Crowd-sourcing CyberSecurity through the REN-ISAC Community · 2017-03-22
Crowd-sourcing CyberSecurity through the REN-ISAC Community
Chris O’Donnell
REN-ISAC Background
MISSION
● Overall – serve the Research and Higher Education space and promote operational security
● CSIRT role
● Operate a trusted community
● Work with other ISACs and other external parties
FACTS AND FIGURES
▪ Hosted at Indiana University
▪ Board of Directors
▪ Advisory groups
▪ Ad hoc special interest groups and projects
▪ Over 500 member institutions and over 1600 member representatives
Threat Landscape
INFOSEC IS #1 IT ISSUE IN HIGHER ED, 2016 *AND AGAIN IN 2017*
* Educause Top 10 IT Issues 2016 and 2017
THREAT TRENDS
§ Motive?
§ The threat actor is external to the organization
§ Time to compromise is < one hour
§ Time to discover a breach occurred is > one day
DATA BREACHES IN HIGHER EDUCATION
[Bar chart: number of reported data breaches in higher education per year, 2005 through 2016; y-axis 0 to 90. Source: Privacy Rights Clearinghouse]
WHERE IS EDUCATION ON THE LIST?
SENSITIVE DATA BREACHES
RANSOMWARE
RECENT SURVEY RESULTS
What Are You Doing to Mitigate the Risk of Ransomware? (N=27)
§ Increasing employee education and awareness efforts – 19 (70%)
§ Tightening spam filters on email systems – 11 (41%)
§ Accelerating the institution's move to cloud storage – 1 (4%)
§ Reminding system administrators to verify/test backups and check schedules – 9 (33%)
§ Updating institutional policies / standards – 2 (7%)
MOBILE
§ Mobile use is increasing
§ Lots of older unpatched OSes
§ 3rd party app stores
§ Malicious apps on primary app stores
INSIDER THREAT
PHISHING
§ Primary attack vector for online crime
§ Spear-phishing / Whaling
RECENT SURVEY RESULTS
DENIAL OF SERVICE ATTACKS
§ Amplification via vulnerable protocols, e.g. NTP
§ Increasing use of Internet connected devices (IoT)
DENIAL OF SERVICE ATTACKS
COMPROMISED CREDENTIALS
Crowdsourcing Cybersecurity Through the REN-ISAC Community
RELATIONSHIPS
§ Sector ISAC
§ Members
§ 3rd Parties
CONCERNS
How do we help?
CSIRT for EDU Space
SOC ACTIVITY – MOSTLY AUTOMATED
| Notifications | Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|---|
| Compromised machines | 23,943 | 16,911 | 13,589 | 12,661 |
| Compromised credentials | 13,162 | 1,037,881 | 5,094 | 1,141,653 |
| Spam or Phish | 117 | 86 | 111 | 1,995 |
| Vulnerable machines | 1 | 39 | 2 | 11 |
| Open recursive DNS resolvers | 793 | 713 | 607 | 655 |
| Open mail relays | 52 | 25 | 37 | 34 |
| Other | 1 | 3 | 5 | 1 |
| Totals | 38,069 | 1,055,658 | 19,445 | 1,157,010 |

REN-ISAC CSIRT Activity, YTD 2016
SOC ACTIVITY - MANUAL
| Notifications | Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|---|
| Notification questions | 429 | 626 | 278 | 194 |
| Password resets | 105 | 100 | 75 | 60 |
| Notifications | 51 | 21 | 50 | 38 |
| Other | 177 | 627 | 477 | 371 |
| Totals | 762 | 1,374 | 880 | 663 |
| Non-interactive tickets | 2,060 | 2,611 | 3,302 | 3,026 |

REN-ISAC SOC Activity, YTD 2016
SHARING INTEL
ALERTS, ADVISORIES, AND REPORTS
§ Advisories on various threats
§ Daily Watch
COMMUNITY SHARING
§ Community of trusted cybersecurity staff at R&E member institutions
§ Confidentiality, Integrity and Availability
§ Sharing actionable intel for operational protection and response
CIF/SES AUTOMATED THREAT INTELLIGENCE
PASSIVE DNS – WHAT?
[Diagram, slides 33–39: DNS resolution as seen from My University. A client on campus (labelled "visit www.my.edu") asks the campus recursive caching DNS server to resolve www.example.com. The recursive server asks the Global DNS "where is the authoritative for example.com?" and receives a response; it then sends a query to example.com's authoritative DNS server, receives the response, and returns it to the client ("Whee!").]
PASSIVE DNS – WHY?
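In the diagram above every answer passes through the campus recursive caching resolver, which is where a passive DNS sensor records them (what a name resolved to and when, never which client asked). The Python store below is an added example, not code from the REN-ISAC deck; it ingests constructed resolver answers in an assumed whitespace-separated line format and answers the two questions responders use passive DNS for: what a name resolved to over time, and which other names shared an address.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of answers seen at a campus recursive resolver.
# Assumed line format: "<ISO-8601 UTC timestamp> <qname> <rrtype> <rdata> <ttl>"
SAMPLE_RESPONSES = """\
2016-03-01T09:12:04Z www.example.com A 203.0.113.10 300
2016-03-01T09:12:04Z www.example.com A 203.0.113.10 300
2016-03-02T14:30:11Z login-example.com A 203.0.113.10 60
2016-03-05T08:01:55Z www.example.com A 198.51.100.7 300
2016-03-05T08:02:10Z example.com NS ns1.example.com. 86400
2016-03-06T17:45:00Z login-example.com A 198.51.100.7 60
"""

def parse_ts(s):
    """Zulu timestamp string -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class PassiveDns:
    """Passive DNS store: one row per (qname, rrtype, rdata); the client is never recorded."""

    def __init__(self):
        self.records = {}                 # key -> [first_seen, last_seen, count]
        self.by_rdata = defaultdict(set)  # rdata -> set of qnames

    def ingest(self, text):
        """Parse resolver answers; return the number of lines stored."""
        stored = 0
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 5:
                continue  # malformed line: skip it rather than crash the collector
            ts = parse_ts(parts[0])
            key = (parts[1].lower().rstrip("."), parts[2].upper(), parts[3])
            rec = self.records.setdefault(key, [ts, ts, 0])
            rec[0], rec[1], rec[2] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1
            self.by_rdata[key[2]].add(key[0])
            stored += 1
        return stored

    def history(self, qname):
        """(rrtype, rdata, first_seen, last_seen, count) rows for a name, oldest first."""
        q = qname.lower().rstrip(".")
        rows = [(k[1], k[2], v[0], v[1], v[2]) for k, v in self.records.items() if k[0] == q]
        return sorted(rows, key=lambda r: r[2])

    def names_for(self, rdata):
        """Every name seen resolving to this rdata: the pivot used in incident response."""
        return sorted(self.by_rdata.get(rdata, ()))

    def resolved_at(self, qname, when_iso):
        """Most recent rdata first seen at or before when_iso, or None if unseen."""
        seen = [r for r in self.history(qname) if r[2] <= parse_ts(when_iso)]
        return seen[-1][1] if seen else None
```

Duplicate answers collapse into one row with a higher count, so the store grows with distinct (name, type, data) tuples rather than with query volume.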
EDUCATION
▪ Techbursts
▪ Wikis
FUTURE (NOW) THREAT VECTORS
▪ Automated Access Controls
▪ Industrial Control Systems
▪ Internet of Things
Wrap up…
QUESTIONS?