

How can we share?

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 28

Island A Island B Island C Jabber S2S Only Jabber S2S Only Jabber S2S Only events e v e n t s events

SLIDE 29 24th annual FIRST conference

What can we share?

Events
IP’s (src & dst) – Ports – Protocols
URL’s
Binaries and/or hashes of
malware
suspicious files
Information on domains, IP’s, AS’s
wner
history (passive DNS)
Binary answer to a question (yes/no)
have you seen that IP before?
Contacts

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 29

SLIDE 30 24th annual FIRST conference

Tools already exist … for years!

Phone
mail
chat
FTP
scripts
AbuseHelper
Megatron
fordrop

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 30

SLIDE 31 24th annual FIRST conference

AbuseHelper: the collaborative agents

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 31

?

♫ Notification Parser Agent Experts Reporting Storage

SLIDE 32 24th annual FIRST conference

Megatron: the central vacuum cleaner

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 32

SLIDE 33 24th annual FIRST conference

fordrop: human collaboration

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 33

SLIDE 34 24th Annual FIRST conference

3 New issues

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 34

SLIDE 35 24th annual FIRST conference

Correlated events: rating & feedback

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 35

Event B Event A Source A Source B

Processing

A Correlated Events Concerned Constituent

SLIDE 36 24th Annual FIRST conference

4 Conclusion

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 36

SLIDE 37 24th annual FIRST conference

You can share too

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 37

Please

SHARE

and help us do that

EFFICIENTLY

SLIDE 38 24th annual FIRST conference

You are in good company

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 38

CERT .is

SLIDE 39 24th annual FIRST conference

Sharing time!

Malta, 17-22 June 2012 Proposal for a new model for information sharing between CSIRTs 39

david@cert.be christian@cert.be